When the bootloader is UNLOCKED, it should be possible to boot Android
even if AVB reports verification errors [1].
This allows developers to flash modified partitions on
userdebug/engineering builds.
Developers can do so on unlocked devices with:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
In such case, bootmeth_android refuses to boot.
Allow the boot to continue when the device is UNLOCKED and AVB reports
verification errors.
[1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Reviewed-by: Julien Masson <jmasson@baylibre.com>
Link: https://lore.kernel.org/r/20250108-avb-disable-verif-v2-2-ba7d3b0d5b6a@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
When booting an Android build with AVB enabled, it's still possible to
deactivate the check for development purposes if the bootloader state is
UNLOCKED.
This is very useful for development and can be done at flashing time via:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
However, with bootmeth_android, we cannot boot this way:
Scanning bootdev 'mmc@fa10000.bootdev':
0 android ready mmc 0 mmc@fa10000.bootdev.whole
** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
avb_vbmeta_image.c:188: ERROR: Hash does not match!
avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
get_partition: can't find partition '_a'
avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
Verification failed, reason: I/O error occurred while trying to load data
Boot failed (err=-5)
No more bootdevs
From the logs we can see that avb tries to read a partition named '_a'.
It's doing so because the last element of requested_partitions implicitly is
'\0', but the doc explicitly request it to be NULL instead.
Add NULL as last element to requested_partitions to avoid this problem.
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Reviewed-by: Julien Masson <jmasson@baylibre.com>
Link: https://lore.kernel.org/r/20250108-avb-disable-verif-v2-1-ba7d3b0d5b6a@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
kcmdline and kcmdline_extra strings can be NULL. In that case, we still
read the content from 0x00000 and pass that to the kernel, which is
completely wrong.
Fix android_image_get_kernel() to check for NULL before checking if
they are empty strings.
Fixes: 53a0ddb6d3be ("boot: android: fix extra command line support")
Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
Reviewed-by: Nicolas Belin <nbelin@baylibre.com>
Reviewed-by: Julien Masson <jmasson@baylibre.com>
Tested-by: Sam Day <me@samcday.com>
Link: https://lore.kernel.org/r/20250113-kcmdline-extra-fix-v1-1-03cc9c039159@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Following the move of the H616 family to OF_UPSTREAM in the last cycle,
now some older SoCs with identical DTs follow the lead: the F1C100s, A10,
A10s, A13. The remaining SoCs suffer from that IRQ cells incompatiblity,
breaking support for Linux < v5.13, so I am holding their move back still.
Otherwise we get proper support for the PinePhone v1.2, and PSTORE support
for all revisions of that device.
This is rounded up by a PMIC related fix for some A80 boards, and two
cleanup patches that are preparations for two new SoCs families, being
worked on as we speak. But they have to wait for the next cycle.
Gitlab CI passed, and I booted that briefly on some boards.
The ofnode_find_subnode() function currently processes things two
different ways, so the treatment of unit addresses differs depending on
whether OF_LIVE is enabled or not.
Add a new version which uses the ofnode API and add a test to check that
unit addresses can be matched correctly. Leave the old function in place
for the !OF_LIVE case, to avoid a code-size increase, e.g. on
firefly-rk3288
Signed-off-by: Simon Glass <sjg@chromium.org>
When a unit-address is provided, use it to match against the node
name.
Since this increases code size, put it into a separate function.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add bloblist support so that tables can be generated and placed in a
bloblist, then passed to a payload using UPL
Signed-off-by: Simon Glass <sjg@chromium.org>
The add_u_boot_and_runtime() function paints with a broad brush,
considering all of the memory from the top of U-Boot stack to
gd->ram_top as EFI_RUNTIME_SERVICES_CODE
This is fine, but we need to make sure we don't add a separate entry for
any ACPI tables in this region (which happens when bloblist is used for
tables). Otherwise the memory map looks strange and we get a test
failure on qemu-x86 (only) for the 'virtual address map' test.
