| Age | Commit message (Collapse) | Author |
|---|
|
The functions use 'ulong', however, the comments said 'uint32_t'.
Update the comments to match the prototype.
Signed-off-by: Kunihiko Hayashi <[email protected]>
Reviewed-by: Quentin Schulz <[email protected]>
|
|
boot_get_fdt_fit_into_buffer() calls fdt_open_into() for both the
base FDT and overlay DTO blobs loaded from a FIT image.
Those blobs come from FIT payload data. In the overlay path,
fit_image_load() is called with FIT_LOAD_IGNORED, so the IH_TYPE_FLATDT
header check in fit_image_load() is skipped. This leaves fdt_open_into()
to consume header-derived offsets/sizes from unvalidated input.
Validate the full blob against the payload length first with
fdt_check_full(fdtsrcbuf, srclen), then proceed with fdt_totalsize() and
fdt_open_into(). This fixes Coverity CID 644638 (TAINTED_SCALAR).
Fixes: 5ebf0c55a23 ("image: fit: Apply overlays using aligned writable FDT copies")
Link: https://lore.kernel.org/all/20260223195109.GG3233182@bill-the-cat/
Signed-off-by: James Hilliard <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
libfdt expects FDT/DTO blobs to be 8-byte aligned. When loading the
base FDT or overlays from a FIT, the mapped buffer may be unaligned,
which can break fdt_open_into() on strict-alignment architectures.
boot_get_fdt_fit() relocates the base FDT with boot_relocate_fdt()
before applying overlays. That uses the bootm memory map and can
overlap with the FIT buffer when the FIT is loaded into RAM,
corrupting data needed to load the kernel and ramdisk.
Allocate writable, 8-byte aligned copies of the base FDT and overlays
with memalign() and fdt_open_into(). Grow the base buffer as needed,
apply overlays to it and pack the final tree. Free each temporary
overlay copy after application and check fdt_pack() errors.
Fixes: 8fbcc0e0e839 ("boot: Assure FDT is always 8-byte aligned")
Fixes: 881f0b77dc8c ("image: apply FDTOs on FDT image node")
Signed-off-by: James Hilliard <[email protected]>
Cc: Jamie Gibbons <[email protected]>
Reviewed-by: Marek Vasut <[email protected]>
|
|
Print the actual error code in a couple of places in boot_get_fdt_fit().
These are FDT error codes, not errno, so printing the string is more
helpful than printing the numeric value.
The only caller of boot_get_fdt_fit() unconditionally replaces the
returned error code (fdt_noffset) with ENOENT so the actual error would
otherwise be lost.
Signed-off-by: David Lechner <[email protected]>
|
|
Show name of configuration node which was not found.
current state gives no hint if fit image is wrong or the requested name.
Could not find configuration node
load of <NULL> failed
After this patch we see name like this:
Could not find configuration node '#ov-test'
load of <NULL> failed
Signed-off-by: Frank Wunderlich <[email protected]>
Reviewed-by: Quentin Schulz <[email protected]>
|
|
constants"
Quentin Schulz <[email protected]> says:
This does a bit of "cleanup" by reusing constants for some FIT
properties instead of having the same string in multiple places.
Additionally, this adds a new constant for the compatible property in
FIT configuration nodes[1] which is useful for FIT images with multiple
FIT configuration nodes to support multiple devices in the same blob.
U-Boot will try to figure out which node to select based on that
compatible[2].
However, if this property is missing (and the first blob in the fdt
property of the configuration node is uncompressed), the compatible from
the root node of the associated kernel FDT will be used for the
autoselection mechanism. For now, I only print the property if it
exists, but maybe it'd make sense to expose the fallback one if it's
missing. I guess we can implement that later on if desired.
[1] https://fitspec.osfw.foundation/#optional-properties compatible paragraph
[2] https://fitspec.osfw.foundation/#select-a-configuration-to-boot
Link: https://lore.kernel.org/r/[email protected]
|
|
Fit conf node may have a compatible property[1] which stores the
compatible of the first blob in the fdt property of the node. This can
be used to automatically select the proper conf node based on the
compatible from the running U-Boot (matching the former's compatible
with the latter)[2].
This brings the ability to mkimage/dumpimage to print the compatibles of
the configuration node(s). U-Boot CLI commands such as iminfo also see
this addition to their output.
