<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git/boot, branch main</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<id>http://cgit.235523.xyz/u-boot.git/atom/boot?h=main</id>
<link rel='self' href='http://cgit.235523.xyz/u-boot.git/atom/boot?h=main'/>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<updated>2026-07-16T18:06:40Z</updated>
<entry>
<title>Merge patch series "vbe: bound FIT external-data reads against the firmware area"</title>
<updated>2026-07-16T18:06:40Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-07-16T18:06:40Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=91303d8a663248e15bd76801778ff709e490d88d'/>
<id>urn:sha1:91303d8a663248e15bd76801778ff709e490d88d</id>
<content type='text'>
Aristo Chen &lt;aristo.chen@canonical.com&gt; says:

vbe_read_fit() loads a firmware-phase FIT from a fixed firmware area on
a block device and then issues a follow-up blk_read() to pull in the
image, and optionally an FDT, referenced by the FIT's image node. The
source offset on the device and the read length both come from the FIT
itself, via data-position or data-offset and data-size. Those properties
live on mutable boot media and can be controlled by an attacker with
write access to the firmware area. On the TPL or VPL path, and on the
bootmeth bootflow path reached via abrec_read_bootflow_fw() and
vbe_simple_read_bootflow_fw(), the follow-up blk_read() runs before any
signature or hash check on the loaded phase.

Patch 1 is a sandbox test-tree preparation. The firmware1 node in
arch/sandbox/dts/test.dts declared area-size = 0xe00000 (14 MiB), but
the binman fw-update section in sandbox_vpl.dtsi is 32 MiB and the FIT
inside it carries ~16 MiB of external data, so the FIT already extended
past the declared area. The mismatch was tolerated because no caller
bounded the external-data load against area_size. Patch 1 raises
area-size to match the binman section size so test_vbe_vpl keeps passing
once the bound is enforced. The patches are ordered so the test is never
broken in the middle of the series.

Patch 2 adds the missing range check, confining the FIT-supplied
[load_addr, load_addr + len) window to [addr, addr + area_size] before
block numbers and lengths are computed, and applying the same constraint
to fdt_load_addr and fdt_size. The check is written in subtraction-only
form against the trusted area_size so the comparison cannot itself
overflow.

Patch 3 adds two sandbox unit tests under test/boot/ that construct
synthetic FITs with out-of-range data-position and oversized data-size,
write them to mmc1, and confirm vbe_read_fit() returns -E2BIG for each
before issuing the follow-up blk_read().

Deferring the external-data blk_read() until after the phase has been
signature-verified would be a stronger structural fix and was discussed
on the v1 thread. Simon confirmed the bounded read is the right first
step and that the verify-then-load change should be a separate series,
so this v3 stays scoped to the bound.

Link: https://lore.kernel.org/r/20260705034414.2247-1-aristo.chen@canonical.com
</content>
</entry>
<entry>
<title>vbe: bound FIT external-data offset and size before blk_read</title>
<updated>2026-07-16T18:06:15Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-07-05T03:44:10Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a84c7670a698c1d42a6da7e713afdeaaa51eae46'/>
<id>urn:sha1:a84c7670a698c1d42a6da7e713afdeaaa51eae46</id>
<content type='text'>
vbe_read_fit() loads a firmware-phase FIT from the trusted firmware area
and then issues a blk_read() to pull in the image, and optionally an
FDT, referenced by the FIT image node. The source offset on the device
and the read length both come from the FIT's data-position or data-offset
property and its data-size property, which live on mutable boot media
and can be controlled by an attacker with prior write access to the
firmware area.

Without a range check the resulting blk_read() can read past the
firmware area on the device and, on the non-SPL path, write an
attacker-chosen number of blocks past the malloc(aligned_size) FIT
buffer into adjacent memory. Only the SPL branch routes through
spl_load_simple_fit(), which hashes the data. The external-data block
reached from TPL or VPL, and from the bootflow path via
abrec_read_bootflow_fw() and vbe_simple_read_bootflow_fw(), runs before
any signature or hash check on the loaded phase.

