Stefan Reinauer ([email protected]) just uploaded a new patch set to 
gerrit, which you can find at http://review.coreboot.org/730

-gerrit

commit f2462af4c374f16da3fbd7bc630652623acf260e
Author: Stefan Reinauer <[email protected]>
Date:   Thu Oct 6 16:47:51 2011 -0700

    Don't run any option roms stored outside of the system flash
    
    Right now coreboot only executes vga option roms. However, this is not
    good enough. For security reasons we want to execute only option roms
    stored in our RO CBFS.
    
    This patch adds a new option to disable execution of arbitrary option
    ROMs and enables it for all our boards.
    
    Change-Id: I485291c06ec5cd1f875357401831fe32ccfc5f2f
    Signed-off-by: Stefan Reinauer <[email protected]>
---
 src/devices/Kconfig   |   13 +++++++++++++
 src/devices/pci_rom.c |    6 ++++++
 2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/src/devices/Kconfig b/src/devices/Kconfig
index 572addc..98e8d9f 100644
--- a/src/devices/Kconfig
+++ b/src/devices/Kconfig
@@ -49,6 +49,19 @@ config PCI_ROM_RUN
          Examples include IDE/SATA controller option ROMs and option ROMs
          for network cards (NICs).
 
+config ON_DEVICE_ROM_RUN
+       bool "Run option ROMs on PCI devices"
+       default y
+       help
+         Execute option ROMs that are stored on PCI/PCIe/AGP devices.
+
+         If disabled, only option ROMs stored in CBFS will be executed. If
+         you are concerned about security, you might want to disable this
+         option, but it might leave your system in a state of degraded
+         functionality.
+
+         If unsure, say Y
+
 choice
        prompt "Option ROM execution type"
        default PCI_OPTION_ROM_RUN_YABEL if !ARCH_X86
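Review bot: ON_DEVICE_ROM_RUN defaults to y, so on-card ROM execution stays on unless a board explicitly turns it off, yet the commit message says the new option is "enabled for all our boards" while the diff only touches src/devices/Kconfig and src/devices/pci_rom.c and no board Kconfig or defconfig. Either the board-side change is missing from this patch set or the message should say the restriction is opt-in. Also consider `depends on PCI_ROM_RUN || VGA_ROM_RUN` (or whichever symbol gates option ROM execution here) so the prompt is hidden when no option ROMs are run at all, and end the help text with "If unsure, say Y." to match the other entries in this file.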
diff --git a/src/devices/pci_rom.c b/src/devices/pci_rom.c
index 471c7e2..1b6f1da 100644
--- a/src/devices/pci_rom.c
+++ b/src/devices/pci_rom.c
@@ -71,9 +71,15 @@ struct rom_header *pci_rom_probe(struct device *dev)
                                           rom_address|PCI_ROM_ADDRESS_ENABLE);
                }
 
+#if CONFIG_ON_DEVICE_ROM_RUN
                printk(BIOS_DEBUG, "On card, ROM address for %s = %lx\n",
                       dev_path(dev), (unsigned long)rom_address);
                rom_header = (struct rom_header *)rom_address;
+#else
+               printk(BIOS_DEBUG, "On card option ROM execution disabled "
+                       "for %s\n", dev_path(dev));
+               return NULL;
+#endif
        }
 
        printk(BIOS_SPEW, "PCI expansion ROM, signature 0x%04x, "
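Review bot: the `#else` branch returns NULL after the preceding context line has already written `rom_address|PCI_ROM_ADDRESS_ENABLE` into the device's expansion ROM BAR, so with ON_DEVICE_ROM_RUN disabled the card's ROM is left enabled and decoding even though coreboot never uses it. Either move the `#if CONFIG_ON_DEVICE_ROM_RUN` check above the BAR programming so the ROM BAR is never enabled on that path, or clear PCI_ROM_ADDRESS_ENABLE before `return NULL;`. Ideally the early return should also come before any other side effects on the device in this function.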

-- 
coreboot mailing list: [email protected]
http://www.coreboot.org/mailman/listinfo/coreboot
