This provides stack guards with checking and common
entry into postcar.
The code in cpu/intel/car/romstage.c is candidate
for becoming architectural so function prototype
is moved to <arch/romstage.h>.
Change-Id: I4c5a9789e7cf3f7f49a4a33e21dac894320a9639
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34893
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
We need to ensure uma_memory_size and uma_memory_base stay within a
32-bit address range. Both of these variables are 64 bits wide, so it is
simplest to use 64 bit math when doing the bit shifts and then check if
they are in range after.
Change-Id: Idd180f31e8cff797a6499b12bc685daa993aae05
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 1229665, 1229666
Reviewed-on: https://review.coreboot.org/c/coreboot/+/32291
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
add_ivrs_device_entries() is a recursive function, and each recursive
call is passed a pointer to a root_level variable declared outside the
function. In an attempt to make the function self-contained, the initial
call is made with the root_level pointer set to NULL, and then the
function attempts to detect this and allocate a root_level variable for
the rest of the calls. This makes memory management very tricky - for
example, the pi code incorrectly attempts to free the root_level
variable at the end of *each* recursive call, which only avoids being a
double-free because free() in coreboot is currently a no-op. Let's
keep life simple and declare root_level as a local variable outside the
first function call instead.
Change-Id: Ifd63ee368fb89345b9b42ccb86cebcca64f32ac8
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 1362811
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34387
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Variable length arrays were a feature added in C99 that allows the
length of an array to be determined at runtime. Eg.
int sum(size_t n) {
int arr[n];
...
}
This adds a small amount of runtime overhead, but is also very
dangerous, since it allows use of an unlimited amount of stack memory,
potentially leading to stack overflow. This is only worsened in
coreboot, which often has very little stack space to begin with. Citing
concerns like this, all instances of VLA's were recently removed from the
Linux kernel. In the immortal words of Linus Torvalds [0],
AND USING VLA'S IS ACTIVELY STUPID! It generates much more code, and
much _slower_ code (and more fragile code), than just using a fixed
key size would have done. [...] Anyway, some of these are definitely
easy to just fix, and using VLA's is actively bad not just for
security worries, but simply because VLA's are a really horribly bad
idea in general in the kernel.
This patch follows suit and zaps all VLA's in coreboot. Some of the
existing VLA's are accidental ones, and all but one can be replaced with
small fixed-size buffers. The single tricky exception is in the SPI
controller interface, which will require a rewrite of old drivers
to remove [1].
[0] https://lkml.org/lkml/2018/3/7/621
[1] https://ticket.coreboot.org/issues/217
Change-Id: I7d9d1ddadbf1cee5f695165bbe3f0effb7bd32b9
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33821
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
As most platforms will share the subset of enabling
both low RAM WB and high ROM WP MTRRs, provide them
with a single function.
Add possibility for the platform to skip these if
required.
Change-Id: Id1f8b7682035e654231f6133a42909a36e3e15a1
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34809
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
It is easier to track CAR_GLOBAL_MIGRATION which is
the approach to be deprecated with the next release.
This change enforces new policy; POSTCAR_STAGE=y is
not allowed together with CAR_GLOBAL_MIGRATION=y.
Change-Id: I0dbad6a14e68bf566ac0f151dc8ea259e5ae2250
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34804
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Add explicit CBMEM_STAGE_CACHE option. Rename
CACHE_RELOCATED_RAMSTAGE_OUTSIDE_CBMEM to TSEG_STAGE_CACHE.
Platforms with SMM_TSEG=y always need to implement
stage_cache_external_region(). It is allowed to return with a
region of size 0 to effectively disable the cache.
There are no provisions in Kconfig to degrade from
TSEG_STAGE_CACHE to CBMEM_STAGE_CACHE.
As a security measure CBMEM_STAGE_CACHE default is changed to
disabled. AGESA platforms without TSEG will experience slower
S3 resume speed unless they explicitly select the option.
