diff options
author | Rizwan Qureshi <rizwan.qureshi@intel.com> | 2023-09-29 07:31:17 +0530 |
---|---|---|
committer | Lean Sheng Tan <sheng.tan@9elements.com> | 2023-10-27 06:37:35 +0000 |
commit | d81d80c554a2549720ce2114a1a84720d0605192 (patch) | |
tree | 3bd232330514c0f92c20892efc6ed81496c35569 /src/soc/intel/common | |
parent | 952a4473ec233af74a458ffc8db987429cbb8fce (diff) |
soc/intel/cse: remove cbfs_unverified_area_map() API in cse_lite
With CBFS verification feature (CONFIG_VBOOT_CBFS_INTEGRATION)
being enabled, we can now remove cbfs_unverified_area_map() APIs
which are potential cause of security issues as they skip verification.
These APIs were used earlier to skip verification and hence save
boot time. With CBFS verification enabled, the files are verified
only when being loaded so we can now use cbfs_cbmem_alloc()/cbfs_map
function to load them.
BUG=b:284382452
Change-Id: Ie0266e50463926b8d377825142afda7f44754eb7
Signed-off-by: Rizwan Qureshi <rizwan.qureshi@intel.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/78214
Reviewed-by: Jérémy Compostella <jeremy.compostella@intel.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Jamie Ryu <jamie.m.ryu@intel.com>
Diffstat (limited to 'src/soc/intel/common')
-rw-r--r-- | src/soc/intel/common/block/cse/Makefile.inc | 14 | ||||
-rw-r--r-- | src/soc/intel/common/block/cse/cse_lite.c | 62 |
2 files changed, 7 insertions, 69 deletions
diff --git a/src/soc/intel/common/block/cse/Makefile.inc b/src/soc/intel/common/block/cse/Makefile.inc index 6798c684e5..33277571f6 100644 --- a/src/soc/intel/common/block/cse/Makefile.inc +++ b/src/soc/intel/common/block/cse/Makefile.inc @@ -82,8 +82,9 @@ CSE_RW_FILE := $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_FILE)) endif CSE_LITE_ME_RW = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME)) -regions-for-file-$(CSE_LITE_ME_RW) = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME)), \ - $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME)) + +regions-for-file-$(CSE_LITE_ME_RW) = FW_MAIN_A,FW_MAIN_B + cbfs-files-y += $(CSE_LITE_ME_RW) $(CSE_LITE_ME_RW)-file := $(CSE_RW_FILE) $(CSE_LITE_ME_RW)-name := $(CSE_LITE_ME_RW) @@ -102,15 +103,6 @@ $(CSE_RW_VERSION)-file := $(obj)/cse_rw.version $(CSE_RW_VERSION)-name := $(CSE_RW_VERSION) $(CSE_RW_VERSION)-type := raw -$(obj)/cse_rw.hash: $(CSE_RW_FILE) - openssl dgst -sha256 -binary $< > $@ - -CSE_RW_HASH = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME)) -regions-for-file-$(CSE_RW_HASH) = FW_MAIN_A,FW_MAIN_B -cbfs-files-y += $(CSE_RW_HASH) -$(CSE_RW_HASH)-file := $(obj)/cse_rw.hash -$(CSE_RW_HASH)-name := $(CSE_RW_HASH) -$(CSE_RW_HASH)-type := raw endif ifeq ($(CONFIG_SOC_INTEL_CSE_SUB_PART_UPDATE),y) diff --git a/src/soc/intel/common/block/cse/cse_lite.c b/src/soc/intel/common/block/cse/cse_lite.c index d21c933dca..8e8e221687 100644 --- a/src/soc/intel/common/block/cse/cse_lite.c +++ b/src/soc/intel/common/block/cse/cse_lite.c @@ -785,18 +785,6 @@ static enum cb_err cse_get_target_rdev(struct region_device *target_rdev) return CB_SUCCESS; } -static const char *cse_get_source_rdev_fmap(void) -{ - struct vb2_context *ctx = vboot_get_context(); - if (ctx == NULL) - return