Commit Graph

769 Commits

Author SHA1 Message Date
Eugen Hristev
d98b5df418 boot/at91bootstrap3: add BR2_TARGET_AT91BOOTSTRAP3_NEEDS_PYTHON3
Some at91bootstrap3 configurations now use Python scripts on the host
for NAND/PMEC related utilities. In order to be able to use those
scripts, this commit adds a new
BR2_TARGET_AT91BOOTSTRAP3_NEEDS_PYTHON3 which allows to express the
need for host-python3 as a dependency to build at91bootstrap3.

Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
[Thomas: this was extracted from a patch from Eugen adding
at91bootstrap 4.x support.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-19 11:21:00 +02:00
Thomas Petazzoni
7abfdeea12 boot/at91bootstrap3: bump 3.x series to 3.10.2
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-19 11:20:51 +02:00
Eugen Hristev
e009816c67 boot/at91bootstrap3: add support for at91bootstrap 4.x series
The project at https://github.com/linux4sam/at91bootstrap was until
now releasing 3.x versions, which were packaged using
boot/at91bootstrap3/ in Buildroot. Microchip has now started a new
branch of at91bootstrap, called 4.x, which will only support the
following devices: sam9x60, sama5d2, sama5d3, sama5d4, sama7g5. A
number of older devices from Microchip will only be supported by the
existing 3.x series.

Therefore, we cannot simply remove support for the 3.x series, and
allow using only the 4.x series.

So what this commit does is extend the boot/at91bootstrap3 package to
support building both 3.x and 4.x versions. In detail, this implies:

 * Having the BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION symbol point to
   the latest 4.x version. Indeed, we want
   BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION to really point to the
   latest upstream version, even if that means potential breakage for
   users. Users who want to use a fixed version of at91bootstrap
   should anyway not be using
   BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION.

 * Introduce BR2_TARGET_AT91BOOTSTRAP3_LATEST_VERSION_3X for users who
   would like to use the latest 3.x series.

 * Adjust the installation logic, as images to install are now in
   build/binaries/*.bin instead of binaries/*.bin. In order to not
   have to differentiate 3.x and 4.x, we simply use $(wildcard ...) to
   expand the list of files to install.

 * To make it clear that boot/at91bootstrap3 supports both 3.x and
   4.x, we also update the prompt of the package.

at911bootstrap does not carry a license file; so far we were using
main.c as the license file, as it carries the license blurb. Now that we
have a known alternate version, we would need a per-version hash for
that file. However, this is a bit too cumbersome to handle, so just drop
using main.c as the license file. When upstream introduces a proper
license file, we can revisit the situation.

Update the two defconfigs that were using the upstream 3.9.3 version;
all other defconfigs are using custom tarballs or custom git trees.

Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
[Thomas: while this patch is based on previous work by Eugen, it was
reworked quite significantly.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
  - drop main.c as license file, explain why
  - update the two defconfigs
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-19 11:15:29 +02:00
Dick Olsson
1074a37e78 boot/edk2: new package
EDK2 is a modern, feature-rich, cross-platform firmware development
environment for the UEFI and PI specifications.

The initial version of this bootloader package makes it possible to
build firmware for the following seven configurations:

 * QEMU x86-64 pc machine
 * QEMU aarch64 virt machine, booting directly from flash
 * QEMU aarch64 virt machine, booting via the kernel protocol
 * QEMU aarch64 sbsa-ref machine
 * ARM FVP vexpress machine
 * Socionext SynQuacer Developerbox
 * SolidRun MacchiatoBin

Support the use of EDK2 UEFI payloads as BL33 in ARM Trusted Firmware.

Signed-off-by: Dick Olsson <hi@senzilla.io>
[yann.morin.1998@free.fr:
  - duplicate defaults in Config.in
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-17 16:52:33 +02:00
Peter Korsgaard
448910b017 boot/opensbi: only check/reference COPYING.BSD when _LATEST_VERSION is used
With the addition of support for custom opensbi version in commit
5c7166d387 (boot/opensbi: add support for version configuration), we can no
longer be sure that the license file name / hash will be correct in all
cases, so only specify COPYING.BSD when _LATEST_VERSION is used, similar to
how we do it for the Linux kernel.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-13 09:48:32 +02:00
Peter Korsgaard
ace8179deb boot/opensbi: move patches to 0.9/ subdir to only apply when the 0.9 version is selected
With the addition of support for custom opensbi version in commit
5c7166d387 (boot/opensbi: add support for version configuration), we can no
longer be sure that the Buildroot patches can be applied - So move them to a
0.9 subdir to ensure they are only applied when the _LATEST_VERSION is used.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-13 09:48:24 +02:00
Fabrice Fontaine
2f7582538f boot/opensbi: unconditionally disable SSP
Fix build failure raised since commit
810ba387be

Fixes:
 - https://gitlab.com/kubu93/buildroot/-/jobs/1247043359

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-12 09:43:18 +02:00
Peter Korsgaard
49453aea90 boot/Config.in: fix beaglev-ddrinit include after rename
Commit 3b551f68a5 (boot/beaglev-ddrlnit: rename to beaglev-ddrinit to
match renamed upstream repo) forgot to update the include in boot/Config.in,
breaking menuconfig.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-11 09:09:07 +02:00
Peter Korsgaard
3b551f68a5 boot/beaglev-ddrlnit: rename to beaglev-ddrinit to match renamed upstream repo
And adjust DEVELOPERS and beaglev_defconfig to match.

The typo in the repo name has now been fixed:

https://github.com/starfive-tech/beagle_ddrinit/issues/6

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-10 22:04:38 +02:00
Fabrice Fontaine
0a8e568c65 boot/opensbi: bump to version 0.9
https://github.com/riscv/opensbi/releases/tag/v0.9

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-05-10 09:00:33 +02:00
Thomas Petazzoni
6e746d27c0 boot/beaglev-secondboot: new package
This packages allows to build the first stage bootloader used on the
BeagleV, which is used even before the DDR initialization and
OpenSBI/U-Boot. Yes, "secondboot" is strange for what is the first
stage bootloader, but that's the upstream name.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
[yann.morin.1998@free.fr:
  - add hash file
  - commit is HEAD only right now, so don't reference HEAD
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-07 23:11:33 +02:00
Thomas Petazzoni
c3dd9ebae0 boot/beaglev-ddrlnit: new package
This commit adds a package for the DDR initialization code used on the
BeagleV platform.

The typo in the package name is upstream's typo, and we just keep it.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
[yann.morin.1998@free.fr:
  - upstream name is beaglev_ddrlnit, not *init (keep their typo)
  - rename package and variables accordingly
  - the referenced commit is no longer the HEAD of said branch
  - add a hash file
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-07 23:10:37 +02:00
Thomas Petazzoni
24010550be boot/opensbi: add options to enable/disable image installation
Until now, whenever a BR2_TARGET_OPENSBI_PLAT value was specified,
opensbi.mk was assuming that both fw_jump and fw_dynamic would be
produced. However, this is not the case: the OpenSBI per-platform
config.mk can decide which image to build.

