From: Shawn Guo <shawn.guo@linaro.org>
To: Marijn Suijten <marijn.suijten@somainline.org>
Cc: Shawn Guo <shawnguo@kernel.org>,
Bjorn Andersson <bjorn.andersson@linaro.org>,
linux-arm-msm@vger.kernel.org,
Konrad Dybcio <konrad.dybcio@somainline.org>,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@somainline.org>,
Martin Botka <martin.botka@somainline.org>,
Pavel Dubrova <pashadubrova@gmail.com>,
Siddharth Gupta <sidgup@codeaurora.org>
Subject: Re: [PATCH] soc: qcom: mdt_loader: Drop PT_LOAD check on hash segment
Date: Thu, 26 Aug 2021 22:18:30 +0800 [thread overview]
Message-ID: <20210826141826.GB31229@dragon> (raw)
In-Reply-To: <0410695f-85fe-1df9-46ee-bc494b81bf23@somainline.org>
Hi Marijn,
Thanks much for the information!
On Tue, Aug 24, 2021 at 05:18:05PM +0200, Marijn Suijten wrote:
> Hi Shawn,
>
> On 8/24/21 11:41 AM, Shawn Guo wrote:
> > From: Shawn Guo <shawn.guo@linaro.org>
> >
> > It's been observed on Sony Xperia M4 Aqua phone, that wcnss firmware has
> > the type of the second segment holding hashes just be PT_LOAD. So drop
> > the check on phdrs[1].p_type to get it go on that phone.
> >
> > Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
> > ---
> > drivers/soc/qcom/mdt_loader.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
> > index eba7f76f9d61..6034cd8992b0 100644
> > --- a/drivers/soc/qcom/mdt_loader.c
> > +++ b/drivers/soc/qcom/mdt_loader.c
> > @@ -98,7 +98,7 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len)
> > if (ehdr->e_phnum < 2)
> > return ERR_PTR(-EINVAL);
> > - if (phdrs[0].p_type == PT_LOAD || phdrs[1].p_type == PT_LOAD)
> > + if (phdrs[0].p_type == PT_LOAD)
> > return ERR_PTR(-EINVAL);
> > if ((phdrs[1].p_flags & QCOM_MDT_TYPE_MASK) != QCOM_MDT_TYPE_HASH)
> >
>
>
> Konrad (on the CC-list) originally came up with a similar patch to make his
> Sony phone boot (Xperia XZ, MSM8996). We however concluded that this
> solution is wrong, for the simple fact that the code below expects a PT_NULL
> header with data in the right place. Skipping this check most likely means
> that the code below will read out of bounds since the mdt file isn't large
> enough; this data is supposed to be read from an external file as indicated
> by the meaning of PT_LOAD. We built a solution for this, and fortunately
> CAF independently submitted a similar solution to the lists a while ago
> which is more thorough:
>
> https://lore.kernel.org/linux-arm-msm/1609968211-7579-1-git-send-email-sidgup@codeaurora.org/
While a thorough solution is good, I do not think my patch makes
anything worse or breaks anything, while fixing my issue on Sony Xperia
M4 Aqua. All the current assumptions hold true for my WCNSS firmware,
only except that phdrs[1] gets a PT_LOAD type.
There is a blog[1] illustrating the situation quite nicely. Again, the
only thing my WCNSS firmware differs from the illustration is that
hash segment gets a PT_LOAD type.
Skipping the check will not cause problem for firmwares we have seen,
because hash segment is duplicated in .mdt file, and we are using that
duplication instead of reading from .b01 file.
Shawn
[1] http://bits-please.blogspot.com/2016/04/exploring-qualcomms-secure-execution.html
next prev parent reply other threads:[~2021-08-26 14:18 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-24 9:41 [PATCH] soc: qcom: mdt_loader: Drop PT_LOAD check on hash segment Shawn Guo
2021-08-24 15:18 ` Marijn Suijten
2021-08-24 15:34 ` Marijn Suijten
2021-08-26 14:18 ` Shawn Guo [this message]
2021-08-26 20:52 ` Marijn Suijten
2021-08-27 6:24 ` Shawn Guo
2021-08-27 8:29 ` Marijn Suijten
2021-08-27 9:57 ` Shawn Guo
2021-08-27 10:46 ` Marijn Suijten
2021-08-27 14:12 ` Shawn Guo
2021-08-27 15:13 ` Marijn Suijten
2021-08-28 6:03 ` Shawn Guo
2021-08-28 8:58 ` Marijn Suijten
2021-08-27 16:07 ` Bjorn Andersson
2021-08-27 17:40 ` Marijn Suijten
2021-08-27 21:25 ` Bjorn Andersson
2021-08-27 23:42 ` Marijn Suijten
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210826141826.GB31229@dragon \
--to=shawn.guo@linaro.org \
--cc=angelogioacchino.delregno@somainline.org \
--cc=bjorn.andersson@linaro.org \
--cc=konrad.dybcio@somainline.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=marijn.suijten@somainline.org \
--cc=martin.botka@somainline.org \
--cc=pashadubrova@gmail.com \
--cc=shawnguo@kernel.org \
--cc=sidgup@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.