Re: git: 7ee781e2bfc2 - main - loader: Document that WITH_BEARSSL may need other tweaks
- In reply to: Warner Losh : "git: 7ee781e2bfc2 - main - loader: Document that WITH_BEARSSL may need other tweaks"
Date: Tue, 06 Aug 2024 23:35:34 UTC
On 7 Aug 2024, at 00:30, Warner Losh <imp@FreeBSD.org> wrote:
>
> The branch main has been updated by imp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=7ee781e2bfc2558060dec95564414a0bff4415c1
>
> commit 7ee781e2bfc2558060dec95564414a0bff4415c1
> Author: Warner Losh <imp@FreeBSD.org>
> AuthorDate: 2024-08-05 21:16:37 +0000
> Commit: Warner Losh <imp@FreeBSD.org>
> CommitDate: 2024-08-06 23:22:36 +0000
>
> loader: Document that WITH_BEARSSL may need other tweaks
>
> /boot/loader is right up against the 500k limit we have to make sure
> everything works in a wide variety of environments. However, adding
> WITH_BEARSSL can push it over the edge since we are so close to the
> limit with it enabled. One may also need to increase LOADERSIZE when
> enabling it. It's often safe to go much higher, especially when you
> don't plan on using pxeldr. Document this trade off here.

Can you please mention i386/amd64/x86/whatever and BIOS up front in the descriptions here? As it stands it reads like a lot of historic FreeBSD documentation that assumes you’re dealing with x86 + BIOS.

Jess

> MFC After: 3 days
> Sponsored by: Netflix
> Reviewed by: sjg, markj
> Differential Revision: https://reviews.freebsd.org/D46211
> ---
> tools/build/options/WITH_BEARSSL | 19 +++++++++++++++++++
> tools/build/options/WITH_LOADER_VERIEXEC | 2 ++
> 2 files changed, 21 insertions(+)
>
> diff --git a/tools/build/options/WITH_BEARSSL b/tools/build/options/WITH_BEARSSL > index 6a4447d723ed..9dcebbf1ae30 100644 > --- a/tools/build/options/WITH_BEARSSL > +++ b/tools/build/options/WITH_BEARSSL
> @@ -8,3 +8,22 @@ This library is currently only used to perform > signature verification and related operations > for Verified Exec and > .Xr loader 8 . > +.Pp > +Due to size constraints, one may need to set > +.Va LOADERSIZE > +larger than the > +default 500000, although often loader is under the 500k limit even with > +this option. > +Setting > +.Va LOADERSIZE > +larger than 500000 may cause > +.Xr pxeboot 8 > +to be too large to work. > +Careful testing of the loader in the target environment when built with a larger > +limit to establish safe limits is critical because different BIOS environments > +reserve differing amounts of the low 640k space, making a precise limit for > +everybody impossible. > +.Pp > +See also > +.Va WITH_LOADER_PXEBOOT > +for other considerations. > diff --git a/tools/build/options/WITH_LOADER_VERIEXEC b/tools/build/options/WITH_LOADER_VERIEXEC > index a50ff9a317e6..d784df968949 100644 > --- a/tools/build/options/WITH_LOADER_VERIEXEC > +++ b/tools/build/options/WITH_LOADER_VERIEXEC > @@ -4,3 +4,5 @@ with support for verification similar to Verified Exec. > .Pp > Depends on > .Va WITH_BEARSSL . > +May require a larger > +.Va LOADERSIZE .
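
Review bot: The paragraph added to tools/build/options/WITH_BEARSSL gives the default as "500000" and then calls it "the 500k limit" in the same sentence; use one form throughout, preferably the literal 500000 that LOADERSIZE is set to. The scope of the limit also only surfaces in the last sentence ("different BIOS environments"), so the opening "Due to size constraints" does not tell the reader which loader the constraint applies to; stating that at the start of the paragraph would help. The sentence beginning "Careful testing of the loader" packs the instruction and its reason into one long clause and would read better as two sentences.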
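
Review bot: The line added to tools/build/options/WITH_LOADER_VERIEXEC, "May require a larger .Va LOADERSIZE .", has no subject and does not say larger than what or why. Naming the default of 500000 given in the WITH_BEARSSL text, or adding a "See also" pointer to that description as the first hunk does for WITH_LOADER_PXEBOOT, would let this entry stand on its own when read in isolation.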