Commit Graph

69741 Commits

Author SHA1 Message Date
Simon Glass
725e4fce61 dm: core: Drop unused parameter from dm_scan_fdt()
This doesn't need to be passed the devicetree anymore. Drop it.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:18 -07:00
Simon Glass
2ebea5eaeb dm: core: Combine the flattree and livetree binding code
At present there are two copies of this code. With ofnode we can combine
them to reduce duplication. Update the dm_scan_fdt_node() function and
adjust its callers.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:18 -07:00
Simon Glass
d0c20ce6bc dm: core: Add an ofnode function to get the devicetree root
This is needed in at least one place. Avoid the conditional code in root.c
by adding this inline function.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:18 -07:00
Simon Glass
e80be74934 dm: core: Drop device_bind_offset()
This function is not needed since the standard device_bind() can be used
instead. Drop it.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:18 -07:00
Simon Glass
0d56fba3c4 dm: core: Drop dev_set_of_offset()
This pre-livetree function is not needed anymore. Drop it.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:18 -07:00
Simon Glass
20da4e0231 dm: Drop uses of dev_set_of_offset()
The need for this can be avoided by passing the correct node to the
device_bind() function.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:18 -07:00
Simon Glass
a2703ce10c dm: Remove uses of device_bind_offset()
This function is not needed since the standard device_bind() can be used
instead.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:18 -07:00
Simon Glass
0de1b07406 dm: core: Add a livetree function to check node status
Add a way to find out if a node is enabled or not, based on its 'status'
property.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:18 -07:00
Simon Glass
734206dda1 dm: core: Rename device_bind_ofnode() to device_bind()
This is the standard function to use when binding devices. Drop the
'_ofnode' suffix to make this clear.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:18 -07:00
Simon Glass
e12052b322 dm: core: Rename device_bind() to device_bind_offset()
This function is not necessary anymore, since device_bind_ofnode() does
the same thing and works with both flattree and livetree.

Rename it to indicate that it is special.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Heinrich Schuchardt
6ca5ff3f20 test: unit test for exception command
Test that an exception SIGILL is answered by a reset on the sandbox if
CONFIG_SANDBOX_CRASH_RESET=y or by exiting to the OS otherwise.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Heinrich Schuchardt
04cc7914f2 efi_selftest: implement exception test for sandbox
Provide a unit test that causes an illegal instruction to occur.

The test can be run with the following commands:

    => setenv efi_selftest exception
    => bootefi selftest

This might be the output:

    Executing 'exception'
    EFI application triggers exception.
    Illegal instruction
    pc = 0x1444d016, pc_reloc = 0xffffaa078e8dd016
    UEFI image [0x0000000000000000:0xffffffffffffffff] '/\selftest'
    UEFI image [0x000000001444b000:0x0000000014451fff] pc=0x2016 '/bug.efi'
    Resetting ...

It would tell us that the exception was triggered by an instruction
0x2016 bytes after the load address of the binary with filename /bug.efi.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Heinrich Schuchardt
3a5ec03578 cmd: sandbox: implement exception command
Implement the commands

* exception undefined - execute an illegal instruction
* exception sigsegv - cause a segment violation

Here is a possible output:

    => exception undefined
    Illegal instruction
    pc = 0x55eb8d0a7575, pc_reloc = 0x57575
    Resetting ...

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Heinrich Schuchardt
b46f30a378 sandbox: add handler for exceptions
Add a handler for SIGILL, SIGBUS, SIGSEGV.

When an exception occurs print the program counter and the loaded
UEFI binaries and reset the system if CONFIG_SANDBOX_CRASH_RESET=y
or exit to the OS otherwise.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Simon Glass
21f9075def sandbox: serial: Update to use membuff
Rather than implementing our own circular queue, use membuff. This allows
us to read multiple bytes at once into the serial input.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Simon Glass
1bf0a40219 sandbox: serial: Convert to livetree
Use a livetree function to read the colour.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Simon Glass
c5ea0167be serial: sandbox: Drop unnecessary #ifdefs
CONFIG_OF_CONTROL is always enabled for sandbox (as it should be for all
boards), so we can drop it. Also use IS_ENABLED() for the SPL check.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Simon Glass
9b3303822d dtoc: Tidy up Python style in dtb_platdata
Update this, mostly to add comments for argument and return types. It is
probably still too early to use type hinting since it was introduced in
3.5.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Simon Glass
479dd30f4a patman: Drop tools.ToChar() and ToChars()
This is useful anymore, since we always want to call chr() in Python 3.
Drop it and adjust callers to use chr().

