oversized secure-boot ramdisk silently truncated

[cleverca22]

Mandatory information

• Raspberry Pi model: pi4b

Describe the bug
if the boot.img file is over 64mb, it will silently be truncated to 64mb, and then fail the boot.sig validation

To Reproduce
create a properly signed boot.img that is 100mb in size

Expected behaviour
at a bare minimum, report that it is too big on the uart logs, so other users dont have to decompile just to find the size limit
the size limit should also be documented and checked in the scripts for building the image, they currently warn for >20mb, but dont tell you that >64mb wont work

ideally, have a more dynamic buffer size, but i can see that being difficult

Bootloader version and configuration
RPi: BOOTLOADER release VERSION:a6afaeaa DATE: Oct 5 2021 TIME: 08:53:57 BOOTMODE: 0x00000006 part: 0 BUILD_TIMESTAMP=1633420437 0xd328cdce 0x00c03112 0x0006f72c

[all]
BOOT_UART=1
WAKE_ON_GPIO=1
POWER_OFF_ON_HALT=0
DHCP_TIMEOUT=45000
DHCP_REQ_TIMEOUT=4000
TFTP_FILE_TIMEOUT=30000
TFTP_IP=192.168.2.15
TFTP_PREFIX=0
SD_BOOT_MAX_RETRIES=3
NET_BOOT_MAX_RETRIES=5
ENABLE_SELF_UPDATE=1
SIGNED_BOOT=1

gpio=21=ip,pu

[gpio21=0]
BOOT_ORDER=0x3

[gpio21=1]
BOOT_ORDER=0x5421

[none]
FREEZE_VERSION=0

Additional context
Add any other context about the problem here.

RPi: BOOTLOADER release VERSION:a6afaeaa DATE: Oct  5 2021 TIME: 08:53:57 BOOTMODE: 0x00000006 part: 0 BUILD_TIMESTAMP=1633420437 0xd328cdce 0x00c03112 0x0006f72c
PM_RSTS: 0x00001000
part 00000000 reset_info 00000000
uSD voltage 3.3V
Initialising SDRAM 'Micron' 16Gb x2 total-size: 32 Gbit 3200

XHCI-STOP
xHC ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
USBSTS 811
xHC ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
xHC ports 5 slots 32 intrs 4
Reset USB port-power 1000 ms
xhci_set_port_power 1 0
xhci_set_port_power 2 0
xhci_set_port_power 3 0
xhci_set_port_power 4 0
xhci_set_port_power 5 0
xhci_set_port_power 1 1
xhci_set_port_power 2 1
xhci_set_port_power 3 1
xhci_set_port_power 4 1
xhci_set_port_power 5 1
XHCI-STOP
xHC ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
USBSTS 18
XHCI-STOP
xHC ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
USBSTS 19
xHC ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
xHC ports 5 slots 32 intrs 4
Boot mode: SD (01) order 542
SD HOST: 250000000 CTL0: 0x00000000 BUS: 100000 Hz actual: 100000 HZ div: 2500 (1250) status: 0x1fff0000 delay: 1080
SD HOST: 250000000 CTL0: 0x00000f00 BUS: 100000 Hz actual: 100000 HZ div: 2500 (1250) status: 0x1fff0000 delay: 1080
OCR 80ff8000 [2]
CID: 0002544d5341303247092b62d0be00c6
CSD: 002e00325b5aa3b4ffffff800a800000
SD: bus-width: 4 spec: 2 SCR: 0x02258000 0x01000000
SD HOST: 250000000 CTL0: 0x00000f00 BUS: 12500000 Hz actual: 12500000 HZ div: 20 (10) status: 0x1fff0000 delay: 8
MBR: 0x00000800, 1046528 type: 0x0b
MBR: 0x00000000,       0 type: 0x00
MBR: 0x00000000,       0 type: 0x00
MBR: 0x00000000,       0 type: 0x00
Trying partition: 0
type: 16 lba: 2048 oem: 'mkfs.fat' volume: '  V       ^ '
rsc 16 fat-sectors 256 c-count 65373 c-size 16
root dir cluster 1 sectors 32 entries 512
FAT16 clusters 65373
secure-boot
Loading boot.img ...
SIG boot.sig db8002deb34d482a4cb46dd6cb25a7904b90aa6c4bbaf054f288268021292600 1634538695
Verifying
Bad signature boot.img
Error 12 loading boot.img
Boot mode: NETWORK (02) order 54

yes, the signature is valid, it fails with a 100mb image, but works with a 64mb image, signed using the same directions and key

[timg236]

Thanks. Yes, there should be an explicit error message for this so we'll add that.

The current limit as you say is 64MB, maybe 128MB could be supported although the signature check will be a bit slow. There's some wiggle room in the memory map but I don't want to commit to things that will cause headaches in the future until the use-cases are better understood.

[cleverca22]

for context, my initrd is 50mb
i had to manually gzip -9 the linux kernel, and delete all unused start*.elf files, just to make it barely fit within 64mb

but i can see 2 ways i could optimize my end
either shrink the initrd more
or put the kernel+initrd outside of the firmware ramdisk, so the firmware only validates uboot, and uboot validates linux+initrd

[timg236]

The latest beta-release (also in usbboot) should help here. The limit is increased to 96MB and some of the error messages have been improved
978ced9 and
raspberrypi/usbboot@80945ed

[ibot3]

Thank you for increasing the limit.

I am using unsigned/non-secure images and really had problems with the 64MB limit.
96MB should be enough for now, but is there a reason why it can't increased further for images without signature?

[ibot3]

Hmm, @timg236 it seems that the new limit somehow doesn't apply..

I still says this in dmesg and just truncates the image after 64MB:

rootfs image is not initramfs (XZ-compressed data is corrupt): looks like an initrd
Freeing initrd memory: 65532K

The initrd file has around ~68MB.

[cleverca22]

@ibot3 this ticket is about the firmware ramdisk, but your error message looks like a linux ramdisk, which doesnt have a size limit

when the firmware ramdisk gets truncated, that also changes the hash, causing the signature to be invalid, so it wont even boot

[ibot3]

Okay, sorry. Then I just misunderstood something.

However, there seems to be a limit of 64MB which is really annoying:
https://forums.raspberrypi.com/viewtopic.php?t=269993#p1642596

But I don't know where this limit is applied. But I should probably create an other issue for this (I just dk where).

[timg236]

It's 96MB and it's applied by the bootloader - the logging should indicate this more clearly.

That's still pretty big for a ramdisk that should only include kernel, start.elf and minimal initrd for secure-boot

[ibot3]

I am using the initrd to store a minimal bootstrapped debian in it which is around 300MB uncompressed.

It's working fine as long as the initrd is below 64MB. But if that's not the case, the initrd seems to get truncated which causes a corrupted system, because important files are missing.

I am using netboot for this by the way.

-rw-r--r--  1 root root  19K Oct 29 11:52 COPYING.linux
-rw-r--r--  1 root root 1.6K Oct 29 11:52 LICENCE.broadcom
-rw-r--r--  1 root root    0 Nov 29 11:41 UART
-rw-r--r--  1 root root  27K Nov 29 11:56 bcm2710-rpi-2-b.dtb
-rw-r--r--  1 root root  29K Nov 29 11:56 bcm2710-rpi-3-b-plus.dtb
-rw-r--r--  1 root root  29K Nov 29 11:56 bcm2710-rpi-3-b.dtb
-rw-r--r--  1 root root  27K Nov 29 11:56 bcm2710-rpi-cm3.dtb
-rw-r--r--  1 root root  49K Nov 29 11:56 bcm2711-rpi-4-b.dtb
-rw-r--r--  1 root root  49K Nov 29 11:56 bcm2711-rpi-400.dtb
-rw-r--r--  1 root root  50K Nov 29 11:56 bcm2711-rpi-cm4.dtb
-rw-r--r--  1 root root  20K Nov 29 11:56 bcm2837-rpi-3-a-plus.dtb
-rw-r--r--  1 root root  21K Nov 29 11:56 bcm2837-rpi-3-b-plus.dtb
-rw-r--r--  1 root root  21K Nov 29 11:56 bcm2837-rpi-3-b.dtb
-rw-r--r--  1 root root  20K Nov 29 11:56 bcm2837-rpi-cm3-io3.dtb
-rw-r--r--  1 root root  52K Oct 29 11:52 bootcode.bin
-rw-r--r--  1 root root   99 Nov 29 11:41 cmdline.txt
-rw-r--r--  1 root root  279 Nov 29 11:41 config.txt
-rw-r--r--  1 root root 7.2K Oct 29 11:52 fixup.dat
-rw-r--r--  1 root root 5.3K Oct 29 11:52 fixup4.dat
-rw-r--r--  1 root root 3.2K Oct 29 11:52 fixup4cd.dat
-rw-r--r--  1 root root 8.3K Oct 29 11:52 fixup4db.dat
-rw-r--r--  1 root root 8.3K Oct 29 11:52 fixup4x.dat
-rw-r--r--  1 root root 3.2K Oct 29 11:52 fixup_cd.dat
-rw-r--r--  1 root root  11K Oct 29 11:52 fixup_db.dat
-rw-r--r--  1 root root  11K Oct 29 11:52 fixup_x.dat
-rw-r--r--  1 root root  68M Nov 29 12:06 initrd
-rw-r--r--  1 root root  20M Nov 29 11:56 kernel8.img
-rwxr-xr-x  1 root root 429K Nov 29 11:41 msd.elf
drwxr-xr-x  2 root root  16K Nov 29 11:56 overlays
-rw-r--r--  1 root root 2.9M Oct 29 11:52 start.elf
-rw-r--r--  1 root root 2.2M Oct 29 11:52 start4.elf
-rw-r--r--  1 root root 783K Oct 29 11:52 start4cd.elf
-rw-r--r--  1 root root 3.6M Oct 29 11:52 start4db.elf
-rw-r--r--  1 root root 2.9M Oct 29 11:52 start4x.elf
-rw-r--r--  1 root root 783K Oct 29 11:52 start_cd.elf
-rw-r--r--  1 root root 4.6M Oct 29 11:52 start_db.elf
-rw-r--r--  1 root root 3.6M Oct 29 11:52 start_x.elf
``

[timg236]

There's no benefit in including all the start.elf variants or bootcode.bin.

N.B. The purpose of the ramdisk is just to bootstrap secure-boot and not provide alternate methods for running Linux from memory e.g. you could use NFS to load the root filesystem

[ibot3]

Okay I found a guide which uses an cow-overlayfs with an ro NFS: https://blockdev.io/read-only-rpi/

But imo the initrd solution is more clean. And with an NFS, I have a dependency on the availability of the NFS server.
I would like to run the pis independent of the network.

We have 30+ PoE powered pis and I just want to be able to create a new image and just restart all pis to keep them up to date.

So would there be a way to increase this limit of 64MB?

[timg236]

If you use the latest beta EEPROM 2021-11-22 then the limit is 96MB.
https://github.com/raspberrypi/rpi-eeprom/blob/master/firmware/beta/pieeprom-2021-11-22.bin

I think in the future we might be able to go as high as 256MB assuming you can tolerate the load time. However, there's a few memory map things that we'd need to think through first e..g. conflicting with large amounts of GPU memory and random Kernel load addresses i.e. not a very short term fix

[timg236]

Closing since this the limit was increased to 96MB in the stable release. Larger RAM disks might be supported in future but will probably have the caveat that GPU memory will be automatically reduced instead. That should be ok because KMS + libcamera mostly remove the need for GPU memory.

[ibot3]

@timg236
The limit has been raised, but I still have the same problems with 2022-08-02 (and also all other versions):

rootfs image is not initramfs (XZ-compressed data is corrupt): looks like an initrd
Freeing initrd memory: 65532K

So there still seems to be some limit of 64MB and I don't understand where it comes from.

However I am using initramfs initrd in config.txt instead of boot_ramdisk.

[timg236]

If it's getting that far it's unlikely to be a bootloader issue. It might be worth updating the latest start.elf file.

I'm currently using an 80MB with a 69MB rootfs.cpio.zst initrd

[boris-kolpackov]

@timg236 I seem to be running into the same issue as @ibot3 with PXE boot of Pi 4 model B 8GB. Specifically, I am trying to boot with an 86MB initrd and it appears to be truncated. I have the latest stable eeprom (2022-09-02) with start4.elf and fixup4.dat downloaded today (commit ecc243c). I've also confirmed that a smaller initrd boots successfully in exactly the same configuration (kernel, config.txt, DT, etc).

When you say that you are currently using 80MB initrd, is this via PXE or from SD/USB? If the latter, perhaps there is something specific to the network boot that's going on here?

For completeness, here is my config.txt (it is based on the Debian images):

disable_splash=1

arm_64bit=1

enable_uart=1
upstream_kernel=1

kernel=buildos-image-aarch64
#kernel=vmlinuz-5.18.0-3-arm64

initramfs buildos-initrd-aarch64
#initramfs initrd.img-5.18.0-3-arm64

Let me know if you need any additional information or have any hints.

[pelwell]

Recent firmwares support a new setting - sha256. Non-zero values enable the calculation and display of SHA256 digests for loaded files (as calculated by sha256sum). Note that this can really slow down the boot process, but it will help to confirm or rule out corruption.

[lurch]

https://www.raspberrypi.com/documentation/computers/config_txt.html#sha256 for (slightly) more info.

[boris-kolpackov]

@pelwell @lurch Thanks for the suggestion though I don't see the checksums anywhere in the serial console output. Specifically, I have BOOT_UART=1 in eeprom, enable_uart=1 and sha256=1 in config.txt and this is what I see in the serial console:

...
NET 10.0.199.18 255.0.0.0 gw 0.0.0.0 tftp 10.0.199.200
ARP 10.0.199.200 00:0d:b9:46:24:7c
NET 10.0.199.18 255.0.0.0 gw 0.0.0.0 tftp 10.0.199.200
RX: 13 IP: 0 IPV4: 6 MAC: 6 UDP: 6 UDP RECV: 2 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
TFTP_GET: 00:0d:b9:46:24:7c 10.0.199.200 dc-a6-32-d7-1d-77/start4.elf

RX: 13 IP: 0 IPV4: 6 MAC: 6 UDP: 6 UDP RECV: 2 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
RX: 14 IP: 0 IPV4: 7 MAC: 7 UDP: 7 UDP RECV: 3 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
TFTP_GET: 00:0d:b9:46:24:7c 10.0.199.200 dc-a6-32-d7-1d-77/config.txt

RX: 14 IP: 0 IPV4: 7 MAC: 7 UDP: 7 UDP RECV: 3 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
TFTP: complete 343
RX: 16 IP: 0 IPV4: 9 MAC: 9 UDP: 9 UDP RECV: 5 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
Read dc-a6-32-d7-1d-77/config.txt bytes      343 hnd 0x0
TFTP_GET: 00:0d:b9:46:24:7c 10.0.199.200 dc-a6-32-d7-1d-77/recover4.elf

RX: 16 IP: 0 IPV4: 9 MAC: 9 UDP: 9 UDP RECV: 5 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
TFTP 1: File not found
RX: 17 IP: 0 IPV4: 10 MAC: 10 UDP: 10 UDP RECV: 6 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
Read dc-a6-32-d7-1d-77/recover4.elf failed
TFTP_GET: 00:0d:b9:46:24:7c 10.0.199.200 dc-a6-32-d7-1d-77/recovery.elf

RX: 18 IP: 0 IPV4: 10 MAC: 10 UDP: 10 UDP RECV: 6 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
TFTP 1: File not found
RX: 19 IP: 0 IPV4: 11 MAC: 11 UDP: 11 UDP RECV: 7 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
Read dc-a6-32-d7-1d-77/recovery.elf failed
TFTP_GET: 00:0d:b9:46:24:7c 10.0.199.200 dc-a6-32-d7-1d-77/start4.elf

RX: 19 IP: 0 IPV4: 11 MAC: 11 UDP: 11 UDP RECV: 7 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
TFTP: complete 2249280
RX: 179 IP: 0 IPV4: 165 MAC: 165 UDP: 165 UDP RECV: 157 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
Read dc-a6-32-d7-1d-77/start4.elf bytes  2249280 hnd 0x0
TFTP_GET: 00:0d:b9:46:24:7c 10.0.199.200 dc-a6-32-d7-1d-77/fixup4.dat

RX: 180 IP: 0 IPV4: 165 MAC: 165 UDP: 165 UDP RECV: 157 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
TFTP: complete 5399
RX: 187 IP: 0 IPV4: 172 MAC: 172 UDP: 172 UDP RECV: 164 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
Read dc-a6-32-d7-1d-77/fixup4.dat bytes     5399 hnd 0x0
0x00d03114 0x00000000 0x00001fff
MEM GPU: 76 ARM: 948 TOTAL: 1024
Firmware: 102f1e848393c2112206fadffaaf86db04e98326 Aug 26 2022 14:03:16
Starting start4.elf @ 0xfec00200 partition -1
Stopping network
RX: 187 IP: 0 IPV4: 172 MAC: 172 UDP: 172 UDP RECV: 164 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
RX: 187 IP: 0 IPV4: 172 MAC: 172 UDP: 172 UDP RECV: 164 IP_CSUM_ERR: 0 UDP_CSUM_ERR: 0
GENET STOP: 0
XHCI-STOP
xHC ver: 256 HCS: 05000420 fc000031 00e70004 HCC: 002841eb
USBSTS 18
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd083]
...
[    0.243387] Trying to unpack rootfs image as initramfs...
...
[   33.670621] Initramfs unpacking failed: XZ-compressed data is corrupt
[   33.724378] Freeing initrd memory: 65532K

The observations that I can make from this:

1. The initrd is downloaded by start4.elf after Starting start4.elf @ 0xfec00200 partition -1.

2. There is no helpful diagnostics about how many bytes were downloaded (like for start4.elf itself).

3. There are no checksum anywhere to be seen.

4. From the Freeing initrd memory: 65532K kernel message it's clear that the initrd was truncated (it's full size is 88MB).

