This fixes CVE-2018-18439 ("insufficient boundary checks in network
image boot") by using lmb to check for a valid range to store
received blocks.
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
[trini: Always build lib/lmb.o on LMB and lib/fdtdec.o on OF_LIBFDT]
Signed-off-by: Tom Rini <trini@konsulko.com>
This fixes CVE-2018-18440 ("insufficient boundary checks in filesystem
image load") by using lmb to check the load size of a file against
reserved memory addresses.
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This adds two new functions, lmb_alloc_addr and
lmb_get_unreserved_size.
lmb_alloc_addr behaves like lmb_alloc, but it tries to allocate a
pre-specified address range. Unlike lmb_reserve, this address range
must be inside one of the memory ranges that has been set up with
lmb_add.
lmb_get_unreserved_size returns the number of bytes that can be
used up to the next reserved region or the end of valid ram. This
can be 0 if the address passed is reserved.
Added test for these new functions.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
boot_fdt_add_mem_rsv_regions() adds reserved memory sections to an lmb
struct. Currently, it only parses regions described by /memreserve/
entries.
Extend this to the more commonly used scheme of the "reserved-memory"
node.
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
lmb_add_region handles overlapping regions wrong: instead of merging
or rejecting to add a new reserved region that overlaps an existing
one, it just adds the new region.
Since internally the same function is used for lmb_alloc, change
lmb_add_region to reject overlapping regions.
Also, to keep reserved memory correct after 'free', reserved entries
created by allocating memory must not set their size to a multiple
of alignment but to the original size. This ensures the reserved
region is completely removed when the caller calls 'lmb_free', as
this one takes the same size as passed to 'lmb_alloc' etc.
Add test to assert this.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
The lmb code fails if base + size of RAM overflows to zero.
Fix this by calculating end as 'base + size - 1' instead of 'base + size'
where appropriate.
Added tests to assert this is fixed.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Buildman clang support and a few fixes
Small fixes to 'dm tree' and regmap test
Improve sandbox build compatibility
A few other minor fixes
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEslwAIq+Gp8wWVbYnfxc6PpAIreYFAlw+AlIACgkQfxc6PpAI
reYchAf+L/P5JsLoCKAY84v11eWQkCS44idAYStD8Q023dyuyNC/W6G3qEQVGkHu
SXBzNrZ5wSJanN5I3h3ktJ7yfMOYIvSO2qLHphxDstPaZbCY4Zac6NywHrHxQpA9
fbSilQRbcVWrPo5rsjjZhXmMdQRZVOmGD6CYZj1AihWAiHfYth7f6laNWNTWQA8C
z+aoiF70t/PbvwFbgdzzYOjoGdXI9XML0xTqdLWRlsBKjf3z54pCV6LmN2xrsrDZ
k7lr+x7ajJUFhivxzjowf4aOjhDB+/+I3sr+hJ5vkMM0Kqg14bbEU+xJRGpDc18K
QPvVHT5JGe/nq1cZXuCqzrYxTrrA7A==
=w9ln
-----END PGP SIGNATURE-----
Merge tag 'dm-pull-15jan19' of git://git.denx.de/u-boot-dm
Fix recent changes to serial API for driver model
Buildman clang support and a few fixes
Small fixes to 'dm tree' and regmap test
Improve sandbox build compatibility
A few other minor fixes
Add the dollar_complete() function to auto-complete arguments starting
with a '$' and use it in the cmd_auto_complete() path such that all
args starting with a $ can be auto-completed based on the available env
vars.
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
[trini: Fix some linking problems]
Signed-off-by: Tom Rini <trini@konsulko.com>
The uuid command is only really useful in U-Boot, but it's useless in
SPL. Worse yet, it pulls in various environment manipulation functions
as it call env_set(). Do not compile the command in in SPL.
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Cc: Tom Rini <trini@konsulko.com>
With 8 bytes addressing even on 32 bit machines these checks
are no longer valid. Remove them.
Signed-off-by: Keerthy <j-keerthy@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The printf() string here is not actually correct. Add a cast to avoid
a warning when checking is enabled.
Signed-off-by: Simon Glass <sjg@chromium.org>
While changing the RTS alignment to 64KB in commit 7a82c3051c
("efi_loader: Align runtime section to 64kb") the relocation code
started to break.
The reason for that is that we didn't actually look at the real
relocation data. We merely took the RUNTIME_CODE section as a
hint and started to relocate based on self calculated data from
that point on. That calculation was now out of sync though.
To ensure we're not running into such a situation again, this patch
makes the runtime relocation code a bit more robust. We can just
trust the phys/virt hints from the payload. We also should check that
we really only have a single section, as the code doesn't handle
multiple code relocations yet.
Fixes: 7a82c3051c ("efi_loader: Align runtime section to 64kb")
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reported-by: Loic Devulder <ldevulder@suse.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Tested-by: Loic Devulder <ldevulder@suse.de>
Tested-by: Jonathan Gray <jsg@jsg.id.au>
Signed-off-by: Alexander Graf <agraf@suse.de>
In commit 483dbab9f9 ("lib: crc32: mark function crc32() as
__efi_runtime") one local static variable was missed. It did not end up in
the __efi_runtime_data section as it should.
If CONFIG_DYNAMIC_CRC_TABLE=y a data abort execption may occur when the
UEFI payload calls the SetVirtualAddressMap() runtime service.
Reported-by: Dominik Adamski <dominik.adamski@northerntech.community>
Fixes: 483dbab9f9 ("lib: crc32: mark function crc32() as __efi_runtime")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Reading the position in a file after closing the same results in a read
after free.
Correct the sequence in the test.
Reported-by: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
The commit below incorrectly fixed hexport_r();
> size = totlen + 1;
One extra byte is necessary to NULL-terminate a whole buffer, "resp."
Fixes: f1b20acb4a ("hashtable: Fix length calculation in hexport_r")
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Building U-Boot with CONFIG_PCI and CONFIG_DM_PCI enabled, but
CONFIG_SPL_PCI_SUPPORT disabled, results in following linker
error:
lib/built-in.o: In function `fdtdec_get_pci_bar32':
lib/fdtdec.c:305: undefined reference to `dm_pci_read_bar32'
fdtdec.c:305:(.text.fdtdec_get_pci_bar32+0x24): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `dm_pci_read_bar32'
This is because reference to dm_pci_read_bar32() remains in lib/fdtdec.c
while SPL build does not descend into drivers/pci directory in
drivers/Makefile if CONFIG_SPL_PCI_SUPPORT is not enabled.
Fix this by applying appropriate #define guards in lib/fdtdec.c.
It looks like ns16550.c has the same problem, so fixed that too.
To simplify this, CONFIG_SPL_PCI_SUPPORT is renamed to CONFIG_SPL_PCI
(enables use of CONFIG_IS_ENABLED() macro).
Suggested-by: Vignesh R <vigneshr@ti.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
In some cases it may be useful to be able to change the fdt we have been
using and use another one instead. For example, the TI platforms uses an
EEPROM to store board information and, based on the type of board,
different dtbs are used by the SPL. When DM_I2C is used, a first dtb must
be used before the I2C is initialized and only then the final dtb can be
selected.
To speed up the process and reduce memory usage, introduce a new function
fdtdec_setup_best_match() that re-use the DTBs loaded in memory by
fdtdec_setup() to select the best match.
Signed-off-by: Jean-Jacques Hiblot <jjhiblot@ti.com>
Reviewed-by: Heiko Schocher <hs@denx.de>
The CRC16-CCITT checksum function is useful for space-constrained
applications (such as obtaining a checksum across a 2KBit or 4KBit
EEPROM) in boot applications. It has not been accessible from boot
scripts until now (due to not having a dedicated command and not being
supported by the hash infrstructure) limiting its applicability
outside of custom commands.
This adds the CRC16-CCITT (poly 0x1021, init 0x0) algorithm to the
list of available hashes and adds a new crc16_ccitt_wd_buf() to make
this possible.
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
[trini: Fix building crc16.o for SPL/TPL]
Signed-off-by: Tom Rini <trini@konsulko.com>
This merges the CRC16-CCITT headers into u-boot/crc.h to prepare for
rolling CRC16 into the hash infrastructure. Given that CRC8, CRC32
and CRC32-C already have their prototypes in a single header file, it
seems a good idea to also include CRC16-CCITT in the same.
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
There is only one place in the code which assumes at build-time that we
are using either a v1 or a v2 TPM. Fix this up and add a new function to
return the version of a TPM.
Supported TPM versions (v1 and v2) can be enabled independently and it is
possible to use both versions at once. This is useful for sandbox when
running tests.
Signed-off-by: Simon Glass <sjg@chromium.org>
This release is fully packed with lots of glorious improvements in UEFI
land again!
- Make PE images more standards compliant
- Improve sandbox support
- Improve correctness
- Fix RISC-V execution on virt model
- Honor board defined top of ram (fixes a few boards)
- Imply DM USB access when distro boot is available
- Code cleanups
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABAgAGBQJcBYKAAAoJECszeR4D/txgBgwQALmYioI67R5/Iizpv7bg+rIQ
0TyPKZHmfHtVjGHd5X4X+9NBsoaSKqGnoI12bJ+V9hIMuiu5qFKyM3icTOOJ6LI6
wggnvMWZl5nfZmdEgETHTmaZkQZzKwhzbftGlGf2j19FdDk1OOI7hRNLeaIZUTv0
VHiUV68PP/1Of1y7iqB5jij1wTUHWlCufKjGXELP0bAXx86/tecgCuvjBihXizz/
sMsCxEF8++pb5l/l4yFEkKd5rr5D/ZkKMLR4KniZVq2qP1S4calolP14ykHN+a/l
uKP4e4GDuYyrgXXTNRFhVTlaAn18bmvxH4ialnpYVZKRtfsdHPHQXfqmgf8ZgJPE
JK3mmG6eLCbBPeND2Yz3b7G/Ec04z+RJXx0hriyLdejLgp5jM9SBtygiz6FmQLpQ
VfDJNEWV7ot6Ejou55O0d9u5ATF0jAd4tikmsrStWWZOVHvie6nG0wFYiRxnWCKP
sid0p7lWSUKEl0sAvA0LglNMzd4tCAq7vtkfLj/BVrDc9Jpir9CVJ13ppXIGk1HC
YIGWLo0uXAGC9wgRE7ZgGCKtQ6VFZRbSiJQOowi4MrHzHXH218oSNz2w25tAVTBw
le2WbxlGNYhV1xnoWMks1GTdWGQDCXdfBAhfzRIvQq2kz4z9V8hzpnVDIk2ZL3L1
o3nqUatR0ZVXPcinf+Ke
=6o9t
-----END PGP SIGNATURE-----
Merge tag 'signed-efi-next' of git://github.com/agraf/u-boot
Patch queue for efi - 2018-12-03
This release is fully packed with lots of glorious improvements in UEFI
land again!
- Make PE images more standards compliant
- Improve sandbox support
- Improve correctness
- Fix RISC-V execution on virt model
- Honor board defined top of ram (fixes a few boards)
- Imply DM USB access when distro boot is available
- Code cleanups
We add the support of the padding pss for rsa signature.
This new padding is often recommended instead of pkcs-1.5.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The rsa signature use a padding algorithm. By default, we use the
padding pkcs-1.5. In order to add some new padding algorithm, we
add a padding framework to manage several padding algorithm.
The choice of the padding is done in the file .its.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Previous implementation of the rsa signature was using
the openssl API EVP_Sign*, but the new openssl API
EVP_DigestSign* is more flexible. So we move to this
new API.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In this patch, helper functions for an load option variable (BootXXXX)
are added:
* efi_deserialize_load_option(): parse a string into load_option data
(renamed from parse_load_option and exported)
* efi_serialize_load_option(): convert load_option data into a string
Those functions will be used to implement efishell command.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
This is a preparatory patch for use in efi_serialize_load_option()
as a load option's file_path should have both a device path and
a file path.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
The UEFI spec mandates that runtime sections are 64kb aligned to enable
support for 64kb page size OSs.
This patch ensures that we extend the runtime section to 64kb to be spec
compliant.
Signed-off-by: Alexander Graf <agraf@suse.de>
The variable name setup_ok might suggest a boolean with true indicating
OK. Let's avoid the misleading name.
%s/setup_ok/setup_status/g
Suggested-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
We should not call eth_rx() before the network interface is initialized.
The services of the simple network protocol should check the state of
the network adapter.
Add and correct comments.
Without this patch i.mx6 system Wandboard Quad rev B1 fails to execute
bootefi selftest.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Calling net_send_packet() requires that the buffer is aligned to a multiple
of PKTALIGN (= ARCH_DMA_MINALIGN). The UEFI spec does not require
efi_net_transmit() to be called with a buffer with any special alignment.
So we have to copy to an aligned buffer. The current coding copies to an
aligned buffer only if CONFIG_EFI_LOADER_BOUNCE_BUFFER=y. Many boards
like the Odroid C2 do not use a bounce buffer.
With the patch we copy to a correctly aligned buffer in all cases.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
To use the simple network protocol we have to call the start service first
and the initialize service second.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Check that the memory area containing the device tree is marked as runtime
data.
Update the Python test to pass ${fdtcontroladdr} to bootefi.
Update the description of the Python test.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
The sandbox uses a virtual address space that is neither the physical nor
the virtual address space of the operating system. All address used on the
command line live in this address space. So also the environment variable
${fdtcontroladdr} has to be in this address space.
Commands like bootefi and booti receive the fdt address as parameter.
Without the patch ${fdtcontroladdr} cannot be used as parameter value on
the sandbox.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
When allocating EFI memory pages the size in bytes has to be converted to
pages.
Provide a macro efi_size_in_pages() for this conversion.
Use it in the EFI subsystem and correct related comments.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Enable building the sandbox with CONFIG_EFI_SELFTEST.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
This unit test checks the following runtime services:
AllocatePages, FreePages, GetMemoryMap
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Do not use the sandbox's virtual address space for the internal structures
of the memory map. This way we can eliminate a whole lot of unnecessary
conversions.
The only conversion remaining is the one when adding known memory.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
On some systems, not all RAM may be usable within U-Boot. Maybe the
memory maps are incomplete, maybe it's used as workaround for broken
DMA. But whatever the reason may be, a platform can say that it does
not wish to have its RAM accessed above a certain address by defining
board_get_usable_ram_top().
In the efi_loader world, we ignored that hint, mostly because very few
boards actually have real restrictions around this.
So let's honor the board's wish to not access high addresses during
boot time. The best way to do so is by indicating the respective pages
as "allocated by firmware". That way, Operating Systems will still
use the pages after boot, but before boot no allocation will use them.
Reported-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Stephen Warren <swarren@nvidia.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Tested-by: Baruch Siach <baruch@tkos.co.il>
We should use a logical or when combining logical values.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
At present this code casts addresses to pointers so cannot be used with
sandbox. Update it to use mapmem instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
This reverts commit 3170db63c4.
It reportedly breaks OpenBSD/armv7 booting and I've already received
complaints from people that it breaks some Linux armv7 systems as well.
We'll have to give this whole caching story a good bit more thought.
