Tom reports that generating the ESL file we need for authenticated
capsule updates fails to work on azure which expects a RO git tree.
Move it to $(objtree)
Reported-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
commit ddf67daac3 ("efi_capsule: Move signature from DTB to .rodata")
was reverted in
commit 47a25e81d3 ("Revert "efi_capsule: Move signature from DTB to .rodata"")
because that's what U-Boot was usually doing -- using the DT to store
configuration and data. Some of the discussions can be found here [0].
(Ab)using the device tree to store random data isn't ideal though.
On top of that with new features introduced over the years, keeping
the certificates in the DT has proven to be problematic.
One of the reasons is that platforms might send U-Boot a DTB
from the previous stage loader using a transfer list which won't contain
the signatures since other loaders are not aware of internal
U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding
the capsule certificate there does not work and requires users to dump
it and re-create it injecting the public keys.
Now that we have proper memory permissions for arm64, move the certificate
to .rodata and read it from there.
[0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Jonathan Humphreys <j-humphreys@ti.com> # on TI sk-am62p-lp
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on AML-A311D-CC
Tested-by: Raymond Mao <raymond.mao@linaro.org>
The new_packagelist() function of the HII Protocols implementation is
calling malloc() without checking its return code; fix this.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Instead of just printing the label, add information for the Device
path as well so it's easier to see if we are booting from disk, network
etc
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Calling bootefi on an address that was loaded from memory (e.g., cramfs
or SPI flash via "sf read", etc.), currently results in the EFI binary
not being able to access the EFI image device path.
For example, iPXE would fail with an error "EFI could not get loaded
image's device path: Error 0x7f39e082 (https://ipxe.org/7f39e082)".
This is due to an incomplete special-case in efi_binary_run, where a new
device path was created but not used in all required places.
Fix the in-memory special case, set the "bootefi_device_path" to the
generated "file_path".
iPXE will now boot, and report the device path as
"/MemoryMapped(0x0,0xSTART,0xLEN)"
Signed-off-by: Christian Kohlschütter <christian@kohlschutter.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Add support to install an initrd when running an EFI binary
with efi_binary_run
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
U-Boot can pass an initrd to subsequent boot stages via the
EFI_LOAD_FILE2_PROTOCOL. The current implementation only supports
this functionality via the efi boot manager: the initrd is taken
from the load options of the BootCurrent variable. This commit adds
support for registering a memory mapped initrd, e.g. loaded from a
FIT image. For now this new method takes precedence over loading the
initrd from the BootCurrent variable (if both are present) because
the BootCurrent variable is not cleared on exiting the boot manager.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
U-Boot currently reserves only 0x3000 bytes when copying the FDT
in copy_fdt(), which may not be sufficient if additional nodes
(such as FMAN firmware) are added later.
This patch uses the exisitng SYS_FDT_PAD to reserve space for FDT fixup
instead of hardcoded value.
This change prevents potential corruption when resizing FDT after
EFI boot, especially when firmware like FMAN requires additional
space.
Signed-off-by: Gabriel Nesteruk <gnesteruk@sii.pl>
Signed-off-by: Pawel Kochanowski <pkochanowski@sii.pl>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
When BLOBLIST_TABLES is used, the ACPI tables are not currently added to
the list of EFI tables. While we don't want to create a new memory
region, we do want to tell EFI about the tables.
Fix this by covering this case. At some point the non-bloblist code can
likely be removed.
Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: 3da59ee9579 ("efi_loader: Avoid mapping the ACPI tables twice")
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Now that capsule update sets the dfu_alt_info environment variable
explicitly, there is no need to support it in the set_dfu_alt_info()
function. Decouple SET_DFU_ALT_INFO from EFI_CAPSULE_FIRMWARE_FIT and
EFI_CAPSULE_FIRMWARE_RAW. For many boards, this was the only use of
set_dfu_alt_info() so remove the function entirely.
Fixes: a9e6f01a94 ("efi: Define set_dfu_alt_info() for boards with UEFI capsule update enabled")
Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
Signed-off-by: Michal Simek <michal.simek@amd.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> # for board/libre-computer/*
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Wadim Egorov <w.egorov@phytec.de> # for
The current implementation of EFI capsule update uses set_dfu_alt_info() to
set the dfu_alt_info environment variable with the settings it requires.
However, set_dfu_alt_info() is doing this for all DFU operations, even
those unrelated to capsule update.
