-rw-r--r-- | src/lib/Kconfig.cbfs_verification | 14 | ||||
-rw-r--r-- | src/lib/cbfs.c | 7 | ||||
-rw-r--r-- | src/soc/intel/common/block/cse/Kconfig | 1 |
3 files changed, 22 insertions, 0 deletions
diff --git a/src/lib/Kconfig.cbfs_verification b/src/lib/Kconfig.cbfs_verification
index 9b053e1c16..12aaf81fab 100644
--- a/src/lib/Kconfig.cbfs_verification
+++ b/src/lib/Kconfig.cbfs_verification
@@ -37,6 +37,20 @@ config TOCTOU_SAFETY
 	  bootblock is also safe against these vulnerabilities (i.e. there's no
 	  point in enabling this when you just rely on flash write-protection).
 
+config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
+	bool "Run decompression algorithms on potentially untrusted code"
+	default n
+	help
+	  This controls whether cbfs_unverified_area_...() access functions may
+	  decompress files. This exposes the attack surface of all supported
+	  decompression algorithms. Even if you don't compress the files you are
+	  planning to load with these functions, since file metadata is also
+	  unverified, an attacker can potentially replace them with compressed
+	  files to access a vulnerability in the decompression code.
+
+	  If you don't need to load compressed files from unverified areas, say
+	  no here for tighter security.
+
 config CBFS_HASH_ALGO
 	int
 	default 1 if CBFS_HASH_SHA1
diff --git a/src/lib/cbfs.c b/src/lib/cbfs.c
index 4e25d27cfb..78eeb3bfb2 100644
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@@ -208,6 +208,13 @@ static size_t cbfs_load_and_decompress(const struct region_device *rdev, void *b
 	DEBUG("Decompressing %zu bytes from '%s' to %p with algo %d\n",
 	      in_size, mdata->h.filename, buffer, compression);
 
+	if (CONFIG(CBFS_VERIFICATION) && !CONFIG(CBFS_ALLOW_UNVERIFIED_DECOMPRESSION) &&
+	    skip_verification && compression != CBFS_COMPRESS_NONE) {
+		ERROR("Refusing to decompress unverified file '%s' with algo %d\n",
+		      mdata->h.filename, compression);
+		return 0;
+	}
+
 	switch (compression) {
 	case CBFS_COMPRESS_NONE:
 		if (buffer_size < in_size)
diff --git a/src/soc/intel/common/block/cse/Kconfig b/src/soc/intel/common/block/cse/Kconfig
index d809e03e9f..876ec51169 100644
--- a/src/soc/intel/common/block/cse/Kconfig
+++ b/src/soc/intel/common/block/cse/Kconfig
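Review bot: The new CBFS_ALLOW_UNVERIFIED_DECOMPRESSION entry carries no `depends on CBFS_VERIFICATION`, while its only consumer in cbfs.c tests it together with CONFIG(CBFS_VERIFICATION), so the prompt is offered in configurations where the answer has no effect; adding `depends on CBFS_VERIFICATION` would hide it there, unless the surrounding file already wraps these options in an `if CBFS_VERIFICATION` block, which is outside this hunk. The prompt `bool "Run decompression algorithms on potentially untrusted code"` describes the input as code, whereas the help text correctly talks about files and metadata; `bool "Run decompression algorithms on potentially untrusted data"` matches what the option actually controls. Since the cse/Kconfig hunk selects this option for CSE Lite RW compression, the help text could also say that platforms which must load compressed unverified blobs select it automatically, so a user who sees it forced to y understands why their "n" is not honored.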
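Review bot: The new guard `if (CONFIG(CBFS_VERIFICATION) && !CONFIG(CBFS_ALLOW_UNVERIFIED_DECOMPRESSION) && ...` sits after the `DEBUG("Decompressing %zu bytes ...")` call, so on refusal the log first announces a decompression that never happens; moving the check above the DEBUG call keeps the log consistent with what the function does. The reason for the gate lives only in the Kconfig help, so a short comment at the check would help readers of this file, e.g. `/* Metadata from unverified areas is attacker-controllable, so a compressed file could reach the decompressor; refuse unless explicitly allowed. */`. The ERROR message echoes `mdata->h.filename` from the same unverified metadata the existing DEBUG line already prints, so it adds no new exposure provided the metadata walker guarantees a terminated filename, which is worth confirming since that code is not in this hunk. The `return 0` is the same sentinel the other failure paths use, so callers cannot tell this refusal from a decompression error; that looks intended but could be stated in the comment. cbfs_load_and_decompress starts before and continues past this hunk.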
@@ -223,6 +223,7 @@ config SOC_INTEL_CSE_LITE_COMPRESS_ME_RW
 	bool
 	default n
 	depends on SOC_INTEL_CSE_LITE_SKU
+	select CBFS_ALLOW_UNVERIFIED_DECOMPRESSION if CBFS_VERIFICATION && !VBOOT_CBFS_INTEGRATION
 	help
 	  Enable compression on Intel CSE CBFS RW blob