Now that we have everything in place switch the page permissions for
.rodata, .text and .data just after we relocate everything in top of the
RAM.
Unfortunately we can't enable this by default, since we have examples of
U-Boot crashing due to invalid access. This usually happens because code
defines const variables that it later writes. So hide it behind a Kconfig
option until we sort it out.
It's worth noting that EFI runtime services are not covered by this
patch on purpose. Since the OS can call SetVirtualAddressMap which can
relocate runtime services, we need to set them to RX initially but remap
them as RWX right before ExitBootServices.
Link: https://lore.kernel.org/u-boot/20250129-rockchip-pinctrl-const-v1-0-450ccdadfa7e@cherry.de/
Link: https://lore.kernel.org/u-boot/20250130133646.2177194-1-andre.przywara@arm.com/
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The .init callback is not called by any function, drop it.
There are no more users of the init callback, drop the entire
mechanism.
Reviewed-by: Paul Barker <paul.barker.ct@bp.renesas.com>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Rather than doing autoprobe within the driver model code, move it out to
the board-init code. This makes it clear that it is a separate step from
binding devices.
For now this is always done twice, before and after relocation, but we
should discuss whether it might be possible to drop the post-relocation
probe.
For boards with SPL, the autoprobe is still done there as well.
Note that with this change, autoprobe happens after the
EVT_DM_POST_INIT_R/F events are sent, rather than before.
Link: https://lore.kernel.org/u-boot/20240626235717.272219-1-marex@denx.de/
Signed-off-by: Simon Glass <sjg@chromium.org>
Patch keeps the access to dtb_dt_embedded() within fdtdec API,
by means of new API function introduction. This new function is a
common place for updating appropriate global_data fields for
OF_EMBED case.
Also, the consequence of the patch is movement of '___dtb_dt_*begin'
symbols' declaration from header file, because nobody used symbols
outside the lib/fdtdec.c.
Signed-off-by: Evgeny Bachinin <EABachinin@salutedevices.com>
Suggested-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Patch resolves two kind of bugs, one of which is vulnerability related
to KASLR.
=== Issue briefly ===
Working with FDT (via non-relocated gd::fdt_blob) from inside bootm
command may lead to the reading the garbage instead of FDT nodes. And
this can result in various side-effects depending on DTS nodes, being
parsed during bootm.
But below is my specific story how I faced with this issue due to
MESON_RNG probing failure.
=== Bugs description ===
1) Bug is revealed on:
* configuration below
* U-boot 2024.10 - f919c3a889 ("Prepare v2024.10")
It seems, the following patch is a trigger:
ea955eea4f ("fdt: automatically add /chosen/kaslr-seed if DM_RNG is enabled")
Generally, CONFIG_OF_EMBED=y & CONFIG_RNG_MESON=y are the most
valuable ones for reproducing the issue.
```
CONFIG_ARCH_FIXUP_FDT_MEMORY=y
CONFIG_CMD_FDT=y
CONFIG_DEFAULT_FDT_FILE=""
CONFIG_FDT_64BIT=y
CONFIG_OF_BOARD_SETUP=y
CONFIG_OF_CONTROL=y
CONFIG_OF_EMBED=y
CONFIG_OF_LIBFDT_ASSUME_MASK=0x0
CONFIG_OF_LIBFDT_OVERLAY=y
CONFIG_OF_LIBFDT=y
CONFIG_OF_LIST="meson-axg-our-device-name"
CONFIG_OF_REAL=y
CONFIG_OF_TRANSLATE=y
CONFIG_SUPPORT_OF_CONTROL=y
CONFIG_SYS_FDT_PAD=0x3000
CONFIG_TOOLS_OF_LIBFDT=y
CONFIG_DM_RNG=y
CONFIG_RNG_MESON=y
```
2) Due to CONFIG_OF_EMBED, the DTS is embedded into U-boot ELF and
accessible via __dtb_dt_begin symbol.
On early boot stage (board_f.c) the fdtdec_setup() is called only
once before U-boot's relocation into top of RAM. fdtdec_setup()
initializes gd::fdt_blob for FDTSRC_EMBED case:
```
gd->fdt_blob = dtb_dt_embedded();
gd->fdt_src = FDTSRC_EMBED;
```
3) Then reloc_fdt() is called in board_f.c
But due to CONFIG_OF_EMBED=y the reloc_fdt() does not update
gd::fdt_blob value (strictly speaking, it is impossible for
CONFIG_OF_EMBED=y, because U-boot ELF has not been relocated yet
at this moment).
