Re: UKC> disable "smth"
On 2024-03-16, Nick Holland wrote:
> IF you want to make changes to disk, use "config -ef" from
> the booted system, then write your changes to disk. Then
> you can either use config -ef to re-enable a device, or just
> copy over an unmodified kernel.
>
> Be aware that altering the kernel binary will "break" the
> Kernel Address Re-Linking (KARL). There are fixes for this,
> HOWEVER, I'm not sure what your goals are here in tweaking
> your kernel like this, but I'm guessing breaking KARL isn't
> your biggest problem you are about to create for yourself.

in the few cases where this does make sense: add to bsd.re-config(5)
and run /usr/libexec/reorder_kernel by hand

> This probably isn't something you want to be doing.

yep.

--
Please keep replies on the mailing list.
Re: UKC> disable "smth"
Thx. So, there is no kernel support for the Intel MEI, but
kernel only knows how to identify it. Ugh, I wish OpenBSD
had a way to audit hardware components, please? Because
this Intel MEI is a closed source software (Linux based from
what I read) and running inside our CPUs, with full unfettered
unchecked access to all hardware components, with zero
visibility for us to vet it because it's '''proprietary'''. Can we
still talk about security in this context? What's OpenBSD's
official position on this?

On Sat, Mar 16, 2024 at 6:05 PM Zé Loff wrote:
>
> On Sat, Mar 16, 2024 at 05:52:22PM +0500, ofthecentury wrote:
> > I boot with 'boot -c' and then
> > enter 'disable mei' and then
> > 'quit'.
> > Pcidump still shows Intel MEI,
> > just as it does when booting
> > with default config. I don't
> > think anything changed.
> > But UKC doesn't complain
> > when I disable mei, so I know
> > it knows 'mei' and disables it.
> > But how would I know it
> > does disable it?
> >
> > Also, 'boot -c' accumulates what
> > changes I do. How does one
> > reset changes to go back to
> > vanilla kernel?
> >
>
> Just because it is detected it does not mean a driver is attached to it.
>
> E.g. on my machine:
>
>     # pcidump | grep -i mei
>     0:22:0: Intel 200 Series MEI
>
>     # dmesg | grep -i mei
>     "Intel 200 Series MEI" rev 0x00 at pci0 dev 22 function 0 not configured
>
> The "not configured" is the relevant part, here.
>
> Plus, more knowledgeable people will correct me if I'm wrong, but I
> don't think a "mei" driver exists.
>
> If for some reason you want to "disable" it further than this you'll
> have to do it in BIOS or find a way to power it off, but good luck with
> that.
>
> Cheers
> Zé
> --
Re: UKC> disable "smth"
On Sat, Mar 16, 2024 at 7:29 PM Nick Holland wrote:
> Again, an incorrect assumption. boot -c does NOT retain
> changes between boots. UKC> is after the kernel is loaded
> but before the kernel is fully running. While in ukc>,
> the kernel doesn't really have an ability to write to
> disk, as it hasn't been fully started yet.

Thanks. That's what I thought. Until I ran 'boot -c' several
times and saw each of my UKC commands from previous boots
be in dmesg. What's going on with this?

> Be aware that altering the kernel binary will "break" the
> Kernel Address Re-Linking (KARL). There are fixes for this,
> HOWEVER, I'm not sure what your goals are here in tweaking
> your kernel like this, but I'm guessing breaking KARL isn't
> your biggest problem you are about to create for yourself.
> This probably isn't something you want to be doing.

No no, I want KARL, it's very important. I didn't realize
this will break it. ANY kernel config editing does this?
Is there a way to avoid this?
Re: UKC> disable "smth"
On 3/16/24 08:52, ofthecentury wrote:
> I boot with 'boot -c' and then
> enter 'disable mei' and then
> 'quit'.
> Pcidump still shows Intel MEI,
> just as it does when booting
> with default config. I don't
> think anything changed.

In this case, correct. As was already pointed out -- devices exist
or don't -- but that's a hw config that the OS doesn't usually have
a lot of control over. All the OS can do is connect a driver or not.
config or ukc only disables OS support for something. pcidump will
show you what HW the OS knows exists, and on modern machines, that's
going to be a pretty complete list.

> But UKC doesn't complain
> when I disable mei, so I know
> it knows 'mei' and disables it.

this assumption is not correct:

    ukc> disable nothing    # invalid device -- no response
    ukc> disable ep         # valid device -- response!
    110 ep* disabled
    111 ep* disabled

You can easily verify this with a known good device and a bogus name
(like my 'nothing' above).

> But how would I know it
> does disable it?
>
> Also, 'boot -c' accumulates what
> changes I do. How does one
> reset changes to go back to
> vanilla kernel?

Again, an incorrect assumption. boot -c does NOT retain
changes between boots. UKC> is after the kernel is loaded
but before the kernel is fully running. While in ukc>,
the kernel doesn't really have an ability to write to
disk, as it hasn't been fully started yet.

IF you want to make changes to disk, use "config -ef" from
the booted system, then write your changes to disk. Then
you can either use config -ef to re-enable a device, or just
copy over an unmodified kernel.

Be aware that altering the kernel binary will "break" the
Kernel Address Re-Linking (KARL). There are fixes for this,
HOWEVER, I'm not sure what your goals are here in tweaking
your kernel like this, but I'm guessing breaking KARL isn't
your biggest problem you are about to create for yourself.

This probably isn't something you want to be doing.

Nick.
Re: UKC> disable "smth"
On Sat, Mar 16, 2024 at 05:52:22PM +0500, ofthecentury wrote:
> I boot with 'boot -c' and then
> enter 'disable mei' and then
> 'quit'.
> Pcidump still shows Intel MEI,
> just as it does when booting
> with default config. I don't
> think anything changed.
> But UKC doesn't complain
> when I disable mei, so I know
> it knows 'mei' and disables it.
> But how would I know it
> does disable it?
>
> Also, 'boot -c' accumulates what
> changes I do. How does one
> reset changes to go back to
> vanilla kernel?
>

Just because it is detected it does not mean a driver is attached to it.

E.g. on my machine:

    # pcidump | grep -i mei
    0:22:0: Intel 200 Series MEI

    # dmesg | grep -i mei
    "Intel 200 Series MEI" rev 0x00 at pci0 dev 22 function 0 not configured

The "not configured" is the relevant part, here.

Plus, more knowledgeable people will correct me if I'm wrong, but I
don't think a "mei" driver exists.

If for some reason you want to "disable" it further than this you'll
have to do it in BIOS or find a way to power it off, but good luck with
that.

Cheers
Zé
--
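
The dmesg check described in the message above, as an added example that is not part of the original thread: a POSIX shell helper that reports whether a detected device is "not configured" or has a driver attached, and lists every device left without a driver. The function names are hypothetical, and every sample line except the MEI line quoted in the thread is constructed for illustration.

```shell
#!/bin/sh
# Constructed sample dmesg text; only the MEI line is taken from the thread.
SAMPLE_DMESG='pci0 at mainbus0 bus 0
"Intel 200 Series MEI" rev 0x00 at pci0 dev 22 function 0 not configured
em0 at pci0 dev 31 function 6 "Intel I219-V" rev 0x00: msi, address 00:00:5e:00:53:01
ppb0 at pci0 dev 28 function 0 "Intel 200 Series PCIE" rev 0xf0: msi'

# driver_state PATTERN [DMESG_TEXT]
# Case-insensitive substring match on dmesg lines. Prints one of:
#   "not configured"      device was found, no driver attached
#   "attached <driver>"   a driver instance (e.g. em0) claimed it
#   "absent"              no dmesg line mentions the pattern
# If several lines match, the last one wins.
driver_state() {
    pattern=$1
    text=${2-$(dmesg)}        # default to the live message buffer
    printf '%s\n' "$text" | awk -v pat="$pattern" '
        BEGIN { state = "absent" }
        index(tolower($0), tolower(pat)) == 0 { next }
        / not configured$/ { state = "not configured"; next }
        $2 == "at"         { state = "attached " $1 }
        END { print state }'
}

# unclaimed_devices [DMESG_TEXT]
# Lists every device the kernel enumerated but attached no driver to,
# as "<bus> <dev>:<function> <description>".
unclaimed_devices() {
    text=${1-$(dmesg)}
    printf '%s\n' "$text" | sed -n \
        's/^\(.*\) at \([a-z]*[0-9]*\) dev \([0-9]*\) function \([0-9]*\) not configured$/\2 \3:\4 \1/p'
}

# Demonstration on the sample text.
driver_state mei "$SAMPLE_DMESG"
driver_state i219 "$SAMPLE_DMESG"
unclaimed_devices "$SAMPLE_DMESG"
```

Called without the text argument, both functions read the running system's dmesg instead of the sample.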
UKC> disable "smth"
I boot with 'boot -c' and then
enter 'disable mei' and then
'quit'.
Pcidump still shows Intel MEI,
just as it does when booting
with default config. I don't
think anything changed.
But UKC doesn't complain
when I disable mei, so I know
it knows 'mei' and disables it.
But how would I know it
does disable it?

Also, 'boot -c' accumulates what
changes I do. How does one
reset changes to go back to
vanilla kernel?