I've spent time trying to figure out why my board (Rockchip PX30-based)
suddenly boot loops when running a specific program in Linux userspace
after working on a U-Boot upgrade. I actually inadvertently had the TEE
environment variable set for a device which doesn't actually need to run
any TEE OS (so had OPTEE_LIB disabled).
It is currently possible to build an image with an OP-TEE OS (via the
TEE environment variable) without OPTEE_LIB. U-Boot will happily load
the TEE OS and the next OS (e.g. the Linux kernel).
This is an issue because on FDT-enabled devices, OP-TEE OS adds nodes to
the reserved-memory FDT node for the memory regions it just reserved for
itself. This updated FDT is then passed to U-Boot proper which should
know better not to use memory from there. The actual issue is that
without OPTEE_LIB and OF_LIBFDT enabled, U-Boot proper will not copy
those nodes over to the next OS's FDT before starting it. This results
in the next OS's (e.g. Linux kernel) to not be aware of reserved memory,
incurring random crashes or device reboots when it tries to access
secure reserved memory area.
On Rockchip, the U-Boot FIT image which contains both the TEE OS and
U-Boot proper is generated by binman. Unfortunately, binman doesn't seem
to have access to Kconfig symbols (grep CONFIG_ doesn't return anything
meaningful and binman is either configured through FDT nodes or via CLI
arguments, c.f. cmd_binman in the root Makefile) so we cannot try to be
smart and guide the user to the correct Kconfig option to select if TEE
is set. We could add a property based on the presence of OPTEE_LIB in
rockchip-u-boot.dtsi for example and have a custom message based on
that, the issue is that I assume all FDT-based platforms do actually
need to do this dance, and not only Rockchip.
Another option could be to add a CLI argument to binman through which
we would pass the state of OPTEE_LIB and error out the build in that
case, but that feels like opening the door to other various dirty hacks.
Another option is to propagate the TEE environment variable to the
preprocessor of the FDT (via dtc_cpp_flags) and then we can do
#if defined(TEE) && !IS_ENABLED(CONFIG_OPTEE_LIB)
#error "CONFIG_OPTEE_LIB must be enabled!"
#endif
but we have the same issue as above, it is then Rockchip-specific and
doesn't feel right to me.
Yet another option is to remove the @tee-SEQ node from the binman FIT
description when OPTEE_LIB isn't set but then we would lose the
following nice message when no TEE is provided:
Image 'simple-bin' is missing optional external blobs but is still functional: tee-os
and even worse, build without any TEE OS even though we could provide
one via the TEE environment variable.
Finally, another option could be to move this hack under
arch/arm/mach-rockchip/Kconfig to make it Rockchip-specific or add a
depends on ARCH_ROCKCHIP. However OP-TEE OS on Aarch32 Rockchip boards
doesn't actually need any of that if SPL_OPTEE_IMAGE is set because
arch/arm/mach-rockchip/sdram.c then marks some hardcoded memory regions
in RAM as holes in DRAM, which has the same effect as reserved memory
regions I guess. I assume other platforms may use something different,
so it may be casting too wide of a net.
This commit is what I could come up with as a stopgap measure to avoid
building images that simply cannot reliably work and fail randomly.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
The fitImage may be stored in EFI update capsule at address that
is not aligned to 8 bytes. Since fitImage is a DT, new version of
libfdt 1.7.2 rejects such an unaligned DT. Patch the code and copy
the fitImage into aligned buffer in case it is not aligned. This
does increase overhead for unaligned fitImages in EFI capsules, but
tries to keep the overhead low for aligned ones.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
When building with clang, we see a warning:
lib/efi_selftest/efi_selftest_snp.c:63:18: error: field dhcp_hdr within
'struct dhcp' is less aligned than 'struct dhcp_hdr' and is usually due
to 'struct dhcp' being packed, which can lead to unaligned accesses
[-Werror,-Wunaligned-access]
when building lib/efi_selftest/efi_selftest_snp.c. Resolve this error by
packing struct dhcp_hdr as well, as the only place it is used also is
packed.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Memset() must return a pointer to the start of the updated memory block.
Fixes: 476476e73b ("efi: Add support for loading U-Boot through an EFI stub")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Convert function comments in efi_selftest_console.c to match
Sphinx style.
Correct function name in print_uuid() comment.
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Pull request efi-2026-01-rc2
CI: https://source.denx.de/u-boot/custodians/u-boot-efi/-/pipelines/28208
Documentation:
* bootstd: Describe environment variable extension_overlay_addr
environment and remove extension support from TODO list
EFI:
* Correct the detection of the video mode in the EFI payload app:
- Use struct efi_gop_mode_info in the definition of struct
efi_entry_gopmode.
