[SeaBIOS] [PATCH 1/2] Add an option to only execute option ROMs contained in CBFS

Kevin O'Connor kevin at koconnor.net
Sat Feb 14 17:34:54 CET 2015

On Sat, Feb 14, 2015 at 03:15:42AM +0100, Peter Stuge wrote:
> Kevin O'Connor wrote:
> > > This patch in particular guarantees that no matter what devices
> > > are plugged in (e.g. long after the BIOS has been flashed) they
> > > will not have their option ROMs executed.
> > 
> > That makes sense, but I think it needs to be a runtime setting.
> Timothy's original approach is appealing more and more to me. It's a
> good way to know that the system will stay as it was when flashed.
> Runtime setting - the argument there would be that if someone can
> change the flash contents to create a new CBFS file they could also
> replace the SeaBIOS payload, right?

Right - if one can modify the flash then one can modify seabios, and
so there is no appreciable security if an attacker can modify the

I'd like the default SeaBIOS build to be useful for a wide audience.
I view the Kconfig settings as a means to make smaller builds (for
those with a small flash size) and as a means to select options that
can't be auto-detected or configured at runtime.  Using run-time
options reduces the overall compile and test coverage (as more people
are running the same binary).


More information about the SeaBIOS mailing list