At present there are two copies of this code. With ofnode we can combine
them to reduce duplication. Update the dm_scan_fdt_node() function and
adjust its callers.
Signed-off-by: Simon Glass <sjg@chromium.org>
This is needed in at least one place. Avoid the conditional code in root.c
by adding this inline function.
Signed-off-by: Simon Glass <sjg@chromium.org>
This function is not necessary anymore, since device_bind_ofnode() does
the same thing and works with both flattree and livetree.
Rename it to indicate that it is special.
Signed-off-by: Simon Glass <sjg@chromium.org>
Test that an exception SIGILL is answered by a reset on the sandbox if
CONFIG_SANDBOX_CRASH_RESET=y or by exiting to the OS otherwise.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Provide a unit test that causes an illegal instruction to occur.
The test can be run with the following commands:
    => setenv efi_selftest exception
    => bootefi selftest
This might be the output:
    Executing 'exception'
    EFI application triggers exception.
    Illegal instruction
    pc = 0x1444d016, pc_reloc = 0xffffaa078e8dd016
    UEFI image [0x0000000000000000:0xffffffffffffffff] '/\selftest'
    UEFI image [0x000000001444b000:0x0000000014451fff] pc=0x2016 '/bug.efi'
    Resetting ...
It would tell us that the exception was triggered by an instruction
0x2016 bytes after the load address of the binary with filename /bug.efi.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
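
The offset calculation described in the message above can be automated when triaging such crash output. The following is an added example, not code from U-Boot: it parses the quoted lines and attributes the program counter to an image. The names `locate_pc` and `pc_hit`, and the rule of picking the narrowest matching range, are assumptions of this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Crash text as quoted in the commit message above. */
static const char sample_log[] =
	"pc = 0x1444d016, pc_reloc = 0xffffaa078e8dd016\n"
	"UEFI image [0x0000000000000000:0xffffffffffffffff] '/\\selftest'\n"
	"UEFI image [0x000000001444b000:0x0000000014451fff] pc=0x2016 '/bug.efi'\n";

struct pc_hit { int found; char image[64]; uint64_t offset; };

/* Attribute pc to the narrowest listed image range that contains it
 * (choosing the narrowest range is this example's assumption). */
static struct pc_hit locate_pc(const char *log)
{
	struct pc_hit hit = { 0, "", 0 };
	uint64_t pc = 0, start, end, best_span = 0;
	int have_pc = 0;
	char line[256];

	while (*log) {
		size_t len = strcspn(log, "\n");
		size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
		memcpy(line, log, n);
		line[n] = '\0';
		log += len + (log[len] == '\n');
		have_pc |= sscanf(line, "pc = %" SCNx64, &pc) == 1;
		if (!have_pc || sscanf(line, "UEFI image [%" SCNx64 ":%" SCNx64,
				       &start, &end) != 2)
			continue;
		if (pc < start || pc > end || (hit.found && end - start >= best_span))
			continue;
		const char *quote = strchr(line, '\'');
		if (quote && sscanf(quote, "'%63[^']", hit.image) == 1) {
			hit.found = 1;
			hit.offset = pc - start;   /* offset from the load address */
			best_span = end - start;
		}
	}
	return hit;
}

int main(void)
{
	struct pc_hit h = locate_pc(sample_log);
	printf("%s+0x%" PRIx64 "\n", h.found ? h.image : "?", h.offset);
}
```
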
Implement the commands
* exception undefined - execute an illegal instruction
* exception sigsegv - cause a segment violation
Here is a possible output:
    => exception undefined
    Illegal instruction
    pc = 0x55eb8d0a7575, pc_reloc = 0x57575
    Resetting ...
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a handler for SIGILL, SIGBUS, SIGSEGV.
When an exception occurs print the program counter and the loaded
UEFI binaries and reset the system if CONFIG_SANDBOX_CRASH_RESET=y
or exit to the OS otherwise.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Rather than implementing our own circular queue, use membuff. This allows
us to read multiple bytes at once into the serial input.
Signed-off-by: Simon Glass <sjg@chromium.org>
CONFIG_OF_CONTROL is always enabled for sandbox (as it should be for all
boards), so we can drop it. Also use IS_ENABLED() for the SPL check.
Signed-off-by: Simon Glass <sjg@chromium.org>
Update this, mostly to add comments for argument and return types. It is
probably still too early to use type hinting since it was introduced in
3.5.
Signed-off-by: Simon Glass <sjg@chromium.org>
This is not useful anymore, since we always want to call chr() in Python 3.
Drop it and adjust callers to use chr().
Also drop ToChars() which is no longer used.
Signed-off-by: Simon Glass <sjg@chromium.org>
We don't need these now that everything uses Python 3. Remove them and
the extra code in GetBytes() and ToBytes() too.
Signed-off-by: Simon Glass <sjg@chromium.org>
Use an Enum instead of the current ad-hoc constants, so that there is a
data type associated with each 'type' value.
Signed-off-by: Simon Glass <sjg@chromium.org>
Bug fixes
* avoid corruption of FAT file system when using long names
* correct values for RuntimeServicesSupport concerning UEFI capsule update
* link partition to block device via EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER
New feature
* support EFI_LOAD_FILE_PROTOCOL in LoadImage() boot service
Merge tag 'efi-next' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi into next
Pull request for UEFI sub-system for next
Bug fixes
* avoid corruption of FAT file system when using long names
* correct values for RuntimeServicesSupport concerning UEFI capsule update
* link partition to block device via EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER
New feature
* support EFI_LOAD_FILE_PROTOCOL in LoadImage() boot service
We provide a UEFI driver for block devices. When ConnectController() is
called for a handle with the EFI_BLOCK_IO_PROTOCOL this driver creates the
partitions. When DisconnectController() is called the handles for the
partitions have to be deleted. This requires that the child controllers
(partitions) open the EFI_BLOCK_IO_PROTOCOL of the controller (block IO
device) with attribute EFI_OPEN_PROTOCOL_BY_CHILD_CONTROLLER.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
A unit test is supplied to test the support for the EFI_LOAD_FILE_PROTOCOL
and the EFI_LOAD_FILE2_PROTOCOL by the LoadImage() boot service.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
efi_load_image_from_file() should read via either of:
* EFI_SIMPLE_FILE_SYSTEM_PROTOCOL
* EFI_LOAD_FILE_PROTOCOL
* EFI_LOAD_FILE2_PROTOCOL
To make the code readable carve out a function to load the image via the
file system protocol.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Implementing support for loading images via the EFI_LOAD_FILE_PROTOCOL
requires the boot policy as input for efi_load_image_from_path().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The EFI_LOAD_FILE_PROTOCOL_GUID and EFI_LOAD_FILE2_PROTOCOL_GUID are needed
to complement the implementation of the LoadFile() boot service.
Remove a duplicate declaration of a variable for the
EFI_LOAD_FILE2_PROTOCOL_GUID.
Move the remaining declaration to efi_boottime.c.
Add a variable for the EFI_LOAD_FILE_PROTOCOL_GUID.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
For implementing support for the EFI_LOAD_FILE_PROTOCOL in the LoadImage()
service we will have to call the LocateDevicePath() service. To avoid a
forward declaration resequence the functions.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Our implementation of the EFI_HII_CONFIG_ROUTING_PROTOCOL is a mere stub,
where all services return an error code. The protocol is neither needed for
the EFI shell nor for the UEFI SCT. To reduce the code size remove it from
the U-Boot binary.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The EFI_RT_PROPERTIES_TABLE configuration table indicates which runtime
services are available at runtime.
Even if CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y, we neither support
UpdateCapsule() nor QueryCapsuleCapabilities() at runtime. Thus we should
not set the corresponding flags EFI_RT_SUPPORTED_UPDATE_CAPSULE and
EFI_RT_SUPPORTED_QUERY_CAPSULE_CAPABILITIES in RuntimeServicesSupported.
Fixes: 2bc27ca8a0 ("efi_loader: define UpdateCapsule api")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Long file names are stored in multiple directory entries. When deleting a
file we must delete all of them.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
A long name is split over multiple directory entries. When deleting a file
with a long name we need the first directory entry to be able to delete the
whole chain.
Add the necessary fields to the FAT iterator:
* cluster of first directory entry
* address of first directory entry
* remaining entries in cluster
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When deleting a directory entry 0xe5 is written to name[0].
We have a constant for this value and should use it consistently.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Searching for a file is not a write operation. So it should not lead to the
allocation of a new cluster to the directory.
If we reuse deleted entries, we might not even use the new cluster and due
to not flushing it the directory could be corrupted.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When creating new directory entries try to reuse entries marked as deleted.
In fill_dir_slot() do not allocate new clusters as this has already been
done in fat_find_empty_dentries().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Provide a function to find a series of empty directory entries.
The current directory is scanned for deleted entries.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
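
The messages above on deleting every entry of a long name and on reusing deleted entries describe two halves of one mechanism. The following is an added example, not U-Boot's fs/fat code, that models both on an in-memory directory. The `dentry` layout, the function names and the sample directory are assumptions of this example; 0xe5 is the deletion marker named above and 0x0f is the standard long-name attribute value.

```c
#include <stdint.h>
#include <string.h>

#define DELETED_FLAG   0xe5  /* written to name[0] when an entry is deleted */
#define ATTR_LONG_NAME 0x0f  /* attribute value of a long-name slot */
#define IS_FREE(d) ((d).name[0] == DELETED_FLAG || (d).name[0] == 0)

/* Simplified directory entry: only the fields this example needs. */
struct dentry { uint8_t name[11]; uint8_t attr; };

/* Constructed sample: short entry, two long-name slots + their short entry, short entry. */
static const struct dentry sample_dir[8] = {
	{ "README  TXT", 0x20 }, { "\x42", ATTR_LONG_NAME },
	{ "\x01", ATTR_LONG_NAME }, { "LONGFI~1TXT", 0x20 }, { "B       BIN", 0x20 },
};

/* Find short_name; *first receives the index of the first slot of its chain. */
static int find_entry(const struct dentry *dir, int count,
		      const char *short_name, int *first)
{
	int start = -1;  /* start of the current run of long-name slots */
	for (int i = 0; i < count; i++) {
		int lfn = !IS_FREE(dir[i]) && dir[i].attr == ATTR_LONG_NAME;
		if (!lfn && !IS_FREE(dir[i]) && !memcmp(dir[i].name, short_name, 11)) {
			*first = start < 0 ? i : start;
			return i;
		}
		start = lfn ? (start < 0 ? i : start) : -1;
	}
	return -1;
}

/* Mark every slot of the chain deleted; returns the number of slots freed. */
static int delete_file(struct dentry *dir, int count, const char *short_name)
{
	int first = 0, last = find_entry(dir, count, short_name, &first);
	for (int i = first; last >= 0 && i <= last; i++)
		dir[i].name[0] = DELETED_FLAG;
	return last < 0 ? 0 : last - first + 1;
}

/* First index of n consecutive reusable slots, or -1 if there is no such run. */
static int find_empty_run(const struct dentry *dir, int count, int n)
{
	for (int i = 0, run = 0; i < count; i++) {
		run = IS_FREE(dir[i]) ? run + 1 : 0;
		if (run == n)
			return i - n + 1;
	}
	return -1;
}
```

Marking only the short entry would leave the two long-name slots orphaned, and the scan would then find no run of three reusable slots at index 1.
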
When handling long file names directory entries may be split over multiple
clusters. We must make sure that new clusters are zero filled on disk.
When allocating a new cluster for a directory flush it.
The flushing should be executed before updating the FAT. This way if
flushing fails, we still have a valid directory structure.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When iterating over a child directory we set itr->start_clust.
Do the same when iterating over the root directory.
When looking for deleted directory entries or existing short names we will
have to iterate over directories a second and third time. With this patch
we do not need any special logic for the root directory.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
For reusing deleted directory entries we have to adjust the function called
to step to the next directory entry.
This patch alone is not enough to actually reuse deleted directory entries
as fill_dir_slot() is still called with the first never-used directory
entry.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
File names must be unique within their directory. So before assigning a
short name we must check that it is unique.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
In set_name() we select the short name. Once this is correctly implemented
this will be a performance intensive operation because we need to check
that the name does not exist yet. So set_name should only be called once.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Currently we pass the short name via the directory iterator.
Pass it explicitly as a parameter.
This removes the requirement to set the short name in the iterator before
writing the long name.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The current function set_name() used to create short names has the
following deficiencies resolved by this patch:
* Long names (e.g. FOO.TXT) are stored even if a short name is enough.
* Short names with spaces are created, e.g. "A ~1.TXT".
* Short names with illegal characters are created, e.g. "FOO++BAR".
* Debug output does not consider that the short file name has no
concluding '\0'.
The solution for the following bug is split off into a separate patch:
* Short file names must be unique.
This patch only provides the loop over possible short file names.
Fixes: c30a15e590 ("FAT: Add FAT write feature")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Rename function next_cluster() to fat_next_cluster() and export it.
When creating new directory entries we should reuse deleted entries.
This requires re-scanning the directory.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The FAT specification [1] requires that for a '..' directory entry pointing
to the root directory the fields DIR_FstClusHi and DIR_FstClusLo are 0.
[1] Microsoft FAT Specification, Microsoft Corporation, August 30 2005
Fixes: 31a18d570d ("fs: fat: support mkdir")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
FIT images were loaded to a buffer provided by spl_get_load_buffer().
This may work when the FIT image is small and fits between the start
of DRAM and SYS_TEXT_BASE.
One problem with this approach is that the location of the buffer may
be manipulated by changing the 'size' field of the FIT. A maliciously
crafted FIT image could place the buffer over executable code and be
able to take control of SPL. This is unacceptable for secure boot of
signed FIT images.
Another problem is with larger FIT images, usually containing one or
more Linux kernels. In such cases the buffer may be large enough so as
to start before DRAM (Figure I). Trying to load an image in this case
has undefined behavior.
For example, on stm32mp1, the MMC controller hits a RX overrun error,
and aborts loading.
      _________________
     |    FIT Image    |
     |                 |
    /===================\                        /=====================\
    ||      DRAM       ||                        |        DRAM         |
    ||                 ||                        |                     |
    ||_________________||  SYS_TEXT_BASE         | ___________________ |
    |                   |                        ||     FIT Image     ||
    |                   |                        ||                   ||
    | _________________ |  SYS_SPL_MALLOC_START  || _________________ ||
    ||  malloc() data  ||                        |||  malloc() data  |||
    ||_________________||                        |||_________________|||
    |                   |                        ||___________________||
    |                   |                        |                     |
          Figure I                                      Figure II
One possibility that was analyzed was to remove the negative offset,
such that the buffer starts at SYS_TEXT_BASE. This is not a proper
solution because on a number of platforms, the malloc() buffer is
placed at a fixed address, usually after SYS_TEXT_BASE. A large
enough FIT image could cause the malloc()'d data to be overwritten
(Figure II) when loading.
    /======================\
    |         DRAM         |
    |                      |
    |                      |   CONFIG_SYS_TEXT_BASE
    |                      |
    |                      |
    | ____________________ |   CONFIG_SYS_SPL_MALLOC_START
    ||   malloc() data    ||
    ||                    ||
    || __________________ ||
    |||    FIT Image     |||
    |||                  |||
    |||                  |||
           Figure III
The solution proposed here is to replace the ad-hoc heuristics of
spl_get_load_buffer() with malloc(). This provides two advantages:
* Bounds checking of the buffer region
* Guarantees the buffer does not conflict with other memory
The first problem is solved by constraining the buffer such that it
will not overlap currently executing code. This eliminates the chance
of a malicious FIT being able to replace the executing SPL code prior
to signature checking.
The second problem is solved in conjunction with increasing
CONFIG_SYS_SPL_MALLOC_SIZE. Since the SPL malloc() region is
carefully crafted on a per-platform basis, the chances of memory
conflicts are virtually eliminated.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
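
The placement argument in the message above can be checked with a small model. The following is an added example, not U-Boot's SPL code: it compares a buffer whose start is derived from the image's size field with an allocation from a bounded pool. The memory map, `heuristic_buffer`, `placement_ok` and `pool_alloc` are constructed for illustration and are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed 32-bit memory map for illustration; not a real board's values. */
#define SPL_START   0x2ffc0000u  /* hypothetical: SPL code running from SRAM */
#define SPL_SIZE    0x00020000u
#define DRAM_START  0xc0000000u
#define TEXT_BASE   0xc0100000u  /* stands in for SYS_TEXT_BASE */
#define POOL_START  0xc0300000u  /* stands in for SYS_SPL_MALLOC_START */
#define POOL_SIZE   0x00100000u  /* stands in for CONFIG_SYS_SPL_MALLOC_SIZE */

struct region { uint32_t start, size; };

/* Half-open overlap test in 64 bits so start + size cannot wrap. */
static bool overlaps(struct region a, struct region b)
{
	return a.start < (uint64_t)b.start + b.size &&
	       b.start < (uint64_t)a.start + a.size;
}

/* Model of the heuristic: the buffer ends at TEXT_BASE, so the size field
 * taken from the image header alone decides where it starts. */
static struct region heuristic_buffer(uint32_t fit_size)
{
	return (struct region){ TEXT_BASE - fit_size, fit_size };
}

/* Checks the heuristic lacks: the buffer must lie in DRAM and clear of SPL. */
static bool placement_ok(struct region buf)
{
	const struct region spl = { SPL_START, SPL_SIZE };
	return buf.start >= DRAM_START && !overlaps(buf, spl);
}

/* Model of a bounded allocator: a request either fits in the pool or fails. */
static bool pool_alloc(uint32_t *used, uint32_t size, struct region *out)
{
	if (size > POOL_SIZE - *used)
		return false;  /* oversized request: the load is refused */
	*out = (struct region){ POOL_START + *used, size };
	*used += size;
	return true;
}
```

With this map, a size field of 0x00200000 puts the heuristic buffer before DRAM (Figure I), while the pool either returns a region inside its own bounds or fails.
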