[SeaBIOS] [PATCH 1/2] Add an option to only execute option ROMs contained in CBFS
Kevin O'Connor
kevin at koconnor.net
Sat Feb 14 18:02:54 CET 2015
On Fri, Feb 13, 2015 at 04:35:08PM -0500, Kevin O'Connor wrote:
> On Fri, Feb 13, 2015 at 02:09:05PM -0600, Timothy Pearson wrote:
> > This patch in particular guarantees that no matter what devices are plugged
> > in (e.g. long after the BIOS has been flashed) they will not have their
> > option ROMs executed. Its primary use is for those who want a blob-free
> > system, e.g. for high-security applications.
>
> That makes sense, but I think it needs to be a runtime setting. I'll
> see if I can put together a quick patch to better show what I mean.

Below is an example of what I was suggesting (untested). The patch
below uses the file "/etc/pci-optionroms" - 0 means don't run any
option roms, 1 means run only the option rom for the primary vga
device, 2 means run option roms for only non-vga devices, and 3 means
run all option roms (the default).

-Kevin

diff --git a/src/optionroms.c b/src/optionroms.c
index 93d9d2f..ed05870 100644
--- a/src/optionroms.c
+++ b/src/optionroms.c
@@ -20,6 +20,8 @@
#include "string.h" // memset
#include "util.h" // get_pnp_offset
+static int EnforceChecksum, S3ResumeVga, RunPCIroms;
+
/****************************************************************
* Helper functions
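Review bot: RunPCIroms is declared at the top of the file with no comment saying it is a bit mask, so the meaning of the 1 and 2 tested later in init_pcirom can only be recovered from the e-mail text. Please add a short comment beside the declaration stating that value 1 enables the VGA ROM, value 2 enables non-VGA ROMs, and 3 is the default. Being a static int with no initializer, it is 0 until the romfile_loadint call runs, which is worth stating in the same comment because 0 is the "run nothing from the device" setting.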
@@ -60,8 +62,6 @@ call_bcv(u16 seg, u16 ip)
__callrom(MAKE_FLATPTR(seg, 0), ip, 0);
}
-static int EnforceChecksum;
-
// Verify that an option rom looks valid
static int
is_valid_rom(struct rom_header *rom)
@@ -329,7 +329,7 @@ init_pcirom(struct pci_device *pci, int isvga, u64 *sources)
, pci_bdf_to_bus(bdf), pci_bdf_to_dev(bdf), pci_bdf_to_fn(bdf)
, pci->vendor, pci->device);
struct rom_header *rom = lookup_hardcode(pci);
- if (! rom)
+ if (!rom && RunPCIroms & (isvga ? 1 : 2))
rom = map_pcirom(pci);
if (! rom)
// No ROM present.
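Review bot: The new condition on the map_pcirom call only gates ROMs read from the device; a ROM returned by lookup_hardcode(pci) on the line above is still used whatever RunPCIroms holds. That matches the subject of the thread (run only ROMs shipped in CBFS), but it does not match the description of 0 as "don't run any option roms", so the description or a comment here should say that the setting applies to device-supplied ROMs only. The expression "!rom && RunPCIroms & (isvga ? 1 : 2)" is correct because & binds tighter than &&, but parentheses around the mask test would make that obvious and avoid a compiler precedence warning.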
@@ -416,7 +416,6 @@ optionrom_setup(void)
* VGA init
****************************************************************/
-static int S3ResumeVga;
int ScreenAndDebug;
struct rom_header *VgaROM;
@@ -432,6 +431,7 @@ vgarom_setup(void)
// Load some config settings that impact VGA.
EnforceChecksum = romfile_loadint("etc/optionroms-checksum", 1);
S3ResumeVga = romfile_loadint("etc/s3-resume-vga-init", CONFIG_QEMU);
+ RunPCIroms = romfile_loadint("etc/pci-optionroms", 3);
ScreenAndDebug = romfile_loadint("etc/screen-and-debug", 1);
if (CONFIG_OPTIONROMS_DEPLOYED) {
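Review bot: The RunPCIroms load is placed in vgarom_setup under the comment "Load some config settings that impact VGA", yet the value also decides whether non-VGA ROMs are mapped in init_pcirom. Either update that comment or confirm that no init_pcirom call can run before vgarom_setup; any that did would see the uninitialized value 0 and skip the device ROM even with the default of 3 configured. The file name also differs between the description ("/etc/pci-optionroms") and the code ("etc/pci-optionroms"); the documentation should use the name the code loads. Since the default of 3 keeps today's behaviour, a build that wants device ROMs blocked has to ship this file explicitly, which is worth noting wherever the option gets documented.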