| Age | Commit message (Collapse) | Author |
|
The ZynqMP Boot Image Format allows specifying the register
initialization file with the "[init]" attribute. Since this
feature is already supported by the "zynqmpimage" backend, this
commit leverages that existing capability to add support for the
"[init]" attribute in the zynqmpbif backend:
https://docs.amd.com/r/en-US/ug1283-bootgen-user-guide/init
This currently uses the same register initialization file format as
zynqmpimage (ASCII text hex values with each line composed of a pair
of register address and value), for example:
===
0xff003248 0x12345678
===
It is not, yet, compatible with the format used by bootgen:
https://docs.amd.com/r/en-US/ug1283-bootgen-user-guide/Initialization-Pairs-and-INT-File-Attribute
Use this feature, with other zynqmpbif options, like so:
===
image : {
[init] reginit.int
[bootloader] fsbl.elf
[pmufw_image] pmufw.elf
[destination_cpu=a53-0, exception_level=el-3] bl31.elf
[destination_cpu=a53-0, exception_level=el-2, load=0x08000000,
startup=0x08000000] u-boot.bin
}
===
Signed-off-by: Erich E. Hoover <[email protected]>
Signed-off-by: Michal Simek <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
|
|
|
|
Delete the command-line tool and its supporting modules, now that this
functionality lives in the standalone patch-manager package.
Keep the modules that buildman still imports (commit and patchstream,
plus their dependencies series, get_maintainer and settings), along with
the stub command. Trim __init__.py to match.
Signed-off-by: Simon Glass <[email protected]>
|
|
These tests cover the patch-management functionality, which is being
removed from the tree in favour of the standalone patch-manager package.
Drop the tests and their data files.
Signed-off-by: Simon Glass <[email protected]>
|
|
patman is now maintained as a standalone 'patch-manager' package, rather
than in the U-Boot tree. Replace the command with a small stub which
tells people how to install it.
buildman still uses the shared modules commit and patchstream (and their
dependencies), so leave those in place; the patches that follow remove
the patch-management code itself.
Signed-off-by: Simon Glass <[email protected]>
|
|
patman is no longer shipped from the U-Boot tree, so drop it from the
'make pip' target and from make_pip.sh, and remove its packaging files
(setup.py, pyproject.toml, requirements.txt). Nothing else refers to
them by this point in the series, so they can go.
Also fix binman's pyproject.toml, which declares package-data for a
'patman' package (a copy-paste leftover); use 'binman' instead.
Signed-off-by: Simon Glass <[email protected]>
|
|
The CI runner image pre-caches pip packages by downloading each tool's
requirements.txt from master. A later patch removes patman's
requirements.txt from the tree, so stop fetching and installing it.
The same step already installs setuptools explicitly (patman's
requirements list it too), so this needs nothing further.
This takes effect the next time someone rebuilds the image; the existing
image keeps working in the meantime.
Signed-off-by: Simon Glass <[email protected]>
|
|
The full patman manual now lives with the standalone patch-manager
package, making the 1000-line copy in the tree redundant.
Remove the in-tree manual, its README and the doc/develop/patman.rst
toctree page.
The sending-patches guide already introduces patman, so point it at the
patch-manager package instead of the now-dead ':doc:' cross-reference
and, with the manual gone, add a couple of lines on how the tool works.
Point the SPI howto at that guide too, rather than repeating the install
details.
Signed-off-by: Simon Glass <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
Reviewed-by: Mattijs Korpershoek <[email protected]>
|
|
In preparation of the migration of the mailman mailing-list currently
hosted on the denx.de infrastructure, migrate the links in the code,
comments and documentation to https://patch.msgid.link to be future proof
and always link to the expected content data and uses the message-id in
the URL which will help find the appropriate e-mail in the future.
Signed-off-by: Neil Armstrong <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
OP-TEE tee.bin is generated externally and might be missing during the
build.
Signed-off-by: Mathieu Dubois-Briand <[email protected]>
|
|
Prepare v2026.07-rc5
|
|
Tom Rini <[email protected]> says:
As part of the resync to dtc version v1.7.2-35-g52f07dcca47c from the
Linux Kernel, we missed updating the fdt_check_full function because it
exists in its own file in upstream dtc and the kernel doesn't import it,
as reported by Anton Ivanov. This short series brings in the upstream
fdt_check.c file and then implements our size-saving option, but in the
modern way.
