A malformed FIT image could have an image name property that is not NUL
terminated. Reject such images.
Reported-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: E Shattow <e@freeshell.de>
The change in commit 3704b888a4 ("common/spl: fix potential out of buffer
access in spl_fit_get_image_name function") led to function
spl_fit_get_image_name() no longer detecting if a property does not exist
at a non-zero buffer.
Link: https://lore.kernel.org/u-boot/38f5d078-3328-4bdb-9c95-4fb5fe89ddc2@gmx.de/T/#m59f3a23e675daa992c28d12236de71cae2ca2bb9
Fixes: 3704b888a4 ("common/spl: fix potential out of buffer access in spl_fit_get_image_name function")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: E Shattow <e@freeshell.de>
Commit 6fe50e3950 ("arm: asm/system.h: mrc and mcr need .arm if
__thumb2__ is not set") is not a proper fix for the LTO link error
mentioned in its description. It causes 32-bit arm instructions to be
mixed with thumb instructions, which the Kirkwood SoCs do not support.
For example, board_init_r() is mostly generated in Thumb-1 mode as
expected since the build flags contain -mthumb -mthumb-interwork. The
MCR instruction corresponding to writefr_extra_feature_reg() is also
correcly emitted as a 32-bit ARM instruction (it cannot be encoded in
Thumb-1 anyways). The problem is, the compiler inlines the MCR without
generating the BX or BLX instruction which are needed to transition
between the ARM and the Thumb-1 states. From the objdump output:
006186a0 <board_init_r>:
board_init_r():
/home/jerome/work/u-boot/common/board_r.c:799
6186a0: b5f0 push {r4, r5, r6, r7, lr}
6186a2: b0ab sub sp, #172 @ 0xac
get_gd():
/home/jerome/work/u-boot/./arch/arm/include/asm/global_data.h:127
6186a4: 464a mov r2, r9
...
/home/jerome/work/u-boot/arch/arm/mach-kirkwood/cpu.c:242
619aae: 9b15 ldr r3, [sp, #84] @ 0x54
writefr_extra_feature_reg():
/home/jerome/work/u-boot/./arch/arm/include/asm/arch/cpu.h:100
619ab0: ee2f3f11 mcr 15, 1, r3, cr15, cr1, {0}
^^^^^^^^
32-bit ARM instruction
Further investigation is needed to understand how to fix the issue so
that the code size is minimal for all boards. In the mean time, this
fix disables LTO for the two problematic files (common/board_f.c and
common/board_r.c). This makes the Kirkwood-based boards bootable again.
The binary size is increased by 1048 bytes which is perfectly
acceptable.
Fixes: 6fe50e3950 ("arm: asm/system.h: mrc and mcr need .arm if __thumb2__ is not set")
Reported-by: Tony Dinh <mibodhi@gmail.com>
Tested-by: Tony Dinh <mibodhi@gmail.com>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
This fix a possible NULL pointer dereference.
There is also a risk of memory leaking within the same portion of code.
The leak will happen if loaded image is bad or damaged. In this case
u-boot-spl will try booting from the other available media. Unfortunately
resources allocated for previous boot media will NOT be freed.
We can't fix that issue as the memory allocation mechanism used here
is unknown. It can be different kinds of malloc() or something else.
To somewhat reduce memory consumption, one can try to reuse previously
allocated memory as it's done in board_spl_fit_buffer_addr() from
test/image/spl_load.c.
The corresponding comment was put to the code as well.
Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Reviewed-by: Anshul Dalal <anshuld@ti.com>
load_simple_fit() returns -EPERM for the images with broken signatures.
Unfortunately this may conflict with image loaging selection on the base
of boot phase. See commit 873112db9c
("spl: Support selecting images based on phase in simple FIT").
Thus loading of
configurations {
uboot {
description = "u-boot";
firmware = "atf";
loadables = "atf", "tee", "uboot";
};
};
with damaged "tee" image may finish without errors. This may results in
board bricking.
