| Age | Commit message (Collapse) | Author |
|---|
|
The CMD_BOOT[IZ] symbols have a dependency on LMB, correctly,
currently. Make sure that in BOOT_DEFAULTS_CMDS we only select these
commands if LMB is enabled.
Signed-off-by: Tom Rini <[email protected]>
|
|
|
|
The CEDIT functionality, due to the cmos functions, depends directly on
DM_RTC being enabled in order to provide that API. Express this in
Kconfig as well.
Signed-off-by: Tom Rini <[email protected]>
|
|
The calls around lmb functions for these commands are not specific to
SYS_BOOT_RAMDISK_HIGH but rather part of the general loading portion of
the command itself currently. Move this dependency to the right spot.
Signed-off-by: Tom Rini <[email protected]>
|
|
It is not functionally possible to use the code enabled by
PARTITION_TYPE_GUID without having EFI_PARTITION be enabled as well. Not
all users of the former had ensured that the latter was enabled however,
so audit all current users and then as appropriate select or imply
EFI_PARTITION as needed.
Signed-off-by: Tom Rini <[email protected]>
|
|
As exposed by "make randconfig", we have an issue around SPL_UPL. This
depends on SPL_LIBGENERIC_SUPPORT indirectly. In turn, SPL_UPL_OUT needs
to next depend on SPL_UPL.
Signed-off-by: Tom Rini <[email protected]>
|
|
As exposed by "make randconfig", we have an issues around a number of
symbols in BOOT_DEFAULTS_CMDS. Due to the nature of how we currently
handle other networking related command options, we need to be testing
for "!NO_NET" (which is the symbol for no networking stack) or "NET ||
NET_LWIP" rather than CMD_NET alone. For consistency and clarity here
use "CMD_NET && !NO_NET" here.
Signed-off-by: Tom Rini <[email protected]>
|
|
As exposed by "make randconfig", we have xPL_FIT select'ing
xPL_OF_CONTROL, and that in turn requires xPL_LIBGENERIC_SUPPORT. The
most reasonable solution here is to have xPL_FIT select
xPL_LIBGENERIC_SUPPORT.
Signed-off-by: Tom Rini <[email protected]>
|
|
The options to enable pre-load signature support (full U-Boot or in SPL)
must depend on FIT_SIGNATURE being enabled, and not select it.
Signed-off-by: Tom Rini <[email protected]>
|
|
If no signature could be verified and the loop terminates, the iterator
'noffset' has no meaningful value so name yields NULL.
Signed-off-by: Ludwig Nussel <[email protected]>
|
|
Commit 2092322b31cc ("boot: Add fit_config_get_hash_list() to build
signed node list") removed printing the list of hashed nodes during
verification. Add it back to have a chance to compare the list when
debugging.
Signed-off-by: Ludwig Nussel <[email protected]>
|
|
Commit 488445cefa1 ("doc: Move FIT into its own directory") moved the
documentation in doc/uImage.FIT to doc/usage/fit, subsequently all
documents and example sources have been converted to reStructuredText.
Fix (almost) all of the remaining occurrences of the old path and
filenames across the tree.
The exception is doc/uImage.FIT/command_syntax_extensions.txt which
apparently has been removed entirely, or at least I was unable to
locate where that document is now.
Signed-off-by: Daniel Golle <[email protected]>
|
|
Simon Glass <[email protected]> says:
Each arch does something slightly different before booting the OS. Some
archs even do different things depending on the CPU type.
It is quite hard to know what actually happens in the final milliseconds
before the OS boot.
This series attempts to start cleaning up U-Boot in this area.
The basic intent is to create a new bootm_final() function which can be
called by all archs. It provides some flags for a couple of necessary
variations but otherwise it is generic.
All architectures are converted over to use this new function.
board_quiesce_devices() is moved into bootm_final() so that all archs
benefit from it.