[1] https://fitspec.osfw.foundation/#optional-properties compatible paragraph
[2] https://fitspec.osfw.foundation/#select-a-configuration-to-boot
Signed-off-by: Quentin Schulz <[email protected]>
|
|
Fit conf node may have a compatible property[1] which stores the root
compatible of the first blob in the fdt property of the node. This can
be used to automatically select the proper conf node based on the
compatible from the running U-Boot (matching the former's compatible
with the latter)[2].
This adds (and uses) this constant for FIT node parsing.
Note that this property may also appear in fpga image nodes[3] but that
isn't done in this commit.
[1] https://fitspec.osfw.foundation/#optional-properties compatible paragraph
[2] https://fitspec.osfw.foundation/#select-a-configuration-to-boot
[3] https://fitspec.osfw.foundation/#images-node 2.3.2 Conditionally mandatory property
Signed-off-by: Quentin Schulz <[email protected]>
|
|
Some properties have their string represented in include/image.h via
constants, so let's use those constants instead of using a hardcoded
string.
Signed-off-by: Quentin Schulz <[email protected]>
|
|
If noffset is negative, do not pass it to fit_get_name() and then further to
libfdt, this will crash sandbox with SIGSEGV because libfdt can not handle
negative node offsets without full tree check, which U-Boot inhibits to keep
size lower.
Instead, always check noffset before use, and if the return value indicates
failure, exit right away.
Signed-off-by: Marek Vasut <[email protected]>
Acked-by: Heinrich Schuchardt <[email protected]>
|
|
With the changes in commit 8fbcc0e0e839 ("boot: Assure FDT is always at
8-byte aligned address") to call memalign(...) we now always call
memalign(...) rather than malloc(...) when allocating a buffer that may
contain a device tree. However, memalign(...) is not portable among all
of the host OSes we support. The C11 standard does require that
aligned_alloc(...) exist and it takes the same parameters as
memalign(...) does. Change this file to call aligned_alloc rather than
memalign, and for the non-USE_HOSTCC case define that function back to
memalign.
Fixes: 8fbcc0e0e839 ("boot: Assure FDT is always at 8-byte aligned address")
Suggested-by: Heinrich Schuchardt <[email protected]>
Signed-off-by: Tom Rini <[email protected]>
|
|
The fitImage may contain FDT at 4-byte aligned address, because alignment
of DT tags is 4 bytes. However, libfdt and also Linux expects DT to be at
8-byte aligned address. Make sure that the DTs embedded in fitImages are
always used from 8-byte aligned addresses. In case the DT is decompressed,
make sure the target buffer is 8-byte aligned. In case the DT is only
loaded, make sure the target buffer is 8-byte aligned too.
Signed-off-by: Marek Vasut <[email protected]>
|
|
Fix a typo in image-fit.c.
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Wolfgang Wallner <[email protected]>
|
|
Add support for starting TFA from U-Boot running in EL3 as part of
fitImage boot, so the user can start U-Boot in the highest privilege
level on the platform, bundle TFA, Linux, DT into a single fitImage
and boot such a bundle as a whole.
There are two main benefits of this approach. First is the ability
to run U-Boot in EL3, where it has unrestricted access to the entire
system and can act as a useful debug tool, as it was always intended
to be used. Second is the ability to easily and safely update of any
component in the fitImage, be it TFA, Linux or DT.
The boot process is similar to regular Linux with DT fitImage boot
process, except the TFA has to be bundled into the fitImage. For the
bundling instructions, see below. The TFA is started as a 'loadables'
with custom U_BOOT_FIT_LOADABLE_HANDLER and armv8_switch_to_el2_prep()
handling implemented in board code, and performing the handoff and
boot in case the TFA was loaded.
The loadables handler is optional and meant to set up any sort of
handoff structures used by the TFA BL31 or perform any other setup
that is needed by the blob. The custom armv8_switch_to_el2_prep()
has to implement the jump to TFA BL31 with return to U-Boot just
before booting the Linux kernel.
