In commit a1274cc94a ("ARM: Page align secure section only when it is
executed in situ"), we used output section attributes (the "ALIGN"
keyword after the colon) to specify the alignment requirements. Using
the constant "COMMONPAGE" there was recently broken in binutils 2.31 [1].
Binutils maintainer Alan Modra suggested the former method would still
work. Since both methods achieve the same result, this patch does just
that. This fixes the "reboot after bootm" issue we've been seeing on
sunxi when booting non-secure.
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=23571
Suggested-by: Alan Modra <amodra@gmail.com>
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Acked-by: Jagan Teki <jagan@openedev.com>
Some times gcc may generate data that is then used within code that may
be part of an efi runtime section. That data could be jump tables,
constants or strings.
In order to make sure we catch these, we need to ensure that gcc emits
them into a section that we can relocate together with all the other
efi runtime bits. This only works if the -ffunction-sections and
-fdata-sections flags are passed and the efi runtime functions are
in a section that starts with ".text".
Up to now we had all efi runtime bits in sections that did not
interfere with the normal section naming scheme, but this forces
us to do so. Hence we need to move the efi_loader text/data/rodata
sections before the global *(.text*) catch-all section.
With this patch in place, we should hopefully have an easier time
to extend the efi runtime functionality in the future.
Signed-off-by: Alexander Graf <agraf@suse.de>
[agraf: Fix x86_64 breakage]
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
It turns out this change was not intended to be merged and as such,
revert it.
This reverts commit cdde7de036.
Reported-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Using u-boot-2017.05 on i.MX6UL we ran into following problem:
Initially U-Boot could be started normally.
If we added one random command in configuration, the newly generated
image hung at startup (last output was DRAM: 256 MiB).
We tracked this down to a data abort within relocation (relocated_code).
relocated_code in arch/arm/lib/relocate.S copies 8 bytes per loop
iteration until the source pointer is equal to __image_copy_end.
In a good case __image_copy_end was aligned to 8 bytes, so the loop
stopped as suggested, but in an errornous case __image_copy_end was
not aligned to 8 bytes, so the loop ran out of bounds and caused a
data abort exception.
This patches solves the issue by aligning __image_copy_end to 8 byte
using the linker script related to arm.
I don't know if it's the correct way to solve this, so some review would
be very appreciated.
Jon Master reports that QEMU refuses to load a U-Boot image built
with CONFIG_ARMV7_NONSEC, but without CONFIG_ARMV7_PSCI since
commit 5a3aae68c7 ("ARM: armv7: guard memory reserve for PSCI
with #ifdef CONFIG_ARMV7_PSCI").
It looks like only PSCI that needs the Secure stack, so move
the #ifdef to guard the whole of .secure_stack allocation in order
not to create the empty section.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reported-by: Jon Masters <jcm@redhat.com>
Link: http://patchwork.ozlabs.org/patch/664025/
If CONFIG_ARMV7_NONSEC is enabled, the linker script requires
CONFIG_ARMV7_PSCI_NR_CPUS regardless of CONFIG_ARMV7_PSCI.
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
The secure monitor may need to store global or static values within the
secure section of memory, such as target PC or CPU power status.
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
As the PSCI implementation grows, we might exceed the size of the secure
memory that holds the firmware.
Add a configurable CONFIG_ARMV7_SECURE_MAX_SIZE so platforms can define
how much secure memory is available. The linker then checks the size of
the whole secure section against this.
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Until now we've been using memory beyond psci_text_end as stack space
for the secure monitor or PSCI implementation, even if space was not
allocated for it.
This was partially fixed in ("ARM: allocate extra space for PSCI stack
in secure section during link phase"). However, calculating stack space
from psci_text_end in one place, while allocating the space in another
is error prone.
This patch adds a separate empty secure stack section, with space for
CONFIG_ARMV7_PSCI_NR_CPUS stacks, each 1 KB. There's also
__secure_stack_start and __secure_stack_end symbols. The linker script
handles calculating the correct VMAs for the stack section. For
platforms that relocate/copy the secure monitor before using it, the
space is not allocated in the executable, saving space.
For platforms that do not define CONFIG_ARMV7_PSCI_NR_CPUS, a whole page
of stack space for 4 CPUs is allocated, matching the previous behavior.
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Targets that define CONFIG_ARMV7_SECURE_BASE will copy the secure section
to another address before execution.
Since the secure section in the u-boot image is only storage, there's
no reason to page align it and increase the binary image size.
Page align the secure section only when CONFIG_ARMV7_SECURE_BASE is not
defined. And instead of just aligning the __secure_start symbol, align
the whole .__secure_start section. This also makes the section empty,
so we need to add KEEP() to the input entry to prevent the section from
being garbage collected.
