In pursuit of the goal of eliminating the proliferation of raw region
devices to represent CBFS files outside of the CBFS core code, this
patch removes the get_spd_cbfs_rdev() API and instead replaces it with
spd_cbfs_map() which will find and map the SPD file in one go and return
a pointer to the relevant section. (This makes it impossible to unmap
the mapping again, which all but one of the users didn't bother to do
anyway since the API is only used on platforms with memory-mapped
flash. Presumably this will stay that way in the future so this is not
something worth worrying about.)
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Iec7571bec809f2f0712e7a97b4c853b8b40702d1
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50350
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Wim Vervoorn <wvervoorn@eltan.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
In pursuit of the eventual goal of removing cbfs_boot_locate() (and
direct rdev access) from CBFS APIs, this patch replaces all remaining
"simple" uses of the function call that can easily be replaced by the
newer APIs (like cbfs_load() or cbfs_map()). Some cases of
cbfs_boot_locate() remain that will be more complicated to solve.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Icd0f21e2fa49c7cc834523578b7b45b5482cb1a8
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50348
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
The CBFS stage header is part of the file data (not the header) from
CBFS's point of view, which is problematic for verification: in pre-RAM
environments, there's usually not enough scratch space in CBFS_CACHE to
load the full stage into memory, so it must be directly loaded into its
final destination. However, that destination is decided from reading the
stage header. There's no way we can verify the stage header without
loading the whole file and we can't load the file without trusting the
information in the stage header.
To solve this problem, this patch changes the CBFS stage format to move
the stage header out of the file contents and into a separate CBFS
attribute. Attributes are part of the metadata, so they have already
been verified before the file is loaded.
Since CBFS stages are generally only meant to be used by coreboot itself
and the coreboot build system builds cbfstool and all stages together in
one go, maintaining backwards-compatibility should not be necessary. An
older version of coreboot will build the old version of cbfstool and a
newer version of coreboot will build the new version of cbfstool before
using it to add stages to the final image, thus cbfstool and coreboot's
stage loader should stay in sync. This only causes problems when someone
stashes away a copy of cbfstool somewhere and later uses it to try to
extract stages from a coreboot image built from a different revision...
a debugging use-case that is hopefully rare enough that affected users
can manually deal with finding a matching version of cbfstool.
The SELF (payload) format, on the other hand, is designed to be used for
binaries outside of coreboot that may use independent build systems and
are more likely to be added with a potentially stale copy of cbfstool,
so it would be more problematic to make a similar change for SELFs. It
is not necessary for verification either, since they're usually only
used in post-RAM environments and selfload() already maps SELFs to
CBFS_CACHE before loading them to their final destination anyway (so
they can be hashed at that time).
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I8471ad7494b07599e24e82b81e507fcafbad808a
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46484
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This patch rewrites the last few users of prog_locate() to access CBFS
APIs directly and removes the call. This eliminates the double-meaning
of prog_rdev() (referring to both the boot medium where the program is
stored before loading, and the memory area where it is loaded after) and
makes sure that programs are always located and loaded in a single
operation. This makes CBFS verification easier to implement and secure
because it avoids leaking a raw rdev of unverified data outside the CBFS
core code.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I7a5525f66e1d5f3a632e8f6f0ed9e116e3cebfcf
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49337
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This patch removes the prog_locate() call for all instances of loading
payload formats (SELF and FIT), as the previous patch did for stages.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I582b37f36fe6f9f26975490a823e85b130ba49a2
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49336
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This patch removes the prog_locate() step for stages and rmodules.
Instead, the stage and rmodule loading functions will now perform the
locate step directly together with the actual loading. The long-term
goal of this is to eliminate prog_locate() (and the rdev member in
struct prog that it fills) completely in order to make CBFS verification
code safer and its security guarantees easier to follow. prog_locate()
is the main remaining use case where a raw rdev of CBFS file data
"leaks" out of cbfs.c into other code, and that other code needs to
manually make sure that the contents of the rdev get verified during
loading. By eliminating this step and moving all code that directly
deals with file data into cbfs.c, we can concentrate the code that needs
to worry about file data hashing (and needs access to cbfs_private.h
APIs) into one file, making it easier to keep track of and reason about.
