Peripheral holding CID0 cannot be accessed, remove this completely
incorrect check. While there, fix and simplify the semaphore checking
that should be performed when the CID filtering is enabled.
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
If the CID filtering is enabled, the semaphore mode is disabled as well.
To avoid an incorrect behavior and error trace, add a check of CID
filtering state before acquiring the semaphore.
Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Update stm32key to support stm32mp21 OTP mapping.
Create a new list of key to support the following differences :
- STM32MP21x SoC support 128b and 25b FSBL encryption keys.
- OEM-KEY1 and OEM-KEY2 used for authentication are in different OTP
from STM32MP25 and STM32MP23.
stm32key is compatible with platform STM32MP2 (aarch64)
Hence, use unsigned long to handle argument addr of function
read_key_value() instead of u32.
Signed-off-by: Thomas Bourgoin <thomas.bourgoin@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
syscon_get_first_range()'s return value is used as base address to perform
a read, without any checks.
In case stmp32mp_syscon is not binded, syscon_get_first_range() returns
-ENODEV which leads to a "Synchronous abort".
Add syscon_get_first_range() check on return value.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
syscon_get_first_range()'s return value is used as base address to perform
a read, without any checks.
In case stmp32mp_syscon is not binded, syscon_get_first_range() returns
-ENODEV which leads to a "Synchronous abort".
Add syscon_get_first_range() check on return value.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Same code is duplicated into stm32mp25x.c, stm32mp23x.c and stm32mp21x.c.
Migrate read_deviceid(), get_cpu_dev(), get_cpu_rev(), get_cpu_type() and
get_cpu_package() into new stm32mp2x.c.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
STM32MP21 application processors (STM32 MPUs) based on a single
Arm Cortex®-A35 core running up to 1.5 GHz and Cortex®-M33 core
running at 300 MHz.
It is pin-compatible with the STM32MP2 series in the VFBGA361
10×10 mm package: the STM32MP21 uses a subset of the STM32MP23
pinout, which itself is a subset of the STM32MP25.
More details available here :
https://www.st.com/en/microcontrollers-microprocessors/stm32mp2-series.html
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
boot_get_fdt_fit_into_buffer() calls fdt_open_into() for both the
base FDT and overlay DTO blobs loaded from a FIT image.
Those blobs come from FIT payload data. In the overlay path,
fit_image_load() is called with FIT_LOAD_IGNORED, so the IH_TYPE_FLATDT
header check in fit_image_load() is skipped. This leaves fdt_open_into()
to consume header-derived offsets/sizes from unvalidated input.
Validate the full blob against the payload length first with
fdt_check_full(fdtsrcbuf, srclen), then proceed with fdt_totalsize() and
fdt_open_into(). This fixes Coverity CID 644638 (TAINTED_SCALAR).
Fixes: 5ebf0c55a2 ("image: fit: Apply overlays using aligned writable FDT copies")
Link: https://lore.kernel.org/all/20260223195109.GG3233182@bill-the-cat/
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
commit ba20b2443c ("arm: mach-k3: common: Reserve video memory from
end of the RAM") switched spl_enable_cache() to use gd->ram_top directly
but omitted the board_get_usable_ram_top() call that limits RAM
configuration and provides updated RAM end address per memory map
used by board and impacts subsequent allocations and reservations.
For e.g. here it impacts how high the TLB may be placed.
On Verdin AM62 (512 MiB), the raw end of RAM (0xA0000000) is inside
OP-TEE's region. board_get_usable_ram_top() in verdin-am62.c returns
0x9C000000 to keep relocations below it, but spl_enable_cache() never
called it. commit 42b3ee7fa5 ("arm: mach-k3: am62x: Enable memory
firewall support") then enforced the OP-TEE firewall, turning the silent
corruption into a hard hang.
Fix by calling board_get_usable_ram_top() after computing raw ram_top,
consistent with setup_dest_addr() in board_f.c. A weak default is
provided for boards that do not need to restrict the RAM top.