As a result after relocation we get fdt_blob, pointing to DTS address
before relocation:
```
# bdinfo
<...>
relocaddr = 0x000000000fedf000
reloc off = 0x000000000eedf000
<...>
fdt_blob = 0x010ce6c0 << points to __dtb_dt_begin before relocation
new_fdt = 0x0000000000000000 << empty erroneously
fdt_size = 0x0000000000000000 << zero erroneously
```
4) During bootm command (according to our ITS-config file) the Linux
is loaded into 0x01080000 (which is very close to fdt_blob addr
0x010ce6c0).
```
## Loading kernel from FIT Image at 04000000 ...
Trying 'kernel' kernel subimage
<...>
Load Address: 0x01080000
```
So Linux image overwrites the gd::fdt_blob memory location
in RAM (0x010ce6c0).
5) Issue:
Hence any manipulation with DTS (say, via FDT API) inside
implementation of bootm command leads to accessing the fdt_blob area
with garbage, that can lead to two situations:
5.1) Abort.
Call to fdt_off_dt_struct() from fdt_next_tag() :: fdt_offset_ptr()::
fdt_offset_ptr_() returns with garbage, that leads to tagp value
being out of RAM top addr (256 Mb in our board), causing the abort:
```
Boot cmd: bootm 0x4000000#boot_evt1
bootm_run_states()
<...>
image_setup_libfdt()
fdt_chosen()
fdt_kaslrseed()
uclass_get_device()
uclass_get_device_tail()
device_probe()
device_of_to_plat()
meson_rng_of_to_plat()
clk_get_by_name_optional()
clk_get_by_name()
clk_get_by_name_nodev()
ofnode_stringlist_search()
fdt_stringlist_search()
fdt_getprop()
fdt_get_property_namelen_()
fdt_first_property_offset()
fdt_check_node_offset_()
fdt_next_tag():
```
tagp = fdt_offset_ptr(fdt, offset, FDT_TAGSIZE);
```
fdt_next_tag() tagp:0x22890766
fdt_next_tag() ram_top:0x10000000 (tagp OUT of RAM)
"Synchronous Abort" handler, esr 0x96000010, far 0x22890766
elr: 000000000108be24 lr : 000000000108be24 (reloc)
elr: 000000000ff6fe24 lr : 000000000ff6fe24
x0 : 0000000000000041 x1 : 0000000000000000
x2 : 000000000ff3b57c x3 : 0000000000000012
x4 : 000000000ded2ad5 x5 : 0000000000000020
x6 : 00000000ffffffe8 x7 : 000000000ded2f40
x8 : 00000000ffffffd8 x9 : 000000000000000d
x10: 0000000000000006 x11: 000000000001869f
x12: 000000000fffffff x13: 000000000fffffff
x14: 0000000000000000 x15: 000000000ded2abb
x16: 000000000ff3b080 x17: 0000000000000001
x18: 000000000ded3dc0 x19: 0000000022890766
x20: 00000000010cb0f0 x21: 00000000000015e4
x22: 000000000ff8f4d8 x23: 000000000000000b
x24: 000000000ded2fbc x25: 000000000ffe2000
x22: 000000000ff8f4d8 x23: 000000000000000b
x24: 000000000ded2fbc x25: 000000000ffe2000
x26: 000000000ffe2000 x27: 000000000000000b
x28: 000000000ff9cf2d x29: 000000000ded2f40
Code: aa1603e1 91197484 52801742 94004de8 (b9400276)
```
5.2) Vulnerability situation "KASLR is disabled".
Almost the same as in (5.1), but 2 situations happen (depending on
the value of garbage):
* call to fdt_offset_ptr_() :: fdt_off_dt_struct(fdt)
returns not so big garbage, leading to tagp, being inside RAM.
* or calculations of absoffset inside fdt_offset_ptr() leads to
failure of the one of if() conditions with NULL as retval.
