Tom Rini [Mon, 20 Oct 2025 19:55:08 +0000 (13:55 -0600)]
spl: Restore args file being default in falcon mode
When falcon mode is enabled and SPL_OS_BOOT_SECURE is not enabled,
restore the previous default behavior of having an args file be
expected. Platforms which are using a FIT image here and do not need
this can update at their convenience to disable this option now.
Fixes: b1a3ed068869 ("spl: make args file optional in falcon mode") Signed-off-by: Tom Rini <trini@konsulko.com>
Tom Rini [Mon, 20 Oct 2025 17:54:43 +0000 (11:54 -0600)]
Merge patch series "Add support for secure falcon mode: disable args file"
Anshul Dalal <anshuld@ti.com> says:
Continuing from the last series[1], this patch series addresses the requirement
to disable the args file in falcon mode.
The args file is used in falcon mode for loading the device-tree for the kernel.
However in secure falcon mode, the expected payload is a FIT containing a signed
device-tree and kernel image. Thus removing the need to load the extra args
file in the first place. Also, loading the extra file without any authentication
mechanism exposes an attack vector and should therefore be disabled to keep the
boot secure.
This patch set builds on the last few to first optionally allow for loading the
args file in non-secure falcon boot flow [1/3] and then disable them altogether
in the next patch [2/3] for secure falcon mode.
Anshul Dalal [Thu, 9 Oct 2025 11:58:45 +0000 (17:28 +0530)]
spl: set fdt address as spl_image arg in falcon mode
The arg field of `struct spl_image_info` is used by jump_to_image_linux
as the argument for the kernel in falcon mode.
Since commit 601cebc29d2a ("cmd: spl: Remove ATAG support from this
command"), fdt is the only valid argument for kernel in falcon mode.
However fdt was only being set as the argument in nor and xip boot
modes, this patch fixes it for all boot modes and removes the now
redundant code from spl_nor and spl_xip.
Anshul Dalal [Thu, 9 Oct 2025 11:58:44 +0000 (17:28 +0530)]
spl: prevent loading args file in secure falcon mode
The expected payload for the SPL in secure falcon mode is a fitImage
that contains the kernel image and the DT. This removes the need to load
an additional args file, which exposes an additional attack vector since
it can not be verified.
Therefore this patch disables loading of the arg file when
SPL_OS_BOOT_SECURE is set.
Reviewed-by: Tom Rini <trini@konsulko.com> Signed-off-by: Anshul Dalal <anshuld@ti.com>
Anshul Dalal [Thu, 9 Oct 2025 11:58:43 +0000 (17:28 +0530)]
spl: make args file optional in falcon mode
Falcon mode loads a kernel file and an args file which is the
device-tree. However in the case of kernel file being a FIT that
contains the device-tree within it, loading the args file is not
required.
Therefore, this patch introduces a new SPL_OS_BOOT_ARGS config options
that allows us to enable or disable loading of the args file in falcon
mode.
Tom Rini [Mon, 20 Oct 2025 16:17:54 +0000 (10:17 -0600)]
Merge patch series "Add support for secure falcon mode: disable fallback"
Anshul Dalal <anshuld@ti.com> says:
Continuing from the last series[1], this patch series addresses the requirement of
allowing no fallbacks in secure falcon mode.
To do this in a clean way, all the falcon mode logic for each boot media was
refactored to a corresponding *_load_image_os function whereas the regular
boot is implemented in *_load_image, this allows us to easily return early in
case the *_load_image_os function fails with secure mode enabled.
The series also introduces the new SPL_OS_BOOT_SECURE config symbol which
enables secure falcon boot flow.
The generic flow after the patch series looks as follows:
static int spl_<bootmedia>_load_image(...) {
if (CONFIG_IS_ENABLED(OS_BOOT)) {
Anshul Dalal [Fri, 17 Oct 2025 19:33:11 +0000 (01:03 +0530)]
spl: nand: refactor spl_nand_load_image for falcon mode
This patch moves the falcon mode handling logic out of
spl_ubi_load_image to spl_ubi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.
