Commit Graph

5567 Commits

Author SHA1 Message Date
Tom Rini
22fc991daf Prepare v2021.04-rc4
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEEGjx/cOCPqxcHgJu/FHw5/5Y0tywFAmBPhiUACgkQFHw5/5Y0
 tywChgv/RYpdSKrD5s4kCJnImfOwDznESj/CqAQK3Au5zviq7qXRrgxyTKv2e1wM
 W51vUBd0cE1YTACXqbr92wSSyqoTthLqd57KQgVele5uC2dvkqVTSvjPOUwtyIbQ
 BTPkoQnHPn30AILRdPjpEdBGfZhJDDtJFdQopn6h4GjEjPKVH8Wx1Dd+V6SD5f20
 WiksUjgdjMr1AmORY+LdwwJO8FZrGGPYgs8CDtiqxmCSwh3d7kUFFTT+G23BZdo7
 M+81+1uIUaW2Bolds7ZTPrrjr8bPwkWoTqNYhUB4bNPLp72gwnjM1rtU1X3hyiJM
 MdxSBimLHUOYPihfeSYCHSUrJaQFAAEFkuzWfZN1fgoswKEZQIVVVTzT/TomTyqf
 1DIXD+0HpXGKgVLW/Nkpl4D+UFjR865XI4kiuDxddjKI7bGbvDlbZ/k3PNelD7op
 umUswHnC3OTSw/g+A9VH/zf1rMFNLfu++vD7XJtdoWlcsl6x6/6Fh75tuC6K/X0K
 caPmehD3
 =ENym
 -----END PGP SIGNATURE-----

Merge tag 'v2021.04-rc4' into next

Prepare v2021.04-rc4
2021-03-15 12:15:38 -04:00
Jorge Ramirez-Ortiz
166363f2ed common: SCP03 control (enable and provision of keys)
This Trusted Application allows enabling SCP03 as well as provisioning
the keys on TEE controlled secure element (ie, NXP SE050).

All the information flowing on buses (ie I2C) between the processor
and the secure element must be encrypted. Secure elements are
pre-provisioned with a set of keys known to the user so that the
secure channel protocol (encryption) can be enforced on the first
boot. This situation is however unsafe since the keys are publically
available.

For example, in the case of the NXP SE050, these keys would be
available in the OP-TEE source tree [2] and of course in the
documentation corresponding to the part.

To address that, users are required to rotate/provision those keys
(ie, generate new keys and write them in the secure element's
persistent memory).

For information on SCP03, check the Global Platform HomePage and
google for that term [1]
[1] globalplatform.org
[2] https://github.com/OP-TEE/optee_os/
    check:
    core/drivers/crypto/se050/adaptors/utils/scp_config.c

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-03-13 13:14:52 -05:00
Simon Glass
9ad7a6c25c log: Handle line continuation
When multiple log() calls are used which don't end in newline, the
log prefix is prepended multiple times in the same line. This makes the
output look strange.

Fix this by detecting when the previous log record did not end in newline.
In that case, setting a flag.

Drop the unused BUFFSIZE in the test while we are here.

As an example implementation, update log_console to check the flag and
produce the expected output.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-12 17:41:35 -05:00
Simon Glass
79d5983b61 log: Set up a flag byte for log records
At present only a single flag (force_debug) is used in log records. Before
adding more, convert this into a bitfield, so more can be added without
using more space.

To avoid expanding the log_record struct itself (which some drivers may
wish to store in memory) reduce the line-number field to 16 bits. This
provides for up to 64K lines which should be enough for anyone.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-12 17:41:35 -05:00
Simon Glass
891d9e84a7 spl: Convert spl_fit to work with sandbox
At present this casts addresses to pointers so cannot work with sandbox.
Update the code to use map_sysmem() instead.

As part of this change, the existing load_ptr is renamed to src_ptr since
it is not a pointer to load_addr. It is confusing to use a similar name
for something that is not actually related. For the alignment code,
ALIGN() is used instead of open-coded alignment. Add a comment to the line
that casts away a const.

Use a (new) load_ptr variable to access memory at address load_addr.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-12 09:57:31 -05:00
Siew Chin Lim
1bc20897c1 arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)
Vendor Authorized Boot is a security feature for authenticating
the images such as U-Boot, ARM trusted Firmware, Linux kernel,
device tree blob and etc loaded from FIT. After those images are
loaded from FIT, the VAB certificate and signature block appended
at the end of each image are sent to Secure Device Manager (SDM)
for authentication. U-Boot will validate the SHA384 of the image
against the SHA384 hash stored in the VAB certificate before
sending the image to SDM for authentication.