Good map:
Type Start End Attributes
================ ================ ================ ==========
CONVENTIONAL 0000000000000000-00000000000a0000 WB
RESERVED 00000000000a0000-00000000000f0000 WB
RUNTIME DATA 00000000000f0000-00000000000f2000 WB|RT
RESERVED 00000000000f2000-0000000000100000 WB
CONVENTIONAL 0000000000100000-0000000005cc7000 WB
BOOT DATA 0000000005cc7000-0000000005ccc000 WB
RUNTIME DATA 0000000005ccc000-0000000005ccd000 WB|RT
BOOT DATA 0000000005ccd000-0000000005cce000 WB
RUNTIME DATA 0000000005cce000-0000000005cf0000 WB|RT
BOOT DATA 0000000005cf0000-0000000006cf5000 WB
RESERVED 0000000006cf5000-0000000006cfa000 WB
ACPI RECLAIM MEM 0000000006cfa000-0000000006d1c000 WB
RESERVED 0000000006d1c000-0000000006f35000 WB
RUNTIME CODE 0000000006f35000-0000000006f37000 WB|RT
RESERVED 0000000006f37000-0000000008000000 WB
RESERVED 00000000e0000000-00000000f0000000 WB
Bad map: (with BLOBLIST_TABLES but without this patch):
Type Start End Attributes
================ ================ ================ ==========
CONVENTIONAL 0000000000000000-00000000000a0000 WB
RESERVED 00000000000a0000-00000000000f0000 WB
ACPI RECLAIM MEM 00000000000f0000-00000000000f1000 WB
RESERVED 00000000000f1000-0000000000100000 WB
CONVENTIONAL 0000000000100000-0000000005ca5000 WB
BOOT DATA 0000000005ca5000-0000000005caa000 WB
RUNTIME DATA 0000000005caa000-0000000005cab000 WB|RT
BOOT DATA 0000000005cab000-0000000005cac000 WB
RUNTIME DATA 0000000005cac000-0000000005cce000 WB|RT
BOOT DATA 0000000005cce000-0000000006cd3000 WB
RUNTIME DATA 0000000006cd3000-0000000006cd5000 WB|RT
BOOT DATA 0000000006cd5000-0000000006cf4000 WB
RESERVED 0000000006cf4000-0000000006cf9000 WB
ACPI RECLAIM MEM 0000000006cf9000-0000000006ce6000 WB
Signed-off-by: Simon Glass <sjg@chromium.org>
This isn't strictly needed, but with UPL we use the reserved-memory
nodes to indicate where the SMBIOS table is. Tianocore requires 4KB
alignment on these regions, so it is easier to adjust the alignment
to match.
Signed-off-by: Simon Glass <sjg@chromium.org>
Update the tables to use linux/sizes rather than open-coped values.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
If video is enabled we expect it to work. Avoid silent failure by adding
a panic if things go wrong.
Expand the SPL malloc-area for qemu-x86_64 to avoid a panic.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add this information to the handoff structure so that it is available to
U-Boot proper. Update bochs and the video handoff.
Signed-off-by: Simon Glass <sjg@chromium.org>
The space here is quite tight and there is plenty of room in the ROM.
Move SPL earlier to allow for expansion.
Signed-off-by: Simon Glass <sjg@chromium.org>
QEMU can have its own internal ACPI and SMBIOS tables. At present U-Boot
copies out the SMBIOS tables but points directly to the ACPI ones.
The ACPI tables are not aligned on a 4KB boundary, which means that UPL
cannot use them directly, since it uses a reserved-memory node for the
tables and that it assumed (by EDK2) to be 4KB-aligned.
On x86, QEMU provides the tables in a mapped memory region and U-Boot
makes use of these directly, thus making it difficult to use any common
code.
Adjust the logic to fit within the existing table-generation code. Use a
bloblist always and ensure that the ACPI tables is placed in an aligned
region. Set a size of 8K for QEMU. This does not actually put all the
tables in one place, for QEMU, since it currently adds a pointer to the
tables in QFW.
On ARM, enable bloblist so that SMBIOS tables can be added to the
bloblist.
Signed-off-by: Simon Glass <sjg@chromium.org>
QEMU always gets its devicetree from the OF_BOARD mechanism so we should
not depend on !BLOBLIST here.
It's not clear why we need to have any relationship with BLOBLIST so
let's remove the entire condition.
Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: 2b71470628c dts: OF_HAS_PRIOR_STAGE should depend on !BLOBLIST
Reviewed-by: Tom Rini <trini@konsulko.com>
In contrast to some other Allwinner SoCs, there is no difference between
the DTs for the Allwinner A10s/A13 SoCs (sun5i) between the U-Boot and the
Linux kernel repository.
Remove the old copies of the A10s/A13 related .dts and .dtsi files, and
switch most of sun5i boards over to use OF_UPSTREAM.
There are two boards for which we don't have DTs in the kernel tree.
Keep those two .dts files in the legacy U-Boot DT directory, and let
their defconfig opt out of OF_UPSTREAM.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
In contrast to some other Allwinner SoCs, there is no difference between
the DTs for the Allwinner A10 SoCs (sun4i) between the U-Boot and the
Linux kernel repository.
Remove the old copies of the A10 related .dts and .dtsi files, and switch
most of sun4i boards over to use OF_UPSTREAM.
There are two boards for which we don't have DTs in the kernel tree.
Keep those two .dts files in the legacy U-Boot DT directory, and let
their defconfig opt out of OF_UPSTREAM.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Acked-by: Sumit Garg <sumit.garg@linaro.org>
In contrast to some other Allwinner SoCs, there is no difference between
the DTs for the Allwinner F1C100/F1C200 SoCs (sunvi) between the U-Boot
and the Linux kernel repository.
Remove the old copies of the F1Cx00 related .dts and .dtsi files, and
switch the whole suniv SoC over to use OF_UPSTREAM.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
In newer 1.2 PinePhone board revisions LIS3MDL magnetometer was replaced by
AF8133J. They use the same PB1 pin in different modes.
LIS3MDL uses it as an gpio input to handle interrupt.
AF8133J uses it as an gpio output as a reset signal.
It wasn't possible at runtime to enable both device tree
nodes and detect supported sensor at probe time.
AF8133J has reset pin (PB1) connected to the SoC. By default AF8133J
is in a reset state and don't respond to probe request on I2C
bus. Extra code would be needed to handle reset signal. Therefore this
code uses LIS3MDL magnetometer instead of AF8133J.
Introducing new dts 1.2b with AF8133J sensor would require probing in
SPL. That would lead to pulling in into SPL I2C controller driver,
RSB controller driver, introducing new AXP803 driver to power-up
sensors for probe. It's working, but SPL is pretty size-constrained on
A64 and doesn't have much space. Therefore fdt fixup is done in U-Boot
proper without introducing new board revision and new dts.
Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Link: https://lore.kernel.org/all/20240908214718.36316-1-andrej.skvortzov@gmail.com/
Link: https://lists.denx.de/pipermail/u-boot/2024-February/545700.html
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
[Andre: fix formatting]
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
pstore will allow users to catch kernel crashes and report them to
developers. Modern (Android) phones have pstore usually enabled to get
information about kernel crash, since it's the simplest way to get
kernel backtrace on mobile device without serial console. Usually it's
enabled by default in distribution kernels like Debian.
CONFIG_PSTORE=y
CONFIG_PSTORE_RAM=m
systemd has service that automatically handles pstore and saves them
in /var/lib/pstore for later usage.
In general any DRAM address, that isn't overwritten during a boot is
suitable for pstore.
Range from 0x40000000 - 0x50000000 is heavily used by u-boot for
internal use and to load kernel, fdt, fdto, scripts, pxefile and ramdisk
later in the boot process. Ramdisk start address is 0x4FF00000,
initramfs for kernel with some hacking features and debug info enabled
can take more than 100Mb and final address will be around 0x58000000.
Address 0x61000000 will most likely not overlap with that.
Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
So far all sunxi boards programming the DCDC1 power rail on the AXP PMIC
also set the DCDC5 rail, so we could handle both with the same DCDC1
guard.
Some boards using the AXP313 will need to set DCDC1 now as well, and
since the AXP313 only has three buck converters, there will be no DCDC5,
so this trick is not going to work anymore.
Don't try to be too clever, and just protect programming the two DCDC
rails with two separate guards.
This has the interesting side effect of fixing operation on A80 boards,
using the AXP809 PMIC. Apparently programming DCDC5 right after DCDC1,
but before the other three rails caused some glitch, which made the board
hang during Linux boot, during the PSCI handler in U-Boot. Just keeping
the old setup order (DCDC1,2,3,4,5) will make those boards boot to the
Linux prompt again.
