SeaBIOS January 2022

seabios@seabios.org

16 participants
17 discussions

[PATCH] fw/coreboot.c: Use coreboot table to find cbfs

by Arthur Heymans

The "cbfs master header" cbfs file is considered a legacy feature in coreboot and is planned for removal in the master branch. Since 2015 the coreboot tables have exported info about the active cbfs. This change uses the cbfs information in the coreboot tables instead of following the cbfs master header pointer in the bootblock to find cbfs. This change makes it possible to access CBFS fmap regions that don't feature a "cbfs master header", which is the case with Googles VBOOT solution. This breaks compatibility with very old coreboot build (build before fb5d5b16 "2015-07-14, cbtable: describe boot media"). Keeping backward compatibility with the "cbfs master header" would complicate the code. Signed-off-by: Arthur Heymans <arthur(a)aheymans.xyz> diff --git a/src/Kconfig b/src/Kconfig index 3a8ffa1..51ba827 100644 --- a/src/Kconfig +++ b/src/Kconfig @@ -93,15 +93,6 @@ endchoice help Support CBFS files compressed using the lzma decompression algorithm. - config CBFS_LOCATION - depends on COREBOOT_FLASH - hex "CBFS memory end location" - default 0 - help - Memory address of where the CBFS data ends. This should - be zero for normal builds. It may be a non-zero value if - the CBFS filesystem is at a non-standard location (eg, - 0xffe00000 if CBFS ends 2Meg below the end of flash). config MULTIBOOT depends on COREBOOT diff --git a/src/fw/coreboot.c b/src/fw/coreboot.c index 7c0954b..8a35c1d 100644 --- a/src/fw/coreboot.c +++ b/src/fw/coreboot.c @@ -88,6 +88,18 @@ struct cbmem_console { #define CBMC_OVERFLOW (1 << 31) static struct cbmem_console *cbcon = NULL; +#define CB_TAG_BOOT_MEDIA_PARAMS 0x30 + +struct cb_boot_media_params { + u32 tag; + u32 size; + /* offsets are relative to start of boot media */ + u64 fmap_offset; + u64 cbfs_offset; + u64 cbfs_size; + u64 boot_media_size; +}; + static u16 ipchksum(char *buf, int count) { @@ -146,7 +158,12 @@ find_cb_subtable(struct cb_header *cbh, u32 tag) struct cb_header * find_cb_table(void) { - struct cb_header *cbh = find_cb_header(0, 0x1000); + static struct cb_header *cbh; + + if (cbh) + return cbh; + + cbh= find_cb_header(0, 0x1000); if (!cbh) return NULL; struct cb_forward *cbf = find_cb_subtable(cbh, CB_TAG_FORWARD); @@ -317,20 +334,8 @@ ulzma(u8 *dst, u32 maxlen, const u8 *src, u32 srclen) * Coreboot flash format ****************************************************************/ -#define CBFS_HEADER_MAGIC 0x4F524243 -#define