summaryrefslogtreecommitdiff
path: root/src/lib/Kconfig.cbfs_verification
blob: 6482e06b200fc436ea55374eeafd7b5415486cdb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
#
# This file is sourced from src/security/Kconfig for menuconfig convenience.

menu "CBFS verification"

config CBFS_VERIFICATION
	bool "Enable CBFS verification"
	select VBOOT_LIB
	help
	  Say yes here to enable code that cryptographically verifies each CBFS
	  file as it gets loaded by chaining it to a trust anchor that is
	  embedded in the bootblock. This only makes sense if you use some
	  out-of-band mechanism to guarantee the integrity of the bootblock
	  itself, such as Intel Boot Guard or flash write-protection.

	  If a CBFS image was created with this option enabled, cbfstool will
	  automatically update the hash embedded in the bootblock whenever it
	  modifies the CBFS.

if CBFS_VERIFICATION

config TOCTOU_SAFETY
	bool "Protect against time-of-check vs. time-of-use vulnerabilities"
	depends on !NO_FMAP_CACHE
	depends on !NO_CBFS_MCACHE
	depends on !USE_OPTION_TABLE && !FSP_CAR  # Known to access CBFS before CBMEM init
	depends on !VBOOT || VBOOT_CBFS_INTEGRATION
	depends on NO_XIP_EARLY_STAGES
	help
	  Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
	  for CBFS verification. This means that data from flash must be verified
	  every time it is loaded (not just the first time), which requires a bit
	  more overhead and is incompatible with certain configurations.

	  Using this option only makes sense when the mechanism securing the
	  bootblock is also safe against these vulnerabilities (i.e. there's no
	  point in enabling this when you just rely on flash write-protection).

config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
	bool "Run decompression algorithms on potentially untrusted code"
	default n
	help
	  This controls whether cbfs_unverified_area_...() access functions may
	  decompress files. This exposes the attack surface of all supported
	  decompression algorithms. Even if you don't compress the files you are
	  planning to load with these functions, since file metadata is also
	  unverified, an attacker can potentially replace them with compressed
	  files to access a vulnerability in the decompression code.

	  If you don't need to load compressed files from unverified areas, say
	  no here for tighter security.

config CBFS_HASH_ALGO
	int
	default 1 if CBFS_HASH_SHA1
	default 2 if CBFS_HASH_SHA256
	default 3 if CBFS_HASH_SHA512

choice
	prompt "Hash algorithm"
	default CBFS_HASH_SHA256
	help
	  Select the hash algorithm used in CBFS verification. Note that SHA-1 is
	  generally considered insecure today and should not be used without good
	  reason. When using CBFS verification together with measured boot, using
	  the same hash algorithm (usually SHA-256) for both is more efficient.

config CBFS_HASH_SHA1
	bool "SHA-1"

config CBFS_HASH_SHA256
	bool "SHA-256"

config CBFS_HASH_SHA512
	bool "SHA-512"

endchoice

endif

endmenu