soc/intel/cse: remove cbfs_unverified_area_map() API in cse_lite

With the CBFS verification feature (CONFIG_VBOOT_CBFS_INTEGRATION)
enabled, we can now remove the cbfs_unverified_area_map() APIs,
which are a potential cause of security issues as they skip verification.

These APIs were used earlier to skip verification and hence save
boot time. With CBFS verification enabled, the files are verified
only when they are loaded, so we can now use the cbfs_cbmem_alloc()/
cbfs_map() functions to load them.

BUG=b:284382452
Change-Id: Ie0266e50463926b8d377825142afda7f44754eb7
Signed-off-by: Rizwan Qureshi <rizwan.qureshi@intel.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/78214
Reviewed-by: Jérémy Compostella <jeremy.compostella@intel.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Jamie Ryu <jamie.m.ryu@intel.com>
diff --git a/src/soc/intel/common/block/cse/Makefile.inc b/src/soc/intel/common/block/cse/Makefile.inc
index 6798c68..3327757 100644
--- a/src/soc/intel/common/block/cse/Makefile.inc
+++ b/src/soc/intel/common/block/cse/Makefile.inc
@@ -82,8 +82,9 @@
 endif
 
 CSE_LITE_ME_RW = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME))
-regions-for-file-$(CSE_LITE_ME_RW) = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME)), \
-					$(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME))
+
+regions-for-file-$(CSE_LITE_ME_RW) = FW_MAIN_A,FW_MAIN_B
+
 cbfs-files-y += $(CSE_LITE_ME_RW)
 $(CSE_LITE_ME_RW)-file := $(CSE_RW_FILE)
 $(CSE_LITE_ME_RW)-name := $(CSE_LITE_ME_RW)
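Review bot: After this change neither file shown here references `CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME` or `CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME` any more, and the next Makefile hunk drops the last visible use of `CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME`. If the Kconfig entries are not removed elsewhere in this commit, boards can keep setting them and assume the RW blob still lives in a dedicated region, when it is now fixed to `FW_MAIN_A,FW_MAIN_B`. A one-line comment above the assignment would record why the regions are hard-coded, e.g. `# Must be in the vboot RW CBFS so cbfs_map()/cbfs_cbmem_alloc() can find and verify it`.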
@@ -102,15 +103,6 @@
 $(CSE_RW_VERSION)-name := $(CSE_RW_VERSION)
 $(CSE_RW_VERSION)-type := raw
 
-$(obj)/cse_rw.hash: $(CSE_RW_FILE)
-	openssl dgst -sha256 -binary $< > $@
-
-CSE_RW_HASH = $(call strip_quotes,$(CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME))
-regions-for-file-$(CSE_RW_HASH) = FW_MAIN_A,FW_MAIN_B
-cbfs-files-y += $(CSE_RW_HASH)
-$(CSE_RW_HASH)-file := $(obj)/cse_rw.hash
-$(CSE_RW_HASH)-name := $(CSE_RW_HASH)
-$(CSE_RW_HASH)-type := raw
 endif
 
 ifeq ($(CONFIG_SOC_INTEL_CSE_SUB_PART_UPDATE),y)
diff --git a/src/soc/intel/common/block/cse/cse_lite.c b/src/soc/intel/common/block/cse/cse_lite.c
index d21c933..8e8e221 100644
--- a/src/soc/intel/common/block/cse/cse_lite.c
+++ b/src/soc/intel/common/block/cse/cse_lite.c
@@ -785,18 +785,6 @@
 	return CB_SUCCESS;
 }
 
-static const char *cse_get_source_rdev_fmap(void)
-{
-	struct vb2_context *ctx = vboot_get_context();
-	if (ctx == NULL)
-		return NULL;
-
-	if (vboot_is_firmware_slot_a(ctx))
-		return CONFIG_SOC_INTEL_CSE_RW_A_FMAP_NAME;
-
-	return CONFIG_SOC_INTEL_CSE_RW_B_FMAP_NAME;
-}
-
 /*
  * Compare versions of CSE CBFS sub-component and CSE sub-component partition
  * In case of CSE component comparison:
@@ -816,29 +804,6 @@
 		return a->build - b->build;
 }
 
-/* The function calculates SHA-256 of CSE RW blob and compares it with the provided SHA value */
-static bool cse_verify_cbfs_rw_sha256(const uint8_t *expected_rw_blob_sha,
-		const void *rw_blob, const size_t rw_blob_sz)
-
-{
-	struct vb2_hash calculated;
-
-	if (vb2_hash_calculate(vboot_hwcrypto_allowed(), rw_blob, rw_blob_sz,
-			       VB2_HASH_SHA256, &calculated)) {
-		printk(BIOS_ERR, "cse_lite: CSE CBFS RW's SHA-256 calculation has failed\n");
-		return false;
-	}
-
-	if (memcmp(expected_rw_blob_sha, calculated.sha256, sizeof(calculated.sha256))) {
-		printk(BIOS_ERR, "cse_lite: Computed CBFS RW's SHA-256 does not match with"
-				"the provided SHA in the metadata\n");
-		return false;
-	}
-	printk(BIOS_SPEW, "cse_lite: Computed SHA of CSE CBFS RW Image matches the"
-			" provided hash in the metadata\n");
-	return true;
-}
-
 static enum cb_err cse_erase_rw_region(const struct region_device *target_rdev)
 {
 	if (rdev_eraseat(target_rdev, 0, region_device_sz(target_rdev)) < 0) {
@@ -1014,39 +979,21 @@
 		struct region_device *target_rdev)
 {
 	enum csme_failure_reason rv;
-	uint8_t *cbfs_rw_hash;
 	void *cse_cbfs_rw = NULL;
 	size_t size;
 
-	const char *area_name = cse_get_source_rdev_fmap();
-	if (!area_name)
-		return CSE_LITE_SKU_RW_BLOB_NOT_FOUND;
-
 	if (CONFIG(SOC_INTEL_CSE_LITE_COMPRESS_ME_RW)) {
-		cse_cbfs_rw = cbfs_unverified_area_cbmem_alloc(area_name,
-			CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, CBMEM_ID_CSE_UPDATE, &size);
+		cse_cbfs_rw = cbfs_cbmem_alloc(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME,
+			CBMEM_ID_CSE_UPDATE, &size);
 	} else {
-		cse_cbfs_rw = cbfs_unverified_area_map(area_name,
-			CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, &size);
+		cse_cbfs_rw = cbfs_map(CONFIG_SOC_INTEL_CSE_RW_CBFS_NAME, &size);
 	}
+
 	if (!cse_cbfs_rw) {
 		printk(BIOS_ERR, "cse_lite: CSE CBFS RW blob could not be mapped\n");
 		return CSE_LITE_SKU_RW_BLOB_NOT_FOUND;
 	}
 
-	cbfs_rw_hash = cbfs_map(CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME, NULL);
-	if (!cbfs_rw_hash) {
-		printk(BIOS_ERR, "cse_lite: Failed to get %s\n",
-		       CONFIG_SOC_INTEL_CSE_RW_HASH_CBFS_NAME);
-		rv = CSE_LITE_SKU_RW_METADATA_NOT_FOUND;
-		goto error_exit;
-	}
-
-	if (!cse_verify_cbfs_rw_sha256(cbfs_rw_hash, cse_cbfs_rw, size)) {
-		rv = CSE_LITE_SKU_RW_BLOB_SHA256_MISMATCH;
-		goto error_exit;
-	}
-
 	if (cse_prep_for_rw_update(status) != CB_SUCCESS) {
 		rv = CSE_COMMUNICATION_ERROR;
 		goto error_exit;
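Review bot: With the SHA-256 compare removed, the only integrity check on the blob handed to `cse_update_rw()` is whatever `cbfs_cbmem_alloc()`/`cbfs_map()` perform, and nothing in the visible lines ties this code to CONFIG_VBOOT_CBFS_INTEGRATION being enabled. If Kconfig does not already enforce that dependency, the assumption should at least be recorded above the load, e.g. `/* No separate hash check: relies on CBFS verification (CONFIG_VBOOT_CBFS_INTEGRATION) */`. A verification failure also now appears to surface as a NULL return and `CSE_LITE_SKU_RW_BLOB_NOT_FOUND`, so the log no longer separates a missing blob from a mismatching one. The `BIOS_ERR` text could say so, e.g. `"cse_lite: CSE CBFS RW blob not found or failed verification\n"`. The function starts before this hunk and continues into the next one.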
@@ -1056,7 +1003,6 @@
 	rv = cse_update_rw(cse_cbfs_rw, size, target_rdev);
 
 error_exit:
-	cbfs_unmap(cbfs_rw_hash);
 	cbfs_unmap(cse_cbfs_rw);
 	return rv;
 }