Simon Glass [Fri, 6 Mar 2026 01:20:09 +0000 (18:20 -0700)]
boot: Add fit_config_get_hash_list() to build signed node list
The hashed-nodes property in a FIT signature node lists which FDT paths
are included in the signature hash. It is intended as a hint so should
not be used for verification.
Add a function to build the node list from scratch by iterating the
configuration's image references. Skip properties known not to be image
references. For each image, collect the path plus all hash and cipher
subnodes.
Use the new function in fit_config_check_sig() instead of reading
'hashed-nodes'.
Update the test_vboot kernel@ test case: fit_check_sign now catches the
attack at signature-verification time (the @-suffixed node is hashed
instead of the real one, causing a mismatch) rather than at
fit_check_format() time.
Update the docs to cover this. The FIT spec can be updated separately.
Signed-off-by: Simon Glass <simon.glass@canonical.com> Closes: https://lore.kernel.org/u-boot/20260302220937.3682128-1-trini@konsulko.com/ Reported-by: Apple Security Engineering and Architecture (SEAR) Tested-by: Tom Rini <trini@konsulko.com>
Tom Rini [Mon, 9 Mar 2026 15:12:43 +0000 (09:12 -0600)]
Merge patch series "64-bit PCIe for AM64, AM69, J7200, J722S and J784S4"
Siddharth Vadapalli <s-vadapalli@ti.com> says:
Since Linux device-tree has switched to 64-bit Address space for the
PCIe Controllers on TI SoCs, currently, U-Boot needs to support the
same. This series adds support for 64-bit addressing for PCIe along with
enabling Root-Complex mode of operation for AM69 and J784S4 SoCs.
configs: j722s_evm_a53_defconfig: enable 64-bit addressing for PCIe
The PCIe0 instance of PCIe on the J722S SoC uses the 4 GB Address Window
starting from 0x6_0000_0000 to map System Addresses to PCIe Bus Addresses.
Hence, enable CONFIG_SYS_PCI_64BIT.
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com> Fixes: 79f3e77133bd ("Subtree merge tag 'v6.16-dts' of dts repo [1] into dts/upstream")
configs: j7200_evm_a72_defconfig: enable 64-bit addressing for PCIe
The PCIe1 instance of PCIe on the J7200 SoC uses the 4 GB Address Window
starting from 0x41_0000_0000 to map System Addresses to PCIe Bus Addresses.
Hence, enable CONFIG_SYS_PCI_64BIT.
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com> Fixes: 79f3e77133bd ("Subtree merge tag 'v6.16-dts' of dts repo [1] into dts/upstream")
configs: am64x_evm_a53_defconfig: enable 64-bit addressing for PCIe
The PCIe0 instance of PCIe on the AM64x SoC uses the 4 GB Address Window
starting from 0x6_0000_0000 to map System Addresses to PCIe Bus Addresses.
Hence, enable CONFIG_SYS_PCI_64BIT.
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com> Fixes: 79f3e77133bd ("Subtree merge tag 'v6.16-dts' of dts repo [1] into dts/upstream")
The PCIe Controllers on the J784S4 and AM69 SoCs support Root-Complex
mode of operation. PCIe0 instance of PCIe on both of the SoCs is brought
out on the Starter-Kit (AM69) and EVM (J784S4) boards. Hence, enable
the configs required for Root-Complex mode of operation.
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com> Fixes: 79f3e77133bd ("Subtree merge tag 'v6.16-dts' of dts repo [1] into dts/upstream")
arm: mach-k3: arm64-mmu: add mapping for PCIe 4 GB Address Windows
The PCIe Controllers in the K3 SoCs have 4 GB Address Windows in the
64-bit address space to map System (CPU) Addresses to PCIe Bus Addresses.
The physical addresses for these Address Windows across PCIe instances
across SoCs is as follows:
+--------+----------------+----------------+----------------+----------------+
| SoC | PCIe0 | PCIe1 | PCIe2 | PCIe3 |
+--------+----------------+----------------+----------------+----------------+
| AM64 | 0x6_0000_0000 | NA | NA | NA |
| J722S | 0x6_0000_0000 | NA | NA | NA |
| AM68 | NA | 0x41_0000_0000 | NA | NA |
| J7200 | NA | 0x41_0000_0000 | NA | NA |
| J721S2 | NA | 0x41_0000_0000 | NA | NA |
| J742S2 | 0x40_0000_0000 | 0x41_0000_0000 | NA | NA |
| AM69 | 0x40_0000_0000 | 0x41_0000_0000 | 0x42_0000_0000 | 0x43_0000_0000 |
| J721E | 0x40_0000_0000 | 0x41_0000_0000 | 0x42_0000_0000 | 0x43_0000_0000 |
| J784S4 | 0x40_0000_0000 | 0x41_0000_0000 | 0x42_0000_0000 | 0x43_0000_0000 |
+--------+----------------+----------------+----------------+----------------+
Two regions for a 1:1 mapping from virtual addresses to physical addresses
catering to all of the above will be required, which are:
1. For AM64 and J722S SoCs
=> Start: 0x6_0000_0000 Size: 0x1_0000_0000
2. For AM68, AM69, J7200, J721E, J721S2, J742S2 and J784S4 SoCs
=> Start: 0x40_0000_0000 Size: 0x4_0000_0000
Since the 'Flash Peripherals' region from 0x5_0000_0000 to 0x8_7FFF_FFFF
includes the mapping for AM64 and J722S SoCs, only the second region
mentioned above needs to be added.