The size-saving portion has been upstreamed.
Link: https://lore.kernel.org/r/[email protected]
|
|
In the upstream project, the function fdt_check_full has been moved from
fdt_ro.c to its own file, fdt_check.c. This file is not included in the
Linux kernel copy and so has not been synced over. As we do need and use
the fdt_check_full function, bring that file over as of the current
upstream we are synced to. Remove our copy of this function from
fdt_ro.c and add fdt_check.o and 1-liner fdt_check.c where needed. Note
that for now, this will increase size in some cases as upstream does not
have a size reduction method here.
Reviewed-by: Simon Glass <[email protected]>
Signed-off-by: Tom Rini <[email protected]>
|
|
fdt_get_name() can return NULL and set len to a negative error code.
fdt_find_regions() does not check for this, leading to a potential NULL
pointer dereference and a buffer out-of-bounds write during signature
verification of an untrusted FIT. fdt_next_region(), fdt_check_full(),
and display_fdt_by_regions() also lack validation.
Add NULL checks and propagate the error code from fdt_get_name()
to the caller.
Signed-off-by: Anton Ivanov <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
dotted directories"
Aristo Chen <[email protected]> says:
The get_basename() helper in tools/fit_image.c searches the entire input
path independently for the last '/' and the last '.'. When the last '.'
falls at an offset earlier than the last '/', for example "./mydt",
"a.b/c" or "sub.d/leaf", 'end' points before 'start' and the computed
length is negative. The size check uses signed comparison so the negative
value flows unchanged into memcpy() (cast to size_t there) and mkimage
segfaults during -f auto FIT generation. The helper is reached on every
auto-FIT build via the -b, --fit-tee and --fit-tfa-bl31 file arguments.
The first patch restricts the dot search to the substring that follows
the last slash, which is the minimal fix and preserves the existing
behaviour for typical inputs such as "arch/arm/dts/foo.dtb".
The second patch adds a parametrized sandbox test under
test/py/tests/test_fit_mkimage_validate.py that drives mkimage -f auto
with each of the crashing inputs ("./mydt", "./sub.d/leaf", "./a.b/c")
plus one control input ("./mydt.dtb"). The test reads the resulting
/images/fdt-1 description back from the produced FIT via fdtget to verify
get_basename()'s output matches the expected stripped basename.
Reproducer that previously segfaulted and now produces a valid image:
echo dummy > kernel.bin
echo dummy > ./mydt
./tools/mkimage -f auto -A arm -O linux -T kernel -C none \
-a 0x80000000 -e 0x80000000 -n test \
-d kernel.bin -b ./mydt out.itb
Verified by rebuilding tools/mkimage on master and running the command
above with each of the four parametrized inputs. The three crash triggers
all segfault before the fix and now produce the expected fdt-1
descriptions ("mydt", "leaf", "c"); the control input "./mydt.dtb"
continues to produce "mydt" as before.
Link: https://lore.kernel.org/r/[email protected]
|
|
The get_basename() helper in tools/fit_image.c searches the entire input
path for the last '/' and the last '.' independently. When the last '.'
falls at an offset earlier than the last '/' (for example "./mydt",
"a.b/c", or "sub.d/leaf"), 'end' points before 'start' and the computed
length is negative. The subsequent size check uses signed comparison so
the negative value passes through unchanged, and memcpy() is then called
with that length implicitly cast to size_t, which segfaults.
Restrict the dot search to the substring that follows the last slash so
that only an extension in the filename component can become the end of
the basename. This matches the function's stated intent of stripping an
extension from the leaf, and keeps the existing behaviour for typical
inputs such as "arch/arm/dts/foo.dtb".
