diff options
author | Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> | 2021-02-22 15:38:19 -0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-02-23 22:35:01 +0000 |
commit | cfc0e21b1066b5d5d0fc37fbc5d79f40f4576f1d (patch) | |
tree | 7d0a439625f01351a6a2baa152c21f3d5988da69 /meta/classes | |
parent | b2d8e3cf620133ea8121b67dc6b449cd7d4ebc02 (diff) | |
download | poky-cfc0e21b1066b5d5d0fc37fbc5d79f40f4576f1d.tar.gz |
kernel-fitimage: Don't use unit addresses on FIT
Das U-Boot 2021.4-rc1 has the following commit:
commit 3f04db891a353f4b127ed57279279f851c6b4917
Author: Simon Glass <sjg@chromium.org>
Date: Mon Feb 15 17:08:12 2021 -0700
image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for
this and disallow it.
CVE-2021-27138
Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This changte is required before we can bump U-Boot to 2021.4.
(From OE-Core rev: 6047be9f8f0f5d616fda11d83b682c1b8aeaa0ae)
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
-rw-r--r-- | meta/classes/kernel-fitimage.bbclass | 40 |
1 files changed, 20 insertions, 20 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 2414870817..f5082c93df 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass | |||
@@ -161,7 +161,7 @@ fitimage_emit_section_kernel() { | |||
161 | fi | 161 | fi |
162 | 162 | ||
163 | cat << EOF >> ${1} | 163 | cat << EOF >> ${1} |
164 | kernel@${2} { | 164 | kernel-${2} { |
165 | description = "Linux kernel"; | 165 | description = "Linux kernel"; |
166 | data = /incbin/("${3}"); | 166 | data = /incbin/("${3}"); |
167 | type = "kernel"; | 167 | type = "kernel"; |
@@ -170,7 +170,7 @@ fitimage_emit_section_kernel() { | |||
170 | compression = "${4}"; | 170 | compression = "${4}"; |
171 | load = <${UBOOT_LOADADDRESS}>; | 171 | load = <${UBOOT_LOADADDRESS}>; |
172 | entry = <${ENTRYPOINT}>; | 172 | entry = <${ENTRYPOINT}>; |
173 | hash@1 { | 173 | hash-1 { |
174 | algo = "${kernel_csum}"; | 174 | algo = "${kernel_csum}"; |
175 | }; | 175 | }; |
176 | }; | 176 | }; |
@@ -179,7 +179,7 @@ EOF | |||
179 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then | 179 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then |
180 | sed -i '$ d' ${1} | 180 | sed -i '$ d' ${1} |
181 | cat << EOF >> ${1} | 181 | cat << EOF >> ${1} |
182 | signature@1 { | 182 | signature-1 { |
183 | algo = "${kernel_csum},${kernel_sign_algo}"; | 183 | algo = "${kernel_csum},${kernel_sign_algo}"; |
184 | key-name-hint = "${kernel_sign_keyname}"; | 184 | key-name-hint = "${kernel_sign_keyname}"; |
185 | }; | 185 | }; |
@@ -210,14 +210,14 @@ fitimage_emit_section_dtb() { | |||
210 | dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" | 210 | dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" |
211 | fi | 211 | fi |
212 | cat << EOF >> ${1} | 212 | cat << EOF >> ${1} |
213 | fdt@${2} { | 213 | fdt-${2} { |
214 | description = "Flattened Device Tree blob"; | 214 | description = "Flattened Device Tree blob"; |
215 | data = /incbin/("${3}"); | 215 | data = /incbin/("${3}"); |
216 | type = "flat_dt"; | 216 | type = "flat_dt"; |
217 | arch = "${UBOOT_ARCH}"; | 217 | arch = "${UBOOT_ARCH}"; |
218 | compression = "none"; | 218 | compression = "none"; |