Also drop ToChars() which is no-longer used.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Simon Glass
6a4ccad8e0 patman: Drop tools.ToByte()
This is not needed in Python 3. Drop it.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Simon Glass
fc0056e8d5 patman: Drop unicode helper functions
We don't need these now that everything uses Python 3. Remove them and
the extra code in GetBytes() and ToBytes() too.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Simon Glass
5ea9dccf02 fdt: Use an Enum for the data type
Use an Enum instead of the current ad-hoc constants, so that there is a
data type associated with each 'type' value.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-13 07:58:17 -07:00
Tom Rini
ddaa949785 Pull request for UEFI sub-system for next
Bug fixes
 
 * avoid corruption of FAT file system when using long names
 * correct values for RuntimeServicesSupport concerning UEFI capsule update
 * link partition to block device via EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER
 
 New feature
 
 * support EFI_LOAD_FILE_PROTOCOL in LoadImage() boot service
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAl/R2n4ACgkQxIHbvCwF
 GsSQqA/9Hckx74SkpunCpSog9G2npr8eapnO27jTw6Cq/P1aLpleKm7giYs3YVSq
 m8VcfCYgWH05R0C5KIO3hkvLg1vLJBF1hAiOmZNN3MRqp2ihy51j0MuxcCmY4sag
 9p6cgGaI0rSlsyAp9RAFErv7xL/y4o0XDeKNi/EbjJL5k2sysCKT/JyTIDZdE1hs
 /6YFuowlXYZgHsbVd1tlLDvZNG2FyVWhCyBe8YAh/aEszR0W7k376asFWe4BkWp0
 LsEpMn2xBOacVl6VCajYMO1OlUS9VsCBrbW0A8tbgUb26nqArP9U/EvtXL+JIQl2
 Xv078xCCRJ7Q0CvVu6QoIiD2v31RSLDSeavxCLWaw090YygHQ8vI7+JXJ1NnC3pa
 zrBccEvKkOyO+WXPWOb/Ruj0IaHzksNaMkQgGh8KvWnFjXxq7hpPJtrX3xri0MLS
 qQUAS/DOG9eL4poI3lMfeGoIKtCAfjXW80yWHTEAE1wGsk4xzsyf6igQS4eQ0Oen
 peoVnHaA2i4NruaPNa/8cgiypVr0iOBJsqTmj1RMhFz2aWIkgqcOm3RzIDRpoiFV
 dbXiMbktoJVOlO2y3htJvtC+f1CYz2/jNP/S+g2i6dbNwPS8PVH5G5ZUd2q0GYa1
 Rvf3M3gCByG1y/wYDsoUArjGfO6DFB6tqpK1xU/Ih4hbY4vXSqA=
 =800G
 -----END PGP SIGNATURE-----

Merge tag 'efi-next' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi into next

Pull request for UEFI sub-system for next

Bug fixes

* avoid corruption of FAT file system when using long names
* correct values for RuntimeServicesSupport concerning UEFI capsule update
* link partition to block device via EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER

New feature

* support EFI_LOAD_FILE_PROTOCOL in LoadImage() boot service
2020-12-10 13:54:33 -05:00
Heinrich Schuchardt
264485131c efi_loader: link partition to block device
We provide a UEFI driver for block devices. When ConnectController() is
called for a handle with the EFI_BLOCK_IO_PROTOCOL this driver creates the
partitions. When DisconnectController() is called the handles for the
partitions have to be deleted. This requires that the child controllers
(partitions) open the EFI_BLOCK_IO_PROTOCOL of the controller (block IO
device) with attribute EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:33 +01:00
Heinrich Schuchardt
f9ad240e65 efi_loader: make efi_protocol_open() non-static
Provide efi_protocol_open() as library function.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:33 +01:00
Heinrich Schuchardt
7f8e656338 efi_selftest: test EFI_LOAD_FILE_PROTOCOL
A unit test is supplied to test the support for the EFI_LOAD_FILE_PROTOCOL
and the EFI_LOAD_FILE2_PROTOCOL by the LoadImage() boot service.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:33 +01:00
Heinrich Schuchardt
6d78ca8360 efi_selftest: clean up Makefile
Bring all obj-y entries together.

Sort *.o targets.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:33 +01:00
Heinrich Schuchardt
3da0b28582 efi_loader: support EFI_LOAD_FILE_PROTOCOL
Support loading images via the EFI_LOAD_FILE_PROTOCOL and
EFI_LOAD_FILE2_PROTOCOL.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
0e074d1239 efi_loader: carve out efi_load_image_from_file()
efi_load_image_from_file() should read via either of:

* EFI_SIMPLE_FILE_SYSTEM_PROTOCOL
* EFI_LOAD_FILE_PROTOCOL
* EFI_LOAD_FILE2_PROTOCOL

To make the code readable carve out a function to load the image via the
file system protocol.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
c06c55b1f5 efi_loader: pass boot_policy to efi_load_image_from_path
Implementing support for loading images via the EFI_LOAD_FILE_PROTOCOL
requires the boot policy as input for efi_load_image_from_path().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
b6f11098c9 efi_loader: move EFI_LOAD_FILE2_PROTOCOL_GUID
The EFI_LOAD_FILE_PROTOCOL_GUID and EFI_LOAD_FILE2_PROTOCOL_GUID are needed
to complement the implementation of the LoadFile() boot service.

