Julius Werner has submitted this change. ( https://review.coreboot.org/c/coreboot/+/66346 )
(
1 is the latest approved patch-set. No files were changed between the latest approved patch-set and the submitted one. )Change subject: soc/intel: Add SI_DESC region to GSCVD ranges ......................................................................
soc/intel: Add SI_DESC region to GSCVD ranges
Intel platforms have soft straps stored in the SI_DESC FMAP section which can alter boot behavior and may open up a security risk if they can be modified by an attacker. This patch adds the SI_DESC region to the list of ranges covered by GSC verification (CONFIG_VBOOT_GSCVD).
Signed-off-by: Julius Werner jwerner@chromium.org Change-Id: I0f1b297e207d3c6152bf99ec5a5b0983f01b2d0b Reviewed-on: https://review.coreboot.org/c/coreboot/+/66346 Reviewed-by: Yu-Ping Wu yupingso@google.com Tested-by: build bot (Jenkins) no-reply@coreboot.org --- M src/security/vboot/Makefile.inc M src/soc/intel/common/Makefile.inc 2 files changed, 29 insertions(+), 0 deletions(-)
Approvals: build bot (Jenkins): Verified Yu-Ping Wu: Looks good to me, approved
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index faa79cb..d38fbac 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -292,6 +292,8 @@
fmap-section-offset-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \ grep '^$(1) ' | cut '-d ' -f2 +fmap-section-size-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \ + grep '^$(1) ' | cut '-d ' -f3
ifeq ($(CONFIG_VBOOT_GSCVD),y) # diff --git a/src/soc/intel/common/Makefile.inc b/src/soc/intel/common/Makefile.inc index 43fc2f8..28842da 100644 --- a/src/soc/intel/common/Makefile.inc +++ b/src/soc/intel/common/Makefile.inc @@ -68,4 +68,13 @@
endif
+# SI_DESC contains soft straps that may modify security-relevant behavior, so it should be +# verified by GSCVD. +vboot-gscvd-ranges += $(shell ( \ + offset=$$($(call fmap-section-offset-cmd,SI_DESC)) ;\ + if [ -n "$$offset" ]; then \ + printf "%x:%x" $$offset $$($(call fmap-section-size-cmd,SI_DESC)) ;\ + fi ;\ +)) + endif