commit ddf67daac3 ("efi_capsule: Move signature from DTB to .rodata")
was reverted in
commit 47a25e81d3 ("Revert "efi_capsule: Move signature from DTB to .rodata"")
because that's what U-Boot was usually doing -- using the DT to store
configuration and data. Some of the discussions can be found here [0].
(Ab)using the device tree to store random data isn't ideal though.
On top of that with new features introduced over the years, keeping
the certificates in the DT has proven to be problematic.
One of the reasons is that platforms might send U-Boot a DTB
from the previous stage loader using a transfer list which won't contain
the signatures since other loaders are not aware of internal
U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding
the capsule certificate there does not work and requires users to dump
it and re-create it injecting the public keys.
Now that we have proper memory permissions for arm64, move the certificate
to .rodata and read it from there.
[0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Jonathan Humphreys <j-humphreys@ti.com> # on TI sk-am62p-lp
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on AML-A311D-CC
Tested-by: Raymond Mao <raymond.mao@linaro.org>
Rename the C and header files to use the membuf basename, to match the
functions.
Add a MAINTAINERS entry while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
Upcoming patches are switching the memory mappings to RW, RO, RX
after the U-Boot binary and its data are relocated. Add
annotations in the linker scripts to mark text, data, rodata
sections and align them to a page boundary.
It's worth noting that .efi_runtime memory permissions are left
untouched for now. There are two problems with EFI currently.
The first problem is that we bundle data, rodata and text in a single
.efi_runtime section which also must be close to .text for now.
As a result we also don't change the permissions for anything contained
in CPUDIR/start.o. In order to fix that we have to decouple .text_rest,
.text and .efi_runtime and have the runtime services on their own
section with proper memory permission annotations (efi_rodata etc).
The efi runtime regions (.efi_runtime_rel) can be relocated by the OS when
the latter is calling SetVirtualAddressMap. Which means we have to
configure those pages as RX for U-Boot but convert them to RWX just before
ExitBootServices. It also needs extra code in efi_runtime relocation
code since R_AARCH64_NONE are emitted as well if we page align the
section.
Due to the above ignore EFI for now and fix it later once we have the
rest in place.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on AML-S905X-CC
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Add a linker symbol which can be used to mark relocation code, so it can
be collected by the linker and copied into a suitable place and executed
when needed.
Signed-off-by: Simon Glass <sjg@chromium.org>
This breaks chromebook_coral which says:
Video: No video mode configured in FSP!
This reverts commit 2e9313179a.
Signed-off-by: Simon Glass <sjg@chromium.org>
These fields are currently set on exactly two platforms today, and used
by only one of them. Update pic32mzdask to use CFG_SYS_SRAM* in the one
location it needs it and otherwise drop this field from the bd_info
struct.
Signed-off-by: Tom Rini <trini@konsulko.com>
Tests which create a new bloblist overwrite the existing one in sandbox.
Provide a flag for tests to declare this behaviour. Save and restore the
bloblist pointer so that other tests remain unaffected.
Note that when sandbox is running normally, the bloblist has been
relocated to high in memory. The existing bloblist tests create a new
bloblist low in memory, so they do not conflict.
Correct a build error on coreboot by using accessors for gd->bloblist:
Signed-off-by: Simon Glass <sjg@chromium.org>
Nothing in cyclic.h is needed to define struct global_data, so do not
include that header.
If any .c file relies on getting cyclic.h through asm/global_data.h,
it needs to include it itself.
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Stefan Roese <sr@denx.de>
If the environment is not enabled we don't need these fields in
global_data. Make them conditional.
Make these fields conditional. Move env_buf up one so it can share
an #ifdef.
Signed-off-by: Simon Glass <sjg@chromium.org>
The early malloc region is normally quite small and is certainly less
than 4GB, so use a 32-bit value for the limit and pointer. Update the
comments for clarity while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some of the logging fields are larger than they need to be. Shrink them
and adjust the ordering to improve alignment.
Signed-off-by: Simon Glass <sjg@chromium.org>
This is the length of the U-Boot binary, which is typically 200-800KB
and certainly not larger than 4GB. Use a 32-bit value to save space in
global_data and move it up to be with fields of the same alignment.
Signed-off-by: Simon Glass <sjg@chromium.org>
The bus clock and memory clock are unlikely to go above 4GHz for now, so
reduce the field size to 32 bits.
Signed-off-by: Simon Glass <sjg@chromium.org>
Move all the fields which are always present to the top of the struct,
so we can potentially save some space by taking note of alignment.
Signed-off-by: Simon Glass <sjg@chromium.org>
Provide a function to locate this information, rather than doing it
automatically on startup, to save space in global_data.
Signed-off-by: Simon Glass <sjg@chromium.org>
This value is only really used before relocation. There is not much use
to showing its value in bdinfo, so drop it. Move it to the new boardf
struct.
Signed-off-by: Simon Glass <sjg@chromium.org>
Quite a few of the members of struct global_data are only used before
relocation, or have little meaning afterwards, yet they hang around in
struct global_data for the lifetime of U-Boot. This uses up precious
pre-relocation SRAM on many boards.
To help with this, start a new struct which exists only before
relocation. Move new_fdt into this new struct. Drop the display of it
in the 'bdinfo' command as it is probably not very useful.
Note that the field does not exist in SPL builds.
Signed-off-by: Simon Glass <sjg@chromium.org>
Use shorter types for some of these fields to save space. Reorder to put
fields with like alignment together.
Signed-off-by: Simon Glass <sjg@chromium.org>
We don't need a full word for this boolean value. Convert it into a flag
to save space in global_data.
Reviewed-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
This value mirrors information recorded by driver model video drivers,
so can be removed to save space. Drop it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Only m68k and powerpc use this field, so move it to the arch-specific
info, to reduce the size for other archs.
Signed-off-by: Simon Glass <sjg@chromium.org>
Specify the FIT and include information about each loaded image, as
required by the UPL handoff.
Write the UPL handoff into the bloblist before jumping to the next phase.
Control this using a runtime flag to avoid conflicting with other
handoff mechanisms.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a 'upl' command to work with Universal Payload features. For now it
only supports reading and writing a handoff structure.
Signed-off-by: Simon Glass <sjg@chromium.org>
The cyclic subsystem is currently enabled either in all build phases
or none. For tools this should not be enabled, but since lib/shc256.c
and other files include watchdog.h in the host build, we must make
sure that it is not enabled there.
Add an SPL symbol so that there is more control of this.
Add an include into cyclic.h so that tools can include this file.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Devarsh Thakkar <devarsht@ti.com>
Reviewed-by: Stefan Roese <sr@denx.de>
The dm_root_f field seems to be entirely write-only and hence
redundant, unless 'git grep' fails to find some access generated via
preprocessor token concatenation or similar.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Simon Glass <sjg@chromium.org>
__efi_runtime_start/end are defined as c variables for arm7 only in
order to force the compiler to emit relative references. However, defining
those within a section definition will do the same thing since [0].
On top of that the v8 linker scripts define it as a symbol.
So let's remove the special sections from the linker scripts, the
variable definitions from sections.c and define them as symbols within
the correct section.
[0] binutils commit 6b3b0ab89663 ("Make linker assigned symbol dynamic only for shared object")
Suggested-by: Sam Edwards <CFSworks@gmail.com>
Reviewed-by: Sam Edwards <CFSworks@gmail.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Sam Edwards <CFSworks@gmail.com> # Binary output identical
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
__efi_runtime_rel_start/end are defined as c variables for arm7 only in
order to force the compiler to emit relative references. However, defining
those within a section definition will do the same thing since [0].
On top of that the v8 linker scripts define it as a symbol.
So let's remove the special sections from the linker scripts, the
variable definitions from sections.c and define them as symbols within
the correct section.
[0] binutils commit 6b3b0ab89663 ("Make linker assigned symbol dynamic only for shared object")
Suggested-by: Sam Edwards <CFSworks@gmail.com>
Reviewed-by: Sam Edwards <CFSworks@gmail.com>
Tested-by: Sam Edwards <CFSworks@gmail.com> # Binary output identical
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag marks an EFI binary where
the following conditions are met [1]:
* Executable and writable sections are separated.
* The application does not run self-modifying code.
* The application uses the EFI_MEMORY_ATTRIBUTE_PROTOCOL when loading
executable code.
* The application does not assume that all memory ranges are usable.
* The stack is not expected to be executable.
The only EFI binaries U-Boot provides that do not fulfill these
requirements are the EFI app and the EFI payload.
Once we have implemented separation of writable and executable memory in
U-Boot we can use the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag to decide
if we will load an EFI binary.
[1] New UEFI CA memory mitigation requirements for signing
https://techcommunity.microsoft.com/t5/hardware-dev-center/new-uefi-ca-memory-mitigation-requirements-for-signing/ba-p/3608714
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
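A static check for the flag described in the commit above, as an added example that is not part of the commit or of U-Boot's own code: it reads DllCharacteristics from the PE optional header and also rejects any section marked both writable and executable, which is the only listed condition visible in the headers. The names efi_image_nx_ok() and check_sample() and the short macro names are assumptions made for this illustration, and the sample image is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NX_COMPAT     0x0100u      /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT */
#define SCN_MEM_EXEC  0x20000000u  /* IMAGE_SCN_MEM_EXECUTE */
#define SCN_MEM_WRITE 0x80000000u  /* IMAGE_SCN_MEM_WRITE */

static uint32_t rd_le(const uint8_t *p, int n)  /* little-endian read of n bytes */
{
	uint32_t v = 0;
	while (n--) v = (v << 8) | p[n];
	return v;
}

/* 1: flag set and no section is writable+executable; 0: not; -1: malformed */
int efi_image_nx_ok(const uint8_t *img, size_t len)
{
	if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
		return -1;
	size_t pe = rd_le(img + 0x3c, 4);            /* e_lfanew */
	if (pe > len || len - pe < 24 + 72 || memcmp(img + pe, "PE\0\0", 4))
		return -1;
	size_t nsect = rd_le(img + pe + 6, 2), optsz = rd_le(img + pe + 20, 2);
	size_t opt = pe + 24, room = len - opt;      /* optional header offset */
	if (optsz < 72 || optsz > room || nsect * 40 > room - optsz)
		return -1;
	if (!(rd_le(img + opt + 70, 2) & NX_COMPAT)) /* DllCharacteristics */
		return 0;
	for (size_t i = 0; i < nsect; i++) {         /* section Characteristics */
		uint32_t ch = rd_le(img + opt + optsz + i * 40 + 36, 4);
		if ((ch & SCN_MEM_EXEC) && (ch & SCN_MEM_WRITE))
			return 0;
	}
	return 1;
}

/* Constructed sample: minimal PE32+ headers with a single section entry */
int check_sample(uint16_t dllchar, uint32_t sect_flags)
{
	uint8_t img[0x40 + 24 + 240 + 40] = { 'M', 'Z' };
	size_t opt = 0x40 + 24;
	memcpy(img + 0x40, "PE\0\0", 4);
	/* e_lfanew, NumberOfSections, SizeOfOptionalHeader */
	img[0x3c] = 0x40; img[0x40 + 6] = 1; img[0x40 + 20] = 240;
	img[opt] = 0x0b; img[opt + 1] = 0x02;        /* PE32+ magic */
	img[opt + 70] = dllchar & 0xff; img[opt + 71] = dllchar >> 8;
	for (int i = 0; i < 4; i++)
		img[opt + 240 + 36 + i] = (sect_flags >> (8 * i)) & 0xff;
	return efi_image_nx_ok(img, sizeof(img));
}
```

The remaining conditions in the list (no self-modifying code, use of EFI_MEMORY_ATTRIBUTE_PROTOCOL, no executable stack) describe runtime behaviour and cannot be confirmed from the headers.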
If one defines HUSH_MODERN_PARSER, it is then possible to use modern parser with:
=> cli get
old
=> cli set modern
=> cli get
modern
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Francis Laniel <francis.laniel@amarulasolutions.com>
Currently {read,write}s{b,w,lq}() functions are available only on some
architectures, and there are no io{read,write}{8,16,32,64}_rep()
functions in u-boot. This patch adds generic versions that may be used
without arch-specific implementation.
Since some of the added functions were already added locally in some files,
remove them to avoid redeclaration errors.
Signed-off-by: Igor Prusov <ivprusov@salutedevices.com>
Typically the bloblist is set up after the devicetree is present. This
makes sense because bloblist may use malloc() to allocate the space it
needs.
However sometimes the devicetree itself may be present in the bloblist.
In that case it is at a known location in memory so we can init the
bloblist very early, before devicetree.
Add a flag to indicate whether the bloblist has been inited. Add a
function to init it only if needed. Use that in the init sequence.
Signed-off-by: Simon Glass <sjg@chromium.org>