<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git/test/boot, branch main</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<id>http://cgit.235523.xyz/u-boot.git/atom/test/boot?h=main</id>
<link rel='self' href='http://cgit.235523.xyz/u-boot.git/atom/test/boot?h=main'/>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<updated>2026-07-16T18:06:40Z</updated>
<entry>
<title>Merge patch series "vbe: bound FIT external-data reads against the firmware area"</title>
<updated>2026-07-16T18:06:40Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-07-16T18:06:40Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=91303d8a663248e15bd76801778ff709e490d88d'/>
<id>urn:sha1:91303d8a663248e15bd76801778ff709e490d88d</id>
<content type='text'>
Aristo Chen &lt;aristo.chen@canonical.com&gt; says:

vbe_read_fit() loads a firmware-phase FIT from a fixed firmware area on
a block device and then issues a follow-up blk_read() to pull in the
image, and optionally an FDT, referenced by the FIT's image node. The
source offset on the device and the read length both come from the FIT
itself, via data-position or data-offset and data-size. Those properties
live on mutable boot media and can be controlled by an attacker with
write access to the firmware area. On the TPL or VPL path, and on the
bootmeth bootflow path reached via abrec_read_bootflow_fw() and
vbe_simple_read_bootflow_fw(), the follow-up blk_read() runs before any
signature or hash check on the loaded phase.

Patch 1 is a sandbox test-tree preparation. The firmware1 node in
arch/sandbox/dts/test.dts declared area-size = 0xe00000 (14 MiB), but
the binman fw-update section in sandbox_vpl.dtsi is 32 MiB and the FIT
inside it carries ~16 MiB of external data, so the FIT already extended
past the declared area. The mismatch was tolerated because no caller
bounded the external-data load against area_size. Patch 1 raises
area-size to match the binman section size so test_vbe_vpl keeps passing
once the bound is enforced. The patches are ordered so the test is never
broken in the middle of the series.

Patch 2 adds the missing range check, confining the FIT-supplied
[load_addr, load_addr + len) window to [addr, addr + area_size] before
block numbers and lengths are computed, and applying the same constraint
to fdt_load_addr and fdt_size. The check is written in subtraction-only
form against the trusted area_size so the comparison cannot itself
overflow.

Patch 3 adds two sandbox unit tests under test/boot/ that construct
synthetic FITs with out-of-range data-position and oversized data-size,
write them to mmc1, and confirm vbe_read_fit() returns -E2BIG for each
before issuing the follow-up blk_read().

Deferring the external-data blk_read() until after the phase has been
signature-verified would be a stronger structural fix and was discussed
on the v1 thread. Simon confirmed the bounded read is the right first
step and that the verify-then-load change should be a separate series,
so this v3 stays scoped to the bound.

Link: https://lore.kernel.org/r/20260705034414.2247-1-aristo.chen@canonical.com
</content>
</entry>
<entry>
<title>test: vbe: cover vbe_read_fit() external-data bounds checks</title>
<updated>2026-07-16T18:06:15Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-07-05T03:44:11Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=9fa00f563bea7ac4a4fda3220e05b21ebd4a242f'/>
<id>urn:sha1:9fa00f563bea7ac4a4fda3220e05b21ebd4a242f</id>
<content type='text'>
vbe_read_fit() rejects FITs whose external-data window extends past the
trusted firmware area on disk by returning -E2BIG. Add two sandbox unit
tests that construct synthetic FITs with attacker-controlled
data-position and data-size values, write them to mmc1, and assert
vbe_read_fit() catches each one before issuing the follow-up
blk_read().

vbe_read_fit_oob_position uses a data-position past area_size, which
trips the load_addr - addr &gt; area_size clause. vbe_read_fit_oversize_data
keeps data-position inside the area but picks a data-size that overruns
area_size - (load_addr - addr), tripping the third clause.

The two remaining bound clauses stay unreachable from a sandbox test.
The load_addr &lt; addr guard trivially holds when addr comes from
CONFIG_VAL(TEXT_BASE), which is 0 on sandbox, and the FDT-region bound
sits behind a !CONFIG_SANDBOX guard in vbe_read_fit(), so fdt_size stays
0 and that block is skipped in this test environment.

