summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRizwan Qureshi <rizwan.qureshi@intel.com>2023-09-29 07:31:17 +0530
committerLean Sheng Tan <sheng.tan@9elements.com>2023-10-27 06:37:35 +0000
commitd81d80c554a2549720ce2114a1a84720d0605192 (patch)
tree3bd232330514c0f92c20892efc6ed81496c35569
parent952a4473ec233af74a458ffc8db987429cbb8fce (diff)
soc/intel/cse: remove cbfs_unverified_area_map() API in cse_lite
With CBFS verification feature (CONFIG_VBOOT_CBFS_INTEGRATION) being enabled, we can now remove cbfs_unverified_area_map() APIs which are potential cause of security issues as they skip verification. These APIs were used earlier to skip verification and hence save boot time. With CBFS verification enabled, the files are verified only when being loaded so we can now use cbfs_cbmem_alloc()/cbfs_map function to load them. BUG=b:284382452 Change-Id: Ie0266e50463926b8d377825142afda7f44754eb7 Signed-off-by: Rizwan Qureshi <rizwan.qureshi@intel.com> Reviewed-on: https://review.coreboot.org/c/coreboot/+/78214 Reviewed-by: Jérémy Compostella <jeremy.compostella@intel.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Jamie Ryu <jamie.m.ryu@intel.com>
-rw-r--r--src/soc/intel/common/block/cse/Makefile.inc14
-rw-r--r--src/soc/intel/common/block/cse/cse_lite.c62
2 files changed, 7 insertions, 69 deletions
diff --git a/src/soc/intel/common/block/cse/Makefile.inc b/src/soc/intel/common/block/cse/Makefile.inc
index 6798c684e5..33277571f6 100644
--- a/src/soc/intel/common/block/cse/Makefile.inc
+++ b/src/soc/intel/common/block/cse/Makefile.inc
@@ -82,8 +82,9 @@ CSE_RW_FILE := $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_FILE))
endif
CSE_LITE_ME_RW = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME))
-regions-for-file-$(CSE_LITE_ME_RW) = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME)), \
- $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME))
+
+regions-for-file-$(CSE_LITE_ME_RW) = FW_MAIN_A,FW_MAIN_B
+
cbfs-files-y += $(CSE_LITE_ME_RW)
$(CSE_LITE_ME_RW)-file := $(CSE_RW_FILE)
$(CSE_LITE_ME_RW)-name := $(CSE_LITE_ME_RW)
@@ -102,15 +103,6 @@ $(CSE_RW_VERSION)-file := $(obj)/cse_rw.version
$(CSE_RW_VERSION)-name := $(CSE_RW_VERSION)
$(CSE_RW_VERSION)-type := raw
-$(obj)/cse_rw.hash: $(CSE_RW_FILE)
- openssl dgst -sha256 -binary $< > $@
-
-CSE_RW_HASH = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME))
-regions-for-file-$(CSE_RW_HASH) = FW_MAIN_A,FW_MAIN_B
-cbfs-files-y += $(CSE_RW_HASH)
-$(CSE_RW_HASH)-file := $(obj)/cse_rw.hash
-$(CSE_RW_HASH)-name := $(CSE_RW_HASH)
-$(CSE_RW_HASH)-type := raw
endif
ifeq ($(CONFIG_SOC_INTEL_CSE_SUB_PART_UPDATE),y)
diff --git a/src/soc/intel/common/block/cse/cse_lite.c b/src/soc/intel/common/block/cse/cse_lite.c
index d21c933dca..8e8e221687 100644
--- a/src/soc/intel/common/block/cse/cse_lite.c
+++ b/src/soc/intel/common/block/cse/cse_lite.c
@@ -785,18 +785,6 @@ static enum cb_err cse_get_target_rdev(struct region_device *target_rdev)
return CB_SUCCESS;
}
-static const char *cse_get_source_rdev_fmap(void)
-{
- struct vb2_context *ctx = vboot_get_context();
- if (ctx == NULL)
- return NULL;
-
- if (vboot_is_firmware_slot_a(ctx))
- return CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME;
-
- return CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME;
-}
-
/*
* Compare versions of CSE CBFS sub-component and CSE sub-component partition
* In case of CSE component comparison:
@@ -816,29 +804,6 @@ static int cse_compare_sub_part_version(const struct fw_version *a, const struct
return a->build - b->build;
}
-/* The function calculates SHA-256 of CSE RW blob and compares it with the provided SHA value */
-static bool cse_verify_cbfs_rw_sha256(const uint8_t *expected_rw_blob_sha,
- const void *rw_blob, const size_t rw_blob_sz)
-
-{
- struct vb2_hash calculated;
-
- if (vb2_hash_calculate(vboot_hwcrypto_allowed(), rw_blob, rw_blob_sz,
- VB2_HASH_SHA256, &calculated)) {
- printk(BIOS_ERR, "cse_lite: CSE CBFS RW's SHA-256 calculation has failed\n");
- return false;
- }
-
- if (memcmp(expected_rw_blob_sha, calculated.sha256, sizeof(calculated.sha256))) {
- printk(BIOS_ERR, "cse_lite: Computed CBFS RW's SHA-256 does not match with"
- "the provided SHA in the metadata\n");
- return false;
- }
- printk(BIOS_SPEW, "cse_lite: Computed SHA of CSE CBFS RW Image matches the"
- " provided hash in the metadata\n");
- return true;
-}
-
static enum cb_err cse_erase_rw_region(const struct region_device *target_rdev)
{
if (rdev_eraseat(target_rdev, 0, region_device_sz(target_rdev)) < 0) {
@@ -1014,39 +979,21 @@ static enum csme_failure_reason cse_trigger_fw_update(enum cse_update_status sta
struct region_device *target_rdev)
{
enum csme_failure_reason rv;
- uint8_t *cbfs_rw_hash;
void *cse_cbfs_rw = NULL;
size_t size;
- const char *area_name = cse_get_source_rdev_fmap();
- if (!area_name)
- return CSE_LITE_SKU_RW_BLOB_NOT_FOUND;
-
if (CONFIG(SOC_INTEL_CSE_LITE_COMPRESS_ME_RW)) {
- cse_cbfs_rw = cbfs_unverified_area_cbmem_alloc(area_name,
- CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, CBMEM_ID_CSE_UPDATE, &size);
+ cse_cbfs_rw = cbfs_cbmem_alloc(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME,
+ CBMEM_ID_CSE_UPDATE, &size);
} else {
- cse_cbfs_rw = cbfs_unverified_area_map(area_name,
- CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, &size);
+ cse_cbfs_rw = cbfs_map(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, &size);
}
+
if (!cse_cbfs_rw) {
printk(BIOS_ERR, "cse_lite: CSE CBFS RW blob could not be mapped\n");
return CSE_LITE_SKU_RW_BLOB_NOT_FOUND;
}
- cbfs_rw_hash = cbfs_map(CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME, NULL);
- if (!cbfs_rw_hash) {
- printk(BIOS_ERR, "cse_lite: Failed to get %s\n",
- CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME);
- rv = CSE_LITE_SKU_RW_METADATA_NOT_FOUND;
- goto error_exit;
- }
-
- if (!cse_verify_cbfs_rw_sha256(cbfs_rw_hash, cse_cbfs_rw, size)) {
- rv = CSE_LITE_SKU_RW_BLOB_SHA256_MISMATCH;
- goto error_exit;
- }
-
if (cse_prep_for_rw_update(status) != CB_SUCCESS) {
rv = CSE_COMMUNICATION_ERROR;
goto error_exit;
@@ -1056,7 +1003,6 @@ static enum csme_failure_reason cse_trigger_fw_update(enum cse_update_status sta
rv = cse_update_rw(cse_cbfs_rw, size, target_rdev);
error_exit:
- cbfs_unmap(cbfs_rw_hash);
cbfs_unmap(cse_cbfs_rw);
return rv;
}