mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-18 03:32:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

kernel-fitimage: Don't use unit addresses on FIT

Browse Source 
Das U-Boot 2021.4-rc1 has the following commit:

    commit 3f04db891a353f4b127ed57279279f851c6b4917
    Author: Simon Glass <sjg@chromium.org>
    Date:   Mon Feb 15 17:08:12 2021 -0700

        image: Check for unit addresses in FITs

        Using unit addresses in a FIT is a security risk. Add a check for
        this and disallow it.

        CVE-2021-27138

Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This changte is required before we can bump U-Boot to 2021.4.

(From OE-Core rev: 14eec2f7c3bbb36de8198989bf772135aa117963)

Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Backport for Dunfell]
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Klaus Heinrich Kiwi
2021-06-01 11:35:37 +02:00
committed by Richard Purdie
parent ca9cb3f3e6
commit ab6b5e97ce
1 changed files with 16 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
meta/classes/kernel-fitimage.bbclass
View File

@@ -124,7 +124,7 @@ fitimage_emit_section_kernel() {
fi
cat << EOF >> ${1}
kernel@${2} {
kernel-${2} {
description = "Linux kernel";
data = /incbin/("${3}");
type = "kernel";
@@ -133,7 +133,7 @@ fitimage_emit_section_kernel() {
compression = "${4}";
load = <${UBOOT_LOADADDRESS}>;
entry = <${ENTRYPOINT}>;
hash@1 {
hash-1 {
algo = "${kernel_csum}";
};
};
@@ -160,14 +160,14 @@ fitimage_emit_section_dtb() {
dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
fi
cat << EOF >> ${1}
fdt@${2} {
fdt-${2} {
description = "Flattened Device Tree blob";
data = /incbin/("${3}");
type = "flat_dt";
arch = "${UBOOT_ARCH}";
compression = "none";
${dtb_loadline}
hash@1 {
hash-1 {
algo = "${dtb_csum}";
};
};
@@ -185,7 +185,7 @@ fitimage_emit_section_setup() {
setup_csum="${FIT_HASH_ALG}"
cat << EOF >> ${1}
setup@${2} {
setup-${2} {
description = "Linux setup.bin";
data = /incbin/("${3}");
type = "x86_setup";
@@ -194,7 +194,7 @@ fitimage_emit_section_setup() {
compression = "none";
load = <0x00090000>;
entry = <0x00090000>;
hash@1 {
hash-1 {
algo = "${setup_csum}";
};
};
@@ -221,7 +221,7 @@ fitimage_emit_section_ramdisk() {
fi
cat << EOF >> ${1}
ramdisk@${2} {
ramdisk-${2} {
description = "${INITRAMFS_IMAGE}";
data = /incbin/("${3}");
type = "ramdisk";
@@ -230,7 +230,7 @@ fitimage_emit_section_ramdisk() {
compression = "none";
${ramdisk_loadline}
${ramdisk_entryline}
hash@1 {
hash-1 {
algo = "${ramdisk_csum}";
};
};
@@ -266,39 +266,39 @@ fitimage_emit_section_config() {
if [ -n "${2}" ]; then
conf_desc="Linux kernel"
sep=", "
kernel_line="kernel = \"kernel@${2}\";"
kernel_line="kernel = \"kernel-${2}\";"
fi
if [ -n "${3}" ]; then
conf_desc="${conf_desc}${sep}FDT blob"
sep=", "
fdt_line="fdt = \"fdt@${3}\";"
fdt_line="fdt = \"fdt-${3}\";"
fi
if [ -n "${4}" ]; then
conf_desc="${conf_desc}${sep}ramdisk"
sep=", "
ramdisk_line="ramdisk = \"ramdisk@${4}\";"
ramdisk_line="ramdisk = \"ramdisk-${4}\";"
fi
if [ -n "${5}" ]; then
conf_desc="${conf_desc}${sep}setup"
setup_line="setup = \"setup@${5}\";"
setup_line="setup = \"setup-${5}\";"
fi
if [ "${6}" = "1" ]; then
default_line="default = \"conf@${3}\";"
default_line="default = \"conf-${3}\";"
fi
cat << EOF >> ${1}
${default_line}
conf@${3} {
conf-${3} {
description = "${6} ${conf_desc}";
${kernel_line}
${fdt_line}
${ramdisk_line}
${setup_line}
hash@1 {
hash-1 {
algo = "${conf_csum}";
};
EOF
@@ -330,7 +330,7 @@ EOF
sign_line="${sign_line};"
cat << EOF >> ${1}
signature@1 {
signature-1 {
algo = "${conf_csum},${conf_sign_algo}";
key-name-hint = "${conf_sign_keyname}";
${sign_line}