| Age | Commit message (Collapse) | Author |
|---|
|
This patch moves the falcon mode handling logic out of
spl_spi_load_image to spl_spi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.
Signed-off-by: Anshul Dalal <[email protected]>
|
|
This patch moves the falcon mode handling logic out of
spl_ubi_load_image to spl_ubi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.
Signed-off-by: Anshul Dalal <[email protected]>
|
|
Currently the logic to handle falcon mode as well as the regular boot is
inside spl_mmc_do_fs_boot, this prevents us from cleanly extending
falcon mode functionality like toggleable fallback to U-Boot proper.
Therefore this patch splits the logic into spl_mmc_fs_load and
spl_mmc_fs_load_os to handle the regular boot and falcon mode use case.
Signed-off-by: Anshul Dalal <[email protected]>
|
|
This patch adds the new SPL_OS_BOOT_SECURE symbol that enables secure
boot flow in falcon mode. This symbol can be used to disable certain
inherently insecure options during falcon boot.
Reviewed-by: Tom Rini <[email protected]>
Signed-off-by: Anshul Dalal <[email protected]>
|
|
Due to how we implement the logic for selecting what should/shouldn't be
built in a given phase it becomes extremely cumbersome to make these
phases link when configured by "allyesconfig". As a starting point for
being able to enable "allyesconfig" and expand our static coverage,
disable all other phases in this case.
Future work can be done to enable other phases as time and interest
permit.
Signed-off-by: Tom Rini <[email protected]>
|
|
Today, only a few platforms enable SPL_LOAD_FIT_FULL, and all enable
SPL_LOAD_FIT. As can be seen in usage, the FULL symbol is a superset of
the first symbol, not an alternative. Update Kconfig entries based on
this and simplify the only code which checks for either being set.
Signed-off-by: Tom Rini <[email protected]>
|
|
We can only enable Falcon Mode (aka SPL_OS) on architectures which
implement certain hooks. Express these dependencies in Kconfig.
Signed-off-by: Tom Rini <[email protected]>
|
|
It is possible that we will not have enabled the options to call
spl_sata_load_image_raw so use the __maybe_unused decorator to silence
the compiler warning.
Signed-off-by: Tom Rini <[email protected]>
|
|
In Kconfig syntax, "!=" is a string and not numerical comparison. This
means that to check for a non-zero SPL_SIZE_LIMIT_PROVIDE_STACK value we
need to test that it is "> 0" rather than "!=" 0. This is because "0x0 >
0" is false while "0x0 != 0" is true.
Signed-off-by: Tom Rini <[email protected]>
|
|
before args"
Anshul Dalal <[email protected]> says:
During the implementation of falcon mode for TI's K3 devices [1], I encountered
several limitations in regards to the current falcon mode support in U-Boot
especially in ensuring a secure boot flow.
Although the current implementation allows for loading of a signed fitImage as
the SPL payload, there are still a few edge cases that might allow bypassing the
verified boot path.
The following issues with current falcon mode need to be resolved:
1) No fallback:
We currently fallback to regular boot flow if falcon mode fails,
this might not be secure.
2) No arguments file:
We currently load a kernel file (which could be a raw image or FIT)
alongside an args file (usually the DT). The args file here doesn't have
any verification mechanism, so should be skipped altogether as the FIT can
contain the DT.
3) No access to env:
In ext and fat fs boot, currently we also reads the environment to get the
names of the kernel and the arg file. This should be disabled in secure
falcon flow as the env might not be secure.
4) No raw image boot:
Boot should fail when the kernel file is a raw kernel image, only FIT should
be allowed.
As per the recommendation of maintainers[2], I have decided to split the above
set of tasks into multiple patch series. This is the first one which fixes the
load order of kernel image and the args file in falcon mode. Along with some
minor cleanup.
[1]: https://lore.kernel.org/u-boot/[email protected]/
[2]: https://lore.kernel.org/u-boot/20250911172313.GT124814@bill-the-cat/
Link: https://lore.kernel.org/r/[email protected]
|
|
Minor cleanup of spl_ext and spl_fat files, removing the outdated
CONFIG_SPL_LIBCOMMON_SUPPORT symbols similar to the commit 1847129025e0
("spl: mmc: Drop checks for CONFIG_SPL_LIBCOMMON_SUPPORT") and adding a
few extra failure reports.
Reviewed-by: Tom Rini <[email protected]>
Signed-off-by: Anshul Dalal <[email protected]>
|
|
Load the kernel image before args in falcon mode to be consistent with
the load order for other boot media.
