[U-Boot] [PATCH 2/4] fdt: Add Kconfig options to control code size

Heinrich Schuchardt xypron.glpk at gmx.de
Sun Oct 27 18:06:38 UTC 2019


On 10/27/19 4:47 PM, Simon Glass wrote:
> For better or worse libfdt recently grew a lot of code that checks the
> validity of the device tree in great detail. When using unsigned or
> unverified data this makes things safer, but it does add to code size.
>
> Add some controls to select the trade-off between safety and code size.
>
> Signed-off-by: Simon Glass <sjg at chromium.org>
> ---
>
>   lib/Kconfig         | 33 +++++++++++++++++++++++++++++++++
>   lib/libfdt/Makefile |  3 ++-
>   2 files changed, 35 insertions(+), 1 deletion(-)
>
> diff --git a/lib/Kconfig b/lib/Kconfig
> index 135f0b372b..b8a8509d72 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -464,6 +464,17 @@ config OF_LIBFDT
>   	  particular compatible nodes. The library operates on a flattened
>   	  version of the device tree.
>
> +config OF_LIBFDT_ASSUME_MASK
> +	hex "Mask of conditions to assume for libfdt"
> +	depends on OF_LIBFDT || FIT
> +	default 0
> +	help
> +	  Use this to change the assumptions made by libfdt about the
> +	  device tree it is working with. A value of 0 means that no assumptions
> +	  are made, and libfdt is able to deal with malicious data. A value of

What do you mean by malicious here?

The checks in libfdt are about inconsistent FDT files. But they would
not discover malicious settings like a destructive voltage or frequency.

Would FDT_ASSUME_SANE match what we have been checking up to now? Why
not use 1 as the default here to reduce the code size of U-Boot?

> +	  0xff means all assumptions are made and any invalid data may cause
> +	  unsafe execution. See FDT_ASSUME_PERFECT, etc. in libfdt_internal.h
> +
>   config OF_LIBFDT_OVERLAY
>   	bool "Enable the FDT library overlay support"
>   	depends on OF_LIBFDT
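
Review bot: The help text for OF_LIBFDT_ASSUME_MASK defines only the two end points, 0 and 0xff, and sends the reader to libfdt_internal.h for everything in between, so someone setting this from menuconfig cannot tell which checks a given bit removes. Consider listing the individual assumption bits and their values in the help text, and adding a range (for example `range 0 0xff`) so that a value outside the documented mask is rejected at configuration time.
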
> @@ -481,6 +492,17 @@ config SPL_OF_LIBFDT
>   	  particular compatible nodes. The library operates on a flattened
>   	  version of the device tree.
>
> +config SPL_OF_LIBFDT_ASSUME_MASK
> +	hex "Mask of conditions to assume for libfdt"
> +	depends on SPL_OF_LIBFDT || FIT
> +	default 0xff

On some devices the device tree is provided by the device (e.g. QEMU).
Is it wise to set FDT_ASSUME_LATEST in this case?

Best regards

Heinrich

> +	help
> +	  Use this to change the assumptions made by libfdt in SPL about the
> +	  device tree it is working with. A value of 0 means that no assumptions
> +	  are made, and libfdt is able to deal with malicious data. A value of
> +	  0xff means all assumptions are made and any invalid data may cause
> +	  unsafe execution. See FDT_ASSUME_PERFECT, etc. in libfdt_internal.h
> +
>   config TPL_OF_LIBFDT
>   	bool "Enable the FDT library for TPL"
>   	default y if TPL_OF_CONTROL
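
Review bot: SPL_OF_LIBFDT_ASSUME_MASK defaults to 0xff, the value its own help text says lets invalid data cause unsafe execution, and nothing in the help text tells the user that the default sits at the unsafe end of the range. Since the commit message says the checks matter for unsigned or unverified data, the help text should state that the SPL default drops all checks to save code size and that a board whose SPL parses a device tree it has not verified should lower the value; alternatively, make the default conditional on that case.
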
> @@ -491,6 +513,17 @@ config TPL_OF_LIBFDT
>   	  particular compatible nodes. The library operates on a flattened
>   	  version of the device tree.
>
> +config TPL_OF_LIBFDT_ASSUME_MASK
> +	hex "Mask of conditions to assume for libfdt"
> +	depends on TPL_OF_LIBFDT || FIT
> +	default 0xff
> +	help
> +	  Use this to change the assumptions made by libfdt in TPL about the
> +	  device tree it is working with. A value of 0 means that no assumptions
> +	  are made, and libfdt is able to deal with malicious data. A value of
> +	  0xff means all assumptions are made and any invalid data may cause
> +	  unsafe execution. See FDT_ASSUME_PERFECT, etc. in libfdt_internal.h
> +
>   config FDT_FIXUP_PARTITIONS
>   	bool "overwrite MTD partitions in DTS through defined in 'mtdparts'"
>   	depends on OF_LIBFDT
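
Review bot: The prompt "Mask of conditions to assume for libfdt" on TPL_OF_LIBFDT_ASSUME_MASK is identical to the prompts of the U-Boot proper and SPL options, so the three entries cannot be told apart in menuconfig; add "in TPL" here (and "in SPL" on the option above). The `depends on TPL_OF_LIBFDT || FIT` line also makes this option visible whenever FIT is enabled, even in a build with no TPL. Is a TPL-specific condition intended?
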
> diff --git a/lib/libfdt/Makefile b/lib/libfdt/Makefile
> index ef5b6e29d4..5d3ae4e2f1 100644
> --- a/lib/libfdt/Makefile
> +++ b/lib/libfdt/Makefile
> @@ -22,4 +22,5 @@ obj-y += fdt_ro.o
>   # U-Boot own file
>   obj-y += fdt_region.o
>
> -ccflags-y := -I$(srctree)/scripts/dtc/libfdt
> +ccflags-y := -I$(srctree)/scripts/dtc/libfdt \
> +	-DFDT_ASSUME_MASK=$(CONFIG_$(SPL_TPL_)OF_LIBFDT_ASSUME_MASK)
>
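
Review bot: In the new ccflags-y line, $(CONFIG_$(SPL_TPL_)OF_LIBFDT_ASSUME_MASK) expands to nothing when the matching Kconfig symbol is not set for the phase being built, which leaves a bare -DFDT_ASSUME_MASK= and an empty macro. If this directory can be built in such a configuration, give the expansion a fallback of 0 so that the missing case keeps all checks. A one-line comment saying the mask is selected per phase (U-Boot proper, SPL, TPL) would also help the next reader of this Makefile.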


