Attention is currently required from: Angel Pons, Benjamin Doron, Jakub Czapiga, Maximilian Brune, Paul Menzel, Subrata Banik, Yu-Ping Wu.
Hello Angel Pons, Benjamin Doron, Jakub Czapiga, Maximilian Brune, Paul Menzel, Subrata Banik, Yu-Ping Wu, build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/75457?usp=email
to look at the new patch set (#3).
The following approvals got outdated and were removed: Code-Review+1 by Jakub Czapiga, Code-Review+1 by Paul Menzel, Verified+1 by build bot (Jenkins)
Change subject: cbfs: Allow controlling decompression of unverified files ......................................................................
cbfs: Allow controlling decompression of unverified files
This patch adds a new Kconfig that controls whether CBFS APIs for unverified areas will allow file decompression when CBFS verification is enabled. This should be disallowed by default because it exposes the attack surface of all supported decompression algorithms. Make allowances for one legacy use case with CONFIG_SOC_INTEL_CSE_LITE_ COMPRESS_ME_RW that should become obsolete with VBOOT_CBFS_INTEGRATION.
Signed-off-by: Julius Werner jwerner@chromium.org Change-Id: Ieae420f51cbc01dae2ab265414219cc9c288087b --- M src/lib/Kconfig.cbfs_verification M src/lib/cbfs.c M src/soc/intel/common/block/cse/Kconfig 3 files changed, 22 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/57/75457/3