Result is fdt_next_tag() interprets the tagp as FDT_END. And we are
returning from our callstack via functions' error paths, leading to
"No RNG device" and "KASLR disabled due to lack of seed":
```
fdt_kaslrseed()
uclass_get_device()
<...>
device_probe()
device_of_to_plat()
meson_rng_of_to_plat()
clk_get_by_name()
clk_get_by_name_nodev()
<...>
fdt_stringlist_search()
fdt_getprop()
fdt_get_property_namelen_()
fdt_first_property_offset()
fdt_check_node_offset_()
fdt_next_tag():
```
tagp = fdt_offset_ptr(fdt, offset, FDT_TAGSIZE);
```
fdt_next_tag() tagp:0000000001890677
fdt_next_tag() ram_top:0x10000000 (tagp is inside RAM)
uclass_get_device_tail():486 device_probe() ret:-22
No RNG device
Starting kernel ...
[ 0.000000] Linux version 6.9.12
[ 0.000000] KASLR disabled due to lack of seed
```
Signed-off-by: Evgeny Bachinin <EABachinin@salutedevices.com>
efi_loader.h is included twice. Remove one and move the other in
alphabetical order
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Peter Robinson <pbrobinson@gmail.com>
The call to malloc() is a bit strange. The naming of the arguments
suggests that an address is passed, but in fact it is a pointer, at
least in the board_init_r() function and SPL equivalent.
Update it to work as described. Add a function comment as well.
Note that this does adjustment does not extend into the malloc()
implementation itself, apart from changing mem_malloc_init(), since
there are lots of casts and pointers and integers are used
interchangeably.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Add what it takes to enable NETDEVICES with NET_LWIP and enable DHCP as
well as the dhcp command. CMD_TFTPBOOT is selected by BOOTMETH_EFI due
to this code having an implicit dependency on do_tftpb().
Note that PXE is likely non-fonctional with NET_LWIP (or at least not
100% functional) because DHCP option 209 is not supported by the lwIP
library. Therefore, BOOTP_PXE_DHCP_OPTION cannot be enabled.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Rework BOOT LED handling. There is currently one legacy implementation
for BOOT LED from Status Led API.
This work on ancient implementation used by BOOTP by setting the LED
to Blink on boot and to turn it OFF when the firmware was correctly
received by network.
Now that we new LED implementation have support for LED boot, rework
this by also set the new BOOT LED to blink and also set it to ON before
entering main loop to confirm successful boot.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Sughosh Ganu <sughosh.ganu@linaro.org> says:
This is a follow-up from an earlier RFC series [1] for making the LMB
and EFI memory allocations work together. This is a non-rfc version
with only the LMB part of the patches, for making the LMB memory map
global and persistent.
This is part one of a set of patches which aim to have the LMB and EFI
memory allocations work together. This requires making the LMB memory
map global and persistent, instead of having local, caller specific
maps. This is being done keeping in mind the usage of LMB memory by
platforms where the same memory region can be used to load multiple
different images. What is not allowed is to overwrite memory that has
been allocated by the other module, currently the EFI memory
module. This is being achieved by introducing a new flag,
LMB_NOOVERWRITE, which represents memory which cannot be re-requested
once allocated.
The data structures (alloced lists) required for maintaining the LMB
map are initialised during board init. The LMB module is enabled by
default for the main U-Boot image, while it needs to be enabled for
SPL. This version also uses a stack implementation, as suggested by
Simon Glass to temporarily store the lmb structure instance which is
used during normal operation when running lmb tests. This does away
with the need to run the lmb tests separately.
The tests have been tweaked where needed because of these changes.
The second part of the patches, to be sent subsequently, would work on
having the EFI allocations work with the LMB API's.
[1] - https://lore.kernel.org/u-boot/20240704073544.670249-1-sughosh.ganu@linaro.org/T/#t
Notes:
1) These patches are on next, as the alist patches have been
applied to that branch.
2) I have tested the boot on the ST DK2 board, but it would be good to
get a T-b/R-b from the ST maintainers.
3) It will be good to test these changes on a PowerPC platform
(ideally an 85xx, as I do not have one).
The memory map maintained by the LMB module is now persistent and
global. This memory map is being maintained through the alloced list
structure which can be extended at runtime -- there is one list for
the available memory, and one for the used memory. Allocate and
initialise these lists during the board init.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The early malloc region is normally quite small and is certainly less
than 4GB, so use a 32-bit value for the limit and pointer. Update the
comments for clarity while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
The dm_root_f field seems to be entirely write-only and hence
redundant, unless 'git grep' fails to find some access generated via
preprocessor token concatenation or similar.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Simon Glass <sjg@chromium.org>
As part of bringing the master branch back in to next, we need to allow
for all of these changes to exist here.