Hence, add the region to support 64-bit address space for PCIe.
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com> Fixes: 79f3e77133bd ("Subtree merge tag 'v6.16-dts' of dts repo [1] into dts/upstream")
Drivers should extract device-tree data before probing via the
.of_to_plat hook.
Implement it for stm32_dsi driver. By doing so, it also solve a
variable shadowing in stm32_dsi_probe() where &clk was used as
peripheral clock and ref clock.
For readability some struct have been renamed such as:
Tom Rini [Wed, 4 Mar 2026 20:25:30 +0000 (14:25 -0600)]
Merge patch series "MAINTAINERS: Update ADI ADSP platform maintainers"
Philip Molloy <philip@philipmolloy.com> says:
This series updates the maintainers for the ADI ADSP platform. It
follows Greg's series adding support for ADI ADSP SoCs.
Timesys spent years developing and maintaining Linux support for ADI
ADSP SoCs. The maintenance contract has ended and ADI has brought that
effort in-house. Additionally, Timesys was acquired by another company.
Thanks to everyone at Timesys for all of their hard work over the years!
Daniel Golle [Fri, 27 Feb 2026 01:50:46 +0000 (01:50 +0000)]
tools/atmelimage: add const qualifier to fix compiler warning
More strict checks in GCC 15 expose a new warning:
tools/atmelimage.c: In function ‘atmel_find_pmecc_parameter_in_token’:
tools/atmelimage.c:64:31: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
64 | param = strstr(token, "=");
| ^
cc1: all warnings being treated as errors
Add 'const' qualifier to variable 'param' to prevent build failing
due to -Werror.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Tom Rini [Wed, 4 Mar 2026 20:24:59 +0000 (14:24 -0600)]
Merge tag 'u-boot-ufs-20260304' of https://source.denx.de/u-boot/custodians/u-boot-ufs
A few fixes/missing changes for UFS:
- remove unused ufs_post_bind() declaration
- Disable UTP command timeout in slow mode
- Missing MediaTek UFS PHY Driver to be used with the UFS driver
Marek Vasut [Sun, 15 Feb 2026 14:04:55 +0000 (15:04 +0100)]
kbuild: Drop phandle from diff between base DT and U-Boot augmented DT if DEVICE_TREE_DEBUG=1
Remove the "phandle = <0x..>;" properties from the DT diff between
unpatched base DT and U-Boot augmented DT if DEVICE_TREE_DEBUG=1.
The phandle numbers are only generated by DTC, but not referenced
anywhere in the DT, because the original references are specifically
not replaced by phandle numbers when recent DTC is invoked with the
-I dts -O dts flags . The phandle number are therefore only a noise
in the diff, filter them out.
Simon Glass [Sat, 14 Feb 2026 02:47:34 +0000 (19:47 -0700)]
kbuild: unexport sub_make_done to fix child make invocations
The exported sub_make_done variable leaks into the environment of all
child processes. When make targets like tcheck spawn independent make
invocations with O=, those child makes inherit sub_make_done=1, skip
the KBUILD_OUTPUT setup and try to build in the source tree.
There is a workaround that resets sub_make_done to 0 for specific test
targets, but this isn't great since it has tolist every target that
spawns independent make invocations.
Instead, unexport sub_make_done once we are in the final make
invocation. The direct sub-make already has the value in its
environment from the export, and no further propagation is needed.
This also allows the per-target workaround to be removed.
Fixes: 27529f1cb02d ("kbuild: skip parsing pre sub-make code for recursion") Signed-off-by: Simon Glass <simon.glass@canonical.com>
Simon Glass [Fri, 13 Feb 2026 13:39:09 +0000 (06:39 -0700)]
menu: Move shortcut-key handling to bootmenu_loop()
The bootmenu_conv_key() function is shared with expo subsystem for key
input. Adding alphanumeric-to-BKEY_SHORTCUT conversion there causes expo
to swallow typed characters instead of inserting them as text, since
BKEY_SHORTCUT falls in the range that expo treats as a command key
rather than passing through.
Move the shortcut-key detection into bootmenu_loop() where it is
only used in the bootmenu context.
