u-boot.git/scripts/Makefile.lib, branch v2025.07-rc5 Unnamed repository; edit this file 'description' to name the repository. scripts/Makefile.lib: add PLATFORM_LIBGCC to efi linking 2025-05-11T11:30:31+00:00 Adriano Cordova adrianox@gmail.com 2025-05-08T18:30:32+00:00 43d43241d1c9592bee640227a1c8ed8bc880f255 Link .efi applications using libgcc Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com> 
Link .efi applications using libgcc

Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
efi_loader: Move public cert for capsules to .rodata 2025-04-11T11:25:31+00:00 Ilias Apalodimas ilias.apalodimas@linaro.org 2025-04-01T11:27:25+00:00 fd58c275f6ba524101ba0990e53f5a11ac390bd0 commit ddf67daac39d ("efi_capsule: Move signature from DTB to .rodata") was reverted in commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"") because that's what U-Boot was usually doing -- using the DT to store configuration and data. Some of the discussions can be found here [0]. (Ab)using the device tree to store random data isn't ideal though. On top of that with new features introduced over the years, keeping the certificates in the DT has proven to be problematic. One of the reasons is that platforms might send U-Boot a DTB from the previous stage loader using a transfer list which won't contain the signatures since other loaders are not aware of internal U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding the capsule certificate there does not work and requires users to dump it and re-create it injecting the public keys. Now that we have proper memory permissions for arm64, move the certificate to .rodata and read it from there. [0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/ Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Tested-by: Jonathan Humphreys <j-humphreys@ti.com> # on TI sk-am62p-lp Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on AML-A311D-CC Tested-by: Raymond Mao <raymond.mao@linaro.org> 
commit ddf67daac39d ("efi_capsule: Move signature from DTB to .rodata")
was reverted in
commit 47a25e81d35c ("Revert "efi_capsule: Move signature from DTB to .rodata"")
because that's what U-Boot was usually doing -- using the DT to store
configuration and data. Some of the discussions can be found here [0].

(Ab)using the device tree to store random data isn't ideal though.
On top of that with new features introduced over the years, keeping
the certificates in the DT has proven to be problematic.
One of the reasons is that platforms might send U-Boot a DTB
from the previous stage loader using a transfer list which won't contain
the signatures since other loaders are not  aware of internal
U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding
the capsule certificate there does not work and requires users to dump
it and re-create it injecting the public keys.

Now that we have proper memory permissions for arm64, move the certificate
to .rodata and read it from there.

[0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Jonathan Humphreys <j-humphreys@ti.com>  # on TI sk-am62p-lp
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on AML-A311D-CC
Tested-by: Raymond Mao <raymond.mao@linaro.org>
scripts/Makefile.lib: efi: Preserve the .dynstr section as well 2025-03-17T08:35:52+00:00 Sam Edwards cfsworks@gmail.com 2025-03-15T22:18:11+00:00 7f2fe3dda4ea5384eac4afadb8a4fe5d695e2ce1 This section is required by .dynamic and llvm-objcopy will exit with a fatal error if it is not also preserved in the output. Signed-off-by: Sam Edwards <CFSworks@gmail.com> 
This section is required by .dynamic and llvm-objcopy will exit with a
fatal error if it is not also preserved in the output.

Signed-off-by: Sam Edwards <CFSworks@gmail.com>
scripts/Makefile.lib: add -L option to LD command for EFI binaries 2025-01-17T19:31:25+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2025-01-16T11:39:06+00:00 6384229dc3fc60f3e70035a6cd6ded54c352eac4 The linker uses the path specified with -L to search for linker scripts and for linker script includes. For out-of-tree builds specify the build directory with -L instead of the absolute path of the linker script. This allows using an INCLUDE statement. Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 
The linker uses the path specified with -L to search for linker scripts
and for linker script includes.

For out-of-tree builds specify the build directory with -L instead of
the absolute path of the linker script. This allows using an INCLUDE
statement.

Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
kbuild: cherry-pick kbuild fdtoverlay changes from linux 2024-09-20T06:31:57+00:00 Prasad Kummari prasad.kummari@amd.com 2024-09-06T07:08:07+00:00 10de9b5a6a5b53a37600894115685f00d3bbfc2d Linux commits: 15d16d6dadf6 kbuild: Add generic rule to apply fdtoverlay 44f87191d105 kbuild: parameterize the .o part of suffix-search The Linux commit 15d16d6dadf6 adds a generic rule in Makefile.lib to automatically apply fdtoverlay, so that each platform doesn't need to include a complex rule. This also automatically appends DTC_FLAGS_foo_base += -@ to all base files The platform's Makefile only needs to have this now: foo-dtbs := foo_base.dtb foo_overlay1.dtbo foo_overlay2.dtbo dtb-y := foo.dtb Signed-off-by: Prasad Kummari <prasad.kummari@amd.com> Reviewed-by: Tom Rini <trini@konsulko.com> Signed-off-by: Michal Simek <michal.simek@amd.com> Link: https://lore.kernel.org/r/20240906070808.1045991-2-prasad.kummari@amd.com 
Linux commits:
15d16d6dadf6 kbuild: Add generic rule to apply fdtoverlay
44f87191d105 kbuild: parameterize the .o part of suffix-search

The Linux commit 15d16d6dadf6 adds a generic rule in Makefile.lib
to automatically apply fdtoverlay, so that each platform doesn't
need to include a complex rule. This also automatically appends
DTC_FLAGS_foo_base += -@ to all base files

The platform's Makefile only needs to have this now:

foo-dtbs := foo_base.dtb foo_overlay1.dtbo foo_overlay2.dtbo
dtb-y := foo.dtb

Signed-off-by: Prasad Kummari <prasad.kummari@amd.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Michal Simek <michal.simek@amd.com>
Link: https://lore.kernel.org/r/20240906070808.1045991-2-prasad.kummari@amd.com
scripts/Makefile.lib: do not include CONFIG_DEVICE_TREE_INCLUDES in dtsi_include_list 2024-09-10T17:31:54+00:00 Rasmus Villemoes rasmus.villemoes@prevas.dk 2024-09-03T21:59:36+00:00 5f044932413694475422d4b16607dfcf9aff8781 The commit mentioned in Fixes broke the CONFIG_DEVICE_TREE_INCLUDES feature, with the result that any board setting any non-empty value for that fails to build. The parent of the mentioned commit refactoring a bit by introducing the dtsi_include_list variable and changing cmd_dtc to loop over that was fine. However, the .dtsi files mentioned in CONFIG_DEVICE_TREE_INCLUDES are not supposed to be generated via the build system. They are meant for e.g. including a public key for verified boot (generated with the key2dtsi script), or for injecting some stuff to the /config node (say, a bootcmd or a load-environment setting or things like that). The files can either live in-tree in a private branch or completely outside, e.g. in some Yocto metadata. But regardless, U-Boot's build system will never know anything about them, so when the mentioned commit did dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list))) things broke, because if CONFIG_DEVICE_TREE_INCLUDES is for example "/path/to/public_key.dtsi", this would add a dependency on $(obj)//path/to/public_key.dtsi to each $(obj)/*.dtb target, yielding make[3]: *** No rule to make target 'arch/arm/dts/imx6dl-aristainetos2c_7.dtb', needed by 'dtbs'. Stop. To fix that while preserving the introduced CONFIG_EFI_CAPSULE_ESL_FILE behaviour, disentangle CONFIG_DEVICE_TREE_INCLUDES from dtsi_include_list from which dtsi_include_list_deps is built, and instead just add the items directly to the $(foreach) loop. Fixes: a958988b62 ("scripts/Makefile.lib: Add dtsi include files as deps for building DTB") Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk> Tested-by: Emil Kronborg <emil.kronborg@protonmail.com> 
The commit mentioned in Fixes broke the
CONFIG_DEVICE_TREE_INCLUDES feature, with the result that any board
setting any non-empty value for that fails to build.

The parent of the mentioned commit refactoring a bit by introducing
the dtsi_include_list variable and changing cmd_dtc to loop over that
was fine.

However, the .dtsi files mentioned in CONFIG_DEVICE_TREE_INCLUDES are
not supposed to be generated via the build system. They are meant for
e.g. including a public key for verified boot (generated with the
key2dtsi script), or for injecting some stuff to the /config
node (say, a bootcmd or a load-environment setting or things like
that). The files can either live in-tree in a private branch or
completely outside, e.g. in some Yocto metadata.

But regardless, U-Boot's build system will never know anything about
them, so when the mentioned commit did

dtsi_include_list_deps = $(addprefix $(obj)/,$(subst $(quote),,$(dtsi_include_list)))

things broke, because if CONFIG_DEVICE_TREE_INCLUDES is for example
"/path/to/public_key.dtsi", this would add a dependency on
$(obj)//path/to/public_key.dtsi to each $(obj)/*.dtb target, yielding

make[3]: *** No rule to make target 'arch/arm/dts/imx6dl-aristainetos2c_7.dtb', needed by 'dtbs'.  Stop.