This series fixes a bug in device_remove() is fixed where removing a
parent with specialised flags (e.g. DM_REMOVE_ACTIVE_ALL) could leave
children activated, since they do not match the flags. This fixes is
needed to avoid bootm_final() causing test failures on sandbox.
Future work could take this a little further:
- Convert EFI loader to use the same function
- Improve comments for cleanup_before_linux() across architectures
- Support fake-run tracing on all archs
Link: https://lore.kernel.org/r/[email protected]
|
|
ARM stashes bootstage data to a known memory location before booting,
so the kernel can pick it up. Add this to bootm_final() so all
architectures benefit from it.
The bootstage_stash_default() function is a no-op when bootstage or
stashing is disabled.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
The RISC-V announce_and_cleanup() duplicates the common pre-boot
steps. Replace it with a call to bootm_final().
Move board_quiesce_devices() into bootm_final() so it is available to
all architectures. Drop the RISC-V weak definition and header
declaration since the generic one in bootm.h is used instead.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
There are various functions which announce that booting is imminent and
do related preparation. Most of these are arch-specific.
In practice, most archs do a similar thing. It would be better to
have a common function, with perhaps some events for things that are
really arch- and board-specific.
Create a new bootm_final() function with the common pre-boot steps:
printing the "Starting kernel" message, recording bootstage data,
optionally writing bootstage to the FDT and printing a report, and
removing active devices.
Be careful to avoid using BIT() macros which are not available with host
tools.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
Quentin Schulz <[email protected]> says:
This migrates the last user of the legacy LED API, IMX233-OLinuXino and
net/bootp.c, to the modern LED framework.
I do have concern about being able to use BOOTP in SPL? In which case, I
should probably add an additional check on CONFIG_IS_ENABLED(LED) in
addition to IS_ENABLED(CONFIG_LED_BOOT)?
I haven't tested this as I do not own an IMX233-OLinuXino, so please
give this a try if you own this device.
Then, since there's no user left of this legacy API, it is entirely
removed.
Link: https://lore.kernel.org/r/[email protected]
|
|
No user of the legacy LED API anymore (except Sunxi with the PinePhone
but that is now a Sunxi-specific implementation), so let's remove
anything related.
Signed-off-by: Quentin Schulz <[email protected]>
|
|
The functions use 'ulong', however, the comments said 'uint32_t'.
Update the comments to match the prototype.
Signed-off-by: Kunihiko Hayashi <[email protected]>
Reviewed-by: Quentin Schulz <[email protected]>
|
|
https://source.denx.de/u-boot/custodians/u-boot-net into next
Pull request net-20260312.
net:
- Move network PHY under NETDEVICES
- s/DM_CLK/CLK/ in HIFEMAC_{ETH,MDIO}
- Add support for Airoha AN8811HB PHY
- airoha: PCS and MDIO support for Airoha AN7581 SoC
net-lwip:
- Fix issue when TFTP blocksize is >8192
- Adjust PBUF_POOL_SIZE/IP_REASS_MAX_PBUFS for better performance and
resource usage.
- Enable mii command for NET_LWIP
|
|
If we are using the legacy or the LWIP network stack,
should not influence our decision to provide command `mii`.
Let BOOT_DEFAULTS_CMDS imply MII if either of the network
stacks is available.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Symbol CONFIG_VPL_CRYPTO does not exist.
Don't select it.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Fixes: 4218456b3fac ("vbe: Add Kconfig options for VPL")
Reviewed-by: Quentin Schulz <[email protected]>
|
|
Prepare v2026.04-rc4
|
|
The hashed-nodes property in a FIT signature node lists which FDT paths
are included in the signature hash. It is intended as a hint so should
not be used for verification.
Add a function to build the node list from scratch by iterating the
configuration's image references. Skip properties known not to be image
references. For each image, collect the path plus all hash and cipher
subnodes.
Use the new function in fit_config_check_sig() instead of reading
'hashed-nodes'.
Update the test_vboot kernel@ test case: fit_check_sign now catches the
attack at signature-verification time (the @-suffixed node is hashed
instead of the real one, causing a mismatch) rather than at
fit_check_format() time.
