-
-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read and measure CBFS files into initrd #357
Conversation
Also successfully tested measurement by altering CBFS file name and data with flashtool on x230 after TOTP seal |
initrd/bin/network-init-recovery
Outdated
# TODO: setup DHCP if available | ||
ifconfig eth0 > /dev/ttyprintk | ||
|
||
# Setup the ssh server, allow root logins and log to stderr |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The verb is spelled with a space Set up.
initrd/bin/network-init-recovery
Outdated
if [ ! -z "$CONFIG_BOOT_STATIC_IP" ]; then | ||
ifconfig eth0 $CONFIG_BOOT_STATIC_IP | ||
fi | ||
# TODO: setup DHCP if available |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The verb is spelled with a space Set up.
initrd/bin/network-init-recovery
Outdated
fi | ||
|
||
if [ -e /sys/class/net/eth0 ]; then | ||
# Setup static IP |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The verb is spelled with a space Set up.
initrd/bin/network-init-recovery
Outdated
|
||
if [ -f /lib/modules/e1000e.ko ]; then | ||
insmod /lib/modules/e1000e.ko | ||
fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The modules are device specific, right? Should that depend on some configuration?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They are device specific. I could use the variables in module/linux
that control the inclusion of the kernel modules (CONFIG_LINUX_E1000
, CONFIG_LINUX_E1000E
, CONFIG_LINUX_IGB
, CONFIG_LINUX_SFC
, CONFIG_LINUX_MLX4
) and export them in all the board configs, but that's equivalent to testing for existence in the initrd. @osresearch what do you think?
I'm so excited to merge this so that we can move the user config and volatile things out of the initrd. The cbfs reader patch should be sent as a patch to https://github.com/osresearch/flashtools so that we don't have the maintain it as a patch. I hear the owner of that tree accepts PRs. In QEMU when I last tried to read the ROM from
So it is something in the way that the memory map is being communicated to qemu that prevents us from being able to see the ROM. We could patch the Heads kernel to allow this, although it would be good to know why it is not communicated. |
Confirmed, in QEMU the
I'll fix |
I really like this solution! Great work! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another review will probably happen on the flashtools repo once you send the PR but here's a preliminary one!
patches/flashtools.patch
Outdated
+ if (lseek(fd, off, SEEK_SET) == -1) { | ||
+ fprintf(stderr, "Failed to seek to next CBFS offset %lx\n", off); | ||
+ return EXIT_FAILURE; | ||
+ } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indentation is wrong here
patches/flashtools.patch
Outdated
+ if (read(fd, &file, sizeof(struct cbfs_file)) < 0) { | ||
+ fprintf(stderr, "Failed to read cbfs file header\n"); | ||
+ return EXIT_FAILURE; | ||
+ } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indentation of this closing bracket is wrong.
patches/flashtools.patch
Outdated
+ printf("File name : '%s'\n", name); | ||
+ } | ||
+ | ||
+ if (do_list && file.type == 0x50) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The magic number here should be made into a macro.. I'm assuming 0x50 is FILE_TYPE_RAW?
Also, I don't think it's necessary for the specific task the tool was written for but the file type could/should probably be given as argument to the program.
patches/flashtools.patch
Outdated
+ uint32_t align = header.align; | ||
+ // loop through files | ||
+ uint64_t off = end - ((uint64_t) header.romsize) + ((uint64_t) header.offset); | ||
+ while (1) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of an infinite loop (which breaks when it's outside the bounds of the cbfs), it would be better to do :
while (off < end) {
patches/flashtools.patch
Outdated
+ } | ||
+ | ||
+ char *file_data = malloc(file.len); | ||
+ if (read(fd, file_data, file.len) < 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Verify file_data was allocated correctly.. A corrupted image could cause you to try and allocate GBs of data which would fail.
patches/flashtools.patch
Outdated
+ } | ||
+ | ||
+ size_t name_size = file.offset - sizeof(struct cbfs_file); | ||
+ char *name = calloc(name_size, sizeof(char)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
name is allocated but never freed.
patches/flashtools.patch
Outdated
+ if (verbose) { | ||
+ printf("\n-------- End Data\n"); | ||
+ } | ||
+ do_read++; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe break once the file is read ?
patches/flashtools.patch
Outdated
+ | ||
+ uint64_t end = 0x100000000; | ||
+ if (verbose) { | ||
+ printf("Seeking to %lx\n", end-4); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since you print the file to stdout, all the verbose printfs should probably go to sdterr.
@kakaroto thanks for the comments! I'll incorporate them into the upcoming https://github.com/osresearch/flashtools PR |
The |
Also added convenience call to import keys and removed credentials
@osresearch PTAL should be good to review and merge. I've tested on You should now be able to add keys just as:
|
Needed to identify which files should be preserved between upgrades such as "heads/initrd/*" or "heads/counter"
Minor change to require that cbfs file names be prefixed as
|
By default, both Tested on x230 and kgpe-d16 |
@@ -74,4 +79,5 @@ linuxboot.run: $(build)/$(BOARD)/linuxboot.rom | |||
BOARD:=$(linuxboot_board) \ | |||
KERNEL=$(build)/$(BOARD)/bzImage \ | |||
INITRD=$(build)/$(BOARD)/initrd.cpio.xz \ | |||
CUSTOM=$(CUSTOMPWD) \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is $CUSTOMPWD
?
Closes #182 and depends on PR #355. Allows the user to add files such as keys to the reproducibly-build coreboot.rom via cbfstool as long as there CBFS name is prefixed as
initrd/*
:Tested on x230.