Hi Sughosh, On Thu, Nov 25, 2021 at 12:42:56PM +0530, Sughosh Ganu wrote: > In the FWU Multi Bank Update feature, the information about the > updatable images is stored as part of the metadata, on a separate > partition. Add functions for reading from and writing to the metadata > when the updatable images and the metadata are stored on a block > device which is formated with GPT based partition scheme. > > Signed-off-by: Sughosh Ganu <sughosh.g...@linaro.org> > --- > lib/fwu_updates/fwu_metadata_gpt_blk.c | 716 +++++++++++++++++++++++++ > 1 file changed, 716 insertions(+) > create mode 100644 lib/fwu_updates/fwu_metadata_gpt_blk.c > > +#define SECONDARY_VALID 0x2
Change those to BIT(0), BIT(1) etc please > + > +#define MDATA_READ (u8)0x1 > +#define MDATA_WRITE (u8)0x2 > + > +#define IMAGE_ACCEPT_SET (u8)0x1 > +#define IMAGE_ACCEPT_CLEAR (u8)0x2 > + > +static int gpt_verify_metadata(struct fwu_metadata *metadata, bool pri_part) > +{ > + u32 calc_crc32; > + void *buf; > + > + buf = &metadata->version; > + calc_crc32 = crc32(0, buf, sizeof(*metadata) - sizeof(u32)); > + > + if (calc_crc32 != metadata->crc32) { > + log_err("crc32 check failed for %s metadata partition\n", > + pri_part ? "primary" : "secondary"); I think we can rid of the 'bool pri_part'. It's only used for printing and you can have more that 2 partitions anyway right? > + return -1; > + } > + > + return 0; > +} > + > +static int gpt_get_metadata_partitions(struct blk_desc *desc, Please add a function descriptions (on following functions as well) > + u32 *primary_mpart, > + u32 *secondary_mpart) u16 maybe? This is the number of gpt partitions with metadata right? > +{ > + int i, ret; > + u32 nparts, mparts; > + gpt_entry *gpt_pte = NULL; > + const efi_guid_t fwu_metadata_guid = FWU_METADATA_GUID; > + > + ALLOC_CACHE_ALIGN_BUFFER_PAD(gpt_header, gpt_head, 1, > + desc->blksz); > + > + ret = get_gpt_hdr_parts(desc, gpt_head, &gpt_pte); > + if (ret < 0) { > + log_err("Error getting GPT header and partitions\n"); > + ret = -EIO; > + goto out; > + } > + > + nparts = gpt_head->num_partition_entries; > + for (i = 0, mparts = 0; i < nparts; i++) { > + if (!guidcmp(&fwu_metadata_guid, > + &gpt_pte[i].partition_type_guid)) { > + ++mparts; > + if (!*primary_mpart) > + *primary_mpart = i + 1; > + else > + *secondary_mpart = i + 1; > + } > + } > + > + if (mparts != 2) { > + log_err("Expect two copies of the metadata instead of %d\n", > + mparts); > + ret = -EINVAL; > + } else { > + ret = 0; > + } > +out: > + free(gpt_pte); > + > + return ret; > +} > + > +static int gpt_get_metadata_disk_part(struct blk_desc *desc, > + struct disk_partition *info, > + u32 part_num) > +{ > + int ret; > + char *metadata_guid_str = "8a7a84a0-8387-40f6-ab41-a8b9a5a60d23"; > + > + ret = part_get_info(desc, part_num, info); > + if (ret < 0) { > + log_err("Unable to get the partition info for the metadata part > %d", > + part_num); > + return -1; > + } > + > + /* Check that it is indeed the metadata partition */ > + if (!strncmp(info->type_guid, metadata_guid_str, UUID_STR_LEN)) { > + /* Found the metadata partition */ > + return 0; > + } > + > + return -1; > +} > + > +static int gpt_read_write_metadata(struct blk_desc *desc, > + struct fwu_metadata *metadata, > + u8 access, u32 part_num) > +{ > + int ret; > + u32 len, blk_start, blkcnt; > + struct disk_partition info; > + > + ALLOC_CACHE_ALIGN_BUFFER_PAD(struct fwu_metadata, mdata, 1, > desc->blksz); > + > + ret = gpt_get_metadata_disk_part(desc, &info, part_num); > + if (ret < 0) { > + printf("Unable to get the metadata partition\n"); > + return -ENODEV; > + } > + > + len = sizeof(*metadata); > + blkcnt = BLOCK_CNT(len, desc); > + if (blkcnt > info.size) { > + log_err("Block count exceeds metadata partition size\n"); > + return -ERANGE; > + } > + > + blk_start = info.start; > + if (access == MDATA_READ) { > + if (blk_dread(desc, blk_start, blkcnt, mdata) != blkcnt) { > + log_err("Error reading metadata from the device\n"); > + return -EIO; > + } > + memcpy(metadata, mdata, sizeof(struct fwu_metadata)); > + } else { > + if (blk_dwrite(desc, blk_start, blkcnt, metadata) != blkcnt) { > + log_err("Error writing metadata to the device\n"); > + return -EIO; > + } > + } > + > + return 0; > +} > + > +static int gpt_read_metadata(struct blk_desc *desc, > + struct fwu_metadata *metadata, u32 part_num) > +{ > + return gpt_read_write_metadata(desc, metadata, MDATA_READ, part_num); > +} > + > +static int gpt_write_metadata_partition(struct blk_desc *desc, > + struct fwu_metadata *metadata, > + u32 part_num) > +{ > + return gpt_read_write_metadata(desc, metadata, MDATA_WRITE, part_num); > +} > + > +static int gpt_update_metadata(struct fwu_metadata *metadata) > +{ > + int ret; > + struct blk_desc *desc; > + u32 primary_mpart, secondary_mpart; > + > + ret = fwu_plat_get_blk_desc(&desc); > + if (ret < 0) { > + log_err("Block device not found\n"); > + return -ENODEV; > + } > + > + primary_mpart = secondary_mpart = 0; > + ret = gpt_get_metadata_partitions(desc, &primary_mpart, > + &secondary_mpart); > + > + if (ret < 0) { > + log_err("Error getting the metadata partitions\n"); > + return -ENODEV; > + } > + > + /* First write the primary partition*/ > + ret = gpt_write_metadata_partition(desc, metadata, primary_mpart); > + if (ret < 0) { > + log_err("Updating primary metadata partition failed\n"); > + return ret; > + } > + > + /* And now the replica */ > + ret = gpt_write_metadata_partition(desc, metadata, secondary_mpart); > + if (ret < 0) { > + log_err("Updating secondary metadata partition failed\n"); > + return ret; > + } So shouldn't we do something about this case? The first partition was correctly written and the second failed. Now if the primary GPT somehow gets corrupted the device is now unusable. I assume that depending on what happened to the firmware rollback counter, we could either try to rewrite this, or revert the first one as well (assuming rollback counters allow that). > + > + return 0; > +} > + > +static int gpt_get_valid_metadata(struct fwu_metadata **metadata) > +{ > + int ret; > + struct blk_desc *desc; > + u32 primary_mpart, secondary_mpart; > + > + ret = fwu_plat_get_blk_desc(&desc); > + if (ret < 0) { > + log_err("Block device not found\n"); > + return -ENODEV; > + } > + > + primary_mpart = secondary_mpart = 0; > + ret = gpt_get_metadata_partitions(desc, &primary_mpart, > + &secondary_mpart); > + > + if (ret < 0) { > + log_err("Error getting the metadata partitions\n"); > + return -ENODEV; > + } > + > + *metadata = malloc(sizeof(struct fwu_metadata)); > + if (!