Anshul Dalal [Fri, 17 Oct 2025 19:33:10 +0000 (01:03 +0530)]
spl: nor: refactor spl_nor_load_image for falcon mode
This patch moves the falcon mode handling logic out of
spl_nor_load_image to spl_nor_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.
Anshul Dalal [Fri, 17 Oct 2025 19:33:09 +0000 (01:03 +0530)]
spl: spi: refactor spl_spi_load_image for falcon mode
This patch moves the falcon mode handling logic out of
spl_spi_load_image to spl_spi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.
Anshul Dalal [Fri, 17 Oct 2025 19:33:08 +0000 (01:03 +0530)]
spl: ubi: refactor spl_ubi_load_image for falcon mode
This patch moves the falcon mode handling logic out of
spl_ubi_load_image to spl_ubi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.
Anshul Dalal [Fri, 17 Oct 2025 19:33:07 +0000 (01:03 +0530)]
spl: mmc: split spl_mmc_do_fs_boot into regular/os_boot
Currently the logic to handle falcon mode as well as the regular boot is
inside spl_mmc_do_fs_boot, this prevents us from cleanly extending
falcon mode functionality like toggleable fallback to U-Boot proper.
Therefore this patch splits the logic into spl_mmc_fs_load and
spl_mmc_fs_load_os to handle the regular boot and falcon mode use case.
Anshul Dalal [Fri, 17 Oct 2025 19:33:06 +0000 (01:03 +0530)]
spl: Kconfig: add SPL_OS_BOOT_SECURE config symbol
This patch adds the new SPL_OS_BOOT_SECURE symbol that enables secure
boot flow in falcon mode. This symbol can be used to disable certain
inherently insecure options during falcon boot.
Reviewed-by: Tom Rini <trini@konsulko.com> Signed-off-by: Anshul Dalal <anshuld@ti.com>
Based on feedback other SOCs (for example Star64) are using driver in non
DMA mode which is causing issues that's why revert this patch.
cdns,is-dma should be removed differently.
Signed-off-by: Michal Simek <michal.simek@amd.com> Reported-by: E Shattow <e@freeshell.de>
* samsung: Extend E850-96 documentation to be comprehensive
* environment: fix links to Linux kernel documentation
* sandbox: fix typos
* document dmareset command
* ti: j722s_evm: drop outdated boot note
UEFI:
* Prevent leak of memory from tmp_files
* Correctly check if the HTTP protocol is found
* Use ESRT_FW_TYPE_SYSTEMFIRMWARE instead of ESRT_FW_TYPE_UNKNOWN
* dbginfodump: use guid definition
Others:
* lib/uuid: add support for efi debug image info table guid
Vincent Stehlé [Mon, 13 Oct 2025 14:21:09 +0000 (16:21 +0200)]
lib: uuid: add efi debug image info table guid
Add the EFI Debug Image Info Table GUID to the translation table used by
uuid_guid_get_str().
This allows to print a human readable table name with `efidebug tables'
instead of "(unknown)".
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com> Cc: Tom Rini <trini@konsulko.com> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Vincent Stehlé [Mon, 13 Oct 2025 14:21:08 +0000 (16:21 +0200)]
efi_loader: dbginfodump: use guid definition
Use the Debug Image Info Table GUID definition from efi_api.h instead or
redefining it locally.
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de> Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org> Cc: Tom Rini <trini@konsulko.com> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
efi_loader: correctly check if the HTTP protocol is found
In function efi_http_service_binding_destroy_child() phandler is created as
as a local variable. If efi_search_protocol() fails, phandler will hold a
random value from the stack. Even it is not zero, we must not use it.
If efi_search_protocol() succeeds, the pointer has already be dereferenced,
so checking against NULL makes not sense here.
If ChildHandle is not a valid UEFI handle, we must return
EFI_INVALID_PARAMETER.
Use a single location for EFI_EXIT().
