cbfs: Add verification for RO CBFS metadata hash

This patch adds the first stage of the new CONFIG_CBFS_VERIFICATION
feature. It's not useful to end-users in this stage so it cannot be
selected in menuconfig (and should not be used other than for
development) yet. With this patch coreboot can verify the metadata hash
of the RO CBFS when it starts booting, but it does not verify individual
files yet. Likewise, verifying RW CBFSes with vboot is not yet
supported.

Verification is bootstrapped from a "metadata hash anchor" structure
that is embedded in the bootblock code and marked by a unique magic
number.  This anchor contains both the CBFS metadata hash and a separate
hash for the FMAP which is required to find the primary CBFS. Both are
verified on first use in the bootblock (and halt the system on failure).

The CONFIG_TOCTOU_SAFETY option is also added for illustrative purposes
to show some paths that need to be different when full protection
against TOCTOU (time-of-check vs. time-of-use) attacks is desired. For
normal verification it is sufficient to check the FMAP and the CBFS
metadata hash only once in the bootblock -- for TOCTOU verification we
do the same, but we need to be extra careful that we do not re-read the
FMAP or any CBFS metadata in later stages. This is mostly achieved by
depending on the CBFS metadata cache and FMAP cache features, but we
allow for one edge case in case the RW CBFS metadata cache overflows
(which may happen during an RW update and could otherwise no longer be
fixed because mcache size is defined by RO code). This code is added to
demonstrate design intent but won't really matter until RW CBFS
verification can be supported.

Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I8930434de55eb938b042fdada9aa90218c0b5a34
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41120
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>

2 files changed, 13 insertions, 12 deletions

diff --git a/src/security/Kconfig b/src/security/Kconfig
index 54d38fb5c2..abbd0b86b8 100644
--- a/src/security/Kconfig
+++ b/src/security/Kconfig
@@ -1,5 +1,9 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
+# These features are implemented in src/lib/cbfs.c, but they are security
+# features so sort them in here for menuconfig.
+source "src/lib/Kconfig.cbfs_verification"
+
 source "src/security/vboot/Kconfig"
 source "src/security/tpm/Kconfig"
 source "src/security/memory/Kconfig"
diff --git a/src/security/vboot/vboot_loader.c b/src/security/vboot/vboot_loader.c
index 9c6e56e9af..56a0664328 100644
--- a/src/security/vboot/vboot_loader.c
+++ b/src/security/vboot/vboot_loader.c
@@ -25,18 +25,17 @@ _Static_assert(!CONFIG(VBOOT_RETURN_FROM_VERSTAGE) ||
 
 int vboot_executed;
 
-static void build_rw_mcache(void)
+static void after_verstage(void)
 {
-	if (CONFIG(NO_CBFS_MCACHE))
-		return;
+	vboot_executed = 1;	/* Mark verstage execution complete. */
 
 	const struct cbfs_boot_device *cbd = vboot_get_cbfs_boot_device();
-	if (!cbd)	/* Don't build RW mcache in recovery mode. */
+	if (!cbd)	/* Can't initialize RW CBFS in recovery mode. */
 		return;
-	cb_err_t err = cbfs_mcache_build(&cbd->rdev, cbd->mcache,
-					 cbd->mcache_size, NULL);
-	if (err && err != CB_CBFS_CACHE_FULL)
-		die("Failed to build RW mcache.");	/* TODO: -> recovery? */
+
+	cb_err_t err = cbfs_init_boot_device(cbd, NULL); /* TODO: RW hash */
+	if (err && err != CB_CBFS_CACHE_FULL)	/* TODO: -> recovery? */
+		die("RW CBFS initialization failure: %d", err);
 }
 
 void vboot_run_logic(void)
@@ -44,8 +43,7 @@ void vboot_run_logic(void)
 	if (verification_should_run()) {
 		/* Note: this path is not used for VBOOT_RETURN_FROM_VERSTAGE */
 		verstage_main();
-		vboot_executed = 1;
-		build_rw_mcache();
+		after_verstage();
 	} else if (verstage_should_load()) {
 		struct cbfsf file;
 		struct prog verstage =
@@ -72,8 +70,7 @@ void vboot_run_logic(void)
 		if (!CONFIG(VBOOT_RETURN_FROM_VERSTAGE))
 			return;
 
-		vboot_executed = 1;
-		build_rw_mcache();
+		after_verstage();
 	}
 }