From 1e4829855234d8dc91c2840a79e9a64a2e8bf3a6 Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Sat, 16 May 2026 00:38:07 +0100 Subject: tools: mkimage: add dm-verity Merkle-tree generation When mkimage encounters a dm-verity subnode inside a component image node it now automatically invokes veritysetup(8) with --no-superblock to generate the Merkle hash tree, screen-scrapes the Root hash and Salt from the tool output, and writes the computed properties back into the FIT blob. The user only needs to specify algorithm, data-block-size, and hash-block-size in the ITS; mkimage fills in digest, salt, num-data-blocks, and hash-start-block. Because --no-superblock is used, hash-start-block equals num-data-blocks with no off-by-one. The image data property is replaced with the expanded content (original data followed directly by the hash tree) so that subsequent hash and signature subnodes operate on the complete image. fit_image_add_verification_data() is restructured into two passes: dm-verity first (may grow data), then hashes and signatures. Signed-off-by: Daniel Golle Reviewed-by: Simon Glass --- tools/fit_image.c | 91 +++++++++++- tools/image-host.c | 414 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 496 insertions(+), 9 deletions(-) (limited to 'tools') diff --git a/tools/fit_image.c b/tools/fit_image.c index 1dbc14c63e4..b53088bf783 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -40,10 +40,10 @@ static int fit_estimate_hash_sig_size(struct image_tool_params *params, const ch return -EIO; /* - * Walk the FIT image, looking for nodes named hash* and - * signature*. Since the interesting nodes are subnodes of an - * image or configuration node, we are only interested in - * those at depth exactly 3. + * Walk the FIT image, looking for nodes named hash*, + * signature*, and dm-verity. Since the interesting nodes are + * subnodes of an image or configuration node, we are only + * interested in those at depth exactly 3. * * The estimate for a hash node is based on a sha512 digest * being 64 bytes, with another 64 bytes added to account for @@ -55,6 +55,10 @@ static int fit_estimate_hash_sig_size(struct image_tool_params *params, const ch * account for fdt overhead and the various other properties * (hashed-nodes etc.) that will also be filled in. * + * For a dm-verity node the small metadata properties (digest, + * salt, two u32s and a temp-file path) are written into the + * FDT by fit_image_process_verity(). + * * One could try to be more precise in the estimates by * looking at the "algo" property and, in the case of * configuration signatures, the sign-images property. Also, @@ -76,6 +80,18 @@ static int fit_estimate_hash_sig_size(struct image_tool_params *params, const ch if (signing && !strncmp(name, FIT_SIG_NODENAME, strlen(FIT_SIG_NODENAME))) estimate += 1024; + + if (!strcmp(name, FIT_VERITY_NODENAME)) { + if (!params->external_data) { + fprintf(stderr, + "%s: dm-verity requires external data (-E)\n", + params->cmdname); + munmap(fdt, sbuf.st_size); + close(fd); + return -EINVAL; + } + estimate += 256; + } } munmap(fdt, sbuf.st_size); @@ -470,6 +486,41 @@ static int fit_write_images(struct image_tool_params *params, char *fdt) return 0; } +/** + * fit_copy_image_data() - copy image data, using cached verity expansion + * @fdt: FIT blob + * @node: image node offset + * @buf: destination buffer + * @buf_ptr: write offset within @buf + * @data: embedded image data (used when no dm-verity expansion exists) + * @lenp: in/out: on entry, length of @data; on exit, bytes written + * + * When fit_image_process_verity() has run, the expanded image data + * (original + hash tree) is cached in memory. Look it up by image name + * and copy from the cached buffer rather than the embedded ``data`` + * property; fall back to @data otherwise. + * + * Return: 0 on success + */ +static int fit_copy_image_data(void *fdt, int node, void *buf, + int buf_ptr, const void *data, int *lenp) +{ + const char *image_name = fdt_get_name(fdt, node, NULL); + const void *vdata; + size_t vsize; + + if (image_name && + !fit_verity_get_expanded(image_name, &vdata, &vsize)) { + memcpy(buf + buf_ptr, vdata, vsize); + *lenp = vsize; + return 0; + } + + memcpy(buf + buf_ptr, data, *lenp); + + return 0; +} + /** * fit_write_configs() - Write out a list of configurations to the FIT * @@ -653,6 +704,8 @@ static int fit_extract_data(struct image_tool_params *params, const char *fname) int node; int align_size = 0; int len = 0; + int verity_extra = 0; + int orig_len; fd = mmap_fdt(params->cmdname, fname, 0, &fdt, &sbuf, false, false); if (fd < 0) @@ -686,11 +739,34 @@ static int fit_extract_data(struct image_tool_params *params, const char *fname) align_size += 4; } + /* + * When dm-verity is active the external data for an image is + * larger than the embedded data property (original + hash tree). + * Walk images once more and consult the in-memory cache for the + * actual expanded size. + */ + fdt_for_each_subnode(node, fdt, images) { + const char *image_name; + const void *vdata; + size_t vsize; + + orig_len = 0; + if (fdt_subnode_offset(fdt, node, FIT_VERITY_NODENAME) < 0) + continue; + image_name = fdt_get_name(fdt, node, NULL); + if (!image_name || + fit_verity_get_expanded(image_name, &vdata, &vsize)) + continue; + fdt_getprop(fdt, node, FIT_DATA_PROP, &orig_len); + if ((int)vsize > orig_len) + verity_extra += (int)vsize - orig_len; + } + /* * Allocate space to hold the image data we will extract, * extral space allocate for image alignment to prevent overflow. */ - buf = calloc(1, fit_size + align_size); + buf = calloc(1, fit_size + align_size + verity_extra); if (!buf) { ret = -ENOMEM; goto err_munmap; @@ -721,7 +797,10 @@ static int fit_extract_data(struct image_tool_params *params, const char *fname) data = fdt_getprop(fdt, node, FIT_DATA_PROP, &len); if (!data) continue; - memcpy(buf + buf_ptr, data, len); + + ret = fit_copy_image_data(fdt, node, buf, buf_ptr, data, &len); + if (ret) + goto err_munmap; debug("Extracting data size %x\n", len); ret = fdt_delprop(fdt, node, FIT_DATA_PROP); diff --git a/tools/image-host.c b/tools/image-host.c index 8b550af0dc1..8f1e7be4066 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -12,8 +12,12 @@ #include #include #include +#include #include +#include +#include + #if CONFIG_IS_ENABLED(FIT_SIGNATURE) #include #include @@ -626,6 +630,376 @@ int fit_image_cipher_data(const char *keydir, void *keydest, image_noffset, cipher_node_offset, data, size, cmdname); } +/* + * In-memory cache of dm-verity expanded buffers (original data followed + * by the Merkle hash tree), keyed by image unit name. Populated by + * fit_image_process_verity() and consumed by fit_extract_data() / + * fit_copy_image_data() so that the expanded content never leaves the + * mkimage process address space. + */ +struct fit_verity_blob { + char *name; + void *data; + size_t size; + struct fit_verity_blob *next; +}; + +static struct fit_verity_blob *fit_verity_blobs; + +/* Stash a malloc'd expanded buffer; takes ownership of @data on success. */ +static int fit_verity_stash(const char *name, void *data, size_t size) +{ + struct fit_verity_blob *b; + + b = calloc(1, sizeof(*b)); + if (!b) + return -ENOMEM; + b->name = strdup(name); + if (!b->name) { + free(b); + return -ENOMEM; + } + b->data = data; + b->size = size; + b->next = fit_verity_blobs; + fit_verity_blobs = b; + + return 0; +} + +int fit_verity_get_expanded(const char *name, const void **data, size_t *size) +{ + struct fit_verity_blob *b; + + for (b = fit_verity_blobs; b; b = b->next) { + if (!strcmp(b->name, name)) { + *data = b->data; + *size = b->size; + return 0; + } + } + + return -ENOENT; +} + +/** + * fit_image_process_verity() - Run veritysetup and fill dm-verity properties + * + * Extracts the embedded image data to a temporary file, runs + * ``veritysetup format`` to generate the Merkle hash tree (appended to the + * same file), parses Root hash / Salt from its stdout, and writes the + * computed properties (digest, salt, num-data-blocks, hash-start-block) + * back into the FIT dm-verity subnode. + * + * The expanded data (original data + hash tree) is read back into a + * malloc'd buffer and stashed in an in-memory cache keyed by @image_name + * via fit_verity_stash(). The same buffer is returned through + * @expanded_data / @expanded_size so that hash and signature subnodes + * can be computed over the complete image; the returned pointer is a + * *view* of the cached buffer and must not be freed by the caller. + * fit_extract_data() later retrieves the same buffer via + * fit_verity_get_expanded() to write the external data section. + * + * @fit: FIT blob (read-write) + * @image_name: image unit name (for diagnostics) + * @verity_noffset: dm-verity subnode offset + * @data: embedded image data + * @data_size: size of @data in bytes + * @expanded_data: output -- malloc'd buffer with expanded content + * @expanded_size: output -- size of @expanded_data + * Return: 0 on success, -ve on error (-ENOSPC when the FIT blob is full) + */ +static int fit_image_process_verity(void *fit, const char *image_name, + int verity_noffset, + const void *data, size_t data_size, + void **expanded_data, size_t *expanded_size) +{ + const char *algo_prop; + char algo[64]; + const fdt32_t *val; + unsigned int data_block_size, hash_block_size; + uint32_t num_data_blocks; + size_t hash_offset; + uint32_t hash_start_block; + char tmpfile[] = "/tmp/mkimage-verity-XXXXXX"; + char dbs_arg[32], hbs_arg[32], algo_arg[80], hoff_arg[40]; + int pipefd[2]; + pid_t pid; + FILE *fp; + char line[256]; + char *colon, *value, *end; + char root_hash_hex[256] = {0}; + char salt_hex[256] = {0}; + uint8_t digest_bin[FIT_MAX_HASH_LEN]; + uint8_t salt_bin[FIT_MAX_HASH_LEN]; + int digest_len = 0, salt_len = 0; + void *expanded = NULL; + struct stat st; + int fd, ret; + + *expanded_data = NULL; + *expanded_size = 0; + + algo_prop = fdt_getprop(fit, verity_noffset, FIT_VERITY_ALGO_PROP, + NULL); + if (!algo_prop) { + fprintf(stderr, + "Missing '%s' in dm-verity node of '%s'\n", + FIT_VERITY_ALGO_PROP, image_name); + return -EINVAL; + } + /* Local copy -- the FDT pointer goes stale after fdt_setprop(). */ + snprintf(algo, sizeof(algo), "%s", algo_prop); + + val = fdt_getprop(fit, verity_noffset, FIT_VERITY_DBS_PROP, NULL); + if (!val) { + fprintf(stderr, + "Missing '%s' in dm-verity node of '%s'\n", + FIT_VERITY_DBS_PROP, image_name); + return -EINVAL; + } + data_block_size = fdt32_to_cpu(*val); + + val = fdt_getprop(fit, verity_noffset, FIT_VERITY_HBS_PROP, NULL); + if (!val) { + fprintf(stderr, + "Missing '%s' in dm-verity node of '%s'\n", + FIT_VERITY_HBS_PROP, image_name); + return -EINVAL; + } + hash_block_size = fdt32_to_cpu(*val); + + if (data_block_size < 512 || (data_block_size & (data_block_size - 1)) || + hash_block_size < 512 || (hash_block_size & (hash_block_size - 1))) { + fprintf(stderr, + "Block sizes must be >= 512 and a power of two in dm-verity node of '%s'\n", + image_name); + return -EINVAL; + } + + if (data_size % data_block_size) { + fprintf(stderr, + "Image '%s' size %zu not a multiple of data-block-size %d\n", + image_name, data_size, data_block_size); + return -EINVAL; + } + + if (data_size / data_block_size > UINT32_MAX || + data_size / hash_block_size > UINT32_MAX) { + fprintf(stderr, + "Image '%s' too large for dm-verity (> 2^32 blocks)\n", + image_name); + return -EINVAL; + } + num_data_blocks = data_size / data_block_size; + hash_offset = data_size; + + fd = mkstemp(tmpfile); + if (fd < 0) { + fprintf(stderr, "Can't create temp file: %s\n", + strerror(errno)); + return -EIO; + } + + if (write(fd, data, data_size) != (ssize_t)data_size) { + fprintf(stderr, "Can't write temp file: %s\n", + strerror(errno)); + ret = -EIO; + goto err_unlink; + } + close(fd); + fd = -1; + + /* + * Invoke veritysetup via fork/execvp -- no shell, so each argument + * goes verbatim to the binary and the algo string cannot inject + * additional commands no matter how crafted the .its is. + */ + snprintf(algo_arg, sizeof(algo_arg), "--hash=%s", algo); + snprintf(dbs_arg, sizeof(dbs_arg), "--data-block-size=%u", + data_block_size); + snprintf(hbs_arg, sizeof(hbs_arg), "--hash-block-size=%u", + hash_block_size); + snprintf(hoff_arg, sizeof(hoff_arg), "--hash-offset=%zu", hash_offset); + + if (pipe(pipefd) < 0) { + fprintf(stderr, "Can't create pipe: %s\n", strerror(errno)); + ret = -EIO; + goto err_unlink; + } + + pid = fork(); + if (pid < 0) { + fprintf(stderr, "Can't fork: %s\n", strerror(errno)); + close(pipefd[0]); + close(pipefd[1]); + ret = -EIO; + goto err_unlink; + } + + if (pid == 0) { + /* child: redirect stdout+stderr to pipe write-end, then exec */ + char *argv[] = { + "veritysetup", "format", tmpfile, tmpfile, + "--no-superblock", algo_arg, dbs_arg, hbs_arg, + hoff_arg, NULL, + }; + + close(pipefd[0]); + if (dup2(pipefd[1], STDOUT_FILENO) < 0 || + dup2(pipefd[1], STDERR_FILENO) < 0) + _exit(127); + close(pipefd[1]); + execvp(argv[0], argv); + fprintf(stderr, "Can't exec veritysetup: %s\n", + strerror(errno)); + _exit(127); + } + + /* parent: parse key: value lines from veritysetup stdout */ + close(pipefd[1]); + fp = fdopen(pipefd[0], "r"); + if (!fp) { + fprintf(stderr, "Can't fdopen veritysetup pipe: %s\n", + strerror(errno)); + close(pipefd[0]); + waitpid(pid, NULL, 0); + ret = -EIO; + goto err_unlink; + } + + while (fgets(line, sizeof(line), fp)) { + colon = strchr(line, ':'); + if (!colon) + continue; + value = colon + 1; + while (*value == ' ' || *value == '\t') + value++; + end = value + strlen(value) - 1; + while (end > value && (*end == '\n' || *end == '\r' || + *end == ' ')) + *end-- = '\0'; + + if (!strncmp(line, "Root hash:", 10)) + snprintf(root_hash_hex, sizeof(root_hash_hex), + "%s", value); + else if (!strncmp(line, "Salt:", 5)) + snprintf(salt_hex, sizeof(salt_hex), "%s", value); + } + fclose(fp); + + if (waitpid(pid, &ret, 0) < 0 || !WIFEXITED(ret) || + WEXITSTATUS(ret) != 0) { + fprintf(stderr, "veritysetup failed for '%s'\n", image_name); + ret = -EIO; + goto err_unlink; + } + + if (!root_hash_hex[0] || !salt_hex[0]) { + fprintf(stderr, "Failed to parse veritysetup output for '%s'\n", + image_name); + ret = -EIO; + goto err_unlink; + } + + digest_len = strlen(root_hash_hex) / 2; + salt_len = strlen(salt_hex) / 2; + + if (digest_len > (int)sizeof(digest_bin) || + salt_len > (int)sizeof(salt_bin)) { + fprintf(stderr, "Hash/salt too long for '%s'\n", image_name); + ret = -EINVAL; + goto err_unlink; + } + + if (hex2bin(digest_bin, root_hash_hex, digest_len) || + hex2bin(salt_bin, salt_hex, salt_len)) { + fprintf(stderr, "Invalid hex in veritysetup output for '%s'\n", + image_name); + ret = -EINVAL; + goto err_unlink; + } + + if (stat(tmpfile, &st)) { + fprintf(stderr, "Can't stat temp file: %s\n", + strerror(errno)); + ret = -EIO; + goto err_unlink; + } + + expanded = malloc(st.st_size); + if (!expanded) { + ret = -ENOMEM; + goto err_unlink; + } + + fd = open(tmpfile, O_RDONLY); + if (fd < 0 || read(fd, expanded, st.st_size) != st.st_size) { + fprintf(stderr, "Can't read back temp file: %s\n", + strerror(errno)); + ret = -EIO; + goto err_free; + } + close(fd); + fd = -1; + + /* Temp file is no longer needed -- expanded buffer lives in memory. */ + unlink(tmpfile); + + /* hash tree starts immediately after data (no superblock) */ + hash_start_block = hash_offset / hash_block_size; + + ret = fdt_setprop(fit, verity_noffset, FIT_VERITY_DIGEST_PROP, + digest_bin, digest_len); + if (ret) { + ret = (ret == -FDT_ERR_NOSPACE) ? -ENOSPC : -EIO; + goto err_free; + } + + ret = fdt_setprop(fit, verity_noffset, FIT_VERITY_SALT_PROP, + salt_bin, salt_len); + if (ret) { + ret = (ret == -FDT_ERR_NOSPACE) ? -ENOSPC : -EIO; + goto err_free; + } + + ret = fdt_setprop_u32(fit, verity_noffset, FIT_VERITY_NBLK_PROP, + num_data_blocks); + if (ret) { + ret = (ret == -FDT_ERR_NOSPACE) ? -ENOSPC : -EIO; + goto err_free; + } + + ret = fdt_setprop_u32(fit, verity_noffset, FIT_VERITY_HBLK_PROP, + hash_start_block); + if (ret) { + ret = (ret == -FDT_ERR_NOSPACE) ? -ENOSPC : -EIO; + goto err_free; + } + + /* + * Stash the expanded buffer in the in-process cache; fit_extract_data() + * looks it up via fit_verity_get_expanded() to populate the external + * data section. On success the cache takes ownership of @expanded. + */ + ret = fit_verity_stash(image_name, expanded, st.st_size); + if (ret) + goto err_free; + + *expanded_data = expanded; + *expanded_size = st.st_size; + + return 