The new file follows the existing bootstd VBE test layout and writes
the FIT at block 16, past the version and nvdata blocks already used by
bootstd_setup_for_tests().

Suggested-by: Simon Glass &lt;sjg@chromium.org&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
<entry>
<title>test: bootdev: scan with a broken high-priority device</title>
<updated>2026-07-03T16:14:25Z</updated>
<author>
<name>Denis Mukhin</name>
<email>dmukhin@ford.com</email>
</author>
<published>2026-06-23T22:06:30Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=93e9af685fefc454580dcf567b03c139a2fe8ebc'/>
<id>urn:sha1:93e9af685fefc454580dcf567b03c139a2fe8ebc</id>
<content type='text'>
Add bootdev_hunt_fallthrough() test to verify that 'bootflow scan -l'
falls back to a lower-priority bootdev when a higher-priority hunter
fails.

Introduce a simple 'sandbox-bootdev' device for the test. The new
bootdev can be configured to produce an error at the hunting stage.

Introduce new host_set_flags_by_label() API and a flags field to
'host_sb_plat' to simulate a bootdev hunter failure for the test.

Adjust boot{dev,flow} tests which depend on bootdev hunters.

Signed-off-by: Denis Mukhin &lt;dmukhin@ford.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>Merge patch series "various memory related fixups"</title>
<updated>2026-06-15T17:04:48Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-06-15T17:04:48Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a0a1e9f2f1dffed04ee52723ce957c07bb905c25'/>
<id>urn:sha1:a0a1e9f2f1dffed04ee52723ce957c07bb905c25</id>
<content type='text'>
rs@ti.com &lt;rs@ti.com&gt; says:

From: Randolph Sapp &lt;rs@ti.com&gt;

Nitpicks and fixes from the discovery thread on adding PocketBeagle2 support
[1]. This does a lot of general setup required for the device, but these
modifications themselves aren't device specific. For those specifically
interested in PocketBeagle2 support and don't care about these details, my
development branch is public [2].

That first patch may provoke some opinions, but honestly if that warning was
still present I wouldn't have spent a week poking holes in both the EFI and LMB
allocations systems. Please let me know if there is a specific usecase that it
breaks though.

[1] https://lore.kernel.org/all/DHHC66BBMD27.YHGIH43C6XBK@ti.com/
[2] https://github.com/StaticRocket/u-boot/tree/feature/pocketbeagle2

Link: https://lore.kernel.org/r/20260604155038.3182-1-rs@ti.com
</content>
</entry>
<entry>
<title>test: boot: add a fdt reserved region check</title>
<updated>2026-06-15T17:04:39Z</updated>
<author>
<name>Randolph Sapp</name>
<email>rs@ti.com</email>
</author>
<published>2026-06-04T15:50:37Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=de12fa4df89277460aacaea7c9a43421190ee04d'/>
<id>urn:sha1:de12fa4df89277460aacaea7c9a43421190ee04d</id>
<content type='text'>
Add a image_fdt suite and a check for boot_fdt_add_mem_rsv_regions. This
will ensure the user is properly informed of any reservation failures.
It will also validate that reservations are cleaned up correctly when
switching FDTs.

Signed-off-by: Randolph Sapp &lt;rs@ti.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Acked-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</content>
</entry>
<entry>
<title>test: boot: add runtime unit test for fit_verity_build_cmdline()</title>
<updated>2026-05-27T19:41:33Z</updated>
<author>
<name>Daniel Golle</name>
<email>daniel@makrotopia.org</email>
</author>
<published>2026-05-15T23:38:27Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=e7ee728ace3c6cc45fce3d8f14560d2be99ec07a'/>
<id>urn:sha1:e7ee728ace3c6cc45fce3d8f14560d2be99ec07a</id>
<content type='text'>
Add test/boot/fit_verity.c with four tests that construct FIT blobs
in memory and exercise fit_verity_build_cmdline().

