path: root/common/image-fit.c
Commit message (Author, Age, Files, Lines)
* FIT: support finding compatible configuration by FDT compatible (Ahmad Fatoum, 2024-03-05, 1 file, -2/+37)
|
|   So far, we only supported finding compatible configurations that have a compatible property inside the configuration's device tree node.
|
|   According to spec, this is optional however, and e.g. Yocto's kernel-fitimage.bbclass doesn't generate it. Instead, the bootloader is expected to look up the compatible inside the referenced FDT.
|
|   With fdt_machine_is_compatible, this is much less of a performance hit than with of_machine_is_compatible, so let's implement support for this.
|
|   Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
|   Link: https://lore.barebox.org/20240301130445.171385-5-a.fatoum@pengutronix.de
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: match best configuration when multiple are compatible (Ahmad Fatoum, 2023-12-13, 1 file, -3/+12)
|
|   Currently, we match the first compatible configuration. There may be multiple matching configurations however and we should continue looking for a better match if a match didn't achieve maximal score.
|
|   Do that by checking score against OF_DEVICE_COMPATIBLE_MAX_SCORE and continuing the search if unequal.
|
|   Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
|   Link: https://lore.barebox.org/20231205113618.3966168-4-a.fatoum@pengutronix.de
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: support kernel images with type = "kernel_noload" (Ahmad Fatoum, 2023-12-05, 1 file, -0/+6)
|
|   U-Boot interprets "kernel_noload" to mean that the load and entry addresses shall be ignored[1] and that the kernel image should be executed in-place, unless compressed[2].
|
|   The entry and load addresses are still mandatory and need to be initialized to some dummy value according to spec[3]. barebox, which is unaware of any special semantics for the kernel_noload type, would thus try to place a kernel_noload image at the dummy load address specified and fail if that's not possible.
|
|   Fix this by treating type = "kernel_noload" as if load and entry properties were omitted, in which case barebox falls back to find a suitable memory region at runtime.
|
|   This change is motivated by the Linux kernel series adding FIT as additional Kbuild target for ARM64[4]. With the change here, it's possible to consume these FIT images in barebox as well.
|
|   [1]: U-Boot commit b9b50e89d317 ("image: Implement IH_TYPE_KERNEL_NOLOAD")
|   [2]: https://patchwork.ozlabs.org/project/uboot/list/?series=382849&state=*
|   [3]: https://github.com/open-source-firmware/flat-image-tree/releases/download/v0.8/fit-specification-v0.8.pdf
|   [4]: https://lore.kernel.org/linux-arm-kernel/20231129172200.430674-1-sjg@chromium.org/T/#meb5bda548de8d8d403c67ee90f639923c8a182fa
|
|   Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
|   Link: https://lore.barebox.org/20231129203106.2417486-1-a.fatoum@pengutronix.de
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: do not decompress ramdisks even if asked (Ahmad Fatoum, 2023-08-28, 1 file, -1/+8)
|
|   Linux will decompress its own ramdisk, so a well-formed ITS would specify compression = "none", so the bootloader doesn't unpack the ramdisk and the kernel takes care of it.
|
|   Some older versions of the Yocto kernel-fitimage.bbclass did populate compression != "none" for ramdisks, so now barebox will fail to boot the FIT images generated by them.
|
|   Fix this issue by not acting on the compression property when the image in question is a ramdisk. We still print a warning, so users can fix their ITS. This aligns us with U-Boot's behavior[1].
|
|   [1]: https://git.yoctoproject.org/poky/commit/?h=kirkstone&id=2c58079222310
|   [2]: https://github.com/u-boot/u-boot/commit/bddd985734653c366c8da073650930
|
|   Fixes: 2ab6780b80e3 ("FIT: add first support for compressed images")
|   Reported-by: Christian Eggers <ceggers@arri.de>
|   Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
|   Tested-by: Christian Eggers <ceggers@arri.de> [Tested both patches, as 1/2 is also required ]
|   Link: https://lore.barebox.org/20230825102246.4189465-2-a.fatoum@pengutronix.de
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: refactor compression handling into separate function (Ahmad Fatoum, 2023-08-28, 1 file, -24/+38)
|
|   There are four conditions that need to be true for successful decompression and the follow-up commit will add one more. Thus split off the compression handling to aid readability.
|
|   No functional change.
|
|   Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
|   Link: https://lore.barebox.org/20230825102246.4189465-1-a.fatoum@pengutronix.de
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: don't verify signature of non-signature nodes (Ahmad Fatoum, 2023-07-28, 1 file, -0/+4)
|
|   One would expect that all children of a configuration node are signature nodes, but OpenEmbedded's core kernel-fitimage.bbclass always generates a dummy hash-1 node into configurations with just an algo and no digest, which barebox would try to interpret as a FIT configuration leading to an error verifying the FIT image:
|
|     ERROR: FIT: hashed-strings start not found in /configurations/conf-something/hash-1
|
|   Make it possible to boot such FIT images by only verifying nodes that are supposed to be signatures.
|
|   This aligns us with U-Boot behavior, but introduces theoretical breakage for FIT images that have signature nodes with funny names. Given that everyone uses signature@1 or signature-1 and we even hardcode it at places and that the failure mode is to refuse boot of old images with new barebox version when FIT image verification is required, this is deemed acceptable.
|
|   Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
|   Link: https://lore.barebox.org/20230727155726.2133700-1-a.fatoum@pengutronix.de
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* treewide: Print device nodes with %pOF (Sascha Hauer, 2023-07-03, 1 file, -16/+14)
|
|   We have the %pOF format specifier for printing device nodes. Use it where appropriate.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* barebox: Fix excessive loading of FIT images (Christian Melki, 2023-05-23, 1 file, -3/+4)
|
|   Barebox doesn't use the FIT image size from the header when loading FIT images. It bluntly assumes that the FIT image is equal to the file size. Which would be true if the FIT image is a file. But if it's situated on a raw device, then barebox proceeds to load the entire contents of that raw device, only to conclude that it only needed parts of it.
|
|   Fix it.
|
|   Cc: Daniel Brát <danek.brat@gmail.com>
|   Signed-off-by: Christian Melki <christian.melki@t2data.com>
|   Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
|   Link: https://lore.barebox.org/20230519121028.2475832-1-a.fatoum@pengutronix.de
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: add first support for compressed images (Ahmad Fatoum, 2022-08-11, 1 file, -1/+31)
|
|   FIT image contents are often compressed, but we got by so far, because a compressed initramfs is usually meant to be decompressed by the kernel (and so has compression = "none") and arm32 kernels had their own decompresser embedded.
|
|   On ARM64, bootloader is responsible for uncompressing kernel, so we should properly process the compression property we so far ignored.
|
|   The decompression isn't as efficient as one would hope for, because the FIT format only describes length of the compressed data. We thus have two options:
|
|   - define an output size up-front, e.g. by guessing the uncompressed buffer size for decompression or hardcoding it (e.g. U-Boot's CONFIG_SYS_BOOTM_LEN).
|   - Uncompress to a file descriptor
|
|   We choose the second one to play it safe, but it comes with worse performance because of extra memory copies. Intention is to go with first option for the kernel image: We know how much size we can spare for the kernel image and can have bootm_load_os uncompress there directly without intermittent memory copies.
|
|   This would involve slight change to the barebox decompresser API to align it with the kernel's, which allows to have it accept and observe an output buffer size. So far, we had the kernel PREBOOT API, which lacks such a parameter, but that's an optimization for another day.
|
|   Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
|   Link: https://lore.barebox.org/20220809091946.3906847-1-a.fatoum@pengutronix.de
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* commands: of_dump: support limiting size of printed properties (Ahmad Fatoum, 2022-08-08, 1 file, -1/+1)
|
|   FIT images can have properties with very long values. Make it possible to use of_dump to inspect them by adding a -P option that restricts how much of the value is printed.
