summaryrefslogtreecommitdiff
path: root/payloads
diff options
context:
space:
mode:
Diffstat (limited to 'payloads')
-rw-r--r--payloads/libpayload/include/cbfs_glue.h4
-rw-r--r--payloads/libpayload/libcbfs/cbfs.c9
-rw-r--r--payloads/libpayload/tests/libcbfs/cbfs-verification-test.c4
3 files changed, 15 insertions, 2 deletions
diff --git a/payloads/libpayload/include/cbfs_glue.h b/payloads/libpayload/include/cbfs_glue.h
index 00d0ea943a..bff63eea4a 100644
--- a/payloads/libpayload/include/cbfs_glue.h
+++ b/payloads/libpayload/include/cbfs_glue.h
@@ -5,9 +5,11 @@
#include <libpayload-config.h>
#include <boot_device.h>
+#include <stdbool.h>
#include <stdio.h>
#define CBFS_ENABLE_HASHING CONFIG(LP_CBFS_VERIFICATION)
+#define CBFS_HASH_HWCRYPTO cbfs_hwcrypto_allowed()
#define ERROR(...) printf("CBFS ERROR: " __VA_ARGS__)
#define LOG(...) printf("CBFS: " __VA_ARGS__)
@@ -43,4 +45,6 @@ static inline size_t cbfs_dev_size(cbfs_dev_t dev)
return dev->size;
}
+bool cbfs_hwcrypto_allowed(void);
+
#endif /* _CBFS_CBFS_GLUE_H */
diff --git a/payloads/libpayload/libcbfs/cbfs.c b/payloads/libpayload/libcbfs/cbfs.c
index 0694c4f7c5..a158ba8fa1 100644
--- a/payloads/libpayload/libcbfs/cbfs.c
+++ b/payloads/libpayload/libcbfs/cbfs.c
@@ -89,7 +89,7 @@ static bool cbfs_file_hash_mismatch(const void *buffer, size_t size,
ERROR("'%s' does not have a file hash!\n", mdata->h.filename);
return true;
}
- if (vb2_hash_verify(buffer, size, hash) != VB2_SUCCESS) {
+ if (vb2_hash_verify(cbfs_hwcrypto_allowed(), buffer, size, hash) != VB2_SUCCESS) {
ERROR("'%s' file hash mismatch!\n", mdata->h.filename);
return true;
}
@@ -223,3 +223,10 @@ void *_cbfs_unverified_area_load(const char *area, const char *name, void *buf,
return do_load(&mdata, dev.offset + data_offset, buf, size_inout, true);
}
+
+/* This should be overridden by payloads that want to enforce more explicit
+ policy on using HW crypto. */
+__weak bool cbfs_hwcrypto_allowed(void)
+{
+ return true;
+}
diff --git a/payloads/libpayload/tests/libcbfs/cbfs-verification-test.c b/payloads/libpayload/tests/libcbfs/cbfs-verification-test.c
index 8e50f39d45..25e402cca3 100644
--- a/payloads/libpayload/tests/libcbfs/cbfs-verification-test.c
+++ b/payloads/libpayload/tests/libcbfs/cbfs-verification-test.c
@@ -23,8 +23,10 @@ size_t vb2_digest_size(enum vb2_hash_algorithm hash_alg)
return VB2_SHA256_DIGEST_SIZE;
}
-vb2_error_t vb2_hash_verify(const void *buf, uint32_t size, const struct vb2_hash *hash)
+vb2_error_t vb2_hash_verify(bool allow_hwcrypto, const void *buf, uint32_t size,
+ const struct vb2_hash *hash)
{
+ assert_true(allow_hwcrypto);
check_expected_ptr(buf);
check_expected(size);
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-08 10:37:27 +0000