0; + +err_free: + free(expanded); +err_unlink: + if (fd >= 0) + close(fd); + unlink(tmpfile); + return ret; +} + /** * fit_image_add_verification_data() - calculate/set verig. data for image node * @@ -652,6 +1026,8 @@ int fit_image_cipher_data(const char *keydir, void *keydest, * * For signature details, please see doc/usage/fit/signature.rst * + * For dm-verity details, please see doc/usage/fit/dm-verity.rst + * * @keydir Directory containing *.key and *.crt files (or NULL) * @keydest FDT Blob to write public keys into (NULL if none) * @fit: Pointer to the FIT format image header @@ -667,9 +1043,16 @@ int fit_image_add_verification_data(const char *keydir, const char *keyfile, const char *cmdname, const char* algo_name) { const char *image_name; + const char *node_name; const void *data; size_t size; + /* + * View pointer into the dm-verity cache (owned by image-host.c). + * Do not free; the cache lives until mkimage exits. + */ + void *verity_data = NULL; int noffset; + int ret; /* Get image data and data length */ if (fit_image_get_emb_data(fit, image_noffset, &data, &size)) { @@ -679,13 +1062,38 @@ int fit_image_add_verification_data(const char *keydir, const char *keyfile, image_name = fit_get_name(fit, image_noffset, NULL); - /* Process all hash subnodes of the component image node */ + /* + * Pass 1 -- dm-verity: run veritysetup to produce the Merkle + * hash tree and fill in computed metadata. The expanded + * content (original data + hash tree) is returned in + * verity_data so that pass 2 hashes the complete image. + */ for (noffset = fdt_first_subnode(fit, image_noffset); noffset >= 0; noffset = fdt_next_subnode(fit, noffset)) { - const char *node_name; - int ret = 0; + if (!strcmp(fit_get_name(fit, noffset, NULL), + FIT_VERITY_NODENAME)) { + ret = fit_image_process_verity(fit, image_name, + noffset, + data, size, + &verity_data, + &size); + if (ret) + return ret; + if (verity_data) + data = verity_data; + break; + } + } + /* + * Pass 2 -- hashes and signatures: compute over the (possibly + * expanded) image data. + */ + for (noffset = fdt_first_subnode(fit, image_noffset); + noffset >= 0; + noffset = fdt_next_subnode(fit, noffset)) { + ret = 0; /* * Check subnode name, must be equal to "hash" or "signature". * Multiple hash nodes require unique unit node -- cgit v1.3.1 From 759968136d68ba178904313c38ad1003525c58ac Mon Sep 17 00:00:00 2001 From: Aristo Chen Date: Tue, 26 May 2026 07:03:32 +0000 Subject: tools: mkimage: fix get_basename crash on paths with dotted directories The get_basename() helper in tools/fit_image.c searches the entire input path for the last '/' and the last '.' independently. When the last '.' falls at an offset earlier than the last '/' (for example "./mydt", "a.b/c", or "sub.d/leaf"), 'end' points before 'start' and the computed length is negative. The subsequent size check uses signed comparison so the negative value passes through unchanged, and memcpy() is then called with that length implicitly cast to size_t, which segfaults. Restrict the dot search to the substring that follows the last slash so that only an extension in the filename component can become the end of the basename. This matches the function's stated intent of stripping an extension from the leaf, and keeps the existing behaviour for typical inputs such as "arch/arm/dts/foo.dtb". Reproducer that previously segfaulted and now produces a valid image: echo dummy > kernel.bin echo dummy > ./mydt ./tools/mkimage -f auto -A arm -O linux -T kernel -C none \ -a 0x80000000 -e 0x80000000 -n test \ -d kernel.bin -b ./mydt out.itb Signed-off-by: Aristo Chen Reviewed-by: Quentin Schulz --- tools/fit_image.