[coreboot-gerrit] Change in coreboot[master]: sb/intel/common/firmware: Add Intel ME/TXE firmware check
Martin Roth (Code Review)
gerrit at coreboot.org
Sun Mar 19 21:38:00 CET 2017
Martin Roth has submitted this change and it was merged. ( https://review.coreboot.org/18768 )
Change subject: sb/intel/common/firmware: Add Intel ME/TXE firmware check
......................................................................
sb/intel/common/firmware: Add Intel ME/TXE firmware check
Ensure that the provided ME/TXE firmware is valid, using the
check capabilities of me_cleaner.
me_cleaner checks that the fundamental partition is available and
it has a correct signature. The checks performed by me_cleaner
aren't exhaustive, but they should find at least whether the user
has provided an empty or corrupted firmware.
me_cleaner has been tested on all the ME (6-11.6) and TXE (1-3)
firmwares available here [1], and it hasn't reported any false
positive.
[1] http://www.win-raid.com/t832f39-Intel-Engine-Firmware-Repositories.html
Change-Id: Ie6ea3b4e637dca4097b9377bd0507e84c4e8f687
Signed-off-by: Nicola Corna <nicola at corna.info>
Reviewed-on: https://review.coreboot.org/18768
Tested-by: build bot (Jenkins)
Reviewed-by: Paul Menzel <paulepanter at users.sourceforge.net>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philippe.mathieu.daude at gmail.com>
---
M src/southbridge/intel/common/firmware/Kconfig
M src/southbridge/intel/common/firmware/Makefile.inc
2 files changed, 16 insertions(+), 0 deletions(-)
Approvals:
Philippe Mathieu-Daudé: Looks good to me, but someone else must approve
Paul Menzel: Looks good to me, but someone else must approve
Philipp Deppenwiese: Looks good to me, approved
build bot (Jenkins): Verified
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index da40db0..f4be93c 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -58,6 +58,19 @@
default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin"
depends on HAVE_ME_BIN
+config CHECK_ME
+ bool "Verify the integrity of the supplied ME/TXE firmware"
+ default y
+ depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_NEHALEM || \
+ NORTHBRIDGE_INTEL_SANDYBRIDGE || \
+ NORTHBRIDGE_INTEL_IVYBRIDGE || NORTHBRIDGE_INTEL_HASWELL || \
+ SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
+ SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
+ help
+ Verify the integrity of the supplied Intel ME/TXE firmware before
+ proceeding with the build, in order to prevent an accidental loading
+ of a corrupted ME/TXE image.
+
config USE_ME_CLEANER
bool "Strip down the Intel ME/TXE firmware"
depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_SANDYBRIDGE || \
diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc
index 98a36d3..eb4c07e 100644
--- a/src/southbridge/intel/common/firmware/Makefile.inc
+++ b/src/southbridge/intel/common/firmware/Makefile.inc
@@ -58,6 +58,9 @@
$(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
endif
+ifeq ($(CONFIG_CHECK_ME),y)
+ util/me_cleaner/me_cleaner.py -c $(obj)/coreboot.pre > /dev/null
+endif
ifeq ($(CONFIG_USE_ME_CLEANER),y)
printf " ME_CLEANER coreboot.pre\n"
util/me_cleaner/me_cleaner.py $(obj)/coreboot.pre > \
--
To view, visit https://review.coreboot.org/18768
To unsubscribe, visit https://review.coreboot.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ie6ea3b4e637dca4097b9377bd0507e84c4e8f687
Gerrit-PatchSet: 4
Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Owner: Nicola Corna <nicola at corna.info>
Gerrit-Reviewer: Martin Roth <martinroth at google.com>
Gerrit-Reviewer: Paul Menzel <paulepanter at users.sourceforge.net>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: Philippe Mathieu-Daudé <philippe.mathieu.daude at gmail.com>
Gerrit-Reviewer: build bot (Jenkins)
More information about the coreboot-gerrit
mailing list