Gitiles
Code Review Sign In
review.coreboot.org / coreboot / d13118320030c6df48ad33243d48c3ff34cb67d7 / . / src / lib / Kconfig.cbfs_verification
blob: 9b053e1c1658cf4b45787fdf10926368d07a94bd [file] [log] [blame]
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]1# SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
2#
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]3# This file is sourced from src/security/Kconfig for menuconfig convenience.
4
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]5menu "CBFS verification"
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]6
7config CBFS_VERIFICATION
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]8 bool "Enable CBFS verification"
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]9 select VBOOT_LIB
10 help
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]11 Say yes here to enable code that cryptographically verifies each CBFS
12 file as it gets loaded by chaining it to a trust anchor that is
13 embedded in the bootblock. This only makes sense if you use some
14 out-of-band mechanism to guarantee the integrity of the bootblock
Paul Menzel7f5a1ee2021-12-15 10:47:05 +0100[diff] [blame]15 itself, such as Intel Boot Guard or flash write-protection.
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]16
17 If a CBFS image was created with this option enabled, cbfstool will
18 automatically update the hash embedded in the bootblock whenever it
19 modifies the CBFS.
20
21if CBFS_VERIFICATION
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]22
23config TOCTOU_SAFETY
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]24 bool "Protect against time-of-check vs. time-of-use vulnerabilities"
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]25 depends on !NO_FMAP_CACHE
26 depends on !NO_CBFS_MCACHE
Julius Werner34cf0732020-12-08 14:21:43 -0800[diff] [blame]27 depends on !USE_OPTION_TABLE && !FSP_CAR # Known to access CBFS before CBMEM init
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]28 depends on !VBOOT # TODO: can only allow this once vboot fully integrated
29 depends on NO_XIP_EARLY_STAGES
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]30 help
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]31 Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
32 for CBFS verification. This means that data from flash must be verified
33 every time it is loaded (not just the first time), which requires a bit
34 more overhead and is incompatible with certain configurations.
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]35
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]36 Using this option only makes sense when the mechanism securing the
37 bootblock is also safe against these vulnerabilities (i.e. there's no
38 point in enabling this when you just rely on flash write-protection).
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]39
40config CBFS_HASH_ALGO
41 int
42 default 1 if CBFS_HASH_SHA1
43 default 2 if CBFS_HASH_SHA256
44 default 3 if CBFS_HASH_SHA512
45
46choice
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]47 prompt "Hash algorithm"
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]48 default CBFS_HASH_SHA256
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]49 help
50 Select the hash algorithm used in CBFS verification. Note that SHA-1 is
51 generally considered insecure today and should not be used without good
52 reason. When using CBFS verification together with measured boot, using
53 the same hash algorithm (usually SHA-256) for both is more efficient.
Julius Wernerfdabf3f2020-05-06 17:06:35 -0700[diff] [blame]54
55config CBFS_HASH_SHA1
56 bool "SHA-1"
57
58config CBFS_HASH_SHA256
59 bool "SHA-256"
60
61config CBFS_HASH_SHA512
62 bool "SHA-512"
63
64endchoice
65
Julius Werner25096eb2021-12-08 10:04:25 -0800[diff] [blame]66endif
67
68endmenu