Frans Hendriks has uploaded this change for review.

device/pci_device.c: Use verified boot to check oprom

Before oprom is executed, no check is performed if rom passes verification.
Add call to verified_boot_should_run_oprom() to verify the oprom.

BUG=N/A
TEST=Created verified binary and verify logging on Portwell PQ-M107

Change-Id: Iec5092e85d34940ea3a3bb1192ea49f3bc3e5b27
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
---
M src/device/pci_device.c
M src/include/device/pci_rom.h
2 files changed, 22 insertions(+), 0 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/10/30810/1
diff --git a/src/device/pci_device.c b/src/device/pci_device.c
index 82033a6..40012f9 100644
--- a/src/device/pci_device.c
+++ b/src/device/pci_device.c
@@ -16,6 +16,7 @@
* Copyright (C) 2005-2009 coresystems GmbH
* (Written by Stefan Reinauer <stepan@coresystems.de> for coresystems GmbH)
* Copyright (C) 2014 Sage Electronic Engineering, LLC.
+ * Copyright (C) 2018 Eltan B.V.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -802,6 +803,10 @@
if (!should_run_oprom(dev))
return;

+ if (IS_ENABLED(CONFIG_VERIFIED_BOOT))
+ if (!verified_boot_should_run_oprom(rom))
+ return;
+
run_bios(dev, (unsigned long)ram);
gfx_set_init_done(1);
printk(BIOS_DEBUG, "VGA Option ROM was run\n");
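Review bot: The added check verifies `rom`, but the line that follows executes the image at `ram` via `run_bios(dev, (unsigned long)ram)`, so the buffer that is verified is not the buffer that runs. Pass the executed copy to the verifier, or confirm that `ram` is a byte-for-byte copy of the verified data, so that the check covers what is actually executed. The failure path also returns without a message at this call site; unless `verified_boot_should_run_oprom()` logs the rejection itself, add a `printk()` before the `return` so a refused option ROM can be told apart from one skipped by `should_run_oprom()`. As a style point, the two nested unbraced `if` statements read more clearly as one condition: `if (IS_ENABLED(CONFIG_VERIFIED_BOOT) && !verified_boot_should_run_oprom(rom))`.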
diff --git a/src/include/device/pci_rom.h b/src/include/device/pci_rom.h
index a4aa52a..865fea3 100644
--- a/src/include/device/pci_rom.h
+++ b/src/include/device/pci_rom.h
@@ -1,3 +1,19 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2015 Google Inc.
+ * Copyright (C) 2018 Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
#ifndef PCI_ROM_H
#define PCI_ROM_H
#include <endian.h>
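Review bot: The license header added at the top of pci_rom.h, including the "Copyright 2015 Google Inc." line, is unrelated to the option ROM check and makes up most of the 22 inserted lines. Move it to its own commit with a message that explains where the 2015 attribution comes from, so this change stays limited to the verification call and its prototype.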
@@ -47,4 +63,5 @@

u32 map_oprom_vendev(u32 vendev);

+int verified_boot_should_run_oprom(struct rom_header *rom_header);
#endif

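Review bot: The prototype for `verified_boot_should_run_oprom()` is added before `#endif` with no comment on its return convention, and the file list shows only pci_device.c and pci_rom.h, so neither a definition nor a Kconfig entry for `CONFIG_VERIFIED_BOOT` is part of this change. State in a comment whether a non-zero return means "run the ROM" or "error", and either land the implementation with this change or name the change that provides it in the commit message, since a build with the option enabled has nothing to link against otherwise. The parameter can be `const struct rom_header *` because verification should not modify the image, and a blank line before `#endif` would match the spacing used after `map_oprom_vendev()`.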

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: Iec5092e85d34940ea3a3bb1192ea49f3bc3e5b27
Gerrit-Change-Number: 30810
Gerrit-PatchSet: 1
Gerrit-Owner: Frans Hendriks <fhendriks@eltan.com>
Gerrit-MessageType: newchange