Date: Wed, 7 Aug 2024 00:35:34 +0100
From: Jessica Clarke <jrtc27@freebsd.org>
To: Warner Losh <imp@FreeBSD.org>
Cc: "src-committers@freebsd.org" <src-committers@FreeBSD.org>, "dev-commits-src-all@freebsd.org" <dev-commits-src-all@FreeBSD.org>, "dev-commits-src-main@freebsd.org" <dev-commits-src-main@FreeBSD.org>
Subject: Re: git: 7ee781e2bfc2 - main - loader: Document that WITH_BEARSSL may need other tweaks
Message-ID: <71670C64-CE80-47B1-809D-AFACA9C3E8FF@freebsd.org>
In-Reply-To: <202408062330.476NURrx080788@gitrepo.freebsd.org>
References: <202408062330.476NURrx080788@gitrepo.freebsd.org>
On 7 Aug 2024, at 00:30, Warner Losh <imp@FreeBSD.org> wrote:
>
> The branch main has been updated by imp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=7ee781e2bfc2558060dec95564414a0bff4415c1
>
> commit 7ee781e2bfc2558060dec95564414a0bff4415c1
> Author: Warner Losh <imp@FreeBSD.org>
> AuthorDate: 2024-08-05 21:16:37 +0000
> Commit: Warner Losh <imp@FreeBSD.org>
> CommitDate: 2024-08-06 23:22:36 +0000
>
> loader: Document that WITH_BEARSSL may need other tweaks
>
> /boot/loader is right up against the 500k limit we have to make sure
> everything works in a wide variety of environments. However, adding
> WITH_BEARSSL can push it over the edge since we are so close to the
> limit with it enabled. One may also need to increase LOADERSIZE when
> enabling it. It's often safe to go much higher, especially when you
> don't plan on using pxeldr. Document this trade off here.

Can you please mention i386/amd64/x86/whatever and BIOS up front in the
descriptions here? As it stands it reads like a lot of historic FreeBSD
documentation that assumes you’re dealing with x86 + BIOS.

Jess

> MFC After: 3 days
> Sponsored by: Netflix
> Reviewed by: sjg, markj
> Differential Revision: https://reviews.freebsd.org/D46211
> ---
> tools/build/options/WITH_BEARSSL | 19 +++++++++++++++++++
> tools/build/options/WITH_LOADER_VERIEXEC | 2 ++
> 2 files changed, 21 insertions(+)
>
> diff --git a/tools/build/options/WITH_BEARSSL = b/tools/build/options/WITH_BEARSSL > index 6a4447d723ed..9dcebbf1ae30 100644 > --- a/tools/build/options/WITH_BEARSSL > +++ b/tools/build/options/WITH_BEARSSL
> @@ -8,3 +8,22 @@ This library is currently only used to perform > signature verification and related operations > for Verified Exec and > .Xr loader 8 . > +.Pp > +Due to size constraints, one may need to set > +.Va LOADERSIZE > +larger than the > +default 500000, although often loader is under the 500k limit even = with > +this option. > +Setting > +.Va LOADERSIZE > +larger than 500000 may cause > +.Xr pxeboot 8 > +to be too large to work. > +Careful testing of the loader in the target environment when built = with a larger > +limit to establish safe limits is critical because different BIOS = environments > +reserve differing amounts of the low 640k space, making a precise = limit for > +everybody impossible. > +.Pp > +See also > +.Va WITH_LOADER_PXEBOOT > +for other considerations. > diff --git a/tools/build/options/WITH_LOADER_VERIEXEC = b/tools/build/options/WITH_LOADER_VERIEXEC > index a50ff9a317e6..d784df968949 100644 > --- a/tools/build/options/WITH_LOADER_VERIEXEC > +++ b/tools/build/options/WITH_LOADER_VERIEXEC > @@ -4,3 +4,5 @@ with support for verification similar to Verified = Exec. > .Pp > Depends on > .Va WITH_BEARSSL . > +May require a larger > +.Va LOADERSIZE .
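Review bot: in the WITH_BEARSSL hunk, the added paragraph opens with "Due to size constraints, one may need to set LOADERSIZE larger than the default 500000" without saying which loader or platform the constraint applies to; BIOS and the low 640k space are only named in the final sentence. Suggest stating that scope in the first sentence so readers building for other platforms can tell whether it concerns them. The text also writes the same limit as both "500000" and "500k"; pick one form. Finally, the paragraph asks for careful testing with a larger limit but names no symptom to look for, so consider saying how a reader would notice that the loader or pxeboot has become too large.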
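Review bot: in the WITH_LOADER_VERIEXEC hunk, "May require a larger LOADERSIZE" gives no baseline and no pointer to the explanation; the default of 500000, the pxeboot trade-off and the advice to test in the target environment are documented only under WITH_BEARSSL. Since this option already states that it depends on WITH_BEARSSL, suggest ending the new sentence with a reference to that description so someone enabling verification in the loader does not miss the size caveats.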