As an example, the config.mk for VIC7100-based BeagleV only enables
producing the fw_payload image.

This commit adds three options to enable the installation of images:
one for fw_jump, one for fw_dynamic, one for fw_payload.

The options for fw_jump and fw_dynamic are "default y" when
BR2_TARGET_OPENSBI_PLAT is not empty, to preserve existing behavior.

The option for fw_payload is forcefully selected when either Linux or
U-Boot are selected as payloads.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-07 22:29:02 +02:00
Thomas Petazzoni
fe1353020e boot/opensbi: allow using U-Boot as a payload
The opensbi package already allows to use Linux as a payload for
OpenSBI, but in some cases, U-Boot as payload is useful. This commit
adds a BR2_TARGET_OPENSBI_UBOOT_PAYLOAD option, modeled after the
existing BR2_TARGET_OPENSBI_LINUX_PAYLOAD.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-30 09:49:15 +02:00
Thomas Petazzoni
5c7166d387 boot/opensbi: add support for version configuration
OpenSBI contains platform-specific code, so very much like Linux,
U-Boot or other bootloaders, using the upstream version of OpenSBI
will very often not be sufficient.

This commit therefore adds the possibility of specifying a custom
version of OpenSBI, either custom from upstream, custom tarball, or
custom from Git. Support for other version control systems has not
been implemented for now, but could be added later if needed.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-30 09:46:21 +02:00
Thomas Petazzoni
3887e8c095 boot/at91bootstrap: add legal information
The old at91bootstrap version (1.x) uses a strange variant of the BSD
license, called "BSD Source Code Attribution" and referenced by SPDX
as BSD-Source-Code.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-04-20 23:00:55 +02:00
Fabio Estevam
bd62da59b9 boot/uboot: bump to version 2021.04
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-04-20 21:31:49 +02:00
Thomas Petazzoni
1988ebd36c boot/shim: re-enable on ARM32
shim 15.4 builds just fine on ARM32.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 11:46:09 +02:00
Thomas Petazzoni
55c524d46f boot/shim: bump to version 15.4
- Use the tarball provided by upstream developers instead of the one
  generated by Github. Indeed
  https://github.com/rhboot/shim/releases/tag/15.4 indicates "As
  usual, please use the shim-15.4.tar.bz2 tarball, rather than the
  other two archives github automatically produces."

- The tarball now includes the gnu-efi code, so we no longer need to
  select gnu-efi and have it as a build dependency. We continue to use
  BR2_PACKAGE_GNU_EFI_ARCH_SUPPORTS as we still only build for those
  architectures that have gnu-efi support. We also drop the
  EFI_INCLUDE, EFI_PATH and LIBDIR variables, as gnu-efi no longer
  needs to be searched in STAGING_DIR.

- Drop all four patches, which were backports from upstream.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 11:45:17 +02:00
Thomas Petazzoni
4239eff73b boot/shim: fix build issues with gcc 9.x
Backport a set of upstream patches to fix:

MokManager.c: In function ‘write_back_mok_list’:
MokManager.c:1081:19: error: taking address of packed member of ‘struct <anonymous>’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
 1081 |   if (CompareGuid(&(list[i].Type), &X509_GUID) == 0)
      |                   ^~~~~~~~~~~~~~~
MokManager.c:1103:19: error: taking address of packed member of ‘struct <anonymous>’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
 1103 |   if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) {
      |                   ^~~~~~~~~~~~~~~
MokManager.c: In function ‘delete_cert’:
MokManager.c:1144:19: error: taking address of packed member of ‘struct <anonymous>’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
 1144 |   if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0)
      |                   ^~~~~~~~~~~~~~
MokManager.c: In function ‘delete_hash_in_list’:
MokManager.c:1195:20: error: taking address of packed member of ‘struct <anonymous>’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
 1195 |   if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
      |                    ^~~~~~~~~~~~~~
MokManager.c: In function ‘delete_keys’:
MokManager.c:1359:19: error: taking address of packed member of ‘struct <anonymous>’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
 1359 |   if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) {
      |                   ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [<builtin>: MokManager.o] Error 1

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 11:44:57 +02:00
Thomas Petazzoni
888f47cbce boot/shim: fix build issue due to gnu-efi
shim fails to build with:

console.c:448:5: error: ‘EFI_WARN_UNKOWN_GLYPH’ undeclared here (not in a function); did you mean ‘EFI_WARN_UNKNOWN_GLYPH’?
  448 |  {  EFI_WARN_UNKOWN_GLYPH,      L"Warning Unknown Glyph"},
      |     ^~~~~~~~~~~~~~~~~~~~~
      |     EFI_WARN_UNKNOWN_GLYPH
make[2]: *** [<builtin>: console.o] Error 1
make[2]: *** Waiting for unfinished jobs....

Backport upstream commit d230d02f990f02293736dca78b108f86c86d1bd0 to
resolve this issue.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 11:44:06 +02:00
Thomas Petazzoni
a490687571 boot/grub2: ignore the last 3 remaining CVEs
An analysis of the last 3 remaining CVEs that are reported to affect
the grub2 package has allowed to ensure that we can safely ignore
them:

 * CVE-2020-14372 is already fixed by a patch we have in our patch
   stack for grub2

 * CVE-2019-14865 and CVE-2020-15705 are both distro-specific and do
   not affect grub2 upstream, nor grub2 with the stack of patches we
   have in Buildroot

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-04-06 09:36:48 +02:00
Peter Seiderer
a9f94d7aba boot/syslinux: fix gcc-10.x compile
Add two patches ([1], [2]) taken from the fedora syslinux package ([3]) to fix
compile/linking with gcc-10.x compiler.

[1] https://src.fedoraproject.org/rpms/syslinux/raw/rawhide/f/0005-Workaround-multiple-definition-of-symbol-errors.patch
[2] https://src.fedoraproject.org/rpms/syslinux/raw/rawhide/f/0006-Replace-builtin-strlen-that-appears-to-get-optimized.patch
[3] https://src.fedoraproject.org/rpms/syslinux/tree/rawhide

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-03-20 23:01:38 +01:00
Thomas Petazzoni
a7143fb316 toolchain: drop old BR2_TOOLCHAIN_HAS_BINUTILS_BUG_* options
The BR2_TOOLCHAIN_HAS_BINUTILS_BUG_19615 and
BR2_TOOLCHAIN_HAS_BINUTILS_BUG_20006 options were last selected by the
BR2_TOOLCHAIN_EXTERNAL_CODESOURCERY_AMD64 toolchain, but this
toolchain has been removed as part of commit
d87e114a8f in August 2020.