Remove a duplicate declaration of a variable for the
EFI_LOAD_FILE2_PROTOCOL_GUID.
Move the remaining declaration to efi_boottime.c.
Add a variable for the EFI_LOAD_FILE_PROTOCOL_GUID.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
0e9d2d7bc2 efi_loader: resequence functions in efi_boottime.c
For implementing support for the EFI_LOAD_FILE_PROTOCOL in the LoadImage()
service we will have to call the LocateDevicePath() service. To avoid a
forward declaration resequence the functions.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
861072b2a8 efi_loader: remove EFI_HII_CONFIG_ROUTING_PROTOCOL
Our implementation of the EFI_HII_CONFIG_ROUTING_PROTOCOL is a mere stub,
where all services return an error code. The protocol is neither needed for
the EFI shell nor for the UEFI SCT. To reduce the code size remove it from
the U-Boot binary.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
470fa190f3 efi_loader: don't set EFI_RT_SUPPORTED_UPDATE_CAPSULE
The EFI_RT_PROPERTIES_TABLE configuration table indicates which runtime
services are available at runtime.

Even if CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y, we neither support
UpdateCapsule() nor QueryCapsuleCapabilities() at runtime. Thus we should
not set the corresponding flags EFI_RT_SUPPORTED_UPDATE_CAPSULE and
EFI_RT_SUPPORTED_QUERY_CAPSULE_CAPABILITIES in RuntimeServicesSupported.

Fixes: 2bc27ca8a0 ("efi_loader: define UpdateCapsule api")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:32 +01:00
Heinrich Schuchardt
3d20d212cf fs: fat: deletion of long file names
Long file names are stored in multiple directory entries. When deleting a
file we must delete all of them.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:00 +01:00
Heinrich Schuchardt
89735b44c4 fs: fat: first dentry of long name in FAT iterator
A long name is split over multiple directory entries. When deleting a file
with a long name we need the first directory entry to be able to delete the
whole chain.

Add the necessary fields to the FAT iterator:

* cluster of first directory entry
* address of first directory entry
* remaining entries in cluster

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:15:00 +01:00
Heinrich Schuchardt
4a593dd0c5 fs: fat: use constant DELETED_FLAG
When deleting a directory entry 0xe5 is written to name[0].

We have a constant for this value and should use it consistently.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:59 +01:00
Heinrich Schuchardt
1e51c8d64a fs: fat: search file should not allocate cluster
Searching for a file is not a write operation. So it should not lead to the
allocation of a new cluster to the directory.

If we reuse deleted entries, we might not even use the new cluster and due
to not flushing it the directory could be corrupted.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:59 +01:00
Heinrich Schuchardt
3049a5106c fs: fat: reuse deleted directory entries
When creating new directory entries try to reuse entries marked as deleted.

In fill_dir_slot() do not allocate new clusters as this has already been
done in fat_find_empty_dentries().

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:59 +01:00
Heinrich Schuchardt
32a5f887c4 fs: fat: fat_find_empty_dentries()
Provide a function to find a series of empty directory entries.

The current directory is scanned for deleted entries.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:59 +01:00
Heinrich Schuchardt
569b0e1938 fs: fat: flush new directory cluster
When handling long file names directory entries may be split over multiple
clusters. We must make sure that new clusters are zero filled on disk.

When allocating a new cluster for a directory flush it.

The flushing should be executed before updating the FAT. This way if
flushing fails, we still have a valid directory structure.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:59 +01:00
Heinrich Schuchardt
7557c84855 fs: fat: set start cluster for root directory
When iterating over a child directory we set itr->start_clust.
Do the same when over the root directory.

When looking for deleted directory entries or existing short names we will
have to iterate over directories a second and third time. With this patch
we do not need any special logic for the root directory.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:59 +01:00
Heinrich Schuchardt
27ed690382 fs: fat: dentry iterator for fill_dir_slot()
For reusing deleted directory entries we have to adjust the function called
to step to the next directory entry.

