<feed xmlns='http://www.w3.org/2005/Atom'>
<title>u-boot.git/test/py/tests, branch next</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<id>http://cgit.235523.xyz/u-boot.git/atom/test/py/tests?h=next</id>
<link rel='self' href='http://cgit.235523.xyz/u-boot.git/atom/test/py/tests?h=next'/>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/'/>
<updated>2026-06-17T15:54:27Z</updated>
<entry>
<title>Merge patch series "bootm: bound noload kernel decompression to the allocated buffer"</title>
<updated>2026-06-17T15:54:27Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-06-17T15:54:27Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a57f2a31a7cd875dd96291394fb7c8c574b70a65'/>
<id>urn:sha1:a57f2a31a7cd875dd96291394fb7c8c574b70a65</id>
<content type='text'>
Aristo Chen &lt;aristo.chen@canonical.com&gt; says:

For a compressed kernel_noload image, bootm_load_os() allocates a
decompression buffer of ALIGN(image_len * 4, SZ_1M) and then passes
CONFIG_SYS_BOOTM_LEN (typically 128 MiB on arm64) to image_decomp() as
the output limit. The decompressors honour whatever limit they are
given, so a kernel that decompresses to more than four times its
compressed size runs past the end of the allocated buffer and silently
corrupts adjacent memory.

A 4x compression ratio is at the edge of what modern compressors
(zstd, xz) achieve on real kernels, and is trivially exceeded by
crafted, highly compressible payloads, so this is reachable both
accidentally and intentionally. The overflow can land on already-loaded
boot artefacts (FDT, ramdisk, loadables), U-Boot's own data, or
memory-mapped device registers; the existing post-decompression overlap
check in bootm_load_os() only catches overlap with the FIT itself.

Patch 1 plumbs the actual allocation size through to image_decomp() and
handle_decomp_error() via a single decomp_len variable, so
decompression stops at the buffer boundary and fails cleanly when the
image is too large. The non-noload code path is unchanged and continues
to use CONFIG_SYS_BOOTM_LEN. A clarifying note is printed when the
failure is gated by the per-image buffer, so the generic
"increase CONFIG_SYS_BOOTM_LEN" advice does not mislead.

Patch 2 raises the noload-decompression headroom from 4x to 8x. The 4x
factor is at the edge of what zstd and xz achieve on real kernels, so
well-compressed vendor kernels can fail to boot at runtime once the
bound is enforced. 8x covers them comfortably while remaining bounded.

Patch 3 adds two sandbox py-tests against the per-image buffer at the
final 8x value: one that exceeds the buffer and must be rejected, and
one that matches the buffer exactly and must succeed (guarding the
boundary).

Tested on sandbox: both new tests pass; the existing
test_fit_compressed_images_load (which covers the load-address path)
and the other tests in test/py/tests/test_fit.py continue to pass.

Link: https://lore.kernel.org/r/20260605154255.833334-1-aristo.chen@canonical.com
</content>
</entry>
<entry>
<title>test/py: test kernel_noload decompression buffer overflow</title>
<updated>2026-06-17T15:53:20Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-06-05T15:42:51Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a7ea33e3a35860326aeb5792f337bd9082d40ecf'/>
<id>urn:sha1:a7ea33e3a35860326aeb5792f337bd9082d40ecf</id>
<content type='text'>
Add sandbox tests that exercise the per-image decompression buffer that
bootm_load_os() allocates for a compressed kernel_noload image
(ALIGN(image_len * 8, SZ_1M)).

The overflow test builds a FIT whose decompressed size far exceeds the
per-image buffer and asserts that 'bootm loados' rejects it with a
decompression error rather than overflowing.

The boundary test builds a FIT whose decompressed size equals the
per-image buffer exactly and asserts that 'bootm loados' succeeds,
guarding against an off-by-one rejection at the buffer limit.

Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
<entry>
<title>Merge patch series "various memory related fixups"</title>
<updated>2026-06-15T17:04:48Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-06-15T17:04:48Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=a0a1e9f2f1dffed04ee52723ce957c07bb905c25'/>
<id>urn:sha1:a0a1e9f2f1dffed04ee52723ce957c07bb905c25</id>
<content type='text'>
rs@ti.com &lt;rs@ti.com&gt; says:

From: Randolph Sapp &lt;rs@ti.com&gt;

Nitpicks and fixes from the discovery thread on adding PocketBeagle2 support
[1]. This does a lot of general setup required for the device, but these
modifications themselves aren't device specific. For those specifically
interested in PocketBeagle2 support and don't care about these details, my
development branch is public [2].

That first patch may provoke some opinions, but honestly if that warning was
still present I wouldn't have spent a week poking holes in both the EFI and LMB
allocations systems. Please let me know if there is a specific usecase that it
breaks though.

[1] https://lore.kernel.org/all/DHHC66BBMD27.YHGIH43C6XBK@ti.com/
[2] https://github.com/StaticRocket/u-boot/tree/feature/pocketbeagle2

Link: https://lore.kernel.org/r/20260604155038.3182-1-rs@ti.com
</content>
</entry>
<entry>
<title>test: boot: add a fdt reserved region check</title>
<updated>2026-06-15T17:04:39Z</updated>
<author>
<name>Randolph Sapp</name>
<email>rs@ti.com</email>
</author>
<published>2026-06-04T15:50:37Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=de12fa4df89277460aacaea7c9a43421190ee04d'/>
<id>urn:sha1:de12fa4df89277460aacaea7c9a43421190ee04d</id>
<content type='text'>
Add a image_fdt suite and a check for boot_fdt_add_mem_rsv_regions. This
will ensure the user is properly informed of any reservation failures.
It will also validate that reservations are cleaned up correctly when
switching FDTs.

Signed-off-by: Randolph Sapp &lt;rs@ti.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
Acked-by: Ilias Apalodimas &lt;ilias.apalodimas@linaro.org&gt;
</content>
</entry>
<entry>
<title>test_ut: add a ut_ubman fixture to clean up tests</title>
<updated>2026-06-15T17:04:39Z</updated>
<author>
<name>Randolph Sapp</name>
<email>rs@ti.com</email>
</author>
<published>2026-06-04T15:50:36Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=5a17d02223b942f97bd3df9d6acb835fded4ad28'/>
<id>urn:sha1:5a17d02223b942f97bd3df9d6acb835fded4ad28</id>
<content type='text'>
Add a ut_ubman fixture to clean up after certain problematic tests
without negatively affecting the current assert based testing.

Currently this catches "bootstd bootflow_cmd_boot" and "bootstd
bootflow_scan_boot" ut_subtests, as these will change the sandbox state
a little too much to be recoverable from.

Signed-off-by: Randolph Sapp &lt;rs@ti.com&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>image-fit: Validate external data offset and size</title>
<updated>2026-06-12T21:38:27Z</updated>
<author>
<name>Anton Ivanov</name>
<email>anton@binarly.io</email>
</author>
<published>2026-06-04T10:39:50Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=69f6272b24a26c17a5b6de3b041218ec57239943'/>
<id>urn:sha1:69f6272b24a26c17a5b6de3b041218ec57239943</id>
<content type='text'>
fit_image_get_data() uses the data-position, data-offset, and
data-size FIT properties without bounds checking. A crafted FIT
image can specify values that cause out-of-bounds read during
signature verification of an untrusted FIT.

Validate that the external data offset and size are non-negative,
and that the data region fits within the FIT image bounds.

