When one attempts to build Tiger and Jaguar from the same directory,
because Tiger will set the IOMUX to 2 but Jaguar doesn't reset it,
Jaguar will have IOMUX set to 2 if built after Tiger.
This isn't an issue if in separate directories or building Tiger after
Jaguar because the default if missing from the configuration file is 0.
Let's make it explicit that the iomux is 0 for Jaguar.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
board: theobroma-systems: add instructions for how to use upstream TF-A
Upstream TF-A has support for RK3588 since v2.12 so let's document how
to use upstream TF-A instead of the prebuilt binary blob from Rockchip
if one wants to do that.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
board: theobroma-systems: update instructions for newer Rockchip rkbin
The instructions are regularly out of date because the generated or
prebuilt binaries are updated and the filename doesn't match our
instructions anymore.
Additionally, since commit 55a95caaef15 ("tools: ddrbin_tool: add
ddrbin_tool.py and update to v1.21 20241211") end of October 2024,
ddrbin_tool doesn't exist anymore and has been replaced by
ddrbin_tool.py python script (which currently isn't an executable) so
let's update these instructions as well.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tom Rini [Fri, 12 Dec 2025 21:19:41 +0000 (15:19 -0600)]
Merge patch series "clk: ti: Cleanup common functions and omap-cm"
Markus Schneider-Pargmann (TI.com) <msp@baylibre.com> says:
This series cleans up the direct dependency of ARCH_OMAP2PLUS to compile
ti/clk.c which holds common functions for other clock drivers. It creates its
own config symbols for these common functions and for the omap-cm driver as
well.
The omap-cm driver config symbol is added as default enabled.
clk: ti: Split common omap2plus functions into new symbol
Create a new symbol for the common clock functions used by some of the
omap2plus clock drivers. These drivers now select this new symbol when
they need the functions. Note these common functions are not
ARCH_OMAP2PLUS specific.
Note that the common functions are using regmap, so select it here.
Reviewed-by: Tom Rini <trini@konsulko.com> Signed-off-by: Markus Schneider-Pargmann (TI.com) <msp@baylibre.com>
Upstream DT uses simple-pm-bus instead of simple-bus. simple-pm-bus
requires power domain support. On am33xx, PRM manages power domains but
all domains are enabled at boot. Add stub driver with custom of_xlate
that expects no argumetns to allow simple-pm-bus and dependent devices
to probe.
Signed-off-by: Markus Schneider-Pargmann (TI.com) <msp@baylibre.com>
Tom Rini [Tue, 9 Dec 2025 21:23:01 +0000 (15:23 -0600)]
fs: fat: Perform sanity checks on getsize in get_fatent()
We do not perform a check on the value of getsize in get_fatent to
ensure that it will fit within the allocated buffer. For safety sake,
add a check now and if the value exceeds FATBUFBLOCKS use that value
instead. While not currently actively exploitable, it was in the past so
adding this check is worthwhile.
This addresses CVE-2025-24857 and was originally reported by Harvey
Phillips of Amazon Element55.
Tom Rini [Fri, 12 Dec 2025 01:19:06 +0000 (19:19 -0600)]
Revert "clk: Return value calculated by ERR_PTR"
While this change was intended to fix a mistake in the code, of calling
the ERR_PTR macro but not making use of the result, it seems that
functionally platforms depend on the loop not existing here. The TI K3
families of platforms for example were broken by this commit.
Ferass El Hafidi [Thu, 11 Dec 2025 15:37:00 +0000 (15:37 +0000)]
arm: meson: add support for EFI capsule updates
Previously, few Amlogic devices supported EFI capsule updates.
Generally only the Libre Computer ones with SPI flash supported it,
thanks to board-specific code.
This commit commonises capsule update support across supported
Amlogic boards. Similar to Qualcomm's support for it, the dfu string
and firmware name is automatically generated at runtime depending on
which device we are booted from. Right now this supports flashing to
the eMMC/SD and SPI flash.
