If 0 is passed to the 'bytes' parameter in the ubi_start_update(),
there is no need to call the ubi_more_update_data(). Otherwise,
there will be a double-free of 'vol->upd_buf'.
Also check that the ubi_start_update() was called before calling
the ubi_more_update_data().
Signed-off-by: Martin Kurbanov <mmkurbanov@salutedevices.com>
ZSTD can be a better tradeoff between NAND IO operations and decompression
speed giving a better boot time.
Signed-off-by: Piotr Wojtaszczyk <piotr.wojtaszczyk@timesys.com>
Reviewed-by: Heiko Schocher <hs@denx.de>
This series brings our zlib code more up to date. However, it drops an
important performance improvement that is required on some of our
supported platforms in order to boot Linux before the watchdog resets
the system. Furthermore, the "post increment" version of this
performance loop was not tested, so while we can fix it, it would then
require re-testing all platforms. At this point in time, we will revert
updating zlib (which has had a potential security issue since 2016) and
fix this in the v2024.10 release.
This reverts commit 4914263c9a14315390d3ccc4816cf3a94cfd156d, reversing
changes made to ef8ef5f77c9a998f76a48277a883af1645b54117.
Reported-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Tom Rini <trini@konsulko.com>
Documentation:
Update requirements.txt to use current Python module versions
Add a page describing debugging U-Boot with GDB
FIT: describe data-size as a conditionally mandatory property
Correct link to FIT specification in SPL code.
Correct kaslrseed command long text description
UEFI:
Add unit test checking that don't have kaslr-seed when measuring boot
Deduplicate code for measured boot.
Other:
Print size information in fwu command
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEK7wKXt3/btL6/yA+hO4vgnE3U0sFAmaBU44ACgkQhO4vgnE3
U0s1JRAAgyxfK6mjgS0rGI3wBv9N9twxYm/+2XcBFxqywcazuls31uNs+XO+U14u
pS73qzRn4gempz8FxOEjlEhzN4ycEjlR1zpO39Z21/wq1TSGSVjnRPmGnBx5t19Y
wxtptXr1A8mnaoqv3A3seEepC3/PDNSANjo/euHwHruepVM+f9VdotqVbr4Y4kFM
qYHuIBKawjMWDy8BB0HlbMgGDDanZZKbXjus8h0RVrbHQePUgAiztZ5bQCRSp9A7
uFNVvuIKSl2SUQ3kHIL9pwYhRCOXaNTSCsyiaxwfAMkhK9Em6QP2647ddvNNKAw2
V4EUf52lTUnd527iLqjvEvKcGcrVNCoYWsKtuRS8YHk/2jn7BjPY/bHW8MCiWN3Z
sG48Cqbq+fVG0+Qk2/I68kvGYGh4S4f9AeNihtQRXaxDzrLk1jBESakzUXI52ub3
YK+aZ83t232n9pyXZe855Qxpcp5HLfg6ZtdjnB/Oqp7NpSpuPeo8FmFwZ2Nz/+5u
qk29LwA5U8gO3N3qbwjIt7FpjlYuYyo8A3kiZttOy9epSM+0YrHx7V+dx8RJPKrD
a1NT1dONWL2QhoYC5788o/L+WPJprEy38aY3LYrbdtxlbqoTV1RRg5/RVfD6D6vk
lVR+RP/l/5iCa6nw5Cls6DZcMgV7DyCtyp0uMTJDVe7L62qhBFk=
=7g5n
-----END PGP SIGNATURE-----
Merge tag 'efi-2024-10-rc1' of https://source.denx.de/u-boot/custodians/u-boot-efi into next
Pull request efi-2024-10-rc1
Documentation:
Update requirements.txt to use current Python module versions
Add a page describing debugging U-Boot with GDB
FIT: describe data-size as a conditionally mandatory property
Correct link to FIT specification in SPL code.
Correct kaslrseed command long text description
UEFI:
Add unit test checking that don't have kaslr-seed when measuring boot
Deduplicate code for measured boot.
Other:
Print size information in fwu command
Before 9d0750064e (doc: Move external FIT docs into the main body), the
FIT property data-size was not a mandatory property and still it is not
expected to be set alongside the data property.
Move the data-size property to the "Conditionally mandatory property"
section, where it actually belongs.
Signed-off-by: Bastian Germann <bage@debian.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Simon reports that after enabling all algorithms on the TPM some boards
fail since they don't have enough storage to accommodate the ~5KB growth.
The choice of hash algorithms is determined by the platform and the TPM
configuration. Failing to cap a PCR in a bank which the platform left
active is a security vulnerability. It might allow unsealing of secrets
if an attacker can replay a good set of measurements into an unused bank.
