Re: [SeaBIOS] [PATCH 2/2] Add PCI option ROM blacklist in CBFS

2015-02-13 Thread Timothy Pearson

On 02/13/2015 02:10 PM, Kevin O'Connor wrote:

On Wed, Feb 11, 2015 at 05:32:36PM -0600, Timothy Pearson wrote:

File:
pci_optrom_blacklist.txt

Syntax:
bus,device,function
Numbers or a single wildcard ('*') are allowed
Each blacklisted device is placed on a separate line

Examples:
Blacklist device 01:04.0:
1,4,0
Blacklist all devices on bus 5:
5,*,*

TEST: Booted ASUS KFSN4-DRE with iPXE ROMs built in to CBFS;
with the two add-on network devices blacklisted the add-on
network ROMs were ignored while the on-board iPXE ROMs executed
normally.


Thanks for submitting.

It's possible to blacklist the execution of an option rom on a
particular device today by creating a dummy option rom for that device
in CBFS.  Given this, is this patch still needed?


As mentioned in my previous message, yes, I believe the additional
functionality offered by this patch is needed.  At least on my
coreboot-based board here the BDFs are stable and it is useful to, for
example, blacklist the option ROMs on the add-on slots to avoid a
potential failure to boot when the hardware is inevitably reconfigured
in the future.



Putting PCI bus/dev/fn ids in CBFS isn't a great solution because (I'm
told) some boards can change BDFs from one boot to another.  (In
general, BDFs are not stable.)  That's why the existing option rom
mechanism uses vendor/device ids.

BTW, the white space in your patch got corrupted during delivery.


If you are considering using the patch, I will re-send.

Thanks!

--
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645
http://www.raptorengineeringinc.com

___
SeaBIOS mailing list
SeaBIOS@seabios.org
http://www.seabios.org/mailman/listinfo/seabios
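
The blacklist file format from the patch description above (one "bus,device,function" entry per line, each field a number or a single '*' wildcard), written out as a standalone matcher. This is an added example, not code from the patch or from SeaBIOS; it assumes the fields are decimal and that the file contents have already been read out of CBFS into a NUL-terminated string. Kevin's caveat stands: a match on bus/dev/fn only protects a slot whose numbering is stable from one boot to the next.

```c
#include <stdio.h>
#include <string.h>
/* One line of the thread's pci_optrom_blacklist.txt format: "bus,device,function",
 * each a number or the '*' wildcard (kept as -1).  Added example, not SeaBIOS code. */
struct bl_entry { int bus, dev, fn; };

/* Parse a field: decimal digits (assumption; "1,4,0" for 01:04.0 reads the same in
 * either base) or '*'.  Returns a pointer past the field, or NULL if malformed. */
static const char *parse_field(const char *s, int *out)
{
    if (*s == '*') { *out = -1; return s + 1; }
    if (*s < '0' || *s > '9') return NULL;
    for (*out = 0; *s >= '0' && *s <= '9'; s++) *out = *out * 10 + (*s - '0');
    return s;
}

/* Parse the "b,d,f" line at *pp and advance *pp to the next line.  A malformed line
 * returns 0 and matches nothing: a typo fails open, so check the file at build time. */
static int parse_line(const char **pp, struct bl_entry *e)
{
    const char *p = parse_field(*pp, &e->bus);
    int ok = p && *p == ',' && (p = parse_field(p + 1, &e->dev)) != NULL &&
             *p == ',' && (p = parse_field(p + 1, &e->fn)) != NULL;
    if (ok) {
        while (*p == ' ' || *p == '\r') p++;       /* tolerate trailing blanks / CRLF */
        ok = *p == '\n' || *p == '\0';
    }
    const char *nl = strchr(*pp, '\n');
    *pp = nl ? nl + 1 : *pp + strlen(*pp);
    return ok;
}

/* 1 if bus:dev.fn is covered by any entry in the file contents, else 0. */
int optrom_blacklisted(const char *file, int bus, int dev, int fn)
{
    struct bl_entry e;
    for (const char *p = file; *p; )
        if (parse_line(&p, &e) && (e.bus < 0 || e.bus == bus) &&
            (e.dev < 0 || e.dev == dev) && (e.fn < 0 || e.fn == fn))
            return 1;
    return 0;
}

int main(void)
{
    const char *list = "1,4,0\n5,*,*\n";   /* constructed: the two entries from the patch text */
    printf("01:04.0=%d 05:07.3=%d 06:00.0=%d\n", optrom_blacklisted(list, 1, 4, 0),
           optrom_blacklisted(list, 5, 7, 3), optrom_blacklisted(list, 6, 0, 0));
    return 0;
}
```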


Re: [SeaBIOS] [PATCH 1/2] Add an option to only execute option ROMs contained in CBFS

2015-02-13 Thread Kevin O'Connor
On Wed, Feb 11, 2015 at 05:32:03PM -0600, Timothy Pearson wrote:
 TEST: Booted ASUS KFSN4-DRE with iPXE ROMs built in to CBFS;
 with this option set the on-board network ROMs were ignored
 while the iPXE ROMs executed normally.
 
 Signed-off-by: Timothy Pearson tpear...@raptorengineeringinc.com

Hi Timothy,

Thanks for providing the patch and sorry for the delay in reviewing.

 ---
  src/Kconfig  |   11 +++
  src/optionroms.c |3 +++
  2 files changed, 14 insertions(+)
 
 diff --git a/src/Kconfig b/src/Kconfig
 index 45ca59c..9cac231 100644
 --- a/src/Kconfig
 +++ b/src/Kconfig
 @@ -355,6 +355,17 @@ menu BIOS interfaces
  default y
  help
  Support finding and running option roms during POST.
 +config CBFS_OPTIONROMS_ONLY
 +depends on OPTIONROMS  COREBOOT_FLASH
 +bool Only execute option ROMs stored in CBFS
 +default n
 +help
 +Only execute option ROMs that are stored in CBFS.
 +Do not scan PCI bus for option ROMs.  This is useful
 +if one or more of your PCI devices crash/hang SeaBIOS
 +when executing their option ROMs, but you need to use
 +one or more option ROMs (such as SeaVGABIOS) that were
 +loaded into CBFS.
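
Review bot: as quoted here, `+depends on OPTIONROMS  COREBOOT_FLASH` has no operator between the two symbols and `+bool Only execute option ROMs stored in CBFS` has no quotes around the prompt, so the Kconfig fragment would not parse as shown; both look like the delivery corruption noted elsewhere in this thread, and the re-sent patch should read `depends on OPTIONROMS && COREBOOT_FLASH` and `bool "Only execute option ROMs stored in CBFS"`, with the help text indented under `help`. `+default n` is redundant for a bool and can be dropped. The diffstat lists src/optionroms.c (3 insertions) but that hunk is not in this message, so the actual skipping of the PCI ROM scan cannot be reviewed here.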

In general, I prefer for these types of options to be set at runtime
(by making a new CBFS file such as etc/run-option-roms and using the
romfile_loadint() mechanism) instead of at compile time.

That said, it should already be possible to prevent a particular option
rom from running by creating a dummy option rom for that device in
CBFS.  That is, it should be possible to create a dummy cbfs file
pci1234,5678.rom to prevent the option rom on PCI device 1234:5678
from running.  Not sure if this fixes the issue you were seeing, but
if so maybe the best fix is to just update the documentation.

-Kevin



Re: [SeaBIOS] [PATCH 2/2] Add PCI option ROM blacklist in CBFS

2015-02-13 Thread Timothy Pearson

On 02/13/2015 03:40 PM, Kevin O'Connor wrote:

On Fri, Feb 13, 2015 at 02:16:13PM -0600, Timothy Pearson wrote:

On 02/13/2015 02:10 PM, Kevin O'Connor wrote:

On Wed, Feb 11, 2015 at 05:32:36PM -0600, Timothy Pearson wrote:

File:
pci_optrom_blacklist.txt

Syntax:
bus,device,function
Numbers or a single wildcard ('*') are allowed
Each blacklisted device is placed on a separate line

Examples:
Blacklist device 01:04.0:
1,4,0
Blacklist all devices on bus 5:
5,*,*

TEST: Booted ASUS KFSN4-DRE with iPXE ROMs built in to CBFS;
with the two add-on network devices blacklisted the add-on
network ROMs were ignored while the on-board iPXE ROMs executed
normally.


Thanks for submitting.

It's possible to blacklist the execution of an option rom on a
particular device today by creating a dummy option rom for that device
in CBFS.  Given this, is this patch still needed?


As mentioned in my previous message, yes, I believe the additional
functionality offered by this patch is needed.  At least on my
coreboot-based board here the BDFs are stable and it is useful to, for
example, blacklist the option ROMs on the add-on slots to avoid a potential
failure to boot when the hardware is inevitably reconfigured in the future.


I think I need to better understand your use-case.  Can you further
describe the problem you are seeing?  Is there some option rom that
works on a proprietary BIOS, but fails to work on SeaBIOS?  I'm
particularly interested in the situation you face as opposed to
features a possible future user may desire.

Thanks,
-Kevin


This particular patch was a favor to Peter Stuge; as such I don't have a
use case myself for it.  However, the initial patch to disable all option
ROMs was for a system on which I did not want any unknown binary code to
ever execute.  This has multiple applications ranging from useful
(high-security systems) to informational (proving that yes, you can have
a fully functional system utilizing only open source software).


--
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645
http://www.raptorengineeringinc.com



Re: [SeaBIOS] [PATCH 1/2] Add an option to only execute option ROMs contained in CBFS

2015-02-13 Thread Timothy Pearson

On 02/13/2015 02:05 PM, Kevin O'Connor wrote:

On Wed, Feb 11, 2015 at 05:32:03PM -0600, Timothy Pearson wrote:

TEST: Booted ASUS KFSN4-DRE with iPXE ROMs built in to CBFS;
with this option set the on-board network ROMs were ignored
while the iPXE ROMs executed normally.

Signed-off-by: Timothy Pearson tpear...@raptorengineeringinc.com


Hi Timothy,

Thanks for providing the patch and sorry for the delay in reviewing.


---
  src/Kconfig  |   11 +++
  src/optionroms.c |3 +++
  2 files changed, 14 insertions(+)

diff --git a/src/Kconfig b/src/Kconfig
index 45ca59c..9cac231 100644
--- a/src/Kconfig
+++ b/src/Kconfig
@@ -355,6 +355,17 @@ menu BIOS interfaces
  default y
  help
  Support finding and running option roms during POST.
+config CBFS_OPTIONROMS_ONLY
+depends on OPTIONROMS  COREBOOT_FLASH
+bool Only execute option ROMs stored in CBFS
+default n
+help
+Only execute option ROMs that are stored in CBFS.
+Do not scan PCI bus for option ROMs.  This is useful
+if one or more of your PCI devices crash/hang SeaBIOS
+when executing their option ROMs, but you need to use
+one or more option ROMs (such as SeaVGABIOS) that were
+loaded into CBFS.


In general, I prefer for these types of options to be set at runtime
(by making a new CBFS file such as etc/run-option-roms and using the
romfile_loadint() mechanism) instead of at compile time.

That said, it should already be possible to prevent a particular option
rom from running by creating a dummy option rom for that device in
CBFS.  That is, it should be possible to create a dummy cbfs file
pci1234,5678.rom to prevent the option rom on PCI device 1234:5678
from running.  Not sure if this fixes the issue you were seeing, but
if so maybe the best fix is to just update the documentation.

-Kevin


This patch in particular guarantees that no matter what devices are 
plugged in (e.g. long after the BIOS has been flashed) they will not 
have their option ROMs executed.  Its primary use is for those who want 
a blob-free system, e.g. for high-security applications.


The second patch in this series also operates slightly differently from
the proposed device ID-based override in that it allows the blacklisting
of entire buses and devices based on their physical location on the bus
instead of the exact device installed.  I could easily see a use for any
of the three methods depending on the exact needs of the end user.


--
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645
http://www.raptorengineeringinc.com



Re: [SeaBIOS] [PATCH 2/2] Add PCI option ROM blacklist in CBFS

2015-02-13 Thread Kevin O'Connor
On Fri, Feb 13, 2015 at 02:16:13PM -0600, Timothy Pearson wrote:
 On 02/13/2015 02:10 PM, Kevin O'Connor wrote:
 On Wed, Feb 11, 2015 at 05:32:36PM -0600, Timothy Pearson wrote:
 File:
 pci_optrom_blacklist.txt
 
 Syntax:
 bus,device,function
 Numbers or a single wildcard ('*') are allowed
 Each blacklisted device is placed on a separate line
 
 Examples:
 Blacklist device 01:04.0:
 1,4,0
 Blacklist all devices on bus 5:
 5,*,*
 
 TEST: Booted ASUS KFSN4-DRE with iPXE ROMs built in to CBFS;
 with the two add-on network devices blacklisted the add-on
 network ROMs were ignored while the on-board iPXE ROMs executed
 normally.
 
 Thanks for submitting.
 
 It's possible to blacklist the execution of an option rom on a
 particular device today by creating a dummy option rom for that device
 in CBFS.  Given this, is this patch still needed?
 
 As mentioned in my previous message, yes, I believe the additional
 functionality offered by this patch is needed.  At least on my
 coreboot-based board here the BDFs are stable and it is useful to, for
 example, blacklist the option ROMs on the add-on slots to avoid a potential
 failure to boot when the hardware is inevitably reconfigured in the future.

I think I need to better understand your use-case.  Can you further
describe the problem you are seeing?  Is there some option rom that
works on a proprietary BIOS, but fails to work on SeaBIOS?  I'm
particularly interested in the situation you face as opposed to
features a possible future user may desire.

Thanks,
-Kevin



Re: [SeaBIOS] [PATCH 1/2] Add an option to only execute option ROMs contained in CBFS

2015-02-13 Thread Peter Stuge
Kevin O'Connor wrote:
  This patch in particular guarantees that no matter what devices
  are plugged in (e.g. long after the BIOS has been flashed) they
  will not have their option ROMs executed.
 
 That makes sense, but I think it needs to be a runtime setting.

Timothy's original approach is appealing more and more to me. It's a
good way to know that the system will stay as it was when flashed.

Runtime setting - the argument there would be that if someone can
change the flash contents to create a new CBFS file they could also
replace the SeaBIOS payload, right?

It is sort of true, but it *is* slightly easier to write data into
erased flash than to erase existing and then write something new.


//Peter