Thus other uses of DFU, such as DFU boot which sets its own value for the
dfu_alt_info environment variable, will have that setting overwritten with
the capsule update setting. Similarly, any user defined value for the
dfu_alt_info environment variable would get overwritten when any DFU
operation was performed, including simply performing a "dfu 0 list"
command.
The solution is stop using the set_dfu_alt_info() mechanism to set the
dfu_alt_info environment variable and instead explicitly set it to the
capsule update's setting just before performing the capsule update's DFU
operation, and then restore the environment variable back to its original
value.
This patch implements the explicit setting and restoring of the
dfu_alt_info environment variable as part of the EFI capsule update
operation.
The fix is fully implemented in a subsequent patch that removes the capsule
update dfu_alt_info support in set_dfu_alt_info().
Signed-off-by: Jonathan Humphreys <j-humphreys@ti.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Note that this undoes the changes of commit cf6d4535cc ("x86:
emulation: Disable bloblist for now") as that was intended only for the
release due to time.
It has been reported that memory corruption can occurred because network
packages where received after EXIT_BOOT_SERVICES. See the thread
starting at [1].
We try to remove all drivers when EXIT_BOOT_SERVICES is called. But
* Some network drivers don't call their own stop method when removed.
* Some network drivers don't have a remove method.
* Some devices have CONFIG_DM_DEVICE_REMOVE=n.
Let's call eth_halt() in EXIT_BOOT_SERVICES explicitly.
[1]
https://lore.kernel.org/all/C101B675-EEE6-44CB-8A44-83F72182FBD6@kohlschutter.com/
Cc: Michael Brown <mcb30@ipxe.org>
Reported-by: Christian Kohlschütter <christian@kohlschutter.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Michael Brown <mcb30@ipxe.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Christian Kohlschütter <christian@kohlschutter.com>
The EFI HTTP boot puts the ISO installer image at some location in
memory. Information about this image has to be passed on to the OS
kernel, which is done by adding a persistent memory(pmem) node to the
devicetree(DT) that is passed to the OS. The OS kernel then gets
information about the presence of this ISO image and proceeds with the
installation.
In U-Boot, this ISO image gets mounted as a memory mapped blkmap
device slice, with the 'preserve' attribute. Add a helper function
which iterates through all such slices, and invokes a callback. The
callback adds the pmem node to the DT and removes the corresponding
memory region from the EFI memory map. Invoke this helper function as
part of the DT fixup which happens before booting the OS.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Tobias Waldekranz <tobias@waldekranz.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
ACPI has NFIT and NVDIMM support to provide ramdisks to the OS. Linux
and device trees have support for persistent memory(pmem) devices. The
firmware can then add a pmem node for the region of memory occupied by
the ramdisk when passing the device-tree to the OS.
It's worth noting that for linux to instantiate the /dev/pmemX device,
the memory described in the pmem node has to be omitted from the EFI
memory map we hand over to the OS if ZONE_DEVICES and SPARSEMEM is
enabled. With those enabled the pmem driver ends up calling
devm_memremap_pages() instead of devm_memremap(). The latter works
whether the memory is omitted or marked as reserved, but mapping pages
only works if the memory is omitted.
On top of that, depending on how the kernel is configured, that memory
area must be page aligned or 2MiB aligned. PowerPC is an exception here
and requires 16MiB alignment, but since we don't have EFI support for
it, limit the alignment to 2MiB.
Ensure that the ISO image is 2MiB aligned and remove the region
occupied by the image from the EFI memory map.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
With upcoming changes supporting pmem nodes, we need to remove the
pmem area from the EFI memory map. Rename efi_add_memory_map_pg() to
efi_update_memory_map(), and allow removing memory from the EFI memory
map.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The efi_install_fdt() function is called before booting an EFI binary,
either directly, or through a bootmanager. This function installs a
copy of the device-tree(DT) on the EFI configuration table, which is
passed on to the OS.
The current logic in this function does not install a DT if a
device-tree is already installed as an EFI configuration
table. However, this existing copy of the DT might not be up-to-date,
or it could be a wrong DT for the image that is being booted. Always
install a DT afresh to the configuration table before booting the EFI
binary.
Installing a new DT also involves some additional checks that are
needed to clean up memory associated with the existing DT copy. Check
for an existing copy, and free up that memory.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
There is logic in the copy_fdt() function which is iterating over the
platform's DRAM banks and setting the fdt_ram_start variable. However,
this variable is not used subsequently in the function. Remove this
superfluous code.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
When converting an IPv4 device path node to text, the
EFI_DEVICE_PATH_TO_TEXT_PROTOCOL will produce the following string:
IPv4(5.6.7.8,TCP,UDP,0x6,DHCP,1.2.3.4,9.10.11.12,255.255.255.0)
This string erroneously contains multiple protocols: TCP, UDP and 0x6.
Add the missing `break' statements in the dp_msging() function to fix this
and obtain the following expected string instead:
IPv4(5.6.7.8,TCP,DHCP,1.2.3.4,9.10.11.12,255.255.255.0)
Fixes: aaf63429a1 ("efi_loader: add IPv4() to device path to text protocol")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Adriano Cordova <adrianox@gmail.com>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Ben reports a failure to boot the kernel on hardware that starts its
physical memory from 0x0.
The reason is that lmb_alloc_addr(), which is supposed to reserve a
specific address, takes the address as the first argument, but then also
returns the address for success or failure and treats 0 as a failure.
Since we already know the address change the prototype to return an int.
Reported-by: Ben Schneider <ben@bens.haus>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ben Schneider <ben@bens.haus>
Reviewed-by: Sughosh Ganu <sughosh.ganu@linaro.org>
EFI applications need to be relocatable. Ordinarily, this is achieved
through a PE-format .reloc section, but since that requires toolchain
tricks to achieve, U-Boot's EFI applications instead embed ELF-flavored
relocation information and use it for self-relocation; thus, the
.dynamic section needs to be preserved.
Before this patch, it was tacked on to the end of .text, but this was
not proper: A .text section is SHT_PROGBITS, while the .dynamic section
is SHT_DYNAMIC. Attempting to combine them like this creates a section
type mismatch. While GNU ld doesn't seem to complain, LLVM's lld
considers this a fatal linking error.
This patch moves .dynamic out to its own section, so that the output ELF
has the correct types. (They're all mashed together when converting to
binary anyway, so this patch causes no change in the final .efi output.)
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
Cc: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The lone user of the legacy USB device framework have been removed for
some time. Remove the final parts of the code that were missed.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Link: https://lore.kernel.org/r/20250227205101.4127604-1-trini@konsulko.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Structure jmp_buf_data provides the underlying format of jmp_buf, which
we actually don't care about. Clean up existing code to use the standard
jmp_buf type. This introduces no functional change.
Signed-off-by: Yao Zi <ziyao@disroot.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Separate setjmp.h into an architecture independent part and an architecture
specific part. This simplifies moving from using struct jmp_buf_data
directly to using type jmp_buf in our code which is the C compliant way.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Add support for multiple efi_net_obj structs in efi_net.c. This comes
in preparation for an EFI network driver supporting multiple network
interfaces. For now the EFI network stack still registers a single ethernet
udevice as an EFI network device even if multiple are present, namely
the one that was the current device at the moment of EFI initialization.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
In preparation to support mutiple efi net udevices. Add a device path
cache to support device paths from multiple ethernet udevices.
The device paths can be added to the cache before EFI gets initialized and
the protocols get installed.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
In preparation to support multiple EFI net objects, support
constructing device paths using an ethernet device different
than the default. Add a udevice argument to the device path
generation, and keep the callsites with eth_get_dev() to
preserve existing functionality.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
This gets called each time a payload is to get executed by bootefi.
For now this only updates the PXE IP address.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
The coomand bootefi calls efi_init_obj_list to do the efi set up
before launching an .efi payload, but efi_init_obj_list is called
only once. There are some initializations which depend on the
environment and should be done each time a payload gets launched and
not only once. A motivation for this changes is the following order
of events:
1. Launch an EFI application (e.g. bootefi hello)
2. Change the ip address
3. Launch another application which uses the pxe protocol
As the EFI pxe protocol was initialized when the handles
for efi net were created in 1., the ip was hardcoded there.
In this example, another possibility would be to make a callback for ip
address changes to go all the way up to efi_net.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
The following symbols are exposed:
- efi_reinstall_protocol_interface
This is done so that the device path protocol interface
of the network device can be changed internally by u-boot
when a new bootfile gets downloaded.
- eth_set_dev
To support multiple network udevices
- efi_close_event
This comes in preparation to support unregistering
an EFI network device from the EFI network stack when
the underlying U-boot device gets removed
- efi_[dis]connect_controller
The EFI network driver uses ConnectController to add a
NIC to the EFI network stack.
