Re: git: 7ee781e2bfc2 - main - loader: Document that WITH_BEARSSL may need other tweaks

From: Jessica Clarke <jrtc27_at_freebsd.org>
Date: Tue, 06 Aug 2024 23:35:34 UTC
On 7 Aug 2024, at 00:30, Warner Losh <imp@FreeBSD.org> wrote:
> 
> The branch main has been updated by imp:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=7ee781e2bfc2558060dec95564414a0bff4415c1
> 
> commit 7ee781e2bfc2558060dec95564414a0bff4415c1
> Author:     Warner Losh <imp@FreeBSD.org>
> AuthorDate: 2024-08-05 21:16:37 +0000
> Commit:     Warner Losh <imp@FreeBSD.org>
> CommitDate: 2024-08-06 23:22:36 +0000
> 
>    loader: Document that WITH_BEARSSL may need other tweaks
> 
>    /boot/loader is right up against the 500k limit we have to make sure
>    everything works in a wide variety of environments. However, adding
>    WITH_BEARSSL can push it over the edge since we are so close to the
>    limit with it enabled. One may also need to increase LOADERSIZE when
>    enabling it. It's often safe to go much higher, especially when you
>    don't plan on using pxeldr. Document this trade off here.

Can you please mention i386/amd64/x86/whatever and BIOS up front in the
descriptions here? As it stands it reads like a lot of historic FreeBSD
documentation that assumes you’re dealing with x86 + BIOS.

Jess

>    MFC After:              3 days
>    Sponsored by:           Netflix
>    Reviewed by:            sjg, markj
>    Differential Revision:  https://reviews.freebsd.org/D46211
> ---
> tools/build/options/WITH_BEARSSL         | 19 +++++++++++++++++++
> tools/build/options/WITH_LOADER_VERIEXEC |  2 ++
> 2 files changed, 21 insertions(+)
> 
> diff --git a/tools/build/options/WITH_BEARSSL b/tools/build/options/WITH_BEARSSL
> index 6a4447d723ed..9dcebbf1ae30 100644
> --- a/tools/build/options/WITH_BEARSSL
> +++ b/tools/build/options/WITH_BEARSSL
> @@ -8,3 +8,22 @@ This library is currently only used to perform
> signature verification and related operations
> for Verified Exec and
> .Xr loader 8 .
> +.Pp
> +Due to size constraints, one may need to set
> +.Va LOADERSIZE
> +larger than the
> +default 500000, although often loader is under the 500k limit even with
> +this option.
> +Setting
> +.Va LOADERSIZE
> +larger than 500000 may cause
> +.Xr pxeboot 8
> +to be too large to work.
> +Careful testing of the loader in the target environment when built with a larger
> +limit to establish safe limits is critical because different BIOS environments
> +reserve differing amounts of the low 640k space, making a precise limit for
> +everybody impossible.
> +.Pp
> +See also
> +.Va WITH_LOADER_PXEBOOT
> +for other considerations.
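
Review bot: the new paragraph never names the platform the size limit applies to; the only hint is "different BIOS environments" and "the low 640k space" in the last sentence. Say up front, before "Due to size constraints", which loader and firmware this concerns, so that the LOADERSIZE advice is not read as applying everywhere. The same sentence also writes the value two ways, "default 500000" and "under the 500k limit"; use the exact figure that LOADERSIZE takes in both places.
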
> diff --git a/tools/build/options/WITH_LOADER_VERIEXEC b/tools/build/options/WITH_LOADER_VERIEXEC
> index a50ff9a317e6..d784df968949 100644
> --- a/tools/build/options/WITH_LOADER_VERIEXEC
> +++ b/tools/build/options/WITH_LOADER_VERIEXEC
> @@ -4,3 +4,5 @@ with support for verification similar to Verified Exec.
> .Pp
> Depends on
> .Va WITH_BEARSSL .
> +May require a larger
> +.Va LOADERSIZE .
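
Review bot: the added "May require a larger .Va LOADERSIZE ." gives no condition and no pointer to where the limit is explained. Since the context line above already says this option depends on WITH_BEARSSL, refer the reader to that option's description for the size and pxeboot trade-off, and scope the sentence to the platform where the limit exists.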