CBFS_VERSION1 0x31313131 - -struct cbfs_header { - u32 magic; - u32 version; - u32 romsize; - u32 bootblocksize; - u32 align; - u32 offset; - u32 pad[2]; -} PACKED; - #define CBFS_FILE_MAGIC 0x455649484352414cLL // LARCHIVE +#define CBFS_ALIGNMENT 64 struct cbfs_file { u64 magic; @@ -429,30 +434,50 @@ coreboot_cbfs_init(void) if (!CONFIG_COREBOOT_FLASH) return; - struct cbfs_header *hdr = *(void **)(CONFIG_CBFS_LOCATION - 4); - if ((u32)hdr & 0x03) { - dprintf(1, "Invalid CBFS pointer %p\n", hdr); + dprintf(3, "Attempting to initialize coreboot cbfs\n"); + + struct cb_header *cbh = find_cb_table(); + if (!cbh) { + dprintf(1, "cbfs_init: unable to find cb table\n"); return; } - if (CONFIG_CBFS_LOCATION && (u32)hdr > CONFIG_CBFS_LOCATION) - // Looks like the pointer is relative to CONFIG_CBFS_LOCATION - hdr = (void*)hdr + CONFIG_CBFS_LOCATION; - if (hdr->magic != cpu_to_be32(CBFS_HEADER_MAGIC)) { - dprintf(1, "Unable to find CBFS (ptr=%p; got %x not %x)\n" - , hdr, hdr->magic, cpu_to_be32(CBFS_HEADER_MAGIC)); + + struct cb_boot_media_params *cbbmp = + find_cb_subtable(cbh, CB_TAG_BOOT_MEDIA_PARAMS); + + if (!cbbmp) { + dprintf(1, "cbfs_init: unable to find boot media params\n"); return; } - dprintf(1, "Found CBFS header at %p\n", hdr); - u32 romsize = be32_to_cpu(hdr->romsize); - u32 romstart = CONFIG_CBFS_LOCATION - romsize; - struct cbfs_file *fhdr = (void*)romstart + be32_to_cpu(hdr->offset); + const u32 romsize = cbbmp->boot_media_size; + const u32 cbfs_start = cbbmp->cbfs_offset - romsize; + const u32 cbfs_end = cbfs_start + cbbmp->cbfs_size - 1; + + dprintf(3, "cbfs_init: cbfs_start=0x%08x, cbfs_end=0x%08x\n", cbfs_start, + cbfs_end); + + u32 offset = cbfs_start; + for (;;) { - if ((u32)fhdr - romstart > romsize) - break; - u64 magic = fhdr->magic; - if (magic != CBFS_FILE_MAGIC) + if (offset > cbfs_end || offset < cbfs_start) break; + + struct cbfs_file *fhdr = (void*)offset; + + if (fhdr->magic != CBFS_FILE_MAGIC) { + offset++; + offset = ALIGN(offset, CBFS_ALIGNMENT); + continue; + } + + /* Skip empty space */ + if (strcmp(fhdr->filename, "") == 0) { + offset += ALIGN(be32_to_cpu(fhdr->offset) + be32_to_cpu(fhdr->len) + , CBFS_ALIGNMENT); + continue; + } + struct cbfs_romfile_s *cfile = malloc_tmp(sizeof(*cfile)); if (!cfile) { warn_noalloc(); @@ -473,8 +498,8 @@ coreboot_cbfs_init(void) } romfile_add(&cfile->file); - fhdr = (void*)ALIGN((u32)cfile->data + cfile->rawsize - , be32_to_cpu(hdr->align)); + offset = ALIGN((u32)cfile->data + cfile->rawsize + , CBFS_ALIGNMENT); } process_links_file(); -- 2.30.2