Addresses-Coverity-ID: CID 531974 (Unchecked return value) Fixes: 5753dc3f6572 ("efi_loader: Prevent dereference of uninitialised variable") Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Sam Protsenko [Mon, 6 Oct 2025 23:25:38 +0000 (18:25 -0500)]
doc: samsung: Extend E850-96 documentation to be comprehensive
Add more bootloading details for E850-96 board. New sections cover next
topics:
- Hardware configuration of the boot device
- Flashing and updating the software (multiple methods)
- Booting with Standard Boot (multiple methods)
- EFI System Partition structure for E850-96
- Loadable firmware (LDFW) note
- Ethernet and USB Host Support
That documents all recently enabled U-Boot features for E850-96, which
can hopefully make U-Boot more useful for the users and developers of
this platform.
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Andrew Goodbody [Thu, 2 Oct 2025 09:39:58 +0000 (10:39 +0100)]
fs: semihosting: Use correct variable for error check
After calling a function that can return an error, the test to detect
that error should use the return value not a different variable. Fix it.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org> Reviewed-by: Sean Anderson <sean.anderson@seco.com> Fixes: f676b45151c3 ("fs: Add semihosting filesystem")
As requirement of CR side, QSPI Flash usage via RPC driver shall
be disabled and leaving the control of this module to CR side.
Perform DT modification to disable the RPC SPI.
Signed-off-by: Nguyen Tran <nguyen.tran.pz@bp.renesas.com> Reviewed-by: Khanh Le <khanh.le.xr@renesas.com> Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
[Marek: Do not modify defconfig, modify the DT instead, this way
the RPC SPI can be enabled without recompiling the U-Boot
itself. Update commit message accordingly.]
Commit 63da3a795e86 ("ARM: dts: renesas: Drop R8A779H0 V4M DTs with OF_UPSTREAM counterparts")
removed unnecessary V4H DTs from arch/arm/dts , but in the process
also incorrectly dropped the -u-boot.dtsi U-Boot extras. Reinstate
those extras.
Due to DT file name change for the R8A779H0 V4M Gray Hawk, update
the r8a779h0-gray-hawk-u-boot.dtsi filename to newly matching
r8a779h0-gray-hawk-single-u-boot.dtsi .
Align r8a779h0-u-boot.dtsi with clean up commits 1487c34efa7b ("arm64: dts: renesas: Deduplicate extalr_clk bootph-all") dd8f57ed2f0b ("ARM: dts: renesas: Drop most of bootph-* tags")
Fixes: 63da3a795e86 ("ARM: dts: renesas: Drop R8A779H0 V4M DTs with OF_UPSTREAM counterparts") Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Marek Vasut [Sun, 7 Sep 2025 19:16:27 +0000 (21:16 +0200)]
serial: sh: Handle HSCIF RX FIFO overflow
The HSCIF RX FIFO may overflow when data are streaming from remote end
into the HSCIF while U-Boot is still starting up. In that case, HSFSR
bit RDF is set, but HSFDR field R is zero. This confuses .tstc callback
into considering RX FIFO to be empty, which leads to .getc to be never
invoked, even when user attempts to pass more input onto the command
line.
Fix this by considering the RDF flag in serial_rx_fifo_level(), which
is called from .tstc in case of no errors. If RDF flag is set, trigger
the .getc callback and let it clear the RX FIFO.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Marek Vasut [Thu, 18 Sep 2025 16:36:01 +0000 (18:36 +0200)]
arm64: renesas: r8a779g3: Reset PCIe before next stage on Retronix R-Car V4H Sparrow Hawk
Fully reset both PCIe controllers before booting the next stage on
Retronix R-Car V4H Sparrow Hawk board. This is necessary especially
in case U-Boot brought up the PCIe controllers, at which point the
next stage might be confused by the state of the PCIe controller.
The reset has to happen this late and not in the PCIe controller
driver, because the SRCR11 bits seem to affect both controllers.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Marek Vasut [Thu, 18 Sep 2025 16:36:00 +0000 (18:36 +0200)]
pci: pcie-rcar-gen4: Shut down controller on link down and remove
In case the link is down, or the controller driver is removed before
booting the next stage, shut down the PCIe link, put both the remote
PCIe device and the controller into reset, and disable clock. This
way, the hardware is not left active when not in use.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Patrice Chotard [Thu, 9 Oct 2025 13:08:33 +0000 (15:08 +0200)]
led: Update led_get_by_label()
During led_init() execution, led_get_label() returns either the label
property (which is an obsolete property [1]) or the LED's node name.