Reported-by: Jonas Karlman <jonas@kwiboo.se>
Signed-off-by: Tom Rini <trini@konsulko.com>
When bringing in the series 'arm: dts: am62-beagleplay: Fix Beagleplay
Ethernet"' I failed to notice that b4 noticed it was based on next and
so took that as the base commit and merged that part of next to master.
This reverts commit c8ffd1356d, reversing
changes made to 2ee6f3a5f7.
Reported-by: Jonas Karlman <jonas@kwiboo.se>
Signed-off-by: Tom Rini <trini@konsulko.com>
The migration deadline for moving to DM_SCSI was v2023.04. A further
reminder was sent out in August 2023 to the remaining platforms that had
not migrated already, and that a few more over the line (or configs
deleted).
With this commit we:
- Rename CONFIG_DM_SCSI to CONFIG_SCSI.
- Remove all of the non-DM SCSI code. This includes removing other
legacy symbols and code and removes some legacy non-DM AHCI code.
- Some platforms that had previously been DM_SCSI=y && SCSI=n are now
fully migrated to DM_SCSI as a few corner cases in the code assumed
DM_SCSI=y meant SCSI=y.
Signed-off-by: Tom Rini <trini@konsulko.com>
Introduce EVT_SETTINGS_R, triggered post-relocation and before console
init.
This event gives an option to perform any platform-dependent setup,
which needs to take place before show_board_info(). Usage examples
include readout of EEPROM stored settings.
Signed-off-by: Artur Rojek <artur@conclusive.pl>
Reviewed-by: Simon Glass <sjg@chromium.org>
Use the new SPL/TPL/VPL_SYS_MALLOC_F symbols to determine whether the
malloc pool exists.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Sean Anderson <sean.anderson@seco.com>
The last user of the NEEDS_MANUAL_RELOC has been removed in commit
26af162ac8 ("arch: m68k: Implement relocation")
Remove now unused NEEDS_MANUAL_RELOC code.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
The last user of the NEEDS_MANUAL_RELOC has been removed in commit
26af162ac8 ("arch: m68k: Implement relocation")
Remove now unused NEEDS_MANUAL_RELOC code.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
The last user of the NEEDS_MANUAL_RELOC has been removed in commit
26af162ac8 ("arch: m68k: Implement relocation")
Remove now unused NEEDS_MANUAL_RELOC code.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Add a new event which handles this function. Convert existing use of
the function to use the new event instead.
Make sure that EVENT is enabled by affected boards, by selecting it from
the LAST_STAGE_INIT option. For x86, enable it by default since all boards
need it.
For controlcenterdc, inline the get_tpm() function and make sure the event
is not built in SPL.
Signed-off-by: Simon Glass <sjg@chromium.org>
Move the manual-relocation code to the initcall file. Make sure to avoid
manually relocating event types. Only true function pointers should be
relocated.
Signed-off-by: Simon Glass <sjg@chromium.org>
Somehow I do not see any inlining with initcalls now. I was sure I saw
it when this commit went in, but now it seems to make things worse.
This reverts commit 47870afab9.
Signed-off-by: Simon Glass <sjg@chromium.org>
Now all linker symbols are declared as type char[]. Though we can
reference the address via both the array name 'var' and its address
'&var'. It's better to unify them to avoid confusing developers.
This patch converts all '&var' linker symbol refrences to the most
commonly used format 'var'.
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
It is useful to see the base of the malloc region. This is visible when
debugging but not in normal usage.
Add it to the global data so that it can be shown.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Nikhil M Jain <n-jain1@ti.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Nikhil M Jain <n-jain1@ti.com>
Add a CONFIG option to deal with this automatically, printing a warning
when U-Boot starts up. This can be useful if the device tree comes from
another project.
We will maintain this through the 2023.07 release, providing 6 months
for people to notice.
Signed-off-by: Simon Glass <sjg@chromium.org>
Version 4:
Acked-by: Michal Simek <michal.simek@amd.com>
Reset the serial flags so that the debug UART can be used (if enabled)
in the small window where there is no serial device. This can avoid a hang
in some cases.
