Merge tag 'efi-2025-01-rc3' of https://source.denx.de/u-boot/custodians/u-boot-efi

CI: https://source.denx.de/u-boot/custodians/u-boot-efi/-/pipelines/23529

- Documentation:
  - Document wget syntax enhancements with lwIP network stack
  - Move README.kconfig to HTML documentation
  - Remove redundant README.TPL
- UEFI:
  - Simplify efi_tcg2_hash_log_extend_event()
  - Allow EFI_LOADER_BOUNCE_BUFFER on all architectures
  - Correctly unmap and free memory on errors
- Other:
 - Enable EFI_LOADER_BOUNCE_BUFFER on StarFive VisionFive 2

8 files changed, 143 insertions, 129 deletions

diff --git a/configs/starfive_visionfive2_defconfig b/configs/starfive_visionfive2_defconfig
index 1c70d1d4b70..20f89ae6796 100644
--- a/configs/starfive_visionfive2_defconfig
+++ b/configs/starfive_visionfive2_defconfig
@@ -32,6 +32,7 @@ CONFIG_CMODEL_MEDANY=y
 CONFIG_RISCV_SMODE=y
 # CONFIG_OF_BOARD_FIXUP is not set
 # CONFIG_SYS_MALLOC_CLEAR_ON_INIT is not set
+CONFIG_EFI_LOADER_BOUNCE_BUFFER=y
 CONFIG_FIT=y
 CONFIG_BOOTSTD_DEFAULTS=y
 CONFIG_BOOTSTAGE=y
diff --git a/doc/README.TPL b/doc/README.TPL
deleted file mode 100644
index 95b466e4af9..00000000000
--- a/doc/README.TPL
+++ /dev/null
@@ -1,49 +0,0 @@
-Generic TPL framework
-=====================
-
-Overview
---------
-
-TPL---Third Program Loader.
-
-Due to the SPL on some boards(powerpc mpc85xx) has a size limit and cannot
-be compatible with all the external device(e.g. DDR). So add a tertiary
-program loader (TPL) to enable a loader stub loaded by the code from the
-SPL. It loads the final uboot image into DDR, then jump to it to begin
-execution. Now, only the powerpc mpc85xx has this requirement and will
-implemente it.
-
-Keep consistent with SPL, with this framework almost all source files for a
-board can be reused. No code duplication or symlinking is necessary anymore.
-
-How it works
-------------
-
-There has been a directory $(srctree)/spl which contains only a Makefile. The
-Makefile is shared by SPL and TPL.
-
-The object files are built separately for SPL/TPL and placed in the
-directory spl/tpl. The final binaries which are generated are
-u-boot-{spl|tpl}, u-boot-{spl|tpl}.bin and u-boot-{spl|tpl}.map.
-
-During the TPL build a variable named CONFIG_TPL_BUILD is exported in the
-make environment and also appended to CPPFLAGS with -DCONFIG_TPL_BUILD.
-
-The SPL options are shared by SPL and TPL, the board config file should
-determine which SPL options to choose based on whether CONFIG_TPL_BUILD
-is set. Source files can be compiled for TPL with options chosen in the
-board config file.
-
-TPL use a small device tree (u-boot-tpl.dtb), containing only the nodes with
-the pre-relocation properties: 'bootph-all' and 'bootph-pre-sram'
-(see doc/develop/spl.rst for details).
-
-For example:
-
-spl/Makefile:
-LIBS-$(CONFIG_SPL_LIBCOMMON_SUPPORT) += common/libcommon.o
-
-CONFIG_SPL_LIBCOMMON_SUPPORT is defined in board config file:
-#ifdef CONFIG_TPL_BUILD
-#define CONFIG_SPL_LIBCOMMON_SUPPORT
-#endif
diff --git a/doc/develop/index.rst b/doc/develop/index.rst
index 30f7fdb8847..d9f2a838207 100644
--- a/doc/develop/index.rst
+++ b/doc/develop/index.rst
@@ -13,6 +13,7 @@ General
    codingstyle
    designprinciples
    docstyle
+   kconfig
    memory
    patman
    process
diff --git a/doc/README.kconfig b/doc/develop/kconfig.rst
index 808cf56e59c..227074dc497 100644
--- a/doc/README.kconfig
+++ b/doc/develop/kconfig.rst
@@ -1,3 +1,5 @@
+.. SPDX-License-Identifier: GPL-2.0-or-later
+
 Kconfig in U-Boot
 =================
 
@@ -5,22 +7,20 @@ This document describes the configuration infrastructure of U-Boot.
 
 The conventional configuration was replaced by Kconfig at v2014.10-rc1 release.
 
-
 Language Specification
 ----------------------
 
-Kconfig originates in Linux Kernel.
-See the file "Documentation/kbuild/kconfig*.txt" in your Linux Kernel
-source directory for a basic specification of Kconfig.
-
+The Kconfig configuration language originates in Linux kernel.
+See the Linux document
+`Kconfig Language <https://www.kernel.org/doc/html/latest/kbuild/kconfig-language.html>`_
+for a description of Kconfig.
 
 Difference from Linux's Kconfig
 -------------------------------
 
 Here are some worth-mentioning configuration targets.
 
-- silentoldconfig
-
+silentoldconfig
   This target updates .config, include/generated/autoconf.h and
   include/configs/* as in Linux.  In U-Boot, it also does the following
   for the compatibility with the old configuration system:
@@ -33,31 +33,26 @@ Here are some worth-mentioning configuration targets.
    * create tpl/include/autoconf.mk (TPL only)
 
    If we could completely switch to Kconfig in a long run
-   (i.e. remove all the include/configs/*.h), those additional processings
+   (i.e. remove all the include/configs/\*.h), those additional processings
    above would be removed.
 
-- defconfig
-
+defconfig
   In U-Boot, "make defconfig" is a shorthand of "make sandbox_defconfig"
 
-- <board>_defconfig
-
+<board>_defconfig
   Now it works as in Linux.
-  The prefixes such as "+S:" in *_defconfig are deprecated.
+  The prefixes such as "+S:" in \*_defconfig are deprecated.
   You can simply remove the prefixes.  Do not add them for new boards.
 
-- <board>_config
-
+<board>_config
   This does not exist in Linux's Kconfig.
   "make <board>_config" works the same as "make <board>_defconfig".
   Prior to Kconfig, in U-Boot, "make <board>_config" was used for the
   configuration.  It is still supported for backward compatibility, so
   we do not need to update the distro recipes.
 
-
 The other configuration targets work as in Linux Kernel.
 
-
 Migration steps to Kconfig
 --------------------------
 
@@ -84,68 +79,79 @@ Configuration file for use in makefiles
 When adding a new CONFIG macro, it is highly recommended to add it to Kconfig
 rather than to a header file.
 
-
 Conversion from boards.cfg to Kconfig
 -------------------------------------
 
 Prior to Kconfig, boards.cfg was a primary database that contained Arch, CPU,
-SoC, etc. of all the supported boards.  It was deleted when switching to
-Kconfig.  Each field of boards.cfg was converted as follows:
-
- Status      ->  "S:" entry of MAINTAINERS
- Arch        ->  CONFIG_SYS_ARCH defined by Kconfig
- CPU         ->  CONFIG_SYS_CPU defined by Kconfig
- SoC         ->  CONFIG_SYS_SOC defined by Kconfig
- Vendor      ->  CONFIG_SYS_VENDOR defined by Kconfig
- Board       ->  CONFIG_SYS_BOARD defined by Kconfig
- Target      ->  File name of defconfig (configs/<target>_defconfig)
- Maintainers ->  "M:" entry of MAINTAINERS
-
+SoC, etc. of all the supported boards. It was deleted when switching to
+Kconfig. Each field of boards.cfg was converted as follows:
+
+=========== ====================================================
+From        To
+=========== ====================================================
+Arch        CONFIG_SYS_ARCH defined by Kconfig
+Board       CONFIG_SYS_BOARD defined by Kconfig
+CPU         CONFIG_SYS_CPU defined by Kconfig
+Maintainers "M:" entry of MAINTAINERS
+SoC         CONFIG_SYS_SOC defined by Kconfig
+Status      "S:" entry of MAINTAINERS
+Target      File name of defconfig (configs/<target>\_defconfig)
+Vendor      CONFIG_SYS_VENDOR defined by Kconfig
+=========== ====================================================
 
