U-Boot expects the FDT to be located right after the _end
linker symbol (see fdtdec.c: board_fdt_blob_setup())
The "basic" LOAD_FIT path is aware of this limitation, and relocates
the FDT at the expected location. Guessing the expected location
probably only works reliably on 32-bit arm, and it feels like a hack.
One proposal would be to pass the FDT address to u-boot
(e.g. using 'r2' on arm platforms).
The variable is named "fdt_hack" to remind future contributors that,
"hey! we should fix the underlying problem". However, that is beyond
the scope of this patch.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The information on the OS should be contained in the FIT, as the
self-explanatory "os" property of a node under /images. Hard-coding
this to U_BOOT might send us down the wrong path later in the boot
process.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The correct FDT to use is described by the "fdt" property of the
configuration node. When the fit_unamep argument to fit_image_load()
is "fdt", we get the "/images/fdt" node. This is incorrect, as it
ignores the "fdt" property of the config node, and in most cases,
the "/images/fdt" node doesn't exist.
Use NULL for the 'fit_unamep' argument. With NULL, fit_image_load()
uses the IH_TYPE_FLATDT value to read the config property "fdt",
which points to the correct FDT node(s).
fit_image_load() should probably be split into a function that reads
an image by name, and one that reads an image by config reference. I
don't make those decisions, I just point out the craziness.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Several architectures had a default board_fit_config_name_match already;
this provides a generic weak version. We default to rejecting all configs.
This will use the FIT's default config, instead of the first config. This
may result in boot failures if there are multiple configurations and the
first config is *not* the default.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
The "simple" SPL_LOAD_FIT path is the most compliant with the format
documented in doc/uImage.FIT/source_file_format.txt. The other two
paths to load a FIT are SPL_LOAD_FIT_FULL and the "bootm" command.
Since the Kconfig menu is the most likely place for a new user to see
these options, it seems like the most logical candidate to document
the limitations. This documents the _known_ issues, and is not
intended to be a complete list of all follies.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Commit 4afc4f37c7 ("doc: FIT image: Clarify format and simplify
syntax") and delegated FPGA images to be added via the list of
"loadables" in lieu of the "fpga" property. Now actually implement
this in code.
Note that the "compatible" property is ignored for the time being, as
implementing "compatible" loading is beyond the scope of this change.
However, "u-boot,fpga-legacy" is accepted without warning.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Commit 4afc4f37c7 ("doc: FIT image: Clarify format and simplify
syntax") requires that FPGA images be referenced through the
"loadables" in the config node. This means that "fpga" properties in
config nodes are deprecated.
Given that there are likely FIT images which use "fpga", let's not
break those right away. Print a warning message that such use is
deprecated, and give users a couple of releases to update their
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The FPGA loading code in spl_simple_fit_read() can easily be separated
from the rest of the logic. It is split into two functions instead of
one because spl_fit_upload_fpga() is used in a subsequent patch.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
spl_load_fit_image() will try to load an image at the address given
in the "load" property. Absent such property, it uses
image_info->load_addr
Correct use of this is demonstrated in spl_fit_append_fdt(), which
resets the 'load_addr' before each spl_load_fit_image() call.
On the other hand loading "loadables" loop in spl_load_simple_fit()
completely ignores this. It re-uses the same structure, but doesn't
reset load_addr. If loadable [i] does not have a "load" property, its
load address defaults to load_addr, which still contains the address
of loadable [i - 1].
A simple solution is to treat NULL as an invalid load address. The
caller can set load_addr = 0 to request an abort if the "load"
property is absent.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
mkimage supports rsa2048, and rsa4096 signatures. With newer silicon
now supporting hardware-accelerated ECDSA, it makes sense to expand
signing support to elliptic curves.
Implement host-side ECDSA signing and verification with libcrypto.
Device-side implementation of signature verification is beyond the
scope of this patch.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
rsa-checksum.c sontains the hash_calculate() implementations. Despite
the "rsa-" file prefix, this function is useful for other algorithms.
To prevent confusion, move this file to lib/, and rename it to
hash-checksum.c, to give it a more "generic" feel.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
We move qfw into its own uclass and split the PIO functions into a
specific driver for that uclass. The PIO driver is selected in the
qemu-x86 board config (this covers x86 and x86_64).
include/qfw.h is cleaned up and documentation added.
Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
If there were no variable substitutions in a command, then initial
assignments would be misinterpreted as commands, instead of being skipped
over. This is demonstrated by the following example:
=> foo=bar echo baz
Unknown command 'foo=bar' - try 'help'
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Similar to support for SHA1 and SHA256, allow the use of hardware hashing
engine by enabling the algorithm and setting CONFIG_SHA_HW_ACCEL /
CONFIG_SHA_PROG_HW_ACCEL.
Signed-off-by: Joel Stanley <joel@jms.id.au>
The optee_copy_fdt_nodes is only used to copy op-tee nodes
of U-Boot device tree (from gd->fdt_blob when OF_LIVE is not activated)
to external device tree but it is not compatible with OF_LIVE.
This patch migrates all used function fdt_ functions to read node on
old_blob to ofnode functions, compatible with OF_LIVE and remove this
parameter "old_blob".
