# SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
#
# This file is sourced from src/security/Kconfig for menuconfig convenience.

menu "CBFS verification"

config CBFS_VERIFICATION
	bool "Enable CBFS verification"
	select VBOOT_LIB
	help
	  Say yes here to enable code that cryptographically verifies each CBFS
	  file as it gets loaded by chaining it to a trust anchor that is
	  embedded in the bootblock. This only makes sense if you use some
	  out-of-band mechanism to guarantee the integrity of the bootblock
	  itself, such as Intel Boot Guard or flash write-protection.

	  If a CBFS image was created with this option enabled, cbfstool will
	  automatically update the hash embedded in the bootblock whenever it
	  modifies the CBFS.

if CBFS_VERIFICATION

config TOCTOU_SAFETY
	bool "Protect against time-of-check vs. time-of-use vulnerabilities"
	depends on !NO_FMAP_CACHE
	depends on !NO_CBFS_MCACHE
	depends on !USE_OPTION_TABLE && !FSP_CAR # Known to access CBFS before CBMEM init
	depends on !VBOOT || VBOOT_CBFS_INTEGRATION
	depends on NO_XIP_EARLY_STAGES
	help
	  Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
	  for CBFS verification. This means that data from flash must be verified
	  every time it is loaded (not just the first time), which requires a bit
	  more overhead and is incompatible with certain configurations.

	  Using this option only makes sense when the mechanism securing the
	  bootblock is also safe against these vulnerabilities (i.e. there's no
	  point in enabling this when you just rely on flash write-protection).

config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
	bool "Run decompression algorithms on potentially untrusted code"
	default n
	help
	  This controls whether cbfs_unverified_area_...() access functions may
	  decompress files. This exposes the attack surface of all supported
	  decompression algorithms. Even if you don't compress the files you are
	  planning to load with these functions, since file metadata is also
	  unverified, an attacker can potentially replace them with compressed
	  files to access a vulnerability in the decompression code.

	  If you don't need to load compressed files from unverified areas, say
	  no here for tighter security.

config CBFS_HASH_ALGO
	int
	default 1 if CBFS_HASH_SHA1
	default 2 if CBFS_HASH_SHA256
	default 3 if CBFS_HASH_SHA512

choice
	prompt "Hash algorithm"
	default CBFS_HASH_SHA256
	help
	  Select the hash algorithm used in CBFS verification. Note that SHA-1 is
	  generally considered insecure today and should not be used without good
	  reason. When using CBFS verification together with measured boot, using
	  the same hash algorithm (usually SHA-256) for both is more efficient.

config CBFS_HASH_SHA1
	bool "SHA-1"

config CBFS_HASH_SHA256
	bool "SHA-256"

config CBFS_HASH_SHA512
	bool "SHA-512"

endchoice

endif

endmenu
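The chained verification and the TOCTOU_SAFETY help text above, as an added Python model that is not part of coreboot or of this Kconfig file: a constructed flash image with a file table whose SHA-256 is the bootblock's trust anchor, a loader that copies data out of flash before hashing the copy, and a flag that selects between hashing a file on every load and only on its first load. The flash layout, table format, class and function names are assumptions for illustration only.

```python
# Constructed model of chained CBFS verification and the TOCTOU_SAFETY option.
# Not coreboot code: flash layout, table format and loader are simplified.
import hashlib
import struct

def sha256(data):
    return hashlib.sha256(data).digest()

def build_flash(files):
    # Flash = 4-byte table length, a table of 'name:size:sha256hex' lines, then
    # the bodies in table order. The anchor is the table hash the bootblock embeds.
    table = "".join(f"{n}:{len(d)}:{sha256(d).hex()}\n" for n, d in files.items()).encode()
    flash = struct.pack(">I", len(table)) + table + b"".join(files.values())
    return bytearray(flash), sha256(table)

class Loader:
    def __init__(self, flash, anchor, toctou_safe):
        self.flash, self.toctou_safe, self.verified_once = flash, toctou_safe, set()
        self.entries = self._read_table(anchor)  # verified copy kept in RAM
    def _read_table(self, anchor):
        n = struct.unpack_from(">I", self.flash, 0)[0]
        table = bytes(self.flash[4:4 + n])       # copy out of flash, hash the copy
        if sha256(table) != anchor:
            raise ValueError("file table does not match the bootblock anchor")
        entries, off = {}, 4 + n
        for line in table.decode().splitlines():
            name, size, digest = line.split(":")
            entries[name] = (off, int(size), bytes.fromhex(digest))
            off += int(size)
        return entries
    def load(self, name):
        off, size, digest = self.entries[name]
        data = bytes(self.flash[off:off + size])  # copy out of flash, hash the copy
        # Without TOCTOU_SAFETY a file is hashed only the first time it is loaded.
        if self.toctou_safe or name not in self.verified_once:
            if sha256(data) != digest:
                raise ValueError(f"{name}: hash mismatch")
            self.verified_once.add(name)
        return data

def second_load_after_rewrite(toctou_safe):
    # Load 'payload', rewrite it in flash (same size), reload; return bytes or error text.
    flash, anchor = build_flash({"payload": b"good payload", "config": b"cfg"})
    loader = Loader(flash, anchor, toctou_safe)
    assert loader.load("payload") == b"good payload"
    body = 4 + struct.unpack_from(">I", flash, 0)[0]  # first body follows the table
    flash[body:body + 12] = b"BAD  payload"
    try:
        return loader.load("payload")
    except ValueError as err:
        return str(err)
```

With the flag off the second load hands back the rewritten bytes unchecked; with it on the rewrite is caught because the copy is hashed again on every load, which is the cost the help text refers to.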