Fixes: 8c986521c3c9 ("cmd: bootmenu: permit to select bootmenu entry with a shortcut") Signed-off-by: Simon Glass <simon.glass@canonical.com> Reviewed-by: Tom Rini <trini@konsulko.com>
Romain Gantois [Tue, 17 Feb 2026 09:27:52 +0000 (10:27 +0100)]
dm: core: Don't allow ofnode_to_fdt() to return NULL
The ofnode_to_fdt() function may return a NULL pointer in multiple cases.
Or, this function's return value is often passed directly to functions such
as fdt_getprop() which end up dereferencing it, thus causing a NULL pointer
exception.
Don't allow ofnode_to_fdt() to return NULL, to avoid a NULL pointer
dereference.
common/memsize.c: Fix get_ram_size() original data restore
The get_ram_size() function fails to restore the original RAM data when
the data cache is enabled. This issue was observed on an AM625 R5 SPL
with 512MB of RAM and is a regression that became visible with
commit bc07851897bd ("board: ti: Pull redundant DDR functions to a common
location and Fixup DDR size when ECC is enabled").
Observed boot failure messages:
Warning: Did not detect image signing certificate. Skipping authentication to prevent boot failure. This will fail on Security Enforcing(HS-SE) devices
Authentication passed
Starting ATF on ARM64 core...
The system then hangs. This indicates that without a data cache flush,
data in the cache is not coherent with RAM, preventing the system from
booting. This was verified by printing the content of this address when
the issue occurs.
Add a data cache flush after each restore operation to resolve this
issue.
Fixes: bc07851897bd ("board: ti: Pull redundant DDR functions to a common location and Fixup DDR size when ECC is enabled") Fixes: 1c64b98c1ec4 ("common/memsize.c: Fix get_ram_size() when cache is enabled") Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com> Reviewed-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com> Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com> # Toradex Verdin AM62
Padmarao Begari [Wed, 26 Nov 2025 15:06:41 +0000 (16:06 +0100)]
ufs: Disable UTP command timeout in slow mode
When the UFS controller is operating in slow (PWM) mode,
the driver is disabled the timeout for UTP send commands.
In high-speed mode, the timeout remains enabled to
detect stalled or failed transfers. This change ensures reliable
operation in slow mode, where command completion may take longer
and timeouts are not required.
Vincent Stehlé [Mon, 16 Feb 2026 11:30:16 +0000 (12:30 +0100)]
efi_loader: fix specific LoadImage() return code
When the LoadImage() UEFI function is called with both its SourceBuffer and
DevicePath input arguments equal to NULL, it must return EFI_NOT_FOUND [1].
However, it does return EFI_INVALID_PARAMETER instead; fix it.
Tom Rini [Tue, 24 Feb 2026 18:31:07 +0000 (12:31 -0600)]
Gitlab: Fix TEST_PY_TEST_SPEC for qemu-x86_64 in sjg-lab
With the change to regularize the usage of TEST_PY_TEST_SPEC in the
sjg-lab stanza with commit c7f360f20d84 ("Gitlab: Rework sjg-lab calling
test.py to be closer to test.py stage") the leading "and " part of the
usage under qemu-x86_64 wasn't removed when it should have been. Do so
now.
Fixes: c7f360f20d84 ("Gitlab: Rework sjg-lab calling test.py to be closer to test.py stage") Reviewed-by: Simon Glass <simon.glass@canonical.com> Signed-off-by: Tom Rini <trini@konsulko.com>
Peng Fan [Tue, 10 Feb 2026 08:12:16 +0000 (16:12 +0800)]
iommu: Validate device tree node in dev_iommu_enable
Similar to pinctrl_select_state(), add dev_has_ofnode() check before doing the
real work. Device(scmi_base.0) does not have a real device node, ofnode_null()
is assigned as the device tree node for scmi base protocol device:
'commit 7eb4eb541c14 ("firmware: scmi: install base protocol to SCMI agent")'
However with recent update in
'commit 0535e46d55d7 ("scripts/dtc: Update to upstream version v1.7.2-35-g52f07dcca47c")',
SPL panic in fdt_check_node_offset_()->fdt_next_tag(), because offset is -1
and SPL_OF_LIBFDT_ASSUME_MASK is 0xFF.
So need to validate device tree node.
Reported-by: Ye Li <ye.li@nxp.com> Closes: https://lore.kernel.org/u-boot/939a9696-27fa-45a1-b428-feffe21ac6d5@oss.nxp.com/ Signed-off-by: Peng Fan <peng.fan@nxp.com>
Peng Fan [Tue, 10 Feb 2026 08:12:15 +0000 (16:12 +0800)]
power: domain: Validate device tree node in dev_power_domain_ctrl
Similar to pinctrl_select_state(), add dev_has_ofnode() check before doing the
real work. Device(scmi_base.0) does not have a real device node, ofnode_null()
is assigned as the device tree node for scmi base protocol device:
'commit 7eb4eb541c14 ("firmware: scmi: install base protocol to SCMI agent")'
However with recent update in
'commit 0535e46d55d7 ("scripts/dtc: Update to upstream version v1.7.2-35-g52f07dcca47c")',
SPL panic in fdt_check_node_offset_()->fdt_next_tag(), because offset is -1
and SPL_OF_LIBFDT_ASSUME_MASK is 0xFF.
