soc/intel/cse: remove cbfs_unverified_area_map() API in cse_lite

With CBFS verification feature (CONFIG_VBOOT_CBFS_INTEGRATION) being enabled, we can now remove cbfs_unverified_area_map() APIs which are potential cause of security issues as they skip verification. These APIs were used earlier to skip verification and hence save boot time. With CBFS verification enabled, the files are verified only when being loaded so we can now use cbfs_cbmem_alloc()/cbfs_map function to load them. BUG=b:284382452 Change-Id: Ie0266e50463926b8d377825142afda7f44754eb7 Signed-off-by: Rizwan Qureshi <rizwan.qureshi@intel.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/78214 Reviewed-by: Jérémy Compostella <jeremy.compostella@intel.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Jamie Ryu <jamie.m.ryu@intel.com>
2023-09-29 07:31:17 +05:30 · 2023-09-29 07:31:17 +05:30 · d81d80c554
parent 952a4473ec
commit d81d80c554
2 changed files with 7 additions and 69 deletions
--- a/src/soc/intel/common/block/cse/Makefile.inc
+++ b/src/soc/intel/common/block/cse/Makefile.inc
@ -82,8 +82,9 @@ CSE_RW_FILE := $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_FILE))
 endif

 CSE_LITE_ME_RW = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME))
-regions-for-file-$(CSE_LITE_ME_RW) = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME)), \
-					$(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME))
+
+regions-for-file-$(CSE_LITE_ME_RW) = FW_MAIN_A,FW_MAIN_B
+
 cbfs-files-y += $(CSE_LITE_ME_RW)
 $(CSE_LITE_ME_RW)-file := $(CSE_RW_FILE)
 $(CSE_LITE_ME_RW)-name := $(CSE_LITE_ME_RW)
@ -102,15 +103,6 @@ $(CSE_RW_VERSION)-file := $(obj)/cse_rw.version
 $(CSE_RW_VERSION)-name := $(CSE_RW_VERSION)
 $(CSE_RW_VERSION)-type := raw

-$(obj)/cse_rw.hash: $(CSE_RW_FILE)
-	openssl dgst -sha256 -binary $< > $@
-
-CSE_RW_HASH = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME))
-regions-for-file-$(CSE_RW_HASH) = FW_MAIN_A,FW_MAIN_B
-cbfs-files-y += $(CSE_RW_HASH)
-$(CSE_RW_HASH)-file := $(obj)/cse_rw.hash
-$(CSE_RW_HASH)-name := $(CSE_RW_HASH)
-$(CSE_RW_HASH)-type := raw
 endif

 ifeq ($(CONFIG_SOC_INTEL_CSE_SUB_PART_UPDATE),y)
--- a/src/soc/intel/common/block/cse/cse_lite.c
+++ b/src/soc/intel/common/block/cse/cse_lite.c
@ -785,18 +785,6 @@ static enum cb_err cse_get_target_rdev(struct region_device *target_rdev)
 	return CB_SUCCESS;
 }

-static const char *cse_get_source_rdev_fmap(void)
-{
-	struct vb2_context *ctx = vboot_get_context();
-	if (ctx == NULL)
-		return NULL;
-
-	if (vboot_is_firmware_slot_a(ctx))
-		return CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME;
-
-	return CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME;
-}
-
 /*
 * Compare versions of CSE CBFS sub-component and CSE sub-component partition
 * In case of CSE component comparison:
@ -816,29 +804,6 @@ static int cse_compare_sub_part_version(const struct fw_version *a, const struct
 		return a->build - b->build;
 }

-/* The function calculates SHA-256 of CSE RW blob and compares it with the provided SHA value */
-static bool cse_verify_cbfs_rw_sha256(const uint8_t *expected_rw_blob_sha,
-		const void *rw_blob, const size_t rw_blob_sz)
-
-{
-	struct vb2_hash calculated;
-
-	if (vb2_hash_calculate(vboot_hwcrypto_allowed(), rw_blob, rw_blob_sz,
-			       VB2_HASH_SHA256, &calculated)) {
-		printk(BIOS_ERR, "cse_lite: CSE CBFS RW's SHA-256 calculation has failed\n");
-		return false;
-	}
-
-	if (memcmp(expected_rw_blob_sha, calculated.sha256, sizeof(calculated.sha256))) {
-		printk(BIOS_ERR, "cse_lite: Computed CBFS RW's SHA-256 does not match with"
-				"the provided SHA in the metadata\n");
-		return false;
-	}
-	printk(BIOS_SPEW, "cse_lite: Computed SHA of CSE CBFS RW Image matches the"
-			" provided hash in the metadata\n");
-	return true;
-}
-
 static enum cb_err cse_erase_rw_region(const struct region_device *target_rdev)
 {
 	if (rdev_eraseat(target_rdev, 0, region_device_sz(target_rdev)) < 0) {
@ -1014,39 +979,21 @@ static enum csme_failure_reason cse_trigger_fw_update(enum cse_update_status sta
 		struct region_device *target_rdev)
 {
 	enum csme_failure_reason rv;
-	uint8_t *cbfs_rw_hash;
 	void *cse_cbfs_rw = NULL;
 	size_t size;

-	const char *area_name = cse_get_source_rdev_fmap();
-	if (!area_name)
-		return CSE_LITE_SKU_RW_BLOB_NOT_FOUND;
-
 	if (CONFIG(SOC_INTEL_CSE_LITE_COMPRESS_ME_RW)) {
-		cse_cbfs_rw = cbfs_unverified_area_cbmem_alloc(area_name,
-			CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, CBMEM_ID_CSE_UPDATE, &size);
+		cse_cbfs_rw = cbfs_cbmem_alloc(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME,
+			CBMEM_ID_CSE_UPDATE, &size);
 	} else {
-		cse_cbfs_rw = cbfs_unverified_area_map(area_name,
-			CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, &size);
+		cse_cbfs_rw = cbfs_map(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, &size);
 	}
+
 	if (!cse_cbfs_rw) {
 		printk(BIOS_ERR, "cse_lite: CSE CBFS RW blob could not be mapped\n");
 		return CSE_LITE_SKU_RW_BLOB_NOT_FOUND;
 	}

-	cbfs_rw_hash = cbfs_map(CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME, NULL);
-	if (!cbfs_rw_hash) {
-		printk(BIOS_ERR, "cse_lite: Failed to get %s\n",
-		       CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME);
-		rv = CSE_LITE_SKU_RW_METADATA_NOT_FOUND;
-		goto error_exit;
-	}
-
-	if (!cse_verify_cbfs_rw_sha256(cbfs_rw_hash, cse_cbfs_rw, size)) {
-		rv = CSE_LITE_SKU_RW_BLOB_SHA256_MISMATCH;
-		goto error_exit;
-	}
-
 	if (cse_prep_for_rw_update(status) != CB_SUCCESS) {
 		rv = CSE_COMMUNICATION_ERROR;
 		goto error_exit;
@ -1056,7 +1003,6 @@ static enum csme_failure_reason cse_trigger_fw_update(enum cse_update_status sta
 	rv = cse_update_rw(cse_cbfs_rw, size, target_rdev);

 error_exit:
-	cbfs_unmap(cbfs_rw_hash);
 	cbfs_unmap(cse_cbfs_rw);
 	return rv;
 }