Signed-off-by: Anshul Dalal <[email protected]>
|
|
Load the kernel image before args in falcon mode to be consistent with
the load order for other boot media.
Reviewed-by: Tom Rini <[email protected]>
Signed-off-by: Anshul Dalal <[email protected]>
|
|
Currently in falcon mode, the FS and raw mmc boot loads the args file
first followed by the kernel image whereas others load in the opposite
order. This inconsistency means falcon boot doesn't behave the same
across various boot media.
For example, in the case where the kernel file is a FIT with the kernel
image present alongside the dtb and the args file is another DT, which
DT should be picked? The one form the FIT or the one set by the args
file? Currently this depends entirely on how the boot media handles
falcon mode.
Therefore, this patch enforces the load order of the kernel image first
followed by the args file in FAT FS boot. So in the above example, the
args file would take precedence.
Reviewed-by: Tom Rini <[email protected]>
Signed-off-by: Anshul Dalal <[email protected]>
|
|
Prepare v2025.10-rc5
|
|
spl_start_uboot is a board overridable function that switches to falcon
boot mode on return value of 0.
Though for SPI, the falcon boot mode was being enabled on return value
of 1 which is not the correct behaviour. Therefore this patch fixes it
to the expected boot flow.
Fixes: 14509a28aa20 ("spl: spi: Consolidate spi_load_image_os into spl_spi_load_image")
Signed-off-by: Anshul Dalal <[email protected]>
|
|
The SPI flash driver does not build without SPI support enabled.
Fixes: 4151f4f822bb ("spl: Rework and tighten some dependencies")
Signed-off-by: Heinrich Schuchardt <[email protected]>
Acked-by: Peng Fan <[email protected]>
Acked-by: Anshul Dalal <[email protected]>
|
|
I had trouble booting some am335x boards (both
beagleboneblack and a custom board). SPL would start just fine, and
apparently load U-Boot proper, but it would hang when jumping to
U-Boot.
While debugging, I stumbled on this memcpy() which from code
inspection very much looked to have overlapping src and dst, and
indeed a simple printf revealed
calling memcpy(0x8087bf68, 0x8087bf80, 0xf7f8)
Now, it will always be with src > dst, our memcpy()
implementations "most likely" do forward-copying, and in the end it
turned out that this wasn't the culprit after all [*].
But to avoid me or others barking up the wrong tree in the future, and
because this use of memcpy() is technically undefined, use memmove()
instead.
[*] That was 358d1cc232c ("spl: Align FDT load address"), which has
since been fixed in master but not the v2025.07 I worked of by
52caad0d14a ("ARM: Align image end to 8 bytes to fit DT alignment").
Signed-off-by: Rasmus Villemoes <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
Explicitly specify the type by replacing macro with variable
to fix the possible compilation warning.
Signed-off-by: Leo Yu-Chi Liang <[email protected]>
|
|
Explicitly specify the type by replacing macro with variable
to fix the possible compilation warning.
Signed-off-by: Leo Yu-Chi Liang <[email protected]>
|
|
In boot_from_devices the variable loader is not NULL checked after
assignment and before first use but later code does check it for NULL.
Add a NULL check before first use.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
Add the basic Kconfig options, addresses and other values for the
existing Kconfig settings for the new Allwinner A523/T527/H728 SoC.
Signed-off-by: Andre Przywara <[email protected]>
|
|
The 'overhead' variable is uninitialized and actually shall not be used.
Delete it to fix coverity CID 37041718 - Uninitialized scalar variable.
Fixes: 73c40fcb7367 ("spl: Refactor spl_load_info->read to use units of bytes")
Reported-by: Andrew Goodbody <[email protected]>
Signed-off-by: Ye Li <[email protected]>
Reviewed-by: Peng Fan <[email protected]>
Signed-off-by: Fabio Estevam <[email protected]>
Reviewed-by: Andrew Goodbody <[email protected]>
|
|
To support PQC container format which is used for post quantum
authentication on new i.MX parts like i.MX94
The major changes compared to legacy container format is in
signature block, new container tag and version, and new alignment
of container header.
Signed-off-by: Ye Li <[email protected]>
Signed-off-by: Jacky Bai <[email protected]>
Signed-off-by: Alice Guo <[email protected]>
Acked-by: Peng Fan <[email protected]>
|
|
We have a few options that we cannot enable in a "allyesconfig" type
build because we cannot use zero as a default value.
