c672a72135
CBFS verification on boards where VBOOT starts before bootblock, e.g. PSP verstage, has been accommodated by keeping the metadata hash outside the bootblock. Hence the dependency can be removed.

BUG=b:227809919
TEST=Build and boot to OS in skyrim with CBFS verification enabled using both x86 verstage and PSP verstage.

Change-Id: I0a3254728a51a8ee7d7782afcea15ea06d93da7d
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/66947
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Raul Rangel <rrangel@chromium.org>
68 lines
2.2 KiB
Text
# SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
#
# This file is sourced from src/security/Kconfig for menuconfig convenience.

menu "CBFS verification"

config CBFS_VERIFICATION
	bool "Enable CBFS verification"
	select VBOOT_LIB
	help
	  Say yes here to enable code that cryptographically verifies each CBFS
	  file as it gets loaded by chaining it to a trust anchor that is
	  embedded in the bootblock. This only makes sense if you use some
	  out-of-band mechanism to guarantee the integrity of the bootblock
	  itself, such as Intel Boot Guard or flash write-protection.

	  If a CBFS image was created with this option enabled, cbfstool will
	  automatically update the hash embedded in the bootblock whenever it
	  modifies the CBFS.

if CBFS_VERIFICATION

config TOCTOU_SAFETY
	bool "Protect against time-of-check vs. time-of-use vulnerabilities"
	depends on !NO_FMAP_CACHE
	depends on !NO_CBFS_MCACHE
	depends on !USE_OPTION_TABLE && !FSP_CAR # Known to access CBFS before CBMEM init
	depends on !VBOOT # TODO: can only allow this once vboot fully integrated
	depends on NO_XIP_EARLY_STAGES
	help
	  Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
	  for CBFS verification. This means that data from flash must be verified
	  every time it is loaded (not just the first time), which requires a bit
	  more overhead and is incompatible with certain configurations.

	  Using this option only makes sense when the mechanism securing the
	  bootblock is also safe against these vulnerabilities (i.e. there's no
	  point in enabling this when you just rely on flash write-protection).

config CBFS_HASH_ALGO
	int
	default 1 if CBFS_HASH_SHA1
	default 2 if CBFS_HASH_SHA256
	default 3 if CBFS_HASH_SHA512

choice
	prompt "Hash algorithm"
	default CBFS_HASH_SHA256
	help
	  Select the hash algorithm used in CBFS verification. Note that SHA-1 is
	  generally considered insecure today and should not be used without good
	  reason. When using CBFS verification together with measured boot, using
	  the same hash algorithm (usually SHA-256) for both is more efficient.

config CBFS_HASH_SHA1
	bool "SHA-1"

config CBFS_HASH_SHA256
	bool "SHA-256"

config CBFS_HASH_SHA512
	bool "SHA-512"

endchoice

endif

endmenu
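The chain of trust the Kconfig help text describes (bootblock anchor covers the CBFS metadata, the metadata carries each file's hash, and with TOCTOU_SAFETY every load re-verifies the exact bytes it returns) as an added illustrative model in Python; this is not coreboot's code and `ToyCbfs` is a constructed, simplified stand-in for the real on-flash CBFS layout. Only the algorithm numbering (1/2/3 for SHA-1/SHA-256/SHA-512) is taken from CBFS_HASH_ALGO above.

```python
import hashlib
import hmac

# Algorithm numbers match CBFS_HASH_ALGO: 1 = SHA-1, 2 = SHA-256, 3 = SHA-512
HASH_ALGOS = {1: "sha1", 2: "sha256", 3: "sha512"}

def cbfs_digest(algo: int, data: bytes) -> bytes:
    return hashlib.new(HASH_ALGOS[algo], data).digest()

class ToyCbfs:
    """Constructed stand-in for a CBFS image (not the real on-flash format):
    file contents live in `flash`; `metadata` maps name -> (offset, size, hash);
    `anchor` is the hash of the serialized metadata, i.e. the value cbfstool
    would embed in the bootblock as the trust anchor."""
    def __init__(self, algo: int, files: dict):
        self.algo, self.flash, self.metadata = algo, bytearray(), {}
        for name, data in files.items():
            self.metadata[name] = (len(self.flash), len(data), cbfs_digest(algo, data))
            self.flash += data
        self.anchor = cbfs_digest(algo, self.serialized_metadata())

    def serialized_metadata(self) -> bytes:
        return b"".join(f"{n}:{o}:{s}:".encode() + h
                        for n, (o, s, h) in sorted(self.metadata.items()))

class CbfsVerifyError(Exception):
    pass

def cbfs_load(cbfs: ToyCbfs, anchor: bytes, name: str) -> bytes:
    """Verify anchor -> metadata -> file, then hand back a RAM copy.
    TOCTOU-safe by construction: the bytes that get hashed are the same
    copy that is returned, and the check runs on every call rather than
    being cached after the first successful load."""
    if not hmac.compare_digest(cbfs_digest(cbfs.algo, cbfs.serialized_metadata()), anchor):
        raise CbfsVerifyError("metadata hash does not match bootblock anchor")
    if name not in cbfs.metadata:
        raise CbfsVerifyError(f"no such file: {name}")
    offset, size, expected = cbfs.metadata[name]
    buf = bytes(cbfs.flash[offset:offset + size])   # single copy out of "flash"
    if not hmac.compare_digest(cbfs_digest(cbfs.algo, buf), expected):
        raise CbfsVerifyError(f"hash mismatch for {name}")
    return buf
```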