commit b71181adc336625ee6ecae7a46c6926cb7c3c28c
author Frans Hendriks <fhendriks@eltan.com> Fri Oct 04 14:06:33 2019 +0200
committer Patrick Georgi <pgeorgi@google.com> Fri Oct 04 16:24:44 2019 +0000
tree af9e27d8c1a8bd47cbd8ef6b859ce9eacebb662b
parent 9d68cb214488b4f3f7f2bd74c30d674318db4252

device/pci_device.c: Use verified boot to check oprom

Before oprom is executed, no check is performed if rom passes verification.
Add call to verified_boot_should_run_oprom() to verify the oprom.

verified_boot_should_run_oprom() expects and rom address as input pointer.
*rom is added as input parameter to should_run_oprom() which must be parsed
to verified_boot_should_run_oprom()..

BUG=N/A
TEST=Created verified binary and verify logging on Facebook FBG1701

Change-Id: Iec5092e85d34940ea3a3bb1192ea49f3bc3e5b27
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/30810
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>

src/device/pci_device.c

diff --git a/src/device/pci_device.c b/src/device/pci_device.c
index c043dd6..0a4b69b 100644
--- a/src/device/pci_device.c
+++ b/src/device/pci_device.c
@@ -679,10 +679,15 @@
 	}
 }
 
-static int should_run_oprom(struct device *dev)
+static int should_run_oprom(struct device *dev, struct rom_header *rom)
 {
 	static int should_run = -1;
 
+	if (CONFIG(VENDORCODE_ELTAN_VBOOT))
+		if (rom != NULL)
+			if (!verified_boot_should_run_oprom(rom))
+				return 0;
+
 	if (should_run >= 0)
 		return should_run;
 
@@ -711,7 +716,7 @@
 		return 0;
 	if (CONFIG(ALWAYS_LOAD_OPROM))
 		return 1;
-	if (should_run_oprom(dev))
+	if (should_run_oprom(dev, NULL))
 		return 1;
 
 	return 0;
@@ -742,7 +747,7 @@
 		return;
 	timestamp_add_now(TS_OPROM_COPY_END);
 
-	if (!should_run_oprom(dev))
+	if (!should_run_oprom(dev, rom))
 		return;
 
 	run_bios(dev, (unsigned long)ram);