- In function get_mode_from_entry() use the correct type for the video
mode structure.
* Use a valid error code as return value in efi_store_memory_map().
* Avoid a memory leak for the variable name in efi_bl_create_block_device().
* Correct the code indentation in efi_uc_stop().
* Correct the description of struct efi_priv.
* Fix typos in code comments.
Other:
* qfw: Add more fields and a heading to qfw list
* Fix the support for ACPI pass-through on ARM and RISC-V:
Avoid zeroing out the XSDT address
* test: provide unit test for 'acpi list' command
# -----BEGIN PGP SIGNATURE-----
#
# iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmkNj/kACgkQxIHbvCwF
# GsS8NQ/6Aj+Z54HJTIEfoXssvElLr5ATactrCxszq42i/yy6dLqa2Ym1afG6w1XS
# 1ZbCeU/bCXFke5Tsz+x89gEfckUm83oTwngwcID0WR1qn8mWjwR7tM5MuORq8NxU
# 7NwLuFs9O/QZihagKdz6hv1/Y+cBwiAYLY16EYVSuUlbLaKQo3QvxwWkqG3jdKWV
# Rm58/PolU+2h04MBwP0SxSduX4OyRF/tMOGjf5RGLyqCyj8kIgdu7PvUAPMM+Gps
# KemL59V0Bdv8hlF4JknmPz+idtZg2nHIDdNrBZvoxwzwGQeRZ1YXAMruRxZXqDYL
# tiuDp6HMv/GfIIGkz14tJtJMdboaAybAnluPWGalx8JQJqJzEPww0R+9s4KKQeWL
# mHgRyl6PxVV9p19f79Qq6q6ETwrFDX0YH3pdrGUk3DBa3lDt0UsEAnuW4FvaJ8tx
# 3PMrjKAxpxocT0hglsMVnptnfvDEigMsjwH/TWrau83mY+juxFQLjm+U4vye+qCa
# 4zXjjLas18+eRcrv2KxU7teakyi1Jp+WbqHq37L26YcQMaLq/RkBc0bTrsreKKLu
# jprYFpvc7EJpH2Fd1XWaZ2EnxXcVSJSvrY/iwRQqb6wbwQ6XGtMvSh3IFY8IzAoh
# N2Pj78oaYqyL1q/TftuZWhEHo3a0M/HfM4D+oMSHzJtWCb0wZHE=
# =OGcS
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri 07 Nov 2025 12:21:45 AM CST
# gpg: using RSA key 6DC4F9C71F29A6FA06B76D33C481DBBC2C051AC4
# gpg: Good signature from "Heinrich Schuchardt <xypron.glpk@gmx.de>" [unknown]
# gpg: aka "[jpeg image of size 1389]" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6DC4 F9C7 1F29 A6FA 06B7 6D33 C481 DBBC 2C05 1AC4
The type efi_status_t is not compatible with the return type int.
Let efi_store_memory_map() return -EFAULT instead of a truncated EFI error
code.
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
When editing eficonfig "optional data" (typically cmdline arguments)
it's useful to be able to edit the string rather than having to re-type
the entire thing. Implement support for editing buffers to make this a
whole lot nicer. Specifically, add support for moving the cursor with
the arrow keys and End key as well as deleting backwards with the delete
key.
Signed-off-by: Casey Connolly <casey.connolly@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
We do not yet support UTHREADS in xPL phases. However, we have the need
to dummy out certain functions so that xPL can build when full U-Boot
has UTHREADS enabled. Update the few places that need to use
CONFIG_IS_ENABLED so that we have the correct dummy in xPL.
Signed-off-by: Tom Rini <trini@konsulko.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Add the EFI Debug Image Info Table GUID to the translation table used by
uuid_guid_get_str().
This allows to print a human readable table name with `efidebug tables'
instead of "(unknown)".
Signed-off-by: Vincent Stehlé <vincent.stehle@arm.com>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
We currently set the firmware image type to ESRT_FW_TYPE_UNKNOWN.
The spec defines the following:
ESRT_FW_TYPE_UNKNOWN 0x00000000
ESRT_FW_TYPE_SYSTEMFIRMWARE 0x00000001
ESRT_FW_TYPE_DEVICEFIRMWARE 0x00000002
ESRT_FW_TYPE_UEFIDRIVER 0x00000003
Since we don't support updating DEVICEFIRMWARE or UEFIDRIVER types,
let's switch over to SYSTEMFIRMWARE which seems more appropriate.
Suggested-by: Michal Simek <michal.simek@amd.com>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
In function efi_http_service_binding_destroy_child() phandler is created as
as a local variable. If efi_search_protocol() fails, phandler will hold a
random value from the stack. Even it is not zero, we must not use it.
