blob: 9a9ba3189dea5443451feae8154ba4050a7c3503
# SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
#
# This file is sourced from src/security/Kconfig for menuconfig convenience.

menu "CBFS verification"

config CBFS_VERIFICATION
	bool "Enable CBFS verification"
	depends on !VBOOT_STARTS_BEFORE_BOOTBLOCK # this is gonna get tricky...
	select VBOOT_LIB
	help
	  Say yes here to enable code that cryptographically verifies each CBFS
	  file as it gets loaded by chaining it to a trust anchor that is
	  embedded in the bootblock. This only makes sense if you use some
	  out-of-band mechanism to guarantee the integrity of the bootblock
	  itself, such as Intel Boot Guard or flash write-protection.

	  If a CBFS image was created with this option enabled, cbfstool will
	  automatically update the hash embedded in the bootblock whenever it
	  modifies the CBFS.

if CBFS_VERIFICATION

config TOCTOU_SAFETY
	bool "Protect against time-of-check vs. time-of-use vulnerabilities"
	depends on !NO_FMAP_CACHE
	depends on !NO_CBFS_MCACHE
	depends on !USE_OPTION_TABLE && !FSP_CAR # Known to access CBFS before CBMEM init
	depends on !VBOOT # TODO: can only allow this once vboot fully integrated
	depends on NO_XIP_EARLY_STAGES
	help
	  Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
	  for CBFS verification. This means that data from flash must be verified
	  every time it is loaded (not just the first time), which requires a bit
	  more overhead and is incompatible with certain configurations.

	  Using this option only makes sense when the mechanism securing the
	  bootblock is also safe against these vulnerabilities (i.e. there's no
	  point in enabling this when you just rely on flash write-protection).

config CBFS_HASH_ALGO
	int
	default 1 if CBFS_HASH_SHA1
	default 2 if CBFS_HASH_SHA256
	default 3 if CBFS_HASH_SHA512

choice
	prompt "Hash algorithm"
	default CBFS_HASH_SHA256
	help
	  Select the hash algorithm used in CBFS verification. Note that SHA-1 is
	  generally considered insecure today and should not be used without good
	  reason. When using CBFS verification together with measured boot, using
	  the same hash algorithm (usually SHA-256) for both is more efficient.

config CBFS_HASH_SHA1
	bool "SHA-1"

config CBFS_HASH_SHA256
	bool "SHA-256"

config CBFS_HASH_SHA512
	bool "SHA-512"

endchoice

endif

endmenu
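The CBFS_VERIFICATION and TOCTOU_SAFETY help texts above describe file hashes chained to a trust anchor in the bootblock, and re-verification on every load rather than only the first. The Python model below is an added example, not coreboot or cbfstool code: it constructs a stand-in flash image and anchor, and a hypothetical CbfsLoader whose toctou_safety flag follows the help text (the names build_image, CbfsLoader and demo, and the flat metadata-table layout, are assumptions; the CBFS_HASH_ALGO numbering follows the Kconfig above).

```python
import hashlib

# Kconfig CBFS_HASH_ALGO values on the page: 1 = SHA-1, 2 = SHA-256, 3 = SHA-512.
HASH_ALGOS = {1: "sha1", 2: "sha256", 3: "sha512"}

def digest(algo, data):
    return hashlib.new(HASH_ALGOS[algo], data).digest()

def metadata_digest(metadata, algo):
    # Hash over the file-name -> file-hash table. This stands in for the value
    # cbfstool embeds in the bootblock (a simplification of the real layout).
    return digest(algo, b"".join(n.encode() + h for n, h in sorted(metadata.items())))

def build_image(files, algo):
    """Return (flash, anchor): a constructed stand-in for the SPI image and the
    trust anchor assumed to live in the write-protected bootblock."""
    metadata = {name: digest(algo, data) for name, data in files.items()}
    flash = {"files": dict(files), "metadata": metadata}
    return flash, metadata_digest(metadata, algo)

class CbfsLoader:
    """Hypothetical loader. With toctou_safety every load re-hashes the bytes
    actually read from flash; without it a file verified once stays trusted."""
    def __init__(self, flash, anchor, algo, toctou_safety):
        self.flash, self.anchor, self.algo = flash, anchor, algo
        self.toctou_safety = toctou_safety
        self.verified = set()

    def load(self, name):
        metadata = self.flash["metadata"]
        if metadata_digest(metadata, self.algo) != self.anchor:
            raise ValueError("metadata does not match bootblock trust anchor")
        data = self.flash["files"][name]  # bytes read from flash (time of use)
        if self.toctou_safety or name not in self.verified:
            if digest(self.algo, data) != metadata[name]:  # time of check
                raise ValueError(f"{name}: hash mismatch")
            self.verified.add(name)
        return data

def demo(toctou_safety, algo=2):
    """Load a payload twice while the flash contents change in between (as they
    can if the flash protection is not itself TOCTOU-safe). Returns the bytes
    the second load handed out, or None if that load was rejected."""
    flash, anchor = build_image({"fallback/payload": b"payload-v1"}, algo)
    loader = CbfsLoader(flash, anchor, algo, toctou_safety)
    assert loader.load("fallback/payload") == b"payload-v1"
    flash["files"]["fallback/payload"] = b"payload-v2"  # constructed change
    try:
        return loader.load("fallback/payload")
    except ValueError:
        return None
```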