Hardcoded and unchecked IMR address map for Intel ADSP can cause memory corruption #76247
Comments
marc-hb
added
bug
|
@ceolin @kv2019i will want to be in on this too I suspect. FWIW an awful lot of that stuff doesn't need to be managed And the remaining areas that can't be automatic will end up corresponding to "addresses the CSME, boot ROM or host loader code knows about external to the firmware". And those probably belong in device tree or an evolved loader protocol. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This reverts commit 8847de0. This should now work thanks to the "better" IMR addresses in zephyrproject-rtos/zephyr#76196 Note the longer term issue is still open: zephyrproject-rtos/zephyr#76247 Signed-off-by: Marc Herbert <marc.herbert@intel.com>
This reverts commit 8847de0. This should now work thanks to the "better" IMR addresses in zephyrproject-rtos/zephyr#76196 Note the longer term issue is still open: zephyrproject-rtos/zephyr#76247 Signed-off-by: Marc Herbert <marc.herbert@intel.com>
|
Assigning this to @lyakh for now, as I believe this would require some firmware loader works too for the addresses. |
|
This issue has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 14 days. Note, that you can always re-open a closed issue at any time. |
Describe the bug
This is a follow-up to thesofproject/sof#9308 where the audio DSP firmware on MTL stopped booting across the board after a random combination of Pull Requests that all passed separately. After a long and tedious investigation by @tmleman and @lyakh , it was found that the IMR memory had been corrupted for a long time - we just never noticed it before.
The IMR (Isolated Memory Region) is an area of the main/host memory that stays up when the audio DSP (including its local memory) is off. It speeds up restarting the audio firmware. Starting with the "ACE" generation it is the standard way to restart (there is a
sof_debug=0x80debug bit/option to boot from scratch instead). Among others, the IMR contains a complete image of the firmware code which happened to be partially overwritten.The reason it was partially overwritten is because the
adsp_memory.hfile (see 6069f946be1bd502) maps that IMR region with hardcoded constants that became disconnected with reality.The urgent and temporary fix submitted in #76196 re-hardcodes "better" values but that's obviously not sustainable. This GitHub issue is to discuss and track the longer term solution(s).
To Reproduce
Inspect the code size and notice that it is to big for the IMR area meant for it.
Originally posted by @tmleman in thesofproject/sof#9308 (comment)
L3_MEM_BASE_ADDR = 0xa1000000 IMR_BOOT_LDR_MANIFEST_BASE = 0xa1042000 IMR_BOOT_LDR_TEXT_ENTRY_BASE = 0xa1048000 IMR_BOOT_LDR_LIT_BASE = 0xa1048180 IMR_BOOT_LDR_TEXT_BASE = 0xa10481c0 IMR_BOOT_LDR_DATA_BASE = 0xa1049000 # The beginning of the memory copied to the hpsram. 0xa1049000 -> 0xa0030000 IMR_BOOT_LDR_BSS_BASE = 0xa1110000 IMR_BOOT_LDR_STACK_BASE = 0xa1120000 IMR_L3_HEAP_BASE = 0xa1121000 The last copied address = 0xa1133000 -> 0xa011a000Expected behavior
At build time, a linker or elfutils script must 1. either compute some optimal allocation, or 2. at the very least check that areas are big enough for their intended purposes and fail when not big enough.
If possible, additional runtime checks/protections cannot hurt.
Impact
As usual with memory corruption: critical.
Failure to boot, security risks, etc.
The text was updated successfully, but these errors were encountered: