[SeaBIOS] [PATCH 1/2] Add an option to only execute option ROMs contained in CBFS

[Kevin O'Connor]

On Fri, Feb 13, 2015 at 02:09:05PM -0600, Timothy Pearson wrote:
> On 02/13/2015 02:05 PM, Kevin O'Connor wrote:
> >In general, I prefer for these types of options to be set at runtime
> >(by making a new CBFS file such as "etc/run-option-roms" and using the
> >romfile_loadint() mechanism) instead of at compile time.
> >
> >That said, it should already possible to prevent a particular option
> >rom from running by creating a dummy option rom for that device in
> >CBFS.  That is, it should be possible to create a dummy cbfs file
> >"pci1234,5678.rom" to prevent the option rom on PCI device 1234:5678
> >from running.  Not sure if this fixes the issue you were seeing, but
> >if so maybe the best fix is to just update the documentation.
> 
> This patch in particular guarantees that no matter what devices are plugged
> in (e.g. long after the BIOS has been flashed) they will not have their
> option ROMs executed.  Its primary use is for those who want a blob-free
> system, e.g. for high-security applications.

That makes sense, but I think it needs to be a runtime setting.  I'll
see if I can put together a quick patch to better show what I mean.

The documentation for SeaBIOS CBFS files currently lives in the
coreboot wiki.  I'll also see if I can move that into the SeaBIOS
docs/ directory so that future changes like this can update both docs
and code at the same time.

In any case, SeaBIOS is in a feature freeze for the next few days as
we prepare for the next release.

-Kevin