diff options
Diffstat (limited to 'tools')
39 files changed, 694 insertions, 125 deletions
diff --git a/tools/Makefile b/tools/Makefile index 97ce1dbb17e..02297e8c93a 100644 --- a/tools/Makefile +++ b/tools/Makefile @@ -63,7 +63,8 @@ HOSTCFLAGS_img2srec.o := -pedantic hostprogs-y += mkenvimage mkenvimage-objs := mkenvimage.o os_support.o generated/lib/crc32.o -hostprogs-y += dumpimage mkimage fit_info fit_check_sign +hostprogs-y += dumpimage mkimage fit_info +hostprogs-$(CONFIG_FIT_SIGNATURE) += fit_check_sign hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += fdt_add_pubkey hostprogs-$(CONFIG_TOOLS_LIBCRYPTO) += preload_check_sign diff --git a/tools/binman/binman.rst b/tools/binman/binman.rst index 84b1331df5c..392e507d449 100644 --- a/tools/binman/binman.rst +++ b/tools/binman/binman.rst @@ -1143,6 +1143,13 @@ Optional entries Some entries need to exist only if certain conditions are met. For example, an entry may want to appear in the image only if a file has a particular format. +Also, the ``optional`` property may be used to mark entries as optional:: + + tee-os { + filename = "tee.bin"; + optional; + }; + Obviously the entry must exist in the image description for it to be processed at all, so a way needs to be found to have the entry remove itself. diff --git a/tools/binman/btool/openssl.py b/tools/binman/btool/openssl.py index c6df64c5316..b26f087c447 100644 --- a/tools/binman/btool/openssl.py +++ b/tools/binman/btool/openssl.py @@ -153,7 +153,7 @@ numFirewallRegions = INTEGER:{firewall_cert_data['num_firewalls']} def x509_cert_rom(self, cert_fname, input_fname, key_fname, sw_rev, config_fname, req_dist_name_dict, cert_type, bootcore, - bootcore_opts, load_addr, sha): + bootcore_opts, load_addr, sha, debug): """Create a certificate Args: @@ -221,9 +221,13 @@ emailAddress = {req_dist_name_dict['emailAddress']} # iterationCnt = INTEGER:TEST_IMAGE_KEY_DERIVE_INDEX # salt = FORMAT:HEX,OCT:TEST_IMAGE_KEY_DERIVE_SALT + # When debugging low level boot firmware it can be useful to have ROM or TIFS + # unlock JTAG access to the misbehaving CPUs. However in a production setting + # this can lead to code modification by outside parties after it's been + # authenticated. To gain JTAG access add the 'debug' flag to the binman config [ debug ] debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 - debugType = INTEGER:4 + debugType = INTEGER:{ "4" if debug else "0" } coreDbgEn = INTEGER:0 coreDbgSecEn = INTEGER:0 ''', file=outf) @@ -238,7 +242,7 @@ emailAddress = {req_dist_name_dict['emailAddress']} imagesize_sbl, hashval_sbl, load_addr_sysfw, imagesize_sysfw, hashval_sysfw, load_addr_sysfw_data, imagesize_sysfw_data, hashval_sysfw_data, sysfw_inner_cert_ext_boot_block, - dm_data_ext_boot_block, bootcore_opts): + dm_data_ext_boot_block, bootcore_opts, debug): """Create a certificate Args: @@ -324,9 +328,13 @@ compSize = INTEGER:{imagesize_sysfw_data} shaType = OID:{sha_type} shaValue = FORMAT:HEX,OCT:{hashval_sysfw_data} +# When debugging low level boot firmware it can be useful to have ROM or TIFS +# unlock JTAG access to the misbehaving CPUs. However in a production setting +# this can lead to code modification by outside parties after it's been +# authenticated. To gain JTAG access add the 'debug' flag to the binman config [ debug ] debugUID = FORMAT:HEX,OCT:0000000000000000000000000000000000000000000000000000000000000000 -debugType = INTEGER:4 +debugType = INTEGER:{ "4" if debug else "0" } coreDbgEn = INTEGER:0 coreDbgSecEn = INTEGER:0 diff --git a/tools/binman/control.py b/tools/binman/control.py index 1946656f7d3..af447d792a7 100644 --- a/tools/binman/control.py +++ b/tools/binman/control.py @@ -97,7 +97,7 @@ def _ReadMissingBlobHelp(): return tag, msg my_data = pkg_resources.resource_string(__name__, 'missing-blob-help') - re_tag = re.compile('^([-a-z0-9]+):$') + re_tag = re.compile(r"^([-\.a-z0-9]+):$") result = {} tag = None msg = '' @@ -530,6 +530,57 @@ def _RemoveTemplates(parent): for node in del_nodes: node.Delete() +def propagate_prop(node, prop): + """Propagate the provided property to all the parent nodes up the hierarchy + + Args: + node (fdt.Node): Node and all its parent nodes up to the root to + propagate the property. + prop (str): Boolean property to propagate + + Return: + True if any change was made, else False + """ + changed = False + while node: + if prop not in node.props: + node.AddEmptyProp(prop, 0) + changed = True + node = node.parent + return changed + +def scan_and_prop_bootph(node): + """Propagate bootph properties from children to parents + + The bootph schema indicates that bootph properties in children should be + implied in their parents, all the way up the hierarchy. This is expensive + to implement in U-Boot before relocation at runtime, so this function + explicitly propagates these bootph properties upwards during build time. + + This is used to set the bootph-all, bootph-some-ram property in the parent + node if the respective property is found in any of the parent's subnodes. + The other bootph-* properties are associated with the SPL stage and hence + handled by fdtgrep.c. + + Args: + node (fdt.Node): Node to scan for bootph-all and bootph-some-ram + property + + Return: + True if any change was made, else False + + """ + bootph_prop = {'bootph-all', 'bootph-some-ram'} + + changed = False + for prop in bootph_prop: + if prop in node.props: + changed |= propagate_prop(node.parent, prop) + + for subnode in node.subnodes: + changed |= scan_and_prop_bootph(subnode) + return changed + def PrepareImagesAndDtbs(dtb_fname, select_images, update_fdt, use_expanded, indir): """Prepare the images to be processed and select the device tree @@ -589,6 +640,9 @@ def PrepareImagesAndDtbs(dtb_fname, select_images, update_fdt, use_expanded, ind fname = tools.get_output_filename('u-boot.dtb.tmpl2') tools.write_file(fname, dtb.GetContents()) + if scan_and_prop_bootph(dtb.GetRoot()): + dtb.Sync(True) + images = _ReadImageDesc(node, use_expanded) if select_images: @@ -645,14 +699,27 @@ def CheckForProblems(image): _ShowHelpForMissingBlobs(tout.ERROR, missing_list) faked_list = [] + faked_optional_list = [] + faked_required_list = [] image.CheckFakedBlobs(faked_list) - if faked_list: + for e in faked_list: + if e.optional: + faked_optional_list.append(e) + else: + faked_required_list.append(e) + if faked_required_list: tout.warning( "Image '%s' has faked external blobs and is non-functional: %s\n" % (image.name, ' '.join([os.path.basename(e.GetDefaultFilename()) - for e in faked_list]))) + for e in faked_required_list]))) optional_list = [] + # For optional blobs, we should inform the user when the blob is not present. This will come as + # a warning since it may not be immediately apparent that something is missing otherwise. + # E.g. user thinks they supplied a blob, but there is no info of the contrary if they made an + # error. + # Faked optional blobs are not relevant for final images (as they are dropped anyway) so we + # will omit the message with default verbosity. image.CheckOptional(optional_list) if optional_list: tout.warning( @@ -660,6 +727,12 @@ def CheckForProblems(image): (image.name, ' '.join([e.name for e in optional_list]))) _ShowHelpForMissingBlobs(tout.WARNING, optional_list) + if faked_optional_list: + tout.info( + "Image '%s' has faked optional external blobs but is still functional: %s\n" % + (image.name, ' '.join([os.path.basename(e.GetDefaultFilename()) + for e in faked_optional_list]))) + missing_bintool_list = [] image.check_missing_bintools(missing_bintool_list) if missing_bintool_list: @@ -667,7 +740,7 @@ def CheckForProblems(image): "Image '%s' has missing bintools and is non-functional: %s\n" % (image.name, ' '.join([os.path.basename(bintool.name) for bintool in missing_bintool_list]))) - return any([missing_list, faked_list, missing_bintool_list]) + return any([missing_list, faked_required_list, missing_bintool_list]) def ProcessImage(image, update_fdt, write_map, get_contents=True, allow_resize=True, allow_missing=False, @@ -697,7 +770,6 @@ def ProcessImage(image, update_fdt, write_map, get_contents=True, image.SetAllowMissing(allow_missing) image.SetAllowFakeBlob(allow_fake_blobs) image.GetEntryContents() - image.drop_absent() image.GetEntryOffsets() # We need to pack the entries to figure out where everything @@ -736,12 +808,12 @@ def ProcessImage(image, update_fdt, write_map, get_contents=True, image.Raise('Entries changed size after packing (tried %s passes)' % passes) + has_problems = CheckForProblems(image) + image.BuildImage() if write_map: image.WriteMap() - has_problems = CheckForProblems(image) - image.WriteAlternates() return has_problems diff --git a/tools/binman/entry.py b/tools/binman/entry.py index bdc60e47fca..ce7ef28e94b 100644 --- a/tools/binman/entry.py +++ b/tools/binman/entry.py @@ -88,6 +88,7 @@ class Entry(object): updated with a hash of the entry contents comp_bintool: Bintools used for compress and decompress data fake_fname: Fake filename, if one was created, else None + faked (bool): True if the entry is absent and faked required_props (dict of str): Properties which must be present. This can be added to by subclasses elf_fname (str): Filename of the ELF file, if this entry holds an ELF @@ -759,7 +760,7 @@ class Entry(object): self.image_pos) # pylint: disable=assignment-from-none - def GetEntries(self): + def GetEntries(self) -> None: """Return a list of entries contained by this entry Returns: @@ -1120,7 +1121,7 @@ features to produce new behaviours. if self.missing and not self.optional: missing_list.append(self) - def check_fake_fname(self, fname, size=0): + def check_fake_fname(self, fname: str, size: int = 0) -> str: """If the file is missing and the entry allows fake blobs, fake it Sets self.faked to True if faked @@ -1130,9 +1131,7 @@ features to produce new behaviours. size (int): Size of fake file to create Returns: - tuple: - fname (str): Filename of faked file - bool: True if the blob was faked, False if not + fname (str): Filename of faked file """ if self.allow_fake and not pathlib.Path(fname).is_file(): if not self.fake_fname: @@ -1142,8 +1141,8 @@ features to produce new behaviours. tout.info(f"Entry '{self._node.path}': Faked blob '{outfname}'") self.fake_fname = outfname self.faked = True - return self.fake_fname, True - return fname, False + return self.fake_fname + return fname def CheckFakedBlobs(self, faked_blobs_list): """Check if any entries in this section have faked external blobs @@ -1352,6 +1351,10 @@ features to produce new behaviours. os.mkdir(cls.fake_dir) tout.notice(f"Fake-blob dir is '{cls.fake_dir}'") + def drop_absent_optional(self) -> None: + """Entries don't have any entries, do nothing""" + pass + def ensure_props(self): """Raise an exception if properties are missing diff --git a/tools/binman/etype/blob.py b/tools/binman/etype/blob.py index 041e1122953..acd9ae34074 100644 --- a/tools/binman/etype/blob.py +++ b/tools/binman/etype/blob.py @@ -42,7 +42,7 @@ class Entry_blob(Entry): if fdt_util.GetBool(self._node, 'write-symbols'): self.auto_write_symbols = True - def ObtainContents(self, fake_size=0): + def ObtainContents(self, fake_size: int = 0) -> bool: self._filename = self.GetDefaultFilename() self._pathname = tools.get_input_filename(self._filename, self.external and (self.optional or self.section.GetAllowMissing())) @@ -50,10 +50,11 @@ class Entry_blob(Entry): if not self._pathname: if not fake_size and self.assume_size: fake_size = self.assume_size - self._pathname, faked = self.check_fake_fname(self._filename, - fake_size) + self._pathname = self.check_fake_fname(self._filename, fake_size) self.missing = True - if not faked: + if self.optional: + self.mark_absent("missing but optional") + if not self.faked: content_size = 0 if self.assume_size: # Ensure we get test coverage on next line content_size = self.assume_size diff --git a/tools/binman/etype/blob_ext_list.py b/tools/binman/etype/blob_ext_list.py index 1bfcf6733a7..a8b5a24c3a1 100644 --- a/tools/binman/etype/blob_ext_list.py +++ b/tools/binman/etype/blob_ext_list.py @@ -33,11 +33,11 @@ class Entry_blob_ext_list(Entry_blob): self._filenames = fdt_util.GetStringList(self._node, 'filenames') self._pathnames = [] - def ObtainContents(self): + def ObtainContents(self) -> bool: missing = False pathnames = [] for fname in self._filenames: - fname, _ = self.check_fake_fname(fname) + fname = self.check_fake_fname(fname) pathname = tools.get_input_filename( fname, self.external and self.section.GetAllowMissing()) # Allow the file to be missing diff --git a/tools/binman/etype/cbfs.py b/tools/binman/etype/cbfs.py index 124fa1e4ffc..5879f377231 100644 --- a/tools/binman/etype/cbfs.py +++ b/tools/binman/etype/cbfs.py @@ -276,7 +276,8 @@ class Entry_cbfs(Entry): for entry in self._entries.values(): entry.ListEntries(entries, indent + 1) - def GetEntries(self): + def GetEntries(self) -> dict[str, Entry]: + """Returns the entries (tree children) of this section""" return self._entries def ReadData(self, decomp=True, alt_format=None): diff --git a/tools/binman/etype/fit.py b/tools/binman/etype/fit.py index ed3cac4ee7e..db40479d30e 100644 --- a/tools/binman/etype/fit.py +++ b/tools/binman/etype/fit.py @@ -557,12 +557,15 @@ class Entry_fit(Entry_section): Raises: ValueError: Filename 'rsa2048.key' not found in input path ValueError: Multiple key paths found + ValueError: 'dir/rsa2048' is a path not a filename """ def _find_keys_dir(node): for subnode in node.subnodes: if (subnode.name.startswith('signature') or subnode.name.startswith('cipher')): hint = subnode.props['key-name-hint'].value + if '/' in hint: + self.Raise(f"'{hint}' is a path not a filename") name = tools.get_input_filename( f"{hint}.key" if subnode.name.startswith('signature') else f"{hint}.bin") diff --git a/tools/binman/etype/mkimage.py b/tools/binman/etype/mkimage.py index 6ae5d0c8a4f..75e59c3d3a3 100644 --- a/tools/binman/etype/mkimage.py +++ b/tools/binman/etype/mkimage.py @@ -205,7 +205,7 @@ class Entry_mkimage(Entry_section): self.record_missing_bintool(self.mkimage) return data - def GetEntries(self): + def GetEntries(self) -> dict[str, Entry]: # Make a copy so we don't change the