[PATCH 0/6] Miscellaneous FWU fixes

Thu Sep 5 09:38:08 CEST 2024

On Thu, 5 Sept 2024 at 13:03, Michal Simek <michal.simek at amd.com> wrote:
>
>
>
> On 9/5/24 08:24, Sughosh Ganu wrote:
> > On Wed, 4 Sept 2024 at 17:30, Michal Simek <michal.simek at amd.com> wrote:
> >>
> >>
> >>
> >> On 8/30/24 13:40, Sughosh Ganu wrote:
> >>>
> >>> The following set of patches are miscellaneous fixes and some
> >>> hardening of the FWU update logic.
> >>>
> >>> Sughosh Ganu (6):
> >>>     fwu: v2: perform some checks before reading metadata
> >>>     fwu: v2: try reading both copies of metadata
> >>>     fwu: v1: do a version check for the metadata
> >>>     fwu: check all images for transitioning out of Trial State
> >>>     fwu: add dependency checks for selecting FWU metadata version
> >>>     fwu: do not allow capsule processing on exceeding Trial Counter
> >>>       threshold
> >>>
> >>>    include/fwu.h            | 11 ++++++
> >>>    lib/fwu_updates/Kconfig  |  1 +
> >>>    lib/fwu_updates/fwu.c    | 31 +++++++++++++++-
> >>>    lib/fwu_updates/fwu_v1.c | 18 +++++++--
> >>>    lib/fwu_updates/fwu_v2.c | 80 ++++++++++++++++++++++------------------
> >>>    5 files changed, 99 insertions(+), 42 deletions(-)
> >>>
> >>
> >> I found one more thing.
> >>
> >> I did this change
> >>
> >> diff --git a/tools/mkfwumdata.c b/tools/mkfwumdata.c
> >> index fbc2067bc12d..dab9530e499c 100644
> >> --- a/tools/mkfwumdata.c
> >> +++ b/tools/mkfwumdata.c
> >> @@ -293,7 +293,7 @@ static void fwu_fill_version_specific_mdata(struct
> >> fwu_mdata_object *mobj)
> >>           struct fwu_mdata *mdata = mobj->mdata;
> >>
> >>           mdata->metadata_size = mobj->size;
> >> -       mdata->desc_offset = sizeof(struct fwu_mdata);
> >> +       mdata->desc_offset = 0x21; sizeof(struct fwu_mdata);
> >>
> >>           for (i = 0; i < MAX_BANKS_V2; i++)
> >>                   mdata->bank_state[i] = i < mobj->banks ?
> >>
> >>
> >> to break desc_offset location. I generated mdata structure and write it to
> >> primary mdata partition.
> >>
> >> This has been spotted by (my debug) which is the reason why I did it.
> >>
> >>          if (g_mdata.desc_offset != FWU_IMG_DESC_OFFSET) {
> >>                  printf("mdata offset is not 0x20\n");
> >>                  return false;
> >>          }
> >>
> >> But I got one more message below which
> >>
> >> mdata offset is not 0x20
> >> Both FWU metadata copies are valid but do not match. Restoring the secondary
> >> partition from the primary
> >
> > The reason why this logic is in place is to handle the scenario
> > whereby, during the metadata update, the primary copy gets updated
> > correctly, but due to some reason (like a power cut), the secondary
> > copy does not -- this is because the primary copy gets updated first.
> > In such a scenario, the secondary copy of metadata can be then
> > restored from the primary copy. In the scenario where the primary copy
> > is corrupted, it will show up in the crc check, and will get restored
> > from the secondary copy.
>
> But in this case - CRC of primary is correct but data inside is wrong because
> offset is at 0x21 not at 0x20.

How will this event play out ? Am I missing something ? When the
metadata is getting updated, the offset will be written as 0x20, and
not 0x21. And in case the metadata gets corrupted, the CRC check would
fail and the primary partition would get restored from the secondary
(assuming that the secondary copy is correct).

-sughosh

> That likely means that U-Boot is not actually using this field to find where
> data is but I think that's fine to say not supported mdata structure but u-boot
> should never copy this "primary broken" description to secondary one as syncup.
>
> M
>