Fixes: ba20b2443c ("arm: mach-k3: common: Reserve video memory from end of the RAM")
Reported-by: Francesco Dolcini <francesco@dolcini.it>
Link: https://lore.kernel.org/all/20260224102121.GB340942@francesco-nb/
Signed-off-by: Devarsh Thakkar <devarsht@ti.com>
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com> # Verdin AM62 512MB
Commit 9ebdbbc43e ("arm: armv8: invalidate dcache entries on
dcache_enable") broke Apple Silicon machines in certain scenarios.
If the MMU is currently not enabled we need to flush the TLB
before we enable it to prevent stale TLB entries from becoming
active again. So move the __asm_invalidate_tlb_all() back
immediately before the mmu_setup() call.
Fixes: 9ebdbbc43e ("arm: armv8: invalidate dcache entries on dcache_enable")
Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
class_get_device_by_driver()'s return value is not checked, in case of BSEC
driver is not probed, dev is not set and used just after as parameter of
misc_read() which leads to a Synchronous Abort.
Add uclass_get_device_by_driver()'s return value check to fix it.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
On 1GB board, in particular cases, a prefetch operation is done just above
the 1GB boundary. The DDR size is 1GB (0x80000000 to 0xc0000000), there is
an access on 0xc00017c0 (ie 0x800017c0).
As beginning of DDR is protected by MMU until CONFIG_TEXT_BASE
(0x80000000 to 0x84000000), it triggers the following IAC:
E/TC:0 stm32_iac_itr:192 IAC exceptions [159:128]: 0x200
E/TC:0 stm32_iac_itr:197 IAC exception ID: 137
I/TC:
DUMPING DATA FOR risaf@420d0000
I/TC: =====================================================
I/TC: Status register (IAESR0): 0x11
I/TC: -----------------------------------------------------
I/TC: Faulty address (IADDR0): 0xc00017c0
I/TC: =====================================================
E/TC:0 Panic at /usr/src/debug/optee-os-stm32mp/4.0.0-gitvalid.8>
E/TC:0 TEE load address @ 0x82000000
E/TC:0 Call stack:
E/TC:0 0x82007f30
E/TC:0 0x820444b4
E/TC:0 0x8202dc54
E/TC:0 0x82041fe0
E/TC:0 0x820143b8
By default, in MMU table, the DDR size is set to 4GB, but not all
STM32MP2 based board embeds 4GB, some has only 1 or 2GB of DDR.
The MMU table entry dedicated to DDR need to be updated with the real
DDR size previously read from DT.
After relocation, in enable_caches(), update the MMU table between the
dcache_disable() / dcache_enable() with the real DDR size.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Fix index check against array size. If that index is equal
to the array size, we'll access one-past-the-end of the array.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
No more need to test if a fsbl partition is present on NOR when booting
from serial or USB. Now MTD devices are automatically populated with
partition information found in DT. Remove fsbl_nor_detected boolean from
stm32prog_data struct and all code using it.
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
The hardware denies any access from the U-Boot non-secure world to the
secure-protected pins. Hence, prevent any driver to configure such a pin.
Identify the secure pins with "NO ACCESS" through the 'pinmux status -a'
command.
Use a driver data structure to identify which hardware versions support
this feature.
Signed-off-by: Fabien Dessenne <fabien.dessenne@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
sqfs_frag_lookup() reads a 16-bit metadata block header whose lower
15 bits encode the data size. Unlike sqfs_read_metablock() in
sqfs_inode.c, this function does not validate that the decoded size is
within SQFS_METADATA_BLOCK_SIZE (8192). A malformed SquashFS image can
set the size field to any value up to 32767, causing memcpy to write
past the 8192-byte 'entries' heap buffer.
Add the same bounds check used by sqfs_read_metablock(): reject any
metadata block header with SQFS_METADATA_SIZE(header) exceeding
SQFS_METADATA_BLOCK_SIZE.
Found by fuzzing with libFuzzer + AddressSanitizer.
Signed-off-by: Eric Kilmer <eric.kilmer@trailofbits.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
We currently provide default board names for each board in their
respective evm.c file. However for custom boards, this behaviour
overwrites the default DT as set in the defconfig
(CONFIG_DEFAULT_FDT_FILE or CONFIG_DEFAULT_DEVICE_TREE).
This patch changes the default name to be NULL which prevents this
overwrite and allows ti_set_fdt_env to instead fallback to the correct
DT as set in Kconfig.