This patch is the first step of this move, later patches will do the
same for SELFs and other program types.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Ia600e55f77c2549a00e2606f09befc1f92594a3a
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49335
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
This patchs adds a new CBFS primitive that allows callers to pass in an
allocator function that will be called once the size of the file to load
is known, to decide on its final location. This can be useful for
loading a CBFS file straight into CBMEM, for example. The new primitive
is combined with cbfs_map() and cbfs_load() into a single underlying
function that can handle all operations, to reduce the amount of code
that needs to be duplicated (especially later when file verification is
added). Also add a new variation that allows restraining or querying the
CBFS type of a file as it is being loaded, and reorganize the
documentation/definition of all these accessors and variations in the
header file a little.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I5fe0645387c0e9053ad5c15744437940fc904392
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49334
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
This patch pulls control of the memory pool serving allocations from the
CBFS_CACHE memlayout area into cbfs.c and makes it a core part of the
CBFS API. Previously, platforms would independently instantiate this as
part of boot_device_ro() (mostly through cbfs_spi.c). The new cbfs_cache
pool is exported as a global so these platforms can still use it to
directly back rdev_mmap() on their boot device, but the cbfs_cache can
now also use it to directly make allocations itself. This is used to
allow transparent decompression support in cbfs_map().
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I0d52b6a8f582a81a19fd0fd663bb89eab55a49d9
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49333
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
The new CBFS API contains a couple of trivial wrappers that all just
call the same base functions with slightly different predetermined
arguments, and I'm planning to add several more of them as well. This
patch changes these functions to become static inlines, and reorganizes
the cbfs.h header a bit for better readability while I'm at it.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: If0170401b2a70c158691b6eb56c7e312553afad1
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49331
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Doing this all in one go keeps the files consistent and should make
future refactoring easier.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I4a701d24fc9ccd68dce8789aab15fd21964a55f9
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49330
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Returning an error on a failure to measure makes the system not
bootable.
Change-Id: Ifd20e543d3b30de045c0656eccdcc494c2fb10ce
Signed-off-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/51099
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
This patch changes the memlayout macro infrastructure so that the size
of a region "xxx" (i.e. the distance between the symbols _xxx and _exxx)
is stored in a separate _xxx_size symbol. This has the advantage that
region sizes can be used inside static initializers, and also saves an
extra subtraction at runtime. Since linker symbols can only be treated
as addresses (not as raw integers) by C, retain the REGION_SIZE()
accessor macro to hide the necessary typecast.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Ifd89708ca9bd3937d0db7308959231106a6aa373
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49332
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
The lb_gpio coreboot table entries use name fields fixed to 16 bytes.
GCC will not allow creating a static initializer for such a field with a
string of more than 16 characters... but exactly 16 characters is fine,
meaning there's no room for the terminating NUL byte. The payloads (at
least depthcharge) can deal with this as well because they're checking
the size when looking at that table entry, but our printk("%16s") does
not and will happily walk over the end until somewhere else in memory we
finally find the next NUL byte.
We should probably try to avoid strings of exactly 16 characters in this
field anyway, just in case -- but since GCC doesn't warn about them they
can easily slip back in. So solve this bug by also adding a precision
field to the printk, which will make it stop overrunning the string.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Ifd7beef00d828f9dc2faa4747eace6ac4ca41899
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49496
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Hide the detail of allocation from cbmem from the FSP.
Loading of a BMP logo file from CBFS is not tied to FSP
version and we do not need two copies of the code, move
it under lib/.
Change-Id: I909f2771af534993cf8ba99ff0acd0bbd2c78f04
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50359
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Factor out the condition when an attempt to load
stage from cache can be tried.
Change-Id: I936f07bed6fc82f46118d217f1fd233e2e041405
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/50000
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Link .init section near the end of bootblock program.
It contains _start16bit, gdtptr and gdt that must be
addressable from realmode, thus within top 64 KiB.
Change-Id: If7b9737650362ac7cd82685cfdfaf18bd2429238
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/47970
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
With the common <soc/nvs.h> approach platform does not
need to implement the common accessors or sizeof() function.
Change-Id: I1050a252f765c763c1ae2d1610cbfb0d973ba026
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49793
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
The Picasso VBIOS is not setting the reserved_mask_size correctly. This
change relaxes the constraint to allow bpp_mask <= bits_per_pixel. This
is how the code previously used to work before CB:39002.
BUG=b:177094598, b:177422379
TEST=boot zork and see depthcharge working
Signed-off-by: Raul E Rangel <rrangel@chromium.org>
Change-Id: I2e67532fa949fbd673269d8d7f1c0d8af6124ac9
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49404
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
We currently have a mixture of calls used to determine
global ACPI S3 state. Reduce the boilerplate, ultimately
acpi_wakeup_is_s3() should be the only to keep.
Change-Id: Iff950d2bcf7eacbbdd40865abf62c35a2e8c3c69
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/47694
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
For a long time, second parameter 'stop' has been
ignored. The tested range is within 1 MiB above 'start'.
Change-Id: Icbf94cd6a651fbf0cd9aab97eb11f9b03f0c3c31
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48561
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Having some symmetry with <soc/nvs.h> now allows to reduce
the amount of gluelogic to determine the size and cbmc field
of struct global_nvs.
Since GNVS creation is now controlled by ACPI_SOC_NVS,
drivers/amd/agesa/nvs.c becomes obsolete and soc/amd/cezanne
cannot have this selected until <soc/nvs.h> exists.
Change-Id: Ia9ec853ff7f5e7908f7e8fc179ac27d0da08e19d
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/49344
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Lance Zhao
For arch/x86 the realmode part has to be located within the same 64
KiB as the reset vector. Some older intel platforms also require 4 KiB
alignment for _start16bit.
To enforce the above, and to separate required parts of .text without
matching *(.text.*) rules in linker scripts, tag the pre-C environment
assembly code with section .init directive.
Description of .init section for ELF:
This section holds executable instructions that contribute to the
process initialization code. When a program starts to run, the
system arranges to execute the code in this section before calling the
main program entry point (called main for C programs).
Change-Id: If32518b1c19d08935727330314904b52a246af3c
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/47599
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
We need this to happen prior to SMM module loader. If
there is some debugging output it's better they do not
appear in the middle of CPU bringup.
Change-Id: I45b4b5c0c5bf8bee258a465d1e364bfe98190e44
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48697
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Files under sb/ or soc/ should not have includes that tie those
directly to external components like ChromeEC os ChromeOS
vendorcode.
Change-Id: Ib56eeedaa9d7422e221efa9c8480ed5e12024bca
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48765
Reviewed-by: Michael Niewöhner <foss@mniewoehner.de>
Reviewed-by: Patrick Rudolph <siro@das-labor.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Implement the ACPI PPI interface as described in
"TCG PC Client Physical Presence Interface Specification" Version 1.3.
Add a new Kconfig that allows to use the full PPI instead of the stub
version compiled in.
This doesn't add code to execute the PPI request, as that's up to the
payload with graphical UI support.
Tested on GNU/Linux 5.6 using the sysfs interface at:
/sys/class/tpm/tpm0/ppi/
Change-Id: Ifffe1d9b715e2c37568e1b009e86c298025c89ac
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/45568
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
For arch/arm[64], the offsets to board identification strings and
CONFIG_ROM_SIZE inside .id were never really used; it was only a
convenience to have the strings appear near the start of image.
Add the same strings in an uncompressed file in CBFS.
Change-Id: I35d3312336e9c66d657d2ca619cf30fd79e18fd4
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/47602
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Currently it's not possible to add multiple graphics driver into
one coreboot image. This patch series will fix this issue by providing
a single API that multiple graphics driver can use.
