Blame as rendered on the page: Julius Werner fdabf3f 2020-05-06, 34cf073 2020-12-08, 25096eb 2021-12-08, 6e303aa 2023-05-25; Paul Menzel 7f5a1ee 2021-12-15.

# SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
#
# This file is sourced from src/security/Kconfig for menuconfig convenience.

menu "CBFS verification"

config CBFS_VERIFICATION
	bool "Enable CBFS verification"
	select VBOOT_LIB
	help
	  Say yes here to enable code that cryptographically verifies each CBFS
	  file as it gets loaded by chaining it to a trust anchor that is
	  embedded in the bootblock. This only makes sense if you use some
	  out-of-band mechanism to guarantee the integrity of the bootblock
	  itself, such as Intel Boot Guard or flash write-protection.

	  If a CBFS image was created with this option enabled, cbfstool will
	  automatically update the hash embedded in the bootblock whenever it
	  modifies the CBFS.

if CBFS_VERIFICATION

config TOCTOU_SAFETY
	bool "Protect against time-of-check vs. time-of-use vulnerabilities"
	depends on !NO_FMAP_CACHE
	depends on !NO_CBFS_MCACHE
	depends on !USE_OPTION_TABLE && !FSP_CAR # Known to access CBFS before CBMEM init
	depends on !VBOOT # TODO: can only allow this once vboot fully integrated
	depends on NO_XIP_EARLY_STAGES
	help
	  Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
	  for CBFS verification. This means that data from flash must be verified
	  every time it is loaded (not just the first time), which requires a bit
	  more overhead and is incompatible with certain configurations.

	  Using this option only makes sense when the mechanism securing the
	  bootblock is also safe against these vulnerabilities (i.e. there's no
	  point in enabling this when you just rely on flash write-protection).

config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
	bool "Run decompression algorithms on potentially untrusted code"
	default n
	help
	  This controls whether cbfs_unverified_area_...() access functions may
	  decompress files. This exposes the attack surface of all supported
	  decompression algorithms. Even if you don't compress the files you plan
	  to load with these functions, file metadata is also unverified, so an
	  attacker could replace them with compressed files to reach a
	  vulnerability in the decompression code.

	  If you don't need to load compressed files from unverified areas, say
	  no here for tighter security.

config CBFS_HASH_ALGO
	int
	default 1 if CBFS_HASH_SHA1
	default 2 if CBFS_HASH_SHA256
	default 3 if CBFS_HASH_SHA512

choice
	prompt "Hash algorithm"
	default CBFS_HASH_SHA256
	help
	  Select the hash algorithm used in CBFS verification. Note that SHA-1 is
	  generally considered insecure today and should not be used without good
	  reason. When using CBFS verification together with measured boot, using
	  the same hash algorithm (usually SHA-256) for both is more efficient.

config CBFS_HASH_SHA1
	bool "SHA-1"

config CBFS_HASH_SHA256
	bool "SHA-256"

config CBFS_HASH_SHA512
	bool "SHA-512"

endchoice

endif

endmenu
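The TOCTOU_SAFETY help text above says that, without it, data from flash is verified only the first time it is loaded. The following C program is an added illustration of what that means and is not coreboot's CBFS code: it simulates a flash region holding one file, a trust anchor of the kind the bootblock carries, and two loader designs. Design A checks the hash once and then copies straight from flash on later loads; Design B copies into RAM first, hashes that copy, and only hands it out on a match, repeating this on every load. The hash is a toy 64-bit FNV-1a stand-in for the configured algorithm (SHA-256 by default), the flash contents are constructed sample bytes, and all names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILE_LEN 32

/* Toy stand-in for the configured CBFS hash: 64-bit FNV-1a. Assumption for
 * brevity only; it has no cryptographic strength and is not what coreboot uses. */
static uint64_t toy_hash(const uint8_t *data, size_t len)
{
	uint64_t h = 0xcbf29ce484222325ULL;
	for (size_t i = 0; i < len; i++) {
		h ^= data[i];
		h *= 0x100000001b3ULL;
	}
	return h;
}

/* Simulated SPI flash holding one CBFS file body (constructed sample data). */
struct sim_flash { uint8_t file[FILE_LEN]; };

/* Trust anchor as it would sit in the bootblock, which the Kconfig text assumes
 * is protected out-of-band (Boot Guard, write-protection, ...). */
struct trust_anchor { uint64_t expected; };

/* Design A: hash the file on first access, remember the verdict, then copy
 * directly from flash on every later access. The bytes used on the second
 * load are never the bytes that were checked. */
struct cached_loader { const struct sim_flash *flash; bool verified; };

static int cached_load(struct cached_loader *l, const struct trust_anchor *ta,
		       uint8_t out[FILE_LEN])
{
	if (!l->verified) {
		if (toy_hash(l->flash->file, FILE_LEN) != ta->expected)
			return -1;
		l->verified = true;
	}
	memcpy(out, l->flash->file, FILE_LEN); /* re-reads flash, no re-hash */
	return 0;
}

/* Design B (TOCTOU-safe): read flash into RAM exactly once, hash the RAM copy,
 * and release it only on a match. Done on every load, so a later flash change
 * is caught; hashing the copy rather than the flash also closes the window
 * between check and use inside a single load. */
static int safe_load(const struct sim_flash *flash, const struct trust_anchor *ta,
		     uint8_t out[FILE_LEN])
{
	uint8_t tmp[FILE_LEN];
	memcpy(tmp, flash->file, FILE_LEN);
	if (toy_hash(tmp, FILE_LEN) != ta->expected)
		return -1;
	memcpy(out, tmp, FILE_LEN);
	return 0;
}

/* Scenario for both checks: a genuine file is loaded once, then the flash
 * contents change (e.g. a write from another bus master), then it is loaded
 * again. Returns 1 if Design A handed out the changed bytes as verified. */
int cached_loader_accepts_changed_flash(void)
{
	struct sim_flash flash;
	memset(flash.file, 0x11, FILE_LEN);
	struct trust_anchor ta = { .expected = toy_hash(flash.file, FILE_LEN) };
	struct cached_loader l = { .flash = &flash, .verified = false };
	uint8_t buf[FILE_LEN];

	if (cached_load(&l, &ta, buf) != 0)
		return -1;                    /* genuine data must load */
	memset(flash.file, 0x22, FILE_LEN);   /* flash changes after the check */
	if (cached_load(&l, &ta, buf) != 0)
		return 0;                     /* change was detected */
	return buf[0] == 0x22;                /* 1: unverified bytes accepted */
}

/* Same scenario against Design B. Returns 1 if the second load is rejected. */
int safe_loader_rejects_changed_flash(void)
{
	struct sim_flash flash;
	memset(flash.file, 0x11, FILE_LEN);
	struct trust_anchor ta = { .expected = toy_hash(flash.file, FILE_LEN) };
	uint8_t buf[FILE_LEN];

	if (safe_load(&flash, &ta, buf) != 0)
		return -1;
	memset(flash.file, 0x22, FILE_LEN);
	return safe_load(&flash, &ta, buf) == -1;
}

int main(void)
{
	printf("Design A accepts changed flash: %d\n", cached_loader_accepts_changed_flash());
	printf("Design B rejects changed flash: %d\n", safe_loader_rejects_changed_flash());
	return 0;
}
```

Design B costs a hash per load, which is the "bit more overhead" the help text mentions, and it only closes the gap if the anchor itself cannot change between loads, which is why the text says enabling it is pointless when bootblock integrity rests on flash write-protection alone.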