This patch fixes commit 873112db9c
("spl: Support selecting images based on phase in simple FIT")
by replacing EPERM with EBADSLT places where it should be done.
Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
The current code have two issues:
1) ineffective NULL pointer check
str = strchr(str, '\0') + 1
if (!str || ...
The str here will never be NULL (because we add 1 to result of strchr())
2) strchr() may go out of the buffer for the special forms of name variable.
It's better use memchr() function here.
According to the code the property is a sequence of C-string like
shown below:
'h', 'e', 'l', 'l', 'o', '\0', 'w', 'o', 'r', 'l', 'd', '\0', '!', '\0'
index is the string number we are interested, so
index = 0 => "hello",
index = 1 => "world",
index = 2 => "!"
The issue will arrise if last string for some reason have no terminating
'\0' character. This can happen for damaged or specially crafted dtb.
Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
Reviewed-by: Tom Rini <trini@konsulko.com>
The condition here is reversed, which makes link and coral very slow,
leading to lab failures.
Fixes 6c171f7a18 ("common: board: make initcalls static")
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Apart from ENOENT observing return value as ENOSYS when
!DM_REGULATOR that's why cover both configurations.
Changed code is not working as operation should be "&&"
not "||" (ret != -ENOENT && ret != -ENOSYS).
Also fix the remove function where the regulator_set_enable_if_allowed()
function is returning an error.
Signed-off-by: Padmarao Begari <padmarao.begari@amd.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Signed-off-by: Michal Simek <michal.simek@amd.com>
Link: https://lore.kernel.org/r/a2d520f14efc30fc28ec59881205e156dabbfcd9.1744350937.git.michal.simek@amd.com
Commit 2a00d73d08 ("spl: mmc: Try to clean up raw-mode options") breaks
the boot of the BSH SMM S2 board. As stated in the commit itself, "Some
boards use this value even though MMC is not enabled in SPL, for example
imx8mn_bsh_smm_s2".
Support load of the U-Boot image from raw NAND sector. This is equivalent
to load from MMC raw sector.
Fixes: 2a00d73d08 ("spl: mmc: Try to clean up raw-mode options")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Similar to AArch64's case, Clang may wrongly fold accesses to gd pointer
which is defined with register qualifier into constants, breaking
various components.
This patch defines gd as a macro when building with Clang or LTO, which
expands to get_gd() that accesses gp pointer in assembly, making RISC-V
ports function properly and preparing for introduction of LTO in the
future. Board initialization code is also adapted for non-assignable gd.
Reported-by: Nathaniel Hourt <I@nathaniel.land>
Signed-off-by: Yao Zi <ziyao@disroot.org>
Reviewed-by: Leo Yu-Chi Liang <ycliang@andestech.com>
Now that cyclic_unregister() is safe to call on a not-registered
cyclic_info, we can make cyclic_register() behave like the mod_timer()
and hrtimer_start() APIs in linux, in that they don't distinguish
between whether the timer was already enabled or not; from the point
of the call it is, with whatever timeout/period is set in that most
recent call.
This avoids users of the cyclic API from separately keeping track of
whether their callback is already registered or not, and even if they
know it is, can be used for changing the period (and/or the callback
function) without first doing unregister().
See also this recent'ish message from kernel maintainer Thomas
Gleixner on that API design for timer frameworks:
https://lore.kernel.org/lkml/87ikn6sibi.ffs@tglx/
First of all the question is whether add() and mod() are really
valuable distinctions. I'm not convinced at all. Back then, when we
introduced hrtimers, we came to the conclusion that hrtimer_start()
is sufficient.
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Reviewed-by: Stefan Roese <sr@denx.de>
Make cyclic_unregister() safe to call with an already unregistered, or
possibly never registered, struct cyclic_info. This is similar to how
the various timer APIs in the linux kernel work (they all allow
calling delete/cancel/... on an inactive timer object).
This means callers don't have to separately keep track of whether
their cyclic callback is registered or not, and avoids them trying to
peek into the struct cyclic_info for that information - which leads to
somewhat ugly code as it would have to be guarded by ifdef
CONFIG_CYCLIC.
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Reviewed-by: Stefan Roese <sr@denx.de>
Almost all Rockchip boards use the same Kconfig value for SPL_PAD_TO,
0x7f8000.
u-boot-rockchip.bin is typically written to offset 64S (32KiB) of MMC
media. u-boot.itb (or u-boot.img) is typically expected at offset 16384S
(8MiB) of MMC media (SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR=0x4000).
SPL_PAD_TO is used as the offset for u-boot.itb (or u-boot.img) in the
generated simple-bin binman image, and can be calculated as:
SPL_PAD_TO = (16384S - 64S) * 512 = 0x7f8000
Add this value as a default value for ARCH_ROCKCHIP.
Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
When SPL loading image to secure region, for example, ATF and tee to
DDR secure region. Because the USDHC controller is non-secure master,
it can't access this region and will cause loading issue.
So use a trampoline buffer in non-secure region, then use CPU to copy the
image from trampoline buffer to destination secure region.
Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Alice Guo <alice.guo@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Add a console_printf_select_stderr() function so that it is not
necessary for the caller to process the format string.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Caleb Connolly <caleb.connolly@linaro.org> says:
Introduce a new event to signal that the live tree has been built,
allowing boards to perform fixups on the tree before devices are bound.
Crucially this allows for devices to be enabled or disabled, but also
allows for properties that are parsed during the bind stage to be
modified (such as dr_mode for dwc3).
With this in place, mach-snapdragon is switched over to use the event
and some hacky U-Boot specific DT overrides (which had to be undone
prior to booting an image) are removed in favour of fixing up the
livetree (which is not passed on to further boot stages).
Finally, some minor fixes are made for the QCM2290 RB1 board, the sdcard
is enabled and it now uses USB host mode in U-Boot like it's bigger
sibling the RB2.
Link: https://lore.kernel.org/r/20250411-livetree-fixup-v2-0-1236823377bb@linaro.org
OF_LIVE offers a variety of benefits, one of them being that the live
tree can be modified without caring about the underlying FDT. This is
particularly valuable for working around U-Boot limitations like lacking
USB superspeed support on Qualcomm platforms, no runtime OTG, or
peripherals like the sdcard being broken (and displaying potentially
worrying error messages).
Add an event to signal when the live tree has been built so that we can
apply fixups to it directly before devices are bound.
Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
CONFIG_SYS_NONCACHED_MEMORY is defined as hex, not bool. It should be
replaced with CONFIG_SYS_HAS_NONCACHED_MEMORY when switched from #ifdef to
CONFIG_IS_ENABLED().
Fixes: 6c171f7a18 (common: board: make initcalls static)
Signed-off-by: Weijie Gao <weijie.gao@mediatek.com>
Tested-by: Marcel Ziswiler <marcel.ziswiler@codethink.co.uk> # rock5b
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
SPL_TEXT_BASE is used as the load address for the main domain SPL on k3
platforms.
Since the config value is the same for every board, this patch sets the
value 0x80080000 as default for all 64-bit ARCH_K3, 0x43c00000 as
default for the R5 cores and deletes the instances of SPL_TEXT_BASE in
individual defconfigs.
Signed-off-by: Anshul Dalal <anshuld@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Jerome Forissier <jerome.forissier@linaro.org> says:
This series introduces threads and uses them to improve the performance
of the USB bus scanning code and to implement background jobs in the
shell via two new commands: 'spawn' and 'wait'.
The threading framework is called 'uthread' and is inspired from the
barebox threads [2]. setjmp() and longjmp() are used to save and
restore contexts, as well as a non-standard extension called initjmp().
