[BUG report] spl: image size check fails in spl_load()

Sean Anderson seanga2 at gmail.com
Fri Feb 21 03:18:06 CET 2025 

On 2/20/25 00:22, Anshul Dalal wrote:
> On Wed Feb 19, 2025 at 9:17 PM IST, Sean Anderson wrote:
>> On 2/18/25 01:07, Anshul Dalal wrote:
>>> On Sat Feb 15, 2025 at 11:18 PM IST, Sean Anderson wrote:
>>>> On 2/14/25 06:12, Anshul Dalal wrote:
>>>>> Hi all!
>>>>>
>>>>> I was trying to implement falcon boot on TI AM62x EVM with the kernel image on
>>>>> SD card's filesystem but the following check in `_spl_load` at
>>>>> `include/spl_load.h:95` fails to -EIO as per the latest commit [89d3333]:
>>>>>
>>>>> 	return read < spl_image->size ? -EIO : 0;
>>>>>
>>>>> The check seems to be comparing the image size gathered from the header
>>>>> (spl_image->size) with the number of bytes read form the loader.
>>>>>
>>>>>    From spl_load.h:
>>>>>
>>>>> 	ret = spl_parse_image_header(spl_image, bootdev, header);
>>>>> 	if (ret)
>>>>> 		return ret;
>>>>>
>>>>> 	base_offset = spl_image->offset;
>>>>> 	/* Only NOR sets this flag. */
>>>>> 	if (IS_ENABLED(CONFIG_SPL_NOR_SUPPORT) &&
>>>>> 	    spl_image->flags & SPL_COPY_PAYLOAD_ONLY)
>>>>> 		base_offset += sizeof(*header);
>>>>> 	image_offset = ALIGN_DOWN(base_offset, spl_get_bl_len(info));
>>>>> 	overhead = base_offset - image_offset;
>>>>> 	size = ALIGN(spl_image->size + overhead, spl_get_bl_len(info));
>>>>>
>>>>> 	read = info->read(info, offset + image_offset, size,
>>>>> 			  map_sysmem(spl_image->load_addr - overhead, size));
>>>>>
>>>>> 	if (read < 0)
>>>>> 		return read;
>>>>>
>>>>> 	return read < spl_image->size ? -EIO : 0;
>>>>>
>>>>> During kernel build process the header size is computed including the BSS
>>>>> whereas it's removed when creating the uncompressed image. Therefore the size
>>>>> of the uncompressed image on filesystem will be smaller than the size specified
>>>>> in the header. Which leads to failure of the above check.
>>>>>
>>>>>    From linux kernel's `arch/arm64/kernel/image.h:63`:
>>>>>
>>>>> 	#define HEAD_SYMBOLS						\
>>>>> 		DEFINE_IMAGE_LE64(_kernel_size_le, _end - _text);	\
>>>>> 		DEFINE_IMAGE_LE64(_kernel_flags_le, __HEAD_FLAGS);
>>>>>
>>>>> Disabling the check leads to a successful boot directly to the kernel.
>>>>> Therefore it seems like the check is non functional as the size in the kernel
>>>>> header does not correspond with the file size of the kernel image.
>>>>
>>>> Did this work before v2024.04?
>>>>
>>>
>>> No, the check existed by v2024.04. I tested on the commit prior to
>>> 775074165d97 (the commit that added the check) and falcon boot works.
>>
>> Sorry, that's what I meant. E.g. did this work in v2024.01 etc.
>>
>> Just wanted to determine whether this was a bug or a feature request.
>>
>>>> How exactly are you loading your image? E.g. what are the values of
>>>>
>>>
>>> I have my DTB and kernel Image on the 1st partition of the SD card which
>>> is FAT. Which also includes the u-boot.img in case falcon fails and we
>>> need a fallback.
>>>
>>>> CONFIG_SPL_OS_BOOT
>>>> CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR
>>>> CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_PARTITION
>>>> CONFIG_SPL_FALCON_BOOT_MMCSD
>>>> CONFIG_SPL_FS_FAT
>>>> CONFIG_SPL_FS_EXT4
>>>> CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
>>>> CONFIG_SUPPORT_EMMC_BOOT
>>>>
>>>
>>> Since I'm not booting from RAW mmc but instead FS boot, I don't think
