212 lines
13 KiB
HTML
212 lines
13 KiB
HTML
<!doctype html>
|
|
<html>
|
|
<head>
|
|
<meta charset="UTF-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
|
<title>Hojuix</title>
|
|
<link
|
|
rel="stylesheet"
|
|
href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"
|
|
/>
|
|
<link rel="stylesheet" href="/style.css" />
|
|
<style>
|
|
p {
|
|
font-family: 'Courier New', monospace;
|
|
}
|
|
|
|
.contentBox {
|
|
/* Override padding to add more padding to the sides */
|
|
/* Was too close for comfort, kinda felt claustrophobic */
|
|
padding-left: 25px;
|
|
padding-right: 25px;
|
|
}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<div align="center">
|
|
|
|
<table class="mainBox" style="width: 95%">
|
|
<tbody>
|
|
<td class="innerBox">
|
|
<div class="contentBox">
|
|
|
|
<p align="center" style="font-size: 32px; color: CornflowerBlue;">
|
|
<u>SeaBIOS Fork</u>
|
|
</p><br>
|
|
|
|
<p style="font-size: 18px;">
|
|
This is basically some notes on my personal fork of SeaBIOS, along with explanations
|
|
on certain design choices I made.
|
|
</p><br>
|
|
|
|
<p style="font-size: 20px; color: MediumSlateBlue;">
|
|
<u>
|
|
General information
|
|
</u>
|
|
</p>
|
|
|
|
<p style="padding-left: 20px; padding-bottom: 10px; font-size: 18px;">
|
|
Please keep in mind that this is my personal fork of SeaBIOS, and is not intended
|
|
for other people to use.<br>
|
|
Although, if you so choose to, I am not going to stop you ;)<br>
|
|
Also, this SeaBIOS fork is both intended to, and has only been tested in use as
|
|
a payload for Coreboot (QEMU x86_64, Thinkpad T460s).<br>
|
|
If you are interested in either using this, or just want to see the commits/code,
|
|
it is located
|
|
<a href="https://github.com/goldenkrew3000/SeaBIOS" style="color: MediumPurple;">
|
|
here (clickable).
|
|
</a><br>
|
|
|
|
</p>
|
|
|
|
<ul style="padding-left: 20px">
|
|
<li style="color: MediumSlateBlue;"> <!-- Setting color here sets the point color -->
|
|
<p style="font-size: 20px; color: MediumSlateBlue;">
|
|
<u>
|
|
Change 1 - Security through Obscurity
|
|
</u>
|
|
</p>
|
|
</li>
|
|
<p style="padding-left: 20px; font-size: 18px;">
|
|
Now, before you even think it: Yes, I know security through obscurity is
|
|
objectively a terrible method if done alone.<br>
|
|
This change involves two subchanges, which are configurable rebranding
|
|
and hiding the boot menu key respectively.<br>
|
|
|
|
<ul>
|
|
<!-- list-style-type allows filled bullet while nested -->
|
|
<li style="color: MediumSlateBlue; list-style-type: disc;">
|
|
<p style="font-size: 18px; color: MediumSlateBlue;">
|
|
<u>
|
|
Configurable Rebranding
|
|
</u>
|
|
</p>
|
|
</li>
|
|
<p style="padding-left: 20px; font-size: 18px;">
|
|
All SeaBIOS branding can be changed at compile time using the precompiler
|
|
to use custom branding strings defined in the configuration as to hide
|
|
what the actual bootloader is. Eventually, I want to have this change to
|
|
the extent that a theoretical attacker could pull the binary, pull every
|
|
string from it, and find nothing that is identifiable as SeaBIOS.
|
|
</p>
|
|
|
|
<li style="color: MediumSlateBlue; list-style-type: disc;">
|
|
<p style="font-size: 18px; color: MediumSlateBlue;">
|
|
<u>
|
|
Hiding the boot menu key
|
|
</u>
|
|
</p>
|
|
</li>
|
|
<p style="padding-left: 20px; font-size: 18px;">
|
|
When SeaBIOS reaches to the boot menu, a message is displayed to press
|
|
a key (By default, ESC) to enter the boot menu. This change allows
|
|
changing both the boot key and boot menu message from the configuration
|
|
at compile time. This is not extremely helpful in it's current state, as it
|
|
does not greatly increase security as a theoretical attacker could just
|
|
spam every key on the keyboard until success. Although this could be
|
|
changed in the future to potentially require a key combination instead
|
|
(or even a password), greatly increasing the difficulty of booting
|
|
potentially malicious boot media.