Update the docs to cover this. The FIT spec can be updated separately.
Signed-off-by: Simon Glass <[email protected]>
Closes: https://lore.kernel.org/u-boot/[email protected]/
Reported-by: Apple Security Engineering and Architecture (SEAR)
Tested-by: Tom Rini <[email protected]>
|
|
FIT images don't work without having to explicitly specify physical
load addresses. Digging into that it looks like a flaw in
bootm_load_os().
It duplicates images->os for convenience. However, the code handling
"kernel_noload" images then updates the load address in the copy with
the value lmb_alloc_mem() returned. Later there's another call to
lmb_alloc_mem() that uses the old value. This leads to havoc due
to subsequent calls of lmb_alloc_mem() picking too low addresses.
The "fix" is to mark the local variable const to avoid accidental
assignments. This works but IMO the logic is still flawed somehow as
this leads to overlapping lmb reservations. I guess the fixed
reservation should only be done when the noload path wasn't hit.
Without the change:
+ bootm 0x40200000#qemu-arm 0x40200000#qemu-arm 0x40000000
Using 'qemu-arm' configuration
Verifying Hash Integrity ... OK
Trying 'kernel' kernel subimage
Description: Linux kernel
Created: 2026-02-24 14:10:09 UTC
Type: Kernel Image (no loading done)
Compression: gzip compressed
Data Start: 0x402000b8
Data Size: 12227440 Bytes = 11.7 MiB
Hash algo: sha256
Hash value: 7ea661fdecdd1127edd419cfbf8bff52e2d5ac55c...
Verifying Hash Integrity ... sha256+ OK
Using 'qemu-arm' configuration
Verifying Hash Integrity ... OK
Trying 'ramdisk' ramdisk subimage
Description: Initial ramdisk
Created: 2026-02-24 14:10:09 UTC
Type: RAMDisk Image
Compression: uncompressed
Data Start: 0x40da9528
Data Size: 1067114 Bytes = 1 MiB
Architecture: AArch64
OS: Linux
Load Address: unavailable
Entry Point: unavailable
Hash algo: sha256
Hash value: 2a711dcb5f58615187645ccec615c67eddcfbb3138...
Verifying Hash Integrity ... sha256+ OK
Booting using the fdt blob at 0x40000000
Working FDT set to 40000000
Uncompressing Kernel Image (no loading done) to 13a400000
Loading Ramdisk to 400fb000, end 401ff86a ... OK
device tree - allocation error
FDT creation failed!
resetting ...
Bloblist at 0 not found (err=-2)
alloc space exhausted ptr 400 limit 0
Bloblist at 0 not found (err=-2)
[reset]
After:
+ bootm 0x40200000#qemu-arm 0x40200000#qemu-arm 0x40000000
Using 'qemu-arm' configuration
Verifying Hash Integrity ... OK
Trying 'kernel' kernel subimage
Description: Linux kernel
Created: 2026-02-24 14:10:09 UTC
Type: Kernel Image (no loading done)
Compression: gzip compressed
Data Start: 0x402000b8
Data Size: 12227440 Bytes = 11.7 MiB
Hash algo: sha256
Hash value: 7ea661fdecdd1127edd419cfbf8bff52e2d5ac55ce...
Verifying Hash Integrity ... sha256+ OK
Using 'qemu-arm' configuration
Verifying Hash Integrity ... OK
Trying 'ramdisk' ramdisk subimage
Description: Initial ramdisk
Created: 2026-02-24 14:10:09 UTC
Type: RAMDisk Image
Compression: uncompressed
Data Start: 0x40da9528
Data Size: 1067114 Bytes = 1 MiB
Architecture: AArch64
OS: Linux
Load Address: unavailable
Entry Point: unavailable
Hash algo: sha256
Hash value: 2a711dcb5f58615187645ccec615c67eddcfbb3138...
Verifying Hash Integrity ... sha256+ OK
Booting using the fdt blob at 0x40000000
Working FDT set to 40000000
Uncompressing Kernel Image (no loading done) to 13a400000
Loading Ramdisk to 13a2fb000, end 13a3ff86a ... OK
Loading Device Tree to 000000013a1f8000, end 000000013a2fafff ... OK
Working FDT set to 13a1f8000
Starting kernel ...
Signed-off-by: Ludwig Nussel <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
boot_get_fdt_fit_into_buffer() calls fdt_open_into() for both the
base FDT and overlay DTO blobs loaded from a FIT image.
Those blobs come from FIT payload data. In the overlay path,
fit_image_load() is called with FIT_LOAD_IGNORED, so the IH_TYPE_FLATDT
header check in fit_image_load() is skipped. This leaves fdt_open_into()
to consume header-derived offsets/sizes from unvalidated input.
Validate the full blob against the payload length first with
fdt_check_full(fdtsrcbuf, srclen), then proceed with fdt_totalsize() and
fdt_open_into(). This fixes Coverity CID 644638 (TAINTED_SCALAR).
Fixes: 5ebf0c55a23 ("image: fit: Apply overlays using aligned writable FDT copies")
Link: https://lore.kernel.org/all/20260223195109.GG3233182@bill-the-cat/
Signed-off-by: James Hilliard <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
Prepare v2026.04-rc3
|
|
Remove DECLARE_GLOBAL_DATA_PTR from files where gd is not used, and
drop the unnecessary inclusion of asm/global_data.h.
Headers should be included directly by the files that need them,
rather than indirectly via global_data.h.
Reviewed-by: Patrice Chotard <[email protected]> #STMicroelectronics boards and STM32MP1 ram test driver
Tested-by: Anshul Dalal <[email protected]> #TI boards
Acked-by: Yao Zi <[email protected]> #TH1520
Signed-off-by: Peng Fan <[email protected]>
|
|
Fix a segmentation fault caused by a null pointer access during root
partition checking. The function part_get_info() was falsely given null
for the disk_partition struct, which later resulted in accessing a null
pointer and thus undefined behavior.
Fixes: 5d7c080ae5dc ("bootstd: rauc: Don't check root part filesystem")
Signed-off-by: Martin Schwan <[email protected]>
|
|
Add missing "to" so that the sentence makes sense.
Signed-off-by: Hugo Villeneuve <[email protected]>
|
|
libfdt expects FDT/DTO blobs to be 8-byte aligned. When loading the
base FDT or overlays from a FIT, the mapped buffer may be unaligned,
which can break fdt_open_into() on strict-alignment architectures.
boot_get_fdt_fit() relocates the base FDT with boot_relocate_fdt()
before applying overlays. That uses the bootm memory map and can
overlap with the FIT buffer when the FIT is loaded into RAM,
corrupting data needed to load the kernel and ramdisk.
Allocate writable, 8-byte aligned copies of the base FDT and overlays
with memalign() and fdt_open_into(). Grow the base buffer as needed,
apply overlays to it and pack the final tree. Free each temporary
overlay copy after application and check fdt_pack() errors.
Fixes: 8fbcc0e0e839 ("boot: Assure FDT is always 8-byte aligned")
Fixes: 881f0b77dc8c ("image: apply FDTOs on FDT image node")
Signed-off-by: James Hilliard <[email protected]>
Cc: Jamie Gibbons <[email protected]>
Reviewed-by: Marek Vasut <[email protected]>
|
|
Print the actual error code in a couple of places in boot_get_fdt_fit().
These are FDT error codes, not errno, so printing the string is more
helpful than printing the numeric value.
The only caller of boot_get_fdt_fit() unconditionally replaces the
returned error code (fdt_noffset) with ENOENT so the actual error would
otherwise be lost.
Signed-off-by: David Lechner <[email protected]>
|
|
Show name of configuration node which was not found.
current state gives no hint if fit image is wrong or the requested name.
Could not find configuration node
load of <NULL> failed
After this patch we see name like this:
Could not find configuration node '#ov-test'
load of <NULL> failed
Signed-off-by: Frank Wunderlich <[email protected]>
Reviewed-by: Quentin Schulz <[email protected]>
|
|
Options which deal with memory locations and have a default value of 0x0
are dangerous, as that is often not a valid memory location. Rework
SPL_LOAD_FIT_ADDRESS as follows:
- Add SPL_HAS_LOAD_FIT_ADDRESS to guard prompting the question as the
case of loading a FIT image does not strictly require setting an
address and allows for a malloc()'d area to be used.
- For SPL_RAM_SUPPORT, select the new guard symbol if SPL_LOAD_FIT is
enabled because in that case an address must be provided.
- Update defconfigs for these new changes. Largely this means some
defconfigs need to enable SPL_HAS_LOAD_FIT_ADDRESS to maintain their
current status. In the case of sandbox, we also need to set
SPL_LOAD_FIT_ADDRESS to 0x0.
Signed-off-by: Tom Rini <[email protected]>
|
|
The bootm command can handle the compressed image, but current
code fails to boot from it.
## Loading kernel (any) from FIT Image at a8000000 ...
<snip>
Compression: gzip compressed
Data Start: 0xa80000d4
Data Size: 10114520 Bytes = 9.6 MiB
Architecture: AArch64
OS: EFI Firmware
Load Address: 0x90000000
<snip>
Uncompressing Kernel Image to 90000000
## Transferring control to EFI (at address a80000d4) ...
Booting <NULL>
Not a PE-COFF file
Loading image failed
To take care of the compressed image, the load address needs
to be passed instead of the original compressed image address.
Signed-off-by: Masahisa Kojima <[email protected]>
Tested-by: Kunihiko Hayashi <[email protected]>
|
|
https://source.denx.de/u-boot/custodians/u-boot-dfu
u-boot-dfu-20260116
CI: https://source.denx.de/u-boot/custodians/u-boot-dfu/-/pipelines/29018
Android:
* Fix missing dependency for BOOTMETH_ANDROID
* Add bootconfig support
* Add 'get ramdisk' command to abootimg
DFU:
* Improve error handling in dfu_fill_entity()
USB Gadget:
* ci_udc: Ensure ci_ep->desc is valid before using it
* ci_udc: Add additional debug prints
|
|
While reading bootflow, memory was not released if an
error occurred.
Signed-off-by: Francois Berder <[email protected]>
Acked-by: Martin Schwan <[email protected]>
Tested-by: Martin Schwan <[email protected]>
|
|
For android vendor boot image version 4 bootconfig is mandatory.[1]
In the android_image_get_ramdisk function, after copying both vendor and
boot ramdisks, we extract all androidboot.* entries from the kernel
command line. These entries are added to the bootconfig section.
We then update the sizes of the ramdisk and bootconfig.
Finally, all androidboot.* entries are removed from the kernel command
line.
[1] https://source.android.com/docs/core/architecture/partitions/vendor-boot-partitions#bootloader-support
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Guillaume La Roque (TI.com) <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
[mkorpershoek: dropped irrelevant code comments]
Signed-off-by: Mattijs Korpershoek <[email protected]>
|
|
Use map_to_sysmem() to convert header pointers to physical addresses
in parse_hdr functions, and add proper map_sysmem()/unmap_sysmem()
calls in android_image_get_data() for sandbox compatibility.
Reviewed-by: Mattijs Korpershoek <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Guillaume La Roque (TI.com) <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mattijs Korpershoek <[email protected]>
|
|
To properly implement Android boot image v4, U-Boot must be able to
add additional entries to the bootconfig.
Add `add_bootconfig_parameters()` to do so.
This has been imported from Google's U-Boot source[1]
The variables/function names have been reworked to be
compliant with U-Boot's coding style.