It's time to get rid of those two options that are never enabled.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-15 20:43:30 +01:00
Stefan Sørensen
1bad507220 boot/grub2: Backport 2021/03/02 securify fixes
Details: https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html

As detailed in commit 7e64a050fb, it is
difficult to utilize the upstream patches directly, so a number of
patches include changes to generated files so that we don't need invoke
the gentpl.py script.

In addition to the security fixes, these required patches has been
backported:

  f76a27996 efi: Make shim_lock GUID and protocol type public
  04ae030d0 efi: Return grub_efi_status_t from grub_efi_get_variable()
  ac5c93675 efi: Add a function to read EFI variables with attributes
  d7e54b2e5 efi: Add secure boot detection

The following security issues are fixed:

CVE-2020-14372 grub2: The acpi command allows privileged user to load crafted
               ACPI tables when Secure Boot is enabled
CWE-184
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

GRUB2 enables the use of the command acpi even when Secure Boot is signaled by
the firmware. An attacker with local root privileges to can drop a small SSDT
in /boot/efi and modify grub.cfg to instruct grub to load said SSDT. The SSDT
then gets run by the kernel and it overwrites the kernel lock down configuration
enabling the attacker to load unsigned kernel modules and kexec unsigned code.

Reported-by: Máté Kukri

*******************************************************************************

CVE-2020-25632 grub2: Use-after-free in rmmod command
CWE-416
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

The rmmod implementation for GRUB2 is flawed, allowing an attacker to unload
a module used as dependency without checking if any other dependent module is
still loaded. This leads to an use-after-free scenario possibly allowing an
attacker to execute arbitrary code and by-pass Secure Boot protections.

Reported-by: Chris Coulson (Canonical)

*******************************************************************************

CVE-2020-25647 grub2: Out-of-bound write in grub_usb_device_initialize()
CWE-787
6.9/CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

grub_usb_device_initialize() is called to handle USB device initialization. It
reads out the descriptors it needs from the USB device and uses that data to
fill in some USB data structures. grub_usb_device_initialize() performs very
little bounds checking and simply assumes the USB device provides sane values.
This behavior can trigger memory corruption. If properly exploited, this would
lead to arbitrary code execution allowing the attacker to by-pass Secure Boot
mechanism.

Reported-by: Joseph Tartaro (IOActive) and Ilja van Sprundel (IOActive)

*******************************************************************************

CVE-2020-27749 grub2: Stack buffer overflow in grub_parser_split_cmdline
CWE-121
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

grub_parser_split_cmdline() expands variable names present in the supplied
command line in to their corresponding variable contents and uses a 1kB stack
buffer for temporary storage without sufficient bounds checking. If the
function is called with a command line that references a variable with a
sufficiently large payload, it is possible to overflow the stack buffer,
corrupt the stack frame and control execution. An attacker may use this to
circumvent Secure Boot protections.

Reported-by: Chris Coulson (Canonical)

*******************************************************************************

CVE-2020-27779 grub2: The cutmem command allows privileged user to remove
               memory regions when Secure Boot is enabled
CWE-285
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

The GRUB2's cutmem command does not honor Secure Boot locking. This allows an
privileged attacker to remove address ranges from memory creating an
opportunity to circumvent Secure Boot protections after proper triage about
grub's memory layout.

Reported-by: Teddy Reed

*******************************************************************************

CVE-2021-3418 - grub2: GRUB 2.05 reintroduced CVE-2020-15705
CWE-281
6.4/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2 upstream reintroduced the CVE-2020-15705. This refers to a distro
specific flaw which made upstream in the mentioned version.

If certificates that signed GRUB2 are installed into db, GRUB2 can be booted
directly. It will then boot any kernel without signature validation. The booted
kernel will think it was booted in Secure Boot mode and will implement lock
down, yet it could have been tampered.

This flaw only affects upstream and distributions using the shim_lock verifier.

Reported-by: Dimitri John Ledkov (Canonical)

*******************************************************************************

CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

The option parser in GRUB2 allows an attacker to write past the end of
a heap-allocated buffer by calling certain commands with a large number
of specific short forms of options.

Reported-by: Daniel Axtens (IBM)

*******************************************************************************

CVE-2021-20233 grub2: Heap out-of-bound write due to mis-calculation of
               space required for quoting
CWE-787
7.5/CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

There's a flaw on GRUB2 menu rendering code setparam_prefix() in the menu
rendering code performs a length calculation on the assumption that expressing
a quoted single quote will require 3 characters, while it actually requires
4 characters. This allow an attacker to corrupt memory by one byte for each
quote in the input.

Reported-by: Daniel Axtens (IBM)

*******************************************************************************

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-14 08:24:24 +01:00
Nicolas Toromanoff
3cf8173e5c boot/uboot: fix kconfig with per-package directories and host-make
If PER_PACKAGE_DIRECTORIES=Y and using host-make package (because
BR2_FORCE_HOST_BUILD=Y or local make is too old) .stamp_dotconfig
target needs per-package/uboot/host/bin/host-make that doesn't
exist yet.

Add host-make into UBOOT_KCONFIG_DEPENDENCIES.

Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-13 09:08:48 +01:00
Peter Korsgaard
a56be0d30f Merge branch 'next'
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-03-08 08:06:00 +01:00
Edgar Bonet
7108838386 boot/at91bootstrap3: fix checksum of license
Commit ca1604388a updated the checksum of
the tarball, but failed to update the one of main.c, which serves as a
license file.

Signed-off-by: Edgar Bonet <bonet@grenoble.cnrs.fr>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-07 21:42:24 +01:00
Etienne Carriere
80d1bc9b19 boot/optee-os: bump to version 3.12.0
Bump OP-TEE OS package version to OP-TEE release 3.12.0.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-03-06 23:32:37 +01:00
Bartosz Bilas
4c488c7385 boot/barebox: bump version to 2021.01.0
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-23 13:43:32 +01:00
Francois Perrad
399432d60f uboot: fix binman with a new dependency
since 2021.01, tools/binman is broken.
tools/binman/control.py imports pkg_resources
the module pkg_resources is supplied by setuptools,
so this new dependency is required.

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-12 09:46:27 +01:00
Fabrice Fontaine
0aa8533213 boot/at91bootstrap3: add CPE variables
cpe:2.3🅰️linux_sam:at91bootstrap is a valid CPE identifier for this
package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Alinux_sam%3Aat91bootstrap

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-23 21:34:38 +01:00
Fabrice Fontaine
4b6202f721 Replace LIBFOO_CPE_ID_NAME by LIBFOO_CPE_ID_PRODUCT
Replace LIBFOO_CPE_ID_NAME by LIBFOO_CPE_ID_PRODUCT to better "comply"
with the official "Well-Formed CPE Name Data Model" parameters:
 - https://csrc.nist.gov/publications/detail/nistir/7695/final
 - https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-21 22:43:24 +01:00
Michael Walle
05e6d35fe7 boot/uboot: bump to version 2021.01
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-18 22:48:45 +01:00
Yann E. MORIN
7bbf17f359 boot/barebox, package/linux-headers: carry site-method archive format version when overriding _SOURCE
Commit 5b95a5dc2 (support/download: change format of archives generated
from git) changed the way the archives generated from git repositories
are named, adding a "format-version" identifier right between the
package version and the file extension.