219 | ${dtb_loadline} | 219 | ${dtb_loadline} |
220 | hash@1 { | 220 | hash-1 { |
221 | algo = "${dtb_csum}"; | 221 | algo = "${dtb_csum}"; |
222 | }; | 222 | }; |
223 | }; | 223 | }; |
@@ -226,7 +226,7 @@ EOF | |||
226 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then | 226 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then |
227 | sed -i '$ d' ${1} | 227 | sed -i '$ d' ${1} |
228 | cat << EOF >> ${1} | 228 | cat << EOF >> ${1} |
229 | signature@1 { | 229 | signature-1 { |
230 | algo = "${dtb_csum},${dtb_sign_algo}"; | 230 | algo = "${dtb_csum},${dtb_sign_algo}"; |
231 | key-name-hint = "${dtb_sign_keyname}"; | 231 | key-name-hint = "${dtb_sign_keyname}"; |
232 | }; | 232 | }; |
@@ -283,7 +283,7 @@ fitimage_emit_section_setup() { | |||
283 | setup_csum="${FIT_HASH_ALG}" | 283 | setup_csum="${FIT_HASH_ALG}" |
284 | 284 | ||
285 | cat << EOF >> ${1} | 285 | cat << EOF >> ${1} |
286 | setup@${2} { | 286 | setup-${2} { |
287 | description = "Linux setup.bin"; | 287 | description = "Linux setup.bin"; |
288 | data = /incbin/("${3}"); | 288 | data = /incbin/("${3}"); |
289 | type = "x86_setup"; | 289 | type = "x86_setup"; |
@@ -292,7 +292,7 @@ fitimage_emit_section_setup() { | |||
292 | compression = "none"; | 292 | compression = "none"; |
293 | load = <0x00090000>; | 293 | load = <0x00090000>; |
294 | entry = <0x00090000>; | 294 | entry = <0x00090000>; |
295 | hash@1 { | 295 | hash-1 { |
296 | algo = "${setup_csum}"; | 296 | algo = "${setup_csum}"; |
297 | }; | 297 | }; |
298 | }; | 298 | }; |
@@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() { | |||
321 | fi | 321 | fi |
322 | 322 | ||
323 | cat << EOF >> ${1} | 323 | cat << EOF >> ${1} |
324 | ramdisk@${2} { | 324 | ramdisk-${2} { |
325 | description = "${INITRAMFS_IMAGE}"; | 325 | description = "${INITRAMFS_IMAGE}"; |
326 | data = /incbin/("${3}"); | 326 | data = /incbin/("${3}"); |
327 | type = "ramdisk"; | 327 | type = "ramdisk"; |
@@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() { | |||
330 | compression = "none"; | 330 | compression = "none"; |
331 | ${ramdisk_loadline} | 331 | ${ramdisk_loadline} |
332 | ${ramdisk_entryline} | 332 | ${ramdisk_entryline} |
333 | hash@1 { | 333 | hash-1 { |
334 | algo = "${ramdisk_csum}"; | 334 | algo = "${ramdisk_csum}"; |
335 | }; | 335 | }; |
336 | }; | 336 | }; |
@@ -339,7 +339,7 @@ EOF | |||
339 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then | 339 | if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then |
340 | sed -i '$ d' ${1} | 340 | sed -i '$ d' ${1} |
341 | cat << EOF >> ${1} | 341 | cat << EOF >> ${1} |
342 | signature@1 { | 342 | signature-1 { |
343 | algo = "${ramdisk_csum},${ramdisk_sign_algo}"; | 343 | algo = "${ramdisk_csum},${ramdisk_sign_algo}"; |
344 | key-name-hint = "${ramdisk_sign_keyname}"; | 344 | key-name-hint = "${ramdisk_sign_keyname}"; |
345 | }; | 345 | }; |
@@ -377,7 +377,7 @@ fitimage_emit_section_config() { | |||
377 | # Test if we have any DTBs at all | 377 | # Test if we have any DTBs at all |
378 | sep="" | 378 | sep="" |
379 | conf_desc="" | 379 | conf_desc="" |
380 | conf_node="conf@" | 380 | conf_node="conf-" |
381 | kernel_line="" | 381 | kernel_line="" |
