Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/cbfs.h | 10 | ||||
-rw-r--r-- | src/include/cbfs_glue.h | 15 | ||||
-rw-r--r-- | src/include/metadata_hash.h | 21 |
3 files changed, 44 insertions, 2 deletions
diff --git a/src/include/cbfs.h b/src/include/cbfs.h
index 8d4c2209d2..cad01c623d 100644
--- a/src/include/cbfs.h
+++ b/src/include/cbfs.h
@@ -7,6 +7,7 @@
 #include <commonlib/cbfs.h>
 #include <program_loading.h>
 #include <types.h>
+#include <vb2_sha.h>

 /***********************************************
 * Perform CBFS operations on the boot device. *
@@ -74,4 +75,13 @@ void cbfs_boot_device_find_mcache(struct cbfs_boot_device *cbd, uint32_t id);
 */
 const struct cbfs_boot_device *cbfs_get_boot_device(bool force_ro);

+/*
+ * Builds the mcache (if |cbd->mcache| is set) and verifies |metadata_hash| (if
+ * it is not NULL). If CB_CBFS_CACHE_FULL is returned, the mcache is incomplete
+ * but still valid and the metadata hash was still verified. Should be called
+ * once per *boot* (not once per stage) before the first CBFS access.
+ */
+cb_err_t cbfs_init_boot_device(const struct cbfs_boot_device *cbd,
+ struct vb2_hash *metadata_hash);
+
 #endif
diff --git a/src/include/cbfs_glue.h b/src/include/cbfs_glue.h
index ebfbc2e7ae..ffca83ef06 100644
--- a/src/include/cbfs_glue.h
+++ b/src/include/cbfs_glue.h
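Review bot: The new comment on `cbfs_init_boot_device()` (second cbfs.h hunk) names CB_CBFS_CACHE_FULL as a survivable result but never says what a failed metadata hash check returns, so a caller cannot tell from the header which results must stop the boot. I would add a sentence to the comment such as `Any other error means the metadata could not be loaded or verified; the caller must not access CBFS afterwards.` (to be confirmed against the implementation, which is outside this diff). Because a NULL `metadata_hash` silently skips verification, the comment should also say that callers in verification-enabled builds must pass the anchor hash. If the function only reads the hash, `const struct vb2_hash *metadata_hash` would make that explicit.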
@@ -5,8 +5,19 @@

 #include <commonlib/region.h>
 #include <console/console.h>
-
-#define CBFS_ENABLE_HASHING 0
+#include <rules.h>
+
+/*
+ * This flag prevents linking hashing functions into stages where they're not required. We don't
+ * need them at all if verification is disabled. If verification is enabled without TOCTOU
+ * safety, we only need to verify the metadata hash in the initial stage and can assume it stays
+ * valid in later stages. If TOCTOU safety is required, we may need them in every stage to
+ * reverify metadata that had to be reloaded from flash (e.g. because it didn't fit the mcache).
+ * Note that this only concerns metadata hashing -- file access functions may still link hashing
+ * routines independently for file data hashing.
+ */
+#define CBFS_ENABLE_HASHING (CONFIG(CBFS_VERIFICATION) && \
+ (CONFIG(TOCTOU_SAFETY) || ENV_INITIAL_STAGE))

 #define ERROR(...) printk(BIOS_ERR, "CBFS ERROR: " __VA_ARGS__)
 #define LOG(...) printk(BIOS_ERR, "CBFS: " __VA_ARGS__)
diff --git a/src/include/metadata_hash.h b/src/include/metadata_hash.h
new file mode 100644
index 0000000000..2d3b8a86bc
--- /dev/null
+++ b/src/include/metadata_hash.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/* This file is part of the coreboot project. */
+
+#ifndef _METADATA_HASH_H_
+#define _METADATA_HASH_H_
+
+#include <commonlib/bsd/metadata_hash.h>
+
+/* Verify the an FMAP data structure with the FMAP hash that is stored together with the CBFS
+ metadata hash in the bootblock's metadata hash anchor (when CBFS verification is enabled). */
+vb2_error_t metadata_hash_verify_fmap(const void *fmap_base, size_t fmap_size);
+
+#if CONFIG(CBFS_VERIFICATION)
+/* Get the (RO) CBFS metadata hash for this CBFS image, which forms the root of trust for CBFS
+ verification. This function is only available in the bootblock. */
+struct vb2_hash *metadata_hash_get(void);
+#else
+static inline struct vb2_hash *metadata_hash_get(void) { return NULL; }
+#endif
+
+#endif
|
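Review bot: With CBFS_VERIFICATION set and TOCTOU_SAFETY unset, the new `CBFS_ENABLE_HASHING` is 0 in every stage after the initial one, so metadata that a later stage has to re-read from flash (the comment's own example is an entry that did not fit the mcache) is presumably used without a hash check. The comment covers this with "can assume it stays valid", which leaves the underlying trust assumption unstated. I would spell it out in the comment, e.g. `Without TOCTOU_SAFETY, later stages trust metadata re-read from flash, which is only sound if the flash cannot be modified after the initial stage has verified it.` The code that consumes the macro is not part of this hunk.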
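Review bot: `metadata_hash_verify_fmap()` is declared unconditionally in the new metadata_hash.h, while `metadata_hash_get()` gets a `static inline` stub when CBFS_VERIFICATION is off; if the implementation is only built for verification-enabled bootblocks (not visible here), a misplaced call is caught only at link time. The comment on `metadata_hash_get()` says it is "only available in the bootblock", but the prototype carries no stage guard, so that restriction is enforced by nothing in this header. The stub's NULL is what makes `cbfs_init_boot_device()` skip verification, which deserves a comment at the stub, e.g. `/* NULL: no metadata hash, cbfs_init_boot_device() skips verification. */`. The first comment also has a typo: "Verify the an FMAP" should read "Verify an FMAP".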