Don't run any Option ROMs stored outside of the system flash

Right now coreboot only executes VGA Option ROMs. However, this is not
good enough. For security reasons we want to execute only Option ROMs
stored in our r/o CBFS.

This patch adds a new option to disable execution of arbitrary Option
ROMs.

Also fix the capitalization of Option ROM in src/devices/Kconfig

Change-Id: I485291c06ec5cd1f875357401831fe32ccfc5f2f
Signed-off-by: Stefan Reinauer <reinauer@google.com>
Reviewed-on: http://review.coreboot.org/730
Tested-by: build bot (Jenkins)
Reviewed-by: Ronald G. Minnich <rminnich@gmail.com>
Reviewed-by: Mathias Krause <minipli@googlemail.com>

1 files changed, 7 insertions, 1 deletions

diff --git a/src/devices/pci_rom.c b/src/devices/pci_rom.c
index 471c7e2a7a..800776e8df 100644
--- a/src/devices/pci_rom.c
+++ b/src/devices/pci_rom.c
@@ -71,9 +71,15 @@ struct rom_header *pci_rom_probe(struct device *dev)
 					   rom_address|PCI_ROM_ADDRESS_ENABLE);
 		}
 
-		printk(BIOS_DEBUG, "On card, ROM address for %s = %lx\n",
+#if CONFIG_ON_DEVICE_ROM_RUN
+		printk(BIOS_DEBUG, "Option ROM address for %s = %lx\n",
 		       dev_path(dev), (unsigned long)rom_address);
 		rom_header = (struct rom_header *)rom_address;
+#else
+		printk(BIOS_DEBUG, "Option ROM execution disabled "
+			"for %s\n", dev_path(dev));
+		return NULL;
+#endif
 	}
 
 	printk(BIOS_SPEW, "PCI expansion ROM, signature 0x%04x, "