# SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
#
# This file is sourced from src/security/Kconfig for menuconfig convenience.
#
# Commits shown in the blame view of this file:
#   fdabf3f  Julius Werner  2020-05-06 17:06:35 -0700
#   34cf073  Julius Werner  2020-12-08 14:21:43 -0800
#   25096eb  Julius Werner  2021-12-08 10:04:25 -0800
#   7f5a1ee  Paul Menzel    2021-12-15 10:47:05 +0100

menu "CBFS verification"

config CBFS_VERIFICATION
	bool "Enable CBFS verification"
	select VBOOT_LIB
	help
	  Say yes here to enable code that cryptographically verifies each CBFS
	  file as it gets loaded by chaining it to a trust anchor that is
	  embedded in the bootblock. This only makes sense if you use some
	  out-of-band mechanism to guarantee the integrity of the bootblock
	  itself, such as Intel Boot Guard or flash write-protection.

	  If a CBFS image was created with this option enabled, cbfstool will
	  automatically update the hash embedded in the bootblock whenever it
	  modifies the CBFS.

if CBFS_VERIFICATION

config TOCTOU_SAFETY
	bool "Protect against time-of-check vs. time-of-use vulnerabilities"
	depends on !NO_FMAP_CACHE
	depends on !NO_CBFS_MCACHE
	depends on !USE_OPTION_TABLE && !FSP_CAR # Known to access CBFS before CBMEM init
	depends on !VBOOT # TODO: can only allow this once vboot fully integrated
	depends on NO_XIP_EARLY_STAGES
	help
	  Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
	  for CBFS verification. This means that data from flash must be verified
	  every time it is loaded (not just the first time), which requires a bit
	  more overhead and is incompatible with certain configurations.

	  Using this option only makes sense when the mechanism securing the
	  bootblock is also safe against these vulnerabilities (i.e. there's no
	  point in enabling this when you just rely on flash write-protection).

config CBFS_HASH_ALGO
	int
	default 1 if CBFS_HASH_SHA1
	default 2 if CBFS_HASH_SHA256
	default 3 if CBFS_HASH_SHA512

choice
	prompt "Hash algorithm"
	default CBFS_HASH_SHA256
	help
	  Select the hash algorithm used in CBFS verification. Note that SHA-1 is
	  generally considered insecure today and should not be used without good
	  reason. When using CBFS verification together with measured boot, using
	  the same hash algorithm (usually SHA-256) for both is more efficient.

config CBFS_HASH_SHA1
	bool "SHA-1"

config CBFS_HASH_SHA256
	bool "SHA-256"

config CBFS_HASH_SHA512
	bool "SHA-512"

endchoice

endif

endmenu