Signed-off-by: Daniel Golle &lt;daniel@makrotopia.org&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>test: boot: Add test for bootmeth_rauc</title>
<updated>2026-03-06T18:09:17Z</updated>
<author>
<name>Martin Schwan</name>
<email>m.schwan@phytec.de</email>
</author>
<published>2026-02-18T13:35:07Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=36add050eea439f0b2a15e4ea0d3a8e21216f159'/>
<id>urn:sha1:36add050eea439f0b2a15e4ea0d3a8e21216f159</id>
<content type='text'>
Add a simple unit test for testing the RAUC bootmethod. Provide only the
very basic tests for now, running a scan and list, to verify correct
detection of the RAUC bootmethod. More advanced boot tests of this
bootmethod can be added in a separate patch.

This requires another mmc image (mmc10) to contain the following
partitions:

1. boot A: contains a dummy boot.scr
2. root A: contains an empty root filesystem
3. boot B: contains a dummy boot.scr
4. root B: contains an empty root filesystem

The bootmeth_rauc scans all four partitions for existence and expects a
boot script in each boot partition.

Also add BOOTMETH_RAUC as a dependency on sandbox so that we can test
this with:

$ ./test/py/test.py -B sandbox --build -k test_ut # build the mmc10.img
$ ./test/py/test.py -B sandbox --build -k bootflow_rauc

Signed-off-by: Martin Schwan &lt;m.schwan@phytec.de&gt;
Reviewed-by: Simon Glass &lt;simon.glass@canonical.com&gt;
[trini: mmc9 is now in use, switch to mmc10]
Signed-off-by: Tom Rini &lt;trini@konsulko.com&gt;
</content>
</entry>
<entry>
<title>Merge patch series "Convert extension support to UCLASS and adds its support to boot flows"</title>
<updated>2025-11-03T16:12:05Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2025-11-03T16:12:05Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=9ccda31f54881d3321263a81599454a1d6efb65e'/>
<id>urn:sha1:9ccda31f54881d3321263a81599454a1d6efb65e</id>
<content type='text'>
Kory Maincent (TI.com) &lt;kory.maincent@bootlin.com&gt; says:

This series converts the extension board framework to use UCLASS as
requested by Simon Glass, then adds extension support to pxe_utils
and bootmeth_efi (not tested) to enable extension boards devicetree load
in the standard boot process.

I can't test the imx8 extension scan enabled by the
imx8mm-cl-iot-gate_defconfig as I don't have this board.
I also can't test the efi bootmeth change as I don't have such board.

Link: https://lore.kernel.org/r/20251030-feature_sysboot_extension_board-v5-0-cfb77672fc68@bootlin.com
</content>
</entry>
<entry>
<title>boot: Remove legacy extension board support</title>
<updated>2025-11-03T16:02:39Z</updated>
<author>
<name>Kory Maincent (TI.com)</name>
<email>kory.maincent@bootlin.com</email>
</author>
<published>2025-10-30T16:45:09Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=2d12958ee71b5f400ff2045aebc9730e8e219340'/>
<id>urn:sha1:2d12958ee71b5f400ff2045aebc9730e8e219340</id>
<content type='text'>
Remove the legacy extension board implementation now that all boards
have been converted to use the new UCLASS-based framework. This
eliminates lines of legacy code while preserving functionality
through the modern driver model approach.

Update the bootstd tests, due to the removal of extension hunter.

Signed-off-by: Kory Maincent (TI.com) &lt;kory.maincent@bootlin.com&gt;
</content>
</entry>
<entry>
<title>boot: Run the EFI bootmgr just before network devices</title>
<updated>2025-10-22T20:16:56Z</updated>
<author>
<name>Simon Glass</name>
<email>sjg@chromium.org</email>
</author>
<published>2025-10-15T15:44:14Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=6a56d10fdcf1309d2070b62dc15e80a047da971b'/>
<id>urn:sha1:6a56d10fdcf1309d2070b62dc15e80a047da971b</id>
<content type='text'>
At present the EFI bootmgr scans all devices in the system before
deciding which one to boot. Ideally it would use the bootstd iterator
for this, but in the meantime, give it a lower priority, so it runs
just before the network devices.

Note that if there are no hunted network devices hunted, then it will
run at the end, after all bootdevs are exhausted. In other words, it
will always run.

Signed-off-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
</feed>