 Tips to add/remove boards
 -------------------------
 
 When adding a new board, the following steps are generally needed:
 
- [1] Add a header file include/configs/<target>.h
- [2] Make sure to define necessary CONFIG_SYS_* in Kconfig:
-       Define CONFIG_SYS_CPU="cpu" to compile arch/<arch>/cpu/<cpu>
-       Define CONFIG_SYS_SOC="soc" to compile arch/<arch>/cpu/<cpu>/<soc>
-       Define CONFIG_SYS_VENDOR="vendor" to compile board/<vendor>/common/*
-         and board/<vendor>/<board>/*
-       Define CONFIG_SYS_BOARD="board" to compile board/<board>/*
-         (or board/<vendor>/<board>/* if CONFIG_SYS_VENDOR is defined)
-       Define CONFIG_SYS_CONFIG_NAME="target" to include
-         include/configs/<target>.h
- [3] Add a new entry to the board select menu in Kconfig.
-     The board select menu is located in arch/<arch>/Kconfig or
-     arch/<arch>/*/Kconfig.
- [4] Add a MAINTAINERS file
-     It is generally placed at board/<board>/MAINTAINERS or
-     board/<vendor>/<board>/MAINTAINERS
- [5] Add configs/<target>_defconfig
+1. Add a header file include/configs/<target>.h
+
+2. Make sure to define necessary CONFIG_SYS_* in Kconfig:
+
+   * Define CONFIG_SYS_CPU="cpu" to compile arch/<arch>/cpu/<cpu>
+   * Define CONFIG_SYS_SOC="soc" to compile arch/<arch>/cpu/<cpu>/<soc>
+   * Define CONFIG_SYS_VENDOR="vendor" to compile board/<vendor>/common/\*
+     and board/<vendor>/<board>/\*
+   * Define CONFIG_SYS_BOARD="board" to compile board/<board>/\*
+     (or board/<vendor>/<board>/* if CONFIG_SYS_VENDOR is defined)
+     Define CONFIG_SYS_CONFIG_NAME="target" to include
+     include/configs/<target>.h
+
+3. Add a new entry to the board select menu in Kconfig.
+   The board select menu is located in arch/<arch>/Kconfig or
+   arch/<arch>/\*/Kconfig.
+
+4. Add a MAINTAINERS file
+   It is generally placed at board/<board>/MAINTAINERS or
+   board/<vendor>/<board>/MAINTAINERS
+
+5. Add configs/<target>_defconfig
 
 When removing an obsolete board, the following steps are generally needed:
 
- [1] Remove configs/<target>_defconfig
- [2] Remove include/configs/<target>.h if it is not used by any other boards
- [3] Remove board/<vendor>/<board>/* or board/<board>/* if it is not used
-     by any other boards
- [4] Update MAINTAINERS if necessary
- [5] Remove the unused entry from the board select menu in Kconfig
- [6] Add an entry to doc/README.scrapyard
+1. Remove configs/<target>_defconfig
+
+2. Remove include/configs/<target>.h if it is not used by any other boards
+
+3. Remove board/<vendor>/<board>/\* or board/<board>/\* if it is not used
+   by any other boards
+
+4. Update MAINTAINERS if necessary
+
+5. Remove the unused entry from the board select menu in Kconfig
 
+6. Add an entry to doc/README.scrapyard
 
 TODO
 ----
 
-- In the pre-Kconfig, a single board had multiple entries in the boards.cfg
-  file with differences in the option fields.  The corresponding defconfig
-  files were auto-generated when switching to Kconfig.  Now we have too many
-  defconfig files compared with the number of the supported boards.  It is
+* In the pre-Kconfig, a single board had multiple entries in the boards.cfg
+  file with differences in the option fields. The corresponding defconfig
+  files were auto-generated when switching to Kconfig. Now we have too many
+  defconfig files compared with the number of the supported boards. It is
   recommended to have only one defconfig per board and allow users to select
   the config options.
 
-- Move the config macros in header files to Kconfig.  When we move at least
+* Move the config macros in header files to Kconfig. When we move at least
   macros used in makefiles, we can drop include/autoconfig.mk, which makes
   the build scripts much simpler.
diff --git a/doc/usage/cmd/wget.rst b/doc/usage/cmd/wget.rst
index b8ca35bb140..48bedf1e845 100644
--- a/doc/usage/cmd/wget.rst
+++ b/doc/usage/cmd/wget.rst
@@ -11,29 +11,54 @@ Synopsis
 
 ::
 
-    wget address [[hostIPaddr:]path]
+    wget [address] [host:]path
+    wget [address] url          # lwIP only
+
 
 Description
 -----------
 
-The wget command is used to download a file from an HTTP server.
+The wget command is used to download a file from an HTTP(S) server.
+In order to use HTTPS you will need to compile wget with lwIP support.
+
+Legacy syntax
+~~~~~~~~~~~~~
+
+The legacy syntax is supported by the legacy network stack (CONFIG_NET=y)
+as well as by the lwIP base network stack (CONFIG_NET_LWIP=y). It supports HTTP
+only.
 
-wget command will use HTTP over TCP to download files from an HTTP server.
 By default the destination port is 80 and the source port is pseudo-random.
-The environment variable *httpdstp* can be used to set the destination port.
+On the legacy nework stack the environment variable *httpdstp* can be used to
+set the destination port
 
 address
     memory address for the data downloaded
 
-hostIPaddr
-    IP address of the HTTP server, defaults to the value of environment
-    variable *serverip*
+host
+    IP address (or host name if `CONFIG_CMD_DNS` is enabled) of the HTTP
+    server, defaults to the value of environment variable *serverip*.
 
 path
     path of the file to be downloaded.
 
-Example
--------
+New syntax (lwIP only)
+~~~~~~~~~~~~~~~~~~~~~~
+
+In addition to the syntax described above, wget accepts URLs if the network
+stack is lwIP.
+
+address
+    memory address for the data downloaded
+
+url
+    HTTP or HTTPS URL, that is: http[s]://<host>[:<port>]/<path>.
+
+Examples
+--------
+
+Example with the legacy network stack
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 In the example the following steps are executed:
 
@@ -52,13 +77,42 @@ In the example the following steps are executed:
     HTTP/1.0 302 Found
     Packets received 4, Transfer Successful
 
+Example with lwIP
+~~~~~~~~~~~~~~~~~
+
+In the example the following steps are executed:
+
+* setup client network address
+* download a file from the HTTPS server
+
+::
+
+   => dhcp
+   DHCP client bound to address 10.0.2.15 (3 ms)
+   => wget https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.4-aarch64-minimal.iso
+   ##########################################################################
+   ##########################################################################
+   ##########################################################################
+   [...]
+   1694892032 bytes transferred in 492181 ms (3.3 MiB/s)
+   Bytes transferred = 1694892032 (65060000 hex)
+
 Configuration
 -------------
 
 The command is only available if CONFIG_CMD_WGET=y.
+To enable lwIP support set CONFIG_NET_LWIP=y.
+
+TCP Selective Acknowledgments in the legacy network stack can be enabled via
+CONFIG_PROT_TCP_SACK=y. This will improve the download speed. Selective
+Acknowledgments are enabled by default with lwIP.
+
+.. note::
 
-TCP Selective Acknowledgments can be enabled via CONFIG_PROT_TCP_SACK=y.
-This will improve the download speed.
+    U-Boot currently has no way to verify certificates for HTTPS.
+    A place to store the root CA certificates is needed, and then MBed TLS would
+    need to walk the entire chain. Therefore, man-in-the middle attacks are
+    possible and HTTPS should not be relied upon for payload authentication.
 
 Return value
 ------------
diff --git a/lib/efi_loader/Kconfig b/lib/efi_loader/Kconfig
index 58d49789f12..d93f28b8422 100644
--- a/lib/efi_loader/Kconfig
+++ b/lib/efi_loader/Kconfig
@@ -481,7 +481,6 @@ endmenu
 menu "Misc options"
 config EFI_LOADER_BOUNCE_BUFFER
 	bool "EFI Applications use bounce buffers for DMA operations"
-	depends on ARM64
 	help
 	  Some hardware does not support DMA to full 64bit addresses. For this
 	  hardware we can create a bounce buffer so that payloads don't have to
diff --git a/lib/efi_loader/efi_memory.c b/lib/efi_loader/efi_memory.c
index d2f5d563f2a..e493934c713 100644
--- a/lib/efi_loader/efi_memory.c
+++ b/lib/efi_loader/efi_memory.c
@@ -451,7 +451,7 @@ efi_status_t efi_allocate_pages(enum efi_allocate_type type,
 				enum efi_memory_type memory_type,
 				efi_uintn_t pages, uint64_t *memory)
 {
-	u64 len;
+	u64 efi_addr, len;
 	uint flags;
 	efi_status_t ret;
 	phys_addr_t addr;
@@ -499,14 +499,17 @@ efi_status_t efi_allocate_pages(enum efi_allocate_type type,
 		return EFI_INVALID_PARAMETER;
 	}
 
-	addr = (u64)(uintptr_t)map_sysmem(addr, 0);
+	efi_addr = (u64)(uintptr_t)map_sysmem(addr, 0);
 	/* Reserve that map in our memory maps */
-	ret = efi_add_memory_map_pg(addr, pages, memory_type, true);
-	if (ret != EFI_SUCCESS)
+	ret = efi_add_memory_map_pg(efi_addr, pages, memory_type, true);
+	if (ret != EFI_SUCCESS) {
 		/* Map would overlap, bail out */
+		lmb_free_flags(addr, (u64)pages << EFI_PAGE_SHIFT, flags);
+		unmap_sysmem((void *)(uintptr_t)efi_addr);
 		return  EFI_OUT_OF_RESOURCES;
+	}
 
-	*memory = addr;
+	*memory = efi_addr;
 
 	return EFI_SUCCESS;
 }
@@ -546,6 +549,8 @@ efi_status_t efi_free_pages(uint64_t memory, efi_uintn_t pages)
 	if (status)
 		return EFI_NOT_FOUND;
 
+	unmap_sysmem((void *)(uintptr_t)memory);
+
 	return ret;
 }
 
diff --git a/lib/efi_loader/efi_tcg2.c b/lib/efi_loader/efi_tcg2.c
index 866a529857e..572c6b5bf63 100644
--- a/lib/efi_loader/efi_tcg2.c
+++ b/lib/efi_loader/efi_tcg2.c
@@ -607,12 +607,9 @@ efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
 	 * Format"
 	 */
 	if (flags & PE_COFF_IMAGE) {
-		IMAGE_NT_HEADERS32 *nt;
-
 		ret = efi_check_pe((void *)(uintptr_t)data_to_hash,
-				   data_to_hash_len, (void **)&nt);
+				   data_to_hash_len, NULL);
 		if (ret != EFI_SUCCESS) {
-			log_err("Not a valid PE-COFF file\n");
 			ret = EFI_UNSUPPORTED;
 			goto out;
 		}