Reproducer that previously segfaulted and now produces a valid image:
echo dummy > kernel.bin
echo dummy > ./mydt
./tools/mkimage -f auto -A arm -O linux -T kernel -C none \
-a 0x80000000 -e 0x80000000 -n test \
-d kernel.bin -b ./mydt out.itb
Signed-off-by: Aristo Chen <[email protected]>
Reviewed-by: Quentin Schulz <[email protected]>
|
|
Prepare v2026.07-rc4
|
|
A single percent sign might be interpreted as a string format directive
and shall thus be escaped - doubling it - to actually indicate a
percentage.
Without the escape, pytest fails to run test_fdt.py with the following
error:
ValueError: Test coverage failure
fdt code coverage: Traceback (most recent call last):
File "/usr/lib64/python3.14/argparse.py", line 1748, in _check_help
formatter._expand_help(action)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
File "/usr/lib64/python3.14/argparse.py", line 676, in _expand_help
return help_string % params
~~~~~~~~~~~~^~~~~~~~
TypeError: %c requires an int or a unicode character, not dict
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/home/user/u-boot/./tools/dtoc/test_fdt", line 1002, in <module>
sys.exit(main())
~~~~^^
File "/home/user/u-boot/./tools/dtoc/test_fdt", line 987, in main
parser.add_argument('-T', '--test-coverage', action='store_true',
~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
default=False,
^^^^^^^^^^^^^^
help='run tests and check for 100% coverage')
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib64/python3.14/argparse.py", line 1562, in add_argument
self._check_help(action)
~~~~~~~~~~~~~~~~^^^^^^^^
File "/usr/lib64/python3.14/argparse.py", line 1750, in _check_help
raise ValueError('badly formed help string') from exc
ValueError: badly formed help string
Fixes: 7640b166604e ("test_fdt: Convert to use argparse")
Signed-off-by: Francesco Valla <[email protected]>
|
|
The SPI NOR minimum subsector size is 4 kiB, update the alignment.
THis is particularly important in case of embedded DUMMY_DDR, which
must be at at least 4 kiB aligned offset.
Fixes: a2b96ece5be1 ("tools: add i.MX8/8X image support")
Signed-off-by: Marek Vasut <[email protected]>
Reviewed-by: Peng Fan <[email protected]>
|
|
Boot from FSPI requires additional 448 Byte long header, with U-Boot SPL
starting at offset 0x1000. Currently, both i.MX8MM and i.MX8MN attempt
to generate this header using fspi_conf_block with filename pointing at
CONFIG_FSPI_CONF_FILE file. This does not work, for two reasons.
First, the CONFIG_FSPI_CONF_FILE is generated by mkimage -T imx8mimage
and may not be available yet when the fspi_conf_block is evaluated. That
leads to a race condition where highly parallel builds fail to find the
CONFIG_FSPI_CONF_FILE, which is usually called fspi_header.bin, on first
build attempt.
Second, binman gets confused and patches incorrect offset of DDR PHY
firmware blobs into U-Boot SPL, the offset is incremented by exactly
0x1000 which is the size of fspi_conf_block.
Fix both problems at once, make imx8mimage handle the generated FSPI
header and prepend it in front of the imx8mimage processed data. This
way, the race condition is solved, because the data generated by the
imx8mimage are surely combined only after mkimage -T imx8mimage ran.
The binman offset calculation is also solved, because there is no
fspi_conf_block node in the DT anymore.
Signed-off-by: Marek Vasut <[email protected]>
|
|
Daniel Golle <[email protected]> says:
This series adds dm-verity support to U-Boot's FIT image infrastructure.
It is the first logical subset of the larger OpenWrt boot method series
posted as an RFC in February 2026 [1], extracted here for independent
review and merging.
OpenWrt's firmware model embeds a read-only squashfs or erofs root
filesystem directly inside a uImage.FIT container as a FILESYSTEM-type
loadable FIT image. At boot the kernel maps this sub-image directly from
the underlying block device via the fitblk driver (/dev/fit0, /dev/fit1,
...), the goal is that the bootloader never even copies it to RAM.
dm-verity enables the kernel to verify the integrity of those mapped
filesystems at read time, with a Merkle hash tree stored contiguously in
the same sub-image just after the data. Two kernel command-line
parameters are required:
dm-mod.create= -- the device-mapper target table for the verity device
dm-mod.waitfor= -- a comma-separated list of block devices to wait for
before dm-init sets up the targets (needed when fitblk
probes late, e.g. because it depends on NVMEM
calibration data)
The FIT dm-verity node schema was upstreamed into the flat-image-tree
specification [2], which this implementation tries to follow exactly.
