<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git/include/asm-generic/sections.h, branch master</title>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<entry>
<title>efi_loader: Move public cert for capsules to .rodata</title>
<updated>2025-04-11T11:25:31+00:00</updated>
<author>
<name>Ilias Apalodimas</name>
<email>ilias.apalodimas@linaro.org</email>
</author>
<published>2025-04-01T11:27:25+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=fd58c275f6ba524101ba0990e53f5a11ac390bd0'/>
<id>fd58c275f6ba524101ba0990e53f5a11ac390bd0</id>
<content type='text'>
commit ddf67daac39d ("efi_capsule: Move signature from DTB to .rodata")
was reverted in
commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"")
because that's what U-Boot was usually doing -- using the DT to store
configuration and data. Some of the discussions can be found here [0].

(Ab)using the device tree to store random data isn't ideal though.
On top of that with new features introduced over the years, keeping
the certificates in the DT has proven to be problematic.
One of the reasons is that platforms might send U-Boot a DTB
from the previous stage loader using a transfer list which won't contain
the signatures since other loaders are not aware of internal
U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding
the capsule certificate there does not work and requires users to dump
it and re-create it injecting the public keys.

Now that we have proper memory permissions for arm64, move the certificate
to .rodata and read it from there.

[0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/

Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
Tested-by: Jonathan Humphreys &lt;j-humphreys@ti.com&gt;  # on TI sk-am62p-lp
Tested-by: Neil Armstrong &lt;neil.armstrong@linaro.org&gt; # on AML-A311D-CC
Tested-by: Raymond Mao &lt;raymond.mao@linaro.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ddf67daac39d ("efi_capsule: Move signature from DTB to .rodata")
was reverted in
commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"")
because that's what U-Boot was usually doing -- using the DT to store
configuration and data. Some of the discussions can be found here [0].

(Ab)using the device tree to store random data isn't ideal though.
On top of that with new features introduced over the years, keeping
the certificates in the DT has proven to be problematic.
One of the reasons is that platforms might send U-Boot a DTB
from the previous stage loader using a transfer list which won't contain
the signatures since other loaders are not aware of internal
U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding
the capsule certificate there does not work and requires users to dump
it and re-create it injecting the public keys.

Now that we have proper memory permissions for arm64, move the certificate
to .rodata and read it from there.

[0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/

Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
Tested-by: Jonathan Humphreys &lt;j-humphreys@ti.com&gt;  # on TI sk-am62p-lp
Tested-by: Neil Armstrong &lt;neil.armstrong@linaro.org&gt; # on AML-A311D-CC
Tested-by: Raymond Mao &lt;raymond.mao@linaro.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>arm: Prepare linker scripts for memory permissions</title>
<updated>2025-03-14T11:30:12+00:00</updated>
<author>
<name>Ilias Apalodimas</name>
<email>ilias.apalodimas@linaro.org</email>
</author>
<published>2025-02-20T13:54:40+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=1c7d0c411c033f7158dccc34c795951b667dd591'/>
<id>1c7d0c411c033f7158dccc34c795951b667dd591</id>
<content type='text'>
Upcoming patches are switching the memory mappings to RW, RO, RX
after the U-Boot binary and its data are relocated. Add
annotations in the linker scripts to mark text, data, rodata
sections and align them to a page boundary.

It's worth noting that .efi_runtime memory permissions are left
untouched for now. There are two problems with EFI currently.

The first problem is that we bundle data, rodata and text in a single
.efi_runtime section which also must be close to .text for now.
As a result we also don't change the permissions for anything contained
in CPUDIR/start.o. In order to fix that we have to decouple .text_rest,
.text and .efi_runtime and have the runtime services on their own
section with proper memory permission annotations (efi_rodata etc).

The efi runtime regions (.efi_runtime_rel) can be relocated by the OS when
the latter is calling SetVirtualAddressMap. Which means we have to
configure those pages as RX for U-Boot but convert them to RWX just before
ExitBootServices. It also needs extra code in efi_runtime relocation
code since R_AARCH64_NONE are emitted as well if we page align the
section.

Due to the above ignore EFI for now and fix it later once we have the
rest in place.