|
|
</p>
|
|
</ul>
|
|
</p>
|
|
|
|
<br>
|
|
|
|
<li style="color: MediumSlateBlue;">
|
|
<p style="font-size: 20px; color: MediumSlateBlue;">
|
|
<u>
|
|
Change 2 - Configurable Pre-Delay and the removal of the native bootsplash
|
|
implementation
|
|
</u>
|
|
</p>
|
|
</li>
|
|
<p style="padding-left: 20px; font-size: 18px;">
|
|
First, I removed SeaBIOS's native implementation for displaying a bootsplash image,
|
|
as I could not get it to function.<br>
|
|
I also figured that the less code running, the better.<br>
|
|
Although, I still wanted a bootsplash, which leads me into my second point.<br>
|
|
I added a configurable pre-delay that delays SeaBIOS's clearing of the framebuffer
|
|
by a predetermined amount of milliseconds.<br>
|
|
This allows a set amount of time for Coreboot's bootsplash implementation to
|
|
display a boot image before displaying the boot manager.
|
|
|
|
|
|
So, I removed SeaBIOS's native implementation for displaying a bootsplash image,
|
|
as I could not get it to function (Probably due to my inability to get the
|
|
original configuration method to work, as talked about in Change 4). Although, I
|
|
still wanted a bootsplash, and Coreboot's native implementation worked really well.
|
|
I also removed SeaBIOS's implementation to remove the possibility that at some point
|
|
on some random firmware revision that it would just start working, and I would
|
|
end up with two bootsplash sequences.
|
|
|
|
|
|
Now, this introduces an issue: SeaBIOS doesn't have any method to play nicely
|
|
with Coreboot's bootsplash. So to solve this, I have added a pre-delay option
|
|
into SeaBIOS's configuration to allow the user to set a variable delay in
|
|
milliseconds just before SeaBIOS clears the framebuffer, allowing time for
|
|
Coreboot's bootsplash to display.
|
|
</p>
|
|
|
|
<br>
|
|
|
|
<li style="color: MediumSlateBlue;">
|
|
<p style="font-size: 20px; color: MediumSlateBlue;">
|
|
<u>
|
|
Change 3 - TPM support removed
|
|
</u>
|
|
</p>
|
|
</li>
|
|
<p style="padding-left: 20px; font-size: 18px;">
|
|
This might seem like a weird change, even more so considering that I live in
|
|
a country that doesn't restrict the use of TPMs (Currently, anyway).
|
|
Personally, I believe that all highly regarded secrets (Encryption keys, etc)
|
|
should be held either solely in your brain, or physically written down in
|
|
an encoded form. The TPM functionality in SeaBIOS contains a non-inconsequential
|
|
amount of code, that while it probably doesn't contain exploits, I don't use
|
|
it so I might as well remove it to lower the risk anyway.
|
|
</p>
|
|
|
|
<br>
|
|
|
|
<li style="color: MediumSlateBlue;">
|
|
<p style="font-size: 20px; color: MediumSlateBlue;">
|
|
<u>
|
|
Change 4 - New configuration scheme
|
|
</u>
|
|
</p>
|
|
</li>
|
|
<p style="padding-left: 20px; font-size: 18px;">
|
|
This is by far the largest change in this fork.<br>
|
|
Instead of SeaBIOS being configured through a file-based scheme from CBFS,
|
|
it is now configured in a header file before compilation.<br>
|
|
I did this because personally I found configuring SeaBIOS to be extremely
|
|
confusing, and I couldn't even get it to work properly.<br>
|
|
The new configuration file is in src/rf_config.h.<br>
|
|
Now, you might ask, why rf_config.h. Well, it's name comes from the previous
|
|
functions used to fetch configuration values, which were romfile_*().<br>
|
|
</p>
|
|
</ul>
|
|
|
|
</div>
|
|
</td>
|
|
</tbody>
|
|
</table>
|
|
|
|
<!-- Add some information on the bottom left and right outside the box -->
|
|
<div style="width: 95%">
|
|
<p align="left" style="display: inline-block; width: 33%">
|
|
Document version 1
|
|
</p>
|
|
<p align="center" style="display: inline-block; width: 33%">
|
|
Copyright (C) Goldenkrew3000 2026
|
|
</p>
|
|
<p align="right" style="display: inline-block; width: 33%">
|
|
Last edited 2026/02/21
|
|
</p>
|
|
</div>
|
|
|
|
</div>
|
|
</body>
|
|
</html>
|