u-boot.git/lib/efi_loader/efi_capsule.c, branch next Unnamed repository; edit this file 'description' to name the repository. Merge patch series "treewide: Clean up usage of DECLARE_GLOBAL_DATA_PTR" 2026-02-17T19:51:26+00:00 Tom Rini trini@konsulko.com 2026-02-17T19:51:26+00:00 9ddccb51443d4856e5ad2f06cc3552627b86b3d9 Peng Fan (OSS) <peng.fan@oss.nxp.com> says: This patch set primarily removes unused DECLARE_GLOBAL_DATA_PTR instances. Many files declare DECLARE_GLOBAL_DATA_PTR and include asm/global_data.h even though gd is never used. In these cases, asm/global_data.h is effectively treated as a proxy header, which is not a good practice. Following the Include What You Use principle, files should include only the headers they actually depend on, rather than relying on global_data.h indirectly. This approach is also adopted in Linux kernel [1]. The first few patches are prepartion to avoid building break after remove the including of global_data.h. A script is for filtering the files: list=`find . -name "*.[ch]"` for source in ${list} do result=`sed -n '/DECLARE_GLOBAL_DATA_PTR/p' ${source}` if [ "${result}" == "DECLARE_GLOBAL_DATA_PTR;" ]; then echo "Found in ${source}" result=`sed -n '/\<gd\>/p' ${source}` result2=`sed -n '/\<gd_/p' ${source}` result3=`sed -n '/\<gd->/p' ${source}` if [ "${result}" == "" ] && [ "${result2}" == "" ] && [ "${result3}" == "" ];then echo "Cleanup ${source}" sed -i '/DECLARE_GLOBAL_DATA_PTR/{N;/\n[[:space:]]*$/d;s/.*\n//;}' ${source} sed -i '/DECLARE_GLOBAL_DATA_PTR/d' ${source} sed -i '/global_data.h/d' ${source} git add ${source} fi fi done [1] https://lpc.events/event/17/contributions/1620/attachments/1228/2520/Linux%20Kernel%20Header%20Optimization.pdf CI: https://github.com/u-boot/u-boot/pull/865 Link: https://lore.kernel.org/r/20260209-cleanup-v2-0-73a3a84ddbdb@nxp.com 
Peng Fan (OSS) <peng.fan@oss.nxp.com> says:

This patch set primarily removes unused DECLARE_GLOBAL_DATA_PTR
instances.

Many files declare DECLARE_GLOBAL_DATA_PTR and include
asm/global_data.h even though gd is never used. In these cases,
asm/global_data.h is effectively treated as a proxy header, which is
not a good practice.

Following the Include What You Use principle, files should include
only the headers they actually depend on, rather than relying on
global_data.h indirectly. This approach is also adopted in Linux kernel
[1].

The first few patches are prepartion to avoid building break after
remove the including of global_data.h.

A script is for filtering the files:
list=`find . -name "*.[ch]"`
for source in ${list}
do
        result=`sed -n '/DECLARE_GLOBAL_DATA_PTR/p' ${source}`
        if [ "${result}" == "DECLARE_GLOBAL_DATA_PTR;" ]; then
                echo "Found in ${source}"

                result=`sed -n '/\<gd\>/p' ${source}`
                result2=`sed -n '/\<gd_/p' ${source}`
                result3=`sed -n '/\<gd->/p' ${source}`
                if [ "${result}" == "" ] && [ "${result2}" == "" ] && [ "${result3}" == "" ];then
                        echo "Cleanup ${source}"
                        sed -i '/DECLARE_GLOBAL_DATA_PTR/{N;/\n[[:space:]]*$/d;s/.*\n//;}' ${source}
                        sed -i '/DECLARE_GLOBAL_DATA_PTR/d' ${source}
                        sed -i '/global_data.h/d' ${source}
                        git add ${source}
                fi
        fi
done

[1] https://lpc.events/event/17/contributions/1620/attachments/1228/2520/Linux%20Kernel%20Header%20Optimization.pdf

CI: https://github.com/u-boot/u-boot/pull/865

Link: https://lore.kernel.org/r/20260209-cleanup-v2-0-73a3a84ddbdb@nxp.com
treewide: Clean up DECLARE_GLOBAL_DATA_PTR usage 2026-02-17T19:50:22+00:00 Peng Fan peng.fan@nxp.com 2026-02-09T01:30:18+00:00 0f90b1e715f8abe41b0875752eb184f46032ff11 Remove DECLARE_GLOBAL_DATA_PTR from files where gd is not used, and drop the unnecessary inclusion of asm/global_data.h. Headers should be included directly by the files that need them, rather than indirectly via global_data.h. Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com> #STMicroelectronics boards and STM32MP1 ram test driver Tested-by: Anshul Dalal <anshuld@ti.com> #TI boards Acked-by: Yao Zi <me@ziyao.cc> #TH1520 Signed-off-by: Peng Fan <peng.fan@nxp.com> 
Remove DECLARE_GLOBAL_DATA_PTR from files where gd is not used, and
drop the unnecessary inclusion of asm/global_data.h.