Signed-off-by: Anshul Dalal <anshuld@ti.com>
Reviewed-by: Bryan Brattlof <bb@ti.com>
Update dev-data and clk-data to include wake-up I2C device for J722s.
Signed-off-by: Chintan Vankar <c-vankar@ti.com>
Tested-by: Richard Genoud <richard.genoud@bootlin.com>
Add simple test for zip/unzip/gzwrite commands. The test works as
follows. First, create three buffers with a bit of space between
each of them, fill them with random data, then compress data in
buffer 1 into buffer 2, decompress data in buffer 2 either directly
into buffer 3 or into MMC 1 and then read them back into buffer 3,
and finally compare buffer 1 and buffer 3, they have to be identical.
The buffers are filled with random data to detect out of bounds writes.
Test for various sizes, both small and large and unaligned.
The test uses ut_assert_skip_to_line() to skip over gzwrite progress
bar. Since the progress bar updates fill up the console record buffer,
increase the size of it to compensate.
Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
Tested-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
What is not being built and tested in CI, breaks. Enable the 'zip'
command in sandbox to get it build tested in preparation for an
actual unit test.
Reviewed-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
This commit updates the RAM region filtering logic in
board_get_usable_ram_top() to skip any memory regions whose start address
is above 4GB. Previously, only the end address was capped at 4GB, but
regions entirely above this threshold were still considered.
Typically, the following memory map entries would cause
board_get_usable_ram_top() to return 0x100000000, which is incorrect.
start=00000000, end=00001000, type=16
start=00001000, end=000a0000, type=1
start=000a0000, end=000f6000, type=2
start=000f6000, end=000f7000, type=16
start=000f7000, end=00100000, type=2
start=00100000, end=6f170000, type=1
start=6f170000, end=70000000, type=16
start=70000000, end=80800000, type=2
start=e0000000, end=f8000000, type=2
start=fa000000, end=fc000000, type=2
start=fc800000, end=fc880000, type=2
start=fd800000, end=fe800000, type=2
start=feb00000, end=feb80000, type=2
start=fec00000, end=fed00000, type=2
start=fed20000, end=fed80000, type=2
start=feda1000, end=feda2000, type=2
start=fedc0000, end=fede0000, type=2
start=100000000, end=102400000, type=2
start=102400000, end=47f800000, type=1
start=4000000000, end=4020000000, type=2
By adding a check to continue the loop if the region's start address
exceeds 0xffffffffULL, the function now properly ignores regions that are
not usable in 32-bit address space.
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
Since commit 27cc5951c8 ("include: env: ti: add default for
do_main_cpsw0_qsgmii_phyinit"), the value of the environment variable
do_main_cpsw0_qsgmii_phyinit happened to remain '0' and couldn't be
changed without user intervention. This behavior is due to the following
cyclic dependency:
A) ti_common.env sets do_main_cpsw0_qsgmii_phyinit to '0' and its value
can only be updated automatically by main_cpsw0_qsgmii_phyinit.
B) main_cpsw0_qsgmii_phyinit is defined in j721e.env and it can run only
if 'do_main_cpsw0_qsgmii_phyinit' is already '1' which isn't possible
unless the user manually assigns the value.
Fix the aforementioned cyclic dependency by using board_late_init() to
detect the QSGMII Daughtercard and set do_main_cpsw0_qsgmii_phyinit.
Additionally, to address the issue of do_main_cpsw0_qsgmii_phyinit being
'undefined' for other platforms, replace:
if test ${do_main_cpsw0_qsgmii_phyinit} -eq 1;
with:
if env exists do_main_cpsw0_qsgmii_phyinit;
in ti_common.env.
Fixes: 27cc5951c8 ("include: env: ti: add default for do_main_cpsw0_qsgmii_phyinit")
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Reviewed-by: Anshul Dalal <anshuld@ti.com>
Fix a segmentation fault caused by a null pointer access during root
partition checking. The function part_get_info() was falsely given null
for the disk_partition struct, which later resulted in accessing a null
pointer and thus undefined behavior.