The generated "device tree" is checked on stm32mp platform with OF_LIVE
activated.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Update the debug trace for the reserved video memory to KB as indicated
in the message with "%luk"; before the patch the computed size
gd->relocaddr - addr is in bytes.
This patch aligns the debug trace in reserve_video() with others
functions, for example on stm32mp157c-dk2:
- Reserving 3080192k for video at: dfd00000
+ Reserving 3008k for video at: dfd00000
Reserving 873k for U-Boot at: dfc25000
Reserving 32776k for malloc() at: ddc23000
Reserving 72 Bytes for Board Info at: ddc22fb0
Reserving 280 Bytes for Global Data at: ddc22e90
Reserving 119072 Bytes for FDT at: ddc05d70
Reserving 0x278 Bytes for bootstage at: ddc05af0
Fixes: 5630d2fbc5 ("board: Show memory for frame buffers")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a weak nand_get_mtd function for nand drivers to provide mtd info
and use this to set pagesize such that reading of non page-aligned
elements can succeed.
The spl_load_simple_fit already handles block block access so all we
need to do is provide the nand writesize as the block length.
Further cleanup of the drivers which use nand_spl_loaders.c such as
am335x_spl_bch.c, atmel_nand.c, and nand_spl_simple.c could be done
using info from mtd_info instead of statically defined details.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
commit 9f6a14c47f ("spl: fit: nand: fix fit loading in case of bad blocks")
added support for adjusting the image offset to account for bad blocks.
However this requires nand_spl_adjust_offset() which requires fully defined
specifics of the NAND chip being used may not be avialable.
Allow skipping this support for drivers or configs which don't specify
the NAND chip details statically with defines.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
In preparation to add SiFive Unmatched board support, let's rename
the existing fu540 board to unleashed.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Leo Yu-Chi Liang <ycliang@andestech.com>
Add missing endianness conversions to usb_get_port_status(). This
(amongst others) is necessary to enable the use of USB 3 hubs on
big-endian platforms like MIPS Octeon.
Signed-off-by: Aaron Williams <awilliams@marvell.com>
Signed-off-by: Stefan Roese <sr@denx.de>
Cc: Chandrakala Chavva <cchavva@marvell.com>
Cc: Bin Meng <bmeng.cn@gmail.com>
Cc: Marek Vasut <marex@denx.de>
Some boards may want to show the SKU ID or other information obtained at
runtime. Allow this to come from sysinfo. The board can then provide a
sysinfo driver to provide it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
The _SUPPORT suffix is from an earlier time and interferes with use of
the CONFIG_IS_ENABLED() macro. Rename the option to drop the suffix.
Tidy up the TODO that prompted this.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present bootstage silently ignores new records if it runs out of
space. It is sometimes obvious by looking at the report, but the IDs are
not contiguous, so it is easy to miss.
Aad a message so that action can be taken.
Signed-off-by: Simon Glass <sjg@chromium.org>
We have two separate places that need to figure out the bootstage ID to
use. Put this code in a function so that the logic is in one place.
Signed-off-by: Simon Glass <sjg@chromium.org>
Sandbox is special in that it is used for testing and it does not match
any particular target architecture. Allow it to load an image from any
architecture, so that 'bootm' can be used as needed.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some systems (e.g. x86 APL) run SPL from read-only memory. The device
instances created by dtoc are therefore not writeable. To make things work
we would need to copy the devices to read/write memory.
To avoid this, add an option to use a separate runtime struct for devices,
just as is done for drivers. This can be used to hold information that
changes at runtime, avoiding the need for a copy.
Also add a Kconfig option for read-only SPL, which selects this feature.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Simon Glass <sjg@chromium.org>
part_get_info_by_name will return -1 on error, and >0 on success.
Signed-off-by: schspa <schspa@gmail.com>
Cc: Igor Opaniuk <igor.opaniuk@gmail.com>
Reviewed-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Unfortunately -ENODATA is not available in OpenBSD. Use -EBADMSG
instead, to indicate a missing timestamp.
Fixes: c5819701a3 image: Adjust the workings of fit_check_format()
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
This Trusted Application allows enabling SCP03 as well as provisioning
the keys on TEE controlled secure element (ie, NXP SE050).
All the information flowing on buses (ie I2C) between the processor
and the secure element must be encrypted. Secure elements are
pre-provisioned with a set of keys known to the user so that the
secure channel protocol (encryption) can be enforced on the first
boot. This situation is however unsafe since the keys are publically
available.
For example, in the case of the NXP SE050, these keys would be
available in the OP-TEE source tree [2] and of course in the
documentation corresponding to the part.
To address that, users are required to rotate/provision those keys
(ie, generate new keys and write them in the secure element's
persistent memory).
For information on SCP03, check the Global Platform HomePage and
google for that term [1]
[1] globalplatform.org
[2] https://github.com/OP-TEE/optee_os/
check:
core/drivers/crypto/se050/adaptors/utils/scp_config.c
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
When multiple log() calls are used which don't end in newline, the
log prefix is prepended multiple times in the same line. This makes the
output look strange.
Fix this by detecting when the previous log record did not end in newline.
In that case, setting a flag.
Drop the unused BUFFSIZE in the test while we are here.