This patch alone is not enough to actually reuse deleted directory entries
as the fill_dir_slot() is still called with first never used directory
entry.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:59 +01:00
Heinrich Schuchardt
3a331aee56 fs: fat: generate unique short names
File names must be unique within their directory. So before assigning a
short name we must check that it is unique.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:59 +01:00
Heinrich Schuchardt
57b745e238 fs: fat: call set_name() only once
In set_name() we select the short name. Once this is correctly implemented
this will be a performance intensive operation because we need to check
that the name does not exist yet. So set_name should only be called once.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:59 +01:00
Heinrich Schuchardt
a343249bef fs: fat: pass shortname to fill_dir_slot
Currently we pass the short name via the directory iterator.
Pass it explicitly as a parameter.

This removes the requirement to set the short name in the iterator before
writing the long name.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:59 +01:00
Heinrich Schuchardt
28cef9ca2e fs: fat: create correct short names
The current function set_name() used to create short names has the
following deficiencies resolved by this patch:

* Long names (e.g. FOO.TXT) are stored even if a short name is enough.
* Short names with spaces are created, e.g. "A     ~1.TXT".
* Short names with illegal characters are created, e.g. "FOO++BAR".
* Debug output does not not consider that the short file name has no
  concluding '\0'.

The solution for the following bug is split of into a separate patch:

* Short file names must be unique.

This patch only provides the loop over possible short file names.

Fixes: c30a15e590 ("FAT: Add FAT write feature")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:58 +01:00
Heinrich Schuchardt
d236e825a2 fs: fat: export fat_next_cluster()
Rename function next_cluster() to fat_next_cluster() and export it.

When creating a new directory entries we should reuse deleted entries.
This requires re-scanning the directory.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2020-12-10 09:14:58 +01:00
Heinrich Schuchardt
c5924118c0 fs: fat: correct first cluster for '..'
The FAT specification [1] requires that for a '..' directory entry pointing
to the root directory the fields DIR_FstClusHi and DIR_FstClusLo are 0.

[1] Microsoft FAT Specification, Microsoft Corporation, August 30 2005

Fixes: 31a18d570d ("fs: fat: support mkdir")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
2020-12-10 09:14:58 +01:00
Alexandru Gagniuc
03f1f78a9b spl: fit: Prefer a malloc()'d buffer for loading images
Fit images were loaded to a buffer provided by spl_get_load_buffer().
This may work when the FIT image is small and fits between the start
of DRAM and SYS_TEXT_BASE.

One problem with this approach is that the location of the buffer may
be manipulated by changing the 'size' field of the FIT. A maliciously
crafted FIT image could place the buffer over executable code and be
able to take control of SPL. This is unacceptable for secure boot of
signed FIT images.

Another problem is with larger FIT images, usually containing one or
more linux kernels. In such cases the buffer be be large enough so as
to start before DRAM (Figure I). Trying to load an image in this case
has undefined behavior.
For example, on stm32mp1, the MMC controller hits a RX overrun error,
and aborts loading.
    _________________
   |    FIT Image    |
   |                 |
  /===================\                        /=====================\
  ||      DRAM       ||                        |        DRAM         |
  ||                 ||                        |                     |
  ||_________________||  SYS_TEXT_BASE         | ___________________ |
  |                   |                        ||     FIT Image     ||
  |                   |                        ||                   ||
  | _________________ |  SYS_SPL_MALLOC_START  || _________________ ||
  ||  malloc() data  ||                        |||  malloc() data  |||
  ||_________________||                        |||_________________|||
  |                   |                        ||___________________||
  |                   |                        |                     |

        Figure I                                       Figure II

One possibility that was analyzed was to remove the negative offset,
such that the buffer starts at SYS_TEXT_BASE. This is not a proper
solution because on a number of platforms, the malloc buffer() is
placed at a fixed address, usually after SYS_TEXT_BASE. A large
enough FIT image could cause the malloc()'d data to be overwritten
(Figure II) when loading.

          /======================\
          |        DRAM          |
          |                      |
          |                      |   CONFIG_SYS_TEXT_BASE
          |                      |
          |                      |
          | ____________________ |   CONFIG_SYS_SPL_MALLOC_START
          ||   malloc() data    ||
          ||                    ||
          || __________________ ||
          |||    FIT Image     |||
          |||                  |||
          |||                  |||

                 Figure III

The solution proposed here is to replace the ad-hoc heuristics of
spl_get_load_buffer() with malloc(). This provides two advantages:
    * Bounds checking of the buffer region
    * Guarantees the buffer does not conflict with other memory

The first problem is solved by constraining the buffer such that it
will not overlap currently executing code. This eliminates the chance
of a malicious FIT being able to replace the executing SPL code prior
to signature checking.

The second problem is solved in conjunction with increasing
CONFIG_SYS_SPL_MALLOC_SIZE. Since the SPL malloc() region is
carefully crafted on a per-platform basis, the chances of memory
conflicts are virtually eliminated.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2020-12-07 17:40:34 -05:00