It can't be the function name as dev parameter is NULL.
Later, during led_post_bind() execution, for the same LED, the attributed
label by led_get_label() can be the function name, as led_get_label()
dev's parameter is set.
During call sequence led_boot_on() => led_boot_get() => led_get_by_label()
with label given in parameter (priv->boot_led_label which is either the
label or node's name set previously in led_init()) can be different to
to uc_plat->label and returns -ENODEV.
Update led_get_by_label() to allow to retrieve LED also by its node name.
Tom Rini [Fri, 10 Oct 2025 22:09:00 +0000 (16:09 -0600)]
test/py: Update to a newer pytest release
Our pytest package was pinned to a release from 2021. The minimum
compatible with labgrid v25.0.x is pytest 7.0.0. Update to the current
relase which is currently 8.4.2
The EFI secure boot tests install a security data base.
Other EFI tests assume that secure boot is not enabled.
Add the missing tear-down at the end of each secboot test sequence.
Reported-by: Tom Rini <trini@konsulko.com> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> Tested-by: Tom Rini <trini@konsulko.com>
With commit c85b8071e7d3 ("virtio: blk: support block sizes exceeding 512
bytes") logic was added to detect the VIRTIO_BLK_F_BLK_SIZE capability and
to copy the block size reported by QEMU to the block device descriptor.
The logical block size can be set when invoking QEMU:
In U-Boot the logical block size is shown by command `virtio info`:
=> virtio info
Device 0: QEMU VirtIO Block Device
Type: Hard Disk
Capacity: 1024.0 MB = 1.0 GB (262144 x 4096)
There where two flaws which together hid that the logic was incorrect:
* VIRTIO_BLK_F_BLK_SIZE was missing in the driver capabilities and the bit
was filtered out.
* The result of the call to virtio_has_feature() was negated.
The problem became apparent when using ARM FVP as emulator which does not set
VIRTIO_BLK_F_BLK_SIZE.
Fixes: c85b8071e7d3 ("virtio: blk: support block sizes exceeding 512 bytes") Reported-by: Debbie Horsfall <debbie.horsfall@arm.com> Tested-by: Andre Przywara <andre.przywara@arm.com> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Anshul Dalal [Thu, 9 Oct 2025 12:34:34 +0000 (18:04 +0530)]
env: Kconfig: disable external env in secure os boot
Falcon mode uses falcon_image_file from the env during mmc fs boot, but
external env can be compromised. Therefore disable access to external
env by setting SPL_ENV_IS_NOWHERE when SPL_OS_BOOT_SECURE is set.
Signed-off-by: Anshul Dalal <anshuld@ti.com> Reviewed-by: Tom Rini <trini@konsulko.com>
Andrew Goodbody [Wed, 8 Oct 2025 09:23:36 +0000 (10:23 +0100)]
ti_sci: Provide error code on error exit
In ti_sci_get_response the check for message sequence will return ret
on a fail but ret will be 0 at that point. Instead return -EINVAL.
Also change dev_dbg call to dev_err to be consistent with other error
detection code in the same function.
Andrew Goodbody [Wed, 8 Oct 2025 09:23:35 +0000 (10:23 +0100)]
ti_sci: Prevent memory leak
temp is assigned the pointer returned by malloc which is used without a
NULL check and then never freed. Add a NULL check and ensure temp is
freed on all return paths.
Tom Rini [Wed, 1 Oct 2025 20:30:57 +0000 (14:30 -0600)]
clk: sophgo: Fix a warning about void returns value
The cv1800b_clk_setfield function returns void, but was doing "return
writel(...);" and while seemingly having a void function return a void
function is not a warning, when readl is a macro this problem is shown.
Correct the code to instead simply call writel.
Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Yao Zi <ziyao@disroot.org>
It has been reported that the commit causes boot regression for SPL on
StarFive VisionFive 2 or compatible boards. Inspecting the code, I did
spot one logic error for deciding whether Zaamo or Zalrsc is used, and
it's still unclear what exactly causes the regression, let's revert it
for now.
