v2025.10.0

[Sascha Hauer <s.hauer@pengutronix.de>]

Hi All,

We finally have an October release.

We have two bigger things both security related in this release I am happy
to mention here.

First of all thanks to Tobias barebox now supports device mapper and with
it dm-verity. This is a great step towards more standardized booting
when it comes to secure boot. Right now with secure boot we depended on
FIT images in separate partitions, dm-verity will allow us to put
unsigned kernel images into the root partition.

Then there's security policy support. Security policies allow us to
decide at a Kconfig level whether an operation is allowed or forbidden
in a specific security mode which makes it more straight forward to
review security constraints while still allowing more flexibilities to
decide what can be done in development or security enforced mode.

Apart from that there are a few more boards supported in this release:
Samsung Galaxy S8, Samsung Galaxy S20 5G, Radxa Rock-5T and Protonic
PRT8ML.

A few releases ago we started maintaining a migration guide in
Documentation/migration-guides which mentions breaking or other
important changes users might be interested in when migrating to a new
barebox release. I'll add that to the announcement mail in future, so
here we go. Also as usual see below for all patches that went into this
release.

Have Fun!
  Sascha

Migration to v2025.10.0
=======================

Rename in /dev
--------------

The i.MX SNVS device file is now simply called ``snvs`` instead of the
previous unwieldy name derived from device tree,
e.g., ``/dev/30370000.snvs@30370000:snvs-lpgpr.of0``.

EEPROMs that are pointed at by a device tree alias do no longer have
an extra 0 at the end, e.g., ``/dev/eeprom00`` has become ``/dev/eeprom0``.

AM62L DT Bindings
-----------------

The SCMI clock IDs for the AM62L have changed in ARM Trusted Firmware,
because the old assignment was not conforming to spec.

barebox now requires TF-A to contain commit
229d03adf ("PENDING: feat(ti): add missing scmi pds").


----------------------------------------------------------------
Ahmad Fatoum (47):
      ci: container: update components installed on top to newest versions
      ci: container: update to Debian Trixie
      ci: build: shuffle goal and prerequisite ordering
      ARM: cpu: allow selecting CPU_V7/CPU_V8 directly
      checkpatch: drop ENOSYS warning
      crypto: ecc: drop unused curve25519 definitions
      kconfig: allow setting CONFIG_ from the outside
      scripts: include scripts/include for all host tools
      kbuild: implement loopable loop_cmd
      Add security policy support
      kbuild: allow security config use without source tree modification
      defaultenv: update PS1 according to security policy
      security: policy: support externally provided configs
      docs: security-policies: add documentation
      commands: go: add security config option
      console: ratp: add security config option
      bootm: support calling bootm_optional_signed_images at any time
      bootm: make unsigned image support runtime configurable
      ARM: configs: add virt32_secure_defconfig
      boards: qemu-virt: add security policies
      boards: qemu-virt: allow setting policy from command line
      test: py: add basic security policy test
      test: emulate.pl: remove in favor of pytest
      common: misc: reduce duplication in strerror
      common: binfmt: replace generic ENOENT message with "Command not found"
      MAKEALL: query CONFIG_64BIT before make instead of CONFIG_ARM64 after
      Makefile: fix spurious find No such file or directory warnings
      test: py: policies: rework for latest changes
      Revert "MAKEALL: query CONFIG_64BIT before make instead of CONFIG_ARM64 after"
      scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility
      scripts: sconfigpast: print panic message when nonnull fails
      kbuild: fix spurious CI failure around sconfig_names.h
      security: hide CRYPTO_BUILTIN_DEVELOPMENT_KEYS behind INSECURE
      Documentation: migration-2025.09.0: add missing guide
      Documentation: migration-2025.10.0: add guide
      Documentation: fix warnings during config build
      scripts: container.sh: support -e for environment variables
      Documentation: add contributing section
      checkpatch: increase maximum line length to 100
      MAKEALL: print --shuffle seed used for initial make *_defconfig
      ci: container: downgrade LLVM to v20
      Documentation: contributing: fix command to reproduce shuffle failure
      MAKEALL: do not early abort initial "probe" defconfig sourcing
      security: policy: remove duplicate SECURITY_POLICY_PATH symbol
      Documentation: migration-2025.08.0: add note about W^X
      Documentation: boards: k3: fix wrong indentation in ReST
      ARM: Rockchip: mention tee-raw.bin by name

Alexander Kurz (1):
      ARM: boards: kindle mx50: extend vendor ATAGs

Alexander Shiyan (5):
      Revert "ARM: at91: choose proper parent for both MCI clocks"
      clk: rockchip: rk3588: Add PLL rate for 1500 MHz
      clk: rockchip: Drop empty init callback for rk3588 PLL type
      ARM: dts: rockchip: Set initial CPU frequencies for RK3588
      ARM: dts: rockchip: Set CPLL frequency for RK3588

Chali Anis (4):
      clk: clkdev: fix format security.
      drivers: dma: refactor: rename dma_ops to dma_device_ops.
      riscv: dma: rename dma_ops to dma_map_ops.
      video: efi-gop: remove dependency to x86.

