git: 7ee781e2bfc2 - main - loader: Document that WITH_BEARSSL may need other tweaks

From: Warner Losh <imp_at_FreeBSD.org>
Date: Tue, 06 Aug 2024 23:30:27 UTC
The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=7ee781e2bfc2558060dec95564414a0bff4415c1

commit 7ee781e2bfc2558060dec95564414a0bff4415c1
Author:     Warner Losh <imp@FreeBSD.org>
AuthorDate: 2024-08-05 21:16:37 +0000
Commit:     Warner Losh <imp@FreeBSD.org>
CommitDate: 2024-08-06 23:22:36 +0000

    loader: Document that WITH_BEARSSL may need other tweaks
    
    /boot/loader is right up aginst the 500k limit we have to make sure
    everything works in a wide variety of environments. However, adding
    WITH_BEARSSL can push it over the edge since we are so close to the
    limit with it enabled. One may also need to increase LOADERSIZE when
    enabling it. It's often safe to go much higher, especially when you
    don't plan on using pxeldr. Document this trade off here.
    
    MFC After:              3 days
    Sponsored by:           Netflix
    Reviewed by:            sjg, markj
    Differential Revision:  https://reviews.freebsd.org/D46211
---
 tools/build/options/WITH_BEARSSL         | 19 +++++++++++++++++++
 tools/build/options/WITH_LOADER_VERIEXEC |  2 ++
 2 files changed, 21 insertions(+)

diff --git a/tools/build/options/WITH_BEARSSL b/tools/build/options/WITH_BEARSSL
index 6a4447d723ed..9dcebbf1ae30 100644
--- a/tools/build/options/WITH_BEARSSL
+++ b/tools/build/options/WITH_BEARSSL
@@ -8,3 +8,22 @@ This library is currently only used to perform
 signature verification and related operations
 for Verified Exec and
 .Xr loader 8 .
+.Pp
+Due to size constraints, one may need to set
+.Va LOADERSIZE
+larger than the
+default 500000, although often loader is under the 500k limit even with
+this option.
+Setting
+.Va LOADERSIZE
+larger than 500000 may cause
+.Xr pxeboot 8
+to be too large to work.
+Careful testing of the loader in the target environment when built with a larger
+limit to establish safe limits is critical because different BIOS environments
+reserve differing amounts of the low 640k space, making a precise limit for
+everybody impossible.
+.Pp
+See also
+.Va WITH_LOADER_PXEBOOT
+for other considerations.
diff --git a/tools/build/options/WITH_LOADER_VERIEXEC b/tools/build/options/WITH_LOADER_VERIEXEC
index a50ff9a317e6..d784df968949 100644
--- a/tools/build/options/WITH_LOADER_VERIEXEC
+++ b/tools/build/options/WITH_LOADER_VERIEXEC
@@ -4,3 +4,5 @@ with support for verification similar to Verified Exec.
 .Pp
 Depends on
 .Va WITH_BEARSSL .
+May require a larger
+.Va LOADERSIZE .