Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/30811 )
Change subject: lib/prog_loaders.c: Add prog_locate_hook()
lib/prog_loaders.c: Add prog_locate_hook()
There is no possibility to prevent loading images from cbfs at this stage. For security features prog_locate_hook() is added. This hook can be used to prevent loading the image.
BUG=N/A
TEST=Created verified binary and verify logging on Facebook FBG-1701

Change-Id: I12207fc8f2e9ca45d048cf8c8d9c057f53e5c2c7
Signed-off-by: Frans Hendriks fhendriks@eltan.com
Reviewed-on: https://review.coreboot.org/c/coreboot/+/30811
Tested-by: build bot (Jenkins) no-reply@coreboot.org
Reviewed-by: Aaron Durbin adurbin@chromium.org
---
M src/include/program_loading.h
M src/lib/prog_loaders.c
2 files changed, 13 insertions(+), 0 deletions(-)

Approvals:
  build bot (Jenkins): Verified
  Aaron Durbin: Looks good to me, approved
diff --git a/src/include/program_loading.h b/src/include/program_loading.h index 6dec192..601847d 100644 --- a/src/include/program_loading.h +++ b/src/include/program_loading.h @@ -3,6 +3,7 @@ * * Copyright 2015 Google Inc. * Copyright (C) 2014 Imagination Technologies + * Copyright (C) 2018 Eltan B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -138,6 +139,12 @@
/* Locate the identified program to run. Return 0 on success. < 0 on error. */ int prog_locate(struct prog *prog); +/* The prog_locate_hook() is called prior to CBFS traversal. The hook can be + * used to implement policy that allows or prohibits further progress through + * prog_locate(). The type and name field within struct prog are the only valid + * fields. A 0 return value allows further progress while a non-zero return + * value prohibits further progress */ +int prog_locate_hook(struct prog *prog);
/* Run the program described by prog. */ void prog_run(struct prog *prog); diff --git a/src/lib/prog_loaders.c b/src/lib/prog_loaders.c index 2ef6bdf..5048c99 100644 --- a/src/lib/prog_loaders.c +++ b/src/lib/prog_loaders.c @@ -2,6 +2,7 @@ * This file is part of the coreboot project. * * Copyright 2015 Google Inc. + * Copyright (C) 2018-2019 Eltan B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -38,6 +39,9 @@ { struct cbfsf file;
+ if (prog_locate_hook(prog)) + return -1; + cbfs_prepare_program_locate();
if (cbfs_boot_locate(&file, prog_name(prog), NULL)) @@ -74,6 +78,8 @@ halt(); }
+int __weak prog_locate_hook(struct prog *prog) { return 0; } + static void ramstage_cache_invalid(void) { printk(BIOS_ERR, "ramstage cache invalid.\n");
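Review bot: In the src/include/program_loading.h hunk, the prog_locate_hook() comment treats any non-zero return as a refusal, while prog_locate() just above it is documented as "Return 0 on success. < 0 on error."; state which values an implementation should return so overrides stay consistent with what prog_locate() reports to its callers. Because the comment says the type and name fields are the only valid ones and the hook is a policy check, consider declaring the parameter as const struct prog *prog so an implementation cannot modify the prog it is vetting. The comment is also missing its final period.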
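Review bot: The new check at the top of prog_locate() in src/lib/prog_loaders.c turns every hook refusal into a bare "return -1" with no log line, so a policy denial is silent and reaches the caller as just another prog_locate() error. The non-zero value the hook returned is discarded as well. Since the hook exists for security features, print the refusal before returning, for example with printk(BIOS_ERR, ...) as ramstage_cache_invalid() does further down in the same file, and include prog_name(prog) in the message so the blocked image can be identified from the boot log.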
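Review bot: The __weak default prog_locate_hook() added ahead of ramstage_cache_invalid() returns 0, which the header comment defines as "allows further progress", so the policy fails open: a build in which the intended override is not linked in behaves exactly like one whose policy approved every image, with nothing in the build or the boot log to tell them apart. Add a comment on the default stating that it permits every program and that enforcing boards must supply a strong definition, and consider having an enforcing implementation log that it is active so the TEST step can confirm the override was actually picked up. The one-line function body would also be easier to read expanded over separate lines.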