>>> the SYS_MMCSD_RAW_* configs are relevant but in any case:
>>>
>>> CONFIG_SPL_OS_BOOT=y
>>> CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR=y
>>> # CONFIG_SYS_MMCSD_RAW_MODE_U_BOOT_USE_PARTITION is not set
>>> # CONFIG_SPL_FALCON_BOOT_MMCSD is not set
>>> CONFIG_SPL_FS_FAT=y
>>> # CONFIG_SPL_FS_EXT4 is not set
>>> CONFIG_SPL_FS_LOAD_PAYLOAD_NAME="u-boot.img"
>>> # CONFIG_SUPPORT_EMMC_BOOT is not set
>>>
>>> Some other relevant configs:
>>>
>>> CONFIG_SYS_MMCSD_FS_BOOT=y
>>> CONFIG_SYS_MMCSD_FS_BOOT_PARTITION=1
>>> CONFIG_SPL_PAYLOAD_ARGS_ADDR=0x82000000
>>> CONFIG_SPL_FS_LOAD_KERNEL_NAME="Image"
>>> CONFIG_SPL_FS_LOAD_ARGS_NAME="k3-am625-sk.dtb"
>>>
>>>>    From what I can tell, the OS_BOOT path should not call spl_load in the first place.
>>>
>>> It is called from spl_load_image_fat which is in turn called by
>>> spl_load_image_fat_os as it's last return statement during falcon boot.
>>
>> Ah, there it is. This function is used both by OS_BOOT and regular boot. I intentionally
>> tried not to touch the OS_BOOT path, but it looks like one change got in anyway.
>>
>>>>
>>>> In any case, the root problem is that the size reported by the kernel is actually the
>>>> space the kernel will need when it is loaded, and not the size of the data to load
>>>> (which we need). So if we have a short read, we have no way of knowing if the filesystem
>>>> is corrupt, the image was truncated while writing, or if it's just missing the bss. And
>>>> we still have to rely of the image size so that we can load from e.g. NAND or SPI where
>>>> there is no filesystem.
>>>>
>>>
>>> There seems to be no way to get the actual size of the kernel image just
>>> from the image header. I think we should drop the check (at least in
>>> case of FS boot without a FIT image). On NAND or SPI, the size from the
>>> header would be larger than the actual file size. So, at worst we would
>>> have read some extra data where BSS was supposed to be anyways.
>>>
>>>> One way to fix this could be to move the length check to spl_load_info->read. This would
>>>> involve updating all the callers and callees.
>>>>
>>>
>>> I think it would be better handled in spl_load where we can more easily
>>> have separate checks for FIT and a kernel image whereas
>>> spl_info_info->read would have no way of knowing if the binary type
>>> without passing in the header as well.
>>
>> Yeah, I thought about this after I sent the email...
>>
>>> I suggest we do something like the following in spl_load:
>>>
>>> 	if (image_get_magic(header) == FDT_MAGIC)
>>> 		return read < spl_image->size ? -EIO : 0;
>>> 	else
>>> 		return read == 0 ? -EIO : 0;
>>
>> I would prefer not doing this sort of thing since it grows the size of every SPL, but only a
>> few do falcon boot. Maybe it's better to skip the size check only for OS_BOOT and CMD_BOOTI.
>>
>> Or maybe we can move this hack to spl_fit_read. i.e:
>>
>> 	ret = fat_read_file(filename, buf, file_offset, size, &actread);
>> 	if (ret)
>> 		return ret;
>>
>> 	if (CONFIG_IS_ENABLED(OS_BOOT) && IS_ENABLED(CMD_BOOTI))
>> 		return size;
>> 	else
>> 		return actread;
>>
>> I think this would have the least impact overall.
>>
> 
> Looks good to me, we would need to do the same for ext4 in spl_ext.c. I
> can send a patch with the fix if you'd like.

Sure.

--Sean

More information about the U-Boot mailing list