Quest to reduce firmware size
Hello guys/gals
There are tickets opened to:
- remove networking (#564), with a corresponding PR attempt to remove networking with cleanup (#572), while cryptsetup seemed to depend on CONFIG_NET and some explicit crypto modules in the past (#79); putting `CONFIG_LINUX_E1000E=n` in the board config liberates 295688 bytes. @merge: Is that enough?
- reduce libslang.so.2 footprint (#517)
- reduce kernel crypto footprint (what ticket?)
The priorities should be, see below for binaries/libraries footprints:
- [ ] Reduce libgcrypt.so.20 footprint (1145176 uncompressed bytes)
- [ ] Reduce lvm footprint (1599032 uncompressed bytes)
- [ ] Reduce gpg footprint (869568 uncompressed bytes)
- [ ] libcairo.so.2 footprint (851968 uncompressed bytes)
- [ ] libpixman-1.so.0 footprint (667048 uncompressed bytes)
EDIT: one-liner to decompress and differentiate build space
To help in finding consumed space, here is what I do.
```sh
make BOARD=x230
cd build/x230/
xz --decompress initrd.cpio.xz
cpio --extract < initrd.cpio
cpio --extract < heads.cpio
cpio --extract < modules.cpio
find . -type f -ls | sort -r -n -k7
```
```
789884 12288 -rw-r--r-- 1 user user 12582912 Jun 28 13:00 ./coreboot.rom
789885 11912 -rw-r--r-- 1 user user 12212224 Jun 28 13:00 ./initrd.cpio
789821 10648 -rw-r--r-- 1 user user 10903552 Jun 28 13:00 ./tools.cpio
789880 2868 -rw-r--r-- 1 user user 2936832 Jun 28 12:59 ./bzImage
789986 1564 -rwx------ 1 user user 1599032 Jun 28 13:01 ./bin/lvm
790106 1120 -rwx------ 1 user user 1145176 Jun 28 13:01 ./lib/libgcrypt.so.20
789881 968 -rw-r--r-- 1 user user 989696 Jun 28 12:59 ./modules.cpio
789943 852 -rwx------ 1 user user 869568 Jun 28 13:01 ./bin/gpg
790103 832 -rwx------ 1 user user 851968 Jun 28 13:01 ./lib/libcairo.so.2
790113 652 -rwx------ 1 user user 667048 Jun 28 13:01 ./lib/libpixman-1.so.0
790102 556 -rwx------ 1 user user 568680 Jun 28 13:01 ./lib/libc.so
789938 480 -rwx------ 1 user user 490640 Jun 28 13:01 ./bin/flashrom
789900 476 -rwx------ 1 user user 486024 Jun 28 13:01 ./bin/busybox
790018 384 -rwx------ 1 user user 391760 Jun 28 13:01 ./bin/scdaemon
789944 352 -rwx------ 1 user user 359960 Jun 28 13:01 ./bin/gpg-agent
790117 328 -rwx------ 1 user user 332504 Jun 28 13:01 ./lib/libtpm.so
790105 320 -rwx------ 1 user user 324784 Jun 28 13:01 ./lib/libdevmapper.so.1.02
789882 316 -rw-r--r-- 1 user user 321024 Jun 28 13:00 ./heads.cpio
790109 312 -rwx------ 1 user user 318464 Jun 28 13:01 ./lib/libmbedcrypto.so.0
790123 292 -rw------- 1 user user 295688 Jun 28 13:01 ./lib/modules/e1000e.ko
790108 216 -rwx------ 1 user user 217192 Jun 28 13:01 ./lib/libksba.so.8
790114 200 -rwx------ 1 user user 201096 Jun 28 13:01 ./lib/libpng16.so.16
789925 180 -rwx------ 1 user user 180960 Jun 28 13:01 ./bin/dropbear
790037 172 -rwx------ 1 user user 172544 Jun 28 13:01 ./bin/ssh
790127 168 -rw------- 1 user user 170512 Jun 28 13:01 ./lib/modules/mmc_core.ko
790131 160 -rw------- 1 user user 160792 Jun 28 13:01 ./lib/modules/xhci-hcd.ko
789960 156 -rwx------ 1 user user 158952 Jun 28 13:01 ./bin/kexec
790104 156 -rwx------ 1 user user 155744 Jun 28 13:01 ./lib/libcryptsetup.so.4
789924 132 -rwx------ 1 user user 133216 Jun 28 13:01 ./bin/dmsetup
790130 132 -rw------- 1 user user 132520 Jun 28 13:01 ./lib/modules/usb-storage.ko
790051 124 -rwx------ 1 user user 122992 Jun 28 13:01 ./bin/tpm
790107 120 -rwx------ 1 user user 120024 Jun 28 13:01 ./lib/libgpg-error.so.0
790097 108 -rw------- 1 user user 108800 Jun 28 13:01 ./etc/wordlist_en_eff.txt
790121 108 -rwx------ 1 user user 107512 Jun 28 13:01 ./lib/libz.so.1
790119 96 -rwx------ 1 user user 98064 Jun 28 13:01 ./lib/libusb-1.0.so.0
789983 76 -rwx------ 1 user user 73920 Jun 28 13:01 ./bin/lspci
790101 72 -rwx------ 1 user user 73416 Jun 28 13:01 ./lib/libassuan.so.0
790124 68 -rw------- 1 user user 66208 Jun 28 13:01 ./lib/modules/ehci-hcd.ko
789914 64 -rwx------ 1 user user 62680 Jun 28 13:01 ./bin/cryptsetup-reencrypt
789913 56 -rwx------ 1 user user 55760 Jun 28 13:01 ./bin/cryptsetup
790129 52 -rw------- 1 user user 53136 Jun 28 13:01 ./lib/modules/sdhci.ko
790004 52 -rwx------ 1 user user 52520 Jun 28 13:01 ./bin/pinentry-tty
790126 52 -rw------- 1 user user 49352 Jun 28 13:01 ./lib/modules/mmc_block.ko
789934 48 -rwx------ 1 user user 49032 Jun 28 13:01 ./bin/fbwhiptail
790112 48 -rwx------ 1 user user 48672 Jun 28 13:01 ./lib/libpci.so.3.5.4
790111 48 -rwx------ 1 user user 48672 Jun 28 13:01 ./lib/libpci.so.3
790115 48 -rwx------ 1 user user 45160 Jun 28 13:01 ./lib/libpopt.so.0
790116 44 -rwx------ 1 user user 43864 Jun 28 13:01 ./lib/libqrencode.so.3
790128 40 -rw------- 1 user user 38104 Jun 28 13:01 ./lib/modules/sdhci-pci.ko
790089 36 -rwx------ 1 user user 35654 Jun 28 13:01 ./etc/functions
790068 32 -rwx------ 1 user user 29584 Jun 28 13:01 ./bin/veritysetup
789977 32 -rwx------ 1 user user 29568 Jun 28 13:01 ./bin/libremkey_hotp_verification
789906 24 -rwx------ 1 user user 23696 Jun 28 13:01 ./bin/cbmem
789940 24 -rwx------ 1 user user 21064 Jun 28 13:01 ./bin/flashtool
790019 20 -rwx------ 1 user user 20400 Jun 28 13:01 ./bin/scp
790087 20 -rw------- 1 user user 19992 Jun 28 13:01 ./etc/distro/keys/tails.key
790118 20 -rwx------ 1 user user 18800 Jun 28 13:01 ./lib/libusb-0.1.so.4
789949 20 -rwx------ 1 user user 16936 Jun 28 13:01 ./bin/gui-init
789904 16 -rwx------ 1 user user 15368 Jun 28 13:01 ./bin/cbfs
790110 16 -rwx------ 1 user user 14912 Jun 28 13:01 ./lib/libnpth.so.0
790056 16 -rwx------ 1 user user 14464 Jun 28 13:01 ./bin/uefi
790120 16 -rwx------ 1 user user 13984 Jun 28 13:01 ./lib/libuuid.so.1
790085 16 -rw------- 1 user user 12413 Jun 28 13:01 ./etc/distro/keys/fedora.key
789879 12 -rw-r--r-- 1 user user 11225 Jun 28 13:00 ./hashes.txt
790007 12 -rwx------ 1 user user 10776 Jun 28 13:01 ./bin/poke
790125 12 -rw------- 1 user user 10592 Jun 28 13:01 ./lib/modules/ehci-pci.ko
790132 12 -rw------- 1 user user 10456 Jun 28 13:01 ./lib/modules/xhci-pci.ko
789931 12 -rwx------ 1 user user 10409 Jun 28 13:01 ./bin/factory-reset-libremkey.sh
789969 12 -rwx------ 1 user user 10093 Jun 28 13:01 ./bin/kexec-select-boot
789945 12 -rwx------ 1 user user 8780 Jun 28 13:01 ./bin/gpg-gui.sh
790014 12 -rwx------ 1 user user 8581 Jun 28 13:01 ./bin/reencrypt-luks
789966 8 -rwx------ 1 user user 7944 Jun 28 13:01 ./bin/kexec-save-default
790002 8 -rwx------ 1 user user 7872 Jun 28 13:01 ./bin/peek
789993 8 -rwx------ 1 user user 7556 Jun 28 13:01 ./bin/mount-sdcard
790049 8 -rwx------ 1 user user 7448 Jun 28 13:01 ./bin/totp
789957 8 -rwx------ 1 user user 7064 Jun 28 13:01 ./bin/hotp
789896 8 -rwx------ 1 user user 6832 Jun 28 13:01 ./bin/base32
790011 8 -rwx------ 1 user user 5304 Jun 28 13:01 ./bin/qrenc
789968 8 -rwx------ 1 user user 4972 Jun 28 13:01 ./bin/kexec-seal-key
789994 8 -rwx------ 1 user user 4185 Jun 28 13:01 ./bin/mount-usb
789965 4 -rwx------ 1 user user 3654 Jun 28 13:01 ./bin/kexec-parse-boot
790098 4 -rwx------ 1 user user 3622 Jun 28 13:01 ./init
789910 4 -rwx------ 1 user user 3329 Jun 28 13:01 ./bin/config-gui.sh
789961 4 -rwx------ 1 user user 3099 Jun 28 13:01 ./bin/kexec-boot
790020 4 -rwx------ 1 user user 2753 Jun 28 13:01 ./bin/seal-libremkey
789970 4 -rwx------ 1 user user 2628 Jun 28 13:01 ./bin/kexec-sign-config
789962 4 -rwx------ 1 user user 2379 Jun 28 13:01 ./bin/kexec-insert-key
789937 4 -rwx------ 1 user user 2107 Jun 28 13:01 ./bin/flash.sh
789936 4 -rwx------ 1 user user 2077 Jun 28 13:01 ./bin/flash-gui.sh
790066 4 -rwx------ 1 user user 2070 Jun 28 13:01 ./bin/usb-scan
789964 4 -rwx------ 1 user user 2033 Jun 28 13:01 ./bin/kexec-parse-bls
790021 4 -rwx------ 1 user user 2027 Jun 28 13:01 ./bin/seal-totp
790061 4 -rwx------ 1 user user 1839 Jun 28 13:01 ./bin/unseal-hotp
789883 4 -rw------- 1 user user 1748 Jun 28 13:01 ./.ash_history
789967 4 -rwx------ 1 user user 1689 Jun 28 13:01 ./bin/kexec-save-key
790086 4 -rw------- 1 user user 1629 Jun 28 13:01 ./etc/distro/keys/qubes-4.key
789921 4 -rwx------ 1 user user 1552 Jun 28 13:01 ./bin/diceware.sh
789963 4 -rwx------ 1 user user 1375 Jun 28 13:01 ./bin/kexec-iso-init
790134 4 -rwx------ 1 user user 1373 Jun 28 13:01 ./mount-boot
789941 4 -rwx------ 1 user user 1299 Jun 28 13:01 ./bin/generic-init
789971 4 -rwx------ 1 user user 1119 Jun 28 13:01 ./bin/kexec-unseal-key
790151 4 -rwx------ 1 user user 1000 Jun 28 13:01 ./sbin/insmod
790052 4 -rwx------ 1 user user 983 Jun 28 13:01 ./bin/tpm-reset
789976 4 -rwx------ 1 user user 965 Jun 28 13:01 ./bin/libremkey_hotp_initialize
790140 4 -rwx------ 1 user user 922 Jun 28 13:01 ./sbin/config-dhcp.sh
789972 4 -rwx------ 1 user user 875 Jun 28 13:01 ./bin/key-init
789905 4 -rwx------ 1 user user 799 Jun 28 13:01 ./bin/cbfs-init
790082 4 -rw------- 1 user user 736 Jun 28 13:01 ./etc/config
789997 4 -rwx------ 1 user user 675 Jun 28 13:01 ./bin/network-init-recovery
790057 4 -rwx------ 1 user user 661 Jun 28 13:01 ./bin/uefi-init
790062 4 -rwx------ 1 user user 634 Jun 28 13:01 ./bin/unseal-totp
790074 4 -rwx------ 1 user user 574 Jun 28 13:01 ./bin/x230-flash.init
790012 4 -rwx------ 1 user user 366 Jun 28 13:01 ./bin/qubes-measure-luks
789939 4 -rwx------ 1 user user 360 Jun 28 13:01 ./bin/flashrom-kgpe-d16-openbmc.sh
790092 4 -rwx------ 1 user user 340 Jun 28 13:01 ./etc/keylime-init
790072 4 -rwx------ 1 user user 320 Jun 28 13:01 ./bin/wget-measure.sh
790013 4 -rwx------ 1 user user 258 Jun 28 13:01 ./bin/reboot
790065 4 -rwx------ 1 user user 220 Jun 28 13:01 ./bin/usb-init
790008 4 -rwx------ 1 user user 205 Jun 28 13:01 ./bin/poweroff
790088 4 -rw------- 1 user user 197 Jun 28 13:01 ./etc/fstab
790093 4 -rw------- 1 user user 174 Jun 28 13:01 ./etc/motd
789946 4 -rwx------ 1 user user 106 Jun 28 13:01 ./bin/gpgv
789888 4 -rw------- 1 user user 73 Jun 28 13:01 ./.gnupg/gpg-agent.conf
789920 4 -rwx------ 1 user user 62 Jun 28 13:01 ./bin/diceware-eff.sh
790073 4 -rwx------ 1 user user 35 Jun 28 13:01 ./bin/whiptail
790096 4 -rw------- 1 user user 27 Jun 28 13:01 ./etc/shells
790095 4 -rw------- 1 user user 27 Jun 28 13:01 ./etc/passwd
790091 4 -rw------- 1 user user 20 Jun 28 13:01 ./etc/hosts
790090 4 -rw------- 1 user user 10 Jun 28 13:01 ./etc/group
789889 4 -rw------- 1 user user 10 Jun 28 13:01 ./.gnupg/gpg.conf
```
A few other ideas:
- Clean up board-specific files from other devices. (Example: flashrom-kgpe-d16-openbmc.sh is present in X230 builds, x230-flash.init being in main X230 or on Chell Chromebook). This change will likely need to happen during the build process.
- Move flash definitions from flash.sh to the board config files. As we support more boards, this will be critical, as all maintained boards are presently defined in flash.sh, and as this project supports more and more boards, flash.sh will get larger and larger. I've started work on this.
These may not be as high priority as other changes, but ones to certainly look at to help reduce firmware size, especially as the project grows.
@SebastianMcMillan: Those are good cleanup ideas, but unfortunately they will not impact initrd.cpio.xz (including heads.cpio and tools.cpio), those text files being highly compressed.
The problem lies in binaries, not highly compressed under initrd.cpio.xz.
This article (or the series it comes from) may yield some inspiration: https://lwn.net/Articles/748198/ Edit: this one is probably more useful https://lwn.net/Articles/741494/
Solution lies in #307
@zaolin pointed out:
> Update: Getting rid of libgcrypt and a replacement for gpg would be a good way to save 2MB in total. See https://sequoia-pgp.org/ as an alternative.
@zaolin: Unfortunately, there is no smartcard support in sequoia-pgp ATM, which Heads relies on for verified /boot integrity.
@tlaurion ask them for support, they should have basic support for it. They are on IRC #sequoia at Freenode
Here we go again, since
- #710 would require newer versions of gpg toolchain, which won't fit in actual x230 board config. EDIT: it actually fitted.
- #709 non neutered ME board configs lack around 300k to fit VBOOT in.
To troubleshoot:
```sh
make BOARD=x230
cd build/x230
xz -d initrd.cpio.xz ; for i in initrd.cpio modules.cpio tools.cpio heads.cpio; do cpio -i < $i; done && find . -type f -ls | sort -r -n -k7 | grep -v cpio
```
Output:
28192 2956 -rw-r--r-- 1 user user 3023312 May 3 12:25 ./bzImage
61393 1592 -rwx------ 1 user user 1627856 May 3 12:45 ./bin/lvm
61507 1132 -rwx------ 1 user user 1156424 May 3 12:45 ./lib/libgcrypt.so.20
61352 892 -rwx------ 1 user user 911264 May 3 12:45 ./bin/gpg
61504 740 -rwx------ 1 user user 757232 May 3 12:45 ./lib/libcairo.so.2
61515 652 -rwx------ 1 user user 666216 May 3 12:45 ./lib/libpixman-1.so.0
61502 584 -rwx------ 1 user user 596544 May 3 12:45 ./lib/libc.so
61347 556 -rwx------ 1 user user 568264 May 3 12:45 ./bin/flashrom
61313 472 -rwx------ 1 user user 483160 May 3 12:45 ./bin/busybox
61424 400 -rwx------ 1 user user 407784 May 3 12:45 ./bin/scdaemon
61353 368 -rwx------ 1 user user 376024 May 3 12:45 ./bin/gpg-agent
61519 332 -rwx------ 1 user user 339304 May 3 12:45 ./lib/libtpm.so
61506 328 -rwx------ 1 user user 333240 May 3 12:45 ./lib/libdevmapper.so.1.02
61511 320 -rwx------ 1 user user 325104 May 3 12:45 ./lib/libmbedcrypto.so.0
61524 300 -rw------- 1 user user 304272 May 3 12:45 ./lib/modules/e1000e.ko
61510 224 -rwx------ 1 user user 227696 May 3 12:45 ./lib/libksba.so.8
61516 204 -rwx------ 1 user user 207912 May 3 12:45 ./lib/libpng16.so.16
61335 184 -rwx------ 1 user user 184824 May 3 12:45 ./bin/dropbear
61442 176 -rwx------ 1 user user 176408 May 3 12:45 ./bin/ssh
61369 168 -rwx------ 1 user user 170984 May 3 12:45 ./bin/kexec
61528 160 -rw------- 1 user user 159840 May 3 12:45 ./lib/modules/xhci-hcd.ko
61505 156 -rwx------ 1 user user 159000 May 3 12:45 ./lib/libcryptsetup.so.4
61334 136 -rwx------ 1 user user 137464 May 3 12:45 ./bin/dmsetup
61527 132 -rw------- 1 user user 132360 May 3 12:45 ./lib/modules/usb-storage.ko
61509 128 -rwx------ 1 user user 130000 May 3 12:45 ./lib/libgpg-error.so.0
61456 124 -rwx------ 1 user user 126584 May 3 12:45 ./bin/tpm
61523 108 -rwx------ 1 user user 108832 May 3 12:45 ./lib/libz.so.1
61521 96 -rwx------ 1 user user 96896 May 3 12:45 ./lib/libusb-1.0.so.0
61501 76 -rwx------ 1 user user 76736 May 3 12:45 ./lib/libassuan.so.0
61390 72 -rwx------ 1 user user 73600 May 3 12:45 ./bin/lspci
61525 64 -rw------- 1 user user 64800 May 3 12:45 ./lib/modules/ehci-hcd.ko
61326 64 -rwx------ 1 user user 62328 May 3 12:45 ./bin/cryptsetup-reencrypt
61325 60 -rwx------ 1 user user 59144 May 3 12:45 ./bin/cryptsetup
61514 52 -rwx------ 1 user user 52272 May 3 12:45 ./lib/libpci.so.3.5.4
61513 52 -rwx------ 1 user user 52272 May 3 12:45 ./lib/libpci.so.3
61411 52 -rwx------ 1 user user 52200 May 3 12:45 ./bin/pinentry-tty
61343 52 -rwx------ 1 user user 51616 May 3 12:45 ./bin/fbwhiptail
61517 48 -rwx------ 1 user user 48088 May 3 12:45 ./lib/libpopt.so.0
61518 48 -rwx------ 1 user user 47448 May 3 12:45 ./lib/libqrencode.so.3
61473 32 -rwx------ 1 user user 32560 May 3 12:45 ./bin/veritysetup
61319 28 -rwx------ 1 user user 27048 May 3 12:45 ./bin/cbmem
61425 24 -rwx------ 1 user user 22664 May 3 12:45 ./bin/scp
61349 24 -rwx------ 1 user user 22432 May 3 12:45 ./bin/flashtool
61488 20 -rw------- 1 user user 19992 May 3 12:45 ./etc/distro/keys/tails.key
61495 20 -rw------- 1 user user 18852 May 3 12:45 ./etc/oem/keys/insurgo.key
61520 20 -rwx------ 1 user user 18464 May 3 12:45 ./lib/libusb-0.1.so.4
61317 20 -rwx------ 1 user user 18352 May 3 12:45 ./bin/cbfs
61461 20 -rwx------ 1 user user 18320 May 3 12:45 ./bin/uefi
61358 16 -rwx------ 1 user user 14657 May 3 12:45 ./bin/gui-init
61522 16 -rwx------ 1 user user 14656 May 3 12:45 ./lib/libuuid.so.1
61512 16 -rwx------ 1 user user 14552 May 3 12:45 ./lib/libnpth.so.0
61414 16 -rwx------ 1 user user 14200 May 3 12:45 ./bin/poke
61407 12 -rwx------ 1 user user 12056 May 3 12:45 ./bin/oem-factory-reset
61486 12 -rw------- 1 user user 10955 May 3 12:45 ./etc/distro/keys/fedora.key
61526 12 -rw------- 1 user user 10728 May 3 12:45 ./lib/modules/ehci-pci.ko
61529 12 -rw------- 1 user user 10568 May 3 12:45 ./lib/modules/xhci-pci.ko
61409 12 -rwx------ 1 user user 10096 May 3 12:45 ./bin/peek
61309 12 -rwx------ 1 user user 10088 May 3 12:45 ./bin/base32
100 12 -rw-r--r-- 1 user user 10056 May 3 12:39 ./hashes.txt
61454 12 -rwx------ 1 user user 10048 May 3 12:45 ./bin/totp
61366 12 -rwx------ 1 user user 10024 May 3 12:45 ./bin/hotp
61378 12 -rwx------ 1 user user 9894 May 3 12:45 ./bin/kexec-select-boot
61354 12 -rwx------ 1 user user 9681 May 3 12:45 ./bin/gpg-gui.sh
61490 8 -rwx------ 1 user user 8173 May 3 12:45 ./etc/functions
61322 8 -rwx------ 1 user user 5924 May 3 12:45 ./bin/config-gui.sh
61418 8 -rwx------ 1 user user 5912 May 3 12:45 ./bin/qrenc
61377 8 -rwx------ 1 user user 4178 May 3 12:45 ./bin/kexec-seal-key
61345 4 -rwx------ 1 user user 4074 May 3 12:45 ./bin/flash-gui.sh
61374 4 -rwx------ 1 user user 3654 May 3 12:45 ./bin/kexec-parse-boot
61375 4 -rwx------ 1 user user 3364 May 3 12:45 ./bin/kexec-save-default
61498 4 -rwx------ 1 user user 3322 May 3 12:45 ./init
61370 4 -rwx------ 1 user user 3099 May 3 12:45 ./bin/kexec-boot
61400 4 -rwx------ 1 user user 3043 May 3 12:45 ./bin/mount-usb
61426 4 -rwx------ 1 user user 2717 May 3 12:45 ./bin/seal-libremkey
61371 4 -rwx------ 1 user user 2344 May 3 12:45 ./bin/kexec-insert-key
61471 4 -rwx------ 1 user user 2130 May 3 12:45 ./bin/usb-scan
61373 4 -rwx------ 1 user user 2033 May 3 12:45 ./bin/kexec-parse-bls
61427 4 -rwx------ 1 user user 2027 May 3 12:45 ./bin/seal-totp
61466 4 -rwx------ 1 user user 1838 May 3 12:45 ./bin/unseal-hotp
61346 4 -rwx------ 1 user user 1724 May 3 12:45 ./bin/flash.sh
61376 4 -rwx------ 1 user user 1677 May 3 12:45 ./bin/kexec-save-key
61487 4 -rw------- 1 user user 1629 May 3 12:45 ./etc/distro/keys/qubes-4.key
61379 4 -rwx------ 1 user user 1407 May 3 12:45 ./bin/kexec-sign-config
61372 4 -rwx------ 1 user user 1375 May 3 12:45 ./bin/kexec-iso-init
61530 4 -rwx------ 1 user user 1373 May 3 12:45 ./mount-boot
61350 4 -rwx------ 1 user user 1299 May 3 12:45 ./bin/generic-init
60093 4 -rw------- 1 user user 1247 May 3 12:45 ./.ash_history
61380 4 -rwx------ 1 user user 1044 May 3 12:45 ./bin/kexec-unseal-key
61546 4 -rwx------ 1 user user 1000 May 3 12:45 ./sbin/insmod
61535 4 -rwx------ 1 user user 922 May 3 12:45 ./sbin/config-dhcp.sh
61318 4 -rwx------ 1 user user 799 May 3 12:45 ./bin/cbfs-init
61381 4 -rwx------ 1 user user 770 May 3 12:45 ./bin/key-init
61485 4 -rw------- 1 user user 700 May 3 12:45 ./etc/config
61457 4 -rwx------ 1 user user 694 May 3 12:45 ./bin/tpm-reset
61403 4 -rwx------ 1 user user 675 May 3 12:45 ./bin/network-init-recovery
61462 4 -rwx------ 1 user user 661 May 3 12:45 ./bin/uefi-init
61467 4 -rwx------ 1 user user 634 May 3 12:45 ./bin/unseal-totp
61479 4 -rwx------ 1 user user 574 May 3 12:45 ./bin/x230-flash.init
61419 4 -rwx------ 1 user user 366 May 3 12:45 ./bin/qubes-measure-luks
61348 4 -rwx------ 1 user user 360 May 3 12:45 ./bin/flashrom-kgpe-d16-openbmc.sh
61477 4 -rwx------ 1 user user 320 May 3 12:45 ./bin/wget-measure.sh
61420 4 -rwx------ 1 user user 258 May 3 12:45 ./bin/reboot
61470 4 -rwx------ 1 user user 220 May 3 12:45 ./bin/usb-init
61415 4 -rwx------ 1 user user 205 May 3 12:45 ./bin/poweroff
61489 4 -rw------- 1 user user 197 May 3 12:45 ./etc/fstab
61493 4 -rw------- 1 user user 174 May 3 12:45 ./etc/motd
61355 4 -rwx------ 1 user user 106 May 3 12:45 ./bin/gpgv
60437 4 -rw------- 1 user user 73 May 3 12:45 ./.gnupg/gpg-agent.conf
61478 4 -rwx------ 1 user user 35 May 3 12:45 ./bin/whiptail
61497 4 -rw------- 1 user user 27 May 3 12:45 ./etc/shells
61496 4 -rw------- 1 user user 27 May 3 12:45 ./etc/passwd
61492 4 -rw------- 1 user user 20 May 3 12:45 ./etc/hosts
61491 4 -rw------- 1 user user 10 May 3 12:45 ./etc/group
61303 4 -rw------- 1 user user 10 May 3 12:45 ./.gnupg/gpg.conf
A public build showing that not moving along with this actual ticket or with #703 is breaking x230 support and 12Mb boards altogether, Heads having become too big.
@flammit: This build will fail at coreboot integration of cpios (CBFS region not being big enough), but artifacts will include initrd.cpio.xz, heads.cpio, tools.cpio and modules.cpio for others to see the limit and dead end we are now facing.
Now what?
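The extraction steps in the first post and the "To troubleshoot" one-liner above both rank files by uncompressed size, while what actually costs CBFS room is how well each file compresses inside initrd.cpio.xz. As an added example (not code from the Heads tree), the following POSIX shell functions unpack the build output the same way and then rank every file by its size after individual xz compression, and total that cost per directory. It assumes the build layout used above (build/<board>/initrd.cpio.xz wrapping heads.cpio, tools.cpio and modules.cpio) and xz/cpio on the host; `COMPRESS` is an assumed knob for the compressor command.

```shell
#!/bin/sh
# Rank the unpacked Heads initramfs by what each file costs once compressed.
# Added example, not part of the Heads tree. Assumes the layout used in the
# post: build/<board>/initrd.cpio.xz wrapping heads.cpio, tools.cpio and
# modules.cpio, with xz and cpio available on the host.
set -eu

# Heads packs initrd.cpio with xz, so estimate with xz by default; COMPRESS is
# an assumed knob (e.g. COMPRESS="gzip -c" on a host without xz).
COMPRESS=${COMPRESS:-"xz -9 -c"}

# unpack_initrd DIR: decompress initrd.cpio.xz in DIR and extract the nested
# archives in place, the same steps the post runs by hand.
unpack_initrd() {
    (
        cd "$1"
        if [ ! -f initrd.cpio ]; then
            xz --decompress --keep initrd.cpio.xz
        fi
        for archive in initrd.cpio heads.cpio tools.cpio modules.cpio; do
            if [ -f "$archive" ]; then
                cpio --extract --quiet < "$archive"
            fi
        done
    )
}

# rank_compressed DIR [COMPRESSOR]: print "packed raw path" for every regular
# file under DIR, largest packed size first. Compressing files one at a time
# slightly overestimates the real stream (no shared dictionary), but the
# ranking is what matters: a 100 KB shell script that packs to 20 KB is less
# of a problem than a 500 KB stripped binary that packs to 250 KB.
rank_compressed() {
    dir=${1%/}
    compressor=${2:-$COMPRESS}
    find "$dir" -type f | while IFS= read -r file; do
        raw=$(wc -c < "$file" | tr -d ' ')
        packed=$($compressor < "$file" | wc -c | tr -d ' ')
        printf '%s %s %s\n' "$packed" "$raw" "$file"
    done | sort -rn
}

# packed_total DIR [COMPRESSOR]: sum of the packed column for the whole tree.
packed_total() {
    rank_compressed "$1" "${2:-$COMPRESS}" | awk '{ sum += $1 } END { print sum + 0 }'
}

# cost_by_dir DIR [COMPRESSOR]: packed bytes per first-level directory under
# DIR (bin, lib, etc, sbin; lib/modules is counted under lib), largest first.
cost_by_dir() {
    root=${1%/}
    rank_compressed "$root" "${2:-$COMPRESS}" | awk -v root="$root" '
        {
            path = $0
            sub(/^[0-9]+ [0-9]+ /, "", path)       # drop packed and raw columns
            path = substr(path, length(root) + 2)   # strip "<root>/"
            n = split(path, parts, "/")
            key = (n > 1) ? parts[1] : "."
            sum[key] += $1
        }
        END { for (k in sum) printf "%s %s\n", sum[k], k }' | sort -rn
}

# Usage: sh heads-size-report.sh build/x230
if [ $# -ge 1 ]; then
    unpack_initrd "$1"
    echo "== top 20 files by packed size (packed raw path) =="
    rank_compressed "$1" | head -n 20
    echo "== packed bytes per directory =="
    cost_by_dir "$1"
fi
```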
@tlaurion is reducing the kernel size not an option, or simply too much effort?
@MrChromebox : my reluctance in attacking Kernel size reduction comes with the conclusions of #453 where some 300k were obtained. Of course, those recommendations should be investigated.
Will reread myself. I have tagged you in #517 to resume there if you can reduce the FBWhiptail general footprint, which is the next in line (when combined) after the kernel, while lvm and gpg would also need to be addressed.
I'll revisit gpg2 myself, in the goal of fixing #668 for #710
@MrChromebox #668 and #710 being resolved, I've been looking at multiple sources on kernel debloating to do some state of the art.
It seems that the most interesting articles are...
Runtime collection based optimizations:
- [ ] https://hckuo.github.io/pdfs/cozart.pdf
LTO:
- [ ] https://lwn.net/Articles/744507/
- [ ] https://wiki.debian.org/LTO
- [ ] https://github.com/andikleen/linux-misc/tree/lto-420-2
Reading.
Playing around with information found under this "Shrinking the kernel with an AXE" blog post to reduce kernel size prior to going the LTO way.
```sh
git diff osresearch/master > patch
cat patch
```
diff --git a/config/linux-x230.config b/config/linux-x230.config
index dd5af0c..6cb7ea8 100644
--- a/config/linux-x230.config
+++ b/config/linux-x230.config
@@ -14,6 +14,7 @@ CONFIG_INITRAMFS_SOURCE="../../../blobs/dev.cpio"
# CONFIG_RD_LZO is not set
# CONFIG_RD_LZ4 is not set
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+# CONFIG_MULTIUSER is not set
# CONFIG_SGETMASK_SYSCALL is not set
# CONFIG_SYSFS_SYSCALL is not set
# CONFIG_BASE_FULL is not set
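Review bot: `# CONFIG_MULTIUSER is not set` removes uid/gid and capability handling entirely, which is acceptable only because everything in the Heads initramfs runs as root; record that assumption in the commit message so it survives later userland changes.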
@@ -25,18 +26,18 @@ CONFIG_CC_OPTIMIZE_FOR_SIZE=y
# CONFIG_MEMBARRIER is not set
CONFIG_EMBEDDED=y
# CONFIG_VM_EVENT_COUNTERS is not set
-# CONFIG_SLUB_DEBUG is not set
# CONFIG_COMPAT_BRK is not set
+CONFIG_SLOB=y
CONFIG_JUMP_LABEL=y
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_MODULES=y
+CONFIG_TRIM_UNUSED_KSYMS=y
# CONFIG_IOSCHED_DEADLINE is not set
# CONFIG_IOSCHED_CFQ is not set
CONFIG_SMP=y
# CONFIG_X86_EXTENDED_PLATFORM is not set
CONFIG_PROCESSOR_SELECT=y
# CONFIG_CPU_SUP_CENTAUR is not set
-CONFIG_PREEMPT_VOLUNTARY=y
CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y
# CONFIG_X86_MCE_AMD is not set
# CONFIG_PERF_EVENTS_INTEL_RAPL is not set
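Review bot: `CONFIG_TRIM_UNUSED_KSYMS=y` strips every exported symbol that no module built with this config references, so a module compiled against this kernel outside the board's module list will fail to load with unresolved symbols; say so in the commit message, since Heads ships its modules in a separate modules.cpio and they must come from the same build. Switching to `CONFIG_SLOB=y` also removes the freelist randomisation and hardening options, which exist only for SLAB/SLUB, and dropping `CONFIG_PREEMPT_VOLUNTARY=y` lets the preemption model fall back to the Kconfig default; both are defensible for a boot-time initramfs but should be listed as deliberate.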
@@ -56,7 +57,6 @@ CONFIG_KEXEC_FILE=y
CONFIG_PHYSICAL_ALIGN=0x1000000
# CONFIG_MODIFY_LDT_SYSCALL is not set
# CONFIG_SUSPEND is not set
-CONFIG_ACPI_VIDEO=y
CONFIG_PCI_MSI=y
# CONFIG_HT_IRQ is not set
CONFIG_PCI_IOV=y
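Review bot: `CONFIG_ACPI_VIDEO=y` is what registers the ACPI backlight interface on this laptop; together with the backlight class being removed further down, verify on an X230 that the panel comes up at a usable brightness in the Heads menu before merging.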
@@ -184,9 +184,7 @@ CONFIG_MFD_SYSCON=y
CONFIG_DRM=y
CONFIG_DRM_I915=y
CONFIG_FB_VESA=y
-CONFIG_BACKLIGHT_LCD_SUPPORT=y
# CONFIG_LCD_CLASS_DEVICE is not set
-CONFIG_BACKLIGHT_CLASS_DEVICE=y
# CONFIG_BACKLIGHT_GENERIC is not set
CONFIG_FRAMEBUFFER_CONSOLE=y
CONFIG_USB=y
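Review bot: `CONFIG_DRM_I915=y` selects `BACKLIGHT_CLASS_DEVICE` and `BACKLIGHT_LCD_SUPPORT` whenever ACPI is enabled, so deleting these two lines from the fragment may simply get them re-selected when the config is expanded and save nothing; compare the generated .config against this fragment to confirm they really went away.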
@@ -207,9 +205,7 @@ CONFIG_GENERIC_PHY=y
# CONFIG_DMIID is not set
CONFIG_GOOGLE_FIRMWARE=y
CONFIG_GOOGLE_MEMCONSOLE_X86_LEGACY=y
-# CONFIG_EXT2_FS is not set
CONFIG_EXT4_FS=y
-CONFIG_EXT4_USE_FOR_EXT2=y
# CONFIG_DNOTIFY is not set
# CONFIG_INOTIFY_USER is not set
CONFIG_ISO9660_FS=y
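Review bot: removing `CONFIG_EXT4_USE_FOR_EXT2=y` while `CONFIG_EXT2_FS` stays unset means an ext2-formatted /boot can no longer be mounted, and Heads has to mount /boot to verify its contents before kexec; confirm that none of the supported distro layouts still use ext2 for /boot, or keep the line.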
@@ -218,7 +214,6 @@ CONFIG_MSDOS_FS=y
CONFIG_VFAT_FS=y
# CONFIG_PROC_SYSCTL is not set
# CONFIG_PROC_PAGE_MONITOR is not set
-CONFIG_TMPFS=y
# CONFIG_MISC_FILESYSTEMS is not set
CONFIG_NLS_DEFAULT="utf8"
CONFIG_NLS_CODEPAGE_437=y
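Review bot: with `CONFIG_TMPFS=y` gone, any `mount -t tmpfs` in init, /etc/fstab or the scripts will fail; the initramfs root stays writable as ramfs, so this is safe only if nothing in the Heads scripts mounts tmpfs explicitly. A grep of the initrd contents for tmpfs before merging would settle it.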
@@ -238,13 +233,11 @@ CONFIG_STACKTRACE=y
# CONFIG_DEBUG_BUGVERBOSE is not set
# CONFIG_RCU_TRACE is not set
# CONFIG_FTRACE is not set
-# CONFIG_STRICT_DEVMEM is not set
# CONFIG_X86_VERBOSE_BOOTUP is not set
# CONFIG_DOUBLEFAULT is not set
CONFIG_IO_DELAY_0XED=y
CONFIG_OPTIMIZE_INLINING=y
# CONFIG_X86_DEBUG_FPU is not set
-CONFIG_HARDENED_USERCOPY=y
CONFIG_CRYPTO_RSA=m
CONFIG_CRYPTO_USER=y
CONFIG_CRYPTO_MCRYPTD=m
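Review bot: this is the one hunk with a security cost, and it needs its own justification. `CONFIG_HARDENED_USERCOPY=y` is a kernel self-protection feature (bounds checks on copy_to/from_user against the slab object) and the bytes it saves are small; measure that gain separately and keep it unless the number justifies it. Deleting `# CONFIG_STRICT_DEVMEM is not set` lets the option fall back to its x86 default of y, which restricts /dev/mem to non-RAM ranges; Heads tools that read physical memory through /dev/mem (cbmem, flashrom's internal programmer, peek/poke) must be tested on the resulting kernel rather than assumed to keep working.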
Raw results
Before:
28192 2956 -rw-r--r-- 1 user user 3023312 May 3 12:25 ./bzImage
Now:
31097 2876 -rw-r--r-- 1 user user 2941392 May 26 10:46 ./bzImage
Gain: 81.92Kb without LTO following this blog post.
Edit: Meanwhile, trying to upgrade the kernel breaks x230-flash board support because not enough space is available under CBFS on the 4MB flash chip alone.
LTO attempt is continuing under #730. Maybe extend the use to other tools being built, let's see...
Any help welcome!
@MrChromebox @Matthew-Bradley @merge @SebastianMcMillan ?
The goal of the 3 different commits linked to this issue is to show different use cases linked to previous discussions over Slack that happened in the past days.
We take #703 pipeline as a reference where the x230-hotp-maximized build output will serve as a reference for compressed saved space between feature deactivation.
This board has the following board config initially, from which we will deactivate features to compare gained space.
Initially, this board is fully loaded with
- FBWHIPTAIL(CAIRO) and dependencies
- E1000E driver
- HOTP (For HOTP remote attestation over Nitrokey/Librem Key USB Security dongles).
- NKSTORECLI
- GPG2
Here is an excerpt of used space:
"/root/project/build/coreboot-4.8.1/x230-hotp-maximized/cbfstool" "/root/project/build/coreboot-4.8.1/x230-hotp-maximized/coreboot.rom" print
Name Offset Type Size Comp
cbfs master header 0x0 cbfs header 32 none
fallback/romstage 0x80 stage 84708 none
cpu_microcode_blob.bin 0x14c00 microcode 25600 none
fallback/ramstage 0x1b080 stage 81122 none
config 0x2edc0 raw 768 none
revision 0x2f100 raw 581 none
cmos_layout.bin 0x2f380 cmos_layout 1804 none
fallback/dsdt.aml 0x2fb00 raw 13646 none
fallback/payload 0x330c0 simple elf 7191492 none
(empty) 0x70ecc0 null 4524824 none
bootblock 0xb5f800 bootblock 1968 none
- Where the total size of the Heads Linux payload itself is: `fallback/payload 0x330c0 simple elf 7191492 none`
- Where the free room in the CBFS region defined for the coreboot ROM in the coreboot config for that board is: `(empty) 0x70ecc0 null 4524824 none`
Now let's compare.
x230-hotp-maximized: testing compressed gain from removing E1000E and DROPBEAR (user-side network tools, for https://github.com/osresearch/heads/issues/590), where the build output is:
Name Offset Type Size Comp
cbfs master header 0x0 cbfs header 32 none
fallback/romstage 0x80 stage 84708 none
cpu_microcode_blob.bin 0x14c00 microcode 25600 none
fallback/ramstage 0x1b080 stage 81123 none
config 0x2edc0 raw 768 none
revision 0x2f100 raw 581 none
cmos_layout.bin 0x2f380 cmos_layout 1804 none
fallback/dsdt.aml 0x2fb00 raw 13646 none
fallback/payload 0x330c0 simple elf 7028676 none
(empty) 0x6e70c0 null 4687640 none
bootblock 0xb5f800 bootblock 1968 none
x230-hotp-maximized: reverting network tools deactivation. Testing compressed gain from removing FBwhiptail support (deactivating CAIRO and FBWHIPTAIL) and switching to SLANG and NEWT for console-only output without fanciness (for https://github.com/osresearch/heads/issues/590), where the build output is:
Name Offset Type Size Comp
cbfs master header 0x0 cbfs header 32 none
fallback/romstage 0x80 stage 84708 none
cpu_microcode_blob.bin 0x14c00 microcode 25600 none
fallback/ramstage 0x1b080 stage 81122 none
config 0x2edc0 raw 768 none
revision 0x2f100 raw 581 none
cmos_layout.bin 0x2f380 cmos_layout 1804 none
fallback/dsdt.aml 0x2fb00 raw 13646 none
fallback/payload 0x330c0 simple elf 6910916 none
(empty) 0x6ca4c0 null 4805400 none
bootblock 0xb5f800 bootblock 1968 none
x230-hotp-maximized: testing compressed gain from removing Whiptail altogether and switching back to generic-init (for https://github.com/osresearch/heads/issues/590), where the build output is:
cbfs master header 0x0 cbfs header 32 none
fallback/romstage 0x80 stage 84708 none
cpu_microcode_blob.bin 0x14c00 microcode 25600 none
fallback/ramstage 0x1b080 stage 81110 none
config 0x2edc0 raw 768 none
revision 0x2f100 raw 581 none
cmos_layout.bin 0x2f380 cmos_layout 1804 none
fallback/dsdt.aml 0x2fb00 raw 13646 none
fallback/payload 0x330c0 simple elf 6588868 none
(empty) 0x67bac0 null 5127448 none
bootblock 0xb5f800 bootblock 1968 none
For comparison (available in CI), the current x230-hotp-verification board, with E1000E and DROPBEAR already deactivated in tree, build log:
cbfs master header 0x0 cbfs header 32 none
fallback/romstage 0x80 stage 84708 none
cpu_microcode_blob.bin 0x14c00 microcode 25600 none
fallback/ramstage 0x1b080 stage 81111 none
config 0x2edc0 raw 570 none
revision 0x2f040 raw 581 none
cmos_layout.bin 0x2f2c0 cmos_layout 1804 none
fallback/dsdt.aml 0x2fa40 raw 13646 none
fallback/payload 0x33000 simple elf 6860228 none
(empty) 0x6bde00 null 137688 none
bootblock 0x6df800 bootblock 1968 none
As we can see from the previously referred commit's failing CI build log:
E: Could not add [../../build/x230/bzImage, 7015364 bytes (6850 KB)@0x0]; too big?
E: Failed to add '../../build/x230/bzImage' into ROM image.
E: Failed while operating on 'COREBOOT' region!
E: The image will be left unmodified.
make[1]: *** [Makefile.inc:920: x230/coreboot.pre] Error 1
make[1]: Leaving directory '/root/project/build/coreboot-4.8.1'
tail /root/project/build/log/coreboot.log
-----
CBFS revision
x230/util/cbfstool/cbfstool x230/coreboot.pre.tmp add -f ./x230/build.h -n revision -t raw -r COREBOOT
printf " CBFS cmos.default\n"
CBFS cmos.default
x230/util/cbfstool/cbfstool x230/coreboot.pre.tmp add -f x230/mainboard/lenovo/x230/cbfs-file.I1T2KJ.out -n cmos.default -t cmos_default -r COREBOOT
printf " CBFS cmos_layout.bin\n"
CBFS cmos_layout.bin
x230/util/cbfstool/cbfstool x230/coreboot.pre.tmp add -f x230/cmos_layout.bin -n cmos_layout.bin -t cmos_layout -r COREBOOT
printf " CBFS fallback/dsdt.aml\n"
CBFS fallback/dsdt.aml
x230/util/cbfstool/cbfstool x230/coreboot.pre.tmp add -f x230/dsdt.aml -n fallback/dsdt.aml -t raw -c none -r COREBOOT
printf " CBFS fallback/payload\n"
CBFS fallback/payload
x230/util/cbfstool/cbfstool x230/coreboot.pre.tmp add-payload -f ../../build/x230/bzImage -n fallback/payload -c none -r COREBOOT -C "intel_iommu=igfx_off quiet" -I "../../build/x230/initrd.cpio.xz"
E: Could not add [../../build/x230/bzImage, 7015364 bytes (6850 KB)@0x0]; too big?
E: Failed to add '../../build/x230/bzImage' into ROM image.
E: Failed while operating on 'COREBOOT' region!
E: The image will be left unmodified.
make[1]: *** [Makefile.inc:920: x230/coreboot.pre] Error 1
Where the x230 coreboot config specifies the maximal usable space without neutering ME as CONFIG_CBFS_SIZE=0x700000.
Let's note that the current x220 and x220/t420 configs set that limit to CONFIG_CBFS_SIZE=0x750000, which implies external ME neutering, where the x230 is not.
Should we change that?
@flammit @Thrilleratplay
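The cbfstool listings in this post are compared by eye. As an added example (not code from the Heads tree), the following POSIX shell functions parse `cbfstool <rom> print` output and compute the same figures: payload shrinkage between two builds, free room left in the region, and whether a build's content would fit in a smaller region such as the 0x700000 stock x230 limit quoted above. The two embedded listings are abridged copies of the x230-hotp-maximized baseline and of the E1000E/DROPBEAR-removed build shown in this post; the fit check is an estimate, since cbfstool also needs room for file headers and alignment.

```shell
#!/bin/sh
# Compare two `cbfstool <rom> print` listings, as pasted in the post, and
# report what a feature removal bought in CBFS space. Added example, not part
# of the Heads tree; the listings are abridged copies of the baseline and the
# E1000E+DROPBEAR-removed x230-hotp-maximized builds shown in the post.
set -eu

BASELINE='
fallback/romstage 0x80 stage 84708 none
fallback/payload 0x330c0 simple elf 7191492 none
(empty) 0x70ecc0 null 4524824 none
bootblock 0xb5f800 bootblock 1968 none
'
NO_NETWORK='
fallback/romstage 0x80 stage 84708 none
fallback/payload 0x330c0 simple elf 7028676 none
(empty) 0x6e70c0 null 4687640 none
bootblock 0xb5f800 bootblock 1968 none
'

# cbfs_field LISTING NAME COLUMN: "size" or "offset" of the entry called NAME.
# cbfstool columns are: name offset type size comp. The type can be two words
# ("simple elf"), so size is the second-to-last field and offset the second.
cbfs_field() {
    printf '%s\n' "$1" | awk -v name="$2" -v col="$3" '
        $1 == name { v = (col == "size") ? $(NF-1) : $2; print v; exit }'
}

# cbfs_saved BEFORE AFTER: bytes the payload shrank by between two listings.
cbfs_saved() {
    echo $(( $(cbfs_field "$1" fallback/payload size) - $(cbfs_field "$2" fallback/payload size) ))
}

# cbfs_free LISTING: bytes still unused in the region.
cbfs_free() {
    cbfs_field "$1" '(empty)' size
}

# cbfs_used LISTING: bytes the region needs, i.e. everything up to where
# "(empty)" starts plus the bootblock that sits at the end of the region.
cbfs_used() {
    echo $(( $(cbfs_field "$1" '(empty)' offset) + $(cbfs_field "$1" bootblock size) ))
}

# cbfs_fits LISTING CBFS_SIZE: 1 if this build's content would fit in a region
# of CBFS_SIZE bytes (e.g. 0x700000, the stock x230 limit quoted in the post),
# 0 otherwise. An estimate: cbfstool also needs room for file headers and
# 64-byte alignment, so a result within a few KB of the limit is not safe.
cbfs_fits() {
    if [ "$(cbfs_used "$1")" -le $(( $2 )) ]; then echo 1; else echo 0; fi
}

printf 'payload saved: %s bytes, free after: %s bytes, fits 0x700000: %s\n' \
    "$(cbfs_saved "$BASELINE" "$NO_NETWORK")" \
    "$(cbfs_free "$NO_NETWORK")" \
    "$(cbfs_fits "$NO_NETWORK" 0x700000)"
```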
@tlaurion so basically we'd be splitting the xx20/30 boards into two versions:
- stock IFD / BIOS region size - reduced capability, no networking, UI, etc
- 'max' versions which assume modified IFD, cleaned/shrunk ME, etc - full capability
@tlaurion If you are only asking if the current xx20 CONFIG_CBFS_SIZE should be set to stock for these boards, I am not sure. This is roughly 3Mb. Is this enough for even the most stripped down version of Heads? Maybe only have the xx20 maximum versions?
Also note, that these boards are not supported by 1vyrain and would have needed to have been flashed externally initially.
@tlaurion so basically we'd be splitting the xx20/30 boards into two versions:
1. stock IFD / BIOS region size - reduced capability, no networking, UI, etc
Well, the x230 board config is already reducing its functionalities to fit in stock BIOS region. So yes, no more DROPBEAR nor E1000E as of right now. That baseline was made to have x230-hotp-verification board, which could compile only from x230 version + HOTP.
I'm just letting eveyone know the challenges, and choices that are ahead of us in specializing boards with current force functionnalities since we rely on GPG for key generation, that GNU toolstack is huge and I wasn't able to reduce it further more. The same logic applied with FBWHIPTAIL and its WHIPTAIL equivalents for servers, as detailed in previous posts. I just thought that those extracted binaries in first posts were irrelevant for comparison, since what matters is their compressed sizes.
2. 'max' versions which assume modified IFD, cleaned/shrunk ME, etc - full capability
Correct.
@tlaurion If you are only asking if the current xx20 CONFIG_CBFS_SIZE should be set to stock for these boards, I am not sure. This is roughly 3Mb. Is this enough for even the most stripped-down version of Heads? Maybe only have the xx20 maximum versions?
Also note that these boards are not supported by 1vyrain and would have needed to have been flashed externally initially.
Right. Forgot about that, but the original ROM version was really small for x220 stock. We can imply that xx20 users are already well aware of those restrictions. Funny enough, the x230 base board is limited to 7mb where the x220 is limited to 7.5mb. Consequently, the base boards (xx20, xx30) already differ in base functionalities. Like I said on Slack to @flammit, who proposed to maintain minimal boards, I will focus on adding functionalities and will stray away from the base boards, which will probably soon enough require features to be removed even further, or adjusted to have users make decisions they cannot make, or all of those. We are drifting from having Heads accessible, which I'm strongly against.
As I raised the flag a while ago, it is really difficult to maintain multiple versions and different toolstacks. More people are welcome, but we need to face the reality that new OSes install with LUKS2, which requires the new version of cryptsetup that is part of #893, which will result soon enough in a cryptsetup2 module, which will require maximized versions. Or.... users, once again, technical and knowledgeable enough, to make aware choices of going into manual mode when partitioning their drives to force (forced kickstart at install or equivalent???) a LUKS1 encrypted partition, or choose an older kernel or coreboot version to keep their xx20 board... instead of moving to the -maximized ones. We are asking people (I'm in the consumer field) to make decisions they cannot make because they do not understand those low-level choices. I think it is silly; I already answer 20+ questions a day and have diagnosed, troubleshot, documented and explained many times (#897 #815 and others...) the joys of having the user play with different stock BIOS versions, not following instructions, bricking their devices, not following upgrade paths... I just want fwupd for everyone. And that requires CI builds for boards. And that requires blobs. And that requires space for developers to want to contribute... I'm tired of the same vicious circles and need a way out. -maximized boards are my way out. You can choose maintainership if you want and you would be more than welcome! :)
Note also that the stalled #709 will also require available space. So there will be a need to minimize the base boards, and a choice to continue supporting those from community members. Otherwise, as @flammit said, we will be able to bring back gpg1 still in modules and require users to generate their 4096-bit keys outside and import their public key inside of Heads, modify the scripts to validate which version of modules is used, etc.... Which means more maintainership, not less, which I do not personally agree with from lack of time already.
So this opens the debate on where to go from now for the base boards and who will take the lead into pursuing space reduction or feature reduction when CI builds will start to fail. My only option at that point will be to remove those boards from CI.
@tlaurion Something that needs to be defined is "what is included in the stock builds?". For the sake of argument, let's say Heads is stripped down to just a Linux payload. No encryption functionality, no e1000 module, no dropbear, no fbwhiptail, and maybe no flashrom. Basically, it drops to a shell and the user would run a kexec command to boot from the hard drive or USB or whatever. Would Heads fit within the 3Mb? If so, how close, because if I remember correctly, the Linux 5.x kernel is larger. With such a limited space, what is the possible longevity of this build if the most fundamental part of Heads will not fit?
Would the stock builds be the same for xx20 and xx30 boards given the significant difference in available space? I would suspect yes, so a breakdown of features added to each build would need to be added to the documentation.
The flip side to these questions is "what can be removed?". How basic can Heads become and still be considered Heads? While the idea of removing all of the security functionality may sound ludicrous to you, it was something I was thinking about building for myself. I miss the days when you flip a switch on a VIC20 and get a prompt almost instantly; security wouldn't be moved to the BIOS, it would not be user friendly, but turning on my computer and getting a prompt in 2 seconds sounds damn sexy to me. However, this would no longer be Heads at this point. So a line in the sand must be drawn saying that Heads must include certain functionality to be called Heads if the hardware supports it. Heads for an X200 does not need to include TPM functionality as the device doesn't support it.
To give concrete details to this discussion, all you would need to do is disable the UI bits and that gives you enough space for everything else (including cryptsetup2 and gpg2) to fit into a 6.4M payload, which fits for a standard x230 and an ME-shrunk x220 (seems like the only route for that hardware), and 600k of free space to play with on an x230. (Note: there are other combinations of configs that work as well if you consider gpg1).
If that's not a trade-off that is acceptable to you as the x230 hardware owner (no luck for x220 yet), there's a perfectly reasonable alternative by installing the "max" version.
Just based on my quick tests past last hour, I think if you clean up the kernel config to remove the networking bits (not relevant for laptop boot), you can also fit in the UI bits with at least 300k of space for user config. It's tight but it doesn't seem like there's really a problem.
Then again if there's a need for even more space for future features/modules, it can be accommodated in the "max" version.
Just based on my quick tests past last hour, I think if you clean up the kernel config to remove the networking bits (not relevant for laptop boot), you can also fit in the UI bits with at least 300k of space for user config. It's tight but it doesn't seem like there's really a problem.
Then again if there's a need for even more space for future features/modules, it can be accommodated in the "max" version.
@flammit: please revive https://github.com/osresearch/heads/issues/564, that was investigated with some effort in the past and for which the conclusions are in the original post:
remove networking ( #564 ), with corresponding PR attempt to remove networking with cleanup ( #572 ) while cryptsetup seemed to depend on CONFIG_NET and some explicit crypto modules in the past ( #79 ), while putting CONFIG_LINUX_E1000E=n in board config liberates 295688 bytes. @merge : Is that enough?
@tlaurion Something that needs to be defined is "what is included in the stock builds?". For the sake of argument, let's say Heads is stripped down to just a Linux payload. No encryption functionality, no e1000 module, no dropbear, no fbwhiptail, and maybe no flashrom. Basically, it drops to a shell and the user would run a kexec command to boot from the hard drive or USB or whatever. Would Heads fit within the 3Mb? If so, how close, because if I remember correctly, the Linux 5.x kernel is larger. With such a limited space, what is the possible longevity of this build if the most fundamental part of Heads will not fit?
Would the stock builds be the same for xx20 and xx30 boards given the significant difference in available space? I would suspect yes, so a breakdown of features added to each build would need to be added to the documentation.
The flip side to these questions is "what can be removed?". How basic can Heads become and still be considered Heads? While the idea of removing all of the security functionality may sound ludicrous to you, it was something I was thinking about building for myself. I miss the days when you flip a switch on a VIC20 and get a prompt almost instantly; security wouldn't be moved to the BIOS, it would not be user friendly, but turning on my computer and getting a prompt in 2 seconds sounds damn sexy to me. However, this would no longer be Heads at this point. So a line in the sand must be drawn saying that Heads must include certain functionality to be called Heads if the hardware supports it. Heads for an X200 does not need to include TPM functionality as the device doesn't support it.
I invite you @flammit @Thrilleratplay both to jump into #818. (sooner than later this time :) )
I think the simplest from now on, to check for x220 space limitations, is to follow xx30 boards already in CI, which informs us quite quickly of the compressed CBFS space still available.
For example, busybox 1.32 inclusion PR ( #900 ) CI's x230 board build informs us that:
"/root/project/build/coreboot-4.8.1/x230/cbfstool" "/root/project/build/coreboot-4.8.1/x230/coreboot.rom" print
Name Offset Type Size Comp
cbfs master header 0x0 cbfs header 32 none
fallback/romstage 0x80 stage 85188 none
cpu_microcode_blob.bin 0x14dc0 microcode 25600 none
fallback/ramstage 0x1b240 stage 81881 none
config 0x2f280 raw 589 none
revision 0x2f540 raw 581 none
cmos.default 0x2f7c0 cmos_default 256 none
cmos_layout.bin 0x2f900 cmos_layout 1804 none
fallback/dsdt.aml 0x30080 raw 13646 none
fallback/payload 0x33640 simple elf 6863812 none
(empty) 0x6bf240 null 131480 none
bootblock 0x6df400 bootblock 3000 none
From this point of time, the Heads payload consumes 6863812 and leaves us 131480 to play with, after which the CBFS region of 7mb will be filled. This is interesting to follow and could be used as a deprecation warning and a sign that changes are needed, since the xx20 has 7.5mb to play with and will tolerate more changes before failing (and is not under CI for regression validation and ROM production at each merged commit).
Where last master commit CircleCI build of x230 board:
touch /root/project/build/coreboot-4.8.1/x230/.build
"/root/project/build/coreboot-4.8.1/x230/cbfstool" "/root/project/build/coreboot-4.8.1/x230/coreboot.rom" print
Name Offset Type Size Comp
cbfs master header 0x0 cbfs header 32 none
fallback/romstage 0x80 stage 85188 none
cpu_microcode_blob.bin 0x14dc0 microcode 25600 none
fallback/ramstage 0x1b240 stage 81876 none
config 0x2f280 raw 589 none
revision 0x2f540 raw 581 none
cmos.default 0x2f7c0 cmos_default 256 none
cmos_layout.bin 0x2f900 cmos_layout 1804 none
fallback/dsdt.aml 0x30080 raw 13646 none
fallback/payload 0x33640 simple elf 6851524 none
(empty) 0x6bc240 null 143768 none
bootblock 0x6df400 bootblock 3000 none
2020-12-03 22:12:25+00:00 INSTALL build/coreboot-4.8.1/x230/coreboot.rom => build/x230/heads-x230-v0.2.0-972-g671522e.rom
So a change from 6851524 -> 6863812 in consumed compressed space, with the coherent reduction of free space being 143768 -> 131480 usable.
TL;DR: when the x230 board starts to fail to build in CI, that will be the sign that more modules need to be removed or specialized, or that users need to consider moving away from basic boards to their maximized counterparts.
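The "deprecation warning" idea above can be automated by parsing the cbfstool listings of two builds and flagging when the trailing (empty) region drops below a threshold. This is an added example, not code from the Heads project or this thread; the listings are trimmed copies of the two x230 outputs quoted above, and the 256 KiB threshold is an assumed value.

```python
"""Added example (not Heads project code): compare two `cbfstool ... print`
listings and report payload growth and remaining CBFS space."""
import re
from typing import Dict, Tuple

# Constructed sample input: the two x230 listings from the thread, trimmed
# to the entries that matter (payload, trailing empty region, bootblock).
BEFORE = """\
Name Offset Type Size Comp
fallback/payload 0x33640 simple elf 6851524 none
(empty) 0x6bc240 null 143768 none
bootblock 0x6df400 bootblock 3000 none
"""
AFTER = """\
Name Offset Type Size Comp
fallback/payload 0x33640 simple elf 6863812 none
(empty) 0x6bf240 null 131480 none
bootblock 0x6df400 bootblock 3000 none
"""

# cbfstool columns: name, offset, type (may contain spaces, e.g. "simple elf"),
# size, compression. Anchoring on the hex offset keeps the multi-word type
# from confusing a plain split. Entries whose *name* contains spaces
# ("cbfs master header") are deliberately skipped; they are not needed here.
LINE_RE = re.compile(r"^(\S+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s+(\S.*)$")

def parse_cbfs(listing: str) -> Dict[str, int]:
    """Map each CBFS entry name to its on-flash size in bytes."""
    sizes: Dict[str, int] = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sizes[m.group(1)] = int(m.group(4))
    return sizes

def space_report(before: str, after: str,
                 warn_below: int = 256 * 1024) -> Tuple[int, int, bool]:
    """Return (payload delta in bytes, free bytes after, warning flag)."""
    b, a = parse_cbfs(before), parse_cbfs(after)
    delta = a["fallback/payload"] - b["fallback/payload"]
    free = a.get("(empty)", 0)  # no (empty) entry means the region is full
    return delta, free, free < warn_below

if __name__ == "__main__":
    delta, free, warn = space_report(BEFORE, AFTER)
    print(f"payload grew by {delta} bytes, {free} bytes of CBFS still free")
    if warn:
        print("WARNING: free CBFS space below threshold, trim modules soon")
```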
Apologies if this is patently obvious, but isn't the most obvious thing to do to set the -Os flag in gcc? Currently the Makefiles all use the -O2 flag. Using GPG2 as my test, I manually patched all the generated Makefiles using
find . | grep "Makefile" | grep -v "Makefile." | xargs sed -i 's/O2/Os/g'
and running make, which yielded about a 15% space reduction in the gpg2 binary and about 5% in scdaemon and 5% in gpg-agent. Is there some limitation (breaking reproducibility? just really hard to patch the makefiles?) preventing this?
find . | grep "Makefile" | grep -v "Makefile." | xargs sed -i 's/O2/Os/g'
@aesrentai excellent insight! Yes, this would require the creation of patches under patches/* to patch all related Makefiles after decompression of the archives and prior to compilation.
On reproducibility, as far as I know, since musl-cross-make is used to create the final binaries, it should be a magic gain without impact. Note that kernel modules are stripped prior to being injected into modules.cpio and prior to compression of that cpio into modules.cpio.xz
Do you have a PoC of this?
Quick test I'm doing locally right now:
make BOARD=t430-hotp-verification modules.clean
find . | grep "Makefile" | grep -v "Makefile." | xargs sed -i 's/O2/Os/g'
make BOARD=t430-hotp-verification
Before:
FMAP REGION: COREBOOT
Name Offset Type Size Comp
cbfs master header 0x0 cbfs header 32 none
fallback/romstage 0x80 stage 87948 none
fallback/ramstage 0x15880 stage 99973 none
config 0x2df40 raw 684 none
revision 0x2e240 raw 690 none
fallback/dsdt.aml 0x2e540 raw 14609 none
cmos.default 0x31ec0 cmos_default 256 none
vbt.bin 0x32000 raw 1409 LZMA (4459 decompressed)
cmos_layout.bin 0x325c0 cmos_layout 1980 none
fallback/postcar 0x32dc0 stage 27288 none
fallback/payload 0x398c0 simple elf 6854599 none
(empty) 0x6c30c0 null 117976 none
bootblock 0x6dfdc0 bootblock 65536 none
After:
FMAP REGION: COREBOOT
Name Offset Type Size Comp
cbfs master header 0x0 cbfs header 32 none
fallback/romstage 0x80 stage 87948 none
fallback/ramstage 0x15880 stage 99973 none
config 0x2df40 raw 684 none
revision 0x2e240 raw 690 none
fallback/dsdt.aml 0x2e540 raw 14609 none
cmos.default 0x31ec0 cmos_default 256 none
vbt.bin 0x32000 raw 1409 LZMA (4459 decompressed)
cmos_layout.bin 0x325c0 cmos_layout 1980 none
fallback/postcar 0x32dc0 stage 27288 none
fallback/payload 0x398c0 simple elf 6839751 none
(empty) 0x6bf6c0 null 132824 none
bootblock 0x6dfdc0 bootblock 65536 none
With:
user@heads-tests:~/heads/build/x230-hotp-maximized$ git diff
diff --git a/modules/cairo b/modules/cairo
index 647ed2ca..217137c0 100644
--- a/modules/cairo
+++ b/modules/cairo
@@ -8,7 +8,7 @@ cairo_hash := 8c90f00c500b2299c0a323dd9beead2a00353752b2092ead558139bd67f7bf16
cairo_configure := \
$(CROSS_TOOLS) \
- CFLAGS="-DCAIRO_NO_MUTEX=1 -O3" \
+ CFLAGS="-DCAIRO_NO_MUTEX=1 -O2" \
./configure \
--host i386-elf-linux \
--prefix="/" \
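Review bot: the hunk changes cairo's CFLAGS from -O3 to -O2, not to the -Os that this experiment is about, and the Before/After listings right below show libcairo.so.2 at the same 757232 bytes, so the change is not measuring anything. Note also why the sed one-liner ('s/O2/Os/g') could not have touched cairo: modules/cairo injects -O3 into the generated Makefiles, which the O2 substitution never matches. To test the size effect on cairo, change this line to `CFLAGS="-DCAIRO_NO_MUTEX=1 -Os"` and rebuild before comparing.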
Before:
3434539 740 -rwx------ 1 user user 757232 Feb 21 16:48 ./lib/libcairo.so.2
After:
284396 740 -rwx------ 1 user user 757232 Feb 21 17:08 ./lib/libcairo.so.2