Commit c043ecb20 (support/download: change format of archives generated
from svn) did so for archives generated from a subversion checkout.

However, for a few packages, we manually force the _SOURCE variable,
because we want to share the archive with another package, to avoid
downloading and storing those archives twice. This is the case for:

  - linux-headers and linux
  - barebox-aux and barebox

When the generated tarballs were renamed with the aforementioned
commits, those packages were not updated accordingly.

Fix that by manually propagating the per-site-method format-version.

Reported-by: "Stephane Viau (OSS)" <stephane.viau@oss.nxp.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: "Stephane Viau (OSS)" <stephane.viau@oss.nxp.com>
Cc: Arnout Vandecappelle <arnout@mind.be>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-18 22:39:14 +01:00
Fabrice Fontaine
aa10748fd7 boot/shim: add SHIM_CPE_ID_VENDOR
cpe:2.3🅰️redhat:shim is a valid CPE identifier for this package:

  https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe%3A2.3%3Aa%3Aredhat%3Ashim

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-01-17 17:14:25 +01:00
Bartosz Bilas
1f763042f9 boot/barebox: bump version to 2020.11.0
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-16 23:10:42 +01:00
Bin Meng
3fccb15705 boot/uboot: introduce BR2_TARGET_UBOOT_NEEDS_OPENSBI
Some RISC-V platforms (such as SiFive HiFive Unleashed) encapsulate
the OpenSBI firmware image inside U-Boot.

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-16 22:41:19 +01:00
Yann E. MORIN
5b95a5dc27 support/download: change format of archives generated from git
Switch to using the tarball helper, that can generate reproducible
archives whatever the tar version >= 1.27.

However, those archives are not identical to the previous ones generated
in the (now-broken) gnu format.

To avoid any clashing between old and new archives, and new and old
Buildroot versions, we need to name the new generated archives
differently from the existing ones.

So, we bump the git-specific format-version to -br1.

The %ci date  has been supported by git back to 1.6.0, released August
2008); it is not strictly ISO8601, but is still accepted as a PAX date
header. The strict ISO8601 placeholder, %cI, was only introduced with
2.2.0, release in November 2014, so too recent to be widely available.

As the format and the names of the archives changes, we need to update
all the hash files with the new names and hashes.

Of all the bootloaders that have a git download method, vexpress-firmware
is the only one to have a hash. Others have no hash files, or they have
explicitly set BR_NO_CHECK_HASH_FOR.

For the packages, linux-headers is the special snowflake, as the git
download is only for custom git tree, so it is excluded from the hash
verification with BR_NO_CHECK_HASH_FOR.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Vincent Fazio <vfazio@xes-inc.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Reviewed-by: Vincent Fazio <vfazio@xes-inc.com>

    ---8<------8<------8<------8<---
    #!/bin/sh
    # Find and download all packages using git as backend.
    # Manually fix hashes for affected packages.

    # Packages that only have a host variant
    HOST_ONLY='imx-mkimage|mxsldr|netsurf-buildsystem|opkg-utils|prelink-cross|qoriq-rcw|vboot-utils'

    # Packages that have a non-git main _SOURCE, and/or which
    # have BR_NO_CHECK_HASH_FOR for the git _SOURCE
    NOT_GIT='aufs|aufs-util|xenomai|linux-headers'

    export BR2_DL_DIR=$(pwd)/temp-dl-dir

    make defconfig
    make $( git grep -l -E 'SITE_METHOD[[:space:]]*:?=[[:space:]]*git\>|_SITE[[:space:]]*:?=[[:space:]]*git:' \
                boot/vexpress-firmware/ package/ \
            |sed -r -e 's,.*/([^/]+)\.mk,\1,' \
            |sed -r -e '/^('"${NOT_GIT}"')$/d;' \
                    -e 's/^('"${HOST_ONLY}"')/host-\1/;' \
                    -e 's/$/-legal-info/;'
          )

    ---8<------8<------8<------8<---
2021-01-10 22:06:58 +01:00
Matt Weber
63332c33aa package: provide CPE ID details for numerous packages
This patch adds CPE ID information for a significant number of
packages.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-04 21:43:54 +01:00
Vincent Stehlé
754dc0d933 boot/boot-wrapper-aarch64: bump version
Bump bootwrapper to the latest version.

Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-01-02 18:42:57 +01:00
D. Olsson
2cfdf8b8a2 boot/mv-ddr-marvell: Bump to HEAD as of 20201207
Rebase on the mv-ddr-devel branch as the release branches are no longer
maintained.

Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-30 10:29:05 +01:00
D. Olsson
d8705587dc boot/arm-trusted-firmware: Bump to version 2.4
Required in order to build properly with the latest stable release of
EDK2 UEFI firmware.

Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-30 10:29:05 +01:00
Jules Maselbas
1c1a629d81 boot/barebox: kconfig needs the toolchain
In barebox v2020.09.0, kconfig has been updated to a newer version
based on Linux 5.9-rc2.  As in linux, kconfig can call the compiler
to test its capabilities.

We have no way to know if a custom version would require it or not,
so we just unconditionally depend on the toolchain

Signed-off-by: Jules Maselbas <jmaselbas@kalray.eu>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-29 23:53:43 +01:00
Yann E. MORIN
bd560b6da5 boot/lpc32xxcdl: switch upstream location
The upstream git tree has disappeared, but a ZIP file is still hosted
somewhere at NXP. The content of that zip file has been verified to be
100% identical to the tarball we hosted on s.b.o.

As this is a zip file, we can't use the generic extract commands, and
must come up with our own. As such, it no longer makes sense to fix the
CRLF as a post-extract hook; this is moved to the extract command.

Add a hash file while at it.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-12-29 18:11:49 +01:00
Christoph Müllner
7b3fcbcdaa boot/arm-trusted-firmware: Forward stack protection configuration
TF-A supports stack smashing protection (-fstack-protector-*).
However, that feature is currently silently disabled because
ENABLE_STACK_PROTECTOR is not set during build time.

As documented in the TF-A user guide, the flag ENABLE_STACK_PROTECTOR
is required to enable stack protection support. When enabled the symbols
for the stack protector (e.g. __stack_chk_guard) are built.
This needs to be done because TF-A does not link against an external
library that provides that symbols (e.g. libc).

