cbfs: Allow controlling decompression of unverified files

This patch adds a new Kconfig that controls whether CBFS APIs for
unverified areas will allow file decompression when CBFS verification is
enabled. This should be disallowed by default because it exposes the
attack surface of all supported decompression algorithms. Make
allowances for one legacy use case with
CONFIG_SOC_INTEL_CSE_LITE_COMPRESS_ME_RW that should become obsolete with
VBOOT_CBFS_INTEGRATION.

Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Ieae420f51cbc01dae2ab265414219cc9c288087b
Reviewed-on: https://review.coreboot.org/c/coreboot/+/75457
Reviewed-by: Jakub Czapiga <jacz@semihalf.com>
Reviewed-by: Subrata Banik <subratabanik@google.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Yu-Ping Wu <yupingso@google.com>
Reviewed-by: Angel Pons <th3fanbus@gmail.com>
Julius Werner 2023-05-25 18:26:32 -07:00 committed by Lean Sheng Tan
parent 3f1e034835
commit 6e303aa89b
3 changed files with 22 additions and 0 deletions

@ -37,6 +37,20 @@ config TOCTOU_SAFETY
bootblock is also safe against these vulnerabilities (i.e. there's no bootblock is also safe against these vulnerabilities (i.e. there's no
point in enabling this when you just rely on flash write-protection). point in enabling this when you just rely on flash write-protection).
config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
bool "Run decompression algorithms on potentially untrusted code"
default n
help
This controls whether cbfs_unverified_area_...() access functions may
decompress files. This exposes the attack surface of all supported
decompression algorithms. Even if you don't compress the files you are
planning to load with these functions, since file metadata is also
unverified, an attacker can potentially replace them with compressed
files to access a vulnerability in the decompression code.
If you don't need to load compressed files from unverified areas, say
no here for tighter security.
config CBFS_HASH_ALGO config CBFS_HASH_ALGO
int int
default 1 if CBFS_HASH_SHA1 default 1 if CBFS_HASH_SHA1
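Review bot: CBFS_ALLOW_UNVERIFIED_DECOMPRESSION has no `depends on CBFS_VERIFICATION`, so the prompt is offered on builds where the option has no effect (the runtime check in cbfs.c in this same change only fires when CBFS_VERIFICATION is set). Adding `depends on CBFS_VERIFICATION` would hide the option where it is meaningless and keep the security trade-off it controls visible only in configurations where it matters; the SoC-level select in this change is already guarded with `if CBFS_VERIFICATION`, so it would still satisfy that dependency.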

@ -208,6 +208,13 @@ static size_t cbfs_load_and_decompress(const struct region_device *rdev, void *b
DEBUG("Decompressing %zu bytes from '%s' to %p with algo %d\n", DEBUG("Decompressing %zu bytes from '%s' to %p with algo %d\n",
in_size, mdata->h.filename, buffer, compression); in_size, mdata->h.filename, buffer, compression);
if (CONFIG(CBFS_VERIFICATION) && !CONFIG(CBFS_ALLOW_UNVERIFIED_DECOMPRESSION) &&
skip_verification && compression != CBFS_COMPRESS_NONE) {
ERROR("Refusing to decompress unverified file '%s' with algo %d\n",
mdata->h.filename, compression);
return 0;
}
switch (compression) { switch (compression) {
case CBFS_COMPRESS_NONE: case CBFS_COMPRESS_NONE:
if (buffer_size < in_size) if (buffer_size < in_size)
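Review bot: the new refusal check sits below the DEBUG line that announces `Decompressing %zu bytes from '%s' ...`, so a rejected file logs a "Decompressing" message immediately followed by "Refusing to decompress". Moving the `if (CONFIG(CBFS_VERIFICATION) && !CONFIG(CBFS_ALLOW_UNVERIFIED_DECOMPRESSION) && ...)` block above the DEBUG call avoids the misleading log line on the reject path. Since `compression` is read from metadata that is itself unverified whenever `skip_verification` is set, keying the check on `skip_verification` rather than on anything the file claims about itself is the right choice; a one-line comment saying so would help future readers understand why `compression != CBFS_COMPRESS_NONE` alone is not enough.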

@ -223,6 +223,7 @@ config SOC_INTEL_CSE_LITE_COMPRESS_ME_RW
bool bool
default n default n
depends on SOC_INTEL_CSE_LITE_SKU depends on SOC_INTEL_CSE_LITE_SKU
select CBFS_ALLOW_UNVERIFIED_DECOMPRESSION if CBFS_VERIFICATION && !VBOOT_CBFS_INTEGRATION
help help
Enable compression on Intel CSE CBFS RW blob Enable compression on Intel CSE CBFS RW blob
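Review bot: the `select CBFS_ALLOW_UNVERIFIED_DECOMPRESSION if CBFS_VERIFICATION && !VBOOT_CBFS_INTEGRATION` silently re-enables an attack surface that the rest of this change turns off by default, and nothing in the Kconfig records why. Please add a sentence to the help text (or a comment above the select) stating that this is a legacy exception for loading the compressed CSE RW blob from an unverified area and that it is expected to go away once VBOOT_CBFS_INTEGRATION is in use, as the commit message says, so the exception does not outlive its reason.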