Signed-off-by: Siew Chin Lim <elly.siew.chin.lim@intel.com>
Reviewed-by: Ley Foon Tan <ley.foon.tan@intel.com>
2021-03-08 10:59:10 +08:00
Bin Meng
a43b598cc1 common: Move initr_addr_map() to a bit earlier
At present initr_addr_map() is put at a late stage in the
init_sequence_r[] calls. This won't work because lot of
device driver initialization (e.g.: serial port) happens
before it but is lack of the address translation support.

This moves the call to a bit earlier, right after the DM
initialization.

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2021-03-05 10:25:43 +05:30
Bin Meng
a932aa3c69 common: fdt_support: Support special case of PCI address in fdt_read_prop()
At present fdt_read_prop() can only handle 1 or 2 cells. It is
called by fdt_read_range() which may be used to read PCI address
from <ranges> for a PCI bus node where the number of PCI address
cell is 3. The <ranges> property is an array of:

  { <child address> <parent address> <size in child address space> }

When trying to read <child address> from a PCI bus node using
fdt_read_prop(), as the codes below:

    /* Read <child address> */
    if (child_addr) {
        r = fdt_read_prop(ranges, ranges_len, cell, child_addr,
                          acells);
        if (r)
            return r;
    }

it will fail, because the PCI child address is made up of 3 cells
but fdt_read_prop() cannot handle it. We advance the cell offset
by 1 so that the <child address> can be correctly read.

This adds the special handling of such case.

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2021-03-05 10:25:42 +05:30
Simon Glass
939b04e9cf bootstage: Fix dependency for BOOTSTAGE_RECORD_COUNT
At present these three Kconfigs exist even when bootstage is not enabled.
This is not necessary since bootstage.c is only built if BOOTSTAGE is
enabled.

Make them conditional. Also fix up the overflow message to mention TPL.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-03 19:17:25 -07:00
Simon Glass
185756ec0f bootm: Fix duplicate debugging in bootm_process_cmdline()
These two returns use the same string so are not distinguishable with
LOG_ERROR_RETURN. Fix it.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-02 15:53:37 -05:00
Simon Glass
1a9e75bd5d spl: Drop duplicate 'Jumping to U-Boot' message
This is printed twice but we only need one message, since there is very
little processing in between them. Drop the second one, since all branches
of the switch() already have output. Update the U-Boot message to include
the phase being jumped to.

Signed-off-by: Simon Glass <sjg@chromium.org>
2021-03-02 15:53:37 -05:00
Frieder Schrempf
3bbe1a7faf Respect that some compression algos can be enabled separately for SPL
Some compression algorithms currently can be enabled for SPL and
U-Boot proper separately. Therefore take into account USE_HOSTCC
is well as CONFIG_IS_ENABLED() in these cases to prevent compiling these
functions in case of a host tool build.

Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
2021-03-01 10:21:36 +01:00
Stefan Brüns
ba0b984bb0 usb: kbd: Also accept keyboards with Interrupt OUT endpoint
The OUT endpoint can just be ignored as it is not used, just as the
corresponding Set_Report request for IN-only interfaces. E.g. the
Linux gadget hid keyboard also provides an interrupt endpoint.

Also cleanup confusing debug messages like "found set protocol", which
is printed when a keyboard device is found, while the Set_Protocol request
is issued quite some time later.

Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
2021-02-26 15:30:55 +01:00
Klaus Heinrich Kiwi
bdb7f2632b Kconfig: SPL_FIT_SIGNATURE requires SPL_LOAD_FIT
Having the ability to support firmware FIT signatures on the SPL sounds
not so useful if the SPL is not supporting to load a (U-boot) firmware
as a FIT image.

Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
2021-02-24 16:51:48 -05:00
Klaus Heinrich Kiwi
6ce28132b8 Kconfig: SPL_FIT_SIGNATURE selects FIT_SIGNATURE
Selecting SPL_FIT_SIGNATURE (without selecting U-boot proper
verified boot first) breaks the build due to
CONFIG_FIT_SIGNATURE_MAX_SIZE being undefined, in addition to Kconfig
warnings on RSA and IMAGE_SIGN_INFO unmet dependencies.

Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
2021-02-24 16:51:48 -05:00
Wasim Khan
402558b1fe cmd: fdt: skip board specific fixup using env variable
Sometimes it is useful to boot OS with already fixed-up
device tree. Check for env variable 'skip_board_fixup'
before calling ft_board_setup().
Current behaviour is unchanged, additionally user can
set skip_board_fixup to 1 to skip the fixup.