Confine the FIT-supplied [load_addr, load_addr + len) window to
[addr, addr + area_size] before computing block numbers and lengths,
and apply the same constraint to fdt_load_addr and fdt_size. The checks
are written in subtraction-only form against the trusted area_size so
the comparison itself cannot overflow.

Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
<entry>
<title>cmd: fdt: keep control FDT during checksign</title>
<updated>2026-07-13T23:06:29Z</updated>
<author>
<name>James Hilliard</name>
<email>james.hilliard1@gmail.com</email>
</author>
<published>2026-06-26T00:18:21Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=58c2284a1a90d138f60364caf3513dda5693f8ff'/>
<id>urn:sha1:58c2284a1a90d138f60364caf3513dda5693f8ff</id>
<content type='text'>
The fdt checksign command accepts an optional address for an FDT
containing public keys. It currently installs that blob as gd-&gt;fdt_blob
before verifying the FIT configuration.

This breaks verification with DM-backed crypto drivers which have not
probed yet, since the later probe path expects gd-&gt;fdt_blob to remain
U-Boot's control FDT. For example, an ECDSA verifier can be bound from
the control FDT but fail to probe after fdt checksign points
gd-&gt;fdt_blob at the key-only DTB.

Add a FIT config verification helper that takes the key blob explicitly
and use it from fdt checksign. This keeps gd-&gt;fdt_blob unchanged while
still allowing the command to verify against an external key DTB.

Signed-off-by: James Hilliard &lt;james.hilliard1@gmail.com&gt;
</content>
</entry>
<entry>
<title>bootdev: scan boot devices at each priority level</title>
<updated>2026-07-03T16:14:25Z</updated>
<author>
<name>Denis Mukhin</name>
<email>dmukhin@ford.com</email>
</author>
<published>2026-06-23T22:06:29Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=264ba13f14767fbe7a881d25167d305fa5d7f6b6'/>
<id>urn:sha1:264ba13f14767fbe7a881d25167d305fa5d7f6b6</id>
<content type='text'>
Currently, default 'bootflow scan -lb' will stop booting the board if
any of higher-priority bootdevs fail to be hunted even if there are
bootdevs of lower priority.

For example, if the board has both NVMe (priority 4) and USB MSD devices
(priority 5), and if NVMe bootdev hunt fails (in the event of a bad NVMe
firmware update), USB (which may be a recovery bootdev) is never hunted
automatically, leaving the board at the U-Boot prompt (user intervention
is needed, e.g. something like 'bootflow scan usb' to hunt USB).

Fix bootdev_next_prio() to scan bootdevs at the lower priority level by
not exiting the scan loop early.

Keep the existing logging verbosity unchanged and rely on the failing
subsystem to provide a suitable diagnostic message.

Signed-off-by: Denis Mukhin &lt;dmukhin@ford.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>Merge patch series "bootm: fix flush_cache() with IH_TYPE_KERNEL_NOLOAD"</title>
<updated>2026-07-03T16:13:14Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-07-03T16:13:14Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=683161607af99a12de83eb5702d1f2662a107ac1'/>
<id>urn:sha1:683161607af99a12de83eb5702d1f2662a107ac1</id>
<content type='text'>
This patch series from Nora Schiffer &lt;nora.schiffer@ew.tq-group.com&gt;
addresses a few issues with correctly handling IH_TYPE_KERNEL_NOLOAD in
a few cases.

Link: https://lore.kernel.org/r/20260622111933.1488593-1-nora.schiffer@ew.tq-group.com
</content>
</entry>
<entry>
<title>bootm: allow omitting entry point for IH_TYPE_KERNEL_NOLOAD</title>
<updated>2026-07-03T16:11:11Z</updated>
<author>
<name>Nora Schiffer</name>
<email>nora.schiffer@ew.tq-group.com</email>
</author>
<published>2026-06-22T11:19:33Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=c63051237f2bc79838a27473709948408acdf38b'/>
<id>urn:sha1:c63051237f2bc79838a27473709948408acdf38b</id>
<content type='text'>
For IH_TYPE_KERNEL_NOLOAD, the entry point is given relative to the
image start, making 0 a valid default, and for IH_OS_EFI, it is ignored
altogether, so it may be preferable to omit it.

