aboutsummaryrefslogtreecommitdiff
path: root/src/include/cbfs_glue.h
diff options
context:
space:
mode:
Diffstat (limited to 'src/include/cbfs_glue.h')
-rw-r--r--src/include/cbfs_glue.h15
1 files changed, 13 insertions, 2 deletions
diff --git a/src/include/cbfs_glue.h b/src/include/cbfs_glue.h
index ebfbc2e7ae..ffca83ef06 100644
--- a/src/include/cbfs_glue.h
+++ b/src/include/cbfs_glue.h
@@ -5,8 +5,19 @@
#include <commonlib/region.h>
#include <console/console.h>
-
-#define CBFS_ENABLE_HASHING 0
+#include <rules.h>
+
+/*
+ * This flag prevents linking hashing functions into stages where they're not required. We don't
+ * need them at all if verification is disabled. If verification is enabled without TOCTOU
+ * safety, we only need to verify the metadata hash in the initial stage and can assume it stays
+ * valid in later stages. If TOCTOU safety is required, we may need them in every stage to
+ * reverify metadata that had to be reloaded from flash (e.g. because it didn't fit the mcache).
+ * Note that this only concerns metadata hashing -- file access functions may still link hashing
+ * routines independently for file data hashing.
+ */
+#define CBFS_ENABLE_HASHING (CONFIG(CBFS_VERIFICATION) && \
+ (CONFIG(TOCTOU_SAFETY) || ENV_INITIAL_STAGE))
#define ERROR(...) printk(BIOS_ERR, "CBFS ERROR: " __VA_ARGS__)
#define LOG(...) printk(BIOS_ERR, "CBFS: " __VA_ARGS__)
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-05 03:58:03 +0000