1 /*
2 * This file is part of the flashrom project.
3 *
4 * Copyright (C) 2002 Steven James <[email protected]>
5 * Copyright (C) 2002 Linux Networx
6 * (Written by Eric Biederman <[email protected]> for Linux Networx)
7 * Copyright (C) 2006-2009 coresystems GmbH
8 * (Written by Stefan Reinauer <[email protected]> for coresystems GmbH)
9 * Copyright (C) 2010 Carl-Daniel Hailfinger
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; version 2 of the License.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 */
20
21 #include <unistd.h>
22 #include <stdio.h>
23 #include <ctype.h>
24 #include <strings.h>
25 #include <string.h>
26 #include "flash.h"
27 #include "programmer.h"
28 #include "coreboot_tables.h"
29 #include "hwaccess_physmap.h"
30
31 static char *cb_vendor = NULL, *cb_model = NULL;
32
33 /* Tries to find coreboot IDs in the supplied image and compares them to the current IDs.
34 * Returns...
35 * -1 if IDs in the image do not match the IDs embedded in the current firmware,
36 * 0 if the IDs could not be found in the image or if they match correctly.
37 */
cb_check_image(const uint8_t * image,unsigned int size)38 int cb_check_image(const uint8_t *image, unsigned int size)
39 {
40 const unsigned int *walk;
41 unsigned int mb_part_offset, mb_vendor_offset;
42 const char *mb_part, *mb_vendor;
43
44 walk = (const unsigned int *)(image + size - 0x10);
45 walk--;
46
47 if ((*walk) == 0 || ((*walk) & 0x3ff) != 0) {
48 /* Some NVIDIA chipsets store chipset soft straps (IIRC Hypertransport init info etc.) in
49 * flash at exactly the location where coreboot image size, coreboot vendor name pointer and
50 * coreboot board name pointer are usually stored. In this case coreboot uses an alternate
51 * location for the coreboot image data. */
52 walk = (const unsigned int *)(image + size - 0x80);
53 walk--;
54 }
55
56 /*
57 * Check if coreboot last image size is 0 or not a multiple of 1k or
58 * bigger than the chip or if the pointers to vendor ID or mainboard ID
59 * are outside the image of if the start of ID strings are nonsensical
60 * (nonprintable and not \0).
61 */
62 mb_part_offset = *(walk - 1);
63 mb_vendor_offset = *(walk - 2);
64 if ((*walk) == 0 || ((*walk) & 0x3ff) != 0 || (*walk) > size ||
65 mb_part_offset > size || mb_vendor_offset > size) {
66 msg_pdbg("Flash image seems to be a legacy BIOS. Disabling coreboot-related checks.\n");
67 return 0;
68 }
69
70 mb_part = (const char *)(image + size - mb_part_offset);
71 mb_vendor = (const char *)(image + size - mb_vendor_offset);
72 if (!isprint((unsigned char)*mb_part) ||
73 !isprint((unsigned char)*mb_vendor)) {
74 msg_pdbg("Flash image seems to have garbage in the ID location. "
75 "Disabling coreboot-related checks.\n");
76 return 0;
77 }
78
79 msg_pdbg("coreboot last image size (not ROM size) is %d bytes.\n", *walk);
80
81 msg_pdbg("Manufacturer: %s\n", mb_vendor);
82 msg_pdbg("Mainboard ID: %s\n", mb_part);
83
84 /* If these are not set, the coreboot table was not found. */
85 if (!cb_vendor || !cb_model)
86 return 0;
87
88 /* These comparisons are case insensitive to make things a little less user^Werror prone. */
89 if (!strcasecmp(mb_vendor, cb_vendor) && !strcasecmp(mb_part, cb_model)) {
90 msg_pdbg2("This coreboot image matches this mainboard.\n");
91 } else {
92 msg_perr("This coreboot image (%s:%s) does not appear to\n"
93 "be correct for the detected mainboard (%s:%s).\n",
94 mb_vendor, mb_part, cb_vendor, cb_model);
95 return -1;
96 }
97
98 return 0;
99 }
100
compute_checksum(void * addr,unsigned long length)101 static unsigned long compute_checksum(void *addr, unsigned long length)
102 {
103 uint8_t *ptr;
104 volatile union {
105 uint8_t byte[2];
106 uint16_t word;
107 } chksum;
108 unsigned long sum;
109 unsigned long i;
110
111 /* In the most straight forward way possible,
112 * compute an ip style checksum.