2 months, 1 week

[PATCH] nvme: fix LBA format data structure

by Florian Larysch

The LBA Format Data structure is dword-sized, but struct nvme_lba_format erroneously contains an additional member, misaligning all LBAF descriptors after the first and causing them to be misinterpreted. Remove it. Signed-off-by: Florian Larysch <fl(a)n621.de> --- src/hw/nvme-int.h | 1 - 1 file changed, 1 deletion(-) diff --git a/src/hw/nvme-int.h b/src/hw/nvme-int.h index a4c1555..5779203 100644 --- a/src/hw/nvme-int.h +++ b/src/hw/nvme-int.h @@ -156,7 +156,6 @@ struct nvme_lba_format { u16 ms; u8 lbads; u8 rp; - u8 res; }; struct nvme_identify_ns { -- 2.34.1

4 months, 4 weeks

Cut 1.15.1 release?

by Paul Menzel

Dear SeaBIOS folks, with the latest NVMe fixes, would it make sense to tag a 1.15.1 release? The 1.16.0 release is planned for end of February, as far as I understand it. Maybe that could be moved up two weeks? Kind regards, Paul

5 months

[PATCH] nvme: avoid use-after-free in nvme_controller_enable()

by Jan Beulich

Commit b68f313c9139 ("nvme: Record maximum allowed request size") introduced a use of "identify" past it being passed to free(). Latch the value of interest into a local variable. Reported-by: Coverity (ID 1497613) Signed-off-by: Jan Beulich <jbeulich(a)suse.com> --- It was a Xen Project Coverity run which reported this after our updating to 1.15.0. --- a/src/hw/nvme.c +++ b/src/hw/nvme.c @@ -620,6 +620,7 @@ identify->nn, (identify->nn == 1) ? "" : "s"); ctrl->ns_count = identify->nn; + u8 mdts = identify->mdts; free(identify); if ((ctrl->ns_count == 0) || nvme_create_io_queues(ctrl)) { @@ -631,7 +632,7 @@ /* Populate namespace IDs */ int ns_idx; for (ns_idx = 0; ns_idx < ctrl->ns_count; ns_idx++) { - nvme_probe_ns(ctrl, ns_idx, identify->mdts); + nvme_probe_ns(ctrl, ns_idx, mdts); } dprintf(3, "NVMe initialization complete!\n");

5 months

[PATCH] sercon: Fix missing GET_LOW() to access rx_bytes

by Kevin O'Connor

The variable rx_bytes is marked VARLOW, but there was a missing GET_LOW() to access rx_bytes. Fix by copying rx_bytes to a local variable and avoid the repetitive segment memory accesses. Reported-by: Gabe Black <gabe.black(a)gmail.com> Signed-off-by: Volker Rümelin <vr_qemu(a)t-online.de> Signed-off-by: Kevin O'Connor <kevin(a)koconnor.net> --- src/sercon.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/src/sercon.c b/src/sercon.c index 66a1f24..3019d9b 100644 --- a/src/sercon.c +++ b/src/sercon.c @@ -626,7 +626,7 @@ sercon_check_event(void) u16 addr = GET_LOW(sercon_port); u16 keycode; u8 byte, count = 0; - int seq, chr; + int seq; // check to see if there is a active serial port if (!addr) @@ -640,20 +640,23 @@ sercon_check_event(void) // read all available data while (inb(addr + SEROFF_LSR) & 0x01) { byte = inb(addr + SEROFF_DATA); - if (GET_LOW(rx_bytes) < sizeof(rx_buf)) { - SET_LOW(rx_buf[rx_bytes], byte); - SET_LOW(rx_bytes, GET_LOW(rx_bytes) + 1); + u8 rb = GET_LOW(rx_bytes); + if (rb < sizeof(rx_buf)) { + SET_LOW(rx_buf[rb], byte); + SET_LOW(rx_bytes, rb + 1); count++; } } for (;;) { // no (more) input data - if (!GET_LOW(rx_bytes)) + u8 rb = GET_LOW(rx_bytes); + if (!rb) return; // lookup escape sequences - if (GET_LOW(rx_bytes) > 1 && GET_LOW(rx_buf[0]) == 0x1b) { + u8 next_char = GET_LOW(rx_buf[0]); + if (rb > 1 && next_char == 0x1b) { seq = findseq(); if (seq >= 0) { enqueue_key(GET_GLOBAL(termseq[seq].keycode)); @@ -664,12 +667,11 @@ sercon_check_event(void) // Seems we got a escape sequence we didn't recognise. // -> If we received data wait for more, maybe it is just incomplete. - if (GET_LOW(rx_buf[0]) == 0x1b && count) + if (next_char == 0x1b && count) return; // Handle input as individual char. - chr = GET_LOW(rx_buf[0]); - keycode = ascii_to_keycode(chr); + keycode = ascii_to_keycode(next_char); if (keycode) enqueue_key(keycode); shiftbuf(1); -- 2.31.1

5 months

[PATCHv2 0/6] Rework NVME page transfers and avoid fsegment allocation

by Kevin O'Connor

This is a resend of the previous series. Changes since last time: * Patch 1: Fix function comment on nvme_io_xfer() * Patch 3-5: Added "goto bounce" to nvme_io_xfer() as suggested by Alex * Patch 6: Added separate "single dma bounce buffer" patch to this series * Patch 6: Add checking for malloc failure -Kevin Kevin O'Connor (6): nvme: Rework nvme_io_readwrite() to return -1 on error nvme: Add nvme_bounce_xfer() helper function nvme: Convert nvme_build_prpl() to nvme_prpl_xfer() nvme: Pass prp1 and prp2 directly to nvme_io_xfer() nvme: Build the page list in the existing dma buffer nvme: Only allocate one dma bounce buffer for all nvme drives src/hw/nvme-int.h | 10 --- src/hw/nvme.c | 163 ++++++++++++++++++++++------------------------ 2 files changed, 78 insertions(+), 95 deletions(-) -- 2.31.1

