[v1] arm64: setup: Check for overlapping dtb and Image load addresses

Message ID 20180124092345.5072-1-clingutla@codeaurora.org (mailing list archive)
State New, archived

Commit Message

Chandrasekhar L Jan. 24, 2018, 9:23 a.m. UTC
Sometimes kernel image and dtb load offsets can overlap due to
dynamically increased Image or dtb size if both load addresses
are near to each other, which leads to bootup failures.

So validate dtb load address and kernel image, if they overlap
do not proceed to boot.

Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>
---

Changes since v0:
- Print overlap bytes.
- Simplify overlap checks.

Comments

Will Deacon Jan. 29, 2018, 3:48 p.m. UTC | #1
On Wed, Jan 24, 2018 at 02:53:45PM +0530, Lingutla Chandrasekhar wrote:
> Sometimes kernel image and dtb load offsets can overlap due to
> dynamically increased Image or dtb size if both load addresses
> are near to each other, which leads to bootup failures.
> 
> So validate dtb load address and kernel image, if they overlap
> do not proceed to boot.
> 
> Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>
> ---
> 
> Changes since v0:
> - Print overlap bytes.
> - Simplify overlap checks.

This all feels a bit fragile to me, since we're relying on some portion of
the Image and .dtb working in order to run this code successfully.  I'd
rather not pretend to detect this exact scenario, particularly as I can't
see it being useful for anybody other than firmware developers (who are in a
better position to check whether or not this is happening).

More generally, is there not some .dtb checksum failure that detects
corruption there? Perhaps we could do something like that for the Image
too?

Will
Chandrasekhar L Feb. 5, 2018, 8:06 a.m. UTC | #2
Hi Will,

On 1/29/2018 9:18 PM, Will Deacon wrote:
> On Wed, Jan 24, 2018 at 02:53:45PM +0530, Lingutla Chandrasekhar wrote:
>> Sometimes kernel image and dtb load offsets can overlap due to
>> dynamically increased Image or dtb size if both load addresses
>> are near to each other, which leads to bootup failures.
>>
>> So validate dtb load address and kernel image, if they overlap
>> do not proceed to boot.
>>
>> Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>
>> ---
>>
>> Changes since v0:
>> - Print overlap bytes.
>> - Simplify overlap checks.
> This all feels a bit fragile to me, since we're relying on some portion of
> the Image and .dtb working in order to run this code successfully.  I'd
> rather not pretend to detect this exact scenario, particularly as I can't
> see it being useful for anybody other than firmware developers (who are in a
> better position to check whether or not this is happening).

Yes, it is useful for boot loaders, adding one more condition to the current checks
for bootloader failures, so that boot loader developers can easily identify the
real issue (Image size increased dynamically).

> More generally, is there not some .dtb checksum failure that detects
> corruption there? Perhaps we could do something like that for the Image
> too?

In the boot loader, first we load the Image and then the dtb to the corresponding DDR offsets, right,
so not sure a checksum would help here.

> Will
Mark Rutland Feb. 5, 2018, 11:13 a.m. UTC | #3
Hi,

On Mon, Feb 05, 2018 at 01:36:12PM +0530, Chandra Sekhar Lingutla wrote:
> On 1/29/2018 9:18 PM, Will Deacon wrote:
> > On Wed, Jan 24, 2018 at 02:53:45PM +0530, Lingutla Chandrasekhar wrote:
> >> Sometimes kernel image and dtb load offsets can overlap due to
> >> dynamically increased Image or dtb size if both load addresses
> >> are near to each other, which leads to bootup failures.
> >>
> >> So validate dtb load address and kernel image, if they overlap
> >> do not proceed to boot.
> >>
> >> Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>
> >> ---
> >>
> >> Changes since v0:
> >> - Print overlap bytes.
> >> - Simplify overlap checks.
> > This all feels a bit fragile to me, since we're relying on some portion of
> > the Image and .dtb working in order to run this code successfully.  I'd
> > rather not pretend to detect this exact scenario, particularly as I can't
> > see it being useful for anybody other than firmware developers (who are in a
> > better position to check whether or not this is happening).
> 
> Yes, it is useful for boot loaders, adding one more condition to the current checks
> for bootloader failures, so that boot loader developers can easily identify the
> real issue (Image size increased dynamically).

It would be better if your bootloader checked the image_size header in
the kernel Image (see Documentation/arm64/booting.txt). Then it can
either bail out, or decide where to place the DTB dynamically.

> > More generally, is there not some .dtb checksum failure that detects
> > corruption there? Perhaps we could do something like that for the Image
> > too?
> 
> In the boot loader, first we load the Image and then the dtb to the corresponding DDR offsets, right,
> so not sure a checksum would help here.

If that's the case, it's possible that the DTB gets placed over the code
performing this check in the kernel.

Is it not possible to detect this overlap in the bootloader? Both the
kernel Image and DTB have size fields.

Thanks,
Mark.
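Mark's suggestion above, that the bootloader read the size fields itself, worked through as an added example (not code from this thread, the kernel, or any firmware). It parses the 64-byte arm64 Image header laid out in Documentation/arm64/booting.txt (text_offset at byte 8, image_size at byte 16, flags at byte 24, the "ARM\x64" magic at byte 56) and the FDT header (big-endian magic and totalsize), reports how many bytes the kernel's run-time footprint and the DTB share, and picks a DTB address past the image. The 0x80000000 DRAM base, the "DTB 16 MB above the Image" policy, the 2 MB rounding of the suggested DTB address, and the sample headers are constructed assumptions for the demo.

```c
/* Added example (not code from the thread): bootloader-side layout check built
 * from the size fields in the arm64 Image header (booting.txt) and the FDT
 * header. Sample headers and addresses below are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ARM64_IMAGE_HDR_SIZE 64
#define ARM64_IMAGE_MAGIC    0x644d5241u  /* "ARM\x64", little-endian u32 at byte 56 */
#define FDT_MAGIC            0xd00dfeedu  /* big-endian u32 at byte 0 */
#define FDT_HDR_SIZE         40
#define MAX_FDT_SIZE         (2u << 20)   /* the 2 MB limit the kernel message quotes */
#define SZ_2M                (2ull << 20)

struct image_hdr { uint64_t text_offset, image_size, flags; };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd_le64(const uint8_t *p) { return rd_le32(p) | (uint64_t)rd_le32(p + 4) << 32; }
static uint32_t rd_be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}
static void put_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_be32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }

/* Parse the 64-byte Image header; -1 on a short buffer or bad magic. */
int parse_image_hdr(const uint8_t *buf, size_t len, struct image_hdr *out)
{
    if (len < ARM64_IMAGE_HDR_SIZE || rd_le32(buf + 56) != ARM64_IMAGE_MAGIC)
        return -1;
    out->text_offset = rd_le64(buf + 8);
    out->image_size  = rd_le64(buf + 16);
    out->flags       = rd_le64(buf + 24);
    return 0;
}

/* totalsize from the FDT header; 0 on short buffer, bad magic, or a size the
 * kernel would refuse anyway (larger than 2 MB). */
uint32_t parse_fdt_totalsize(const uint8_t *buf, size_t len)
{
    if (len < FDT_HDR_SIZE || rd_be32(buf) != FDT_MAGIC)
        return 0;
    uint32_t total = rd_be32(buf + 4);
    return (total < FDT_HDR_SIZE || total > MAX_FDT_SIZE) ? 0 : total;
}

/* Bytes shared by [a, a+alen) and [b, b+blen); 0 when disjoint. Correct for
 * partial overlap at either end and for one range inside the other. */
uint64_t range_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    uint64_t lo = a > b ? a : b;
    uint64_t a_end = a + alen, b_end = b + blen;
    uint64_t hi = a_end < b_end ? a_end : b_end;
    return hi > lo ? hi - lo : 0;
}

/* image_size covers the run-time footprint (.text through .bss), which the
 * size of the Image file on disk does not tell the bootloader. */
uint64_t image_dtb_overlap(uint64_t image_load, const struct image_hdr *h,
                           uint64_t dtb_load, uint32_t dtb_size)
{
    return range_overlap(image_load, h->image_size, dtb_load, dtb_size);
}

/* A DTB address past the image. Rounding to 2 MB is an assumption, stricter
 * than the 8-byte alignment the kernel demands, so the DTB shares no 2 MB
 * block with the kernel's tail. */
uint64_t dtb_addr_after_image(uint64_t image_load, const struct image_hdr *h)
{
    uint64_t end = image_load + h->image_size;
    return (end + SZ_2M - 1) & ~(SZ_2M - 1);
}

/* Constructed headers: only the fields the check reads are filled in. */
void make_sample_image_hdr(uint8_t *buf, uint64_t image_size)
{
    memset(buf, 0, ARM64_IMAGE_HDR_SIZE);
    put_le64(buf + 8, 0x80000);          /* text_offset: the usual 512 KB */
    put_le64(buf + 16, image_size);
    memcpy(buf + 56, "ARM\x64", 4);
}
/* FDT header claiming 3 MB: constructed, used to show the size guard. */
static const uint8_t OVERSIZE_FDT_HDR[FDT_HDR_SIZE] = { 0xd0, 0x0d, 0xfe, 0xed, 0x00, 0x30, 0x00, 0x00 };

/* Scenario from the thread: firmware always puts the DTB 16 MB above the
 * Image, and the kernel grew to 20 MB. Returns the overlapping byte count,
 * UINT64_MAX if a header cannot be parsed. */
uint64_t demo_overlap(void)
{
    uint8_t img[ARM64_IMAGE_HDR_SIZE], fdt[FDT_HDR_SIZE] = { 0 };
    struct image_hdr h;
    make_sample_image_hdr(img, 20ull << 20);
    put_be32(fdt, FDT_MAGIC);
    put_be32(fdt + 4, 0x10000);          /* a 64 KB dtb */
    if (parse_image_hdr(img, sizeof img, &h))
        return UINT64_MAX;
    uint32_t fdt_size = parse_fdt_totalsize(fdt, sizeof fdt);
    if (!fdt_size)
        return UINT64_MAX;
    uint64_t image_load = 0x80000000ull + h.text_offset;  /* DRAM base assumed */
    uint64_t dtb_load   = image_load + (16ull << 20);
    return image_dtb_overlap(image_load, &h, dtb_load, fdt_size);
}

/* Where the same firmware should have placed the DTB instead. */
uint64_t demo_suggested_dtb_addr(void)
{
    uint8_t img[ARM64_IMAGE_HDR_SIZE];
    struct image_hdr h;
    make_sample_image_hdr(img, 20ull << 20);
    parse_image_hdr(img, sizeof img, &h);
    return dtb_addr_after_image(0x80000000ull + h.text_offset, &h);
}

int main(void)
{
    printf("dtb overlaps kernel by 0x%llx bytes; place it at 0x%llx instead\n",
           (unsigned long long)demo_overlap(), (unsigned long long)demo_suggested_dtb_addr());
    return 0;
}
```

Because the check runs before either blob is touched, it does not share the weakness Will and Mark point out in the kernel-side version: nothing has been overwritten yet, so the code doing the checking is intact, and the bootloader can still move the DTB rather than just hang.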

Patch

diff --git a/arch/arm64/kernel/setup.c b/arch/arm64/kernel/setup.c
index 30ad2f085d1f..fd9be0ad4a78 100644
--- a/arch/arm64/kernel/setup.c
+++ b/arch/arm64/kernel/setup.c
@@ -181,14 +181,21 @@  static void __init smp_build_mpidr_hash(void)
 static void __init setup_machine_fdt(phys_addr_t dt_phys)
 {
 	void *dt_virt = fixmap_remap_fdt(dt_phys);
+	u64 end_phys = __pa_symbol(_end);
+	u64 start_phys = __pa_symbol(_text);
 	const char *name;
 
-	if (!dt_virt || !early_init_dt_scan(dt_virt)) {
-		pr_crit("\n"
-			"Error: invalid device tree blob at physical address %pa (virtual address 0x%p)\n"
+	if (!dt_virt || (end_phys > dt_phys &&
+		(dt_phys + fdt_totalsize(dt_virt)) > start_phys) ||
+		!early_init_dt_scan(dt_virt)) {
+		pr_crit("Error: invalid device tree blob at physical address %pa (virtual address 0x%p)\n"
 			"The dtb must be 8-byte aligned and must not exceed 2 MB in size\n"
+			"The dtb load address overllaped %lld bytes with kernel image\n"
 			"\nPlease check your bootloader.",
-			&dt_phys, dt_virt);
+			&dt_phys, dt_virt,
+			(dt_phys < start_phys) ?
+			(dt_phys + fdt_totalsize(dt_virt) - start_phys) :
+			(end_phys - dt_phys));
 
 		while (true)
 			cpu_relax();
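Review bot: the error path can dereference a NULL dt_virt. When fixmap_remap_fdt() fails, `!dt_virt` short-circuits the new overlap test, but the pr_crit() argument list still evaluates `fdt_totalsize(dt_virt)` (in the `dt_phys < start_phys` arm) with dt_virt == NULL. Splitting the overlap case into its own `if` with its own message would fix that, and would also stop the "overlapped N bytes" line from being printed with a meaningless, possibly negative, count when the real failure is an unmappable blob or early_init_dt_scan() rejecting it. While at it: the count is only right when the dtb straddles one end of the image, so `min(dt_phys + fdt_totalsize(dt_virt), end_phys) - max(dt_phys, start_phys)` would also cover a dtb lying entirely inside it; `%lld` does not match the u64 operands (use `%llu` with a cast); and "overllaped" should read "overlapped".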