On Fri, Feb 13, 2015 at 04:35:08PM -0500, Kevin O'Connor wrote:
On Fri, Feb 13, 2015 at 02:09:05PM -0600, Timothy Pearson wrote:
This patch in particular guarantees that no matter what devices are plugged in (e.g. long after the BIOS has been flashed) they will not have their option ROMs executed. Its primary use is for those who want a blob-free system, e.g. for high-security applications.
That makes sense, but I think it needs to be a runtime setting. I'll see if I can put together a quick patch to better show what I mean.
Below is an example of what I was suggesting (untested). The patch below uses the file "/etc/pci-optionroms" - 0 means don't run any option roms, 1 means run only the option rom for the primary vga device, 2 means run option roms for only non-vga devices, and 3 means run all option roms (the default).
-Kevin
diff --git a/src/optionroms.c b/src/optionroms.c index 93d9d2f..ed05870 100644 --- a/src/optionroms.c +++ b/src/optionroms.c @@ -20,6 +20,8 @@ #include "string.h" // memset #include "util.h" // get_pnp_offset
+static int EnforceChecksum, S3ResumeVga, RunPCIroms; +
/**************************************************************** * Helper functions @@ -60,8 +62,6 @@ call_bcv(u16 seg, u16 ip) __callrom(MAKE_FLATPTR(seg, 0), ip, 0); }
-static int EnforceChecksum; - // Verify that an option rom looks valid static int is_valid_rom(struct rom_header *rom) @@ -329,7 +329,7 @@ init_pcirom(struct pci_device *pci, int isvga, u64 *sources) , pci_bdf_to_bus(bdf), pci_bdf_to_dev(bdf), pci_bdf_to_fn(bdf) , pci->vendor, pci->device); struct rom_header *rom = lookup_hardcode(pci); - if (! rom) + if (!rom && RunPCIroms & (isvga ? 1 : 2)) rom = map_pcirom(pci); if (! rom) // No ROM present. @@ -416,7 +416,6 @@ optionrom_setup(void) * VGA init ****************************************************************/
-static int S3ResumeVga; int ScreenAndDebug; struct rom_header *VgaROM;
@@ -432,6 +431,7 @@ vgarom_setup(void) // Load some config settings that impact VGA. EnforceChecksum = romfile_loadint("etc/optionroms-checksum", 1); S3ResumeVga = romfile_loadint("etc/s3-resume-vga-init", CONFIG_QEMU); + RunPCIroms = romfile_loadint("etc/pci-optionroms", 3); ScreenAndDebug = romfile_loadint("etc/screen-and-debug", 1);
if (CONFIG_OPTIONROMS_DEPLOYED) {
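Review bot: In the first hunk, folding the three unrelated flags into `static int EnforceChecksum, S3ResumeVga, RunPCIroms;` moves `EnforceChecksum` and `S3ResumeVga` away from the code that uses them; one declaration per line, each with a short comment on what it controls, would keep the move readable and give `RunPCIroms` a natural place to record which bit means VGA and which means non-VGA.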
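Review bot: In the init_pcirom hunk, `if (!rom && RunPCIroms & (isvga ? 1 : 2))` is correct only because `&` binds tighter than `&&`; writing `if (!rom && (RunPCIroms & (isvga ? 1 : 2)))` makes the intent obvious to the next reader. Two behaviours are also worth spelling out in the commit message: a ROM returned by `lookup_hardcode(pci)` is still run whatever the setting, since the new test only gates `map_pcirom`, and any value outside 0..3 (say 4) has neither bit set and silently disables all PCI option ROMs instead of being rejected or reported as a misconfiguration.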
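Review bot: In the vgarom_setup hunk, the new `RunPCIroms = romfile_loadint("etc/pci-optionroms", 3);` sits under the comment `// Load some config settings that impact VGA.`, but the setting also governs non-VGA ROMs in init_pcirom; adjust the comment, and document the `etc/pci-optionroms` name and the meaning of values 0, 1, 2 and 3 alongside the other `etc/` runtime settings, since at the moment the cover mail is the only place the encoding is explained.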
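The following is an added illustration of the bitmask policy the cover mail describes; it is not part of the patch or of SeaBIOS. The function names `pci_rom_allowed` and `pci_rom_policy_from_config` are hypothetical, and unlike the patch (whose default is 3), the validation helper here treats an out-of-range value as a misconfiguration and falls back to running no ROMs at all.

```c
#include <stdbool.h>
#include <stdio.h>

/* Values of "etc/pci-optionroms" as described in the cover mail:
 * bit 0 permits the primary VGA ROM, bit 1 permits non-VGA ROMs. */
enum {
    PCIROM_NONE   = 0,   /* run no PCI option ROMs           */
    PCIROM_VGA    = 1,   /* run only the primary VGA ROM     */
    PCIROM_NONVGA = 2,   /* run only non-VGA ROMs            */
    PCIROM_ALL    = 3,   /* run all ROMs (the patch default) */
};

/* The same test as the patch's `RunPCIroms & (isvga ? 1 : 2)`, with
 * explicit parentheses. Returns true when a device's ROM may be mapped
 * and executed under the given policy. */
bool pci_rom_allowed(int policy, bool isvga)
{
    int needed = isvga ? PCIROM_VGA : PCIROM_NONVGA;
    return (policy & needed) != 0;
}

/* Validate a raw value read from the config file. Anything outside 0..3
 * is treated as a misconfiguration and mapped to PCIROM_NONE (fail closed),
 * rather than relying on whichever low bits happen to be set. */
int pci_rom_policy_from_config(int raw)
{
    if (raw < PCIROM_NONE || raw > PCIROM_ALL)
        return PCIROM_NONE;
    return raw;
}

/* Print the decision matrix for every documented value plus one bad one. */
int main(void)
{
    const int samples[] = { 0, 1, 2, 3, 4 };
    printf("raw  policy  vga  non-vga\n");
    for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int raw = samples[i];
        int policy = pci_rom_policy_from_config(raw);
        printf("%3d  %6d  %3s  %7s\n", raw, policy,
               pci_rom_allowed(policy, true) ? "run" : "skip",
               pci_rom_allowed(policy, false) ? "run" : "skip");
    }
    return 0;
}
```

The matrix makes the asymmetry of the patch visible: value 1 still lets the VGA ROM run while blocking everything else, so a "blob-free" configuration is value 0, not 1.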