Fixes: 5d7c080ae5 ("bootstd: rauc: Don't check root part filesystem")
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
libfdt expects FDT/DTO blobs to be 8-byte aligned. When loading the
base FDT or overlays from a FIT, the mapped buffer may be unaligned,
which can break fdt_open_into() on strict-alignment architectures.
boot_get_fdt_fit() relocates the base FDT with boot_relocate_fdt()
before applying overlays. That uses the bootm memory map and can
overlap with the FIT buffer when the FIT is loaded into RAM,
corrupting data needed to load the kernel and ramdisk.
Allocate writable, 8-byte aligned copies of the base FDT and overlays
with memalign() and fdt_open_into(). Grow the base buffer as needed,
apply overlays to it and pack the final tree. Free each temporary
overlay copy after application and check fdt_pack() errors.
Fixes: 8fbcc0e0e8 ("boot: Assure FDT is always 8-byte aligned")
Fixes: 881f0b77dc ("image: apply FDTOs on FDT image node")
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Cc: Jamie Gibbons <Jamie.Gibbons@microchip.com>
Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
It has been a long while since Jagan Teki, Joe Hershberger or Ramon
Fried have been active in the community. We thank them for their time
over the years. Remove them from the active maintainer list and mark a
few things as Orphaned for now.
Signed-off-by: Tom Rini <trini@konsulko.com>
The cdns3_bind() function is responsible for identifying the appropriate
driver to bind to the USB Controller's device-tree node. If the device-tree
node has the 'dr_mode' property set to 'otg', the existing approach fails
to bind a driver, leading to loss of functionality.
To address this, use the VBUS Valid field of the OTG Status register to
determine the role as follows:
- If VBUS Valid field is set, it indicates that a USB Host is supplying
power and the Controller should assume the Peripheral role.
- If VBUS Valid field is clear, it indicates the absence of a USB Host and
the Controller should assume the Host role.
Additionally, when 'dr_mode' happens to be 'otg' and the STRAP settings
are not specified, use VBUS Valid to determine the role in cdns3_drd_init()
and assign it to cdns->dr_mode.
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Reviewed-by: Marek Vasut <marek.vasut@mailbox.org>
The size of the memory allocated for the EFI Conformance Profiles Table is
computed with `num_entries' always equal to zero, which is incorrect when
CONFIG_EFI_EBBR_2_1_CONFORMANCE is enabled.
This can be verified by allocating the ECPT memory with malloc() instead of
efi_allocate_pool(), building u-boot with sandbox_defconfig and
CONFIG_VALGRIND=y, and by finally running the following command:
valgrind --suppressions=scripts/u-boot.supp \
./u-boot -T -c 'efidebug tables'
Fix this by using an array of the supported profiles GUIDs instead, which
should also be easier to extend in the future as U-Boot should publish the
GUIDs for all supported EBBR revisions.
Fixes: 6b92c17352 ("efi: Create ECPT table")
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Tom Rini <trini@konsulko.com>
Cc: Jose Marinho <jose.marinho@arm.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The read_blocks() function from the Block IO protocol is a UEFI function;
make sure to call it from within U-Boot using the EFI_CALL() macro.
To demonstrate the issue on an AArch64 machine, define the DEBUG macro in
include/efi_loader.h and build u-boot with sandbox_defconfig, then download
and uncompress the ACS-DT image [1], and finally execute the following
command:
$ ./u-boot -T -c " \
host bind 0 systemready-dt_acs_live_image.wic; \
setenv loadaddr 0x10000; \
load host 0 \${loadaddr} EFI/BOOT/Shell.efi; \
bootefi \${loadaddr} \${fdtcontroladdr}"
The following assertion should fail:
lib/efi_loader/efi_net.c:858: efi_network_timer_notify: Assertion `__efi_entry_check()' failed.
This happens due to the following EFIAPI functions call chain:
efi_start_image()
efi_disk_read_blocks()
(due to the missing EFI_CALL, entry_count == 2)
efi_network_timer_notify()
Link: https://github.com/ARM-software/arm-systemready/releases/download/v25.12_DT_3.1.1/systemready-dt_acs_live_image.wic.xz [1]
Fixes: ce3dbc5d08 ("efi_loader: add UEFI GPT measurement")
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Cc: Tom Rini <trini@konsulko.com>
Cc: Masahisa Kojima <kojima.masahisa@socionext.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Masahisa Kojima <kojima.masahisa@socionext.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
