[SeaBIOS] [PATCH 1/2] Add an option to only execute option ROMs contained in CBFS

Kevin O'Connor kevin at koconnor.net
Sat Feb 14 18:02:54 CET 2015


On Fri, Feb 13, 2015 at 04:35:08PM -0500, Kevin O'Connor wrote:
> On Fri, Feb 13, 2015 at 02:09:05PM -0600, Timothy Pearson wrote:
> > This patch in particular guarantees that no matter what devices are plugged
> > in (e.g. long after the BIOS has been flashed) they will not have their
> > option ROMs executed.  Its primary use is for those who want a blob-free
> > system, e.g. for high-security applications.
> 
> That makes sense, but I think it needs to be a runtime setting.  I'll
> see if I can put together a quick patch to better show what I mean.

Below is an example of what I was suggesting (untested).  The patch
below uses the file "/etc/pci-optionroms" - 0 means don't run any
option roms, 1 means run only the option rom for the primary vga
device, 2 means run option roms for only non-vga devices, and 3 means
run all option roms (the default).

-Kevin


diff --git a/src/optionroms.c b/src/optionroms.c
index 93d9d2f..ed05870 100644
--- a/src/optionroms.c
+++ b/src/optionroms.c
@@ -20,6 +20,8 @@
 #include "string.h" // memset
 #include "util.h" // get_pnp_offset
 
+static int EnforceChecksum, S3ResumeVga, RunPCIroms;
+
 
 /****************************************************************
  * Helper functions
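Review bot: the combined declaration `static int EnforceChecksum, S3ResumeVga, RunPCIroms;` is placed under the includes with no comment, while the settings it holds are only loaded much later in vgarom_setup(); a one-line comment naming the romfile keys these mirror (etc/optionroms-checksum, etc/s3-resume-vga-init, etc/pci-optionroms) would save a reader the search. Minor style point: the added blank line after the declaration sits directly above an existing blank line, leaving two consecutive blank lines before the "Helper functions" banner.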
@@ -60,8 +62,6 @@ call_bcv(u16 seg, u16 ip)
     __callrom(MAKE_FLATPTR(seg, 0), ip, 0);
 }
 
-static int EnforceChecksum;
-
 // Verify that an option rom looks valid
 static int
 is_valid_rom(struct rom_header *rom)
@@ -329,7 +329,7 @@ init_pcirom(struct pci_device *pci, int isvga, u64 *sources)
             , pci_bdf_to_bus(bdf), pci_bdf_to_dev(bdf), pci_bdf_to_fn(bdf)
             , pci->vendor, pci->device);
     struct rom_header *rom = lookup_hardcode(pci);
-    if (! rom)
+    if (!rom && RunPCIroms & (isvga ? 1 : 2))
         rom = map_pcirom(pci);
     if (! rom)
         // No ROM present.
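Review bot: the new gate `RunPCIroms & (isvga ? 1 : 2)` only wraps map_pcirom(pci), so a ROM returned by lookup_hardcode(pci) is still executed even when etc/pci-optionroms is 0. That matches the intent of the series (ROMs supplied with the firmware image stay trusted, ROMs read from the device are skipped), but it needs to be spelled out wherever the key is documented so that 0 is not read as "no option ROMs at all". Since `&` binds tighter than `&&` the expression is correct as written, but `if (!rom && (RunPCIroms & (isvga ? 1 : 2)))` would make the bitmask test explicit; note also that the value is treated as a bitmask, so a value outside 0..3 such as 4 clears both bits and silently disables device ROMs for every PCI device.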
@@ -416,7 +416,6 @@ optionrom_setup(void)
  * VGA init
  ****************************************************************/
 
-static int S3ResumeVga;
 int ScreenAndDebug;
 struct rom_header *VgaROM;
 
@@ -432,6 +431,7 @@ vgarom_setup(void)
     // Load some config settings that impact VGA.
     EnforceChecksum = romfile_loadint("etc/optionroms-checksum", 1);
     S3ResumeVga = romfile_loadint("etc/s3-resume-vga-init", CONFIG_QEMU);
+    RunPCIroms = romfile_loadint("etc/pci-optionroms", 3);
     ScreenAndDebug = romfile_loadint("etc/screen-and-debug", 1);
 
     if (CONFIG_OPTIONROMS_DEPLOYED) {
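Review bot: the new romfile key is not documented; add etc/pci-optionroms to the runtime configuration docs with the bit meanings given in the cover text (bit 1 for the primary VGA device, bit 2 for other PCI devices, default 3). The cover text names the file "/etc/pci-optionroms" while the code reads "etc/pci-optionroms"; the two should agree. Loading the value here is consistent with EnforceChecksum, which init_pcirom() already relies on having been set by vgarom_setup() before any PCI ROM is mapped, so no ordering problem is introduced. Worth stating in the docs is the trust boundary this creates: the setting is read from the romfile, so whoever can supply that entry decides whether device-supplied ROMs run, which is the same party that controls the firmware image itself.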