So in case we see that BR2_SSP_* is enabled, let's enable the corresponding
ENABLE_STACK_PROTECTOR build flag for TF-A as documented in the TF-A user guide.

This patch also fixes a the following linker errors with older TF-A versions
if BR2_SSP_* is enabled (i.e. -fstack-protector-* is used as compiler flag)
and ENABLE_STACK_PROTECTOR is not set, which are caused by the missing
stack protector symbols:

  [...]
  params_setup.c:(.text.params_early_setup+0xc): undefined reference to `__stack_chk_guard'
  aarch64-none-linux-gnu-ld: params_setup.c:(.text.params_early_setup+0x14): undefined reference to `__stack_chk_guard'
  aarch64-none-linux-gnu-ld: params_setup.c:(.text.params_early_setup+0x104): undefined reference to `__stack_chk_guard'
  aarch64-none-linux-gnu-ld: params_setup.c:(.text.params_early_setup+0x118): undefined reference to `__stack_chk_fail'
  aarch64-none-linux-gnu-ld: ./build/px30/release/bl31/pmu.o: in function `rockchip_soc_sys_pwr_dm_suspend':
  pmu.c:(.text.rockchip_soc_sys_pwr_dm_suspend+0xc): undefined reference to `__stack_chk_guard'
  [...]

TF-A releases after Nov 2019, that include 7af195e29a4, will circumvent
these issue by explicitliy and silently disabling the stack protector
by appending '-fno-stack-protector' to the compiler flags in case
ENABLE_STACK_PROTECTOR is not set.

Tested on a Rockchip PX30 based system (TF-A v2.2 and upstream/master).

Signed-off-by: Christoph Müllner <christoph.muellner@theobroma-systems.com>
Reviewed-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-12-15 21:24:48 +01:00
Garret Kelly
1271867831 boot/uboot: fix custom repo error message
When using a custom git or mercurial repository for u-boot the error message
indicating a version had not been provided incorrectly stated that the URL was
missing. Update the error message to indicate that it's the version that's
missing.

Signed-off-by: Garret Kelly <garret.kelly@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-16 21:30:56 +01:00
Etienne Carriere
ae102ee750 boot/optee-os: bump to version 3.11.0
Bump OP-TEE OS package version to OP-TEE release 3.11.0.

Remove patches since merged in OP-TEE OS 3.11.0

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-31 22:58:17 +01:00
Shlomi Vaknin
5d277d20cc boot/uboot: add stm32 binary format
Add `.stm32` binary format that U-Boot generates for the trusted
configuration of STM32MP platforms.

Signed-off-by: Shlomi Vaknin <shlomi.39sd@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-13 22:41:41 +02:00
Pierre-Jean Texier
ca51bc479c boot/uboot: bump to version 2020.10
See: https://lists.denx.de/pipermail/u-boot/2020-October/428516.html

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-08 23:27:19 +02:00
Matt Weber
db2b684126 package/uboot-tools: migrate BR2_TARGET_UBOOT_BOOT_SCRIPT from U-Boot pkg
For consistancy and dependencies between uboot and uboot-tools,
this patch migrates the script creation over in a similar way as
the env image creation.

Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-10-06 23:37:48 +02:00
Matt Weber
78559d699a package/uboot-tools: migrate BR2_TARGET_UBOOT_ENVIMAGE from U-Boot pkg
Migrating the support for this feature to uboot-tools to gain the
ability to build env files when BR2_TARGET_UBOOT isn't selected.

When _ENVIMAGE_SOURCE is not set, we generate a default environment.
However, this default depends on the U-Boot configuration. Therefore,
this can only be done if uboot itself is built as well, and
host-uboot-tools needs to depend on uboot.

For the same reason, the commands for creating the environment have to
be adapted a little. Take this occasion to drastically simplify them.

Note: This patch creates a circular dependency with uboot until the
similar migration patch is merged for uboot scripts

Cc: Arnout Vandecappelle <arnout@mind.be>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2020-10-06 23:37:47 +02:00
Bartosz Bilas
61484dd823 boot/uboot/Config.in: sort uboot's format extensions alphabetically
It's easier to locate given format when it's sorted.

Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-06 21:13:19 +02:00
Peter Seiderer
3cc2534b57 boot/barebox: fix target bareboxenv command compile
The buildroot custom bareboxenv compile command misses the additional
include path 'scripts/include' to gain access to the local copy of the
kernel header files (which leads to compile error when using an older
toolchain).

This could be fixed by enhancing the custom bareboxenv compile command
(see [1]) or by using the barebox build system by simply enabling the
CONFIG_BAREBOXENV_TARGET option (available since April 2012, see [2])
instead (as suggested by Yann E. MORIN).

Fixes (with BR2_TARGET_BAREBOX_BAREBOXENV enabled):

  build/barebox-2019.12.0/scripts/bareboxenv.c💯10: fatal error: linux/list.h: No such file or directory

[1] http://lists.busybox.net/pipermail/buildroot/2020-January/270942.html
[2] https://git.pengutronix.de/cgit/barebox/commit/?id=afb03d7a554a2911a3742e316f011319fcb416f1

Note: a user who would previously provide a barebox config file which
had CONFIG_BAREBOXENV_TARGET=y, but a Buildroot config file which did
not have BR2_TARGET_BAREBOX_BAREBOXENV=y, would have bareboxenv-target
built, but it would not be installed in the target. Now, and unset
BR2_TARGET_BAREBOX_BAREBOXENV will not even build it, but his is not a
regression: it was anyway previously not installed.

Reported-by: Frederick Gotham <cauldwell.thomas@gmail.com>
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[yann.morin.1998@free.fr:
  - also explicitly disable it when not selected
  - rewrap commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-10-04 21:30:36 +02:00
Bartosz Bilas
0281811d37 boot/barebox: bump version to 2020.09.0
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-10-01 21:51:40 +02:00
Thomas Petazzoni
1c967e2c8c boot/afboot-stm32: fix build with gcc 10
This commit adds a patch that passes -fno-builtin to fix the build
with gcc 10. The patch has been submitted upstream.

There are no autobuilder failures, since it's a bootloader package,
and therefore not tested by the autobuilders. However, a build failure
was detected when building toolchains and a minimal ARMv7-M system at
https://gitlab.com/bootlin/toolchains-builder/-/jobs/729359529.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-09-10 20:26:27 +02:00
Bartosz Bilas
4069d930f0 boot/barebox: bump version to 2020.08.1
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-07 21:30:33 +02:00
Thomas Petazzoni
336b4a639a Merge branch 'master' into next 2020-08-12 16:49:22 +02:00
Dick Olsson
0d61dde674 boot/optee-os: depend on host-python3
Recent versions of OP-TEE depend on Python 3. Currently, OP-TEE is
building with the Python interpreter provided by the user. This patch
includes an upstream patch that makes the interpreter configurable,
and makes use of this configuration with host-python3.

Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-09 00:13:41 +02:00
Thomas Petazzoni
ca1604388a boot/at91bootstrap3: bump version to 3.9.3
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-07 12:00:32 +02:00
Brandon Maier
43dc2007a9 boot/uboot: Fix kconfig to use $(BR2_MAKE)
U-Boot must use $(BR2_MAKE) as it uses a Make feature from v4.0. We
already use $(BR2_MAKE) in the BUILD_CMDS, but the kconfig commands
still uses $(MAKE). Without this fix, building U-Boot with kconfig will
fail with the following cryptic error.

> Makefile:37: *** missing separator.  Stop.

Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-08-06 22:41:31 +02:00
Eugen Hristev
33003a47c5 boot/at91bootstrap3: enable for cortexa7
Enable this bootloader for cortex a7 based SoCs: support for the
sama7g5 SoC is now in upstream at91bootstrap3, and it is a Cortex-A7
based SoC.

Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-05 14:36:36 +02:00
Stefan Sørensen
2f7a8021b5 boot/grub2: Backport Boothole securify fixes
Details: https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html

Fixes the following security issues:

 * CVE-2020-10713
   A flaw was found in grub2, prior to version 2.06. An attacker may
   use the GRUB 2 flaw to hijack and tamper the GRUB verification
   process. This flaw also allows the bypass of Secure Boot
   protections. In order to load an untrusted or modified kernel, an
   attacker would first need to establish access to the system such as
   gaining physical access, obtain the ability to alter a pxe-boot
   network, or have remote access to a networked system with root
   access. With this access, an attacker could then craft a string to
   cause a buffer overflow by injecting a malicious payload that leads
   to arbitrary code execution within GRUB. The highest threat from
   this vulnerability is to data confidentiality and integrity as well
   as system availability.

 * CVE-2020-14308
   In grub2 versions before 2.06 the grub memory allocator doesn't
   check for possible arithmetic overflows on the requested allocation
   size. This leads the function to return invalid memory allocations
   which can be further used to cause possible integrity,
   confidentiality and availability impacts during the boot process.

 * CVE-2020-14309
   There's an issue with grub2 in all versions before 2.06 when
   handling squashfs filesystems containing a symbolic link with name
   length of UINT32 bytes in size. The name size leads to an
   arithmetic overflow leading to a zero-size allocation further
   causing a heap-based buffer overflow with attacker controlled data.

 * CVE-2020-14310
   An integer overflow in read_section_from_string may lead to a heap
   based buffer overflow.

 * CVE-2020-14311
   An integer overflow in grub_ext2_read_link may lead to a heap-based
   buffer overflow.

 * CVE-2020-15706
   GRUB2 contains a race condition in grub_script_function_create()
   leading to a use-after-free vulnerability which can be triggered by
   redefining a function whilst the same function is already
   executing, leading to arbitrary code execution and secure boot
   restriction bypass

 * CVE-2020-15707
   Integer overflows were discovered in the functions grub_cmd_initrd
   and grub_initrd_init in the efilinux component of GRUB2, as shipped
   in Debian, Red Hat, and Ubuntu (the functionality is not included
   in GRUB2 upstream), leading to a heap-based buffer overflow. These
   could be triggered by an extremely large number of arguments to the
   initrd command on 32-bit architectures, or a crafted filesystem
   with very large files on any architecture. An attacker could use
   this to execute arbitrary code and bypass UEFI Secure Boot
   restrictions. This issue affects GRUB2 version 2.04 and prior
   versions.

Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-08-03 13:38:49 +02:00
Bartosz Bilas
7485f46d09 boot/barebox: bump version to 2020.07.0
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-26 21:47:47 +02:00
Dick Olsson
a757d173f1 boot/arm-trusted-firmware: bump to version 2.2
Release notes:
https://trustedfirmware-a.readthedocs.io/en/latest/change-log.html#version-2-2

Take this opportunity to fix the hash file spacing.

Signed-off-by: Dick Olsson <hi@senzilla.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-20 22:29:17 +02:00
Fabio Estevam
500bf2c37b boot/uboot: bump to version 2020.07
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-15 17:24:51 +02:00
Etienne Carriere
8ea8822005 boot/optee-os: bump to version 3.9.0
Bump OP-TEE OS package version to OP-TEE release 3.9.0.

Update patch on pydrypto/pycryptodome to match 3.9.0.
Add patch on CFG_OPTEE_REVISION_MINOR that was not updated in release
3.9.0 and fixed only few commits above.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-14 15:33:17 +02:00
Brandon Maier
16a522b5e0 uboot: zynqmp: Support loading a PMU config
Before now, U-Boot SPL could only load the Platform Management Unit
(PMU) by patching the board-specific pm_cfg_obj.c file into the generic
PMU firmware, but that then requires generating a new PMU firmware for
every board configuration. To fix that, Luca Ceresoli added support to
U-Boot to load the pm_cfg_obj[1].

Like the PMU firmware, we need a way to pass the PMU cfg to U-Boot
during build. U-Boot only accepts the binary format of the cfg, so we
must convert the source file with the tool provided with U-Boot.

[1] https://lucaceresoli.net/zynqmp-uboot-spl-pmufw-cfg-load/

Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-06-27 19:23:18 +02:00
Mark Corbin
a517093ea9 boot/opensbi: bump to version 0.8
The OpenSBI platform 'qemu/virt' has been removed in v0.8. Builds for
the QEMU 'virt' machine can use the 'generic' platform instead.

Tested with qemu_riscv32_virt_defconfig and
qemu_riscv64_virt_defconfig using Buildroot host-qemu 5.0.0.

Signed-off-by: Mark Corbin <mark@dibsco.co.uk>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-06-24 21:29:18 +02:00
Yann E. MORIN
f289b1b36f legacy: drop options removed more than 5 years ago now
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-06-22 07:17:05 +02:00
Fabrice Fontaine
7e64a050fb boot/grub2: Fix GRUB i386-pc build with Ubuntu gcc
Backport a patch from upstream to fix the build on certain versions of
gsc, notably:

    Ubuntu 19.10 with gcc (Ubuntu 8.3.0-26ubuntu1~19.10) 8.3.0
    Ubuntu 19.10 with gcc (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008

The upstream patch is simply a change in the gentpl.py script, which is
used to generate parts of the automake machinery, so if we just backport
the upstream patch, we need to call the script to regenerate those files.

However, the modified script is a python script, so we would need to add
a dependency on host-python (2 or 3), which is not so nice.

Furthermore, calling the script is not enough: it needs a specific set
of optionss for each file it is to generate. That set of options is not
static; it is constructed in the convoluted autogen.sh. Calling
autogen.sh is usally not so good an idea in the Buildroot context, and
indeed this fails becasue it calls to autoreconf, but without our
carefuly crafted options and environment variables.

