summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulius Werner <jwerner@chromium.org>2023-05-25 18:26:32 -0700
committerLean Sheng Tan <sheng.tan@9elements.com>2023-06-19 12:27:15 +0000
commit6e303aa89b906dc12b0bbf6024a23de339634eb1 (patch)
tree13c7fed064b5e00eed7a81744439619006fdff48
parent3f1e034835fc40b43b95746b37b291de8c860810 (diff)
cbfs: Allow controlling decompression of unverified files
This patch adds a new Kconfig that controls whether CBFS APIs for unverified areas will allow file decompression when CBFS verification is enabled. This should be disallowed by default because it exposes the attack surface of all supported decompression algorithms. Make allowances for one legacy use case with CONFIG_SOC_INTEL_CSE_LITE_ COMPRESS_ME_RW that should become obsolete with VBOOT_CBFS_INTEGRATION. Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: Ieae420f51cbc01dae2ab265414219cc9c288087b Reviewed-on: https://review.coreboot.org/c/coreboot/+/75457 Reviewed-by: Jakub Czapiga <jacz@semihalf.com> Reviewed-by: Subrata Banik <subratabanik@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Yu-Ping Wu <yupingso@google.com> Reviewed-by: Angel Pons <th3fanbus@gmail.com>
-rw-r--r--src/lib/Kconfig.cbfs_verification14
-rw-r--r--src/lib/cbfs.c7
-rw-r--r--src/soc/intel/common/block/cse/Kconfig1
3 files changed, 22 insertions, 0 deletions
diff --git a/src/lib/Kconfig.cbfs_verification b/src/lib/Kconfig.cbfs_verification
index 9b053e1c16..12aaf81fab 100644
--- a/src/lib/Kconfig.cbfs_verification
+++ b/src/lib/Kconfig.cbfs_verification
@@ -37,6 +37,20 @@ config TOCTOU_SAFETY
bootblock is also safe against these vulnerabilities (i.e. there's no
point in enabling this when you just rely on flash write-protection).
+config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
+ bool "Run decompression algorithms on potentially untrusted code"
+ default n
+ help
+ This controls whether cbfs_unverified_area_...() access functions may
+ decompress files. This exposes the attack surface of all supported
+ decompression algorithms. Even if you don't compress the files you are
+ planning to load with these functions, since file metadata is also
+ unverified, an attacker can potentially replace them with compressed
+ files to access a vulnerability in the decompression code.
+
+ If you don't need to load compressed files from unverified areas, say
+ no here for tighter security.
+
config CBFS_HASH_ALGO
int
default 1 if CBFS_HASH_SHA1
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c
index 4e25d27cfb..78eeb3bfb2 100644
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@@ -208,6 +208,13 @@ static size_t cbfs_load_and_decompress(const struct region_device *rdev, void *b
DEBUG("Decompressing %zu bytes from '%s' to %p with algo %d\n",
in_size, mdata->h.filename, buffer, compression);
+ if (CONFIG(CBFS_VERIFICATION) && !CONFIG(CBFS_ALLOW_UNVERIFIED_DECOMPRESSION) &&
+ skip_verification && compression != CBFS_COMPRESS_NONE) {
+ ERROR("Refusing to decompress unverified file '%s' with algo %d\n",
+ mdata->h.filename, compression);
+ return 0;
+ }
+
switch (compression) {
case CBFS_COMPRESS_NONE:
if (buffer_size < in_size)
diff --git a/src/soc/intel/common/block/cse/Kconfig b/src/soc/intel/common/block/cse/Kconfig
index d809e03e9f..876ec51169 100644
--- a/src/soc/intel/common/block/cse/Kconfig
+++ b/src/soc/intel/common/block/cse/Kconfig
@@ -223,6 +223,7 @@ config SOC_INTEL_CSE_LITE_COMPRESS_ME_RW
bool
default n
depends on SOC_INTEL_CSE_LITE_SKU
+ select CBFS_ALLOW_UNVERIFIED_DECOMPRESSION if CBFS_VERIFICATION && !VBOOT_CBFS_INTEGRATION
help
Enable compression on Intel CSE CBFS RW blob