original entries = OrderedDict(self._entries) if self._imagename: diff --git a/tools/binman/etype/section.py b/tools/binman/etype/section.py index 1d50bb47753..03c4f7c6ec7 100644 --- a/tools/binman/etype/section.py +++ b/tools/binman/etype/section.py @@ -537,7 +537,7 @@ class Entry_section(Entry): for entry in self._entries.values(): entry.WriteMap(fd, indent + 1) - def GetEntries(self): + def GetEntries(self) -> dict[str, Entry]: return self._entries def GetContentsByPhandle(self, phandle, source_entry, required): @@ -772,9 +772,17 @@ class Entry_section(Entry): todo) return True - def drop_absent(self): - """Drop entries which are absent""" - self._entries = {n: e for n, e in self._entries.items() if not e.absent} + def drop_absent_optional(self) -> None: + """Drop entries which are absent. + Call for all nodes in the tree. Leaf nodes will do nothing per + definition. Sections however have _entries and should drop all children + which are absent. + """ + self._entries = {n: e for n, e in self._entries.items() if not (e.absent and e.optional)} + # Drop nodes first before traversing children to avoid superfluous calls + # to children of absent nodes. + for e in self.GetEntries().values(): + e.drop_absent_optional() def _SetEntryOffsetSize(self, name, offset, size): """Set the offset and size of an entry diff --git a/tools/binman/etype/ti_secure.py b/tools/binman/etype/ti_secure.py index 420ee263e4f..f6caa0286d9 100644 --- a/tools/binman/etype/ti_secure.py +++ b/tools/binman/etype/ti_secure.py @@ -124,6 +124,7 @@ class Entry_ti_secure(Entry_x509_cert): 'OU': 'Processors', 'CN': 'TI Support', 'emailAddress': 'support@ti.com'} + self.debug = fdt_util.GetBool(self._node, 'debug', False) def ReadFirewallNode(self): self.firewall_cert_data['certificate'] = "" diff --git a/tools/binman/etype/ti_secure_rom.py b/tools/binman/etype/ti_secure_rom.py index f6fc3f90f84..7e90c655940 100644 --- a/tools/binman/etype/ti_secure_rom.py +++ b/tools/binman/etype/ti_secure_rom.py @@ -87,6 +87,7 @@ class Entry_ti_secure_rom(Entry_x509_cert): 'OU': 'Processors', 'CN': 'TI Support', 'emailAddress': 'support@ti.com'} + self.debug = fdt_util.GetBool(self._node, 'debug', False) def NonCombinedGetCertificate(self, required): """Generate certificate for legacy boot flow diff --git a/tools/binman/etype/u_boot_spl_pubkey_dtb.py b/tools/binman/etype/u_boot_spl_pubkey_dtb.py index cb196061de2..3061c4bcdc4 100644 --- a/tools/binman/etype/u_boot_spl_pubkey_dtb.py +++ b/tools/binman/etype/u_boot_spl_pubkey_dtb.py @@ -87,6 +87,8 @@ class Entry_u_boot_spl_pubkey_dtb(Entry_blob_dtb): dir=tools.get_output_dir())\ as pubkey_tdb: tools.write_file(pubkey_tdb.name, self.GetData()) + if '/' in self._key_name_hint: + self.Raise(f"'{self._key_name_hint}' is a path not a filename") keyname = tools.get_input_filename(self._key_name_hint + ".crt") self.fdt_add_pubkey.run(pubkey_tdb.name, os.path.dirname(keyname), diff --git a/tools/binman/etype/x509_cert.py b/tools/binman/etype/x509_cert.py index 25e6808b7f9..b6e8b0b4fb0 100644 --- a/tools/binman/etype/x509_cert.py +++ b/tools/binman/etype/x509_cert.py @@ -52,6 +52,7 @@ class Entry_x509_cert(Entry_collection): self.sysfw_inner_cert_ext_boot_block = None self.dm_data_ext_boot_block = None self.firewall_cert_data = None + self.debug = False def ReadNode(self): super().ReadNode() @@ -114,7 +115,8 @@ class Entry_x509_cert(Entry_collection): bootcore=self.bootcore, bootcore_opts=self.bootcore_opts, load_addr=self.load_addr, - sha=self.sha + sha=self.sha, + debug=self.debug ) elif type == 'rom-combined': stdout = self.openssl.x509_cert_rom_combined( @@ -140,7 +142,8 @@ class Entry_x509_cert(Entry_collection): hashval_sysfw_data=self.hashval_sysfw_data, sysfw_inner_cert_ext_boot_block=self.sysfw_inner_cert_ext_boot_block, dm_data_ext_boot_block=self.dm_data_ext_boot_block, - bootcore_opts=self.bootcore_opts + bootcore_opts=self.bootcore_opts, + debug=self.debug ) if stdout is not None: data = tools.read_file(output_fname) diff --git a/tools/binman/ftest.py b/tools/binman/ftest.py index 4cf7dfc8216..8225216fbec 100644 --- a/tools/binman/ftest.py +++ b/tools/binman/ftest.py @@ -84,6 +84,7 @@ FILES_DATA = (b"sorry I'm late\nOh, don't bother apologising, I'm " + b"sorry you're alive\n") COMPRESS_DATA = b'compress xxxxxxxxxxxxxxxxxxxxxx data' COMPRESS_DATA_BIG = COMPRESS_DATA * 2 +MISSING_DATA = b'missing' REFCODE_DATA = b'refcode' FSP_M_DATA = b'fsp_m' FSP_S_DATA = b'fsp_s' @@ -250,7 +251,7 @@ class TestFunctional(unittest.TestCase): # ATF and OP_TEE TestFunctional._MakeInputFile('bl31.elf', tools.read_file(cls.ElfTestFile('elf_sections'))) - TestFunctional._MakeInputFile('tee.elf', + TestFunctional.tee_elf_path = TestFunctional._MakeInputFile('tee.elf', tools.read_file(cls.ElfTestFile('elf_sections'))) # Newer OP_TEE file in v1 binary format @@ -514,9 +515,9 @@ class TestFunctional(unittest.TestCase): return dtb.GetContents() def _DoReadFileDtb(self, fname, use_real_dtb=False, use_expanded=False, - verbosity=None, map=False, update_dtb=False, - entry_args=None, reset_dtbs=True, extra_indirs=None, - threads=None): + verbosity=None, allow_fake_blobs=True, map=False, + update_dtb=False, entry_args=None, reset_dtbs=True, + extra_indirs=None, threads=None): """Run binman and return the resulting image This runs binman with a given test file and then reads the resulting @@ -534,6 +535,7 @@ class TestFunctional(unittest.TestCase): use_expanded: True to use expanded entries where available, e.g. 'u-boot-expanded' instead of 'u-boot' verbosity: Verbosity level to use (0-3, None=don't set it) + allow_fake_blobs: whether binman should fake missing ext blobs map: True to output map files for the images update_dtb: Update the offset and size of each entry in the device tree before packing it into the image @@ -571,7 +573,7 @@ class TestFunctional(unittest.TestCase): retcode = self._DoTestFile(fname, map=map, update_dtb=update_dtb, entry_args=entry_args, use_real_dtb=use_real_dtb, use_expanded=use_expanded, verbosity=verbosity, - extra_indirs=extra_indirs, + allow_fake_blobs=allow_fake_blobs, extra_indirs=extra_indirs, threads=threads) self.assertEqual(0, retcode) out_dtb_fname = tools.get_output_filename('u-boot.dtb.out') @@ -4017,7 +4019,7 @@ class TestFunctional(unittest.TestCase): self.assertEqual({ 'image-pos': 0, 'offset': 0, - 'size': 1890, + 'size': 1378, 'u-boot:image-pos': 0, 'u-boot:offset': 0, @@ -4025,7 +4027,7 @@ class TestFunctional(unittest.TestCase): 'fit:image-pos': 4, 'fit:offset': 4, - 'fit:size': 1840, + 'fit:size': 1328, 'fit/images/kernel:image-pos': 304, 'fit/images/kernel:offset': 300, @@ -4043,8 +4045,8 @@ class TestFunctional(unittest.TestCase): 'fit/images/fdt-1/u-boot-spl-dtb:offset': 0, 'fit/images/fdt-1/u-boot-spl-dtb:size': 6, - 'u-boot-nodtb:image-pos': 1844, - 'u-boot-nodtb:offset': 1844, + 'u-boot-nodtb:image-pos': 1332, + 'u-boot-nodtb:offset': 1332, 'u-boot-nodtb:size': 46, }, props) @@ -5210,13 +5212,15 @@ fdt fdtmap Extract the devicetree blob from the fdtmap def testExtblobList(self): """Test an image with an external blob list""" - data = self._DoReadFile('215_blob_ext_list.dts') - self.assertEqual(REFCODE_DATA + FSP_M_DATA, data) + data = self._DoReadFileDtb('215_blob_ext_list.dts', + allow_fake_blobs=False) + self.assertEqual(REFCODE_DATA + FSP_M_DATA, data[0]) def testExtblobListMissing(self): """Test an image with a missing external blob""" with self.assertRaises(ValueError) as e: - self._DoReadFile('216_blob_ext_list_missing.dts') + self._DoReadFileDtb('216_blob_ext_list_missing.dts', + allow_fake_blobs=False) self.assertIn("Filename 'missing-file' not found in input path", str(e.exception)) @@ -5224,7 +5228,7 @@ fdt fdtmap Extract the devicetree blob from the fdtmap """Test an image with an missing external blob that is allowed""" with terminal.capture() as (stdout, stderr): self._DoTestFile('216_blob_ext_list_missing.dts', - allow_missing=True) + allow_missing=True, allow_fake_blobs=False) err = stderr.getvalue() self.assertRegex(err, "Image 'image'.