[U-Boot] [PATCH v3 2/2] sunxi: binman: Add U-Boot binary size check
Maxime Ripard
maxime.ripard at bootlin.com
Wed May 2 13:41:55 UTC 2018
1;5201;0c
On Wed, May 02, 2018 at 10:34:49AM +0100, Måns Rullgård wrote:
> Siarhei Siamashka <siarhei.siamashka at gmail.com> writes:
>
> > On Tue, 01 May 2018 18:25:06 +0100
> > Måns Rullgård <mans at mansr.com> wrote:
> >
> >> Maxime Ripard <maxime.ripard at free-electrons.com> writes:
> >>
> >> > The U-Boot binary may trip over its actual allocated size in the storage.
> >> > In such a case, the environment will not be readable anymore (because
> >> > corrupted when the new image was flashed), and any attempt at using saveenv
> >> > to reconstruct the environment will result in a corrupted U-Boot binary.
> >> >
> >> > Reviewed-by: Andre Przywara <andre.przywara at arm.com>
> >> > Signed-off-by: Maxime Ripard <maxime.ripard at free-electrons.com>
> >> > ---
> >> > arch/arm/dts/sunxi-u-boot.dtsi | 12 ++++++++++++
> >> > 1 file changed, 12 insertions(+)
> >> >
> >> > diff --git a/arch/arm/dts/sunxi-u-boot.dtsi b/arch/arm/dts/sunxi-u-boot.dtsi
> >> > index 5adfd9bca2ec..72e95afd780e 100644
> >> > --- a/arch/arm/dts/sunxi-u-boot.dtsi
> >> > +++ b/arch/arm/dts/sunxi-u-boot.dtsi
> >> > @@ -1,5 +1,14 @@
> >> > #include <config.h>
> >> >
> >> > +/*
> >> > + * This is the maximum size the U-Boot binary can be, which is basically
> >> > + * the start of the environment, minus the start of the U-Boot binary in
> >> > + * the MMC. This makes the assumption that the MMC is using 512-bytes
> >> > + * blocks, but devices using something other than that remains to be
> >> > + * seen.
> >> > + */
> >> > +#define UBOOT_MMC_MAX_SIZE (CONFIG_ENV_OFFSET - (CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR * 512))
> >> > +
> >> > / {
> >> > binman {
> >> > filename = "u-boot-sunxi-with-spl.bin";
> >> > @@ -8,6 +17,9 @@
> >> > filename = "spl/sunxi-spl.bin";
> >> > };
> >> > u-boot-img {
> >> > +#ifdef CONFIG_MMC
> >> > + size = <UBOOT_MMC_MAX_SIZE>;
> >> > +#endif
> >> > pos = <CONFIG_SPL_PAD_TO>;
> >> > };
> >> > };
> >> > --
> >>
> >> This is broken in (at least) two ways:
> >>
> >> 1. It is simply nonsensical if u-boot and env are on different devices
> >> or not on mmc even if mmc support is enabled.
> >>
> >> 2. It causes u-boot-sunxi-with-spl.bin to be padded to the env offset.
> >> At best, this is useless. If the env doesn't immediately follow
> >> u-boot, it really breaks things.
> >>
> >> Please fix or revert, I don't really care which.
> >
> > The padding is not useless. It reserves space for future size expansions
> > and makes it harder for the users to hurt themselves.
> >
> > For example, if the padded U-Boot size is 1024K while the actual size
> > is only ~800K, then adventurous users might be tempted to fit some of
> > their data into this gap. Yay, ~200K of storage space for free! Except
> > that the next U-Boot release may grow up to 900K without any warning
> > and if the users are not careful enough, then their data would be
> > corrupted during upgrade.
>
> Do U-Boot users really need that level of hand-holding?
Yes, and that's never a good argument to make, because...
> > Could you please tell us what is your problem and why reverting this
> > patch would fix it?
>
> See above. Best case, it just wastes space in the created file. If the
> configuration is anything other than U-Boot immediately followed by env
> on the same device, it _will_ break things horribly. A few examples:
>
> 1. U-Boot and env are on different devices, e.g. U-Boot on mmc and env
> in SPI NOR flash. In this case, padding the file to the env offset
> makes no sense. Writing the image will corrupt anything stored
> after U-Boot at a smaller (but still safe) offset.
.. I could make pretty much the same one for all your cases, which
would be completely useless, and wouldn't fix anything.
I guess this one could be solved using an ifdef guard with
ENV_IS_IN_MMC.
> 2. U-Boot at a non-zero offset, followed by env, but _not_ on mmc. If
> CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR, probably at its default
> value, is smaller than the offset of U-Boot in its actual device,
> the padding will be too large. Writing the image file will then
> corrupt a stored env.
This one would be covered too.
> 3. U-Boot at start of device, env at end as indicated by a negative
> CONFIG_ENV_OFFSET. With this configuration, binman tries to pad the
> image to (nearly) 2^64 bytes and promptly fills up your storage
> device.
I'm not too sure about how to fix this one though. Any suggestion?
Maxime
--
Maxime Ripard, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
https://bootlin.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180502/d376f331/attachment.sig>
More information about the U-Boot
mailing list