Fixes: ffb02942fab024d4a9b6a ("sunxi: board: simplify early PMIC setup conditions")
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Chen-Yu Tsai <wens@csie.org>
The H616 DRAM controller requires some board specific parameters, which
we declare in Kconfig, let each board specify in their defconfig, and
then use in the DRAM init code.
Other DRAM controllers now require a very similar, if not identical
parameter set, with so far the same parameter names used.
To help keep the Kconfig file at bay, rename the existing parameter
names to drop the H616_ part in there, to make them more naturally
reusable for other SoCs.
No functional change, just a rename.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
With each new SoC added to the clock_sun50i_h6.h header file, we add a
list of default values for the bus clock registers. This list gets a bit
hard to read, as the spacing between the lines looks confusing.
Tighten the lines by removing empty lines, to make it more obvious which
values belong together. Also remove those comments that were more or
less duplicating the next code line, and didn't add any information.
This makes it easier to find existing values and to add support for new
SoCs.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Use this function instead of fit_image_get_emb_data() data, since it
works will FITs that use external data.
Signed-off-by: Simon Glass <sjg@chromium.org>
This function is really just getting the data. The size comes along for
the ride. In fact this function is only reliable way to obtain the data
for an image in a FIT, since the FIT may use external data.
Rename it to fit_image_get_data()
Signed-off-by: Simon Glass <sjg@chromium.org>
This function can only be used with FITs that use embedded data. Rename
it so this is clear.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Update ofnode_add_subnode() and ofnode_add_prop() to return a suitable
error when space is exhausted in the FDT. This makes it easier to see
what is going wrong.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
At some point it would be nice to have the ofnode API automatically
expand the tree as required, to accommodate new nodes. For now, expand
the default size so that UPL can be supported.
Signed-off-by: Simon Glass <sjg@chromium.org>
Update the version of this function in mkimage so that it uses a const
pointer, as is done in the mapmem.h header file.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some header files included on the host are moving to use abuf, so adjust
the header-inclusion to bring in size_t correctly.
Signed-off-by: Simon Glass <sjg@chromium.org>
In many cases it is useful to get the address of a buffer, e.g. when
booting from it. Add a function to handle this.
Signed-off-by: Simon Glass <sjg@chromium.org>
We want to encourage people to use an allocated bloblist since it is
more flexible than a fixed one. Make this the default, being sure not to
change existing users.
The unit tests require BLOBLIST_FIXED so add a dependency in the
Makefile to avoid build errors.
All sandbox builds require BLOBLIST_FIXED so make that the default for
sandbox.
Signed-off-by: Simon Glass <sjg@chromium.org>
The highlights are:
* Fixed boot regression due to broken memory parsing
* Enable HW RNG and KASLR on all platforms
* Add support for Snapdragon X1 Elite hardware (clk/pinctrl)
* Add support for QCS9100 ride automotive development platform (clk/ufs)
* Add support for PCIe on SM8550, SM8650 and X1E
* Implement software debounce for PMIC buttons
Additionally, some minor improvements to "ufetch" have been pulled in:
* Show CPU architecture (arm/mips/etc)
* Make CONFIG_BLK optional
* Fix 32-bit support
Simon Glass <sjg@chromium.org> says:
This includes various patches towards implementing the VBE abrec
bootmeth in U-Boot. It mostly focuses on introducing a relocating
SPL-loader so that VBE can run in the limited amount of SRAM available
on many devices.
Another minor new feature is support in VBE for specifying the image
phase when loading from a FIT. This allows a single FIT to include
images for several boot phases, thus simplifying image-creation.
One lingering niggle in this series is that it has a different code path
for sandbox, since it does not support the relocating jump. It should be
possible to resolve this with additional work, but I have not attempted
this so far.
For v2, I have split the first patch into 5 pieces, to make it easier to
see the code-size impact, plus added a few tweaks to reduce code size.
Again, only MMC is supported so far.
Looking ahead, series G will have some more plumbing and H some rk3399
pieces. That should be enough to complete these feature.