Tom Rini [Wed, 1 Oct 2025 20:30:39 +0000 (14:30 -0600)]
watchdog: Tighten dependencies on WDT_DAVINCI
The WDT_DAVINCI driver is not safe to compile on 64bit platforms such as
allyesconfig on a 64bit host. Tighten the dependencies here to the
platforms which could use it today.
The commit 726404a66c773 ("airoha: rework RAM size handling to support
multiple RAM size") is not good enougth. It results in pacnic during
determining of memory size amount.
This patch series partly fix and partly revert the above commit.
Unfortunately for now we have no a good way to determine the an7581
memory size.
Introduce a new version of the Keystone-II "ddr" command for testing the
inline ECC support in the DDRSS bridge available on K3 devices. The ECC
hardware support in K3's DDRSS and the test method differ substantially
from what we support in the K2 variant of the command. This K3 DDRSS
command currently supports only single controller testing.
The ECC error injection procedure follows these steps:
1) Flush and disable the data cache.
2) Disable the protected ECC Rx range.
3) Flip a bit in the address.
4) Restore the range to original.
5) Read the modified value (corrected).
6) Re-enable the data cache.
This will cause the 1-bit ECC error count to increase while the read
will return the corrected value.
The K3 version of the command extends the syntax for the "ecc_err"
argument by also introducing an argument for range which specifies which
range (0, 1, 2) the address is located in.
Multi-bit ECC errors are uncorrectable and will lead to a synchronous
abort.
Signed-off-by: Georgi Vlaev <g-vlaev@ti.com> Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
[n-francis@ti.com: Add J7 and multiple-region support, simplify logic] Signed-off-by: Neha Malcom Francis <n-francis@ti.com> Reviewed-by: Udit Kumar <u-kumar1@ti.com>
Andrew Goodbody [Mon, 6 Oct 2025 10:54:56 +0000 (11:54 +0100)]
test: Remove not needed null check
In ut_report() there is a null check for stats but stats was already
dereferenced on the line before and is again dereferenced later in the
same function. Also the two places where ut_report() is called from will
have initialised the parameter so there is no chance that stats will be
null. So to prevent static analysis complaining of a use before check
just remove the check.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Tom Rini [Tue, 14 Oct 2025 14:27:01 +0000 (08:27 -0600)]
Merge tag 'mix-next-14102025' of https://source.denx.de/u-boot/custodians/u-boot-tpm
TPM changes:
Make all drive names defined with U_BOOT_DRIVER unique
TEE changes:
Rework things such that sandbox will also traverse the optee directory
when SANDBOX_TEE is enabled, but only build one of the optee-specific
files when OPTEE is enabled.
EFI changes:
Up to now we were relying on the file extension to accept and load
an image over HTTP. We expected images to be either .iso or .img.
By wiring up internal existing functions we can try to mount any
file extension and reject it only if mounting fails.
part_driver_lookup_type
cmd: sf: align erase and write on erase block boundary
Align erase and write on erase block boundary in line with how read was
aligned in commit 622b5d35613 ("cmd: sf: Handle unaligned 'update' start
offset").
Fixes: 622b5d35613 ("cmd: sf: Handle unaligned 'update' start offset") Signed-off-by: Viorel Suman <viorel.suman@nxp.com> Signed-off-by: Ye Li <ye.li@nxp.com> Reviewed-by: Peng Fan <peng.fan@nxp.com> Reviewed-by: Marek Vasut <marek.vasut+renesas@mailbox.org> Tested-by: Marek Vasut <marek.vasut+renesas@mailbox.org> # R-Car V4H
Remove cdns,is-dma DT property handling. Property is not the part of DT
binding and it is also hardcoded to value 1 in all DTs that's why remove it
because none is also testing value 0.
If there is any use case when this configuration should be supported this
patch can be reverted.
Tom Rini [Thu, 25 Sep 2025 20:56:23 +0000 (14:56 -0600)]
tpm: Make U_BOOT_DRIVER entries unique
All instances of the U_BOOT_DRIVER must use a unique name or they will
lead to link time failures due to name space conflicts when both are
present. In this case the driver was reusing the tpm_tis_i2c name.
