powerpc linux kernel board bring-up problem

Reading this forum:

https://forum.kernelnewbies.org/read.php?18,118113,118113#msg-118113

And to requote the problem here:

Hi everyone!

I got lucky and got an embedded linux internship

I’m trying to port linux to an existing board that is currently using vxWorks.
The board uses an mpc8572e processor which contains two e500v2 cores. Basically, the entry point in vmlinux
is arch/powerpc/kernel/head_fsl_booke.S

We are using the simpleboot bootwrapper which works just fine (simpleboot passes the device tree address and jump right into the gunziped vmlinux which is located at 0x0 physical).

head_fsl_booke.S include arch/powerpc/kernel/fsl_booke_entry_mapping.S and we just crash at line 223 (rfi instruction)
of fsl_booke_entry_mapping.S

215 lis r7,MSR_KERNEL@h
216 ori r7,r7,MSR_KERNEL@l
217 bl 1f /* Find our address */
218 1: mflr r9
219 rlwimi r6,r9,0,20,31
220 addi r6,r6,(2f – 1b)
221 mtspr SPRN_SRR0,r6
222 mtspr SPRN_SRR1,r7
223 rfi /* start execution out of TLB1[0] entry */

rfi at line 223 causes us to jump to 0xc000_0264 while we want to jump to 0x000_0264.
This is not caused by our mmu, we are basically loading 0xc000_0264 in srr0

It’s related to the following config fields in our defconfig:
CONFIG_PAGE_OFFSET=0xc0000000 <—-
CONFIG_PHYSICAL_START=0x00000000
CONFIG_PHYSICAL_ALIGN=0x04000000
CONFIG_TASK_SIZE=0xc0000000
CONFIG_KERNEL_START=0xc00000000 <—–

I tried to set CONFIG_KERNEL_START and CONFIG_PAGE_OFFSET to 0x0 but this would not compile:
arch/powerpc/include/asm/processor.h:100:2: error: #error User TASK_SIZE overlaps with KERNEL_START address

By the way CONFIG_TASK_SIZE=0xc0000000

Also, my debugger cannot map anything because all the symbols in vmlinux are at 0xcxxx_xxxx but we are at 0x0xxx_xxxx

Pretty much all the ports that uses the simpleboot bootwrapper are gunzipping vmlinux at 0x0 but I can easily change that
and I tried to send vmlinux at 0xc000_0000 and it solved this particular issue but then the mmu mapping just does not work
because simpleboot extract our device tree at about 0x0011_0000 and we need vmlinux and the device tree to be inside a 64Mb page (also tried to hack fsl_booke_entry_mapping.S to create a 4GB tlb entry based at 0x0 and this was causing other issues…)

Got any idea?

The details I cannot help.   But my suggested steps of action are as follows:

First is to get the cross-compiler for e500v2 (ppc):

https://www.nxp.com/docs/en/supporting-information/WBNR_FTF10_NET_F0676.pdf

http://zeromq.org/build:powerpc

https://community.nxp.com/thread/310153

Next is to compile uboot for the board:

https://github.com/theopolis/u-boot-sboot

which is support board itself (mpc8572e).   Next is the emulator, but not sure if it works? (though it indicated support for mpc8572e)

https://github.com/tycho/pearpc

And to understand how uboot can startup the PPC CPU, you will need to know PPC hardware knowledge specific to e500v2 and all the bootup details:

https://www.nxp.com/docs/en/application-note/AN4064.pdfhttps://www.nxp.com/docs/en/reference-manual/E500CORERM.pdf

And then only the final steps is the understanding of Linux kernel itself, and its bootup requirements:

https://manybutfinite.com/post/kernel-boot-process/http://processors.wiki.ti.com/index.php/HOWTO_Change_the_Linux_Kernel_Start_Address

 

Internals of ptrace(): from the malware perspective

After reading a few questions on ptrace():

https://stackoverflow.com/questions/24573247/ptrace-how-can-i-stop-getting-traced-in-child-process

https://stackoverflow.com/questions/29804846/where-would-the-cpu-context-interrupted-by-ptrace-be-userspace-stack-or-kernel?rq=1

https://stackoverflow.com/questions/27930589/when-using-getregs-does-ptrace-get-only-userspace-stack-rsp-or-both-kernel-and/48626668#48626668

I realize there is a great lack of understanding of the power and depth of ptrace().

First I shall describe all the power of ptrace():

a. When you ptrace() another program (called debuggee), the debuggee basically will stopped completely (in userspace) and let you do whatever you want with his registers, memory, and essentially everything in userspace.

http://man7.org/linux/man-pages/man2/ptrace.2.html

b. You can legally do anything that is read-only. But if you modify the register, then be aware of the consequences.

c. Malware writer likes to use ptrace(), but why and how?

This is because with ptrace(), you can essentially redirect the debuggee to call malloc(), and given the newly allocated memory, insert a new program into the newly allocated memory (making sure the pages are marked readable and executable), and redirect some existing codes to that memory for execution and then let the debuggee continue execution.

There is a lot more details then that, requiring many ptrace() calls for its complete implementation. And various names are given for it, libraries injection is one of them.

https://github.com/gaffe23/linux-inject

https://shunix.com/shared-library-injection-in-android/   (Android and other Linux shared the same kernel, or almost).

d. A syscall, by definition, is an atomic operation: this means that if it start in userspace, it will end up in userspace. It should not terminate its execution in the kernel, unless it has encountered some blocking kernel functions. An example is “kmalloc()”, which can block, and thus immediately the execution thread will be queued and to be replaced by the next tasks for execution on the CPU.

e. For security reasons, kernel execute at ring 0, and userspace is at ring 3. So by design, userspace will never be able to see any of the values on the registers or memory IN THE KERNEL. Anything to be displayed must be specifically read and transfer over from kernel to userspace.

f. The relationship between the debugger and debuggee, is a highly interlocking one:   when one is executing, you have to ensure the other is blocked and waiting for exception.   Ie, when you ptrace() the debuggee, the debugger will immediately go into a waiting mode (blocking), so that when the debuggee enter a blocking instruction, execution will return back to the debugger, and only when it is in the waiting mode will he be able to catch it.   And vice versa – it can really get very complicated between waiting and continue execution etc.

References:

c – How to detect if the current process is being run by GDB? – Stack Overflow

https://stackoverflow.com/questions/3596781/how-to-detect-if-the-current-process-is-being-run-by-gdb

Accessing data in the RAM of one process from second process

https://stackoverflow.com/questions/27853198/accessing-data-in-the-ram-of-one-process-from-second-process/27853327#27853327