5 months

[PATCH 0/5] Rework NVME page transfers and avoid fsegment allocation

by Kevin O'Connor

Hi Alex, I was looking at your recent fix for SeaBIOS NVME. I agree that it is not valid to write to the f-segment during runtime. However, I was struggling to understand the PRP list management in the nvme.c code. I came up with a different implementation that avoids allocating another buffer in the "high zone". Instead, the code in this patch series builds the page list in the existing "dma bounce buffer". I don't have a good way to test this on real hardware. It passes simple qemu tests (both with and without kvm). For example: qemu-system-x86_64 -k en-us -snapshot -L test -chardev stdio,id=seabios -device isa-debugcon,iobase=0x402,chardev=seabios -m 512 -drive file=dos-drivec,if=none,id=drive0 -device nvme,drive=drive0,serial=nvme-1 -boot menu=on Thanks, -Kevin Kevin O'Connor (5): nvme: Rework nvme_io_readwrite() to return -1 on error nvme: Add nvme_bounce_xfer() helper function nvme: Convert nvme_build_prpl() to nvme_prpl_xfer() nvme: Pass prp1 and prp2 directly to nvme_io_xfer() nvme: Build the page list in the existing dma buffer src/hw/nvme-int.h | 7 --- src/hw/nvme.c | 143 ++++++++++++++++++++-------------------------- 2 files changed, 61 insertions(+), 89 deletions(-) -- 2.31.1

5 months, 1 week

[PATCH] smm: Suppress gcc array-bounds warnings

by Kevin O'Connor

Add a hack to suppress spurious gcc array-bounds warning. Signed-off-by: Kevin O'Connor <kevin(a)koconnor.net> --- src/fw/smm.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/src/fw/smm.c b/src/fw/smm.c index d90e43a..a0b50b2 100644 --- a/src/fw/smm.c +++ b/src/fw/smm.c @@ -59,6 +59,14 @@ struct smm_layout { struct smm_state cpu; }; +// Hack to supress some gcc array-bounds warnings +static void +memcpy_nowarn(void *d, const void *s, size_t len) +{ + asm("" : "+r"(d), "+r"(s)); + memcpy(d, s, len); +} + void VISIBLE32FLAT handle_smi(u16 cs) { @@ -85,8 +93,8 @@ handle_smi(u16 cs) if (CONFIG_CALL32_SMM) { // Backup current cpu state for SMM trampolining struct smm_layout *newsmm = (void*)BUILD_SMM_ADDR; - memcpy(&newsmm->backup1, &smm->cpu, sizeof(newsmm->backup1)); - memcpy(&newsmm->backup2, &smm->cpu, sizeof(newsmm->backup2)); + memcpy_nowarn(&newsmm->backup1, &smm->cpu, sizeof(newsmm->backup1)); + memcpy_nowarn(&newsmm->backup2, &smm->cpu, sizeof(newsmm->backup2)); HaveSmmCall32 = 1; } @@ -145,8 +153,8 @@ smm_save_and_copy(void) // save original memory content struct smm_layout *initsmm = (void*)BUILD_SMM_INIT_ADDR; struct smm_layout *smm = (void*)BUILD_SMM_ADDR; - memcpy(&smm->cpu, &initsmm->cpu, sizeof(smm->cpu)); - memcpy(&smm->codeentry, &initsmm->codeentry, sizeof(smm->codeentry)); + memcpy_nowarn(&smm->cpu, &initsmm->cpu, sizeof(smm->cpu)); + memcpy_nowarn(&smm->codeentry, &initsmm->codeentry, sizeof(smm->codeentry)); // Setup code entry point. initsmm->codeentry = SMI_INSN; @@ -168,8 +176,9 @@ smm_relocate_and_restore(void) /* restore original memory content */ struct smm_layout *initsmm = (void*)BUILD_SMM_INIT_ADDR; struct smm_layout *smm = (void*)BUILD_SMM_ADDR; - memcpy(&initsmm->cpu, &smm->cpu, sizeof(initsmm->cpu)); - memcpy(&initsmm->codeentry, &smm->codeentry, sizeof(initsmm->codeentry)); + memcpy_nowarn(&initsmm->cpu, &smm->cpu, sizeof(initsmm->cpu)); + memcpy_nowarn(&initsmm->codeentry, &smm->codeentry + , sizeof(initsmm->codeentry)); // Setup code entry point. smm->codeentry = SMI_INSN; -- 2.31.1

