From mboxrd@z Thu Jan 1 00:00:00 1970
From: Anthony Liguori
Subject: Re: [Qemu-devel] Re: pc-bios/bios.bin - where it comes from?
Date: Fri, 05 Mar 2010 07:51:50 -0600
Message-ID: <4B910C76.4090102@codemonkey.ws>
References: <4B903859.7070808@msgid.tls.msk.ru> <4B907F83.3060007@codemonkey.ws> <4B910978.7060003@aurel32.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: QUOTED-PRINTABLE
Cc: Michael Tokarev, "qemu-devel@nongnu.org", KVM list, Dustin Kirkland
To: Aurelien Jarno
Return-path:
Received: from qw-out-2122.google.com ([74.125.92.27]:12869 "EHLO
	qw-out-2122.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751164Ab0CENwF (ORCPT ); Fri, 5 Mar 2010 08:52:05 -0500
Received: by qw-out-2122.google.com with SMTP id 5so458661qwd.37
	for ; Fri, 05 Mar 2010 05:52:04 -0800 (PST)
In-Reply-To: <4B910978.7060003@aurel32.net>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 03/05/2010 07:39 AM, Aurelien Jarno wrote:
> Anthony Liguori wrote:
>
>> On 03/04/2010 04:46 PM, Michael Tokarev wrote:
>>
>>> Hello.
>>>
>>> There are a few bugs filed about an.. interesting
>>> behaviour. For example:
>>>
>>> http://www.mail-archive.com/kvm@vger.kernel.org/msg29834.html
>>> https://bugs.launchpad.net/qemu/+bug/513273
>>>
>>> After quite some mix-n-matching, at least on my test machine,
>>> I can say that the issue gets triggered by seabios. When
>>> using pc-bios/bios.bin everything is ok. But when using
>>> any other bios.bin, even downloading seabios-0.5.1.tar.gz
>>> and building it - on a debian lenny system anyway - by
>>> running `make', the problem triggers.
>>>
>>> I tried different versions/variations of vgabios.bin
>>> (it's only -vga std which triggers the issue so far),
>>> including 0.6b and 0.6c built from sources, vgabios.bin
>>> from debian packages (0.6b and 0.6c), and the one
>>> included in qemu-0.12.3.tar.gz. And my conclusion
>>> so far is that vgabios.bin has exactly _no_ effect on
>>> the issue.
>>>
>>> But when using bios.bin from qemu-kvm-0.12.3.tar.gz,
>>> and _only_ that bios.bin, the problem goes away.
>>>
>>>
>> pc-bios/bios.bin gets built from roms/seabios.
>>
>> We don't ship seabios 0.5.1 in 0.12.3, we ship 0.5.1-stable which is two
>> commits ahead of 0.5.1.
>>
>>
>>> So the question arises: where that pc-bios/bios.bin
>>> comes from into qemu-0.12.3.tar.gz? It is either
>>> built from some other sources (not from seabios-0.5.1),
>>> or built with some extra/different compiler/linker options,
>>> or built using different compiler/linker.
>>>
>>> This is partially confirmed on ubuntu as well, but,
>>> as far as I understand, there the behaviour is different
>>> with different versions of vgabios.
>>>
>>>
>> One of the reasons we include a git submodule and the source for the
>> bios is so that distributors don't have to deal with building the
>> packages independently. Moral of the story is, just use the source we
>> ship and don't try to be more clever than that :-)
>>
>>
> This is exactly what distributions usually fight about: same code in
> different packages, but with subtle differences. If every software was
> like that, we would not have shared libraries anymore. This is a
> nightmare at different levels, and especially at security level.
>
> We should probably interact more with the maintainers of the various
> BIOS packages (that could mean synced release),

We currently do this with SeaBIOS. But ultimately, x86 firmware is tied
very closely to the underlying hardware.

Keep in mind, this is software that runs within a guest, not in the host
environment. It's really more of a data file than anything else. It
cannot be the source of a CVE.

Regards,

Anthony Liguori

> in order to avoid this
> kind of problem. Of course it doesn't mean we should not provide the
> BIOS sources in QEMU.
>
>