[coreboot-gerrit] Patch set updated for coreboot: sb/intel/common/firmware: Add Intel ME/TXE firmware check
Nicola Corna (nicola@corna.info)
gerrit at coreboot.org
Sun Mar 12 00:51:58 CET 2017
Nicola Corna (nicola at corna.info) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/18768
-gerrit
commit de4f57d08b81289999c7a409d1b07753dfa1dfb2
Author: Nicola Corna <nicola at corna.info>
Date: Fri Mar 10 11:27:39 2017 +0100
sb/intel/common/firmware: Add Intel ME/TXE firmware check
Ensure that the provided ME/TXE firmware is valid, using the
check capabilities of me_cleaner.
me_cleaner checks that the fundamental partition is available and
it has a correct signature. The checks performed by me_cleaner
aren't exhaustive, but they should find at least whether the user
has provided an empty or corrupted firmware.
me_cleaner has been tested on all the ME (6-11.6) and TXE (1-3)
firmwares available here [1], and it hasn't reported any false
positive.
[1] http://www.win-raid.com/t832f39-Intel-Engine-Firmware-Repositories.html
Change-Id: Ie6ea3b4e637dca4097b9377bd0507e84c4e8f687
Signed-off-by: Nicola Corna <nicola at corna.info>
---
src/southbridge/intel/common/firmware/Kconfig | 13 +++++++++++++
src/southbridge/intel/common/firmware/Makefile.inc | 3 +++
2 files changed, 16 insertions(+)
diff --git a/src/southbridge/intel/common/firmware/Kconfig b/src/southbridge/intel/common/firmware/Kconfig
index da40db0..cccc7fa 100644
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@@ -58,6 +58,19 @@ config ME_BIN_PATH
default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin"
depends on HAVE_ME_BIN
+config CHECK_ME
+ bool "Check the integrity of the supplied ME/TXE firmware"
+ default y
+ depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_NEHALEM || \
+ NORTHBRIDGE_INTEL_SANDYBRIDGE || \
+ NORTHBRIDGE_INTEL_IVYBRIDGE || NORTHBRIDGE_INTEL_HASWELL || \
+ SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
+ SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
+ help
+ Check the integrity of the supplied Intel ME/TXE firmware before
+ proceeding with the build, in order to prevent an accidental loading
+ of a corrupted ME/TXE image.
+
config USE_ME_CLEANER
bool "Strip down the Intel ME/TXE firmware"
depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_SANDYBRIDGE || \
diff --git a/src/southbridge/intel/common/firmware/Makefile.inc b/src/southbridge/intel/common/firmware/Makefile.inc
index 98a36d3..eb4c07e 100644
--- a/src/southbridge/intel/common/firmware/Makefile.inc
+++ b/src/southbridge/intel/common/firmware/Makefile.inc
@@ -58,6 +58,9 @@ ifeq ($(CONFIG_HAVE_ME_BIN),y)
$(obj)/coreboot.pre
mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
endif
+ifeq ($(CONFIG_CHECK_ME),y)
+ util/me_cleaner/me_cleaner.py -c $(obj)/coreboot.pre > /dev/null
+endif
ifeq ($(CONFIG_USE_ME_CLEANER),y)
printf " ME_CLEANER coreboot.pre\n"
util/me_cleaner/me_cleaner.py $(obj)/coreboot.pre > \
More information about the coreboot-gerrit
mailing list