Signed-off-by: Anton Ivanov &lt;anton@binarly.io&gt;
Reviewed-by: Simon Glass &lt;sjg@chromium.org&gt;
</content>
</entry>
<entry>
<title>image-fit-sig: Validate hashed-strings region size</title>
<updated>2026-06-12T21:35:54Z</updated>
<author>
<name>Anton Ivanov</name>
<email>anton@binarly.io</email>
</author>
<published>2026-06-02T18:29:25Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=e73328612534e81b41d0363fad9a7b4385cd3d39'/>
<id>urn:sha1:e73328612534e81b41d0363fad9a7b4385cd3d39</id>
<content type='text'>
fit_config_check_sig() reads the hashed-strings property and uses
its size value without validation when building the region list for
signature verification. A crafted FIT image can specify an arbitrary
size, causing the hash calculation to read beyond the end of the FIT
image. The property length is also not checked, so a truncated
hashed-strings property causes strings[1] to be read past the end of
the property. This may result in the out-of-bounds read during signature
verification of an untrusted FIT.

Validate both the property length and that the declared strings region
fits within bounds before adding it to the region list.

Signed-off-by: Anton Ivanov &lt;anton@binarly.io&gt;
</content>
</entry>
<entry>
<title>Merge patch series "tools: mkimage: fix get_basename crash on paths with dotted directories"</title>
<updated>2026-06-11T18:00:55Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-06-11T18:00:55Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=c6fe911d58eaeda7ca84732f570c9a13a90c83d7'/>
<id>urn:sha1:c6fe911d58eaeda7ca84732f570c9a13a90c83d7</id>
<content type='text'>
Aristo Chen &lt;aristo.chen@canonical.com&gt; says:

The get_basename() helper in tools/fit_image.c searches the entire input
path independently for the last '/' and the last '.'. When the last '.'
falls at an offset earlier than the last '/', for example "./mydt",
"a.b/c" or "sub.d/leaf", 'end' points before 'start' and the computed
length is negative. The size check uses signed comparison so the negative
value flows unchanged into memcpy() (cast to size_t there) and mkimage
segfaults during -f auto FIT generation. The helper is reached on every
auto-FIT build via the -b, --fit-tee and --fit-tfa-bl31 file arguments.

The first patch restricts the dot search to the substring that follows
the last slash, which is the minimal fix and preserves the existing
behaviour for typical inputs such as "arch/arm/dts/foo.dtb".

The second patch adds a parametrized sandbox test under
test/py/tests/test_fit_mkimage_validate.py that drives mkimage -f auto
with each of the crashing inputs ("./mydt", "./sub.d/leaf", "./a.b/c")
plus one control input ("./mydt.dtb"). The test reads the resulting
/images/fdt-1 description back from the produced FIT via fdtget to verify
get_basename()'s output matches the expected stripped basename.

Reproducer that previously segfaulted and now produces a valid image:

  echo dummy &gt; kernel.bin
  echo dummy &gt; ./mydt
  ./tools/mkimage -f auto -A arm -O linux -T kernel -C none \
                  -a 0x80000000 -e 0x80000000 -n test \
                  -d kernel.bin -b ./mydt out.itb

Verified by rebuilding tools/mkimage on master and running the command
above with each of the four parametrized inputs. The three crash triggers
all segfault before the fix and now produce the expected fdt-1
descriptions ("mydt", "leaf", "c"); the control input "./mydt.dtb"
continues to produce "mydt" as before.

Link: https://lore.kernel.org/r/20260526070336.23199-1-aristo.chen@canonical.com
</content>
</entry>
<entry>
<title>test/py: cover get_basename crash on paths with dotted directories</title>
<updated>2026-06-11T18:00:46Z</updated>
<author>
<name>Aristo Chen</name>
<email>aristo.chen@canonical.com</email>
</author>
<published>2026-05-26T07:03:33Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=4a4452a03916d8687442b1d0af5098be986e439e'/>
<id>urn:sha1:4a4452a03916d8687442b1d0af5098be986e439e</id>
<content type='text'>
Add a parametrized regression test for the fix in the previous commit.
The test invokes mkimage in auto-FIT mode (-f auto) with a -b argument
whose directory component contains a '.' and whose leaf either lacks an
extension or is a plain identifier. Before the fix these inputs caused
get_basename() to compute a negative length and segfault inside memcpy.
The test asserts that mkimage exits successfully and that the fdt
sub-image description matches the expected stripped basename, covering
"./mydt", "./sub.d/leaf", and "./a.b/c". A control input of "./mydt.dtb"
is also exercised to confirm normal extension stripping still works.

Signed-off-by: Aristo Chen &lt;aristo.chen@canonical.com&gt;
</content>
</entry>
<entry>
<title>Merge patch series "allow control DTB to double as "FIT image""</title>
<updated>2026-06-11T13:56:52Z</updated>
<author>
<name>Tom Rini</name>
<email>trini@konsulko.com</email>
</author>
<published>2026-06-11T13:56:52Z</published>
<link rel='alternate' type='text/html' href='http://cgit.235523.xyz/u-boot.git/commit/?id=69491eb60a86e68fac304a7f1f9ff9fcd05f0d39'/>
<id>urn:sha1:69491eb60a86e68fac304a7f1f9ff9fcd05f0d39</id>
<content type='text'>
Rasmus Villemoes &lt;rv@rasmusvillemoes.dk&gt; says:

The commit message for patch 1 explains what it is I'd like to be able
to do, but here's some more background:

For a long time, we've embedded the boot script in the U-Boot binary
by building a bootscript.itb, and using a .dtsi like

  / {
          config {
                 bootscript = /incbin/("/path/to/bootscript.itb");
          };
  };

which in turn is mentioned in CONFIG_DEVICE_TREE_INCLUDES, that
bootscript.itb FIT image has been embedded in U-Boot's control
dtb. Running that was then a matter of doing

  fdt addr ${fdtcontroladdr} &amp;&amp; fdt get addr bsaddr /config bootscript &amp;&amp; source ${bsaddr}

There are a couple of advantage of having the bootscript (and other
script logic) embedded in the U-Boot binary. First, there's no need to
figure out some separate partition to store the script in, and making
sure that gets updated whenever the bootloader itself does. Second,
one doesn't need to worry about verifying the script; whatever steps
one needs to take to implement secure boot for U-Boot itself will by
necessity also cover the control dtb (if nothing else then because
that's where the public key for the kernel verification lives). And
third, the boot script is automatically updated together with U-Boot
itself; and if U-Boot is stored in an eMMC boot partition, that update
is guaranteed to be atomic.

Now with the stricter requirements of libfdt starting from v2026.04,
the above command no longer worked, or only half the time, because the
embedded FIT image may not land on an 8-byte aligned address. So that
line had to be changed a little (line breaks added)

  fdt addr ${fdtcontroladdr}
    &amp;&amp; fdt get addr bsaddr /config bootscript
    &amp;&amp; fdt get size bssize /config bootscript
    &amp;&amp; cp.b ${bsaddr} ${loadaddr} ${bssize}
    &amp;&amp; source ${loadaddr}

which is getting quite unwieldy.

Then it struck me that one could perhaps simplify all of this quite a
lot: Cut out the intermediate bootscript.itb, just create a .dtsi
which directly puts a /images node inside the control dtb

/ {
  	images {
		default = "bootscript";
		bootscript {
			description = "Boot script";
			data = /incbin/("/path/to/bootscript.sh");
			type = "script";
			compression = "none";
		};
	};
};

and treat the control dtb itself as a FIT image; so the command to put
in $bootcmd becomes simply

  source ${fdtcontroladdr}:bootscript

and embedding other pieces of callable scripts is quite trivial.

And that almost works out-of-the-box, except for the fit_check_format() sanity check.

Introduce a CONFIG_ knob that allows one to opt out of those sanity
checks, for the special case of the address being checked being
identical to gd-&gt;fdt_blob.

Link: https://lore.kernel.org/r/20260602213013.558064-1-rv@rasmusvillemoes.dk
</content>
</entry>
</feed>