This is required for platforms that have two graphic cards, but
different graphic drivers, like Intel+Aspeed on server platforms or
Intel+Nvidia on consumer notebooks.
The goal is to remove duplicated fill_fb_framebuffer(), the advertisment
of multiple indepent framebuffers in coreboot tables, and better
runtime/build time graphic configuration options.
Replace set_vbe_mode_info_valid with fb_add_framebuffer_info or
fb_new_framebuffer_info_from_edid.
Change-Id: I95d1d62385a201c68c6c2527c023ad2292a235c5
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39004
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Currently, the option to cache DIMM SPD data in an FMAP region
is closely coupled to a single board (google/hatch) and requires
a custom FMAP to utilize.
Loosen this coupling by introducing a Kconfig option which adds
a correctly sized and aligned RW_SPD_CACHE region to the default FMAP.
Add a Kconfig option for the region name, replacing the existing hard-
coded instance in spd_cache.h. Change the inclusion of spd_cache.c to
use this new Kconfig, rather than the board-specific one currently used.
Lastly, have google/hatch select the new Kconfig when appropriate to
ensure no change in current functionality.
Test: build/boot WYVERN google/hatch variant with default FMAP, verify
FMAP contains RW_SPD_CACHE, verify SPD cache used via cbmem log.
Also tested on an out-of-tree Purism board.
Change-Id: Iee0e7acb01e238d7ed354e3dbab1207903e3a4fc
Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48520
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Currently it's not possible to add multiple graphics drivers into
one coreboot image. This patch series will fix this issue by providing
a single API that multiple graphics drivers can use.
This is required for platforms that have two graphic cards, but
different graphic drivers, like Intel+Aspeed on server platforms or
Intel+Nvidia on consumer notebooks.
The goal is to remove duplicated fill_fb_framebuffer(), the advertisment
of multiple independent framebuffers in coreboot tables, and better
runtime/build time graphic configuration options.
Replace all duplications of fill_fb_framebuffer and provide a single one
in edid_fill_fb.c. Should not change the current behaviour as still only
one graphic driver can be active at time.
Change-Id: Ife507f7e7beaf59854e533551b4b87ea6980c1f4
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39003
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
A mainboard might want to configure some things differently when a
device is in an unprovisioned state. In the case when fw_config comes
from the Chromium EC, an unprovisioned device will not have a FW_CONFIG
tag in its CBI. This patch will set the fw_config value to
UNDEFINED_FW_CONFIG in the case of an error retrieving the value, as
well as adding a function, `fw_config_is_provisioned()` to indicate the
provisioning status.
BUG=none
TEST=remove fw_config from chromium EC CBI, add code to mainboard to
print return value of fw_config_is_provisioned() (`0`), add
fw_config back to CBI, run same test and see `1`.
Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Change-Id: Ib3046233667e97a5f78961fabacbeb3099b3d442
Reviewed-on: https://review.coreboot.org/c/coreboot/+/47956
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Nick Vaccaro <nvaccaro@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Currently it's not possible to add multiple graphics driver into
one coreboot image. This patch series will fix this issue by providing
a single API that multiple graphics driver can use.
This is required for platforms that have two graphic cards, but
different graphic drivers, like Intel and Aspeed on server platforms or
Intel and Nvidia on consumer notebooks.
The goals are to remove duplicated fill_fb_framebuffer(), to advertise
multiple independent framebuffers in coreboot tables, and better
runtime/build time graphic configuration options.
Add an implementation in edid_fill_fb that supports registering
multiple framebuffers, each with its own configuration.
As the current code is only compiled for a single graphics driver
there's no change in functionality.
Change-Id: I7264c2ea2f72f36adfd26f26b00e3ce172133621
Signed-off-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39002
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Nico Huber <nico.h@gmx.de>
This patch addresses the same problem as CB:48429, but hopefully this
time correctly. Since the mcache is not guaranteed to be available on
the first CBFS lookup for some special cases, we can no longer treat it
as a one-time fire-and-forget initialization. Instead, we test
cbd->mcache_size to check if the mcache has been initialized yet, and
keep trying on every lookup if we don't find it the first time.
