device/pci_device.c: Use verified boot to check oprom

Before oprom is executed, no check is performed if rom passes verification.
Add call to verified_boot_should_run_oprom() to verify the oprom.

verified_boot_should_run_oprom() expects and rom address as input pointer.
*rom is added as input parameter to should_run_oprom() which must be parsed
to verified_boot_should_run_oprom()..

BUG=N/A
TEST=Created verified binary and verify logging on Facebook FBG1701

Change-Id: Iec5092e85d34940ea3a3bb1192ea49f3bc3e5b27
Signed-off-by: Frans Hendriks <fhendriks@eltan.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/30810
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>

1 files changed, 8 insertions, 3 deletions

diff --git a/src/device/pci_device.c b/src/device/pci_device.c
index c043dd6591..0a4b69bfb2 100644
--- a/src/device/pci_device.c
+++ b/src/device/pci_device.c
@@ -679,10 +679,15 @@ void pci_dev_set_subsystem(struct device *dev, unsigned int vendor,
 	}
 }
 
-static int should_run_oprom(struct device *dev)
+static int should_run_oprom(struct device *dev, struct rom_header *rom)
 {
 	static int should_run = -1;
 
+	if (CONFIG(VENDORCODE_ELTAN_VBOOT))
+		if (rom != NULL)
+			if (!verified_boot_should_run_oprom(rom))
+				return 0;
+
 	if (should_run >= 0)
 		return should_run;
 
@@ -711,7 +716,7 @@ static int should_load_oprom(struct device *dev)
 		return 0;
 	if (CONFIG(ALWAYS_LOAD_OPROM))
 		return 1;
-	if (should_run_oprom(dev))
+	if (should_run_oprom(dev, NULL))
 		return 1;
 
 	return 0;
@@ -742,7 +747,7 @@ void pci_dev_init(struct device *dev)
 		return;
 	timestamp_add_now(TS_OPROM_COPY_END);
 
-	if (!should_run_oprom(dev))
+	if (!should_run_oprom(dev, rom))
 		return;
 
 	run_bios(dev, (unsigned long)ram);