[coreboot] Patch set updated for coreboot: a9e4b1a Don't run any option roms stored outside of the system flash

Stefan Reinauer (stefan.reinauer@coreboot.org) gerrit at coreboot.org
Thu Mar 8 20:04:04 CET 2012


Stefan Reinauer (stefan.reinauer at coreboot.org) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/730

-gerrit

commit a9e4b1ace0c54ef84e4aba8907bc2ea5c090f7e4
Author: Stefan Reinauer <reinauer at chromium.org>
Date:   Thu Oct 6 16:47:51 2011 -0700

    Don't run any option roms stored outside of the system flash
    
    Right now coreboot only executes vga option roms. However, this is not
    good enough. For security reasons we want to execute only option roms
    stored in our RO CBFS.
    
    This patch adds a new option to disable execution of arbitrary option
    ROMs and enables it for all our boards.
    
    Change-Id: I485291c06ec5cd1f875357401831fe32ccfc5f2f
    Signed-off-by: Stefan Reinauer <reinauer at google.com>
---
 src/devices/Kconfig   |   13 +++++++++++++
 src/devices/pci_rom.c |    6 ++++++
 2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/src/devices/Kconfig b/src/devices/Kconfig
index 572addc..98e8d9f 100644
--- a/src/devices/Kconfig
+++ b/src/devices/Kconfig
@@ -49,6 +49,19 @@ config PCI_ROM_RUN
 	  Examples include IDE/SATA controller option ROMs and option ROMs
 	  for network cards (NICs).
 
+config ON_DEVICE_ROM_RUN
+	bool "Run option ROMs on PCI devices"
+	default y
+	help
+	  Execute option ROMs that are stored on PCI/PCIe/AGP devices.
+
+	  If disabled, only option ROMs stored in CBFS will be executed. If
+	  you are concerned about security, you might want to disable this
+	  option, but it might leave your system in a state of degraded
+	  functionality.
+
+	  If unsure, say Y
+
 choice
 	prompt "Option ROM execution type"
 	default PCI_OPTION_ROM_RUN_YABEL if !ARCH_X86
diff --git a/src/devices/pci_rom.c b/src/devices/pci_rom.c
index 471c7e2..1b6f1da 100644
--- a/src/devices/pci_rom.c
+++ b/src/devices/pci_rom.c
@@ -71,9 +71,15 @@ struct rom_header *pci_rom_probe(struct device *dev)
 					   rom_address|PCI_ROM_ADDRESS_ENABLE);
 		}
 
+#if CONFIG_ON_DEVICE_ROM_RUN
 		printk(BIOS_DEBUG, "On card, ROM address for %s = %lx\n",
 		       dev_path(dev), (unsigned long)rom_address);
 		rom_header = (struct rom_header *)rom_address;
+#else
+		printk(BIOS_DEBUG, "On card option ROM execution disabled "
+			"for %s\n", dev_path(dev));
+		return NULL;
+#endif
 	}
 
 	printk(BIOS_SPEW, "PCI expansion ROM, signature 0x%04x, "




More information about the coreboot mailing list