Signed-off-by: Nora Schiffer &lt;nora.schiffer@ew.tq-group.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>bootm: warn about load address for IH_TYPE_KERNEL_NOLOAD in FIT</title>
<updated>2026-07-03T16:11:11Z</updated>
<author>
<name>Nora Schiffer</name>
<email>nora.schiffer@ew.tq-group.com</email>
</author>
<published>2026-06-22T11:19:32Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=c2abc606653e7eb1e8dbdbaaf1eac392689875ea'/>
<id>urn:sha1:c2abc606653e7eb1e8dbdbaaf1eac392689875ea</id>
<content type='text'>
The load address is ignored for IH_TYPE_KERNEL_NOLOAD. Instead of
failing the boot when none is set, it makes more sense to warn when it
*is* set.

Signed-off-by: Nora Schiffer &lt;nora.schiffer@ew.tq-group.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>bootm: fix flush_cache() with IH_TYPE_KERNEL_NOLOAD</title>
<updated>2026-07-03T16:11:11Z</updated>
<author>
<name>Nora Schiffer</name>
<email>nora.schiffer@ew.tq-group.com</email>
</author>
<published>2026-06-22T11:19:31Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=0f890963da2d463dd47ec77ef75b1324cc8064f9'/>
<id>urn:sha1:0f890963da2d463dd47ec77ef75b1324cc8064f9</id>
<content type='text'>
`flush_start` must be set after `load` has been assigned.

Fixes: 69544c4fd8b1 ("bootm: Support kernel_noload with compression")
Signed-off-by: Nora Schiffer &lt;nora.schiffer@ew.tq-group.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>bootm: move OS index bound check into the legacy path</title>
<updated>2026-07-01T18:42:23Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-06-19T14:45:51Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=3900903a588964555c9e76cca53ada7d217c00f7'/>
<id>urn:sha1:3900903a588964555c9e76cca53ada7d217c00f7</id>
<content type='text'>
Commit 103b1e7ce8cc ("bootm: bound-check OS index in
bootm_os_get_boot_func()") added a range check to the shared accessor so
an out-of-range OS id can no longer drive an out-of-bounds read of
boot_os[]. That accessor is reached by every image format, but only a
legacy uImage can deliver an unchecked value. bootm_find_os() takes the
raw 8-bit ih_os byte straight from image_get_os() for legacy images,
whereas the FIT path reaches the accessor only after fit_image_load()
has rejected any image whose os is not one of the supported types, and
the Android path hardcodes IH_OS_LINUX. The check can therefore never
fail for FIT, where it only adds confusion and code.

Move the test to the legacy branch of bootm_find_os(), rejecting an
out-of-range OS where the untrusted byte enters. This keeps the FIT path
clear and lets the check be compiled out when CONFIG_LEGACY_IMAGE_FORMAT
is disabled. A valid OS id that has no handler is still reported by the
existing NULL return path in bootm_run_states().

Suggested-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>Kconfig: boot: restyle</title>
<updated>2026-06-25T20:13:31Z</updated>
<author>
<name>Johan Jonker</name>
<email>jbx6244@gmail.com</email>
</author>
<published>2026-06-10T14:37:17Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=c28e57164d78a671338f1e59ba924190a66c9a55'/>
<id>urn:sha1:c28e57164d78a671338f1e59ba924190a66c9a55</id>
<content type='text'>
Restyle all Kconfigs for "boot":
Menu entries   : no space left
Menu attributes: 1 TAB
Help text      : 1 TAB + 2 spaces
Replace '---help---' by 'help'

Signed-off-by: Johan Jonker &lt;jbx6244@gmail.com&gt;
</content>
</entry>
</feed>