Acked-by: Jerome Forissier &lt;jerome.forissier@linaro.org&gt;
Tested-by: Neil Armstrong &lt;neil.armstrong@linaro.org&gt; # on AML-S905X-CC
Reviewed-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Upcoming patches are switching the memory mappings to RW, RO, RX
after the U-Boot binary and its data are relocated. Add
annotations in the linker scripts to mark text, data, rodata
sections and align them to a page boundary.

It's worth noting that .efi_runtime memory permissions are left
untouched for now. There are two problems with EFI currently.

The first problem is that we bundle data, rodata and text in a single
.efi_runtime section which also must be close to .text for now.
As a result we also don't change the permissions for anything contained
in CPUDIR/start.o. In order to fix that we have to decouple .text_rest,
.text and .efi_runtime and have the runtime services on their own
section with proper memory permission annotations (efi_rodata etc).

The efi runtime regions (.efi_runtime_rel) can be relocated by the OS when
the latter is calling SetVirtualAddressMap. Which means we have to
configure those pages as RX for U-Boot but convert them to RWX just before
ExitBootServices. It also needs extra code in efi_runtime relocation
code since R_AARCH64_NONE are emitted as well if we page align the
section.

Due to the above ignore EFI for now and fix it later once we have the
rest in place.

Acked-by: Jerome Forissier &lt;jerome.forissier@linaro.org&gt;
Tested-by: Neil Armstrong &lt;neil.armstrong@linaro.org&gt; # on AML-S905X-CC
Reviewed-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>spl: Provide a way to mark code needed for relocation</title>
<updated>2025-02-03T22:01:36+00:00</updated>
<author>
<name>Simon Glass</name>
<email>sjg@chromium.org</email>
</author>
<published>2025-01-26T18:43:20+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=0741165f3f2f48dfea8bf3e0472208740c5c2d41'/>
<id>0741165f3f2f48dfea8bf3e0472208740c5c2d41</id>
<content type='text'>
Add a linker symbol which can be used to mark relocation code, so it can
be collected by the linker and copied into a suitable place and executed
when needed.

Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add a linker symbol which can be used to mark relocation code, so it can
be collected by the linker and copied into a suitable place and executed
when needed.

Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>arm: fix __efi_runtime_start/end definitions</title>
<updated>2024-03-29T14:39:25+00:00</updated>
<author>
<name>Ilias Apalodimas</name>
<email>ilias.apalodimas@linaro.org</email>
</author>
<published>2024-03-15T06:43:49+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=c0802104d6b86e223e5a605b36ca77453eb00314'/>
<id>c0802104d6b86e223e5a605b36ca77453eb00314</id>
<content type='text'>
__efi_runtime_start/end are defined as C variables for arm7 only in
order to force the compiler to emit relative references. However, defining
those within a section definition will do the same thing since [0].
On top of that the v8 linker scripts define it as a symbol.

So let's remove the special sections from the linker scripts, the
variable definitions from sections.c and define them as symbols within
the correct section.

[0] binutils commit 6b3b0ab89663 ("Make linker assigned symbol dynamic only for shared object")

Suggested-by: Sam Edwards &lt;CFSworks@gmail.com&gt;
Reviewed-by: Sam Edwards &lt;CFSworks@gmail.com&gt;
Reviewed-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Tested-by: Sam Edwards &lt;CFSworks@gmail.com&gt; # Binary output identical
Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
__efi_runtime_start/end are defined as C variables for arm7 only in
order to force the compiler to emit relative references. However, defining
those within a section definition will do the same thing since [0].
On top of that the v8 linker scripts define it as a symbol.

So let's remove the special sections from the linker scripts, the
variable definitions from sections.c and define them as symbols within
the correct section.

[0] binutils commit 6b3b0ab89663 ("Make linker assigned symbol dynamic only for shared object")

Suggested-by: Sam Edwards &lt;CFSworks@gmail.com&gt;
Reviewed-by: Sam Edwards &lt;CFSworks@gmail.com&gt;
Reviewed-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Tested-by: Sam Edwards &lt;CFSworks@gmail.com&gt; # Binary output identical
Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>arm: fix __efi_runtime_rel_start/end definitions</title>
<updated>2024-03-29T14:39:25+00:00</updated>
<author>
<name>Ilias Apalodimas</name>
<email>ilias.apalodimas@linaro.org</email>
</author>
<published>2024-03-15T06:43:47+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=6b7f91cd837cdb3262c2964e31bc5dd912f2ca8c'/>
<id>6b7f91cd837cdb3262c2964e31bc5dd912f2ca8c</id>
<content type='text'>
__efi_runtime_rel_start/end are defined as C variables for arm7 only in
order to force the compiler to emit relative references. However, defining
those within a section definition will do the same thing since [0].
On top of that the v8 linker scripts define it as a symbol.

