u-boot.git/boot, branch v2026.04 Unnamed repository; edit this file 'description' to name the repository. treewide: fix uImage.FIT document paths 2026-03-27T09:50:29+00:00 Daniel Golle daniel@makrotopia.org 2026-02-27T00:03:29+00:00 72cc446490e74fdf392f5e049cf8fd28d9c6818d Commit 488445cefa1 ("doc: Move FIT into its own directory") moved the documentation in doc/uImage.FIT to doc/usage/fit, subsequently all documents and example sources have been converted to reStructuredText. Fix (almost) all of the remaining occurrences of the old path and filenames across the tree. The exception is doc/uImage.FIT/command_syntax_extensions.txt which apparently has been removed entirely, or at least I was unable to locate where that document is now. Signed-off-by: Daniel Golle <daniel@makrotopia.org> 
Commit 488445cefa1 ("doc: Move FIT into its own directory") moved the
documentation in doc/uImage.FIT to doc/usage/fit, subsequently all
documents and example sources have been converted to reStructuredText.

Fix (almost) all of the remaining occurrences of the old path and
filenames across the tree.

The exception is doc/uImage.FIT/command_syntax_extensions.txt which
apparently has been removed entirely, or at least I was unable to
locate where that document is now.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
image-fit: Fix mismatched parameter type in comment 2026-03-18T17:05:57+00:00 Kunihiko Hayashi hayashi.kunihiko@socionext.com 2026-03-04T07:51:00+00:00 eeca6ed86ff65cb8213d0d960a0733c7d8ddde5d The functions use 'ulong', however, the comments said 'uint32_t'. Update the comments to match the prototype. Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> 
The functions use 'ulong', however, the comments said 'uint32_t'.
Update the comments to match the prototype.

Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
boot: Add fit_config_get_hash_list() to build signed node list 2026-03-09T15:49:50+00:00 Simon Glass simon.glass@canonical.com 2026-03-06T01:20:09+00:00 2092322b31cc8b1f8c9e2e238d1043ae0637b241 The hashed-nodes property in a FIT signature node lists which FDT paths are included in the signature hash. It is intended as a hint so should not be used for verification. Add a function to build the node list from scratch by iterating the configuration's image references. Skip properties known not to be image references. For each image, collect the path plus all hash and cipher subnodes. Use the new function in fit_config_check_sig() instead of reading 'hashed-nodes'. Update the test_vboot kernel@ test case: fit_check_sign now catches the attack at signature-verification time (the @-suffixed node is hashed instead of the real one, causing a mismatch) rather than at fit_check_format() time. Update the docs to cover this. The FIT spec can be updated separately. Signed-off-by: Simon Glass <simon.glass@canonical.com> Closes: https://lore.kernel.org/u-boot/20260302220937.3682128-1-trini@konsulko.com/ Reported-by: Apple Security Engineering and Architecture (SEAR) Tested-by: Tom Rini <trini@konsulko.com> 
The hashed-nodes property in a FIT signature node lists which FDT paths
are included in the signature hash. It is intended as a hint so should
not be used for verification.

Add a function to build the node list from scratch by iterating the
configuration's image references. Skip properties known not to be image
references. For each image, collect the path plus all hash and cipher
subnodes.

Use the new function in fit_config_check_sig() instead of reading
'hashed-nodes'.

Update the test_vboot kernel@ test case: fit_check_sign now catches the
attack at signature-verification time (the @-suffixed node is hashed
instead of the real one, causing a mismatch) rather than at
fit_check_format() time.

Update the docs to cover this. The FIT spec can be updated separately.

Signed-off-by: Simon Glass <simon.glass@canonical.com>
Closes: https://lore.kernel.org/u-boot/20260302220937.3682128-1-trini@konsulko.com/
Reported-by: Apple Security Engineering and Architecture (SEAR)
Tested-by: Tom Rini <trini@konsulko.com>
boot: fit: validate FDT/DTO payload before fdt_open_into() 2026-02-24T16:28:37+00:00 James Hilliard james.hilliard1@gmail.com 2026-02-23T20:40:04+00:00 0b2939464feef001e4d4b69578f29a7a4d572fcd boot_get_fdt_fit_into_buffer() calls fdt_open_into() for both the base FDT and overlay DTO blobs loaded from a FIT image. Those blobs come from FIT payload data. In the overlay path, fit_image_load() is called with FIT_LOAD_IGNORED, so the IH_TYPE_FLATDT header check in fit_image_load() is skipped. This leaves fdt_open_into() to consume header-derived offsets/sizes from unvalidated input. Validate the full blob against the payload length first with fdt_check_full(fdtsrcbuf, srclen), then proceed with fdt_totalsize() and fdt_open_into(). This fixes Coverity CID 644638 (TAINTED_SCALAR). Fixes: 5ebf0c55a23 ("image: fit: Apply overlays using aligned writable FDT copies") Link: https://lore.kernel.org/all/20260223195109.GG3233182@bill-the-cat/ Signed-off-by: James Hilliard <james.hilliard1@gmail.com> Reviewed-by: Tom Rini <trini@konsulko.com> 
boot_get_fdt_fit_into_buffer() calls fdt_open_into() for both the
base FDT and overlay DTO blobs loaded from a FIT image.

Those blobs come from FIT payload data. In the overlay path,
fit_image_load() is called with FIT_LOAD_IGNORED, so the IH_TYPE_FLATDT
header check in fit_image_load() is skipped. This leaves fdt_open_into()
to consume header-derived offsets/sizes from unvalidated input.

Validate the full blob against the payload length first with
fdt_check_full(fdtsrcbuf, srclen), then proceed with fdt_totalsize() and
fdt_open_into(). This fixes Coverity CID 644638 (TAINTED_SCALAR).

Fixes: 5ebf0c55a23 ("image: fit: Apply overlays using aligned writable FDT copies")
Link: https://lore.kernel.org/all/20260223195109.GG3233182@bill-the-cat/
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
bootstd: rauc: Fix null pointer access while checking root part 2026-02-16T17:52:01+00:00 Martin Schwan m.schwan@phytec.de 2026-02-11T08:36:22+00:00 c3538f788dbac291df24171ae1eeb1563ab8af53 Fix a segmentation fault caused by a null pointer access during root partition checking. The function part_get_info() was falsely given null for the disk_partition struct, which later resulted in accessing a null pointer and thus undefined behavior. Fixes: 5d7c080ae5dc ("bootstd: rauc: Don't check root part filesystem") Signed-off-by: Martin Schwan <m.schwan@phytec.de> 
Fix a segmentation fault caused by a null pointer access during root
partition checking. The function part_get_info() was falsely given null
for the disk_partition struct, which later resulted in accessing a null
pointer and thus undefined behavior.

Fixes: 5d7c080ae5dc ("bootstd: rauc: Don't check root part filesystem")
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
cmd: pxe_utils: fix syntax error in comments 2026-02-16T17:52:01+00:00 Hugo Villeneuve hvilleneuve@dimonoff.com 2026-02-11T15:19:09+00:00 2ac30d21e459736acb164c363498596872e0bfb3 Add missing "to" so that the sentence makes sense. Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com> 
Add missing "to" so that the sentence makes sense.

Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
image: fit: Apply overlays using aligned writable FDT copies 2026-02-16T17:52:01+00:00 James Hilliard james.hilliard1@gmail.com 2026-02-12T21:34:09+00:00 5ebf0c55a23ad740da1ec191ac157c490f207e0f libfdt expects FDT/DTO blobs to be 8-byte aligned. When loading the base FDT or overlays from a FIT, the mapped buffer may be unaligned, which can break fdt_open_into() on strict-alignment architectures. boot_get_fdt_fit() relocates the base FDT with boot_relocate_fdt() before applying overlays. That uses the bootm memory map and can overlap with the FIT buffer when the FIT is loaded into RAM, corrupting data needed to load the kernel and ramdisk. Allocate writable, 8-byte aligned copies of the base FDT and overlays with memalign() and fdt_open_into(). Grow the base buffer as needed, apply overlays to it and pack the final tree. Free each temporary overlay copy after application and check fdt_pack() errors. Fixes: 8fbcc0e0e839 ("boot: Assure FDT is always 8-byte aligned") Fixes: 881f0b77dc8c ("image: apply FDTOs on FDT image node") Signed-off-by: James Hilliard <james.hilliard1@gmail.com> Cc: Jamie Gibbons <Jamie.Gibbons@microchip.com> Reviewed-by: Marek Vasut <marek.vasut@mailbox.org> 
libfdt expects FDT/DTO blobs to be 8-byte aligned. When loading the
base FDT or overlays from a FIT, the mapped buffer may be unaligned,
which can break fdt_open_into() on strict-alignment architectures.

boot_get_fdt_fit() relocates the base FDT with boot_relocate_fdt()
before applying overlays. That uses the bootm memory map and can
overlap with the FIT buffer when the FIT is loaded into RAM,
corrupting data needed to load the kernel and ramdisk.