Fabian Pflug (1):
      ARM: k3: fix wrong reference to help

Ivaylo Ivanov (3):
      video: simplefb-client: switch to dev_get_resource
      ARM: boards: add support for Samsung Galaxy S8 (dreamlte)
      ARM: boards: add support for Samsung Galaxy S20 5G (x1s)

Jonas Rebmann (3):
      ARM: i.MX8M: protonic-imx8m: enable deep probe
      ARM: boards: Add support for PRT8ML
      ci: container: install crcmod and cryptography

Lucas Sinn (1):
      ARM: rockchip: add support for Radxa ROCK 5T

Matthias Zoechmann (3):
      scripts: imx: fix string in further auth block
      scripts: imx-image: support DCD_WRITE on closed dev
      mach-imx: Kconfig: add option for image with dcd auth block

Michael Grzeschik (1):
      clk: clk_set_parent: skip any operation if current and new parents are equal

Michael Tretter (2):
      ARM: rockchip: select bbu default target using bootsource
      ARM: rockchip: cleanup iram handling

Philipp Zabel (1):
      ARM: i.MX6: configure AIPS registers only if trusted

Sascha Hauer (39):
      dts: update to v6.17-rc4
      mci: am654-sdhci: Wait for transfer complete interrupt with MMC_RSP_BUSY cmd
      mci: sdhci: am654: Use sdhci_wait_idle()
      ARM: i.MX8M: initialize SNVS
      nvmem: snvs_lpgpr: Add i.MX7/8 support
      nvmem: snvs_lpgpr: set nvmem config name to snvs
      ARM: defconfigs: enable SNVS driver in i.MX8 configs
      ARM: k3: move am62x specific bits out of common file
      ARM: k3: add FAT environment support
      dts: update to v6.17-rc5
      dts: update to v6.17-rc6
      treewide: drop useless casting to void * in of_device_id
      ARM: dts: k3-am62l: read MAC address from E-Fuse
      crc-itu-t: fix typo in CRC ITU-T polynomial comment
      firmware: handle firmware files being links correctly
      lib: add crc16 support
      nvmem: add support for Atmel sha204(a)
      commands: implement sconfig command
      usbserial: add inline wrappers
      security: usbgadget: add usbgadget security policy
      security: fastboot: add security policy for fastboot oem
      security: shell: add policy for executing the shell
      security: add security policy for loading barebox environment
      security: add filesystem security policies
      security: console: add security policy for console input
      ARM: am62l: Update SCMI clock ids
      Merge branch 'for-next/device-mapper'
      Merge branch 'for-next/dts'
      Merge branch 'for-next/exynos'
      Merge branch 'for-next/imx'
      Merge branch 'for-next/k3'
      Merge branch 'for-next/make-shuffle'
      Merge branch 'for-next/misc'
      Merge branch 'for-next/rockchip'
      Merge branch 'for-next/security-policies'
      ARM: dts: am62lx: fix secondary core startup
      Kbuild: make sure to build fixdep first
      github/ci: build Container on pushes to ci branch only
      Release v2025.10.0

Steffen Trumtrar (1):
      spi: mvebu: move timekeeping out of hot path

Tobias Waldekranz (18):
      string: add strtokv
      vsprintf: Add rasprintf(): the reallocing string printf family
      dm: Add initial device mapper infrastructure
      dm: linear: Add linear target
      MIPS: qemu-malta_defconfig: Use largest possible relocation table
      test: self: dm: Add test of linear target
      commands: dmsetup: Basic command set for dm device management
      dm: Add helper to manage a lower device
      dm: linear: Refactor to make use of the generalized cdev management
      dm: verity: Add transparent integrity checking target
      dm: verity: Add helper to parse superblock information
      commands: veritysetup: Create dm-verity devices
      ci: pytest: Open up testfs to more consumers than the FIT test
      ci: pytest: Enable testfs feature on malta boards
      ci: pytest: Generate test data for dm-verity
      test: pytest: add basic dm-verity test
      ci: pytest: Centralize feature discovery to a separate step
      ci: pytest: Enable device-mapper labgrid tests


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |