[OE-core][whinlatter][PATCH] barebox/barebox-tools: upgrade 2025.09.0 -> 2025.09.3

[OE-core][whinlatter][PATCH] barebox/barebox-tools: upgrade 2025.09.0 -> 2025.09.3

[ankur.tyagi85]

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

2025.09.3
---------
Fixed FIT image vulnerability
https://lore.barebox.org/barebox/abljJRMecNdejSD0@pengutronix.de/

Changelog:
https://github.com/barebox/barebox/compare/v2025.09.2...v2025.09.3

2025.09.2
---------
Changelog:
https://github.com/barebox/barebox/compare/v2025.09.1...v2025.09.2

2025.09.1
---------
This stable release is specifically targeted at whinlatter which is
currently at v2025.09.0
https://lore.barebox.org/barebox/aUkaSKDePHF8__LB@pengutronix.de/

Changelog:
https://github.com/barebox/barebox/compare/v2025.09.0...v2025.09.1

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 meta/recipes-bsp/barebox/barebox-common.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-bsp/barebox/barebox-common.inc b/meta/recipes-bsp/barebox/barebox-common.inc
index e41d0858fd..91865b4d44 100644
--- a/meta/recipes-bsp/barebox/barebox-common.inc
+++ b/meta/recipes-bsp/barebox/barebox-common.inc
@@ -3,6 +3,6 @@ SECTION = "bootloaders"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=f5125d13e000b9ca1f0d3364286c4192"
 
-PV = "2025.09.0"
+PV = "2025.09.3"
 SRC_URI = "https://barebox.org/download/barebox-${PV}.tar.bz2"
-SRC_URI[sha256sum] = "7df1aa47bb7bf1763a729137ac773e69a4052812af094475d739fc63a9295f0d"
+SRC_URI[sha256sum] = "e87eb863cbe45e4f5af8930825c8f6e20c02b82451e9e1125ea1c73c1fb49a87"

Re: [OE-core][whinlatter][PATCH] barebox/barebox-tools: upgrade 2025.09.0 -> 2025.09.3

[Yoann Congal]

On Wed Apr 8, 2026 at 2:09 AM CEST, Ankur Tyagi via lists.openembedded.org wrote:
> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
>
> 2025.09.3
> ---------
> Fixed FIT image vulnerability
> https://lore.barebox.org/barebox/abljJRMecNdejSD0@pengutronix.de/
>
> Changelog:
> https://github.com/barebox/barebox/compare/v2025.09.2...v2025.09.3
>
> 2025.09.2
> ---------
> Changelog:
> https://github.com/barebox/barebox/compare/v2025.09.1...v2025.09.2
>
> 2025.09.1
> ---------
> This stable release is specifically targeted at whinlatter which is
> currently at v2025.09.0
> https://lore.barebox.org/barebox/aUkaSKDePHF8__LB@pengutronix.de/
>
> Changelog:
> https://github.com/barebox/barebox/compare/v2025.09.0...v2025.09.1
>
> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>

I'm a bit torn on this one. Because on one hand, this looks like a
proper stable branch (and I appreciate the effort), but on the other
hand, there are changes that I find too risky:
For example:
* API Change: https://github.com/barebox/barebox/commit/5e9f709b2b56bd9689e174572ef2af59b9fed5d2
* New feature: https://github.com/barebox/barebox/compare/v2025.09.0...v2025.09.3#diff-2dd6d3e4c91931c982f091155a47dd8d03e26731f8d59b112e938508fe12255aR1

Thoughts?

In the meantime, I will keep it in my branch for awareness.

> ---
>  meta/recipes-bsp/barebox/barebox-common.inc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/meta/recipes-bsp/barebox/barebox-common.inc b/meta/recipes-bsp/barebox/barebox-common.inc
> index e41d0858fd..91865b4d44 100644
> --- a/meta/recipes-bsp/barebox/barebox-common.inc
> +++ b/meta/recipes-bsp/barebox/barebox-common.inc
> @@ -3,6 +3,6 @@ SECTION = "bootloaders"
>  
>  LIC_FILES_CHKSUM = "file://COPYING;md5=f5125d13e000b9ca1f0d3364286c4192"
>  
> -PV = "2025.09.0"
> +PV = "2025.09.3"
>  SRC_URI = "https://barebox.org/download/barebox-${PV}.tar.bz2"
> -SRC_URI[sha256sum] = "7df1aa47bb7bf1763a729137ac773e69a4052812af094475d739fc63a9295f0d"
> +SRC_URI[sha256sum] = "e87eb863cbe45e4f5af8930825c8f6e20c02b82451e9e1125ea1c73c1fb49a87"


-- 
Yoann Congal
Smile ECS

Re: [OE-core][whinlatter][PATCH] barebox/barebox-tools: upgrade 2025.09.0 -> 2025.09.3

[Ahmad Fatoum]

Hello Yoann!

