aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2020-12-10fs: fat: generate unique short namesHeinrich Schuchardt
File names must be unique within their directory. So before assigning a short name we must check that it is unique. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10fs: fat: call set_name() only onceHeinrich Schuchardt
In set_name() we select the short name. Once this is correctly implemented this will be a performance intensive operation because we need to check that the name does not exist yet. So set_name should only be called once. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10fs: fat: pass shortname to fill_dir_slotHeinrich Schuchardt
Currently we pass the short name via the directory iterator. Pass it explicitly as a parameter. This removes the requirement to set the short name in the iterator before writing the long name. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10fs: fat: create correct short namesHeinrich Schuchardt
The current function set_name() used to create short names has the following deficiencies resolved by this patch: * Long names (e.g. FOO.TXT) are stored even if a short name is enough. * Short names with spaces are created, e.g. "A ~1.TXT". * Short names with illegal characters are created, e.g. "FOO++BAR". * Debug output does not not consider that the short file name has no concluding '\0'. The solution for the following bug is split of into a separate patch: * Short file names must be unique. This patch only provides the loop over possible short file names. Fixes: c30a15e590c ("FAT: Add FAT write feature") Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10fs: fat: export fat_next_cluster()Heinrich Schuchardt
Rename function next_cluster() to fat_next_cluster() and export it. When creating a new directory entries we should reuse deleted entries. This requires re-scanning the directory. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10fs: fat: correct first cluster for '..'Heinrich Schuchardt
The FAT specification [1] requires that for a '..' directory entry pointing to the root directory the fields DIR_FstClusHi and DIR_FstClusLo are 0. [1] Microsoft FAT Specification, Microsoft Corporation, August 30 2005 Fixes: 31a18d570d96 ("fs: fat: support mkdir") Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
2020-12-07spl: fit: Prefer a malloc()'d buffer for loading imagesAlexandru Gagniuc
Fit images were loaded to a buffer provided by spl_get_load_buffer(). This may work when the FIT image is small and fits between the start of DRAM and SYS_TEXT_BASE. One problem with this approach is that the location of the buffer may be manipulated by changing the 'size' field of the FIT. A maliciously crafted FIT image could place the buffer over executable code and be able to take control of SPL. This is unacceptable for secure boot of signed FIT images. Another problem is with larger FIT images, usually containing one or more linux kernels. In such cases the buffer be be large enough so as to start before DRAM (Figure I). Trying to load an image in this case has undefined behavior. For example, on stm32mp1, the MMC controller hits a RX overrun error, and aborts loading. _________________ | FIT Image | | | /===================\ /=====================\ || DRAM || | DRAM | || || | | ||_________________|| SYS_TEXT_BASE | ___________________ | | | || FIT Image || | | || || | _________________ | SYS_SPL_MALLOC_START || _________________ || || malloc() data || ||| malloc() data ||| ||_________________|| |||_________________||| | | ||___________________|| | | | | Figure I Figure II One possibility that was analyzed was to remove the negative offset, such that the buffer starts at SYS_TEXT_BASE. This is not a proper solution because on a number of platforms, the malloc buffer() is placed at a fixed address, usually after SYS_TEXT_BASE. A large enough FIT image could cause the malloc()'d data to be overwritten (Figure II) when loading. /======================\ | DRAM | | | | | CONFIG_SYS_TEXT_BASE | | | | | ____________________ | CONFIG_SYS_SPL_MALLOC_START || malloc() data || || || || __________________ || ||| FIT Image ||| ||| ||| ||| ||| Figure III The solution proposed here is to replace the ad-hoc heuristics of spl_get_load_buffer() with malloc(). This provides two advantages: * Bounds checking of the buffer region * Guarantees the buffer does not conflict with other memory The first problem is solved by constraining the buffer such that it will not overlap currently executing code. This eliminates the chance of a malicious FIT being able to replace the executing SPL code prior to signature checking. The second problem is solved in conjunction with increasing CONFIG_SYS_SPL_MALLOC_SIZE. Since the SPL malloc() region is carefully crafted on a per-platform basis, the chances of memory conflicts are virtually eliminated. Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2020-12-07Merge branch '2020-12-07-bootm-and-spl-atf-improvements' into nextTom Rini
- Series to improve "bootm" by allowing variable evaluation within the cmdline we would be passing. This will help with Chrome OS but can be useful elsewhere. - Improve ATF (TF-A) support within SPL.