Since the mcache is a hard requirement for TOCTOU safety, also make it
more clear in Kconfig that configurations known to do CBFS accesses
before CBMEM init are incompatbile with that, and make sure we die()
rather than do something unsafe if there's a case that Kconfig didn't
catch.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I4e01e9a9905f7dcba14eaf05168495201ed5de60
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48482
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
This reverts commit b652aaef99. It was
dumb and didn't actually fix anything.
Change-Id: I074135dd12face1226105e0706c78ae8ecba18e0
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48481
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-by: Christian Walter <christian.walter@9elements.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
There have been a few issues with the new CBFS mcache code in stages
after romstage, where the mcache resides in CBMEM. In a few special
cases the stage may be doing a CBFS lookup before calling
cbmem_initialize(). To avoid breaking those cases, this patch makes the
CBFS code fall back to a lookup from flash if CBMEM hasn't been
reinitialized yet in those stages.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Icf6d1a1288cb243d0c4c893cc58251687e2873b0
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48429
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
The new CBFS stack will log messages for found files but leaves error
messages up to the caller. This patch adds appropriate generic error
messages to cbfs_lookup(), matching the behavior of the old CBFS stack
for not found files.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I8cf44026accc03c466105d06683027caf1693ff0
Reviewed-on: https://review.coreboot.org/c/coreboot/+/48278
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
This patch adds the first stage of the new CONFIG_CBFS_VERIFICATION
feature. It's not useful to end-users in this stage so it cannot be
selected in menuconfig (and should not be used other than for
development) yet. With this patch coreboot can verify the metadata hash
of the RO CBFS when it starts booting, but it does not verify individual
files yet. Likewise, verifying RW CBFSes with vboot is not yet
supported.
Verification is bootstrapped from a "metadata hash anchor" structure
that is embedded in the bootblock code and marked by a unique magic
number. This anchor contains both the CBFS metadata hash and a separate
hash for the FMAP which is required to find the primary CBFS. Both are
verified on first use in the bootblock (and halt the system on failure).
The CONFIG_TOCTOU_SAFETY option is also added for illustrative purposes
to show some paths that need to be different when full protection
against TOCTOU (time-of-check vs. time-of-use) attacks is desired. For
normal verification it is sufficient to check the FMAP and the CBFS
metadata hash only once in the bootblock -- for TOCTOU verification we
do the same, but we need to be extra careful that we do not re-read the
FMAP or any CBFS metadata in later stages. This is mostly achieved by
depending on the CBFS metadata cache and FMAP cache features, but we
allow for one edge case in case the RW CBFS metadata cache overflows
(which may happen during an RW update and could otherwise no longer be
fixed because mcache size is defined by RO code). This code is added to
demonstrate design intent but won't really matter until RW CBFS
verification can be supported.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I8930434de55eb938b042fdada9aa90218c0b5a34
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41120
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
This patch introduces two new CBFS API functions which are equivalent to
cbfs_map() and cbfs_load(), respectively, with the difference that they
always operate on the read-only CBFS region ("COREBOOT" FMAP section).
Use it to replace some of the simple cases that needed to use
cbfs_locate_file_in_region().
Change-Id: I9c55b022b6502a333a9805ab0e4891dd7b97ef7f
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39306
Reviewed-by: Furquan Shaikh <furquan@google.com>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Looks like the option is generally not compatible with
garbage collections.
Nothing gets inlined, for example is_smp_boot() no longer
evaluates to constant false and thus the symbols from
secondary.S would need to be present for the build to pass
even if we set SMP=n.
Also the addresses of relocatable ramstage are currently
not normalised on the logs, so util/genprof would be unable
dress those.
Change-Id: I0b6f310e15e6f4992cd054d288903fea8390e5cf
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/45757
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: Nico Huber <nico.h@gmx.de>