382 | fdt_line="" | 382 | fdt_line="" |
383 | ramdisk_line="" | 383 | ramdisk_line="" |
@@ -396,19 +396,19 @@ fitimage_emit_section_config() { | |||
396 | if [ -n "${kernel_id}" ]; then | 396 | if [ -n "${kernel_id}" ]; then |
397 | conf_desc="Linux kernel" | 397 | conf_desc="Linux kernel" |
398 | sep=", " | 398 | sep=", " |
399 | kernel_line="kernel = \"kernel@${kernel_id}\";" | 399 | kernel_line="kernel = \"kernel-${kernel_id}\";" |
400 | fi | 400 | fi |
401 | 401 | ||
402 | if [ -n "${dtb_image}" ]; then | 402 | if [ -n "${dtb_image}" ]; then |
403 | conf_desc="${conf_desc}${sep}FDT blob" | 403 | conf_desc="${conf_desc}${sep}FDT blob" |
404 | sep=", " | 404 | sep=", " |
405 | fdt_line="fdt = \"fdt@${dtb_image}\";" | 405 | fdt_line="fdt = \"fdt-${dtb_image}\";" |
406 | fi | 406 | fi |
407 | 407 | ||
408 | if [ -n "${ramdisk_id}" ]; then | 408 | if [ -n "${ramdisk_id}" ]; then |
409 | conf_desc="${conf_desc}${sep}ramdisk" | 409 | conf_desc="${conf_desc}${sep}ramdisk" |
410 | sep=", " | 410 | sep=", " |
411 | ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";" | 411 | ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";" |
412 | fi | 412 | fi |
413 | 413 | ||
414 | if [ -n "${bootscr_id}" ]; then | 414 | if [ -n "${bootscr_id}" ]; then |
@@ -419,16 +419,16 @@ fitimage_emit_section_config() { | |||
419 | 419 | ||
420 | if [ -n "${config_id}" ]; then | 420 | if [ -n "${config_id}" ]; then |
421 | conf_desc="${conf_desc}${sep}setup" | 421 | conf_desc="${conf_desc}${sep}setup" |
422 | setup_line="setup = \"setup@${config_id}\";" | 422 | setup_line="setup = \"setup-${config_id}\";" |
423 | fi | 423 | fi |
424 | 424 | ||
425 | if [ "${default_flag}" = "1" ]; then | 425 | if [ "${default_flag}" = "1" ]; then |
426 | # default node is selected based on dtb ID if it is present, | 426 | # default node is selected based on dtb ID if it is present, |
427 | # otherwise its selected based on kernel ID | 427 | # otherwise its selected based on kernel ID |
428 | if [ -n "${dtb_image}" ]; then | 428 | if [ -n "${dtb_image}" ]; then |
429 | default_line="default = \"conf@${dtb_image}\";" | 429 | default_line="default = \"conf-${dtb_image}\";" |
430 | else | 430 | else |
431 | default_line="default = \"conf@${kernel_id}\";" | 431 | default_line="default = \"conf-${kernel_id}\";" |
432 | fi | 432 | fi |
433 | fi | 433 | fi |
434 | 434 | ||
@@ -441,7 +441,7 @@ fitimage_emit_section_config() { | |||
441 | ${ramdisk_line} | 441 | ${ramdisk_line} |
442 | ${bootscr_line} | 442 | ${bootscr_line} |
443 | ${setup_line} | 443 | ${setup_line} |
444 | hash@1 { | 444 | hash-1 { |
445 | algo = "${conf_csum}"; | 445 | algo = "${conf_csum}"; |
446 | }; | 446 | }; |
447 | EOF | 447 | EOF |
@@ -478,7 +478,7 @@ EOF | |||
478 | sign_line="${sign_line};" | 478 | sign_line="${sign_line};" |
479 | 479 | ||
480 | cat << EOF >> ${its_file} | 480 | cat << EOF >> ${its_file} |
481 | signature@1 { | 481 | signature-1 { |
482 | algo = "${conf_csum},${conf_sign_algo}"; | 482 | algo = "${conf_csum},${conf_sign_algo}"; |
483 | key-name-hint = "${conf_sign_keyname}"; | 483 | key-name-hint = "${conf_sign_keyname}"; |
484 | ${sign_line} | 484 | ${sign_line} |