Add the option to load the bootscript with the tftp command (static IP)
instead of the dhcp command (dynamic IP). For this a new function
tftpb_run similar to dhcp_run, is needed. The selection of which command
to use can be done with the ip_dyn environment variable, which can be
set to yes or no. The ip_dyn variable was chosen as it is already in use
on the imx platforms.
Also edit the bootstd doc.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Benjamin Hahn <B.Hahn@phytec.de>
At present the EFI bootmgr scans all devices in the system before
deciding which one to boot. Ideally it would use the bootstd iterator
for this, but in the meantime, give it a lower priority, so it runs
just before the network devices.
Note that if there are no hunted network devices hunted, then it will
run at the end, after all bootdevs are exhausted. In other words, it
will always run.
Signed-off-by: Simon Glass <sjg@chromium.org>
When there are no more bootdevs we should still go through the global
bootmeths, since some may not have yet been used, if their priority has
not yet come up.
Add a final check for this at the end of the iterator.
Update the documentation to match the new behaviour of global bootmeths.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present before scanning global bootmeths, the iterator sets the
method count to the index of the first global bootmeth. Now that we
support scanning the global bootmeths multiple times, we must leave this
count alone.
Check against have_global and first_glob_method instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
Allow bootmeths to select when they want to run, using the bootdev
priority. Provide a new bootmeth_glob_allowed() function which checks if
a bootmeth is ready to use.
Fix a comment in bootflow_system() which is a test for global bootmeths.
Signed-off-by: Simon Glass <sjg@chromium.org>
Use the methods_done flags to make sure that each global bootmeth is
only used once. For now this has no effect, since they are all processed
at the start.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add the logic to scan through the global bootmeths for every new
bootdev, in preparation for allowing global bootmeths to select where in
the hunter ordering they go.
Use a new bootmeth_glob_allowed() function to check if a bootmeth is
allowed, ensuring that each can run at most once.
For now this has no actual effect, since the global bootmeths are
unconditionally processed at the start, with iter->methods_done being
updated to include all of them. Therefore when scanning again, no
unprocessed global bootmeths will be found.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a bitfield which tracks when bootmeths have been used. This will be
needed when global bootmeths can be used later in the iteration.
Fix a missing bootflow_free() while here.
Signed-off-by: Simon Glass <sjg@chromium.org>
The current 'doing_global' refers to being in the state of processing
global bootmeths. Since global bootmeths are currently used once at the
start, it becomes false once the last global bootmeth has been used.
In preparation for allowing bootmeths to run at other points in the
bootstd interation, add a new 'have_global' flag which tracks whether
there are any global bootmeths in the method_order[] list. It is set up
when iteration starts. Unlike doing_global which resets back to false
after the global bootmeths have been handled, once have_global is set to
true, it remains true for the entire iteration process. This provides a
quick check as to whether global-bootmeth processing is needed.
Signed-off-by: Simon Glass <sjg@chromium.org>
For now we only support dropping non-global bootmeths from the
iteration. Update first_glob_method in that case and add a few checks
that things are correct.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present, normally when one bootmeth fails on a partition, we move on
and try the next bootmeth. However, this was not the case for the final
partition due to a bug. Rework the logic so that all partitions are
treated the same.
Signed-off-by: Simon Glass <sjg@chromium.org>
We will want to use this same logic in another place within iter_inc(),
so split it out into its own function.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Today, only a few platforms enable SPL_LOAD_FIT_FULL, and all enable
SPL_LOAD_FIT. As can be seen in usage, the FULL symbol is a superset of
the first symbol, not an alternative. Update Kconfig entries based on
this and simplify the only code which checks for either being set.
Signed-off-by: Tom Rini <trini@konsulko.com>
If there is no more active slot found in find_active_slot(), like when
all slots in BOOT_ORDER have a count of 0, the counters are reset to their
default value CONFIG_BOOTMETH_RAUC_DEFAULT_TRIES. The BOOT_ORDER is _not_
changed, which is logically correct (especially for the case when there is
only one (active) slot set, e.g. BOOT_ORDER only contains 'B', probably due
to RAUC option prevent-late-fallback being set). Resetting the counters of
inactive slots also does not harm here, and is fine as a generic solution.
But the log_info statement in this scenario
INFO: Resetting boot order and all slot tries
is incorrect. Change this to
INFO: Resetting all slot tries to 3
with the 3 being inserted by CONFIG_BOOTMETH_RAUC_DEFAULT_TRIES.
Signed-off-by: Andreas Pretzsch <apr@cn-eng.de>
Reviewed-by: Martin Schwan <m.schwan@phytec.de>
Only PowerPC and LS1021A platforms can make use of RAMBOOT_PBL. Add the
dependencies to the symbol.
Signed-off-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
We have a large number of library symbols that should not be prompted
for by the user really but rather selected by the platform (or SoC) as
needed. To start with however, make these depend on !COMPILE_TEST.
Signed-off-by: Tom Rini <trini@konsulko.com>
This reverts commit 9fe2e4b464.
