[SeaBIOS] [PATCH 1/2] Add an option to only execute option ROMs contained in CBFS

Timothy Pearson tpearson at raptorengineeringinc.com
Fri Feb 13 21:09:05 CET 2015


On 02/13/2015 02:05 PM, Kevin O'Connor wrote:
> On Wed, Feb 11, 2015 at 05:32:03PM -0600, Timothy Pearson wrote:
>> TEST: Booted ASUS KFSN4-DRE with iPXE ROMs built in to CBFS;
>> with this option set the on-board network ROMs were ignored
>> while the iPXE ROMs executed normally.
>>
>> Signed-off-by: Timothy Pearson <tpearson at raptorengineeringinc.com>
>
> Hi Timothy,
>
> Thanks for providing the patch and sorry for the delay in reviewing.
>
>> ---
>>   src/Kconfig      |   11 +++++++++++
>>   src/optionroms.c |    3 +++
>>   2 files changed, 14 insertions(+)
>>
>> diff --git a/src/Kconfig b/src/Kconfig
>> index 45ca59c..9cac231 100644
>> --- a/src/Kconfig
>> +++ b/src/Kconfig
>> @@ -355,6 +355,17 @@ menu "BIOS interfaces"
>>           default y
>>           help
>>               Support finding and running option roms during POST.
>> +    config CBFS_OPTIONROMS_ONLY
>> +        depends on OPTIONROMS&&  COREBOOT_FLASH
>> +        bool "Only execute option ROMs stored in CBFS"
>> +        default "n"
>> +        help
>> +            Only execute option ROMs that are stored in CBFS.
>> +            Do not scan PCI bus for option ROMs.  This is useful
>> +            if one or more of your PCI devices crash/hang SeaBIOS
>> +            when executing their option ROMs, but you need to use
>> +            one or more option ROMs (such as SeaVGABIOS) that were
>> +            loaded into CBFS.
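Review bot: `default "n"` on the new CBFS_OPTIONROMS_ONLY bool quotes the value; the neighbouring bool in this menu (OPTIONROMS, `default y` just above) uses the unquoted form, so this should be `default n`. The same line block has `depends on OPTIONROMS&&  COREBOOT_FLASH`, which should read `depends on OPTIONROMS && COREBOOT_FLASH`. The help text would also benefit from stating the one case that still runs with the option on, so that a user of a "blob-free" build is not surprised: a ROM that was stored in CBFS under the per-device name (`pci1234,5678.rom`) is still executed, while the expansion ROM on the device itself is never read. Finally, the diffstat lists 3 insertions in src/optionroms.c, but that hunk is not part of this quoted reply, so the point at which the PCI scan is actually skipped cannot be checked here.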
>
> In general, I prefer for these types of options to be set at runtime
> (by making a new CBFS file such as "etc/run-option-roms" and using the
> romfile_loadint() mechanism) instead of at compile time.
>
> That said, it should already be possible to prevent a particular option
> rom from running by creating a dummy option rom for that device in
> CBFS.  That is, it should be possible to create a dummy cbfs file
> "pci1234,5678.rom" to prevent the option rom on PCI device 1234:5678
> from running.  Not sure if this fixes the issue you were seeing, but
> if so maybe the best fix is to just update the documentation.
>
> -Kevin

This patch in particular guarantees that no matter what devices are 
plugged in (e.g. long after the BIOS has been flashed) they will not 
have their option ROMs executed.  Its primary use is for those who want 
a blob-free system, e.g. for high-security applications.

The second patch in this series also operates slightly differently from 
the proposed device ID-based override in that it allows the blacklisting 
of entire buses and devices based on their physical location on the bus 
instead of the exact device installed.  I could easily see a use for any 
of the three methods depending on the exact needs of the end user.

-- 
Timothy Pearson
Raptor Engineering
+1 (415) 727-8645
http://www.raptorengineeringinc.com
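Kevin's per-device override (a dummy "pci1234,5678.rom" placed in CBFS so that the matching device's own expansion ROM is never fetched) as an added, worked example; this script is not from the thread, from SeaBIOS or from coreboot. It builds a 512-byte legacy option ROM whose init entry point is a single RETF, verifies that the image satisfies the standard option ROM header rules (0x55AA signature, size byte in 512-byte units, byte sum of the whole image equal to zero mod 256), and shows the cbfstool invocation that stores it under the per-device name. It assumes that an image passing those header rules is accepted as a valid ROM by SeaBIOS; the vendor/device IDs, the coreboot image path and the helper names are placeholders chosen here, not names from the project.

```shell
#!/bin/sh
# dummy_oprom.sh: build a do-nothing option ROM and install it in CBFS as the
# per-device override for one PCI vendor:device pair (illustrative script).
set -eu

# Sum of all bytes of file $1, printed in decimal. Uses -v so od does not
# collapse the long run of zero bytes into a "*" line.
rom_byte_sum() {
    total=0
    for b in $(od -An -tu1 -v "$1"); do
        total=$((total + b))
    done
    echo "$total"
}

# Write a minimal 512-byte legacy option ROM to $1:
#   offset 0-1: 0x55 0xAA signature
#   offset 2:   size in 512-byte units (1)
#   offset 3:   init entry point; RETF (0xCB) returns to the BIOS at once
#   offset 511: checksum byte chosen so the whole image sums to 0 mod 256
make_dummy_oprom() {
    out="$1"
    printf '\125\252\001\313' > "$out"
    head -c 507 /dev/zero >> "$out"          # zero fill up to the checksum byte
    sum=$(rom_byte_sum "$out")
    cs=$(( (256 - sum % 256) % 256 ))
    printf "\\$(printf '%03o' "$cs")" >> "$out"
}

# Return 0 when $1 looks like a well-formed option ROM image: signature
# present, length matches the size byte, and the byte sum is 0 mod 256.
rom_header_ok() {
    f="$1"
    sig=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    [ "$sig" = "55aa" ] || return 1
    blocks=$(od -An -tu1 -j2 -N1 "$f" | tr -d ' \n')
    [ "$(wc -c < "$f" | tr -d ' ')" -eq $((blocks * 512)) ] || return 1
    [ $(( $(rom_byte_sum "$f") % 256 )) -eq 0 ]
}

# Store $4 in coreboot image $1 under the name SeaBIOS uses for a per-device
# ROM lookup, "pciVVVV,DDDD.rom" (IDs in lower-case hex, as in Kevin's
# example "pci1234,5678.rom"). The "add" sub-command and the "optionrom"
# file type are cbfstool's own; everything else here is caller-supplied.
install_override() {
    image="$1"; vendor="$2"; device="$3"; dummy="$4"
    cbfstool "$image" add -f "$dummy" -n "pci${vendor},${device}.rom" -t optionrom
}

# Usage: dummy_oprom.sh coreboot.rom 1234 5678
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp)
    make_dummy_oprom "$tmp"
    rom_header_ok "$tmp"
    install_override "$1" "$2" "$3" "$tmp"
    rm -f "$tmp"
fi
```

The override is only as broad as the name it is stored under: it silences the ROM of whatever device carries that exact vendor:device pair, which is why Timothy contrasts it with his compile-time option (no device ROM is ever read, whatever is plugged in later) and with the bus-location blacklist of the second patch. Run `cbfstool coreboot.rom print` afterwards to confirm the file landed in the image before flashing.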