| /* |
| * Copyright 2015, Google Inc. |
| * Copyright 2018-present, Facebook Inc. |
| * All rights reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions are |
| * met: |
| * |
| * * Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * * Redistributions in binary form must reproduce the above |
| * copyright notice, this list of conditions and the following disclaimer |
| * in the documentation and/or other materials provided with the |
| * distribution. |
| * * Neither the name of Google Inc. nor the names of its |
| * contributors may be used to endorse or promote products derived from |
| * this software without specific prior written permission. |
| * |
| * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
| * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
| * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| * |
| * Alternatively, this software may be distributed under the terms of the |
| * GNU General Public License ("GPL") version 2 as published by the Free |
| * Software Foundation. |
| */ |
| |
| #include <ctype.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/types.h> |
| #include <arpa/inet.h> |
| |
| #include "flash.h" |
| #include "fmap.h" |
| #include "layout.h" |
| #include "platform.h" |
| #include "search.h" |
| |
| #define ACPI_FMAP_PATH "/sys/devices/platform/chromeos_acpi/FMAP" |
| #define FDT_FMAP_PATH "/proc/device-tree/firmware/chromeos/fmap-offset" |
| |
| static size_t fmap_size(const struct fmap *fmap) |
| { |
| return sizeof(*fmap) + (fmap->nareas * sizeof(struct fmap_area)); |
| } |
| |
| static int is_valid_fmap(const struct fmap *fmap) |
| { |
| if (memcmp(fmap, FMAP_SIGNATURE, strlen(FMAP_SIGNATURE)) != 0) |
| return 0; |
| /* strings containing the magic tend to fail here */ |
| if (fmap->ver_major > FMAP_VER_MAJOR) |
| return 0; |
| if (fmap->ver_minor > FMAP_VER_MINOR) |
| return 0; |
| /* a basic consistency check: flash address space size should be larger |
| * than the size of the fmap data structure */ |
| if (fmap->size < fmap_size(fmap)) |
| return 0; |
| |
| /* fmap-alikes along binary data tend to fail on having a valid, |
| * null-terminated string in the name field.*/ |
| int i; |
| for (i = 0; i < FMAP_STRLEN; i++) { |
| if (fmap->name[i] == 0) |
| break; |
| if (!isgraph(fmap->name[i])) |
| return 0; |
| if (i == FMAP_STRLEN - 1) { |
| /* name is specified to be null terminated single-word string |
| * without spaces. We did not break in the 0 test, we know it |
| * is a printable spaceless string but we're seeing FMAP_STRLEN |
| * symbols, which is one too many. |
| */ |
| return 0; |
| } |
| } |
| return 1; |
| |
| } |
| |
| /** |
| * @brief Do a brute-force linear search for fmap in provided buffer |
| * |
| * @param[in] buffer The buffer to search |
| * @param[in] len Length (in bytes) to search |
| * |
| * @return offset in buffer where fmap is found if successful |
| * -1 to indicate that fmap was not found |
| * -2 to indicate fmap is truncated or exceeds buffer + len |
| */ |
| static off_t fmap_lsearch(const uint8_t *buf, size_t len) |
| { |
| off_t offset; |
| bool fmap_found = 0; |
| |
| for (offset = 0; offset <= (off_t)(len - sizeof(struct fmap)); offset++) { |
| if (is_valid_fmap((struct fmap *)&buf[offset])) { |
| fmap_found = 1; |
| break; |
| } |
| } |
| |
| if (!fmap_found) |
| return -1; |
| |
| if (offset + fmap_size((struct fmap *)&buf[offset]) > len) { |
| msg_gerr("fmap size exceeds buffer boundary.\n"); |
| return -2; |
| } |
| |
| return offset; |
| } |
| |
| /** |
| * @brief Read fmap from provided buffer and copy it to fmap_out |
| * |