As an example implementation, update log_console to check the flag and
produce the expected output.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present only a single flag (force_debug) is used in log records. Before
adding more, convert this into a bitfield, so more can be added without
using more space.
To avoid expanding the log_record struct itself (which some drivers may
wish to store in memory) reduce the line-number field to 16 bits. This
provides for up to 64K lines which should be enough for anyone.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present this casts addresses to pointers so cannot work with sandbox.
Update the code to use map_sysmem() instead.
As part of this change, the existing load_ptr is renamed to src_ptr since
it is not a pointer to load_addr. It is confusing to use a similar name
for something that is not actually related. For the alignment code,
ALIGN() is used instead of open-coded alignment. Add a comment to the line
that casts away a const.
Use a (new) load_ptr variable to access memory at address load_addr.
Signed-off-by: Simon Glass <sjg@chromium.org>
Vendor Authorized Boot is a security feature for authenticating
the images such as U-Boot, ARM trusted Firmware, Linux kernel,
device tree blob and etc loaded from FIT. After those images are
loaded from FIT, the VAB certificate and signature block appended
at the end of each image are sent to Secure Device Manager (SDM)
for authentication. U-Boot will validate the SHA384 of the image
against the SHA384 hash stored in the VAB certificate before
sending the image to SDM for authentication.
Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
Reviewed-by: Ley Foon Tan <ley.foon.tan@intel.com>
At present initr_addr_map() is put at a late stage in the
init_sequence_r[] calls. This won't work because lot of
device driver initialization (e.g.: serial port) happens
before it but is lack of the address translation support.
This moves the call to a bit earlier, right after the DM
initialization.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
At present fdt_read_prop() can only handle 1 or 2 cells. It is
called by fdt_read_range() which may be used to read PCI address
from <ranges> for a PCI bus node where the number of PCI address
cell is 3. The <ranges> property is an array of:
{ <child address> <parent address> <size in child address space> }
When trying to read <child address> from a PCI bus node using
fdt_read_prop(), as the codes below:
/* Read <child address> */
if (child_addr) {
r = fdt_read_prop(ranges, ranges_len, cell, child_addr,
acells);
if (r)
return r;
}
it will fail, because the PCI child address is made up of 3 cells
but fdt_read_prop() cannot handle it. We advance the cell offset
by 1 so that the <child address> can be correctly read.
This adds the special handling of such case.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
At present these three Kconfigs exist even when bootstage is not enabled.
This is not necessary since bootstage.c is only built if BOOTSTAGE is
enabled.
Make them conditional. Also fix up the overflow message to mention TPL.
Signed-off-by: Simon Glass <sjg@chromium.org>
This is printed twice but we only need one message, since there is very
little processing in between them. Drop the second one, since all branches
of the switch() already have output. Update the U-Boot message to include
the phase being jumped to.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some compression algorithms currently can be enabled for SPL and
U-Boot proper separately. Therefore take into account USE_HOSTCC
is well as CONFIG_IS_ENABLED() in these cases to prevent compiling these
functions in case of a host tool build.
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
The OUT endpoint can just be ignored as it is not used, just as the
corresponding Set_Report request for IN-only interfaces. E.g. the
Linux gadget hid keyboard also provides an interrupt endpoint.
Also cleanup confusing debug messages like "found set protocol", which
is printed when a keyboard device is found, while the Set_Protocol request
is issued quite some time later.
Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Having the ability to support firmware FIT signatures on the SPL sounds
not so useful if the SPL is not supporting to load a (U-boot) firmware
as a FIT image.
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Selecting SPL_FIT_SIGNATURE (without selecting U-boot proper
verified boot first) breaks the build due to
CONFIG_FIT_SIGNATURE_MAX_SIZE being undefined, in addition to Kconfig
warnings on RSA and IMAGE_SIGN_INFO unmet dependencies.
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Sometimes it is useful to boot OS with already fixed-up
device tree. Check for env variable 'skip_board_fixup'
before calling ft_board_setup().
Current behaviour is unchanged, additionally user can
set skip_board_fixup to 1 to skip the fixup.
Signed-off-by: Wasim Khan <wasim.khan@nxp.com>
OF_STDOUT_PATH was meant to hold the devicetree path to the serial
console, to be put into the linux,stdout-path property of the chosen node.
The only user of that was sunxi, and it was actually wrong for years
there: the paths hardcoded in sunxi_common.h were not matching the DTs,
evident by the leading 0's in nodenames, which have been removed years
ago.
On top of that, "linux,stdout-path" is now deprecated for a while (Linux
commit 2a9d832cc9aae from November 2014), and also all modern DTs
(including those included in U-Boot) carry a "stdout-path" property
already.
So remove the stanza from sunxi_common.h, and, since this was the last
user, also remove the associated bits from the rest of U-Boot.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Fix -Wint-to-pointer-cast warning
common/splash_source.c: In function 'splash_load_raw':
common/splash_source.c💯12: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
100 | bmp_hdr = (struct bmp_header *)bmp_load_addr;
| ^
common/splash_source.c: In function 'splash_sf_read_raw':
common/splash_source.c:39:47: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
39 | return spi_flash_read(sf, offset, read_size, (void *)bmp_load_addr);
| ^
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add the following functions to get a specific device's DMA ranges:
- dev_get_dma_range()
- ofnode_get_dma_range()
- of_get_dma_range()
- fdt_get_dma_range()
They are specially useful in oder to be able validate a physical address
space range into a bus's and to convert addresses from and to address
spaces.
Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Peter Robinson <pbrobinson@gmail.com>
Signed-off-by: Matthias Brugger <mbrugger@suse.com>
When a FIT config specifies a devicetree, we should load it, no
questions asked. In the case of the "simple" FIT loading path, a
difficulty arises in selecting the load address of the FDT.
The default FDT location is right after the "kernel" or "firmware"
image. However, if that is an OP-TEE image, then the FDT may end up in
secure DRAM, and not be accessible to normal world kernels.
Although the best solution is to be more careful about the FDT
address, a viable workaround is to only append the FDT after a u-boot
or Linux image. This is identical to the previous logic, except that
FDT loading is extended to IH_OS_LINUX images.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Use the IS_ENABLED() macro to control code flow, instead of the
caveman approach of sprinkling #ifdefs. Code size is not affected, as
the linker garbage-collects unused functions. However, readability is
improved significantly.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The configuration node a sub node under "/configurations", which
describes the components to load from "/images". We only need to
locate this node once.
However, for each component, spl_fit_get_image_name() would parse the
FIT image, looking for the correct node. Such work duplication is not
necessary. Instead, once the node is found, cache it, and re-use it.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When a desired configuration is not found, conf_node will have a
negative value. Thus the for loop will start at the root "/" node of
the image, print the "/description" property, and stop.
It appears the intent of the loop was to print the names of the
subnodes under "/configurations". We would need the offset to the
"/configurations" node, which is abstracted by fit_find_config_node().
This change agrees that abstracting the node offset is the correct
design, and we shouldn't be parsing the configurations manually. Thus
the loop in spl_fit_get_image_name() is useless. Remove it.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Several loose arguments describe the FIT image. They are thus related,
and it makes sense to pass them together, in a structure. Examples
include the FIT blob pointer, offset to FDT nodes, and the offset to
external data.
Use a spl_fit_info structure to group these parameters.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The logical steps in spl_load_simple_fit() are difficult to follow.
I think the long comments, ifdefs, and ungodly number of variables
seriously affect the readability. In particular, it violates section 6
of the coding style, paragraphs (3), and (4).
The purpose of this patch is to improve the situation by
- Factoring out initialization and parsing to separate functions
- Reduce the number of variables by using a context structure
This change introduces no functional changes.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The size is derived from the FIT image itself. Any alignment
requirements are machine-specific and known by the board code. Thus
the total length can be derived from the FIT image and knowledge of
the platform. The 'length' argument is redundant. Remove it.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
CC: Matt Porter <mporter@konsulko.com>
In case of IOMUX enabled it assumes that console devices in the list
are available to get them stopped properly via ->stop() callback.
However, the USB keyboard driver violates this assumption and tries
to play tricks so the device get destroyed while being listed as
an active console.
Swap the order of device deregistration and IOMUX update along with
converting to use iomux_replace_device() jelper to avoid the use-after-free.
Fixes: 3cbcb28928 ("usb: Fix usb_kbd_deregister when console-muxing is used")
Fixes: 8a83487030 ("dm: usb: Add a remove() method for USB keyboards")
Reported-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Some console devices may appear or disappear at run time. In order to
support such a hotplug mechanism introduce a new iomux_replace_device()
helper to update the list of devices without altering environment.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
It is not only less lines of code, but also better readability
when new macro is being in use. Introduce for_each_console_dev()
helper macro and convert current users to it.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Logical continuation of the change that brought console_devices_set() is
to unify console_setfile() with it and replace in the callers.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
console_devices_set() missed the console device counter to be set correctly.
Fixes: 45375adc97 ("console: add function console_devices_set")
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
It's possible that NULLDEV can be disabled while it makes leftovers,
move entire device under #if.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Nobody is using stdio_deregister(), remove for good.
Note, even its parameters are not consistent with stdio_register().
So, if anyone want to introduce this again, better with some consistency.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Using unit addresses in a FIT is a security risk. Add a check for this
and disallow it.
CVE-2021-27138
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.
Enable this by default if signature verification is enabled.
CVE-2021-27097
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
At present this function does not accept a size for the FIT. This means
that it must be read from the FIT itself, introducing potential security
risk. Update the function to include a size parameter, which can be
invalid, in which case fit_check_format() calculates it.
For now no callers pass the size, but this can be updated later.
Also adjust the return value to an error code so that all the different
types of problems can be distinguished by the user.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
When searching for a node called 'fred', any unit address appended to the
name is ignored by libfdt, meaning that 'fred' can match 'fred@1'. This
means that we cannot be sure that the node originally intended is the one
that is used.
Disallow use of nodes with unit addresses.
Update the forge test also, since it uses @ addresses.
CVE-2021-27138
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
At present fdt_find_regions() assumes that the FIT is a valid devicetree.
If the FIT has two root nodes this is currently not detected in this
function, nor does libfdt's fdt_check_full() notice. Also it is possible
for the root node to have a name even though it should not.
Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is
detected.
CVE-2021-27097
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Move this out of the common header and include it only where needed. In
a number of cases this requires adding "struct udevice;" to avoid adding
another large header or in other cases replacing / adding missing header
files that had been pulled in, very indirectly. Finally, we have a few
cases where we did not need to include <asm/global_data.h> at all, so
remove that include.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Config allows to disable printing contents of fitImage to optimize boottime.
Signed-off-by: Ravik Hasija <rahasij@linux.microsoft.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
It is useful to know the TEXT_BASE value for the image being loaded in
TPL/SPL. Add a new spl_get_image_text_base() function to handle this.
Make use of this in the x86 SPL handler, instead of having the logic
there.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reinitialize DFU USB gadget after flashing the 'SCRIPT' entity to ensure
that the potential changes to the 'dfu_alt_info' environment variable are
applied.
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
[lukma - I've moved the bool retry to avoid build (CI) errors]
AVB Verified Boot uses functions related to MMC.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Igor Opaniuk <igor.opaniuk@foundries.io>
If both stop key and delay key are empty, the length of these
keys is 0. The subtraction operation will cause the u_int type
variable to overflow, will cause illegal memory access in key
input loop.
This commit fixes this bug by using int type instead of u_init.
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Add tag names for recently added types.
Fixes: d2cb7a22da (x86: Allow putting some tables in the bloblist)
Signed-off-by: Simon Glass <sjg@chromium.org>
Typically in TPL/SPL the bloblist is quite small. But U-Boot proper may
want to add a lot more to it, such as ACPI tables.
Add a way to expand the bloblist by relocating it in U-Boot proper, along
with the other relocation activities.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is useful to be able to figure out which phase we are loading next and
which phase we came from. Add some functions to handle this as well as
returning the name of a phase. This allows messages like "Booting to x"
where x is the next phase.
At present, TPL says 'Jumping to U-Boot' at the end, when in fact it is
jumping to SPL. This is confusing, so use the new functions to correct
this.
Tests for this will come with an upcoming minor SPL test refactor.
Signed-off-by: Simon Glass <sjg@chromium.org>
In fit_config_verify_sig(), when no 'signature*' subnode exists in
the configuration node, the fdt_for_each_subnode() loop is a no-op.
Therefore, no error flags are set, and 'err_,sg' is not populated
with an error string. This is incorrect behavior.
Populate err_msg to indicate that no 'signature' is found, before
entering the loop. The first call to fit_image_verify_sig() will
override clear err_msg, or set it to a more specific message.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This commit add an option TPL_BOOTCOUNT_LIMIT to
use bootcount on TPL.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
H616 supports and needs bigger SPL than 32 KiB, mostly due to big DRAM
driver and need for PMIC configuration, which pulls several drivers which
are not needed otherwise.
spl_mmc_get_uboot_raw_sector() will now compare pre-configured size with
that, reported in SPL header. If size in header is bigger, it will use
that value instead.
In the process of function rework, also add missing function argument.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Reviewed-by: Samuel Holland <samuel@sholland.org>
It turns out that there are at least 2 other SoCs which have basically
the same memory map, similar clocks and other features as H6. It's very
likely that we'll see more such SoCs in the future. In order to ease
porting to new SoCs and lower ifdef clutter, introduce common symbol for
them.
Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Reviewed-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
When CONFIG_FIT_CIPHER=y and CONFIG_FIT_SIGNATURE=n is there is no
implementation of image_get_host_blob for mkimage/dumpimage:
/usr/bin/ld: tools/common/image-cipher.o: in function `fit_image_decrypt_data':
image-cipher.c:(.text+0x9a): undefined reference to `image_get_host_blob'
Move the implementation to a common file so it can be shaed between
image-cipher.c and image-fit-sig.c.
Signed-off-by: Joel Stanley <joel@jms.id.au>
obj-$(CONFIG_$(SPL_TPL_)YMODEM_SUPPORT) += xyzModem.o is there,
no need obj-$(CONFIG_SPL_YMODEM_SUPPORT) += xyzModem.o
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Remove the #if 0 present since the first version of console.c
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
With our optimization settings the linker eliminates unused functions.
But for debugging it is better to compile with -Og or -O0. With -O0
compiling the sandbox fails due to the missing function fixup_cmdtable()
called by dm_reloc() and others.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
When the hash check fails on a loadable image, the SPL/TPL simply
jump to the next one. This commit changes this behaviour, when the
hash check fails on a loadable image, the function spl_load_simple_fit
stops and report an error.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
There should be no need to insert non-printable characters
and this prevents line editing getting confused.
Signed-off-by: Steve Bennett <steveb@workware.net.au>
Adds an optional SALT value to AUTOBOOT_STOP_STR_SHA256. If a string
followed by a ":" is prepended to the sha256, the portion to the left
of the colon will be used as a salt and the password will be appended
to the salt before the sha256 is computed and compared.
Signed-off-by: Joel Peshkin <joel.peshkin@broadcom.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Bin Meng <bmeng.cn@gmail.com>
Cc: Patrick Delaunay <patrick.delaunay@st.com>
Cc: Heiko Schocher <hs@denx.de>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Joel Peshkin <joel.peshkin@broadcom.com>
To: u-boot@lists.denx.de
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heiko Schocher <hs@denx.de>
When at some point environment shrinks we need to stop dropped devices.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Obviously the following has unnecessary indentation level in 'else' branch.
if (foo) {
...
return;
} else {
...
}
Drop indentation level by removing redundant 'else'.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Refactor iomux_doenv() a bit in order to increase readability.
There is no change in code generation on x86.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
It's realloc() 101 to avoid `foo = realloc(foo, ...);` call
due to getting a memory leak.
Actually it's not clear why realloc() has been used here.
If we shrink the array, the memcpy() overwrites it anyway
with the contents of a new array. If it becomes bigger,
same story.
Drop useless realloc() for good and thus preserve console list
in case of failed allocation.
Fixes: 16a28ef219 ("IOMUX: Add console multiplexing support.")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Rename search_device() to console_search_dev() since it's in console.h.
Suggested-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
There is no need to call ->start() for already started device. All the same,
there is no need to call ->stop() for devices still in use.
For now enforce this only for IOMUX case.
Cc: Simon Glass <sjg@chromium.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In the future we would like to stop unused consoles and
also add a reference counting to avoid imbalanced calls
to ->start() and ->stop() in some cases.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add the helper function console_has_tstc() and replace the test
#if CONFIG_IS_ENABLED(CONSOLE_MUX) to a simple 'if' test to
respect the U-Boot coding rule.
No functional change.
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add helper functions to access to gd->console_out and gd->console_in
with membuff API and replace the #ifdef CONFIG_CONSOLE_RECORD test
by if (IS_ENABLED(CONFIG_CONSOLE_RECORD)) to respect the U-Boot
coding rule.
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a new function to access to console_devices only defined if
CONFIG_IS_ENABLED(CONSOLE_MUX).
This path allows to remove #if CONFIG_IS_ENABLED(CONSOLE_MUX)
in console_getc function.
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Remove #ifdef or #ifndef for CONFIG when it is possible to simplify
the console.c code and respect the U-Boot coding rules.
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
CONFIG_HANDOFF is used in u-boot proper to locate handoff info from SPL
during pre-relocation init (in setup_spl_handoff). Add explicit dependency
on CONFIG_SPL, to fix the following build error when CONFIG_HANDOFF &&
!CONFIG_SPL:
common/board_f.c: In function ‘setup_spl_handoff’:
common/board_f.c:283:4: error: ‘gd_t {aka struct global_data}’
has no member named ‘spl_handoff’
gd->spl_handoff = bloblist_find(BLOBLISTT_SPL_HANDOFF,
^~
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In order to remove the arch-specific ifdefs around initr_trap, introduce
arch_initr_trap weak initcall. Implementations for ppc/m68k/mips have
been moved to arch/<arch>/lib/traps.c
Default implementation is a nop stub.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Add a return value to bb_miiphy_init and use it directly in the
post-relocation init sequence, rather than using a wrapper stub.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a return value to api_init and use it directly in the
post-relocation init sequence, rather than using a wrapper stub.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a return value to jumptable_init and use it directly in the
post-relocation init sequence, rather than using a wrapper stub.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a return value to xen_init and use it directly in the
post-relocation init sequence, rather than using a wrapper stub.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a return value to noncached_init and use it directly in the
post-relocation init sequence, rather than using a wrapper stub.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a return value to pci_init and use it directly in the post-relocation
init sequence, rather than using a wrapper stub.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a return value to pci_ep_init and use it directly in the
post-relocation init sequence, rather than using a wrapper stub.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a return value to post_output_backlog and use it directly in the
post-relocation init sequence, rather than using a wrapper stub.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a return value to cpu_secondary_init_r and use it directly in the
post-relocation init sequence, rather than using a wrapper stub.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Drop initr_console_record wrapper and call console_record_init directly.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Use IS_ENABLED(CONFIG_OF_EMBED) in instead of #ifdefs in reserve_fdt,
reloc_fdt functions.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
setup_bdinfo is used to populate various bdinfo fields, so move
setup_machine code there, as all it does is setting
gd->bd->bi_arch_number.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Use IS_ENABLED(CONFIG_TIMER_EARLY) instead of #ifdef in initf_dm. Also,
move timer code to the main ifdef, so that ret is defined.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Drop initf_console_record wrapper and call console_record_init directly.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Currently, the following #ifdef construct is used to check whether to run
console_record_init() during pre-relocation init:
defined(CONFIG_CONSOLE_RECORD) && CONFIG_VAL(SYS_MALLOC_F_LEN)
Introduce CONFIG_CONSOLE_RECORD_INIT_F Kconfig option to get rid of the
complex ifdef check. Also, use IS_ENABLED() instead of #ifdef.
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reduce the log overhead when the traces are filtered,
by moving the vsnprintf call from _log() to log_dispatch().
This patch avoids the printf treatment when LOG features is
activated, but trace is filtered, for example when
MAX_LOG_LEVEL=8 and LOG_DEFAULT_LEVEL=6.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Allow to record the console output before before U-Boot
has a console ready.
This patch allows to test the console output in sandbox test
based on console record.
