{"id":2222304,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2222304/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260411-qcom_spl-v2-7-9609557cf562@seznam.cz/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/1.2/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260411-qcom_spl-v2-7-9609557cf562@seznam.cz>","list_archive_url":null,"date":"2026-04-11T00:00:12","name":"[v2,07/10] mach-snapdragon: boot0.h: add sdm845_spl_boot0.h","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"ed6c4183eb15f02019dba87b38974e95f31af3bc","submitter":{"id":77645,"url":"http://patchwork.ozlabs.org/api/1.2/people/77645/?format=json","name":"Michael Srba","email":"michael.srba@seznam.cz"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260411-qcom_spl-v2-7-9609557cf562@seznam.cz/mbox/","series":[{"id":499535,"url":"http://patchwork.ozlabs.org/api/1.2/series/499535/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=499535","date":"2026-04-11T00:00:12","name":"Add SPL support for Qualcomm platforms, starting with sdm845","version":2,"mbox":"http://patchwork.ozlabs.org/series/499535/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222304/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2222304/checks/","tags":{},"related":[],"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=seznam.cz header.i=@seznam.cz header.a=rsa-sha256\n header.s=szn1 header.b=EIWVJInS;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=seznam.cz","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n secure) header.d=seznam.cz header.i=@seznam.cz header.b=\"EIWVJInS\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=seznam.cz","phobos.denx.de;\n spf=pass smtp.mailfrom=michael.srba@seznam.cz"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4ft4bC6D5Cz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 11 Apr 2026 17:11:19 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 228F38426C;\n\tSat, 11 Apr 2026 09:09:09 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 792D684198; Sat, 11 Apr 2026 02:04:00 +0200 (CEST)","from mxd-2-a16.seznam.cz (mxd-2-a16.seznam.cz\n [IPv6:2a02:598:64:8a00::1000:a16])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id D0AC683DC9\n for <u-boot@lists.denx.de>; Sat, 11 Apr 2026 02:03:57 +0200 (CEST)","from email.seznam.cz by smtpc-mxd-7644845457-sbn6w\n (smtpc-mxd-7644845457-sbn6w [2a02:598:64:8a00::1000:a16])\n id 3833eebb633dbad2399a22e5; Sat, 11 Apr 2026 02:03:17 +0200 (CEST)","from [127.0.0.1] (ip-111-27.static.ccinternet.cz [147.161.27.111])\n by smtpd-relay-6597cc8696-xddnz (szn-email-smtpd/2.0.72) with ESMTPA\n id 4aece207-b9b5-4b16-8581-b04eff31af3e;\n Sat, 11 Apr 2026 02:03:03 +0200"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=seznam.cz; s=szn1;\n t=1775865797; bh=vVTEeJaDEDLgb20scJoILNdnbX8OzJkq8Zymvzp2gPc=;\n h=From:Date:Subject:MIME-Version:Content-Type:\n