<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git, branch main</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<id>http://cgit.235523.xyz/u-boot.git/atom/?h=main</id>
<link rel='self' href='http://cgit.235523.xyz/u-boot.git/atom/?h=main'/>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<updated>2026-07-16T22:11:24Z</updated>
<entry>
<title>Merge patch series "cyclic: update and optimization"</title>
<updated>2026-07-16T22:11:24Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-07-16T18:07:07Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=96c308b8d2a6a1496c0a7366db9a7becf42d2454'/>
<id>urn:sha1:96c308b8d2a6a1496c0a7366db9a7becf42d2454</id>
<content type='text'>
Patrice Chotard &lt;patrice.chotard@foss.st.com&gt; says:

First patch is replacing uint64_t by u64 as suggested by b4
Second patch optimizes cyclic_run() to parse cyclic list only
if a cyclic function's timestamp is elapsed.

Link: https://lore.kernel.org/r/20260706-optimize_cyclic_run-v3-0-06ecbd74ef7c@foss.st.com
</content>
</entry>
<entry>
<title>cyclic: reduce get_timer_us() calls inside hlist_for_each_entry_safe()</title>
<updated>2026-07-16T22:11:19Z</updated>
<author>
<name>Patrice Chotard</name>
<email>patrice.chotard@foss.st.com</email>
</author>
<published>2026-07-06T16:06:09Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=9c1b13b3fd271500cd8a61f86816d822e4852a90'/>
<id>urn:sha1:9c1b13b3fd271500cd8a61f86816d822e4852a90</id>
<content type='text'>
On STM32MP157C-DK2, when using the "ums" command, in sleep_thread(),
ctrlc() is called every ~640ms which doesn't allows high reactivity when
user press CTRL+C in U-Boot console.

In sleep_thread() loop, ctrlc() is called every 200000 iterations.
But schedule is called on each loop iteration.

Optimize cyclic_run() in order to not call get_timer_us() on each entry.

This allow to save computation time :
  _ before : ctrlc() is called every ~640ms
  _ after  : ctrlc() is called every ~230ms

Signed-off-by: Rasmus Villemoes &lt;rv@rasmusvillemoes.dk&gt;
Signed-off-by: Patrice Chotard &lt;patrice.chotard@foss.st.com&gt;
Cc: Marek Vasut &lt;marek.vasut@mailbox.org&gt;
</content>
</entry>
<entry>
<title>cyclic: replace uint64_t by u64 suggested by b4</title>
<updated>2026-07-16T22:11:11Z</updated>
<author>
<name>Patrice Chotard</name>
<email>patrice.chotard@foss.st.com</email>
</author>
<published>2026-07-06T16:06:08Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=08af4faa0f0eac4622e52e699729bd157d6d806a'/>
<id>urn:sha1:08af4faa0f0eac4622e52e699729bd157d6d806a</id>
<content type='text'>
For new patch, b4 is suggested to replace type 'uint64_t' by 'u64' :
      CHECK: Prefer kernel type 'u64' over 'uint64_t'

Update cyclic.c accordingly in order to be coherent with following commit.

Signed-off-by: Patrice Chotard &lt;patrice.chotard@foss.st.com&gt;
Reviewed-by: Marek Vasut &lt;marek.vasut@mailbox.org&gt;
</content>
</entry>
<entry>
<title>Merge patch series "vbe: bound FIT external-data reads against the firmware area"</title>
<updated>2026-07-16T18:06:40Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-07-16T18:06:40Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=91303d8a663248e15bd76801778ff709e490d88d'/>
<id>urn:sha1:91303d8a663248e15bd76801778ff709e490d88d</id>
<content type='text'>
Aristo Chen &lt;aristo.chen@canonical.com&gt; says:

vbe_read_fit() loads a firmware-phase FIT from a fixed firmware area on
a block device and then issues a follow-up blk_read() to pull in the
image, and optionally an FDT, referenced by the FIT's image node. The
source offset on the device and the read length both come from the FIT
itself, via data-position or data-offset and data-size. Those properties
live on mutable boot media and can be controlled by an attacker with
write access to the firmware area. On the TPL or VPL path, and on the
bootmeth bootflow path reached via abrec_read_bootflow_fw() and
vbe_simple_read_bootflow_fw(), the follow-up blk_read() runs before any
signature or hash check on the loaded phase.

Patch 1 is a sandbox test-tree preparation. The firmware1 node in
arch/sandbox/dts/test.dts declared area-size = 0xe00000 (14 MiB), but
the binman fw-update section in sandbox_vpl.dtsi is 32 MiB and the FIT
inside it carries ~16 MiB of external data, so the FIT already extended
past the declared area. The mismatch was tolerated because no caller
bounded the external-data load against area_size. Patch 1 raises
area-size to match the binman section size so test_vbe_vpl keeps passing
once the bound is enforced. The patches are ordered so the test is never
broken in the middle of the series.