*missing.*: blob-ext") @@ -5766,10 +5770,10 @@ fdt fdtmap Extract the devicetree blob from the fdtmap def testFitSplitElfMissing(self): - """Test an split-elf FIT with a missing ELF file""" + """Test an split-elf FIT with a missing ELF file. Don't fake the file.""" if not elf.ELF_TOOLS: self.skipTest('Python elftools not available') - out, err = self.checkFitSplitElf(allow_missing=True) + out, err = self.checkFitSplitElf(allow_missing=True, allow_fake_blobs=False) self.assertRegex( err, "Image '.*' is missing external blobs and is non-functional: .*") @@ -6458,16 +6462,18 @@ fdt fdtmap Extract the devicetree blob from the fdtmap def testAbsent(self): """Check handling of absent entries""" data = self._DoReadFile('262_absent.dts') - self.assertEqual(U_BOOT_DATA + U_BOOT_IMG_DATA, data) + self.assertEqual(U_BOOT_DATA + b'aa' + U_BOOT_IMG_DATA, data) - def testPackTeeOsOptional(self): - """Test that an image with an optional TEE binary can be created""" + def testPackTeeOsElf(self): + """Test that an image with a TEE elf binary can be created""" entry_args = { 'tee-os-path': 'tee.elf', } + tee_path = self.tee_elf_path data = self._DoReadFileDtb('263_tee_os_opt.dts', entry_args=entry_args)[0] - self.assertEqual(U_BOOT_DATA + U_BOOT_IMG_DATA, data) + self.assertEqual(U_BOOT_DATA + tools.read_file(tee_path) + + U_BOOT_IMG_DATA, data) def checkFitTee(self, dts, tee_fname): """Check that a tee-os entry works and returns data @@ -6512,6 +6518,9 @@ fdt fdtmap Extract the devicetree blob from the fdtmap self.assertRegex( err, "Image '.*' is missing optional external blobs but is still functional: tee-os") + self.assertNotRegex( + err, + "Image '.*' has faked external blobs and is non-functional: tee-os") def testFitTeeOsOptionalFitBad(self): """Test an image with a FIT with an optional OP-TEE binary""" @@ -6537,7 +6546,15 @@ fdt fdtmap Extract the devicetree blob from the fdtmap "Node '/binman/fit/images/@tee-SEQ/tee-os': Invalid OP-TEE file: size mismatch (expected 0x4, have 0xe)", str(exc.exception)) - def testExtblobOptional(self): + def testExtblobMissingOptional(self): + """Test an image with an external blob that is optional""" + with terminal.capture() as (stdout, stderr): + data = self._DoReadFileDtb('266_blob_ext_opt.dts', + allow_fake_blobs=False)[0] + self.assertEqual(REFCODE_DATA, data) + self.assertNotIn(MISSING_DATA, data) + + def testExtblobFakedOptional(self): """Test an image with an external blob that is optional""" with terminal.capture() as (stdout, stderr): data = self._DoReadFile('266_blob_ext_opt.dts') @@ -6546,6 +6563,9 @@ fdt fdtmap Extract the devicetree blob from the fdtmap self.assertRegex( err, "Image '.*' is missing optional external blobs but is still functional: missing") + self.assertNotRegex( + err, + "Image '.*' has faked external blobs and is non-functional: missing") def testSectionInner(self): """Test an inner section with a size""" @@ -6726,7 +6746,7 @@ fdt fdtmap Extract the devicetree blob from the fdtmap node = dtb.GetNode('/configurations/conf-missing-tee-1') self.assertEqual('atf-1', node.props['firmware'].value) - self.assertEqual(['u-boot', 'atf-2'], + self.assertEqual(['u-boot', 'tee', 'atf-2'], fdt_util.GetStringList(node, 'loadables')) def testTooldir(self): @@ -7290,6 +7310,13 @@ fdt fdtmap Extract the devicetree blob from the fdtmap tools.to_bytes(''.join(node.props['key'].value))) self.assertNotIn('key-source', node.props) + def testKeyNameHintIsPathSplPubkeyDtb(self): + """Test that binman errors out on key-name-hint being a path""" + with self.assertRaises(ValueError) as e: + self._DoReadFile('348_key_name_hint_dir_spl_pubkey_dtb.dts') + self.assertIn( + 'Node \'/binman/u-boot-spl-pubkey-dtb\': \'keys/key\' is a path not a filename', + str(e.exception)) def testSplPubkeyDtb(self): """Test u_boot_spl_pubkey_dtb etype""" @@ -7963,6 +7990,24 @@ fdt fdtmap Extract the devicetree blob from the fdtmap entry_args=entry_args, extra_indirs=[test_subdir])[0] + def testKeyNameHintIsPathSimpleFit(self): + """Test that binman errors out on key-name-hint being a path""" + if not elf.ELF_TOOLS: + self.skipTest('Python elftools not available') + entry_args = { + 'of-list': 'test-fdt1', + 'default-dt': 'test-fdt1', + 'atf-bl31-path': 'bl31.elf', + } + test_subdir = os.path.join(self._indir, TEST_FDT_SUBDIR) + with self.assertRaises(ValueError) as e: + self._DoReadFileDtb( + '347_key_name_hint_dir_fit_signature.dts', + entry_args=entry_args, + extra_indirs=[test_subdir]) + self.assertIn( + 'Node \'/binman/fit\': \'keys/rsa2048\' is a path not a filename', + str(e.exception)) def testSimpleFitEncryptedData(self): """Test an image with a FIT containing data to be encrypted""" @@ -8020,5 +8065,29 @@ fdt fdtmap Extract the devicetree blob from the fdtmap self._DoTestFile('346_remove_template.dts', force_missing_bintools='openssl',) + def testBootphPropagation(self): + """Test that bootph-* properties are propagated correctly to supernodes""" + _, _, _, out_dtb_fname = self._DoReadFileDtb( + '347_bootph_prop.dts', use_real_dtb=True, update_dtb=True) + dtb = fdt.Fdt(out_dtb_fname) + dtb.Scan() + root = dtb.GetRoot() + parent_node = root.FindNode('dummy-parent') + subnode1 = parent_node.FindNode('subnode-1') + subnode2 = subnode1.FindNode('subnode-2') + subnode3 = subnode1.FindNode('subnode-3') + subnode4 = subnode3.FindNode('subnode-4') + + self.assertIn('bootph-some-ram', subnode1.props, + "Child node is missing 'bootph-some-ram' property") + self.assertIn('bootph-all', subnode1.props, + "Child node is missing 'bootph-all' property") + self.assertIn('bootph-some-ram', parent_node.props, + "Parent node is missing 'bootph-some-ram' property") + self.assertIn('bootph-all', parent_node.props, + "Parent node is missing 'bootph-all' property") + self.assertEqual(len(subnode4.props), 0, + "subnode shouldn't have any properties") + if __name__ == "__main__": unittest.main() diff --git a/tools/binman/image.py b/tools/binman/image.py index 24ce0af7c72..698cfa4148e 100644 --- a/tools/binman/image.py +++ b/tools/binman/image.py @@ -183,6 +183,8 @@ class Image(section.Entry_section): fname = tools.get_output_filename(self._filename) tout.info("Writing image to '%s'" % fname) with open(fname, 'wb') as fd: + # For final image, don't write absent blobs to file + self.drop_absent_optional() data = self.GetPaddedData() fd.write(data) tout.info("Wrote %#x bytes" % len(data)) diff --git a/tools/binman/missing-blob-help b/tools/binman/missing-blob-help index ab0023eb9fb..d2ed35bef4d 100644 --- a/tools/binman/missing-blob-help +++ b/tools/binman/missing-blob-help @@ -14,15 +14,6 @@ atf-bl31-sunxi: Please read the section on ARM Trusted Firmware (ATF) in board/sunxi/README.sunxi64 -scp-sunxi: -SCP firmware is required for system suspend, but is otherwise optional. -Please read the section on SCP firmware in board/sunxi/README.sunxi64 - -iot2050-seboot: -See the documentation for IOT2050 board. Your image is missing SEBoot -which is mandatory for board startup. Prebuilt SEBoot located at -meta-iot2050/tree/master/recipes-bsp/u-boot/files/prebuild/seboot_pg*.bin. - iot2050-otpcmd: See the documentation for IOT2050 board. Your image is missing OTP command data block which is used for provisioning the customer keys to the board. @@ -31,22 +22,62 @@ meta-iot2050/tree/master/recipes-bsp/secure-boot-otp-provisioning/files/make-otp for how to generate this binary. If you are not using secure boot or do not intend to provision the keys, disable CONFIG_IOT2050_EMBED_OTPCMD. +iot2050-seboot: +See the documentation for IOT2050 board. Your image is missing SEBoot +which is mandatory for board startup. Prebuilt SEBoot located at +meta-iot2050/tree/master/recipes-bsp/u-boot/files/prebuild/seboot_pg*.bin. + k3-rti-wdt-firmware: If CONFIG_WDT_K3_RTI_LOAD_FW is enabled, a firmware image is needed for the R5F core(s) to trigger the system reset. One possible source is https://github.com/siemens/k3-rti-wdt. +opensbi: +See the documentation for your board. The OpenSBI git repo is at +https://github.com/riscv/opensbi.git +You may need to build fw_dynamic.bin first and re-build u-boot with +OPENSBI=/path/to/fw_dynamic.bin + rockchip-tpl: An external TPL is required to initialize DRAM. Get the external TPL binary and build with ROCKCHIP_TPL=/path/to/ddr.bin. One possible source for the external TPL binary is https://github.com/rockchip-linux/rkbin. +scp-sunxi: +SCP firmware is required for system suspend, but is otherwise optional. +Please read the section on SCP firmware in board/sunxi/README.sunxi64 + +sysfw-inner-cert: +You are missing the inner certificate for TI's Foundational Security (TIFS) +firmware which is critical to authenticating the TIFS firmware during boot. +HS-FS and HS-SE parts will not boot without this certificate. + +Have a look at your board's documentation to find and include the latest +TIFS certificate blobs and how to include them in the build. + + https://docs.u-boot.org/en/latest/board/ti/k3.html + tee-os: See the documentation for your board. You may need to build Open Portable Trusted Execution Environment (OP-TEE) and build with TEE=/path/to/tee.bin -opensbi: -See the documentation for your board. The OpenSBI git repo is at -https://github.com/riscv/opensbi.git -You may need to build fw_dynamic.bin first and re-build u-boot with -OPENSBI=/path/to/fw_dynamic.bin +ti-dm: +You are missing TI's Device Management (DM) firmware which is critical to +provide resource and power management services for your board. Your board +will not boot without this firmware. + +Have a look at your board's documentation to find the latest version of +the DM firmware binary and how to include it in the build. + + https://docs.u-boot.org/en/latest/board/ti/k3.html + +ti-fs-enc.bin: +You are missing TI's Foundational Security (TIFS) firmware which is +critical to provide foundational security services like authenticated boot, +and firewall management for the SoC. Your board will not boot without +this firmware. + +Have a look at your board's documentation to find the latest version of the +TIFS firmware binary and how to include them in the build. + + https://docs.u-boot.org/en/latest/board/ti/k3.html diff --git a/tools/binman/test/170_fit_fdt.dts b/tools/binman/test/170_fit_fdt.dts index 0197ffd1597..4b1e9b41ec0 100644 --- a/tools/binman/test/170_fit_fdt.dts +++ b/tools/binman/test/170_fit_fdt.dts @@ -15,6 +15,20 @@ fit,fdt-list = "of-list"; images { + atf { + description = "atf firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; + uboot { + description = "U-Boot firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; kernel { description = "Vanilla Linux kernel"; type = "kernel"; diff --git a/tools/binman/test/220_fit_subentry_bintool.dts b/tools/binman/test/220_fit_subentry_bintool.dts index 6e29d41eeb3..b1d8fb0feae 100644 --- a/tools/binman/test/220_fit_subentry_bintool.dts +++ b/tools/binman/test/220_fit_subentry_bintool.dts @@ -12,7 +12,7 @@ #address-cells = <1>; images { - test { + kernel { description = "Something using a bintool"; type = "kernel"; arch = "arm"; diff --git a/tools/binman/test/223_fit_fdt_oper.dts b/tools/binman/test/223_fit_fdt_oper.dts index e630165acf4..cb3b31e36f6 100644 --- a/tools/binman/test/223_fit_fdt_oper.dts +++ b/tools/binman/test/223_fit_fdt_oper.dts @@ -15,6 +15,20 @@ fit,fdt-list = "of-list"; images { + atf { + description = "atf firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; + uboot { + description = "U-Boot firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; kernel { description = "Vanilla Linux kernel"; type = "kernel"; diff --git a/tools/binman/test/284_fit_fdt_list.dts b/tools/binman/test/284_fit_fdt_list.dts index 8885313f5b8..70cdb326708 100644 --- a/tools/binman/test/284_fit_fdt_list.dts +++ b/tools/binman/test/284_fit_fdt_list.dts @@ -15,6 +15,20 @@ fit,fdt-list-val = "test-fdt1", "test-fdt2"; images { + atf { + description = "atf firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; + uboot { + description = "U-Boot firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; kernel { description = "Vanilla Linux kernel"; type = "kernel"; diff --git a/tools/binman/test/333_fit_fdt_dir.dts b/tools/binman/test/333_fit_fdt_dir.dts index aa778451a4b..71971de4232 100644 --- a/tools/binman/test/333_fit_fdt_dir.dts +++ b/tools/binman/test/333_fit_fdt_dir.dts @@ -15,6 +15,20 @@ fit,fdt-list-dir = "fdts"; images { + atf { + description = "atf firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; + uboot { + description = "U-Boot firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; kernel { description = "Vanilla Linux kernel"; type = "kernel"; diff --git a/tools/binman/test/334_fit_fdt_compat.dts b/tools/binman/test/334_fit_fdt_compat.dts index 3bf45c710db..bf1b5a4a94a 100644 --- a/tools/binman/test/334_fit_fdt_compat.dts +++ b/tools/binman/test/334_fit_fdt_compat.dts @@ -15,6 +15,20 @@ fit,fdt-list = "of-list"; images { + atf { + description = "atf firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; + uboot { + description = "U-Boot firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; kernel { description = "Vanilla Linux kernel"; type = "kernel"; diff --git a/tools/binman/test/335_fit_fdt_phase.dts b/tools/binman/test/335_fit_fdt_phase.dts index