[PATCH v4 10/11] qualcomm: add defconfig, env and docs for SPL on sdm845

Sun Apr 26 01:26:12 CEST 2026

From: Michael Srba <Michael.Srba at seznam.cz>

The defconfig should in principle be board-agnostic. Environment
simply contains a dfu env specifying where to load u-boot proper
(TEXT_BASE - 64).

Signed-off-by: Michael Srba <Michael.Srba at seznam.cz>
Reviewed-by: Simon Glass <sjg at chromium.org>
---
 MAINTAINERS                   |   1 +
 board/qualcomm/sdm845_spl.env |   2 +
 configs/sdm845_spl_defconfig  | 138 ++++++++++++++++++++++++++++++++++++++++++
 doc/board/qualcomm/index.rst  |   1 +
 doc/board/qualcomm/spl.rst    |  91 ++++++++++++++++++++++++++++
 5 files changed, 233 insertions(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index 6c596971ae4..1de57ff7606 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -676,6 +676,7 @@ S:	Maintained
 T:	git https://source.denx.de/u-boot/custodians/u-boot-snapdragon.git
 F:	configs/qcm6490_defconfig
 F:	configs/qcs9100_defconfig
+F:	configs/sdm845_spl_defconfig
 F:	drivers/*/*/pm8???-*
 F:	drivers/gpio/msm_gpio.c
 F:	drivers/mmc/msm_sdhci.c
diff --git a/board/qualcomm/sdm845_spl.env b/board/qualcomm/sdm845_spl.env
new file mode 100644
index 00000000000..2396d003b0c
--- /dev/null
+++ b/board/qualcomm/sdm845_spl.env
@@ -0,0 +1,2 @@
+# U-Boot proper text base - 64
+dfu_alt_info_ram=uboot.bin ram 0x1487FFC0 0x180000
diff --git a/configs/sdm845_spl_defconfig b/configs/sdm845_spl_defconfig
new file mode 100644
index 00000000000..04afe282a3a
--- /dev/null
+++ b/configs/sdm845_spl_defconfig
@@ -0,0 +1,138 @@
+CONFIG_ARM=y
+CONFIG_SKIP_LOWLEVEL_INIT=y
+CONFIG_COUNTER_FREQUENCY=19200000
+CONFIG_POSITION_INDEPENDENT=y
+# CONFIG_INIT_SP_RELATIVE is not set
+CONFIG_ARCH_SNAPDRAGON=y
+CONFIG_TEXT_BASE=0x14880000
+CONFIG_SYS_MALLOC_LEN=0x20000
+CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y
+CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x146bffff
+CONFIG_SPL_SYS_MALLOC_F_LEN=0x20000
+CONFIG_SPL_SERIAL=y
+CONFIG_SPL_DRIVERS_MISC=y
+CONFIG_SPL_STACK=0x146bffff
+CONFIG_SPL_TEXT_BASE=0x1483f000
+CONFIG_SPL_BSS_START_ADDR=0x14680000
+CONFIG_SPL_BSS_MAX_SIZE=0x2000
+CONFIG_SYS_BOOTM_LEN=0x4000000
+CONFIG_SYS_LOAD_ADDR=0x0
+CONFIG_WATCHDOG_TIMEOUT_MSECS=60000
+CONFIG_TARGET_SDM845=y
+CONFIG_SPL=y
+CONFIG_SPL_PAYLOAD="u-boot.img"