On 4/15/26 11:05 PM, Yoann Congal via lists.openembedded.org wrote:
> On Wed Apr 8, 2026 at 2:09 AM CEST, Ankur Tyagi via lists.openembedded.org wrote:
>> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
>>
>> 2025.09.3
>> ---------
>> Fixed FIT image vulnerability
>> https://lore.barebox.org/barebox/abljJRMecNdejSD0@pengutronix.de/
>>
>> Changelog:
>> https://github.com/barebox/barebox/compare/v2025.09.2...v2025.09.3
>>
>> 2025.09.2
>> ---------
>> Changelog:
>> https://github.com/barebox/barebox/compare/v2025.09.1...v2025.09.2
>>
>> 2025.09.1
>> ---------
>> This stable release is specifically targeted at whinlatter which is
>> currently at v2025.09.0
>> https://lore.barebox.org/barebox/aUkaSKDePHF8__LB@pengutronix.de/
>>
>> Changelog:
>> https://github.com/barebox/barebox/compare/v2025.09.0...v2025.09.1
>>
>> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> 
> I'm a bit torn on this one. Because on one hand, this looks like a
> proper stable branch (and I appreciate the effort),

I had prepared the v2025.09.y releases, so we (barebox) can hone a
workflow to be able to support the release that makes it into Wrynose
for a longer time than the usual 1 month it takes between the monthly
releases of barebox.

> but on the other
> hand, there are changes that I find too risky:
> For example:
> * API Change: https://github.com/barebox/barebox/commit/5e9f709b2b56bd9689e174572ef2af59b9fed5d2

barebox is a bare metal bootloader. Its API surface is:

- the data formats it parses
- the data it passes along, e.g. fixed up device trees
- the boot/runtime services it provides to an OS (UEFI/PSCI/TEE-supplicant).

The change to bootm_set_overrides is not a change that affects
user-visible API for any of that; it is completely internal to barebox.
Revisiting it, I still think it was appropriate to backport it.

> * New feature: https://github.com/barebox/barebox/compare/v2025.09.0...v2025.09.3#diff-2dd6d3e4c91931c982f091155a47dd8d03e26731f8d59b112e938508fe12255aR1

Which features do you see there?

I read through the 50 commit titles on the first page and nearly all of
them are fixes. The very few that aren't direct fixes are relatively
benign preparatory commits followed by a fix and they were then
backported together.

> Thoughts?

For the record, v2026.09.3 and v2026.03.1 were released together and
that's the number of commits they have compared to v2025.09.0:

$ git log v2025.09.0..v2025.09.3 --oneline | wc -l
111

$ git log v2025.09.0..v2026.03.1 --oneline | wc -l
1023

So roughly 10% of commits to master since v2025.09.0 were hand selected
to be backported as fixes. FWIW, I got curious and compared v6.19.12 to
v7.0 and there it's 21%, so there's still some untapped potential (for
squashing bugs!).

> In the meantime, I will keep it in my branch for awareness.

I appreciate that the stable branch was picked up, so many thanks for that!

Cheers,
Ahmad

> 
>> ---
>>  meta/recipes-bsp/barebox/barebox-common.inc | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/meta/recipes-bsp/barebox/barebox-common.inc b/meta/recipes-bsp/barebox/barebox-common.inc
>> index e41d0858fd..91865b4d44 100644
>> --- a/meta/recipes-bsp/barebox/barebox-common.inc
>> +++ b/meta/recipes-bsp/barebox/barebox-common.inc
>> @@ -3,6 +3,6 @@ SECTION = "bootloaders"
>>  
>>  LIC_FILES_CHKSUM = "file://COPYING;md5=f5125d13e000b9ca1f0d3364286c4192"
>>  
>> -PV = "2025.09.0"
>> +PV = "2025.09.3"
>>  SRC_URI = "https://barebox.org/download/barebox-${PV}.tar.bz2"
>> -SRC_URI[sha256sum] = "7df1aa47bb7bf1763a729137ac773e69a4052812af094475d739fc63a9295f0d"
>> +SRC_URI[sha256sum] = "e87eb863cbe45e4f5af8930825c8f6e20c02b82451e9e1125ea1c73c1fb49a87"
> 
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#235329): https://lists.openembedded.org/g/openembedded-core/message/235329
> Mute This Topic: https://lists.openembedded.org/mt/118717996/4830399
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [a.fatoum@pengutronix.de]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |

Re: [OE-core][whinlatter][PATCH] barebox/barebox-tools: upgrade 2025.09.0 -> 2025.09.3

[Yoann Congal]

On Thu Apr 16, 2026 at 1:34 PM CEST, Ahmad Fatoum wrote:
> Hello Yoann!
>
> On 4/15/26 11:05 PM, Yoann Congal via lists.openembedded.org wrote:
>> On Wed Apr 8, 2026 at 2:09 AM CEST, Ankur Tyagi via lists.openembedded.org wrote:
>>> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
>>>
>>> 2025.09.3
>>> ---------
>>> Fixed FIT image vulnerability
>>> https://lore.barebox.org/barebox/abljJRMecNdejSD0@pengutronix.de/
>>>
>>> Changelog:
>>> https://github.com/barebox/barebox/compare/v2025.09.2...v2025.09.3
>>>
>>> 2025.09.2
>>> ---------
>>> Changelog:
>>> https://github.com/barebox/barebox/compare/v2025.09.1...v2025.09.2
>>>
>>> 2025.09.1
>>> ---------
>>> This stable release is specifically targeted at whinlatter which is
>>> currently at v2025.09.0
>>> https://lore.barebox.org/barebox/aUkaSKDePHF8__LB@pengutronix.de/
>>>
>>> Changelog:
>>> https://github.com/barebox/barebox/compare/v2025.09.0...v2025.09.1
>>>
>>> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
>> 
>> I'm a bit torn on this one. Because on one hand, this looks like a
>> proper stable branch (and I appreciate the effort),
>
> I had prepared the v2025.09.y releases, so we (barebox) can hone a
> workflow to be able to support the release that makes it into Wrynose
> for a longer time than the usual 1 month it takes between the monthly
> releases of barebox.
>
>> but on the other
>> hand, there are changes that I find too risky:
>> For example:
>> * API Change: https://github.com/barebox/barebox/commit/5e9f709b2b56bd9689e174572ef2af59b9fed5d2
>
> barebox is a bare metal bootloader. Its API surface is:
>
> - the data formats it parses
> - the data it passes along, e.g. fixed up device trees
> - the boot/runtime services it provides to an OS (UEFI/PSCI/TEE-supplicant).
>
> The change to bootm_set_overrides is not a change that affects
> user-visible API for any of that; it is completely internal to barebox.
> Revisiting it, I still think it was appropriate to backport it.

I kind of agreeing with you I just remember my BSP dev days where this
is the kind of function I would call for my custom boot flow (But in
this case, fix looks easy enough)

>
>> * New feature: https://github.com/barebox/barebox/compare/v2025.09.0...v2025.09.3#diff-2dd6d3e4c91931c982f091155a47dd8d03e26731f8d59b112e938508fe12255aR1
>
> Which features do you see there?

Sorry the URL is not as direct as I thought.
This should link to the new "scripts/imx/pread.c" file.
Also, looks like imx-image gained a new option :
"-a authenticate additionaly the DCD block..."
But those look like dependencies of a bugfix.

> I read through the 50 commit titles on the first page and nearly all of
> them are fixes. The very few that aren't direct fixes are relatively
> benign preparatory commits followed by a fix and they were then
> backported together.
>
>> Thoughts?
>
> For the record, v2026.09.3 and v2026.03.1 were released together and
> that's the number of commits they have compared to v2025.09.0:
>
> $ git log v2025.09.0..v2025.09.3 --oneline | wc -l
> 111
>
> $ git log v2025.09.0..v2026.03.1 --oneline | wc -l
> 1023
>
> So roughly 10% of commits to master since v2025.09.0 were hand selected
> to be backported as fixes. FWIW, I got curious and compared v6.19.12 to
> v7.0 and there it's 21%, so there's still some untapped potential (for
> squashing bugs!).
>
>> In the meantime, I will keep it in my branch for awareness.
>
> I appreciate that the stable branch was picked up, so many thanks for that!

