From 81dc20e744aa1762c17dcf5aac5c37643d62a983 Mon Sep 17 00:00:00 2001 From: Julius Werner Date: Thu, 15 Oct 2020 17:37:57 -0700 Subject: cbfs: Move stage header into a CBFS attribute The CBFS stage header is part of the file data (not the header) from CBFS's point of view, which is problematic for verification: in pre-RAM environments, there's usually not enough scratch space in CBFS_CACHE to load the full stage into memory, so it must be directly loaded into its final destination. However, that destination is decided from reading the stage header. There's no way we can verify the stage header without loading the whole file and we can't load the file without trusting the information in the stage header. To solve this problem, this patch changes the CBFS stage format to move the stage header out of the file contents and into a separate CBFS attribute. Attributes are part of the metadata, so they have already been verified before the file is loaded. Since CBFS stages are generally only meant to be used by coreboot itself and the coreboot build system builds cbfstool and all stages together in one go, maintaining backwards-compatibility should not be necessary. An older version of coreboot will build the old version of cbfstool and a newer version of coreboot will build the new version of cbfstool before using it to add stages to the final image, thus cbfstool and coreboot's stage loader should stay in sync. This only causes problems when someone stashes away a copy of cbfstool somewhere and later uses it to try to extract stages from a coreboot image built from a different revision... a debugging use-case that is hopefully rare enough that affected users can manually deal with finding a matching version of cbfstool. The SELF (payload) format, on the other hand, is designed to be used for binaries outside of coreboot that may use independent build systems and are more likely to be added with a potentially stale copy of cbfstool, so it would be more problematic to make a similar change for SELFs. It is not necessary for verification either, since they're usually only used in post-RAM environments and selfload() already maps SELFs to CBFS_CACHE before loading them to their final destination anyway (so they can be hashed at that time). Signed-off-by: Julius Werner Change-Id: I8471ad7494b07599e24e82b81e507fcafbad808a Reviewed-on: https://review.coreboot.org/c/coreboot/+/46484 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin --- src/soc/amd/common/block/pi/refcode_loader.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'src/soc/amd') diff --git a/src/soc/amd/common/block/pi/refcode_loader.c b/src/soc/amd/common/block/pi/refcode_loader.c index fe2df5b972..70cedb3c1c 100644 --- a/src/soc/amd/common/block/pi/refcode_loader.c +++ b/src/soc/amd/common/block/pi/refcode_loader.c @@ -29,14 +29,8 @@ static int agesa_locate_raw_file(const char *name, struct region_device *rdev) static int agesa_locate_stage_file_early(const char *name, struct region_device *rdev) { - const size_t metadata_sz = sizeof(struct cbfs_stage); - if (agesa_locate_file(name, rdev, CBFS_TYPE_STAGE)) return -1; - - /* Peel off the cbfs stage metadata. */ - return rdev_chain(rdev, rdev, metadata_sz, - region_device_sz(rdev) - metadata_sz); } static int agesa_locate_stage_file_ramstage(const char *name, -- cgit v1.2.3