u-boot.git, branch v2022.04-rc2 Unnamed repository; edit this file 'description' to name the repository. Prepare v2022.04-rc2 2022-02-14T22:03:08+00:00 Tom Rini trini@konsulko.com 2022-02-14T22:03:08+00:00 8a4ef8786f053cb4e2fb5db7c9ab90c09a6bb37b Signed-off-by: Tom Rini <trini@konsulko.com> 
Signed-off-by: Tom Rini <trini@konsulko.com>
Merge branch '2022-02-14-assorted-fixes' 2022-02-14T19:18:45+00:00 Tom Rini trini@konsulko.com 2022-02-14T19:18:45+00:00 139e049732e2df1bc69eec9e8fdad274bb118bfb - Fix for pstore already being in the DT, "setlocalversion" script bugfix and pdu001 platform bugfix 
- Fix for pstore already being in the DT, "setlocalversion" script
  bugfix and pdu001 platform bugfix
arm: pdu001: Fix dt to work with the current am33xx dtsi files 2022-02-14T18:04:39+00:00 Felix Brack fb@ltec.ch 2022-02-08T10:38:39+00:00 9f0deae6d5fa656d604b3efa2371ea52def22173 The changes introduced with commit 6337d53fdf45 ("arm: dts: sync am33xx with Linux 5.9-rc7") prevent the PDU001 from operating correctly. This patch fixes the configuration of the pin multiplexer and uart3. Signed-off-by: Felix Brack <fb@ltec.ch> 
The changes introduced with commit 6337d53fdf45 ("arm: dts: sync am33xx
with Linux 5.9-rc7") prevent the PDU001 from operating correctly.
This patch fixes the configuration of the pin multiplexer and uart3.

Signed-off-by: Felix Brack <fb@ltec.ch>
scripts: setlocalversion: remove quotes around localversion from config 2022-02-14T18:04:39+00:00 Nikita Maslov wkernelteam@gmail.com 2022-01-13T21:13:39+00:00 609177140bdc6c8f1ca46955c6117e4420620d27 After replacing of include/config/auto.conf sourcing with extraction of CONFIG_LOCALVERSION, resulting version string contains quotes around localversion part which are always present in auto.conf (even if localversion is empty). This patch fixes this script to remove quotes. Signed-off-by: Nikita Maslov <wkernelteam@gmail.com> Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com> Cc: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org> 
After replacing of include/config/auto.conf sourcing with
extraction of CONFIG_LOCALVERSION, resulting version string
contains quotes around localversion part which are always
present in auto.conf (even if localversion is empty).

This patch fixes this script to remove quotes.

Signed-off-by: Nikita Maslov <wkernelteam@gmail.com>
Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
pstore: Support already existing reserved-memory node 2022-02-14T18:03:49+00:00 Detlev Casanova detlev.casanova@collabora.com 2022-02-07T16:02:30+00:00 ac52cba63f26eab9c74f3d1c2da00835724d3484 The pstore command tries to create a reserved-memory node but fails if it is already present with: Add 'reserved-memory' node failed: FDT_ERR_EXISTS This patch creates the node only if it does not exist and adapts the reg values sizes depending on already present #address-cells and #size-cells values. Signed-off-by: Detlev Casanova <detlev.casanova@collabora.com> 
The pstore command tries to create a reserved-memory node but fails if
it is already present with:

    Add 'reserved-memory' node failed: FDT_ERR_EXISTS

This patch creates the node only if it does not exist and adapts the reg
values sizes depending on already present #address-cells and #size-cells
values.