| * @param[out] fmap_out Double-pointer to location to store fmap contents. |
| * Caller must free allocated fmap contents. |
| * @param[in] buf Buffer to search |
| * @param[in] len Length (in bytes) to search |
| * |
| * @return 0 if successful |
| * 1 to indicate error |
| * 2 to indicate fmap is not found |
| */ |
| int fmap_read_from_buffer(struct fmap **fmap_out, const uint8_t *const buf, size_t len) |
| { |
| off_t offset = fmap_lsearch(buf, len); |
| if (offset < 0) { |
| msg_gdbg("Unable to find fmap in provided buffer.\n"); |
| return 2; |
| } |
| msg_gdbg("Found fmap at offset 0x%06zx\n", (size_t)offset); |
| |
| const struct fmap *fmap = (const struct fmap *)(buf + offset); |
| *fmap_out = malloc(fmap_size(fmap)); |
| if (*fmap_out == NULL) { |
| msg_gerr("Out of memory.\n"); |
| return 1; |
| } |
| |
| memcpy(*fmap_out, fmap, fmap_size(fmap)); |
| return 0; |
| } |
| |
| static int fmap_lsearch_rom(struct fmap **fmap_out, |
| struct flashctx *const flashctx, size_t rom_offset, size_t len) |
| { |
| int ret = -1; |
| uint8_t *buf; |
| |
| if (prepare_flash_access(flashctx, true, false, false, false)) |
| goto _finalize_ret; |
| |
| /* likely more memory than we need, but it simplifies handling and |
| * printing offsets to keep them uniform with what's on the ROM */ |
| buf = malloc(rom_offset + len); |
| if (!buf) { |
| msg_gerr("Out of memory.\n"); |
| goto _finalize_ret; |
| } |
| |
| ret = flashctx->chip->read(flashctx, buf + rom_offset, rom_offset, len); |
| if (ret) { |
| msg_pdbg("Cannot read ROM contents.\n"); |
| goto _free_ret; |
| } |
| |
| ret = fmap_read_from_buffer(fmap_out, buf + rom_offset, len); |
| _free_ret: |
| free(buf); |
| _finalize_ret: |
| finalize_flash_access(flashctx); |
| return ret; |
| } |
| |
| static int fmap_bsearch_rom(struct fmap **fmap_out, struct flashctx *const flashctx, |
| size_t rom_offset, size_t len, size_t min_stride) |
| { |
| size_t stride, fmap_len = 0; |
| int ret = 1, fmap_found = 0, check_offset_0 = 1; |
| struct fmap *fmap; |
| const unsigned int chip_size = flashctx->chip->total_size * 1024; |
| const int sig_len = strlen(FMAP_SIGNATURE); |
| |
| if (rom_offset + len > flashctx->chip->total_size * 1024) |
| return 1; |
| |
| if (len < sizeof(*fmap)) |
| return 1; |
| |
| if (prepare_flash_access(flashctx, true, false, false, false)) |
| return 1; |
| |
| fmap = malloc(sizeof(struct fmap)); |
| if (!fmap) { |
| msg_gerr("Out of memory.\n"); |
| goto _free_ret; |
| } |
| |
| /* |
| * For efficient operation, we start with the largest stride possible |
| * and then decrease the stride on each iteration. Also, check for a |
| * remainder when modding the offset with the previous stride. This |
| * makes it so that each offset is only checked once. |
| * |
| * Zero (rom_offset == 0) is a special case and is handled using a |
| * variable to track whether or not we've checked it. |
| */ |
| size_t offset; |
| for (stride = chip_size / 2; stride >= min_stride; stride /= 2) { |
| if (stride > len) |
| continue; |
| |
| for (offset = rom_offset; |
| offset <= rom_offset + len - sizeof(struct fmap); |
| offset += stride) { |
| if ((offset % (stride * 2) == 0) && (offset != 0)) |
| continue; |
| if (offset == 0 && !check_offset_0) |
| continue; |
| check_offset_0 = 0; |
| |
| /* Read errors are considered non-fatal since we may |
| * encounter locked regions and want to continue. */ |
| if (flashctx->chip->read(flashctx, (uint8_t *)fmap, offset, sig_len)) { |
| /* |
| * Print in verbose mode only to avoid excessive |
| * messages for benign errors. Subsequent error |
| * prints should be done as usual. |