113 */
114 sum = 0;
115 ptr = addr;
116 for (i = 0; i < length; i++) {
117 unsigned long value;
118 value = ptr[i];
119 if (i & 1) {
120 value <<= 8;
121 }
122 /* Add the new value */
123 sum += value;
124 /* Wrap around the carry */
125 if (sum > 0xFFFF) {
126 sum = (sum + (sum >> 16)) & 0xFFFF;
127 }
128 }
129 chksum.byte[0] = sum & 0xff;
130 chksum.byte[1] = (sum >> 8) & 0xff;
131
132 return (~chksum.word) & 0xFFFF;
133 }
134
135 #define for_each_lbrec(head, rec) \
136 for(rec = (struct lb_record *)(((char *)head) + sizeof(*head)); \
137 (((char *)rec) < (((char *)head) + sizeof(*head) + head->table_bytes)) && \
138 (rec->size >= 1) && \
139 ((((char *)rec) + rec->size) <= (((char *)head) + sizeof(*head) + head->table_bytes)); \
140 rec = (struct lb_record *)(((char *)rec) + rec->size))
141
count_lb_records(struct lb_header * head)142 static unsigned int count_lb_records(struct lb_header *head)
143 {
144 struct lb_record *rec;
145 unsigned int count;
146
147 count = 0;
148 for_each_lbrec(head, rec) {
149 count++;
150 }
151
152 return count;
153 }
154
lb_header_valid(struct lb_header * head,unsigned long addr)155 static int lb_header_valid(struct lb_header *head, unsigned long addr)
156 {
157 if (memcmp(head->signature, "LBIO", 4) != 0)
158 return 0;
159 msg_pdbg("Found candidate at: %08lx-%08lx\n",
160 addr, addr + sizeof(*head) + head->table_bytes);
161 if (head->header_bytes != sizeof(*head)) {
162 msg_perr("Header bytes of %"PRId32" are incorrect.\n",
163 head->header_bytes);
164 return 0;
165 }
166 if (compute_checksum((uint8_t *) head, sizeof(*head)) != 0) {
167 msg_perr("Bad header checksum.\n");
168 return 0;
169 }
170
171 return 1;
172 }
173
lb_table_valid(struct lb_header * head,struct lb_record * recs)174 static int lb_table_valid(struct lb_header *head, struct lb_record *recs)
175 {
176 if (compute_checksum(recs, head->table_bytes)
177 != head->table_checksum) {
178 msg_perr("Bad table checksum: %04"PRIx32".\n",
179 head->table_checksum);
180 return 0;
181 }
182 if (count_lb_records(head) != head->table_entries) {
183 msg_perr("Bad record count: %"PRId32".\n",
184 head->table_entries);
185 return 0;
186 }
187
188 return 1;
189 }
190
find_lb_table(void * base,unsigned long start,unsigned long end)191 static struct lb_header *find_lb_table(void *base, unsigned long start,
192 unsigned long end)
193 {
194 unsigned long addr;
195
196 /* For now be stupid.... */
197 for (addr = start; addr < end; addr += 16) {
198 struct lb_header *head =
199 (struct lb_header *)(((char *)base) + addr);
200 struct lb_record *recs =
201 (struct lb_record *)(((char *)base) + addr + sizeof(*head));
202 if (!lb_header_valid(head, addr))
203 continue;
204 if (!lb_table_valid(head, recs))
205 continue;
206 msg_pdbg("Found coreboot table at 0x%08lx.\n", addr);
207 return head;
208
209 }
210
211 return NULL;
212 }
213
find_lb_table_remap(unsigned long start_addr,uint8_t ** table_area)214 static struct lb_header *find_lb_table_remap(unsigned long start_addr,
215 uint8_t **table_area)
216 {
217 size_t offset;
218 unsigned long end;
219 size_t mapping_size;
220 void *base;
221
222 mapping_size = getpagesize();
223 offset = start_addr % getpagesize();
224 start_addr -= offset;
225
226 base = physmap_ro("high tables", start_addr, mapping_size);
227 if (ERROR_PTR == base) {
228 msg_perr("Failed getting access to coreboot high tables.\n");
229 return NULL;
230 }
231
232 for (end = getpagesize(); offset < end; offset += 16) {
233 struct lb_record *recs;
234 struct lb_header *head;
235
236 /* No more headers to check. */
237 if (end - offset < sizeof(*head))
238 return NULL;
239
240 head = (struct lb_header *)(((char *)base) + offset);
241
242 if (!lb_header_valid(head, offset))
243 continue;
244
245 if (mapping_size - offset < head->table_bytes + sizeof(*head)) {
246 size_t prev_mapping_size = mapping_size;
247 mapping_size = head->table_bytes + sizeof(*head);
248 mapping_size += offset;
249 mapping_size += getpagesize() - (mapping_size % getpagesize());
250 physunmap(base, prev_mapping_size);