Signed-off-by: Wasim Khan <wasim.khan@nxp.com>
2021-02-24 16:51:48 -05:00
Tom Rini
a3ddc776fa - splash_source warning fix when building with 64-bit toolchains
- lq123p1jx31 and nv101wxmn51 compatible in simple panel driver
  - remove not used mb862xx driver
  - add Himax HX8238D panel driver
  - s/video_uc_platdata/video_uc_plat/
 -----BEGIN PGP SIGNATURE-----
 
 iGwEABECACwWIQSC4hxrSoIUVfFO0kRM6ATMmsalXAUCYDOevA4cYWd1c3RAZGVu
 eC5kZQAKCRBM6ATMmsalXNaAAJ0RUysoiZFAddxyrW7otwe+xxmdTACbBcVXCPuX
 W41gJtQyftU4rMGbMoo=
 =iAX1
 -----END PGP SIGNATURE-----

Merge tag 'video-for-v2021.04-rc3' of https://gitlab.denx.de/u-boot/custodians/u-boot-video

 - splash_source warning fix when building with 64-bit toolchains
 - lq123p1jx31 and nv101wxmn51 compatible in simple panel driver
 - remove not used mb862xx driver
 - add Himax HX8238D panel driver
 - s/video_uc_platdata/video_uc_plat/
2021-02-22 09:11:27 -05:00
Andre Przywara
e036a1d227 fdt/sunxi: Remove OF_STDOUT_PATH
OF_STDOUT_PATH was meant to hold the devicetree path to the serial
console, to be put into the linux,stdout-path property of the chosen node.

The only user of that was sunxi, and it was actually wrong for years
there: the paths hardcoded in sunxi_common.h were not matching the DTs,
evident by the leading 0's in nodenames, which have been removed years
ago.

On top of that, "linux,stdout-path" is now deprecated for a while (Linux
commit 2a9d832cc9aae from November 2014), and also all modern DTs
(including those included in U-Boot) carry a "stdout-path" property
already.

So remove the stanza from sunxi_common.h, and, since this was the last
user, also remove the associated bits from the rest of U-Boot.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-19 23:29:47 +00:00
Jaehoon Chung
a0b74acb9b common: splash_source: fix -Wint-to-pointer-cast warning
Fix -Wint-to-pointer-cast warning

common/splash_source.c: In function 'splash_load_raw':
common/splash_source.c💯12: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
  100 |  bmp_hdr = (struct bmp_header *)bmp_load_addr;
      |            ^
common/splash_source.c: In function 'splash_sf_read_raw':
common/splash_source.c:39:47: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
   39 |  return spi_flash_read(sf, offset, read_size, (void *)bmp_load_addr);
      |                                               ^

Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-19 22:17:10 +01:00
Tom Rini
766927a759 Merge branch '2021-02-18-SPL-FIT-OP-TEE-Linux-improvements'
- Improve interactions between SPL / OP-TEE and Linux in FIT images
2021-02-18 12:02:11 -05:00
Nicolas Saenz Julienne
51bdb50904 dm: Introduce xxx_get_dma_range()
Add the following functions to get a specific device's DMA ranges:
 - dev_get_dma_range()
 - ofnode_get_dma_range()
 - of_get_dma_range()
 - fdt_get_dma_range()
They are specially useful in oder to be able validate a physical address
space range into a bus's and to convert addresses from and to address
spaces.

Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Peter Robinson <pbrobinson@gmail.com>
Signed-off-by: Matthias Brugger <mbrugger@suse.com>
2021-02-18 11:56:25 +01:00
Alexandru Gagniuc
71551055cb spl: fit: Load devicetree when a Linux payload is found
When a FIT config specifies a devicetree, we should load it, no
questions asked. In the case of the "simple" FIT loading path, a
difficulty arises in selecting the load address of the FDT.

The default FDT location is right after the "kernel" or "firmware"
image. However, if that is an OP-TEE image, then the FDT may end up in
secure DRAM, and not be accessible to normal world kernels.

Although the best solution is to be more careful about the FDT
address, a viable workaround is to only append the FDT after a u-boot
or Linux image. This is identical to the previous logic, except that
FDT loading is extended to IH_OS_LINUX images.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2021-02-17 19:46:43 -05:00
Alexandru Gagniuc
aeedeae407 spl: fit: Replace #ifdef blocks with more readable constructs
Use the IS_ENABLED() macro to control code flow, instead of the
caveman approach of sprinkling #ifdefs. Code size is not affected, as
the linker garbage-collects unused functions. However, readability is
improved significantly.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-17 19:46:43 -05:00
Alexandru Gagniuc
9e9aa0b473 spl: fit: Only look up FIT configuration node once
The configuration node a sub node under "/configurations", which
describes the components to load from "/images". We only need to
locate this node once.