Tom Rini [Fri, 26 Sep 2025 15:31:44 +0000 (09:31 -0600)]
tee: Rework Makefile logic
The intention of how this Makefile was written was to allow for sandbox
to build and test drivers still while otherwise requiring OPTEE to be
enabled. This however didn't work quite right in practice as sandbox
could enable some drivers which would then fail to link. Rework things
such that sandbox will also traverse the optee directory when
SANDBOX_TEE is enabled, but only build one of the optee-specific files
when OPTEE is enabled.
Javier Tia [Thu, 9 Oct 2025 13:17:47 +0000 (07:17 -0600)]
efi_loader: Improve disk image detection in efi_bootmgr
Enhances the process for identifying disk images within the EFI boot
manager. Utilize part_driver_lookup_type() to verify the validity of a
downloaded file as a disk image, rather than depending on file
extensions.
part_driver_lookup_type() is now used in the prepare_loaded_image()
function in the EFI boot manager to detect partitions on a block device
created from a downloaded image. This allows the boot manager to boot
from any disk image that can be recognized by a partition driver, not
just ISO and IMG images.
Update prepare_loaded_image() to create the ramdisk block device
internally, obtain the blk_desc and use part_driver_lookup_type() to
detect a valid partition table.
In try_load_from_uri_path(), try prepare_loaded_image() first to detect
disk images, and fall back to PE-COFF detection only if that fails.
Signed-off-by: Javier Tia <javier.tia@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Javier Tia [Thu, 9 Oct 2025 13:17:46 +0000 (07:17 -0600)]
part: Export part_driver_lookup_type for external use
Make part_driver_lookup_type non-static so it can be used outside
part.c. This allows external callers to determine the appropriate
partition driver for a block device, enabling more flexible handling of
partition types.
Add a prototype and kernel-doc comment in part.h to document the
function contract. Provide a stub inline implementation returning NULL
when partition support is disabled, ensuring build consistency across
configurations.
Signed-off-by: Javier Tia <javier.tia@linaro.org> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Sam Protsenko [Fri, 3 Oct 2025 22:27:14 +0000 (17:27 -0500)]
bootstd: Fix bootflow info for efi_mgr
A "Synchronous Abort" CPU exception happens on an attempt to run the
"bootflow info" command for a global boot method (e.g. efi_mgr):
=> bootflow select 0
=> bootflow info
"Synchronous Abort" handler, esr 0x96000006, far 0x8
It happens because do_bootflow_info() tries to dereference bflow->dev,
which is NULL in case of efi_mgr. Add the corresponding check to prevent
this NULL pointer dereference and make "bootflow info" command work
properly for global boot methods.
Fixes: 2d653f686b6d ("bootstd: Add a bootflow command") Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
Tom Rini [Fri, 3 Oct 2025 20:39:34 +0000 (14:39 -0600)]
global: Disable xPL phases when we have enabled COMPILE_TEST
Due to how we implement the logic for selecting what should/shouldn't be
built in a given phase it becomes extremely cumbersome to make these
phases link when configured by "allyesconfig". As a starting point for
being able to enable "allyesconfig" and expand our static coverage,
disable all other phases in this case.
Future work can be done to enable other phases as time and interest
permit.
Tom Rini [Fri, 3 Oct 2025 20:39:30 +0000 (14:39 -0600)]
global: Make REMAKE_ELF depend on !COMPILE_TEST
The REMAKE_ELF flag is something that should be selected by the
platforms which need it, and not prompted for. Start by making this
depend on !COMPILE_TEST.
Tom Rini [Fri, 3 Oct 2025 20:39:20 +0000 (14:39 -0600)]
spl: FIT: Make SPL_LOAD_FIT_FULL depend on SPL_LOAD_FIT
Today, only a few platforms enable SPL_LOAD_FIT_FULL, and all enable
SPL_LOAD_FIT. As can be seen in usage, the FULL symbol is a superset of
the first symbol, not an alternative. Update Kconfig entries based on
this and simplify the only code which checks for either being set.