[1] https://android.googlesource.com/platform/external/u-boot/+/7af0a0506d4de6f5ea147d10fb0664a8af07d326
Signed-off-by: Mattijs Korpershoek (TI.com) <[email protected]>
Reviewed-by: Mattijs Korpershoek <[email protected]>
Signed-off-by: Guillaume La Roque (TI.com) <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mattijs Korpershoek <[email protected]>
|
|
If strdup call fails, one needs to free priv variable.
Signed-off-by: Francois Berder <[email protected]>
Reviewed-by: Mattijs Korpershoek <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
Link: https://lore.kernel.org/r/BESP194MB28052734FD0361EA602F6360DA8FA@BESP194MB2805.EURP194.PROD.OUTLOOK.COM
Signed-off-by: Mattijs Korpershoek <[email protected]>
|
|
The code depends on set_avendor_bootimg_addr and set_abootimg_addr
functions which are only defined in cmd/abootimg.c, only built when
CMD_ABOOTIMG=y so let's add a dependency.
It should be "depends on" to be properly implemented, but we get a
circular dependency otherwise:
boot/Kconfig:566:error: recursive dependency detected!
boot/Kconfig:566: symbol BOOTMETH_ANDROID depends on CMD_ABOOTIMG
cmd/Kconfig:504: symbol CMD_ABOOTIMG depends on ANDROID_BOOT_IMAGE
boot/Kconfig:7: symbol ANDROID_BOOT_IMAGE is selected by BOOTMETH_ANDROID
so instead we do a select. It is safe because CMD_ABOOTIMG depends on
ANDROID_BOOT_IMAGE which we select here as well.
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Kory Maincent <[email protected]>
Reviewed-by: Mattijs Korpershoek <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Mattijs Korpershoek <[email protected]>
|
|
This series from Andrew Davis <[email protected]> makes a number of the TI K3
CONFIG symbols have consistent values in SPL, as they are things
determined by the SoC and not the board design.
Link: https://lore.kernel.org/r/[email protected]
|
|
These are common for all K3 based boards. Add the common values as
defaults and remove from each board defconfig
Signed-off-by: Andrew Davis <[email protected]>
Reviewed-by: Bryan Brattlof <[email protected]>
|
|
In case the 'fdt_high' environment variable is set to ~0, warn users
about the dangers of the fdt_high usage. This will hopefully lead to
removal of most of the fdt_high ~0 usage over time.
Signed-off-by: Marek Vasut <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
|
|
VPL_FIT_FULL_CHECK currently shares its description and help text with
FIT_FULL_CHECK which is quite confusing, so let's specify this applies
to VPL.
Fixes: 4218456b3fac ("vbe: Add Kconfig options for VPL")
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Anshul Dalal <[email protected]>
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Peng Fan <[email protected]>
|
|
The prompt wrongly specifies this applies to SPL while this symbol is
for VPL, let's fix this oversight.
Fixes: 8dfbd798122b ("boot: Allow use of FIT in TPL and VPL")
Signed-off-by: Quentin Schulz <[email protected]>
Acked-by: Udit Kumar <[email protected]>
Reviewed-by: Anshul Dalal <[email protected]>
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Peng Fan <[email protected]>
|
|
The prompt currently doesn't specify this applies to the SPL stage only,
so let's fix this oversight.
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: Anshul Dalal <[email protected]>
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Peng Fan <[email protected]>
|
|
The prompt is missing the indication this applies for the SPL loading
a FIT image, and not any other stage.
Signed-off-by: Quentin Schulz <[email protected]>
Reviewed-by: [email protected]
Reviewed-by: Udit Kumar <[email protected]>
Reviewed-by: Anshul Dalal <[email protected]>
Reviewed-by: Kory Maincent <[email protected]>
Signed-off-by: Peng Fan <[email protected]>
|
|
https://source.denx.de/u-boot/custodians/u-boot-amlogic into next
- Add u-boot SPL support for GX SoCs
- meson_gx_mmc: reduce maximum frequency
- Add support for EFI capsule updates on all Amlogic boards
|
