[coreboot] CBMEM Console corruption with fsp_baytrail in coreboot 4.2

Aaron Durbin adurbin at google.com
Fri Nov 20 05:23:18 CET 2015 

On Thu, Nov 19, 2015 at 4:17 PM, Martin Roth <gaumless at gmail.com> wrote:
> Hi Ben, I'm still trying to get to this. I don't know if you saw how
> different the fsp cbmem route is from other platforms. The fsp copies the
> contents of the car stack to the top of memory when it tears down the cache
> as ram. The pointer to that gets saved and passed to the cbmem transfer
> code. Something has obviously happened to this sequence. I plan on trying to
> bisect the change. The latest I'll be able to get to that is this weekend.

Where does that pointer get saved? I'm not seeing that code nor how it
does CAR migration. Or do you just mean the hob pointer thing --
CBMEM_FSP_HOB_PTR ?

For the console backing store it always resided outside of _car_start
and _car_end. I don't see how it's breaking down...

However, I do see this hard coded assumption in car.c:

>-------/* It's already pointing outside car.global_data. */
>-------if (*mig_var < _car_start || *mig_var > _car_end)
>------->-------return mig_var;

#if !IS_ENABLED(CONFIG_PLATFORM_USES_FSP1_0)
>-------/* Keep console buffer in CAR until cbmemc_reinit() moves it. */
>-------if (*mig_var == _car_end)
>------->-------return mig_var;
#endif

That _car_end check in the conditional should be referencing the
_preram_cbmem_console symbol proper.

Does this fix the issue?

diff --git a/src/cpu/x86/car.c b/src/cpu/x86/car.c
index 36c5cf0..b9d2c6e 100644
--- a/src/cpu/x86/car.c
+++ b/src/cpu/x86/car.c
@@ -18,6 +18,7 @@
 #include <console/console.h>
 #include <cbmem.h>
 #include <arch/early_variables.h>
+#include <symbols.h>

 #if IS_ENABLED(CONFIG_PLATFORM_USES_FSP1_0)
 #include <drivers/intel/fsp1_0/fsp_util.h>
@@ -89,15 +90,22 @@ void *car_sync_var_ptr(void *var)
        if (mig_var == var)
                return mig_var;

+       /*
+        * Migrate the cbmem console pointer for FSP 1.0 platforms. Otherwise,
+        * keep console buffer in CAR until cbmemc_reinit() moves it.
+        */
+       if (*mig_var == _preram_cbmem_console) {
+               if (IS_ENABLED(CONFIG_PLATFORM_USES_FSP1_0)) {
+                       *mig_var += (char *)mig_var - (char *)var;
+                       return mig_var;
+               } else
+                       return mig_var;
+       }
+
        /* It's already pointing outside car.global_data. */
        if (*mig_var < _car_start || *mig_var > _car_end)
                return mig_var;

-#if !IS_ENABLED(CONFIG_PLATFORM_USES_FSP1_0)
-       /* Keep console buffer in CAR until cbmemc_reinit() moves it. */
-       if (*mig_var == _car_end)
-               return mig_var;
-#endif

        /* Move the pointer by the same amount the variable storing it was
         * moved by.


>
> Martin
>
> On Thu, Nov 19, 2015 at 17:07 Ben Gardner <gardner.ben at gmail.com> wrote:
>>
>> Hi,
>>
>> I've narrowed down where the CBMEM console is getting corrupted and
>> found a work around that gets it working again.
>> It is getting corrupted in the FSP Early Init function. So in the
>> Intel blob, not coreboot.
>>
>> I added logs to cbmemc_init() and cbmrmc_reinit() that show the
>> console pointer, size, cursor and the first 64 bytes of the console
>> (including size and console).
>>
>> Right before the call to FspInitApi() in fsp_early_init():
>> fsp_early_init: cbm_cons_p: fef00000 size=3064 cur=2606
>> fef00000: f8 0b 00 00 7b 0a 00 00 63 62 6d 65 6d 63 5f 69
>> ........cbmemc_i
>> fef00010: 6e 69 74 3a 20 63 62 6d 5f 63 6f 6e 73 5f 70 3a  nit:
>> cbm_cons_p:
>> fef00020: 20 66 65 66 30 30 30 30 30 20 73 69 7a 65 3d 33   fef00000
>> size=3
>> fef00030: 30 36 34 20 63 75 72 3d 30 0a 66 65 66 30 30 30  064
>> cur=0.fef000
>>
>> And this is at the top of romstage_main_continue():
>> romstage_main_continue: cbm_cons_p: 00000b96 size=2052398204
>> cur=1024945500
>> 00000b96: 7c 1c 55 7a bd 6d 17 3d 17 a9 76 69 ee 07 d1 b8
>> |.Uz.m.=..vi....
>> 00000ba6: fa 6b 75 85 ee 7a dd 8f e9 48 59 93 b4 f8 0a ce
>> .ku..z...HY.....
>> 00000bb6: 1c dc fe a4 09 d6 ba 1d 88 8f 23 e4 40 cc 88 cd
>> ..........#. at ...
>> 00000bc6: 90 91 53 e4 71 6d 90 1d bd e9 fa 13 a8 16 fd b5
>> ..S.qm..........
>>
>> So, the FSP is trashing the CAR variables.
>>
>> I looked at the changes to src/arch/x86/car.ld and see that the
>> CONSOLE line was moved before _car_data_start.
>> That move appears to have been in commit dd6fa93d by Aaron Durbin.
>> http://review.coreboot.org/#/c/11740/3/src/arch/x86/car.ld
>>
>> When I moved that CONSOLE line back to after _car_data_end, the
>> console works again.
>> That also fixes the timestamp table infinite loop issue.
>>
>> So, I have a work-around.
>> However, I suspect that the root issue of the FSP trashing CAR
>> variables persists.
>>
>> My initial email about the timestamp issue is here:
>> http://www.coreboot.org/pipermail/coreboot/2015-November/080719.html
>>
>> I'm not sure what to do about this.
>> The above change seems reasonable and needed for verstage support, so
>> sending my 'fix' upstream probably isn't viable.
>>
>> Suggestions?
>>
>> Thanks,
>> Ben

More information about the coreboot mailing list