[bug#78286] Update arm-trusted-firmware to 2.12.2

Message ID 875xidqsfk.fsf@wireframe
State New
Headers
Series [bug#78286] Update arm-trusted-firmware to 2.12.2 |

Commit Message

Vagrant Cascadian May 6, 2025, 10:34 p.m. UTC
  The attached patch updates arm-trusted-firmware packages to 2.12.2.

I believe this fixes a few minor CVE, although it is not immediately
obvious from upstream commit logs...

All dependents build on both x86_64-linux and aarch64-linux:

guix build: computing dependents of package arm-trusted-firmware-imx8mq@2.12.2...
/gnu/store/gg1gmqb89kjaqbq8f9ndzs3ll7niq56d-arm-trusted-firmware-imx8mq-2.12.2
guix build: computing dependents of package arm-trusted-firmware-rk3328@2.12.2...
/gnu/store/wcqyaw6cqzlk8asv3vh4alsrd9a291m7-arm-trusted-firmware-rk3328-2.12.2
/gnu/store/zxs49a0msm4vff5szc7757k1s0lpszla-u-boot-orangepi-r1-plus-lts-rk3328-2025.01
/gnu/store/vap8w54l9kvi4179cy5w0kl2a5f9ixr9-u-boot-rock64-rk3328-2025.01
guix build: computing dependents of package arm-trusted-firmware-rk3399@2.12.2...
/gnu/store/0z2c2dikv1d5avr6f0jga5gsq5pl2x69-arm-trusted-firmware-rk3399-2.12.2
/gnu/store/y0yzl9wccwmhhipblkrv370kafb7d30v-u-boot-rockpro64-rk3399-2025.01
/gnu/store/mw39784wjpbnxhc5arlwcqk93ml1m7pr-u-boot-firefly-rk3399-2025.01
/gnu/store/85rgpgic0vqziczgb92csavl0vxrwm0k-u-boot-puma-rk3399-2025.01
/gnu/store/mbijwvldbwzkscb79v1qqnhnlc93sqgf-u-boot-pinebook-pro-rk3399-2025.01
guix build: computing dependents of package arm-trusted-firmware-rk3588@2.12.2...
/gnu/store/dx9b2ymbj3f7h77mf7b86jagiwkxrdlg-arm-trusted-firmware-rk3588-2.12.2
guix build: computing dependents of package arm-trusted-firmware-sun50i-a64@2.12.2...
/gnu/store/10sx5h064fbjnhc2c6vvkqrp43sj23f0-arm-trusted-firmware-sun50i-a64-2.12.2
/gnu/store/m35rj7p3fjhkkbanj3i9xlw808byl8gp-u-boot-pine64-lts-2025.01
/gnu/store/090mm7g00cl6ws435lf97j7cfdbnnfki-u-boot-pinebook-2025.01
/gnu/store/8f7hn13g71a8cj6pqlj4qjrz5qcbam2s-u-boot-pine64-plus-2025.01
guix build: computing dependents of package arm-trusted-firmware-sun50i-h616@2.12.2...
/gnu/store/jljnh49swdkax8fpl2xqpaag065vggai-arm-trusted-firmware-sun50i-h616-2.12.2
/gnu/store/kvh138wv7ri6fni3mcan7xdbw7i3p3j2-u-boot-orangepi-zero2w-2025.01

I also boot-tested a mnt/reform2 (which admittedly uses a custom u-boot).

