diff options
author | Mathew King <mathewk@chromium.org> | 2019-08-09 10:55:37 -0600 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2019-10-03 15:28:58 +0000 |
commit | d8b150f0d578a5182ce11698906776c0d1d448e9 (patch) | |
tree | 1a444eced43425db51e5b2d7fab4ef87115188b5 /src/southbridge/intel/common/Kconfig | |
parent | c7ddc999fc076bf6871e3b5e641c07f17b0b1746 (diff) | |
download | coreboot-d8b150f0d578a5182ce11698906776c0d1d448e9.tar.xz |
southbridge/intel: Add config option to validate firmware descriptor
Add new config option to validate the Intel firmware descriptor against
the fmap layout. This will prevent a firmware descriptor from being used
that could corrupt regions of the bootimage in certian circumstances.
BUG=chromium:992215
TEST=Build firmware image with mismached decriptor and fmp
Without VALIDATE_INTEL_DESCRIPTOR set firmware builds
With VALIDATE_INTEL_DESCRIPTOR set error is shown with mismached
regions
Change-Id: I9e8bb20485e96026cd594cf4e9d6b11b2bf20e1f
Signed-off-by: Mathew King <mathewk@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34816
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
Diffstat (limited to 'src/southbridge/intel/common/Kconfig')
-rw-r--r-- | src/southbridge/intel/common/Kconfig | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/southbridge/intel/common/Kconfig b/src/southbridge/intel/common/Kconfig index dfd89755ec..31039b68b4 100644 --- a/src/southbridge/intel/common/Kconfig +++ b/src/southbridge/intel/common/Kconfig @@ -55,6 +55,15 @@ config INTEL_DESCRIPTOR_MODE_REQUIRED This config states descriptor mode is *required* for the platform to function properly, or to function at all. +config VALIDATE_INTEL_DESCRIPTOR + depends on INTEL_DESCRIPTOR_MODE_CAPABLE + bool "Validate Intel firmware descriptor" + default n + help + This config enables validating the Intel firmware descriptor against the + fmap layout. If the firmware descriptor layout does not match the fmap + then the bootimage cannot be built. + config INTEL_CHIPSET_LOCKDOWN depends on HAVE_INTEL_CHIPSET_LOCKDOWN && HAVE_SMI_HANDLER && !CHROMEOS #ChromeOS's payload seems to handle finalization on its on. |