Re: git: e962b37bf0ff - main - bhyve: Do not enable PCI BAR decoding if a boot ROM is present

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Sun, 08 Sep 2024 19:43:36 UTC

On Fri, Sep 06, 2024 at 04:30:07PM UTC, Shawn Webb wrote:
> On Fri, Sep 06, 2024 at 09:37:45AM UTC, John Baldwin wrote:
> > On 9/5/24 22:10, Shawn Webb wrote:
> > > Hey Mark,
> > > 
> > > This commit seems to force me to now pass "-o pci.enable_bars=true" to
> > > all my VMs on amd64. I wonder if that might be a POLA violation. I
> > > didn't realize that I needed to set that until I bisected the src
> > > tree, looking for the commit that broke bhyve for me.
> > > 
> > > Is changing the default here really worth it for amd64? If so, I'm
> > > thinking this should be in both RELNOTES and UPDATING. I now have to
> > > propagate re-enabling this across my entire infrastructure.
> > > 
> > > Thanks,
> > 
> > That should only be true if you are using an older UEFI firmware that did
> > not program BARs.  Are you seeing this on stock FreeBSD, and which version
> > of the UEFI ROM are you using?
> 
> Ah, thanks for the hint, John! My UEFI edk2 bhyve package is years out
> of date. I guess I need to pay more attention to what `pkg upgrade`
> does NOT upgrade:
> 
> hbsd-laptop-02[shawn]:/home/shawn $ pkg info | grep bhyve
> uefi-edk2-bhyve-g20210226_1,2  UEFI EDK2 firmware for bhyve
> uefi-edk2-bhyve-devel-g20190424_1 UEFI-EDK2 firmware for bhyve
> 
> hbsd-laptop-02[shawn]:/home/shawn $ pkg search bhyve
> edk2-bhyve-g202308_5           EDK2 Firmware for bhyve
> 
> I'm building some packages on my laptop right now. Once that finishes,
> I'll go ahead and upgrade to the new package, retest, and report.
> 
> If this is indeed the problem (I suspect it is), I apologize for the
> noise. Thanks, though, for the hint and the help. :-)

The issue was indeed the out-of-date EDK2 UEFI firmware. Sorry for the
noise, but thank you very much for the hint!

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc