u-boot.git/tools, branch next Unnamed repository; edit this file 'description' to name the repository. tools: mkfwumdata: Remove dependency on fwu_mdata.h header 2026-03-26T06:20:00+00:00 Kory Maincent kory.maincent@bootlin.com 2026-02-23T13:18:40+00:00 44a1e17b2a49d724538b4d500b27b0eda4be015c The dependency on fwu_mdata.h creates unnecessary configuration requirements. To generate metadata V1, CONFIG_FWU_MDATA_V1 must be enabled, which in turn requires enabling FWU_MULTI_BANK_UPDATE, EFI_CAPSULE_ON_DISK, PARTITION_TYPE_GUID, and other unrelated configs. This is not suitable for a simple standalone tool. Additionally, even with the "-v 1" option to generate V1 metadata, the tool will still include the firmware store description if CONFIG_FWU_MDATA_V1 is not enabled. This structure should only be present in metadata V2. Replace the fwu_mdata.h dependency with the new fwumdata header to make the tool compatible with both V1 and V2 without requiring any defconfig changes. This also uses the access helper functions from the header to eliminate code duplication. Acked-by: Sughosh Ganu <sughosh.ganu@arm.com> Tested-by: Sughosh Ganu <sughosh.ganu@arm.com> Signed-off-by: Kory Maincent <kory.maincent@bootlin.com> Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The dependency on fwu_mdata.h creates unnecessary configuration
requirements. To generate metadata V1, CONFIG_FWU_MDATA_V1 must be
enabled, which in turn requires enabling FWU_MULTI_BANK_UPDATE,
EFI_CAPSULE_ON_DISK, PARTITION_TYPE_GUID, and other unrelated configs.
This is not suitable for a simple standalone tool.

Additionally, even with the "-v 1" option to generate V1 metadata, the
tool will still include the firmware store description if
CONFIG_FWU_MDATA_V1 is not enabled. This structure should only be
present in metadata V2.

Replace the fwu_mdata.h dependency with the new fwumdata header to make
the tool compatible with both V1 and V2 without requiring any defconfig
changes. This also uses the access helper functions from the header to
eliminate code duplication.

Acked-by: Sughosh Ganu <sughosh.ganu@arm.com>
Tested-by: Sughosh Ganu <sughosh.ganu@arm.com>
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tools: Add support for fwumdata tool 2026-03-26T06:20:00+00:00 Kory Maincent kory.maincent@bootlin.com 2026-02-23T13:18:39+00:00 02673659e81391729792ebc1b816d974de3c9abf Add a new fwumdata tool to allows users to read, display, and modify FWU (Firmware Update) metadata from Linux userspace. It provides functionality similar to fw_printenv/fw_setenv but for FWU metadata. Users can view metadata, change active/previous bank indices, modify bank states, and set image acceptance flags. Configuration is done via fwumdata.config file. Signed-off-by: Kory Maincent <kory.maincent@bootlin.com> Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Add a new fwumdata tool to allows users to read, display, and modify FWU
(Firmware Update) metadata from Linux userspace. It provides functionality
similar to fw_printenv/fw_setenv but for FWU metadata. Users can view
metadata, change active/previous bank indices, modify bank states, and set
image acceptance flags. Configuration is done via fwumdata.config file.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tools: mkfwumdata: Add bank count validation for FWU metadata v2 2026-03-26T06:20:00+00:00 Kory Maincent kory.maincent@bootlin.com 2026-02-23T13:18:38+00:00 e3757929646f102070232efd86d3a308b0f54ec3 The FWU metadata specification version 2 supports a maximum of 4 banks. Add validation to enforce this limit and prevent creation of non-compliant metadata structures when using version 2. Without this check, users could inadvertently create invalid metadata by specifying more than 4 banks, leading to potential compatibility issues with FWU-compliant firmware update implementations. Signed-off-by: Kory Maincent <kory.maincent@bootlin.com> Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
The FWU metadata specification version 2 supports a maximum of 4 banks.
Add validation to enforce this limit and prevent creation of non-compliant
metadata structures when using version 2.