[pelwell]

Ah - you'll need uart_2ndstage=1. Only files loaded by start4.elf will be hashed.

[boris-kolpackov]

@pelwell Thanks, that definitely gave more information (continuing after the USBSTS 18 line in the above listing):

MESS:00:00:17.799731:0: genet: LINK STATUS: speed: 1000 full duplex
MESS:00:00:17.803706:0: genet: GENET START: 128 8 8
MESS:00:00:17.809590:0: genet: GENET: UMAC_START 0xdca632d7 0x1d770000
MESS:00:00:17.821179:0: brfs: File read: /mfs/sd/config.txt
MESS:00:00:17.824007:0: brfs: File read: 360 bytes
MESS:00:00:17.909734:0: HDMI1:EDID error reading EDID block 0 attempt 0
MESS:00:00:17.914242:0: HDMI1:EDID giving up on reading EDID block 0
MESS:00:00:17.926444:0: brfs: File read: /mfs/sd/config.txt
MESS:00:00:18.424602:0: gpioman: gpioman_get_pin_num: pin DISPLAY_DSI_PORT not defined
MESS:00:00:18.431919:0: *** Restart logging
MESS:00:00:18.433328:0: brfs: File read: 360 bytes
MESS:00:00:18.503957:0: hdmi: HDMI1:EDID error reading EDID block 0 attempt 0
MESS:00:00:18.508983:0: hdmi: HDMI1:EDID giving up on reading EDID block 0
MESS:00:00:18.524644:0: hdmi: HDMI1:EDID error reading EDID block 0 attempt 0
MESS:00:00:18.529726:0: hdmi: HDMI1:EDID giving up on reading EDID block 0
MESS:00:00:18.535322:0: hdmi: HDMI:hdmi_get_state is deprecated, use hdmi_get_display_state instead
MESS:00:00:18.544081:0: HDMI0: hdmi_pixel_encoding: 300000000
MESS:00:00:18.549573:0: HDMI1: hdmi_pixel_encoding: 300000000
MESS:00:00:39.123010:0: brfs: File read: /mfs/sd/buildos-initrd-aarch64
MESS:00:00:39.126564:0: Loaded 'buildos-initrd-aarch64' to 0x0 size 0x3fffc00
MESS:00:01:09.221493:0: sha256: 57d8a0e89c09ee5bef3782cbe33e7c85238b0c57faa76cec8af7983beae0d16d
MESS:00:01:09.338195:0: initramfs loaded to 0x2b000000 (size 0x3fffc00)
...

So the size reported (0xfffc00 == 67107840 == 65535KiB) is truncated. Naturally, the checksums don't match either (I've also checked the kernel checksum and it matches, so we are definitely using the same "sha256").

Let me know if you need any more information from my side.

[pelwell]

0x3fffc00 equates to 65535 x 1024. According to what I found on Wikipedia, the TFTP protocol is limited to 65535 (0xffff) blocks, each of which can hold up to 65535 bytes. However, the implementation in the EEPROM has TFTP_MAX_BLOCKSIZE set to 1024, which explains the limit you've found.

It does seem as if larger files can't be downloaded without that TFTP_MAX_BLOCKSIZE being increased, and that may have knock-on consequences - especially since an Ethernet packet payload is only ~1500 bytes.

[boris-kolpackov]

Interesting. Do you think TFTP_MAX_BLOCKSIZE can be exposed as a configuration parameter in bootconf.txt/config.txt or is this a compile-time constant?

[timg236]

The bootloader isn't loading the initrd in this case, it's loaded by start4.elf. I think it's unlikely that the ethernet max packet size would be increased though.

[timg236]

I think a better alternative would be to use BOOT_ORDER_HTTP and package all of the boot files into a boot.img. This also has the advantage that boot.img files can be signed and at some pointer we'll probably add support for HTTPS (assuming we can find space for cutdown certifcate store)

[lurch]

@pelwell / @timg236 Is it worth mentioning this maximum TFTP file-size limitation in our documentation?

[pelwell]

Is it worth asking the question?

[timg236]

Minor point, this TFTP discussion is nothing to do with issue posted by the OP which was about the boot.img ramdisk that was limited to 64MB

[lurch]

@boris-kolpackov It looks like with the latest firmware and beta EEPROM the maximum initrd size is now 91MB.

[boris-kolpackov]

@lurch Thanks, will give it a try when get a chance and report back.

[timg236]

Now that the release is available I'm locking this bug. The TFTP issue is orthogonal to the boot.img size and it's confusing to have a github issue tracking two different things even if they are superficially similar.