+CONFIG_SKIP_RELOCATE=y
+# CONFIG_EFI_LOADER is not set
+CONFIG_OF_BOARD_SETUP=y
+CONFIG_USE_PREBOOT=y
+CONFIG_CONSOLE_RECORD=y
+CONFIG_CONSOLE_RECORD_OUT_SIZE=0xA000
+CONFIG_CONSOLE_RECORD_OUT_SIZE_F=0xA000
+CONFIG_LOGLEVEL=9
+CONFIG_SYS_STDIO_DEREGISTER=y
+CONFIG_LOG_MAX_LEVEL=9
+CONFIG_SPL_LOG=y
+CONFIG_SPL_LOG_MAX_LEVEL=9
+# CONFIG_DISPLAY_CPUINFO is not set
+CONFIG_SPL_MAX_SIZE=0x7ffc0
+CONFIG_SPL_PAD_TO=0x0
+CONFIG_SPL_REMAKE_ELF_LDSCRIPT="arch/arm/mach-snapdragon/u-boot-spl-elf-sdm845.lds"
+CONFIG_SPL_DMA=y
+CONFIG_SPL_REMAKE_ELF=y
+CONFIG_SPL_DM_RESET=y
+CONFIG_SPL_POWER_DOMAIN=y
+CONFIG_BOOTM_NETBSD=y
+CONFIG_CMD_CLK=y
+CONFIG_CMD_DFU=y
+CONFIG_CMD_GPIO=y
+CONFIG_CMD_I2C=y
+CONFIG_CMD_MMC=y
+CONFIG_CMD_UFS=y
+CONFIG_CMD_CAT=y
+CONFIG_CMD_RNG=y
+CONFIG_CMD_REGULATOR=y
+CONFIG_CMD_LOG=y
+CONFIG_OF_UPSTREAM_BUILD_VENDOR=y
+CONFIG_ENV_USE_DEFAULT_ENV_TEXT_FILE=y
+CONFIG_ENV_DEFAULT_ENV_TEXT_FILE="board/qualcomm/sdm845_spl.env"
+CONFIG_NET_RANDOM_ETHADDR=y
+# CONFIG_OFNODE_MULTI_TREE is not set
+CONFIG_BUTTON_QCOM_PMIC=y
+CONFIG_CLK=y
+CONFIG_SPL_CLK=y
+CONFIG_CLK_STUB=y
+CONFIG_SPL_CLK_STUB=y
+CONFIG_CLK_QCOM_SDM845=y
+CONFIG_DFU_MMC=y
+CONFIG_DFU_RAM=y
+CONFIG_DFU_SCSI=y
+CONFIG_SYS_DFU_DATA_BUF_SIZE=0x5000
+CONFIG_DMA=y
+CONFIG_DMA_CHANNELS=y
+CONFIG_USB_FUNCTION_FASTBOOT=y
+CONFIG_FASTBOOT_BUF_ADDR=0xdeadbeef
+CONFIG_MSM_GPIO=y
+CONFIG_QCOM_PMIC_GPIO=y
+CONFIG_DM_I2C=y
+CONFIG_SYS_I2C_QUP=y
+CONFIG_I2C_MUX=y
+CONFIG_IOMMU=y
+CONFIG_QCOM_HYP_SMMU=y
+CONFIG_MISC=y
+CONFIG_NVMEM=y
+CONFIG_I2C_EEPROM=y
+CONFIG_MMC_SDHCI=y
+CONFIG_MMC_SDHCI_ADMA=y
+CONFIG_MMC_SDHCI_MSM=y
+CONFIG_DM_ETH_PHY=y
+CONFIG_PHY=y
+CONFIG_SPL_PHY=y
+CONFIG_PHY_QCOM_QMP_UFS=y
+CONFIG_PHY_QCOM_QUSB2=y
+CONFIG_PHY_QCOM_USB_SNPS_FEMTO_V2=y
+CONFIG_PHY_QCOM_SNPS_EUSB2=y
+CONFIG_PHY_QCOM_USB_HS_28NM=y
+CONFIG_PHY_QCOM_USB_SS=y
+CONFIG_PINCTRL=y
+CONFIG_PINCONF=y
+CONFIG_PINCTRL_QCOM_APQ8016=y
+CONFIG_PINCTRL_QCOM_APQ8096=y
+CONFIG_PINCTRL_QCOM_QCM2290=y
+CONFIG_PINCTRL_QCOM_QCS404=y
+CONFIG_PINCTRL_QCOM_SDM845=y
+CONFIG_PINCTRL_QCOM_SM6115=y
+CONFIG_PINCTRL_QCOM_SM8250=y
+CONFIG_PINCTRL_QCOM_SM8550=y
+CONFIG_PINCTRL_QCOM_SM8650=y
+CONFIG_PINCTRL_QCOM_X1E80100=y
+CONFIG_DM_PMIC=y
+CONFIG_PMIC_QCOM=y
+CONFIG_DM_REGULATOR=y
+CONFIG_DM_REGULATOR_FIXED=y
+CONFIG_DM_REGULATOR_QCOM_RPMH=y
+CONFIG_DM_RNG=y
+CONFIG_RNG_MSM=y