This new function is added in several patches, one for each
architecture that supports HAVE_SETJMP. A new symbol is defined:
HAVE_INITJMP. Two tests, one for initjmp() and one for the uthread
scheduling, are added to the lib suite.
After introducing threads and making schedule() and udelay() a thread
re-scheduling point, the USB stack initialization is modified to benefit
from concurrency when UTHREAD is enabled, where uthreads are used in
usb_init() to initialize and scan multiple busses at the same time.
The code was tested on arm64 and arm QEMU with 4 simulated XHCI buses
and some devices. On this platform the USB scan takes 2.2 s instead of
5.6 s. Tested on i.MX93 EVK with two USB hubs, one ethernet adapter and
one webcam on each, "usb start" takes 2.4 s instead of 4.6 s.
Finally, the spawn and wait commands are introduced, allowing the use of
threads from the shell. Tested on the i.MX93 EVK with a spinning HDD
connected to USB1 and the network connected to ENET1. The USB plus DHCP
init sequence "spawn usb start; spawn dhcp; wait" takes 4.5 seconds
instead of 8 seconds for "usb start; dhcp".
[1] https://patchwork.ozlabs.org/project/uboot/list/?series=446674
[2] https://github.com/barebox/barebox/blob/master/common/bthread.c
Link: https://lore.kernel.org/r/20250418141114.2056981-1-jerome.forissier@linaro.org
Make the schedule() call from the CYCLIC framework a uthread scheduling
point too. This makes sense since schedule() is called from a lot of
places where uthread_schedule() needs to be called.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Stefan Roese <sr@denx.de>
initr_net() initalizes the network devices by calling eth_initalize().
There is no good reason to disable this if no command line interface is
present.
Let initr_net() depend on CONFIG_NET || CONFIG_NET_LWIP.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
As the code is today, we get a warning about "select" statements on
"choice" options not doing anything. However, it also works as intended
because SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR is the default option
within that choice statement. To guard against future regressions, make
the choice statement in common/spl/Kconfig have an explicit default if
MVEBU_SPL_BOOT_DEVICE_MMC.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Stefan Roese <sr@denx.de>
Add a check for CONFIG_SKIP_RELOCATE in reserve_uboot to skip the
relocation of the U-Boot image.
CONFIG_SKIP_RELOCATE skips relocation of U-Boot to the end of RAM
allowing for systems that have extremely limited RAM to run U-Boot.
Signed-off-by: Jesse Taube <Mr.Bossman075@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
iomux_match_device() returns -ENOENT instead of the end index, which means
console_stop() is never called at the moment for unused consoles.
This prevents e.g. f_acm from releasing the USB gadget interface when
removing it from stdio/stderr/stdin.
Fixes: b672c1619b ("IOMUX: Split out iomux_match_device() helper")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Jerome Forissier <jerome.forissier@linaro.org> says:
This series replaces the dynamic initcalls (with function pointers) with
static calls, and gets rid of initcall_run_list(), init_sequence_f,
init_sequence_f_r and init_sequence_r. This makes the code simpler and the
binary slighlty smaller: -2281 bytes/-0.21 % with LTO enabled and -510
bytes/-0.05 % with LTO disabled (xilinx_zynqmp_kria_defconfig).
Execution time doesn't seem to change noticeably. There is no impact on
the SPL.
The inline assembly fixes, although they look unrelated, are triggered
on some platforms with LTO enabled. For example: kirkwood_defconfig.
