[U-Boot] [PATCH] fs: cbfs: remove wrong header validation

Christian Gmeiner christian.gmeiner at gmail.com
Wed Dec 12 14:27:57 UTC 2018


Hi Bin,

Finally I have some time to look deeper into this issue.

>
> On Thu, Sep 20, 2018 at 10:47 PM Christian Gmeiner
> <christian.gmeiner at gmail.com> wrote:
> >
> > Coreboot does not contain such a check:
> > https://github.com/coreboot/coreboot/blob/eeb4e20b2f6d786c92fe3efb30817e90389a2bfe/src/commonlib/cbfs.c#L64
> >
> > Before this change cbfsinit failed with 'Bad CBFS file'. After this change all cbfs commands
> > are working as expected.
> >
> > Signed-off-by: Christian Gmeiner <christian.gmeiner at gmail.com>
> > ---
> >  fs/cbfs/cbfs.c | 6 +-----
> >  1 file changed, 1 insertion(+), 5 deletions(-)
> >
> > diff --git a/fs/cbfs/cbfs.c b/fs/cbfs/cbfs.c
> > index 0dce639b49..2a581f0c18 100644
> > --- a/fs/cbfs/cbfs.c
> > +++ b/fs/cbfs/cbfs.c
> > @@ -96,11 +96,7 @@ static int file_cbfs_next_file(u8 *start, u32 size, u32 align,
> >                 }
> >
> >                 swap_file_header(&header, fileHeader);
> > -               if (header.offset < sizeof(struct cbfs_fileheader) ||
> > -                   header.offset > header.len) {
> > -                       file_cbfs_result = CBFS_BAD_FILE;
> > -                       return -1;
> > -               }
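Review bot: the hunk removes both comparisons, but only the second one is wrong. `header.offset` is where the file data starts relative to the header and `header.len` is the length of that data, so `header.offset > header.len` rejects every valid file whose data is shorter than its header plus attribute area, which is the likely reason `cbfsinit` reports 'Bad CBFS file'. The first comparison, `header.offset < sizeof(struct cbfs_fileheader)`, is a sound lower bound (data must not overlap the header) and should stay. Suggest keeping that lower bound and replacing the upper bound with one against the region actually being walked, i.e. fail with `file_cbfs_result = CBFS_BAD_FILE` when `header.offset + header.len` exceeds the bytes remaining of the `size` passed to `file_cbfs_next_file`, computed without 32-bit overflow, rather than dropping the validation entirely.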
>
> It looks to me the existing code was doing some sanity checks. Can
> you elaborate why this is failing on your board? In your coreboot
> reference, I don't see exactly how the U-Boot code is connected to the
> coreboot one.
>

This has nothing to do with my board at all - I can easily reproduce
this issue under qemu:

qemu-system-i386 -bios build/coreboot.rom -hda /dev/zero -serial stdio -display none
WARNING: Image format was not specified for '/dev/zero' and probing guessed raw.
         Automatically detecting the format is dangerous for raw
images, write operations on block 0 will be restricted.
         Specify the 'raw' format explicitly to remove the restrictions.


coreboot-4.8-2510-g303a4bfd4a Wed Dec 12 02:20:54 UTC 2018 bootblock starting...
CBFS: 'Master Header Locator' located CBFS at [1fa0200:2000000)
CBFS: Locating 'fallback/romstage'
CBFS: Found @ offset 80 size 3c04


coreboot-4.8-2510-g303a4bfd4a Wed Dec 12 02:20:54 UTC 2018 romstage starting...
CBMEM:
IMD: root @ 07fff000 254 entries.
IMD: root @ 07ffec00 62 entries.
CBFS: 'Master Header Locator' located CBFS at [1fa0200:2000000)
CBFS: Locating 'fallback/ramstage'
CBFS: Found @ offset 3d00 size acb2
Decompressing stage fallback/ramstage @ 0x07fbcfc0 (128664 bytes)
Loading module at 07fbd000 with entry 07fbd000. filesize: 0x15750
memsize: 0x1f658
Processing 1257 relocs. Offset value of 0x071bd000


coreboot-4.8-2510-g303a4bfd4a Wed Dec 12 02:20:54 UTC 2018 ramstage starting...
Enumerating buses...
CPU_CLUSTER: 0 enabled
DOMAIN: 0000 enabled
QEMU: firmware config interface detected
QEMU: max_cpus is 1
CPU: APIC: 00 enabled
scan_bus: scanning of bus CPU_CLUSTER: 0 took 0 usecs
PCI: pci_scan_bus for bus 00
PCI: 00:00.0 [8086/1237] enabled
PCI: 00:01.0 [8086/7000] enabled
PCI: 00:01.1 [8086/7010] enabled
PCI: 00:01.3 [8086/7113] enabled
PCI: 00:02.0 [1234/1111] enabled
PCI: 00:03.0 [8086/100e] enabled
scan_bus: scanning of bus PCI: 00:01.0 took 0 usecs
scan_bus: scanning of bus PCI: 00:01.3 took 0 usecs
scan_bus: scanning of bus DOMAIN: 0000 took 0 usecs
scan_bus: scanning of bus Root Device took 0 usecs
done
found VGA at PCI: 00:02.0
Setting up VGA for PCI: 00:02.0
Setting PCI_BRIDGE_CTL_VGA for bridge DOMAIN: 0000
Setting PCI_BRIDGE_CTL_VGA for bridge Root Device
Allocating resources...
Reading resources...
QEMU: 11 files in fw_cfg
QEMU:     bootorder [size=0]
QEMU:     etc/acpi/rsdp [size=36]
QEMU:     etc/acpi/tables [size=131072]
QEMU:     etc/boot-fail-wait [size=4]
QEMU:     etc/e820 [size=20]
QEMU:     etc/smbios/smbios-anchor [size=31]
QEMU:     etc/smbios/smbios-tables [size=320]
QEMU:     etc/system-states [size=6]
QEMU:     etc/table-loader [size=4096]
QEMU:     etc/tpm/log [size=0]
QEMU:     genroms/kvmvapic.bin [size=9216]
QEMU: e820/ram: 0x00000000 +0x08000000
QEMU: reserve ioports 0x0510-0x0511 [firmware-config]
QEMU: reserve ioports 0x5658-0x5658 [vmware-port]
QEMU: reserve ioports 0xae00-0xae0f [pci-hotplug]
QEMU: reserve ioports 0xaf00-0xaf1f [cpu-hotplug]
QEMU: reserve ioports 0xafe0-0xafe3 [piix4-gpe0]
Done reading resources.
Setting resources...
PCI: 00:01.1 20 <- [0x0000005840 - 0x000000584f] size 0x00000010 gran 0x04 io
PCI: 00:02.0 10 <- [0x00fd000000 - 0x00fdffffff] size 0x01000000 gran 0x18 prefmem
PCI: 00:02.0 18 <- [0x00fe070000 - 0x00fe070fff] size 0x00001000 gran 0x0c mem
PCI: 00:02.0 30 <- [0x00fe060000 - 0x00fe06ffff] size 0x00010000 gran 0x10 romem
PCI: 00:03.0 10 <- [0x00fe040000 - 0x00fe05ffff] size 0x00020000 gran 0x11 mem
PCI: 00:03.0 14 <- [0x0000005800 - 0x000000583f] size 0x00000040 gran 0x06 io
PCI: 00:03.0 30 <- [0x00fe000000 - 0x00fe03ffff] size 0x00040000 gran 0x12 romem
Done setting resources.
Done allocating resources.
Enabling resources...
PCI: 00:00.0 cmd <- 00
PCI: 00:01.0 cmd <- 00
PCI: 00:01.1 cmd <- 01
PCI: 00:01.3 cmd <- 00
PCI: 00:02.0 cmd <- 03
PCI: 00:03.0 cmd <- 03
done.
Initializing devices...
Root Device init ...
CPU_CLUSTER: 0 init ...
Initializing CPU #0
CPU: vendor Intel device 663
CPU: family 06, model 06, stepping 03
Setting up local APIC... apic_id: 0x00 done.
CPU #0 initialized
PCI: 00:00.0 init ...
Assigning IRQ 10 to 0:1.3
Assigning IRQ 11 to 0:3.0
PCI: 00:01.0 init ...
RTC Init
PCI: 00:01.1 init ...
IDE: Primary IDE interface: on
IDE: Secondary IDE interface: on
IDE: Access to legacy IDE ports: off
PCI: 00:02.0 init ...
PCI: 00:03.0 init ...
Devices initialized
Finalize devices...
Devices finalized
Copying Interrupt Routing Table to 0x000f0000... done.
Copying Interrupt Routing Table to 0x07fb3000... done.
PIRQ table: 128 bytes.
QEMU: found ACPI tables in fw_cfg.
QEMU: loading "etc/acpi/rsdp" to 0x7f8f000 (len 36)
QEMU: loading "etc/acpi/tables" to 0x7f8f040 (len 131072)
QEMU: loaded ACPI tables from fw_cfg.
ACPI tables: 131136 bytes.
smbios_write_tables: 07f8e000
DOMAIN: 0000 (QEMU Northbridge i440fx)
QEMU: found smbios tables in fw_cfg (len 320).
QEMU: coreboot type0 table found at 0x7f8e020.
QEMU: loading smbios tables to 0x7f8e062
SMBIOS tables: 418 bytes.
Writing table forward entry at 0x00000500
Wrote coreboot table at: 00000500, 0x10 bytes, checksum b7e3
Writing coreboot table at 0x07fb4000
 0. 0000000000000000-0000000000000fff: CONFIGURATION TABLES
 1. 0000000000001000-000000000009ffff: RAM
 2. 00000000000c0000-0000000007f8dfff: RAM
 3. 0000000007f8e000-0000000007fbcfff: CONFIGURATION TABLES
 4. 0000000007fbd000-0000000007fdcfff: RAMSTAGE
 5. 0000000007fdd000-0000000007ffffff: CONFIGURATION TABLES
 6. 00000000ff800000-00000000ffffffff: RESERVED
CBFS: 'Master Header Locator' located CBFS at [1fa0200:2000000)
FMAP: Found "FLASH" version 1.1 at 1fa0000.
FMAP: base = fe000000 size = 2000000 #areas = 3
Wrote coreboot table at: 07fb4000, 0x264 bytes, checksum f4f2
coreboot table: 636 bytes.
IMD ROOT    0. 07fff000 00001000
IMD SMALL   1. 07ffe000 00001000
CONSOLE     2. 07fde000 00020000
TIME STAMP  3. 07fdd000 00000910
RAMSTAGE    4. 07fbc000 00021000
COREBOOT    5. 07fb4000 00008000
IRQ TABLE   6. 07fb3000 00001000
ACPI        7. 07f8f000 00024000
SMBIOS      8. 07f8e000 00000800
IMD small region:
  IMD ROOT    0. 07ffec00 00000400
  CAR GLOBALS 1. 07ffe9c0 00000240
  COREBOOTFWD 2. 07ffe980 00000028
CBFS: 'Master Header Locator' located CBFS at [1fa0200:2000000)
CBFS: Locating 'fallback/payload'
CBFS: Found @ offset 10000 size 354b5
Checking segment from ROM address 0xfffb0238
Checking segment from ROM address 0xfffb0254
Loading segment from ROM address 0xfffb0238
  code (compression=1)
  New segment dstaddr 0x01110000 memsize 0x793df srcaddr 0xfffb0270 filesize 0x3547d
Loading Segment: addr: 0x01110000 memsz: 0x00000000000793df filesz: 0x000000000003547d
using LZMA
Loading segment from ROM address 0xfffb0254
  Entry Point 0x01110015
Jumping to boot code at 01110015(07fb4000)


U-Boot 2019.01-rc1-00277-gee168783ae (Dec 12 2018 - 15:10:41 +0100)

CPU: x86, vendor Intel, device 663h
DRAM:  127.4 MiB
MMC:
Video: No video mode configured in coreboot!
Video: No video mode configured in coreboot!
Model: coreboot x86 payload
Net:   e1000: 52:54:00:12:34:56

Warning: e1000#0 using MAC address from ROM
eth0: e1000#0
No controllers found
Finalizing coreboot
Hit any key to stop autoboot:  0
=> cbfsinit
Bad CBFS file.
=>


So let's try to connect the U-Boot and coreboot sources in that area.

file_cbfs_next_file(..):
https://git.denx.de/?p=u-boot.git;a=blob;f=fs/cbfs/cbfs.c;h=0dce639b49ce095ac3eede2ee9c3138f1e0af3bb;hb=HEAD#l76
cbfs_for_each_file(..):
https://github.com/coreboot/coreboot/blob/eeb4e20b2f6d786c92fe3efb30817e90389a2bfe/src/commonlib/cbfs.c#L64

Both of these two functions do more or less the same: look for files
in CBFS, with the only difference that U-Boot's implementation does some
validations that are not done in coreboot:
https://git.denx.de/?p=u-boot.git;a=blob;f=fs/cbfs/cbfs.c;h=0dce639b49ce095ac3eede2ee9c3138f1e0af3bb;hb=HEAD#l99

With this patch cbfsinit works and cbfsinfo shows the expected output:
=> cbfsinfo

CBFS version: 0x31313132
ROM size: 0x2000000
Boot block size: 0x4
CBFS size: 0x5fdfc
Alignment: 64
Offset: 0x1fa0200


What is needed to get further with this patch?

--
greets
--
Christian Gmeiner, MSc

https://christian-gmeiner.info
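An added example, not part of this thread and not U-Boot or coreboot code: a small C walker over a constructed CBFS region that shows why the removed `header.offset > header.len` comparison rejects perfectly valid files, and what a bounds check against the remaining region looks like instead. It assumes the 24-byte big-endian file header layout (magic "LARCHIVE", len, type, attributes offset, data offset) and, as a simplification, treats aligned slots without the magic as unused space that is skipped one alignment unit at a time. The sample image, the 64-byte alignment, the file types and the truncation point are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed CBFS file header layout (24 bytes, all fields big-endian):
 * magic[8] "LARCHIVE", len, type, attributes offset, data offset. */
#define CBFS_FILE_MAGIC "LARCHIVE"
#define CBFS_HDR_SIZE   24u

struct cbfs_file {
    uint32_t len;     /* length of the file data */
    uint32_t type;
    uint32_t attr;    /* offset of the attribute area, 0 if none */
    uint32_t offset;  /* offset of the data from the start of the header */
};

enum cbfs_rc { CBFS_OK = 0, CBFS_BAD_MAGIC, CBFS_BAD_OFFSET, CBFS_TRUNCATED };

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Parse one header and validate it against the bytes remaining in the region.
 * offset and len are independent quantities, so the meaningful upper bound is
 * offset + len against remaining, written so that it cannot overflow. */
static enum cbfs_rc cbfs_check_file(const uint8_t *hdr, size_t remaining,
                                    struct cbfs_file *out)
{
    if (remaining < CBFS_HDR_SIZE || memcmp(hdr, CBFS_FILE_MAGIC, 8) != 0)
        return CBFS_BAD_MAGIC;
    out->len = get_be32(hdr + 8);
    out->type = get_be32(hdr + 12);
    out->attr = get_be32(hdr + 16);
    out->offset = get_be32(hdr + 20);
    if (out->offset < CBFS_HDR_SIZE)       /* data must not overlap the header */
        return CBFS_BAD_OFFSET;
    if (out->offset > remaining || out->len > remaining - out->offset)
        return CBFS_TRUNCATED;             /* file claims bytes past the region */
    return CBFS_OK;
}

/* The comparison the patch removed, kept only to show its false positive. */
static int old_uboot_check_rejects(const struct cbfs_file *f)
{
    return f->offset < CBFS_HDR_SIZE || f->offset > f->len;
}

/* Walk the region; returns the number of valid files and the first error. */
static int cbfs_count_files(const uint8_t *region, size_t size, size_t align,
                            enum cbfs_rc *err)
{
    size_t pos = 0;
    int n = 0;

    *err = CBFS_OK;
    while (pos + CBFS_HDR_SIZE <= size) {
        struct cbfs_file f;
        enum cbfs_rc rc;

        if (memcmp(region + pos, CBFS_FILE_MAGIC, 8) != 0) {
            pos += align;                  /* unused slot: skip one alignment unit */
            continue;
        }
        rc = cbfs_check_file(region + pos, size - pos, &f);
        if (rc != CBFS_OK) {
            *err = rc;
            return n;
        }
        n++;
        pos += (size_t)f.offset + f.len;   /* next header: first aligned slot after the data */
        pos = (pos + align - 1) / align * align;
    }
    return n;
}

static void put_file(uint8_t *at, uint32_t len, uint32_t type,
                     uint32_t attr_len, const uint8_t *data)
{
    uint32_t offset = CBFS_HDR_SIZE + attr_len;

    memcpy(at, CBFS_FILE_MAGIC, 8);
    put_be32(at + 8, len);
    put_be32(at + 12, type);
    put_be32(at + 16, attr_len ? CBFS_HDR_SIZE : 0);
    put_be32(at + 20, offset);
    memset(at + CBFS_HDR_SIZE, 0, attr_len);
    memcpy(at + offset, data, len);
}

/* Constructed sample region: 256 bytes, 64-byte alignment, two files. */
static size_t build_sample_image(uint8_t *buf, size_t cap)
{
    static const uint8_t small[4] = { 'A', 'B', 'C', 'D' };
    uint8_t big[40];

    if (cap < 256)
        return 0;
    memset(buf, 0, 256);
    memset(big, 0xEE, sizeof big);
    put_file(buf, 4, 0x50, 0, small);      /* 4 data bytes at +24: offset > len */
    put_file(buf + 64, 40, 0x20, 16, big); /* 16-byte attribute area, data at +40 */
    return 256;
}

int main(void)
{
    uint8_t buf[256];
    size_t n = build_sample_image(buf, sizeof buf);
    enum cbfs_rc err;
    struct cbfs_file f;
    int count = cbfs_count_files(buf, n, 64, &err);

    printf("full region: %d file(s), err=%d\n", count, err);
    cbfs_check_file(buf, n, &f);
    printf("old offset>len check rejects the 4-byte file: %d\n", old_uboot_check_rejects(&f));
    count = cbfs_count_files(buf, 114, 64, &err);   /* cut inside the second file */
    printf("region cut at 114 bytes: %d file(s), err=%d\n", count, err);
    return 0;
}
```

The first file is the interesting one: 4 bytes of data behind a 24-byte header is exactly the shape that `offset > len` flags as bad, while it is well inside the region. The truncated run shows what the check should catch instead: a header whose `offset + len` reaches past the bytes that are actually there.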

