Makefile: Add build-time overlap check for programs loaded after coreboot

On non-x86 platforms, coreboot uses the memlayout.ld mechanism to
statically allocate the different memory regions it needs and guarantees
at build time that there are no dangerous overlaps between them. At the
end of its (ramstage) execution, however, it usually loads a payload
(and possibly other platform-specific components) that is not integrated
into the coreboot build system and therefore cannot provide the same
overlap guarantees through memlayout.ld. This creates a dangerous memory
hazard where a new component could be loaded over memory areas that are
still in use by the code-loading ramstage and lead to arbitrary memory
corruption bugs.

This patch fills this gap in our build-time correctness guarantees by
adding the necessary checks as a new intermediate Makefile target on
route to assembling the final image. It will parse the memory footprint
information of the payload (and other platform-specific post-ramstage
components) from CBFS and compare it to a list of memory areas known to
be still in use during late ramstage, generating a build failure in case
of a possible hazard.

BUG=chrome-os-partner:48008
TEST=Built Oak while moving critical regions in the way of BL31 or the
payload, observing the desired build-time errors. Built Nyan, Jerry and
Falco without issues for good measure.

Change-Id: I3ebd2c1caa4df959421265e26f9cab2c54909b68
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://review.coreboot.org/13949
Tested-by: build bot (Jenkins)
Reviewed-by: Patrick Georgi <pgeorgi@google.com>

Makefile.inc

@@ -846,6 +846,52 @@ board_id-type := raw
 $(obj)/board_id:
 	printf $(CONFIG_BOARD_ID_STRING) > $@
 
+# Ensure that no payload segment overlaps with memory regions used by ramstage
+# (not for x86 since it can relocate itself in that case)
+ifneq ($(CONFIG_ARCH_X86),y)
+check-ramstage-overlap-regions := ramstage
+check-ramstage-overlap-files :=
+ifneq ($(CONFIG_PAYLOAD_NONE),y)
+check-ramstage-overlap-files += $(CONFIG_CBFS_PREFIX)/payload
+endif
+
+# will output one or more lines of "<load address in hex> <memlen in decimal>"
+cbfs-get-segments-cmd = $(CBFSTOOL) $(obj)/coreboot.pre print -v | sed -n \
+	'\%$(1)%,\%^[^ ]\{4\}%s%    .*load: \(0x[0-9a-fA-F]*\),.*length: [0-9]*/\([0-9]*\).*%\1 \2%p'
+
+ramstage-symbol-addr-cmd = $(OBJDUMP_ramstage) -t $(objcbfs)/ramstage.elf | \
+	sed -n '/ $(1)$$/s/^\([0-9a-fA-F]*\) .*/0x\1/p'
+
+check-ramstage-overlaps: $(obj)/coreboot.pre
+	programs=$$($(foreach file,$(check-ramstage-overlap-files), \
+		$(call cbfs-get-segments-cmd,$(file)) ; )) ; \
+	regions=$$($(foreach region,$(check-ramstage-overlap-regions), \
+		echo $(region) ; \
+		$(call ramstage-symbol-addr-cmd,_$(region)) ; \
+		$(call ramstage-symbol-addr-cmd,_e$(region)) ; )) ; \
+	pstart= ; pend= ; \
+	for x in $$programs; do \
+	    if [ -z $$pstart ]; then pstart=$$(($$x)) ; continue ; fi ; \
+	    pend=$$(($$pstart + $$x)) ; \
+	    rname= ; rstart= ; rend= ; \
+	    for y in $$regions ; do \
+	        if [ -z $$rname ]; then rname=$$y ; continue ; fi ; \
+	        if [ -z $$rstart ]; then rstart=$$(($$y)) ; continue ; fi ; \
+	        rend=$$(($$y)) ; \
+	        if [ $$pstart -lt $$rend -a $$rstart -lt $$pend ]; then \
+	            echo "ERROR: Ramstage region _$$rname overlapped by:" \
+	                 $(check-ramstage-overlap-files) ; \
+	            exit 1 ; \
+	        fi ; \
+	        rname= ; rstart= ; rend= ; \
+	    done ; \
+	    pstart= ; pend= ; \
+	done
+
+INTERMEDIATE+=check-ramstage-overlaps
+PHONY+=check-ramstage-overlaps
+endif
+
 junit.xml:
 	echo "Building $(UTIL)"
 	echo '<?xml version="1.0" encoding="utf-8"?><testsuite>' > $@.tmp

src/arch/arm/Makefile.inc

@@ -25,6 +25,10 @@ ifeq ($(CONFIG_ARCH_ROMSTAGE_ARM),y)
 CBFSTOOL_PRE1_OPTS = -m arm -s $(CONFIG_CBFS_SIZE)
 endif
 
+ifeq ($(CONFIG_ARCH_RAMSTAGE_ARM),y)
+check-ramstage-overlap-regions += postram_cbfs_cache stack ttb
+endif
+
 ifeq ($(CONFIG_ARCH_ARM),y)
 subdirs-y += libgcc/
 subdirs-y += armv4/ armv7/

src/arch/arm64/Makefile.inc

@@ -33,6 +33,10 @@ ifeq ($(CONFIG_ARCH_ROMSTAGE_ARM64),y)
 CBFSTOOL_PRE1_OPTS = -m arm64 -s $(CONFIG_CBFS_SIZE)
 endif
 
+ifeq ($(CONFIG_ARCH_RAMSTAGE_ARM64),y)
+check-ramstage-overlap-regions += postram_cbfs_cache stack ttb
+endif
+
 ################################################################################
 # bootblock
 ################################################################################
@@ -182,6 +186,8 @@ $(BL31_CBFS)-type := stage
 $(BL31_CBFS)-compression := $(CBFS_COMPRESS_FLAG)
 cbfs-files-y += $(BL31_CBFS)
 
+check-ramstage-overlap-files += $(BL31_CBFS)
+
 ifeq ($(CONFIG_ARM64_USE_SECURE_OS),y)
 
 SECURE_OS_FILE := $(CONFIG_ARM64_SECURE_OS_FILE)
@@ -190,6 +196,8 @@ $(SECURE_OS_FILE_CBFS)-file := $(SECURE_OS_FILE)
 $(SECURE_OS_FILE_CBFS)-type := stage
 cbfs-files-y += $(SECURE_OS_FILE_CBFS)
 
+check-ramstage-overlap-files += $(SECURE_OS_FILE_CBFS)
+
 endif # CONFIG_ARM64_USE_SECURE_OS
 
 endif # CONFIG_ARM64_USE_ARM_TRUSTED_FIRMWARE

src/arch/mips/Makefile.inc

@@ -22,6 +22,10 @@ ifeq ($(CONFIG_ARCH_ROMSTAGE_MIPS),y)
 CBFSTOOL_PRE1_OPTS = -m mips -s $(CONFIG_CBFS_SIZE)
 endif
 
+ifeq ($(CONFIG_ARCH_RAMSTAGE_MIPS),y)
+check-ramstage-overlap-regions += stack
+endif
+
 ###############################################################################
 # bootblock
 ###############################################################################

src/arch/riscv/Makefile.inc

@@ -19,6 +19,10 @@ riscv_flags = -I$(src)/arch/riscv/
 
 riscv_asm_flags =
 
+ifeq ($(CONFIG_ARCH_RAMSTAGE_RISCV),y)
+check-ramstage-overlap-regions += stack
+endif
+
 ################################################################################
 ## bootblock
 ################################################################################