u-boot.git/boot, branch v2025.04-rc2 Unnamed repository; edit this file 'description' to name the repository. image: apply FDTOs on FDT image node without a load property 2025-02-04T17:57:36+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-01-22T15:53:15+00:00 881f0b77dc8cfc454fb99ee183717d2538013665 A FIT image which is NOT using -E when created by mkimage - that is with image data within the FIT - will fail to apply FDTO if the base FDT image node does not specify a load property (which points to an address in DRAM). This is because we check that the FDT address we want to apply overlay to (i.e. modify and likely increase in size) is not inside the FIT and give up otherwise. This is assumed necessary because we may then overwrite other data when applying in-place. However, we can do better than giving up: relocating the FDT in another place in DRAM where it's safe to increase its size and apply FDTOs. While at it, do not discriminate anymore on whether the data is within the FIT data address space - that is FIT images created with mkimage -E - as that still may be susceptible to unintended data overwrites as mkimage -E simply concatenates all blobs after the FIT. If the FDT blob isn't the last, it'll result in overwriting later blobs when resizing. The side effect is that the load property in the FIT is only temporarily used to load the FDT but then relocated right before we start applying overlays. Suggested-by: Marek Vasut <marex@denx.de> Reviewed-by: Marek Vasut <marex@denx.de> Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
A FIT image which is NOT using -E when created by mkimage - that is with
image data within the FIT - will fail to apply FDTO if the base FDT
image node does not specify a load property (which points to an address
in DRAM). This is because we check that the FDT address we want to apply
overlay to (i.e. modify and likely increase in size) is not inside the
FIT and give up otherwise. This is assumed necessary because we may then
overwrite other data when applying in-place.

However, we can do better than giving up: relocating the FDT in another
place in DRAM where it's safe to increase its size and apply FDTOs.

While at it, do not discriminate anymore on whether the data is within
the FIT data address space - that is FIT images created with mkimage -E
- as that still may be susceptible to unintended data overwrites as
mkimage -E simply concatenates all blobs after the FIT. If the FDT blob
isn't the last, it'll result in overwriting later blobs when resizing.

The side effect is that the load property in the FIT is only
temporarily used to load the FDT but then relocated right before we
start applying overlays.

Suggested-by: Marek Vasut <marex@denx.de>
Reviewed-by: Marek Vasut <marex@denx.de>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
vbe: Add an implementation of VBE-ABrec 2025-02-03T22:01:36+00:00 Simon Glass sjg@chromium.org 2025-01-26T18:43:29+00:00 f1eb367d76c9b28053b3adcb6bdeb865c6eda5fd So far only VBE-simple is implemented in U-Boot. This supports a single image which can be updated in situ. It is often necessary to support two images (A and B) so that the board is not bricked if the update is interrupted or is bad. In some cases, a non-updatable recovery image is desirable, so that the board can be returned to a known-good state in the event of a serious failure. Introduce ABrec which provides these features. It supports three independent images and the logic to select the desired one on boot. While we are here, fix a debug message to indicate the function it called. Provide a maintainers entry for VBE. Note that fwupdated only supports VBE-simple so far, but supports for ABrec will appear in time. Signed-off-by: Simon Glass <sjg@chromium.org> 
So far only VBE-simple is implemented in U-Boot. This supports a single
image which can be updated in situ.

It is often necessary to support two images (A and B) so that the board
is not bricked if the update is interrupted or is bad.

In some cases, a non-updatable recovery image is desirable, so that the
board can be returned to a known-good state in the event of a serious
failure.

Introduce ABrec which provides these features. It supports three
independent images and the logic to select the desired one on boot.

While we are here, fix a debug message to indicate the function it
called. Provide a maintainers entry for VBE.

Note that fwupdated only supports VBE-simple so far, but supports for
ABrec will appear in time.

Signed-off-by: Simon Glass <sjg@chromium.org>
vbe: Allow VBE to disable adding loadables to the FDT 2025-02-03T22:01:36+00:00 Simon Glass sjg@chromium.org 2025-01-26T18:43:28+00:00 f4415f2a375c6dab4b8b20a40d4c7ec15f1e951e When VBE operates within VPL it does not want the FDT to be changed. Provide a way to disable this feature. Move the FIT_IMAGE_TINY condition out of spl_fit_record_loadable() so that both conditions are together. This makes the code easier to understand. Replace the existing fit_loaded member, which is no-longer used. Signed-off-by: Simon Glass <sjg@chromium.org> 
When VBE operates within VPL it does not want the FDT to be changed.
Provide a way to disable this feature.