live well,
  vagrant
  

Comments

Efraim Flashner May 7, 2025, 5:42 a.m. UTC | #1
On Tue, May 06, 2025 at 03:34:55PM -0700, Vagrant Cascadian wrote:
> The attached patch updates arm-trusted-firmware packages to 2.12.2.
> 
> I believe this fixes a few minor CVE, although it is not immediately
> obvious from upstream commit logs...
> 
> All dependents build on both x86_64-linux and aarch64-linux:
> 
> guix build: computing dependents of package arm-trusted-firmware-imx8mq@2.12.2...
> /gnu/store/gg1gmqb89kjaqbq8f9ndzs3ll7niq56d-arm-trusted-firmware-imx8mq-2.12.2
> guix build: computing dependents of package arm-trusted-firmware-rk3328@2.12.2...
> /gnu/store/wcqyaw6cqzlk8asv3vh4alsrd9a291m7-arm-trusted-firmware-rk3328-2.12.2
> /gnu/store/zxs49a0msm4vff5szc7757k1s0lpszla-u-boot-orangepi-r1-plus-lts-rk3328-2025.01
> /gnu/store/vap8w54l9kvi4179cy5w0kl2a5f9ixr9-u-boot-rock64-rk3328-2025.01
> guix build: computing dependents of package arm-trusted-firmware-rk3399@2.12.2...
> /gnu/store/0z2c2dikv1d5avr6f0jga5gsq5pl2x69-arm-trusted-firmware-rk3399-2.12.2
> /gnu/store/y0yzl9wccwmhhipblkrv370kafb7d30v-u-boot-rockpro64-rk3399-2025.01
> /gnu/store/mw39784wjpbnxhc5arlwcqk93ml1m7pr-u-boot-firefly-rk3399-2025.01
> /gnu/store/85rgpgic0vqziczgb92csavl0vxrwm0k-u-boot-puma-rk3399-2025.01
> /gnu/store/mbijwvldbwzkscb79v1qqnhnlc93sqgf-u-boot-pinebook-pro-rk3399-2025.01
> guix build: computing dependents of package arm-trusted-firmware-rk3588@2.12.2...
> /gnu/store/dx9b2ymbj3f7h77mf7b86jagiwkxrdlg-arm-trusted-firmware-rk3588-2.12.2
> guix build: computing dependents of package arm-trusted-firmware-sun50i-a64@2.12.2...
> /gnu/store/10sx5h064fbjnhc2c6vvkqrp43sj23f0-arm-trusted-firmware-sun50i-a64-2.12.2
> /gnu/store/m35rj7p3fjhkkbanj3i9xlw808byl8gp-u-boot-pine64-lts-2025.01
> /gnu/store/090mm7g00cl6ws435lf97j7cfdbnnfki-u-boot-pinebook-2025.01
> /gnu/store/8f7hn13g71a8cj6pqlj4qjrz5qcbam2s-u-boot-pine64-plus-2025.01
> guix build: computing dependents of package arm-trusted-firmware-sun50i-h616@2.12.2...
> /gnu/store/jljnh49swdkax8fpl2xqpaag065vggai-arm-trusted-firmware-sun50i-h616-2.12.2
> /gnu/store/kvh138wv7ri6fni3mcan7xdbw7i3p3j2-u-boot-orangepi-zero2w-2025.01
> 
> I also boot-tested a mnt/reform2 (which admittedly uses a custom u-boot).
> 
> live well,
>   vagrant

Looks good to me!
  
Vagrant Cascadian May 7, 2025, 9:37 p.m. UTC | #2
On 2025-05-07, Efraim Flashner wrote:
> On Tue, May 06, 2025 at 03:34:55PM -0700, Vagrant Cascadian wrote:
>> The attached patch updates arm-trusted-firmware packages to 2.12.2.
>> 
>> I believe this fixes a few minor CVE, although it is not immediately
>> obvious from upstream commit logs...
>> 
>> All dependents build on both x86_64-linux and aarch64-linux:
>> 
>> guix build: computing dependents of package arm-trusted-firmware-imx8mq@2.12.2...
>> /gnu/store/gg1gmqb89kjaqbq8f9ndzs3ll7niq56d-arm-trusted-firmware-imx8mq-2.12.2
...
>> guix build: computing dependents of package arm-trusted-firmware-sun50i-h616@2.12.2...
>> /gnu/store/jljnh49swdkax8fpl2xqpaag065vggai-arm-trusted-firmware-sun50i-h616-2.12.2
>> /gnu/store/kvh138wv7ri6fni3mcan7xdbw7i3p3j2-u-boot-orangepi-zero2w-2025.01
>> 
>> I also boot-tested a mnt/reform2 (which admittedly uses a custom u-boot).
...
> Looks good to me!

Thanks!

Pushed as f3b2a79cb2355b9b9119723a667adaefc933e715.


live well,
  vagrant
  

Patch

From cea71c67bb2fc44c6109f2d15edfd2a14a127f30 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@debian.org>
Date: Tue, 6 May 2025 18:05:00 +0000
Subject: [PATCH] gnu: arm-trusted-firmware: Update to 2.12.2.

* gnu/packages/firmware.scm (make-arm-trusted-firmware): Update to 2.12.2.

Change-Id: Ib8077e63bd3df0fe6dce634d5b7278b9389c42db
---
 gnu/packages/firmware.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/firmware.scm b/gnu/packages/firmware.scm
index 9548bc2ff7..ef4978df57 100644
--- a/gnu/packages/firmware.scm
+++ b/gnu/packages/firmware.scm
@@ -1144,7 +1144,7 @@  (define (native-build?)
         (string=? (%current-system) (gnu-triplet->nix-system triplet))))
   (package
     (name (downstream-package-name "arm-trusted-firmware-" platform))
-    (version "2.12.1")
+    (version "2.12.2")
     (source
      (origin
        (method git-fetch)
@@ -1154,7 +1154,7 @@  (define (native-build?)
               (commit (string-append "lts-v" version))))
        (file-name (git-file-name "arm-trusted-firmware" version))
        (sha256
-        (base32 "1vngwbjghgsh5i02zq66nmbxxr2d4p93rirsvh5jrhbcdn0v5xf8"))
+        (base32 "01i40asy9dsbx4l5kbvsvi55bdf308nnraf8kfli5d4cx8pxqmrj"))
        (patches (search-patches "8mq-enable-imx_hab_handler.patch"
                                 "8mq-move-stack-to-ocram_s.patch"))
        (modules '((guix build utils)))

base-commit: fbf8b81971475ee712338f1c955be6ac44099fac
-- 
2.39.5