Allocate writable, 8-byte aligned copies of the base FDT and overlays
with memalign() and fdt_open_into(). Grow the base buffer as needed,
apply overlays to it and pack the final tree. Free each temporary
overlay copy after application and check fdt_pack() errors.

Fixes: 8fbcc0e0e839 ("boot: Assure FDT is always 8-byte aligned")
Fixes: 881f0b77dc8c ("image: apply FDTOs on FDT image node")
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Cc: Jamie Gibbons <Jamie.Gibbons@microchip.com>
Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
boot/fit: print error name in boot_get_fdt_fit() 2026-01-30T18:38:03+00:00 David Lechner dlechner@baylibre.com 2026-01-29T20:03:41+00:00 8bca63d2ed9d73ec2ff83fa76510245e48e29730 Print the actual error code in a couple of places in boot_get_fdt_fit(). These are FDT error codes, not errno, so printing the string is more helpful than printing the numeric value. The only caller of boot_get_fdt_fit() unconditionally replaces the returned error code (fdt_noffset) with ENOENT so the actual error would otherwise be lost. Signed-off-by: David Lechner <dlechner@baylibre.com> 
Print the actual error code in a couple of places in boot_get_fdt_fit().

These are FDT error codes, not errno, so printing the string is more
helpful than printing the numeric value.

The only caller of boot_get_fdt_fit() unconditionally replaces the
returned error code (fdt_noffset) with ENOENT so the actual error would
otherwise be lost.

Signed-off-by: David Lechner <dlechner@baylibre.com>
boot/fit: print name of config node not found 2026-01-27T22:19:54+00:00 Frank Wunderlich frank-w@public-files.de 2026-01-16T18:29:02+00:00 09cc6788683172a5588eca2cb7536a20a600faa9 Show name of configuration node which was not found. current state gives no hint if fit image is wrong or the requested name. Could not find configuration node load of <NULL> failed After this patch we see name like this: Could not find configuration node '#ov-test' load of <NULL> failed Signed-off-by: Frank Wunderlich <frank-w@public-files.de> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> 
Show name of configuration node which was not found.

current state gives no hint if fit image is wrong or the requested name.

Could not find configuration node
load of <NULL> failed

After this patch we see name like this:

Could not find configuration node '#ov-test'
load of <NULL> failed

Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
fit: Rework SPL_LOAD_FIT_ADDRESS slightly 2026-01-27T22:19:11+00:00 Tom Rini trini@konsulko.com 2026-01-18T19:56:10+00:00 272b8784faf33b0eded27ba78ad4251151ef357b Options which deal with memory locations and have a default value of 0x0 are dangerous, as that is often not a valid memory location. Rework SPL_LOAD_FIT_ADDRESS as follows: - Add SPL_HAS_LOAD_FIT_ADDRESS to guard prompting the question as the case of loading a FIT image does not strictly require setting an address and allows for a malloc()'d area to be used. - For SPL_RAM_SUPPORT, select the new guard symbol if SPL_LOAD_FIT is enabled because in that case an address must be provided. - Update defconfigs for these new changes. Largely this means some defconfigs need to enable SPL_HAS_LOAD_FIT_ADDRESS to maintain their current status. In the case of sandbox, we also need to set SPL_LOAD_FIT_ADDRESS to 0x0. Signed-off-by: Tom Rini <trini@konsulko.com> 
Options which deal with memory locations and have a default value of 0x0
are dangerous, as that is often not a valid memory location. Rework
SPL_LOAD_FIT_ADDRESS as follows:
- Add SPL_HAS_LOAD_FIT_ADDRESS to guard prompting the question as the
  case of loading a FIT image does not strictly require setting an
  address and allows for a malloc()'d area to be used.
- For SPL_RAM_SUPPORT, select the new guard symbol if SPL_LOAD_FIT is
  enabled because in that case an address must be provided.
- Update defconfigs for these new changes. Largely this means some
  defconfigs need to enable SPL_HAS_LOAD_FIT_ADDRESS to maintain their
  current status. In the case of sandbox, we also need to set
  SPL_LOAD_FIT_ADDRESS to 0x0.

Signed-off-by: Tom Rini <trini@konsulko.com>