| field | value | date |
|---|---|---|
| author | Leah Rowe <leah@libreboot.org> | 2024-06-22 21:44:49 +0100 |
| committer | Leah Rowe <leah@libreboot.org> | 2024-06-22 21:44:49 +0100 |
| commit | 71137b12b497e6935c81bf5fc73a0c17246fafd2 (patch) | |
| tree | 0446ae765af2fb3db9f461e135def0e629bec9cd | |
| parent | d4d5d2902c020419057d63c9791804906a6c60dd (diff) | |
roms: remove support for "grubonly" seabios
due to lbmk issue #216, it is now unwise to use grub as the
primary payload on any machine; the sheer complexity of grub
and the number of memory corruption bugs that have been fixed
due to auditing over the years, means more such bugs exist.
we now provide seabios as the primary payload on all x86 ports,
but provide a "grubfirst" configuration where a bootorder file
in seabios can be added via cbfs, which tells seabios to load
grub from cbfs first, while still allowing use of the boot select
menu by pressing esc in seabios.
well, the "grubonly" option also disables the seabios esc menu,
so that *only* grub runs. there is no point in using this unless
you want to harden your setup, for example if you want to set up
encrypted /boot and boot that from grub, and have a grub password
disallowing unauthorised bootup of your machine.
see grub hardening guide;
https://libreboot.org/docs/linux/grub_hardening.html
at least as of today, 22 June 2024, that page already says
how to manually disable the seabios menu in the same way, if that
is the setup you want. alternatively, a user may be wily
enough to edit target.cfg for their board and compile a rom
that only has the grub payload in it, if that is what the user
wishes to do.
regardless, the default configurations provided by lbmk must never
be unsafe, nor should the build system support such unsafe
settings;
yes, grub as primary payload is technically still supported in
lbmk. actually, at the time of this revision, i have half a mind
to remove that functionality altogether, so that only seabios is
allowed as primary payload, when compiling a rom image that also
has grub, chainloading grub from the seabios menu instead.
Signed-off-by: Leah Rowe <leah@libreboot.org>
-rwxr-xr-x | script/roms | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/script/roms b/script/roms index 9cfab81a..213f1b1f 100755 --- a/script/roms +++ b/script/roms @@ -23,7 +23,7 @@ stm32dir="$stm32src/boards" # Disable all payloads by default. # target.cfg files have to specifically enable [a] payload(s) pv="payload_uboot payload_grub_withseabios payload_seabios payload_memtest t" -pv="$pv payload_seabios_withgrub payload_seabios_grubonly payload_grub" +pv="$pv payload_seabios_withgrub payload_grub" v="romdir cbrom initmode displaymode cbcfg targetdir tree release ubootelf" v="$v grub_timeout board grub_scan_disk uboot_config grubtree grubelf tmpmv" eval `setvars "n" $pv` @@ -110,8 +110,6 @@ configure_target() [ "$payload_grub_withseabios" = "y" ] && eval `setvars "y" \ payload_grub payload_seabios payload_seabios_withgrub` [ "$payload_seabios_withgrub" = "y" ] && payload_seabios="y" - [ "$payload_seabios_grubonly" = "y" ] && \ - eval `setvars "y" payload_seabios payload_seabios_withgrub` # The reverse logic must not be applied. If SeaBIOS-with-GRUB works, # that doesn't mean GRUB-with-SeaBIOS will, e.g. VGA ROM execution @@ -137,8 +135,8 @@ build_payloads() [ "$payload_memtest" = "y" ] && x_ ./update trees -b memtest86plus [ "$payload_seabios" = "y" ] && x_ ./update trees -b seabios - if [ "$payload_grub" = "y" ] || [ "$payload_seabios_withgrub" = "y" ] \ - || [ "$payload_seabios_grubonly" = "y" ]; then + if [ "$payload_grub" = "y" ] || [ "$payload_seabios_withgrub" = "y" ] + then [ -f "$grubelf" ] || x_ ./update trees -b grub $grubtree fi @@ -239,9 +237,6 @@ build_grub_roms() [ "$payload1" = "grub" ] && return 0 cbfs "$tmprom" "$grubdata/bootorder" bootorder raw cprom cp "$tmprom" "${newrom%.rom}_grubfirst.rom" - [ "$payload_seabios_grubonly" = "y" ] || return 0 - x_ "$cbfstool" "$tmprom" add-int -i 0 -n etc/show-boot-menu - cprom cp "$tmprom" "${newrom%.rom}_grubonly.rom" } # make a rom in /tmp/ and then print the path of that ROM |
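Review bot: in the first hunk (`@@ -23,7 +23,7 @@`), dropping `payload_seabios_grubonly` from the `pv` list means a `target.cfg` that still sets `payload_seabios_grubonly="y"` is accepted silently: `eval `setvars "n" $pv`` no longer initialises it, nothing in the script reads it any more, and the board builds with a different payload set than its config asked for. Since the commit message says the build system must not support this setting, consider rejecting it explicitly once the board's `target.cfg` has been read, something like `[ "$payload_seabios_grubonly" = "y" ] && <error out>`, so stale board configs fail at build time instead of being ignored.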
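Review bot: in the second hunk (`@@ -110,8 +110,6 @@`), the two removed lines were the only place `payload_seabios_grubonly=y` implied `payload_seabios=y` and `payload_seabios_withgrub=y`, and nothing is left to record that the option was dropped on purpose. The comment that follows ("The reverse logic must not be applied...") still reads correctly, but a one-line comment here saying that lbmk no longer builds a GRUB-only ROM, pointing at the grub hardening guide the commit message cites (https://libreboot.org/docs/linux/grub_hardening.html), would keep the next reader from re-adding the shortcut.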
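Review bot: style point on the third hunk (`@@ -137,8 +135,8 @@`): with the backslash continuation gone the condition now fits on one line, so `if [ "$payload_grub" = "y" ] || [ "$payload_seabios_withgrub" = "y" ]; then` keeps the `; then` form the removed lines used, rather than moving `then` onto its own line. Behaviour is identical either way; it is only consistency within the file.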
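Review bot: in the last hunk (`@@ -239,9 +237,6 @@`), removing `x_ "$cbfstool" "$tmprom" add-int -i 0 -n etc/show-boot-menu` is right for the default build, but that line was the only mention in this script of the SeaBIOS setting that gates the ESC boot menu, and that is the part that matters to the hardening case the commit message describes: a `_grubfirst.rom` still lets anyone press ESC and pick another boot entry, so a GRUB password with encrypted /boot does not by itself stop an unauthorised boot. A short comment after `cprom cp "$tmprom" "${newrom%.rom}_grubfirst.rom"` stating that the boot menu remains enabled in this image, and referring to the grub hardening guide for disabling it manually, would document the trade-off at the point where the ROM is produced.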