sravan/system76-coreboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
e20a2b442710e56bae43cefb87936af6ca7979be
system76-coreboot/src/include/cbfs.h
Julius Werner fdabf3fcd7 cbfs: Add verification for RO CBFS metadata hash 
This patch adds the first stage of the new CONFIG_CBFS_VERIFICATION
feature. It's not useful to end-users in this stage so it cannot be
selected in menuconfig (and should not be used other than for
development) yet. With this patch coreboot can verify the metadata hash
of the RO CBFS when it starts booting, but it does not verify individual
files yet. Likewise, verifying RW CBFSes with vboot is not yet
supported.

Verification is bootstrapped from a "metadata hash anchor" structure
that is embedded in the bootblock code and marked by a unique magic
number.  This anchor contains both the CBFS metadata hash and a separate
hash for the FMAP which is required to find the primary CBFS. Both are
verified on first use in the bootblock (and halt the system on failure).

The CONFIG_TOCTOU_SAFETY option is also added for illustrative purposes
to show some paths that need to be different when full protection
against TOCTOU (time-of-check vs. time-of-use) attacks is desired. For
normal verification it is sufficient to check the FMAP and the CBFS
metadata hash only once in the bootblock -- for TOCTOU verification we
do the same, but we need to be extra careful that we do not re-read the
FMAP or any CBFS metadata in later stages. This is mostly achieved by
depending on the CBFS metadata cache and FMAP cache features, but we
allow for one edge case in case the RW CBFS metadata cache overflows
(which may happen during an RW update and could otherwise no longer be
fixed because mcache size is defined by RO code). This code is added to
demonstrate design intent but won't really matter until RW CBFS
verification can be supported.

Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I8930434de55eb938b042fdada9aa90218c0b5a34
Reviewed-on: https://review.coreboot.org/c/coreboot/+/41120
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
2020-12-03 00:11:08 +00:00

88 lines
4.1 KiB
C
Raw Blame History

/* SPDX-License-Identifier: GPL-2.0-only */
#ifndef _CBFS_H_
#define _CBFS_H_
#include <cbmem.h>
#include <commonlib/cbfs.h>
#include <program_loading.h>
#include <types.h>
#include <vb2_sha.h>
/***********************************************
* Perform CBFS operations on the boot device. *
***********************************************/
/* Return mapping of option ROM found in boot device. NULL on error. */
void *cbfs_boot_map_optionrom(uint16_t vendor, uint16_t device);
/* Return mapping of option ROM with revision number. Returns NULL on error. */
void *cbfs_boot_map_optionrom_revision(uint16_t vendor, uint16_t device, uint8_t rev);
/* Locate file by name and optional type. Return 0 on success. < 0 on error. */
int cbfs_boot_locate(struct cbfsf *fh, const char *name, uint32_t *type);
/* Map file into memory, returning a pointer to the mapping or NULL on error.
If |size_out| is not NULL, it will pass out the size of the mapped file.
NOTE: Since this may return a direct pointer to memory-mapped hardware,
compressed files are NOT transparently decompressed (unlike cbfs_load()). */
void *cbfs_map(const char *name, size_t *size_out);
/* Like cbfs_map(), except that it will always read from the read-only CBFS
("COREBOOT" FMAP region), even when CONFIG(VBOOT) is enabled. */
void *cbfs_ro_map(const char *name, size_t *size_out);
/* Removes a previously allocated CBFS mapping. Should try to unmap mappings in
strict LIFO order where possible, since mapping backends often don't support
more complicated cases. */
int cbfs_unmap(void *mapping);
/* Locate file in a specific region of fmap. Return 0 on success. < 0 on error*/
int cbfs_locate_file_in_region(struct cbfsf *fh, const char *region_name,
const char *name, uint32_t *type);
/* Load a file from CBFS into a buffer. Returns amount of loaded bytes on
success or 0 on error. File will get decompressed as necessary. Same
decompression requirements as cbfs_load_and_decompress(). */
size_t cbfs_load(const char *name, void *buf, size_t buf_size);
/* Like cbfs_load(), except that it will always read from the read-only CBFS
("COREBOOT" FMAP region), even when CONFIG(VBOOT) is enabled. */
size_t cbfs_ro_load(const char *name, void *buf, size_t buf_size);
/* Load |in_size| bytes from |rdev| at |offset| to the |buffer_size| bytes
* large |buffer|, decompressing it according to |compression| in the process.
* Returns the decompressed file size, or 0 on error.
* LZMA files will be mapped for decompression. LZ4 files will be decompressed
* in-place with the buffer size requirements outlined in compression.h. */
size_t cbfs_load_and_decompress(const struct region_device *rdev, size_t offset,
size_t in_size, void *buffer, size_t buffer_size, uint32_t compression);
/* Load stage into memory filling in prog. Return 0 on success. < 0 on error. */
int cbfs_prog_stage_load(struct prog *prog);
/*
* Data structure that represents "a" CBFS boot device, with optional metadata
* cache. Generally we only have one of these, or two (RO and RW) when
* CONFIG(VBOOT) is set. The region device stored here must always be a
* subregion of boot_device_ro().
*/
struct cbfs_boot_device {
struct region_device rdev;
void *mcache;
size_t mcache_size;
};
/* Helper to fill out |mcache| and |mcache_size| in a cbfs_boot_device. */
void cbfs_boot_device_find_mcache(struct cbfs_boot_device *cbd, uint32_t id);
/*
* Retrieves the currently active CBFS boot device. If |force_ro| is set, will
* always return the read-only CBFS instead (this only makes a difference when
* CONFIG(VBOOT) is enabled). May perform certain CBFS initialization tasks.
* Returns NULL on error (e.g. boot device IO error).
*/
const struct cbfs_boot_device *cbfs_get_boot_device(bool force_ro);
/*
* Builds the mcache (if |cbd->mcache| is set) and verifies |metadata_hash| (if
* it is not NULL). If CB_CBFS_CACHE_FULL is returned, the mcache is incomplete
* but still valid and the metadata hash was still verified. Should be called
* once per *boot* (not once per stage) before the first CBFS access.
*/
cb_err_t cbfs_init_boot_device(const struct cbfs_boot_device *cbd,
struct vb2_hash *metadata_hash);
#endif
Reference in New Issue View Git Blame Copy Permalink