As usual, the capsule UUID is automatically generated. You can get it
by enabling CONFIG_CMD_EFIDEBUG and running:
mmc: sdhci-cadence6: Add DLL master control and improve tuning reliability
- Add support for configuring the PHY DLL master control register for all
SD/eMMC timing modes (DS, HS, SDR, DDR, HS200, HS400) by extending the
PHY configuration arrays and writing the value during PHY adjustment.
- Fix tuning reliability by toggling the DLL reset before and after
updating the PHY_DLL_SLAVE_CTRL_REG_ADDR register.
Signed-off-by: Tanmay Kathpalia <tanmay.kathpalia@altera.com> Reviewed-by: Balsundar Ponnusamy <balsundar.ponnusamy@altera.com> Acked-by: Peng Fan <peng.fan@nxp.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
1. Replace underscores with hyphens in device tree property names to
follow the standard DT naming convention. This affects all
"lpbk_ctrl" properties which are now correctly named "lpbk-ctrl".
mmc: sdhci-cadence: Enable software tuning for both SD and eMMC interfaces
Remove interface type restrictions in sdhci_cdns_execute_tuning() to
enable software tuning for both SD and eMMC devices. The previous
assumption that SD timing should be handled by SDHCI core is incorrect
based on the actual function assignment logic.
The execute_tuning function is assigned based on MMC_SUPPORTS_TUNING
config, which is enabled by both MMC_UHS_SUPPORT and MMC_HS200_SUPPORT.
Changes:
Remove IS_MMC() check that restricted tuning to eMMC only
Remove opcode validation limited to MMC_CMD_SEND_TUNING_BLOCK_HS200
Signed-off-by: Tanmay Kathpalia <tanmay.kathpalia@altera.com> Reviewed-by: Balsundar Ponnusamy <balsundar.ponnusamy@altera.com> Reviewed-by: Peng Fan <peng.fan@nxp.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
mmc: sdhci-cadence: Use hardware version field for Cadence SDHCI controller
Replace device tree compatible string checks with hardware version field
detection to determine SDHCI controller capabilities. This approach is
more robust and aligns with standard SDHCI specification practices.
Controllers with SDHCI version 4.2 and above will automatically use the
enhanced PHY adjustment, and tuning v6-specific procedures.
Signed-off-by: Tanmay Kathpalia <tanmay.kathpalia@altera.com> Reviewed-by: Balsundar Ponnusamy <balsundar.ponnusamy@altera.com> Acked-by: Peng Fan <peng.fan@nxp.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
mmc: sdhci: Add SDHCI_SPEC_400, _410, and _420 version defines
Add SDHCI_SPEC_400, SDHCI_SPEC_410, and SDHCI_SPEC_420 macros to sdhci.h
to support newer SDHCI specification versions. These defines are required
for compatibility with controllers implementing SDHCI 4.0 and above.
mmc: sdhci-cadence: Set controller and PHY speed modes for SD and eMMC cards
Replace the legacy clock frequency-based timing mode selection with
proper MMC timing mode constants.
Changes to sdhci-cadence.c:
- Add sdhci_cdns_get_hrs06_mode() helper function for mode selection
- Replace clock frequency logic with mmc->selected_mode switch statement
- Use proper MMC timing constants (MMC_HS, UHS_SDR104, etc.)
- Add SD card specific handling with standard SDHCI control register setup
Changes to sdhci-cadence6.c:
- Add SD high speed PHY and control configuration arrays
- Update sdhci_cdns6_phy_adj() to use timing modes instead of HRS06 modes
- Support both SD and eMMC timing modes with appropriate PHY settings
Signed-off-by: Tanmay Kathpalia <tanmay.kathpalia@altera.com> Reviewed-by: Balsundar Ponnusamy <balsundar.ponnusamy@altera.com> Reviewed-by: Peng Fan <peng.fan@nxp.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
mmc: sdhci-cadence: Use max-frequency property from device tree
When f_max parameter is 0 in sdhci_setup_cfg(), the function defaults
to using the maximum frequency from host controller capabilities register
instead of the max-frequency property parsed from device tree.
The max-frequency property from device tree is parsed by mmc_of_parse()
and stored in plat->cfg.f_max, but sdhci_setup_cfg() was being called
with f_max=0, causing it to ignore the device tree value and use the
host capabilities register value instead.
Fix this by passing plat->cfg.f_max to sdhci_setup_cfg() to ensure
the device tree specified maximum frequency is respected over the
hardware default.
Signed-off-by: Tanmay Kathpalia <tanmay.kathpalia@altera.com> Reviewed-by: Balsundar Ponnusamy <balsundar.ponnusamy@altera.com> Reviewed-by: Peng Fan <peng.fan@nxp.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
mmc: mmc-uclass: Use max-frequency from device tree with default handling
When the max-frequency property is not specified in the device tree,
the function now explicitly defaults to 0 instead of leaving cfg->f_max
uninitialized. This allows sdhci_setup_cfg() to properly detect the
absence of a device tree specified frequency and fall back to using
the host controller's maximum base clock frequency from the capabilities
register.
Signed-off-by: Tanmay Kathpalia <tanmay.kathpalia@altera.com> Reviewed-by: Peng Fan <peng.fan@nxp.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
Add reset control functionality to the SDHCI Cadence driver to properly
handle hardware reset sequences during probe. This ensures the controller
is in a known state before initialization.
Signed-off-by: Tanmay Kathpalia <tanmay.kathpalia@altera.com> Reviewed-by: Balsundar Ponnusamy <balsundar.ponnusamy@altera.com> Reviewed-by: Peng Fan <peng.fan@nxp.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
armv8/fsl-layerscape: fdt: Remove offline cores from cooling device maps
Some processor families use a generic device tree, and rely on u-boot
fixups to massage that for lower core count personalities (i.e. NXP
LX2* family). For example, the LX2160A device tree will be used and
then modified to offline non-existent cores when running on an 8-core
LX2080A.
However, the cooling maps still contain references to the non-existent
core phandles, resulting in:
OF: /thermal-zones/cluster6-7-thermal/cooling-maps/map0:
could not find phandle 15
Rebuild the cooling maps as non-existent cores are deleted.
Signed-off-by: Anthony Pighin <anthony.pighin@nokia.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
[Ferass: check digest type in _print_header, version in _verify_image] Signed-off-by: Ferass El Hafidi <funderscore@postmarketos.org> Link: https://patch.msgid.link/20251126-spl-gx-v5-1-6cbffb2451ca@postmarketos.org Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Tom Rini [Wed, 19 Nov 2025 14:55:30 +0000 (08:55 -0600)]
ls1043a: Stop disabling device tree relocation
Remove setting of fdt_high to ~0, which disables device tree relocation,
from the default environment. Doing so prevents U-Boot from correcting
problems such as having an unaligned device tree and leads to various
failure modes in the OS.
Signed-off-by: Tom Rini <trini@konsulko.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
Tom Rini [Wed, 19 Nov 2025 14:55:28 +0000 (08:55 -0600)]
ls1012afrdm: Stop disabling device tree relocation
Remove setting of fdt_high to ~0, which disables device tree relocation,
from the default environment. Doing so prevents U-Boot from correcting
problems such as having an unaligned device tree and leads to various
failure modes in the OS.
Signed-off-by: Tom Rini <trini@konsulko.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
binman: blob_dtb: improve error message when SPL is not found
When using binman with the '-a spl-dtb=y' flag, if the SPL blob is not
found, binman throws a cryptic error message:
binman: 'NoneType' object has no attribute 'startswith'
Let's improve the error message to explicitly state which SPL blob is
missing.
This is particularly useful when binman is used as a standalone tool
outside the U-Boot source tree.
Signed-off-by: Jérémie Dautheribes <jeremie.dautheribes@bootlin.com>
[trini: Add '# pragma: no cover' because coverage doesn't seem to like
the documentation about this error] Signed-off-by: Tom Rini <trini@konsulko.com>
Tom Rini [Wed, 12 Nov 2025 21:19:42 +0000 (15:19 -0600)]
fs/jffs2: Make depend on !64BIT
Building this code on 64bit platforms leads to warnings (and so errors
in CI). Rather than rework the code, as this is a deprecated filesystem,
don't try and disallow building on 64bit hosts.
Adriana Nicolae [Tue, 9 Dec 2025 15:55:38 +0000 (07:55 -0800)]
test: dm: fdtdec: Validate FDT size in unit test
The current FDT decoding tests calculate the memory required
for FDT manipulation by directly adding a fixed margin to
fdt_totalsize(gd->fdt_blob). The static analyzer flagged
"gd->fdt_blob->totalsize" as a tainted value being passed
to fdt_open_into().
Ensure the size is validated by checking that the total size
is within a reasonable maximum FDT limit for unit tests.
Signed-off-by: Adriana Nicolae <adriana@arista.com>
Beleswar Padhi [Tue, 9 Dec 2025 05:50:43 +0000 (11:20 +0530)]
configs: am43xx: Migrate to CONFIG_SYS_MEM_TOP_HIDE from CFG_PRAM
The TI AM43xx HS boards have been using CFG_PRAM to hide the top 64MB
firewalled DRAM memory from U-Boot. However, CFG_PRAM only prevents
U-Boot from relocating into that memory, but it is still open for access
for any other usage.
Therefore, migrate into using CONFIG_SYS_MEM_TOP_HIDE which reduces the
ram size itself ensuring that memory is not visible to U-Boot at all
(either for reloc, or general usage).
_ Add 1 GiB DRAM support for STM32MP13x DHCOR SoM
_ Fix 512 MiB DRAM support for STM32MP13x DHCOR SoM
_ Fix handling OPTEE in middle of the DRAM
_ Add missing debug UART build for STM32MP1 DHSOM
Marek Vasut [Tue, 18 Nov 2025 23:17:23 +0000 (00:17 +0100)]
ARM: stm32: Add missing build of debug UART init code on DH STM32MP1 DHSOM
Commit c37a6684818d ("stm32mp: fix compilation issue with DEBUG_UART")
split the debug UART initialization code into two files, but failed to
update other non-ST boards. This did not lead to noticeable breakage
until debug UART is enabled, which is not the default. Update the
Makefile accordingly to allow debug UART to work.
Fixes: c37a6684818d ("stm32mp: fix compilation issue with DEBUG_UART") Signed-off-by: Marek Vasut <marek.vasut@mailbox.org> Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Marek Vasut [Tue, 18 Nov 2025 23:19:36 +0000 (00:19 +0100)]
ARM: dts: stm32: Add 1 GiB DRAM settings for DH STM32MP13xx DHCOR SoM
Add DRAM settings for 1 GiB variant of DH STM32MP13xx DHCOR SoM
and support for SoM DRAM coding HW straps decoding and automatic
DRAM configuration selection. Enable CONFIG_BOARD_EARLY_INIT_F on
all STM32MP1 DHSOM, as it is required for the HW straps decoding.
Signed-off-by: Marek Vasut <marek.vasut@mailbox.org> Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Marek Vasut [Tue, 18 Nov 2025 23:17:14 +0000 (00:17 +0100)]
stm32mp: Fix handling of OPTEE in the middle of DRAM
STM32MP13xx may have OPTEE-OS at 0xdd000000 even on systems with 1 GiB
of DRAM at 0xc0000000, which is not the end of DRAM anymore. This puts
the OPTEE-OS in the middle of DRAM. Currently, the code sets RAM top to
0xdd000000 and prevents the DRAM range past OPTEE at 0xe0000000..0xffffffff
from being set as cacheable and from being usable. The code also sets the
area over OPTEE as invalid region in MMU tables, which is not correct.
Adjust the code such, that it only ever sets RAM top just before OPTEE
in case the OPTEE is really at the end of DRAM, mainly to be backward
compatible. Furthermore, adjust the MMU table configuration such, that
the regions over the OPTEE are simply skipped and not reconfigured, and
the regions between end of OPTEE and RAM top are set as cacheable, if
any actually exist.
