As discussed previously [1,2], the source command is not safe to use with
verified boot unless there is a key with required = "images" (which has its
own problems). This is because if such a key is absent, signatures are
verified but not required. It is assumed that configuration nodes will
provide the signature. Because the source command does not use
configurations to determine the image to source, effectively no
verification takes place.
To address this, allow specifying configuration nodes. We use the same
syntax as the bootm command (helpfully provided for us by fit_parse_conf).
By default, we first try the default config and then the default image. To
force using a config, # must be present in the command (e.g. `source
$loadaddr#my-conf`). For convenience, the config may be omitted, just like
the address may be (e.g. `source \#`). This also works for images
(`source :` behaves exactly like `source` currently does).
[1] https://lore.kernel.org/u-boot/7d711133-d513-5bcb-52f2-a9dbaa9eeded@prevas.dk/
[2] https://lore.kernel.org/u-boot/042dcb34-f85f-351e-1b0e-513f89005fdd@gmail.com/
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Two callers of image_source_script specify an image name. However, both
use the deprecated @ syntax, indicating that they have not been updated
in a while. If CONFIG_FIT_SIGNATURE is enabled, we will reject such
names outright. Back in commit 152576a598 ("stm32mp: stm32prog: handle
U-Boot script in flashlayout alternate"), we even renamed one of the
nodes. Instead of hard-coding a script image name, just use the default
image.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Perform simple renames of:
CONFIG_MXC_USB_FLAGS to CFG_MXC_USB_FLAGS
CONFIG_MXC_USB_PORT to CFG_MXC_USB_PORT
CONFIG_MXC_USB_PORTSC to CFG_MXC_USB_PORTSC
Signed-off-by: Tom Rini <trini@konsulko.com>
This define is not enabled by the only platform which currently enables
the legacy option of CONFIG_USB_DEVICE. We can drop this code.
Signed-off-by: Tom Rini <trini@konsulko.com>
As it's no longer possible to have !DM_USB set, we can remove these
dependencies.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Prevent access to arbitrary memory locations in gen_ndis_set_resp
via manipulation of buf->InformationBufferOffset. Original
implementation permits manipulation of InformationBufferOffset to
exploit OID_GEN_CURRENT_PACKET_FILTER to set arbitrary memory contents
within a 32byte offset as the devices packet filter. The packet filter
value may be next retrieved using gen_ndis_query_resp so it is possible
to extract specific memory regions two bytes a time.
The rndis_query_response was not modified as neither the buffer offset
nor length passed to gen_ndis_query_resp is used.
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Commit fbce985e28 to fix CVE-2022-2347
blocks DFU usb requests.
The verification of the transfer direction was done by an equality
but it is a bit mask.
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Reviewed-by: Fabio Estevam <festevam@denx.de>
Reviewed-by: Sultan Qasim Khan <sultan.qasimkhan@nccgroup.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Tested-by: Marek Vasut <marex@denx.de>
As DM_ETH is required for all network drivers, it's now safe to remove
the non-DM_ETH support code fro usb_ether itself.
Signed-off-by: Tom Rini <trini@konsulko.com>
The rest of the unmigrated CONFIG symbols in the CONFIG_SYS namespace do
not easily transition to Kconfig. In many cases they likely should come
from the device tree instead. Move these out of CONFIG namespace and in
to CFG namespace.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The rest of the unmigrated CONFIG symbols in the CONFIG_SYS_SDRAM
namespace do not easily transition to Kconfig. In many cases they likely
should come from the device tree instead. Move these out of CONFIG
namespace and in to CFG namespace.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Drop support for quickly deprecated DT property "snps,ref-clock-period-ns"
to prevent its proliferation.
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
GUCTL.REFCLKPER can only account for clock frequencies with integer
periods. To address this, program REFCLK_FLADJ with the relative error
caused by period truncation. The formula given in the register reference
has been rearranged to allow calculation based on rate (instead of
period), and to allow for fixed-point arithmetic.
Additionally, calculate a value for 240MHZDECR. This configures a
simulated 240Mhz clock using a counter with one fractional bit (PLS1).
This register is programmed only for versions >= 2.50a, since this is
the check also used by commit db2be4e9e30c ("usb: dwc3: Add frame length
adjustment quirk").
[ marek: Ported from Linux kernel commit
596c87856e08d ("usb: dwc3: Program GFLADJ") ]
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
Instead of using a special property to determine the reference clock
period, use the rate of the reference clock. When we have a legacy
snps,ref-clock-period-ns property and no reference clock, use it
instead. Fractional clocks are not currently supported, and will be
dealt with in the next commit.
[ marek: Ported from Linux kernel commit
5114c3ee24875 ("usb: dwc3: Calculate REFCLKPER based on reference clock") ]
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
Set reference clock period when it differs from dwc3 default hardware
set.
We could calculate clock period based on reference clock frequency. But
this information is not always available. This is the case of PCI bus
attached USB host. For that reason we use a custom property.
Tested (USB2 only) on IPQ6010 SoC based board with 24 MHz reference
clock while hardware default is 19.2 MHz.
[ baruch: rewrite commit message; drop GFLADJ code; remove 'quirk-' from
property name; mention tested hardware ]
[ marek: Ported from Linux kernel commit
7bee318838890 ("usb: dwc3: reference clock period configuration") ]
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Balaji Prakash J <bjagadee@codeaurora.org>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Marek Vasut <marex@denx.de> # Port from Linux
Cache ref_clk clock pointer in struct dwc3 . This is a preparatory
patch for subsequent backports from Linux kernel which configure
GFLADJ register content based on the ref_clk rate and therefore need
access to the ref_clk pointer.
It is possible to extract the clock pointer from existing clk_bulk
list of already claimed clock, no need to call clk_get*() again.
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
The "generic_bus_%x_dev_%x" string which is printed into this buffer
can be up to 34 characters long ("generic_bus_12345678_dev_12345678").
The buffer would be clipped by snprintf() if both %x were at maximum
range. Make sure the buffer is long enough to cover such possibility.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Invoking lseek() may result in an error. Handle it.
Addresses-Coverity-ID: 376212 ("Error handling issues (CHECKED_RETURN)")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
DFU implementation does not bound the length field in USB
DFU download setup packets, and it does not verify that
the transfer direction. Fixing the length and transfer
direction.
CVE-2022-2347
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
Reviewed-by: Marek Vasut <marex@denx.de>
Unlike the other 64-bit mvebu SoCs the AlleyCat5 uses the older ehci
block from the 32-bit SoCs. Adapt the ehci-marvell.c driver to cope with
the fact that the ac5 does not have the mbus infrastructure the 32-bit
SoCs have and ensure USB_EHCI_IS_TDI is selected.
Signed-off-by: Chris Packham <judge.packham@gmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
The struct is only used to overlay the MMIO region, so the behavior is
the same. This obsoletes the Kconfig option for the number of ports.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Add test coverage for blk_write() as well.
The blk_erase() is not tested for now as the USB stor interface does not
support erase.
Signed-off-by: Simon Glass <sjg@chromium.org>
The code checks the return value from uclass_first_device as well as
that the device exists but it passes on the return value which may be
zero if there are no gadget devices. Just check that a device was
returned and return -ENODEV otherwise.
Also remove the dev variable which is not really used for anything.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Fix typo that was caused by the same feature being split in to 2 different
configuration options. Replace CONFIG_USBNET_DEVADDR with
CONFIG_USBNET_DEV_ADDR
Signed-off-by: Ignacio Zamora <nachopitt@gmail.com>
When host issues "fastboot reboot fastboot", it's expected that the
board drops the USB connection before resetting.
On some boards, such as Khadas VIM3L and SEI610, this is not the case.
We observe the following error:
$ fastboot reboot fastboot
Rebooting into fastboot OKAY [ 0.004s]
fastboot: error: Failed to boot into userspace fastboot; one or more components might be unbootable.
This does not happen when we use the RST button on the board.
It can be reproduced in linux with:
# echo b > /proc/sysrq-trigger
In this case, we hit a undefined hardware behavior, where D+ and D-
are in an unknown state. Therefore the host can't detect usb
disconnection.
Make sure we always call usb_gadget_release() when a "fastboot reboot"
command is issued.
Note: usb_gadget_release() should be called before g_dnl_unregister()
because g_dnl_unregister() triggers a complete() call on each
endpoint (thus calling do_reset()).
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Remove unused ehci_{setup,shutdown}_phy() helpers now replaced by
generic_{setup,shutdown}_phy().
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Replace ehci_setup_phy() and ehci_shutdown_phy () by respectively
generic_setup_phy() and generic_shutdown_phy().
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Replace ohci_setup_phy() and ohci_shutdown_phy () by respectively
generic_setup_phy() and generic_shutdown_phy().
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Take the USB_ETHER ifdef block apart and make use of obj-$(VAR) instead
to include the source files in build. The duplicate CI_UDC entry is now
removed, the USB_DEVICE ifdef is now reduced to core.o ep.o addition,
the ether.o can be conditionally compiled in using USB_ETHER.
No functional change.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This is not needed and we should avoid typedefs. Use the struct instead
and rename it to indicate that it really is a legacy struct.
Signed-off-by: Simon Glass <sjg@chromium.org>
When processing USB_REQ_CLEAR_FEATURE, USB_REQ_SET_FEATURE, and
USB_REQ_GET_STATUS packets in dwc2_ep0_setup an out of bounds access
can occur. This is caused by the wIndex field of the usb control packet
being used as an index into an array whose size is DWC2_MAX_ENDPOINTS (4).
Signed-off-by: Alison Huffman <alisn@google.com>
Move this code out of the helper function so we can (later) add it as part
of the shared emulation code. Set a default value of 0 for buff_used since
that is what we use when there is an error.
Signed-off-by: Simon Glass <sjg@chromium.org>