# SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later # # This file is sourced from src/security/Kconfig for menuconfig convenience. menu "CBFS verification" config CBFS_VERIFICATION bool "Enable CBFS verification" depends on !VBOOT_STARTS_BEFORE_BOOTBLOCK # this is gonna get tricky... select VBOOT_LIB help Say yes here to enable code that cryptographically verifies each CBFS file as it gets loaded by chaining it to a trust anchor that is embedded in the bootblock. This only makes sense if you use some out-of-band mechanism to guarantee the integrity of the bootblock itself, such as Intel BootGuard or flash write-protection. If a CBFS image was created with this option enabled, cbfstool will automatically update the hash embedded in the bootblock whenever it modifies the CBFS. if CBFS_VERIFICATION config TOCTOU_SAFETY bool "Protect against time-of-check vs. time-of-use vulnerabilities" depends on !NO_FMAP_CACHE depends on !NO_CBFS_MCACHE depends on !USE_OPTION_TABLE && !FSP_CAR # Known to access CBFS before CBMEM init depends on !VBOOT # TODO: can only allow this once vboot fully integrated depends on NO_XIP_EARLY_STAGES help Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities for CBFS verification. This means that data from flash must be verified every time it is loaded (not just the first time), which requires a bit more overhead and is incompatible with certain configurations. Using this option only makes sense when the mechanism securing the bootblock is also safe against these vulnerabilities (i.e. there's no point in enabling this when you just rely on flash write-protection). config CBFS_HASH_ALGO int default 1 if CBFS_HASH_SHA1 default 2 if CBFS_HASH_SHA256 default 3 if CBFS_HASH_SHA512 choice prompt "Hash algorithm" default CBFS_HASH_SHA256 help Select the hash algorithm used in CBFS verification. Note that SHA-1 is generally considered insecure today and should not be used without good reason. When using CBFS verification together with measured boot, using the same hash algorithm (usually SHA-256) for both is more efficient. config CBFS_HASH_SHA1 bool "SHA-1" config CBFS_HASH_SHA256 bool "SHA-256" config CBFS_HASH_SHA512 bool "SHA-512" endchoice endif endmenu