Example fitImage image and configuration section:
/dts-v1/;
/ {
description = "Linux kernel with FDT blob and TFA BL31";
images {
kernel-1 { ... };
fdt-1 { ... };
atf-1 { /* This is the TFA BL31 image */
description = "TFA BL31";
data = /incbin/("../build/plat/release/bl31.bin");
type = "tfa-bl31";
arch = "arm64";
os = "arm-trusted-firmware";
compression = "none";
load = <0x46400000>;
entry = <0x46400000>;
};
};
configurations {
default = "conf-1";
conf-1 {
description = "Boot Linux";
kernel = "kernel-1";
fdt = "fdt-1";
loadables = "atf-1"; /* This is the TFA BL31 loadable */
};
};
};
Reviewed-by: Tom Rini <[email protected]>
Signed-off-by: Marek Vasut <[email protected]>
|
|
A FIT image which is NOT using -E when created by mkimage - that is with
image data within the FIT - will fail to apply FDTO if the base FDT
image node does not specify a load property (which points to an address
in DRAM). This is because we check that the FDT address we want to apply
overlay to (i.e. modify and likely increase in size) is not inside the
FIT and give up otherwise. This is assumed necessary because we may then
overwrite other data when applying in-place.
However, we can do better than giving up: relocating the FDT in another
place in DRAM where it's safe to increase its size and apply FDTOs.
While at it, do not discriminate anymore on whether the data is within
the FIT data address space - that is FIT images created with mkimage -E
- as that still may be susceptible to unintended data overwrites as
mkimage -E simply concatenates all blobs after the FIT. If the FDT blob
isn't the last, it'll result in overwriting later blobs when resizing.
The side effect is that the load property in the FIT is only
temporarily used to load the FDT but then relocated right before we
start applying overlays.
Suggested-by: Marek Vasut <[email protected]>
Reviewed-by: Marek Vasut <[email protected]>
Signed-off-by: Quentin Schulz <[email protected]>
|
|
With SPL we want to specify the phase of the image to be loaded. Add
support for this.
This is the implementation of a FIT feature added to the spec a few
years ago and entails a small code-size increase, about 70 bytes on
Thumb2.
Signed-off-by: Simon Glass <[email protected]>
Link: https://docs.u-boot.org/en/latest/usage/fit/index.html
|
|
This function is really just getting the data. The size comes along for
the ride. In fact this function is only reliable way to obtain the data
for an image in a FIT, since the FIT may use external data.
Rename it to fit_image_get_data()
Signed-off-by: Simon Glass <[email protected]>
|
|
This function can only be used with FITs that use embedded data. Rename
it so this is clear.
Signed-off-by: Simon Glass <[email protected]>
Acked-by: Heinrich Schuchardt <[email protected]>
|
|
Some code has crept in which ignores this parameter. Fix this and add a
little debugging.
Signed-off-by: Simon Glass <[email protected]>
Fixes: b1307f884a9 ("fit: Support compression for non-kernel components (e.g. FDT)")
|
|
When the best-match feature fails to find something, use the provided
config name as a fallback. The allows SPL to select a suitable config
when best-match is enabled.
Signed-off-by: Simon Glass <[email protected]>
|
|
This reverts commit 1fdf53ace13f745fe8ad4d2d4e79eed98088d555, reversing
changes made to e5aef1bbf11412eebd4c242b46adff5301353c30.
I had missed that this caused too much size growth on rcar3_salvator-x.
Signed-off-by: Tom Rini <[email protected]>
|
|
Some code has crept in which ignores this parameter. Fix this and add a
little debugging.
Signed-off-by: Simon Glass <[email protected]>
Fixes: b1307f884a9 ("fit: Support compression for non-kernel components (e.g. FDT)")
|
|
When the best-match feature fails to find something, use the provided
config name as a fallback. The allows SPL to select a suitable config
when best-match is enabled.
Signed-off-by: Simon Glass <[email protected]>
|
|
Specify the FIT and include information about each loaded image, as
required by the UPL handoff.
Write the UPL handoff into the bloblist before jumping to the next phase.
Control this using a runtime flag to avoid conflicting with other
handoff mechanisms.
Signed-off-by: Simon Glass <[email protected]>
|
|
Some operating systems (e.g. seL4) and embedded applications are ELF
images. It is convenient to use FIT-images to implement trusted boot.
Added "elf" image type for booting using bootm command.
Signed-off-by: Maxim Moskalets <[email protected]>
|
|
Remove the redundant includes of u-boot/md5.h, u-boot/sha1.h,
u-boot/sha256.h and u-boot/sha512.h
Signed-off-by: Raymond Mao <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
Reviewed-by: Igor Opaniuk <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
|
|
Remove <common.h> from all "boot/" files and when needed add
missing include files directly.