Signed-off-by: Simon Glass <sjg@chromium.org>
This converts 2 usages of this option to the non-SPL form, since there is
no SPL_SAVE_PREV_BL_INITRAMFS_START_ADDR defined in Kconfig
Signed-off-by: Simon Glass <sjg@chromium.org>
This converts 2 usages of this option to the non-SPL form, since there is
no SPL_SAVE_PREV_BL_FDT_ADDR defined in Kconfig
Signed-off-by: Simon Glass <sjg@chromium.org>
This converts 1 usage of this option to the non-SPL form, since there is
no SPL_OF_EMBED defined in Kconfig
Signed-off-by: Simon Glass <sjg@chromium.org>
This converts 3 usages of this option to the non-SPL form, since there is
no SPL_NEEDS_MANUAL_RELOC defined in Kconfig
Signed-off-by: Simon Glass <sjg@chromium.org>
The gpio_hog_probe_all() functionality can be perfectly well replaced by
DM_FLAG_PROBE_AFTER_BIND DM flag, which would trigger .probe() callback
of each GPIO hog driver instance after .bind() and thus configure the
hogged GPIO accordingly.
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Samuel Holland <samuel@sholland.org>
The rest of the unmigrated CONFIG symbols in the CONFIG_SYS namespace do
not easily transition to Kconfig. In many cases they likely should come
from the device tree instead. Move these out of CONFIG namespace and in
to CFG namespace.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Since the commit a9bf024b29 ("efi_loader: disk: a helper function to
create efi_disk objects from udevice"), CONFIG_EFI_SETUP_EARLY option is
by default on and will never be turned off.
So just remove this option.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Currently, we must call cyclic_init() at some point before
cyclic_register() becomes possible. That turns out to be somewhat
awkward, especially with SPL, and has resulted in a watchdog callback
not being registered, thus causing the board to prematurely reset.
We already rely on gd->cyclic reliably being set to NULL by the asm
code that clears all of gd. Now that the cyclic list is a hlist, and
thus an empty list is represented by a NULL head pointer, and struct
cyclic_drv has no other members, we can just as well drop a level of
indirection and put the hlist_head directly in struct
global_data. This doesn't increase the size of struct global_data,
gets rid of an early malloc(), and generates slightly smaller code.
But primarily, this avoids having to call cyclic_init() early; the cyclic
infrastructure is simply ready to register callbacks as soon as we
enter C code.
We can still end up with schedule() being called from asm very early,
so we still need to check that gd itself has been properly initialized
[*], but once it has, gd->cyclic_list is perfectly fine to access, and
will just be an empty list.
As for cyclic_uninit(), it was never really the opposite of
cyclic_init() since it didn't free the struct cyclic_drv nor set
gd->cyclic to NULL. Rename it to cyclic_unregister_all() and use that
in test/, and also insert a call at the end of the board_init_f
sequence so that gd->cyclic_list is a fresh empty list before we enter
board_init_r().
A small piece of ugliness is that I had to add a cast in
cyclic_get_list() to silence a "discards 'volatile' qualifier"
warning, but that is completely equivalent to the existing handling of
the uclass_root_s list_head member.
[*] I'm not really sure where we guarantee that the register used for
gd contains 0 until it gets explicitly initialized, but that must be
the case, otherwise testing gd for being NULL would not make much sense.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Stefan Roese <sr@denx.de>
Tested-by: Stefan Roese <sr@denx.de>
Tested-by: Tim Harvey <tharvey@gateworks.com> # imx8mm-venice-*
Add an event type EVT_MAIN_LOOP that can be used for registering
events that need to be run after the platform has been initialised and
before the main_loop function is called.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
The current name is inconsistent with SPL which uses CONFIG_SPL_TEXT_BASE
and this makes it imposible to use CONFIG_VAL().
Rename it to resolve this problem.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present there is only one device tree used by the ofnode functions,
except for some esoteric use of live tree. In preparation for supporting
more than one, add a way to reset the list of device trees.
For now this does nothing.
Signed-off-by: Simon Glass <sjg@chromium.org>
When the embedded device tree is pointed to by the __dtb_dt_*begin
symbols, it seems to be covered by the early relocation code and doesn't
need to be manually patched.
Cc: Simon Glass <sjg@chromium.org>
Signed-off-by: Pierre-Clément Tosi <ptosi@google.com>
Globally replace all occurances of WATCHDOG_RESET() with schedule(),
which handles the HW_WATCHDOG functionality and the cyclic
infrastructure.
Signed-off-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Tom Rini <trini@konsulko.com> [am335x_evm, mx6cuboxi, rpi_3,dra7xx_evm, pine64_plus, am65x_evm, j721e_evm]