*metadata) { > + log_err("Unable to allocate memory for reading metadata\n"); > + return -ENOMEM; > + } > + > + ret = gpt_read_metadata(desc, *metadata, primary_mpart); > + if (ret < 0) { > + log_err("Failed to read the metadata from the device\n"); > + return -EIO; > + } > + > + ret = gpt_verify_metadata(*metadata, 1); > + if (!ret) > + return 0; > + > + /* > + * Verification of the primary metadata copy failed. > + * Try to read the replica. > + */ > + memset(*metadata, 0, sizeof(struct fwu_metadata)); > + ret = gpt_read_metadata(desc, *metadata, secondary_mpart); > + if (ret < 0) { > + log_err("Failed to read the metadata from the device\n"); > + return -EIO; > + } > + > + ret = gpt_verify_metadata(*metadata, 0); > + if (!ret) > + return 0; > + > + /* Both the metadata copies are corrupted. */ > + return -1; > +} > + > +static int gpt_check_metadata_validity(void) > +{ > + int ret; > + struct blk_desc *desc; > + struct fwu_metadata *pri_metadata; > + struct fwu_metadata *secondary_metadata; init those to NULL so you can goto out and free pri_metadata/secondary_metadata unconditionally But do you really need a pointer here? Can't this just be struct fwu_metadata pri_metadata, secondary_metadata;? > + u32 primary_mpart, secondary_mpart; > + u32 valid_partitions; u16 for both I guess? > + > + ret = fwu_plat_get_blk_desc(&desc); > + if (ret < 0) { > + log_err("Block device not found\n"); > + return -ENODEV; > + } > + > + /* > + * Two metadata partitions are expected. > + * If we don't have two, user needs to create > + * them first > + */ > + primary_mpart = secondary_mpart = 0; > + valid_partitions = 0; > + ret = gpt_get_metadata_partitions(desc, &primary_mpart, > + &secondary_mpart); > + > + if (ret < 0) { > + log_err("Error getting the metadata partitions\n"); > + return -ENODEV; > + } > + > + pri_metadata = malloc(sizeof(*pri_metadata)); > + if (!pri_metadata) { > + log_err("Unable to allocate memory for reading metadata\n"); > + return -ENOMEM; > + } > + > + secondary_metadata = malloc(sizeof(*secondary_metadata)); > + if (!secondary_metadata) { > + log_err("Unable to allocate memory for reading metadata\n"); > + return -ENOMEM; > + } > + > + ret = gpt_read_metadata(desc, pri_metadata, primary_mpart); > + if (ret < 0) { > + log_err("Failed to read the metadata from the device\n"); > + ret = -EIO; > + goto out; It doesn't make sense to exit here without checking the secondary partition. > + } > + > + ret = gpt_verify_metadata(pri_metadata, 1); > + if (!ret) > + valid_partitions |= PRIMARY_VALID; > + > + /* Now check the secondary partition */ > + ret = gpt_read_metadata(desc, secondary_metadata, secondary_mpart); > + if (ret < 0) { > + log_err("Failed to read the metadata from the device\n"); > + ret = -EIO; Ditto, if the first is valid we can still rescue that. > + goto out; > + } > + > + ret = gpt_verify_metadata(secondary_metadata, 0); > + if (!ret) > + valid_partitions |= SECONDARY_VALID; > + > + if (valid_partitions == (PRIMARY_VALID | SECONDARY_VALID)) { > + ret = -1; > + /* > + * Before returning, check that both the > + * metadata copies are the same. If not, > + * the metadata copies need to be > + * re-populated. > + */ > + if (!memcmp(pri_metadata, secondary_metadata, > + sizeof(*pri_metadata))) > + ret = 0; Is anyone else copying the metadata if this fails? In that case would it make sense to just copy pri_metadata-> secondary_metadata here and sync them up? > + goto out; > + } else if (valid_partitions == SECONDARY_VALID) { > + ret = gpt_write_metadata_partition(desc, secondary_metadata, > + primary_mpart); > + if (ret < 0) { > + log_err("Restoring primary metadata partition > failed\n"); > + goto out; > + } > + } else if (valid_partitions == PRIMARY_VALID) { > + ret = gpt_write_metadata_partition(desc, pri_metadata, > + secondary_mpart); > + if (ret < 0) { > + log_err("Restoring secondary metadata partition > failed\n"); > + goto out; > + } > + } else { > + ret = -1; > + } I would write this whole if a bit differently. Since you have the valid partitions in a bitmap. redefine your original definitions like #define PRIMARY_VALID BIT(0) #define SECONDARY_VALID BIT(1) #define BOTH_VALID (PRIMARY_VALID | SECONDARY_VALID) if (!