| */ |
| msg_cdbg("Cannot read %d bytes at offset %zu\n", sig_len, offset); |
| continue; |
| } |
| |
| if (memcmp(fmap, FMAP_SIGNATURE, sig_len) != 0) |
| continue; |
| |
| if (flashctx->chip->read(flashctx, (uint8_t *)fmap + sig_len, |
| offset + sig_len, sizeof(*fmap) - sig_len)) { |
| msg_cerr("Cannot read %zu bytes at offset %06zx\n", |
| sizeof(*fmap) - sig_len, offset + sig_len); |
| continue; |
| } |
| |
| if (is_valid_fmap(fmap)) { |
| msg_gdbg("fmap found at offset 0x%06zx\n", offset); |
| fmap_found = 1; |
| break; |
| } |
| msg_gerr("fmap signature found at %zu but header is invalid.\n", offset); |
| ret = 2; |
| } |
| |
| if (fmap_found) |
| break; |
| } |
| |
| if (!fmap_found) |
| goto _free_ret; |
| |
| fmap_len = fmap_size(fmap); |
| struct fmap *tmp = fmap; |
| fmap = realloc(fmap, fmap_len); |
| if (!fmap) { |
| msg_gerr("Failed to realloc.\n"); |
| free(tmp); |
| goto _free_ret; |
| } |
| |
| if (flashctx->chip->read(flashctx, (uint8_t *)fmap + sizeof(*fmap), |
| offset + sizeof(*fmap), fmap_len - sizeof(*fmap))) { |
| msg_cerr("Cannot read %zu bytes at offset %06zx\n", |
| fmap_len - sizeof(*fmap), offset + sizeof(*fmap)); |
| /* Treat read failure to be fatal since this |
| * should be a valid, usable fmap. */ |
| ret = 2; |
| goto _free_ret; |
| } |
| |
| *fmap_out = fmap; |
| ret = 0; |
| _free_ret: |
| if (ret) |
| free(fmap); |
| finalize_flash_access(flashctx); |
| return ret; |
| } |
| |
| /** |
| * @brief Read fmap from ROM |
| * |
| * @param[out] fmap_out Double-pointer to location to store fmap contents. |
| * Caller must free allocated fmap contents. |
| * @param[in] flashctx Flash context |
| * @param[in] rom_offset Offset in ROM to begin search |
| * @param[in] len Length to search relative to rom_offset |
| * |
| * @return 0 on success, |
| * 2 if the fmap couldn't be read, |
| * 1 on any other error. |
| */ |
| int fmap_read_from_rom(struct fmap **fmap_out, |
| struct flashctx *const flashctx, size_t rom_offset, size_t len) |
| { |
| int ret; |
| |
| if (!flashctx || !flashctx->chip) |
| return 1; |
| |
| /* |
| * Binary search is used at first to see if we can find an fmap quickly |
| * in a usual location (often at a power-of-2 offset). However, once we |
| * reach a small enough stride the transaction overhead will reverse the |
| * speed benefit of using bsearch at which point we need to use brute- |
| * force instead. |
| * |
| * TODO: Since flashrom is often used with high-latency external |
| * programmers we should not be overly aggressive with bsearch. |
| */ |
| ret = fmap_bsearch_rom(fmap_out, flashctx, rom_offset, len, 256); |
| if (ret) { |
| msg_gdbg("Binary search failed, trying linear search...\n"); |
| ret = fmap_lsearch_rom(fmap_out, flashctx, rom_offset, len); |
| } |
| |
| return ret; |
| } |
| |
| /* Read value from ACPI in sysfs, if it exists. */ |
| __attribute__((unused)) static int read_fmap_base_acpi(uint32_t *out) |
| { |
| int rv = 0; |
| FILE *f; |
| |
| if (!(f = fopen(ACPI_FMAP_PATH, "r"))) |
| return -1; |
| |
| /* FMAP base is an ASCII signed integer. */ |
| if (fscanf(f, "%d", (int *)out) != 1) |
| rv = -1; |
| |
| fclose(f); |
| |
| if (rv) |
| msg_gdbg("%s: failed to read fmap_base from ACPI\n", __func__); |
| else |
| msg_gdbg("%s: read fmap_base from ACPI\n", __func__); |
| |
| return rv; |
| } |
| |
| /* Read value from FDT, if it exists. */ |
| __attribute__((unused)) static int read_fmap_base_fdt(uint32_t *out) |
| { |
| int rv = 0; |
| uint32_t data; |
| FILE *f; |
| |
| if (!(f = fopen(FDT_FMAP_PATH, "r"))) |
| return -1; |
| |
| /* Value is stored as network-byte order dword. */ |