If MEASURED_BOOT or EFI_TCG2_PROTOCOL is enabled our Kconfig will enable
all supported hashing algorithms. We still want to allow users to add a
TPM and not enable measured boot via EFI or bootm though and at the same
time, control the compiled algorithms for size reasons.
So let's add a function tpm2_allow_extend() which checks the TPM active
PCRs banks against the one U-Boot was compiled with. We only allow
extending PCRs if the algorithms selected during build match the TPM
configuration.
It's worth noting that this is only added for TPM2.0, since TPM1.2 is
lacking a lot of code at the moment to read the available PCR banks.
We unconditionally enable SHA1 when a TPM is selected, which is the only
hashing algorithm v1.2 supports.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org> # chromebook-link
This function was used on measured boot to retrieve the number of active
PCR banks and was designed to work with the TCG protocols.
Since we now have the need to retrieve the active PCRs outside the
measured boot context -- e.g use the in the command line, decouple the
function.
Create one that will only adheres to TCG TSS2.0 [0] specification called
tpm2_get_pcr_info() which can be used by the TPM2.0 APIs and a new one that
is called from the measured boot context called tcg2_get_pcr_info()
[0] https://trustedcomputinggroup.org/wp-content/uploads/TSS_Overview_Common_Structures_Version-0.9_Revision-03_Review_030918.pdf
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
efi_tcg2.h already includes tpm-v2.h. Remove it
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The previous patch is moving the TPM TCG headers in their own file for
a cleaner API. Move the functions in their own file as well.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
commit 97707f12fdab ("tpm: Support boot measurements") moved out code
from the EFI subsystem into the TPM one to support measurements when
booting with !EFI.
Those were moved directly into the TPM subsystem and in the tpm-v2.c
library. In hindsight, it would have been better to move it in new
files since the TCG2 is governed by its own spec, it's overeall cleaner
and also easier to enable certain parts of the TPM functionality.
So let's start moving the headers in a new file containing the TCG
specific bits.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
commit 97707f12fdab ("tpm: Support boot measurements") moved some of the
EFI TCG code to the TPM subsystem. Those definitions are now in tpm-v2.h.
Let's remove the stale entries
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The number of random bytes generated is hard coded as 8.
The command takes no argument.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Test that we don't have a /chosen/kaslr-seed property if we measure the
device-tree.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Update all required Python packages to current release.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
It is useful when structure is also used for saving vendor data covered
by CRC32.
Signed-off-by: Michal Simek <michal.simek@amd.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tim Harvey <tharvey@gateworks.com> says:
This series will automatically add /chosen/kaslr-seed to the dt if
DM_RNG is enabled
during the boot process.
If RANDOMIZE_BASE is enabled in the Linux kernel instructing it to
randomize the virtual address at which the kernel image is loaded, it
expects entropy to be provided by the bootloader by populating
/chosen/kaslr-seed with a 64-bit value from source of entropy at boot.
If we have DM_RNG enabled populate this value automatically when
fdt_chosen is called. We skip this if ARMV8_SEC_FIRMWARE_SUPPORT
is enabled as its implementation uses a different source of entropy
that is not yet implemented as DM_RNG. We also skip this if
MEASURED_BOOT is enabled as in that case any modifications to the
dt will cause measured boot to fail (although there are many other
places the dt is altered).
As this fdt node is added elsewhere create a library function and
use it to deduplicate code. We will provide a parameter to overwrite
the node if present.
For our automatic injection, we will use the first rng device and
not overwrite if already present with a non-zero value (which may
have been populated by an earlier boot stage). This way if a board
specific ft_board_setup() function wants to customize this behavior
it can call fdt_kaslrseed with a rng device index of its choosing and
set overwrite true.
Note that the kalsrseed command (CMD_KASLRSEED) is likely pointless now
but left in place in case boot scripts exist that rely on this command
existing and returning success. An informational message is printed to
alert users of this command that it is likely no longer needed.
Note that the Kernel's EFI STUB only relies on EFI_RNG_PROTOCOL for
randomization and completely ignores the kaslr-seed for its own
randomness needs (i.e the randomization of the physical placement of
the kernel). It gets weeded out from the DTB that gets handed over via
efi_install_fdt() as it would also mess up the measured boot DTB TPM
measurements as well.
Now that kaslr-seed is automatically added to the chosen node if DM_RNG
is enabled, adjust the test to expect this.
