Stefan Reinauer (stefan.reinauer@coreboot.org) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/730
-gerrit
commit bb711d3f6dbde4db589fefb0cc10d49a62a944ba
Author: Stefan Reinauer reinauer@chromium.org
Date: Thu Oct 6 16:47:51 2011 -0700
Don't run any option ROMs stored outside of the system flash

Right now coreboot only executes VGA option ROMs. However, this is not good enough. For security reasons we want to execute only option ROMs stored in our RO CBFS.

This patch adds a new option to disable execution of arbitrary option ROMs and enables it for all our boards.
Change-Id: I485291c06ec5cd1f875357401831fe32ccfc5f2f
Signed-off-by: Stefan Reinauer reinauer@google.com
---
 src/devices/Kconfig   | 13 +++++++++++++
 src/devices/pci_rom.c |  6 ++++++
 2 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/src/devices/Kconfig b/src/devices/Kconfig index 572addc..98e8d9f 100644 --- a/src/devices/Kconfig +++ b/src/devices/Kconfig @@ -49,6 +49,19 @@ config PCI_ROM_RUN Examples include IDE/SATA controller option ROMs and option ROMs for network cards (NICs).
+config ON_DEVICE_ROM_RUN + bool "Run option ROMs on PCI devices" + default y + help + Execute option ROMs that are stored on PCI/PCIe/AGP devices. + + If disabled, only option ROMs stored in CBFS will be executed. If + you are concerned about security, you might want to disable this + option, but it might leave your system in a state of degraded + functionality. + + If unsure, say Y + choice prompt "Option ROM execution type" default PCI_OPTION_ROM_RUN_YABEL if !ARCH_X86 diff --git a/src/devices/pci_rom.c b/src/devices/pci_rom.c index 471c7e2..1b6f1da 100644 --- a/src/devices/pci_rom.c +++ b/src/devices/pci_rom.c @@ -71,9 +71,15 @@ struct rom_header *pci_rom_probe(struct device *dev) rom_address|PCI_ROM_ADDRESS_ENABLE); }
+#if CONFIG_ON_DEVICE_ROM_RUN printk(BIOS_DEBUG, "On card, ROM address for %s = %lx\n", dev_path(dev), (unsigned long)rom_address); rom_header = (struct rom_header *)rom_address; +#else + printk(BIOS_DEBUG, "On card option ROM execution disabled " + "for %s\n", dev_path(dev)); + return NULL; +#endif }
printk(BIOS_SPEW, "PCI expansion ROM, signature 0x%04x, "
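Review bot: the Kconfig hunk gives ON_DEVICE_ROM_RUN `default y`, and the diffstat touches only src/devices/Kconfig and src/devices/pci_rom.c, so nothing in this patch set turns the restriction on for any board even though the commit message says it "enables it for all our boards"; either include the board config changes here or reword the message to say boards must set `CONFIG_ON_DEVICE_ROM_RUN=n` themselves. In the same hunk the help text says "only option ROMs stored in CBFS will be executed" while the commit message promises "RO CBFS"; the two should agree on what is actually enforced, since nothing in this change distinguishes RO from RW CBFS. Minor: "If unsure, say Y" is missing its trailing period.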
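Review bot: in the pci_rom.c hunk, the `#else` branch returns NULL immediately after the context line that enables expansion ROM decoding (`rom_address|PCI_ROM_ADDRESS_ENABLE`), so with ON_DEVICE_ROM_RUN disabled the device's ROM BAR is left enabled and mapped even though the ROM is never read; move the `#if CONFIG_ON_DEVICE_ROM_RUN` check ahead of that write, or clear PCI_ROM_ADDRESS_ENABLE before returning, so an untrusted on-card ROM is not decoded at all when the option is off. The "On card option ROM execution disabled" message in that branch is only BIOS_DEBUG; since the user-visible effect is a device running without its option ROM, BIOS_INFO or BIOS_WARNING would make the degraded state visible in a normal log.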