If efi_search_protocol() succeeds, the pointer has already be dereferenced,
so checking against NULL makes not sense here.
If ChildHandle is not a valid UEFI handle, we must return
EFI_INVALID_PARAMETER.
Use a single location for EFI_EXIT().
Addresses-Coverity-ID: CID 531974 (Unchecked return value)
Fixes: 5753dc3f65 ("efi_loader: Prevent dereference of uninitialised variable")
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
After the malloc of tmp_files and before its value is recorded an early
exit will need to free tmp_files to prevent leaking that memory.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
TPM changes:
Make all drive names defined with U_BOOT_DRIVER unique
TEE changes:
Rework things such that sandbox will also traverse the optee directory
when SANDBOX_TEE is enabled, but only build one of the optee-specific
files when OPTEE is enabled.
EFI changes:
Up to now we were relying on the file extension to accept and load
an image over HTTP. We expected images to be either .iso or .img.
By wiring up internal existing functions we can try to mount any
file extension and reject it only if mounting fails.
part_driver_lookup_type
Enhances the process for identifying disk images within the EFI boot
manager. Utilize part_driver_lookup_type() to verify the validity of a
downloaded file as a disk image, rather than depending on file
extensions.
part_driver_lookup_type() is now used in the prepare_loaded_image()
function in the EFI boot manager to detect partitions on a block device
created from a downloaded image. This allows the boot manager to boot
from any disk image that can be recognized by a partition driver, not
just ISO and IMG images.
Update prepare_loaded_image() to create the ramdisk block device
internally, obtain the blk_desc and use part_driver_lookup_type() to
detect a valid partition table.
In try_load_from_uri_path(), try prepare_loaded_image() first to detect
disk images, and fall back to PE-COFF detection only if that fails.
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
We should compile the LZ4_decompress_safe and
LZ4_decompress_safe_partial functions in SPL and they will be discarded
if unused.
Signed-off-by: Tom Rini <trini@konsulko.com>
Add the script name as a prefix to fw_addr and fw_size variables
to make sure they are always unique and won't easily conflict with
user variables.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
The script based firmware loader does not use anything from the
fs_loader implementation. Separate it into its own library source
file and convert the mediatek PHY to use this separate code. This
should reduce the amount of code that is pulled in alongside the
firmware loader, as the FS loader is no longer included.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
FWU metadata information is unavailable for platform-specific
operations since FWU initialization has not yet occurred.
The initialization function is invoked as part of the main
loop event. To address this, the FWU platform hook function
is introduced during FWU initialization, allowing metadata
processing with platform-specific operations.
Signed-off-by: Padmarao Begari <padmarao.begari@amd.com>
Link: https://lore.kernel.org/r/20250912100539.4127378-2-padmarao.begari@amd.com
Signed-off-by: Michal Simek <michal.simek@amd.com>
We have a large number of library symbols that should not be prompted
for by the user really but rather selected by the platform (or SoC) as
needed. To start with however, make these depend on !COMPILE_TEST.
Signed-off-by: Tom Rini <trini@konsulko.com>
SoCFPGA updates for v2025.10:
CI: https://source.denx.de/u-boot/custodians/u-boot-socfpga/-/pipelines/27762
This pull request brings a set of updates across SoCFPGA platforms
covering Agilex5, Agilex7, N5X, and Stratix10. The changes include:
* Agilex5 enhancements:
- USB3.1 enablement and DWC3 host driver support
- System Manager register configuration for USB3
- Watchdog timeout increase and SDMMC clock API integration
- dcache handling improvements in SMC mailbox path
- Enable SPL_SYS_DCACHE_OFF in defconfig
* Clock driver improvements:
- Introduce dt-bindings header for Agilex clocks
- Add enable/disable API and EMAC clock selection fixes
- Replace manual shifts with FIELD_GET usage
* DDR updates:
- IOSSM mailbox compatibility check
- Correct DDR calibration status handling
* Device tree changes:
- Agilex5: disable cache allocation for reads
- Stratix10: add NAND IP node
- Enable driver model watchdog
- Enable USB3.1 node for Agilex5
* Config cleanups:
- Simplify Agilex7 VAB defconfig
- Remove obsolete SYS_BOOTM_LEN from N5X VAB config
- Enable CRC32 support for SoCFPGA
- Increase USB hub debounce timeout
Overall this set improves reliability of DDR and cache flows,
adds missing USB and MMC features for Agilex5, and refines clock
and configuration handling across platforms.
This patch set has been tested on Agilex 5 devkit, and Agilex devkit.
