author | Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> | 2021-06-01 11:35:37 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-06-11 22:45:27 +0100 |
commit | ab6b5e97cebe19938baa403da6307ca320294b3a (patch) | |
tree | fe232998756c14a1c02b20ce2e86835c7e44090a /meta/classes/kernel-fitimage.bbclass | |
parent | ca9cb3f3e6507dd536683cdf5b1e3e288c79fdd1 (diff) | |
download | poky-ab6b5e97cebe19938baa403da6307ca320294b3a.tar.gz |
kernel-fitimage: Don't use unit addresses on FIT
Das U-Boot 2021.4-rc1 has the following commit:
commit 3f04db891a353f4b127ed57279279f851c6b4917
Author: Simon Glass <sjg@chromium.org>
Date: Mon Feb 15 17:08:12 2021 -0700
image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for
this and disallow it.
CVE-2021-27138
Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This change is required before we can bump U-Boot to 2021.4.
(From OE-Core rev: 14eec2f7c3bbb36de8198989bf772135aa117963)
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Backport for Dunfell]
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/kernel-fitimage.bbclass')
-rw-r--r-- | meta/classes/kernel-fitimage.bbclass | 32 |
1 files changed, 16 insertions, 16 deletions
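--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -124,7 +124,7 @@ fitimage_emit_section_kernel() {
 fi
 
 cat << EOF >> ${1}
-kernel@${2} {
+kernel-${2} {
 description = "Linux kernel";
 data = /incbin/("${3}");
 type = "kernel";
@@ -133,7 +133,7 @@ fitimage_emit_section_kernel() {
 compression = "${4}";
 load = <${UBOOT_LOADADDRESS}>;
 entry = <${ENTRYPOINT}>;
-hash@1 {
+hash-1 {
 algo = "${kernel_csum}";
 };
 };
@@ -160,14 +160,14 @@ fitimage_emit_section_dtb() {
 dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
 fi
 cat << EOF >> ${1}
-fdt@${2} {
+fdt-${2} {
 description = "Flattened Device Tree blob";
 data = /incbin/("${3}");
 type = "flat_dt";
 arch = "${UBOOT_ARCH}";
 compression = "none";
 ${dtb_loadline}
-hash@1 {
+hash-1 {
 algo = "${dtb_csum}";
 };
 };
@@ -185,7 +185,7 @@ fitimage_emit_section_setup() {
 setup_csum="${FIT_HASH_ALG}"
 
 cat << EOF >> ${1}
-setup@${2} {
+setup-${2} {
 description = "Linux setup.bin";
 data = /incbin/("${3}");
 type = "x86_setup";
@@ -194,7 +194,7 @@ fitimage_emit_section_setup() {
 compression = "none";
 load = <0x00090000>;
 entry = <0x00090000>;
-hash@1 {
+hash-1 {
 algo = "${setup_csum}";
 };
 };
@@ -221,7 +221,7 @@ fitimage_emit_section_ramdisk() {
 fi
 
 cat << EOF >> ${1}
-ramdisk@${2} {
+ramdisk-${2} {
 description = "${INITRAMFS_IMAGE}";
 data = /incbin/("${3}");
 type = "ramdisk";
@@ -230,7 +230,7 @@ fitimage_emit_section_ramdisk() {
 compression = "none";
 ${ramdisk_loadline}
 ${ramdisk_entryline}
-hash@1 {
+hash-1 {
 algo = "${ramdisk_csum}";
 };
 };
@@ -266,39 +266,39 @@ fitimage_emit_section_config() {
 if [ -n "${2}" ]; then
 conf_desc="Linux kernel"
 sep=", "
-kernel_line="kernel = \"kernel@${2}\";"
+kernel_line="kernel = \"kernel-${2}\";"
 fi
 
 if [ -n "${3}" ]; then
 conf_desc="${conf_desc}${sep}FDT blob"
 sep=", "
-fdt_line="fdt = \"fdt@${3}\";"
+fdt_line="fdt = \"fdt-${3}\";"
 fi
 
 if [ -n "${4}" ]; then
 conf_desc="${conf_desc}${sep}ramdisk"
 sep=", "
-ramdisk_line="ramdisk = \"ramdisk@${4}\";"
+ramdisk_line="ramdisk = \"ramdisk-${4}\";"
 fi
 
 if [ -n "${5}" ]; then
 conf_desc="${conf_desc}${sep}setup"
-setup_line="setup = \"setup@${5}\";"
+setup_line="setup = \"setup-${5}\";"
 fi
 
 if [ "${6}" = "1" ]; then
-default_line="default = \"conf@${3}\";"
+default_line="default = \"conf-${3}\";"
 fi
 
 cat << EOF >> ${1}
 ${default_line}
-conf@${3} {
+conf-${3} {
 description = "${6} ${conf_desc}";
 ${kernel_line}
 ${fdt_line}
 ${ramdisk_line}
 ${setup_line}
-hash@1 {
+hash-1 {
 algo = "${conf_csum}";
 };
 EOF
@@ -330,7 +330,7 @@ EOF
 sign_line="${sign_line};"
 
 cat << EOF >> ${1}
-signature@1 {
+signature-1 {
 algo = "${conf_csum},${conf_sign_algo}";
 key-name-hint = "${conf_sign_keyname}";
 ${sign_line}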
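Review bot: The renamed nodes are still built from unvalidated arguments, `fdt-${2}` in fitimage_emit_section_dtb and `conf-${3}` / `fdt = "fdt-${3}"` in fitimage_emit_section_config, so a name that itself contains `@` would put a unit address back into the FIT. Going by the commit message, a U-Boot carrying the CVE-2021-27138 check would then refuse the image. The callers and the start of each function are outside these hunks, so whether such a name can reach them is not visible here. A guard ahead of each heredoc, for example `case "${2}" in *@*) bbfatal "FIT node name must not contain '@': ${2}" ;; esac`, would turn that into a build-time failure instead of a boot-time one. Node names are also an external interface: any boot script or environment that selects a configuration by its old `conf@…` name needs the same rename, which is worth stating in the class documentation.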