 1  # SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
 2  #
 3  # This file is sourced from src/security/Kconfig for menuconfig convenience.
 4  
 5  menu "CBFS verification"
 6  
 7  config CBFS_VERIFICATION
    	# Trust model (from the help text below): each CBFS file is checked
    	# against a hash embedded in the bootblock, so the anchor is only as
    	# trustworthy as whatever protects the bootblock itself (Boot Guard,
    	# flash write-protection). Without TOCTOU_SAFETY below, a file is
    	# checked only the first time it is loaded (see that option's help).
 8  	bool "Enable CBFS verification"
    	# VBOOT_LIB is presumably where the hash implementation comes from --
    	# confirm in src/security/Kconfig.
 9  	select VBOOT_LIB
10  	help
11  	  Say yes here to enable code that cryptographically verifies each CBFS
12  	  file as it gets loaded by chaining it to a trust anchor that is
13  	  embedded in the bootblock. This only makes sense if you use some
14  	  out-of-band mechanism to guarantee the integrity of the bootblock
15  	  itself, such as Intel Boot Guard or flash write-protection.
16  
17  	  If a CBFS image was created with this option enabled, cbfstool will
18  	  automatically update the hash embedded in the bootblock whenever it
19  	  modifies the CBFS.
20  
21  if CBFS_VERIFICATION
22  
23  config TOCTOU_SAFETY
    	# Re-verifies flash-backed data on every load instead of only the first
    	# time (see help). The dependencies below exclude configurations that
    	# read CBFS outside the verified path; except where commented inline,
    	# the reasons given here are inferred and should be confirmed.
24  	bool "Protect against time-of-check vs. time-of-use vulnerabilities"
    	# Presumably needs the in-memory FMAP/CBFS metadata caches so that
    	# metadata is not re-read from flash between check and use -- confirm.
25  	depends on !NO_FMAP_CACHE
26  	depends on !NO_CBFS_MCACHE
27  	depends on !USE_OPTION_TABLE && !FSP_CAR  # Known to access CBFS before CBMEM init
    	# With VBOOT, presumably only the CBFS-integrated flow keeps every load
    	# on the verified path -- confirm.
28  	depends on !VBOOT || VBOOT_CBFS_INTEGRATION
    	# Execute-in-place stages run straight from flash after the check, which
    	# is presumably why they cannot be made TOCTOU-safe -- confirm.
29  	depends on NO_XIP_EARLY_STAGES
30  	help
31  	  Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
32  	  for CBFS verification. This means that data from flash must be verified
33  	  every time it is loaded (not just the first time), which requires a bit
34  	  more overhead and is incompatible with certain configurations.
35  
36  	  Using this option only makes sense when the mechanism securing the
37  	  bootblock is also safe against these vulnerabilities (i.e. there's no
38  	  point in enabling this when you just rely on flash write-protection).
39  
40  config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
    	# Off by default: the cbfs_unverified_area_...() helpers read metadata
    	# and data that have not been checked against the trust anchor, so
    	# allowing decompression puts the decompressor in front of unverified
    	# input. Leave it off unless a caller really needs compressed files
    	# from an unverified area (see help).
41  	bool "Run decompression algorithms on potentially untrusted code"
42  	default n
43  	help
44  	  This controls whether cbfs_unverified_area_...() access functions may
45  	  decompress files. This exposes the attack surface of all supported
46  	  decompression algorithms. Even if you don't compress the files you are
47  	  planning to load with these functions, since file metadata is also
48  	  unverified, an attacker can potentially replace them with compressed
49  	  files to access a vulnerability in the decompression code.
50  
51  	  If you don't need to load compressed files from unverified areas, say
52  	  no here for tighter security.
53  
54  config CBFS_HASH_ALGO
    	# Integer form of the "Hash algorithm" choice below, for consumers that
    	# need a number rather than a bool symbol. The 1/2/3 mapping is
    	# presumably shared with cbfstool and the verification code -- confirm
    	# before renumbering.
55  	int
56  	default 1 if CBFS_HASH_SHA1
57  	default 2 if CBFS_HASH_SHA256
58  	default 3 if CBFS_HASH_SHA512
59  
60  choice
61  	prompt "Hash algorithm"
    	# SHA-256 is the default; the help text notes it is usually also the
    	# measured-boot algorithm, so sharing it avoids hashing twice.
62  	default CBFS_HASH_SHA256
63  	help
64  	  Select the hash algorithm used in CBFS verification. Note that SHA-1 is
65  	  generally considered insecure today and should not be used without good
66  	  reason. When using CBFS verification together with measured boot, using
67  	  the same hash algorithm (usually SHA-256) for both is more efficient.
68  
69  config CBFS_HASH_SHA1
    	# NOTE(review): the help text above says SHA-1 should not be used
    	# without good reason, but the prompt itself carries no warning;
    	# consider marking it "(deprecated)" in the prompt or hiding it behind
    	# an explicit opt-in so it is not picked by accident.
70  	bool "SHA-1"
71  
72  config CBFS_HASH_SHA256
73  	bool "SHA-256"
74  
75  config CBFS_HASH_SHA512
76  	bool "SHA-512"
77  
78  endchoice
79  
80  endif
81  
82  endmenu