Reported-by: Jonathan Gray <jsg@jsg.id.au>
Signed-off-by: Alexander Graf <agraf@suse.de>
We should be consistent in the types that we use to store Unicode strings.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
If a memory bank is not EFI_PAGE_SIZE aligned efi_add_known_memory() the
number of memory pages may be incorrectly calculated.
We have to round up the start address and to round down the end address
to determine which complete pages are provided by the memory bank.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Using %zu for efi_intn_t (ssize_t) creates a build warning. Anyway %zu is
not supported by efi_st_error(). So let's convert to int.
Our implementation of StriColl() only returns -1, 0, or 1.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
When the max_addr parameter of efi_find_free_memory() is within bounds
of an existing map and fits the reservation, we just return that address
as allocation value.
That breaks however if max_addr is not page aligned. So ensure that it
always comes to us page aligned, simplifying the allocation logic.
Without this, I've seen breakage where we were allocating pages at -1U
(32bit) which fits into a region that spans beyond 0x100000000. In that
case, we would return 0xffffffff as a valid memory allocation, although
we usually do guarantee they are all page aligned.
Fix this by aligning the max address argument always.
Signed-off-by: Alexander Graf <agraf@suse.de>
With RELA absolute relocations, the relocation target contains our link
offset which we need to remove from the equation again. We did this
properly in the relative relocation path, but not in the absolute one.
So let's do this for the absolute one as well. That way, u-boot can have
a TEXT_OFFSET of != 0 and still relocate itself properly.
This fixes a bug where efi_loader did not work on the RISC-V QEMU port.
With this patch, I can successfully run UEFI applications on the RISC-V
QEMU port.
Reported-by: Auer, Lukas <lukas.auer@aisec.fraunhofer.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
Linker generated arrays may be stored in code sections of memory that are
not writable. So let's allocate setup_ok as an array at runtime.
This avoids an illegal memory access observed in the sandbox.
Reported-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Factor out efi_set_bootdev() and extract efi_dp_from_name().
This function will be used to set a boot device in efishell command.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
If UninstallMultipleProtocolInterfaces fails, we sometimes return the wrong
status code. The UEFI spec mandates to always return EFI_INVALID_PARAMETER.
Update unit test.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
The UEFI spec defines that a line feed moves the cursor to the next line
and (only) a carriage return moves the cursor to the beginning of the line.
So we should issue CR LF when we want to get to the start of the next line.
Add some comments.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Rename the component parent of some EFI objects to header. This avoids
misunderstandings.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
A pointer to a struct efi_object is a handle. We do not need any handle
member in this structure. Let's eliminate it.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
All our handles point to a struct efi_object. So let's define the
efi_handle_t accordingly. This helps us to discover coding errors much
more easily. This becomes evident by the corrections to the usage of
handles in this patch.
Rename variable image_handle to image_obj where applicable.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
fix typos
correct the header comment of efi_selftest_variables.c
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
When the last protocol interface has been uninstalled remove the handle.
Adjust ReinstallProtocol so that it does not remove the handle.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Allow an EFI application to shut down the system.
If EFI_RESET_SHUTDOWN is issued call do_poweroff().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Test the handling of execptions by trying to execute an undefined
instruction. For 32bit ARM we expect \selftest to be listed as loaded
image.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
We should not make anything in lib/efi_selftest if
CONFIG_CMD_BOOTEFI_SELFTEST is not defined.
We can make that test in lib/Makefile
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
At present many TPM calls assume there is only one TPM in the system and
look up this TPM themselves. This is inconsistent with driver model, which
expects all driver methods to have a device parameter. Update the code to
correct this.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present these functions are not accessible outside the TPM library, but
in some cases we need to call them. Export them in the header file and add
a define for the SHA1 digest size.
Also adjust tpm_open() to call tpm_close() first so that the TPM is in a
known state before opening (e.g. by a previous phase of U-Boot).
