[coreboot] Patch set updated for coreboot: 463a858 Don't run any Option ROMs stored outside of the system flash
Stefan Reinauer (email@example.com)
gerrit at coreboot.org
Fri Mar 9 02:22:57 CET 2012
Stefan Reinauer (stefan.reinauer at coreboot.org) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/730
Author: Stefan Reinauer <reinauer at chromium.org>
Date: Thu Oct 6 16:47:51 2011 -0700
Don't run any Option ROMs stored outside of the system flash
Right now coreboot only executes VGA Option ROMs. However, this is not
good enough. For security reasons we want to execute only Option ROMs
stored in our r/o CBFS.
This patch adds a new option to disable execution of arbitrary Option
Also fix the capitalization of Option ROM in src/devices/Kconfig
Signed-off-by: Stefan Reinauer <reinauer at google.com>
src/devices/Kconfig | 43 ++++++++++++++++++++++++++++---------------
src/devices/pci_rom.c | 8 +++++++-
2 files changed, 35 insertions(+), 16 deletions(-)
diff --git a/src/devices/Kconfig b/src/devices/Kconfig
index 572addc..a731f44 100644
@@ -27,28 +27,41 @@ config VGA_BRIDGE_SETUP
# TODO: Explain differences (if any) for onboard cards.
- bool "Run VGA option ROMs"
+ bool "Run VGA Option ROMs"
- Execute VGA option ROMs, if found. This is required to enable
+ Execute VGA Option ROMs, if found. This is required to enable
PCI/AGP/PCI-E video cards.
- bool "Re-run VGA option ROMs on S3 resume"
+ bool "Re-run VGA Option ROMs on S3 resume"
depends on VGA_ROM_RUN && HAVE_ACPI_RESUME
- Execute VGA option ROMs when coming out of an S3 resume.
+ Execute VGA Option ROMs when coming out of an S3 resume.
- bool "Run non-VGA option ROMs"
+ bool "Run non-VGA Option ROMs"
- Execute non-VGA PCI option ROMs, if found.
+ Execute non-VGA PCI Option ROMs, if found.
- Examples include IDE/SATA controller option ROMs and option ROMs
+ Examples include IDE/SATA controller Option ROMs and Option ROMs
for network cards (NICs).
+ bool "Run Option ROMs on PCI devices"
+ default y
+ Execute Option ROMs that are stored on PCI/PCIe/AGP devices.
+ If disabled, only Option ROMs stored in CBFS will be executed. If
+ you are concerned about security, you might want to disable this
+ option, but it might leave your system in a state of degraded
+ If unsure, say Y
prompt "Option ROM execution type"
default PCI_OPTION_ROM_RUN_YABEL if !ARCH_X86
@@ -60,7 +73,7 @@ config PCI_OPTION_ROM_RUN_REALMODE
depends on ARCH_X86
- If you select this option, PCI option ROMs will be executed
+ If you select this option, PCI Option ROMs will be executed
natively on the CPU in real mode. No CPU emulation is involved,
so this is the fastest, but also the least secure option.
(only works on x86/x64 systems)
@@ -71,11 +84,11 @@ config PCI_OPTION_ROM_RUN_YABEL
depends on !GEODE_VSA
If you select this option, the x86emu CPU emulator will be used to
- execute PCI option ROMs.
+ execute PCI Option ROMs.
- This option prevents option ROMs from doing dirty tricks with the
+ This option prevents Option ROMs from doing dirty tricks with the
system (such as installing SMM modules or hypervisors), but it is
- also significantly slower than the native option ROM initialization
+ also significantly slower than the native Option ROM initialization
This is the default choice for non-x86 systems.
@@ -83,13 +96,13 @@ config PCI_OPTION_ROM_RUN_YABEL
- prompt "Allow option ROMs to access other devices"
+ prompt "Allow Option ROMs to access other devices"
depends on PCI_OPTION_ROM_RUN_YABEL
- Per default, YABEL only allows option ROMs to access the PCI device
+ Per default, YABEL only allows Option ROMs to access the PCI device
that they are associated with. However, this causes trouble for some
- onboard graphics chips whose option ROM needs to reconfigure the
+ onboard graphics chips whose Option ROM needs to reconfigure the
@@ -118,7 +131,7 @@ config YABEL_DIRECTHW
When choosing this option, x86emu will pass through all hardware
accesses to memory and I/O devices to the underlying memory and I/O
- addresses. While this option prevents option ROMs from doing dirty
+ addresses. While this option prevents Option ROMs from doing dirty
tricks with the CPU (such as installing SMM modules or hypervisors),
they can still access all devices in the system.
Enable this option for a good compromise between security and speed.
diff --git a/src/devices/pci_rom.c b/src/devices/pci_rom.c
index 471c7e2..800776e 100644
@@ -71,9 +71,15 @@ struct rom_header *pci_rom_probe(struct device *dev)
- printk(BIOS_DEBUG, "On card, ROM address for %s = %lx\n",
+ printk(BIOS_DEBUG, "Option ROM address for %s = %lx\n",
dev_path(dev), (unsigned long)rom_address);
rom_header = (struct rom_header *)rom_address;
+ printk(BIOS_DEBUG, "Option ROM execution disabled "
+ "for %s\n", dev_path(dev));
+ return NULL;
printk(BIOS_SPEW, "PCI expansion ROM, signature 0x%04x, "
More information about the coreboot