Commit graph

751 commits

Author SHA1 Message Date
Gary Bisson
df50c821e7 bootstd: android: avoid possible null pointer dereference
- avb_slot_verify_data_free() doesn't check its data parameter
- out_data can be null if avb_slot_verify() fails to allocate memory

Signed-off-by: Gary Bisson <bisson.gary@gmail.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
Link: https://lore.kernel.org/r/20250402144219.1875067-1-bisson.gary@gmail.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
2025-04-10 10:03:21 +02:00
Tom Rini
ff61d6bfd1 Merge branch 'next'
Note that this undoes the changes of commit cf6d4535cc ("x86:
emulation: Disable bloblist for now") as that was intended only for the
release due to time.
2025-04-08 11:43:23 -06:00
Tom Rini
f892a7f397 Revert "Merge patch series "pxe: Precursor series for supporting read_all() in extlinux / PXE""
This reverts commit 8bc3542384, reversing
changes made to 698edd63ec.

There are still problems with this series to work out.

Link: https://lore.kernel.org/u-boot/CAFLszTjw_MJbK9tpzVYi3XKGazcv55auBAdgVzcAVUta7dRqcg@mail.gmail.com/
Signed-off-by: Tom Rini <trini@konsulko.com>
2025-04-07 16:35:43 -06:00
Heiko Stuebner
1915fdcc21 boot: call dhcp_run in pxe bootmethod
A recent change tried to speed up EFI booting by not calling dhcp_run
from eth_bootdev_hunt() every time. PXE so far relied on that dhcp_run
call to get an IP address.

Fix that by adding a dhcp_run call to the pxe bootflow, with autoload
disabled to only get the ip address and nothing else.

Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Fixes: 1f68057e03 ("net: eth_bootdev_hunt() should not run DHCP")
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
2025-04-06 10:03:03 -06:00
Tom Rini
1aa8b03c01 Merge patch series "membuff: Add tests and update to support a flag for empty/full"
Simon Glass <sjg@chromium.org> says:

The membuff implementation currently has no tests. It also assumes that
head and tail can never correspond unless the buffer is empty.

This series provides a compile-time flag to support a 'full' flag. It
also adds some tests of the main routines.

The data structure is also renamed to membuf which fits better with
U-Boot.

There may be some cases in the code which could be optimised a little,
but the implementation is functional.

Link: https://lore.kernel.org/r/20250318152059.1464369-1-sjg@chromium.org
2025-04-03 16:54:59 -06:00
Simon Glass
68b0af2127 membuf: Rename struct
Rename the struct to match the function prefix and filenames.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-04-03 16:54:49 -06:00
Simon Glass
4662e5286a membuff: Rename functions to have membuf_ prefix
The double 'f' is not necessary and is a bit annoying as elsewhere in
U-Boot we use 'buf'. Rename all the functions before it is used more
widely.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-04-03 16:54:49 -06:00
Simon Glass
951d1faa54 boot: Support IO UARTs for earlycon and console
Update the string to take account of UARTs which are connected on I/O
ports, as on x86.

Fix a typo in an error message in the same command, while we are here.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-04-03 11:43:22 -06:00
Simon Glass
199648bac1 boot: Handle running out of labels
If only a single label is provided in the list, bootdev_next_label()
does not operate correctly and reads beyond the end of the pointer list.

Fix this by adding a new check. Also add a note to convert this array
to an alist.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-04-03 11:43:22 -06:00
Simon Glass
6acb0d28b0 boot: Consider non-bootable partitions
Any 'bootable' flag in a DOS partition causes bootstd to only scan
bootable partitions for that media. This can mean that extlinux.conf
files on the root disk are missed.

Put this logic behind a flag and update the documentation.

For now, the flag is enabled, to preserve the existing behaviour of
bootstd which is to ignore non-bootable partitions so long as there is
at least one bootable partition on the disk.  Future work may provide a
command (or some other mechanism) to control this.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-04-03 11:41:55 -06:00
Tom Rini
177d73dd17 onenand: Remove ONENAND_BOOT option
The option ONENAND_BOOT is never set, so remove it. The option
SYS_ONENAND_BOOT was never migrated to Kconfig and any platforms which
supported that have long been removed from the code, so remove the
reference there as well.

Signed-off-by: Tom Rini <trini@konsulko.com>
2025-04-02 19:59:41 -06:00
Sughosh Ganu
61e0a20aec blkmap: pass information on ISO image to the OS
The EFI HTTP boot puts the ISO installer image at some location in
memory. Information about this image has to be passed on to the OS
kernel, which is done by adding a persistent memory(pmem) node to the
devicetree(DT) that is passed to the OS. The OS kernel then gets
information about the presence of this ISO image and proceeds with the
installation.

In U-Boot, this ISO image gets mounted as a memory mapped blkmap
device slice, with the 'preserve' attribute. Add a helper function
which iterates through all such slices, and invokes a callback. The
callback adds the pmem node to the DT and removes the corresponding
memory region from the EFI memory map. Invoke this helper function as
part of the DT fixup which happens before booting the OS.

Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Tobias Waldekranz <tobias@waldekranz.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2025-03-26 13:28:08 +02:00
Masahisa Kojima
9c407347b4 fdt: add support for adding pmem nodes
One of the problems an OS may face, when running in EFI, is that
a mounted ISO, after calling ExitBootServices goes away, if that ISO
is resident in RAM memory as a ramdisk.

ACPI has NFIT and NVDIMM support to provide ramdisks to the OS, but we
don't have anything in place for DTs. Linux and device trees have support
for persistent memory devices. So add a function that can inject a pmem
node in a DT, so we can pass information on the ramdisk to the OS.

Signed-off-by: Masahisa Kojima <kojima.masahisa@socionext.com>
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2025-03-26 13:28:08 +02:00
Tom Rini
8bc3542384 Merge patch series "pxe: Precursor series for supporting read_all() in extlinux / PXE"
Simon Glass <sjg@chromium.org> says:

This series includes some patches related to allowing read_all() to be
used with the extlinux / PXE bootmeths.

These patches were split out from the stb4 series, since it will need to
have additional patches for LWIP, to avoid breaking PXE booting when
LWIP is used.

Link: https://lore.kernel.org/r/20250306002533.2380866-1-sjg@chromium.org
2025-03-18 13:12:51 -06:00
Simon Glass
e2e87b8401 boot: pxe: Refactor label_run_boot() to avoid cmdline
Adjust the remaining call in this function to use the bootm API. This
will allow PXE to work without the command line.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-03-18 13:12:15 -06:00
Simon Glass
feb8d7fd74 pxe_utils: Simplify default fdt in label_run_boot()
Tidy up this code a little to avoid two calls to env_get() for both
fdt_addr and fdtcontroladdr

Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: Quentin Schulz <quentin.schulz@cherry.de>
2025-03-18 13:12:15 -06:00
Simon Glass
b13408021d boot: pxe: Use bootm_...() functions where possible
Rather than building a command line for each operation, use the
functions provided by the bootm API.

Make sure that the bootm functions are available if pxe_utils is used.

Since SYS_BOOTM_LEN is not present for the tools-only build, adjust the
code to handle that.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
2025-03-18 13:12:15 -06:00
Simon Glass
ecd50bb464 boot: Support compressed booti images in bootm
A compressed booti image relies on the compression-format's header at
the start to indicate which compression algorithm is used.

We don't support this elsewhere in U-Boot, so assume that a compressed
file is always a booti file. Once it is compressed, a check is made to
make sure that it actually is.

Simplify the implementation by adding a new function which returns the
booti image-type if compression is detected.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-03-18 13:12:15 -06:00
Simon Glass
d6bb0ea535 boot: Support booti format in bootm
At present the booti format is handled separately, in its own command.
Provide a way to boot uncompressed booti images within the bootm code,
so that eventually we can boot these images without CONFIG_CMDLINE

Update bootm_init() to attach the images for all formats which use them.

Add some debugging while we are here.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-03-18 13:12:15 -06:00
Simon Glass
098407e673 boot: arm: riscv: sandbox: Add a format for the booti file
Arm invented a new format for arm64 and something similar is also used
with RISC-V. Add this to the list of supported formats and provide a way
for the format to be detected on both architectures.

Update the genimg_get_format() function to support this.

Fix up switch() statements which don't currently mention this format.
Booti does not support a ramdisk, so this can be ignored.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-03-18 13:12:15 -06:00
Simon Glass
3c7b13b075 boot: Convert IMAGE_FORMAT into an enum
Use an enum so it is clearer that these options are related. Update
genimg_get_format(), tidy up the function comment and move it to the
header file, since it is exported.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-03-18 13:12:15 -06:00
Simon Glass
7f10a7fe12 bootm: Allow building bootm.c without CONFIG_SYS_BOOTM_LEN
This code cannot be compiled by boards which don't have this option. Add
an accessor in the header file to avoid another #ifdef

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
2025-03-18 13:12:15 -06:00
Simon Glass
600bc21da5 boot: Pass just the FDT argument to label_process_fdt()
Since this function only adjusts one element of the bootm command, pass
just that. This will make it easier to refactor things to remove the
bootm command.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
2025-03-18 13:12:15 -06:00
Simon Glass
f6aa262f55 boot: Split pxe label_run_boot() into two parts
This function is quite long. Split out the FDT processing into its own
function.

Add a function comment for the new label_process_fdt() function.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
2025-03-18 13:12:15 -06:00
Simon Glass
ff9fef41fe boot: Split pxe label_boot() into two parts
This function is far too long. Split out the part which builds and runs
the bootm/i/z commands into its own function.

Add a function comment for the new label_run_boot() function.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
2025-03-18 13:12:15 -06:00
Simon Glass
0fd3ed1cd7 boot: Use strlcpy() in label_boot()
This function is recommended instead of strncpy() since it always
terminates the string.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-03-18 13:12:15 -06:00
Simon Glass
95641f4bf9 x86: Rename zboot_run() to zboot_run_args()
Rename this function so we can (later) create a zboot_run() function
which looks the same as bootm_run()

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-03-18 13:12:15 -06:00
Paul HENRYS
3d17af85a4 boot: Add support of the pre-load signature for host tools
Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
2025-02-28 16:51:01 -06:00
Marek Vasut
854a5a00ca image: Add support for starting TFA BL31 as fitImage loadables
Add support for starting TFA from U-Boot running in EL3 as part of
fitImage boot, so the user can start U-Boot in the highest privilege
level on the platform, bundle TFA, Linux, DT into a single fitImage
and boot such a bundle as a whole.

There are two main benefits of this approach. First is the ability
to run U-Boot in EL3, where it has unrestricted access to the entire
system and can act as a useful debug tool, as it was always intended
to be used. Second is the ability to easily and safely update any
component in the fitImage, be it TFA, Linux or DT.

The boot process is similar to regular Linux with DT fitImage boot
process, except the TFA has to be bundled into the fitImage. For the
bundling instructions, see below. The TFA is started as a 'loadables'
with custom U_BOOT_FIT_LOADABLE_HANDLER and armv8_switch_to_el2_prep()
handling implemented in board code, and performing the handoff and
boot in case the TFA was loaded.

The loadables handler is optional and meant to set up any sort of
handoff structures used by the TFA BL31 or perform any other setup
that is needed by the blob. The custom armv8_switch_to_el2_prep()
has to implement the jump to TFA BL31 with return to U-Boot just
before booting the Linux kernel.