+CONFIG_SCSI=y
+CONFIG_MSM_SERIAL=y
+CONFIG_SOC_QCOM=y
+CONFIG_QCOM_COMMAND_DB=y
+CONFIG_QCOM_RPMH=y
+CONFIG_SPL_SPMI=y
+CONFIG_SPMI_MSM=y
+CONFIG_SYSINFO=y
+CONFIG_SYSINFO_SMBIOS=y
+CONFIG_SYSRESET_QCOM_PSHOLD=y
+CONFIG_USB=y
+CONFIG_USB_DWC3=y
+CONFIG_USB_DWC3_GENERIC=y
+CONFIG_SPL_USB_DWC3_GENERIC=y
+CONFIG_USB_GADGET=y
+CONFIG_USB_GADGET_VENDOR_NUM=0x0525
+CONFIG_USB_GADGET_PRODUCT_NUM=0xb4a4
+CONFIG_USB_ETHER=y
+CONFIG_USB_ETH_CDC=y
+CONFIG_SPL_DFU=y
+CONFIG_SPL_USB_SDP_SUPPORT=y
+CONFIG_UFS=y
+# CONFIG_SPL_USE_TINY_PRINTF is not set
+CONFIG_CIRCBUF=y
diff --git a/doc/board/qualcomm/index.rst b/doc/board/qualcomm/index.rst
index 3238a68e859..65e3e222f68 100644
--- a/doc/board/qualcomm/index.rst
+++ b/doc/board/qualcomm/index.rst
@@ -14,3 +14,4 @@ Qualcomm
    iq8
    phones
    rdp
+   spl
diff --git a/doc/board/qualcomm/spl.rst b/doc/board/qualcomm/spl.rst
new file mode 100644
index 00000000000..0cf18c70e4a
--- /dev/null
+++ b/doc/board/qualcomm/spl.rst
@@ -0,0 +1,91 @@
+.. SPDX-License-Identifier: GPL-2.0+
+.. sectionauthor:: Michael Srba <Michael.Srba at seznam.cz>
+
+===================================
+Booting U-Boot SPL on Qualcomm SoCs
+===================================
+
+Overview
+--------
+The boot process on sdm845 (and some other Qualcomm SoCs) starts with the bootrom
+of the Application Processor, which executes XBL_SEC, which jumps to "OEM" code
+in EL1. Production devices are typically "fused", with a hash of the OEM's signing
+key burnt into one of the "QFUSE" banks on the SoC making it impossible to run
+custom bootloader code. As a result U-Boot SPL is only supported on unfused
+("secureboot off") devices. XBL_SEC is always signed by Qualcomm, and the fuses
+to disable turning off signature verification for it are always burnt at the
+factory, so replacing XBL_SEC is impossible without using JTAG. Of course JTAG
+is typically disabled on devices that have secure boot enabled, or at minimum
+greatly neutered.
+
+U-Boot SPL for Qualcomm platforms uses a custom linker script (per SoC) to build a bootable ELF.
+For sdm845 (and some other platforms) this has two sections, u-boot code and an embedded
+xbl_sec elf (signed by Qualcomm). To boot on an unfused SoC, the elf additionally
+needs to have hash sections added, which can be accomplished with qtestsign.
