From afaa25776ff2f42293e6ef48fdaddfa8104bbe50 Mon Sep 17 00:00:00 2001
From: Stefan Reinauer
Date: Thu, 6 Oct 2011 16:47:51 -0700
Subject: Don't run any Option ROMs stored outside of the system flash
Right now coreboot only executes VGA Option ROMs. However, this is not good enough. For security reasons we want to execute only Option ROMs stored in our r/o CBFS. This patch adds a new option to disable execution of arbitrary Option ROMs. Also fix the capitalization of Option ROM in src/devices/Kconfig
Change-Id: I485291c06ec5cd1f875357401831fe32ccfc5f2f
Signed-off-by: Stefan Reinauer
Reviewed-on: http://review.coreboot.org/730
Tested-by: build bot (Jenkins)
Reviewed-by: Ronald G. Minnich
Reviewed-by: Mathias Krause
---
 src/devices/pci_rom.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'src/devices/pci_rom.c')
diff --git a/src/devices/pci_rom.c b/src/devices/pci_rom.c
index 471c7e2a7a..800776e8df 100644
--- a/src/devices/pci_rom.c
+++ b/src/devices/pci_rom.c
@@ -71,9 +71,15 @@ struct rom_header *pci_rom_probe(struct device *dev)
 rom_address|PCI_ROM_ADDRESS_ENABLE);
 }
- printk(BIOS_DEBUG, "On card, ROM address for %s = %lx\n",
+#if CONFIG_ON_DEVICE_ROM_RUN
+ printk(BIOS_DEBUG, "Option ROM address for %s = %lx\n",
 dev_path(dev), (unsigned long)rom_address);
 rom_header = (struct rom_header *)rom_address;
+#else
+ printk(BIOS_DEBUG, "Option ROM execution disabled "
+ "for %s\n", dev_path(dev));
+ return NULL;
+#endif
 }
 printk(BIOS_SPEW, "PCI expansion ROM, signature 0x%04x, "
--
cgit v1.2.3
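Review bot: The `#else` branch returns NULL only after the context line just above the guard, which ends in `rom_address|PCI_ROM_ADDRESS_ENABLE);` and appears to be the tail of a config-space write that turns on the device's expansion ROM decode. With `CONFIG_ON_DEVICE_ROM_RUN` off, the on-card ROM would therefore stay mapped for anything that runs after coreboot, even though coreboot itself no longer executes it. If the aim is that only ROMs from the r/o CBFS are ever reachable, either move the `#if` above the code that reads and enables the ROM BAR, or undo the enable before the return, for example `pci_write_config32(dev, PCI_ROM_ADDRESS, rom_address & ~PCI_ROM_ADDRESS_ENABLE);`. That line assumes the write sits on the same register, and the start of `pci_rom_probe` is outside the hunk, so this should be checked against the full function. The log text would also be clearer as `"On-device Option ROM execution disabled for %s\n"`, because ROMs found in CBFS are still run.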