diff options
| -rw-r--r-- | src/security/vboot/Makefile.inc | 2 | ||||
| -rw-r--r-- | src/soc/intel/common/Makefile.inc | 9 |
2 files changed, 11 insertions, 0 deletions
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc index faa79cb183..d38fbace49 100644 --- a/src/security/vboot/Makefile.inc +++ b/src/security/vboot/Makefile.inc @@ -292,6 +292,8 @@ endif fmap-section-offset-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \ grep '^$(1) ' | cut '-d ' -f2 +fmap-section-size-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \ + grep '^$(1) ' | cut '-d ' -f3 ifeq ($(CONFIG_VBOOT_GSCVD),y) # diff --git a/src/soc/intel/common/Makefile.inc b/src/soc/intel/common/Makefile.inc index 43fc2f8146..28842da0ba 100644 --- a/src/soc/intel/common/Makefile.inc +++ b/src/soc/intel/common/Makefile.inc @@ -68,4 +68,13 @@ $(foreach mma_test, $(MMA_TEST_CONFIG_NAMES),\ endif +# SI_DESC contains soft straps that may modify security-relevant behavior, so it should be +# verified by GSCVD. +vboot-gscvd-ranges += $(shell ( \ + offset=$$($(call fmap-section-offset-cmd,SI_DESC)) ;\ + if [ -n "$$offset" ]; then \ + printf "%x:%x" $$offset $$($(call fmap-section-size-cmd,SI_DESC)) ;\ + fi ;\ +)) + endif |