tighten_me command fails with up board image
rminnich opened this issue · 11 comments
rminnich@xcpu:~/projects/linuxboot/mainboards/aeeon/up$ utk uprom.bin tighten_me save x.bin
panic: runtime error: slice bounds out of range
goroutine 1 [running]:
github.com/linuxboot/fiano/pkg/visitors.(*TightenME).process(0xc00000c080, 0x5de8a0, 0xc00000c080)
/home/rminnich/gopath/src/github.com/linuxboot/fiano/pkg/visitors/tightenme.go:74 +0xab4
github.com/linuxboot/fiano/pkg/visitors.(*TightenME).Run(0xc00000c080, 0x5dfde0, 0xc00008c1e0, 0x0, 0x0)
/home/rminnich/gopath/src/github.com/linuxboot/fiano/pkg/visitors/tightenme.go:29 +0x12b
github.com/linuxboot/fiano/pkg/visitors.ExecuteCLI(0x5dfde0, 0xc00008c1e0, 0xc00000c0a0, 0x2, 0x2, 0x0, 0x0)
/home/rminnich/gopath/src/github.com/linuxboot/fiano/pkg/visitors/cli.go:68 +0x6d
github.com/linuxboot/fiano/pkg/utk.Run(0xc000010060, 0x4, 0x4, 0x4, 0x0)
/home/rminnich/gopath/src/github.com/linuxboot/fiano/pkg/utk/utk.go:59 +0x23f
main.main()
/home/rminnich/gopath/src/github.com/linuxboot/fiano/cmds/utk/utk.go:75 +0x9e
The freespace offset is bogus, looking deeper.
Something seems seriously wrong with our parser.
Node GUID/Name Offset Size
Image 0x00000000 0x00800000
IFD 0x00000000 0x00001000
ME 0x00001000 0x003ff000
$FPT 0x00001000 0x000002b0
PSVN 0x000013c0 0x00000040
FOVD 0x00001400 0x00000c00
MDES 0x00002000 0x00001000
FCRS 0x00003000 0x00001000
EFFS 0x00004000 0x0006c000
ACDS 0x100000fff 0x00012c4c
FTPM 0x100000fff 0x0000b256
IPTS 0x100000fff 0x00000069
ISHD 0x100000fff 0x0000de80
LPBK 0x100000fff 0x0000095a
NVCL 0x100000fff 0x00006ad2
NVCP 0x100000fff 0x0000ad26
NVJC 0x100000fff 0x00005000
NVKR 0x100000fff 0x00007985
NVNF 0x100000fff 0x00001996
NVSL 0x100000fff 0x00003918
NVTD 0x100000fff 0x000021b2
STOK 0x100000fff 0x000004a4
FTPR 0x00070000 0x00078000
NFTP 0x000e8000 0x00078000
Free 0x100013c4b 0xffffffff003ec3b5
BIOS 0x00400000 0x00400000
FV 8C8CE578-8A3D-4F1C-9935-896185C32DD3 0x00400000 0x00020000
Free 0x00420000 0x00000000
FV 8C8CE578-8A3D-4F1C-9935-896185C32DD3 0x00420000 0x00020000
Free 0x00440000 0x00000000
FV 8C8CE578-8A3D-4F1C-9935-896185C32DD3 0x00440000 0x00030000
Free 0x00462860 0x0000d7a0
FV 5C60F367-A505-419A-859E-2A4FF6CA6FE5 0x00470000 0x00286000
Free 0x006a7330 0x0004ecd0
FV 61C0F511-A691-4F54-974F-B9A42172CE53 0x006f6000 0x00064000
Free 0x00742690 0x00017970
FV 61C0F511-A691-4F54-974F-B9A42172CE53 0x0075a000 0x00064000
Free 0x007a6690 0x00017970
BIOS Pad (empty) 0x007be000 0x00023000
FV B73FE497-B92E-416E-8326-45AD0D270091 0x007e1000 0x0001f000
Free 0x00800000 0x00000000
me_cleaner reports this:
Full image detected
Found FPT header at 0x1010
Found 20 partition(s)
Found FTPR header: FTPR partition spans from 0x6f000 to 0xe7000
ME/TXE firmware version 2.0.5.3112 (generation 2)
Public key match: Intel TXE, firmware versions 2.x.x.x
The AltMeDisable bit is NOT SET
Reading partitions list...