So let's remove the special sections from the linker scripts, the
variable definitions from sections.c and define them as symbols within
the correct section.

[0] binutils commit 6b3b0ab89663 ("Make linker assigned symbol dynamic only for shared object")

Suggested-by: Sam Edwards &lt;CFSworks@gmail.com&gt;
Reviewed-by: Sam Edwards &lt;CFSworks@gmail.com&gt;
Tested-by: Sam Edwards &lt;CFSworks@gmail.com&gt; # Binary output identical
Reviewed-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
__efi_runtime_rel_start/end are defined as C variables for arm7 only in
order to force the compiler to emit relative references. However, defining
those within a section definition will do the same thing since [0].
On top of that the v8 linker scripts define it as a symbol.

So let's remove the special sections from the linker scripts, the
variable definitions from sections.c and define them as symbols within
the correct section.

[0] binutils commit 6b3b0ab89663 ("Make linker assigned symbol dynamic only for shared object")

Suggested-by: Sam Edwards &lt;CFSworks@gmail.com&gt;
Reviewed-by: Sam Edwards &lt;CFSworks@gmail.com&gt;
Tested-by: Sam Edwards &lt;CFSworks@gmail.com&gt; # Binary output identical
Reviewed-by: Richard Henderson &lt;richard.henderson@linaro.org&gt;
Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>treewide: rework linker symbol declarations in sections header</title>
<updated>2023-08-09T13:21:42+00:00</updated>
<author>
<name>Shiji Yang</name>
<email>yangshiji66@outlook.com</email>
</author>
<published>2023-08-03T01:47:16+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=506df9dc5881b74ca6463b89e9edcd14732a7da5'/>
<id>506df9dc5881b74ca6463b89e9edcd14732a7da5</id>
<content type='text'>
1. Convert all linker symbols to char[] type so that we can get the
   corresponding address by calling array name 'var' or its address
   '&amp;var'. In this way, we can avoid some potential issues[1].
2. Remove unused symbol '_TEXT_BASE'. It has been abandoned and has
   not been referenced by any source code.
3. Move '__data_end' to the arch x86's own sections header as it's
   only used by x86 arch.
4. Remove some duplicate declared linker symbols. Now we use the
   standard header file to declare them.

[1] This patch fixes the boot failure on MIPS target. Error log:
SPL: Image overlaps SPL

Fixes: 1b8a1be1a1f1 ("spl: spl_legacy: Fix spl_end address")
Signed-off-by: Shiji Yang &lt;yangshiji66@outlook.com&gt;
Reviewed-by: Tom Rini &lt;trini@konsulko.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
1. Convert all linker symbols to char[] type so that we can get the
   corresponding address by calling array name 'var' or its address
   '&amp;var'. In this way, we can avoid some potential issues[1].
2. Remove unused symbol '_TEXT_BASE'. It has been abandoned and has
   not been referenced by any source code.
3. Move '__data_end' to the arch x86's own sections header as it's
   only used by x86 arch.
4. Remove some duplicate declared linker symbols. Now we use the
   standard header file to declare them.

[1] This patch fixes the boot failure on MIPS target. Error log:
SPL: Image overlaps SPL

Fixes: 1b8a1be1a1f1 ("spl: spl_legacy: Fix spl_end address")
Signed-off-by: Shiji Yang &lt;yangshiji66@outlook.com&gt;
Reviewed-by: Tom Rini &lt;trini@konsulko.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Revert "efi_capsule: Move signature from DTB to .rodata"</title>
<updated>2021-09-18T09:47:50+00:00</updated>
<author>
<name>Simon Glass</name>
<email>sjg@chromium.org</email>
</author>
<published>2021-08-02T14:44:31+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=47a25e81d35c8d801cae9089de90c9ffea083409'/>
<id>47a25e81d35c8d801cae9089de90c9ffea083409</id>
<content type='text'>
This was unfortunately applied despite much discussion about it being
the wrong way to implement this feature.

Revert it before too many other things are built on top of it.

This reverts commit ddf67daac39de76d2697d587148f4c2cb768f492.
Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This was unfortunately applied despite much discussion about it being
the wrong way to implement this feature.

Revert it before too many other things are built on top of it.

This reverts commit ddf67daac39de76d2697d587148f4c2cb768f492.
Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>efi_capsule: Move signature from DTB to .rodata</title>
<updated>2021-07-18T12:43:56+00:00</updated>
<author>
<name>Ilias Apalodimas</name>
<email>ilias.apalodimas@linaro.org</email>
</author>
<published>2021-07-17T14:26:44+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=ddf67daac39de76d2697d587148f4c2cb768f492'/>
<id>ddf67daac39de76d2697d587148f4c2cb768f492</id>
<content type='text'>
The capsule signature is now part of our DTB.  This is problematic when a
user is allowed to change/fixup that DTB from U-Boot's command line since he
can overwrite the signature as well.
So instead of adding the key on the DTB, embed it in the U-Boot binary
itself as part of its .rodata.  This assumes that the U-Boot binary we load
is authenticated by a previous boot stage loader.

Reviewed-by: Masami Hiramatsu &lt;masami.hiramatsu@linaro.org&gt;
Tested-by: Masami Hiramatsu &lt;masami.hiramatsu@linaro.org&gt;
Tested-by: Sughosh Ganu &lt;sughosh.ganu@linaro.org&gt;
Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The capsule signature is now part of our DTB.  This is problematic when a
user is allowed to change/fixup that DTB from U-Boot's command line since he
can overwrite the signature as well.
So instead of adding the key on the DTB, embed it in the U-Boot binary
itself as part of its .rodata.  This assumes that the U-Boot binary we load
is authenticated by a previous boot stage loader.

Reviewed-by: Masami Hiramatsu &lt;masami.hiramatsu@linaro.org&gt;
Tested-by: Masami Hiramatsu &lt;masami.hiramatsu@linaro.org&gt;
Tested-by: Sughosh Ganu &lt;sughosh.ganu@linaro.org&gt;
Signed-off-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>dm: core: Allow storing priv/plat data separately</title>
<updated>2021-03-26T04:03:09+00:00</updated>
<author>
<name>Simon Glass</name>
<email>sjg@chromium.org</email>
</author>
<published>2021-03-15T04:25:38+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=baf0371883b243fa793ba3f984704b027705d6a9'/>
<id>baf0371883b243fa793ba3f984704b027705d6a9</id>
<content type='text'>
At present the device priv/data data allocated by dtoc is stored in the
data section along with other variables. On some platforms it is better
to allocate space for it separately, e.g. if SPL is running from read-only
memory.

Create a new space with the same size as that allocated by dtoc, ready for
use.

Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
At present the device priv/data data allocated by dtoc is stored in the
data section along with other variables. On some platforms it is better
to allocate space for it separately, e.g. if SPL is running from read-only
memory.

Create a new space with the same size as that allocated by dtoc, ready for
use.

Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>efi_loader: pre-seed UEFI variables</title>
<updated>2020-07-16T10:37:02+00:00</updated>
<author>
<name>Heinrich Schuchardt</name>
<email>xypron.glpk@gmx.de</email>
</author>
<published>2020-07-14T19:25:28+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=7dda16343d2577a52116148540ad7d17c6f19e55'/>
<id>7dda16343d2577a52116148540ad7d17c6f19e55</id>
<content type='text'>
Include a file with the initial values for non-volatile UEFI variables
into the U-Boot binary. If this variable is set, changes to variable PK
will not be allowed.

Signed-off-by: Heinrich Schuchardt &lt;xypron.glpk@gmx.de&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Include a file with the initial values for non-volatile UEFI variables
into the U-Boot binary. If this variable is set, changes to variable PK
will not be allowed.

Signed-off-by: Heinrich Schuchardt &lt;xypron.glpk@gmx.de&gt;
</pre>
</div>
</content>
</entry>
</feed>