- efi_uninstall_protocol_interface
connect_controler for the efi network driver can install
protocols, which need to be uninstalled in disconnect_controller
- EFI_SIMPLE_NETWORK_PROTOCOL_GUID
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
This commit fixes an use after free introduced in Commit e55a4acb54
(" efi_loader: net: set EFI bootdevice device path to HTTP when loaded
from wget"). The logic in efi_net_set_dp is reworked so that when the
function is invoked it not only changes the value of the static variable
net_dp (this is how the function was implemented in e55a4acb54) but also
updates the protocol interface of the device path protocol in case efi
has started.
Fixes: e55a4acb54 ("efi_loader: net: set EFI bootdevice device path to HTTP when loaded from wget")
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
Gabriel Dalimonte <gabriel.dalimonte@gmail.com> says:
This series adds support for file renaming to EFI_FILE_PROTOCOL.SetInfo().
One of the use cases for renaming in EFI is to facilitate boot loader
boot counting.
No existing filesystems in U-Boot currently include file renaming,
resulting in support for renaming at the filesystem level and a
concrete implementation for the FAT filesystem.
Link: https://lore.kernel.org/r/20250217182648.31294-1-gabriel.dalimonte@gmail.com
Following the UEFI specification. The specification did not seem to
delineate if file_name was explicitly a file name only, or could
include paths to move the file to a different directory. The more
generous interpretation of supporting paths was selected.
Signed-off-by: Gabriel Dalimonte <gabriel.dalimonte@gmail.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
In order to support renaming via SetInfo(), path must allow for longer
values than what was originally present when file_handle was allocated.
Signed-off-by: Gabriel Dalimonte <gabriel.dalimonte@gmail.com>
The implementation roughly follows the POSIX specification for
rename() [1]. The ordering of operations attempting to minimize the chance
for data loss in unexpected circumstances.
The 'mv' command was implemented as a front end for the rename operation
as that is what most users are likely familiar with in terms of behavior.
The 'FAT_RENAME' Kconfig option was added to prevent code size increase on
size-oriented builds like SPL.
[1] https://pubs.opengroup.org/onlinepubs/9799919799/functions/rename.html
Signed-off-by: Gabriel Dalimonte <gabriel.dalimonte@gmail.com>
This commit fixes an use after free introduced in Commit e55a4acb54
(" efi_loader: net: set EFI bootdevice device path to HTTP when loaded
from wget"). The logic in efi_net_set_dp is reworked so that when the
function is invoked it not only changes the value of the static variable
net_dp (this is how the function was implemented in e55a4acb54) but also
updates the protocol interface of the device path protocol in case efi
has started.
Fixes: e55a4acb54 ("efi_loader: net: set EFI bootdevice device path to HTTP when loaded from wget")
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com>
The function is only used in the efi_memory.c module.
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
When building with qemu_arm64_defconfig with CONFIG_CC_OPTIMIZE_FOR_DEBUG=y
and CONFIG_EFI_LOADER=n an error undefined reference to efi_add_memory_map_pg
occurs.
Move the EFI dependent part of lmb_map_update_notify() to the EFI
sub-system.
Reported-by: Liya Huang <1425075683@qq.com>
Acked-by: Liya Huang <1425075683@qq.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
For EFI runtime services, we manage to preserve string literals
by placing the .efi_runtime section just before .data and preserving
it when marking the runtime memory by marking surrounding boottime
code as runtime. This is ok for now but will break if we update any
linker scripts and decouple .text and .runtime sections.
So let's define the strings we used to compare in the appropriate
section for runtime services
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
After having been compared to a NULL value at efi_disk.c:426,
pointer 'part_info' is dereferenced at efi_disk.c:534.
Signed-off-by: Maks Mishin <maks.mishinFZ@gmail.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Move default eventlog size from efi to tpm for using in both
efi and measured boot.
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Rather than setting up the global variables and then making the call,
pass them into function directly. This cleans up the code and makes it
all a bit easier to understand.
Signed-off-by: Simon Glass <sjg@chromium.org>
This code is only needed if an invalid image/device path is passed in.
Move the code out to a caller where this can be dealt with. The normal
flow will provide these parameters.
Signed-off-by: Simon Glass <sjg@chromium.org>
This uses a few global variables at present. With the bootflow we have
the required parameters, so add a function which accepts these. Update
the existing function to call the new one with the globals.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Provide these globals as parameters to this function, on the way to
making it possible to start an image without relying on the globals.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
If a board has a strict size limit, disable
* Unicode capitalization and
* HII protocols
by default to reduce the image size.
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
