summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMathew King <mathewk@chromium.org>2019-08-09 10:55:37 -0600
committerPatrick Georgi <pgeorgi@google.com>2019-10-03 15:28:58 +0000
commitd8b150f0d578a5182ce11698906776c0d1d448e9 (patch)
tree1a444eced43425db51e5b2d7fab4ef87115188b5
parentc7ddc999fc076bf6871e3b5e641c07f17b0b1746 (diff)
downloadcoreboot-d8b150f0d578a5182ce11698906776c0d1d448e9.tar.xz
southbridge/intel: Add config option to validate firmware descriptor
Add new config option to validate the Intel firmware descriptor against the fmap layout. This will prevent a firmware descriptor from being used that could corrupt regions of the bootimage in certian circumstances. BUG=chromium:992215 TEST=Build firmware image with mismached decriptor and fmp Without VALIDATE_INTEL_DESCRIPTOR set firmware builds With VALIDATE_INTEL_DESCRIPTOR set error is shown with mismached regions Change-Id: I9e8bb20485e96026cd594cf4e9d6b11b2bf20e1f Signed-off-by: Mathew King <mathewk@chromium.org> Reviewed-on: https://review.coreboot.org/c/coreboot/+/34816 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
-rw-r--r--src/southbridge/intel/common/Kconfig9
-rw-r--r--src/southbridge/intel/common/firmware/Makefile.inc5
2 files changed, 14 insertions, 0 deletions
diff --git a/src/southbridge/intel/common/Kconfig b/src/southbridge/intel/common/Kconfig
index dfd89755ec..31039b68b4 100644
--- a/src/southbridge/intel/common/Kconfig
+++ b/src/southbridge/intel/common/Kconfig
@@ -55,6 +55,15 @@ config INTEL_DESCRIPTOR_MODE_REQUIRED
This config states descriptor mode is *required* for the platform to
function properly, or to function at all.
+config VALIDATE_INTEL_DESCRIPTOR
+ depends on INTEL_DESCRIPTOR_MODE_CAPABLE
+ bool "Validate Intel firmware descriptor"
+ default n
+ help
+ This config enables validating the Intel firmware descriptor against the
+ fmap layout. If the firmware descriptor layout does not match the fmap
+ then the bootimage cannot be built.
+
config INTEL_CHIPSET_LOCKDOWN
depends on HAVE_INTEL_CHIPSET_LOCKDOWN && HAVE_SMI_HANDLER && !CHROMEOS
#ChromeOS's payload seems to handle finalization on its on.
diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc
index e7060361bd..5f3212f487 100644
--- a/src/southbridge/intel/common/firmware/Makefile.inc
+++ b/src/southbridge/intel/common/firmware/Makefile.inc
@@ -45,6 +45,11 @@ add_intel_firmware: $(obj)/coreboot.pre $(IFDTOOL)
printf " DD Adding Intel Firmware Descriptor\n"
dd if=$(IFD_BIN_PATH) \
of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1
+ifeq ($(CONFIG_VALIDATE_INTEL_DESCRIPTOR),y)
+ $(objutil)/ifdtool/ifdtool \
+ $(IFDTOOL_USE_CHIPSET) \
+ -t $(obj)/coreboot.pre
+endif
ifeq ($(CONFIG_HAVE_ME_BIN),y)
printf " IFDTOOL me.bin -> coreboot.pre\n"
$(objutil)/ifdtool/ifdtool \