It is possible because GD_FLG_RECORD and GD_FLG_SERIAL_READY
are 2 independent flags.
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reorder test on gd value and remove the duplicated test (!gd)
in putc and puts function.
This patch is a preliminary step for rework of this function.
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Use the console puts functions to output the traces before
the log initialization (when CONFIG_LOG is not activated).
This patch allows to display the first U-Boot traces
(with macro debug) when CONFIG_DEBUG_UART is activated
and not only drop them.
For example for traces in board_f.c requested by the macro debug,
when LOG_DEBUG is defined and CONFIG_LOG is activated.
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Update _log function to drop any traces when log is yet initialized:
vsnprintf is no more executed in this case.
This patch allows to reduce the cost for the dropped early debug trace.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
fit_check_format() must check that the buffer contains a flattened device
tree before calling any device tree library functions.
Failure to do may cause segmentation faults.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
- DM support for OMAP PWM backlight
- USB host mode support for AM654
- Minor SPI fixes
- Add support k2g ice board with 1GHz silicon
- Fix GTC programming for K3 devices
The __of_translate_address routine translates an address from the
device tree into a CPU physical address. A note in the description of
the routine explains that the crossing of any level with
since inherited from IBM. This does not happen for Texas Instruments, or
at least for the beaglebone device tree. Without this patch, in fact,
the translation into physical addresses of the registers contained in the
am33xx-clocks.dtsi nodes would not be possible. They all have a parent
with #size-cells = <0>.
The CONFIG_OF_TRANSLATE_ZERO_SIZE_CELLS symbol makes translation
possible even in the case of crossing levels with #size-cells = <0>.
The patch acts conservatively on address translation, except for
removing a check within the of_translate_one function in the
drivers/core/of_addr.c file:
+
ranges = of_get_property(parent, rprop, &rlen);
- if (ranges == NULL && !of_empty_ranges_quirk(parent)) {
- debug("no ranges; cannot translate\n");
- return 1;
- }
if (ranges == NULL || rlen == 0) {
offset = of_read_number(addr, na);
memset(addr, 0, pna * 4);
debug("empty ranges; 1:1 translation\n");
There are two reasons:
1 The function of_empty_ranges_quirk always returns false, invalidating
the following if statement in case of null ranges. Therefore one of
the two checks is useless.
2 The implementation of the of_translate_one function found in the
common/fdt_support.c file has removed this check while keeping the one
about the 1:1 translation.
The patch adds a test and modifies a check for the correctness of an
address in the case of enabling translation also for zero size cells.
The added test checks translations of addresses generated by nodes of
a device tree similar to those you can find in the files am33xx.dtsi
and am33xx-clocks.dtsi for which the patch was created.
The patch was also tested on a beaglebone black board. The addresses
generated for the registers of the loaded drivers are those specified
by the AM335x reference manual.
Signed-off-by: Dario Binacchi <dariobin@libero.it>
Tested-by: Dario Binacchi <dariobin@libero.it>
Reviewed-by: Simon Glass <sjg@chromium.org>
So far we used the separate mksunxiboot tool for generating a bootable
image for Allwinner SPLs, probably just for historical reasons.
Use the mkimage framework to generate a so called eGON image the
Allwinner BROM expects.
The new image type is called "sunxi_egon", to differentiate it
from the (still to be implemented) secure boot TOC0 image.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Jernej Skrabec <jernej.skrabec@siol.net>
Reviewed-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
arm64:
- DT updates
microblaze:
- Add support for NOR device support
spi:
- Fix unaligned data write issue
nand:
- Minor code change
xilinx:
- Fru fix in limit calculation
- Fill git repo link for all Xilinx boards
video:
- Add support for seps525 spi display
tools:
- Minor Vitis file support
cmd/common
- Minor code indentation fixes
serial:
- Uartlite debug uart initialization fix
-----BEGIN PGP SIGNATURE-----
iFsEABECAB0WIQQbPNTMvXmYlBPRwx7KSWXLKUoMIQUCX/ROlgAKCRDKSWXLKUoM
IRC5AIkBzg4Sz8fQgdCiOK89k7tdFKMAnA9SYhgm4TSCzffZCJwnm78QoGAC
=4FnY
-----END PGP SIGNATURE-----
Merge tag 'xilinx-for-v2021.04' of https://gitlab.denx.de/u-boot/custodians/u-boot-microblaze into next
Xilinx changes for v2021.04
arm64:
- DT updates
microblaze:
- Add support for NOR device support
spi:
- Fix unaligned data write issue
nand:
- Minor code change
xilinx:
- Fru fix in limit calculation
- Fill git repo link for all Xilinx boards
video:
- Add support for seps525 spi display
tools:
- Minor Vitis file support
cmd/common
- Minor code indentation fixes
serial:
- Uartlite debug uart initialization fix
This uses up space in the SPL binary but it always starts as zero. Also
some boards cannot support data in TPL (e.g. Intel Apollo Lake).
Use malloc() to allocate this structure instead, by moving the init a
little later, after malloc() is inited. Make this function optional since
it pulls in malloc().