However, for each component, spl_fit_get_image_name() would parse the
FIT image, looking for the correct node. Such work duplication is not
necessary. Instead, once the node is found, cache it, and re-use it.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-17 19:46:43 -05:00
Alexandru Gagniuc
e4928270a4 spl: fit: Remove useless loop in spl_fit_get_image_name()
When a desired configuration is not found, conf_node will have a
negative value. Thus the for loop will start at the root "/" node of
the image, print the "/description" property, and stop.

It appears the intent of the loop was to print the names of the
subnodes under "/configurations". We would need the offset to the
"/configurations" node, which is abstracted by fit_find_config_node().

This change agrees that abstracting the node offset is the correct
design, and we shouldn't be parsing the configurations manually. Thus
the loop in spl_fit_get_image_name() is useless. Remove it.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-17 19:46:43 -05:00
Alexandru Gagniuc
3dc2079733 spl: fit: Pass FIT context via a structure pointer
Several loose arguments describe the FIT image. They are thus related,
and it makes sense to pass them together, in a structure. Examples
include the FIT blob pointer, offset to FDT nodes, and the offset to
external data.

Use a spl_fit_info structure to group these parameters.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-17 19:46:42 -05:00
Alexandru Gagniuc
917fa369f6 spl: fit: Factor out FIT parsing and use a context struct
The logical steps in spl_load_simple_fit() are difficult to follow.
I think the long comments, ifdefs, and ungodly number of variables
seriously affect the readability. In particular, it violates section 6
of the coding style, paragraphs (3), and (4).

The purpose of this patch is to improve the situation by
  - Factoring out initialization and parsing to separate functions
  - Reduce the number of variables by using a context structure
This change introduces no functional changes.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-17 17:12:45 -05:00
Alexandru Gagniuc
efc4ad0bc7 spl: fit: Drop 'length' argument to board_spl_fit_post_load()
The size is derived from the FIT image itself. Any alignment
requirements are machine-specific and known by the board code. Thus
the total length can be derived from the FIT image and knowledge of
the platform. The 'length' argument is redundant. Remove it.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
CC: Matt Porter <mporter@konsulko.com>
2021-02-17 17:12:45 -05:00
Andy Shevchenko
eb5fd9e46c usb: kbd: destroy device after console is stopped
In case of IOMUX enabled it assumes that console devices in the list
are available to get them stopped properly via ->stop() callback.
However, the USB keyboard driver violates this assumption and tries
to play tricks so the device get destroyed while being listed as
an active console.

Swap the order of device deregistration and IOMUX update along with
converting to use iomux_replace_device() jelper to avoid the use-after-free.

Fixes: 3cbcb28928 ("usb: Fix usb_kbd_deregister when console-muxing is used")
Fixes: 8a83487030 ("dm: usb: Add a remove() method for USB keyboards")
Reported-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:08 -05:00
Andy Shevchenko
694cd5618c IOMUX: Introduce iomux_replace_device()
Some console devices may appear or disappear at run time. In order to
support such a hotplug mechanism introduce a new iomux_replace_device()
helper to update the list of devices without altering environment.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:08 -05:00
Andy Shevchenko
400797cad3 IOMUX: Split out for_each_console_dev() helper macro
It is not only less lines of code, but also better readability
when new macro is being in use. Introduce for_each_console_dev()
helper macro and convert current users to it.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:08 -05:00
Andy Shevchenko
b672c1619b IOMUX: Split out iomux_match_device() helper
Deduplicate the code used in a few places by splitting out a common helper.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:08 -05:00
Andy Shevchenko
658d6c5836 IOMUX: Switch to use stdio_file_to_flags()
Deduplicate code by replacing with stdio_file_to_flags() helper.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:08 -05:00
Andy Shevchenko
09d8f07762 console: Set file and devices at one go
Logical continuation of the change that brought console_devices_set() is
to unify console_setfile() with it and replace in the callers.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:07 -05:00
Andy Shevchenko
20a7d35148 console: Set console device counter in console_devices_set()
console_devices_set() missed the console device counter to be set correctly.

