[coreboot] New patch to review for coreboot: f2462af Don't run any option roms stored outside of the system flash

Stefan Reinauer (stefan.reinauer@coreboot.org) gerrit at coreboot.org
Tue Mar 6 00:52:56 CET 2012

Stefan Reinauer (stefan.reinauer at coreboot.org) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/730


commit f2462af4c374f16da3fbd7bc630652623acf260e
Author: Stefan Reinauer <reinauer at chromium.org>
Date:   Thu Oct 6 16:47:51 2011 -0700

    Don't run any option roms stored outside of the system flash

    Right now coreboot only executes vga option roms. However, this is not
    good enough. For security reasons we want to execute only option roms
    stored in our RO CBFS.

    This patch adds a new option to disable execution of arbitrary option
    ROMs and enables it for all our boards.

    Change-Id: I485291c06ec5cd1f875357401831fe32ccfc5f2f
    Signed-off-by: Stefan Reinauer <reinauer at google.com>
 src/devices/Kconfig   |   13 +++++++++++++
 src/devices/pci_rom.c |    6 ++++++
 2 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/src/devices/Kconfig b/src/devices/Kconfig
index 572addc..98e8d9f 100644
--- a/src/devices/Kconfig
+++ b/src/devices/Kconfig
@@ -49,6 +49,19 @@ config PCI_ROM_RUN
 	  Examples include IDE/SATA controller option ROMs and option ROMs
 	  for network cards (NICs).
+	bool "Run option ROMs on PCI devices"
+	default y
+	help
+	  Execute option ROMs that are stored on PCI/PCIe/AGP devices.
+	  If disabled, only option ROMs stored in CBFS will be executed. If
+	  you are concerned about security, you might want to disable this
+	  option, but it might leave your system in a state of degraded
+	  functionality.
+	  If unsure, say Y
 	prompt "Option ROM execution type"
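Review bot: the `config` line that names the new symbol is missing from this hunk, so the added `bool "Run option ROMs on PCI devices"` / `default y` / `help` block appears to attach to nothing between the `PCI_ROM_RUN` help text and the `prompt "Option ROM execution type"` line; the hunk header counts 13 added lines but only 9 are shown, so please check that the `config <name>` line and the blank separator lines survived in the uploaded patch set. Two smaller points on the same hunk: `default y` makes the restriction opt-in, while the commit message says it is "enabled for all our boards" and the diffstat touches only `src/devices/Kconfig` and `src/devices/pci_rom.c`, so either the per-board selections belong in this change or the message should say the option is only introduced here; and the help text says "stored in CBFS" where the commit message says "RO CBFS", which matters for the security claim, and `If unsure, say Y` lacks its trailing full stop.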
diff --git a/src/devices/pci_rom.c b/src/devices/pci_rom.c
index 471c7e2..1b6f1da 100644
--- a/src/devices/pci_rom.c
+++ b/src/devices/pci_rom.c
@@ -71,9 +71,15 @@ struct rom_header *pci_rom_probe(struct device *dev)
 		printk(BIOS_DEBUG, "On card, ROM address for %s = %lx\n",
 		       dev_path(dev), (unsigned long)rom_address);
 		rom_header = (struct rom_header *)rom_address;
+		printk(BIOS_DEBUG, "On card option ROM execution disabled "
+			"for %s\n", dev_path(dev));
+		return NULL;
 	printk(BIOS_SPEW, "PCI expansion ROM, signature 0x%04x, "
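Review bot: in this hunk the added `return NULL;` follows directly after `rom_header = (struct rom_header *)rom_address;` with no visible conditional, so as shown the assignment becomes dead code and the on-card ROM path is disabled unconditionally, contradicting `default y` in the Kconfig hunk; the header counts 6 added lines but only 3 appear, so the `#if`/`#else`/`#endif` that should gate this on the new Kconfig symbol seems to have been lost from this posting. Please confirm the guard is present and that the "On card option ROM execution disabled" message is printed only on the disabled branch. Separately, that message is logged at BIOS_DEBUG; since a skipped on-card ROM can leave a NIC or SATA controller (the cases the Kconfig help names) without its firmware init, a BIOS_INFO or BIOS_WARNING level would make the degraded state easier to spot in the boot log.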