Change-Id: Ibbdc701ea85b5a3208ca4e98c428b05b6d4e5340
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34664
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Furquan Shaikh <furquan@google.com>
Let garbage-collection take care of stage_cache_external_region()
if it is no needed and move implementation to a suitable file already
building for needed stages.
Remove aliasing CONFIG_RESERVED_SMM_SIZE as RESERVED_SMM_SIZE and
(unused) aliasing of CONFIG_IED_REGION_SIZE as IED_SIZE.
Change-Id: Idf00ba3180d8c3bc974dd3c5ca5f98a6c08bf34d
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34672
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Let garbage-collection take care of stage_cache_external_region()
when it is not needed and move implementation to a suitable file
already building for needed stages.
Change-Id: Ic32adcc62c7ee21bf38e2e4e5ece00524871b091
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34670
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
Let garbage-collection take care of stage_cache_external_region()
if it is no needed and move implementation to a suitable file already
building for needed stages.
Remove aliasing CONFIG_RESERVED_SMM_SIZE as RESERVED_SMM_SIZE.
Change-Id: Ie6fcc40fba14575e8ee058f45a1a359a05f00aca
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34668
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Arthur Heymans <arthur@aheymans.xyz>
The amdht code currently relies on an idiosyncratic ASSERT() macro,
which actually doesn't do anything right now, and even it did would only
print a janky error message. Replace this with the normal ASSERT() macro
from <assert.h>. The default behaviour now is to print an error message
but do nothing else, and failed assertions will only halt if you enable
FATAL_ASSERT, in which case, well, you asked for it.
Change-Id: I6db7565171a345f9afbc9fb37cff8fda58f942df
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 1402076
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34375
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
- Use log2() when rounding down size_mb to the closest power of 2.
Do a sanity check beforehand that size_mb is nonzero, else log2()
will return -1 and there will be an undefined integer shift.
- The framebuffer size needs to be between 8 and 512 MiB, so check
after all the calculations are done to make sure this is the case.
Change-Id: I3962e5cdc094c8da22d8dbadf16637e02fa98689
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 1391086
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34355
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
This switch was likely copy-pasted from the one right above it. However,
the MEM_CLOCK_800MHz case isn't needed, since that is explicitly checked
and avoided before the while loop. With that gone, only the
667MHz/default case is left, which we don't need to switch over anymore.
Change-Id: Idfb9cc27dd8718f627d15ba92a9c74c51c2c1c2d
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 1347372
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33407
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr>
Reviewed-by: David Hendricks <david.hendricks@gmail.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
The GCFC (Graphics Clock Frequency Control) read is not used at
the line below.
As the default value is zero, let's remove unused read.
Found-by: scan-build 7.0.1-8
Change-Id: I82c567e3a5b0c0c4a8596ea0cb7693667c71b720
Signed-off-by: Elyes HAOUAS <ehaouas@noos.fr>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34329
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
The speed argument should be one of the six values from the mem_clock
enum, so something is very wrong if this is not the case. Better to
die now than return 0, which will cause a division-by-zero error
later on where this function is called. The first two speeds are also
unsupported and have the same problem with returning 0, so die on those
as well.
Change-Id: Ib628c0eed3d6571bdde1df27ae213ca0691ec256
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 1391088
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33409
Reviewed-by: David Hendricks <david.hendricks@gmail.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
If the decoded SPD DRAM frequency is slower than the controller minimum,
then there will be an unsigned integer underflow in the following loop,
which will lead to a very large out of bounds array access. Ensure this
does not happen.
Change-Id: Ic8ed1293adfe0866781bd638323977abd110777e
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 1229675
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33383
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
- Remove unnecessary braces
- Move variable assignment out of function call
- Do not find lowest bit set of 0, which is undefined
- Use unsigned integer when bit shifting
Change-Id: I8651f8cd04165d8d31c44f7919ad5e43499d3d4c
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 1229562
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33381
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