|
|   Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
|   Link: https://lore.barebox.org/20220808065639.453483-2-a.fatoum@pengutronix.de
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* fit: try other keys as fallback (Sascha Hauer, 2022-05-04, 1 file, -14/+22)
|
|   So far the rsa key and the image signature must have a matching key-name-hint. Relax that by trying other available keys when the key-name-hints don't match or when the matching key can't verify the signature.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* rsa: Collect keys on list (Sascha Hauer, 2022-05-04, 1 file, -21/+4)
|
|   Currently there is no way to iterate over all available RSA keys. This patch collects all keys on a list so we can add an iterator in the next step.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* fit: Use digest_verify() to verify hashes (Sascha Hauer, 2021-07-30, 1 file, -7/+1)
|
|   Use digest_verify() to verify hashes rather than open code it. This simplifies the code a bit.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* fdt: Check blob size during unflattening (Sascha Hauer, 2021-06-25, 1 file, -1/+1)
|
|   of_unflatten_dtb() doesn't check the size of the device tree blob passed to it. Add a size argument and add checks for the size. Some callers have no idea of the buffer size themselves, INT_MAX is passed in these cases.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
|   Link: https://lore.barebox.org/20210624085223.14616-4-s.hauer@pengutronix.de
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* image-fit: ignore rsa by image selection (Denis Osterland-Heim, 2021-03-16, 1 file, -4/+2)
|
|   For hash algorithm selection, only the first argument of the tuple is needed. The ',' is included to avoid false-positive matches.
|
|   Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* common: replace license statements with SPDX-License-Identifiers (Ahmad Fatoum, 2020-11-27, 1 file, -13/+1)
|
|   For all files in common/ that already have a license text:
|
|   - Replace with appropriate SPDX-License-Identifier
|   - Remove empty comment lines around replacement
|   - remove comment completely if only thing remaining is name of file without description
|
|   Reviewed-by: Roland Hieber <rhi@pengutronix.de>
|   Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
|   Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: Parse `load` and `entry` addresses. (Christian Mauderer, 2020-08-14, 1 file, -15/+76)
|
|   According to the U-Boot documentation for the FIT file format, the load and entry have to be always defined for a "kernel" or "standalone". But Barebox ignored the parameters. That changes with this patch.
|
|   For backward compatibility the default values for load or entry are still used if they are not given by the FIT file.
|
|   Signed-off-by: Christian Mauderer <christian.mauderer@embedded-brains.de>
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* fit-image: Use compiled-in keys (Sascha Hauer, 2019-10-15, 1 file, -11/+16)
|
|   The compiled-in keys can be retrieved with rsa_get_key(). Try to use them first before falling back to looking up the keys in the device tree.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* rsa: let rsa_of_read_key() return a fully allocated key (Sascha Hauer, 2019-10-15, 1 file, -4/+6)
|
|   Until now rsa_of_read_key() took a pointer to a key and filled the struct rsa_public_key members with allocated values. So far we have never freed these values. Change rsa_of_read_key() to always return a fully allocated key and provide rsa_key_free() to free it. Let the FIT image code free the key after usage.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* treewide: Remove trailing whitespaces and tabs (Alexander Shiyan, 2019-01-21, 1 file, -1/+1)
|
|   Just a cleanup over barebox tree
|
|   Signed-off-by: Alexander Shiyan <shc_work@mail.ru>
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: support hash-1/signature-1 nodes in signature check (Matthias Schiffer, 2018-11-23, 1 file, -2/+6)
|
|   The examples in the U-boot docs use "hash-N" and "signature-N" as the names for hash/signature nodes. It seems "@N" was used instead at some point during the development of the FIT format and "-N" is more correct (in fact, dtc throws warnings when using "@N" without a reg attribute).
|
|   Support for the "@N" node names is preserved for backward compatibility.
|
|   Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: be more verbose when RSA signature check fails (Roland Hieber, 2018-08-10, 1 file, -2/+3)
|
|   Tell the user what device tree node we're looking for.
|
|   Signed-off-by: Roland Hieber <r.hieber@pengutronix.de>
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: Use const dtb unflatten variant (Sascha Hauer, 2018-02-08, 1 file, -1/+1)
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: Allow to open buffer as FIT image (Sascha Hauer, 2018-02-08, 1 file, -32/+81)
|
|   This adds fit_open_buf() which can open a buffer as FIT image.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: Implement opening images with no configuration (Sascha Hauer, 2018-02-08, 1 file, -7/+75)
|
|   Different images can be grouped together to build a FIT configuration. So far we only supported opening images as parts of configurations. This patch adds support for opening images that are not part of a configuration. This mode is used when the configuration parameter of fit_open_image is NULL.
