Aaron Durbin has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41120 )
Change subject: cbfs: Add verification for RO CBFS metadata hash
Patch Set 10:
(2 comments)
https://review.coreboot.org/c/coreboot/+/41120/8/src/lib/cbfs.c
File src/lib/cbfs.c:

https://review.coreboot.org/c/coreboot/+/41120/8/src/lib/cbfs.c@36
PS8, Line 36: if (cbd != vboot_get_cbfs_boot_device()) {
> TOCTOU_SAFETY implies !NO_CBFS_MCACHE via Kconfig so I'm not checking it explicitly again. […]
I'm not completely following, but I'll take a look at the updated CL if it's clearer.
https://review.coreboot.org/c/coreboot/+/41120/8/src/lib/cbfs.c@471
PS8, Line 471: die("RO CBFS initialization error: %d", err);
> See above -- if TOCTOU_SAFETY is enabled, then an overflow of the RO mcache is basically a fatal err […]
I think that's where I wasn't understanding. You had assembled almost everything required to be TOCTOU safe, and I was assuming we'd actually employ that for Chrome OS since we're so close. I absolutely think we should strive for that instead of leaving the opportunity open for attacks, i.e. we're tightening up the threat model.
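The two review points above (TOCTOU_SAFETY requiring the metadata cache, and an RO mcache overflow being fatal under it) come down to one pattern. The following is an added illustration written for this page, not coreboot or vboot code: "flash" is a constructed byte array, the 32-bit FNV-1a hash is a stand-in for the real metadata hash, `MCACHE_SIZE`, `lookup_unsafe`, `mcache_build` and `lookup_safe` are hypothetical names, and the attacker is simulated by a function that rewrites flash between the check and the use.

```c
/* Added illustration (not coreboot code) of why TOCTOU-safe CBFS lookups
 * need an in-memory metadata cache and why overflowing it must be fatal.
 * All names, sizes and the hash are assumptions made for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FLASH_SIZE   64   /* constructed RO region */
#define META_LEN     12   /* "name=KERNEL" plus NUL */
#define MCACHE_SIZE  32   /* hypothetical metadata cache size */

static uint8_t flash[FLASH_SIZE];
static uint8_t mcache[MCACHE_SIZE];
static size_t  mcache_len;

enum { OK = 0, ERR_HASH = -1, ERR_MCACHE_OVERFLOW = -2 };

/* 32-bit FNV-1a: a stand-in for the real metadata hash, not CBFS's algorithm. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Reset the constructed flash contents to the trusted metadata. */
static void flash_init(void)
{
    memset(flash, 0, sizeof(flash));
    memcpy(flash, "name=KERNEL", META_LEN);
}

/* Simulated attacker with write access to the flash (or a bus MITM) who
 * rewrites the metadata after it has been verified. */
static void attacker_swap(void)
{
    memcpy(flash, "name=EVIL", 10);
}

/* Unsafe pattern: hash the metadata in flash, then read flash again to use
 * it. Anything that changes flash between the two reads bypasses the check. */
static int lookup_unsafe(uint32_t expected, uint8_t out[META_LEN], int attacker)
{
    if (fnv1a(flash, META_LEN) != expected)
        return ERR_HASH;
    if (attacker)
        attacker_swap();          /* the TOCTOU window */
    memcpy(out, flash, META_LEN); /* second read, unverified */
    return OK;
}

/* Safe pattern: read the metadata from flash once into the mcache, hash the
 * copy, and answer every later lookup from the copy. If it does not fit there
 * is no safe fallback (re-reading flash reopens the window), so the caller
 * has to treat the overflow as fatal. */
static int mcache_build(size_t meta_len, uint32_t expected)
{
    if (meta_len > MCACHE_SIZE)
        return ERR_MCACHE_OVERFLOW;
    memcpy(mcache, flash, meta_len);
    if (fnv1a(mcache, meta_len) != expected)
        return ERR_HASH;
    mcache_len = meta_len;
    return OK;
}

static int lookup_safe(uint8_t out[META_LEN], int attacker)
{
    if (mcache_len < META_LEN)
        return ERR_HASH;          /* cache never verified */
    if (attacker)
        attacker_swap();          /* flash changes, the cache does not */
    memcpy(out, mcache, META_LEN);
    return OK;
}

/* Returns 1 if the attacker's data reached the consumer despite the check. */
int demo_unsafe(void)
{
    uint8_t out[META_LEN];
    flash_init();
    uint32_t expected = fnv1a(flash, META_LEN);
    return lookup_unsafe(expected, out, 1) == OK &&
           strcmp((char *)out, "name=EVIL") == 0;
}

/* Returns 1 if the verified copy is what the consumer sees. */
int demo_safe(void)
{
    uint8_t out[META_LEN];
    flash_init();
    uint32_t expected = fnv1a(flash, META_LEN);
    mcache_len = 0;
    return mcache_build(META_LEN, expected) == OK &&
           lookup_safe(out, 1) == OK &&
           strcmp((char *)out, "name=KERNEL") == 0;
}

/* Returns the error an oversized metadata region produces. */
int demo_overflow(void)
{
    flash_init();
    mcache_len = 0;
    return mcache_build(MCACHE_SIZE + 1, fnv1a(flash, MCACHE_SIZE + 1));
}

int main(void)
{
    printf("unsafe lookup used attacker data: %d\n", demo_unsafe());
    printf("mcache lookup used verified data: %d\n", demo_safe());
    printf("oversized metadata -> %d (fatal under TOCTOU_SAFETY)\n", demo_overflow());
    return 0;
}
```

The point of the overflow case is that the only alternative to `die()` would be to fall back to walking metadata in flash, which is exactly the unsafe pattern the cache exists to remove; under a TOCTOU-safe configuration that fallback is not an option.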