Here is a run in my lab, with the VBE ABrec bootmeth. You can see that
VPL runs before memory is set up. SPL sets up memory and can be upgraded
in the field reliably.
$ ub-int vbe
Building U-Boot in sourcedir for rk3399-generic
Bootstrapping U-Boot from dir /tmp/b/rk3399-generic
Writing U-Boot using method rockchip
U-Boot TPL 2025.01-rc3-00345-gdfbdbf1eb56c-dirty (Jan 08 2025 - 10:47:58)
Trying to boot from vbe_abrec
load: Firefly-RK3399 Board
Using 'config-3' configuration
Trying 'image-vpl' firmware subimage
Using 'config-3' configuration
Trying 'fdt-3' fdt subimage
U-Boot VPL 2025.01-rc3-00345-gdfbdbf1eb56c-dirty (Jan 08 2025 - 10:47:58)
Trying to boot from vbe_abrec
load: Firefly-RK3399 Board
Starting with empty state
VBE: Firmware pick A at 800000
Using 'config-3' configuration
Trying 'spl' firmware subimage
Using 'config-3' configuration
Trying 'fdt-3' fdt subimage
Channel 0: DDR3, 800MHz
BW=32 Col=10 Bk=8 CS0 Row=15 CS1 Row=15 CS=2 Die BW=16 Size=2048MB
Channel 1: DDR3, 800MHz
BW=32 Col=10 Bk=8 CS0 Row=15 CS1 Row=15 CS=2 Die BW=16 Size=2048MB
256B stride
U-Boot SPL 2025.01-rc3-00345-gdfbdbf1eb56c-dirty (Jan 08 2025 - 10:47:58 -0700)
Trying to boot from vbe_abrec
load: Firefly-RK3399 Board
VBE: Firmware pick A at 900000
load_simple_fit: Skip load 'atf-5': image size is 0!
Relocating bloblist ff8eff00 to 100000: done
ns16550_serial serial@ff1a0000: pinctrl_select_state_full: uclass_get_device_by_phandle_id: err=-19
U-Boot 2025.01-rc3-00345-gdfbdbf1eb56c-dirty (Jan 08 2025 - 10:47:58 -0700)
SoC: Rockchip rk3399
Reset cause: POR
Model: Firefly-RK3399 Board
DRAM: 4 GiB (effective 3.9 GiB)
Core: 314 devices, 33 uclasses, devicetree: separate
MMC: mmc@fe310000: 3, mmc@fe320000: 1, mmc@fe330000: 0
Loading Environment from SPIFlash... Invalid bus 0 (err=-19)
*** Warning - spi_flash_probe_bus_cs() failed, using default environment
In: serial,usbkbd
Out: serial,vidconsole
Err: serial,vidconsole
Model: Firefly-RK3399 Board
Net: PMIC: RK808
eth0: ethernet@fe300000
starting USB...
Bus usb@fe380000: USB EHCI 1.00
Bus usb@fe3a0000: USB OHCI 1.0
Bus usb@fe3c0000: USB EHCI 1.00
Bus usb@fe3e0000: USB OHCI 1.0
Bus usb@fe900000: Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.10
scanning bus usb@fe380000 for devices... 1 USB Device(s) found
scanning bus usb@fe3a0000 for devices... 1 USB Device(s) found
scanning bus usb@fe3c0000 for devices... 2 USB Device(s) found
scanning bus usb@fe3e0000 for devices... 1 USB Device(s) found
scanning bus usb@fe900000 for devices... 1 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
Hit any key to stop autoboot: 0
Link: https://lore.kernel.org/r/20250116012723.2820301-1-sjg@chromium.org
When building without DHCP/PXE configurations (NET disabled),
compilation errors may occur due to mismatched bootargs.
Ensure bootargs related to DHCP/PXE are not enabled if the
corresponding commands are disabled.
include/config_distro_bootcmd.h:443:9: error: expected ‘}’ before
‘BOOT_TARGET_DEVICES_references_PXE_without_CONFIG_CMD_DHCP_or_PXE’
443 | BOOT_TARGET_DEVICES_references_PXE_without_CONFIG_CMD_DHCP_or_PXE
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Chanho Park <parkch98@gmail.com>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