So need to validate device tree node.
Reported-by: Ye Li <ye.li@nxp.com> Closes: https://lore.kernel.org/u-boot/939a9696-27fa-45a1-b428-feffe21ac6d5@oss.nxp.com/ Signed-off-by: Peng Fan <peng.fan@nxp.com>
Peng Fan [Tue, 10 Feb 2026 08:12:14 +0000 (16:12 +0800)]
firmware: scmi: Validate device tree node before setup channel
SCMI base protocol device does not have a device tree, it should use and
need to use the agent base channel.
For scmi_base.[x], there is no real device tree node for it. ofnode_null() is
assigned as the device tree node for scmi base protocol device:
commit 7eb4eb541c14 ("firmware: scmi: install base protocol to SCMI agent")
However with recent update in commit 0535e46d55d7
("scripts/dtc: Update to upstream version v1.7.2-35-g52f07dcca47c"),
SPL panic in fdt_check_node_offset_()->fdt_next_tag(), because offset is -1
and SPL_OF_LIBFDT_ASSUME_MASK is 0xFF.
So add a check in x_get_channel() to validate the protocol devices'
ofnode.
Reported-by: Ye Li <ye.li@nxp.com> Closes: https://lore.kernel.org/u-boot/939a9696-27fa-45a1-b428-feffe21ac6d5@oss.nxp.com/ Signed-off-by: Peng Fan <peng.fan@nxp.com>
board: samsung: exynos-mobile: use blkmap for booting from userdata subpartitions
Some distributions tend to provide a single combined image with EFS and
the system root filesystem. Flashing it as-is in a single partition
(usually done in userdata partition as it is the largest) is not
bootable as U-Boot does not understand subpartitions.
Use blkmap to map the userdata partition into its own block device.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
The USB PHY used by the Exynos7870 SoC has a single USB 2.0 interface.
Add its dedicated variant enum, compatible, and init/exit functions.
The PHY enable bit of Exynos7870's PHY is different in contrast to that
of Exynos850 and most Exynos PHYs. To allow this change, a simple if
condition is added in exynos_usbdrd_phy_isol() which changes the
bitmask. Since the variant enum is required, the function argument is
changed to accept the driver data itself.
The variant enum is used to uniquely identify which SoC the PHY block
belongs to. It is initially set in the match table, along with the
compatible string, it gets copied to driver data struct during probe.
SoC specific functions must only be called if the respective variant
enum is set. Add switch-case blocks wherever required.
Peripheral holding CID0 cannot be accessed, remove this completely
incorrect check. While there, fix and simplify the semaphore checking
that should be performed when the CID filtering is enabled.
ARM: stm32mp: Do not acquire RIFSC semaphore if CID filtering is disabled
If the CID filtering is enabled, the semaphore mode is disabled as well.
To avoid an incorrect behavior and error trace, add a check of CID
filtering state before acquiring the semaphore.
Thomas Bourgoin [Wed, 4 Feb 2026 10:20:46 +0000 (11:20 +0100)]
stm32mp: cmd_stm32key: add support of STM32MP21x SoC
Update stm32key to support stm32mp21 OTP mapping.
Create a new list of key to support the following differences :
- STM32MP21x SoC support 128b and 25b FSBL encryption keys.
- OEM-KEY1 and OEM-KEY2 used for authentication are in different OTP
from STM32MP25 and STM32MP23.
stm32key is compatible with platform STM32MP2 (aarch64)
Hence, use unsigned long to handle argument addr of function
read_key_value() instead of u32.
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com> Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Patrice Chotard [Wed, 4 Feb 2026 10:16:08 +0000 (11:16 +0100)]
stm32mp1: Add check on syscon_get_first_range() return value
syscon_get_first_range()'s return value is used as base address to perform
a read, without any checks.
In case stmp32mp_syscon is not binded, syscon_get_first_range() returns
-ENODEV which leads to a "Synchronous abort".
Add syscon_get_first_range() check on return value.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Patrice Chotard [Wed, 4 Feb 2026 10:16:07 +0000 (11:16 +0100)]
stm32mp2: Add check on syscon_get_first_range() return value
syscon_get_first_range()'s return value is used as base address to perform
a read, without any checks.
In case stmp32mp_syscon is not binded, syscon_get_first_range() returns
-ENODEV which leads to a "Synchronous abort".
Add syscon_get_first_range() check on return value.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Patrice Chotard [Tue, 3 Feb 2026 16:49:27 +0000 (17:49 +0100)]
ARM: dts: stm32: Add bootph-all in stm32mp215f-dk-u-boot.dtsi
Add temporarily bootph-all property in usart2 and syscfg nodes
to allows stm32mp215f-dk board to boot.
When DT kernel series [1] will be merged and synchronized in U-Boot
this patch will be reverted.
Patrice Chotard [Tue, 3 Feb 2026 16:49:25 +0000 (17:49 +0100)]
ARM: stm32mp: Add STM32MP21 support
STM32MP21 application processors (STM32 MPUs) based on a single
Arm Cortex®-A35 core running up to 1.5 GHz and Cortex®-M33 core
running at 300 MHz.
It is pin-compatible with the STM32MP2 series in the VFBGA361
10×10 mm package: the STM32MP21 uses a subset of the STM32MP23
pinout, which itself is a subset of the STM32MP25.
More details available here :
https://www.st.com/en/microcontrollers-microprocessors/stm32mp2-series.html
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Patrice Chotard [Tue, 3 Feb 2026 16:49:24 +0000 (17:49 +0100)]
stm32mp: cmd_stm32key: add support of STM32MP21x
Add cmd_stm32key support for STM32MP21x SoCs family.
Signed-off-by: Yann Gautier <yann.gautier@foss.st.com> Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com> Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Patrice Chotard [Tue, 3 Feb 2026 16:49:21 +0000 (17:49 +0100)]
clk: stm32mp21: Add clock driver support
Add clock driver support for STM32MP21 SoCs.
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com> Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
James Hilliard [Mon, 23 Feb 2026 20:40:04 +0000 (13:40 -0700)]
boot: fit: validate FDT/DTO payload before fdt_open_into()
boot_get_fdt_fit_into_buffer() calls fdt_open_into() for both the
base FDT and overlay DTO blobs loaded from a FIT image.
Those blobs come from FIT payload data. In the overlay path,
fit_image_load() is called with FIT_LOAD_IGNORED, so the IH_TYPE_FLATDT
header check in fit_image_load() is skipped. This leaves fdt_open_into()
to consume header-derived offsets/sizes from unvalidated input.
Validate the full blob against the payload length first with
fdt_check_full(fdtsrcbuf, srclen), then proceed with fdt_totalsize() and
fdt_open_into(). This fixes Coverity CID 644638 (TAINTED_SCALAR).
Devarsh Thakkar [Tue, 24 Feb 2026 13:45:57 +0000 (19:15 +0530)]
arm: mach-k3: common: Clamp RAM end address to board-usable region in spl_enable_cache()
commit ba20b2443c29 ("arm: mach-k3: common: Reserve video memory from
end of the RAM") switched spl_enable_cache() to use gd->ram_top directly
but omitted the board_get_usable_ram_top() call that limits RAM
configuration and provides updated RAM end address per memory map
used by board and impacts subsequent allocations and reservations.
For e.g. here it impacts how high the TLB may be placed.
On Verdin AM62 (512 MiB), the raw end of RAM (0xA0000000) is inside
OP-TEE's region. board_get_usable_ram_top() in verdin-am62.c returns
0x9C000000 to keep relocations below it, but spl_enable_cache() never
called it. commit 42b3ee7fa524 ("arm: mach-k3: am62x: Enable memory
firewall support") then enforced the OP-TEE firewall, turning the silent
corruption into a hard hang.
Fix by calling board_get_usable_ram_top() after computing raw ram_top,
consistent with setup_dest_addr() in board_f.c. A weak default is
provided for boards that do not need to restrict the RAM top.
Fixes: ba20b2443c29 ("arm: mach-k3: common: Reserve video memory from end of the RAM") Reported-by: Francesco Dolcini <francesco@dolcini.it> Link: https://lore.kernel.org/all/20260224102121.GB340942@francesco-nb/ Signed-off-by: Devarsh Thakkar <devarsht@ti.com> Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com> # Verdin AM62 512MB
Mark Kettenis [Sat, 10 Jan 2026 19:56:10 +0000 (20:56 +0100)]
arm: armv8: Flush TLB before enabling MMU
Commit 9ebdbbc43e5f ("arm: armv8: invalidate dcache entries on
dcache_enable") broke Apple Silicon machines in certain scenarios.
If the MMU is currently not enabled we need to flush the TLB
before we enable it to prevent stale TLB entries from becoming
active again. So move the __asm_invalidate_tlb_all() back
immediately before the mmu_setup() call.
Fixes: 9ebdbbc43e5f ("arm: armv8: invalidate dcache entries on dcache_enable") Signed-off-by: Mark Kettenis <kettenis@openbsd.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Patrice Chotard [Wed, 11 Feb 2026 14:32:23 +0000 (15:32 +0100)]
board: st: common: add uclass_get_device_by_driver()'s return value check
class_get_device_by_driver()'s return value is not checked, in case of BSEC
driver is not probed, dev is not set and used just after as parameter of
misc_read() which leads to a Synchronous Abort.
Add uclass_get_device_by_driver()'s return value check to fix it.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Patrice Chotard [Thu, 5 Feb 2026 16:20:49 +0000 (17:20 +0100)]
stm32mp2: Update size of DDR entry in MMU table
On 1GB board, in particular cases, a prefetch operation is done just above
the 1GB boundary. The DDR size is 1GB (0x80000000 to 0xc0000000), there is
an access on 0xc00017c0 (ie 0x800017c0).
As beginning of DDR is protected by MMU until CONFIG_TEXT_BASE
(0x80000000 to 0x84000000), it triggers the following IAC:
DUMPING DATA FOR risaf@420d0000
I/TC: =====================================================
I/TC: Status register (IAESR0): 0x11
I/TC: -----------------------------------------------------
I/TC: Faulty address (IADDR0): 0xc00017c0
I/TC: =====================================================
E/TC:0 Panic at /usr/src/debug/optee-os-stm32mp/4.0.0-gitvalid.8>
E/TC:0 TEE load address @ 0x82000000
E/TC:0 Call stack:
E/TC:0 0x82007f30
E/TC:0 0x820444b4
E/TC:0 0x8202dc54
E/TC:0 0x82041fe0
E/TC:0 0x820143b8
By default, in MMU table, the DDR size is set to 4GB, but not all
STM32MP2 based board embeds 4GB, some has only 1 or 2GB of DDR.
The MMU table entry dedicated to DDR need to be updated with the real
DDR size previously read from DT.
After relocation, in enable_caches(), update the MMU table between the
dcache_disable() / dcache_enable() with the real DDR size.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Patrice Chotard [Thu, 5 Feb 2026 08:50:24 +0000 (09:50 +0100)]
stm32mp: stm32prog: Remove fsbl_nor_detected from stm32prog_data struct
No more need to test if a fsbl partition is present on NOR when booting
from serial or USB. Now MTD devices are automatically populated with
partition information found in DT. Remove fsbl_nor_detected boolean from
stm32prog_data struct and all code using it.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com> Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Fabien Dessenne [Thu, 5 Feb 2026 08:07:50 +0000 (09:07 +0100)]
pinctrl: pinctrl_stm32: prevent the use of the secure protected pins
The hardware denies any access from the U-Boot non-secure world to the
secure-protected pins. Hence, prevent any driver to configure such a pin.
Identify the secure pins with "NO ACCESS" through the 'pinmux status -a'
command.
Use a driver data structure to identify which hardware versions support
this feature.
Eric Kilmer [Fri, 20 Feb 2026 19:48:08 +0000 (14:48 -0500)]
fs/squashfs: fix heap buffer overflow in sqfs_frag_lookup()
sqfs_frag_lookup() reads a 16-bit metadata block header whose lower
15 bits encode the data size. Unlike sqfs_read_metablock() in
sqfs_inode.c, this function does not validate that the decoded size is
within SQFS_METADATA_BLOCK_SIZE (8192). A malformed SquashFS image can
set the size field to any value up to 32767, causing memcpy to write
past the 8192-byte 'entries' heap buffer.
Add the same bounds check used by sqfs_read_metablock(): reject any
metadata block header with SQFS_METADATA_SIZE(header) exceeding
SQFS_METADATA_BLOCK_SIZE.
Found by fuzzing with libFuzzer + AddressSanitizer.
Signed-off-by: Eric Kilmer <eric.kilmer@trailofbits.com> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
doc: board: samsung: exynos-mobile: remove requirement of stub device tree
Flashing U-Boot for Exynos 7870 requires creating a stub device tree,
where certain properties and nodes are defined which are populated by
the previous bootloader in the phones.
Since these properties are now available in the U-Boot device tree, it's
now possible to use the same blob generated by U-Boot in place of the
stub, when creating boot images. Update the build documentation to
reflect the same.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
ARM: dts: exynos7870-on7xelte: add properties to make S-BOOT happy
Add properties in the DTSI file which is required for S-BOOT when used
an external device tree when booting into U-Boot. S-BOOT is Samsung's
proprietary bootloader, which chainloads U-Boot.
Since this device has multiple bank nodes, add memory nodes for each RAM
bank. This is the format S-BOOT recognizes, and (re)populates it with
the correct bank sizes.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
ARM: dts: exynos7870-j6lte: add properties to make S-BOOT happy
Add properties in the DTSI file which is required for S-BOOT when used
an external device tree when booting into U-Boot. S-BOOT is Samsung's
proprietary bootloader, which chainloads U-Boot.