Globally, I lean towards taking the upgrade. We will see if there are
other point of views.

And by the way, thank you for creating and maintaining a stable branch
:)

>
> Cheers,
> Ahmad
>
>> 
>>> ---
>>>  meta/recipes-bsp/barebox/barebox-common.inc | 4 ++--
>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/meta/recipes-bsp/barebox/barebox-common.inc b/meta/recipes-bsp/barebox/barebox-common.inc
>>> index e41d0858fd..91865b4d44 100644
>>> --- a/meta/recipes-bsp/barebox/barebox-common.inc
>>> +++ b/meta/recipes-bsp/barebox/barebox-common.inc
>>> @@ -3,6 +3,6 @@ SECTION = "bootloaders"
>>>  
>>>  LIC_FILES_CHKSUM = "file://COPYING;md5=f5125d13e000b9ca1f0d3364286c4192"
>>>  
>>> -PV = "2025.09.0"
>>> +PV = "2025.09.3"
>>>  SRC_URI = "https://barebox.org/download/barebox-${PV}.tar.bz2"
>>> -SRC_URI[sha256sum] = "7df1aa47bb7bf1763a729137ac773e69a4052812af094475d739fc63a9295f0d"
>>> +SRC_URI[sha256sum] = "e87eb863cbe45e4f5af8930825c8f6e20c02b82451e9e1125ea1c73c1fb49a87"
>> 
>> 
>> 
>> 
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#235329): https://lists.openembedded.org/g/openembedded-core/message/235329
>> Mute This Topic: https://lists.openembedded.org/mt/118717996/4830399
>> Group Owner: openembedded-core+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [a.fatoum@pengutronix.de]
>> -=-=-=-=-=-=-=-=-=-=-=-
>> 


-- 
Yoann Congal
Smile ECS

Re: [OE-core][whinlatter][PATCH] barebox/barebox-tools: upgrade 2025.09.0 -> 2025.09.3

[Ahmad Fatoum]

Hello Yoann,

Cc += yocto@pengutronix.de who are listed as recipe maintainers.

On 4/16/26 3:40 PM, Yoann Congal wrote:
> On Thu Apr 16, 2026 at 1:34 PM CEST, Ahmad Fatoum wrote:
>> On 4/15/26 11:05 PM, Yoann Congal via lists.openembedded.org wrote:
>>> On Wed Apr 8, 2026 at 2:09 AM CEST, Ankur Tyagi via lists.openembedded.org wrote:
>> I had prepared the v2025.09.y releases, so we (barebox) can hone a
>> workflow to be able to support the release that makes it into Wrynose
>> for a longer time than the usual 1 month it takes between the monthly
>> releases of barebox.
>>
>>> but on the other
>>> hand, there are changes that I find too risky:
>>> For example:
>>> * API Change: https://github.com/barebox/barebox/commit/5e9f709b2b56bd9689e174572ef2af59b9fed5d2
>>
>> barebox is a bare metal bootloader. Its API surface is:
>>
>> - the data formats it parses
>> - the data it passes along, e.g. fixed up device trees
>> - the boot/runtime services it provides to an OS (UEFI/PSCI/TEE-supplicant).

Rereading this, it's probably worth to spell out also:

- The protocols that barebox speaks
- The build integration (e.g. Kconfig options)
- The shell environment

Such changes are also not suitable for a point release.

>> The change to bootm_set_overrides is not a change that affects
>> user-visible API for any of that; it is completely internal to barebox.
>> Revisiting it, I still think it was appropriate to backport it.
> 
> I kind of agreeing with you I just remember my BSP dev days where this
> is the kind of function I would call for my custom boot flow (But in
> this case, fix looks easy enough)

We had rather heated discussions not so long ago about the extent we
should accommodate out-of-tree board code. :-)

I believe a build-time failure is as good as it gets if an API is just
not salvageable like the one you pointed out; It didn't take recursive
calls into account, which occurred in real world scenarios.

For compatibility breakage that is not immediately obvious at
compile-time, we are maintaining migration notes:

https://www.barebox.org/doc/latest/migration-guides/index.html

But nothing that deserves an entry there should be something that would
be ok to include in a point release - save grave security bugs that
can't be fixed any other way.