Content-Transfer-Encoding:Message-Id:To:Cc;\n b=EIWVJInSf5cES9B3IbxK4BLibesC7TFE4QuxdqEgAZB/wwQtw2O1M5QSu/FOQE/2m\n HB3qUaGl9QZ0+rBXMObcCzIH4KlnB/NQXTBm3XE6LJzwKlrdwAhnsMo/BhYkciez5i\n AvDfe/U/wfNYWUw4cx8oust04dj3+QXQXT4KEDaM9YD4WqGgZY43ndtetTSNHq1NGr\n YBI3y0tqfl67GrGSpKWEwS6LtO7e+oTTMoZD54DsUslDAu2AQ6gbbeZqhxvKHzsCcl\n KHJlpLQrDRs+FH9+ZgqUBMwG4cwSHPJXysrImZmoUQrjvbxqvJ/bfYgQtyVSwUXh2i\n PQJz0bwmv851g==","From":"michael.srba@seznam.cz","Date":"Sat, 11 Apr 2026 02:00:12 +0200","Subject":"[PATCH v2 07/10] mach-snapdragon: boot0.h: add sdm845_spl_boot0.h","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"7bit","Message-Id":"<20260411-qcom_spl-v2-7-9609557cf562@seznam.cz>","References":"<20260411-qcom_spl-v2-0-9609557cf562@seznam.cz>","In-Reply-To":"<20260411-qcom_spl-v2-0-9609557cf562@seznam.cz>","To":"u-boot@lists.denx.de, Sumit Garg <sumit.garg@kernel.org>,\n u-boot-qcom@groups.io","Cc":"Tom Rini <trini@konsulko.com>,\n Ilias Apalodimas <ilias.apalodimas@linaro.org>,\n Simon Glass <sjg@chromium.org>, Sughosh Ganu <sughosh.ganu@arm.com>,\n Anshul Dalal <anshuld@ti.com>, Peng Fan <peng.fan@nxp.com>,\n Mattijs Korpershoek <mkorpershoek@kernel.org>,\n Quentin Schulz <quentin.schulz@cherry.de>,\n Heinrich Schuchardt <xypron.glpk@gmx.de>, Andrew Davis <afd@ti.com>,\n Hrushikesh Salunke <h-salunke@ti.com>,\n Dario Binacchi <dario.binacchi@amarulasolutions.com>, Ye Li <ye.li@nxp.com>,\n Andre Przywara <andre.przywara@arm.com>,\n Alif Zakuan Yuslaimi <alif.zakuan.yuslaimi@altera.com>,\n Leo Yu-Chi Liang <ycliang@andestech.com>,\n Andrew Goodbody <andrew.goodbody@linaro.org>, Dhruva Gole <d-gole@ti.com>,\n Kaustabh Chakraborty <kauschluss@disroot.org>,\n Jerome Forissier <jerome.forissier@arm.com>,\n Heiko Schocher <hs@nabladev.com>,\n Marek Vasut <marek.vasut+renesas@mailbox.org>,\n Lukasz Majewski <lukma@denx.de>,\n Mateusz Kulikowski <mateusz.kulikowski@gmail.com>,\n Dinesh Maniyam <dinesh.maniyam@altera.com>,\n Neil Armstrong <neil.armstrong@linaro.org>,\n Patrice Chotard <patrice.chotard@foss.st.com>,\n Patrick Delaunay <patrick.delaunay@foss.st.com>,\n Michal Simek <michal.simek@amd.com>, Yao Zi <me@ziyao.cc>,\n Peter Korsgaard <peter@korsgaard.com>,\n Rayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>,\n Casey Connolly <casey.connolly@linaro.org>,\n Tingting Meng <tingting.meng@altera.com>,\n Tien Fong Chee <tien.fong.chee@altera.com>, Alice Guo <alice.guo@nxp.com>,\n George Chan <gchan9527@gmail.com>,\n Balaji Selvanathan <balaji.selvanathan@oss.qualcomm.com>,\n Alexey Charkov <alchark@gmail.com>, Ronald Wahl <ronald.wahl@legrand.com>,\n Michael Srba <Michael.Srba@seznam.cz>","X-Mailer":"b4 0.15.1","X-Mailman-Approved-At":"Sat, 11 Apr 2026 09:08:55 +0200","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"From: Michael Srba <Michael.Srba@seznam.cz>\n\nOn sdm845, running u-boot SPL in EL3 requires escalting by using\nan unintentional feature in old builds of xbl_sec.elf. We do this\nin boot0.h so the rest of U-Boot can stay blissfully unaware\nof XBL_SEC. If we are already in EL3 for whatever reason, the\ncode is skipped.\n\nSigned-off-by: Michael Srba <Michael.Srba@seznam.cz>\n---\n arch/arm/mach-snapdragon/include/mach/boot0.h      |   4 +\n .../include/mach/sdm845_spl_boot0.h                | 120 +++++++++++++++++++++\n 2 files changed, 124 insertions(+)","diff":"diff --git a/arch/arm/mach-snapdragon/include/mach/boot0.h b/arch/arm/mach-snapdragon/include/mach/boot0.h\nindex 44a764788de..5d401051bd1 100644\n--- a/arch/arm/mach-snapdragon/include/mach/boot0.h\n+++ b/arch/arm/mach-snapdragon/include/mach/boot0.h\n@@ -1,6 +1,10 @@\n /* SPDX-License-Identifier: GPL-2.0+ */\n #if defined(CONFIG_SPL_BUILD)\n+#if defined(CONFIG_SPL_TARGET_SDM845)\n+#include \"sdm845_spl_boot0.h\"\n+#else\n \tb\treset\n+#endif\n #else\n /* currently only db410c enables boot0.h in u-boot proper */\n #include \"msm8916_boot0.h\"\ndiff --git a/arch/arm/mach-snapdragon/include/mach/sdm845_spl_boot0.h b/arch/arm/mach-snapdragon/include/mach/sdm845_spl_boot0.h\nnew file mode 100644\nindex 00000000000..a0136578756\n--- /dev/null\n+++ b/arch/arm/mach-snapdragon/include/mach/sdm845_spl_boot0.h\n@@ -0,0 +1,120 @@\n+/* SPDX-License-Identifier: GPL-2.0+ */\n+/*\n+ * Workaround for non-qcom-signed code being entered in EL1 on sdm845\n+ * Copyright (C) 2026 Michael Srba <Michael.Srba@seznam.cz>\n+ *\n+ * This code uses an unintentional ownership enhancing feature in older builds of XBL_SEC\n+ * in order to elevate our privileges to EL3 as soon as possible after a system reset.\n+ * This allows for a very close approximation of a clean state.\n+ *\n+ * Do note that you still need to own the device in the sense that you control the code that\n+ * XBL_SEC jumps to in EL1, which is sadly not a level of ownership commonly afforded to you\n+ * by the device manufacturer. On such devices, CVE-2021-30327 could help, but it's not documented\n+ * and there is no PoC available utilizing it\n+ *\n+ */\n+#include <linux/arm-smccc.h>\n+\n+#define SCM_SMC_FNID(s, c)\t((((s) & 0xFF) << 8) | ((c) & 0xFF))\n+\n+#define ARM_SMCCC_SIP32_FAST_CALL \\\n+\tARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL, ARM_SMCCC_SMC_32, ARM_SMCCC_OWNER_SIP, 0)\n+\n+/* same as with qcom's TZ */\n+#define QCOM_SCM_SVC_MEM_DUMP 0x03\n+/* unlike the TZ counterpart, in XBL_SEC this simply unlocks the XPUs */\n+#define QCOM_SCM_MEM_DUMP_UNLOCK_SECURE_REGIONS 0x10\n+\n+/*\n+ * We put our payload in place of some SCM call, the important thing is that it's hopefully\n+ * in a memory region that is not in cache.\n+ *\n+ * It would be cleaner to just put our code at the scm entry point in the vector table,\n+ * however it seems that we can't force cache coherency from EL1 if EL3 doesn't have\n+ * any reason to care about that.