Since this device has multiple bank nodes, add memory nodes for each RAM
bank. This is the format S-BOOT recognizes, and (re)populates it with
the correct bank sizes.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
ARM: dts: exynos7870-a2corelte: add properties to make S-BOOT happy
Add properties in the DTSI file which is required for S-BOOT when used
an external device tree when booting into U-Boot. S-BOOT is Samsung's
proprietary bootloader, which chainloads U-Boot.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
doc: board: samsung: exynos-mobile: use u-boot-nodtb.bin for packaging process
U-Boot for this board is programmed to use the external DTB if an
internal device tree is not available. This makes it safe to build boot
images using the non-DTB U-Boot binary, while taking up less space.
Reflect this change in documentation.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
doc: board: samsung: exynos-mobile: add DEVICE_TREE make flag in build
Since there is only one internal device tree allowed in U-Boot, the
DEVICE_TREE flag is required for building images for various devices.
Document it in the build guide.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
configs: exynos-mobile: remove DEFAULT_DEVICE_TREE and add OF_UPSTREAM_BUILD_VENDOR
Since the build documentation recommends using the DEVICE_TREE= make
flag, and the "board" supports multiple devices, remove the default
device tree option so as to enforce the make flag during build.
OF_UPSTREAM_BUILD_VENDOR is added so as to build all device trees
associated with the vendor with their U-Boot includes.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
board: samsung: exynos-mobile: enable OF_BOARD support
OF_BOARD allows to choose the internal device tree in runtime. Use it to
pass the external FDT as an internal one if it is not present. This
approach is also used by qcom-phone, and it reduces boot image size. It
is expected that an external FDT is present as U-Boot is packaged as an
Android boot image.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
board: samsung: exynos-mobile: disable MULTI_DTB_FIT support
MULTI_DTB_FIT allowed a single U-Boot image to be booted in multiple
devices, but it was not a scalable solution; as more devices are added,
the U-Boot binary is bound to increase, space taken up by devicetrees
which are not even used.
The other approach is to be able to build separate images for multiple
devices using the same "board" defined in U-Boot. This is used by
qcom_phone to support muitiple devices.
Follow the said approach for Exynos devices as well, disable
MULTI_DTB_FIT for this board.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
board: samsung: exynos-mobile: resolve env vars without board_info data
Move environment variable setup procedure to exynos_env_setup(). This
function is independent of data from exynos_board_info as it is due for
removal in the succeding commits.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
board: samsung: exynos-mobile: simplify parsing RAM banks from device tree
Remove the baked-in bank addresses used for figuring out RAM banks from
device tree. Instead, sequentially fill in the bank addresses and sizes,
and doing away with an extra array for specifying bases.
Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org> Signed-off-by: Minkyu Kang <mk7.kang@samsung.com>
Anshul Dalal [Tue, 3 Feb 2026 10:00:20 +0000 (15:30 +0530)]
board: ti: am64,j721*: use correct fdt if eeprom detection fails
We currently provide default board names for each board in their
respective evm.c file. However for custom boards, this behaviour
overwrites the default DT as set in the defconfig
(CONFIG_DEFAULT_FDT_FILE or CONFIG_DEFAULT_DEVICE_TREE).
This patch changes the default name to be NULL which prevents this
overwrite and allows ti_set_fdt_env to instead fallback to the correct
DT as set in Kconfig.
Marek Vasut [Thu, 5 Feb 2026 01:40:45 +0000 (02:40 +0100)]
test: cmd: Add test for zip/unzip/gzwrite commands
Add simple test for zip/unzip/gzwrite commands. The test works as
follows. First, create three buffers with a bit of space between
each of them, fill them with random data, then compress data in
buffer 1 into buffer 2, decompress data in buffer 2 either directly
into buffer 3 or into MMC 1 and then read them back into buffer 3,
and finally compare buffer 1 and buffer 3, they have to be identical.
The buffers are filled with random data to detect out of bounds writes.
Test for various sizes, both small and large and unaligned.
The test uses ut_assert_skip_to_line() to skip over gzwrite progress
bar. Since the progress bar updates fill up the console record buffer,
increase the size of it to compensate.
x86/coreboot: Exclude memory regions starting above 4GB
This commit updates the RAM region filtering logic in
board_get_usable_ram_top() to skip any memory regions whose start address
is above 4GB. Previously, only the end address was capped at 4GB, but
regions entirely above this threshold were still considered.
Typically, the following memory map entries would cause
board_get_usable_ram_top() to return 0x100000000, which is incorrect.
By adding a check to continue the loop if the region's start address
exceeds 0xffffffffULL, the function now properly ignores regions that are
not usable in 32-bit address space.