(valid_partitions & BOTH_VALID)) goto out; wrong = valid_partitions ^ BOTH_VALID; if (!out) <both valid code> else <'wrong' is the number of invalid partition now> gpt_write_metadata_partition(desc, (wrong == PRIMARY_VALID) ? secondary_metadata : pri_metadata), (wrong == PRIMARY_VALID) ? primary_mpart : secondary_mpart) > + > +out: > + free(pri_metadata); secondary_metadata needs freeing as well if you keep the ptrs > + > + return ret; > +} > + > +static int gpt_fill_partition_guid_array(struct blk_desc *desc, > + efi_guid_t **part_guid_arr, > + u32 *nparts) > +{ > + int ret, i; > + u32 parts; > + gpt_entry *gpt_pte = NULL; > + const efi_guid_t null_guid = NULL_GUID; > + > + ALLOC_CACHE_ALIGN_BUFFER_PAD(gpt_header, gpt_head, 1, > + desc->blksz); > + > + ret = get_gpt_hdr_parts(desc, gpt_head, &gpt_pte); > + if (ret < 0) { > + log_err("Error getting GPT header and partitions\n"); > + ret = -EIO; > + goto out; > + } > + > + *nparts = gpt_head->num_partition_entries; > + > + /* > + * There could be a scenario where the number of partition entries > + * configured in the GPT header is the default value of 128. Find > + * the actual number of populated partitioned entries > + */ > + for (i = 0, parts = 0; i < *nparts; i++) { Just init 'parts' on the declaration > + if (!guidcmp(&gpt_pte[i].partition_type_guid, &null_guid)) > + continue; > + ++parts; > + } > + > + *nparts = parts; > + *part_guid_arr = malloc(sizeof(efi_guid_t) * *nparts); > + if (!part_guid_arr) { > + log_err("Unable to allocate memory for guid array\n"); > + ret = -ENOMEM; > + goto out; > + } > + > + for (i = 0; i < *nparts; i++) { > + guidcpy((*part_guid_arr + i), > + &gpt_pte[i].partition_type_guid); > + } > + > +out: > + free(gpt_pte); > + return ret; > +} > + > +int fwu_gpt_get_active_index(u32 *active_idx) > +{ > + int ret; > + struct fwu_metadata *metadata; > + > + ret = gpt_get_valid_metadata(&metadata); > + if (ret < 0) { > + log_err("Unable to get valid metadata\n"); > + goto out; > + } > + > + /* > + * Found the metadata partition, now read the active_index > + * value > + */ > + *active_idx = metadata->active_index; > + if (*active_idx > CONFIG_FWU_NUM_BANKS - 1) { > + printf("Active index value read is incorrect\n"); > + ret = -EINVAL; > + goto out; > + } > + > +out: > + free(metadata); > + > + return ret; > +} > + > +static int gpt_get_image_alt_num(struct blk_desc *desc, > + efi_guid_t image_type_id, > + u32 update_bank, int *alt_no) > +{ > + int ret, i; > + u32 nparts; > + gpt_entry *gpt_pte = NULL; > + struct fwu_metadata *metadata; > + struct fwu_image_entry *img_entry; > + struct fwu_image_bank_info *img_bank_info; > + efi_guid_t unique_part_guid; > + efi_guid_t image_guid = NULL_GUID; > + > + ALLOC_CACHE_ALIGN_BUFFER_PAD(gpt_header, gpt_head, 1, > + desc->blksz); > + > + ret = gpt_get_valid_metadata(&metadata); > + if (ret < 0) { > + log_err("Unable to read valid metadata\n"); > + goto out; > + } > + > + /* > + * The metadata has been read. Now get the image_uuid for the > + * image with the update_bank. > + */ > + for (i = 0; i < CONFIG_FWU_NUM_IMAGES_PER_BANK; i++) { > + if (!guidcmp(&image_type_id, > + &metadata->img_entry[i].image_type_uuid)) { > + img_entry = &metadata->img_entry[i]; > + img_bank_info = &img_entry->img_bank_info[update_bank]; > + guidcpy(&image_guid, &img_bank_info->image_uuid); break;? > + } > + } > + > + /* > + * Now read the GPT Partition Table Entries to find a matching > + * partition with UniquePartitionGuid value. We need to iterate > + * through all the GPT partitions since they might be in any > + * order > + */ > + ret = get_gpt_hdr_parts(desc, gpt_head, &gpt_pte); > + if (ret < 0) { > + log_err("Error getting GPT header and partitions\n"); > + ret = -EIO; > + goto out; > + } > + > + nparts = gpt_head->num_partition_entries; > + > + for (i = 0; i < nparts; i++) { > + unique_part_guid = gpt_pte[i].unique_partition_guid; > + if (!guidcmp(&unique_part_guid, &image_guid)) { > + /* Found the partition */ > + *alt_no = i + 1; > + break; > + } > + } > + > + if (i == nparts) { > + log_err("Partition with the image guid not found\n"); > + ret = -EINVAL; > + } > + > +out: > + free(metadata); > + free(gpt_pte); > + return ret; > +} > + > +int fwu_gpt_update_active_index(u32 active_idx) > +{ > + int ret; > + void *buf; > + u32 cur_active_index; > + struct fwu_metadata *metadata; > + > + if (active_idx > CONFIG_FWU_NUM_BANKS) { > + printf("Active index value to be updated is incorrect\n"); > + return -1; > + } > + > + ret = gpt_get_valid_metadata(&metadata); > + if (ret < 0) { > + log_err("Unable to get valid metadata\n"); > + goto out; > + } > + > + /* > + * Update the active index and previous_active_index fields > + * in the metadata > + */ > + cur_active_index = metadata->active_index; > + metadata->active_index = active_idx; > + metadata->previous_active_index = cur_active_index; You don't need the cur_active_index, just swap the 2 lines above. metadata->previous_active_index = metadata->active_index; metadata->active_index = active_idx; > + > + /* > + * Calculate the crc32 for the updated metadata > + * and put the updated value in the metadata crc32 > + * field > + */ > + buf = &metadata->version; > + metadata->crc32 = crc32(0, buf, sizeof(*metadata) - sizeof(u32)); > + > + /* > + * Now write this updated metadata to both the > + * metadata partitions > + */ > + ret = gpt_update_metadata(metadata); > + if (ret < 0) { > + log_err("Failed to update metadata partitions\n"); > + ret = -EIO; > + } > + > +out: > + free(metadata); > + > + return ret; > +} > + > +int fwu_gpt_fill_partition_guid_array(efi_guid_t **part_guid_arr, u32 > *nparts) > +{ > + int ret; > + struct blk_desc *desc; > + > + ret = fwu_plat_get_blk_desc(&desc); > + if (ret < 0) { > + log_err("Block device not found\n"); > + return -ENODEV; > + } > + > + return gpt_fill_partition_guid_array(desc, part_guid_arr, nparts); > +} > + > +int fwu_gpt_get_image_alt_num(efi_guid_t image_type_id, u32 update_bank, > + int *alt_no) > +{ > + int ret; > + struct blk_desc *desc; > + > + ret = fwu_plat_get_blk_desc(&desc); > + if (ret < 0) { > + log_err("Block device not found\n"); > + return -ENODEV; > + } > + > + return gpt_get_image_alt_num(desc, image_type_id, update_bank, alt_no); > +} > + > +int fwu_gpt_metadata_check(void) > +{ > + /* > + * Check if both the copies of the metadata are valid. > + * If one has gone bad, restore it from the other good > + * copy. > + */ > + return gpt_check_metadata_validity(); > +} > + > +int fwu_gpt_get_metadata(struct fwu_metadata **metadata) > +{ > + return