cbfs: Allow controlling decompression of unverified files

This patch adds a new Kconfig that controls whether CBFS APIs for unverified areas will allow file decompression when CBFS verification is enabled. This should be disallowed by default because it exposes the attack surface of all supported decompression algorithms. Make allowances for one legacy use case with CONFIG_SOC_INTEL_CSE_LITE_ COMPRESS_ME_RW that should become obsolete with VBOOT_CBFS_INTEGRATION. Signed-off-by: Julius Werner <jwerner@chromium.org> Change-Id: Ieae420f51cbc01dae2ab265414219cc9c288087b Reviewed-on: https://review.coreboot.org/c/coreboot/+/75457 Reviewed-by: Jakub Czapiga <jacz@semihalf.com> Reviewed-by: Subrata Banik <subratabanik@google.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Yu-Ping Wu <yupingso@google.com> Reviewed-by: Angel Pons <th3fanbus@gmail.com>
2023-05-25 18:26:32 -07:00
parent 3f1e034835
commit 6e303aa89b
3 changed files with 22 additions and 0 deletions
--- a/src/lib/cbfs.c
+++ b/src/lib/cbfs.c
@ -208,6 +208,13 @@ static size_t cbfs_load_and_decompress(const struct region_device *rdev, void *b
 	DEBUG("Decompressing %zu bytes from '%s' to %p with algo %d\n",
 	      in_size, mdata->h.filename, buffer, compression);

+	if (CONFIG(CBFS_VERIFICATION) && !CONFIG(CBFS_ALLOW_UNVERIFIED_DECOMPRESSION) &&
+	    skip_verification && compression != CBFS_COMPRESS_NONE) {
+		ERROR("Refusing to decompress unverified file '%s' with algo %d\n",
+		      mdata->h.filename, compression);
+		return 0;
+	}
+
 	switch (compression) {
 	case CBFS_COMPRESS_NONE:
 		if (buffer_size < in_size)