Commit Graph

5 Commits (637c0a1521a03e3f65de85dcc5ffd478b37a5360)

Author SHA1 Message Date
Leah Rowe f13819386b Enable x86 U-Boot payload on every x86 board
Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-11-19 02:28:18 +00:00
Leah Rowe 80c3f9395d coreboot/fam15h: only use this, for amd boards
it is identical to fam15h_rdimm, with _udimm now removed;
the latter had a patch that added certain behaviour only
intended for rdimm, but the patch in question breaks various
configurations.

raminit has always been unreliable on these boards. i'd rather
simplify it all, in lbmk. i'll probably update this to the dasharo
tree later on, specificalyl for kgpe-d16

Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-08-10 18:24:31 +01:00
Leah Rowe e67cd17164 roms: only support SeaBIOS/SeaGRUB on x86
Never, ever build images where GRUB is the primary payload.

These options have been removed from target.cfg handling:

* seabios_withgrub
* grub_withseabios

The "payload_grub" variable now does the same thing as
the old "seabios_withgrub" variable, if set.

The "grubonly" configuration is retained, and enabled by
default when SeaGRUB is enabled (non-grubonly also available).

Due to lbmk issue #216, it is no longer Libreboot policy to
make GRUB the primary payload on any board. GRUB's sheer size
and complexity, plus the large number of memory corruption issues
similar to it that *have* been fixed over the years, tells me
that GRUB is a liability when it is the primary payload.

SeaBIOS is a much safer payload to run as primary, on x86, due
to its smaller size and much more conservative development; it
is simply far less likely to break.

If GRUB breaks in the future, the user's machine is not
bricked. This is because SeaBIOS is the default payload.

Since I no longer wish to ever provide GRUB as a primary
payload, supporting it in lbmk adds needless bloat that
will later probably break anyway due to lack of testing,
so let's just assume SeaGRUB in all cases where the user
wants to use a GRUB payload.

You can mitigate potential security issues with SeaBIOS
by disabling option ROM execution, which can be done at
runtime by inserting integers into CBFS. The SeaBIOS
documentation says how to do this.

Libreboot's GRUB hardening guide still says how to add
a bootorder file in CBFS, making SeaBIOS only load GRUB
from CBFS, and nothing else. This, combined with the
disablement of option ROM execution (if using Intel
graphics), pretty much provides the same security benefits
as GRUB-as-primary, for example when setting a GRUB password
and GPG checks, with encrypted /boot as in the hardening guide.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-22 22:57:39 +01:00
Leah Rowe 893e88bc81 roms: don't insert timeout.cfg
this is bloat, because it's something the user can already
do at runtime configuration anyway.

set it to a reasonable default of 8 seconds instead of 5,
and don't honour the timeout variable in target.cfg.

this will be documented in the next release.

Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-06-19 14:32:42 +01:00
Leah Rowe e7cb10d68b do not allow dashes in coreboot target names
Command: ./vendor download kcma-d8-rdimm_16mb

Output was:

include/lib.sh: line 115: kcma-d8-rdimm=config/vendor: No such file or directory

That will have to be audited later on, but the recent
more stringent error checking in vendor.sh triggered
this previously untriggered error message. The error
was in fact already occuring before, silently.

Anyway, mitigate by renaming all coreboot targets so
that they do not contain hyphens in the name. This
should avoid triggering errors in that eval command,
on line 115 in lib.sh

Signed-off-by: Leah Rowe <leah@libreboot.org>
2024-05-29 03:15:25 +01:00