[coreboot] Time for a new project

Carl-Daniel Hailfinger c-d.hailfinger.devel.2006 at gmx.net
Sat Apr 12 17:06:23 CEST 2008 

On 12.04.2008 16:14, Peter Stuge wrote:
> On Sat, Apr 12, 2008 at 01:16:00PM +0200, Carl-Daniel Hailfinger wrote:
>   
>> On 12.04.2008 10:28, Stefan Reinauer wrote:
>>     
>>> Carl-Daniel Hailfinger wrote:
>>>       
>>>> NAK. This design is so unfinished it is not even funny. Hint: Certain
>>>> fields in the LAR header are there for a reason (guess which).
>>>>         
>>> Yes, and because that concept is so incredibly broken beyond belief,
>>> we fixed it up at the summit. Those completely archive-unrelated
>>> fields which just sneaked into lar because we did not do our reviews
>>> thoroughly enough will finally go away again. Way to go.
>>>       
>> SELF is missing a checksum for each uncompressed segment.
>>     
>
> Is that really needed? That means we expect the decompression to
> fail silently.
>   

That could happen.

> If LAR provides a reliable transport then why add another checksum?
>   

Memory corruption during decompression and miscompilation of the
decompression code come to mind.

>> SELF is missing a per-section compression algorithm specifier
>>     
>
> Does it need one? Either the entire SELF is compressed, or not.
>   

Uh, no. The SELF design says that only some SELF segments may be
compressed, others must not be compressed.

> Again, LAR does the work. No?
>   

See above. I wouldn't have complained that much if you were right.

>> Sorry, you misunderstood. The obvious speed penalty comes from
>> unaligned accesses. Some architectures can't even handle unaligned
>> accesses at all.
>>     
>
> Can't this be solved generically in code like in memcpy_helper() ?
>   

Are you willing to copy the lzma header for every lzma-compressed SELF
segment to some reserved place in RAM? Are you willing to rewrite the
decompression code so that it can handle a detached lzma header?

>>>> The concept of PIC is missing completely.
>>>>         
>>> Because it is not needed.
>>>       
>> So you propose to handle some executable code (bootblock, raminit)
>> just with LAR and not with SELF? How are you going to explain that
>> concept a few years down the road?
>>     
>
> KISS. Since the early LAR files are simple binaries they don't need
> to be SELF.
>   

raminit needs an entry point, so it has to be SELF (unless you propose
that LAR and SELF both specify an entry point).

>>>> A LAR parser can't figure out if the archive is corrupt.
>>>>         
>>> Plain wrong. There's checksums in the lar, and that wont change.
>>>       
>> Wrong. Checksums say nothing about corrupt internal SELF structure.
>> The LAR parser has the ability (well, at least in theory) to check for
>> overlapping archive members right now. With SELF, a corrupt SELF header
>>     
>
> First of all, how would it end up corrupt? It must then be corrupt
> upon SELF creation, because if it changed in LAR, the LAR checksum
> would not match anymore.
>   

See my other mail in response to Patrick.

>> can reference arbitrary places in the archive and a pure LAR parser
>> can't find that out because it does not parse SELF by design.
>>     
>
> Why does this matter, in practise? More than one SELF will never be
> up in the air. And so what if it references locations in the LAR?
>   

A LAR archive can have multiple SELFs and each of them can reference
arbitrary memory and the LAR parser has no way to check that. A SELF
parser could check that, but then it would have to know about the LAR
structure which is a layering violation.

>>>> Ron once stated the ability to figure out whether the ROM is
>>>> corrupt before you flash it is one of the key features of LAR.
>>>>         
>> And since a pure LAR parser does not understand SELF, you need a
>> combined SELF+LAR parser to know whether the ROM has a chance to
>> boot.
>>     
>
> What would be checked in the SELF? Isn't it good enough that there is
> a SELF with the right name?
>   

Currently, the ELF-to-LAR parser has a reasonable chance to find out
whether the structure of the ELF is crap. If LAR simply handles a SELF
as opaque object, it will not notice at all if the SELF is crap.

> I think it is impossible to reliably determine boot success ahead of
> time. Only trying to boot will show the actual outcome, especially
> since we want to reflash individual LAR files. I guess I disagree
> with Ron's statement. LAR is very nice, but it can't predict the
> future. :)
>   

What? And I trusted its baseball result predictions for 2009 ;-)

> Instead the coreboot panic room will be the key feature in this
> domain. The fact that you don't just get beeps from a speaker but
> an actual way into your system regardless.
>   

Are we guaranteed to reach the panic room if the SELF points to
arbitrary memory?

>>> LAR is an archiver of arbitrary(!) files, SELF is the container
>>> for executable files. Mixing these two up was the biggest mistake
>>> in the history of the young LAR, making things irreversible and
>>> fragile.
>>>       
>
> Word.
>
>   
>> The bootblock and initram are executable files. They should be
>> contained in SELF as well
>>     
>
> I don't think that is neccessary.
>   

initram needs an entry point. Storing an entry point in LAR and in SELF
is really bad design.

>> Tables which should be loaded to a given address in memory are by
>> definition NOT code, yet you have to supply a load address
>>     
>
> Hm, what kind of tables? What would this be that is just copied from
> LAR using some generic code rather than code that knows about the
> neccessary adress already?
>   

Hm. I know of no such table yet. What about option ROMs?

>> Unfortunately, the current SELF+LAR proposal is not able to keep
>> the design simple and still perform all tasks we currently use LAR
>> for.
>>     
>
> This is where I'm lost. Please explain what would not work anymore?
>   

I hope I listed most of my concerns above.

Regards,
Carl-Daniel

More information about the coreboot mailing list