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'tools') diff --git a/tools/fit_image.c b/tools/fit_image.c index 1dbc14c63e4..6c129117297 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -265,8 +265,14 @@ static void get_basename(char *str, int size, const char *fname) */ p = strrchr(fname, '/'); start = p ? p + 1 : fname; - p = strrchr(fname, '.'); - end = p ? p : fname + strlen(fname); + /* + * Search for the extension dot only within the basename. Searching + * the whole path would let a dot in the directory part (for example + * "./mydt" or "a.b/c") place 'end' before 'start' and produce a + * negative length, which the size check below does not catch. + */ + p = strrchr(start, '.'); + end = p ? p : start + strlen(start); len = end - start; if (len >= size) len = size - 1; -- cgit v1.3.1 From f3d2ff3f5c3f49216b45a30b4b9a315a1b8d2142 Mon Sep 17 00:00:00 2001 From: Anton Ivanov Date: Tue, 2 Jun 2026 19:27:52 +0100 Subject: fdt: Check return value of fdt_get_name() calls fdt_get_name() can return NULL and set len to a negative error code. fdt_find_regions() does not check for this, leading to a potential NULL pointer dereference and a buffer out-of-bounds write during signature verification of an untrusted FIT. fdt_next_region(), fdt_check_full(), and display_fdt_by_regions() also lack validation. Add NULL checks and propagate the error code from fdt_get_name() to the caller. Signed-off-by: Anton Ivanov Reviewed-by: Simon Glass --- boot/fdt_region.c | 5 +++++ scripts/dtc/libfdt/fdt_ro.c | 3 +++ tools/fdtgrep.c | 3 +++ 3 files changed, 11 insertions(+) (limited to 'tools') diff --git a/boot/fdt_region.c b/boot/fdt_region.c index 0a9d47bb2bd..dd6e87925be 100644 --- a/boot/fdt_region.c +++ b/boot/fdt_region.c @@ -88,6 +88,8 @@ int fdt_find_regions(const void *fdt, char * const inc[], int inc_count, if (depth == FDT_MAX_DEPTH) return -FDT_ERR_BADSTRUCTURE; name = fdt_get_name(fdt, offset, &len); + if (!name) + return len; /* The root node must have an empty name */ if (!depth && *name) @@ -563,6 +565,9 @@ int fdt_next_region(const void *fdt, if (p.depth == FDT_MAX_DEPTH) return -FDT_ERR_BADSTRUCTURE; name = fdt_get_name(fdt, offset, &len); + if (!name) + return len; + if (p.end - path + 2 + len >= path_len) return -FDT_ERR_NOSPACE; diff --git a/scripts/dtc/libfdt/fdt_ro.c b/scripts/dtc/libfdt/fdt_ro.c index 3e7e26b4398..d7b424c658f 100644 --- a/scripts/dtc/libfdt/fdt_ro.c +++ b/scripts/dtc/libfdt/fdt_ro.c @@ -940,6 +940,9 @@ int fdt_check_full(const void *fdt, size_t bufsize) int len; name = fdt_get_name(fdt, offset, &len); + if (!name) + return len; + if (*name || len) return -FDT_ERR_BADLAYOUT; } diff --git a/tools/fdtgrep.c b/tools/fdtgrep.c index b4c041070f5..dba7240001f 100644 --- a/tools/fdtgrep.c +++ b/tools/fdtgrep.c @@ -355,6 +355,9 @@ static int display_fdt_by_regions(struct display_info *disp, const void *blob, case FDT_BEGIN_NODE: name = fdt_get_name(blob, offset, &len); + if (!name) + return len; + fprintf(f, "%*s%s {", depth++ * shift, "", *name ? name : "/"); break; -- cgit v1.3.1 From 37fef5ab88d1134fd6b8b53090e0bfa442732e24 Mon Sep 17 00:00:00 2001 From: Tom Rini Date: Tue, 26 May 2026 14:19:27 -0600 Subject: dtc: Resync fdt_check_full() with upstream version v1.7.2-35-g52f07dcca47c In the upstream project, the function fdt_check_full has been moved from fdt_ro.c to its own file, fdt_check.c. This file is not included in the Linux kernel copy and so has not been synced over. As we do need and use the fdt_check_full function, bring that file over as of the current upstream we are synced to. Remove our copy of this function from fdt_ro.c and add fdt_check.o and 1-liner fdt_check.c where needed. Note that for now, this will increase size in some cases as upstream does not have a size reduction method here. Reviewed-by: Simon Glass Signed-off-by: Tom Rini --- lib/libfdt/Makefile | 1 + lib/libfdt/fdt_check.c | 2 + scripts/dtc/Makefile | 2 +- scripts/dtc/libfdt/Makefile.libfdt | 2 +- scripts/dtc/libfdt/fdt_check.c | 96 ++++++++++++++++++++++++++++++++++++++ scripts/dtc/libfdt/fdt_ro.c | 88 ---------------------------------- scripts/dtc/update-dtc-source.sh | 2 +- tools/Makefile | 3 +- tools/libfdt/fdt_check.c | 2 + 9 files changed, 106 insertions(+), 92 deletions(-) create mode 100644 lib/libfdt/fdt_check.c create mode 100644 scripts/dtc/libfdt/fdt_check.c create mode 100644 tools/libfdt/fdt_check.c (limited to 'tools') diff --git a/lib/libfdt/Makefile b/lib/libfdt/Makefile index c492377032b..b4113cfb478 100644 --- a/lib/libfdt/Makefile +++ b/lib/libfdt/Makefile @@ -5,6 +5,7 @@ obj-y += \ fdt.o \ + fdt_check.o \ fdt_ro.o \ fdt_wip.o \ fdt_strerror.o \ diff --git a/lib/libfdt/fdt_check.c b/lib/libfdt/fdt_check.c new file mode 100644 index 00000000000..b7fa4a7c0bb --- /dev/null +++ b/lib/libfdt/fdt_check.c @@ -0,0 +1,2 @@ +#include +#include "../../scripts/dtc/libfdt/fdt_check.c" diff --git a/scripts/dtc/Makefile b/scripts/dtc/Makefile index 2ba8dba03be..6aecae1c6dd 100644 --- a/scripts/dtc/Makefile +++ b/scripts/dtc/Makefile @@ -10,7 +10,7 @@ dtc-objs += dtc-lexer.lex.o dtc-parser.tab.o # The upstream project builds libfdt as a separate library. We are choosing to # instead directly link the libfdt object files into fdtoverlay. -libfdt-objs := fdt.o fdt_ro.o fdt_wip.o fdt_sw.o fdt_rw.o fdt_strerror.o fdt_empty_tree.o fdt_addresses.o fdt_overlay.o +libfdt-objs := fdt.o fdt_ro.o fdt_wip.o fdt_sw.o fdt_rw.o fdt_strerror.o fdt_empty_tree.o fdt_addresses.o fdt_overlay.o fdt_check.o libfdt = $(addprefix libfdt/,$(libfdt-objs)) fdtoverlay-objs := $(libfdt) fdtoverlay.o util.o diff --git a/scripts/dtc/libfdt/Makefile.libfdt b/scripts/dtc/libfdt/Makefile.libfdt index e54639738c8..b6d8fc02dd0 100644 --- a/scripts/dtc/libfdt/Makefile.libfdt +++ b/scripts/dtc/libfdt/Makefile.libfdt @@ -8,7 +8,7 @@ LIBFDT_soname = libfdt.$(SHAREDLIB_EXT).1 LIBFDT_INCLUDES = fdt.h libfdt.h libfdt_env.h LIBFDT_VERSION = version.lds LIBFDT_SRCS = fdt.c fdt_ro.c fdt_wip.c fdt_sw.c fdt_rw.c fdt_strerror.c fdt_empty_tree.c \ - fdt_addresses.c fdt_overlay.c + fdt_addresses.c fdt_overlay.c fdt_check.c LIBFDT_OBJS = $(LIBFDT_SRCS:%.c=%.o) LIBFDT_LIB = libfdt-$(DTC_VERSION).$(SHAREDLIB_EXT) diff --git a/scripts/dtc/libfdt/fdt_check.c b/scripts/dtc/libfdt/fdt_check.c new file mode 100644 index 00000000000..a21ebbc9239 --- /dev/null +++ b/scripts/dtc/libfdt/fdt_check.c @@ -0,0 +1,96 @@ +// SPDX-License-Identifier: (GPL-2.0-or-later OR BSD-2-Clause) +/* + * libfdt - Flat Device Tree manipulation + * Copyright (C) 2006 David Gibson, IBM Corporation. + */ +#include "libfdt_env.h" + +#include +#include + +#include "libfdt_internal.h" + +int fdt_check_full(const void *fdt, size_t bufsize) +{ + int err; + int num_memrsv; + int offset, nextoffset = 0; + uint32_t tag; + unsigned int depth = 0; + const void *prop; + const char *propname; + bool expect_end = false; + + if (bufsize < FDT_V1_SIZE) + return -FDT_ERR_TRUNCATED; + if (bufsize < fdt_header_size(fdt)) + return -FDT_ERR_TRUNCATED; + err = fdt_check_header(fdt); + if (err != 0) + return err; + if (bufsize < fdt_totalsize(fdt)) + return -FDT_ERR_TRUNCATED; + + num_memrsv = fdt_num_mem_rsv(fdt); + if (num_memrsv < 0) + return num_memrsv; + + while (1) { + offset = nextoffset; + tag = fdt_next_tag(fdt, offset, &nextoffset); + + if (nextoffset < 0) + return nextoffset; + + /* If we see two root nodes, something is wrong */ + if (expect_end && tag != FDT_END) + return -FDT_ERR_BADSTRUCTURE; + + switch (tag) { + case FDT_NOP: + break; + + case FDT_END: + if (depth != 0) + return -FDT_ERR_BADSTRUCTURE; + return 0; + + case FDT_BEGIN_NODE: + depth++; + if (depth > INT_MAX) + return -FDT_ERR_BADSTRUCTURE; + + /* The root node must have an empty name */ + if (depth == 1) { + const char *name; + int len; + + name = fdt_get_name(fdt, offset, &len); + if (!name) + return len; + + if (*name || len) + return -FDT_ERR_BADSTRUCTURE; + } + break; + + case FDT_END_NODE: + if (depth == 0) + return -FDT_ERR_BADSTRUCTURE; + depth--; + if (depth == 0) + expect_end = true; + break; + + case FDT_PROP: + prop = fdt_getprop_by_offset(fdt, offset, &propname, + &err); + if (!prop) + return err; + break; + + default: + return -FDT_ERR_INTERNAL; + } + } +} diff --git a/scripts/dtc/libfdt/fdt_ro.c b/scripts/dtc/libfdt/fdt_ro.c index 3e7e26b4398..065baa70735 100644 --- a/scripts/dtc/libfdt/fdt_ro.c +++ b/scripts/dtc/libfdt/fdt_ro.c @@ -884,91 +884,3 @@ int fdt_node_offset_by_compatible(const void *fdt, int startoffset, return offset; /* error from fdt_next_node() */ } - -#if !defined(FDT_ASSUME_MASK) || FDT_ASSUME_MASK != 0xff -int fdt_check_full(const void *fdt, size_t bufsize) -{ - int err; - int num_memrsv; - int offset, nextoffset = 0; - uint32_t