PSVN (0x000003c0 - 0x000000400, 0x00000040 total bytes): removed
FOVD (0x00000400 - 0x000001000, 0x00000c00 total bytes): removed
MDES (0x00001000 - 0x000002000, 0x00001000 total bytes): removed
FCRS (0x00002000 - 0x000003000, 0x00001000 total bytes): removed
EFFS (0x00003000 - 0x00006f000, 0x0006c000 total bytes): removed
ACDS (NVRAM partition, no data, 0x00012c4c total bytes): nothing to remove
FTPM (NVRAM partition, no data, 0x0000b256 total bytes): nothing to remove
IPTS (NVRAM partition, no data, 0x00000069 total bytes): nothing to remove
ISHD (NVRAM partition, no data, 0x0000de80 total bytes): nothing to remove
LPBK (NVRAM partition, no data, 0x0000095a total bytes): nothing to remove
NVCL (NVRAM partition, no data, 0x00006ad2 total bytes): nothing to remove
NVCP (NVRAM partition, no data, 0x0000ad26 total bytes): nothing to remove
NVJC (NVRAM partition, no data, 0x00005000 total bytes): nothing to remove
NVKR (NVRAM partition, no data, 0x00007985 total bytes): nothing to remove
NVNF (NVRAM partition, no data, 0x00001996 total bytes): nothing to remove
NVSL (NVRAM partition, no data, 0x00003918 total bytes): nothing to remove
NVTD (NVRAM partition, no data, 0x000021b2 total bytes): nothing to remove
STOK (NVRAM partition, no data, 0x000004a4 total bytes): nothing to remove
FTPR (0x0006f000 - 0x0000e7000, 0x00078000 total bytes): NOT removed
NFTP (0x000e7000 - 0x00015f000, 0x00078000 total bytes): removed
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0xe1)...
Reading FTPR modules list...
BUP (uncomp., 0x070000 - 0x088000 ): NOT removed, essential
KERNEL (LZMA , 0x088000 - 0x0a1670 ): removed
POLICY (LZMA , 0x0a2000 - 0x0ac7e4 ): removed
HOSTCOMM (LZMA , 0x0ad000 - 0x0b5e02 ): removed
FPF (LZMA , 0x0b6000 - 0x0b8c99 ): removed
RSA (LZMA , 0x0b9000 - 0x0bf560 ): removed
fTPM (LZMA , 0x0c0000 - 0x0d2d5b ): removed
SBOOT (LZMA , 0x0d3000 - 0x0d784e ): removed
NFC (LZMA , 0x0d8000 - 0x0db763 ): removed
ACDS (LZMA , 0x0dc000 - 0x0dd50b ): removed
AFWS (LZMA , 0x0de000 - 0x0e0eab ): removed
The ME minimum size should be 577536 bytes (0x8d000 bytes)
The ME region can be reduced up to:
00001000:0008dfff me
Checking the FTPR RSA signature... VALID
Done! Good luck!
so we parse
STOK 0x100000fff 0x000004a4
and me_cleaner reports
STOK (NVRAM partition, no data, 0x000004a4 total bytes): nothing to remove
so I guess that high order bit means "nothing here"?
hi Ron, is the image with ME available in some BIOS update on the Up Board site ? If yes can you post a link ?
