southbridge/intel: Add config option to validate firmware descriptor
Add new config option to validate the Intel firmware descriptor against
the fmap layout. This will prevent a firmware descriptor from being used
that could corrupt regions of the bootimage in certain circumstances.

BUG=chromium:992215
TEST=Build firmware image with mismatched descriptor and fmap
     Without VALIDATE_INTEL_DESCRIPTOR set firmware builds
     With VALIDATE_INTEL_DESCRIPTOR set error is shown with mismatched
     regions

Change-Id: I9e8bb20485e96026cd594cf4e9d6b11b2bf20e1f
Signed-off-by: Mathew King <mathewk@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34816
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
parent c7ddc999fc
commit d8b150f0d5
2 changed files with 14 additions and 0 deletions
|
@ -55,6 +55,15 @@ config INTEL_DESCRIPTOR_MODE_REQUIRED
|
|||
This config states descriptor mode is *required* for the platform to
|
||||
function properly, or to function at all.
|
||||
|
||||
config VALIDATE_INTEL_DESCRIPTOR
|
||||
depends on INTEL_DESCRIPTOR_MODE_CAPABLE
|
||||
bool "Validate Intel firmware descriptor"
|
||||
default n
|
||||
help
|
||||
This config enables validating the Intel firmware descriptor against the
|
||||
fmap layout. If the firmware descriptor layout does not match the fmap
|
||||
then the bootimage cannot be built.
|
||||
|
||||
config INTEL_CHIPSET_LOCKDOWN
|
||||
depends on HAVE_INTEL_CHIPSET_LOCKDOWN && HAVE_SMI_HANDLER && !CHROMEOS
|
||||
#ChromeOS's payload seems to handle finalization on its on.
|
||||
|
|
|
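Review bot: In the new VALIDATE_INTEL_DESCRIPTOR entry, "default n" makes the check opt-in, so the corruption case described in the commit message is only caught on builds where someone has turned the option on. Consider saying in the help text when a board should enable it (or having the affected boards select it), and say there that the check runs at build time and fails the build on a mismatch, since "the bootimage cannot be built" does not tell the reader what reports the error. As a style point, "default n" is redundant for a bool and can be dropped.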
@ -45,6 +45,11 @@ add_intel_firmware: $(obj)/coreboot.pre $(IFDTOOL)
|
|||
printf " DD Adding Intel Firmware Descriptor\n"
|
||||
dd if=$(IFD_BIN_PATH) \
|
||||
of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1
|
||||
ifeq ($(CONFIG_VALIDATE_INTEL_DESCRIPTOR),y)
|
||||
$(objutil)/ifdtool/ifdtool \
|
||||
$(IFDTOOL_USE_CHIPSET) \
|
||||
-t $(obj)/coreboot.pre
|
||||
endif
|
||||
ifeq ($(CONFIG_HAVE_ME_BIN),y)
|
||||
printf " IFDTOOL me.bin -> coreboot.pre\n"
|
||||
$(objutil)/ifdtool/ifdtool \
|
||||
|
|
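Review bot: The "ifdtool ... -t $(obj)/coreboot.pre" call in the new ifeq block runs after the dd step above it has already written the descriptor into coreboot.pre with conv=notrunc, so a failed validation stops the build but leaves a coreboot.pre that already contains the mismatched descriptor. If the check cannot run before the write, a short comment stating that the ordering is intentional would help, along with a note that the only input is coreboot.pre, so the fmap being compared has to be present in that image at this point. The neighbouring steps each print a status line ("DD Adding Intel Firmware Descriptor", "IFDTOOL me.bin -> coreboot.pre"); adding one here would make a validation failure easier to attribute in the build log.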