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Since commit 27cc5951c862 ("include: env: ti: add default for
do_main_cpsw0_qsgmii_phyinit"), the value of the environment variable
do_main_cpsw0_qsgmii_phyinit happened to remain '0' and couldn't be
changed without user intervention. This behavior is due to the following
cyclic dependency:
A) ti_common.env sets do_main_cpsw0_qsgmii_phyinit to '0' and its value
can only be updated automatically by main_cpsw0_qsgmii_phyinit.
B) main_cpsw0_qsgmii_phyinit is defined in j721e.env and it can run only
if 'do_main_cpsw0_qsgmii_phyinit' is already '1' which isn't possible
unless the user manually assigns the value.
Fix the aforementioned cyclic dependency by using board_late_init() to
detect the QSGMII Daughtercard and set do_main_cpsw0_qsgmii_phyinit.
Additionally, to address the issue of do_main_cpsw0_qsgmii_phyinit being
'undefined' for other platforms, replace:
if test ${do_main_cpsw0_qsgmii_phyinit} -eq 1;
with:
if env exists do_main_cpsw0_qsgmii_phyinit;
in ti_common.env.
Martin Schwan [Wed, 11 Feb 2026 08:36:22 +0000 (09:36 +0100)]
bootstd: rauc: Fix null pointer access while checking root part
Fix a segmentation fault caused by a null pointer access during root
partition checking. The function part_get_info() was falsely given null
for the disk_partition struct, which later resulted in accessing a null
pointer and thus undefined behavior.
Fixes: 5d7c080ae5dc ("bootstd: rauc: Don't check root part filesystem") Signed-off-by: Martin Schwan <m.schwan@phytec.de>
James Hilliard [Thu, 12 Feb 2026 21:34:09 +0000 (14:34 -0700)]
image: fit: Apply overlays using aligned writable FDT copies
libfdt expects FDT/DTO blobs to be 8-byte aligned. When loading the
base FDT or overlays from a FIT, the mapped buffer may be unaligned,
which can break fdt_open_into() on strict-alignment architectures.
boot_get_fdt_fit() relocates the base FDT with boot_relocate_fdt()
before applying overlays. That uses the bootm memory map and can
overlap with the FIT buffer when the FIT is loaded into RAM,
corrupting data needed to load the kernel and ramdisk.
Allocate writable, 8-byte aligned copies of the base FDT and overlays
with memalign() and fdt_open_into(). Grow the base buffer as needed,
apply overlays to it and pack the final tree. Free each temporary
overlay copy after application and check fdt_pack() errors.
Fixes: 8fbcc0e0e839 ("boot: Assure FDT is always 8-byte aligned") Fixes: 881f0b77dc8c ("image: apply FDTOs on FDT image node") Signed-off-by: James Hilliard <james.hilliard1@gmail.com> Cc: Jamie Gibbons <Jamie.Gibbons@microchip.com> Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
Tom Rini [Tue, 10 Feb 2026 17:13:44 +0000 (11:13 -0600)]
MAINTAINERS: Remove a few inactive people
It has been a long while since Jagan Teki, Joe Hershberger or Ramon
Fried have been active in the community. We thank them for their time
over the years. Remove them from the active maintainer list and mark a
few things as Orphaned for now.
usb: cdns3: use VBUS Valid to determine role for dr_mode OTG
The cdns3_bind() function is responsible for identifying the appropriate
driver to bind to the USB Controller's device-tree node. If the device-tree
node has the 'dr_mode' property set to 'otg', the existing approach fails
to bind a driver, leading to loss of functionality.
To address this, use the VBUS Valid field of the OTG Status register to
determine the role as follows:
- If VBUS Valid field is set, it indicates that a USB Host is supplying
power and the Controller should assume the Peripheral role.
- If VBUS Valid field is clear, it indicates the absence of a USB Host and
the Controller should assume the Host role.
Additionally, when 'dr_mode' happens to be 'otg' and the STRAP settings
are not specified, use VBUS Valid to determine the role in cdns3_drd_init()
and assign it to cdns->dr_mode.
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com> Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
Vincent Stehlé [Thu, 12 Feb 2026 14:40:15 +0000 (15:40 +0100)]
efi_loader: fix ecpt size computation
The size of the memory allocated for the EFI Conformance Profiles Table is
computed with `num_entries' always equal to zero, which is incorrect when
CONFIG_EFI_EBBR_2_1_CONFORMANCE is enabled.
This can be verified by allocating the ECPT memory with malloc() instead of
efi_allocate_pool(), building u-boot with sandbox_defconfig and
CONFIG_VALGRIND=y, and by finally running the following command:
Fix this by using an array of the supported profiles GUIDs instead, which
should also be easier to extend in the future as U-Boot should publish the
GUIDs for all supported EBBR revisions.
Fixes: 6b92c1735205 ("efi: Create ECPT table") Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org> Cc: Tom Rini <trini@konsulko.com> Cc: Jose Marinho <jose.marinho@arm.com> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
projects / thirdparty / u-boot.git / log