Take care not to expect kaslr-seed for CONFIG_MEASURED_BOOT and
CONFIG_ARMV8_SEC_FIRMWARE_SUPPORT as we do not add it for those.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Cc: Michal Simek <michal.simek@amd.com>
Cc: Andy Yan <andy.yan@rock-chips.com>
Cc: Akash Gajjar <gajjar04akash@gmail.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Simon Glass <sjg@chromium.org>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Cc: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Devarsh Thakkar <devarsht@ti.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Cc: Chris Morgan <macromorgan@hotmail.com>
Use the fdt_kaslrseed function to deduplicate code doing the same thing.
Note that the kalsrseed command (CMD_KASLRSEED) is likely pointless now
but left in place in case boot scripts exist that rely on this command
existing and returning success. An informational message is printed to
alert users of this command that it is likely no longer needed.
Note that the Kernel's EFI STUB only relies on EFI_RNG_PROTOCOL for
randomization and completely ignores the kaslr-seed for its own
randomness needs (i.e the randomization of the physical placement of
the kernel). It gets weeded out from the DTB that gets handed over via
efi_install_fdt() as it would also mess up the measured boot DTB TPM
measurements as well.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Michal Simek <michal.simek@amd.com>
Cc: Andy Yan <andy.yan@rock-chips.com>
Cc: Akash Gajjar <gajjar04akash@gmail.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Simon Glass <sjg@chromium.org>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Cc: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Devarsh Thakkar <devarsht@ti.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Cc: Chris Morgan <macromorgan@hotmail.com>
Acked-by: Michal Simek <michal.simek@amd.com>
If RANDOMIZE_BASE is enabled in the Linux kernel instructing it to
randomize the virtual address at which the kernel image is loaded, it
expects entropy to be provided by the bootloader by populating
/chosen/kaslr-seed with a 64-bit value from source of entropy at boot.
If we have DM_RNG enabled populate this value automatically when
fdt_chosen is called. We skip this if ARMV8_SEC_FIRMWARE_SUPPORT
is enabled as its implementation uses a different source of entropy
that is not yet implemented as DM_RNG. We also skip this if
MEASURED_BOOT is enabled as in that case any modifications to the
dt will cause measured boot to fail (although there are many other
places the dt is altered).
Note that the Kernel's EFI STUB only relies on EFI_RNG_PROTOCOL for
randomization and completely ignores the kaslr-seed for its own
randomness needs (i.e the randomization of the physical placement of
the kernel). It gets weeded out from the DTB that gets handed over via
efi_install_fdt() as it would also mess up the measured boot DTB TPM
measurements as well.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Michal Simek <michal.simek@amd.com>
Cc: Andy Yan <andy.yan@rock-chips.com>
Cc: Akash Gajjar <gajjar04akash@gmail.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Simon Glass <sjg@chromium.org>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Cc: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Devarsh Thakkar <devarsht@ti.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Cc: Chris Morgan <macromorgan@hotmail.com>
If RANDOMIZE_BASE is enabled in the Linux kernel instructing it to
randomize the virtual address at which the kernel image is loaded, it
expects entropy to be provided by the bootloader by populating
/chosen/kaslr-seed with a 64-bit value from source of entropy at boot.
Add a fdt_kaslrseed function to accommodate this allowing an existing
node to be overwritten if present. For now use the first rng device
but it would be good to enhance this in the future to allow some sort
of selection or policy in choosing the rng device used.
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Michal Simek <michal.simek@amd.com>
Cc: Andy Yan <andy.yan@rock-chips.com>
Cc: Akash Gajjar <gajjar04akash@gmail.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Simon Glass <sjg@chromium.org>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Cc: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Devarsh Thakkar <devarsht@ti.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Cc: Chris Morgan <macromorgan@hotmail.com>
Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
Simon Glass <sjg@chromium.org> says:
This series includes fixes to get some rockchip and nvidia boards
working again. It also drops the broken Beaglebone Black config and
provides a devicetree fix for coral (x86).
Now that am335x_evm boots OK on the Beaglebone black, drop the latter
and update the docs to cover the change.
Also add a few updates about 'make fit' and drop the note about the
security review, as U-Boot's verified boot has had quite extensive
review now.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
This causes a hang, so disable it. Unfortunately the RAM-size fix does
not resolve the problem and I am unsure what is wrong. As soon as the
cache is enabled the board appears to hang.
Fixes: 6d8cdfd1536 ("rockchip: spl: Enable caches to speed up checksum validation")
Signed-off-by: Simon Glass <sjg@chromium.org>
The dcache may not be enabled in SPL. Add a check to avoid trying to
use an undefined function.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
With a recent change, regulators_enable_boot_on() returns an error if a
regulator is already set. Check for and handle this situation.