Pranav Tilak [Mon, 8 Dec 2025 13:54:24 +0000 (14:54 +0100)]
arm64: versal: Fix LTO for mini_ospi/mini_qspi
With LTO enabled, mini U-Boot was hanging during reloc_fdt().
The initial stack pointer was placed too low, and the FDT memcpy
destination was carved only 4KB above it. This left insufficient
margin, causing the FDT copy to overwrite the live early stack
and corrupt execution before relocation.
To fix this, increase the malloc heap from 8KB to 12KB and raise the
initial stack pointer by 4KB. Together these adjustments increase
the separation between the early stack and the FDT region during
the pre-relocation phase, eliminating the overlap and fixing the
hang on mini builds (QSPI/OSPI).
Signed-off-by: Pranav Tilak <pranav.vinaytilak@amd.com> Signed-off-by: Michal Simek <michal.simek@amd.com>
Tom Rini [Wed, 19 Nov 2025 14:55:36 +0000 (08:55 -0600)]
sifive-unleashed: Stop disabling device tree relocation
Remove setting of fdt_high to ~0, which disables device tree relocation,
from the default environment. Doing so prevents U-Boot from correcting
problems such as having an unaligned device tree and leads to various
failure modes in the OS.
Tom Rini [Wed, 19 Nov 2025 14:55:19 +0000 (08:55 -0600)]
ae350: Stop disabling device tree relocation
Remove setting of fdt_high to ~0, which disables device tree relocation,
from the default environment. Doing so prevents U-Boot from correcting
problems such as having an unaligned device tree and leads to various
failure modes in the OS.
Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Leo Yu-Chi Liang <ycliang@andestech.com>
Conor Dooley [Wed, 19 Nov 2025 12:38:43 +0000 (12:38 +0000)]
riscv: mpfs: move SoC level options to the CPU Kconfig
There are multiple boards that use the PolarFire SoC, so extract
the Kconfig sections that are determined at a CPU level from the board
Kconfigs now that we have a CPU Kconfig.
E Shattow [Thu, 30 Oct 2025 06:23:32 +0000 (23:23 -0700)]
ram: starfive: drop references to 16GB memory size
16GB memory size is not addressable on StarFive JH-7110 SoC because the
DRAM uncached alias begins at +8GB offset from start of DRAM. The logic
for 16GB memory size is a fall-through to the default for an unknown size.
Let's drop this unnecessary 16GB memory size and rely on the case default.
Randolph [Wed, 29 Oct 2025 08:23:28 +0000 (16:23 +0800)]
falcon: support booting linux from MMC/Parallel Flash
To support booting Linux from MMC, the file name should be
set up correctly. To support booting Linux from Parallel Flash,
the SPL_LOAD_FIT_ADDRESS should point to the Parallel Flash.
Tom Rini [Sun, 7 Dec 2025 14:10:24 +0000 (08:10 -0600)]
Merge patch series "Azure: Rework world build to directly use the container"
This series from Tom Rini <trini@konsulko.com> makes some of our Azure
jobs easier to follow by removing the abstraction of calling docker from
the job we're running and instead following normal Azure Pipelines
conventions.
Tom Rini [Wed, 26 Nov 2025 23:49:59 +0000 (17:49 -0600)]
Azure: Rework binman testsuite job to directly use the container
Similar to the changes made for the world build job, rework the binman
testsuite job as well. There's no functional changes, but makes our CI
clearer to others familiar with Azure pipelines.
Tom Rini [Wed, 26 Nov 2025 23:49:58 +0000 (17:49 -0600)]
Azure: Rework world build to directly use the container
While we had problems historically using buildman inside of a container
when invoked directly via Azure, rather than calling docker in our
script, that is no longer the case. We can make the job a bit easier to
understand by running it more normally. The challenge here is that our
container normally runs with an unprivileged user that we have populated
tools for and Azure creates and uses a new unprivileged user. Copy what
we need over to the new user.
