authorJulius Werner <jwerner@chromium.org>2022-08-01 15:04:44 -0700
committerJulius Werner <jwerner@chromium.org>2022-09-03 00:41:33 +0000
commit39914a50ae16756262b29b35a2142b9833680b6b (patch)
tree6f9013d2323c4a20ad42bfb55c27b4aafdd45da6
parentd96ca2465227f29354b41ce2ea7a17f1c5b8f1c1 (diff)
soc/intel: Add SI_DESC region to GSCVD ranges
Intel platforms have soft straps stored in the SI_DESC FMAP section which can alter boot behavior and may open up a security risk if they can be modified by an attacker. This patch adds the SI_DESC region to the list of ranges covered by GSC verification (CONFIG_VBOOT_GSCVD). Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: I0f1b297e207d3c6152bf99ec5a5b0983f01b2d0b Reviewed-on: https://review.coreboot.org/c/coreboot/+/66346 Reviewed-by: Yu-Ping Wu <yupingso@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
-rw-r--r--src/security/vboot/Makefile.inc2
-rw-r--r--src/soc/intel/common/Makefile.inc9
2 files changed, 11 insertions, 0 deletions
diff --git a/src/security/vboot/Makefile.inc b/src/security/vboot/Makefile.inc
index faa79cb18319..d38fbace4980 100644
--- a/src/security/vboot/Makefile.inc
+++ b/src/security/vboot/Makefile.inc
@@ -292,6 +292,8 @@ endif
fmap-section-offset-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \
grep '^$(1) ' | cut '-d ' -f2
+fmap-section-size-cmd = $(FUTILITY) dump_fmap -p $(obj)/coreboot.rom | \
+ grep '^$(1) ' | cut '-d ' -f3
ifeq ($(CONFIG_VBOOT_GSCVD),y)
#
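Review bot: The new `fmap-section-size-cmd` and the existing `fmap-section-offset-cmd` both encode the column layout of `futility dump_fmap -p` (field 2 and field 3 after the name, presumably offset and size, in whatever radix dump_fmap emits) without saying so, which makes the `cut -f2`/`-f3` choice opaque to the next reader. A one-line comment above the pair, e.g. `# dump_fmap -p prints one "NAME OFFSET SIZE" line per FMAP section; $(1) is the section name`, would make both helpers self-explanatory. It is also worth noting in that comment that the trailing space in `grep '^$(1) '` is deliberate, since it is what stops a name such as `SI_DESC` from matching a longer section whose name merely starts the same way, and it is easy to lose in a later edit.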
diff --git a/src/soc/intel/common/Makefile.inc b/src/soc/intel/common/Makefile.inc
index 43fc2f8146b3..28842da0ba7c 100644
--- a/src/soc/intel/common/Makefile.inc
+++ b/src/soc/intel/common/Makefile.inc
@@ -68,4 +68,13 @@ $(foreach mma_test, $(MMA_TEST_CONFIG_NAMES),\
endif
+# SI_DESC contains soft straps that may modify security-relevant behavior, so it should be
+# verified by GSCVD.
+vboot-gscvd-ranges += $(shell ( \
+ offset=$$($(call fmap-section-offset-cmd,SI_DESC)) ;\
+ if [ -n "$$offset" ]; then \
+ printf "%x:%x" $$offset $$($(call fmap-section-size-cmd,SI_DESC)) ;\
+ fi ;\
+))
+
endif
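Review bot: When `fmap-section-offset-cmd` returns nothing, because SI_DESC is absent from the FMAP or `futility` failed, the `if [ -n "$$offset" ]` guard makes the range silently drop out, so a build can ship a GSCVD that does not cover the soft straps the new comment says must be verified, with no indication in the build log; a non-zero exit inside `$(shell)` does not fail make either. If some Intel boards legitimately lack SI_DESC the skip has to stay, but it should at least be visible: add an `else` branch before the `fi`, e.g. `else echo "warning: SI_DESC not in FMAP, soft straps not covered by GSCVD" >&2 ;\`. If every GSCVD-enabled Intel board is expected to carry SI_DESC, a hard failure via `$(error …)` on an empty result would be safer still, but I cannot tell from this hunk which applies. Separately, each expansion runs `futility dump_fmap` twice; a single `dump_fmap -p | grep '^SI_DESC ' | cut '-d ' -f2,3` read into two shell variables would avoid the second pass. The conditional that `endif` closes begins outside the hunk.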