From 16719ad143e823a3cdab8ebde3b599488d861331 Mon Sep 17 00:00:00 2001
From: Nicola Corna
Date: Fri, 10 Mar 2017 11:27:39 +0100
Subject: sb/intel/common/firmware: Add Intel ME/TXE firmware check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ensure that the provided ME/TXE firmware is valid, using the check capabilities of me_cleaner. me_cleaner checks that the fundamental partition is available and it has a correct signature. The checks performed by me_cleaner aren't exhaustive, but they should find at least whether the user has provided an empty or corrupted firmware. me_cleaner has been tested on all the ME (6-11.6) and TXE (1-3) firmwares available here [1], and it hasn't reported any false positive. [1] http://www.win-raid.com/t832f39-Intel-Engine-Firmware-Repositories.html
Change-Id: Ie6ea3b4e637dca4097b9377bd0507e84c4e8f687
Signed-off-by: Nicola Corna
Reviewed-on: https://review.coreboot.org/18768
Tested-by: build bot (Jenkins)
Reviewed-by: Paul Menzel
Reviewed-by: Philipp Deppenwiese
Reviewed-by: Philippe Mathieu-Daudé
---
 src/southbridge/intel/common/firmware/Kconfig | 13 +++++++++++++
 src/southbridge/intel/common/firmware/Makefile.inc | 3 +++
 2 files changed, 16 insertions(+)
(limited to 'src/southbridge')
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index da40db0fd1..f4be93cc07 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -58,6 +58,19 @@ config ME_BIN_PATH
 default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin"
 depends on HAVE_ME_BIN
 
+config CHECK_ME
+ bool "Verify the integrity of the supplied ME/TXE firmware"
+ default y
+ depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_NEHALEM || \
+ NORTHBRIDGE_INTEL_SANDYBRIDGE || \
+ NORTHBRIDGE_INTEL_IVYBRIDGE || NORTHBRIDGE_INTEL_HASWELL || \
+ SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
+ SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
+ help
+ Verify the integrity of the supplied Intel ME/TXE firmware before
+ proceeding with the build, in order to prevent an accidental loading
+ of a corrupted ME/TXE image.
+
 config USE_ME_CLEANER
 bool "Strip down the Intel ME/TXE firmware"
 depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_SANDYBRIDGE || \
diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc
index 98a36d3b81..eb4c07e91d 100644
--- a/src/southbridge/intel/common/firmware/Makefile.inc
+++ b/src/southbridge/intel/common/firmware/Makefile.inc
@@ -58,6 +58,9 @@ ifeq ($(CONFIG_HAVE_ME_BIN),y)
 $(obj)/coreboot.pre
 mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
 endif
+ifeq ($(CONFIG_CHECK_ME),y)
+ util/me_cleaner/me_cleaner.py -c $(obj)/coreboot.pre > /dev/null
+endif
 ifeq ($(CONFIG_USE_ME_CLEANER),y)
 printf " ME_CLEANER coreboot.pre\n"
 util/me_cleaner/me_cleaner.py $(obj)/coreboot.pre > \
-- cgit v1.2.3
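Review bot: The prompt and help text of `CHECK_ME` say the option will "verify the integrity" of the blob, which a reader can take for authentication, whereas the commit message states that the me_cleaner checks are not exhaustive and only cover the presence and signature of the fundamental partition. I would add a sentence to the help text along the lines of `This is a sanity check against empty or corrupted images; it is not exhaustive and should not be relied on to establish the provenance of the blob.` Since the option is `default y` on every listed platform, the help should also state what a failed check does; presumably it aborts the build through the non-zero exit in the Makefile.inc recipe, but nothing in this hunk says so.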
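Review bot: The added `me_cleaner.py -c` line discards stdout and prints no status line, so when the check fails the builder sees at most whatever me_cleaner writes to stderr plus a generic make error, with no hint that the blob named by CONFIG_ME_BIN_PATH is the cause. I would announce the step the way the following block does, `printf "    ME_CHECK   coreboot.pre\n"`, and end the check line with `|| { printf "ME/TXE firmware check failed, see CONFIG_ME_BIN_PATH\n" >&2; exit 1; }`. The check also runs on `$(obj)/coreboot.pre` after the preceding block has already moved the new image into place, so a failed check appears to leave an image containing the rejected blob in the build directory; running it on `$(obj)/coreboot.pre.new` before the `mv` would avoid that. The recipe starts and ends outside this hunk, so this should be confirmed against the full rule.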