u-boot.git/tools/binman, branch v2026.04 Unnamed repository; edit this file 'description' to name the repository. mkimage: fit: align DTs in external data to 8 Bytes by default 2026-02-02T15:15:52+00:00 Marek Vasut marek.vasut+renesas@mailbox.org 2026-01-29T03:53:29+00:00 22129bf4733d78da046337440e85a9e49ca1a421 Unless specified otherwise using the mkimage -B n option, align DTs in fitImage external data to 8 Bytes, and retain alignment of everything else to 4 Bytes. This should fulfill the DTspec requirement, that DTs must be placed at 8 Byte aligned addresses, even for DTs that are part of fitImage with external data. For fitImage with embedded data, there is nothing we can do, as the embedded data are aligned to 4 Bytes, just like any other DT property. Replace fdtdec_get_child_count() counting of images with counting of padding using fdt_for_each_subnode(). This is much more useful, as the added up padding can be passed directly to calloc() when allocating the buffer which holds the external data. The image count is no longer needed. Adjust the image layouting such, that buf_ptr is incremented to place the next image at align_size aligned offset. This is done at the beginning of the loop, once the align_size for current image can be determined from the current image type. Update binman test to validate the new 8 Byte alignment. Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org> 
Unless specified otherwise using the mkimage -B n option, align
DTs in fitImage external data to 8 Bytes, and retain alignment
of everything else to 4 Bytes. This should fulfill the DTspec
requirement, that DTs must be placed at 8 Byte aligned addresses,
even for DTs that are part of fitImage with external data. For
fitImage with embedded data, there is nothing we can do, as the
embedded data are aligned to 4 Bytes, just like any other DT
property.

Replace fdtdec_get_child_count() counting of images with counting
of padding using fdt_for_each_subnode(). This is much more useful,
as the added up padding can be passed directly to calloc() when
allocating the buffer which holds the external data. The image
count is no longer needed.

Adjust the image layouting such, that buf_ptr is incremented to
place the next image at align_size aligned offset. This is done
at the beginning of the loop, once the align_size for current
image can be determined from the current image type.

Update binman test to validate the new 8 Byte alignment.

Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
binman: Regenerate expired test certificate 2026-01-27T22:20:33+00:00 Simon Glass sjg@chromium.org 2026-01-22T22:44:10+00:00 4234f4d432bf1dcd30b5fee91c71abc1acae5e75 The test certificate expired on Feb 13, 2024. This just used for testing, so regenerate it with a 100-year validity period. Suggested-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Simon Glass <simon.glass@canonical.com> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> 
The test certificate expired on Feb 13, 2024. This just used for
testing, so regenerate it with a 100-year validity period.

Suggested-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Merge tag 'u-boot-socfpga-next-20251217' of https://source.denx.de/u-boot/custodians/u-boot-socfpga into next 2025-12-18T14:06:10+00:00 Tom Rini trini@konsulko.com 2025-12-18T14:06:10+00:00 930eff5416ea98ebd09cec73f5d06a7033b4d52e This pull request brings together a set of fixes and enhancements across the SoCFPGA platform family, with a focus on MMC/SPL robustness, EFI boot enablement, and Agilex5 SD/eMMC support. CI: https://source.denx.de/u-boot/custodians/u-boot-socfpga/-/pipelines/28776 Highlights: * SPL / MMC: o Fix Kconfig handling for SYS_MMCSD_RAW_MODE_U_BOOT_USE_PARTITION_TYPE o Correct raw sector calculations and respect explicit sector values when loading U-Boot from MMC in SPL o Adjust raw MMC loading logic for SoCFPGA platforms * EFI boot: o Permit EFI booting on SoCFPGA platforms o Disable mkeficapsule tool build for Arria 10 where unsupported * Agilex5: o Upgrade SDHCI controller from SD4HC to SD6HC o Enable MMC and Cadence SDHCI support in defconfig o Add dedicated eMMC device tree and defconfig for Agilex5 SoCDK o Revert incorrect GPIO configuration for SDIO_SEL o Refine U-Boot DT handling for SD and eMMC boot variants * SPI: o Allow disabling the DesignWare SPI driver in SPL via Kconfig * Board / configuration fixes: o Enable random MAC address generation for Cyclone V o Fix DE0-Nano-SoC boot configuration o Remove obsolete or conflicting options from multiple legacy SoCFPGA defconfigs 
This pull request brings together a set of fixes and enhancements across
the SoCFPGA platform family, with a focus on MMC/SPL robustness, EFI
boot enablement, and Agilex5 SD/eMMC support.