\n+ */\n+#define QCOM_SCM_SVC_DONOR 0x01\n+#define QCOM_SCM_DONOR 0x16\n+/* we replace the instructions at this address with a jump to the start of u-boot */\n+/* NOTE: this address is specific to a particular XBL_SEC elf */\n+#define XBL_SEC_DONOR_SCM_ADDR 0x146a0ce0\n+\n+/* gnu as doesn't implement these useful pseudoinstructions */\n+.macro movq Xn, imm\n+    movz    \\Xn,  \\imm & 0xFFFF\n+    movk    \\Xn, (\\imm >> 16) & 0xFFFF, lsl 16\n+    movk    \\Xn, (\\imm >> 32) & 0xFFFF, lsl 32\n+    movk    \\Xn, (\\imm >> 48) & 0xFFFF, lsl 48\n+.endm\n+\n+.macro movl Wn, imm\n+    movz    \\Wn,  \\imm & 0xFFFF\n+    movk    \\Wn, (\\imm >> 16) & 0xFFFF, lsl 16\n+.endm\n+\n+/* copy 32 bits to an address from a label */\n+.macro copy32 addr, text_base, addrofval, offset\n+\tmovl\tx0, \\addr\n+\tadd\tx0, x0, \\offset\n+\tmovq\tx1, \\text_base\n+\tadd\tx1, x1, \\addrofval\n+\tadd\tx1, x1, \\offset\n+\tldr\tw2, [x1]\n+\tstr\tw2, [x0]\n+\tdc\tcvau, x0 // flush cache to RAM straight away, we need to do it by address anyway\n+.endm\n+\n+.macro copy_instructions addr, text_base, start_addr, num_bytes // num_bytes must be a multiple of 4\n+\tmov x3,\t#0x0 // x0, x1 and w2 used by copy32\n+1:\n+\tcopy32\t\\addr, \\text_base, \\start_addr, x3\n+\tadd\tx3, x3, #0x4 // i+=4\n+\tcmp\tx3, \\num_bytes\n+\tblo\t1b\n+.endm\n+\n+\t/*  If we're already in EL3 for some reason,  skip this whole thing */\n+\tmrs\tx0, CurrentEL\n+\tcmp\tx0, #(3 << 2)\t/* EL3 */\n+\tbeq\treset\n+\n+\t/* disable the mmu */\n+\tmrs\tx0, sctlr_el1\n+\tand     x0, x0, #~(1 << 0) // CTRL_M\n+\tmsr\tsctlr_el1, x0\n+\n+\tmov\tx0, #ARM_SMCCC_SIP32_FAST_CALL\n+\tmovk\tx0, #SCM_SMC_FNID(QCOM_SCM_SVC_MEM_DUMP, QCOM_SCM_MEM_DUMP_UNLOCK_SECURE_REGIONS)\n+\tmov\tx1, #0x0\t/* no params */\n+\tmov\tx6, #0x0\n+\n+\tsmc\t#0 /* unlock XBL_SEC code area for writing (assuming old enough XBL_SEC build) */\n+\n+\t/* this will also flush the writes from cache */\n+\tcopy_instructions XBL_SEC_DONOR_SCM_ADDR, CONFIG_SPL_TEXT_BASE, el3_payload, #((el3_payload_end - el3_payload))\n+\n+\t/* this probably doesn't affect EL3, but it doesn't hurt */\n+\tdsb\tish\t/* block until cache is flushed */\n+\tic\tiallu\t/* force re-fetch of our shiny new instructions */\n+\tdsb\tish\t/* block until invalidation is finished */\n+\tisb\tsy\t/* unify here ? */\n+\n+\tmov\tx0, #ARM_SMCCC_SIP32_FAST_CALL\n+\tmovk\tx0, #SCM_SMC_FNID(QCOM_SCM_SVC_DONOR, QCOM_SCM_DONOR)\n+\tmov\tx1, #0x0\t/* no params */\n+\tsmc\t#0\t/* call the payload */\n+\n+el3_ret_point:\n+\tb\treset\n+\n+el3_payload:\n+\t/* disable the mmu for EL3 too */\n+\tmrs\tx0, sctlr_el3\n+\tand     x0, x0, #~(1 << 0) // CTRL_M\n+\tmsr\tsctlr_el3, x0\n+\n+\t/* jump back to our code, but now in EL3 */\n+\tmovl\tx0, CONFIG_SPL_TEXT_BASE\n+\tadd\tx0, x0, (el3_ret_point - _start)\n+\tbr\tx0\n+el3_payload_end:\n","prefixes":["v2","07/10"]}