Most recently, both barebox v2026.03.1 and U-Boot v2026.04.0 will refuse
to boot a FIT with a verified signed configuration when some of the
images were left unsigned:

https://lore.kernel.org/barebox/20260416153455.2630276-1-a.fatoum@pengutronix.de/T/#u

Migration guide entry is the best we can do here.

>>> * New feature: https://github.com/barebox/barebox/compare/v2025.09.0...v2025.09.3#diff-2dd6d3e4c91931c982f091155a47dd8d03e26731f8d59b112e938508fe12255aR1
>>
>> Which features do you see there?
> 
> Sorry the URL is not as direct as I thought.
> This should link to the new "scripts/imx/pread.c" file.

We don't have mingw build in CI, so this fixes a build regression even
if doesn't sound this way.

> Also, looks like imx-image gained a new option :
> "-a authenticate additionaly the DCD block..."

So this was the second commit in a series of two patches. The first is a
fix and the second fixes an incompatibility with the external uuu
utility. I concede that you can decide either way whether this patch is
backport material or not.

The impact on a user not affected by this issue is nonetheless minimal.

> But those look like dependencies of a bugfix.

Fixes are occasionally split for master (next release) and next (release
after next), when the change is too involved.
Recent example is that TF-A v2.14 broke backwards compatibility for its
consumers:

https://lore.barebox.org/barebox/20260325113711.2163037-1-a.fatoum@pengutronix.de/

https://lore.barebox.org/barebox/20260325114753.2249763-1-a.fatoum@pengutronix.de/

No one size fits all.

>> I appreciate that the stable branch was picked up, so many thanks for that!
> 
> Globally, I lean towards taking the upgrade. We will see if there are
> other point of views.
> 
> And by the way, thank you for creating and maintaining a stable branch
> :)

This has been a pain point I heard at conferences in the past and I am
happy to get feedback on how we can improve the process.

The LTS and the migration guides are inspired by Yocto and we see it as
an important part of making sure that barebox is a reliable bootloader
in secure boot contexts.

I think there's generally a lot to improve[1] the status quo of embedded
bootloader security and I see making bootloader updates easier as
important as shiny new features like barebox security policies (coming
hopefully soon to an OE-core near you!), even if the former is
admittedly not as fun..

[1]:
https://osseu2025.sched.com/event/25VqL/bootloaders-under-fire-real-world-threats-and-practical-defenses-ahmad-fatoum-pengutronix

Thanks,
Ahmad

> 
>>
>> Cheers,
>> Ahmad
>>
>>>
>>>> ---
>>>>  meta/recipes-bsp/barebox/barebox-common.inc | 4 ++--
>>>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/meta/recipes-bsp/barebox/barebox-common.inc b/meta/recipes-bsp/barebox/barebox-common.inc
>>>> index e41d0858fd..91865b4d44 100644
>>>> --- a/meta/recipes-bsp/barebox/barebox-common.inc
>>>> +++ b/meta/recipes-bsp/barebox/barebox-common.inc
>>>> @@ -3,6 +3,6 @@ SECTION = "bootloaders"
>>>>  
>>>>  LIC_FILES_CHKSUM = "file://COPYING;md5=f5125d13e000b9ca1f0d3364286c4192"
>>>>  
>>>> -PV = "2025.09.0"
>>>> +PV = "2025.09.3"
>>>>  SRC_URI = "https://barebox.org/download/barebox-${PV}.tar.bz2"
>>>> -SRC_URI[sha256sum] = "7df1aa47bb7bf1763a729137ac773e69a4052812af094475d739fc63a9295f0d"
>>>> +SRC_URI[sha256sum] = "e87eb863cbe45e4f5af8930825c8f6e20c02b82451e9e1125ea1c73c1fb49a87"
>>>
>>>
>>>
>>>
>>> -=-=-=-=-=-=-=-=-=-=-=-
>>> Links: You receive all messages sent to this group.
>>> View/Reply Online (#235329): https://lists.openembedded.org/g/openembedded-core/message/235329
>>> Mute This Topic: https://lists.openembedded.org/mt/118717996/4830399
>>> Group Owner: openembedded-core+owner@lists.openembedded.org
>>> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [a.fatoum@pengutronix.de]
>>> -=-=-=-=-=-=-=-=-=-=-=-
>>>
> 
> 

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |