loader: Document that WITH_BEARSSL may need other tweaks

/boot/loader is right up aginst the 500k limit we have to make sure everything works in a wide variety of environments. However, adding WITH_BEARSSL can push it over the edge since we are so close to the limit with it enabled. One may also need to increase LOADERSIZE when enabling it. It's often safe to go much higher, especially when you don't plan on using pxeldr. Document this trade off here. MFC After: 3 days Sponsored by: Netflix Reviewed by: sjg, markj Differential Revision: https://reviews.freebsd.org/D46211
2024-11-30 08:43:23 +00:00 · 2024-08-05 15:16:37 -06:00 · 2024-08-05 15:16:37 -06:00 · 7ee781e2bf
commit 7ee781e2bf
parent 093d9b46f4
2 changed files with 21 additions and 0 deletions
--- a/tools/build/options/WITH_BEARSSL
+++ b/tools/build/options/WITH_BEARSSL
@ -8,3 +8,22 @@ This library is currently only used to perform
 signature verification and related operations
 for Verified Exec and
 .Xr loader 8 .
+.Pp
+Due to size constraints, one may need to set
+.Va LOADERSIZE
+larger than the
+default 500000, although often loader is under the 500k limit even with
+this option.
+Setting
+.Va LOADERSIZE
+larger than 500000 may cause
+.Xr pxeboot 8
+to be too large to work.
+Careful testing of the loader in the target environment when built with a larger
+limit to establish safe limits is critical because different BIOS environments
+reserve differing amounts of the low 640k space, making a precise limit for
+everybody impossible.
+.Pp
+See also
+.Va WITH_LOADER_PXEBOOT
+for other considerations.
--- a/tools/build/options/WITH_LOADER_VERIEXEC
+++ b/tools/build/options/WITH_LOADER_VERIEXEC
@ -4,3 +4,5 @@ with support for verification similar to Verified Exec.
 .Pp
 Depends on
 .Va WITH_BEARSSL .
+May require a larger
+.Va LOADERSIZE .