tag; - unsigned depth = 0; - const void *prop; - const char *propname; - bool expect_end = false; - - if (bufsize < FDT_V1_SIZE) - return -FDT_ERR_TRUNCATED; - err = fdt_check_header(fdt); - if (err != 0) - return err; - if (bufsize < fdt_totalsize(fdt)) - return -FDT_ERR_TRUNCATED; - - num_memrsv = fdt_num_mem_rsv(fdt); - if (num_memrsv < 0) - return num_memrsv; - - while (1) { - offset = nextoffset; - tag = fdt_next_tag(fdt, offset, &nextoffset); - - if (nextoffset < 0) - return nextoffset; - - /* If we see two root nodes, something is wrong */ - if (expect_end && tag != FDT_END) - return -FDT_ERR_BADLAYOUT; - - switch (tag) { - case FDT_NOP: - break; - - case FDT_END: - if (depth != 0) - return -FDT_ERR_BADSTRUCTURE; - return 0; - - case FDT_BEGIN_NODE: - depth++; - if (depth > INT_MAX) - return -FDT_ERR_BADSTRUCTURE; - - /* The root node must have an empty name */ - if (depth == 1) { - const char *name; - int len; - - name = fdt_get_name(fdt, offset, &len); - if (*name || len) - return -FDT_ERR_BADLAYOUT; - } - break; - - case FDT_END_NODE: - if (depth == 0) - return -FDT_ERR_BADSTRUCTURE; - depth--; - if (depth == 0) - expect_end = true; - break; - - case FDT_PROP: - prop = fdt_getprop_by_offset(fdt, offset, &propname, - &err); - if (!prop) - return err; - break; - - default: - return -FDT_ERR_INTERNAL; - } - } -} -#else -int fdt_check_full(const void __always_unused *fdt, - size_t __always_unused bufsize) -{ - return 0; -} -#endif /* #if !defined(FDT_ASSUME_MASK) || FDT_ASSUME_MASK != 0xff */ diff --git a/scripts/dtc/update-dtc-source.sh b/scripts/dtc/update-dtc-source.sh index 94627541533..2b62da68368 100755 --- a/scripts/dtc/update-dtc-source.sh +++ b/scripts/dtc/update-dtc-source.sh @@ -34,7 +34,7 @@ DTC_LINUX_PATH=`pwd`/scripts/dtc DTC_SOURCE="checks.c data.c dtc.c dtc.h flattree.c fstree.c livetree.c srcpos.c \ srcpos.h treesource.c util.c util.h version_gen.h \ dtc-lexer.l dtc-parser.y" -LIBFDT_SOURCE="fdt.c fdt.h fdt_addresses.c fdt_empty_tree.c \ +LIBFDT_SOURCE="fdt.c fdt.h fdt_addresses.c fdt_empty_tree.c fdt_check.c \ fdt_overlay.c fdt_ro.c fdt_rw.c fdt_strerror.c fdt_sw.c \ fdt_wip.c libfdt.h libfdt_env.h libfdt_internal.h" FDTOVERLAY_SOURCE=fdtoverlay.c diff --git a/tools/Makefile b/tools/Makefile index 1a5f425ecda..535a5d51c89 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -82,7 +82,8 @@ HOSTCFLAGS_image-host.o += \ # The following files are synced with upstream DTC. # Use synced versions from scripts/dtc/libfdt/. LIBFDT_OBJS := $(addprefix libfdt/, fdt.o fdt_ro.o fdt_wip.o fdt_sw.o fdt_rw.o \ - fdt_strerror.o fdt_empty_tree.o fdt_addresses.o fdt_overlay.o) + fdt_strerror.o fdt_empty_tree.o fdt_addresses.o fdt_overlay.o \ + fdt_check.o) RSA_OBJS-$(CONFIG_TOOLS_LIBCRYPTO) := $(addprefix generated/lib/rsa/, \ rsa-sign.o rsa-verify.o \ diff --git a/tools/libfdt/fdt_check.c b/tools/libfdt/fdt_check.c new file mode 100644 index 00000000000..a17a0194f5c --- /dev/null +++ b/tools/libfdt/fdt_check.c @@ -0,0 +1,2 @@ +#include "fdt_host.h" +#include "../scripts/dtc/libfdt/fdt_check.c" -- cgit v1.3.1 From 223d0f0de8bd05a5957a1e2ff1d73314d34343cd Mon Sep 17 00:00:00 2001 From: Mathieu Dubois-Briand Date: Wed, 10 Jun 2026 16:17:09 +0200 Subject: binman: Add optee binary to i.MX9 platform types OP-TEE tee.bin is generated externally and might be missing during the build. Signed-off-by: Mathieu Dubois-Briand --- tools/binman/etype/nxp_imx9image.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'tools') diff --git a/tools/binman/etype/nxp_imx9image.py b/tools/binman/etype/nxp_imx9image.py index e0e806f2b7f..138563ba33a 100644 --- a/tools/binman/etype/nxp_imx9image.py +++ b/tools/binman/etype/nxp_imx9image.py @@ -36,7 +36,8 @@ class Entry_nxp_imx9image(Entry_mkimage): 'append', 'boot-from', 'cntr-version', 'container', 'dummy-ddr', 'dummy-v2x', 'hold', 'image', 'soc-type' ] - external_files = ['oei-m33-tcm.bin', 'm33_image.bin', 'bl31.bin'] + external_files = ['oei-m33-tcm.bin', 'm33_image.bin', 'bl31.bin', + 'tee.bin'] with open(self.config_filename, 'w', encoding='utf-8') as f: for prop in self._node.props.values(): -- cgit v1.3.1