Commit 9fe2e4b464 ("fdt: Make sure there is no stale initrd left")
introduces a regression in case when U-Boot transfers control to an EFI
app which acts as a subsequent bootloading program. Such an app might
try to set "linux,initrd-start" and "linux,initrd-end" fdt properties,
but by that time those properties are already removed by the code added
in the mentioned commit.
Particularly, the issue was observed on the E850-96 board where GBL EFI
app [1] can't run Android successfully anymore. More specifically, the
kernel can't see the ramdisk and panics with next messages:
/dev/root: Can't open blockdev
VFS: Cannot open root device "" or unknown-block(0,0): error -6
Please append a correct "root=" boot option; ...
Kernel panic - not syncing: VFS: Unable to mount root fs on
unknown-block(0,0)
fdt_initrd() function (where initrd dts properties are removed) is
called two times:
1. First it's called by EFI boot manager (e.g. as a part of U-Boot
Standard Boot mechanism) when it's installing FDT:
fdt_initrd
image_setup_libfdt
efi_install_fdt
efi_bootmgr_run
efi_mgr_boot
It's already enough for EFI app to malfunction. But then it's also
called second time:
2. From the EFI app, via EFI DT fixup protocol:
fdt_initrd
image_setup_libfdt
efi_dt_fixup
struct efi_dt_fixup_protocol efi_dt_fixup_prot = {
.fixup = efi_dt_fixup
};
See [2] for specific GBL code which sets those fdt properties and then
runs DT fixup protocol callback.
This issue was discussed [3], but no action was taken since then. Revert
this patch for now, until a proper solution can be found.
[1] https://source.android.com/docs/core/architecture/bootloader/generic-bootloader/gbl-dev
[2] https://android.googlesource.com/platform/bootable/libbootloader/+/refs/heads/gbl-mainline/gbl/libgbl/src/android_boot/mod.rs#208
[3] https://lists.denx.de/pipermail/u-boot/2025-July/593879.html
Fixes: 9fe2e4b464 ("fdt: Make sure there is no stale initrd left")
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
The android boot header is page aligned but the current code made the
assumption that the header was always smaller than the current header
format.
When the page_size is defined as 2048, as this is the case with the
cuttlefish target, the current code sets the end of the header in the
middle of it as the v3 and v4 headers are respectively 2112 and 2128
bytes long.
Fix that by aligning to page_size
Fixes: 1115027d2f ("android: boot: update android_image_get_data to support v3, v4")
Signed-off-by: Guillaume Ranquet <ranquet.guillaume@gmail.com>
The ARM64 kernel Image size with LOCKDEP enabled is now around 80 MiB, which
makes it unbootable due to "Image too large: increase CONFIG_SYS_BOOTM_LEN".
Increase the image size limit to 128 MiB to future proof the limit.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
At this time there are still major Linux distributions which by default
boot using LEGACY_IMAGE_FORMAT type scripts. Add this option to
DISTRO_DEFAULTS to ensure these platforms can still boot.
Fixes: d780965927 ("Drop the special am335x_boneblack_vboot target")
Reported-by: Sascha Silbe <sascha-pgp@silbe.org>
Tested-By: Sascha Silbe <sascha-pgp@silbe.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Since the bootmeth "rauc" is not a global boot method, do not select the
corresponding BOOTMETH_GLOBAL option.
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Martin Schwan <m.schwan@phytec.de> says:
This series fixes a segfault, that would occur at the end of scanning a
device, which does not contain the required partition layout scheme for
a RAUC system.
With this series, a "bootflow scan" should now correctly scan the
specified devices with boot method "rauc" without crashing on invalid
partition schemes.
Link: https://lore.kernel.org/r/20250813-wip-bootmeth-rauc-priv-free-v1-0-1ef928169469@phytec.de
The private data struct can be freed when loading the boot script, as we
don't need the slot information anymore at this point.
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Tested-by: Wadim Egorov <w.egorov@phytec.de>
Move freeing a distro_rauc_priv struct to a new, separate function for
better reuse.
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Tested-by: Wadim Egorov <w.egorov@phytec.de>
Don't null bootflow->bootmeth_priv, as the private struct is freed later
on by the bootflow.
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Tested-by: Wadim Egorov <w.egorov@phytec.de>
Fix a segfault when cleaning up the slots from the private struct. This
fault was generated by accessing a member of a null pointer.
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Tested-by: Wadim Egorov <w.egorov@phytec.de>
The bootmeth rauc should scan all partitions, in particular whole
devices, and not be a global method. There may exist multiple RAUC
systems on different devices and they should all be detected. This also
fixes a bug, where both a global bootflow and one using an actual,
complete device would be detected at the same time, when scanning for
valid bootflows.
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Tested-by: Wadim Egorov <w.egorov@phytec.de>
uclass_find_next_device always returns 0, so instead make it a void and
update calling sites.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Only scan for the existence of all required partitions of a RAUC system,
instead of searching for boot script files in all of them.
Previously, it might have occurred, that a slot did not contain required
files and RAUC already marked the corresponding slot as bad (not
suitable for booting). In that case, scanning for a non-existence boot
script would result in an error (and thus not booting anything), which
was different behavior compared to the legacy RAUC boot.