CI: https://source.denx.de/u-boot/custodians/u-boot-socfpga/-/pipelines/28776

Highlights:

  *
    SPL / MMC:
      o
        Fix Kconfig handling for
        SYS_MMCSD_RAW_MODE_U_BOOT_USE_PARTITION_TYPE
      o
        Correct raw sector calculations and respect explicit sector values
        when loading U-Boot from MMC in SPL
      o
        Adjust raw MMC loading logic for SoCFPGA platforms
  *
    EFI boot:
      o
        Permit EFI booting on SoCFPGA platforms
      o
        Disable mkeficapsule tool build for Arria 10 where unsupported
  *
    Agilex5:
      o
        Upgrade SDHCI controller from SD4HC to SD6HC
      o
        Enable MMC and Cadence SDHCI support in defconfig
      o
        Add dedicated eMMC device tree and defconfig for Agilex5 SoCDK
      o
        Revert incorrect GPIO configuration for SDIO_SEL
      o
        Refine U-Boot DT handling for SD and eMMC boot variants
  *
    SPI:
      o
        Allow disabling the DesignWare SPI driver in SPL via Kconfig
  *
    Board / configuration fixes:
      o
        Enable random MAC address generation for Cyclone V
      o
        Fix DE0-Nano-SoC boot configuration
      o
        Remove obsolete or conflicting options from multiple legacy
        SoCFPGA defconfigs
binman: blob_dtb: improve error message when SPL is not found 2025-12-10T19:45:29+00:00 Jérémie Dautheribes jeremie.dautheribes@bootlin.com 2025-11-28T11:03:04+00:00 66be03b7ee19444b23aae3990a434a7470fc1641 When using binman with the '-a spl-dtb=y' flag, if the SPL blob is not found, binman throws a cryptic error message: binman: 'NoneType' object has no attribute 'startswith' Let's improve the error message to explicitly state which SPL blob is missing. This is particularly useful when binman is used as a standalone tool outside the U-Boot source tree. Signed-off-by: Jérémie Dautheribes <jeremie.dautheribes@bootlin.com> [trini: Add '# pragma: no cover' because coverage doesn't seem to like the documentation about this error] Signed-off-by: Tom Rini <trini@konsulko.com> 
When using binman with the '-a spl-dtb=y' flag, if the SPL blob is not
found, binman throws a cryptic error message:
binman: 'NoneType' object has no attribute 'startswith'

Let's improve the error message to explicitly state which SPL blob is
missing.
This is particularly useful when binman is used as a standalone tool
outside the U-Boot source tree.

Signed-off-by: Jérémie Dautheribes <jeremie.dautheribes@bootlin.com>
[trini: Add '# pragma: no cover' because coverage doesn't seem to like
the documentation about this error]
Signed-off-by: Tom Rini <trini@konsulko.com>
tools: use setuptools 78.1.1 2025-12-10T15:28:43+00:00 Heinrich Schuchardt heinrich.schuchardt@canonical.com 2025-12-09T22:32:38+00:00 ff80e95fed188ec3d4001129445e414c9c811beb CVE-2025-47273 describes a path traversal vulnerability. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Reviewed-by: Tom Rini <trini@konsulko.com> 
CVE-2025-47273 describes a path traversal vulnerability.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Merge tag 'v2026.01-rc4' into next 2025-12-08T19:17:27+00:00 Tom Rini trini@konsulko.com 2025-12-08T19:17:27+00:00 59202e5ae76ef3acb34c4236e43248f1cd3fc642 Prepare v2026.01-rc4 
Prepare v2026.01-rc4
tools: binman: fit: add tests for signing with an OpenSSL engine 2025-12-06T17:43:08+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-11-21T17:15:00+00:00 564c6682fa9689e408e6b795cc8c8c40e5e60e81 This adds a test that signs a FIT and verifies the signature with fit_check_sign. OpenSSL engines are typically for signing with external HW so it's not that straight-forward to simulate. For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA 4096 private key is made available. It can be selected by setting the OpenSSL engine argument to dummy-rsa-engine. This can only be done if the engine is detected by OpenSSL, which works by setting the OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine is properly implementing what is expected from an RSA engine, but it seems to be enough for testing. For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11 without specific hardware. The keypairs and tokens are generated on the fly. The "prod" token is generated with a different PIN (1234 instead of 1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it. Binman will not mess with the local SoftHSMv2 setup as it will only use tokens from a per-test temporary directory enforced via the temporary configuration file set via SOFTHSM2_CONF env variable in the tests. The files created in the input dir should NOT be named the same as it is shared between all tests in the same process (which is all tests when running binman with -P 1 or with -T). Once signed, it's checked with fit_check_sign with the associated certificate. Finally, a new softhsm2_util bintool is added so that we can initialize the token and import keypairs. On Debian, the package also brings libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It is not the only package required though, as it also needs p11-kit and libengine-pkcs11-openssl (the latter bringing the former). We can detect if it's properly installed by running openssl engine dynamic -c pkcs11. If that fails, we simply skip the test. The package is installed in the CI container by default. Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
This adds a test that signs a FIT and verifies the signature with
fit_check_sign.

OpenSSL engines are typically for signing with external HW so it's not
that straight-forward to simulate.

For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA
4096 private key is made available. It can be selected by setting the
OpenSSL engine argument to dummy-rsa-engine. This can only be done if
the engine is detected by OpenSSL, which works by setting the
OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine
is properly implementing what is expected from an RSA engine, but it
seems to be enough for testing.

For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11
without specific hardware. The keypairs and tokens are generated on the
fly. The "prod" token is generated with a different PIN (1234 instead of
1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it.

