Mathew King has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/34816 )
Change subject: southbridge/intel: Add config option to validate firmware descriptor ......................................................................
southbridge/intel: Add config option to validate firmware descriptor
Add new config option to validate the Intel firmware descriptor against the fmap layout. This will prevent a firmware descriptor from being used that could corrupt regions of the bootimage in certain circumstances.
BUG=chromium:992215 TEST=Coming
Change-Id: I9e8bb20485e96026cd594cf4e9d6b11b2bf20e1f Signed-off-by: Mathew King mathewk@chromium.org --- M src/southbridge/intel/common/Kconfig M src/southbridge/intel/common/firmware/Makefile.inc 2 files changed, 12 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/16/34816/1
diff --git a/src/southbridge/intel/common/Kconfig b/src/southbridge/intel/common/Kconfig index c3bd90d..6b7b5e6 100644 --- a/src/southbridge/intel/common/Kconfig +++ b/src/southbridge/intel/common/Kconfig @@ -54,6 +54,13 @@ This config states descriptor mode is *required* for the platform to function properly, or to function at all.
+config VALIDATE_INTEL_DESCRIPTOR + def_bool n if INTEL_DESCRIPTOR_MODE_CAPABLE + help + This config enables validating the Intel firmware descriptor against the + fmap layout. If the firmware descriptor layout does not match the fmap + then the bootimage cannot be built. + config INTEL_CHIPSET_LOCKDOWN depends on HAVE_INTEL_CHIPSET_LOCKDOWN && HAVE_SMI_HANDLER && !CHROMEOS #ChromeOS's payload seems to handle finalization on its on. diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc index 898ab60..3b14f75 100644 --- a/src/southbridge/intel/common/firmware/Makefile.inc +++ b/src/southbridge/intel/common/firmware/Makefile.inc @@ -35,6 +35,11 @@ printf " DD Adding Intel Firmware Descriptor\n" dd if=$(IFD_BIN_PATH) \ of=$(obj)/coreboot.pre conv=notrunc >/dev/null 2>&1 +ifeq ($(CONFIG_VALIDATE_INTEL_DESCRIPTOR),y) + $(objutil)/ifdtool/ifdtool \ + $(IFDTOOL_USE_CHIPSET) \ + -t $(obj)/coreboot.pre +endif ifeq ($(CONFIG_HAVE_ME_BIN),y) printf " IFDTOOL me.bin -> coreboot.pre\n" $(objutil)/ifdtool/ifdtool \
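Review bot: `VALIDATE_INTEL_DESCRIPTOR` is declared with `def_bool n` and no prompt, so it cannot be enabled from menuconfig and stays off unless another symbol selects it; neither file in this change does. The `if INTEL_DESCRIPTOR_MODE_CAPABLE` clause only conditions a default that is already `n`, so it does not restrict where the option applies. If the check is meant to protect images in practice, consider `bool "Validate Intel firmware descriptor against fmap"` with a `depends on` matching the condition under which the descriptor is actually added, plus a deliberate default. The help text could also state, as the commit message does, that a mismatched descriptor can corrupt regions of the bootimage.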
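Review bot: The new `ifdtool -t` step prints no status line and runs after `dd` has already written the descriptor into `$(obj)/coreboot.pre`, so a failed validation stops the build without a banner naming the step and apparently leaves the modified image in place. Add a line such as `printf "    IFDTOOL    validating descriptor against fmap\n"` before the call, matching the neighbouring steps. The check only blocks a bad image if ifdtool exits non-zero on a mismatch and the enclosing rule lists ifdtool as a prerequisite. The rule header is outside this hunk, so both should be confirmed.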