From c7120e38e784cf760c08044fe4671f1be1b0b06d Mon Sep 17 00:00:00 2001 From: Julius Werner Date: Mon, 6 Nov 2023 16:59:42 -0800 Subject: [PATCH] Kconfig.cbfs_verification: Update TOCTOU_SAFETY combination with VBOOT Now that VBOOT_CBFS_INTEGRATION exists, it is possible to use TOCTOU_SAFETY with VBOOT. Change-Id: I9f84574f611ec397060404c61e71312009d92ba7 Signed-off-by: Julius Werner Reviewed-on: https://review.coreboot.org/c/coreboot/+/78915 Reviewed-by: Yu-Ping Wu Tested-by: build bot (Jenkins) Reviewed-by: Arthur Heymans --- src/lib/Kconfig.cbfs_verification | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/Kconfig.cbfs_verification b/src/lib/Kconfig.cbfs_verification index 12aaf81fab..6482e06b20 100644 --- a/src/lib/Kconfig.cbfs_verification +++ b/src/lib/Kconfig.cbfs_verification @@ -25,7 +25,7 @@ config TOCTOU_SAFETY depends on !NO_FMAP_CACHE depends on !NO_CBFS_MCACHE depends on !USE_OPTION_TABLE && !FSP_CAR # Known to access CBFS before CBMEM init - depends on !VBOOT # TODO: can only allow this once vboot fully integrated + depends on !VBOOT || VBOOT_CBFS_INTEGRATION depends on NO_XIP_EARLY_STAGES help Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
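Review bot: The added line `depends on !VBOOT || VBOOT_CBFS_INTEGRATION` has no trailing comment, while the line it replaces carried one (`# TODO: can only allow this once vboot fully integrated`) and the line above it still does (`# Known to access CBFS before CBMEM init`). With the TODO gone, nothing in the file says why VBOOT without VBOOT_CBFS_INTEGRATION remains excluded from TOCTOU_SAFETY. Consider a short comment on the new line giving that reason, so that someone who enables VBOOT and finds TOCTOU_SAFETY unavailable can see which option to turn on. The commit message states only that the combination is now possible; one sentence on what VBOOT_CBFS_INTEGRATION changes for the time-of-check vs. time-of-use guarantee would make the dependency easier to audit later.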