f8d0740a394..c20bcad651a 100644 --- a/tools/binman/test/335_fit_fdt_phase.dts +++ b/tools/binman/test/335_fit_fdt_phase.dts @@ -15,6 +15,20 @@ fit,fdt-list = "of-list"; images { + atf { + description = "atf firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; + uboot { + description = "U-Boot firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; kernel { description = "Vanilla Linux kernel"; type = "kernel"; diff --git a/tools/binman/test/345_fit_fdt_name.dts b/tools/binman/test/345_fit_fdt_name.dts index 631a8e5f59b..0ef2e1934a0 100644 --- a/tools/binman/test/345_fit_fdt_name.dts +++ b/tools/binman/test/345_fit_fdt_name.dts @@ -15,6 +15,20 @@ fit,fdt-list = "of-list"; images { + atf { + description = "atf firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; + uboot { + description = "U-Boot firmware"; + type = "firmware"; + compression = "none"; + load = <00000000>; + entry = <00000000>; + }; kernel { description = "Vanilla Linux kernel"; type = "kernel"; diff --git a/tools/binman/test/347_bootph_prop.dts b/tools/binman/test/347_bootph_prop.dts new file mode 100644 index 00000000000..91d4e4ad600 --- /dev/null +++ b/tools/binman/test/347_bootph_prop.dts @@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; +/ { + dummy-parent { + subnode-1 { + subnode-2 { + bootph-all; + }; + subnode-3 { + bootph-some-ram; + subnode-4 { + }; + }; + }; + }; + + binman: binman { + }; +}; + diff --git a/tools/binman/test/347_key_name_hint_dir_fit_signature.dts b/tools/binman/test/347_key_name_hint_dir_fit_signature.dts new file mode 100644 index 00000000000..96e2126dadb --- /dev/null +++ b/tools/binman/test/347_key_name_hint_dir_fit_signature.dts @@ -0,0 +1,98 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + fit { + description = "test desc"; + #address-cells = <1>; + fit,fdt-list = "of-list"; + fit,sign; + + images { + u-boot { + description = "test u-boot"; + type = "standalone"; + arch = "arm64"; + os = "u-boot"; + compression = "none"; + load = <0x00000000>; + entry = <0x00000000>; + + u-boot-nodtb { + }; + + hash { + algo = "sha256"; + }; + + signature { + algo = "sha256,rsa2048"; + key-name-hint = "keys/rsa2048"; + }; + }; + @atf-SEQ { + fit,operation = "split-elf"; + description = "test tf-a"; + type = "firmware"; + arch = "arm64"; + os = "arm-trusted-firmware"; + compression = "none"; + fit,load; + fit,entry; + fit,data; + + atf-bl31 { + }; + + hash { + algo = "sha256"; + }; + + signature { + algo = "sha256,rsa2048"; + key-name-hint = "keys/rsa2048"; + }; + }; + @fdt-SEQ { + description = "test fdt"; + type = "flat_dt"; + compression = "none"; + + hash { + algo = "sha256"; + }; + + signature { + algo = "sha256,rsa2048"; + key-name-hint = "keys/rsa2048"; + }; + }; + }; + + configurations { + default = "@conf-uboot-DEFAULT-SEQ"; + @conf-uboot-SEQ { + description = "uboot config"; + fdt = "fdt-SEQ"; + fit,firmware = "u-boot"; + fit,loadables; + + hash { + algo = "sha256"; + }; + + signature { + algo = "sha256,rsa2048"; + key-name-hint = "keys/rsa2048"; + sign-images = "firmware", "loadables", "fdt"; + }; + }; + }; + }; + }; +}; diff --git a/tools/binman/test/348_key_name_hint_dir_spl_pubkey_dtb.dts b/tools/binman/test/348_key_name_hint_dir_spl_pubkey_dtb.dts new file mode 100644 index 00000000000..85ebd58b6c0 --- /dev/null +++ b/tools/binman/test/348_key_name_hint_dir_spl_pubkey_dtb.dts @@ -0,0 +1,16 @@ +// SPDX-License-Identifier: GPL-2.0+ + +/dts-v1/; + +/ { + #address-cells = <1>; + #size-cells = <1>; + + binman { + u-boot-spl-pubkey-dtb { + algo = "sha384,rsa4096"; + required = "conf"; + key-name-hint = "keys/key"; + }; + }; +}; diff --git a/tools/buildman/builder.py b/tools/buildman/builder.py index 6538a3d296f..9516e25e215 100644 --- a/tools/buildman/builder.py +++ b/tools/buildman/builder.py @@ -631,10 +631,13 @@ class Builder: Args: commit_upto: Commit number to use (0..self.count-1) target: Target name + + Return: + str: Output directory to use, or '' if None """ output_dir = self.get_output_dir(commit_upto) if self.work_in_output: - return output_dir + return output_dir or '' return os.path.join(output_dir, target) def get_done_file(self, commit_upto, target): @@ -1683,7 +1686,7 @@ class Builder: """ thread_dir = self.get_thread_dir(thread_num) builderthread.mkdir(thread_dir) - git_dir = os.path.join(thread_dir, '.git') + git_dir = os.path.join(thread_dir, '.git') if thread_dir else None # Create a worktree or a git repo clone for this thread if it # doesn't already exist diff --git a/tools/buildman/builderthread.py b/tools/buildman/builderthread.py index b4cb66397bb..371708c8a98 100644 --- a/tools/buildman/builderthread.py +++ b/tools/buildman/builderthread.py @@ -31,12 +31,14 @@ def mkdir(dirname, parents=False): """Make a directory if it doesn't already exist. Args: - dirname (str): Directory to create + dirname (str): Directory to create, or None to do nothing parents (bool): True to also make parent directories Raises: OSError: File already exists """ + if not dirname or os.path.exists(dirname): + return try: if parents: os.makedirs(dirname) @@ -45,8 +47,8 @@ def mkdir(dirname, parents=False): except OSError as err: if err.errno == errno.EEXIST: if os.path.realpath('.') == os.path.realpath(dirname): - print(f"Cannot create the current working directory '{dirname}'!") - sys.exit(1) + raise ValueError( + f"Cannot create the current working directory '{dirname}'!") else: raise @@ -55,7 +57,7 @@ def _remove_old_outputs(out_dir): """Remove any old output-target files Args: - out_dir (str): Output directory for the build + out_dir (str): Output directory for the build, or None for current dir Since we use a build directory that was previously used by another board, it may have produced an SPL image. If we don't remove it (i.e. @@ -63,7 +65,7 @@ def _remove_old_outputs(out_dir): output of this build, even if it does not produce SPL images. """ for elf in BASE_ELF_FILENAMES: - fname = os.path.join(out_dir, elf) + fname = os.path.join(out_dir or '', elf) if os.path.exists(fname): os.remove(fname) @@ -191,9 +193,11 @@ class BuilderThread(threading.Thread): Args: brd (Board): Board to create arguments for - out_dir (str): Path to output directory containing the files + out_dir (str): Path to output directory containing the files, or + or None to not use a separate output directory out_rel_dir (str): Output directory relative to the current dir - work_dir (str): Directory to which the source will be checked out + work_dir (str): Directory to which the source will be checked out, + or None to use current directory commit_upto (int): Commit number to build (0...n-1) Returns: @@ -204,22 +208,22 @@ class BuilderThread(threading.Thread): """ args = [] cwd = work_dir - src_dir = os.path.realpath(work_dir) - if not self.builder.in_tree: - if commit_upto is None: - # In this case we are building in the original source directory - # (i.e. the current directory where buildman is invoked. The - # output directory is set to this thread's selected work - # directory. - # - # Symlinks can confuse U-Boot's Makefile since we may use '..' - # in our path, so remove them. + src_dir = os.path.realpath(work_dir) if work_dir else os.getcwd() + if commit_upto is None: + # In this case we are building in the original source directory + # (i.e. the current directory where buildman is invoked. The + # output directory is set to this thread's selected work + # directory. + # + # Symlinks can confuse U-Boot's Makefile since we may use '..' + # in our path, so remove them. + if out_dir: real_dir = os.path.realpath(out_dir) args.append(f'O={real_dir}') - cwd = None - src_dir = os.getcwd() - else: - args.append(f'O={out_rel_dir}') + cwd = None + src_dir = os.getcwd() + elif out_rel_dir: + args.append(f'O={out_rel_dir}') if self.builder.verbose_build: args.append('V=1') else: @@ -397,7 +401,8 @@ class BuilderThread(threading.Thread): config_only (bool): Only configure the source, do not build it adjust_cfg (list of str): See the cfgutil module and run_commit() commit (Commit): Commit only being built - out_dir (str): Output directory for the build + out_dir (str): Output directory for the build, or None to use + current out_rel_dir (str): Output directory relatie to the current dir result (CommandResult): Previous result @@ -409,7 +414,8 @@ class BuilderThread(threading.Thread): """ # Set up the environment and command line env = self.builder.make_environment(self.toolchain) - mkdir(out_dir) + if out_dir and not os.path.exists(out_dir): + mkdir(out_dir) args, cwd, src_dir = self._build_args(brd, out_dir, out_rel_dir, work_dir, commit_upto) @@ -419,7 +425,7 @@ class BuilderThread(threading.Thread): _remove_old_outputs(out_dir) # If we need to reconfigure, do that now - cfg_file = os.path.join(out_dir, '.config') + cfg_file = os.path.join(out_dir or '', '.config') cmd_list = [] if do_config or adjust_cfg: result = self._reconfigure( @@ -627,7 +633,7 @@ class BuilderThread(threading.Thread): # Extract the environment from U-Boot and dump it out cmd = [f'{self.toolchain.cross}objcopy', '-O', 'binary', '-j', '.rodata.default_environment', - 'env/built-in.o', 'uboot.env'] + 'env/built-in.a', 'uboot.env'] command.run_one(*cmd, capture=True, capture_stderr=True, cwd=result.out_dir, raise_on_error=False, env=env) if not work_in_output: diff --git a/tools/buildman/buildman.rst b/tools/buildman/buildman.rst index 5fa7b277cb8..8c45a841024 100644 --- a/tools/buildman/buildman.rst +++ b/tools/buildman/buildman.rst @@ -1333,6 +1333,14 @@ To build a particular target, rather than the default U-Boot target, use the `--target` option. This is unlikely to be useful unless you are building a single board. +Buildman normally builds out-of-tree, meaning that the source directory is not +disturbed by the build. Use `-i` to do an in-tree build instead. Note that this +does not affect the source directory, since buildman creates a separate git +'worktree' for each board. This means that it is possible to do an in-tree +build of an entire branch, or even a 'current source' build for multiple boards. +As a special case, you can use `-wi` to do an in-tree build in the current +directory. + Build summary ------------- diff --git a/tools/buildman/control.py b/tools/buildman/control.py index 4c9489126c1..4dedd333551 100644 --- a/tools/buildman/control.py +++ b/tools/buildman/control.py @@ -390,7 +390,7 @@ def get_boards_obj(output_dir, regen_board_list, maintainer_check, full_check, read it in. Args: - output_dir (str): Output directory to use + output_dir (str): Output directory to use, or None to use current dir regen_board_list (bool): True to just regenerate the board list maintainer_check (bool): True to just run a maintainer check full_check (bool): True to just run a full check of Kconfig and @@ -414,9 +414,9 @@ def get_boards_obj(output_dir, regen_board_list, maintainer_check, full_check, return 2 return 0 - if not os.path.exists(output_dir): + if output_dir and not os.path.exists(output_dir): os.makedirs(output_dir) - board_file = os.path.join(output_dir, 'boards.cfg') + board_file = os.path.join(output_dir or '', 'boards.cfg') if regen_board_list and regen_board_list != '-': board_file = regen_board_list @@ -501,7 +501,7 @@ def adjust_args(args, series, selected): def setup_output_dir(output_dir, work_in_output, branch, no_subdirs, col, - clean_dir): + in_tree, clean_dir): """Set up the output directory Args: @@ -509,6 +509,7 @@ def setup_output_dir(output_dir, work_in_output, branch, no_subdirs, col, work_in_output (bool): True to work in the output directory branch (str): Name of branch to build, or None if none no_subdirs (bool): True to put the output in the top-level output dir + in_tree (bool): True if doing an in-tree build clean_dir: Used for tests only, indicates that the existing output_dir should be removed before starting the build @@ -516,9 +517,11 @@ def setup_output_dir(output_dir, work_in_output, branch, no_subdirs, col, str: Updated output directory pathname """ if not output_dir: - if work_in_output: - sys.exit(col.build(col.RED, '-w requires that you specify -o')) output_dir = '..' + if work_in_output: + if not in_tree: + sys.exit(col.build(col.RED, '-w requires that you specify -o')) + output_dir = None if branch and not no_subdirs: # As a special case allow the board directory to be placed in the # output directory itself rather than any subdirectory. @@ -751,7 +754,7 @@ def do_buildman(args, toolchains=None, make_func=None, brds=None, output_dir = setup_output_dir( args.output_dir, args.work_in_output, args.branch, - args.no_subdirs, col, clean_dir) + args.no_subdirs, col, args.in_tree, clean_dir) # Work out what subset of the boards we are building if not brds: diff --git a/tools/fit_image.c b/tools/fit_image.c index caed8d5f901..8717dc9a3b1 100644 --- a/tools/fit_image.c +++ b/tools/fit_image.c @@ -24,6 +24,65 @@ static struct legacy_img_hdr header; +static int fit_estimate_hash_sig_size(struct image_tool_params *params, const char *fname) +{ + bool signing = IMAGE_ENABLE_SIGN && (params->keydir || params->keyfile); + struct stat sbuf; + void *fdt; + int fd; + int estimate = 0; + int depth, noffset; + const char *name; + + fd = mmap_fdt(params->cmdname, fname, 0, &fdt, &sbuf, false, true); + if (fd < 0) + return -EIO; + + /* + * Walk the FIT image, looking for nodes named hash* and + * signature*. Since the interesting nodes are subnodes of an + * image or configuration node, we are only interested in + * those at depth exactly 3. + * + * The estimate for a hash node is based on a sha512 digest + * being 64 bytes, with another 64 bytes added to account for + * fdt structure overhead (the tags and the name of the + * "value" property). + * + * The estimate for a signature node is based on an rsa4096 + * signature being 512 bytes, with another 512 bytes to + * account for fdt overhead and the various other properties + * (hashed-nodes etc.) that will also be filled in. + * + * One could try to be more precise in the estimates by + * looking at the "algo" property and, in the case of + * configuration signatures, the sign-images property. Also, + * when signing an already created FIT image, the hash nodes + * already have properly sized value properties, so