From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from blyat.fensystems.co.uk (blyat.fensystems.co.uk [54.246.183.96]) by mx.groups.io with SMTP id smtpd.web08.1116.1613765542206214449 for ; Fri, 19 Feb 2021 12:12:23 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: ipxe.org, ip: 54.246.183.96, mailfrom: mcb30@ipxe.org) Received: from dolphin.home (unknown [IPv6:2a00:23c6:5495:5e00:72b3:d5ff:feb1:e101]) by blyat.fensystems.co.uk (Postfix) with ESMTPSA id 45745440FE; Fri, 19 Feb 2021 20:12:18 +0000 (UTC) Subject: Re: [edk2-devel] EfiRom vs. iPXE usability note To: devel@edk2.groups.io, lersek@redhat.com, iPXE devel list References: From: "Michael Brown" Message-ID: <940d8ccb-c493-0eff-2152-bc3e605389ab@ipxe.org> Date: Fri, 19 Feb 2021 20:12:17 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on blyat.fensystems.co.uk Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit On 19/02/2021 17:33, Laszlo Ersek wrote: > The PCI Firmware Spec does not seem to specify a particular "checksum > byte" in the option ROM format, it only seems to state that the bytes in > the option ROM must sum to zero. > > This (apparently) allows option ROM providers to implement different > schemes for placing the checksum byte. > > When talking about traditional BIOS ROMs, EfiRom considers the last byte > in the image the checksum byte. The assumption is that the last byte is > padding anyway, so it can be repurposed as a checksum byte. > > On the other hand, iPXE's "util/catrom.pl", or more precisely, > "util/Option/ROM.pm", considers byte#6 -- a reserved byte -- in the PCI > Expansion ROM Header the checksum byte. > > iPXE's choice is arguably safer, because it does not assume any > particular padding at the end of the traditional ROM BIOS image that > could be stolen as checksum byte. Thank you for sharing this. It made me curious as to the reason why we use that byte for the checksum. As far as I can tell, it dates back to at least the ISA-era Plug and Play BIOS Specification v1.0a, which defines the option ROM header as including a 4-byte "initialization vector" occupying bytes 3-6 inclusive, with the comment: The field is four bytes wide even though most implementations may adhere to the custom of defining a simple three byte NEAR JMP. The definition of the fourth byte may be OEM specific. So, iPXE is safe to choose to use offset 6 as the checksum byte for any iPXE ROM images, knowing that future specification versions could not define an alternative use for this byte. > However, iPXE's "util/efirom" tool, which converts *.efidrv to *.efirom, > doesn't seem to offer "EFI compression", while EfiRom does (-ec option). > For QEMU live-migration compatibility, we further pad the *combined* ROM > images, currently to 256 KB. Abandoning EFI compression would eat up > approx. 80KB suddenly, and nearly exhaust our current padding. Hence the > above "hybrid" approach, where we retain EfiRom for the EFI > compression's sake, but use "util/catrom.pl" for combining the images. That part, at least, I can fix: https://github.com/ipxe/ipxe/pull/268 iPXE now produces compressed EFI ROM images by default. Thank you for pushing me to do this! > Assuming my reading of the PCI Firmware Spec is correct, I think that > not specifying a particular checksum byte, in the various headers, was a > mistake in the spec. It's difficult to combine ROMs of different origins > into a multi-ROM image, like this. I concur with this interpretation. As far as I can tell, there is no general solution for updating the checksum that is guaranteed to work on arbitrary BIOS ROM images. As the closest thing to the OEM for iPXE: please consider this email to be the PnP "OEM specific" definition of the byte at offset 6 of the expansion ROM header as being the checksum byte for any iPXE ROMs. Tools working on _iPXE_ BIOS ROM images may update this byte as needed. Thanks, Michael