+
+Currently, sdm845 is supported. You need a device with secure boot disabled
+(or with secure boot enabled if you enabled it yourself and have the private key,
+though for full security you'd also want to disable JTAG which will remove your ability
+to mess with the control flow in the bootrom (immutable) and in XBL_SEC (signed)).
+
+Building
+--------
+First, obtain an xbl_sec that includes the EL3 privilege escalation feature
+and place it at .output/xbl_sec.elf. You can extract it from an xbl elf.
+If you're unable to find one, you can also use JTAG/SWD to break at the SMC
+entry and use gdb to jump to the u-boot entry point in EL3.
+
+To build a bootable image, you need to use a defconfig specific to your SoC.
+This is because the ELF has to specify where in the address space to put u-boot SPL,
+and this may differ per SoC. There may be other SoC-dependent build time choices,
+though in principle those could be made at runtime.
+
+First run ``make sdm845_spl_defconfig``::
+
+	make CROSS_COMPILE=aarch64-suse-linux- O=.output DEVICE_TREE=qcom/sdm845-shift-axolotl sdm845_spl_defconfig
+
+Then compile u-boot and specify the dts for your board (technically nothing about the resulting
+SPL image should be board-specific, but there are no non-board-specific device trees in Linux)::
+
+	make CROSS_COMPILE=aarch64-suse-linux- O=.output DEVICE_TREE=qcom/sdm845-shift-axolotl
+
+Finally, use ``qtestsign`` to add the hash segments required by PBL::
+
+	qtestsign -v 5 -o .output/spl/u-boot-spl_signed.elf prog .output/spl/u-boot-spl.elf
+
+Running
+-------
+Currently, U-Boot SPL for Qualcomm platforms expects to be booted via EDL::
+
+	edl.py --loader=$PWD/.output/spl/u-boot-spl_signed.elf
+
+SPL will then launch the DFU gadget and wait for you to upload u-boot proper::
+
+	dfu-util -RD .output/u-boot.img
+
+u-boot proper will then likely crash, since SPL currently doesn't init DRAM on Qualcomm platforms
+and u-boot proper currently doesn't support running from SRAM. The latter should be an easy fix.
+
+Notes on memory map
+-------------------
+| There are various banks of SRAM on a Qualcomm SoC that we can use prior to DRAM init.
+| For example:
+| msm8916 - 512K L2-as-TCM (at ``0x08000000``), 16K OCIMEM (at ``0x08600000``)
+| msm8998 - 1M L2-as-TCM (at ``0x14000000``), 256K OCIMEM (at ``0x14680000``)
+| sdm845 - 1.5M BOOT_IMEM (at ``0x14800000``), 256K OCIMEM (at ``0x14680000``)
+
+There's also RPM code/data RAM and hexagon TCMs, but unless we want to boot dram-less Linux
+we can probably safely ignore those. On msm8916 they may come in handy though.
+
+sdm845 can also have 8M LLCC-as-TCM in theory, but this appears to be broken.
+L2-as-TCM is no longer present.
+
+Since a limited amount of not necessarily continuous SRAM is available, we need to manually
+specify where .text, .bss, the malloc pool and the stack go. The Kconfig contains reasonable
+defaults per SoC.
+
+On sdm845, we by default put U-Boot SPL in BOOT_IMEM, with .bss, malloc pool and the stack
+filling OCIMEM. We can also fit U-Boot proper in BOOT_IMEM, for dram-less DFU or peek/poke
+with a shell. To that end, we set ``CONFIG_TEXT_BASE`` at 512K into BOOT_IMEM, and set
+``CONFIG_SPL_MAX_SIZE`` to 512K - 64. We also configure dfu to load U-Boot proper
+to ``CONFIG_TEXT_BASE`` - 64. (64 bytes is the size of u-boot legacy header)

-- 
2.53.0

