-rw-r--r--src/lib/Kconfig.cbfs_verification14
-rw-r--r--src/lib/cbfs.c7
-rw-r--r--src/soc/intel/common/block/cse/Kconfig1
3 files changed, 22 insertions, 0 deletions
diff --git a/src/lib/Kconfig.cbfs_verification b/src/lib/Kconfig.cbfs_verification
index 9b053e1c16..12aaf81fab 100644
--- a/src/lib/Kconfig.cbfs_verification
+++ b/src/lib/Kconfig.cbfs_verification
@@ -37,6 +37,20 @@ config TOCTOU_SAFETY
bootblock is also safe against these vulnerabilities (i.e. there's no
point in enabling this when you just rely on flash write-protection).
+config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
+ bool "Run decompression algorithms on potentially untrusted code"
+ default n
+ help
+ This controls whether cbfs_unverified_area_...() access functions may
+ decompress files. This exposes the attack surface of all supported
+ decompression algorithms. Even if you don't compress the files you are
+ planning to load with these functions, since file metadata is also
+ unverified, an attacker can potentially replace them with compressed
+ files to access a vulnerability in the decompression code.
+
+ If you don't need to load compressed files from unverified areas, say
+ no here for tighter security.
+
config CBFS_HASH_ALGO
int
default 1 if CBFS_HASH_SHA1
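Review bot: The new symbol is offered in every configuration, but the check it controls in cbfs.c is gated on `CONFIG(CBFS_VERIFICATION)`, so on a build without verification answering "y" or "n" changes nothing and a user may believe they have restricted something they have not. Add `depends on CBFS_VERIFICATION` under the `bool` line so the prompt only appears where it matters; the `select` added in the CSE Kconfig is already conditioned on CBFS_VERIFICATION, so it stays satisfiable. The help text should also say this explicitly, e.g. append `Without CBFS_VERIFICATION no area is verified and decompression is never refused, so this option has no effect.` Naming the exact access path in the help ("the cbfs_unverified_area_...() functions") is fine, but the enforcement point in cbfs.c keys on a skip_verification flag rather than on those function names, so a one-line pointer to that helper would keep the two in sync for future readers.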
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c
index 4e25d27cfb..78eeb3bfb2 100644
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@@ -208,6 +208,13 @@ static size_t cbfs_load_and_decompress(const struct region_device *rdev, void *b
DEBUG("Decompressing %zu bytes from '%s' to %p with algo %d\n",
in_size, mdata->h.filename, buffer, compression);
+ if (CONFIG(CBFS_VERIFICATION) && !CONFIG(CBFS_ALLOW_UNVERIFIED_DECOMPRESSION) &&
+ skip_verification && compression != CBFS_COMPRESS_NONE) {
+ ERROR("Refusing to decompress unverified file '%s' with algo %d\n",
+ mdata->h.filename, compression);
+ return 0;
+ }
+
switch (compression) {
case CBFS_COMPRESS_NONE:
if (buffer_size < in_size)
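Review bot: The refusal is placed after the DEBUG line has already announced that decompression of the file is proceeding, and the new block carries no comment explaining why a compression field read from unverified metadata is a problem, which only the Kconfig help text spells out. Move the `if (CONFIG(CBFS_VERIFICATION) && ...)` block above the DEBUG print and add a why-comment such as `/* Metadata is unverified here, so an attacker can mark any file as compressed to reach the decompressor; refuse unless the platform opted in. */`, with a second line noting that when CBFS_VERIFICATION is off the guard compiles away because nothing is verified in that configuration anyway. Returning 0 as the failure value matches how the surrounding size checks appear to behave, but the function's error contract is outside this hunk, so that should be confirmed. `cbfs_load_and_decompress` starts and ends outside the hunk, and `skip_verification` is presumably a parameter truncated from the hunk header rather than a derived state — verify it reflects the caller's explicit request.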
diff --git a/src/soc/intel/common/block/cse/Kconfig b/src/soc/intel/common/block/cse/Kconfig
index d809e03e9f..876ec51169 100644
--- a/src/soc/intel/common/block/cse/Kconfig
+++ b/src/soc/intel/common/block/cse/Kconfig
@@ -223,6 +223,7 @@ config SOC_INTEL_CSE_LITE_COMPRESS_ME_RW
bool
default n
depends on SOC_INTEL_CSE_LITE_SKU
+ select CBFS_ALLOW_UNVERIFIED_DECOMPRESSION if CBFS_VERIFICATION && !VBOOT_CBFS_INTEGRATION
help
Enable compression on Intel CSE CBFS RW blob