From patchwork Fri Oct 4 13:14:59 2024
X-Patchwork-Submitter: Tim Hutt
X-Patchwork-Id: 1992746
From: Tim Hutt
To: opensbi@lists.infradead.org
Cc: Tim Hutt
Subject: [PATCH] Makefile: perform sanity checks on payload during build
Date: Fri, 4 Oct 2024 14:14:59 +0100
Message-Id: <20241004131459.774924-1-tdhutt@gmail.com>

To make mistakes more obvious and debugging easier we can check that the payload is not an ELF file, and that the first byte is possibly the start of a valid instruction.

I would have preferred to not do this check in Bash but I didn't want to introduce any additional dependencies, and there isn't a proper language already in use.

I also made it an `#error` to not define `FW_PAYLOAD_PATH` since the build system will always do that. If the user doesn't specify one a default file is used.

--- firmware/external_deps.mk | 3 ++- firmware/fw_payload.S | 6 ++---- scripts/check-payload.sh | 43 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+), 5 deletions(-) create mode 100755 scripts/check-payload.sh diff --git a/firmware/external_deps.mk b/firmware/external_deps.mk index 6264005..d4c480c 100644 --- a/firmware/external_deps.mk 
+++ b/firmware/external_deps.mk @@ -10,5 +10,6 @@ $(platform_build_dir)/firmware/fw_dynamic.o: $(FW_FDT_PATH) $(platform_build_dir)/firmware/fw_jump.o: $(FW_FDT_PATH) $(platform_build_dir)/firmware/fw_payload.o: $(FW_FDT_PATH) - + scripts/check-payload.sh $(FW_PAYLOAD_PATH_FINAL) + $(call compile_as,$@,$<) $(platform_build_dir)/firmware/fw_payload.o: $(FW_PAYLOAD_PATH_FINAL) diff --git a/firmware/fw_payload.S b/firmware/fw_payload.S index 3c8433e..0b0f342 100644 --- a/firmware/fw_payload.S +++ b/firmware/fw_payload.S @@ -94,8 +94,6 @@ fw_options: .globl payload_bin payload_bin: #ifndef FW_PAYLOAD_PATH - wfi - j payload_bin -#else - .incbin FW_PAYLOAD_PATH +#error FW_PAYLOAD_PATH should always be set by the build system #endif + .incbin FW_PAYLOAD_PATH diff --git a/scripts/check-payload.sh b/scripts/check-payload.sh new file mode 100755 index 0000000..5752497 --- /dev/null +++ b/scripts/check-payload.sh 
@@ -0,0 +1,43 @@ +#!/usr/bin/env bash + +# Simple script to try and detect invalid payloads. The payload should be a flat +# image and the first bytes should be valid instructions - OpenSBI will jump +# to the start of the file. It shouldn't be an ELF file. +# +# Bash is a terrible language for this purpose but we can make it work. + +if [ -z "$1" ]; then + echo "Usage: $0 " + exit 1 +fi + +# Check the payload is not an ELF file. +readelf -h "$1" >/dev/null 2>&1 && { + echo "Error: The payload is an ELF file; it should be a flat executable instead." + exit 1 +} + +# Check the first bytes are a valid RISC-V instruction. Since we don't know +# what is valid we can only do limited checks but this will check that it is at +# least a 16 or 32-bit instruction. Larger instructions are currently unused. +first_byte="$(head -c 1 "$1")" +LC_ALL=C printf -v first_byte_dec %d \'$first_byte + +# for byte in range(256): +# if not ((byte & 0b11) != 0b11 or (byte & 0b11100) != 0b11100): +# print(byte) +[ \ + "$first_byte_dec" == 31 -o \ + "$first_byte_dec" == 63 -o \ + "$first_byte_dec" == 95 -o \ + "$first_byte_dec" == 127 -o \ + "$first_byte_dec" == 159 -o \ + "$first_byte_dec" == 191 -o \ + "$first_byte_dec" == 223 -o \ + "$first_byte_dec" == 255 \ +] && { + echo "Error: The payload's first byte is not a 16- or 32-bit RISC-V instruction. The payload should be a flat executable." + exit 1 +} + +exit 0
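
Review bot: In firmware/external_deps.mk the new recipe is attached to the `fw_payload.o: $(FW_FDT_PATH)` rule rather than to the `fw_payload.o: $(FW_PAYLOAD_PATH_FINAL)` rule on the following line, so what `$<` resolves to in `$(call compile_as,$@,$<)` depends on prerequisite ordering, and nothing in the hunk shows that it is the assembly source. Giving this one object an explicit recipe also takes it off whatever generic rule built it before. Consider running the check from a separate prerequisite (for example a stamp file that depends on `$(FW_PAYLOAD_PATH_FINAL)`) so the compile rule stays untouched. The script is also invoked by a path relative to the working directory and the payload path is passed unquoted; anchoring the script path to the source tree and quoting the argument would keep out-of-tree builds and paths containing spaces working.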
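
Review bot: In firmware/fw_payload.S the `#ifndef FW_PAYLOAD_PATH` / `#error` guard replaces the `wfi` / `j payload_bin` fallback, so anyone assembling this file without the define now gets a build failure where they previously got a parked hart. That behaviour change should be stated wherever `FW_PAYLOAD_PATH` is documented, and the error text could say how to fix the problem rather than only that the build system should have set it. As a style point, moving the guard above the `payload_bin:` label would keep the label and `.incbin FW_PAYLOAD_PATH` adjacent.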
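
Review bot: In scripts/check-payload.sh the first byte is read with `first_byte="$(head -c 1 "$1")"` and then expanded unquoted in `printf -v first_byte_dec %d \'$first_byte`, which is lossy: command substitution drops a NUL and strips a newline, and the unquoted expansion is subject to word splitting and globbing (0x3f, `?`, is one of the rejected values). The four rejected values from 159 upward additionally rely on how the shell converts a byte above 0x7f. Reading the value numerically, for example with `od -An -tu1 -N1 "$1"`, avoids all of this, and the eight-way `[ ... -o ... ]` list reduces to a single test that the low five bits are set, `(( (b & 0x1f) == 0x1f ))`. Separately, a missing, unreadable or empty file falls through to `exit 0`, and on a host without `readelf` the ELF check is skipped silently; an explicit readability check up front would close the first gap. Since 127 (0x7f, the first byte of the ELF magic) is already in the rejected list, the `readelf` call only selects which error message is printed, so comparing the first four bytes against the ELF magic would do the same job without the external tool. The error messages should go to stderr.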