|
|   The main difference is in the way the RSA signature is checked. When being part of a configuration all involved nodes (including the hash nodes of the images, but not the image itself) are covered by the signature, thus during opening an image only the validity of the image data hash has to be checked. When not being part of a configuration, the image data itself is signed and must be checked.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: factor out some helper functions (Sascha Hauer, 2018-02-08, 1 file, -47/+74)
|
|   Create and use fit_alloc_digest() and fit_read_rsa_public_key() which we can use a second time in the next step.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: move handle->verify check to fit_verify_hash() (Sascha Hauer, 2018-02-08, 1 file, -20/+25)
|
|   Preparation for the next step which will allow to open images which are not part of a configuration.
|
|   This has one change inside: We used to iterate over all subnodes of an image expecting all of them containing a hash, so it could happen that we check multiple hashes if more exist or that we falsely interpret some unrelated subnode as hash node. With this patch we expect the hash in a subnode named "hash@1" as required by the FIT image format description.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: store device_nodes in fit_handle (Sascha Hauer, 2018-02-08, 1 file, -8/+12)
|
|   We need the /images and /configurations nodes more than once, so store them in the fit_handle rather than searching for them each time again.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: Let user specify the configuration to use (Sascha Hauer, 2018-02-08, 1 file, -13/+24)
|
|   The images in FIT images can be opened in two different ways. They can be either opened directly based on their names in the images/ node or as part of a configuration based on their names in the corresponding /configuration/ node.
|
|   So far we only supported the latter. To prepare supporting the former we return a cookie belonging to the configuration from fit_open_configuration() which we use in fit_open_image() to refer to the desired configuration.
|
|   While at it document fit_open_configuration().
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* FIT: Do not pre-open images (Sascha Hauer, 2018-02-08, 1 file, -21/+0)
|
|   Only do what fit_open_configuration() suggests: open the configuration, but not the images in it.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* Merge branch 'for-next/misc' (Sascha Hauer, 2018-01-22, 1 file, -21/+56)
|\
| * FIT: export fit_open_configuration() and fit_open_image() (Sascha Hauer, 2018-01-18, 1 file, -21/+56)
| |
| |   Currently only fit_open() is exported which only opens the predefined images "kernel", "dtb" and "ramdisk". To make the FIT code more usable for other code which may want to open other images export fit_open_configuration() and fit_open_image().
| |
| |   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* | FIT: Fix error path (Sascha Hauer, 2018-01-17, 1 file, -3/+5)
|/
|   In case of error of_unflatten_dtb() returns an ERR_PTR. Make sure that handle->root contains NULL in this case so that we do not call of_delete_node on the error pointer in the exit path.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* bootm: fit: support multiple configuration nodes (Steffen Trumtrar, 2017-03-31, 1 file, -2/+38)
|
|   Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
|   Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* bootm: fit: support rsa2048 (Steffen Trumtrar, 2017-03-30, 1 file, -0/+2)
|
|   Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
|   Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* include: Move bulk of boot.h to bootm.h (Sascha Hauer, 2016-07-26, 1 file, -1/+1)
|
|   The majority of the stuff currently in include/boot.h is about bootm code implemented in common/bootm.c. To be more consistent move it to a new file include/bootm.h.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* bootm: Add verify mode "available" (Sascha Hauer, 2016-05-10, 1 file, -19/+45)
|
|   The verify "available" mode checks whatever is available in the booted image, so when an image has a signature, it is checked and must be correct and when an image is hashed, it is also checked for correctness.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* bootm: fit: Print error when image is not signed (Sascha Hauer, 2016-05-10, 1 file, -1/+4)
|
|   When fit is configured to force signed images then print an error message when an unsigned image is opened to give the user a clue what went wrong.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* bootm: fit: Print error when image is not hashed (Sascha Hauer, 2016-05-10, 1 file, -2/+5)
|
|   When fit is configured to check hashes print an error when an image does not contain hashes instead of failing silently.
|
|   Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
* bootm: add initial FIT support (Jan Luebbe, 2016-01-26, 1 file, -0/+584)

    This implementation is inspired by U-Boot's FIT support. Instead of using libfdt (which does not exist in barebox), configuration signatures are verified by using a simplified DT parser based on barebox's own code.

    Currently, only signed configurations with hashed images are supported, as the other variants are less useful for verified boot. Compatible FIT images can be created using U-Boot's mkimage tool.

    Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>