This reduces the TPL binary size on coral by about 64 bytes
Signed-off-by: Simon Glass <sjg@chromium.org>
Support reusing board_fit_config_name_match() to automatically
select a sensible default configuration for booting fitImages
using 'bootm'.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Replace most #ifdef checks for USE_HOSTCC and CONFIG_*
with normal if instructions.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Check for negative return value of fdt_noffset from calling
boot_get_fdt_fit().
Signed-off-by: Hongwei Zhang <hongweiz@ami.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
We use 'priv' for private data but often use 'platdata' for platform data.
We can't really use 'pdata' since that is ambiguous (it could mean private
or platform data).
Rename some of the latter variables to end with 'plat' for consistency.
Signed-off-by: Simon Glass <sjg@chromium.org>
This construct is quite long-winded. In earlier days it made some sense
since auto-allocation was a strange concept. But with driver model now
used pretty universally, we can shorten this to 'auto'. This reduces
verbosity and makes it easier to read.
Coincidentally it also ensures that every declaration is on one line,
thus making dtoc's job easier.
Signed-off-by: Simon Glass <sjg@chromium.org>
Fit images were loaded to a buffer provided by spl_get_load_buffer().
This may work when the FIT image is small and fits between the start
of DRAM and SYS_TEXT_BASE.
One problem with this approach is that the location of the buffer may
be manipulated by changing the 'size' field of the FIT. A maliciously
crafted FIT image could place the buffer over executable code and be
able to take control of SPL. This is unacceptable for secure boot of
signed FIT images.
Another problem is with larger FIT images, usually containing one or
more linux kernels. In such cases the buffer be be large enough so as
to start before DRAM (Figure I). Trying to load an image in this case
has undefined behavior.
For example, on stm32mp1, the MMC controller hits a RX overrun error,
and aborts loading.
_________________
| FIT Image |
| |
/===================\ /=====================\
|| DRAM || | DRAM |
|| || | |
||_________________|| SYS_TEXT_BASE | ___________________ |
| | || FIT Image ||
| | || ||
| _________________ | SYS_SPL_MALLOC_START || _________________ ||
|| malloc() data || ||| malloc() data |||
||_________________|| |||_________________|||
| | ||___________________||
| | | |
Figure I Figure II
One possibility that was analyzed was to remove the negative offset,
such that the buffer starts at SYS_TEXT_BASE. This is not a proper
solution because on a number of platforms, the malloc buffer() is
placed at a fixed address, usually after SYS_TEXT_BASE. A large
enough FIT image could cause the malloc()'d data to be overwritten
(Figure II) when loading.
/======================\
| DRAM |
| |
| | CONFIG_SYS_TEXT_BASE
| |
| |
| ____________________ | CONFIG_SYS_SPL_MALLOC_START
|| malloc() data ||
|| ||
|| __________________ ||
||| FIT Image |||
||| |||
||| |||
Figure III
The solution proposed here is to replace the ad-hoc heuristics of
spl_get_load_buffer() with malloc(). This provides two advantages:
* Bounds checking of the buffer region
* Guarantees the buffer does not conflict with other memory
The first problem is solved by constraining the buffer such that it
will not overlap currently executing code. This eliminates the chance
of a malicious FIT being able to replace the executing SPL code prior
to signature checking.
The second problem is solved in conjunction with increasing
CONFIG_SYS_SPL_MALLOC_SIZE. Since the SPL malloc() region is
carefully crafted on a per-platform basis, the chances of memory
conflicts are virtually eliminated.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
In some cases it is necessary to pass parameters to Linux so that it will
boot correctly. For example, the rootdev parameter is often used to
specify the root device. However the root device may change depending on
whence U-Boot loads the kernel. At present it is necessary to build up
the command line by adding device strings to it one by one.
It is often more convenient to provide a template for bootargs, with
U-Boot doing the substitution from other environment variables.
Add a way to substitute strings in the bootargs variable. This allows
things like "rootdev=${rootdev}" to be used in bootargs, with the
${rootdev} substitution providing the UUID of the root device.
For example, to substitute the GUID of the kernel partition:
setenv bootargs "console=/dev/ttyS0 rootdev=${uuid}/PARTNROFF=1
kern_guid=${uuid}"
part uuid mmc 2:2 uuid
bootm
This is particularly useful when the command line from another place. For
example, Chrome OS stores the command line next to the kernel itself. It
depends on the kernel version being used as well as the hardware features,
so it is extremely difficult to devise a U-Boot script that works on all
boards and kernel versions. With this feature, the command line can be
read from disk and used directly, with a few substitutions set up.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present cli_simple_process_macros() requires that the caller provide
an output buffer that is exactly CONFIG_SYS_CBSIZE bytes in length. This
makes sense since it is designed to be used from the command line. But we
also want to use it for bootargs substitution.
Update the function to allow the caller to specify the buffer size. Also
return an error if the buffer is exhausted. The caller can ignore that if
preferred.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present we only support updating the 'bootargs' environment
variable. Add another function to update a buffer instead. This will
allow zimage to use this feature.
Also add a lot more tests to cover various cases.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present only one transformation is supported: making the Linux console
silent. To prepare for adding more, convert the boolean parameter into a
flag value.
Signed-off-by: Simon Glass <sjg@chromium.org>