251 base = physmap_ro("high tables", start_addr, mapping_size);
252 if (ERROR_PTR == base)
253 msg_perr("Failed getting access to coreboot high tables.\n");
254 else
255 head = (struct lb_header *)(((char *)base) + offset);
256 }
257
258 recs = (struct lb_record *)(((char *)base) + offset + sizeof(*head));
259 if (!lb_table_valid(head, recs))
260 continue;
261 msg_pdbg("Found coreboot table at 0x%08zx.\n", offset);
262 *table_area = base;
263 return head;
264 }
265
266 physunmap(base, mapping_size);
267 return NULL;
268 }
269
find_mainboard(struct lb_record * ptr,unsigned long addr)270 static void find_mainboard(struct lb_record *ptr, unsigned long addr)
271 {
272 struct lb_mainboard *rec;
273 int max_size;
274 char vendor[256], part[256];
275
276 rec = (struct lb_mainboard *)ptr;
277 max_size = rec->size - sizeof(*rec);
278 msg_pdbg("Vendor ID: %.*s, part ID: %.*s\n",
279 max_size - rec->vendor_idx,
280 rec->strings + rec->vendor_idx,
281 max_size - rec->part_number_idx,
282 rec->strings + rec->part_number_idx);
283 snprintf(vendor, 255, "%.*s", max_size - rec->vendor_idx, rec->strings + rec->vendor_idx);
284 snprintf(part, 255, "%.*s", max_size - rec->part_number_idx, rec->strings + rec->part_number_idx);
285
286 cb_vendor = strdup(vendor);
287 cb_model = strdup(part);
288 }
289
next_record(struct lb_record * rec)290 static struct lb_record *next_record(struct lb_record *rec)
291 {
292 return (struct lb_record *)(((char *)rec) + rec->size);
293 }
294
search_lb_records(struct lb_record * rec,struct lb_record * last,unsigned long addr)295 static void search_lb_records(struct lb_record *rec, struct lb_record *last, unsigned long addr)
296 {
297 struct lb_record *next;
298
299 for (next = next_record(rec); (rec < last) && (next <= last);
300 rec = next, addr += rec->size) {
301 next = next_record(rec);
302 if (rec->tag == LB_TAG_MAINBOARD) {
303 find_mainboard(rec, addr);
304 break;
305 }
306 }
307 }
308
309 #define BYTES_TO_MAP (1024*1024)
310 /* returns 0 if the table was parsed successfully and cb_vendor/cb_model have been set. */
cb_parse_table(const char ** vendor,const char ** model)311 int cb_parse_table(const char **vendor, const char **model)
312 {
313 uint8_t *table_area;
314 unsigned long addr, start;
315 struct lb_header *lb_table;
316 struct lb_record *rec, *last;
317
318 #if defined(__MACH__) && defined(__APPLE__)
319 /* This is a hack. DirectHW fails to map physical address 0x00000000.
320 * Why?
321 */
322 start = 0x400;
323 #else
324 start = 0x0;
325 #endif
326 table_area = physmap_ro_unaligned("low megabyte", start, BYTES_TO_MAP - start);
327 if (ERROR_PTR == table_area) {
328 msg_perr("Failed getting access to coreboot low tables.\n");
329 return -1;
330 }
331
332 lb_table = find_lb_table(table_area, 0x00000, 0x1000);
333 if (!lb_table)
334 lb_table = find_lb_table(table_area, 0xf0000 - start, BYTES_TO_MAP - start);
335 if (lb_table) {
336 struct lb_forward *forward = (struct lb_forward *)
337 (((char *)lb_table) + lb_table->header_bytes);
338 if (forward->tag == LB_TAG_FORWARD) {
339 start = forward->forward;
340 physunmap_unaligned(table_area, BYTES_TO_MAP);
341 lb_table = find_lb_table_remap(start, &table_area);
342 }
343 }
344
345 if (!lb_table) {
346 msg_pdbg("No coreboot table found.\n");
347 return -1;
348 }
349
350 addr = ((char *)lb_table) - ((char *)table_area) + start;
351 msg_pinfo("coreboot table found at 0x%lx.\n",
352 (unsigned long)lb_table - (unsigned long)table_area + start);
353 rec = (struct lb_record *)(((char *)lb_table) + lb_table->header_bytes);
354 last = (struct lb_record *)(((char *)rec) + lb_table->table_bytes);
355 msg_pdbg("coreboot header(%"PRId32") checksum: %04"PRIx32" table(%"PRId32") checksum: %04"PRIx32" entries: %"PRId32"\n",
356 lb_table->header_bytes, lb_table->header_checksum,
357 lb_table->table_bytes, lb_table->table_checksum,
358 lb_table->table_entries);
359 search_lb_records(rec, last, addr + lb_table->header_bytes);
360 *vendor = cb_vendor;
361 *model = cb_model;
362 return 0;
363 }
364