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Fix a potential segmentation fault, by not accessing the member of a
null pointer to a private slot's name field.
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Fix a potential memory leak, by checking the return value of realloc
first, before assigning it to the private list of slots.
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
The local variable method_flags is only assigned to in some of the
code paths leaving it possibly uninitialised at first use.
Initialise method_flags at declaration to ensure that it cannot be
used uninitialised. Also remove now redundant assignments.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
João Paulo Gonçalves <jpaulo.silvagoncalves@gmail.com> says:
In some use cases, board-specific device tree changes must not be overwritten
by system fixups. Although U-Boot provides ft_board_setup_ex() for this
purpose, it is currently only used on TI Keystone. This series makes
ft_board_setup_ex() a generic option, allowing its use by other architectures
and boards.
Additionally, considering that Toradex Verdin-AM62P hardware lifetime
guarantees are based on a 105°C junction temperature (while TI AM62Px supports
up to 125°C), this series implements necessary changes within TI K3 AM62P and
Toradex board code. These changes include exporting common fixup device Tree
functions used in TI K3 for board-code access and also fixup for AM62P thermal
zones to correctly reflect the number of CPU nodes according to the SoC part
number.
Link: https://lore.kernel.org/r/20250623-am62p-fdt-fixup-trip-points-v1-0-12355eb6a72f@toradex.com
In some use cases, board-specific device tree changes must not be
overwritten by system fixups. Although U-Boot provides
ft_board_setup_ex() for this purpose, it is currently only used on TI
Keystone. Make ft_board_setup_ex() to be a generic option, allowing its
use by other architectures/boards. To maintain backward compatibility,
enable it by default on TI Keystone.
Signed-off-by: João Paulo Gonçalves <joao.goncalves@toradex.com>
scene_obj_find can return NULL but this is not checked for before
the return is dereferenced. Add a NULL check.
This issue was found by Smatch.
Also add a NULL check for str.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
In the case where parse_sliteral returns an error then label_name
will not have been assigned to. In order to prevent evaluating
label_name in this case add a check for the return value of parse_sliteral.
Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Sughosh Ganu <sughosh.ganu@linaro.org> says:
The LMB module has a bunch for API's which are used for allocating
memory. There are a couple of API's for requesting memory, and two
more for reserving regions of memory. Replace these different API's
with a single one, lmb_alloc_mem(). The type of allocation to be made
is specified through one of the parameters to the function.
Additionally, the two API's for reserving regions of memory,
lmb_reserve() and lmb_alloc_addr() are the same with one
difference. One can reserve any memory region with lmb_reserve(),
while lmb_alloc_addr() actually checks that the memory region being
requested is part of the LMB memory map. Reserving memory that is not
part of the LMB memory map is pretty futile -- the allocation
functions do not allocate memory which has not been added to the LMB
memory map.
This series also removes the functionality allowing for reserving
memory regions outside the LMB memory map. Any request for reserving a
region of memory outside the LMB memory map now returns an -EINVAL
error.
Certain places in the common code using the LMB API's were not
checking the return value of the functions. Checks have been added for
them. There are some calls being made from the architecture/platform
specific code which too do not check the return value. Those have been
kept the same, as I do not have the platform with me to check if it
causes any issues on those platforms.
In addition, there is a patch which refactors code in
lmb_overlaps_region() and lmb_can_reserve_region() so that both
functionalities can be put in a single function, lmb_overlap_checks().
Finally, a new patch has been added which checks the return value of
the lmb allocation function before copying the device-tree to the
allocated address.
Link: https://lore.kernel.org/r/20250617104346.1379981-1-sughosh.ganu@linaro.org
[trini: Rework arch/arm/mach-snapdragon/board.c merge]
Signed-off-by: Tom Rini <trini@konsulko.com>
There is no need to have two separate API's for freeing up memory. Use
a single API lmb_free() to achieve this.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
There currently are two API's for requesting memory from the LMB
module, lmb_alloc() and lmb_alloc_base(). The function which does the
actual allocation is the same. Use the earlier introduced API
lmb_alloc_mem() for both types of allocation requests.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
There currently are multiple allocation API's in the LMB module. There
are a couple of API's for allocating memory(lmb_alloc() and
lmb_alloc_base()), and then there are two for requesting a reservation
for a particular memory region (lmb_reserve() and
lmb_alloc_addr()). Introduce a single API lmb_alloc_mem() which will
cater to all types of allocation requests and replace lmb_reserve()
and lmb_alloc_addr() with the new API.
Moreover, the lmb_reserve() API is pretty similar to the
lmb_alloc_addr() API, with the one difference being that the
lmb_reserve() API allows for reserving any address passed to it --
the address need not be part of the LMB memory map. The
lmb_alloc_addr() does check that the address being requested is
actually part of the LMB memory map.
There is no need to support reserving memory regions which are outside
the LMB memory map. Remove the lmb_reserve() API functionality and use
the functionality provided by lmb_alloc_addr() instead. The
lmb_alloc_addr() will check if the requested address is part of the
LMB memory map and return an error if not.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