Move the FIT_IMAGE_TINY condition out of spl_fit_record_loadable() so
that both conditions are together. This makes the code easier to
understand.

Replace the existing fit_loaded member, which is no-longer used.

Signed-off-by: Simon Glass <sjg@chromium.org>
vbe: Tidy up a few comments 2025-02-03T22:01:36+00:00 Simon Glass sjg@chromium.org 2025-01-26T18:43:27+00:00 39a9b033ceeca65b45917094cc9099a610f0185e Join the comment block for the fit_image_load() call back to where it should be. Also fix a debug statement. Signed-off-by: Simon Glass <sjg@chromium.org> 
Join the comment block for the fit_image_load() call back to where it
should be. Also fix a debug statement.

Signed-off-by: Simon Glass <sjg@chromium.org>
vbe: Support selecting images based on phase in FIT 2025-02-03T22:01:36+00:00 Simon Glass sjg@chromium.org 2025-01-26T18:43:18+00:00 5fb647c83efcfe5dc2aabfdcbfc8b6cdbe3ebedb With SPL we want to specify the phase of the image to be loaded. Add support for this. This is the implementation of a FIT feature added to the spec a few years ago and entails a small code-size increase, about 70 bytes on Thumb2. Signed-off-by: Simon Glass <sjg@chromium.org> Link: https://docs.u-boot.org/en/latest/usage/fit/index.html 
With SPL we want to specify the phase of the image to be loaded. Add
support for this.

This is the implementation of a FIT feature added to the spec a few
years ago and entails a small code-size increase, about 70 bytes on
Thumb2.

Signed-off-by: Simon Glass <sjg@chromium.org>
Link: https://docs.u-boot.org/en/latest/usage/fit/index.html
bootmeth_efi: Support PXE booting 2025-01-26T10:06:57+00:00 Simon Glass sjg@chromium.org 2025-01-23T22:07:24+00:00 21de624eb89c647a21b06a5b0f5b186838be1d17 Finish off the implementation so it is possible to boot an EFI app over a network. Signed-off-by: Simon Glass <sjg@chromium.org> 
Finish off the implementation so it is possible to boot an EFI app over
a network.

Signed-off-by: Simon Glass <sjg@chromium.org>
efi_loader: Pass in the required parameters from EFI bootmeth 2025-01-26T10:06:57+00:00 Simon Glass sjg@chromium.org 2025-01-23T22:07:23+00:00 a2338955fc1d3bb6de86ab4fb6e7c55ff189f4f0 Rather than setting up the global variables and then making the call, pass them into function directly. This cleans up the code and makes it all a bit easier to understand. Signed-off-by: Simon Glass <sjg@chromium.org> 
Rather than setting up the global variables and then making the call,
pass them into function directly. This cleans up the code and makes it
all a bit easier to understand.

Signed-off-by: Simon Glass <sjg@chromium.org>
bootstd: android: Allow boot with AVB failures when unlocked 2025-01-23T14:23:05+00:00 Mattijs Korpershoek mkorpershoek@baylibre.com 2025-01-08T14:38:42+00:00 6745cbed6edc06fae7fbc4b360e39c3963d57b13 When the bootloader is UNLOCKED, it should be possible to boot Android even if AVB reports verification errors [1]. This allows developers to flash modified partitions on userdebug/engineering builds. Developers can do so on unlocked devices with: $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img In such case, bootmeth_android refuses to boot. Allow the boot to continue when the device is UNLOCKED and AVB reports verification errors. [1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android") Reviewed-by: Julien Masson <jmasson@baylibre.com> Link: https://lore.kernel.org/r/20250108-avb-disable-verif-v2-2-ba7d3b0d5b6a@baylibre.com Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com> 
When the bootloader is UNLOCKED, it should be possible to boot Android
even if AVB reports verification errors [1].

This allows developers to flash modified partitions on
userdebug/engineering builds.

Developers can do so on unlocked devices with:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

In such case, bootmeth_android refuses to boot.

Allow the boot to continue when the device is UNLOCKED and AVB reports
verification errors.