gpt_get_valid_metadata(metadata); > +} > + > +int fwu_gpt_revert_boot_index(u32 *active_idx) > +{ > + int ret; > + void *buf; > + u32 cur_active_index; > + struct fwu_metadata *metadata; > + > + ret = gpt_get_valid_metadata(&metadata); > + if (ret < 0) { > + log_err("Unable to get valid metadata\n"); > + goto out; > + } > + > + /* > + * Swap the active index and previous_active_index fields > + * in the metadata > + */ > + cur_active_index = metadata->active_index; > + metadata->active_index = metadata->previous_active_index; > + metadata->previous_active_index = cur_active_index; Ditto, you don't need cur_active_index; > + *active_idx = metadata->active_index; > + > + /* > + * Calculate the crc32 for the updated metadata > + * and put the updated value in the metadata crc32 > + * field > + */ > + buf = &metadata->version; > + metadata->crc32 = crc32(0, buf, sizeof(*metadata) - sizeof(u32)); > + > + /* > + * Now write this updated metadata to both the > + * metadata partitions > + */ > + ret = gpt_update_metadata(metadata); > + if (ret < 0) { > + log_err("Failed to update metadata partitions\n"); > + ret = -EIO; > + } > + > +out: > + free(metadata); > + > + return ret; > +} > + > +static int fwu_gpt_set_clear_image_accept(efi_guid_t *img_type_id, > + u32 bank, u8 action) > +{ > + void *buf; > + int ret, i; > + u32 nimages; > + struct fwu_metadata *metadata; > + struct fwu_image_entry *img_entry; > + struct fwu_image_bank_info *img_bank_info; > + > + ret = gpt_get_valid_metadata(&metadata); > + if (ret < 0) { > + log_err("Unable to get valid metadata\n"); > + goto out; > + } > + > + if (action == IMAGE_ACCEPT_SET) > + bank = metadata->active_index; I think it's clearer if fwu_gpt_accept_image() / fwu_gpt_clear_accept_image() read the metadata themselves and pass them as a ptr. That would mean you also have the right bank number and you wont be needing this anymore. > + > + nimages = CONFIG_FWU_NUM_IMAGES_PER_BANK; > + img_entry = &metadata->img_entry[0]; > + for (i = 0; i < nimages; i++) { > + if (!guidcmp(&img_entry[i].image_type_uuid, img_type_id)) { > + img_bank_info = &img_entry[i].img_bank_info[bank]; > + if (action == IMAGE_ACCEPT_SET) > + img_bank_info->accepted |= FWU_IMAGE_ACCEPTED; Do you need to preserve existing bits on 'accepted' here? > + else > + img_bank_info->accepted = 0; > + > + buf = &metadata->version; > + metadata->crc32 = crc32(0, buf, sizeof(*metadata) - > + sizeof(u32)); > + > + ret = gpt_update_metadata(metadata); > + goto out; > + } > + } > + > + /* Image not found */ > + ret = -EINVAL; > + > +out: > + free(metadata); > + > + return ret; > +} > + > +int fwu_gpt_accept_image(efi_guid_t *img_type_id) > +{ > + return fwu_gpt_set_clear_image_accept(img_type_id, 0, > + IMAGE_ACCEPT_SET); > +} > + > +int fwu_gpt_clear_accept_image(efi_guid_t *img_type_id, u32 bank) > +{ > + return fwu_gpt_set_clear_image_accept(img_type_id, bank, > + IMAGE_ACCEPT_CLEAR); > +} > + > +struct fwu_metadata_ops fwu_gpt_blk_ops = { > + .get_active_index = fwu_gpt_get_active_index, > + .update_active_index = fwu_gpt_update_active_index, > + .fill_partition_guid_array = fwu_gpt_fill_partition_guid_array, > + .get_image_alt_num = fwu_gpt_get_image_alt_num, > + .metadata_check = fwu_gpt_metadata_check, > + .revert_boot_index = fwu_gpt_revert_boot_index, > + .set_accept_image = fwu_gpt_accept_image, > + .clear_accept_image = fwu_gpt_clear_accept_image, > + .get_metadata = fwu_gpt_get_metadata, > +}; > -- > 2.17.1 > Cheers /Ilias