From mboxrd@z Thu Jan  1 00:00:00 1970
From: Doug Goldstein <cardoe@cardoe.com>
Subject: Re: [PATCH v4 04/14] firmware/makefile: install BIOS
 blob ...
Date: Mon, 18 Apr 2016 15:31:27 +0100
Message-ID: <5714EFBF.2000806@cardoe.com>
References: <1457978150-27201-1-git-send-email-anthony.perard@citrix.com>
 <1457978150-27201-5-git-send-email-anthony.perard@citrix.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1554812858907186848=="
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <1457978150-27201-5-git-send-email-anthony.perard@citrix.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
 <mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
 <mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
To: Anthony PERARD <anthony.perard@citrix.com>, xen-devel@lists.xen.org
Cc: Ian Jackson <ian.jackson@eu.citrix.com>, Wei Liu <wei.liu2@citrix.com>, Stefano Stabellini <stefano.stabellini@eu.citrix.com>
List-Id: xen-devel@lists.xenproject.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============1554812858907186848==
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="8eLA8SV8TV50ifnM6COOm882wMAlhrxUm"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--8eLA8SV8TV50ifnM6COOm882wMAlhrxUm
Content-Type: multipart/mixed; boundary="TRh14iodsOsRt1mjR5Ss7G20ILRrxgpdm"
From: Doug Goldstein <cardoe@cardoe.com>
To: Anthony PERARD <anthony.perard@citrix.com>, xen-devel@lists.xen.org
Cc: Wei Liu <wei.liu2@citrix.com>, Ian Jackson <ian.jackson@eu.citrix.com>,
 Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Message-ID: <5714EFBF.2000806@cardoe.com>
Subject: Re: [Xen-devel] [PATCH v4 04/14] firmware/makefile: install BIOS blob
 ...
References: <1457978150-27201-1-git-send-email-anthony.perard@citrix.com>
 <1457978150-27201-5-git-send-email-anthony.perard@citrix.com>
In-Reply-To: <1457978150-27201-5-git-send-email-anthony.perard@citrix.com>

--TRh14iodsOsRt1mjR5Ss7G20ILRrxgpdm
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 3/14/16 5:55 PM, Anthony PERARD wrote:
> ... into the firmware directory, along with hvmloader.
>=20
> Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
> ---
> Change in V4:
> - remove install of acpi dsdt table
>=20
> Change in V3:
> - do not check if ROMs file exist before installing, they should exist
> - change rules for dsdt_anycpu_qemu_xen.c in oder to generate both .c a=
nd
>   .aml files without changing temporarly the other dsdt_*.c rules.
> ---
>  tools/firmware/Makefile | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
>=20
> diff --git a/tools/firmware/Makefile b/tools/firmware/Makefile
> index 6cc86ce..6a37758 100644
> --- a/tools/firmware/Makefile
> +++ b/tools/firmware/Makefile
> @@ -19,6 +19,9 @@ SUBDIRS-y +=3D hvmloader
> =20
>  LD32BIT-$(CONFIG_FreeBSD) :=3D LD32BIT_FLAG=3D-melf_i386_fbsd
> =20
> +SEABIOS_ROM :=3D seabios-dir/out/bios.bin
> +OVMF_ROM :=3D ovmf-dir/ovmf.bin
> +
>  ovmf-dir:
>  	GIT=3D$(GIT) $(XEN_ROOT)/scripts/git-checkout.sh $(OVMF_UPSTREAM_URL)=
 $(OVMF_UPSTREAM_REVISION) ovmf-dir
>  	cp ovmf-makefile ovmf-dir/Makefile;
> @@ -45,6 +48,16 @@ endif
>  install: all
>  	[ -d $(INST_DIR) ] || $(INSTALL_DIR) $(INST_DIR)
>  	[ ! -e $(TARGET) ] || $(INSTALL_DATA) $(TARGET) $(INST_DIR)
> +ifeq ($(CONFIG_SEABIOS),y)
> +ifeq ($(SEABIOS_PATH),)
> +	$(INSTALL_DATA) $(SEABIOS_ROM) $(INST_DIR)/seabios.bin
> +endif
> +endif
> +ifeq ($(CONFIG_OVMF),y)
> +ifeq ($(OVMF_PATH),)
> +	$(INSTALL_DATA) $(OVMF_ROM) $(INST_DIR)/ovmf.bin
> +endif
> +endif
> =20
>  .PHONY: clean
>  clean: subdirs-clean
>=20

So I'm going to toss this out there but what if we don't install these
at all? We talked about reducing the scope that the Xen Security team
had to maintain. What if we just state that SeaBIOS and/or OVMF are
dependencies? All the downstream distros don't use the pre-built
binaries from Xen and build it themselves. For plain Xen users we just
add that to the list of dependencies.

I think SeaBIOS and OVMF are a lot more low risk than something like
QEMU since they have a very clear target so they're a lot more likely to
remain stable. SeaBIOS also has a fairly low level of churn, especially
on stable branches.


Just a thought.
--=20
Doug Goldstein


--TRh14iodsOsRt1mjR5Ss7G20ILRrxgpdm--

--8eLA8SV8TV50ifnM6COOm882wMAlhrxUm
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0

iQJ8BAEBCgBmBQJXFO/CXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBNTM5MEQ2RTNFMTkyNzlCNzVDMzIwOTVB
MkJDMDNEQzg3RUQxQkQ0AAoJEKK8A9yH7RvUhvYP/jLQurQrZWkOyiMenpYLNPG1
0YIs4WY2glXxpKgSStXfjX0mKp9Ioq3i4MDzdUTpvvArad/KJZ/XytNtYl6nXpUj
eGZrjsZFPKN3rFYK34MtR4mpb2Jclxk13W/372wEI0Dc6+dojnurOF4NYL3oLnud
aMZq9F+PxgILAM9BjnolYt1IU2K0m8ExKiduM54x/0aVC4ch12OmV0OqA3Py/S0q
lauU3AmaUVGQJU07KbbZBJcXMmwiD0T0IQMgXCu2i+pwSsi3W706W8mPxdP4synQ
1KBdtHicZ1Iz4Dkxi4ZpI1KFKwI0qfB/yZPX5CsdkvJgpNUZzQY4ZX/Lel5uRJyD
YaH/JxWyIDk+GTzmAwV10M8D6fAaKZ+wiKK+Xc6Ym8l5jikX/TLydMrBl7zXbTLZ
J4eBYkYFVlOjXjrk8tqWxNif0Rgx/zVYVllCuLOgC7gpvLUVjp5H3u6MhrAikCpc
QD6M1gB5N/e3jEN74KqWfv1WpCCuOkRLHI0ubC6ouFkUfQX+cEmjoyf5BneXYLie
n9l10W4Uq2lqNqJf3PuaDLCS68vxw32ycEx8/JmmJtjMYnB0kwXzXO5nUWcLJapw
MxDLdv4TB/lbkh2m4e3GW+rcDP03ncKzPRqfJwGNTj3s2M1aSH8qBrfVhC1MW0qb
ief44aEJz4xnfdu/CDeT
=xzAF
-----END PGP SIGNATURE-----

--8eLA8SV8TV50ifnM6COOm882wMAlhrxUm--


--===============1554812858907186848==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KWGVuLWRldmVs
IG1haWxpbmcgbGlzdApYZW4tZGV2ZWxAbGlzdHMueGVuLm9yZwpodHRwOi8vbGlzdHMueGVuLm9y
Zy94ZW4tZGV2ZWwK

--===============1554812858907186848==--