Signed-off-by: Simon Glass <sjg@chromium.org>
In some cases U-Boot is compressed and it is useful to be able to
decompress it in SPL. Add a Kconfig and Makefile change to allow this.
Note that this does not actually implement decompression.
Signed-off-by: Simon Glass <sjg@chromium.org>
When U-Boot proper is compiled with CONFIG_MULTI_DTB_FIT and tries
to call uncompress_blob(), it fails with -ENOTSUPP. This is because
the full implementation of this function which includes compression
is available only in SPL. In U-Boot proper or if the compression is
not enabled, the blob is not compressed and thus can be passed to
locate_dtb_in_fit() in fdtdec_setup() without any changes. Pass the
blob without any changes if compression is not enabled instead of
failing.
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Cc: Michal Simek <michal.simek@xilinx.com>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
A specially crafted FIT image makes it possible to overflow the stack
with controlled values when using the verified boot feature. Depending
on the memory layout, this could be used to overwrite configuration
variables on the heap and setting them to 0, e.g. disable signature
verification, thus bypassing it.
This change fixes a bug in fdt_find_regions where the fdt structure is
parsed. A lower value than -1 of depth can lead to a buffer underflow
write on the stack.
Signed-off-by: Konrad Beckmann <konrad.beckmann@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When a driver declares DM_FLAG_PRE_RELOC flag, it wishes to be
bound before relocation. However due to a bug in the DM core,
the flag only takes effect when devices are statically declared
via U_BOOT_DEVICE(). This bug has been fixed recently by commit
"dm: core: Respect drivers with the DM_FLAG_PRE_RELOC flag in
lists_bind_fdt()", but with the fix, it has a side effect that
all existing drivers that declared DM_FLAG_PRE_RELOC flag will
be bound before relocation now. This may expose potential boot
failure on some boards due to insufficient memory during the
pre-relocation stage.
To mitigate this potential impact, the following changes are
implemented:
- Remove DM_FLAG_PRE_RELOC flag in the driver, if the driver
only supports configuration from device tree (OF_CONTROL)
- Keep DM_FLAG_PRE_RELOC flag in the driver only if the device
is statically declared via U_BOOT_DEVICE()
- Surround DM_FLAG_PRE_RELOC flag with OF_CONTROL check, for
drivers that support both statically declared devices and
configuration from device tree
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Introduce a new Kconfig option for architecture codes to control
whether it provides io{read,write}{8,16,32} I/O accessor functions.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
part_init() is currently called in every DM BLK driver, either
in its bind() or probe() method. However we can use the BLK
uclass driver's post_probe() method to do it automatically.
Update all DM BLK drivers to adopt this change.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Currently the efi block driver uses priv_auto_alloc_size for the
driver data, however that's only available after the device probe
phase. In order to make it accessible in an earlier phase, switch
to use platdata_auto_alloc_size instead.
This patch is the prerequisite for the follow up patch of DM BLK
driver changes to work with EFI loader.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
We may have, the not yet considered, scenario where OPTEE is loaded before
u-boot and *not* by u-boot, e.g, the boot flow using the ARM Trusted
Firmware (ATF), where in the 32bit flow is:
BootRom->ATF(BL2)->Optee(BL32)->u-boot(BL33)
In this case we need still to reserve the memory used by optee, to avoid
for example to realocate ourself to the same address at the end of DRAM.
So, we change here the dependencies on the OPTEE lib and we set the default
size and base of TZRAM to zero.
Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Ryan Harkin <ryan.harkin@linaro.org>
Cc: u-boot@lists.denx.de
Remove a superfluous statement in efi_dp_get_next_instance().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
When the last protocol interface is uninstalled the handle is deleted but
this does not set the value of the handle to NULL.