Hi @JulienVdG, I did some digging and found that you can reprodruce a very similar callstack with "UP Board UEFI BIOS (UPC1DM17)" from this site https://downloads.up-community.org/download/up-board-uefi-bios-upc1dm17/
Direct link(might not be working): https://downloads.up-community.org/download/up-board-uefi-bios-upc1dm17/?wpdmdl=390
$ utk UPC1DM17.bin tighten_me save x.bin
panic: runtime error: slice bounds out of range [4295045120:4190208]
goroutine 1 [running]:
github.com/linuxboot/fiano/pkg/visitors.(*TightenME).process(0xc00000c080, 0x5e9780, 0xc00000c080)
/home/rawr/go/src/github.com/linuxboot/fiano/pkg/visitors/tightenme.go:74 +0x868
github.com/linuxboot/fiano/pkg/visitors.(*TightenME).Run(0xc00000c080, 0x5eabc0, 0xc0000941e0, 0xc000084b60, 0x0)
/home/rawr/go/src/github.com/linuxboot/fiano/pkg/visitors/tightenme.go:29 +0xd3
github.com/linuxboot/fiano/pkg/visitors.ExecuteCLI(0x5eabc0, 0xc0000941e0, 0xc00000c0a0, 0x2, 0x2, 0x0, 0x0)
/home/rawr/go/src/github.com/linuxboot/fiano/pkg/visitors/cli.go:68 +0x6d
github.com/linuxboot/fiano/pkg/utk.Run(0xc000010060, 0x4, 0x4, 0x4, 0x0)
/home/rawr/go/src/github.com/linuxboot/fiano/pkg/utk/utk.go:59 +0x1db
main.main()
/home/rawr/go/src/github.com/linuxboot/fiano/cmds/utk/utk.go:75 +0x9e
$ utk UPC1DM17.bin layout-table
Node GUID/Name Offset Size
Image 0x00000000 0x00800000
IFD 0x00000000 0x00001000
ME 0x00001000 0x003ff000
$FPT 0x00001000 0x000002b0
PSVN 0x000013c0 0x00000040
FOVD 0x00001400 0x00000c00
MDES 0x00002000 0x00001000
FCRS 0x00003000 0x00001000
EFFS 0x00004000 0x0006c000
ACDS 0x100000fff 0x00012c4c
FTPM 0x100000fff 0x0000b256
IPTS 0x100000fff 0x00000069
ISHD 0x100000fff 0x0000de80
LPBK 0x100000fff 0x0000095a
NVCL 0x100000fff 0x00006ad2
NVCP 0x100000fff 0x0000ad26
NVJC 0x100000fff 0x00005000
NVKR 0x100000fff 0x00007985
NVNF 0x100000fff 0x00001996
NVSL 0x100000fff 0x00003918
NVTD 0x100000fff 0x000021b2
STOK 0x100000fff 0x000004a4
FTPR 0x00070000 0x00078000
NFTP 0x000e8000 0x00078000
Free 0x100013c4b 0xffffffff003ec3b5
BIOS 0x00400000 0x00400000
FV 8C8CE578-8A3D-4F1C-9935-896185C32DD3 0x00400000 0x00020000
Free 0x00420000 0x00000000
BIOS Pad (empty) 0x00420000 0x00020000
FV 8C8CE578-8A3D-4F1C-9935-896185C32DD3 0x00440000 0x00030000
Free 0x00462860 0x0000d7a0
FV 5C60F367-A505-419A-859E-2A4FF6CA6FE5 0x00470000 0x00286000
Free 0x006a7330 0x0004ecd0
FV 61C0F511-A691-4F54-974F-B9A42172CE53 0x006f6000 0x00064000
Free 0x00742690 0x00017970
FV 61C0F511-A691-4F54-974F-B9A42172CE53 0x0075a000 0x00064000
Free 0x007a6690 0x00017970
BIOS Pad (empty) 0x007be000 0x00023000
FV B73FE497-B92E-416E-8326-45AD0D270091 0x007e1000 0x0001f000
Free 0x00800000 0x00000000
me_cleaner reports
$ python me_cleaner.py ~/Downloads/UPC1DM17/UPC1DM17.bin
Full image detected
Found FPT header at 0x1010
Found 20 partition(s)
Found FTPR header: FTPR partition spans from 0x6f000 to 0xe7000
ME/TXE firmware version 2.0.5.3112 (generation 2)
Public key match: Intel TXE, firmware versions 2.x.x.x
The AltMeDisable bit is NOT SET
Reading partitions list...
PSVN (0x000003c0 - 0x000000400, 0x00000040 total bytes): removed
FOVD (0x00000400 - 0x000001000, 0x00000c00 total bytes): removed
MDES (0x00001000 - 0x000002000, 0x00001000 total bytes): removed
FCRS (0x00002000 - 0x000003000, 0x00001000 total bytes): removed
EFFS (0x00003000 - 0x00006f000, 0x0006c000 total bytes): removed
ACDS (NVRAM partition, no data, 0x00012c4c total bytes): nothing to remove
FTPM (NVRAM partition, no data, 0x0000b256 total bytes): nothing to remove
IPTS (NVRAM partition, no data, 0x00000069 total bytes): nothing to remove
ISHD (NVRAM partition, no data, 0x0000de80 total bytes): nothing to remove
LPBK (NVRAM partition, no data, 0x0000095a total bytes): nothing to remove
NVCL (NVRAM partition, no data, 0x00006ad2 total bytes): nothing to remove
NVCP (NVRAM partition, no data, 0x0000ad26 total bytes): nothing to remove
NVJC (NVRAM partition, no data, 0x00005000 total bytes): nothing to remove
NVKR (NVRAM partition, no data, 0x00007985 total bytes): nothing to remove
NVNF (NVRAM partition, no data, 0x00001996 total bytes): nothing to remove
NVSL (NVRAM partition, no data, 0x00003918 total bytes): nothing to remove
NVTD (NVRAM partition, no data, 0x000021b2 total bytes): nothing to remove
STOK (NVRAM partition, no data, 0x000004a4 total bytes): nothing to remove
FTPR (0x0006f000 - 0x0000e7000, 0x00078000 total bytes): NOT removed
NFTP (0x000e7000 - 0x00015f000, 0x00078000 total bytes): removed
Removing partition entries in FPT...
Removing EFFS presence flag...
Correcting checksum (0xe1)...
Reading FTPR modules list...
BUP (uncomp., 0x070000 - 0x088000 ): NOT removed, essential
KERNEL (LZMA , 0x088000 - 0x0a1670 ): removed
POLICY (LZMA , 0x0a2000 - 0x0ac7e4 ): removed
HOSTCOMM (LZMA , 0x0ad000 - 0x0b5e02 ): removed
FPF (LZMA , 0x0b6000 - 0x0b8c99 ): removed
RSA (LZMA , 0x0b9000 - 0x0bf560 ): removed
fTPM (LZMA , 0x0c0000 - 0x0d2d5b ): removed
SBOOT (LZMA , 0x0d3000 - 0x0d784e ): removed
NFC (LZMA , 0x0d8000 - 0x0db763 ): removed
ACDS (LZMA , 0x0dc000 - 0x0dd50b ): removed
AFWS (LZMA , 0x0de000 - 0x0e0eab ): removed
The ME minimum size should be 577536 bytes (0x8d000 bytes)
The ME region can be reduced up to:
00001000:0008dfff me
Checking the FTPR RSA signature... VALID
Done! Good luck!
Thanks @neuron303,
Now I have a test case I can do better than blindly trying to fix it!
Oh, it's not a high order bit, it's a 0xffffffff but with the 0x1000 start added we got those 0x100000fff.
Basically MEAnalyser treat 0 and 0xffffffff as invalid, MECleaner is doing more complicated checks by comparing the offset and available space. I'm doing simply like MEAnalyser.
The output looks a lot nicer, I really like that it outputs the type.
But I do not see mecleaner using 0xffffffff as invalid.
As far as I can see mecleaner skips an partition if the type is 2 (NVRAM)
or offset == 0 or length == 0 or the partition end is beyond the ME region
The patch does not replicate that behaviour exactly, which is probably not a big problem for example when length is 0.
Though, if an NVRAM partition specifies a valid offset the behaviour would differ.
I see there is probably value being able to access NVRAM partitions.
Can we assume that 0xffffffff will always be used for partitions without data?
Yes as said above I replicated the behavior of MEAnalyser not MECleaner. 0xffffffff looks like not programmed bytes in a flash so this to me is relevant for an uninitialized/invalid flag. Also 0xffffffff + meregion_base will always be beyond the ME region so the test MECleaner does is stronger than ours.
Anyway unless Intel release the documentation of their format we will never know for sure so I'd better have something simple that works and updated it if/when we find an image that fails with our assumptions.
Also tighten_me is not MECleaner, it's only resizing the ME region to the ME content, it does not modify the firmware/features of ME.
By the way thanks for your first encouraging comment 😄
The output looks a lot nicer, I really like that it outputs the type.