| if (fread(&data, sizeof(data), 1, f) != 1) |
| rv = -1; |
| else |
| *out = ntohl(data); |
| |
| fclose(f); |
| |
| if (rv) |
| msg_gdbg("%s: failed to read fmap_base from FDT\n", __func__); |
| else |
| msg_gdbg("%s: read fmap_base from FDT\n", __func__); |
| |
| return rv; |
| } |
| |
| /* |
| * Find the FMAP base from ACPI or FDT. |
| * @search: Search information |
| * @offset: Place to put offset |
| * @return 0 if offset found, -1 if not |
| */ |
| static int get_fmap_base(struct search_info *search, off_t *offset) |
| { |
| uint32_t fmap_base; |
| uint32_t from_top; |
| |
| #if IS_X86 |
| if (read_fmap_base_acpi(&fmap_base) < 0) |
| return -1; |
| #elif IS_ARM |
| if (read_fmap_base_fdt(&fmap_base) < 0) |
| return -1; |
| #else |
| return -1; |
| #endif |
| |
| /* |
| * TODO(b/158017386): see if we can remove this hack. It may |
| * only apply to older platforms which are now AUE. |
| * |
| * There are 2 kinds of fmap_base. |
| * |
| * 1. Shadow ROM/BIOS area (x86), such as 0xFFxxxxxx. |
| * 2. Offset to start of flash, such as 0x00xxxxxx. |
| * |
| * The shadow ROM is a cached copy of the BIOS ROM which resides below |
| * 4GB host/CPU memory address space on x86. The top of BIOS address |
| * aligns to the last byte of address space, 0xFFFFFFFF. So to obtain |
| * the ROM offset when shadow ROM is used, we subtract the fmap_base |
| * from 4G minus 1. |
| * |
| * CPU address flash address |
| * space p space |
| * 0xFFFFFFFF +-------+ --- +-------+ 0x400000 |
| * | | ^ | | ^ |
| * | 4MB | | | | | from_top |
| * | | v | | v |
| * fmap_base--> | -fmap | ------|--fmap-|-- the offset we need. |
| * ^ | | | | |
| * | +-------+-------+-------+ 0x000000 |
| * | | | |
| * | | | |
| * | | | |
| * | | | |
| * 0x00000000 +-------+ |
| * |
| * We'll use bit 31 to determine if the shadow BIOS area is being used. |
| * This is sort of a hack, but allows us to perform sanity checking for |
| * older x86-based Chrome OS platforms. |
| */ |
| |
| msg_gdbg("%s: fmap_base: %#x, ROM size: 0x%zx\n", |
| __func__, fmap_base, search->total_size); |
| |
| if (fmap_base & (1 << 31)) { |
| from_top = 0xFFFFFFFF - fmap_base + 1; |
| msg_gdbg("%s: fmap is located in shadow ROM, from_top: %#x\n", |
| __func__, from_top); |
| if (from_top > search->total_size) |
| return -1; |
| *offset = search->total_size - from_top; |
| } else { |
| msg_gdbg("%s: fmap is located in physical ROM\n", __func__); |
| if (fmap_base > search->total_size) |
| return -1; |
| *offset = fmap_base; |
| } |
| |
| msg_gdbg("%s: ROM offset: %#jx\n", __func__, (intmax_t)*offset); |
| return 0; |
| } |
| |
| static int add_fmap_entries_from_buf(const uint8_t *buf) |
| { |
| struct fmap *fmap; |
| int i; |
| struct flashrom_layout *const layout = get_global_layout(); |
| |
| fmap = (struct fmap *)(buf); |
| |
| for (i = 0; i < fmap->nareas; i++) { |
| if (layout->num_entries >= MAX_ROMLAYOUT) { |
| msg_gerr("ROM image contains too many regions\n"); |
| return -1; |
| } |
| layout->entries[layout->num_entries].start = fmap->areas[i].offset; |
| |
| /* |
| * Flashrom rom entries use absolute addresses. So for non-zero |
| * length entries, we need to subtract 1 from offset + size to |
| * determine the end address. |
| */ |
| layout->entries[layout->num_entries].end = fmap->areas[i].offset + |
| fmap->areas[i].size; |
| if (fmap->areas[i].size) |
| layout->entries[layout->num_entries].end--; |
| |
| size_t name_len = sizeof(fmap->areas[i].name); |
| layout->entries[layout->num_entries].name = calloc(1, name_len); |
| memcpy(layout->entries[layout->num_entries].name, fmap->areas[i].name, name_len); |