Fixes: 45375adc97 ("console: add function console_devices_set")
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:07 -05:00
Andy Shevchenko
7b9ca3f89c console: Switch to use stdio_file_to_flags()
Deduplicate code by replacing with stdio_file_to_flags() helper.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:07 -05:00
Andy Shevchenko
d9b0ac90ba stdio: Introduce a new helper stdio_file_to_flags()
Let's deduplicate existing copies by splitting off to a new helper.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:07 -05:00
Andy Shevchenko
99cb2b996b stdio: Split out nulldev_register() and move it under #if
It's possible that NULLDEV can be disabled while it makes leftovers,
move entire device under #if.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:07 -05:00
Andy Shevchenko
c090e8f236 stdio: Get rid of dead code, i.e. stdio_deregister()
Nobody is using stdio_deregister(), remove for good.

Note, even its parameters are not consistent with stdio_register().
So, if anyone want to introduce this again, better with some consistency.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
2021-02-16 11:16:07 -05:00
Simon Glass
3f04db891a image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for this
and disallow it.

CVE-2021-27138

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
2021-02-15 22:31:54 -05:00
Simon Glass
6f3c2d8aa5 image: Add an option to do a full check of the FIT
Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.

Enable this by default if signature verification is enabled.

CVE-2021-27097

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
2021-02-15 22:31:53 -05:00
Simon Glass
c5819701a3 image: Adjust the workings of fit_check_format()
At present this function does not accept a size for the FIT. This means
that it must be read from the FIT itself, introducing potential security
risk. Update the function to include a size parameter, which can be
invalid, in which case fit_check_format() calculates it.

For now no callers pass the size, but this can be updated later.

Also adjust the return value to an error code so that all the different
types of problems can be distinguished by the user.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
2021-02-15 22:31:52 -05:00
Simon Glass
79af75f777 fit: Don't allow verification of images with @ nodes
When searching for a node called 'fred', any unit address appended to the
name is ignored by libfdt, meaning that 'fred' can match 'fred@1'. This
means that we cannot be sure that the node originally intended is the one
that is used.

Disallow use of nodes with unit addresses.

Update the forge test also, since it uses @ addresses.

CVE-2021-27138

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
2021-02-15 19:17:25 -05:00
Simon Glass
8a7d4cf982 fdt_region: Check for a single root node of the correct name
At present fdt_find_regions() assumes that the FIT is a valid devicetree.
If the FIT has two root nodes this is currently not detected in this
function, nor does libfdt's fdt_check_full() notice. Also it is possible
for the root node to have a name even though it should not.

Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is
detected.

CVE-2021-27097

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
2021-02-15 19:17:18 -05:00
Simon Glass
401d1c4f5d common: Drop asm/global_data.h from common header
Move this out of the common header and include it only where needed.  In
a number of cases this requires adding "struct udevice;" to avoid adding
another large header or in other cases replacing / adding missing header
files that had been pulled in, very indirectly.   Finally, we have a few
cases where we did not need to include <asm/global_data.h> at all, so
remove that include.

Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
2021-02-02 15:33:42 -05:00
Ravik Hasija
7a01882eb3 common: Kconfig.boot: Add FIT_PRINT config option
Config allows to disable printing contents of fitImage to optimize boottime.

Signed-off-by: Ravik Hasija <rahasij@linux.microsoft.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-01 16:32:06 -05:00
Simon Glass
86c372af1a x86: spl: Add a function to find the text base
It is useful to know the TEXT_BASE value for the image being loaded in
TPL/SPL. Add a new spl_get_image_text_base() function to handle this.

Make use of this in the x86 SPL handler, instead of having the logic
there.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2021-02-01 15:11:41 +08:00
Marek Szyprowski
9129f2f164 dfu: add support for the dfu_alt_info reintialization from the flashed script
Reinitialize DFU USB gadget after flashing the 'SCRIPT' entity to ensure
that the potential changes to the 'dfu_alt_info' environment variable are
applied.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
[lukma - I've moved the bool retry to avoid build (CI) errors]
2021-01-31 14:08:56 +01:00
Heinrich Schuchardt
9c3808deba avb: AVB_VERIFY depends on MMC
AVB Verified Boot uses functions related to MMC.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Igor Opaniuk <igor.opaniuk@foundries.io>
2021-01-29 10:36:48 -05:00
Yuezhang.Mo@sony.com
e088f0c3d8 autoboot: fix illegal memory access when stop key and delay key are empty
If both stop key and delay key are empty, the length of these
keys is 0. The subtraction operation will cause the u_int type
variable to overflow, will cause illegal memory access in key
input loop.

This commit fixes this bug by using int type instead of u_init.
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2021-01-27 17:07:48 -05:00