mirror of
https://git.yoctoproject.org/poky
synced 2026-04-13 05:02:24 +02:00
kernel-fitimage: Don't use unit addresses on FIT
Das U-Boot 2021.4-rc1 has the following commit:
commit 3f04db891a353f4b127ed57279279f851c6b4917
Author: Simon Glass <sjg@chromium.org>
Date: Mon Feb 15 17:08:12 2021 -0700
image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for
this and disallow it.
CVE-2021-27138
Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This changte is required before we can bump U-Boot to 2021.4.
(From OE-Core rev: 6047be9f8f0f5d616fda11d83b682c1b8aeaa0ae)
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Klaus Heinrich Kiwi
committed by
Richard Purdie
Richard Purdie
parent
b2d8e3cf62
commit
cfc0e21b10
@@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
|
||||
fi
|
||||
|
||||
cat << EOF >> ${1}
|
||||
kernel@${2} {
|
||||
kernel-${2} {
|
||||
description = "Linux kernel";
|
||||
data = /incbin/("${3}");
|
||||
type = "kernel";
|
||||
@@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
|
||||
compression = "${4}";
|
||||
load = <${UBOOT_LOADADDRESS}>;
|
||||
entry = <${ENTRYPOINT}>;
|
||||
hash@1 {
|
||||
hash-1 {
|
||||
algo = "${kernel_csum}";
|
||||
};
|
||||
};
|
||||
@@ -179,7 +179,7 @@ EOF
|
||||
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
|
||||
sed -i '$ d' ${1}
|
||||
cat << EOF >> ${1}
|
||||
signature@1 {
|
||||
signature-1 {
|
||||
algo = "${kernel_csum},${kernel_sign_algo}";
|
||||
key-name-hint = "${kernel_sign_keyname}";
|
||||
};
|
||||
@@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
|
||||
dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
|
||||
fi
|
||||
cat << EOF >> ${1}
|
||||
fdt@${2} {
|
||||
fdt-${2} {
|
||||
description = "Flattened Device Tree blob";
|
||||
data = /incbin/("${3}");
|
||||
type = "flat_dt";
|
||||
arch = "${UBOOT_ARCH}";
|
||||
compression = "none";
|
||||
${dtb_loadline}
|
||||
hash@1 {
|
||||
hash-1 {
|
||||
algo = "${dtb_csum}";
|
||||
};
|
||||
};
|
||||
@@ -226,7 +226,7 @@ EOF
|
||||
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
|
||||
sed -i '$ d' ${1}
|
||||
cat << EOF >> ${1}
|
||||
signature@1 {
|
||||
signature-1 {
|
||||
algo = "${dtb_csum},${dtb_sign_algo}";
|
||||
key-name-hint = "${dtb_sign_keyname}";
|
||||
};
|
||||
@@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
|
||||
setup_csum="${FIT_HASH_ALG}"
|
||||
|
||||
cat << EOF >> ${1}
|
||||
setup@${2} {
|
||||
setup-${2} {
|
||||
description = "Linux setup.bin";
|
||||
data = /incbin/("${3}");
|
||||
type = "x86_setup";
|
||||
@@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
|
||||
compression = "none";
|
||||
load = <0x00090000>;
|
||||
entry = <0x00090000>;
|
||||
hash@1 {
|
||||
hash-1 {
|
||||
algo = "${setup_csum}";
|
||||
};
|
||||
};
|
||||
@@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
|
||||
fi
|
||||
|
||||
cat << EOF >> ${1}
|
||||
ramdisk@${2} {
|
||||
ramdisk-${2} {
|
||||
description = "${INITRAMFS_IMAGE}";
|
||||
data = /incbin/("${3}");
|
||||
type = "ramdisk";
|
||||
@@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
|
||||
compression = "none";
|
||||
${ramdisk_loadline}
|
||||
${ramdisk_entryline}
|
||||
hash@1 {
|
||||
hash-1 {
|
||||
algo = "${ramdisk_csum}";
|
||||
};
|
||||
};
|
||||
@@ -339,7 +339,7 @@ EOF