Without this check, users could inadvertently create invalid metadata by
specifying more than 4 banks, leading to potential compatibility issues
with FWU-compliant firmware update implementations.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tools: mkfwumdata: Improve error message specificity 2026-03-26T06:20:00+00:00 Kory Maincent kory.maincent@bootlin.com 2026-02-23T13:18:37+00:00 bcae1381f88f2122658b3aaacb04b4ea2a873a36 Replace the generic error message with a more informative one. This helps users quickly understand the correct command-line argument format when the tool reports an error. Signed-off-by: Kory Maincent <kory.maincent@bootlin.com> Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Replace the generic error message with a more informative one.
This helps users quickly understand the correct command-line argument
format when the tool reports an error.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tools: Reorganize mkfwumdata tool into fwumdata_src directory 2026-03-26T06:20:00+00:00 Kory Maincent kory.maincent@bootlin.com 2026-02-23T13:18:36+00:00 876fc8df120bfdc40648e904662a7c6fbf1e543e Update FWU metadata-related tools by moving mkfwumdata.c into a new tools/fwumdata_src/ directory structure. This refactoring prepares for the addition of the fwumdata runtime tool, which will allow editing FWU metadata directly from the target. The Kconfig and Makefile entries are also moved into separate files within the new directory (Kconfig and fwumdata.mk respectively) to keep all FWU metadata tool configurations together and improve maintainability. Signed-off-by: Kory Maincent <kory.maincent@bootlin.com> Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Update FWU metadata-related tools by moving mkfwumdata.c into a new
tools/fwumdata_src/ directory structure. This refactoring prepares for the
addition of the fwumdata runtime tool, which will allow editing FWU
metadata directly from the target.

The Kconfig and Makefile entries are also moved into separate files within
the new directory (Kconfig and fwumdata.mk respectively) to keep all FWU
metadata tool configurations together and improve maintainability.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
tools: gitignore: Add mkfwumdata to the git ignore file 2026-03-26T06:20:00+00:00 Kory Maincent kory.maincent@bootlin.com 2026-02-23T13:18:35+00:00 1c821b592f14d3ec5704829de112da952388a654 mkfwumdata is a built image. Add it to .gitignore. Signed-off-by: Kory Maincent <kory.maincent@bootlin.com> Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
mkfwumdata is a built image. Add it to .gitignore.

Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Tested-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
test: binman: Add test for pkcs11 signed capsule 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:16+00:00 e73443167be055c646dfd7d5a79bc30ac33e31d5 Test pkcs11 URI support for UEFI capsule generation. Both public certificate and private key are used over pkcs11 protocol. Pkcs11-tool has been introduced as softhsm tool doesn't have functionality to import certificates in commonly distributed version (only in the latest). Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Simon Glass <simon.glass@canonical.com> 
Test pkcs11 URI support for UEFI capsule generation. Both
public certificate and private key are used over pkcs11
protocol.
Pkcs11-tool has been introduced as softhsm tool doesn't have
functionality to import certificates in commonly distributed
version (only in the latest).

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
binman: DTS: Add dump-signature option for capsules 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:15+00:00 e2c46d33cfbb92f493b520524a099fdf9af0a056 Mkeficapsule can dump signature for signed capsules. It can be used in test to validate signature i.e. with openssl. Add an entry for device tree node. Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Simon Glass <simon.glass@canonical.com> 
Mkeficapsule can dump signature for signed capsules. It can
be used in test to validate signature i.e. with openssl.
Add an entry for device tree node.

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
binman: Add dump signature option to mkeficapsule 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:14+00:00 a251d46e68470706d0585711943e8d36cd432675 It will be used to capsule signature verification. Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Simon Glass <simon.glass@canonical.com> 
It will be used to capsule signature verification.

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
tools: mkeficapsule: Fix dump signature long option 2026-03-18T12:14:17+00:00 Wojciech Dubowik Wojciech.Dubowik@mt.com 2026-02-20T09:15:13+00:00 84432436bf564adc5f48ea81672ee8d5b374cb3d Only short option has been present. Also rename dump_sig to dump-sig to match with other parameter names. Fixes: 16abff246b40 ("tools: mkeficapsule: add firmware image signing") Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> 
Only short option has been present. Also rename dump_sig
to dump-sig to match with other parameter names.

Fixes: 16abff246b40 ("tools: mkeficapsule: add firmware image signing")

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>