Example fitImage image and configuration section:

/dts-v1/;

/ {
    description = "Linux kernel with FDT blob and TFA BL31";

    images {
        kernel-1 { ... };
        fdt-1 { ... };
        atf-1 {                  /* This is the TFA BL31 image */
            description = "TFA BL31";
            data = /incbin/("../build/plat/release/bl31.bin");
            type = "tfa-bl31";
            arch = "arm64";
            os = "arm-trusted-firmware";
            compression = "none";
            load = <0x46400000>;
            entry = <0x46400000>;
        };
    };

    configurations {
        default = "conf-1";
        conf-1 {
            description = "Boot Linux";
            kernel = "kernel-1";
            fdt = "fdt-1";
            loadables = "atf-1"; /* This is the TFA BL31 loadable */
        };
    };
};

Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
2025-02-15 14:44:43 +01:00
Sam Day
aa817a2f1f boot: android: handle boot images with missing DTB
607b07554e removed the check on the return status of the
android_image_get_dtb_img_addr call from android_image_get_dtb_by_index,
which results in null pointer accesses shortly after when trying to
check the header of a nonexistent DTB.

Fixes: 607b07554e ("android: boot: move to andr_image_data structure")
Signed-off-by: Sam Day <me@samcday.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Link: https://lore.kernel.org/r/20250123-android-handle-no-dtb-v1-1-1cb7373247da@samcday.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2025-02-06 09:09:09 +01:00
Quentin Schulz
881f0b77dc image: apply FDTOs on FDT image node without a load property
A FIT image which is NOT using -E when created by mkimage - that is with
image data within the FIT - will fail to apply FDTO if the base FDT
image node does not specify a load property (which points to an address
in DRAM). This is because we check that the FDT address we want to apply
overlay to (i.e. modify and likely increase in size) is not inside the
FIT and give up otherwise. This is assumed necessary because we may then
overwrite other data when applying in-place.

However, we can do better than giving up: relocating the FDT in another
place in DRAM where it's safe to increase its size and apply FDTOs.

While at it, do not discriminate anymore on whether the data is within
the FIT data address space - that is FIT images created with mkimage -E
- as that still may be susceptible to unintended data overwrites as
mkimage -E simply concatenates all blobs after the FIT. If the FDT blob
isn't the last, it'll result in overwriting later blobs when resizing.

The side effect is that the load property in the FIT is only
temporarily used to load the FDT but then relocated right before we
start applying overlays.

Suggested-by: Marek Vasut <marex@denx.de>
Reviewed-by: Marek Vasut <marex@denx.de>
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
2025-02-04 11:57:36 -06:00
Simon Glass
f1eb367d76 vbe: Add an implementation of VBE-ABrec
So far only VBE-simple is implemented in U-Boot. This supports a single
image which can be updated in situ.

It is often necessary to support two images (A and B) so that the board
is not bricked if the update is interrupted or is bad.

In some cases, a non-updatable recovery image is desirable, so that the
board can be returned to a known-good state in the event of a serious
failure.

Introduce ABrec which provides these features. It supports three
independent images and the logic to select the desired one on boot.

While we are here, fix a debug message to indicate the function it
called. Provide a maintainers entry for VBE.

Note that fwupdated only supports VBE-simple so far, but support for
ABrec will appear in time.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-02-03 16:01:36 -06:00
Simon Glass
f4415f2a37 vbe: Allow VBE to disable adding loadables to the FDT
When VBE operates within VPL it does not want the FDT to be changed.
Provide a way to disable this feature.

Move the FIT_IMAGE_TINY condition out of spl_fit_record_loadable() so
that both conditions are together. This makes the code easier to
understand.

Replace the existing fit_loaded member, which is no longer used.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-02-03 16:01:36 -06:00
Simon Glass
39a9b033ce vbe: Tidy up a few comments
Join the comment block for the fit_image_load() call back to where it
should be. Also fix a debug statement.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-02-03 16:01:36 -06:00
Simon Glass
5fb647c83e vbe: Support selecting images based on phase in FIT
With SPL we want to specify the phase of the image to be loaded. Add
support for this.

This is the implementation of a FIT feature added to the spec a few
years ago and entails a small code-size increase, about 70 bytes on
Thumb2.

Signed-off-by: Simon Glass <sjg@chromium.org>
Link: https://docs.u-boot.org/en/latest/usage/fit/index.html
2025-02-03 16:01:36 -06:00
Simon Glass
21de624eb8 bootmeth_efi: Support PXE booting
Finish off the implementation so it is possible to boot an EFI app over
a network.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-01-26 11:06:57 +01:00
Simon Glass
a2338955fc efi_loader: Pass in the required parameters from EFI bootmeth
Rather than setting up the global variables and then making the call,
pass them into function directly. This cleans up the code and makes it
all a bit easier to understand.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-01-26 11:06:57 +01:00
Mattijs Korpershoek
6745cbed6e bootstd: android: Allow boot with AVB failures when unlocked
When the bootloader is UNLOCKED, it should be possible to boot Android
even if AVB reports verification errors [1].

This allows developers to flash modified partitions on
userdebug/engineering builds.

Developers can do so on unlocked devices with:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

In such case, bootmeth_android refuses to boot.

Allow the boot to continue when the device is UNLOCKED and AVB reports
verification errors.

[1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices

Fixes: 125d9f3306 ("bootstd: Add a bootmeth for Android")
Reviewed-by: Julien Masson <jmasson@baylibre.com>
Link: https://lore.kernel.org/r/20250108-avb-disable-verif-v2-2-ba7d3b0d5b6a@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2025-01-23 15:23:05 +01:00
Mattijs Korpershoek
ae58cd7b39 bootstd: android: Add missing NULL in the avb partition list
When booting an Android build with AVB enabled, it's still possible to
deactivate the check for development purposes if the bootloader state is
UNLOCKED.

This is very useful for development and can be done at flashing time via:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

However, with bootmeth_android, we cannot boot this way:

    Scanning bootdev 'mmc@fa10000.bootdev':
      0  android      ready   mmc          0  mmc@fa10000.bootdev.whole
    ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
    avb_vbmeta_image.c:188: ERROR: Hash does not match!
    avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
    get_partition: can't find partition '_a'
    avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
    Verification failed, reason: I/O error occurred while trying to load data
    Boot failed (err=-5)
    No more bootdevs

From the logs we can see that avb tries to read a partition named '_a'.
It's doing so because the last element of requested_partitions implicitly is
'\0', but the doc explicitly requests it to be NULL instead.

Add NULL as last element to requested_partitions to avoid this problem.

Fixes: 125d9f3306 ("bootstd: Add a bootmeth for Android")
Reviewed-by: Julien Masson <jmasson@baylibre.com>
Link: https://lore.kernel.org/r/20250108-avb-disable-verif-v2-1-ba7d3b0d5b6a@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2025-01-23 15:23:05 +01:00
Aaron Kling
4e599aa73a boot: android: Check kcmdline's for NULL in android_image_get_kernel()
kcmdline and kcmdline_extra strings can be NULL. In that case, we still
read the content from 0x00000 and pass that to the kernel, which is
completely wrong.

Fix android_image_get_kernel() to check for NULL before checking if
they are empty strings.

Fixes: 53a0ddb6d3 ("boot: android: fix extra command line support")
Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
Reviewed-by: Nicolas Belin <nbelin@baylibre.com>
Reviewed-by: Julien Masson <jmasson@baylibre.com>
Tested-by: Sam Day <me@samcday.com>
Link: https://lore.kernel.org/r/20250113-kcmdline-extra-fix-v1-1-03cc9c039159@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
2025-01-23 15:19:37 +01:00
Tom Rini
a3b71cc6f5 Merge patch series "upl: Prerequite patches for updated spec"
Simon Glass <sjg@chromium.org> says:

The current UPL spec[1] has been tidied up and improved over the last
year, since U-Boot's original UPL support was written.

This series includes some prerequisite patches needed for the real UPL
patches. It is split from [2]

[1] https://github.com/UniversalPayload/spec/tree/3f1450d
[2] https://patchwork.ozlabs.org/project/uboot/list/?series=438574&state=*

Link: https://lore.kernel.org/r/20250111000029.245022-1-sjg@chromium.org
2025-01-22 17:08:47 -06:00
Simon Glass
c83e71064e boot: Rename fit_image_get_data_and_size()
This function is really just getting the data. The size comes along for
the ride. In fact this function is only reliable way to obtain the data
for an image in a FIT, since the FIT may use external data.

Rename it to fit_image_get_data()

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-01-22 15:58:04 -06:00
Simon Glass
dc39ce8d90 boot: Rename fit_image_get_data()
This function can only be used with FITs that use embedded data. Rename
it so this is clear.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2025-01-22 15:58:04 -06:00
Tom Rini
5fe39e5df4 Merge patch series "vbe: Series part F"
Simon Glass <sjg@chromium.org> says:

This includes various patches towards implementing the VBE abrec
bootmeth in U-Boot. It mostly focuses on introducing a relocating
SPL-loader so that VBE can run in the limited amount of SRAM available
on many devices.

Another minor new feature is support in VBE for specifying the image
phase when loading from a FIT. This allows a single FIT to include
images for several boot phases, thus simplifying image-creation.

One lingering niggle in this series is that it has a different code path
for sandbox, since it does not support the relocating jump. It should be
possible to resolve this with additional work, but I have not attempted
this so far.

For v2, I have split the first patch into 5 pieces, to make it easier to
see the code-size impact, plus added a few tweaks to reduce code size.

Again, only MMC is supported so far.

Looking ahead, series G will have some more plumbing and H some rk3399
pieces. That should be enough to complete these features.

Here is a run in my lab, with the VBE ABrec bootmeth. You can see that
VPL runs before memory is set up. SPL sets up memory and can be upgraded
in the field reliably.

$ ub-int vbe
Building U-Boot in sourcedir for rk3399-generic
Bootstrapping U-Boot from dir /tmp/b/rk3399-generic
Writing U-Boot using method rockchip

U-Boot TPL 2025.01-rc3-00345-gdfbdbf1eb56c-dirty (Jan 08 2025 - 10:47:58)
Trying to boot from vbe_abrec
load: Firefly-RK3399 Board
   Using 'config-3' configuration
   Trying 'image-vpl' firmware subimage
   Using 'config-3' configuration
   Trying 'fdt-3' fdt subimage

U-Boot VPL 2025.01-rc3-00345-gdfbdbf1eb56c-dirty (Jan 08 2025 - 10:47:58)
Trying to boot from vbe_abrec
load: Firefly-RK3399 Board
Starting with empty state
VBE: Firmware pick A at 800000
   Using 'config-3' configuration
   Trying 'spl' firmware subimage
   Using 'config-3' configuration
   Trying 'fdt-3' fdt subimage
Channel 0: DDR3, 800MHz
BW=32 Col=10 Bk=8 CS0 Row=15 CS1 Row=15 CS=2 Die BW=16 Size=2048MB
Channel 1: DDR3, 800MHz
BW=32 Col=10 Bk=8 CS0 Row=15 CS1 Row=15 CS=2 Die BW=16 Size=2048MB
256B stride

U-Boot SPL 2025.01-rc3-00345-gdfbdbf1eb56c-dirty (Jan 08 2025 - 10:47:58 -0700)
Trying to boot from vbe_abrec
load: Firefly-RK3399 Board
VBE: Firmware pick A at 900000
load_simple_fit: Skip load 'atf-5': image size is 0!
Relocating bloblist ff8eff00 to 100000: done
ns16550_serial serial@ff1a0000: pinctrl_select_state_full: uclass_get_device_by_phandle_id: err=-19

U-Boot 2025.01-rc3-00345-gdfbdbf1eb56c-dirty (Jan 08 2025 - 10:47:58 -0700)

SoC: Rockchip rk3399
Reset cause: POR
Model: Firefly-RK3399 Board
DRAM:  4 GiB (effective 3.9 GiB)
Core:  314 devices, 33 uclasses, devicetree: separate
MMC:   mmc@fe310000: 3, mmc@fe320000: 1, mmc@fe330000: 0
Loading Environment from SPIFlash... Invalid bus 0 (err=-19)
*** Warning - spi_flash_probe_bus_cs() failed, using default environment

In:    serial,usbkbd
Out:   serial,vidconsole
Err:   serial,vidconsole
Model: Firefly-RK3399 Board
Net:   PMIC:  RK808
eth0: ethernet@fe300000

starting USB...
Bus usb@fe380000: USB EHCI 1.00
Bus usb@fe3a0000: USB OHCI 1.0
Bus usb@fe3c0000: USB EHCI 1.00
Bus usb@fe3e0000: USB OHCI 1.0
Bus usb@fe900000: Register 2000140 NbrPorts 2
Starting the controller
USB XHCI 1.10
scanning bus usb@fe380000 for devices... 1 USB Device(s) found
scanning bus usb@fe3a0000 for devices... 1 USB Device(s) found
scanning bus usb@fe3c0000 for devices... 2 USB Device(s) found
scanning bus usb@fe3e0000 for devices... 1 USB Device(s) found
scanning bus usb@fe900000 for devices... 1 USB Device(s) found
       scanning usb for storage devices... 0 Storage Device(s) found
Hit any key to stop autoboot:  0

Link: https://lore.kernel.org/r/20250116012723.2820301-1-sjg@chromium.org
2025-01-22 11:21:58 -06:00
Simon Glass
68727fac69 vbe: Update simple-fw to support using the SPL loader
For a sandbox implementation, where code size is no object, it makes sense
to use the full bootstd drivers to load images.

For real boards, running from SRAM, this adds quite a bit of overhead.

Add a way to load the next phase using just the underlying storage
driver, to reduce code size. For now, only MMC is supported.

Change the log_debug() to show the load address and size in a more
neutral way, rather than suggesting that the load has already happened.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-01-22 09:47:50 -06:00
Simon Glass
9ecc1cabe1 vbe: Support loading SPL images
VBE needs to load different images from a FIT depending on the xPL phase
in use. The IH_PHASE value is used to select the image to load.

Add the required logic to handle this. For compatibility with the
SPL-loader driver, fill out a struct spl_image_info with the details
needed to boot the next phase.

This is good enough for VBE-simple but ABrec will need the full set of
bootstd features. So add a USE_BOOTMETH define to control this.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-01-22 09:47:50 -06:00
Simon Glass
65250625c5 vbe: Support loading an FDT with the relocating loader
Add FDT support so that this can be copied down in memory after loading
and made available to the new image.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-01-22 09:47:50 -06:00
Simon Glass
df42d54b96 vbe: Support loading an FDT from the FIT
In many cases the FIT includes a devicetree. Add support for loading
this into a suitable place in memory.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-01-22 09:47:50 -06:00
Simon Glass
42fb767da4 vbe: Allow loading loadables if there is no firmware
In some cases only the 'loadable' property is present in the FIT.
Handle this by loading the first such image.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-01-22 09:47:50 -06:00
Simon Glass
36d6c89950 vbe: Handle loading from an unaligned offset
There is no guarantee that a FIT image starts on a block boundary. When
it doesn't, the image starts part-way through the first block.

Add logic to detect this and copy the image down into place.

Signed-off-by: Simon Glass <sjg@chromium.org>
2025-01-22 09:47:49 -06:00