The runtime feature is guarded behind CONFIG_FIT_VERITY. If not
enabled the resulting binary size remains unchanged. If enabled the
binary size increases by about 3kB.
[1] previous submissions:
RFC: https://www.mail-archive.com/[email protected]/msg565945.html
v1: https://www.mail-archive.com/[email protected]/msg569472.html
v2: https://www.mail-archive.com/[email protected]/msg570599.html
v3: https://www.mail-archive.com/[email protected]/msg573223.html
v4: https://www.mail-archive.com/[email protected]/msg574000.html
[2] flat-image-tree dm-verity node spec:
https://github.com/open-source-firmware/flat-image-tree/commit/795fd5fd7f0121d0cb03efb1900aafc61c704771
Link: https://lore.kernel.org/r/[email protected]
|
|
When mkimage encounters a dm-verity subnode inside a component image
node it now automatically invokes veritysetup(8) with --no-superblock
to generate the Merkle hash tree, screen-scrapes the Root hash and Salt
from the tool output, and writes the computed properties back into the
FIT blob.
The user only needs to specify algorithm, data-block-size, and
hash-block-size in the ITS; mkimage fills in digest, salt,
num-data-blocks, and hash-start-block. Because --no-superblock is
used, hash-start-block equals num-data-blocks with no off-by-one.
The image data property is replaced with the expanded content (original
data followed directly by the hash tree) so that subsequent hash and
signature subnodes operate on the complete image.
fit_image_add_verification_data() is restructured into two passes:
dm-verity first (may grow data), then hashes and signatures.
Signed-off-by: Daniel Golle <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Our official domain is now u-boot-project.org, so update all in-tree
references to use the correct domain.
Reviewed-by: Tony Dinh <[email protected]>
Reviewed-by: Peter Robinson <[email protected]>
Signed-off-by: Tom Rini <[email protected]>
|
|
In parse_config(), devname is dynamically allocated by sscanf().
When sscanf() fails to fill enough fields (rc < 3), devname is freed and
the loop continues to the next line. However, if the next call to sscanf()
fails to match (rc == 0), devname is not written and still holds the stale
freed pointer. The subsequent free(devname) then operates on
already-freed memory.
Fix this by resetting devname to NULL before each sscanf() call, so
that a non-matching call leaves a NULL pointer and the subsequent
free() becomes a harmless no-op.
Reported-by: Coverity Scan
Link: https://lists.denx.de/pipermail/u-boot/2026-April/614161.html
Signed-off-by: Kory Maincent <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
|
|
The PKCS#11 signing tests in ftest.py call tools.run('softhsm2-util', ...)
directly (and the equivalent for pkcs11-tool and p11-kit), even though
the test setup has already constructed the corresponding Bintool
instances. As Quentin Schulz observed on v1, the bintool wrapper for
these tools is currently used only as an "is this installed?" probe.
Route the eight remaining call sites in ftest.py through
<bintool>.run_cmd(...), which the Bintool base class already provides.
The change is test-side only; no production binman code calls these
tools.
Suggested-by: Quentin Schulz <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
|
|
The Sphinx-generated bintools.rst currently produces an empty section
for this bintool, since its class docstring is only a single line and
so the body under the heading is blank.
Extend the docstring with a short description of what softhsm2-util
does and how binman uses it, so the generated documentation has useful
content.
Suggested-by: Heinrich Schuchardt <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
|
|
The Sphinx-generated bintools.rst currently produces an empty section
for this bintool, since its class docstring is only a single line and
so the body under the heading is blank.
Extend the docstring with a short description of what pkcs11-tool does
and how binman uses it, so the generated documentation has useful
content.
Suggested-by: Heinrich Schuchardt <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
|
|
The Sphinx-generated bintools.rst currently produces an empty section
for this bintool, since its class docstring is only a single line and
so the body under the heading is blank.
Extend the docstring with a short description of what p11-kit does and
how binman uses it, so the generated documentation has useful content.
Suggested-by: Heinrich Schuchardt <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
|
|
When using a worktree '.git' actually is a file and pygit2
init_repository() does not like that. The intention is not to create
a new git repo anyway so use normal constructor instead of
init_repository().
Signed-off-by: Ludwig Nussel <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Yan WANG <[email protected]> says:
This series improves the reliability and efficiency of binman preload
header generation and test it against an encrypted FIT image signed with
a preload header.
When a preload header references other entries (e.g. an encrypted FIT)
through the collection etype, the referenced entries may be rebuilt
multiple times during binman processing. This becomes problematic when
the referenced entry produces non-deterministic output, such as FIT
encryption using random IVs or timestamps, since rebuilding the entry
changes the data.
This series ensures that referenced entries are built only once and that
preload signing is performed after all data is collected. It also avoids
unnecessary repacking or repeated signing operations by the preload.
The changes include:
* generate preload header placeholders in ObtainContents() and sign
data only once in ProcessContentsUpdate()
* mark referenced entries as build_done in the collection etype to
avoid rebuilding data
* add a functional test for signing an encrypted FIT with a preload
header
Link: https://lore.kernel.org/r/[email protected]
|
|
Add a test to verify the preload header correctly signs an encrypted
FIT. This test exercises the case where encryption uses random IVs that
would change between mkimage calls.
Signed-off-by: Paul HENRYS <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The collection etype uses phandles in the 'content' property to
reference other entries. Mark each referenced entry with build_done
to avoid rebuilding the same entry data multiple times.
This is important for cases where rebuilding may change the data
content, e.g. due to timestamps or random IVs in encryption.
Refactor GetContentsByPhandle() to return both the entry object and
its data.
Signed-off-by: yan wang <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
To optimize preload generation, generate the header and signatures only
after all data has been collected in ProcessContentsUpdate(). This
avoids signing the data multiple times.
Since header_size is known upfront (from __init__), create a placeholder
in `ObtainContents()` to avoid an extra packing pass when
ProcessContentsUpdate() detects a size change.
This reduces unnecessary repacking and signing operations.
Signed-off-by: Paul HENRYS <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Building with GCC 15.2 results in warnings:
tools/asn1_compiler.c: In function ‘tokenise’:
tools/asn1_compiler.c:442:37: warning:
assignment discards ‘const’ qualifier from pointer target type
[-Wdiscarded-qualifiers]
442 | dir = bsearch(&tokens[tix], directives,
| ^
tools/asn1_compiler.c: In function ‘main’:
tools/asn1_compiler.c:632:11: warning:
assignment discards ‘const’ qualifier from pointer target type
[-Wdiscarded-qualifiers]
632 | p = strchr(grammar_name, '.');
| ^
bsearch() is defined as
void *bsearch(size_t n, size_t size;
const void key[size], const void base[size * n],
size_t n, size_t size,
typeof(int (const void [size], const void [size]))
*compar);
* Use the correct type for dir.
strchr() is defined as
char *strchr(const char *s, int c).
* Use a conversion for the assignment to p.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
These files are now auto-generated by the binman_docs Sphinx extension
during the doc build, so the committed copies and their symlinks in
doc/develop/package/ are no longer needed.
Update binman.rst to reference the Sphinx extension instead of the
manual generation commands.
Signed-off-by: Simon Glass <[email protected]>
Rebased to apply file deletions cleanly.
Signed-off-by: Heinrich Schuchardt <[email protected]>
|
|
Add setuptools package configuration to pyproject.toml so that
u_boot_pylib is installed as a proper Python package without changing
the existing flat directory structure and making sure all modules are
installed.
Signed-off-by: Paul HENRYS <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
|
|
Fix 4 instances in buildman.rst where examples were missing :: for
proper formatting. Three cases just had a single : and in one case,
: didn't make grammatical sense, so it gets a stand-alone :: along
with fixing the indent.
Signed-off-by: David Lechner <[email protected]>
|
|
Commit 488445cefa1 ("doc: Move FIT into its own directory") moved the
documentation in doc/uImage.FIT to doc/usage/fit, subsequently all
documents and example sources have been converted to reStructuredText.
Fix (almost) all of the remaining occurrences of the old path and
filenames across the tree.
The exception is doc/uImage.FIT/command_syntax_extensions.txt which
apparently has been removed entirely, or at least I was unable to
locate where that document is now.
Signed-off-by: Daniel Golle <[email protected]>
|
|
The dependency on fwu_mdata.h creates unnecessary configuration
requirements. To generate metadata V1, CONFIG_FWU_MDATA_V1 must be
enabled, which in turn requires enabling FWU_MULTI_BANK_UPDATE,
EFI_CAPSULE_ON_DISK, PARTITION_TYPE_GUID, and other unrelated configs.
This is not suitable for a simple standalone tool.
Additionally, even with the "-v 1" option to generate V1 metadata, the
tool will still include the firmware store description if
CONFIG_FWU_MDATA_V1 is not enabled. This structure should only be
present in metadata V2.
Replace the fwu_mdata.h dependency with the new fwumdata header to make
the tool compatible with both V1 and V2 without requiring any defconfig
changes. This also uses the access helper functions from the header to
eliminate code duplication.
Acked-by: Sughosh Ganu <[email protected]>
Tested-by: Sughosh Ganu <[email protected]>
Signed-off-by: Kory Maincent <[email protected]>
Tested-by: Dario Binacchi <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
|
|
Add a new fwumdata tool to allows users to read, display, and modify FWU
(Firmware Update) metadata from Linux userspace. It provides functionality
similar to fw_printenv/fw_setenv but for FWU metadata. Users can view
metadata, change active/previous bank indices, modify bank states, and set
image acceptance flags. Configuration is done via fwumdata.config file.
Signed-off-by: Kory Maincent <[email protected]>
Tested-by: Dario Binacchi <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
|
|
The FWU metadata specification version 2 supports a maximum of 4 banks.
Add validation to enforce this limit and prevent creation of non-compliant
metadata structures when using version 2.
Without this check, users could inadvertently create invalid metadata by
specifying more than 4 banks, leading to potential compatibility issues
with FWU-compliant firmware update implementations.
Signed-off-by: Kory Maincent <[email protected]>
Tested-by: Dario Binacchi <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
|
|
Replace the generic error message with a more informative one.
This helps users quickly understand the correct command-line argument
format when the tool reports an error.
Signed-off-by: Kory Maincent <[email protected]>
Tested-by: Dario Binacchi <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
|
|
Update FWU metadata-related tools by moving mkfwumdata.c into a new
tools/fwumdata_src/ directory structure. This refactoring prepares for the
addition of the fwumdata runtime tool, which will allow editing FWU
metadata directly from the target.
The Kconfig and Makefile entries are also moved into separate files within
the new directory (Kconfig and fwumdata.mk respectively) to keep all FWU
metadata tool configurations together and improve maintainability.
Signed-off-by: Kory Maincent <[email protected]>
Tested-by: Dario Binacchi <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
|
|
mkfwumdata is a built image. Add it to .gitignore.
Signed-off-by: Kory Maincent <[email protected]>
Tested-by: Dario Binacchi <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
|
|
Test pkcs11 URI support for UEFI capsule generation. Both
public certificate and private key are used over pkcs11
protocol.
Pkcs11-tool has been introduced as softhsm tool doesn't have
functionality to import certificates in commonly distributed
version (only in the latest).
Signed-off-by: Wojciech Dubowik <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Mkeficapsule can dump signature for signed capsules. It can
be used in test to validate signature i.e. with openssl.
Add an entry for device tree node.
Signed-off-by: Wojciech Dubowik <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
It will be used to capsule signature verification.
Signed-off-by: Wojciech Dubowik <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Only short option has been present. Also rename dump_sig
to dump-sig to match with other parameter names.
Fixes: 16abff246b40 ("tools: mkeficapsule: add firmware image signing")
Signed-off-by: Wojciech Dubowik <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
|
|
With pkcs11 support in mkeficapsule we can now accept URI
tokens and not only files.
Signed-off-by: Wojciech Dubowik <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|