Now that SNTP is supported, enable SNTP debug traces when LWIP_DEBUG is
enabled. In particular, this allows to see which NTP servers are
received during DHCP.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
There are 3 options listed between choice/endchoice FILE/TEE/NO_STORE.
There is no reason to add other config with dependencies between
choice/endchoice because they can never be selected because they depends on
only that 3 options which can be selected.
That's why move additional configuration with dependency below choice
section.
Signed-off-by: Michal Simek <michal.simek@amd.com>
This is needed because distro_efi_read_bootflow_net will then need
dhcp_run which is not already enabled by CMD_NET.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
When doing compile testing build we cannot rely on having a valid file
for EFI_VAR_SEED_FILE to exist, so disable this option when doing
compile tests.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The TFTP implementation does not resend the initial request if there is
no response from the server. Since TFTP is based on UDP, there should be
a mechanism to deal with unreliable transmissions at this point, similar
to what we have for data packets. Therefore, introduce request
retransmission.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
CC: Venkatesh Abbarapu <venkatesh.abbarapu@amd.com>
CC: Michal Simek <michal.simek@amd.com>
CC: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Add Kconfig symbol LWIP_ICMP_SHOW_UNREACH which, when enabled, prints a
message to the console upon reception of ICMP unreachable messages. For
example:
$ make qemu_arm64_lwip_defconfig
$ qemu-system-aarch64 -M virt -cpu max -nographic -bios u-boot.bin
[...]
=> dhcp
DHCP client bound to address 10.0.2.15 (0 ms)
=> tftp 192.168.0.100:69:Image
Using virtio-net#32 device
TFTP from server 192.168.0.100; our IP address is 10.0.2.15
Filename 'Image'.
Load address: 0x40200000
Loading: ICMP destination unreachable (host unreachable) from 192.168.0.16
Timeout!
=> tftp 192.168.0.16:69:Image
Using virtio-net#32 device
TFTP from server 192.168.0.16; our IP address is 10.0.2.15
Filename 'Image'.
Load address: 0x40200000
Loading: ICMP destination unreachable (port unreachable) from 192.168.0.16
Timeout!
=>
Submitted upstream as https://github.com/lwip-tcpip/lwip/pull/73.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Provide a trivial implementation of sntp_format_time() to fix a build
error when CONFIG_LWIP_DEBUG=y:
lib/lwip/lwip/src/apps/sntp/sntp.c: In function ‘sntp_format_time’:
lib/lwip/lwip/src/apps/sntp/sntp.c:283:10: error: implicit declaration of function ‘ctime’ [-Werror=implicit-function-declaration]
283 | return ctime(&ut);
| ^~~~~
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
The UEFI 2.11 specification, chapter 23.1.3 requires
EFI_FIRMWARE_MANAGEMENT_PROTOCOL.GetImageInfo() to return
EFI_INVALID_PARAMETER if *ImageInfoSize is not too small
and ImageInfo is NULL.
Fixes: f27c201485 ("efi_loader: add firmware management protocol for FIT image")
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The code foresees that parameters descriptor_size and descriptor_count
might be NULL and then dereferences them without further check.
The size check must take into account the descriptor count.
ImageInfo might be NULL. In this case we must not dereference it.
Fixes: 4ac6041c3c ("efi: ESRT creation tests")
Addresses-Coverity-ID: CID 569497: Null pointer dereferences (FORWARD_NULL)
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
With the current code we allocate to little memory when adding entries to
the EFI_DEBUG_INFO_TABLE and we fail to correctly move entries when an
entry is removed.
EFI_DEBUG_TABLE_ENTRY_SIZE must be the size of an entry in the
EFI_DEBUG_INFO_TABLE, not the size of a pointer.
Fixes: 146546138a ("efi: add EFI_DEBUG_IMAGE_INFO for debug")
Addresses-Coverity-ID: CID 569498: Code maintainability issues (SIZEOF_MISMATCH)
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Create a Kconfig which indicates that EFI functionality is in use,
either as a client (EFI app / stub) or provider (EFI loader). This will
make it easier to share code between these two parts of U-Boot
Signed-off-by: Simon Glass <sjg@chromium.org>
The generic name 'EFI' would be more useful for common EFI features. At
present it just refers to the EFI app and stub, which is confusing.
Rename it to EFI_CLIENT
Signed-off-by: Simon Glass <sjg@chromium.org>
This directory was created when U-Boot gained the ability to run as an
EFI app in 2015. Since then the EFI-loader feature has been added.
The code in lib/efi is not actually used by the loader, so the name is
confusing.
Rename the directory to efi_client to indicate that it includes files
just for U-Boot being a client of EFI, i.e. the EFI app and stub.
Signed-off-by: Simon Glass <sjg@chromium.org>