Daniel Schultz [Mon, 24 Nov 2025 08:25:06 +0000 (00:25 -0800)]
board: phytec: phytec_som_detection: Add support for phyFLEX
phyFLEX are SoMs based on the FPSC standard.
Add additional "SOM types" for the phyFLEX modules base on the
FPSC Gamma specification. These modules come in four different
variants; prototypes (PT), standard product (SP), KSP (KP) and
KSM (KM).
- Fix the i.MX9 USB instance number for revision B0.
- Add nxp-imx9image etype for binman node.
- Use default for SYS_MALLOC_F_LEN for apalis-imx8 and colibri-imx8x.
- Switch phycore-imx93 to standard boot.
- Update the nitrogen6x maintainer.
Primoz Fiser [Fri, 5 Dec 2025 11:10:43 +0000 (12:10 +0100)]
board: phytec: phycore-imx93: Set boot_targets dynamically
Set boot_targets environment variable dynamically, so that when booting
from SD-card, boot binaries are also preferably fetched from the SD-card
by default. If the user decides to set their own boot_targets, we should
not overwrite them.
Primoz Fiser [Fri, 5 Dec 2025 11:10:42 +0000 (12:10 +0100)]
board: phytec: phycore-imx93: Switch to standard boot
Enable standard boot for the phyCORE-i.MX93 board and use it as a new
default. Add required standard boot variables to the environment, while
removing old boot scripts and now unnecessary environment variables.
Adjust variables according to the requirements of PHYTEC ampliphy-boot
distro-boot. Last but not least, order environment vars by alphabet and
run 'make savedefconfig' to resync defconfig.
Fedor Ross [Mon, 1 Dec 2025 16:08:06 +0000 (17:08 +0100)]
imx9: scmi: soc: USB instance number change for silicon revision B0
For silicon revision A1, the USB instance number for USB1 is 3 and for
USB2 it is 4. This changed for revision B0 where the USB instance number
for USB1 is 0 and for USB2 it is 1, which is the intended instance
number. Select the correct numbering according to the selected SoC
(IMX95) and its revision.
This patch is based on the information provided by:
"AN14750 Migration Guide from i.MX 95 A1 to B0; Rev. 1.0" .
Reviewed-by: Alice Guo <alice.guo@nxp.com> Signed-off-by: Fedor Ross <fedor.ross@ifm.com> Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
Tom Rini [Sat, 6 Dec 2025 17:46:15 +0000 (11:46 -0600)]
Merge patch series "test/py: fit: Deduplicate the test"
This series from Marek Vasut <marek.vasut@mailbox.org> cleans up some of
the FIT pytests we have and then extends mkimage to support including
the TEE in FIT images when using "-f auto" to create the resulting FIT.
Marek Vasut [Tue, 25 Nov 2025 15:42:57 +0000 (16:42 +0100)]
mkimage: Add support for bundling TEE in mkimage -f auto
Introduce two new parameters to be used with mkimage -f auto to bundle
TEE image into fitImage, using auto-generated fitImage. Add -z to specify
TEE file name and -Z to specify TEE load and entry point address. This is
meant to be used with systems which boot all of TEE, Linux and its DT from
a single fitImage, all booted by U-Boot.
Example invocation:
"
$ mkimage -E -A arm -C none -e 0xc0008000 -a 0xc0008000 -f auto \
-d arch/arm/boot/zImage \
-b arch/arm/boot/dts/st/stm32mp135f-dhcor-dhsbc.dtb \
-z ../optee_os/out/arm-plat-stm32mp1/core/tee-raw.bin \
-Z 0xde000000 \
/path/to/output/fitImage
"
Documentation update and test are also included, the test validates
both positive and negative test cases, where fitImage does not include
TEE and does include TEE blobs.
Acked-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
Marek Vasut [Tue, 25 Nov 2025 15:42:56 +0000 (16:42 +0100)]
test/py: fit: Deduplicate the test
Introduce generate_and_check_fit_image() and call it with various
parameters to test various configurations of the fitImage. This is
identical to the existing test, expect for the code duplication.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
Tom Rini [Sat, 6 Dec 2025 17:44:56 +0000 (11:44 -0600)]
Merge patch series "fit: allow signing with an OpenSSL engine"
Quentin Schulz <foss+uboot@0leil.net> says:
I have a couple of products whose U-Boot FIT is signed via a proprietary
OpenSSL engine which only expects the name of a "slot" to select the key
to sign data with.
Currently mkimage fit support expects either a key-dir (-k) or a
key-file (-G) as a toggle for signing, however this doesn't apply to our
usecase because we use an OpenSSL engine (so no key-file to provide)
which doesn't mimic a directory layout like key-dir implies. Moreover,
binman really expects private keys (.key extension) to be available in
this key-dir directory, which we of course cannot provide.
This series allows to sign a FIT image with mkimage (and binman) with
an OpenSSL engine, including PKCS11 and custom engines. If a key-dir
needs to be passed (which is typical for PKCS11), one can do so by using
fit,engine-keydir.
Note that the public key (.crt extension) still needs to be available if
one wants to embed it for signature verification (which is probably what
one wants to do :) ). It is probably possible to use the engine for
getting the public key instead of storing it on disk, but this needs to
be added to fdt_add_pubkey and then binman, through a mechanism
different from fit,engine*.
One issue though is that since binman resolves key paths absolutely and
that I don't believe an OpenSSL engine would happen to have the exact
same key_id value than a local absolute path, fit,encrypt and
fit,engine cannot cohabit. An issue for the next person who wants
an OpenSSL engine AND encrypt the same FIT image, I don't.
Note that LibreSSL supports neither engines nor providers as far as I
could tell (engine support has been explicitly removed).
Note that OpenSSL engines have been deprecated since 3.0 (Q3-2021),
however note that OpenSSL 3.5 still seems to support engines (git grep)
and is EOL end of Q1 2030.
If anyone has an idea on how to test PKCS11 with SOftHSMv2 with id=
passed in fit,engine-keydir, I'm all ears.
I'm also wondering if the explanation around fit,engine-keydir aren't
too much. After all, they are passed verbatim to mkimage as -k argument
and the special cases are all specific to mkimage and not binman.
Quentin Schulz [Fri, 21 Nov 2025 17:15:00 +0000 (18:15 +0100)]
tools: binman: fit: add tests for signing with an OpenSSL engine
This adds a test that signs a FIT and verifies the signature with
fit_check_sign.
OpenSSL engines are typically for signing with external HW so it's not
that straight-forward to simulate.
For a simple RSA OpenSSL engine, a dummy engine with a hardcoded RSA
4096 private key is made available. It can be selected by setting the
OpenSSL engine argument to dummy-rsa-engine. This can only be done if
the engine is detected by OpenSSL, which works by setting the
OPENSSL_ENGINES environment variable. I have no clue if dummy-rsa-engine
is properly implementing what is expected from an RSA engine, but it
seems to be enough for testing.
For a simple PKCS11 engine, SoftHSMv2 is used, which allows to do PKCS11
without specific hardware. The keypairs and tokens are generated on the
fly. The "prod" token is generated with a different PIN (1234 instead of
1111) to also test MKIMAGE_SIGN_PIN env variable while we're at it.
Binman will not mess with the local SoftHSMv2 setup as it will only use
tokens from a per-test temporary directory enforced via the temporary
configuration file set via SOFTHSM2_CONF env variable in the tests. The
files created in the input dir should NOT be named the same as it is
shared between all tests in the same process (which is all tests when
running binman with -P 1 or with -T).
Once signed, it's checked with fit_check_sign with the associated
certificate.
Finally, a new softhsm2_util bintool is added so that we can initialize
the token and import keypairs. On Debian, the package also brings
libsofthsm2 which is required for OpenSSL to interact with SoftHSMv2. It
is not the only package required though, as it also needs p11-kit and
libengine-pkcs11-openssl (the latter bringing the former). We can detect
if it's properly installed by running openssl engine dynamic -c pkcs11.
If that fails, we simply skip the test.
The package is installed in the CI container by default.
projects / thirdparty / u-boot.git / log
