From 6e303aa89b906dc12b0bbf6024a23de339634eb1 Mon Sep 17 00:00:00 2001 From: Julius Werner Date: Thu, 25 May 2023 18:26:32 -0700 Subject: cbfs: Allow controlling decompression of unverified files This patch adds a new Kconfig that controls whether CBFS APIs for unverified areas will allow file decompression when CBFS verification is enabled. This should be disallowed by default because it exposes the attack surface of all supported decompression algorithms. Make allowances for one legacy use case with CONFIG_SOC_INTEL_CSE_LITE_ COMPRESS_ME_RW that should become obsolete with VBOOT_CBFS_INTEGRATION. Signed-off-by: Julius Werner Change-Id: Ieae420f51cbc01dae2ab265414219cc9c288087b Reviewed-on: https://review.coreboot.org/c/coreboot/+/75457 Reviewed-by: Jakub Czapiga Reviewed-by: Subrata Banik Tested-by: build bot (Jenkins) Reviewed-by: Yu-Ping Wu Reviewed-by: Angel Pons
---
 src/soc/intel/common/block/cse/Kconfig | 1 + 1 file changed, 1 insertion(+) (limited to 'src/soc/intel/common/block')
diff --git a/src/soc/intel/common/block/cse/Kconfig b/src/soc/intel/common/block/cse/Kconfig
index d809e03e9f..876ec51169 100644
--- a/src/soc/intel/common/block/cse/Kconfig
+++ b/src/soc/intel/common/block/cse/Kconfig
@@ -223,6 +223,7 @@ config SOC_INTEL_CSE_LITE_COMPRESS_ME_RW
 bool
 default n
 depends on SOC_INTEL_CSE_LITE_SKU
+ select CBFS_ALLOW_UNVERIFIED_DECOMPRESSION if CBFS_VERIFICATION && !VBOOT_CBFS_INTEGRATION
 help
 Enable compression on Intel CSE CBFS RW blob
-- 
cgit v1.2.3
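Review bot: The help text of SOC_INTEL_CSE_LITE_COMPRESS_ME_RW still reads only "Enable compression on Intel CSE CBFS RW blob", so a board that selects this (apparently promptless) option gets no hint that the added `select` also turns on CBFS_ALLOW_UNVERIFIED_DECOMPRESSION when CBFS_VERIFICATION is set without VBOOT_CBFS_INTEGRATION. Per the commit message that option exposes the attack surface of all supported decompression algorithms, so I would put a comment above the select, `# Legacy use case: allows decompression from unverified CBFS areas; obsolete with VBOOT_CBFS_INTEGRATION`, and add one help sentence naming the side effect. Because `select` forces a symbol on regardless of that symbol's own dependencies, it is also worth confirming that CBFS_ALLOW_UNVERIFIED_DECOMPRESSION carries no `depends on` that this bypasses; its definition is not part of this file section. The config entry itself begins in the hunk header, outside the hunk lines.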