- The logic around HAS_BOARD_SIZE_LIMIT assumes that if we have set this
then we compare with it. Similarly, we need to set SPL_NO_BSS_LIMIT as
the default there.
- Both SYS_CUSTOM_LDSCRIPT and ENV_USE_DEFAULT_ENV_TEXT_FILE then prompt
for a file name to use.
- The SYS_I2C_SOFT driver is a legacy driver which requires a lot of
configuration within the board config. file instead, so disable it.
Signed-off-by: Tom Rini <[email protected]>
|
|
Add Renesas R-Car Gen4 SCIF/HSCIF loader compatible SREC generation.
This is a regular U-Boot SPL SREC augmented with a short header which
describes where to store the received data and how much data to store.
This header is interpreted by the R-Car Gen4 BootROM SCIF/HSCIF loader.
Signed-off-by: Marek Vasut <[email protected]>
|
|
|
|
A malformed FIT image could have an image name property that is not NUL
terminated. Reject such images.
Reported-by: Mikhail Kshevetskiy <[email protected]>
Signed-off-by: Heinrich Schuchardt <[email protected]>
Tested-by: E Shattow <[email protected]>
|
|
spl_fit_get_image_name function
The change in commit 3704b888a4ca ("common/spl: fix potential out of buffer
access in spl_fit_get_image_name function") led to function
spl_fit_get_image_name() no longer detecting if a property does not exist
at a non-zero buffer.
Link: https://lore.kernel.org/u-boot/[email protected]/T/#m59f3a23e675daa992c28d12236de71cae2ca2bb9
Fixes: 3704b888a4ca ("common/spl: fix potential out of buffer access in spl_fit_get_image_name function")
Signed-off-by: Heinrich Schuchardt <[email protected]>
Tested-by: E Shattow <[email protected]>
|
|
The Allwinner A100 SoC has been around for a while, mostly on cheap
tablets, but didn't generate much interest in the community so far.
There were some efforts by two Allwinner employees in 2020, which led
to basic upstream Linux support for that SoC, although this momentum
dried up pretty quickly, leaving a lot of peripherals unsupported.
The A100 was silently replaced with the seemingly identical Allwinner
A133, which is reportedly a better bin of the A100. So far we assume
that both are compatible from a software perspective. There are some
more devices with the A133 out there now, so people are working on
filling the gaps, and adding U-Boot (and TF-A) support.
Based on the just added pinctrl, clock and DRAM support, this adds the
missing bits, mostly addresses and values for the SPL.
The A133 seems to be an predecessor to the H6, so we can share a lot of
code with that (and the H616 code), and just need to adjust some details.
Signed-off-by: Andre Przywara <[email protected]>
|
|
Prepare v2025.07-rc5
With this merge, tighten up the LTO_FLAGS removal we added to not
trigger on ARMv7 (which is Thumb-2 and should be fine).
|
|
This fix a possible NULL pointer dereference.
There is also a risk of memory leaking within the same portion of code.
The leak will happen if loaded image is bad or damaged. In this case
u-boot-spl will try booting from the other available media. Unfortunately
resources allocated for previous boot media will NOT be freed.
We can't fix that issue as the memory allocation mechanism used here
is unknown. It can be different kinds of malloc() or something else.
To somewhat reduce memory consumption, one can try to reuse previously
allocated memory as it's done in board_spl_fit_buffer_addr() from
test/image/spl_load.c.
The corresponding comment was put to the code as well.
Signed-off-by: Mikhail Kshevetskiy <[email protected]>
Reviewed-by: Anshul Dalal <[email protected]>
|
|
load_simple_fit() returns -EPERM for the images with broken signatures.
Unfortunately this may conflict with image loaging selection on the base
of boot phase. See commit 873112db9ce68c38984ff25808dde726f8dd5573
("spl: Support selecting images based on phase in simple FIT").
Thus loading of
configurations {
uboot {
description = "u-boot";
firmware = "atf";
loadables = "atf", "tee", "uboot";
};
};
with damaged "tee" image may finish without errors. This may results in
board bricking.
This patch fixes commit 873112db9ce68c38984ff25808dde726f8dd5573
("spl: Support selecting images based on phase in simple FIT")
by replacing EPERM with EBADSLT places where it should be done.
Signed-off-by: Mikhail Kshevetskiy <[email protected]>
|
|
function
The current code have two issues:
1) ineffective NULL pointer check
str = strchr(str, '\0') + 1
if (!str || ...
The str here will never be NULL (because we add 1 to result of strchr())
2) strchr() may go out of the buffer for the special forms of name variable.
It's better use memchr() function here.
According to the code the property is a sequence of C-string like
shown below:
'h', 'e', 'l', 'l', 'o', '\0', 'w', 'o', 'r', 'l', 'd', '\0', '!', '\0'
index is the string number we are interested, so
index = 0 => "hello",
index = 1 => "world",
index = 2 => "!"
The issue will arrise if last string for some reason have no terminating
'\0' character. This can happen for damaged or specially crafted dtb.
Signed-off-by: Mikhail Kshevetskiy <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
This function is currently a misnomer at times as we have cases where it
passes arguments to the image. In preparation for making that be a more
common case rename this function to jump_to_image(...). In order to do
this, rename jump_to_image in board_init_r(...) to jumper so that we do
not have a conflict.
Signed-off-by: Simon Glass <[email protected]>
[trini: Reword the commit message, adding missing cases of
jump_to_image_no_args()]
Signed-off-by: Tom Rini <[email protected]>
|
|
On several RISC-V boards we have seen that 1 MiB is a insufficient value
for CONFIG_SPL_SYS_MALLOC_SIZE.
For instance qemu-riscv32_spl_defconfig fails booting because u-boot.itb
exceeds 1 MiB.
8 MiB is a reasonable value that allows adding FPGA blobs or splash images
to main U-boot.
Reported-by: Simon Glass <[email protected]>
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Leo Yu-Chi Liang <[email protected]>
|
|
Tom Rini <[email protected]> says:
Hey all,
Related to my other series I've posted recently on cleaning up some
headers, this series here is the result of at least lightly auditing the
#includes used in include/[a-m]*.h. This ignores subdirectories, as at
least in part I think the top-level includes we've constructed are the
most likely places to have some extra transitive include paths. I'm sure
there's exceptions and I'll likely audit deeper once this first pass is
done. This only gets as far as "include/m*.h" because I didn't want this
to get too big. This also sets aside <miiphy.h> and <phy.h>. While
miiphy.h does not directly need <phy.h> there are *so* many users and I
think I had half of the tree just about not building when I first tried.
It might be worth further investigation, but it might just be OK as-is.
Link: https://lore.kernel.org/r/[email protected]
|
|
This file does not need <asm/cache.h> so remove it. However the file
common/spl/spl_fat.c does need it, so add it there.
Signed-off-by: Tom Rini <[email protected]>
|
|
Prepare v2025.07-rc3
|
|
The formatting with %pa / %pap behaves like %x, which results in an
incorrect value being output. To improve this, a new fine-tuning
Kconfig SPL_USE_TINY_PRINTF_POINTER_SUPPORT for pointer formatting
has been added. If it is enabled, the output of %pa / %pap should
be correct, and if it is disabled, the pointer formatting is
completely unsupported. In addition to indicate unsupported formatting,
'?' will be output. This allows enabling pointer formatting only
when needed. For SPL_NET it is selected by default. Then it also
supports the formatting with %pm, %pM and %pI4.
In summery this level of %p support for tiny printf is possible now:
1) The standard tiny printf won't have support for pointer formatting.
So it doesn't print misleading values for %pa, instead '?' will be
output:
%p => ?
%pa => ?a
%pap => ?ap
2) If SPL_USE_TINY_PRINTF_POINTER_SUPPORT is enabled or DEBUG is defined
tiny printf supports formatting %p and %pa / %pap.
3) If SPL_NET is enabled the support of pointers is extended
for %pm, %pM and %pI4.
Signed-off-by: Christoph Niedermaier <[email protected]>
|
|
Commit 2a00d73d081a ("spl: mmc: Try to clean up raw-mode options") breaks
the boot of the BSH SMM S2 board. As stated in the commit itself, "Some
boards use this value even though MMC is not enabled in SPL, for example
imx8mn_bsh_smm_s2".
Support load of the U-Boot image from raw NAND sector. This is equivalent
to load from MMC raw sector.
Fixes: 2a00d73d081a ("spl: mmc: Try to clean up raw-mode options")
Signed-off-by: Dario Binacchi <[email protected]>
|
|
Almost all Rockchip boards use the same Kconfig value for SPL_PAD_TO,
0x7f8000.
u-boot-rockchip.bin is typically written to offset 64S (32KiB) of MMC
media. u-boot.itb (or u-boot.img) is typically expected at offset 16384S
(8MiB) of MMC media (SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x4000).
SPL_PAD_TO is used as the offset for u-boot.itb (or u-boot.img) in the
generated simple-bin binman image, and can be calculated as:
SPL_PAD_TO = (16384S - 64S) * 512 = 0x7f8000
Add this value as a default value for ARCH_ROCKCHIP.
Signed-off-by: Jonas Karlman <[email protected]>
Reviewed-by: Kever Yang <[email protected]>
Reviewed-by: Quentin Schulz <[email protected]>
|
|
When SPL loading image to secure region, for example, ATF and tee to
DDR secure region. Because the USDHC controller is non-secure master,
it can't access this region and will cause loading issue.
So use a trampoline buffer in non-secure region, then use CPU to copy the
image from trampoline buffer to destination secure region.
Signed-off-by: Ye Li <[email protected]>
Signed-off-by: Alice Guo <[email protected]>
Reviewed-by: Peng Fan <[email protected]>
|
|
SPL_TEXT_BASE is used as the load address for the main domain SPL on k3
platforms.
Since the config value is the same for every board, this patch sets the
value 0x80080000 as default for all 64-bit ARCH_K3, 0x43c00000 as
default for the R5 cores and deletes the instances of SPL_TEXT_BASE in
individual defconfigs.
Signed-off-by: Anshul Dalal <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
As the code is today, we get a warning about "select" statements on
"choice" options not doing anything. However, it also works as intended
because SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR is the default option
within that choice statement. To guard against future regressions, make
the choice statement in common/spl/Kconfig have an explicit default if
MVEBU_SPL_BOOT_DEVICE_MMC.
Signed-off-by: Tom Rini <[email protected]>
Reviewed-by: Stefan Roese <[email protected]>
|
|
Andre Przywara <[email protected]> says:
C's implicit fallthrough behaviour in switch/case statements can lead to
subtle bugs. Quite some while ago many compilers introduced warnings in
those cases, requiring intentional fallthrough's to be annotated.
So far we were not enabling that compiler option, so many ambiguities
and some bugs in the code went unnoticed.
This series adds the required annotations in code paths that the first
stage of the U-Boot CI covers. There is a large number of cases left
in the libbz2 code. The usage of switch/case is borderline insane there,
labels are hidden in macros, and there are no breaks, but just goto's.
Upstream still uses very similar code, without any annotations. I still
am not 100% sure those are meant to fall through or not, and plan to do
further investigations, but didn't want to hold the rest of the patches
back. You can see for yourself by applying patch 18/18 and building for
sandbox64, for instance.
Because of this we cannot quite enable the warning in the Makefile yet,
but those fixes are worth regardless, and be it to increase readability.
Please note that those patches do not fix anything, really, they just add
those fallthrough annotations, so the series is not really critical.
Link: https://lore.kernel.org/r/[email protected]
|
|
Depending on the various MMC boot configurations, we might end up with
trying filesystem mode when a raw image boot failed. This fall-through
in the switch/case statement is explained in a comment, but this is not
visible to the compiler, which still will complain.
Add the proper compiler-visible annotation, to allow enabling the
compiler check in the future.
Signed-off-by: Andre Przywara <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
Sam Edwards <[email protected]> says:
This is v2 of my "misc. fixes" series, sent to prepare the codebase for more
direct LLVM support in the near future. This series contains several fixes that
I found in the process of preparing that support and which address issues
independent of any future feature or enhancement. I am sending these now, both
so that their inclusion is not delayed by discussion on my upcoming series and
to make the latter more manageable.
Link: https://lore.kernel.org/r/[email protected]
|
|
While the image size is generally a multiple of 8 bytes, this is not
actually guaranteed; some linkers (like LLD) will shave a few bytes off
of the end of output sections if there are no content bytes there. Since
libfdt imposes a hard rule of 8-byte alignment, make the SPL also be
explicit about the alignment when loading the FDT.
Signed-off-by: Sam Edwards <[email protected]>
|
|
libfdt 1.6.1+ requires the FDT to be 8-byte aligned and returns an error
if not. OpenSBI 1.0+ includes this version of libfdt and will also
reject misaligned FDTs.
However, OpenSBI cannot indicate the error to the user: since it cannot
access the serial console, it can only silently hang. This proved very
difficult to diagnose without proper debugging facilities. Therefore,
give the U-Boot SPL, which *can* print error messages, an additional
check for proper FDT alignment. Hopefully this saves a lot of
development cycles if another developer encounters alignment problems.
Signed-off-by: Sam Edwards <[email protected]>
|
