southbridge/intel: Add config option to validate firmware descriptor

Add new config option to validate the Intel firmware descriptor against
the fmap layout. This will prevent a firmware descriptor from being used
that could corrupt regions of the bootimage in certain circumstances.

BUG=chromium:992215
TEST=Build firmware image with mismatched descriptor and fmap
     Without VALIDATE_INTEL_DESCRIPTOR set firmware builds
     With VALIDATE_INTEL_DESCRIPTOR set error is shown with mismatched
     regions

Change-Id: I9e8bb20485e96026cd594cf4e9d6b11b2bf20e1f
Signed-off-by: Mathew King <mathewk@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34816
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Stefan Reinauer <stefan.reinauer@coreboot.org>
Mathew King 2019-08-09 10:55:37 -06:00 committed by Patrick Georgi
parent c7ddc999fc
commit d8b150f0d5
2 changed files with 14 additions and 0 deletions

@ -55,6 +55,15 @@ config INTEL_DESCRIPTOR_MODE_REQUIRED
This config states descriptor mode is *required* for the platform to
function properly, or to function at all.
config VALIDATE_INTEL_DESCRIPTOR
depends on INTEL_DESCRIPTOR_MODE_CAPABLE
bool "Validate Intel firmware descriptor"
default n
help
This config enables validating the Intel firmware descriptor against the
fmap layout. If the firmware descriptor layout does not match the fmap
then the bootimage cannot be built.
config INTEL_CHIPSET_LOCKDOWN
depends on HAVE_INTEL_CHIPSET_LOCKDOWN && HAVE_SMI_HANDLER && !CHROMEOS
#ChromeOS's payload seems to handle finalization on its on.
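
Review bot: `default n` on the new VALIDATE_INTEL_DESCRIPTOR entry leaves the check off unless someone opts in, so an image with a mismatched descriptor still builds by default. Consider whether boards that add a descriptor should select this option, and drop the explicit `default n`, which is already the default for a bool. The help text says the bootimage cannot be built on a mismatch; it would help to add that the failure is reported by ifdtool during the add_intel_firmware step, so the error is easy to trace.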

@ -45,6 +45,11 @@ add_intel_firmware: $(obj)/coreboot.pre $(IFDTOOL)
printf " DD Adding Intel Firmware Descriptor\n"
dd if=$(IFD_BIN_PATH) \
of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1
ifeq ($(CONFIG_VALIDATE_INTEL_DESCRIPTOR),y)
$(objutil)/ifdtool/ifdtool \
$(IFDTOOL_USE_CHIPSET) \
-t $(obj)/coreboot.pre
endif
ifeq ($(CONFIG_HAVE_ME_BIN),y)
printf " IFDTOOL me.bin -> coreboot.pre\n"
$(objutil)/ifdtool/ifdtool \
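
Review bot: the ifdtool call inside `ifeq ($(CONFIG_VALIDATE_INTEL_DESCRIPTOR),y)` has no `printf` status line, unlike the dd step above it and the me.bin step below it, so a validation failure shows up in the build output with no label for the step that produced it. Add a status line before the call in the same style as the neighbouring steps. The check also runs after dd has already written the descriptor into $(obj)/coreboot.pre, so a failed build leaves that file modified; either validate before the write or add a comment explaining why the check has to run on coreboot.pre afterwards.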