To fix that while preserving the introduced
CONFIG_EFI_CAPSULE_ESL_FILE behaviour, disentangle
CONFIG_DEVICE_TREE_INCLUDES from dtsi_include_list from which
dtsi_include_list_deps is built, and instead just add the items
directly to the $(foreach) loop.

Fixes: a958988b62 ("scripts/Makefile.lib: Add dtsi include files as deps for building DTB")
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Tested-by: Emil Kronborg <emil.kronborg@protonmail.com>
Merge patch series "finish using .dtso for overlay source files" 2024-07-18T23:03:47+00:00 Tom Rini trini@konsulko.com 2024-07-18T19:51:15+00:00 cbfd2c28a007ae7601e5451aa2ad750b0453d518 Rasmus Villemoes <rasmus.villemoes@prevas.dk> says: This is a followup to the patches that landed in 2024.01 and nearly made sure that source files for producing .dtbo files use the .dtso extension. In the same release, a few new .dts files snuck in, and there was also some test code involving .dtbo -> .dtbo.S -> .dtbo.o I didn't really know how to handle at the time. This should finish the job, bring us in sync with linux (at least in this respect), and drop the .dts -> .dtbo build rule. 
Rasmus Villemoes <rasmus.villemoes@prevas.dk> says:

This is a followup to the patches that landed in 2024.01 and nearly
made sure that source files for producing .dtbo files use the .dtso
extension. In the same release, a few new .dts files snuck in, and
there was also some test code involving .dtbo -> .dtbo.S -> .dtbo.o I
didn't really know how to handle at the time. This should finish the
job, bring us in sync with linux (at least in this respect), and drop
the .dts -> .dtbo build rule.
kbuild: Disallow DTB overlays to built from .dts named source files 2024-07-18T19:51:07+00:00 Rasmus Villemoes rasmus.villemoes@prevas.dk 2024-07-10T07:16:12+00:00 e1ad98ed9b2868f0f2930738f63e4e58b0de9b04 [equivalent to linux commit 81d362732bac] As a follow up to the series allowing DTB overlays to built from .dtso files. Now that all overlays have been renamed, remove the ability to build from overlays from .dts files to prevent any files with the old name from accidental being added. Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk> 
[equivalent to linux commit 81d362732bac]

As a follow up to the series allowing DTB overlays to built from .dtso
files. Now that all overlays have been renamed, remove the ability to
build from overlays from .dts files to prevent any files with the old
name from accidental being added.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
kbuild: Allow DTB overlays to built into .dtbo.S files 2024-07-18T19:51:06+00:00 Rasmus Villemoes rasmus.villemoes@prevas.dk 2024-07-10T07:16:09+00:00 06518fdf24e5fdf3561eb66c00bd8946cf5b0e58 [linux commit 941214a512d8, modified for U-Boot by removing the include of vmlinux.lds.h and replacing STRUCT_ALIGNMENT by 16.] DTB files can be built into the kernel by converting them to assembly files then assembling them into object files. We extend this here for DTB overlays with the .dtso extensions. We change the start and end delimiting tag prefix to make it clear that this data came from overlay files. Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk> 
[linux commit 941214a512d8, modified for U-Boot by removing the
include of vmlinux.lds.h and replacing STRUCT_ALIGNMENT by 16.]

DTB files can be built into the kernel by converting them to assembly
files then assembling them into object files. We extend this here
for DTB overlays with the .dtso extensions.

We change the start and end delimiting tag prefix to make it clear that
this data came from overlay files.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
scripts/Makefile.lib: EFI: Use capsule CRT instead of ESL file 2024-07-14T07:56:24+00:00 Jonathan Humphreys j-humphreys@ti.com 2024-06-13T20:27:53+00:00 659f97eb1fc30296aa64e2ad9f4b7578e183aea5 The EFI Capsule ESL file (EFI Signature List File) used for authentication is a binary generated from the EFI Capsule public key certificate. Instead of including it in the source repo, automatically generate it from the certificate file during the build process. Currently, sandbox is the only device using this, so removed its ESL file and set the (new) CONFIG_EFI_CAPSULE_CRT_FILE config to point to its public key certificate. Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com> 
The EFI Capsule ESL file (EFI Signature List File) used for authentication
is a binary generated from the EFI Capsule public key certificate. Instead
of including it in the source repo, automatically generate it from the
certificate file during the build process.

Currently, sandbox is the only device using this, so removed its ESL file
and set the (new) CONFIG_EFI_CAPSULE_CRT_FILE config to point to its public
key certificate.

Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>