Headers should be included directly by the files that need them,
rather than indirectly via global_data.h.

Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com> #STMicroelectronics boards and STM32MP1 ram test driver
Tested-by: Anshul Dalal <anshuld@ti.com> #TI boards
Acked-by: Yao Zi <me@ziyao.cc> #TH1520
Signed-off-by: Peng Fan <peng.fan@nxp.com>
fwu: Pass bank state enum to fwu_state_machine_updates() 2026-02-11T10:17:18+00:00 Kory Maincent kory.maincent@bootlin.com 2026-01-19T16:07:41+00:00 e8d9ad18f068f65537bc04779d6110a1058bfb1e Change fwu_state_machine_updates() to accept an enum fwu_bank_states parameter instead of a boolean. This makes the function interface more explicit and prepares for adding FWU_BANK_INVALID support to handle boot failures on the active bank. Convert the FWU_BANK_* defines to an enum and update all call sites accordingly. Signed-off-by: Kory Maincent <kory.maincent@bootlin.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Change fwu_state_machine_updates() to accept an enum fwu_bank_states
parameter instead of a boolean. This makes the function interface more
explicit and prepares for adding FWU_BANK_INVALID support to handle
boot failures on the active bank.

Convert the FWU_BANK_* defines to an enum and update all call sites
accordingly.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_loader: Trigger capsule updates with automatically generated boot options 2025-12-24T07:32:35+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2025-12-17T09:40:04+00:00 2ca1d6028446c612c55a7c49431d793b28ba2195 The EFI spec in §8.5.5 says "The directory \EFI\UpdateCapsule is checked for capsules only within the EFI system partition on the device specified in the active boot option determine by reference to BootNext variable or BootOrder variable processing." Automatically generated boot options don't point to the ESP, they point to the disk itself and find_handle() won't match when searching for an ESP during a capsule update. This happens because find_handle() only matches device paths that are shorter or equal to the device path passed as an argument. Since the EFI spec allows it we want to allow capsule updates, when the boot option points to a disk, but that disk contains an ESP with a \EFI\UpdateCapsule directory. So, let's change device_is_present_and_system_part() and check if the supplied device path contains an ESP. If it does return the handle of the device. Otherwise, iterate over child devices and return the handle of the first child that contains an ESP. The returned handle can then be reused later. Rather than calling efi_fs_from_path(), we can simply look up the EFI_SIMPLE_FILE_SYSTEM_PROTOCOL on the discovered handle, avoiding the need to re-parse device paths. Reported-by: Balaji Selvanathan <balaji.selvanathan@oss.qualcomm.com> Reported-by: John Toomey <john.toomey@amd.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
The EFI spec in §8.5.5 says
"The directory \EFI\UpdateCapsule is checked for capsules only within
 the EFI system partition on the device specified in the active boot
 option determine by reference to BootNext variable or BootOrder variable
 processing."

Automatically generated boot options don't point to the ESP, they point to
the disk itself and find_handle() won't match when searching for an ESP
during a capsule update.
This happens because find_handle() only matches device paths that are
shorter or equal to the device path passed as an argument.
Since the EFI spec allows it we want to allow capsule updates, when the
boot option points to a disk, but that disk contains an ESP with a
\EFI\UpdateCapsule directory.

So, let's change device_is_present_and_system_part() and check if the
supplied device path contains an ESP. If it does return the handle of
the device. Otherwise, iterate over child devices and return the handle
of the first child that contains an ESP.

The returned handle can then be reused later. Rather than calling
efi_fs_from_path(), we can simply look up the EFI_SIMPLE_FILE_SYSTEM_PROTOCOL
on the discovered handle, avoiding the need to re-parse device paths.

Reported-by: Balaji Selvanathan <balaji.selvanathan@oss.qualcomm.com>
Reported-by: John Toomey <john.toomey@amd.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi_loader: Fix a memory leak when retrieving device paths from boot vars 2025-12-06T10:43:28+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2025-11-27T12:19:06+00:00 ad53505a4861ad7eec5c6a919ea39692d915e433 get_dp_device() is used to derive the device path from a boot variable. However, if the last efi_get_variable_int() call fails, we return an error without freeing 'buf'. There's no need to call efi_get_variable_int() for variables we don't know the size since we have the efi_get_var() wrapper. Replace that in the two instances we use it. The first one will also fix the memory leak. A nice sideeffect is that the code size is also reduced, since we are re-using functions instead of open coding them $~ bloat-o-meter u-boot u-boot.new add/remove: 0/0 grow/shrink: 1/2 up/down: 6/-196 (-190) Function old new delta version_string 70 76 +6 efi_launch_capsules 2288 2196 -92 get_dp_device 244 140 -104 Total: Before=1222331, After=1222141, chg -0.02% Fixes: c74cd8bd08d1 ("efi_loader: capsule: add capsule_on_disk support") Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
get_dp_device() is used to derive the device path from a boot variable.
However, if the last efi_get_variable_int() call fails, we return an
error without freeing 'buf'.

There's no need to call efi_get_variable_int() for variables we don't
know the size since we have the efi_get_var() wrapper.

Replace that in the two instances we use it. The first one will also
fix the memory leak.
A nice sideeffect is that the code size is also reduced, since we are
re-using functions instead of open coding them

$~ bloat-o-meter u-boot u-boot.new
add/remove: 0/0 grow/shrink: 1/2 up/down: 6/-196 (-190)
Function                                     old     new   delta
version_string                                70      76      +6
efi_launch_capsules                         2288    2196     -92
get_dp_device                                244     140    -104
Total: Before=1222331, After=1222141, chg -0.02%

Fixes: c74cd8bd08d1 ("efi_loader: capsule: add capsule_on_disk support")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi_loader: Prevent leak of memory from tmp_files 2025-10-18T09:41:31+00:00 Andrew Goodbody andrew.goodbody@linaro.org 2025-10-03T14:54:34+00:00 11a64138f5f3525c2b02059e316701c4f55714cb After the malloc of tmp_files and before its value is recorded an early exit will need to free tmp_files to prevent leaking that memory. This issue was found by Smatch. Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org> Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de> 
After the malloc of tmp_files and before its value is recorded an early
exit will need to free tmp_files to prevent leaking that memory.

This issue was found by Smatch.

Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_loader: Separate device path into its own header 2025-05-25T09:27:18+00:00 Simon Glass sjg@chromium.org 2025-05-24T17:28:21+00:00 f4bbd7b9faa4c20e5b838d7ea609ebadc7305ba0 These functions are useful for the EFI app. As a first step towards making these available outside lib/efi_loader, create a separate header file and include it where needed. Add proper comments to the functions, since many are missing at present. Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
These functions are useful for the EFI app. As a first step towards
making these available outside lib/efi_loader, create a separate header
file and include it where needed. Add proper comments to the functions,
since many are missing at present.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi_loader: Move public cert for capsules to .rodata 2025-04-11T11:25:31+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2025-04-01T11:27:25+00:00 fd58c275f6ba524101ba0990e53f5a11ac390bd0 commit ddf67daac39d ("efi_capsule: Move signature from DTB to .rodata") was reverted in commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"") because that's what U-Boot was usually doing -- using the DT to store configuration and data. Some of the discussions can be found here [0]. (Ab)using the device tree to store random data isn't ideal though. On top of that with new features introduced over the years, keeping the certificates in the DT has proven to be problematic. One of the reasons is that platforms might send U-Boot a DTB from the previous stage loader using a transfer list which won't contain the signatures since other loaders are not aware of internal U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding the capsule certificate there does not work and requires users to dump it and re-create it injecting the public keys. Now that we have proper memory permissions for arm64, move the certificate to .rodata and read it from there. [0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/ Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Tested-by: Jonathan Humphreys <j-humphreys@ti.com> # on TI sk-am62p-lp Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on AML-A311D-CC Tested-by: Raymond Mao <raymond.mao@linaro.org> 
commit ddf67daac39d ("efi_capsule: Move signature from DTB to .rodata")
was reverted in
commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"")
because that's what U-Boot was usually doing -- using the DT to store
configuration and data. Some of the discussions can be found here [0].

(Ab)using the device tree to store random data isn't ideal though.
On top of that with new features introduced over the years, keeping
the certificates in the DT has proven to be problematic.
One of the reasons is that platforms might send U-Boot a DTB
from the previous stage loader using a transfer list which won't contain
the signatures since other loaders are not  aware of internal
U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding
the capsule certificate there does not work and requires users to dump
it and re-create it injecting the public keys.

Now that we have proper memory permissions for arm64, move the certificate
to .rodata and read it from there.

[0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Jonathan Humphreys <j-humphreys@ti.com>  # on TI sk-am62p-lp
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on AML-A311D-CC
Tested-by: Raymond Mao <raymond.mao@linaro.org>
fwu: print a message if empty capsule checks fail 2024-09-19T07:52:50+00:00 Sughosh Ganu sughosh.ganu@linaro.org 2024-09-09T11:20:21+00:00 6f933aa963bb971d848ff6bd1c743035bbc98ead When dealing with processing of the empty capsule, the capsule gets applied only when the checks for the empty capsule pass. Print a message to highlight if empty capsule checks fail, and return an error value, similar to the normal capsules. Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org> Tested-by: Michal Simek <michal.simek@amd.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
When dealing with processing of the empty capsule, the capsule gets
applied only when the checks for the empty capsule pass. Print a
message to highlight if empty capsule checks fail, and return an error
value, similar to the normal capsules.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Tested-by: Michal Simek <michal.simek@amd.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
include: export uuid.h 2024-09-12T15:35:37+00:00 Caleb Connolly caleb.connolly@linaro.org 2024-08-30T12:34:37+00:00 58d825fb18053ec7e432de7bbb70a452b9228076 Move this header to include/u-boot/ so that it can be used by external tools. Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org> 
Move this header to include/u-boot/ so that it can be used by external
tools.

Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>