[LinuxBIOS] ROM image integrity

Eric W. Biederman ebiederman at lnxi.com
Sun Nov 13 09:33:28 CET 2005 

Stefan Reinauer <stepan at openbios.org> writes:

> The above will fail on nvidia. Agreed. 
>
> The next problem is that the id is relative to the end of the image.
> So the start position changes 
> a) dependent on the chipset
> b) dependent on the length of the motherboard manufacturer and id.
>
> NVIDIA:
>
> SECTIONS {
>         . = (_ROMBASE + ROM_IMAGE_SIZE - 0x80) - (__id_end - __id_start);
>         .id (.): {
>                 *(.id)
>         }
> }
>
> Others (src/arch/i386/lib/id.lds)
> SECTIONS {
>         . = (_ROMBASE + ROM_IMAGE_SIZE - 0x10) - (__id_end - __id_start);
>         .id (.): {
>                 *(.id)
>         }
> }
>
> the arima hdama image looks like this:
> 00000000fffdffd8 R __id_start
> 00000000fffdffd8 r vendor
> 00000000fffdffde r part
> 00000000fffdfff0 R __id_end
>
> only the last 16 bytes don't belong to the ID.
>
> funny enough, linuxbios.rom contains this:
>
> 007ffd0: ffff ffff ffff ffff 4152 494d 4100 4844  ........ARIMA.HD
> 007ffe0: 414d 4100 2800 0000 2200 0000 0000 0200  AMA.(...".......
> 007fff0: e9b5 49ff ff00 0000 e903 4aff ff00 0000  ..I.......J.....
>
> So where does the 2800 0000 2200 0000 0000 0200 come from?
>
> Does the linker put some crap in there after the ID?
>  
> This makes it really hard to do a decent identification, even if we know
> where the ID should/could be.

I don't recall exactly but look at the code in lbflash does.  I
believe there is a pointer to where the vendor and part are.

> I would also suggest that on a given cpu architecture (ie. x86 or ppc)
> the ID string should either be at a fixed address, one that suits all
> chipsets. Or It should be identifyable in flash using a signature,
> similar to the LinuxBIOS table in memory.

The problem is that over time hardware people get inventive.  So
I'm not certain that is possible.
  
>> My basic concern is that I don't think we can do this inline across
>> variations in architecture. 
>
> If such a in-rom table differs in position or details between x86 and
> ppc, this won't be too nasty.

Agreed.  But having code that works everywhere is useful.

>> Although I don't have a problem exporting
>> such information from the linuxbios table which should work universally
>> but it won't work for the first we flash something.
>
> I agree. Putting this in the LinuxBIOS table would be fine to probe the
> running system. 
> I rather plan for the case where there has never been a time with a
> non-linuxbios image in flash.

Agreed.

>> Please checkout our latest version of lbflash
>> ftp://ftp.lnxi.com/pub/linuxbios/utilities/lbflash/
>> 
>> We have a working map.  The code works well enough that we can deal
>> with multiple flash chips and other weird cases automatically.
>
> I've looked at this. Do you deliver this map as an extra file with an
> image? 

Yes.  There is a directory with all of that.

> Having this in the image would help comparing the map of an file
> image to that of the rom image for example. I.e. you have two versions
> of a board out there, one with 8MBit flash and one with 4 MBit flash.
> Someone has a 512kByte flash file. Is this the normal image of case 1
> or a complete image of case 2 etc pp.

Right now as long as the image is small enough it fits in 4Mbit it will
happily flash in either a 4Mbit or an 8Mbit part.

> I'd rather give them a 
>   cat rommap linuxbios.rom > linuxbios.flashimage 
> than 2 different files to cope with because I bet someone will mix this
> up some time. It's just not solid.

Yes and no.  Having a directory with all of the pieces is useful, and is a lot
more maintainable from a forward/backwards compatibility point of view.  If
we combine them I would rather do it as a cpio or a tar or an rpm.
Something where the structure is apparent but you have to try to work
at it to get multiple files.

>> The ideal case is if we could start converging flash_and_burn and lbflash.
>> At least with respect to user interface.
>  
> I've looked at lbflash earlier today. It seems to be using mtd for all
> it's actions while flash_and_burn uses /dev/mem and some extra magic.
> Then there's my old and obsolete /dev/bios. I want to drop that one at
> least and rather have an improved solution in userspace. 
>
> MTD is overly complex for what we are doing. and flash_and_burn has been
> working really reliably for me. 

I am conflicted on that one.  If you are talking users and not developers
it is usually easier to ensure that people have the right mtd drivers
loaded.  Last I looked the mtd code had a much better structure than
flash_and_burn, allowing for much more code reuse and a lot more
eyes looking at the problems.  flash_and_burn on the other hand seems
a great tool for developers, who know what should be happening but it
doesn't seem to have as many checks to make certain that you aren't
doing something stupid.

> I also saw you have a newer lbflash version available as a binary than
> as source. Unfortunately there's no changelog in the binary rpm. Is it
> worth waiting for that source release?

Groan.  It looks like someone forget to place the source rpm on the
public ftp site.  2.1 is pretty much a maintenance release with the
exception of a couple of very minor bug fixes nothing really has
changed.  So for getting a feel of the structure and the files we
are currently using 2.0 should be reasonable starting point.


>> The case that isn't currently covered is a checksum and that is only because
>> it keeps slipping my mind.  We do perform a full byte for byte
>> comparison against the source file though.  Which is good to ensure
>> you have flashed successfully but it doesn't detect if your romimage
>> got damaged in transport.
>
> In safety critical environments a system is required to deny service if
> it can't proof it's own integrity during runtime. Lots of systems even 
> probe flash and memory continuedly during runtime to find bit tilts
> within a really short manifestation time.

Sure I don't have a problem with putting a checksum, crc or a hash in
a data segment somewhere.  It will likely take an extra linker pass
to do that but that shouldn't be a problem.  Ideally that would be one
of the triggers for deciding if we go to fallback or normal mode.

Hmm.  In looking at things I just noticed that the decompressor
doesn't have anything like that, which really is a bug.  That I
unfortunately didn't catch when I found that code.

Eric

More information about the coreboot mailing list