| |
| layout->entries[layout->num_entries].included = 0; |
| layout->entries[layout->num_entries].file = NULL; |
| |
| msg_gdbg("added fmap region \"%s\", start: 0x%08x, end: 0x%08x\n", |
| layout->entries[layout->num_entries].name, |
| layout->entries[layout->num_entries].start, |
| layout->entries[layout->num_entries].end); |
| layout->num_entries++; |
| } |
| |
| return layout->num_entries; |
| } |
| |
| enum found_t { |
| FOUND_NONE, |
| FOUND_FMAP, |
| }; |
| |
| /* returns the number of entries added, or <0 to indicate error */ |
| static int add_fmap_entries(void *source_handle, |
| size_t image_size, |
| int (*read_chunk)(void *handle, |
| void *dest, |
| size_t offset, |
| size_t size)) |
| { |
| static enum found_t found = FOUND_NONE; |
| struct search_info search; |
| struct fmap fmap_header; |
| uint8_t *buf = NULL; |
| off_t offset; |
| struct flashrom_layout *const layout = get_global_layout(); |
| |
| if (found != FOUND_NONE) { |
| msg_gdbg("Already found fmap entries, not searching again.\n"); |
| return 0; |
| } |
| |
| search_init(&search, source_handle, |
| image_size, sizeof(fmap_header), read_chunk); |
| search.handler = get_fmap_base; |
| while (found == FOUND_NONE && !search_find_next(&search, &offset)) { |
| if (search.image) { |
| memcpy(&fmap_header, search.image + offset, |
| sizeof(fmap_header)); |
| } else if (read_chunk(source_handle, (uint8_t *)&fmap_header, |
| offset, sizeof(fmap_header))) { |
| msg_gdbg("[L%d] failed to read flash at offset %#jx\n", |
| __LINE__, (intmax_t)offset); |
| return -1; |
| } |
| if (!is_valid_fmap(&fmap_header)) |
| continue; |
| int buf_size = fmap_size(&fmap_header); |
| buf = calloc(1, buf_size); |
| |
| if (read_chunk(source_handle, buf, offset, buf_size)) { |
| msg_gdbg("[L%d] failed to read %d bytes at offset 0x%lx\n", |
| __LINE__, buf_size, (unsigned long)offset); |
| return -1; |
| } else { |
| found = FOUND_FMAP; |
| } |
| } |
| |
| switch (found) { |
| case FOUND_FMAP: |
| layout->num_entries = add_fmap_entries_from_buf(buf); |
| break; |
| default: |
| msg_gdbg("%s: no fmap present\n", __func__); |
| } |
| if (buf) |
| free(buf); |
| search_free(&search); |
| |
| return layout->num_entries; |
| } |
| |
| /* |
| * read_chunk() callback used when reading contents from a file. |
| */ |
| static int read_from_file(void *fhandle, |
| void *dest, |
| size_t offset, |
| size_t size) |
| { |
| FILE *handle = fhandle; |
| |
| if (fseek(handle, offset, SEEK_SET)) { |
| msg_cerr("%s failed to seek to position %zd\n", |
| __func__, offset); |
| return 1; |
| } |
| |
| if (fread(dest, 1, size, handle) != size) { |
| msg_cerr("%s failed to read %zd bytes\n", |
| __func__, offset); |
| return 1; |
| } |
| |
| return 0; |
| } |
| |
| /* |
| * read_chunk() callback used when reading contents from the flash device. |
| */ |
| static int read_from_flash(void *handle, |
| void *dest, |
| size_t offset, |
| size_t size) |
| { |
| struct flashctx *flash = handle; |
| |
| return read_flash(flash, dest, offset, size); |
| } |
| |
| int get_fmap_entries(const char *filename, struct flashctx *flash) |
| { |
| int rv; |
| size_t image_size = flash->chip->total_size * 1024; |
| |
| /* Let's try retrieving entries from file. */ |
| if (filename) { |
| FILE *handle; |
| |
| handle = fopen(filename, "r"); |
| if (handle) { |
| rv = add_fmap_entries(handle, |
| image_size, read_from_file); |
| fclose(handle); |
| if (rv > 0) |
| return rv; |
| msg_cerr("No fmap entries found in %s\n", filename); |
| } |
| } |
| |
| return add_fmap_entries(flash, image_size, read_from_flash); |
| } |