There was a little light in the tunnel, in that autogen.sh can be told
not to run autoreconf, by setting the environemnt variable
FROM_BOOTSTRAP to an non-=empty string, but this is fraught with various
other side-effects, as in that cause, autogen.sh expects to be valled by
an upper sciopt, bootstrap, which is not provided in the tarball
distribution...

So, between all those issues, autogen, bootstrap, and a host-python (2
or 3) dependency, we choose another route: path the script *and* the one
generated file affected by the change. Since that patched file is a .am
file, we also patch the corresponding .in file

However, we're faced with another issue: the other generated file is
now older than the script, so the automake machinery will now want to
re-run autoconf et al during the build step, which is still not a good
idea for us. So we touch the other generated file so it is mopre recent
than the script.

This is still not sufficient, because the patched file also has a
dependency on the generated file, so we need to touch as well.

Fixes:
 - https://bugs.buildroot.org/show_bug.cgi?id=12946

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
[yann.morin.1998@free.fr:
  - keep the hunk about patching gentpl.py
  - make it a git-formatted patch
  - add the touch
  - drastically expand the commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-06-05 00:03:30 +02:00
Joachim Nilsson
2bfc379c50 boot/uboot: change from FTP to HTTPS for official releases
The HTTPS URL seems to be more reliable and quicker for download than
FTP.  FTP may also be a blocked protocol on some sites and in CI/CD
setups.

Signed-off-by: Joachim Nilsson <troglobit@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-06-04 22:47:10 +02:00
Thomas Petazzoni
a6569f2b3d Merge branch 'next'
A few conflicts had to be resolved:

 - Version number and hash for mesa3d-headers/mesa3d
 - Patches added in qemu, and the qemu version number
 - The gnuconfig README.buildroot

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-06-02 21:59:52 +02:00
Romain Naour
36c0a0c656 boot/arm-trusted-firmware: ignore licencing check for user defined official version
The commit [1] "licensing info is only valid for v1.4" fixed the legal-info
issues when a custom ATF tarball or a version from git is used.
But we need to ignore licencing for a used defined official ATF version.

Althougt the ATF version are licensed under BSD-3-Clause, the license
file can be updated between version (for example between v1.4 and v2.0).

Ignore the licencing check if the user provide a custom official version.

[1] d1a61703f7

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
[yann.morin.1998@free.fr: use positive logic with the _LATEST option]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-30 23:21:07 +02:00
Pierre-Jean Texier
f379e75dcd boot/at91bootstrap3: bump to version 3.9.2
Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-28 23:38:01 +02:00
Romain Naour
82b7400175 boot/optee-os: replace pycrypto by pycryptodomex
>From [1] included in optee-os release 3.7.0:
"PyCryptodome is a fork of PyCrypto, which is not maintained any more
(the last release dates back to 2013 [2]). It exposes almost the same
API, but there are a few incompatibilities [3]."

pem_to_pub_c.py/sign.py scripts still use pycrypto that is replaced
by pycryptodomex. Add a patch to use pycryptodomex but don't use
upstream commit since it also switches from the algorithm
TEE_ALG_RSASSA_PKCS1_V1_5_SHA256 to TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256
when replacing pycrypto to pycryptodomex [4].

[1] 90ad245043
[2] https://pypi.org/project/pycrypto/#history
[3] https://pycryptodome.readthedocs.io/en/latest/src/vs_pycrypto.html
[4] ababd72d2f

Fixes:
https://gitlab.com/buildroot.org/buildroot/-/jobs/526035730

Signed-off-by: Romain Naour <romain.naour@gmail.com>
Cc: James Hilliard <james.hilliard1@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-21 15:46:21 +02:00
Thomas Petazzoni
df3d1f8177 boot/uboot: support building U-Boot with Python 3.x
U-Boot versions newer than 2020.01 use Python 3.x instead of Python
2.x in various scripts.

We already had the BR2_TARGET_UBOOT_NEEDS_PYLIBFDT and
BR2_TARGET_UBOOT_NEEDS_PYELFTOOLS options, but depending on the U-Boot
version, we now need to indicate if Python 2.x or Python 3.x should be
used.

In addition, it turns out that some U-Boot configurations need a
Python interpreter, without needing pylibfdt or pyelftools. Some of
our defconfigs were abusing the BR2_TARGET_UBOOT_NEEDS_PYLIBFDT option
to make sure a Python interpreter was built.

To solve this issue, we introduce a choice, that let the users specify
what, if any, host python version is needed. The default is 'no', to
preserve the previous behaviour, unless any of the pylibfdt or the
pyelftools options is enabled, in which case we hide the 'no' option,
and use python 2 by default. This dfault is guaranteed by the order of
options in the choice.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[yann.morin.1998@free.fr:
  - explicitly make the choice a bool
  - make BR2_TARGET_UBOOT_NEEDS_PYTHON a blind option
  - introduce the 'no' option in the choice
  - reword the commit log accordingly
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-05-15 22:59:21 +02:00
Bartosz Bilas
75c5de34ee boot/barebox: bump version to 2020.05.0
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-15 21:33:37 +02:00
Yann E. MORIN
1dff5aa64d boot/uboot: don't specify .config to munge
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-01 15:50:27 +02:00
Yann E. MORIN
7a2524bf54 boot/barebox: don't specify .config to munge
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-05-01 15:50:27 +02:00
Pierre-Jean Texier
02bddcea7d boot/uboot: bump to version 2020.04
See https://lists.denx.de/pipermail/u-boot/2020-April/406522.html

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-04-13 21:55:59 +02:00
Thomas Petazzoni
6d5da6d916 boot/syslinux: fix build of efi part with gnu-efi 3.0.10
The following defconfig:

BR2_x86_i686=y
BR2_TOOLCHAIN_EXTERNAL=y
BR2_TOOLCHAIN_EXTERNAL_DOWNLOAD=y
BR2_TOOLCHAIN_EXTERNAL_URL="http://toolchains.bootlin.com/downloads/releases/toolchains/x86-i686/tarballs/x86-i686--glibc--bleeding-edge-2018.11-1.tar.bz2"
BR2_TOOLCHAIN_EXTERNAL_GCC_8=y
BR2_TOOLCHAIN_EXTERNAL_HEADERS_4_14=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM_GLIBC=y
BR2_TOOLCHAIN_EXTERNAL_CXX=y
BR2_INIT_NONE=y
BR2_TARGET_SYSLINUX=y
BR2_TARGET_SYSLINUX_EFI=y

fails to build due to missing setjmp/longjmp definitions, which is a
consequence of a change introduced between gnu-efi 3.0.9 and 3.0.10.

