#619 Ignoring option roms by default in SeaBIOS builds?

Open
opened 1 month ago by sudoman · 0 comments
sudoman commented 1 month ago

Here is the workaround that we use to avoid running non-free option roms on the CPU. Would it make sense for LibreBoot to disable these by default, or to at least document the procedure?

Running the VGA option rom makes sense if we're using the internal native (free) graphics init, but wouldn't make sense in combination with a PCIe graphics card, since the option rom would likely be non-free. In that case, SeaBIOS wouldn't display text on the screen.

Option roms frequently slow down or break the boot process, but it's possible that in some cases the device might not work without executing the option rom, in which case it makes sense to buy a different PCIe device. Note that for servers in production, testing this out may require extra down time if new hardware needs to be purchased and installed.

## disable option roms with cbfstool

This method applies a hard-coded variable to the LibreBoot / Coreboot ROM that tells it to not load external option roms. (LibreBoot from 2016 loads option roms by default.)

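### documentation on this method

* <https://www.coreboot.org/SeaBIOS#Other_Configuration_items>
* <https://seabios.org/Runtime_config>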

If those pages are missing, visit https://archive.is or https://archive.org.

### compile cbfstool

Clone the Coreboot git repo:

    git clone http://review.coreboot.org/coreboot.git

Compile cbfstool:

    cd coreboot
    cd util/cbfstool
    make -j5
    sudo cp cbfstool /usr/local/bin/

If dependencies are missing, `libreboot_r20160907_util.tar.xz` has a compiled version at the `https://libreboot.org/download.html` mirrors.

### get the LibreBoot rom from the machine

Downloading the rom from the machine itself is a good approach so you don't have to worry about **setting the MAC address** to a non-generic value before writing the patched rom.

If you are able to boot to GNU/Linux on the device:

    flashrom -p internal -r libreboot.rom

### patch the LibreBoot ROM

> *Controls option ROM execution for roms found on PCI devices (as opposed to
> roms found in CBFS/fw_cfg). Valid values are 0: Execute no ROMs, 1: Execute
> only VGA ROMs, 2: Execute all ROMs. The default is 2 (execute all ROMs).*

    cbfstool libreboot.rom add-int -i 1 -n etc/pci-optionrom-exec
    cbfstool libreboot.rom print

### write the LibreBoot ROM

If you are using a fresh ROM image, don't forget to patch it so there aren't **MAC collisions**. Alternatively, get the rom from the machine itself (see above).

If you are booted into GNU/Linux on the device:

    flashrom -p internal -w libreboot.rom

Do a shutdown, then a cold boot.
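A check that could run between the patch and write steps above, as an added example that is not part of the original post: it replaces any existing `etc/pci-optionrom-exec` entry, reads the value back out of the image, and keeps the unmodified dump for rollback. The function names and the sample listing are constructed here; it assumes cbfstool's `remove` and `extract` subcommands and that `add-int` stores the value in little-endian order.

```shell
#!/bin/sh
# Added example: patch a ROM dump and verify the SeaBIOS runtime setting.
ENTRY=etc/pci-optionrom-exec

# Constructed sample of `cbfstool <rom> print` output (not from a real image).
SAMPLE_PRINT='Name                           Offset     Type           Size   Comp
fallback/romstage              0x80       stage           24412 none
etc/pci-optionrom-exec         0x7fc0     raw                 8 none'

# True if the `cbfstool print` listing on stdin contains the named entry.
has_cbfs_entry() {
    awk -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# Decode a file of up to 8 bytes as an unsigned little-endian integer.
# Assumption: cbfstool add-int writes the value in little-endian order.
decode_le_int() {
    val=0 shift_by=0
    for b in $(od -An -v -tu1 "$1"); do
        val=$(( val + (b << shift_by) ))
        shift_by=$(( shift_by + 8 ))
    done
    echo "$val"
}

# Patch the ROM in place, then prove the entry holds the wanted value.
# Usage: patch_and_verify <rom> <0|1|2>
patch_and_verify() {
    rom=$1 want=$2
    case $want in 0|1|2) ;; *) echo "value must be 0, 1 or 2" >&2; return 2 ;; esac
    [ -e "$rom.orig" ] || cp "$rom" "$rom.orig"   # keep the unmodified dump
    # Replace an existing entry instead of adding on top of it.
    if cbfstool "$rom" print | has_cbfs_entry "$ENTRY"; then
        cbfstool "$rom" remove -n "$ENTRY" || return 1
    fi
    cbfstool "$rom" add-int -i "$want" -n "$ENTRY" || return 1
    tmp=$(mktemp)
    cbfstool "$rom" extract -n "$ENTRY" -f "$tmp" || { rm -f "$tmp"; return 1; }
    got=$(decode_le_int "$tmp"); rm -f "$tmp"
    [ "$got" = "$want" ] || { echo "mismatch: got $got, want $want" >&2; return 1; }
    sha256sum "$rom.orig" "$rom"                  # record both hashes
}

# Runs only with arguments, e.g.: sh patch_verify.sh libreboot.rom 1
if [ $# -eq 2 ]; then patch_and_verify "$1" "$2"; fi
```

Only flash the image if the function returns 0; `libreboot.rom.orig` is the copy to write back if the machine no longer initialises a device after the change.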