NULL; - - if (vboot_is_firmware_slot_a(ctx)) - return CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME; - - return CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME; -} - /* * Compare versions of CSE CBFS sub-component and CSE sub-component partition * In case of CSE component comparison: @@ -816,29 +804,6 @@ static int cse_compare_sub_part_version(const struct fw_version *a, const struct return a->build - b->build; } -/* The function calculates SHA-256 of CSE RW blob and compares it with the provided SHA value */ -static bool cse_verify_cbfs_rw_sha256(const uint8_t *expected_rw_blob_sha, - const void *rw_blob, const size_t rw_blob_sz) - -{ - struct vb2_hash calculated; - - if (vb2_hash_calculate(vboot_hwcrypto_allowed(), rw_blob, rw_blob_sz, - VB2_HASH_SHA256, &calculated)) { - printk(BIOS_ERR, "cse_lite: CSE CBFS RW's SHA-256 calculation has failed\n"); - return false; - } - - if (memcmp(expected_rw_blob_sha, calculated.sha256, sizeof(calculated.sha256))) { - printk(BIOS_ERR, "cse_lite: Computed CBFS RW's SHA-256 does not match with" - "the provided SHA in the metadata\n"); - return false; - } - printk(BIOS_SPEW, "cse_lite: Computed SHA of CSE CBFS RW Image matches the" - " provided hash in the metadata\n"); - return true; -} - static enum cb_err cse_erase_rw_region(const struct region_device *target_rdev) { if (rdev_eraseat(target_rdev, 0, region_device_sz(target_rdev)) < 0) { @@ -1014,39 +979,21 @@ static enum csme_failure_reason cse_trigger_fw_update(enum cse_update_status sta struct region_device *target_rdev) { enum csme_failure_reason rv; - uint8_t *cbfs_rw_hash; void *cse_cbfs_rw = NULL; size_t size; - const char *area_name = cse_get_source_rdev_fmap(); - if (!area_name) - return CSE_LITE_SKU_RW_BLOB_NOT_FOUND; - if (CONFIG(SOC_INTEL_CSE_LITE_COMPRESS_ME_RW)) { - cse_cbfs_rw = cbfs_unverified_area_cbmem_alloc(area_name, - CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, CBMEM_ID_CSE_UPDATE, &size); + cse_cbfs_rw = cbfs_cbmem_alloc(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, + CBMEM_ID_CSE_UPDATE, &size); } else { - cse_cbfs_rw = cbfs_unverified_area_map(area_name, - CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, &size); + cse_cbfs_rw = cbfs_map(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, &size); } + if (!cse_cbfs_rw) { printk(BIOS_ERR, "cse_lite: CSE CBFS RW blob could not be mapped\n"); return CSE_LITE_SKU_RW_BLOB_NOT_FOUND; } - cbfs_rw_hash = cbfs_map(CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME, NULL); - if (!cbfs_rw_hash) { - printk(BIOS_ERR, "cse_lite: Failed to get %s\n", - CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME); - rv = CSE_LITE_SKU_RW_METADATA_NOT_FOUND; - goto error_exit; - } - - if (!cse_verify_cbfs_rw_sha256(cbfs_rw_hash, cse_cbfs_rw, size)) { - rv = CSE_LITE_SKU_RW_BLOB_SHA256_MISMATCH; - goto error_exit; - } - if (cse_prep_for_rw_update(status) != CB_SUCCESS) { rv = CSE_COMMUNICATION_ERROR; goto error_exit; @@ -1056,7 +1003,6 @@ static enum csme_failure_reason cse_trigger_fw_update(enum cse_update_status sta rv = cse_update_rw(cse_cbfs_rw, size, target_rdev); error_exit: - cbfs_unmap(cbfs_rw_hash); cbfs_unmap(cse_cbfs_rw); return rv; } |