Signed-off-by: Detlev Casanova <detlev.casanova@collabora.com>
Merge tag 'efi-2022-04-rc2-4' of https://source.denx.de/u-boot/custodians/u-boot-efi 2022-02-11T20:11:52+00:00 Tom Rini trini@konsulko.com 2022-02-11T20:07:49+00:00 162c22bfbc4141f22937c6bc37aa02fd4621e76c Pull request for efi-2022-04-rc2-4 Documentation: * mkeficapsule man-page UEFI changes: * add support for signing images to mkeficapsule * add support for user define capsule GUID * adjust unit tests for capsules * fix UEFI image signature validation in case of multiple signatures 
Pull request for efi-2022-04-rc2-4

Documentation:

* mkeficapsule man-page

UEFI changes:

* add support for signing images to mkeficapsule
* add support for user define capsule GUID
* adjust unit tests for capsules
* fix UEFI image signature validation in case of multiple signatures
test/py: efi_secboot: adjust secure boot tests to code changes 2022-02-11T19:07:55+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2022-02-11T07:37:50+00:00 72b509b7019878e2a5f69bcf7198a0927a77ad60 The previous patch is changing U-Boot's behavior wrt certificate based binary authentication. Specifically an image who's digest of a certificate is found in dbx is now rejected. Fix the test accordingly and add another one testing signatures in reverse order Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The previous patch is changing U-Boot's behavior wrt certificate based
binary authentication.  Specifically an image who's digest of a
certificate is found in dbx is now rejected.  Fix the test accordingly
and add another one testing signatures in reverse order

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: fix dual signed image certification 2022-02-11T19:07:55+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2022-02-11T07:37:49+00:00 54cebe8a3ae8b56d784dbd0672cbd06102423eeb The EFI spec allows for images to carry multiple signatures. Currently we don't adhere to the verification process for such images. The spec says: "Multiple signatures are allowed to exist in the binary's certificate table (as per PE/COFF Section "Attribute Certificate Table"). Only one hash or signature is required to be present in db in order to pass validation, so long as neither the SHA-256 hash of the binary nor any present signature is reflected in dbx." With our current implementation signing the image with two certificates and inserting both of them in db and one of them dbx doesn't always reject the image. The rejection depends on the order that the image was signed and the order the certificates are read (and checked) in db. While at it move the sha256 hash verification outside the signature checking loop, since it only needs to run once per image and get simplify the logic for authenticating an unsigned imahe using sha256 hashes. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The EFI spec allows for images to carry multiple signatures. Currently
we don't adhere to the verification process for such images.

The spec says:
"Multiple signatures are allowed to exist in the binary's certificate
table (as per PE/COFF Section "Attribute Certificate Table"). Only one
hash or signature is required to be present in db in order to pass
validation, so long as neither the SHA-256 hash of the binary nor any
present signature is reflected in dbx."

With our current implementation signing the image with two certificates
and inserting both of them in db and one of them dbx doesn't always reject
the image.  The rejection depends on the order that the image was signed
and the order the certificates are read (and checked) in db.

While at it move the sha256 hash verification outside the signature
checking loop, since it only needs to run once per image and get simplify
the logic for authenticating an unsigned imahe using sha256 hashes.

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test/py: efi_capsule: check the results in case of CAPSULE_AUTHENTICATE 2022-02-11T19:07:55+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2022-02-09T10:10:42+00:00 e012550cd7d6cde866b848cf3a0543ce50204a07 Before the capsule authentication is supported, this test script works correctly, but with the feature enabled, most tests will fail due to unsigned capsules. So check the results depending on CAPSULE_AUTHENTICATE or not. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org> 
Before the capsule authentication is supported, this test script works
correctly, but with the feature enabled, most tests will fail due to
unsigned capsules.
So check the results depending on CAPSULE_AUTHENTICATE or not.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
test/py: efi_capsule: add a test for "--guid" option 2022-02-11T19:07:55+00:00 AKASHI Takahiro takahiro.akashi@linaro.org 2022-02-09T10:10:41+00:00 e9b74979b462f56569d40b431d2c8799ef7f5f69 This test scenario tests a new feature of mkeficapsule, "--guid" option, which allows us to specify FMP driver's guid explicitly at the command line. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org> 
This test scenario tests a new feature of mkeficapsule, "--guid" option,
which allows us to specify FMP driver's guid explicitly at the command
line.

Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>