Patch 2 adds the missing range check, confining the FIT-supplied
[load_addr, load_addr + len) window to [addr, addr + area_size] before
block numbers and lengths are computed, and applying the same constraint
to fdt_load_addr and fdt_size. The check is written in subtraction-only
form against the trusted area_size so the comparison cannot itself
overflow.

Patch 3 adds two sandbox unit tests under test/boot/ that construct
synthetic FITs with out-of-range data-position and oversized data-size,
write them to mmc1, and confirm vbe_read_fit() returns -E2BIG for each
before issuing the follow-up blk_read().

Deferring the external-data blk_read() until after the phase has been
signature-verified would be a stronger structural fix and was discussed
on the v1 thread. Simon confirmed the bounded read is the right first
step and that the verify-then-load change should be a separate series,
so this v3 stays scoped to the bound.

Link: https://lore.kernel.org/r/20260705034414.2247-1-aristo.chen@canonical.com
</content>
</entry>
<entry>
<title>test: vbe: cover vbe_read_fit() external-data bounds checks</title>
<updated>2026-07-16T18:06:15Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-07-05T03:44:11Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=9fa00f563bea7ac4a4fda3220e05b21ebd4a242f'/>
<id>urn:sha1:9fa00f563bea7ac4a4fda3220e05b21ebd4a242f</id>
<content type='text'>
vbe_read_fit() rejects FITs whose external-data window extends past the
trusted firmware area on disk by returning -E2BIG. Add two sandbox unit
tests that construct synthetic FITs with attacker-controlled
data-position and data-size values, write them to mmc1, and assert
vbe_read_fit() catches each one before issuing the follow-up
blk_read().

vbe_read_fit_oob_position uses a data-position past area_size, which
trips the load_addr - addr &gt; area_size clause. vbe_read_fit_oversize_data
keeps data-position inside the area but picks a data-size that overruns
area_size - (load_addr - addr), tripping the third clause.

The two remaining bound clauses stay unreachable from a sandbox test.
The load_addr &lt; addr guard trivially holds when addr comes from
CONFIG_VAL(TEXT_BASE), which is 0 on sandbox, and the FDT-region bound
sits behind a !CONFIG_SANDBOX guard in vbe_read_fit(), so fdt_size stays
0 and that block is skipped in this test environment.

The new file follows the existing bootstd VBE test layout and writes
the FIT at block 16, past the version and nvdata blocks already used by
bootstd_setup_for_tests().

Suggested-by: Simon Glass &lt;sjg@chromium.org&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
<entry>
<title>vbe: bound FIT external-data offset and size before blk_read</title>
<updated>2026-07-16T18:06:15Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-07-05T03:44:10Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a84c7670a698c1d42a6da7e713afdeaaa51eae46'/>
<id>urn:sha1:a84c7670a698c1d42a6da7e713afdeaaa51eae46</id>
<content type='text'>
vbe_read_fit() loads a firmware-phase FIT from the trusted firmware area
and then issues a blk_read() to pull in the image, and optionally an
FDT, referenced by the FIT image node. The source offset on the device
and the read length both come from the FIT's data-position or data-offset
property and its data-size property, which live on mutable boot media
and can be controlled by an attacker with prior write access to the
firmware area.

Without a range check the resulting blk_read() can read past the
firmware area on the device and, on the non-SPL path, write an
attacker-chosen number of blocks past the malloc(aligned_size) FIT
buffer into adjacent memory. Only the SPL branch routes through
spl_load_simple_fit(), which hashes the data. The external-data block
reached from TPL or VPL, and from the bootflow path via
abrec_read_bootflow_fw() and vbe_simple_read_bootflow_fw(), runs before
any signature or hash check on the loaded phase.

Confine the FIT-supplied [load_addr, load_addr + len) window to
[addr, addr + area_size] before computing block numbers and lengths,
and apply the same constraint to fdt_load_addr and fdt_size. The checks
are written in subtraction-only form against the trusted area_size so
the comparison itself cannot overflow.

Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
<entry>
<title>sandbox: vbe: size firmware1 area to fit the binman fw-update section</title>
<updated>2026-07-16T18:06:14Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-07-05T03:44:09Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a8fc408cdfcbc3d8a04b493510a54d852f60550d'/>
<id>urn:sha1:a8fc408cdfcbc3d8a04b493510a54d852f60550d</id>
<content type='text'>
The firmware1 node in test.dts declares area-size = 0xe00000 (14 MiB)
but the binman fw-update section in sandbox_vpl.dtsi is 0x2000000
(32 MiB) and the FIT inside it carries ~16 MiB of external data
(spl + u-boot subimages). The FIT therefore extends past the
declared firmware area, contradicting the documented contract of
vbe_read_fit() that the FIT must fit within @area_size.

The mismatch was tolerated because no caller actually bounded the
external-data load against area_size. Bring the devicetree in line
with the binman section size so the FIT extent stays within the
trusted firmware area, in preparation for vbe_read_fit() enforcing
that bound.

state-offset and version-offset are left as-is; they were already
inside the FIT data region and are not exercised by test_vbe_vpl.

Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
<entry>
<title>Merge patch series "Add DM firmware reserved memory support"</title>
<updated>2026-07-16T18:05:25Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-07-16T18:05:25Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a5ef1849394de475ee3bb9ebfc7629b4dd3b746a'/>
<id>urn:sha1:a5ef1849394de475ee3bb9ebfc7629b4dd3b746a</id>
<content type='text'>
Paresh Bhagat &lt;p-bhagat@ti.com&gt; says:

This series adds support for DM firmware reserved memory fixup in device
tree for K3 SoCs that use separate DM firmware (K3_DM_FW enabled).

The series includes:
1. Fix for phandle corruption in FDT reserved memory fixup
2. Enable OF_SYSTEM_SETUP for AM62D2 to allow device tree fixups
3. Add Kconfig options for DM firmware reserved memory for other K3 SoCs
4. Add DM reserved memory fixup implementation

The main issue being addressed is that the current reserved DDR carveout
for DM firmware in device tree is insufficient to accommodate the DM
firmware binary on AM62A7, and potentially other K3 SoCs in the future.

Currently, the size is only modified for AM62A7 SoC. For rest of SocS
existing values from device tree is taken.

For vendor boards, please verify boot and check for errors if any.

This series depends on dts update for effected devices. If "dm" node is
not found then the existing mechanism creates a new node with same
address, which cause memory overlap issue.

Link: https://lore.kernel.org/r/20260701075021.3626094-1-p-bhagat@ti.com
</content>
</entry>
<entry>
<title>arm: mach-k3: Add DM reserved memory fixup</title>
<updated>2026-07-16T18:04:48Z</updated>
<author>
<name>Paresh Bhagat</name>
<email>p-bhagat@ti.com</email>
</author>
<published>2026-07-01T07:50:21Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=0cceea6e449888f4422e674e7157696d382eb686'/>
<id>urn:sha1:0cceea6e449888f4422e674e7157696d382eb686</id>
<content type='text'>
Add support for fixing up DM firmware reserved memory in the kernel
device tree for K3 SoCs that use separate DM firmware.

The fixup uses the CONFIG_K3_DM_FW_RESERVED_ADDR and
CONFIG_K3_DM_FW_RESERVED_SIZE Kconfig options to update the
reserved-memory node with the correct DM firmware carveout.

Note that the fixup needs DM reserved memory node is to be renamed in
dts. Example memory@9c900000 → dm@9c900000

Signed-off-by: Paresh Bhagat &lt;p-bhagat@ti.com&gt;
Reviewed-by: Neha Malcom Francis &lt;n-francis@ti.com&gt;
</content>
</entry>
<entry>
<title>arm: mack-k3: Kconfig: Add DM firmware reserved memory configs</title>
<updated>2026-07-16T18:04:48Z</updated>
<author>
<name>Paresh Bhagat</name>
<email>p-bhagat@ti.com</email>
</author>
<published>2026-07-01T07:50:20Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=5e2be9f5ccc4ca3c9cd326d4671a853b783adcae'/>
<id>urn:sha1:5e2be9f5ccc4ca3c9cd326d4671a853b783adcae</id>
<content type='text'>
Add Kconfig options for DM firmware reserved memory for K3 SOCs that
support DM firmware (K3_DM_FW enabled)
- K3_DM_FW_RESERVED_ADDR: DM firmware address
- K3_DM_FW_RESERVED_SIZE: DM firmware reserved size

These configs will be used to fixup the kernel device tree's reserved
memory node for DM. Currently the fixup is only done for AM62A7 SoC, as
K3_DM_FW_RESERVED_SIZE is being used to update DM reserved memory from
0xf0000 to 0x1f0000 as the current reserved carveout is insufficient to
accommodate the binary.

For other platforms, the addresses and sizes are based on the existing
device tree reserved memory. If needed for other SoCs, address and size
could be modified in Kconfig.

Signed-off-by: Paresh Bhagat &lt;p-bhagat@ti.com&gt;
</content>
</entry>
</feed>