Signed-off-by: Tom Rini <[email protected]>
|
|
In general terms, we -include include/linux/kconfig.h and so normal
U-Boot code does not need to also #include it. However, for code which
is shared with userspace we may need to add it so that either our full
config is available or so that macros such as CONFIG_IS_ENABLED() can be
evaluated. In this case make sure that we guard these includes with a
test for USE_HOSTCC so that it clear as to why we're doing this.
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Tom Rini <[email protected]>
|
|
Add support for filtering out FIT images by phase. Rather than adding yet
another argument to this already overloaded function, use a composite
value, where the phase is only added in if needed.
The FIT config is still selected (and verified) as normal, but the images
are selected based on the phase.
Tests for this come in a little later, as part of the updated VPL test.
Signed-off-by: Simon Glass <[email protected]>
|
|
Move this comment to the header file, where the APIs should be defined.
Signed-off-by: Simon Glass <[email protected]>
|
|
This is not needed and we should avoid typedefs. Use the struct instead.
Signed-off-by: Simon Glass <[email protected]>
|
|
Several different firmware users have repetitive code to extract the
firmware data from a FIT. Add some helper functions to reduce the amount
of repetition. fit_conf_get_prop_node (eventually) calls
fdt_check_node_offset_, so we can avoid an explicit if. In general, this
version avoids printing on error because the callers are typically
library functions, and because the FIT code generally has (debug)
prints of its own. One difference in these helpers is that they use
fit_image_get_data_and_size instead of fit_image_get_data, as the former
handles external data correctly.
Signed-off-by: Sean Anderson <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Peng Fan <[email protected]>
|
|
fit_image_get_comp() should not set value -1 in case it can't read
the compression node. Instead, leave the value untouched in that case
as it can be absent and a default value previously defined by the
caller of fit_image_get_comp() should be used.
As a result the warning message
WARNING: 'compression' nodes for ramdisks are deprecated, please fix your .its file!
no longer shows if the compression node is actually absent.
Signed-off-by: Daniel Golle <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The documentation above the DEFINE_ALIGN_BUFFER says it's for use
outside functions, but we're inside one.
Instead use ALLOC_CACHE_ALIGN_BUFFER, the stack based macro, which also
includes the cache alignment.
Fixes: b583348ca8c8 ("image: fit: Align hash output buffers")
Signed-off-by: Joel Stanley <[email protected]>
Tested-by: Chia-Wei Wang <[email protected]>
Reviewed-by: Sean Anderson <[email protected]>
|
|
* free() checks if its argument is NULL. Remove duplicate checks.
* Remove duplicate free(ovcopy).
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Hardware-accelerated hash functions require that the input and output
buffers be aligned to the minimum DMA alignment. memalign.h helpfully
provides a macro just for this purpose. It doesn't exist on the host,
but we don't need to be aligned there either.
Fixes: 5dfb521386 ("[new uImage] New uImage low-level API")
Signed-off-by: Sean Anderson <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
At present we rely on the key blob being in the global_data fdt_blob
pointer. This is true in U-Boot but not with tools. For clarity, pass the
parameter around.
Signed-off-by: Simon Glass <[email protected]>
|
|
Modifications would be invalid.
Signed-off-by: Jan Kiszka <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Sphinx expects Return: and not @return to indicate a return value.
find . -name '*.c' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;
find . -name '*.h' -exec \
sed -i 's/^\(\s\)\*\(\s*\)@return\(\s\)/\1*\2Return:\3/' {} \;
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Fix inconsistent function parameter name of the hash algorithm.
Signed-off-by: Chia-Wei Wang <[email protected]>
Fixes: 92055e138f2 ("image: Drop if/elseif hash selection in calculate_hash()")
Reviewed-by: Joel Stanley <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Quite a lot of the code in common/relates to booting and images. Before
adding more it seems like a good time to move the code into its own
directory.
Most files with 'boot' or 'image' in them are moved, except:
- autoboot.c which relates to U-Boot automatically running a script
- bootstage.c which relates to U-Boot timing
Drop the removal of boot* files from the output directory, since this
interfers with the symlinks created by tools and there does not appear
to be any such file from my brief testing.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Artem Lapkin <[email protected]>
Tested-by: Artem Lapkin <[email protected]>
|