Fixes: d99fb64a98a power: regulator: Only run autoset once for each regulator
Reviewed-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Jonas Karlman <jonas@kwiboo.se>
Add better logging for power init so that CONFIG_LOG_ERROR_RETURN can
be enabled.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Set a size limit for this board so that we get a build error if it grows
too much.
Note that the limit is approximately, since it does not include the FDT,
microcode and fdtmap, which can change in size. However this board is
fairly stable, so overflowing this limit will likely result in the image
not fitting in the ROM space available for U-Boot.
Signed-off-by: Simon Glass <sjg@chromium.org>
It does not make sense to enable all SHA algorithms unless they are
needed. It bloats the code and in this case, causes chromebook_link to
fail to build. That board does use the TPM, but not with measured boot,
nor EFI.
Since EFI_TCG2_PROTOCOL already selects these options, we just need to
add them to MEASURED_BOOT as well.
Note that the original commit combines refactoring and new features,
which makes it hard to see what is going on.
Fixes: 97707f12fda tpm: Support boot measurements
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Simon Glass <sjg@chromium.org>
This cannot be enabled early in boot since some other init is needed.
At this point it is unclear exactly what init is needed, so disable
the debug UART to avoid a hang.
Signed-off-by: Simon Glass <sjg@chromium.org>
RAM init on mt7622 based bananapi R64 is broken since v2023.10.
Increasing the mem-map does not help here, so i reduced the maximum
available ram in get_ram_size call from 2G to 1G (board has only 1G).
Fixes: 5fd6d4c7b3ad ("arm: mediatek: retrieve ram_base from dts node for armv8 platform")
Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
Padmarao is leaving Microchip soon, and suggested that I should take
over maintaining the Icicle in U-Boot in his stead.
Suggested-by: Padmarao Begari <padmarao.begari@microchip.com>
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
There is confusion in this function between the flag and state_mask
parameters, which prevents the boot from actually happening. Correct
this by using state_mask instead of flag for deciding which states to go
through.
This fixes booting of some 32-bit Debian kernels.
Note: Some sort of CI for this is in the works.
Fixes: 228c6722d44 ("x86: zboot: Avoid iteration in do_zboot_states()")
Signed-off-by: Simon Glass <sjg@chromium.org>
In case when either gpt_verify_headers() or gpt_verify_partitions()
fails, the memory allocated for gpt_pte will be freed in those functions
internally, but gpt_pte will still contain non-NULL dangling pointer.
The attempt to free it in those cases in gpt_verify() leads to "use
after free" error, which leads to a "Synchronous abort" exception.
This issue was found by running the next command on the device with
incorrect partition table:
=> gpt verify mmc 0 $partitions
which results to:
No partition list provided - only basic check
"Synchronous Abort" handler, esr 0x96000021, far 0xba247bff
....
Fix the issue by only freeing gpt_pte if none of those functions failed.
Fixes: bbb9ffac6066 ("gpt: command: Extend gpt command to support GPT table verification")
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
After adding the U_BOOT_LONGHELP macro some new commands came in still
that were not making use if it. Switch these cases over and in a few
places add missing newlines as well.
Signed-off-by: Tom Rini <trini@konsulko.com>
The property isn't useful in VPL/SPL/TPL as it is only for U-Boot proper
pre-reloc, which has its own DTB.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
The last usage of the DV_TIMER_ and DV_WDT_ definitions were removed in
commits 8d7757637138 ("ARM: davinci: remove support for cam_enc_4xx")
and cef443c1666c ("arm: davinci: remove leftover code for dm* SoCs"),
respectively.
Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
The davinci_hw_watchdog_ functions are defined but never called from
anywhere. Commit 881ae794b93b ("calimain: remove board") eliminated the
last call to these functions.
Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
Fix btrfs_read/read_and_truncate_page write out of bounds of destination
buffer. Old behavior break bootstd malloc'd buffers of exact file size.
Previously this OOB write have not been noticed because distroboot usually
read files into huge static memory areas.
Signed-off-by: Alex Shumsky <alexthreed@gmail.com>
Fixes: e342718 ("fs: btrfs: Implement btrfs_file_read()")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Dhruva Gole <d-gole@ti.com> says:
Add symlinks for both tiboot3.bin and tispl.bin because a user has to
anyway rename these files to get the platform to boot up.
Also update the documentation to reflect above change.
Rename the boot bins as the _unsigned postfixes are not longer
required. We have symlinks in place for having generic names for all the
boot bins now.
Signed-off-by: Dhruva Gole <d-gole@ti.com>