CI: https://source.denx.de/u-boot/custodians/u-boot-net/-/pipelines/25514
Link: https://lore.kernel.org/r/20250404135038.2134570-1-jerome.forissier@linaro.org
Change board_init_f(), board_init_f_r() and board_init_r() to make
static calls instead of iterating over the init_sequence_f,
init_sequence_f_r and init_sequence_r arrays, respectively. This makes
the code a simpler (and even more so when initcall_run_list() is
later removed) and it reduces the binary size as well. Tested with
xilinx_zynqmp_kria_defconfig; bloat-o-meter results:
- With LTO
add/remove: 106/196 grow/shrink: 10/28 up/down: 31548/-33829 (-2281)
Total: Before=1070471, After=1068190, chg -0.21%
- Without LTO
add/remove: 0/54 grow/shrink: 3/0 up/down: 2322/-2832 (-510)
Total: Before=1121723, After=1121213, chg -0.05%
Execution time does not change in a noticeable way.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEtlGhRjxqvtBpDFXNBYMxKxlfZLYFAmf5HL8ACgkQBYMxKxlf
ZLaY6A//Ry5wkX1f/WTVFUO6gBJQom6hsEpkNgYwtgzaWOWhqvR53e5sbsiMPKnO
5BRtKhrs0Jp2/kl06+k5tsGQbr3rogvwNS9m8DFyF2Hfq7uT2ooQKzxeBM9MaGhI
p+7d92JjcHeYP7ejWcoAnag0ZvM/3iofdsrRcGsFjbYbcbAkBtAUDj2RqaZFIAFk
A6g6/IZ62K6QH24oAMPv5yR4ru2tfzRMJHdZh79FHMXNp9wOLgMsHAV8NToQ/ZHU
ACn9EHc4g9aI8h8gXPTEjCzOx6saYcmV+zzn0mSeICCSbOqvJ/C2/96NUlD5BW8/
XFIeuBNgnHyxv4O3idFpyaxF34SMp2j2dDAIQFLN+0lG1M1Zi75pqf9UzlSvvSjm
d1xd/LbrOEwNEyTKG7Ss0e3nf03lP22s2COpFUPJAijkfRZ8K/Y8RISeQv+MJKwa
AZqYofLua0Uo0kuKTiHuOdD5oWUxmEcjtisaP/X9hcXWteTillntp120qm/a93s2
X015V56B/e2+uf9xAQW+iqnrcgpMGKffqbs7tVhVr3SDTDa+c4/c6EXX2naqzgDQ
T/S0hetOONuNXZvyAguUq5HKNI0IoC+OZQhA1uIgq+JyV/7qgENyrERlt29435cg
NAr+410m0OKYUGHz5xwLSUh2j68v/4fZj7I4nZt4eYjEfYk/2dI=
=Ep2x
-----END PGP SIGNATURE-----
Merge tag 'qcom-for-2025.07' of https://source.denx.de/u-boot/custodians/u-boot-snapdragon
Qualcomm changes for v2025.07:
CI: https://source.denx.de/u-boot/custodians/u-boot-snapdragon/-/pipelines/25653
There's been a surprising amount of activity lately on the Qualcomm
side with the two oldest boards getting some fresh attention and a lot
of cleanup and polish going on across the board.
* SDM660 gets USB phy fixes and a pinctrl driver
* The recently added SA8775P/QCS9100 SoC gets a pinctrl driver
* The Qualcomm pinctrl driver now handles reserved pins correctly,
fixing crashes on some boards when running "gpio status -a"
* OF_UPSTREAM_BUILD_VENDOR is enabled in qcom_defconfig
* SDM845 and SC7280 get missing clocks added (since we're now stricter
about those). This gets USB working more reliably in more cases.
* DM_USB_GADGET is enabled for all boards using DWC3 and fasbtoot is
enabled too
* A bug in the livetree fixup code is fixed (making USB work on a lot
more platforms)
* Button label lookup is made case insensitive* bootretry becomes more dynamic, allowing it to be hijacked to make a
"persistent" boot menu that allows dropping to U-Boot shell later on
* A new qcom-phone.config fragment is added along with a phone-specific
default environment and phone-specific debugging/bringup docs. These
make U-Boot more usable on devices without a serial port or keyboard.
* The db820c gets fixed up and updated documentation
* The db410c also gets some love and modernisation as well as a new
reviewer.
* A new driver is added for the USB VBUS regulator found on various
Qualcomm PMICs
* The Qualcomm SPMI driver gets some fixes and cleanup for SPMI v5 and
v7 support.
Documentation:
* Update authenticated capsules documentation
UEFI:
* add support for loading FIT images including initrd
- efi_loader: efi_load_initrd: provide a memory mapped initrd
- efi_loader: binary_run: register an initrd
- bootm: add support for initrd in do_bootm_efi
* efi_selftest: remove un-needed NULL checks
* efi: Fix efiboot for payloads loaded from memory
* Print extra information from the bootmgr
* Move public cert for capsules to .rodata
* set EFI capsule dfu_alt_info env explicitly
* Make FDT extra space configurable
* Install the ACPI table from the bloblist
* Handle GD_FLG_SKIP_RELOC
* handle malloc() errors
Others:
* acpi: select CONFIG_BLOBLIST
* smbios: select CONFIG_BLOBLIST
* xilinx: dfu: Fill directly update_info.dfu_string
* cmd: fwu: Dump custom fields from mdata structure
* board: remove capsule update support in set_dfu_alt_info()
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEK7wKXt3/btL6/yA+hO4vgnE3U0sFAmf5ELMACgkQhO4vgnE3
U0tr9g/7B1F/aMYr7TB8Pf+fKM4lTbajdJyH+J4iHOZ22B76oW0DFVJNnVP9KIxp
ioLUO6tdb80wrmL+/rZAkWdNpbNco6j7huGwhe29R3TRyf43+PZHm2hpqunY/Orc
/Ub3S0u01nH0deWiEMuJ0YZexRYWTPZJogYjTLTfHsRyXdQhWbcUhPECsEaDXBhA
3ISp18cl3WQiU+aSAcI6S5xo+Xo0Q06DLDhRKs0WudgEM+Y4b0zlyj8pRA2GNwVX
ehvdfowsEbzZTBCyIbBfb8jWASw/vDLxtnlSaUG63g/hvllNdM1eXJrlcXdvv8VU
95wY8cYg49TpQTPYF4hlFzpO4XdxqU0z//FNsLrCV8kcXQKlLiK7eAF8/I+cZCQC
A/Xq8ZmkYcljOrsDNdBB9sCOVEQux9mf897kUHA3FFSg0fnvdgmkT2YTW447MvXJ
eoCRaccMkg5DXZ/gBkiG3nIFgXDwRmSNz9KqYj6zKvhNRGkwVLD3/3brZWNWz009
d4amO0aeVFaPioelm7sGzecJMj2IE5FuB66gloqfAsecWHQqfUX4+MZpH3BLPfek
O0c0bi6Rw7aAowBDF4Q8LOQE0jL84gWHbv7URGY3O9aufirBgn3Zjxd701XrbGWA
/y5kIEMZf1Z31gpgSUM4TuO51Op8vlUit9wD5prvwi84Sh013yo=
=bdEe
-----END PGP SIGNATURE-----
Merge tag 'efi-2025-07-rc1' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request efi-2025-07-rc1
CI:
* https://source.denx.de/u-boot/custodians/u-boot-efi/-/pipelines/25648
Documentation:
* Update authenticated capsules documentation
UEFI:
* Add support for loading FIT images including initrd
- efi_loader: efi_load_initrd: provide a memory mapped initrd
- efi_loader: binary_run: register an initrd
- bootm: add support for initrd in do_bootm_efi
* efi_selftest: remove un-needed NULL checks
* efi: Fix efiboot for payloads loaded from memory
* Print extra information from the bootmgr
* Move public cert for capsules to .rodata
* Set EFI capsule dfu_alt_info env explicitly
* Make FDT extra space configurable
* Install the ACPI table from the bloblist
* Handle GD_FLG_SKIP_RELOC
* Handle malloc() errors
Others:
* acpi: select CONFIG_BLOBLIST
* smbios: select CONFIG_BLOBLIST
* xilinx: dfu: Fill directly update_info.dfu_string
* cmd: fwu: Dump custom fields from mdata structure
* board: remove capsule update support in set_dfu_alt_info()
Introduce a new config option: RETRY_BOOTCMD. When enabled this causes
hush shell to re-run "bootcmd" when the auto-boot counter times out.