2020-12-04bootm: Support string substitution in bootargsSimon Glass
In some cases it is necessary to pass parameters to Linux so that it will boot correctly. For example, the rootdev parameter is often used to specify the root device. However the root device may change depending on whence U-Boot loads the kernel. At present it is necessary to build up the command line by adding device strings to it one by one. It is often more convenient to provide a template for bootargs, with U-Boot doing the substitution from other environment variables. Add a way to substitute strings in the bootargs variable. This allows things like "rootdev=${rootdev}" to be used in bootargs, with the ${rootdev} substitution providing the UUID of the root device. For example, to substitute the GUID of the kernel partition: setenv bootargs "console=/dev/ttyS0 rootdev=${uuid}/PARTNROFF=1 kern_guid=${uuid}" part uuid mmc 2:2 uuid bootm This is particularly useful when the command line from another place. For example, Chrome OS stores the command line next to the kernel itself. It depends on the kernel version being used as well as the hardware features, so it is extremely difficult to devise a U-Boot script that works on all boards and kernel versions. With this feature, the command line can be read from disk and used directly, with a few substitutions set up. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04cli: Support macro processing with a fixed-size bufferSimon Glass
At present cli_simple_process_macros() requires that the caller provide an output buffer that is exactly CONFIG_SYS_CBSIZE bytes in length. This makes sense since it is designed to be used from the command line. But we also want to use it for bootargs substitution. Update the function to allow the caller to specify the buffer size. Also return an error if the buffer is exhausted. The caller can ignore that if preferred. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04x86: zimage: Add silent-console processingSimon Glass
At present zimage does its own command-line processing and does not support the 'silent console' feature. There doesn't seem to be any good reason for this. Add support for silent console to zimage. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04bootm: Allow updating the bootargs in a bufferSimon Glass
At present we only support updating the 'bootargs' environment variable. Add another function to update a buffer instead. This will allow zimage to use this feature. Also add a lot more tests to cover various cases. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04bootm: Update bootm_process_cmdline_env() to use flagsSimon Glass
At present only one transformation is supported: making the Linux console silent. To prepare for adding more, convert the boolean parameter into a flag value. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04bootm: Split out bootargs environment reading / writingSimon Glass
At present bootm_process_cmdline_env() reads the 'bootargs' variable and then writes it back afterwards. This is painful for tests, which would rather use a simple buffer. It is also useful for zimage to use a buffer, since it does not actually put the Linux command line in the bootargs variable. Refactor the existing code into two pieces. One handles reading and writing the environment variable, as well as allocating a buffer for use by the rest of the code, which now operates on a buffer. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04bootm: Use size rather than length for CONSOLE_ARGSimon Glass
Use the size (including terminator) for in this function, rather than the length. This is arguably easier to follow, with the coming refactor. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04bootm: Add a bool parameter to bootm_process_cmdline_env()Simon Glass
This function will soon do more than just handle the 'silent linux' feature. As a first step, update it to take a boolean parameter, indicating whether or not the processing is required. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04bootm: Rename fixup_silent_linux()Simon Glass
We want to add more processing to this function. Before doing so, rename it to bootm_process_cmdline_env(), which is more generic. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04bootm: Update fixup_silent_linux() to return an errorSimon Glass
At present this function fails silently on error. Update it to produce an error code. Report this error to the user and abort the boot, since it likely will prevent a successful start. No tests are added at this stage, since additional refactoring is taking place in subsequent patches. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04bootm: Add tests for fixup_silent_linux()Simon Glass
This function currently has no tests. Export it so that we can implement a simple test on sandbox. Use IS_ENABLED() to remove the unused code, instead #ifdef. Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04env: Allow returning errors from hdelete_r()Simon Glass
At present this function returns 1 on success and 0 on failure. But in the latter case it provides no indication of what went wrong. If an attempt is made to delete a non-existent variable, the caller may want to ignore this error. This happens when setting a non-existent variable to "", for example. Update the function to return 0 on success and a useful error code on failure. Add a function comment too. Make sure that env_set() does not return an error if it is deleting a variable that doesn't exist. We could update env_set() to return useful error numbers also, but that is beyond the scope of this change. Signed-off-by: Simon Glass <sjg@chromium.org> wip
2020-12-04board: sl28: add OP-TEE Trusted OS support (bl32)Michael Walle
Add support to load the OP-TEE Trusted OS by the SPL. Signed-off-by: Michael Walle <michael@walle.cc>
2020-12-04board: sl28: add ATF support (bl31)Michael Walle
Add support to load the bl31 part of the ARM Trusted Firmware by the SPL. Signed-off-by: Michael Walle <michael@walle.cc>
2020-12-04board: sl28: remove u-boot from loadable DT nodeMichael Walle
It is not needed. Remove it. Signed-off-by: Michael Walle <michael@walle.cc>
2020-12-04armv8: layerscape: don't initialize GIC in SPLMichael Walle
The BL31 expects the GIC to be uninitialized. Thus, if we are loading the BL31 by the SPL we must not initialize it. If u-boot is loaded by the SPL directly, it will initialize the GIC again (in the same lowlevel_init()). This was tested on a custom board with SPL loading the BL31 and jumping to u-boot as BL33 as well as loading u-boot directly by the SPL. In case the ATF BL1/BL2 is used, this patch won't change anything, because no SPL is used at all. Signed-off-by: Michael Walle <michael@walle.cc>
2020-12-04spl: atf: add support for LOAD_IMAGE_V2Michael Walle
Newer platforms use the LOAD_IMAGE_V2 parameter passing method. Add support for it. Signed-off-by: Michael Walle <michael@walle.cc>
2020-12-04spl: atf: remove helper structure from common headerMichael Walle
bl2_to_bl31_params_mem is just an implementation detail of the SPL ATF support and is not needed anywhere else. Move it from the header to the actual module. Signed-off-by: Michael Walle <michael@walle.cc> Acked-by: Michal Simek <michal.simek@xilinx.com>
2020-12-04spl: atf: provide a bl2_plat_get_bl31_params_default()Michael Walle
Move the actual implementation of the bl2_plat_get_bl31_params() to its own function. The weak function will just call the default implementation. This has the advantage that board code can still call the original implementation if it just want to modify minor things. Signed-off-by: Michael Walle <michael@walle.cc>
2020-12-04spl: atf: move storage for bl31_params into functionMichael Walle
There is no need to have the storage available globally. This is also a preparation for LOAD_IMAGE_V2 support. That will introduce a similar generator function which also has its own storage. Signed-off-by: Michael Walle <michael@walle.cc> Acked-by: Michal Simek <michal.simek@xilinx.com>
2020-12-04treewide: use CONFIG_IS_ENABLED() for ARMV8_SEC_FIRMWARE_SUPPORTMichael Walle
There is SPL_ARMV8_SEC_FIRMWARE_SUPPORT and ARMV8_SEC_FIRMWARE_SUPPORT. Thus use CONFIG_IS_ENABLED() instead of the simple #ifdef. Signed-off-by: Michael Walle <michael@walle.cc> Acked-by: Michal Simek <michal.simek@xilinx.com>
2020-12-03Merge tag 'efi-next' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi ↵Tom Rini
into next Pull request for UEFI sub-system for next This pull request adds: * eventlog support for TCG2_PROTOCOL * UEFI capusule updates It replace printf by log in efi_uclass.c
2020-12-03sandbox: enable capsule update for testingAKASHI Takahiro
Add more configuration options to allow for efi capsule update on sandbox. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03test/py: efi_capsule: test for raw image capsuleAKASHI Takahiro
The test can run on sandbox build and it attempts to execute a firmware update via a capsule-on-disk, using a raw image capsule, CONFIG_EFI_CAPSULE_RAW. To run this test successfully, you need configure U-Boot specifically; See test_capsule_firmware.py for requirements, and hence it won't run on Travis CI, at least, for now. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03test/py: efi_capsule: test for FIT image capsuleAKASHI Takahiro
The test can run on sandbox build and it attempts to execute a firmware update via a capsule-on-disk, using a FIT image capsule, CONFIG_EFI_CAPSULE_FIT. To run this test successfully, you need configure U-Boot specifically; See test_capsule_firmware.py for requirements, and hence it won't run on Travis CI, at least, for now. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03tools: add mkeficapsule command for UEFI capsule updateAKASHI Takahiro
This is a utility mainly for test purpose. mkeficapsule -f: create a test capsule file for FIT image firmware Having said that, you will be able to customize the code to fit your specific requirements for your platform. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03cmd: add "efidebug capsule" commandAKASHI Takahiro
"efidebug capsule" is more or less a debugging utility. efidebug capsule update: invoke UpdateCapsule against data on memory efidebug capsule show: show a capsule header efidebug capsule result: dump a capsule result variable Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03efi_loader: add firmware management protocol for raw imageAKASHI Takahiro
In this commit, a very simple firmware management protocol driver is implemented. It will take a binary image in a capsule file and apply the data using dfu backend storage drivers via dfu_write_by_alt() interface. So "dfu_alt_info" variable should be properly set to specify a device and location to be updated. Please read README.dfu. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03efi_loader: add firmware management protocol for FIT imageAKASHI Takahiro
In this commit, a very simple firmware management protocol driver is implemented. It will take a common FIT image firmware in a capsule file and apply the data using dfu backend storage drivers via update_fit() interface. So "dfu_alt_info" variable should be properly set to specify a device and location to be updated. Please read README.dfu. Fit image is a common file format for firmware update on U-Boot, and this protocol works neatly just as a wrapper for one. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03efi_loader: capsule: support firmware updateAKASHI Takahiro
A capsule tagged with the guid, EFI_FIRMWARE_MANAGEMENT_CAPSULE_ID_GUID, is handled as a firmware update object. What efi_update_capsule() basically does is to load any firmware management protocol (or fmp) drivers contained in a capsule, find out an appropriate fmp driver and then invoke its set_image() interface against each binary in a capsule. In this commit, however, loading drivers is not supported. The result of applying a capsule is set to be stored in "CapsuleXXXX" variable, but its implementation is deferred to a fmp driver. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03efi_loader: capsule: add memory range capsule definitionsAKASHI Takahiro
Memory range capsule gives us a way to notify that some memory regions should be left untouched across the next reset. See UEFI specification, section 8.5.3. Since how we should handle this kind of capsule is totally up to the system, no implementation will be added in this commit. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03efi_loader: capsule: add capsule_on_disk supportAKASHI Takahiro
Capsule data can be loaded into the system either via UpdateCapsule runtime service or files on a file system (of boot device). The latter case is called "capsules on disk", and actual updates will take place at the next boot time. In this commit, we will support capsule on disk mechanism. Please note that U-Boot itself has no notion of "boot device" and all the capsule files to be executed will be detected only if they are located in a specific directory, \EFI\UpdateCapsule, on a device that is identified as a boot device by "BootXXXX" variables. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03efi_loader: define UpdateCapsule apiAKASHI Takahiro
In this commit, skeleton functions for capsule-related API's are added under CONFIG_EFI_UPDATE_CAPSULE configuration. Detailed implementation for a specific capsule type will be added in the succeeding patches. Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03common: update: fix an "unused" warning against update_flash()AKASHI Takahiro
Since update_flash() is used only in update_tftp(), it should be guarded with appropriate config options. After the commit 3149e524fc1e, common/update.c will be built under either CONFIG_UDATE_TFTP, CONFIG_DFU_TFTP or CONFIG_UPDATE_FIT. Since CONFIG_UPDATE_FIT, hence fit_update(), doesn't rely on update_flash(), the compiler may cause an "unused" warning if CONFIG_UPDATE_FIT=y and CONFIG_UPDATE_TFTP=n and CONFIG_DFU_TFTP=n. This is, for example, the case for sandbox defconfig where EFI_CAPSULE_FIRMWARE_FIT is enabled for test purpose. Fixes: 3149e524fc1e ("common: update: add a generic interface for FIT image") Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
2020-12-03cmd: efidebug: Add support for TCG2 final events tableIlias Apalodimas
A previous commit is adding EFI_TCG2_PROTOCOL, which in it's eventlog support registers an EFI configuration table. Let's add the necessary GUID so 'efidebug table' command can display table names properly. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2020-12-03efi_loader: Introduce eventlog support for TCG2_PROTOCOLIlias Apalodimas
In the previous patches we only introduced a minimal subset of the EFI_TCG2_PROTOCOL protocol implementing GetCapability(). So let's continue adding features to it, introducing the GetEventLog() and HashLogExtendEvent() functions. In order to do that we first need to construct the eventlog in memory, specifically in EFI_BOOT_SERVICES_DATA memory and a configuration table from EFI_ACPI_MEMORY_NVS. U-Boot won't currently add any events to the log or measure any components, but will expose the necessary EFI APIs for applications to do so. Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2020-12-03tpm: Add tpm2 headers for TCG2 eventlog supportIlias Apalodimas
A following patch introduces support for the EFI_TCG2_PROTOCOL eventlog management. Introduce the necessary tpm related headers Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2020-12-03tpm: use more than sha256 on pcr_extendIlias Apalodimas
The current tpm2_pcr_extend is hardcoded using SHA256. Let's make the actual command to the TPM2 configurable so we can support a wider range of algorithms and keep the current command line as-is i.e limited to SHA256 only Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org>
2020-12-03efi_loader: replace printf by log in efi_uclass.cHeinrich Schuchardt
Use logging functions instead of printf() and debug(). Change logging messages for uclass creation and destruction to log_debug(). Reported-by: Simon Glass <sjg@chromium.org> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Simon Glass <sjg@chromium.org>
2020-12-02Merge branch '2020-12-01-next-imports' into nextTom Rini
- More IPQ40xx improvements - Add string support to setexpr (and tests) - ProxyDHCP support - Assorted cleanups
2020-12-01km/arm: coding style clean upHolger Brunck
Address most of the checkpatch issues we found in km_arm and common km code. CC: Stefan Roese <sr@denx.de> CC: Valentin Longchamp <valentin.longchamp@hitachi-powergrids.com> Signed-off-by: Holger Brunck <holger.brunck@hitachi-powergrids.com> Reviewed-by: Stefan Roese <sr@denx.de>
2020-12-01spl: spl_fit.c: enable check of signature for config node in spl/tplPhilippe Reynes
This commit add the support of signature check for config node in spl/tpl when the function spl_load_simple_fit is used. Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com> Reviewed-by: Simon Glass <sjg@chromium.org>