6e303aa89b
This patch adds a new Kconfig that controls whether CBFS APIs for unverified areas will allow file decompression when CBFS verification is enabled. This should be disallowed by default because it exposes the attack surface of all supported decompression algorithms. Make allowances for one legacy use case with CONFIG_SOC_INTEL_CSE_LITE_ COMPRESS_ME_RW that should become obsolete with VBOOT_CBFS_INTEGRATION. Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: Ieae420f51cbc01dae2ab265414219cc9c288087b Reviewed-on: https://review.coreboot.org/c/coreboot/+/75457 Reviewed-by: Jakub Czapiga <jacz@semihalf.com> Reviewed-by: Subrata Banik <subratabanik@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Yu-Ping Wu <yupingso@google.com> Reviewed-by: Angel Pons <th3fanbus@gmail.com>
82 lines
2.8 KiB
Text
82 lines
2.8 KiB
Text
# SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
|
|
#
|
|
# This file is sourced from src/security/Kconfig for menuconfig convenience.
|
|
|
|
menu "CBFS verification"
|
|
|
|
config CBFS_VERIFICATION
|
|
bool "Enable CBFS verification"
|
|
select VBOOT_LIB
|
|
help
|
|
Say yes here to enable code that cryptographically verifies each CBFS
|
|
file as it gets loaded by chaining it to a trust anchor that is
|
|
embedded in the bootblock. This only makes sense if you use some
|
|
out-of-band mechanism to guarantee the integrity of the bootblock
|
|
itself, such as Intel Boot Guard or flash write-protection.
|
|
|
|
If a CBFS image was created with this option enabled, cbfstool will
|
|
automatically update the hash embedded in the bootblock whenever it
|
|
modifies the CBFS.
|
|
|
|
if CBFS_VERIFICATION
|
|
|
|
config TOCTOU_SAFETY
|
|
bool "Protect against time-of-check vs. time-of-use vulnerabilities"
|
|
depends on !NO_FMAP_CACHE
|
|
depends on !NO_CBFS_MCACHE
|
|
depends on !USE_OPTION_TABLE && !FSP_CAR # Known to access CBFS before CBMEM init
|
|
depends on !VBOOT # TODO: can only allow this once vboot fully integrated
|
|
depends on NO_XIP_EARLY_STAGES
|
|
help
|
|
Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
|
|
for CBFS verification. This means that data from flash must be verified
|
|
every time it is loaded (not just the first time), which requires a bit
|
|
more overhead and is incompatible with certain configurations.
|
|
|
|
Using this option only makes sense when the mechanism securing the
|
|
bootblock is also safe against these vulnerabilities (i.e. there's no
|
|
point in enabling this when you just rely on flash write-protection).
|
|
|
|
config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
|
|
bool "Run decompression algorithms on potentially untrusted code"
|
|
default n
|
|
help
|
|
This controls whether cbfs_unverified_area_...() access functions may
|
|
decompress files. This exposes the attack surface of all supported
|
|
decompression algorithms. Even if you don't compress the files you are
|
|
planning to load with these functions, since file metadata is also
|
|
unverified, an attacker can potentially replace them with compressed
|
|
files to access a vulnerability in the decompression code.
|
|
|
|
If you don't need to load compressed files from unverified areas, say
|
|
no here for tighter security.
|
|
|
|
config CBFS_HASH_ALGO
|
|
int
|
|
default 1 if CBFS_HASH_SHA1
|
|
default 2 if CBFS_HASH_SHA256
|
|
default 3 if CBFS_HASH_SHA512
|
|
|
|
choice
|
|
prompt "Hash algorithm"
|
|
default CBFS_HASH_SHA256
|
|
help
|
|
Select the hash algorithm used in CBFS verification. Note that SHA-1 is
|
|
generally considered insecure today and should not be used without good
|
|
reason. When using CBFS verification together with measured boot, using
|
|
the same hash algorithm (usually SHA-256) for both is more efficient.
|
|
|
|
config CBFS_HASH_SHA1
|
|
bool "SHA-1"
|
|
|
|
config CBFS_HASH_SHA256
|
|
bool "SHA-256"
|
|
|
|
config CBFS_HASH_SHA512
|
|
bool "SHA-512"
|
|
|
|
endchoice
|
|
|
|
endif
|
|
|
|
endmenu
|