Tested-by: Danila Tikhonov <danila@jiaxyga.com> # google-sunfish
Tested-by: Jens Reidel <adrian@mainlining.org> # xiaomi-davinci
Link: https://lore.kernel.org/r/20250331-qcom-phones-v4-2-f52e57d3b8c6@linaro.org
Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
If the EFI runtime services pointers are relocated even though
relocation is skipped, it corrupts some other data resulting in some
unexpected behaviour.
In this specific case, it overwrote some page table entries resulting in
the device memory address range's mappings getting removed. Eventually,
after the completion of efi_runtime_relocate(), when a driver tries to
access its device's registers it crashes since the mappings are absent.
Signed-off-by: Varadarajan Narayanan <quic_varada@quicinc.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
In console_setfile(), there is some #ifdef'ed code, updating monitor
functions for a U-Boot proper build. This is called inside a switch/case
statement, but the closing "break;" is inside the #ifdef section.
This doesn't look right: we should not fall through to the error case
for an SPL/TPL build.
Move the "break" to be always effective, solving a compiler warning about
an untagged implicit fallthrough.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Andre Przywara <andre.przywara@arm.com> says:
C's implicit fallthrough behaviour in switch/case statements can lead to
subtle bugs. Quite some while ago many compilers introduced warnings in
those cases, requiring intentional fallthrough's to be annotated.
So far we were not enabling that compiler option, so many ambiguities
and some bugs in the code went unnoticed.
This series adds the required annotations in code paths that the first
stage of the U-Boot CI covers. There is a large number of cases left
in the libbz2 code. The usage of switch/case is borderline insane there,
labels are hidden in macros, and there are no breaks, but just goto's.
Upstream still uses very similar code, without any annotations. I still
am not 100% sure those are meant to fall through or not, and plan to do
further investigations, but didn't want to hold the rest of the patches
back. You can see for yourself by applying patch 18/18 and building for
sandbox64, for instance.
Because of this we cannot quite enable the warning in the Makefile yet,
but those fixes are worth regardless, and be it to increase readability.
Please note that those patches do not fix anything, really, they just add
those fallthrough annotations, so the series is not really critical.
Link: https://lore.kernel.org/r/20250327153313.2105227-1-andre.przywara@arm.com
In some cases in the generic code, we were already using switch/case
fallthrough annotations comments, though in a way which might not be
understood by most compilers.
Replace two non-standard /* no break */ comments with our fallthrough;
statement-like macro, to make this visible to the compiler.
Also use this macro in place of an /* Fall through */ comment, to be
more consistent.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Depending on the various MMC boot configurations, we might end up with
trying filesystem mode when a raw image boot failed. This fall-through
in the switch/case statement is explained in a comment, but this is not
visible to the compiler, which still will complain.
Add the proper compiler-visible annotation, to allow enabling the
compiler check in the future.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Neha Malcom Francis <n-francis@ti.com> says:
This short series is an ongoing effort to make RAM utilization clearer for
easier debugging and understanding of code. Intention is for users to quickly
be able to identify the CONFIGs needed to modify for their RAM usecase.
Link: https://lore.kernel.org/r/20250319140327.301266-1-n-francis@ti.com
The message "DRAM: 2 GiB (effective 32 GiB)" can be a little confusing,
modify the message s/effective/total to make it more evident.