Binman will not mess with the local SoftHSMv2 setup as it will only use
tokens from a per-test temporary directory enforced via the temporary
configuration file set via SOFTHSM2_CONF env variable in the tests. The
files created in the input dir should NOT be named the same as it is
shared between all tests in the same process (which is all tests when
running binman with -P 1 or with -T).

Once signed, it's checked with fit_check_sign with the associated
certificate.

Finally, a new softhsm2_util bintool is added so that we can initialize
the token and import keypairs. On Debian, the package also brings
libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It
is not the only package required though, as it also needs p11-kit and
libengine-pkcs11-openssl (the latter bringing the former). We can detect
if it's properly installed by running openssl engine dynamic -c pkcs11.
If that fails, we simply skip the test.
The package is installed in the CI container by default.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
tools: binman: fit: add support for OpenSSL engines 2025-12-06T17:43:08+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-11-21T17:14:59+00:00 fc75d216f0162d4a85b60fefa9938b8690480e27 This adds support for using an OpenSSL engine for signing a FIT image. To use it, one should set the fit,engine property at the FIT node level with the engine to use. This will in turn call mkimage with the -N option. The -k argument to mkimage can be specified via fit,engine-keydir. If not specified, -k is not passed to mkimage. This property is especially useful for pkcs11 engine to specify slots, token label, etc... As far as I could tell, mkimage encrypts and signs a FIT in one go, thus the -k argument applies to both signing and encrypting. Considering we reuse the -k argument for two different meanings (info to pass to the engine when using an engine otherwise the directory where keys are stored), we cannot reasonably encrypt using local keys and signing with an engine, hence the enforced check. I believe it should be possible to support encrypting and signing with the same engine (using different key pairs of course, via different key-name-hint likely), but this is left for the next person to implement. This is why the property is named fit,engine and not fit,sign-engine. Ditto for fit,engine-keydir. The public key (with .crt extension) is still required if it needs to be embedded in the SPL DTB for example. We could probably support retrieving the public key from an engine, but this is a change to make to fdt_add_pubkey.c. Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
This adds support for using an OpenSSL engine for signing a FIT image.
To use it, one should set the fit,engine property at the FIT node level
with the engine to use. This will in turn call mkimage with the -N
option.

The -k argument to mkimage can be specified via fit,engine-keydir. If
not specified, -k is not passed to mkimage. This property is especially
useful for pkcs11 engine to specify slots, token label, etc...

As far as I could tell, mkimage encrypts and signs a FIT in one go, thus
the -k argument applies to both signing and encrypting. Considering we
reuse the -k argument for two different meanings (info to pass to the
engine when using an engine otherwise the directory where keys are
stored), we cannot reasonably encrypt using local keys and signing with
an engine, hence the enforced check. I believe it should be possible to
support encrypting and signing with the same engine (using different
key pairs of course, via different key-name-hint likely), but this is
left for the next person to implement.
This is why the property is named fit,engine and not fit,sign-engine.
Ditto for fit,engine-keydir.

The public key (with .crt extension) is still required if it needs to be
embedded in the SPL DTB for example. We could probably support
retrieving the public key from an engine, but this is a change to make
to fdt_add_pubkey.c.

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
tools: binman: mkimage: add support for passing the engine 2025-12-06T17:43:08+00:00 Quentin Schulz quentin.schulz@cherry.de 2025-11-21T17:14:58+00:00 9f9de386c1e54e6b009e5510ff335ab339a89a62 mkimage has support for OpenSSL engines but binman currently doesn't for direct callers of mkimage (e.g. the fit etype). This prepares for adding support for OpenSSL engines for signing elements of a FIT image, which will done in the next commit. Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com> Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> 
mkimage has support for OpenSSL engines but binman currently doesn't for
direct callers of mkimage (e.g. the fit etype). This prepares for adding
support for OpenSSL engines for signing elements of a FIT image, which
will done in the next commit.

Reviewed-by: Wolfgang Wallner <wolfgang.wallner@br-automation.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
binman: fallback to importlib_resources on Python 3.8 2025-12-04T19:45:10+00:00 Chukun Pan amadeus@jmu.edu.cn 2025-12-02T10:00:00+00:00 02aa1a56a7cfcb858973ef8965e54cf539060fd9 Python 3.7 and 3.8 lack the files attribute in importlib.resources. Use importlib_resources to fix build errors with Python 3.8: binman: module 'importlib.resources' has no attribute 'files' Fixes: 538719cb6a77 ("binman: migrate from pkg_resources to importlib") Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn> Acked-by: Quentin Schulz <quentin.schulz@cherry.de> [trini: Re-add # pragma: no cover line] Signed-off-by: Tom Rini <trini@konsulko.com> 
Python 3.7 and 3.8 lack the files attribute in importlib.resources.
Use importlib_resources to fix build errors with Python 3.8:
binman: module 'importlib.resources' has no attribute 'files'

Fixes: 538719cb6a77 ("binman: migrate from pkg_resources to importlib")
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Acked-by: Quentin Schulz <quentin.schulz@cherry.de>
[trini: Re-add # pragma: no cover line]
Signed-off-by: Tom Rini <trini@konsulko.com>