5 months, 1 week

[PATCH] nvme: Only allocate one dma bounce buffer for all nvme drives

by Kevin O'Connor

There is no need to create multiple dma bounce buffers as the BIOS disk code isn't reentrant capable. Signed-off-by: Kevin O'Connor <kevin(a)koconnor.net> --- This is a minor cleanup on top of the previous nvme code series. -Kevin --- src/hw/nvme-int.h | 3 --- src/hw/nvme.c | 14 +++++++++----- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/src/hw/nvme-int.h b/src/hw/nvme-int.h index f0d717d..f9c807e 100644 --- a/src/hw/nvme-int.h +++ b/src/hw/nvme-int.h @@ -117,9 +117,6 @@ struct nvme_namespace { u32 block_size; u32 metadata_size; u32 max_req_size; - - /* Page aligned buffer of size NVME_PAGE_SIZE. */ - char *dma_buffer; }; /* Data structures for NVMe admin identify commands */ diff --git a/src/hw/nvme.c b/src/hw/nvme.c index 39b9138..0ba981c 100644 --- a/src/hw/nvme.c +++ b/src/hw/nvme.c @@ -20,6 +20,9 @@ #include "nvme.h" #include "nvme-int.h" +// Page aligned "dma bounce buffer" of size NVME_PAGE_SIZE in high memory +static void *nvme_dma_buffer; + static void * zalloc_page_aligned(struct zone_s *zone, u32 size) { @@ -294,7 +297,8 @@ nvme_probe_ns(struct nvme_ctrl *ctrl, u32 ns_idx, u8 mdts) ns->max_req_size = -1U; } - ns->dma_buffer = zalloc_page_aligned(&ZoneHigh, NVME_PAGE_SIZE); + if (!nvme_dma_buffer) + nvme_dma_buffer = zalloc_page_aligned(&ZoneHigh, NVME_PAGE_SIZE); char *desc = znprintf(MAXDESCSIZE, "NVMe NS %u: %llu MiB (%llu %u-byte " "blocks + %u-byte metadata)", @@ -460,12 +464,12 @@ nvme_bounce_xfer(struct nvme_namespace *ns, u64 lba, void *buf, u16 count, u16 blocks = count < max_blocks ? count : max_blocks; if (write) - memcpy(ns->dma_buffer, buf, blocks * ns->block_size); + memcpy(nvme_dma_buffer, buf, blocks * ns->block_size); - int res = nvme_io_xfer(ns, lba, ns->dma_buffer, NULL, blocks, write); + int res = nvme_io_xfer(ns, lba, nvme_dma_buffer, NULL, blocks, write); if (!write && res >= 0) - memcpy(buf, ns->dma_buffer, res * ns->block_size); + memcpy(buf, nvme_dma_buffer, res * ns->block_size); return res; } @@ -499,7 +503,7 @@ nvme_prpl_xfer(struct nvme_namespace *ns, u64 lba, void *buf, u16 count, if ((ns->block_size * count) > (NVME_PAGE_SIZE * 2)) { /* We need to describe more than 2 pages, build PRP List */ u32 prpl_len = 0; - u64 *prpl = (void*)ns->dma_buffer; + u64 *prpl = nvme_dma_buffer; int first_page = 1; for (; size > 0; base += NVME_PAGE_SIZE, size -= NVME_PAGE_SIZE) { if (first_page) { -- 2.31.1

