Janne Grunau <j@jannau.net> says:
Starting with v2024.10 dev_iommu_dma_unmap calls during device removal
trigger a NULL pointer dereference in the Apple dart iommu driver. The
iommu device is removed before its user. The sparsely used DM_FLAG_VITAL
flag is intended to describe this dependency. Add it to the driver.
Adding this flag is unfortunately not enough since the boot routines
except the arm one simply remove all drivers. Add and use a new function
which calls
dm_remove_devices_flags(DM_REMOVE_ACTIVE_ALL | DM_REMOVE_NON_VITAL);
dm_remove_devices_flags(DM_REMOVE_ACTIVE_ALL);
to ensure this order dependency is head consistently.
Link: https://lore.kernel.org/r/20241123-iommu_apple_dart_ordering-v2-0-cc2ade6dde97@jannau.net
This replaces dm_remove_devices_flags() calls in all boot
implementations to ensure non vital devices are consistently removed
first. All boot implementations except arch/arm/lib/bootm.c currently
just call dm_remove_devices_flags(DM_REMOVE_ACTIVE_ALL). This can result
in crashes when dependencies between devices exist. The driver model's
design document describes DM_FLAG_VITAL as "indicates that the device is
'vital' to the operation of other devices". Device removal at boot
should follow this.
Instead of adding dm_remove_devices_flags() with (DM_REMOVE_ACTIVE_ALL |
DM_REMOVE_NON_VITAL) everywhere add dm_remove_devices_active() which
does this.
Fixes a NULL pointer deref in the apple dart IOMMU driver during EFI
boot. The xhci-pci (driver which depends on the IOMMU to work) removes
its mapping on removal. This explodes when the IOMMU device was removed
first.
dm_remove_devices_flags() is kept since it is used for testing of
device_remove() calls in dm.
Signed-off-by: Janne Grunau <j@jannau.net>
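A toy model of the removal-order problem described in the commit message above, added here as an illustration and not taken from U-Boot. Only the flag names come from the message; `struct dev`, `remove_pass()`, `simulate()`, the flag values and the two-entry device table are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>

/* Flag names follow the commit message; values and types are made up. */
#define DM_FLAG_VITAL        (1u << 0)
#define DM_REMOVE_ACTIVE_ALL (1u << 0)
#define DM_REMOVE_NON_VITAL  (1u << 1)

struct dev {
	const char *name;
	unsigned int flags;
	struct dev *iommu;	/* provider this device unmaps through, or NULL */
	bool active;
};

/*
 * Remove active devices in table order. With DM_REMOVE_NON_VITAL set,
 * devices marked DM_FLAG_VITAL are skipped. Returns how many devices had
 * to unmap through an IOMMU that was already removed (the situation that
 * ends in a NULL pointer dereference in the real driver).
 */
static int remove_pass(struct dev *devs, size_t n, unsigned int rm_flags)
{
	int faults = 0;

	for (size_t i = 0; i < n; i++) {
		struct dev *d = &devs[i];

		if (!d->active)
			continue;
		if ((rm_flags & DM_REMOVE_NON_VITAL) && (d->flags & DM_FLAG_VITAL))
			continue;
		if (d->iommu && !d->iommu->active)
			faults++;	/* unmap request reaches a dead provider */
		d->active = false;
	}
	return faults;
}

/* Constructed device table: the IOMMU is listed before its user. */
static int simulate(bool two_pass)
{
	struct dev devs[2] = {
		{ "iommu", DM_FLAG_VITAL, NULL, true },
		{ "xhci-pci", 0, NULL, true },
	};
	int faults = 0;

	devs[1].iommu = &devs[0];
	if (two_pass)
		faults += remove_pass(devs, 2, DM_REMOVE_ACTIVE_ALL | DM_REMOVE_NON_VITAL);
	faults += remove_pass(devs, 2, DM_REMOVE_ACTIVE_ALL);
	return faults;
}
```

A single pass removes the IOMMU before its user and records one fault; the two-pass order removes the user first and records none.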
We never free and unmap the memory on errors and we never unmap it when
freeing it. The latter won't cause any problems even on sandbox, but for
consistency always use unmap_sysmem()
Fixes: commit 22f2c9ed9f ("efi: memory: use the lmb API's for allocating and freeing memory")
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Commit 775f7657ba ("Kconfig: clean up the efi configuration status")
by mistake revoked commit dcd1b63b70 ("efi_loader: allow
EFI_LOADER_BOUNCE_BUFFER on all architectures").
Fixes: 775f7657ba ("Kconfig: clean up the efi configuration status")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Tested-by: Loic Devulder <ldevulder@suse.com>
The value of variable nt is never used. Just use NULL when calling
efi_check_pe().
The API function is not expected to write to the console. Such output might
have unwanted side effects on the screen layout of an EFI application.
Leave error handling to the caller.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The behavior of memcpy() for overlapping buffers is undefined.
Fixes: 4c57ec76b7 ("tpm: Implement state command for Cr50")
Addresses-Coverity-ID: 356664 Overlapping buffer in memory copy
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
In the message string " %s[%d]\t[0x%llx-0x%llx], 0x%08llx bytes flags: "
a comma is missing before flags.
To avoid increasing the code size replace '0x%' by '%#'.
Printing the size with leading zeros but not the addresses does not really
make sense. Remove the leading zeros from the size output.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
[trini: Fix test/cmd/bdinfo.c for these changes]
Signed-off-by: Tom Rini <trini@konsulko.com>
Commit c3cf0dc64f ("lmb: add a check to prevent memory overrun")
addressed a possible buffer overrun using assert_noisy().
Resetting via panic() in lmb_print_region() while allowing invalid
lmb flags elsewhere is not reasonable.
Instead of panicking print a message indicating the problem.
fls() returns an int. Using a u64 for bitpos does not match.
Use int instead.
fls() takes an int as argument. Using 1ull << bitpos generates a u64.
Use 1u << bitpos instead.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Acked-by: Sughosh Ganu <sughosh.ganu@linaro.org>
RFC 3447 says that typical salt lengths are either 0 or the length
of the output of the digest algorithm, RFC 4055 also recommends
hash value length as the salt length. Moreover, by convention,
most of the signing infrastructures/libraries use the length of
the digest algorithm (such as google cloud kms:
https://cloud.google.com/kms/docs/algorithms).
If the salt-length parameter is not set, openssl defaults to the
maximum allowed value, which is an openssl 'specificity', so this
works well for local signing, but restricts compatibility with
other engines (e.g. pkcs11/libkmsp11):
```
returning 0x71 from C_SignInit due to status INVALID_ARGUMENT:
at rsassa_pss.cc:53: expected salt length for key XX is 32,
but 478 was supplied in the parameters
Could not obtain signature: error:41000070:PKCS#11 module::Mechanism invalid
```
To improve compatibility, we set the default RSA-PSS salt-length
value to the conventional one. A further improvement could consist
in making it configurable as signature FIT node attribute.
rfc3447: https://datatracker.ietf.org/doc/html/rfc3447
rfc4055: https://datatracker.ietf.org/doc/html/rfc4055
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
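Where the "478" in the error above can come from, as an added example that is not part of the commit or of U-Boot: the largest salt that fits the EMSA-PSS encoding of RFC 3447 is emLen - hLen - 2, which is 478 bytes for a 4096-bit modulus and a 32-byte digest. The key size is an assumption (the log does not state it), and the function and enum names are hypothetical.

```c
#include <stddef.h>

enum pss_salt_verdict {
	PSS_SALT_DIGEST,	/* equals the digest length: the conventional choice */
	PSS_SALT_ZERO,		/* no salt */
	PSS_SALT_OTHER,		/* fits the encoding, but strict engines may reject it */
	PSS_SALT_INVALID,	/* does not fit the encoded message */
};

/*
 * Largest salt that fits EMSA-PSS (RFC 3447, sections 8.1.1 and 9.1.1):
 * emLen = ceil((modBits - 1) / 8) and encoding needs emLen >= hLen + sLen + 2.
 * Returns -1 if the modulus is too small for the digest.
 */
static int pss_max_salt_len(unsigned int mod_bits, unsigned int hash_len)
{
	unsigned int em_len = (mod_bits - 1 + 7) / 8;

	if (em_len < hash_len + 2)
		return -1;
	return (int)(em_len - hash_len - 2);
}

/* Classify a requested salt length for a given key size and digest. */
static enum pss_salt_verdict pss_classify_salt(unsigned int mod_bits,
					       unsigned int hash_len,
					       unsigned int salt_len)
{
	int max = pss_max_salt_len(mod_bits, hash_len);

	if (max < 0 || salt_len > (unsigned int)max)
		return PSS_SALT_INVALID;
	if (salt_len == hash_len)
		return PSS_SALT_DIGEST;
	if (salt_len == 0)
		return PSS_SALT_ZERO;
	return PSS_SALT_OTHER;
}
```

A maximum-length salt is a valid PSS parameter, so a verifier that accepts any salt length is unaffected; the failure appears only with signers that pin the salt to the digest length.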
Avoid a build failure when building with CONFIG_API=y, CONFIG_EXAMPLES=y:
```
lib/vsprintf.c:312:14: warning:
‘device_path_string’ defined but not used [-Wunused-function]
312 | static char *device_path_string(char *buf, char *end, void *dp, int field_width,
| ^~~~~~~~~~~~~~~~~~
```
Fixes: 64b5ba4d29 ("efi_loader: make device path to text protocol customizable")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Heinrich Schuchardt <heinrich.schuchardt@canonical.com> says:
The lib_test_uuid_to_le and lib_test_dynamic_uuid tests fail on
32-bit systems. But we never caught this in our CI because we never
ran any of our C unit tests on 32-bit.
Enable CONFIG_UNIT_TEST on qemu_arm_defconfig.
hextoul() cannot convert a string to a 64-bit number on a 32-bit system.
Use the new function hextoull() instead.
Link: https://lore.kernel.org/r/20241103224223.195255-1-heinrich.schuchardt@canonical.com
hextoul() cannot convert a string to a 64-bit number on a 32-bit system.
Use function hextoull() instead.
Reported-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Fixes: 22c48a92cd ("lib: uuid: supporting building as part of host tools")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
hextoul() cannot convert a string to a 64-bit number on a 32-bit system.
Use function hextoull() instead.
Reported-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Fixes: 22c48a92cd ("lib: uuid: supporting building as part of host tools")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
Tested-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
We often convert hexadecimal strings to hextoull(). Provide a wrapper
function to simple_strtoull() that does not require specifying the radix.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
SNI, or Server Name Indication, is an addition to the TLS encryption
protocol that enables a client device to specify the domain name it is
trying to reach in the first step of the TLS handshake, preventing
common name mismatch errors and not reaching HTTPS servers that
enforce this condition. Since most of the websites require it nowadays,
add support for it.
It's worth noting that this is already sent to lwIP [0]
[0] https://github.com/lwip-tcpip/lwip/pull/47
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The current code supports mbedTLS 2.28. Since we are using a newer
version in U-Boot, update the necessary accessors and the lwIP codebase
to work with mbedTLS 3.6.0. It's worth noting that the patches are
already sent to lwIP [0]
While at it enable LWIP_ALTCP_TLS and enable TLS support in lwIP
[0] https://github.com/lwip-tcpip/lwip/pull/47
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Since lwIP and mbedTLS have been merged we can tweak the config options
and enable TLS1.2 support. Add RSA and ECDSA by default and enable
enough block cipher modes of operation to be compatible with modern
TLS requirements and webservers.
Reviewed-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
These functions can be used with struct lmb pointers and will be used to
manage IOVA space in the apple_dart iommu driver. This restores part of
the pointer base struct lmb API from before commit ed17a33fed ("lmb:
make LMB memory map persistent and global").
io_lmb_add() and io_lmb_free() can trivially reuse existing lmb
functions. io_lmb_setup() is separate for unique error log messages.
io_lmb_alloc() is a simplified copy of _lmb_alloc_base() since the
latter has unused features and internal use of the global LMB memory map.
Signed-off-by: Janne Grunau <j@jannau.net>
Low level LMB functionality will be used to manage IOVA space in the
Apple dart iommu driver. This reordering ensures that those functions
cannot access the global LMB memory map variable.
Signed-off-by: Janne Grunau <j@jannau.net>
It will be re-used with a lmb list pointer as argument for IOVA
allocations in the apple_dart iommu driver.
Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Janne Grunau <j@jannau.net>
When the --native flag is given, pretend to be running the host
architecture rather than sandbox.
Allow the same control for PXE too.
Signed-off-by: Simon Glass <sjg@chromium.org>
Move this function from the EFI bootmeth to the common efi_helper file.
No functional change is intended.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a simple app to use for testing. This is intended to do whatever it
needs to for testing purposes. For now it just prints a message and
exits boot services.
There was a considerable amount of discussion about whether it is OK to
call exit-boot-services and then return to U-Boot. This is not normally
done in a real application, since exit-boot-services is used to
completely disconnect from U-Boot. For now, this part is skipped.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
All call sites are using size rather than end addresses,
so instead - as previously done - calculating an end address
everywhere, just modify the function to use size and internally
calculate the end address
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Patrick Wildt <pwildt@google.com>
Signed-off-by: Moritz Fischer <moritzf@google.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
There is already a defined stack-size which is used to reserve space for
the stack. It is confusing to add more in the lmb module, since then the
memory map (with meminfo command) seems to have a hole in it.
Drop this unnecessary feature.
Signed-off-by: Simon Glass <sjg@chromium.org>
Unlike linked lists, it is inefficient to remove items from an alist,
particularly if it is large. If most items need to be removed, then the
time-complexity approaches O(n^2).
Provide a way to do this efficiently, by working through the alist once
and copying elements down.
Signed-off-by: Simon Glass <sjg@chromium.org>
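The single-pass "copy elements down" approach described in the commit message above, sketched on a plain array as an added example. This is not U-Boot's alist code: `struct arr`, `arr_filter()`, `is_even()` and `demo()` are hypothetical stand-ins, and the sample values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical growable-array header, standing in for an alist. */
struct arr {
	void *data;
	size_t count;
	size_t obj_size;
};

typedef bool (*keep_fn)(const void *obj, void *priv);

/*
 * Keep only the elements for which keep() returns true, preserving order.
 * Each surviving element is moved at most once, so the cost is O(n) however
 * many elements are dropped. Returns the number of elements removed.
 */
static size_t arr_filter(struct arr *a, keep_fn keep, void *priv)
{
	char *base = a->data;
	size_t to = 0;

	for (size_t from = 0; from < a->count; from++) {
		char *src = base + from * a->obj_size;

		if (!keep(src, priv))
			continue;
		/* to < from here, so the two slots never overlap */
		if (to != from)
			memcpy(base + to * a->obj_size, src, a->obj_size);
		to++;
	}
	size_t removed = a->count - to;
	a->count = to;
	return removed;
}

static bool is_even(const void *obj, void *priv)
{
	(void)priv;
	return (*(const int *)obj % 2) == 0;
}

/* Filter an int array in place, keeping even values; returns the new count. */
static size_t demo(int *vals, size_t n)
{
	struct arr a = { vals, n, sizeof(*vals) };

	arr_filter(&a, is_even, NULL);
	return a.count;
}
```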
Sometimes it is useful to empty the list without de-allocating any of
the memory used, e.g. when the list will be re-populated immediately
afterwards.
Add a new function for this.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add some macros which permit easy iteration through an alist, similar to
those provided by the 'list' implementation.
Signed-off-by: Simon Glass <sjg@chromium.org>
Heinrich Schuchardt <heinrich.schuchardt@canonical.com> says:
With this series opendir, readdir, closedir are implemented for ext4.
These functions are needed for the UEFI sub-system to interact with
the ext4 file system.
To reduce code growth the functions are reused to implement the ls
command for ext4.
A memory leak in ext4fs_exists is resolved.
ext4fs_iterate_dir is simplified by removing a redundant pointer copy.
Link: https://lore.kernel.org/r/20241026064048.370062-1-heinrich.schuchardt@canonical.com
* Some of our file system drivers cannot report a file size for
directories. Use a dummy value in this case.
* For SetInfo the UEFI spec requires to ignore the file size field.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Function lmb_map_update_notify() is always referenced.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Fix "Integer handling issues (SIGN_EXTENSION)" in newly added code:
Cast serial_info.reg_offset to u64 to prevent an integer overflow when
shifted too many bits to the left. Currently this never happens as the
shift is supposed to be less than 4.
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Merge tag 'efi-2025-01-rc2' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request efi-2025-01-rc2
Documentation:
* include semihosting and K3 boards only once in table of contents
* include file-system API into HTML docs
* describe struct ext2_inode
* update Python requirements
UEFI:
* mark local functions static
* simplify efi_free_pages()
* pass correct end address value to efi_dp_from_mem()
* fix typos in HII test and eficonfig command
The function expects an end address but is being called with
a size instead.
Fixes: 6422820ac3 ("efi_loader: split unrelated code from efi_bootmgr.c")
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Moritz Fischer <moritzf@google.com>
Reviewed-by: Patrick Wildt <pwildt@google.com>
This function is only used locally, so make it static and quiesce
the W=1 warning
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
That variable is defined and assigned a value in two functions
but it's never used.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Mark functions that are only used locally as static and
quiesce W=1 warnings
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
A few functions are only used locally but miss the 'static' keyword.
Add it and quiesce W=1 build warnings
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
This is only used locally so make it static
Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
We currently call efi_free_pages() with a notify flag and explicitly
update the efi memory map. That's not needed as lmb_free_flags() will do
that for us if the LMB_NONOTIFY flag is removed
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
We never unmap the memory used to update the EFI memory map after
notifications
Fixes: commit 2f6191526a ("lmb: notify of any changes to the LMB memory map")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
CONFIG_CMD_DNS and CONFIG_CMD_WGET depend on CONFIG_CMD_NET.
CONFIG_CMD_NET depends on CONFIG_NET or CONFIG_NET_LWIP.
We shall only enable CONFIG_EFI_HTTP if there is network support.
We have to select CONFIG_CMD_NET.
Fixes: d7d07a8b50 ("efi_loader: support boot from URI device path")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Variables that are only used locally in a module should not be exported.
* Make the HII test data variables static.
* Remove unused GUIDs.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
lmb_alloc_flags() & lmb_alloc_base_flags() are just wrappers for
_lmb_alloc_base(). Since the only difference is the max address of the
allowed allocation which _lmb_alloc_base() already supports with the
LMB_ALLOC_ANYWHERE flag, remove one of them.
Keep the lmb_alloc_base_flags() which also prints an error on failures
and adjust efi_allocate_pages() to only use one of them.
While at it clean up the duplicate function description from the header
file.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>