Tom Rini [Mon, 13 Oct 2025 20:19:21 +0000 (14:19 -0600)]
Merge patch series "bootstd: rauc: fix doc and info msg to reflect real flow"
Andreas Pretzsch <apr@cn-eng.de> says:
For the RAUC bootmethod, newly introduced in U-Boot 2025.10, both code
and documentation contain some incorrect (maybe outdated) statements,
so they do not reflect the real behaviour.
This series corrects both the docs and one log_info in the code, to now
reflect the real flow. Beside being visible in the code, all of it was
tested on a real machine.
Despite the very late time in RC cycle, I suggest inclusion before release
of U-Boot 2025.10, as the current statements are simply incorrect. Also I
do not see any risk in these non-functional changes.
Thanks to Martin Schwan for the review and esp. the initial code!
bootstd: rauc: extend and fix doc to reflect real flow
The documentation of bootmeth rauc in some aspects does not reflect the
real program flow. Specifically the reset of boot tries in case of "no
more slots found" is incorrect (it won't change BOOT_ORDER).
Also the search sequence for boot scripts was mixed and incomplete.
Fix these points in the documentation.
Explain the initial setup of any missing BOOT_ORDER and BOOT_x_LEFT
environment variables, and inform about BOOT_x_LEFT decrementing.
Signed-off-by: Andreas Pretzsch <apr@cn-eng.de> Reviewed-by: Martin Schwan <m.schwan@phytec.de>
bootstd: rauc: no valid slot fallback: fix info msg to reflect real flow
If there is no more active slot found in find_active_slot(), like when
all slots in BOOT_ORDER have a count of 0, the counters are reset to their
default value CONFIG_BOOTMETH_RAUC_DEFAULT_TRIES. The BOOT_ORDER is _not_
changed, which is logically correct (especially for the case when there is
only one (active) slot set, e.g. BOOT_ORDER only contains 'B', probably due
to RAUC option prevent-late-fallback being set). Resetting the counters of
inactive slots also does not harm here, and is fine as a generic solution.
But the log_info statement in this scenario
INFO: Resetting boot order and all slot tries
is incorrect. Change this to
INFO: Resetting all slot tries to 3
with the 3 being inserted by CONFIG_BOOTMETH_RAUC_DEFAULT_TRIES.
Signed-off-by: Andreas Pretzsch <apr@cn-eng.de> Reviewed-by: Martin Schwan <m.schwan@phytec.de>
Tony Dinh [Mon, 29 Sep 2025 21:49:12 +0000 (14:49 -0700)]
pci: mvebu: Unable to assign mbus windows for 2nd pcie controller
Correct the memory and IO mbus windows size increments in mvebu_pcie_bind.
Currently, pcie1 controller resource_size(&mem) and resource_size(&io)
checks result in a failure. This is because mem.end and io.end must be
incremented at the end of pcie0 windows assignment.
Signed-off-by: Tony Dinh <mibodhi@gmail.com> Reviewed-by: Stefan Roese <stefan.roese@mailbox.org>
This driver cannot link without access to functions that are defined in
files that are only build on some platforms. Express those requirements
in Kconfig as well.
Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Stefan Roese <stefan.roese@mailbox.org>
Andrew Goodbody [Thu, 31 Jul 2025 10:51:22 +0000 (11:51 +0100)]
mmc: octeontx_hsmmc: Remove impossible test
In octeontx_mmc_io_drive_setup drive and slew are tested for being less
than 0 but they are declared as uint fields so this test must always
fail. Just remove the test.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Andrew Goodbody [Tue, 22 Jul 2025 16:42:20 +0000 (17:42 +0100)]
sata: sata_mv: Remove always true test
Smatch reported an issue with a test that was always true in that an
unsigned variable will always be >= to zero. This led to a closer look
at the code which showed that some static functions returned values that
were always discarded so make those functions return void. Also make
the passing of block counts in those functions always use lbaint_t.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org> Reviewed-by: Stefan Roese <stefan.roese@mailbox.org>
Andrew Goodbody [Thu, 2 Oct 2025 10:36:09 +0000 (11:36 +0100)]
fs/squashfs: Ensure memory is freed by using unwind goto
Returning immediately from sqfs_read_nest is not consistent with other
error checks in this function and can lead to memory leaks. Instead use
the unwind goto used elsewhere to ensure that the memory is freed.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org> Acked-by: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
Tom Rini [Wed, 1 Oct 2025 20:31:03 +0000 (14:31 -0600)]
fs: Rework filesystem guards for xPL phases
When adding filesystems to the table in fs/fs.c we need to use
CONFIG_IS_ENABLED(FS_xxx) so that we only include references to a given
filesystem when CONFIG_FS_xxx or CONFIG_SPL_FS_xxx or similar are
enabled. Update the filesystems which weren't doing this to follow that
pattern.
Tom Rini [Wed, 1 Oct 2025 20:30:52 +0000 (14:30 -0600)]
iotrace: Finish migrating this to Kconfig
When I migrated this to Kconfig in commit 68e54040ccc3 ("sandbox: Move
CONFIG_IO_TRACE to Kconfig") I didn't look hard enough for other
details. As explained in the README, this is valid for ARM too. So start
by making this be a prompted question and CMD_IOTRACE depend on IO_TRACE
being enabled. Next, migrate the information out of README and in to
the appropriate help text for existing options in Kconfig. Finally, make
this option be default y on SANDBOX but not selected as it's valid to
build without it.
Tom Rini [Wed, 1 Oct 2025 20:30:35 +0000 (14:30 -0600)]
sandbox: Rework readX/writeX macros to be more like ARM
The way that the current readX/writeX macros are implemented on sandbox
means that when IO_TRACE is not enabled some code will throw up
incorrect warnings due to how sandbox_{read,write} is implemented. We
instead need to do the "uX __v; __v = sandbox..(..v); __v;" trick that
ARM does.
Tom Rini [Wed, 13 Aug 2025 20:55:10 +0000 (14:55 -0600)]
arm: v7m: Allow SYS_ARCH_TIMER here
We have had an implementation of the generic timer found in many v7m
chips since 2017, but as part of the Kconfig migration forgot to allow
it as it wasn't being used at the time. Allow it to be built.
Tom Rini [Fri, 10 Oct 2025 19:28:42 +0000 (13:28 -0600)]
Merge patch series "mkimage: fit: various fixes in fit_{import,extract}_data"
Quentin Schulz <foss+uboot@0leil.net> says:
I had to hunt down a difference between the FIT after running mkimage
once and after running it twice. The use-case is typically U-Boot
generating an unsigned FIT and then calling mkimage manually to sign it
outside any build system.
While going through the code, I identified a few theoretical issues
possibly triggered by not checking the return code of fdt_setprop so
those are added. Not tested outside of building.
mkimage: fit: erase data-size property when importing data
When importing data, the data-offset property is removed and the data
content is imported inside the data property of the node.
When mkimage is run twice on the same FIT, data-size property is already
set in the second run, from the first run (via the fit_export_data
function). If we don't remove the data-size property, nothing guarantees
it matches the actual size of data within the data property. To avoid
possible mistakes when handling the data property, let's simply remove
the data-size property as well.
This also fixes an ordering issue of the data-size and data-offset
properties in FIT when comparing the FIT after one run of mkimage and a
second run. This is due to fit_export_data setting data-offset property
first (it doesn't exist so it's added) and then data-size (it doesn't
exist so it's added) for the first run, while it sets data-offset
property first (removed in fit_import_data, so it doesn't exist so it's
added) and then data-size (it exists already from the first run, so it's
simply modified) for the second run.
mkimage: fit: do not overwrite fdt_setprop return value
The return code of fdt_setprop is overwritten by the one from
fdt_delprop meaning we could very well have an issue when setting the
property that would be ignored if the deletion of the property that
comes right after passes.
USB OS Descriptors are used to install and configure the device without
requiring any user interaction on OS which support them (e.g. Windows).
Enable them in order to improve the user experience when fastboot is used.
USB OS Descriptors are used to install and configure the device without
requiring any user interaction on OS which support them (e.g. Windows).
Enable them in order to improve the user experience when fastboot is used.
Toradex Easy Installer takes advantage of USB OS Descriptors to load
itself via USB recovery.
projects / thirdparty / u-boot.git / log