To create a new handle with OpenProtocolInterface the value of the handle
must be NULL.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
As observed with clang:
lib/efi_loader/efi_boottime.c:1624:7: warning: variable 'info'
is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
if (ret != EFI_SUCCESS)
^~~~~~~~~~~~~~~~~~
lib/efi_loader/efi_boottime.c:1653:7: note: uninitialized use
occurs here
free(info);
^~~~
lib/efi_loader/efi_boottime.c:1624:3: note: remove the 'if' if
its condition is always false
if (ret != EFI_SUCCESS)
^~~~~~~~~~~~~~~~~~~~~~~
lib/efi_loader/efi_boottime.c:1602:31: note: initialize the
variable 'info' to silence this warning
struct efi_loaded_image *info;
^
= NULL
Rather than change how we unwind the function it makes the most sense to
initialize info to NULL so that we can continue to pass it to free().
Fixes: c982874e93 ("efi_loader: refactor efi_setup_loaded_image()")
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Do not leak native_name if out of memory.
This addresses CoverityScan CID 184095.
Reported-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
When is_dir() is called we have already execute set_blk_dev(fh).
So don't call it again.
This fixes CoverityScan CID 184093.
Reported-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Use a return type that can encompass the return value.
This fixes CoverityScan CID 184090.
Reported-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
getc() might return an error code. Avoid an incorrect converison to
Unicode.
This addresses CoverityScan CID 184087.
Reported-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
The first parameter of efi_allocate_pool is a memory type. It cannot be
EFI_ALLOCATE_ANY_PAGES. Use EFI_BOOT_SERVICES_DATA instead.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
The UEFI spec requires that file positions are passed as u64 in
GetPosition() and SetPosition().
Check if the file handle points to a directory in GetPosition().
Provide a unit test for GetPosition() and SetPosition().
Fix Coverity warning CID 184079 (CONSTANT_EXPRESSION_RESULT).
Add comments.
Fixes: b6dd577737 ("efi_loader: use correct types in EFI_FILE_PROTOCOL")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
Currently the relocation of the EFI runtime on x86_64 fails. This renders
the EFI subsystem unusable. The ELF relocation records for x86_64 contain
an addend field.
Always write the function name into error messages related to the EFI
runtime relocation.
Break an excessively long line.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
This reverts commit c35a7d375e.
This commit is breaking SPL on zc706.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Patrice Chotard <patrice.chotard@st.com> [on STM32F746-disco]
These are needed for the 2018 version of Chromium OS vboot. Add an
implementation for TPM v1, with v2 to come later.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present this file uses logging but it should use the new macros. Update
it and add a log message for an error.
Signed-off-by: Simon Glass <sjg@chromium.org>
In some cases (e.g. sandbox with verified boot) it is useful to support
libfdt in TPL. Update the Kconfig to handle this.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present this option applies to SPL, but it should be available in TPL
also, and separately. Change to using CONFIG_IS_ENABLED(), add a new
Kconfig option and fix up hang().
Signed-off-by: Simon Glass <sjg@chromium.org>
This is the PR for SPI-NAND changes along with few spi changes.
[trini: Re-sync changes for ls1012afrwy_qspi*_defconfig]
Signed-off-by: Tom Rini <trini@konsulko.com>
Converts fdtdec_setup_memory_banksize() to use ofnode functions instead.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Create the handle of loaded images and the EFI_LOADED_IMAGE_PROTOCOL
inside efi_setup_loaded_image(). Do not use local variables.
Currently we expect the loaded image handle to point to the loaded image
protocol. Additionally we have appended private fields to the protocol.
With the patch the handle points to a loaded image object and the private
fields are added here. This matches how we handle the net and the gop
object.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Alexander Graf <agraf@suse.de>
The EFI selftest does not succeed on Sandbox yet. The network support
seems to need some love to actually make our current tests succeed.
So let's disable running the selftest on sandbox for now until "make
tests" just works. Then we can have more amazing CI than ever.
Signed-off-by: Alexander Graf <agraf@suse.de>