[1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices

Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Reviewed-by: Julien Masson <jmasson@baylibre.com>
Link: https://lore.kernel.org/r/20250108-avb-disable-verif-v2-2-ba7d3b0d5b6a@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
bootstd: android: Add missing NULL in the avb partition list 2025-01-23T14:23:05+00:00 Mattijs Korpershoek mkorpershoek@baylibre.com 2025-01-08T14:38:41+00:00 ae58cd7b39207175c8696d7bf38321b1a4c9957a When booting an Android build with AVB enabled, it's still possible to deactivate the check for development purposes if the bootloader state is UNLOCKED. This is very useful for development and can be done at flashing time via: $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img However, with bootmeth_android, we cannot boot this way: Scanning bootdev 'mmc@fa10000.bootdev': 0 android ready mmc 0 mmc@fa10000.bootdev.whole ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android avb_vbmeta_image.c:188: ERROR: Hash does not match! avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH get_partition: can't find partition '_a' avb_slot_verify.c:496: ERROR: _a: Error determining partition size. Verification failed, reason: I/O error occurred while trying to load data Boot failed (err=-5) No more bootdevs From the logs we can see that avb tries to read a partition named '_a'. It's doing so because the last element of requested_partitions implicitly is '\0', but the doc explicitly request it to be NULL instead. Add NULL as last element to requested_partitions to avoid this problem. Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android") Reviewed-by: Julien Masson <jmasson@baylibre.com> Link: https://lore.kernel.org/r/20250108-avb-disable-verif-v2-1-ba7d3b0d5b6a@baylibre.com Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com> 
When booting an Android build with AVB enabled, it's still possible to
deactivate the check for development purposes if the bootloader state is
UNLOCKED.

This is very useful for development and can be done at flashing time via:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

However, with bootmeth_android, we cannot boot this way:

    Scanning bootdev 'mmc@fa10000.bootdev':
      0  android      ready   mmc          0  mmc@fa10000.bootdev.whole
    ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
    avb_vbmeta_image.c:188: ERROR: Hash does not match!
    avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
    get_partition: can't find partition '_a'
    avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
    Verification failed, reason: I/O error occurred while trying to load data
    Boot failed (err=-5)
    No more bootdevs

From the logs we can see that avb tries to read a partition named '_a'.
It's doing so because the last element of requested_partitions implicitly is
'\0', but the doc explicitly request it to be NULL instead.

Add NULL as last element to requested_partitions to avoid this problem.

Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Reviewed-by: Julien Masson <jmasson@baylibre.com>
Link: https://lore.kernel.org/r/20250108-avb-disable-verif-v2-1-ba7d3b0d5b6a@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
boot: android: Check kcmdline's for NULL in android_image_get_kernel() 2025-01-23T14:19:37+00:00 Aaron Kling webgeek1234@gmail.com 2025-01-13T09:11:45+00:00 4e599aa73a386dd1ba5091937ef2fc388d01ddd2 kcmdline and kcmdline_extra strings can be NULL. In that case, we still read the content from 0x00000 and pass that to the kernel, which is completely wrong. Fix android_image_get_kernel() to check for NULL before checking if they are empty strings. Fixes: 53a0ddb6d3be ("boot: android: fix extra command line support") Signed-off-by: Aaron Kling <webgeek1234@gmail.com> Reviewed-by: Nicolas Belin <nbelin@baylibre.com> Reviewed-by: Julien Masson <jmasson@baylibre.com> Tested-by: Sam Day <me@samcday.com> Link: https://lore.kernel.org/r/20250113-kcmdline-extra-fix-v1-1-03cc9c039159@baylibre.com Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com> 
kcmdline and kcmdline_extra strings can be NULL. In that case, we still
read the content from 0x00000 and pass that to the kernel, which is
completely wrong.

Fix android_image_get_kernel() to check for NULL before checking if
they are empty strings.

Fixes: 53a0ddb6d3be ("boot: android: fix extra command line support")
Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
Reviewed-by: Nicolas Belin <nbelin@baylibre.com>
Reviewed-by: Julien Masson <jmasson@baylibre.com>
Tested-by: Sam Day <me@samcday.com>
Link: https://lore.kernel.org/r/20250113-kcmdline-extra-fix-v1-1-03cc9c039159@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>