Re: [PATCH] firmware: export x86_64 platform flash bios region via sysfs

From: Richard Hughes
Date: Thu Nov 11 2021 - 08:22:46 EST


On Thu, 11 Nov 2021 at 13:01, Mika Westerberg
<mika.westerberg@xxxxxxxxxxxxxxx> wrote:
> I'm not sure I understand why the platform security needs to be turned off?

Sorry to be unclear, I meant we had to turn off Secure Boot (and thus
also kernel lockdown) so that we could use /dev/mem to verify that
OEMs have set up the IFD, BLE, BIOSWP etc correctly. You'd be
surprised just how many vendors don't read the specifications
correctly and get this wrong. We also need port IO to use the
intel-spi driver so we can parse the BIOS contents from userspace,
which you can't obviously do when SB is turned off. The eSPI
controller is hidden on some hardware now, and we need to play games
to make it visible again.

> I think exposing /dev/mem opens another can of worms that we want to
> avoid.

Ohh it's not all of /dev/mem, it's just the 16MB BIOS region that has
to be mapped at that address for the hardware to boot.

> Don't we already expose some of the EFI stuff under /sys/firmware?

Yes, some information, but not the file volumes themselves. I don't
think the kernel wants to be in the game of supporting every nested
container and compression format that EFI supports. It's also the
wrong layer to expose platform attributes like BLE, but that's an
orthogonal thing to the patch Hans-Gert is proposing.

> I just don't want to
> spend yet another Christmas holiday trying to fix angry peoples laptops :(

Completely understood, I don't think any of us want that.

> Having said that the hardware sequencer used in the recent CPUs should
> be much safer in that sense.

FWIW, I'd be fine if we had RO access for HWSEQ flash access only. If
I understood correctly that's what Mauro proposed (with a patch) and
instead was told that it was being rewritten as a mtd driver
completion time unknown.

Richard.