This build failure is fixed by adding another syslinux paytch, which
has been submitted upstream.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-04-04 23:07:29 +02:00
Suniel Mahesh
fbed118ed2 boot/arm-trusted-firmware: add optional host-arm-gnu-a-toolchain dependency
Some ATF configurations, require a pre-built bare metal toolchain to
build some platforms which host cortex-m series core, for instance
rockchip rk3399 has a cortex-m0 core. Without a pre-built bare metal
toolchain, the build fails:

make[3]: arm-none-eabi-gcc: Command not found

To solve this, this commit implements a
BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_ARM32_TOOLCHAIN
option. Platforms which have such requirement should enable this
config option.

Signed-off-by: Suniel Mahesh <sunil@amarulasolutions.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-29 15:08:23 +02:00
Bartosz Bilas
f779d1be65 boot/barebox: bump version to 2020.03.0
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-03-21 15:25:00 +01:00
Yann E. MORIN
451ee6fa54 boot/barebox-aux: exclude git downloads from hash check
When barebox, and thus barebox-aux, are downloaded from a git tree, then
barebox-aux download fails because a hash check is attempted on the
downloaded archive:

    Could not fetch special ref 'v2020.03.0'; assuming it is not special.
    ERROR: No hash found for barebox-aux-v2020.03.0.tar.gz

This is because we only exclude from the check the archive of the bare
barebox:

    BR_NO_CHECK_HASH_FOR += $(BAREBOX_SOURCE)

However, the default name of an archive is based on the package name,
which for barebox-aux is not 'barebox'.

Since barebox-aux really uses the exact same source as the bare barebox,
it should also share the archive name.

This has two direct consequences and advantages:

  - the hash check is completely avoided for the barebox-aux archive;

  - the barebox-aux archive is not downloaded as it is already
    downloaded for barebox.

Reported-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Tested-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-20 19:56:38 +01:00
Yann E. MORIN
ca7fa117b1 boot/barebox-aux: store downloads in same dir as bare barebox
barebox and barebox-aux are really the same package, from the same URL
and the same version. They deserve being stored in the same directory.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Yegor Yefremov <yegorslists@googlemail.com>
Tested-by: Yegor Yefremov <yegorslists@googlemail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-20 19:56:18 +01:00
Thomas Petazzoni
ddbb5dbd83 boot/arm-trusted-firmware: add optional host-dtc dependency
Some ATF configurations, such as the ones for the STM32MP1 processor
family, require DTC during the build as Device Tree files are
used. Without dtc, the build fails:

/bin/sh: 1: dtc: not found
dtc version too old (), you need at least version 1.4.4
plat/st/stm32mp1/platform.mk:239: recipe for target 'check_dtc_version' failed
make[1]: *** [check_dtc_version] Error 1

To solve this, this commit implements a
BR2_TARGET_ARM_TRUSTED_FIRMWARE_NEEDS_DTC option, in a way that mimics
the BR2_TARGET_UBOOT_NEEDS_DTC option we already have for the U-Boot
package.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-03-18 22:24:56 +01:00
Mark Corbin
5fe6b78299 boot/opensbi: bump to version 0.6
Tested with qemu_riscv32_virt_defconfig and
qemu_riscv64_virt_defconfig using Buildroot host-qemu 4.2.0.

Signed-off-by: Mark Corbin <mark@dibsco.co.uk>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-03-05 23:36:31 +01:00
Gervais, Francois
a621c9b6c8 boot/arm-trusted-firmware: add missing qstrip
Add missing qstrip wrapping to the new
BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_TARGETS option.

Signed-off-by: Francois Gervais <fgervais@distech-controls.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-11 23:37:31 +01:00
Bartosz Bilas
694d134a49 boot/barebox: bump version to 2020.01.0
Signed-off-by: Bartosz Bilas <b.bilas@grinn-global.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-08 08:45:08 +01:00
Yann E. MORIN
3091d334e7 boot/optee-os: license files hashes only valid for latest version
We can only know the details of the license files for known versions.  For
custom, older or newer versions, the license files may change, or may be
moved around.

So, do for optee-os as was done for other packages in the recent past,
and only define the list of license files for the latest version.

Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-06 20:42:02 +01:00
Yann E. MORIN
130329cb7b boot/at91bootstrap3: license files hashes only valid for latest version
We can only know the details of the license files for known versions.  For
custom, older or newer versions, the license files may change, or may be
moved around.

So, do for at91bootstrap3 as was done for other packages in the recent
past, and only define the list of license files for the latest version.

Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-06 20:38:13 +01:00
Yann E. MORIN
2ffaaea70c boot/barebox: license files hashes only valid for latest version
We can only know the details of the license files for known versions.  For
custom, older or newer versions, the license files may change, or may be
moved around.

So, do for Barebox as was done for ATF, linux, and linux-headers, and
only define the list of license files for the latest version.

Add the hash for that license file, and align hashes to the new spacing
convention.

Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-06 19:19:23 +01:00
Yann E. MORIN
ff1a03ab28 boot/uboot: license files hashes only valid for latest version
We can only know the details of the license files for known versions.  For
custom, older or newer versions, the license files may change, or may be
moved around.

So, do for U-Boot as was done for ATF, linux, and linux-headers, and only
define the list of license files for the latest version.

Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Markus Mayer <mmayer@broadcom.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-06 18:38:35 +01:00
Yann E. MORIN
ab7b96e813 boot/uboot: needs make >= 4.0
Starting with 2020.01, uboot started using the 'undefine' make
directive, which was only introduced with make 4.0.

In the general case, we do not have a way to know if the uboot
selected by the user is older or later than 2020.01, so we have
no way to know before hand if make >= 4.0 is needed or not. As
such, we have no other option than to always require it.

So, use the existing $(BR2_MAKE_HOST_DEPENDENCY) and $(BR2_MAKE),
both of each will ensure that we do use a make that is at least 4.0.

Reported-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-03 21:29:56 +01:00
Heiko Thiery
38d14c5704 package/s*: add license file hashes
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-03 14:45:36 +01:00
Heiko Thiery
2119b937a8 package/m*: add license file hashes
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-03 14:45:35 +01:00
Heiko Thiery
abb9bc29c7 package/a*: add license file hashes
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-02-03 14:44:52 +01:00
Gervais, Francois
05b8c7da6d boot/arm-trusted-firmware: allow additional make targets
Allow specifying additional build targets for ATF.

This might be more useful when using a custom git repository.

For example, when using with the ATF repository from NXP QorIQ,
there is a new build target 'pbl' which is used to build the
pbl binary image. Note that in the specific case of the 'pbl'
target, additional build variables also need to be specified
through BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES.

Signed-off-by: Francois Gervais <fgervais@distech-controls.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-02-01 23:15:41 +01:00
Fabio Estevam
e39d47d880 boot/uboot: bump to version 2020.01
Bump to U-Boot 2020.01 version.

Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-01-10 22:41:17 +01:00