From 3d09ec64ebabffdd962b1a683a6b239773065850 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Mon, 20 Apr 2026 18:47:25 +0200 Subject: acpi: fix initial RSDT and XSDT size When creating the RSDT and the XSDT table they contain no entries. The table size therefore must equal the header size. Without this change a NULL deference has been observed in acpi_find_table() when running `ut dm` on sandbox64_defconfig executed via `sudo ./u-boot -D`. Fixes: 94ba15a3f13f ("x86: Move base tables to a writer function") Fixes: 7e586f69070d ("acpi: Put table-setup code in its own function") Fixes: ab5efd576c4e ("x86: acpi: Adjust order in acpi_table.c") Fixes: 867bcb63e79f ("x86: Generate a valid ACPI table") Signed-off-by: Heinrich Schuchardt Reviewed-by: Simon Glass Update dm_test_acpi_ctx_and_base_tables() in test/dm/acpi.c to expect sizeof(struct acpi_table_header) for the initial table length (instead of sizeof(*rsdt) / sizeof(*xsdt)), and to compute the checksum over header->length bytes rather than the full struct size: Signed-off-by: Simon Glass --- lib/acpi/base.c | 4 ++-- test/dm/acpi.c | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/acpi/base.c b/lib/acpi/base.c index 5c755b14c16..01ebad8994a 100644 --- a/lib/acpi/base.c +++ b/lib/acpi/base.c @@ -44,7 +44,7 @@ static void acpi_write_rsdt(struct acpi_rsdt *rsdt) /* Fill out header fields */ acpi_fill_header(header, "RSDT"); - header->length = sizeof(struct acpi_rsdt); + header->length = sizeof(struct acpi_table_header); header->revision = 1; /* Entries are filled in later, we come with an empty set */ @@ -59,7 +59,7 @@ static void acpi_write_xsdt(struct acpi_xsdt *xsdt) /* Fill out header fields */ acpi_fill_header(header, "XSDT"); - header->length = sizeof(struct acpi_xsdt); + header->length = sizeof(struct acpi_table_header); header->revision = 1; /* Entries are filled in later, we come with an empty set */ 
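Review bot: In acpi_write_rsdt() the new `header->length = sizeof(struct acpi_table_header);` needs the checksum that follows to cover the same span, and that computation lies below the hunk where it cannot be checked. If it still sums `sizeof(struct acpi_rsdt)` bytes, it agrees with a checksum over `header->length` only while the entry array is zero-filled; computing it as `table_compute_checksum(rsdt, header->length)` would remove that dependency. The same applies to the second hunk, in acpi_write_xsdt(). A short comment such as `/* Empty table: length is the header only and grows as entries are added */` would also record why the struct size is not used, since a consumer presumably derives the entry count from this field.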
diff --git a/test/dm/acpi.c b/test/dm/acpi.c index 559ea269de2..2de7983f9ae 100644 --- a/test/dm/acpi.c +++ b/test/dm/acpi.c @@ -374,14 +374,14 @@ static int dm_test_acpi_ctx_and_base_tables(struct unit_test_state *uts) rsdt = PTR_ALIGN((void *)rsdp + sizeof(*rsdp), 16); ut_asserteq_ptr(rsdt, ctx.rsdt); ut_asserteq_mem("RSDT", rsdt->header.signature, ACPI_NAME_LEN); - ut_asserteq(sizeof(*rsdt), rsdt->header.length); - ut_assertok(table_compute_checksum(rsdt, sizeof(*rsdt))); + ut_asserteq(sizeof(struct acpi_table_header), rsdt->header.length); + ut_assertok(table_compute_checksum(rsdt, rsdt->header.length)); xsdt = PTR_ALIGN((void *)rsdt + sizeof(*rsdt), 16); ut_asserteq_ptr(xsdt, ctx.xsdt); ut_asserteq_mem("XSDT", xsdt->header.signature, ACPI_NAME_LEN); - ut_asserteq(sizeof(*xsdt), xsdt->header.length); - ut_assertok(table_compute_checksum(xsdt, sizeof(*xsdt))); + ut_asserteq(sizeof(struct acpi_table_header), xsdt->header.length); + ut_assertok(table_compute_checksum(xsdt, xsdt->header.length)); end = PTR_ALIGN((void *)xsdt + sizeof(*xsdt), 64); ut_asserteq_ptr(end, ctx.current); -- cgit v1.2.3 From 49fc812eb4303d833f413bd31c67d66a85e9d44c Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Wed, 29 Apr 2026 14:18:51 +0200 Subject: patman: fix use in worktree When using a worktree '.git' actually is a file and pygit2 init_repository() does not like that. The intention is not to create a new git repo anyway so use normal constructor instead of init_repository(). Signed-off-by: Ludwig Nussel Reviewed-by: Simon Glass --- tools/patman/cser_helper.py | 4 ++-- tools/patman/cseries.py | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tools/patman/cser_helper.py b/tools/patman/cser_helper.py index 2841fcd9c20..81ad212daee 100644 --- a/tools/patman/cser_helper.py +++ b/tools/patman/cser_helper.py 
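Review bot: The updated assertions in dm_test_acpi_ctx_and_base_tables() pin the length field but not the failure the commit describes, a NULL dereference in acpi_find_table() on freshly written tables. A check that a lookup against the empty RSDT/XSDT returns no table rather than faulting would keep the regression covered; how acpi_find_table() locates the tables is not visible here, so the test may need to point it at `ctx` first. Also, `table_compute_checksum(rsdt, rsdt->header.length)` now takes its span from the table under test, which is sound only because the preceding `ut_asserteq` fixes that length to the header size, so the two lines should stay in that order. The function starts and ends outside the hunk.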
@@ -309,7 +309,7 @@ class CseriesHelper: self._copy_db_fields_to(series, ser) msg = None if end: - repo = pygit2.init_repository(self.gitdir) + repo = pygit2.Repository(self.gitdir) target = repo.revparse_single(end) first_line = target.message.splitlines()[0] msg = f'Ending before {oid(target.id)} {first_line}' @@ -725,7 +725,7 @@ class CseriesHelper: raise ValueError( f"Modified files exist: use 'git status' to check: " f'{dirty[:5]}') - repo = pygit2.init_repository(self.gitdir) + repo = pygit2.Repository(self.gitdir) commit = None upstream_name = None diff --git a/tools/patman/cseries.py b/tools/patman/cseries.py index bcbc4963cea..0844b5f0257 100644 --- a/tools/patman/cseries.py +++ b/tools/patman/cseries.py @@ -119,7 +119,7 @@ class Cseries(cser_helper.CseriesHelper): new_max = max_vers - 1 - repo = pygit2.init_repository(self.gitdir) + repo = pygit2.Repository(self.gitdir) if not dry_run: name = self._get_branch_name(ser.name, new_max) branch = repo.lookup_branch(name) @@ -859,7 +859,7 @@ class Cseries(cser_helper.CseriesHelper): tag_info[svi.version] = [svi.idnum, name, f'{name}-{now_str}'] # Create the tags - repo = pygit2.init_repository(self.gitdir) + repo = pygit2.Repository(self.gitdir) for _, (idnum, name, tag_name) in tag_info.items(): commit = repo.revparse_single(name) repo.create_tag(tag_name, commit.hex, @@ -896,7 +896,7 @@ class Cseries(cser_helper.CseriesHelper): svlist = self.db.ser_ver_get_for_series(ser.idnum) # Collect the tags - repo = pygit2.init_repository(self.gitdir) + repo = pygit2.Repository(self.gitdir) tag_info = {} for svi in svlist: name = self._get_branch_name(ser.name, svi.version) -- cgit v1.2.3 From 4dc8f10edf90cab4d7f6b7106f5e52f6c23099ed Mon Sep 17 00:00:00 2001 
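Review bot: `pygit2.Repository(self.gitdir)` is now repeated at five call sites (two hunks in cser_helper.py, three in cseries.py), so the open-without-create behaviour is easy to lose again at a single site. One private helper on CseriesHelper, for example `_open_repo()` with the body `return pygit2.Repository(self.gitdir)`, would keep it in one place. Unlike init_repository(), the constructor is expected to raise when the path is not a repository instead of creating one; that is the intended outcome, but none of the visible call sites handle the exception, so a wrong gitdir probably surfaces as a traceback. A docstring line on the helper saying that it never creates a repository would make the contract explicit. All five enclosing methods start and end outside their hunks.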
From: Simon Glass Date: Tue, 5 May 2026 12:12:52 -0600 Subject: binman: Flesh out the p11-kit bintool docstring The Sphinx-generated bintools.rst currently produces an empty section for this bintool, since its class docstring is only a single line and so the body under the heading is blank. Extend the docstring with a short description of what p11-kit does and how binman uses it, so the generated documentation has useful content. Suggested-by: Heinrich Schuchardt Signed-off-by: Simon Glass --- tools/binman/btool/p11_kit.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tools/binman/btool/p11_kit.py b/tools/binman/btool/p11_kit.py index 9d8d5d848b4..1bbece5bb2b 100644 --- a/tools/binman/btool/p11_kit.py +++ b/tools/binman/btool/p11_kit.py @@ -7,7 +7,16 @@ from binman import bintool class Bintoolp11_kit(bintool.Bintool): - """p11-kit -- support tool for pkcs#11 libraries""" + """p11-kit -- support tool for pkcs#11 libraries + + This bintool wraps the `p11-kit` command, a support tool for PKCS#11 + modules. Binman uses this wrapper only to check that p11-kit is installed + (and to fetch it if missing); any actual PKCS#11 module discovery for + signing FIT images or capsules is done outside binman, by mkimage and the + OpenSSL PKCS#11 engine. + + See https://p11-glue.github.io/p11-glue/p11-kit.html for more details. + """ def __init__(self, name): super().__init__('p11-kit', 'Pkcs11 library modules tool', -- cgit v1.2.3 From 40c94fbf62b39a89171402054f0940d08fb05c9d Mon Sep 17 00:00:00 2001 
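Review bot: The new docstring sentence "Binman uses this wrapper only to check that p11-kit is installed (and to fetch it if missing)" is already out of date within this series, because a later commit routes the ftest.py PKCS#11 tests through `run_cmd()` on this wrapper. Wording such as `Production binman code uses this wrapper only to check that p11-kit is installed (and to fetch it if missing); the tests also invoke it.` would stay accurate. The same sentence appears in the pkcs11-tool and softhsm2-util docstrings added by the next two commits. The statement that module discovery and signing happen outside binman is worth keeping, since it tells a reader that this class is not part of the signing path.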
From: Simon Glass Date: Tue, 5 May 2026 12:12:53 -0600 Subject: binman: Flesh out the pkcs11-tool bintool docstring The Sphinx-generated bintools.rst currently produces an empty section for this bintool, since its class docstring is only a single line and so the body under the heading is blank. Extend the docstring with a short description of what pkcs11-tool does and how binman uses it, so the generated documentation has useful content. Suggested-by: Heinrich Schuchardt Signed-off-by: Simon Glass --- tools/binman/btool/pkcs11_tool.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tools/binman/btool/pkcs11_tool.py b/tools/binman/btool/pkcs11_tool.py index 673c0ea0ac3..ca80943f98c 100644 --- a/tools/binman/btool/pkcs11_tool.py +++ b/tools/binman/btool/pkcs11_tool.py @@ -7,7 +7,16 @@ from binman import bintool class Bintoolpkcs11_tool(bintool.Bintool): - """pkcs11-tool -- support tool for managing pkcs#11 tokens""" + """pkcs11-tool -- support tool for managing pkcs#11 tokens + + This bintool wraps the `pkcs11-tool` command from the OpenSC project for + managing objects stored in PKCS#11 tokens. Binman uses this wrapper only + to check that pkcs11-tool is installed (and to fetch it if missing); any + actual key or token management for signing FIT images or capsules is done + outside binman. + + See https://github.com/OpenSC/OpenSC/wiki for more details. + """ def __init__(self, name): super().__init__('pkcs11-tool', 'PKCS #11 tokens managing tool', -- cgit v1.2.3 From 44f9ccfdad47deadb1b61896dbbcf004b8c6fa0c Mon Sep 17 00:00:00 2001 
From: Simon Glass Date: Tue, 5 May 2026 12:12:54 -0600 Subject: binman: Flesh out the softhsm2-util bintool docstring The Sphinx-generated bintools.rst currently produces an empty section for this bintool, since its class docstring is only a single line and so the body under the heading is blank. Extend the docstring with a short description of what softhsm2-util does and how binman uses it, so the generated documentation has useful content. Suggested-by: Heinrich Schuchardt Signed-off-by: Simon Glass --- tools/binman/btool/softhsm2_util.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tools/binman/btool/softhsm2_util.py b/tools/binman/btool/softhsm2_util.py index 869221d841d..fd2ff2d6473 100644 --- a/tools/binman/btool/softhsm2_util.py +++ b/tools/binman/btool/softhsm2_util.py @@ -7,7 +7,17 @@ from binman import bintool class Bintoolsofthsm2_util(bintool.Bintool): - """SoftHSMv2 -- support tool for libsofthsm2""" + """SoftHSMv2 -- support tool for libsofthsm2 + + This bintool wraps the `softhsm2-util` command shipped with SoftHSMv2 (a + software implementation of a PKCS#11 token). Binman uses this wrapper only + to check that softhsm2-util is installed (and to fetch it if missing); any + actual token initialisation or key import for signing FIT images or + capsules is done outside binman, typically via mkimage and the OpenSSL + PKCS#11 engine. + + See https://www.opendnssec.org/softhsm/ for more details. + """ def __init__(self, name): super().__init__('softhsm2-util', 'SoftHSMv2 support tool for libsofthsm2', -- cgit v1.2.3 From 08bcf962c5fe1d2690ac3ff6dd75d3963325476b Mon Sep 17 00:00:00 2001 
From: Simon Glass Date: Tue, 5 May 2026 12:12:55 -0600 Subject: binman: Use bintool wrappers for PKCS#11 tools in tests The PKCS#11 signing tests in ftest.py call tools.run('softhsm2-util', ...) directly (and the equivalent for pkcs11-tool and p11-kit), even though the test setup has already constructed the corresponding Bintool instances. As Quentin Schulz observed on v1, the bintool wrapper for these tools is currently used only as an "is this installed?" probe. Route the eight remaining call sites in ftest.py through .run_cmd(...), which the Bintool base class already provides. The change is test-side only; no production binman code calls these tools. Suggested-by: Quentin Schulz Signed-off-by: Simon Glass --- tools/binman/ftest.py | 46 +++++++++++++++++++++++----------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py index da8325f820a..9a3811c1732 100644 --- a/tools/binman/ftest.py +++ b/tools/binman/ftest.py @@ -7581,7 +7581,7 @@ fdt fdtmap Extract the devicetree blob from the fdtmap self._CheckBintool(p11_kit) p11_kit_config = configparser.ConfigParser() - out = tools.run('p11-kit', 'print-config') + out = p11_kit.run_cmd('print-config') p11_kit_config.read_string(out) softhsm2_lib = p11_kit_config.get('softhsm2', 'module', fallback=None) 
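Review bot: `out = p11_kit.run_cmd('print-config')` is passed straight to `p11_kit_config.read_string(out)`, and whether run_cmd() can return None (for instance when the tool is recorded as missing) is not visible in this hunk. tools.run() either returned the output or raised, so if the wrapper has a None path the failure would move to a less clear error inside configparser. An explicit `self.assertIsNotNone(out)` before the parse would keep the failure readable. The test method starts and ends outside the hunk.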
@@ -7590,16 +7590,16 @@ fdt fdtmap Extract the devicetree blob from the fdtmap with unittest.mock.patch.dict('os.environ', {'SOFTHSM2_CONF': softhsm2_conf, 'PKCS11_MODULE_PATH': softhsm2_lib}): - tools.run('softhsm2-util', '--init-token', '--free', '--label', - 'U-Boot token', '--pin', '1111', '--so-pin', - '222222') - tools.run('pkcs11-tool', '--module', softhsm2_lib, - '--write-object', cert_file, '--pin', '1111', - '--type', 'cert', '--id', '999999', '--label', - 'test_cert', '--login') - tools.run('softhsm2-util', '--import', private_key, '--token', - 'U-Boot token', '--label', 'test_key', '--id', '999999', - '--pin', '1111') + softhsm2_util.run_cmd('--init-token', '--free', '--label', + 'U-Boot token', '--pin', '1111', + '--so-pin', '222222') + pkcs11_tool.run_cmd('--module', softhsm2_lib, + '--write-object', cert_file, '--pin', '1111', + '--type', 'cert', '--id', '999999', '--label', + 'test_cert', '--login') + softhsm2_util.run_cmd('--import', private_key, '--token', + 'U-Boot token', '--label', 'test_key', + '--id', '999999', '--pin', '1111') data = self._DoReadFile('capsule/signed_pkcs11.dts') self._CheckCapsule(data, signed_capsule=True) @@ -8251,12 +8251,12 @@ fdt fdtmap Extract the devicetree blob from the fdtmap with unittest.mock.patch.dict('os.environ', {'SOFTHSM2_CONF': softhsm2_conf}): - tools.run('softhsm2-util', '--init-token', '--free', '--label', - 'U-Boot token', '--pin', '1111', '--so-pin', - '222222') - tools.run('softhsm2-util', '--import', private_key, '--token', - 'U-Boot token', '--label', 'test_key', '--id', '999999', - '--pin', '1111') + softhsm2_util.run_cmd('--init-token', '--free', '--label', + 'U-Boot token', '--pin', '1111', + '--so-pin', '222222') + softhsm2_util.run_cmd('--import', private_key, '--token', + 'U-Boot token', '--label', 'test_key', + '--id', '999999', '--pin', '1111') # Make sure the private key can only be accessed through the engine os.remove(private_key) 
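Review bot: The token and key setup keeps the user PIN and SO PIN as literals on the command line (`'--pin', '1111'`, `'--so-pin', '222222'`), where they are visible to other local users through the process list; that is acceptable for a throwaway SoftHSM token, but nothing in the code says so. A comment above the first call, such as `# Throwaway SoftHSM token: fixed PINs on argv are for tests only`, would stop the pattern being copied into a real signing flow. It applies equally to the second hunk on this line and to the `'U-Boot prod token'` hunk that follows, where the label "prod" makes the fixture look more like production than it is. Naming the PINs once as test constants would also remove the repeated literals. The enclosing test methods start and end outside the hunks.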
@@ -8326,12 +8326,12 @@ fdt fdtmap Extract the devicetree blob from the fdtmap with unittest.mock.patch.dict('os.environ', {'SOFTHSM2_CONF': softhsm2_conf}): - tools.run('softhsm2-util', '--init-token', '--free', '--label', - 'U-Boot prod token', '--pin', '1234', '--so-pin', - '222222') - tools.run('softhsm2-util', '--import', private_key, '--token', - 'U-Boot prod token', '--label', 'prod', '--id', '999999', - '--pin', '1234') + softhsm2_util.run_cmd('--init-token', '--free', '--label', + 'U-Boot prod token', '--pin', '1234', + '--so-pin', '222222') + softhsm2_util.run_cmd('--import', private_key, '--token', + 'U-Boot prod token', '--label', 'prod', + '--id', '999999', '--pin', '1234') # Make sure the private key can only be accessed through the engine os.remove(private_key) -- cgit v1.2.3