|
||||
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
|
||||
sed -i '$ d' ${1}
|
||||
cat << EOF >> ${1}
|
||||
signature@1 {
|
||||
signature-1 {
|
||||
algo = "${ramdisk_csum},${ramdisk_sign_algo}";
|
||||
key-name-hint = "${ramdisk_sign_keyname}";
|
||||
};
|
||||
@@ -377,7 +377,7 @@ fitimage_emit_section_config() {
|
||||
# Test if we have any DTBs at all
|
||||
sep=""
|
||||
conf_desc=""
|
||||
conf_node="conf@"
|
||||
conf_node="conf-"
|
||||
kernel_line=""
|
||||
fdt_line=""
|
||||
ramdisk_line=""
|
||||
@@ -396,19 +396,19 @@ fitimage_emit_section_config() {
|
||||
if [ -n "${kernel_id}" ]; then
|
||||
conf_desc="Linux kernel"
|
||||
sep=", "
|
||||
kernel_line="kernel = \"kernel@${kernel_id}\";"
|
||||
kernel_line="kernel = \"kernel-${kernel_id}\";"
|
||||
fi
|
||||
|
||||
if [ -n "${dtb_image}" ]; then
|
||||
conf_desc="${conf_desc}${sep}FDT blob"
|
||||
sep=", "
|
||||
fdt_line="fdt = \"fdt@${dtb_image}\";"
|
||||
fdt_line="fdt = \"fdt-${dtb_image}\";"
|
||||
fi
|
||||
|
||||
if [ -n "${ramdisk_id}" ]; then
|
||||
conf_desc="${conf_desc}${sep}ramdisk"
|
||||
sep=", "
|
||||
ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
|
||||
ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
|
||||
fi
|
||||
|
||||
if [ -n "${bootscr_id}" ]; then
|
||||
@@ -419,16 +419,16 @@ fitimage_emit_section_config() {
|
||||
|
||||
if [ -n "${config_id}" ]; then
|
||||
conf_desc="${conf_desc}${sep}setup"
|
||||
setup_line="setup = \"setup@${config_id}\";"
|
||||
setup_line="setup = \"setup-${config_id}\";"
|
||||
fi
|
||||
|
||||
if [ "${default_flag}" = "1" ]; then
|
||||
# default node is selected based on dtb ID if it is present,
|
||||
# otherwise its selected based on kernel ID
|
||||
if [ -n "${dtb_image}" ]; then
|
||||
default_line="default = \"conf@${dtb_image}\";"
|
||||
default_line="default = \"conf-${dtb_image}\";"
|
||||
else
|
||||
default_line="default = \"conf@${kernel_id}\";"
|
||||
default_line="default = \"conf-${kernel_id}\";"
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -441,7 +441,7 @@ fitimage_emit_section_config() {
|
||||
${ramdisk_line}
|
||||
${bootscr_line}
|
||||
${setup_line}
|
||||
hash@1 {
|
||||
hash-1 {
|
||||
algo = "${conf_csum}";
|
||||
};
|
||||
EOF
|
||||
@@ -478,7 +478,7 @@ EOF
|
||||
sign_line="${sign_line};"
|
||||
|
||||
cat << EOF >> ${its_file}
|
||||
signature@1 {
|
||||
signature-1 {
|
||||
algo = "${conf_csum},${conf_sign_algo}";
|
||||
key-name-hint = "${conf_sign_keyname}";
|
||||
${sign_line}
|
||||
|
||||
@@ -69,9 +69,9 @@ FIT_DESC = "A model description"
|
||||
'type = "ramdisk";',
|
||||
'load = <0x88000000>;',
|
||||
'entry = <0x88000000>;',
|
||||
'default = "conf@1";',
|
||||
'kernel = "kernel@1";',
|
||||
'ramdisk = "ramdisk@1";'
|
||||
'default = "conf-1";',
|
||||
'kernel = "kernel-1";',
|
||||
'ramdisk = "ramdisk-1";'
|
||||
]
|
||||
|
||||
with open(fitimage_its_path) as its_file:
|
||||
@@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
|
||||
"%s FIT image doesn't exist" % (fitimage_path))
|
||||
|
||||
req_itspaths = [
|
||||
['/', 'images', 'kernel@1'],
|
||||
['/', 'images', 'kernel@1', 'signature@1'],
|
||||
['/', 'images', 'fdt@am335x-boneblack.dtb'],
|
||||
['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'],
