public inbox for openembedded-core@lists.openembedded.org
* Re: [OE-core] [PATCH v2] u-boot: upgrade 2026.01 -> 2026.04
  2026-04-08 11:45 Fabio Estevam
@ 2026-04-10 13:43 ` Mathieu Dubois-Briand
  0 siblings, 0 replies; 6+ messages in thread
From: Mathieu Dubois-Briand @ 2026-04-10 13:43 UTC (permalink / raw)
  To: Jon Mason, Ross Burton; +Cc: festevam, openembedded-core

On Wed Apr 8, 2026 at 1:45 PM CEST, Fabio Estevam via lists.openembedded.org wrote:
> Upgrade to U-Boot 2026.04.
>
> Remove the CVE-2026-33243.patch as it is already applied in 2026.04.
>
> Signed-off-by: Fabio Estevam <festevam@gmail.com>
> ---

Hi Jon, Ross,

I just want to let you know some patches in meta-arm will have to be
dropped or refreshed once this upgrade is merged in master:

ERROR: u-boot-1_2026.04-r0 do_patch: QA Issue: Fuzz detected:
Applying patch 0003-vexpress64-Imply-CONFIG_ARM64_CRC32-by-default.patch

https://autobuilder.yoctoproject.org/valkyrie/#/builders/75/builds/3451

Thanks,
Mathieu

-- 
Mathieu Dubois-Briand, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com




* [OE-core] [PATCH] python3-cryptography(-vectors): upgrade 46.0.5 -> 46.0.7
@ 2026-04-22 10:36 Wang Mingyu
  2026-04-22 10:36 ` [OE-core] [PATCH] python3-spdx-python-model: upgrade 0.0.4 -> 0.0.5 Wang Mingyu
  2026-04-22 10:36 ` [OE-core] [PATCH v2] u-boot: upgrade 2026.01 -> 2026.04 Wang Mingyu
  0 siblings, 2 replies; 6+ messages in thread
From: Wang Mingyu @ 2026-04-22 10:36 UTC (permalink / raw)
  To: openembedded-core; +Cc: Wang Mingyu

From: Wang Mingyu <wangmy@fujitsu.com>

Add 0001-bump-uv_build-to-0.11.0.patch to bump uv_build version

0001-bump-uv_build-to-0.10.0-14271.patch
0001-pyproject.toml-bump-uv_build-version-requirement.patch
removed since they're not needed in 46.0.7

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
---
 .../python/python3-cryptography-common.inc    |  2 +-
 .../python/python3-cryptography-vectors.bb    |  6 ++---
 .../0001-bump-uv_build-to-0.10.0-14271.patch  | 27 -------------------
 .../0001-bump-uv_build-to-0.11.0.patch        | 26 ++++++++++++++++++
 ...ml-bump-uv_build-version-requirement.patch | 22 ---------------
 .../python/python3-cryptography.bb            |  2 +-
 6 files changed, 30 insertions(+), 55 deletions(-)
 delete mode 100644 meta/recipes-devtools/python/python3-cryptography-vectors/0001-bump-uv_build-to-0.10.0-14271.patch
 create mode 100644 meta/recipes-devtools/python/python3-cryptography-vectors/0001-bump-uv_build-to-0.11.0.patch
 delete mode 100644 meta/recipes-devtools/python/python3-cryptography-vectors/0001-pyproject.toml-bump-uv_build-version-requirement.patch

diff --git a/meta/recipes-devtools/python/python3-cryptography-common.inc b/meta/recipes-devtools/python/python3-cryptography-common.inc
index 4e4434bd66..0515cf7705 100644
--- a/meta/recipes-devtools/python/python3-cryptography-common.inc
+++ b/meta/recipes-devtools/python/python3-cryptography-common.inc
@@ -3,4 +3,4 @@
 #
 # Additionally AUH will detect that they share this .inc file and
 # perform a lockstep upgrade for both.
-PV = "46.0.5"
+PV = "46.0.7"
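Review bot: The commit message covers only the uv_build patch changes and says nothing about what the `PV` bump from 46.0.5 to 46.0.7 brings in. Since this `.inc` moves python3-cryptography and python3-cryptography-vectors in lockstep, a one-line summary of (or link to) the upstream changelog for the skipped and target releases, including whether either carries security fixes, would let reviewers judge the upgrade without leaving the thread.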
diff --git a/meta/recipes-devtools/python/python3-cryptography-vectors.bb b/meta/recipes-devtools/python/python3-cryptography-vectors.bb
index 800bf1b0e0..0d2b638527 100644
--- a/meta/recipes-devtools/python/python3-cryptography-vectors.bb
+++ b/meta/recipes-devtools/python/python3-cryptography-vectors.bb
@@ -9,10 +9,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8c3617db4fb6fae01f1d253ab91511e4 \
 # NOTE: Make sure to keep this recipe at the same version as python3-cryptography
 #       Upgrade both recipes at the same time
 require python3-cryptography-common.inc
-SRC_URI += "file://0001-pyproject.toml-bump-uv_build-version-requirement.patch \
-            file://0001-bump-uv_build-to-0.10.0-14271.patch \
-"
-SRC_URI[sha256sum] = "ffbccee9455201c01b37c63d65d9f83b362d40c2bed9caac248ebbdfa4e4fc7c"
+SRC_URI += "file://0001-bump-uv_build-to-0.11.0.patch"
+SRC_URI[sha256sum] = "08f3d13846fdd86d4c1138a88c695cee203b3dd3825c784d64a3b06d000cdda1"
 
 PYPI_PACKAGE = "cryptography_vectors"
 
diff --git a/meta/recipes-devtools/python/python3-cryptography-vectors/0001-bump-uv_build-to-0.10.0-14271.patch b/meta/recipes-devtools/python/python3-cryptography-vectors/0001-bump-uv_build-to-0.10.0-14271.patch
deleted file mode 100644
index 9fa4d1cd47..0000000000
--- a/meta/recipes-devtools/python/python3-cryptography-vectors/0001-bump-uv_build-to-0.10.0-14271.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 1f6626557e4766ffa40874984f1e29197ed66eb8 Mon Sep 17 00:00:00 2001
-From: Ridai Govinda Pombo <beholderseye@vivaldi.net>
-Date: Tue, 3 Mar 2026 10:38:12 +0800
-Subject: [PATCH] bump uv_build to 0.10.0 (#14271)
-
-Co-authored-by: Ridai Govinda Pombo <beholders.eye@disroot.org>
-
-Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/14cfa5757461d5c228600fc0104ac0ef08ea15d9]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- pyproject.toml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pyproject.toml b/pyproject.toml
-index f01d2c1..f7af712 100644
---- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -1,5 +1,5 @@
- [build-system]
--requires = ["uv_build>=0.7.19,<0.10.0"]
-+requires = ["uv_build>=0.7.19,<0.11.0"]
- build-backend = "uv_build"
- 
- [project]
--- 
-2.34.1
-
diff --git a/meta/recipes-devtools/python/python3-cryptography-vectors/0001-bump-uv_build-to-0.11.0.patch b/meta/recipes-devtools/python/python3-cryptography-vectors/0001-bump-uv_build-to-0.11.0.patch
new file mode 100644
index 0000000000..05f225de2f
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography-vectors/0001-bump-uv_build-to-0.11.0.patch
@@ -0,0 +1,26 @@
+From b1e8722ccf79ef02ae929df2e7fd7547e8615e68 Mon Sep 17 00:00:00 2001
+From: Wang Mingyu <wangmy@fujitsu.com>
+Date: Wed, 22 Apr 2026 10:09:16 +0000
+Subject: [PATCH] bump uv_build to 0.11.0
+
+Upstream-Status: Backport [https://github.com/pyca/cryptography/pull/14545]
+
+Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
+---
+ pyproject.toml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pyproject.toml b/pyproject.toml
+index eac1a07..6bc8d46 100644
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -1,5 +1,5 @@
+ [build-system]
+-requires = ["uv_build>=0.7.19,<0.9.0"]
++requires = ["uv_build>=0.7.19,<0.12.0"]
+ build-backend = "uv_build"
+ 
+ [project]
+-- 
+2.43.0
+
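Review bot: The subject of the new patch, `bump uv_build to 0.11.0`, does not match its only changed line, which raises the upper bound to `<0.12.0` (`requires = ["uv_build>=0.7.19,<0.12.0"]`); the file name repeats the mismatch, so either the bound or the name should be corrected. Two header points as well: `Upstream-Status: Backport` cites a pull request, whereas the dropped 0.10.0 patch cited the upstream commit, and `From:` names the submitter rather than an upstream author, so it is unclear whether this is a backport of a merged change or a local rewrite. Finally, the context line still reads `<0.9.0`, which suggests the two removed patches are superseded by this one rather than "not needed in 46.0.7"; the commit message could say that directly.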
diff --git a/meta/recipes-devtools/python/python3-cryptography-vectors/0001-pyproject.toml-bump-uv_build-version-requirement.patch b/meta/recipes-devtools/python/python3-cryptography-vectors/0001-pyproject.toml-bump-uv_build-version-requirement.patch
deleted file mode 100644
index 6faaf1051d..0000000000
--- a/meta/recipes-devtools/python/python3-cryptography-vectors/0001-pyproject.toml-bump-uv_build-version-requirement.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 6d4c14a2781fb02903fd4d59f638cf72ee370b8d Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin <alex@linutronix.de>
-Date: Thu, 18 Dec 2025 20:20:13 +0100
-Subject: [PATCH] pyproject.toml: bump uv_build version requirement
-
-Upstream-Status: Backport [partial https://github.com/pyca/cryptography/pull/13617]
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
----
- pyproject.toml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pyproject.toml b/pyproject.toml
-index 2ed12a3..f01d2c1 100644
---- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -1,5 +1,5 @@
- [build-system]
--requires = ["uv_build>=0.7.19,<0.9.0"]
-+requires = ["uv_build>=0.7.19,<0.10.0"]
- build-backend = "uv_build"
- 
- [project]
diff --git a/meta/recipes-devtools/python/python3-cryptography.bb b/meta/recipes-devtools/python/python3-cryptography.bb
index fc5cb50b02..a2a2d3ac0c 100644
--- a/meta/recipes-devtools/python/python3-cryptography.bb
+++ b/meta/recipes-devtools/python/python3-cryptography.bb
@@ -11,7 +11,7 @@ LDSHARED += "-pthread"
 # NOTE: Make sure to keep this recipe at the same version as python3-cryptography-vectors
 #       Upgrade both recipes at the same time
 require python3-cryptography-common.inc
-SRC_URI[sha256sum] = "abace499247268e3757271b2f1e244b36b06f8515cf27c4d49468fc9eb16e93d"
+SRC_URI[sha256sum] = "e4cfd68c5f3e0bfdad0d38e023239b96a2fe84146481852dffbcca442c245aa5"
 
 SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \
             file://check-memfree.py \
-- 
2.43.0




* [OE-core] [PATCH] python3-spdx-python-model: upgrade 0.0.4 -> 0.0.5
  2026-04-22 10:36 [OE-core] [PATCH] python3-cryptography(-vectors): upgrade 46.0.5 -> 46.0.7 Wang Mingyu
@ 2026-04-22 10:36 ` Wang Mingyu
  2026-04-22 10:36 ` [OE-core] [PATCH v2] u-boot: upgrade 2026.01 -> 2026.04 Wang Mingyu
  1 sibling, 0 replies; 6+ messages in thread
From: Wang Mingyu @ 2026-04-22 10:36 UTC (permalink / raw)
  To: openembedded-core; +Cc: Wang Mingyu

From: Wang Mingyu <wangmy@fujitsu.com>

0001-generate-bindings-allow-to-use-local-files.patch
removed since it's included in 0.0.5

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
---
 ...te-bindings-allow-to-use-local-files.patch | 58 -------------------
 ....bb => python3-spdx-python-model_0.0.5.bb} |  3 +-
 2 files changed, 1 insertion(+), 60 deletions(-)
 delete mode 100644 meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
 rename meta/recipes-devtools/python/{python3-spdx-python-model_0.0.4.bb => python3-spdx-python-model_0.0.5.bb} (89%)

diff --git a/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch b/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
deleted file mode 100644
index ec24d7beb3..0000000000
--- a/meta/recipes-devtools/python/python3-spdx-python-model/0001-generate-bindings-allow-to-use-local-files.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 9fb565a0a70c6985fa1efde13cfe7fb4851588ce Mon Sep 17 00:00:00 2001
-From: Benjamin Robin <benjamin.robin@bootlin.com>
-Date: Tue, 24 Feb 2026 10:59:25 +0100
-Subject: [PATCH] generate-bindings: allow to use local files
-
-shacl2code needs to download the following URLs during build time:
- - https://spdx.org/rdf/3.0.1/spdx-model.ttl
- - https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl
- - https://spdx.org/rdf/3.0.1/spdx-context.jsonld
-
-There are a lot of package build tools that do not allow to download
-a file during the build. So provide a way to use local file:
-If the environment variable SHACL2CODE_SPDX_DIR is defined, load
-the SPDX model and SPDX context from the directory specified by this
-environment variable.
-
-Upstream-Status: Submitted [https://github.com/spdx/spdx-python-model/pull/19]
-
-Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
----
- gen/generate-bindings | 22 ++++++++++++++++------
- 1 file changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/gen/generate-bindings b/gen/generate-bindings
-index b963c55a3bc9..bc7041ee3bb9 100755
---- a/gen/generate-bindings
-+++ b/gen/generate-bindings
-@@ -14,12 +14,22 @@ echo "# Import all versions" > __init__.py
- for v in $SPDX_VERSIONS; do
-     MODNAME="v$(echo "$v" | sed 's/[^a-zA-Z0-9_]/_/g')"
-
--    shacl2code generate --input https://spdx.org/rdf/$v/spdx-model.ttl \
--        --input https://spdx.org/rdf/$v/spdx-json-serialize-annotations.ttl \
--        --context https://spdx.org/rdf/$v/spdx-context.jsonld \
--        --license Apache-2.0 \
--        python \
--        -o "$MODNAME.py"
-+    if [ -n "${SHACL2CODE_SPDX_DIR}" ] && [ -d "${SHACL2CODE_SPDX_DIR}/$v" ]
-+    then
-+        shacl2code generate --input "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-model.ttl" \
-+            --input "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-json-serialize-annotations.ttl" \
-+            --context-url "file://${SHACL2CODE_SPDX_DIR}/$v/spdx-context.jsonld" https://spdx.org/rdf/$v/spdx-context.jsonld  \
-+            --license Apache-2.0 \
-+            python \
-+            -o "$MODNAME.py"
-+    else
-+        shacl2code generate --input https://spdx.org/rdf/$v/spdx-model.ttl \
-+            --input https://spdx.org/rdf/$v/spdx-json-serialize-annotations.ttl \
-+            --context https://spdx.org/rdf/$v/spdx-context.jsonld \
-+            --license Apache-2.0 \
-+            python \
-+            -o "$MODNAME.py"
-+    fi
-
-     echo "from . import $MODNAME" >> __init__.py
- done
---
-2.53.0
diff --git a/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb b/meta/recipes-devtools/python/python3-spdx-python-model_0.0.5.bb
similarity index 89%
rename from meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb
rename to meta/recipes-devtools/python/python3-spdx-python-model_0.0.5.bb
index 00c3b3913c..c77bdffada 100644
--- a/meta/recipes-devtools/python/python3-spdx-python-model_0.0.4.bb
+++ b/meta/recipes-devtools/python/python3-spdx-python-model_0.0.5.bb
@@ -5,13 +5,12 @@ LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
 
 PYPI_PACKAGE = "spdx_python_model"
-SRC_URI[sha256sum] = "bdec725398babcbdd4bcb7c16cf23497d06a48d0ef3ea1edb19a3b0d431ab8c1"
+SRC_URI[sha256sum] = "4bcf7c6e5e2e8f0b787ed4eb8fb519e2ed776e820cb6d9eb93e44e98eb92ca2d"
 
 SRC_URI += " \
     https://spdx.org/rdf/3.0.1/spdx-context.jsonld;name=spdx1 \
     https://spdx.org/rdf/3.0.1/spdx-json-serialize-annotations.ttl;name=spdx2 \
     https://spdx.org/rdf/3.0.1/spdx-model.ttl;name=spdx3 \
-    file://0001-generate-bindings-allow-to-use-local-files.patch \
 "
 
 SRC_URI[spdx1.sha256sum] = "c72b0928f094c83e5c127784edb1ebca2af74a104fcacc007c332b23cbc788bd"
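Review bot: The recipe keeps the three spdx.org files in `SRC_URI` while dropping the patch that made `gen/generate-bindings` read them from `SHACL2CODE_SPDX_DIR`, and that patch was marked `Upstream-Status: Submitted`, not merged. The commit message says it is included in 0.0.5; please confirm that the released script honours the same environment variable and the `$SHACL2CODE_SPDX_DIR/$v/` layout, because otherwise shacl2code would download the model from spdx.org during the build instead of using the copies fetched through `SRC_URI` and pinned by `SRC_URI[spdx1.sha256sum]` and its siblings. Citing the upstream merge commit in the commit message would settle it.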
-- 
2.43.0




* [OE-core] [PATCH v2] u-boot: upgrade 2026.01 -> 2026.04
  2026-04-22 10:36 [OE-core] [PATCH] python3-cryptography(-vectors): upgrade 46.0.5 -> 46.0.7 Wang Mingyu
  2026-04-22 10:36 ` [OE-core] [PATCH] python3-spdx-python-model: upgrade 0.0.4 -> 0.0.5 Wang Mingyu
@ 2026-04-22 10:36 ` Wang Mingyu
  2026-04-22 11:07   ` Fabio Estevam
  1 sibling, 1 reply; 6+ messages in thread
From: Wang Mingyu @ 2026-04-22 10:36 UTC (permalink / raw)
  To: openembedded-core; +Cc: Wang Mingyu

From: Wang Mingyu <wangmy@fujitsu.com>

CVE-2026-33243.patch
removed since it's included in 2026.04

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
---
 .../u-boot/files/CVE-2026-33243.patch         | 374 ------------------
 meta/recipes-bsp/u-boot/u-boot-common.inc     |   2 +-
 ...ols_2026.01.bb => u-boot-tools_2026.04.bb} |   0
 .../{u-boot_2026.01.bb => u-boot_2026.04.bb}  |   2 -
 4 files changed, 1 insertion(+), 377 deletions(-)
 delete mode 100644 meta/recipes-bsp/u-boot/files/CVE-2026-33243.patch
 rename meta/recipes-bsp/u-boot/{u-boot-tools_2026.01.bb => u-boot-tools_2026.04.bb} (100%)
 rename meta/recipes-bsp/u-boot/{u-boot_2026.01.bb => u-boot_2026.04.bb} (95%)

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2026-33243.patch b/meta/recipes-bsp/u-boot/files/CVE-2026-33243.patch
deleted file mode 100644
index c7086e183f..0000000000
--- a/meta/recipes-bsp/u-boot/files/CVE-2026-33243.patch
+++ /dev/null
@@ -1,374 +0,0 @@
-From 1e0e1520761a62488d10b486f6e5df0ccb82a74a Mon Sep 17 00:00:00 2001
-From: Simon Glass <simon.glass@canonical.com>
-Date: Thu, 5 Mar 2026 18:20:09 -0700
-Subject: [PATCH] boot: Add fit_config_get_hash_list() to build signed node
- list
-
-The hashed-nodes property in a FIT signature node lists which FDT paths
-are included in the signature hash. It is intended as a hint so should
-not be used for verification.
-
-Add a function to build the node list from scratch by iterating the
-configuration's image references. Skip properties known not to be image
-references. For each image, collect the path plus all hash and cipher
-subnodes.
-
-Use the new function in fit_config_check_sig() instead of reading
-'hashed-nodes'.
-
-Update the test_vboot kernel@ test case: fit_check_sign now catches the
-attack at signature-verification time (the @-suffixed node is hashed
-instead of the real one, causing a mismatch) rather than at
-fit_check_format() time.
-
-Update the docs to cover this. The FIT spec can be updated separately.
-
-Signed-off-by: Simon Glass <simon.glass@canonical.com>
-Closes: https://lore.kernel.org/u-boot/20260302220937.3682128-1-trini@konsulko.com/
-Reported-by: Apple Security Engineering and Architecture (SEAR)
-Tested-by: Tom Rini <trini@konsulko.com>
-
-[YB: Removed a skippable condition in fit_config_get_hash_list.
-	This flag is not available in this version]
-CVE: CVE-2026-33243
-Upstream-Status: Backport [https://github.com/u-boot/u-boot/commit/2092322b31cc8b1f8c9e2e238d1043ae0637b241]
-Signed-off-by: Yanis Binard <yanis.binard@smile.fr>
----
- boot/image-fit-sig.c        | 226 +++++++++++++++++++++++++++++-------
- doc/usage/fit/signature.rst |  19 ++-
- test/py/tests/test_vboot.py |   8 +-
- 3 files changed, 200 insertions(+), 53 deletions(-)
-
-diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
-index f23e9d5d0b0..d13df7d6153 100644
---- a/boot/image-fit-sig.c
-+++ b/boot/image-fit-sig.c
-@@ -18,6 +18,7 @@ DECLARE_GLOBAL_DATA_PTR;
- #include <u-boot/hash-checksum.h>
- 
- #define IMAGE_MAX_HASHED_NODES		100
-+#define FIT_MAX_HASH_PATH_BUF		4096
- 
- /**
-  * fit_region_make_list() - Make a list of image regions
-@@ -229,6 +230,178 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
- 	return 0;
- }
- 
-+/**
-+ * fit_config_add_hash() - Add hash nodes for one image to the node list
-+ *
-+ * Adds the image path, all its hash-* subnode paths, and its cipher
-+ * subnode path (if present) to the packed buffer.
-+ *
-+ * @fit:		FIT blob
-+ * @image_noffset:	Image node offset (e.g. /images/kernel-1)
-+ * @node_inc:		Array of path pointers to fill
-+ * @count:		Pointer to current count (updated on return)
-+ * @max_nodes:		Maximum entries in @node_inc
-+ * @buf:		Buffer for packed path strings
-+ * @buf_used:		Pointer to bytes used in @buf (updated on return)
-+ * @buf_len:		Total size of @buf
-+ * Return: 0 on success, -ve on error
-+ */
-+static int fit_config_add_hash(const void *fit, int image_noffset,
-+			       char **node_inc, int *count, int max_nodes,
-+			       char *buf, int *buf_used, int buf_len)
-+{
-+	int noffset, hash_count, ret, len;
-+
-+	if (*count >= max_nodes)
-+		return -ENOSPC;
-+
-+	ret = fdt_get_path(fit, image_noffset, buf + *buf_used,
-+			   buf_len - *buf_used);
-+	if (ret < 0)
-+		return -ENOENT;
-+	len = strlen(buf + *buf_used) + 1;
-+	node_inc[(*count)++] = buf + *buf_used;
-+	*buf_used += len;
-+
-+	/* Add all this image's hash subnodes */
-+	hash_count = 0;
-+	for (noffset = fdt_first_subnode(fit, image_noffset);
-+	     noffset >= 0;
-+	     noffset = fdt_next_subnode(fit, noffset)) {
-+		const char *name = fit_get_name(fit, noffset, NULL);
-+
-+		if (strncmp(name, FIT_HASH_NODENAME,
-+			    strlen(FIT_HASH_NODENAME)))
-+			continue;
-+		if (*count >= max_nodes)
-+			return -ENOSPC;
-+		ret = fdt_get_path(fit, noffset, buf + *buf_used,
-+				   buf_len - *buf_used);
-+		if (ret < 0)
-+			return -ENOENT;
-+		len = strlen(buf + *buf_used) + 1;
-+		node_inc[(*count)++] = buf + *buf_used;
-+		*buf_used += len;
-+		hash_count++;
-+	}
-+
-+	if (!hash_count) {
-+		printf("No hash nodes in image '%s'\n",
-+		       fdt_get_name(fit, image_noffset, NULL));
-+		return -ENOMSG;
-+	}
-+
-+	/* Add this image's cipher node if present */
-+	noffset = fdt_subnode_offset(fit, image_noffset, FIT_CIPHER_NODENAME);
-+	if (noffset != -FDT_ERR_NOTFOUND) {
-+		if (noffset < 0)
-+			return -EIO;
-+		if (*count >= max_nodes)
-+			return -ENOSPC;
-+		ret = fdt_get_path(fit, noffset, buf + *buf_used,
-+				   buf_len - *buf_used);
-+		if (ret < 0)
-+			return -ENOENT;
-+		len = strlen(buf + *buf_used) + 1;
-+		node_inc[(*count)++] = buf + *buf_used;
-+		*buf_used += len;
-+	}
-+
-+	return 0;
-+}
-+
-+/**
-+ * fit_config_get_hash_list() - Build the list of nodes to hash
-+ *
-+ * Works through every image referenced by the configuration and collects the
-+ * node paths: root + config + all referenced images with their hash and
-+ * cipher subnodes.
-+ *
-+ * Properties known not to be image references (description, compatible,
-+ * default, load-only) are skipped, so any new image type is covered by default.
-+ *
-+ * @fit:	FIT blob
-+ * @conf_noffset: Configuration node offset
-+ * @node_inc:	Array to fill with path string pointers
-+ * @max_nodes:	Size of @node_inc array
-+ * @buf:	Buffer for packed null-terminated path strings
-+ * @buf_len:	Size of @buf
-+ * Return: number of entries in @node_inc, or -ve on error
-+ */
-+static int fit_config_get_hash_list(const void *fit, int conf_noffset,
-+				    char **node_inc, int max_nodes,
-+				    char *buf, int buf_len)
-+{
-+	const char *conf_name;
-+	int image_count;
-+	int prop_offset;
-+	int used = 0;
-+	int count = 0;
-+	int ret, len;
-+
-+	conf_name = fit_get_name(fit, conf_noffset, NULL);
-+
-+	/* Always include the root node and the configuration node */
-+	if (max_nodes < 2)
-+		return -ENOSPC;
-+
-+	len = 2;  /* "/" + nul */
-+	if (len > buf_len)
-+		return -ENOSPC;
-+	strcpy(buf, "/");
-+	node_inc[count++] = buf;
-+	used += len;
-+
-+	len = snprintf(buf + used, buf_len - used, "%s/%s", FIT_CONFS_PATH,
-+		       conf_name) + 1;
-+	if (used + len > buf_len)
-+		return -ENOSPC;
-+	node_inc[count++] = buf + used;
-+	used += len;
-+
-+	/* Process each image referenced by the config */
-+	image_count = 0;
-+	fdt_for_each_property_offset(prop_offset, fit, conf_noffset) {
-+		const char *prop_name;
-+		int img_count, i;
-+
-+		fdt_getprop_by_offset(fit, prop_offset, &prop_name, NULL);
-+		if (!prop_name)
-+			continue;
-+
-+		/* Skip properties that are not image references */
-+		if (!strcmp(prop_name, FIT_DESC_PROP) ||
-+		    !strcmp(prop_name, FIT_DEFAULT_PROP))
-+			continue;
-+
-+		img_count = fdt_stringlist_count(fit, conf_noffset, prop_name);
-+		for (i = 0; i < img_count; i++) {
-+			int noffset;
-+
-+			noffset = fit_conf_get_prop_node_index(fit,
-+							       conf_noffset,
-+							       prop_name, i);
-+			if (noffset < 0)
-+				continue;
-+
-+			ret = fit_config_add_hash(fit, noffset, node_inc,
-+						  &count, max_nodes, buf, &used,
-+						  buf_len);
-+			if (ret < 0)
-+				return ret;
-+
-+			image_count++;
-+		}
-+	}
-+
-+	if (!image_count) {
-+		printf("No images in config '%s'\n", conf_name);
-+		return -ENOMSG;
-+	}
-+
-+	return count;
-+}
-+
- /**
-  * fit_config_check_sig() - Check the signature of a config
-  *
-@@ -269,20 +442,16 @@ static int fit_config_check_sig(const void *fit, int noffset, int conf_noffset,
- 		FIT_DATA_POSITION_PROP,
- 		FIT_DATA_OFFSET_PROP,
- 	};
--
--	const char *prop, *end, *name;
-+	char *node_inc[IMAGE_MAX_HASHED_NODES];
-+	char hash_buf[FIT_MAX_HASH_PATH_BUF];
- 	struct image_sign_info info;
- 	const uint32_t *strings;
--	const char *config_name;
- 	uint8_t *fit_value;
- 	int fit_value_len;
--	bool found_config;
- 	int max_regions;
--	int i, prop_len;
- 	char path[200];
- 	int count;
- 
--	config_name = fit_get_name(fit, conf_noffset, NULL);
- 	debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, key_blob,
- 	      fit_get_name(fit, noffset, NULL),
- 	      fit_get_name(key_blob, required_keynode, NULL));
-@@ -297,45 +466,12 @@ static int fit_config_check_sig(const void *fit, int noffset, int conf_noffset,
- 		return -1;
- 	}
- 
--	/* Count the number of strings in the property */
--	prop = fdt_getprop(fit, noffset, "hashed-nodes", &prop_len);
--	end = prop ? prop + prop_len : prop;
--	for (name = prop, count = 0; name < end; name++)
--		if (!*name)
--			count++;
--	if (!count) {
--		*err_msgp = "Can't get hashed-nodes property";
--		return -1;
--	}
--
--	if (prop && prop_len > 0 && prop[prop_len - 1] != '\0') {
--		*err_msgp = "hashed-nodes property must be null-terminated";
--		return -1;
--	}
--
--	/* Add a sanity check here since we are using the stack */
--	if (count > IMAGE_MAX_HASHED_NODES) {
--		*err_msgp = "Number of hashed nodes exceeds maximum";
--		return -1;
--	}
--
--	/* Create a list of node names from those strings */
--	char *node_inc[count];
--
--	debug("Hash nodes (%d):\n", count);
--	found_config = false;
--	for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
--		debug("   '%s'\n", name);
--		node_inc[i] = (char *)name;
--		if (!strncmp(FIT_CONFS_PATH, name, strlen(FIT_CONFS_PATH)) &&
--		    name[sizeof(FIT_CONFS_PATH) - 1] == '/' &&
--		    !strcmp(name + sizeof(FIT_CONFS_PATH), config_name)) {
--			debug("      (found config node %s)", config_name);
--			found_config = true;
--		}
--	}
--	if (!found_config) {
--		*err_msgp = "Selected config not in hashed nodes";
-+	/* Build the node list from the config, ignoring hashed-nodes */
-+	count = fit_config_get_hash_list(fit, conf_noffset,
-+					 node_inc, IMAGE_MAX_HASHED_NODES,
-+					 hash_buf, sizeof(hash_buf));
-+	if (count < 0) {
-+		*err_msgp = "Failed to build hash node list";
- 		return -1;
- 	}
- 
-diff --git a/doc/usage/fit/signature.rst b/doc/usage/fit/signature.rst
-index e5b5a8432e9..da08cc75c3a 100644
---- a/doc/usage/fit/signature.rst
-+++ b/doc/usage/fit/signature.rst
-@@ -353,20 +353,27 @@ meantime.
- Details
- -------
- The signature node contains a property ('hashed-nodes') which lists all the
--nodes that the signature was made over.  The image is walked in order and each
--tag processed as follows:
-+nodes that the signature was made over.  The signer (mkimage) writes this
-+property as a record of what was included in the hash.  During verification,
-+however, U-Boot does not read 'hashed-nodes'. Instead it rebuilds the node
-+list from the configuration's own image references (kernel, fdt, ramdisk,
-+etc.), since 'hashed-nodes' is not itself covered by the signature. The
-+rebuilt list always includes the root node, the configuration node, each
-+referenced image node and its hash/cipher subnodes.
-+
-+The image is walked in order and each tag processed as follows:
- 
- DTB_BEGIN_NODE
-     The tag and the following name are included in the signature
--    if the node or its parent are present in 'hashed-nodes'
-+    if the node or its parent are present in the node list
- 
- DTB_END_NODE
-     The tag is included in the signature if the node or its parent
--    are present in 'hashed-nodes'
-+    are present in the node list
- 
- DTB_PROPERTY
-     The tag, the length word, the offset in the string table, and
--    the data are all included if the current node is present in 'hashed-nodes'
-+    the data are all included if the current node is present in the node list
-     and the property name is not 'data'.
- 
- DTB_END
-@@ -374,7 +381,7 @@ DTB_END
- 
- DTB_NOP
-     The tag is included in the signature if the current node is present
--    in 'hashed-nodes'
-+    in the node list
- 
- In addition, the signature contains a property 'hashed-strings' which contains
- the offset and length in the string table of the strings that are to be
-diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
-index 7a7f9c379de..19f3f981379 100644
---- a/test/py/tests/test_vboot.py
-+++ b/test/py/tests/test_vboot.py
-@@ -362,10 +362,14 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required,
-             shutil.copyfile(fit, efit)
-             vboot_evil.add_evil_node(fit, efit, evil_kernel, 'kernel@')
- 
--            msg = 'Signature checking prevents use of unit addresses (@) in nodes'
-+            # fit_check_sign catches this via signature mismatch (the @
-+            # node is hashed instead of the real one)
-             utils.run_and_log_expect_exception(
-                 ubman, [fit_check_sign, '-f', efit, '-k', dtb],
--                1, msg)
-+                1, 'Failed to verify required signature')
-+
-+            # bootm catches it earlier, at fit_check_format() time
-+            msg = 'Signature checking prevents use of unit addresses (@) in nodes'
-             run_bootm(sha_algo, 'evil kernel@', msg, False, efit)
- 
-         # Create a new properly signed fit and replace header bytes
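Review bot: The dropped file was not a verbatim backport: its header records a local change (`[YB: Removed a skippable condition in fit_config_get_hash_list. This flag is not available in this version]`), so 2026.04 will carry the upstream form of the fix rather than this one. The commit message should name the upstream commit from the `Upstream-Status` line (2092322b31cc8b1f8c9e2e238d1043ae0637b241) and state that it is contained in v2026.04, since the bare statement that the patch is included cannot be checked from the diff.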
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 5e2ec08c30..574768b9f8 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -12,7 +12,7 @@ PE = "1"
 
 # We use the revision in order to avoid having to fetch it from the
 # repo during parse
-SRCREV = "127a42c7257a6ffbbd1575ed1cbaa8f5408a44b3"
+SRCREV = "88dc2788777babfd6322fa655df549a019aa1e69"
 
 SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master;tag=v${PV}"
 
diff --git a/meta/recipes-bsp/u-boot/u-boot-tools_2026.01.bb b/meta/recipes-bsp/u-boot/u-boot-tools_2026.04.bb
similarity index 100%
rename from meta/recipes-bsp/u-boot/u-boot-tools_2026.01.bb
rename to meta/recipes-bsp/u-boot/u-boot-tools_2026.04.bb
diff --git a/meta/recipes-bsp/u-boot/u-boot_2026.01.bb b/meta/recipes-bsp/u-boot/u-boot_2026.04.bb
similarity index 95%
rename from meta/recipes-bsp/u-boot/u-boot_2026.01.bb
rename to meta/recipes-bsp/u-boot/u-boot_2026.04.bb
index ac1b0b9b2b..5259fd5832 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2026.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2026.04.bb
@@ -3,8 +3,6 @@ require u-boot.inc
 
 DEPENDS += "bc-native dtc-native gnutls-native python3-pyelftools-native"
 
-SRC_URI += "file://CVE-2026-33243.patch"
-
 # workarounds for aarch64 kvm qemu boot regressions
 SRC_URI:append:qemuarm64 = " file://disable-CONFIG_BLOBLIST.cfg"
 SRC_URI:append:genericarm64 = " file://disable-CONFIG_BLOBLIST.cfg"
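Review bot: Removing `SRC_URI += "file://CVE-2026-33243.patch"` also removes the `CVE: CVE-2026-33243` tag that marked the issue as patched in this recipe, so CVE reporting for u-boot now depends on version matching alone. Please confirm that cve-check reports CVE-2026-33243 as fixed for 2026.04, and add a `CVE_STATUS[CVE-2026-33243]` entry with a short justification if the upstream record does not yet list the fixed version.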
-- 
2.43.0




* Re: [OE-core] [PATCH v2] u-boot: upgrade 2026.01 -> 2026.04
  2026-04-22 10:36 ` [OE-core] [PATCH v2] u-boot: upgrade 2026.01 -> 2026.04 Wang Mingyu
@ 2026-04-22 11:07   ` Fabio Estevam
  2026-04-22 11:53     ` Paul Barker
  0 siblings, 1 reply; 6+ messages in thread
From: Fabio Estevam @ 2026-04-22 11:07 UTC (permalink / raw)
  To: wangmy, Mathieu Dubois-Briand, Richard Purdie; +Cc: openembedded-core

On Wed, Apr 22, 2026 at 7:36 AM wangmy via lists.openembedded.org
<wangmy=fujitsu.com@lists.openembedded.org> wrote:
>
> From: Wang Mingyu <wangmy@fujitsu.com>
>
> CVE-2026-33243.patch
> removed since it's included in 2026.04
>
> Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>

I submitted the U-Boot upgrade on April 8th:

https://lists.openembedded.org/g/openembedded-core/message/234837

Not sure why it was not applied yet.



* Re: [OE-core] [PATCH v2] u-boot: upgrade 2026.01 -> 2026.04
  2026-04-22 11:07   ` Fabio Estevam
@ 2026-04-22 11:53     ` Paul Barker
  0 siblings, 0 replies; 6+ messages in thread
From: Paul Barker @ 2026-04-22 11:53 UTC (permalink / raw)
  To: festevam, wangmy, Mathieu Dubois-Briand, Richard Purdie; +Cc: openembedded-core


On Wed, 2026-04-22 at 08:07 -0300, Fabio Estevam via
lists.openembedded.org wrote:
> On Wed, Apr 22, 2026 at 7:36 AM wangmy via lists.openembedded.org
> <wangmy=fujitsu.com@lists.openembedded.org> wrote:
> > 
> > From: Wang Mingyu <wangmy@fujitsu.com>
> > 
> > CVE-2026-33243.patch
> > removed since it's included in 2026.04
> > 
> > Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
> 
> I submitted the U-Boot upgrade on April 8th:
> 
> https://lists.openembedded.org/g/openembedded-core/message/234837
> 
> Not sure why it was not applied yet.

Hi Fabio,

We are currently in feature freeze for the upcoming 6.0 release. We will
resume applying upgrades after 6.0.

Best regards,

-- 
Paul Barker

