Tom Rini <trini@konsulko.com> says:
This series switches to always using $(PHASE_) in Makefiles when
building rather than $(PHASE_) or $(XPL_). It also starts on documenting
this part of the build, but as a follow-up we need to rename
doc/develop/spl.rst and expand on explaining things a bit.
Link: https://lore.kernel.org/r/20250401225851.1125678-1-trini@konsulko.com
It is confusing to have both "$(PHASE_)" and "$(XPL_)" be used in our
Makefiles as part of the macros to determine when to do something in our
Makefiles based on what phase of the build we are in. For consistency,
bring this down to a single macro and use "$(PHASE_)" only.
Signed-off-by: Tom Rini <trini@konsulko.com>
commit ddf67daac3 ("efi_capsule: Move signature from DTB to .rodata")
was reverted in
commit 47a25e81d3 ("Revert "efi_capsule: Move signature from DTB to .rodata"")
because that's what U-Boot was usually doing -- using the DT to store
configuration and data. Some of the discussions can be found here [0].
(Ab)using the device tree to store random data isn't ideal though.
On top of that with new features introduced over the years, keeping
the certificates in the DT has proven to be problematic.
One of the reasons is that platforms might send U-Boot a DTB
from the previous stage loader using a transfer list which won't contain
the signatures since other loaders are not aware of internal
U-Boot ABIs. On top of that QEMU creates the DTB on the fly, so adding
the capsule certificate there does not work and requires users to dump
it and re-create it injecting the public keys.
Now that we have proper memory permissions for arm64, move the certificate
to .rodata and read it from there.
[0] https://lore.kernel.org/u-boot/CAPnjgZ2uM=n8Qo-a=DUkx5VW5Bzp5Xy8=Wgmrw8ESqUBK00YJQ@mail.gmail.com/
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Jonathan Humphreys <j-humphreys@ti.com> # on TI sk-am62p-lp
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on AML-A311D-CC
Tested-by: Raymond Mao <raymond.mao@linaro.org>
Note that this undoes the changes of commit cf6d4535cc ("x86:
emulation: Disable bloblist for now") as that was intended only for the
release due to time.
Sam Edwards <cfsworks@gmail.com> says:
This is v2 of my "misc. fixes" series, sent to prepare the codebase for more
direct LLVM support in the near future. This series contains several fixes that
I found in the process of preparing that support and which address issues
independent of any future feature or enhancement. I am sending these now, both
so that their inclusion is not delayed by discussion on my upcoming series and
to make the latter more manageable.
Link: https://lore.kernel.org/r/20250315221813.1265193-1-CFSworks@gmail.com
This allows setting READELF=llvm-readelf in order to use the LLVM
version of the readelf utility. It also aligns with the practice of not
using $(CROSS_COMPILE) in any build recipes directly, reducing the
number of places where $(CROSS_COMPILE) is used.
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
RELRO is an instruction to a dynamic loader to make a memory range
read-only after relocations are applied, for added security. Some
linkers (e.g. LLD) require that all sections covered by the RELRO are
contiguous, so that only a single RELRO is needed. U-Boot at present
neither satisfies this requirement (e.g. x86_64 linker script currently
puts .dynamic too far from .got) nor preserves the RELRO when converting
away from ELF, therefore add `-z norelro` to global linker options.
This can be brought back in the future when the linker scripts are
cleaned up and U-Boot understands RELROs.
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
This flag only makes sense for `binary` output, because .hex/.srec are
sparse formats and represent gaps without filler. While the GNU binutils
version of objcopy does not seem to mind the extra flag being passed,
llvm-objcopy considers this a fatal error.
There is already a version of the objcopy command template in the
Makefile that doesn't use --gap-fill, which is provided for EFI. So use
this other version for all .hex/.srec outputs as well.
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Some boards use a CONFIG option to specify the value of this variable.
This is normally handled by efi_get_distro_fdt_name() but in the case
of sunxi this does not work, since 'soc' is sunxi, but the files are
in the allwinner directory.
Provide a work-around for this particular case.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Refactor the entire kconfig page for mbedtls, adapt mbedtls makefile
and default config file using 'XPL_', in order to have independent
mbedtls kconfig options in U-Boot Proper, SPL, TPL and VPL.
User can choose legacy or mbedtls libraries for them independently.
Set mbedtls native hashing libraries as default when MBEDTLS_LIB,
SPL_MBEDTLS_LIB, TPL_MBEDTLS_LIB or VPL_MBEDTLS_LIB is selected.
If users prefer using U-Boot legacy hashing libraries, please select
MBEDTLS_LIB_HASHING_ALT, SPL_MBEDTLS_LIB_HASHING_ALT,
TPL_MBEDTLS_LIB_HASHING_ALT or VPL_MBEDTLS_LIB_HASHING_ALT for U-Boot
Proper, SPL, TPL and VPL respectively.
Moreover, rename a few kconfig options and update their descriptions to
improve the consistency of terminology.
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Not all MediaTek platforms needs u-boot-mtk.bin.
This patch will let u-boot generates u-boot-mtk.bin only if
CONFIG_MTK_BROM_HEADER_INFO is not empty.
Signed-off-by: Weijie Gao <weijie.gao@mediatek.com>
When performing a build consisting of only a defconfig target and then
this tool, we were missing two dependencies. Add them.
Signed-off-by: Tom Rini <trini@konsulko.com>
Pull request efi-2025-04-rc1
Documentation:
* Correct the defconfig name in the coolpi documentation
UEFI:
* Carve out the biggest part of the RISC-V and ARM linker scripts for EFI
binary into a common include.
* Correct the values of SizeOfCode and SizeOfInitializedData in generated
EFI binaries for RISC-V and ARM.
* Avoid gaps between sections in EFI binaries causing a failure in secure
boot.
* Makefile: let clean remove capsule_in.capsule*.efi-capsule
* Refactor some of the code used for launching EFI binaries.
In case the build system builds a directory with empty Makefile,
one which does not contain any obj-y entries, the build fails to
link due to missing built-in.o .
This happens because of this part of scripts/Makefile.build
81 ifneq ($(strip $(obj-y) $(obj-m) $(obj-) $(subdir-m) $(lib-target)),)
82 builtin-target := $(obj)/built-in.o
83 endif
which does not assign builtin-target in case obj-y is empty. The
built-in target is then not built at all, and built-in.o is not
generated by this part of scripts/Makefile.build
325 ifdef builtin-target
326 quiet_cmd_link_o_target = AR $@
327 # If the list of objects to link is empty, just create an empty built-in.o
...
335 targets += $(builtin-target)
336 endif # builtin-target
This is the correct behavior.
The final link however expects the built-in.o to exist in every directory
included in the build, even in those where the aforementioned code skipped
generation of built-in.o . Make sure the built-in.o does exist for every
directory used in final link simply by doing touch on every built-in.o used
for the link, which will create empty built-in.o in case any built-in.o is
missing.
A possible alternative fix is the always define the builtin-target
and always generate built-in.o .
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Tested-by: Quentin Schulz <quentin.schulz@cherry.de>
The flash_writer tool and previous recovery tools require the SREC load
address to be 0x5000_0000 . The PIE U-Boot build sets the address to 0x0
instead, so override the address back to make u-boot-elf.srec compatible
with the recovery tools.
Tested-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
One can use ccache by keeping ccache in PATH or by providing the full
path to ccache as well. Providing the full path to ccache fails as the
current regex tries to look for ccache being the initial token during
filtering.
Do a greedy search to remove anything before ccache for regex matching.
Fixes: 04b1d84221 ("Makefile: fix empty MK_ARCH when using ccache")
Signed-off-by: Manorit Chawdhry <m-chawdhry@ti.com>
The '?' that is used in the sed expression that determines MK_ARCH
is part of the extended regular expression syntax, but the default
behaviour of sed as specified by POSIX is to use only basic regular
expression syntax. Use the equivalent '\{0,1\}' instead as
suggested by the OpenBSD re_format(7) man page.
Fixes: 04b1d84221 ("Makefile: fix empty MK_ARCH when using ccache")
Signed-off-by: Mark Kettenis <kettenis@openbsd.org>
Reviewed-by: Marek Vasut <marex@denx.de>
Tested-by: Quentin Schulz <quentin.schulz@cherry.de>
One can use ccache by prefixing the typical CROSS_COMPILE value with
"ccache " (e.g. "ccache aarch64-gnu-linux-" for Aarch64). This however
makes the MK_ARCH empty because sed won't find a match anymore since it
expects the CROSS_COMPILE value to start with the actual toolchain (with
an unlimited number of white spaces before).
This is failing builds since commit 7506c15669 ("sandbox: Report host
default-filename in native mode").
Add "ccache" prefix to ignore but participate in the matching regex used
by sed to identify the target architecture.
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
This flag was lost by a previous change and has never been restored.
Without it, binman cannot fully handle missing blobs which are
themselves inputs to mkimage.
Discussion on this at [1] indicated that this was necessary but the
patch was not updated.
Restore the flag so that all missing blobs are reported.
Link: https://patchwork.ozlabs.org/project/uboot/patch/20221206020336.315465-1-trini@konsulko.com/
Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: 93685d0dcb ("Makefile: With BINMAN_ALLOW_MISSING=1 don't error")
CI: https://source.denx.de/u-boot/custodians/u-boot-imx/-/pipelines/22796
- Switch to using upstream DT on DH i.MX8MP DHCOM PDK2/PDK3.
- Add ability to build fallback DTBOs from arch/$(ARCH)/dts.
- Remove fdt_high and initrd_high env variables from imx6-dhcom.
- Add dummy clk for imx8.
- Fix DT corruption in imx8_cpu.
- Improve DDR stability on pico-imx7d.
Currently the enablement of OF_UPSTREAM results on the build system
searching for DTs only in dts/upstream/ . There are platforms which
use U-Boot specific DTBOs applied on top of U-Boot control DT during
SPL stage, and source DTs for these are located in arch/$(ARCH)/dtb.
Add dedicated 'dtbos' target which builds only .dtbos and not .dtbs and
in case CONFIG_OF_UPSTREAM_INCLUDE_LOCAL_FALLBACK_DTBOS is enabled, build
this target for arch/$(ARCH)/dtb to generate local U-Boot specific DTBOs.
Adjust top level Makefile so binman would search for .dtb and .dtbo in
both OF_UPSTREAM specific paths and arch/$(ARCH)/dtb for the .dtbo case
in case CONFIG_OF_UPSTREAM_INCLUDE_LOCAL_FALLBACK_DTBOS is enabled.
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Marek Vasut <marex@denx.de>