off-by: Jonas Rebmann
Acked-by: Ahmad Fatoum
> ---
> .github/workflows/test-labgrid-pytest.yml | 10 -
> scripts/generate_testfs.sh | 33 -
> test/py/test_fit.py| 43
> +-
Hi,
On 18.09.25 09:43, Tobias Waldekranz wrote:
> This series adds initial support for dm-verity. Notably, it does not
> include any support for validation of any root hash signature. As
> such, practical use in a production setting is still limited, unless
> you have some other way of securely de
On 10/6/25 6:15 AM, chalian...@gmail.com wrote:
> From: Chali Anis
>
> The multi_v8_efi_defconfig enables a lot of drivers that are not needed
> for an EFI payload. Therefore add a minimal EFI-only config.
>
> Signed-off-by: Chali Anis
Reviewed-by: Ahmad Fatoum
> --
7b273 ("scripts: rockchip: implement image signing")
Signed-off-by: Ahmad Fatoum
---
scripts/rkimage.c | 15 ---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index 9b3ae8bbfff7..e5b6d61c4a9d 100644
--- a/scripts/rkimage.
. This symbol seems to be there for all ARM64 configs we have
and if this ceases, CI will let us know.
Signed-off-by: Ahmad Fatoum
---
MAKEALL | 9 +++--
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/MAKEALL b/MAKEALL
index d47f0204f1f1..abce297a9bf8 100755
--- a/MAKEALL
+++ b
A message like
tlv: No such file or directory
can mean either tlv command is missing or it returned -ENOENT.
Let's differentiate between these two situations, so the former becomes:
tlv: No such command
Reported-by: Jonas Rebmann
Signed-off-by: Ahmad Fatoum
---
v1 -> v2:
- n
A message like
tlv: No such file or directory
can mean either tlv command is missing or it returned -ENOENT.
Let's differentiate between these two situations, so the former becomes:
tlv: No such command
Reported-by: Jonas Rebmann
Signed-off-by: Ahmad Fatoum
---
common/binfmt.
We duplicate the fallback behavior and use an unnecessary intermediate
str variable, when we could return directly.
Signed-off-by: Ahmad Fatoum
---
v1 -> v2:
- new patch (missing prerequisite)
---
common/misc.c | 139 --
1 file changed,
emulate.pl is no longer documented and all its functionality has been
replaced by either pytest conftest.py, changes in Labgrid itself or
MAKEALL. It's thus time to remove it.
Signed-off-by: Ahmad Fatoum
---
v1 -> v2:
- remove now unused runner tuxmake_arch as well
---
test/
ecc_get_curve25519 is used in the kernel only to support the hisilicon
hpre driver and can't be used for general purpose like the NIST curves
defined in ecc_curve_defs.h.
In barebox, the function is fully unused, so drop it to prevent
confusion.
Reported-by: Jonas Rebmann
Signed-off-by:
...@pengutronix.de
>
> Changes in v1:
> - Link to RFC:
>
> https://lore.kernel.org/all/20250814130702.4039241-1-a.fat...@pengutronix.de/
> - Add more actual security policies
> - Fix some typos in Documentation
> - Catch invalid policy names in sconfig command
>
> Signe
On 17.09.25 15:53, Sascha Hauer wrote:
> +bool is_allowed(const struct security_policy *policy, unsigned option)
> +{
> + policy = policy ?: active_policy;
> +
> + if (WARN(option > SCONFIG_NUM))
> + return false;
> +
> + if (!policy && *CONFIG_SECURITY_POLICY_INIT) {
> +
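Review bot: the bounds check in is_allowed() reads `option > SCONFIG_NUM`, so a value equal to SCONFIG_NUM passes it. If SCONFIG_NUM is the number of options rather than the highest valid index, the comparison should be `>=`. The WARN() is also given only the condition and no message, so a triggered warning will not say which option value was rejected; including the value would make the report easier to act on.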
On 18.09.25 09:43, Tobias Waldekranz wrote:
> For targets that support inclusion of the testfs, make sure to inject
> all config options needed to run the device mapper pytests.
>
> Signed-off-by: Tobias Waldekranz
Reviewed-by: Ahmad Fatoum
> ---
> .github/workflows/test-
On 18.09.25 09:43, Tobias Waldekranz wrote:
> This avoids the need for each step to (re)discover features. Start off
> by only checking for 'testfs', but this can easily be expanded in the
> future.
>
> Signed-off-by: Tobias Waldekranz
Reviewed-by: Ahmad Fatoum
> -
ified parts are readable
> - Ensure that reading from a modified block results in an I/O error
>
> Signed-off-by: Tobias Waldekranz
Reviewed-by: Ahmad Fatoum
Thanks for including a test!
Ahmad
> ---
> test/py/test_dm.py | 38 ++
> 1 file changed, 3
ast, but didn't debug into why the
build failed, but you fixed that already in the last series.
Reviewed-by: Ahmad Fatoum
> ---
> arch/mips/configs/qemu-malta_defconfig | 4
> test/mips/be@qemu-malta_defconfig.yaml | 1 +
> test/mips/qemu-malta64el_defconfig.yaml | 1 +
n the ITS being
> available. This allows us to enable the testfs feature on all matrix
> cells that support 9p over virtio.
>
> Signed-off-by: Tobias Waldekranz
Reviewed-by: Ahmad Fatoum
FWIW, testfs was supposed to be just a stop-gap.
My current plan is to have a "meta-boo
s,
Ahmad
> ---
> Ahmad Fatoum (5):
> efi: payload: split image handling from legacy handover boot support
> efi: payload: add support for efi stub boot
> efi: payload: add support for fit image
> efi: payload: make selectable without COMPILE_TEST
> ARM
nce we authorise memory
> execution.
>
> Fixes: 7497c86c5032 ("efi: payload: early-mem: add memory type on early mem
> allocation")
> Signed-off-by: Chali Anis
Reviewed-by: Ahmad Fatoum
Thanks,
Ahmad
> ---
> efi/payload/entry-single.c | 2 +-
> 1 file changed
On 9/17/25 4:02 PM, Sascha Hauer wrote:
> On Tue, Sep 16, 2025 at 11:38:48AM +0200, Ahmad Fatoum wrote:
>> Hello Sascha,
>>
>> On 9/16/25 11:32 AM, Sascha Hauer wrote:
>>> Several drivers in the tree use an enum for the chip type casted to int
>>> as driver
Hi David,
On 9/18/25 12:09 PM, David Picard wrote:
> I tried to squash, but it kicked Ahmad off the author list...
That's no issue. If you want to credit me, you can add a
Co-developed-by: Ahmad Fatoum
into the squashed commit directly before my S-o-b with your S-o-b at the
end.
Hi,
On 9/14/25 9:32 PM, chalian...@gmail.com wrote:
> From: Chali Anis
>
> This patch is an esthetic cleanup, rename the dma_ops to dma_device_ops
> to be sure that the struct in drivers/dma is different from one used in
> arch/riscv/cpu. I accidentally faced the issue telling that the struct is
ake imx_v8_defconfig
> echo foo > firmware/foo
> echo bar > firmware/bar
> ln -sf foo firmware/imx8mm-bl31.bin
> make
>
> The following should rebuild the barebox image including the updated
> firmware, but doesn't:
>
> ln -sf bar firmware/imx8mm-bl31.bin
Hi,
On 9/9/25 11:34 AM, Sascha Hauer wrote:
> On Wed, Sep 03, 2025 at 04:46:05PM +0200, Christian Thießen via B4 Relay
> wrote:
>> From: Christian Thießen
>>
>> The fec_imx driver stores an enum fec_type value in the match data
>> pointer. When retrieving this value in fec_probe(), it handles
>>
Hello Sascha,
On 9/16/25 11:32 AM, Sascha Hauer wrote:
> Several drivers in the tree use an enum for the chip type casted to int
> as driver_data. This comes with the problem that device_get_match_data()
> returns NULL for these devices and a potential error check bails out
> then.
>
> This patch
will collect all tokens from a string into an
> array, which is useful in situations where you need to know how many
> tokens there are, and when a token's relative position in the order is
> significant.
>
> Signed-off-by: Tobias Waldekranz
Reviewed-by: Ahmad Fato
We don't have system calls in barebox and we make ample use of ENOSYS,
so let's drop the checkpatch warning to avoid confusion.
Reported-by: Christian Thießen
Signed-off-by: Ahmad Fatoum
---
scripts/checkpatch.pl | 8
1 file changed, 8 deletions(-)
diff --git a/scripts/che
Hi,
On 16.09.25 06:54, chalian...@gmail.com wrote:
> From: Ahmad Fatoum
>
> We currently lack a way to build a barebox EFI payload on ARM without
> enabling some other subarchitecture. As CONFIG_EFI_PAYLOAD has a global
> effect and adds EFI stubs to all enabled board, an EFI
Hi,
On 9/14/25 9:40 PM, chalian...@gmail.com wrote:
> From: Chali Anis
>
> remove the framebuffer console and let developers select it when needed, this
> fixes the problem that consists of having the screen split to top and bottom
> displaying the output twice, and considerably speeds up the efi
On 08.09.25 11:27, Tobias Waldekranz wrote:
> On fre, sep 05, 2025 at 18:54, Ahmad Fatoum wrote:
>>> +static struct dm_device *dmsetup_find(const char *name)
>>> +{
>>> + struct dm_device *dm;
>>> +
>>> + dm = dm_find_by_name(name);
>>
by 1.
Signed-off-by: Ahmad Fatoum
---
arch/riscv/lib/setupc.S | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/riscv/lib/setupc.S b/arch/riscv/lib/setupc.S
index d225186c79fd..423de4181ea6 100644
--- a/arch/riscv/lib/setupc.S
+++ b/arch/riscv/lib/setupc.S
@@ -32,14 +
at is not completely understood, but it's
fixed by removing these two lines that are erroneous anyway, so let's do
that.
[1]: https://esr.arm64.dev/#0x96000147
Fixes: 868df08038a9 ("ARM: aarch64: Add relocation support")
Signed-off-by: Chali Anis
Signed-off-by: Ahmad
Hi,
On 08.09.25 11:27, Tobias Waldekranz wrote:
> On fre, sep 05, 2025 at 18:50, Ahmad Fatoum wrote:
>> On 8/28/25 5:05 PM, Tobias Waldekranz wrote:
>>> Verify that the 'linear' target works as expected.
>>>
>>> Do this by (1) creating a dm devi
On 08.09.25 11:27, Tobias Waldekranz wrote:
> On fre, sep 05, 2025 at 18:14, Ahmad Fatoum wrote:
>> If someone looks at this code, because they have seen this error, they
>> won't necessarily know how to interpret the %d.
>
> My intention was that it could be correl
Hello Tobias,
On 8/28/25 5:05 PM, Tobias Waldekranz wrote:
> Add an implementation of libc's standard strtok(3), which is useful
> for tokenizing strings.
strtok was previously removed in favor of strsep as it doesn't suffer
from re-entrancy issues (poller and bthreads can run during delays). If
> Declare that variable as an array as that's what it actually is.
>
> Signed-off-by: Sascha Hauer
Reviewed-by: Ahmad Fatoum
> ---
> arch/powerpc/mach-mpc5xxx/loadtask.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/power
On 8/28/25 5:05 PM, Tobias Waldekranz wrote:
> Verify that the 'linear' target works as expected.
>
> Do this by (1) creating a dm device with a couple of linear mappings
> to two underlying ramdisks, and then (2) verify that data is returned
> in the expected order when reading it through the dm
Hi,
On 9/5/25 12:30 AM, anis chali wrote:
>
> Hello Ahmad,
>
>>> ---
>>> efi/Kconfig | 17 +
>>> 1 file changed, 17 insertions(+)
>>>
>> diff --git a/efi/Kconfig b/efi/Kconfig
>>> index 84f670fd23d3..c3811574920d 100644
>>> --- a/efi/Kconfig
>>> +++ b/efi/Kconfig
>>> @@ -50,4 +5
Hi,
On 8/31/25 5:55 AM, chalian...@gmail.com wrote:
> From: Chali Anis
>
> This patch has more stock, between implementing EFI STUB boot, refactor to
> reuse the code and finally support the fit image format.
If you look at the existing image_handler code for ARM64, you will find
that it has no
Hi,
On 9/5/25 12:44 AM, anis chali wrote:
> Hi,
>
>> We should rename the existing image.c to handover.c and keep it x86 only
>> and add your code without the historical baggage IMO.
> Ok, We can rename the file, do we need to create a shared file between them,
> because we have all the code for
Hi Anis,
On 9/5/25 2:16 AM, anis chali wrote:
> Hi,
>
>> Thinking about it, this doesn't really fit into the existing model.
>> We have CONFIG_EFI_PAYLOAD, which when enabled gives _all_ images
>> an EFI stub.
>>
>> I think it's better to just give CPU_V7 and CPU_V8 prompts.
> Don't understand.
In fec_probe, pass FEC_TYPE_COUNT as defaultval and return -ENODEV for
> all type values greater or equal to that.
>
> Fixes: 20d87123a6 ("treewide: replace dev_get_drvdata with
> device_get_match_data")
> Signed-off-by: Christian Thießen
Reviewed-by: Ahmad F
On 8/28/25 5:05 PM, Tobias Waldekranz wrote:
> This target allows you to map in a region of another device as a
> contiguous range of blocks of a dm device.
>
> This is the basic building block used by LVM to stitch together
> logical volumes from one or more ranges of blocks from one or more
> ph
Hi,
On 9/4/25 3:35 PM, Tobias Waldekranz wrote:
> On tor, sep 04, 2025 at 13:00, Ahmad Fatoum wrote:
>> Hello Tobias,
>>
>> On 8/28/25 5:05 PM, Tobias Waldekranz wrote:
>>> Add an implementation of libc's standard strtok(3), which is useful
>>> for tok
Hi,
On 8/28/25 5:05 PM, Tobias Waldekranz wrote:
> +struct dm_device *dm_create(const char *name, const char *table)
> +{
> + struct dm_target *ti;
> + struct dm_device *dm;
> + int err;
> +
> + dm = xzalloc(sizeof(*dm));
> +
> + dev_set_name(&dm->dev, "%s", name);
> + dm->
On 8/28/25 5:05 PM, Tobias Waldekranz wrote:
> Modeled on dmsetup(8) from LVM2.
>
> This lets the user create/remove arbitrary dm devices using the same
> table file format used in Linux, and dump information about currently
> configured devices.
>
> Signed-off-by: Tobias Waldekranz
> ---
> com
Hi,
On 8/28/25 5:05 PM, Tobias Waldekranz wrote:
> Add initial scaffolding for a block device mapper which is intended to
> be compatible with the corresponding subsystem in Linux.
>
> This is the foundation of several higher level abstractions, for
> example:
>
> - LVM: Linux Volume manager. Dy
Hi,
On 8/31/25 5:55 AM, chalian...@gmail.com wrote:
> From: Chali Anis
>
> This patch has more stock, between implementing EFI STUB boot, refactor to
> reuse the code and finally support the fit image format.
We should rename the existing image.c to handover.c and keep it x86 only
and add your c
the callers expectations.
>
> Signed-off-by: Sascha Hauer
Reviewed-by: Ahmad Fatoum
> ---
> common/image-fit.c | 10 +-
> include/image-fit.h | 4 ++--
> 2 files changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/common/image-fit.c b/common/image-
We define this symbol only on MIPS and RISC-V, so it's safe to remove on
ARM.
Signed-off-by: Ahmad Fatoum
---
arch/arm/mach-sunxi/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm/mach-sunxi/Kconfig b/arch/arm/mach-sunxi/Kconfig
index 4fdd0877bf83..8552438743f3 100644
Hello Anis,
On 8/31/25 5:55 AM, chalian...@gmail.com wrote:
> From: Chali Anis
>
> Signed-off-by: Chali Anis
> ---
> efi/Kconfig | 17 +
> 1 file changed, 17 insertions(+)
>
> diff --git a/efi/Kconfig b/efi/Kconfig
> index 84f670fd23d3..c3811574920d 100644
> --- a/efi/Kconfig
't attempt descending twice into images/Makefile
in parallel.
Fixes: a1f893cc16e6 ("kbuild: collect compatibility symlink creation in
symlink-y")
Signed-off-by: Ahmad Fatoum
---
Makefile | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
ind
Hi,
On 31.08.25 05:55, chalian...@gmail.com wrote:
> From: Chali Anis
>
> add a generic arm64 machine that can select the CPU_V8 and the
> required efi payload minimal configs. this machine permits to have
> a clean arm64 efi payload, ideally we don't need the other machine
> that comes from mult
ble either CONFIG_CPU_V8 or
CONFIG_CPU_V7 directly.
Signed-off-by: Ahmad Fatoum
---
arch/arm/cpu/Kconfig | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/arch/arm/cpu/Kconfig b/arch/arm/cpu/Kconfig
index e61bcadc8c35..fe0d1e470578 100644
--- a/arch/arm/cpu/Kconfig
+++
Hi Anis,
Sidenote: majority of commit messages don't have a trailing period,
so you may want to drop it for uniformity.
On 04.09.25 03:23, chalian...@gmail.com wrote:
> From: Chali Anis
>
> fix memory free missing.
> fix unreachable code issue.
> set the fdt memory to a fixed 128KB.
> fix oftree
Hi,
On 04.09.25 08:48, Sascha Hauer wrote:
> On Thu, Sep 04, 2025 at 02:20:59AM -0400, anis chali wrote:
>>For now I submitted with 128KB.
>>> No. I don't do EFI very much and I currently don't have a setup for
>>> testing this. Ahmad is more experienced with EFI than me.
>>Ok, I c
The vexpress-a9 board is less functional in barebox than the virt board,
e.g., only the latter has a restart handler registered.
Switch over the default, so a simple pytest uses the virt labgrid
environment instead by default.
Signed-off-by: Ahmad Fatoum
---
test/arm/multi_v7_defconfig.yaml
I missed updating the path to the kvx toolchain.
Signed-off-by: Ahmad Fatoum
---
test/Containerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/Containerfile b/test/Containerfile
index 39bd64603e86..c6c3c57596a6 100644
--- a/test/Containerfile
+++ b/test
biattach on an UBI partition, mtd_erase() still
> gets called, tries to call mtd->_erase and crashes. Make it fail
> gracefully by returning ENOSYS ("Function not implemented") instead.
Reviewed-by: Ahmad Fatoum
with two minor comments below.
>
> ---
> As discussed i
The simple console ctrl+c implementation doesn't define ctrlc_handled()
leading to build errors in some configurations.
Just reuse the normal ctrl+c implementation to fix this.
Signed-off-by: Ahmad Fatoum
---
common/Makefile | 2 +-
common/console_simple.c | 14 --
in
All of GCC, LLVM, the Kalray GCC, Labgrid and QEMU have had newer
releases in the mean time, so let's update them all to the newest
version in preparation for updating the Debian container as a whole.
Signed-off-by: Ahmad Fatoum
---
test/Containerfile | 12 ++--
1 file chang
We only tested in CI the build with hush and full console and the
headless build with neither. Missing is a build with a simple console
and a simple shell, so breakage in the simple console went unnoticed.
Add a new configuration, so CI can test it.
Signed-off-by: Ahmad Fatoum
---
arch/sandbox
Fixes: feef2e053ea4 ("param: operate on bobjects instead of full devices")
Signed-off-by: Ahmad Fatoum
---
common/globalvar.c | 15 +++
include/param.h| 4 ++--
lib/parameter.c| 8
3 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/common/globa
There is no reason to keep different ctrl+c implementations for the full
and simple console case. In preparation for unifying them, move the
implementation into its own file.
Signed-off-by: Ahmad Fatoum
---
common/Makefile| 2 +-
common/console.c | 60
Hi,
On 8/31/25 5:55 AM, chalian...@gmail.com wrote:
> From: Chali Anis
>
> efi GOP work also in arm64, the efi has drivers that implements
> LCDs and expose them as GOP protocol.
> Tested on QEMU ramfb and RPi3b 64 bit.
>
> Signed-off-by: Chali Anis
Acked-by: Ahmad
On 8/31/25 9:48 AM, Tobias Waldekranz wrote:
> On fre, aug 29, 2025 at 13:24, Ahmad Fatoum wrote:
>> On 28.08.25 17:05, Tobias Waldekranz wrote:
>> Fortunately, Anis (Cc'd) is right now working on exactly the use case
>> of filling out the missing pieces for using bar
Hi,
On 8/31/25 9:48 AM, Tobias Waldekranz wrote:
> On fre, aug 29, 2025 at 10:29, Sascha Hauer wrote:
> We are sort of in the same boat. We wrap our rootfs in an FIT header,
> just because that is the only format U-Boot knows how to verify. After
> verification, we strip off the header, mount it,
will also print to stderr a shuffle= line.
The integer can be passed to --shuffle locally when trying to reproduce
the breakage.
Ahmad Fatoum (3):
ci: container: update components installed on top to newest versions
ci: container: update to Debian Trixie
ci: build: shuffle goal and prerequ
Debian Trixie was released last month. Let's update our container to it.
Signed-off-by: Ahmad Fatoum
---
test/Containerfile | 9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/test/Containerfile b/test/Containerfile
index 9a1df8efb99c..39bd64603e86 100644
--- a
d-off-by: Ahmad Fatoum
---
images/Makefile.sandbox | 1 -
lib/vsprintf.c | 15 ---
2 files changed, 16 deletions(-)
diff --git a/images/Makefile.sandbox b/images/Makefile.sandbox
index d13ffb0124b1..5f94b6e589e8 100644
--- a/images/Makefile.sandbox
+++ b/images/Makefile.sa
n for all our defconfig builds. When a build
fails, make will also print to stderr a shuffle= line.
The integer can be passed to --shuffle locally when trying to reproduce
the breakage.
Signed-off-by: Ahmad Fatoum
---
.github/workflows/build-defconfigs.yml | 2 ++
1 file changed, 2 inser
buffer is not initialized when pointed is true, but that can't
happen, because, unlike Linux, we hardcode the value at 0.
clang warns about that though, so fix the warning by always
initializing buffer.
Signed-off-by: Ahmad Fatoum
---
fs/jffs2/readinode.c | 2 +-
1 file changed, 1 inse
longer build the dtbs-list, so build that unconditionally
> once we descend into a directory containing device trees. The dtbs-list
> is built with always-y which should make sure it is ready once we need
> it in imagages/
>
> Fixes: 3c862a83f019 ("kbuild: restrict dtbs target
ion here.
>
> Fixes: 6518b21c6c66 ("video: add EFI Graphics Output Protocol support")
>
> Signed-off-by: Chali Anis
Uhh, so this has always been a null pointer dereference so far, but NULL
page read didn't trap for us on x86..?
Anyways:
Reviewed-by: Ahmad Fatoum
Than
On 9/1/25 9:35 AM, Sascha Hauer wrote:
> From: Matthias Zoechmann
>
> Add option CONFIG_HABV4_IMAGE_SIGNED_USB_DCD to select build of barebox
> image for i.mx6 devices with an additional authentication block in CSF
> ("0x0091000 offset size filename").
> Additional the barebox toolchain will b
Hi Tobias,
On 28.08.25 17:05, Tobias Waldekranz wrote:
> Start work on adding a device mapper that is compatible with the
> corresponding subsystem in Linux.
I haven't gone through the patches, but I read this far and I am hyped!
Both Richard (Cc'd) and myself held talks[1][2] this week at ELC-E i
Hi,
On 28.08.25 17:05, Tobias Waldekranz wrote:
> This target allows you to map in a region of another device as a
> contiguous range of blocks of a dm device.
>
> This is the basic building block used by LVM to stitch together
> logical volumes from one or more ranges of blocks from one or more
Hi,
On 27.08.25 17:53, chalian...@gmail.com wrote:
> From: Chali Anis
>
> In some configuration the CPU may raise an exception because of an
> unknown instruction if it does not support Crypto Extensions for
> example in some BCM281X (RPi3B in my case) when running barebox
> as an EFI Payload, w
Hello Sascha,
On 8/22/25 12:37, Sascha Hauer wrote:
> Remove policy-list files before recreating them, otherwise we can get stale
> security configs when changing the build configuration or branch.
>
> Signed-off-by: Sascha Hauer
> ---
> Makefile | 6 +-
> 1 file changed, 5 insertions(+), 1
next)
It's very likely we are overly wasteful of space, but until that's fixed
properly, increase the size reserved for our early page tables.
Signed-off-by: Ahmad Fatoum
---
arch/arm/include/asm/barebox-arm.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/a
On 8/22/25 12:20, Sascha Hauer wrote:
> On Wed, Aug 20, 2025 at 03:17:48PM +0200, Sascha Hauer wrote:
>> diff --git a/scripts/Makefile.policy b/scripts/Makefile.policy
>> new file mode 100644
>> index
>> ..4c71774bbbc98f9de9cf5463e5ef431de60be6ac
>> --- /
unate bitflip an irrecoverable error.
Fix this by switching the allocations in question to non-panicking ones
and propagating the error. This issue has been detected by libfuzzer.
Signed-off-by: Ahmad Fatoum
---
v1 -> v2:
- also check for zero byte allocations
---
comm
This test key can be useful beyond the JWT selftest, so add an option to
select it.
The key added by the option is stand-alone, i.e., it is not part of the
key ring and won't be consulted for FIT image verification.
Signed-off-by: Ahmad Fatoum
---
test/Kconfig | 8
test
We should check that we have at least a FDT header before dereferencing
pointers to the structure. Issue detected with libfuzzer.
Signed-off-by: Ahmad Fatoum
---
v1 -> v2:
- new patch
---
common/state/backend_format_dtb.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --
The JWT format does only minimal string parsing before verifying the
signature, but let's add a fuzzer for that initial string parsing
anyway.
Signed-off-by: Ahmad Fatoum
---
images/Makefile.sandbox | 1 +
security/Kconfig| 1 +
security/jwt.c | 17 +
3
.
Signed-off-by: Ahmad Fatoum
---
include/fuzz.h | 14 ++
1 file changed, 14 insertions(+)
diff --git a/include/fuzz.h b/include/fuzz.h
index bd95ae6203b0..caebc284d5db 100644
--- a/include/fuzz.h
+++ b/include/fuzz.h
@@ -9,6 +9,8 @@
#include
#include
+#include
+#include
#include
When running under libfuzzer for example, it's better to trap, so
libfuzzer generates a crash input file than to just print an error
message and exit gracefully.
The same can apply when running under a hardware debugger, so make
this option available generally.
Signed-off-by: Ahmad F
unate bitflip an irrecoverable error.
Fix this by switching the allocations in question to non-panicking ones
and propagating the error. This issue has been detected by libfuzzer.
Signed-off-by: Ahmad Fatoum
---
common/state/backend_bucket_circular.c | 6 --
common/state/backend_bucket_dir
Hi,
On 8/21/25 16:15, Sascha Hauer wrote:
> On Thu, Aug 21, 2025 at 08:57:10AM +0200, Ahmad Fatoum wrote:
>> Hi,
>>
>> On 8/20/25 15:17, Sascha Hauer wrote:
>>> From: Ahmad Fatoum
>>>
>>> To make it easier to experiment with security policies,
Hi,
On 8/20/25 15:17, Sascha Hauer wrote:
> From: Ahmad Fatoum
>
> To make it easier to experiment with security policies, add four example
> configurations, two via the build system and two "externally".
The configs need a make security_olddefconfig due to the addition
defaultenv: ps1-policy: remove stray semicolons
The semicolon next to $RED is inside the string, so it makes it into the
prompt. For the other one, it doesn't matter, so remove those too for
uniformity.
Signed-off-by: Ahmad Fatoum
---
defaultenv/defaultenv-2-security-policy/bin/ps1-polic
On 8/20/25 15:18, Sascha Hauer wrote:
> @@ -1063,6 +1064,11 @@ static int tftp_probe(struct device *dev)
> struct inode *inode;
> int ret;
>
> + if (!IS_ALLOWED(SCONFIG_FS_CRAMFS)) {
Should be SCONFIG_FS_TFTP.
--
Pengutronix e.K. |
If we have CONFIG_CRYPTO_RSA disabled, we will compile in the keys, but
not use them and fail at FIT verification time with a confusing
image signature BAD.
Improve upon this by mentioning both at init and verification time
whether keys are usable or not.
Signed-off-by: Ahmad Fatoum
---
common
ned-off-by: Ahmad Fatoum
---
common/fastboot.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/common/fastboot.c b/common/fastboot.c
index 603391de7739..e5c79c22376c 100644
--- a/common/fastboot.c
+++ b/common/fastboot.c
@@ -180,6 +180,8 @@ static int fastboot_add_partition_variables(struct fas
Hi,
On 8/20/25 11:48, Marco Felsch wrote:
> Cache the FIT image fit_open() calls to avoid loading the same FIT image
> twice. This is very useful if the same FIT image is used to provide the
> base devicetree, kernel and initrd as well as devicetree overlays.
Just curious, how much time does this
The new USE_COMPRESSED_DTB option is selected unconditionally for ARM,
so drop the stale selects to the old symbol.
Signed-off-by: Ahmad Fatoum
---
arch/arm/mach-imx/Kconfig | 1 -
arch/arm/mach-k3/Kconfig | 1 -
2 files changed, 2 deletions(-)
diff --git a/arch/arm/mach-imx/Kconfig b/arch
On 8/18/25 15:28, Sascha Hauer wrote:
> On Thu, Aug 14, 2025 at 03:06:49PM +0200, Ahmad Fatoum wrote:
>> +if SECURITY_POLICY
>> +
>> +config SECURITY_POLICY_INIT
>> +string
>> +prompt "Initial security policy"
>> +help
>> +
On 8/14/25 15:06, Ahmad Fatoum wrote:
> From: Ahmad Fatoum
> + help
> + Space separated list of security policies that should be
> + compiled into barebox and registered. This option currently
> + requires security policies to have the .sconfig extension
: Ahmad Fatoum
---
The irony of me sending this out after hours is not lost on me.
---
common/Kconfig | 9 +
common/poller.c | 3 ++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/common/Kconfig b/common/Kconfig
index b32a7cb2960b..ad211d1fa519 100644
--- a/common/Kconfig
This will allow us to easily consume the information in the bfetch
command.
Signed-off-by: Ahmad Fatoum
---
arch/riscv/lib/cpuinfo.c | 43
1 file changed, 26 insertions(+), 17 deletions(-)
diff --git a/arch/riscv/lib/cpuinfo.c b/arch/riscv/lib/cpuinfo.c