[flashrom] Porting flashrom to OpenBSD

Stuart Henderson stu at spacehopper.org
Sat Jun 26 15:30:13 CEST 2010


On 2010/06/26 14:47, Kevin Chadwick wrote:
> On Fri, 25 Jun 2010 20:53:35 -0400
> Brynet <brynet at gmail.com> wrote:
>
> > I know of at least one OpenBSD developer wanting to update their BIOS
> > from OpenBSD.
>
> Sorry, but it's an imperfect world and I'm sure everyone appreciates
> your efforts.
>
> Personally I'd much prefer using a boot disk (OpenBSD or not) or
> even a special kernel to do this and only this. I am disgusted with the
> live updates of BIOS and video BIOS on Windows.

That's your opinion, feel free to handle flashing this way.
Those who need to update flash ICs remotely and have experienced
the pain of trying to get certain vendor tools to run under
pxeboot + serial console will know there are cases where this
is just not an option.

> I'm sure that developer is perfectly capable of checksumming his BIOS
> and updating.
>
> Many may not realise the risks, which are often there during every
> boot and may not check their BIOSes or wish to do so so often. The ones
> who do may take precautions and still wish to do fewer checks.
>
> I'd prefer to know my bsd.rd environment cannot do this when I run
> something from userland and the security of OpenBSD improved to the
> highest level, when/if X solves the remaining issues.

We already have a BIOS flasher in the ports tree (sysutils/dellflash).
It requires special steps to be taken to use. Userland just does not
and should not have this level of access to the system unless
configuration changes are deliberately made. (In the case of
dellflash, a kernel module handles access to the flash device
which of course must be loaded before securelevel is raised).

I don't see anybody here talking about permitting this sort of
thing by default.

It is at least going to take a reboot and either running in single-
user mode or adjusting rc.securelevel. The system administrator must
make a deliberate change; unless he is hard of thinking he will
clearly understand that this will impact security.
