# SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later
#
# This file is sourced from src/security/Kconfig for menuconfig convenience.

menu "CBFS verification"

config CBFS_VERIFICATION
	bool "Enable CBFS verification"
	select VBOOT_LIB
	help
	  Say yes here to enable code that cryptographically verifies each CBFS
	  file as it gets loaded by chaining it to a trust anchor that is
	  embedded in the bootblock. This only makes sense if you use some
	  out-of-band mechanism to guarantee the integrity of the bootblock
	  itself, such as Intel Boot Guard or flash write-protection.

	  If a CBFS image was created with this option enabled, cbfstool will
	  automatically update the hash embedded in the bootblock whenever it
	  modifies the CBFS.

if CBFS_VERIFICATION

config TOCTOU_SAFETY
	bool "Protect against time-of-check vs. time-of-use vulnerabilities"
	depends on !NO_FMAP_CACHE
	depends on !NO_CBFS_MCACHE
	depends on !USE_OPTION_TABLE && !FSP_CAR # Known to access CBFS before CBMEM init
	depends on !VBOOT || VBOOT_CBFS_INTEGRATION
	depends on NO_XIP_EARLY_STAGES
	help
	  Say yes here to eliminate time-of-check vs. time-of-use vulnerabilities
	  for CBFS verification. This means that data from flash must be verified
	  every time it is loaded (not just the first time), which requires a bit
	  more overhead and is incompatible with certain configurations.

	  Using this option only makes sense when the mechanism securing the
	  bootblock is also safe against these vulnerabilities (i.e. there's no
	  point in enabling this when you just rely on flash write-protection).

config CBFS_ALLOW_UNVERIFIED_DECOMPRESSION
	bool "Run decompression algorithms on potentially untrusted code"
	default n
	help
	  This controls whether cbfs_unverified_area_...() access functions may
	  decompress files. This exposes the attack surface of all supported
	  decompression algorithms. Even if you don't compress the files you are
	  planning to load with these functions, since file metadata is also
	  unverified, an attacker can potentially replace them with compressed
	  files to access a vulnerability in the decompression code.

	  If you don't need to load compressed files from unverified areas, say
	  no here for tighter security.

config CBFS_HASH_ALGO
	int
	default 1 if CBFS_HASH_SHA1
	default 2 if CBFS_HASH_SHA256
	default 3 if CBFS_HASH_SHA512

choice
	prompt "Hash algorithm"
	default CBFS_HASH_SHA256
	help
	  Select the hash algorithm used in CBFS verification. Note that SHA-1 is
	  generally considered insecure today and should not be used without good
	  reason. When using CBFS verification together with measured boot, using
	  the same hash algorithm (usually SHA-256) for both is more efficient.

config CBFS_HASH_SHA1
	bool "SHA-1"

config CBFS_HASH_SHA256
	bool "SHA-256"

config CBFS_HASH_SHA512
	bool "SHA-512"

endchoice

endif

endmenu
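The trust chain behind CBFS_VERIFICATION and the time-of-check vs. time-of-use gap that TOCTOU_SAFETY closes, as an added Python model that is not coreboot code and does not reproduce the real CBFS metadata layout: the bootblock-embedded anchor is a hash over a constructed file table, each file is checked against that table when loaded, and a loader that verifies only on the first load hands out whatever flash holds on a later read.

```python
import hashlib
from typing import Dict, Set

# Constructed, simplified model of verification chained to a bootblock-embedded
# anchor. It is NOT coreboot's real CBFS metadata format or cbfstool behaviour.

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def metadata_digest(metadata: Dict[str, bytes]) -> bytes:
    """Digest over the whole file table; the bootblock would embed this value."""
    return sha256(b"".join(n.encode() + h for n, h in sorted(metadata.items())))

def build_image(files: Dict[str, bytes]):
    """Return (anchor, flash) with flash = {"meta": name->hash, "files": name->data}."""
    metadata = {name: sha256(data) for name, data in files.items()}
    return metadata_digest(metadata), {"meta": metadata, "files": dict(files)}

class Loader:
    """toctou_safe=False verifies a file only the first time it is loaded and
    trusts later reads from flash (the gap TOCTOU_SAFETY exists to close);
    toctou_safe=True re-verifies on every load, as the option's help describes."""
    def __init__(self, anchor: bytes, flash: dict, toctou_safe: bool):
        self.anchor, self.flash, self.toctou_safe = anchor, flash, toctou_safe
        self.verified: Set[str] = set()

    def load(self, name: str) -> bytes:
        data = self.flash["files"][name]          # read from (mutable) flash
        if self.toctou_safe or name not in self.verified:
            if metadata_digest(self.flash["meta"]) != self.anchor:
                raise ValueError("file table does not chain to the trust anchor")
            if sha256(data) != self.flash["meta"][name]:
                raise ValueError(f"{name}: hash mismatch")
            self.verified.add(name)
        return data

def demo(toctou_safe: bool) -> str:
    """Load a file twice with flash contents changed in between (constructed
    scenario). Returns "accepted" if the changed data was handed out and
    "rejected" if verification caught it."""
    anchor, flash = build_image({"fallback/payload": b"genuine payload"})
    loader = Loader(anchor, flash, toctou_safe)
    assert loader.load("fallback/payload") == b"genuine payload"  # first load verified
    flash["files"]["fallback/payload"] = b"changed payload"        # flash changed after check
    try:
        return "accepted" if loader.load("fallback/payload") == b"changed payload" else "rejected"
    except ValueError:
        return "rejected"
```

With flash write-protection the second write could not happen at all, which is why the help text says TOCTOU_SAFETY only pays off when the bootblock's own protection is TOCTOU-safe as well.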