|
||||
['/', 'configurations', 'conf@am335x-boneblack.dtb'],
|
||||
['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'],
|
||||
['/', 'images', 'kernel-1'],
|
||||
['/', 'images', 'kernel-1', 'signature-1'],
|
||||
['/', 'images', 'fdt-am335x-boneblack.dtb'],
|
||||
['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'],
|
||||
['/', 'configurations', 'conf-am335x-boneblack.dtb'],
|
||||
['/', 'configurations', 'conf-am335x-boneblack.dtb', 'signature-1'],
|
||||
]
|
||||
|
||||
itspath = []
|
||||
@@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
|
||||
elif line.endswith('{'):
|
||||
itspath.append(line[:-1].strip())
|
||||
itspaths.append(itspath[:])
|
||||
elif itspath and itspath[-1] == 'signature@1':
|
||||
elif itspath and itspath[-1] == 'signature-1':
|
||||
itsdotpath = '.'.join(itspath)
|
||||
if not itsdotpath in sigs:
|
||||
sigs[itsdotpath] = {}
|
||||
@@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
|
||||
}
|
||||
|
||||
for itspath, values in sigs.items():
|
||||
if 'conf@' in itspath:
|
||||
if 'conf-' in itspath:
|
||||
reqsigvalues = reqsigvalues_config
|
||||
else:
|
||||
reqsigvalues = reqsigvalues_image
|
||||
@@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
|
||||
signed_sections[in_signed] = {}
|
||||
key, value = line.split(':', 1)
|
||||
signed_sections[in_signed][key.strip()] = value.strip()
|
||||
self.assertIn('kernel@1', signed_sections)
|
||||
self.assertIn('fdt@am335x-boneblack.dtb', signed_sections)
|
||||
self.assertIn('conf@am335x-boneblack.dtb', signed_sections)
|
||||
self.assertIn('kernel-1', signed_sections)
|
||||
self.assertIn('fdt-am335x-boneblack.dtb', signed_sections)
|
||||
self.assertIn('conf-am335x-boneblack.dtb', signed_sections)
|
||||
for signed_section, values in signed_sections.items():
|
||||
value = values.get('Sign algo', None)
|
||||
self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
|
||||
@@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256"
|
||||
its_lines = [line.strip() for line in its_file.readlines()]
|
||||
|
||||
exp_node_lines = [
|
||||
'kernel@1 {',
|
||||
'kernel-1 {',
|
||||
'description = "Linux kernel";',
|
||||
'data = /incbin/("' + initramfs_bundle + '");',
|
||||
'type = "kernel";',
|
||||
@@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256"
|
||||
'compression = "none";',
|
||||
'load = <' + kernel_load + '>;',
|
||||
'entry = <' + kernel_entry + '>;',
|
||||
'hash@1 {',
|
||||
'hash-1 {',
|
||||
'algo = "' + fit_hash_alg +'";',
|
||||
'};',
|
||||
'};'
|
||||
@@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256"
|
||||
else:
|
||||
self.assertTrue(test_passed == True,"kernel node does not match expectation")
|
||||
|
||||
rx_configs = re.compile("^conf@.*")
|
||||
rx_configs = re.compile("^conf-.*")
|
||||
its_configs = list(filter(rx_configs.match, its_lines))
|
||||
|
||||
for cfg_str in its_configs:
|
||||
@@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256"
|
||||
else:
|
||||
print("kernel keyword found in the description line")
|
||||
|
||||
if 'kernel = "kernel@1";' not in node:
|
||||
if 'kernel = "kernel-1";' not in node:
|
||||
self.assertTrue(test_passed == True,"kernel line not found")
|
||||
break
|
||||
else:
|
||||
|
||||
Reference in New Issue
Block a user