5 months, 1 week

Re: MP tables do not report multiple CPUs in Qemu 6.2.0 on x86 when given -smp cpus=n flag

by Igor Mammedov

On Wed, 19 Jan 2022 15:48:20 +0000 Peter Maydell <peter.maydell(a)linaro.org> wrote: > On Wed, 19 Jan 2022 at 14:44, Godmar Back <gback(a)cs.vt.edu> wrote: > > after upgrading to 6.2.0, I observed that code such as MIT's xv6 (see > > [1]) is no longer able to detect multiple CPUs. Their code works in > > 6.1.1, however. > > Hi; this isn't a great place for reporting QEMU bugs, because > it's more of a user-to-user discussion list. Not all QEMU > developers read it. I've cc'd the ACPI maintainers, who > hopefully may have an idea about what's happening here. > You could also file a bug at > https://gitlab.com/qemu-project/qemu/-/issues > > > I built 6.1.1 from source and 6.2.0 from source and I have also tested > > with CentOS stream's 6.1.1 qemu-kvm and was able to pinpoint this > > change to these 2 versions of qemu. I am using qemu-system-i386 > > specifically. > > > > I tried to go through the ChangeLog to see if the `-smp` option was > > deprecated or changed. I found this note [2] about invalid topologies > > having been removed in 5.2. Here's what I found after long > > experimentation: > > > > The legacy MP tables appear to work only if you specify the longform > > `-smp cpus=4,cores=1,threads=1,sockets=4` in 6.2.0. If you specify > > `-smp 4` or `-smp cpus=4` it will not work in 6.2.0 (it worked in > > 6.1.1). I am guessing that perhaps the MP tables add entries for each > > socket, but that perhaps the behavior of the shortcuts `-smp n` and > > `-smp cpus=n` was changed to influence the number of cores rather than > > sockets. > > > > In other words, `-smp cpus=n` now means `-smp > > cpus=n,cores=n,threads=1,sockets=1` whereas in 6.1.1 and before it > > meant `-smp cpus=n,cores=1,threads=1,sockets=n`. I note that > > specifying `-smp cpus=4,cores=4,threads=1,sockets=1` in 6.1.1 also > > does not create 4 entries in the legacy MP tables. Thanks for reporting issue in such a detailed way. QEMU doesn't generate legacy MP tables and as reported the above issue is still present in earlier versions when cores are used. Well seabios has a comment: /* Only populate the MPS tables with the first logical CPU in each package */ So I'd guess it has never worked for anything but sockets. With QEMU starting to prefer cores over sockets by default I'd suggest to either * explicitly provide desired topology (i.e. sockets) * use older machine type which still preffers sockets by default (ex: up to 6.1 machine types) If anybody cares about legacy tables + cores/threads usecase, I suggest to investigate what can be done on SeaBIOS side which generates MP tables (assuming if anything could be done at all). CCing SeaBIOS mail-list. > > Can someone confirm/deny this? If so, it's a breaking change that > > perhaps could be mentioned in the Changelog to save others the time > > when they upgrade. Affected educational OS include MIT's xv6 and > > Stanford's pintos OS. Legacy MP table is not actively maintained part of the code, hence it's configuration which is not tested. However if someone is interested in maintaining this, one should contribute at least a testcase that will warn developers early if usecase is broken. We can't promise not breaking it ever but at least we would be able to document any breaking changes in release notes. > > Thanks for all the work you do on qemu! > > > > - Godmar > > > > [1] https://github.com/mit-pdos/xv6-public/blob/eeb7b415dbcb12cc362d0783e41c3d1… > > [2] https://qemu-project.gitlab.io/qemu/about/removed-features.html#smp-invalid… > > > > (I'm typing this email in gmail using the plaintext setting, hopefully > > it'll preserve line breaks.) > > thanks > -- PMM >

5 months, 1 week

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

SeaBIOS January 2022