Also use ld constant "COMMONPAGESIZE" instead of hardcoded page size.
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
The PSCI implementation expects at most 2 pages worth of space reserved
at the end of the secure section for its stacks. If PSCI is relocated to
secure SRAM, then everything is fine. If no secure SRAM is available,
and PSCI remains in main memory, the reserved memory space doesn't cover
the space used by the stack.
If one accesses PSCI after Linux has fully booted, the memory that should
have been reserved for the PSCI stacks may have been used by the kernel
or userspace, and would be corrupted. Observed after effects include the
system hanging or telinit core dumping when trying to reboot. It seems
the init process gets hit the most on my test bed.
This fix allocates the space used by the PSCI stacks in the secure
section by skipping pages in the linker script, but only when there is
no secure SRAM, to avoid bloating the binary.
This fix is only a stop gap. It would be better to rework the stack
allocation mechanism, maybe with proper usage of CONFIG_ macros and an
explicit symbol.
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Update the link script to drop this code when not needed. This is only done
for two architectures at present.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
After booting has finished, EFI allows firmware to still interact with the OS
using the "runtime services". These callbacks live in a separate address space,
since they are available long after U-Boot has been overwritten by the OS.
This patch adds enough framework for arbitrary code inside of U-Boot to become
a runtime service with the right section attributes set. For now, we don't make
use of it yet though.
We could maybe in the future map U-boot environment variables to EFI variables
here.
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>
"DISCARD" will remove ._secure.text relocate, but PSCI framework
has already used some absolute address those need to relocate.
Use readelf -t -r u-boot show us:
.__secure_start addr: 601408e4
.__secure_end addr: 60141460
60141140 00000017 R_ARM_RELATIVE
46 _secure_monitor:
47 #ifdef CONFIG_ARMV7_PSCI
48 ldr r5, =_psci_vectors
60141194 00000017 R_ARM_RELATIVE
6014119c 00000017 R_ARM_RELATIVE
601411a4 00000017 R_ARM_RELATIVE
601411ac 00000017 R_ARM_RELATIVE
64 _psci_table:
66 .word psci_cpu_suspend
...
72 .word psci_migrate
60141344 00000017 R_ARM_RELATIVE
6014145c 00000017 R_ARM_RELATIVE
202 ldr r5, =psci_text_end
Solutions:
1. Change absolute address to RelAdr.
Based on LDR (immediate, ARM), we only have 4K offset to jump.
Now PSCI code size is close to 4K size that is LDR limit jump size,
so even if the LDR is based on the current instruction address,
there is also have a risk for RelAdr. If we use two jump steps I
think we can fix this issue, but looks too hack, so give up this way.
2. Enable "DISCARD" only for CONFIG_ARMV7_SECURE_BASE has defined.
If CONFIG_ARMV7_SECURE_BASE is defined in platform, all of secure
will in the BASE address that is absolute.
Signed-off-by: Wang Dongsheng <dongsheng.wang@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
The code such as PSCI in section named secure is bundled with
u-boot image, and when bootm, the code will be copied to their
runtime address same to compliation/linking address -
CONFIG_ARMV7_SECURE_BASE.
When compile the PSCI code and link it into the u-boot image,
there will be relocation entries in .rel.dyn section for PSCI.
Actually, we do not needs these relocation entries.
If still keep the relocation entries in .rel.dyn section,
r0 at line 103 and 106 in arch/arm/lib/relocate.S may be an invalid
address which may not support read/write for one SoC.
102 /* relative fix: increase location by offset */
103 add r0, r0, r4
104 ldr r1, [r0]
105 add r1, r1, r4
106 str r1, [r0]
So discard them to avoid touching the relocation entry in
arch/arm/lib/relocate.S.
Signed-off-by: Peng Fan <Peng.Fan@freescale.com>
Cc: Tom Warren <twarren@nvidia.com>
Cc: York Sun <yorksun@freescale.com>
Cc: Hans De Goede <hdegoede@redhat.com>
Cc: Ian Campbell <ijc@hellion.org.uk>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Tom Rini <trini@konsulko.com>
Cc: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Stefano Babic <sbabic@denx.de>
Acked-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
CONFIG_ARMV7_VIRT depends on CONFIG_ARMV7_NONSEC, thus doesn't need to
be taken into account additionally. CONFIG_ARMV7_PSCI is only set on
boards that support CONFIG_ARMV7_NONSEC, and it only works on those.
CC: Tang Yuantian <Yuantian.Tang@freescale.com>
CC: York Sun <yorksun@freescale.com>
CC: Steve Rae <srae@broadcom.com>
CC: Andre Przywara <andre.przywara@linaro.org>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Tested-by: Alison Wang <alison.wang@freescale.com>
Signed-off-by: Tom Warren <twarren@nvidia.com>
In anticipation of refactoring the HYP/non-secure code to run
from secure RAM, add a new linker section that will contain that
code.
Nothing is using it just yet.
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Acked-by: Ian Campbell <ijc@hellion.org.uk>
Exception handling is basically identical for all ARM targets.
Factorize it out of the various start.S files and into a
single vectors.S file, and adjust linker scripts accordingly.
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Avoids "could not find output section .gnu.hash" ld.bfd errors on openSUSE.
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Tom Rini <trini@ti.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Acked-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>
This prevents references to _end from generating absolute
relocation records.
This change is binary invariant for ARM targets.
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Some targets will build fine but not boot if sections .hash and
.got.plt are not present in the binary. Add them back.
Also, Exynos machines require .machine_param section in SPL.
Add it.
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Tested-by: Rajeshwari S Shinde <rajeshwari.s@samsung.com>
Current LDS files /DISCARD/ a lot of sections when linking ELF
files, causing diagnostic tools such as readelf or objdump to
produce partial output. Keep all section at link stage, filter
only at objcopy time so that .bin remains minimal.
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Reviewed-by: Benoît Thébaudeau <benoit.thebaudeau@advansee.com>
Remove ARM eabi exception handling tables (for frame unwinding).
AFAICT, u-boot stubs away the frame unwiding routines, so the tables will
more or less just consume space. It should be OK to remove them.
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
This change is only done where needed: some linker
scripts may contain relocation symbols yet remain
unchanged.
__rel_dyn_start and __rel_dyn_end each requires
its own output section; putting them in relocation
sections changes their flags and breaks relocation.
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Tested-by: Lubomir Popov <lpopov@mm-sol.com>
Tested-by: Jeroen Hofstee <jeroen@myspectrum.nl>
Reviewed-by: Benoît Thébaudeau <benoit.thebaudeau@advansee.com>
This change is only done where needed: some linker
scripts may contain __image_copy_{start,end} yet
remain unchanged.
Also, __image_copy_end needs its own section; putting
it in relocation sections changes their flags and makes
relocation break.
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Tested-by: Lubomir Popov <lpopov@mm-sol.com>
Tested-by: Jeroen Hofstee <jeroen@myspectrum.nl>
Reviewed-by: Benoît Thébaudeau <benoit.thebaudeau@advansee.com>
Discard all .dynsym sections from linker scripts
Remove all __dynsym_start definitions from linker scripts
Remove all __dynsym_start references from the codebase
Note: this touches include/asm-generic/sections.h, which
is not ARM-specific, but actual uses of __dynsym_start
are only in ARM, so this patch can safely go through
the ARM repository.
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Tested-by: Lubomir Popov <lpopov@mm-sol.com>
Tested-by: Jeroen Hofstee <jeroen@myspectrum.nl>
Reviewed-by: Benoît Thébaudeau <benoit.thebaudeau@advansee.com>
Remove SPL-related ASSERT() in arch/arm/cpu/u-boot.lds
as this file is never used for SPL builds.
Rewrite the ASSERT() in arch/arm/cpu/u-boot-spl.lds
to separately test image (text,data,rodata...) size,
BSS size, and full footprint each against its own max,
and make Tegra boards check full footprint.
Also, output section mmutable is not used in SPL builds.
Remove it.
Finally, update README regarding the (now homogeneous)
semantics of CONFIG_SPL_[BSS_]MAX_SIZE and add the new
CONFIG_SPL_MAX_FOOTPRINT macro.
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Reported-by: Benoît Thébaudeau <benoit.thebaudeau@advansee.com>
Commit 3ebd1cbc introduced compiler-generated __bss_start
and __bss_end__ and commit c23561e7 rewrote all __bss_end__
as __bss_end. Their merge caused silent and harmless but
potentially bug-inducing clashes between compiler- and linker-
generated __bss_end symbols.
Make __bss_end and __bss_start compiler-only, and create
__bss_base and __bss_limit for linker-only use.
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Reported-by: Benoît Thébaudeau <benoit.thebaudeau@advansee.com>
Albert's rework of the linker scripts conflicted with Simon's making
everyone use __bss_end. We also had a minor conflict over
README.scrapyard being added to in mainline and enhanced in
u-boot-arm/master with proper formatting.
Conflicts:
arch/arm/cpu/ixp/u-boot.lds
arch/arm/cpu/u-boot.lds
arch/arm/lib/Makefile
board/actux1/u-boot.lds
board/actux2/u-boot.lds
board/actux3/u-boot.lds
board/dvlhost/u-boot.lds
board/freescale/mx31ads/u-boot.lds
doc/README.scrapyard
include/configs/tegra-common.h
Build tested for all of ARM and run-time tested on am335x_evm.
Signed-off-by: Tom Rini <trini@ti.com>
Note this is a tree-wide change affecting multiple architectures.
At present we use __bss_start, but mostly __bss_end__. This seems
inconsistent and in a number of places __bss_end is used instead.
Change to use __bss_end for the BSS end symbol throughout U-Boot. This
makes it possible to use the asm-generic/sections.h file on all
archs.
Signed-off-by: Simon Glass <sjg@chromium.org>
Refactor linker-generated array code so that symbols
which were previously linker-generated are now compiler-
generated. This causes relocation records of type
R_ARM_ABS32 to become R_ARM_RELATIVE, which makes
code which uses LGA able to run before relocation as
well as after.
Note: this affects more than ARM targets, as linker-
lists span possibly all target architectures, notably
PowerPC.
Conflicts:
arch/arm/cpu/arm926ejs/mxs/u-boot-spl.lds
arch/arm/cpu/arm926ejs/spear/u-boot-spl.lds
arch/arm/cpu/armv7/omap-common/u-boot-spl.lds
board/ait/cam_enc_4xx/u-boot-spl.lds
board/davinci/da8xxevm/u-boot-spl-da850evm.lds
board/davinci/da8xxevm/u-boot-spl-hawk.lds
board/vpac270/u-boot-spl.lds
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Turn __bss_start and __bss_end__ from linker-generated
to compiler-generated symbols, causing relocations for
these symbols to change type, from R_ARM_ABS32 to
R_ARM_RELATIVE.
This should have no functional impact, as it affects
references to __bss_start and __bss_end__ only before
relocation, and no such references are done.
Signed-off-by: Albert ARIBAUD <albert.u.boot@aribaud.net>
Add an ASSERT() to u-boot.lds to detect an SPL that doesn't fit within
SPL_TEXT_BASE..SPL_MAX_SIZE.
Different .lds files implement this check in two possible ways:
1) An ASSERT() like this
2) Defining a MEMORY region of size SPL_MAX_SIZE, and re-directing all
linker output into that region. Since u-boot.lds is used for both
SPL and main U-Boot, this would entail only sometimes defining a
MEMORY region, and only sometimes performing that redirection, and
hence option (1) was deemed much simpler, and hence implemented.
Note that this causes build failures at least for NVIDIA Tegra Seaboard
and Ventana. However, these are legitimate; the SPL doesn't fit within
the required space, and this does cause runtime issues.
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Acked-by: Simon Glass <sjg@chromium.org>
Acked-by: Allen Martin <amartin@nvidia.com>
Acked-by: Tom Rini <trini@ti.com>
Tested-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Warren <twarren@nvidia.com>
When -ffunction-sections or -fdata-section are used, symbols are placed
into sections such as .data.eserial1_device and .bss.serial_current.
Update the linker script to explicitly include these. Without this
change (at least with my gcc-4.5.3 built using crosstool-ng), I see that
the sections do end up being included, but __bss_end__ gets set to the
same value as __bss_start.
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Acked-by: Allen Martin <amartin@nvidia.com>
Acked-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>
The command declaration now uses the new LG-array method to generate
list of commands. Thus the __u_boot_cmd section is now superseded and
redundant and therefore can be removed. Also, remove externed symbols
associated with this section from include/command.h .
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Joe Hershberger <joe.hershberger@gmail.com>
Cc: Mike Frysinger <vapier@gentoo.org>
Add section for the linker-generated lists into all possible linker
files, so that everyone can easily use these lists. This is mostly
a mechanical adjustment.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Joe Hershberger <joe.hershberger@gmail.com>
Cc: Mike Frysinger <vapier@gentoo.org>
Most ARM CPUs use a very similar link script. This adds a basic
script that can be used by most CPUs.
Two new symbols are introduced which are intended to eventually be
defined on all architectures to make things easier for generic relocation
and reduce special-case code for each architecture:
__image_copy_start is the start of the text area (equivalent to the
existing _start on ARM). It marks the start of the region which must be
copied to a new location during relocation. This symbol is called
__text_start on x86 and microblaze.
__image_copy_end is the end of the region which must be copied to a new
location during relocation. It is normally equal to the start of the BSS
region, but this can vary in some cases (SPL?). Making this an explicit
symbol on its own removes any ambiguity and permits common code to always
do the right thing.
This new script makes use of CPUDIR, now defined by both Makefile and
spl/Makefile, to find the directory containing the start.o object file,
which is always placed first in the image.
To permit MMU setup prior to relocation (as used by pxa) we add an area
to the link script which contains space for this. This is taken
from commit 7f4cfcf. CPUs can put the contents in there using their
start.S file. BTW, shouldn't that area be 16KB-aligned?
Signed-off-by: Simon Glass <sjg@chromium.org>