Signed-off-by: Neha Malcom Francis <n-francis@ti.com>
Simon Glass <sjg@chromium.org> says:
The membuff implementation curently has no tests. It also assumes that
head and tail can never correspond unless the buffer is empty.
This series provides a compile-time flag to support a 'full' flag. It
also adds some tests of the main routines.
The data structure is also renamed to membuf which fits better with
U-Boot.
There may be some cases in the code which could be optimised a little,
but the implementation is functional.
Link: https://lore.kernel.org/r/20250318152059.1464369-1-sjg@chromium.org
The double 'f' is not necessary and is a bit annoying as elsewhere in
U-Boot we use 'buf'. Rename all the functions before it is used more
widely.
Signed-off-by: Simon Glass <sjg@chromium.org>
Sam Edwards <cfsworks@gmail.com> says:
This is v2 of my "misc. fixes" series, sent to prepare the codebase for more
direct LLVM support in the near future. This series contains several fixes that
I found in the process of preparing that support and which address issues
independent of any future feature or enhancement. I am sending these now, both
so that their inclusion is not delayed by discussion on my upcoming series and
to make the latter more manageable.
Link: https://lore.kernel.org/r/20250315221813.1265193-1-CFSworks@gmail.com
While the image size is generally a multiple of 8 bytes, this is not
actually guaranteed; some linkers (like LLD) will shave a few bytes off
of the end of output sections if there are no content bytes there. Since
libfdt imposes a hard rule of 8-byte alignment, make the SPL also be
explicit about the alignment when loading the FDT.
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
libfdt 1.6.1+ requires the FDT to be 8-byte aligned and returns an error
if not. OpenSBI 1.0+ includes this version of libfdt and will also
reject misaligned FDTs.
However, OpenSBI cannot indicate the error to the user: since it cannot
access the serial console, it can only silently hang. This proved very
difficult to diagnose without proper debugging facilities. Therefore,
give the U-Boot SPL, which *can* print error messages, an additional
check for proper FDT alignment. Hopefully this saves a lot of
development cycles if another developer encounters alignment problems.
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
During linux build process the header size is computed including the BSS
whereas it's removed when creating the uncompressed image. Therefore the
size of the uncompressed image on filesystem will be smaller than the
size specified in the header.
This causes issues when loading the kernel image from the SPL (as in
falcon boot) with spl_load since it compares the read file size from the
FS to the header size form the image. Which leads to the following check
in `include/spl_load.h` failing to -EIO when loading kernel image:
return read < spl_image->size ? -EIO : 0;
Therefore we should return the header size back to spl_load instead of
the file size in falcon boot when not loading a FIT image.
Bug report:
https://lore.kernel.org/u-boot/20250214111656.2358748-1-anshuld@ti.com/
Fixes: 775074165d ("spl: Add generic spl_load function")
Reported-by: Anshul Dalal <anshuld@ti.com>
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Anshul Dalal <anshuld@ti.com>
CFG_SYS_SPI_* are used in falcon boot to specify the offsets and size of
the respective payloads. This patch moves them to Kconfig keeping the
values consistent for each of the affected boards.
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Anshul Dalal <anshuld@ti.com>
Assorted fixes, refactorings and additions that are ready, and shave
off some load from upcoming series'.
Improves MMC performance on D1/T113 (missed clock divider), enables
eMMC access on the H616 family (never worked, many thanks to Jernej for
the fix!), DRAM detection fixes for the H616 (now reportedly stable).
Some patches for the upcoming Allwinner A133 SoC support: a few
refactorings, plus the DM clock and pinctrl driver. The DRAM init
routines work, but need some more polishing, that also holds back the
actual enablement patch, which will hopefully follow for v2025.07 still.
Also some preparatory patches for the Allwinner A523 SoC support, for
now just to improve the FEL save/restore code. There will be more patches
coming up for this, ideally also in the coming cycle still.
Gitlab CI passed, and I booted that briefly on some boards.
