UPSTREAM: sb/intel/common/firmware: Add Intel ME/TXE firmware check

Ensure that the provided ME/TXE firmware is valid, using the check capabilities of me_cleaner. me_cleaner checks that the fundamental partition is available and it has a correct signature. The checks performed by me_cleaner aren't exhaustive, but they should find at least whether the user has provided an empty or corrupted firmware. me_cleaner has been tested on all the ME (6-11.6) and TXE (1-3) firmwares available here [1], and it hasn't reported any false positive. [1] http://www.win-raid.com/t832f39-Intel-Engine-Firmware-Repositories.html BUG=none BRANCH=none TEST=none CQ-DEPEND=CL:535697 Change-Id: Idcda139803b2d64813ece6cfbadac5ef0997483e Signed-off-by: Patrick Georgi <pgeorgi@google.com> Original-Commit-Id: 16719ad143 Original-Change-Id: Ie6ea3b4e637dca4097b9377bd0507e84c4e8f687 Original-Signed-off-by: Nicola Corna <nicola@corna.info> Original-Reviewed-on: https://review.coreboot.org/18768 Original-Tested-by: build bot (Jenkins) Original-Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Original-Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Original-Reviewed-by: Philippe Mathieu-Daud <philippe.mathieu.daude@gmail.com> Reviewed-on: https://chromium-review.googlesource.com/533094 Commit-Ready: Patrick Georgi <pgeorgi@chromium.org> Tested-by: Patrick Georgi <pgeorgi@chromium.org> Reviewed-by: Patrick Georgi <pgeorgi@chromium.org>
2017-03-10 11:27:39 +01:00 · 2017-03-10 11:27:39 +01:00 · 3a1de662ac
commit 3a1de662ac
parent 9c5abd4e0d
2 changed files with 16 additions and 0 deletions
--- a/src/southbridge/intel/common/firmware/Kconfig
+++ b/src/southbridge/intel/common/firmware/Kconfig
@ -58,6 +58,19 @@ config ME_BIN_PATH
 	default "3rdparty/blobs/mainboard/$(MAINBOARDDIR)/me.bin"
 	depends on HAVE_ME_BIN

+config CHECK_ME
+	bool "Verify the integrity of the supplied ME/TXE firmware"
+	default y
+	depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_NEHALEM || \
+		NORTHBRIDGE_INTEL_SANDYBRIDGE || \
+		NORTHBRIDGE_INTEL_IVYBRIDGE || NORTHBRIDGE_INTEL_HASWELL || \
+		SOC_INTEL_BROADWELL || SOC_INTEL_SKYLAKE || \
+		SOC_INTEL_BAYTRAIL || SOC_INTEL_BRASWELL)
+	help
+	  Verify the integrity of the supplied Intel ME/TXE firmware before
+	  proceeding with the build, in order to prevent an accidental loading
+	  of a corrupted ME/TXE image.
+
 config USE_ME_CLEANER
 	bool "Strip down the Intel ME/TXE firmware"
 	depends on HAVE_ME_BIN && (NORTHBRIDGE_INTEL_SANDYBRIDGE || \
--- a/src/southbridge/intel/common/firmware/Makefile.inc
+++ b/src/southbridge/intel/common/firmware/Makefile.inc
@ -58,6 +58,9 @@ ifeq ($(CONFIG_HAVE_ME_BIN),y)
 		$(obj)/coreboot.pre
 	mv $(obj)/coreboot.pre.new $(obj)/coreboot.pre
 endif
+ifeq ($(CONFIG_CHECK_ME),y)
+	util/me_cleaner/me_cleaner.py -c $(obj)/coreboot.pre > /dev/null
+endif
 ifeq ($(CONFIG_USE_ME_CLEANER),y)
 	printf "    ME_CLEANER coreboot.pre\n"
 	util/me_cleaner/me_cleaner.py $(obj)/coreboot.pre > \