one could + * also take pre-existence of "value" properties in hash nodes + * into account. But this rather simple approach should work + * well enough in practice. + */ + for (depth = 0, noffset = fdt_next_node(fdt, 0, &depth); + noffset >= 0 && depth > 0; + noffset = fdt_next_node(fdt, noffset, &depth)) { + if (depth != 3) + continue; + + name = fdt_get_name(fdt, noffset, NULL); + if (!strncmp(name, FIT_HASH_NODENAME, strlen(FIT_HASH_NODENAME))) + estimate += 128; + + if (signing && !strncmp(name, FIT_SIG_NODENAME, strlen(FIT_SIG_NODENAME))) + estimate += 1024; + } + + munmap(fdt, sbuf.st_size); + close(fd); + + return estimate; +} + static int fit_add_file_data(struct image_tool_params *params, size_t size_inc, const char *tmpfile) { @@ -627,6 +686,7 @@ static int fit_import_data(struct image_tool_params *params, const char *fname) struct stat sbuf; int ret; int images; + int confs; int node; fd = mmap_fdt(params->cmdname, fname, 0, &old_fdt, &sbuf, false, false); @@ -695,6 +755,43 @@ static int fit_import_data(struct image_tool_params *params, const char *fname) } } + confs = fdt_path_offset(fdt, FIT_CONFS_PATH); + static const char * const props[] = { FIT_KERNEL_PROP, + FIT_RAMDISK_PROP, + FIT_FDT_PROP, + FIT_LOADABLE_PROP, + FIT_FPGA_PROP, + FIT_FIRMWARE_PROP, + FIT_SCRIPT_PROP}; + + fdt_for_each_subnode(node, fdt, confs) { + const char *conf_name = fdt_get_name(fdt, node, NULL); + + for (int i = 0; i < ARRAY_SIZE(props); i++) { + int count = fdt_stringlist_count(fdt, node, props[i]); + + if (count < 0) + continue; + + for (int j = 0; j < count; j++) { + const char *img_name = + fdt_stringlist_get(fdt, node, props[i], j, NULL); + if (!img_name || !*img_name) + continue; + + int img = fdt_subnode_offset(fdt, images, img_name); + + if (img < 0) { + fprintf(stderr, + "Error: configuration '%s' references undefined image '%s' in property '%s'\n", + conf_name, img_name, props[i]); + ret = FDT_ERR_NOTFOUND; + goto err_munmap; + } + } + } + } + munmap(old_fdt, sbuf.st_size); /* Close the old fd so we can re-use it. */ @@ -750,7 +847,7 @@ static int fit_handle_file(struct image_tool_params *params) char bakfile[MKIMAGE_MAX_TMPFILE_LEN + 4] = {0}; char cmd[MKIMAGE_MAX_DTC_CMDLINE_LEN]; size_t size_inc; - int ret; + int ret = EXIT_FAILURE; /* Flattened Image Tree (FIT) format handling */ debug ("FIT format handling\n"); @@ -806,16 +903,16 @@ static int fit_handle_file(struct image_tool_params *params) rename(tmpfile, bakfile); /* - * Set hashes for images in the blob. Unfortunately we may need more - * space in either FDT, so keep trying until we succeed. - * - * Note: this is pretty inefficient for signing, since we must - * calculate the signature every time. It would be better to calculate - * all the data and then store it in a separate step. However, this - * would be considerably more complex to implement. Generally a few - * steps of this loop is enough to sign with several keys. + * Set hashes for images in the blob and compute + * signatures. We do an attempt at estimating the expected + * extra size, but just in case that is not sufficient, keep + * trying adding 1K, with a reasonable upper bound of 64K + * total, until we succeed. */ - for (size_inc = 0; size_inc < 64 * 1024; size_inc += 1024) { + size_inc = fit_estimate_hash_sig_size(params, bakfile); + if (size_inc < 0) + goto err_system; + do { if (copyfile(bakfile, tmpfile) < 0) { printf("Can't copy %s to %s\n", bakfile, tmpfile); ret = -EIO; @@ -824,7 +921,8 @@ static int fit_handle_file(struct image_tool_params *params) ret = fit_add_file_data(params, size_inc, tmpfile); if (!ret || ret != -ENOSPC) break; - } + size_inc += 1024; + } while (size_inc < 64 * 1024); if (ret) { fprintf(stderr, "%s Can't add hashes to FIT blob: %d\n", @@ -854,7 +952,7 @@ static int fit_handle_file(struct image_tool_params *params) err_system: unlink(tmpfile); unlink(bakfile); - return -1; + return ret; } /** diff --git a/tools/image-host.c b/tools/image-host.c index a9b86902763..21dd7f2d922 100644 --- a/tools/image-host.c +++ b/tools/image-host.c @@ -19,7 +19,7 @@ #include <openssl/evp.h> #endif -#if CONFIG_IS_ENABLED(IMAGE_PRE_LOAD) +#if CONFIG_IS_ENABLED(IMAGE_PRE_LOAD) && CONFIG_IS_ENABLED(LIBCRYPTO) #include <openssl/rsa.h> #include <openssl/err.h> #endif @@ -1416,7 +1416,7 @@ int fit_check_sign(const void *fit, const void *key, } #endif -#if CONFIG_IS_ENABLED(IMAGE_PRE_LOAD) +#if CONFIG_IS_ENABLED(IMAGE_PRE_LOAD) && CONFIG_IS_ENABLED(LIBCRYPTO) /** * rsa_verify_openssl() - Verify a signature against some data with openssl API * diff --git a/tools/imx8image.c b/tools/imx8image.c index a333ded46e2..cad55fd3cf2 100644 --- a/tools/imx8image.c +++ b/tools/imx8image.c @@ -1146,7 +1146,7 @@ int imx8image_copy_image(int outfd, struct image_tool_params *mparams) fprintf(stdout, "CONTAINER SW VERSION:\t0x%04x\n", sw_version); build_container(soc, sector_size, emmc_fastboot, - img_sp, false, fuse_version, sw_version, outfd); + img_sp, dcd_skip, fuse_version, sw_version, outfd); return 0; } diff --git a/tools/mkimage.c b/tools/mkimage.c index 2954626a283..361711c53b2 100644 --- a/tools/mkimage.c +++ b/tools/mkimage.c @@ -519,8 +519,13 @@ int main(int argc, char **argv) */ retval = tparams->fflag_handle(¶ms); - if (retval != EXIT_SUCCESS) + if (retval != EXIT_SUCCESS) { + if (retval == FDT_ERR_NOTFOUND) { + // Already printed error, exit cleanly + exit(EXIT_FAILURE); + } usage("Bad parameters for FIT image type"); + } } if (params.lflag || params.fflag) { diff --git a/tools/rmboard.py b/tools/rmboard.py index 594fd89b8d7..21d68c57261 100755 --- a/tools/rmboard.py +++ b/tools/rmboard.py @@ -112,8 +112,7 @@ def rm_board(board): rm_kconfig_include(fname) # Remove unwanted files - cmd = ['git', 'rm', '-r'] + real - stdout = command.output(*cmd, capture=True) + stdout = command.output('git', 'rm', '-r', *real) ## Change the messages as needed msg = '''arm: Remove %s board @@ -130,7 +129,8 @@ Remove it. # Check if the board is mentioned anywhere else. The user will need to deal # with this - print(command.output('git', 'grep', '-il', board, raise_on_error=False)) + cmd = ['git', 'grep', '-il', board] + print(command.output(*cmd, raise_on_error=False)) print(' '.join(cmd)) for board in sys.argv[1:]: diff --git a/tools/termios_linux.h b/tools/termios_linux.h index 0806a91180a..0e5a5c475b5 100644 --- a/tools/termios_linux.h +++ b/tools/termios_linux.h @@ -32,13 +32,13 @@ #include <asm/ioctls.h> #include <asm/termbits.h> -#if defined(BOTHER) && defined(TCGETS2) +#if defined(BOTHER) && defined(TCGETS2) && !defined(__powerpc64__) #define termios termios2 #endif static inline int tcgetattr(int fd, struct termios *t) { -#if defined(BOTHER) && defined(TCGETS2) +#if defined(BOTHER) && defined(TCGETS2) && !defined(__powerpc64__) return ioctl(fd, TCGETS2, t); #else return ioctl(fd, TCGETS, t); @@ -50,7 +50,7 @@ static inline int tcsetattr(int fd, int a, const struct termios *t) int cmd; switch (a) { -#if defined(BOTHER) && defined(TCGETS2) +#if defined(BOTHER) && defined(TCGETS2) && !defined(__powerpc64__) case TCSANOW: cmd = TCSETS2; break; |