diff options
| author | Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> | 2021-02-22 15:38:19 -0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-02-23 22:35:01 +0000 |
| commit | cfc0e21b1066b5d5d0fc37fbc5d79f40f4576f1d (patch) | |
| tree | 7d0a439625f01351a6a2baa152c21f3d5988da69 /meta/lib | |
| parent | b2d8e3cf620133ea8121b67dc6b449cd7d4ebc02 (diff) | |
| download | poky-cfc0e21b1066b5d5d0fc37fbc5d79f40f4576f1d.tar.gz | |
kernel-fitimage: Don't use unit addresses on FIT
Das U-Boot 2021.4-rc1 has the following commit:
commit 3f04db891a353f4b127ed57279279f851c6b4917
Author: Simon Glass <sjg@chromium.org>
Date: Mon Feb 15 17:08:12 2021 -0700
image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for
this and disallow it.
CVE-2021-27138
Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This changte is required before we can bump U-Boot to 2021.4.
(From OE-Core rev: 6047be9f8f0f5d616fda11d83b682c1b8aeaa0ae)
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib')
| -rw-r--r-- | meta/lib/oeqa/selftest/cases/fitimage.py | 36 |
1 files changed, 18 insertions, 18 deletions
diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py index 0958036a6f..02692de822 100644 --- a/meta/lib/oeqa/selftest/cases/fitimage.py +++ b/meta/lib/oeqa/selftest/cases/fitimage.py | |||
| @@ -69,9 +69,9 @@ FIT_DESC = "A model description" | |||
| 69 | 'type = "ramdisk";', | 69 | 'type = "ramdisk";', |
| 70 | 'load = <0x88000000>;', | 70 | 'load = <0x88000000>;', |
| 71 | 'entry = <0x88000000>;', | 71 | 'entry = <0x88000000>;', |
| 72 | 'default = "conf@1";', | 72 | 'default = "conf-1";', |
| 73 | 'kernel = "kernel@1";', | 73 | 'kernel = "kernel-1";', |
| 74 | 'ramdisk = "ramdisk@1";' | 74 | 'ramdisk = "ramdisk-1";' |
| 75 | ] | 75 | ] |
| 76 | 76 | ||
| 77 | with open(fitimage_its_path) as its_file: | 77 | with open(fitimage_its_path) as its_file: |
| @@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" | |||
| 137 | "%s FIT image doesn't exist" % (fitimage_path)) | 137 | "%s FIT image doesn't exist" % (fitimage_path)) |
| 138 | 138 | ||
| 139 | req_itspaths = [ | 139 | req_itspaths = [ |
| 140 | ['/', 'images', 'kernel@1'], | 140 | ['/', 'images', 'kernel-1'], |
| 141 | ['/', 'images', 'kernel@1', 'signature@1'], | 141 | ['/', 'images', 'kernel-1', 'signature-1'], |
| 142 | ['/', 'images', 'fdt@am335x-boneblack.dtb'], | 142 | ['/', 'images', 'fdt-am335x-boneblack.dtb'], |
| 143 | ['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'], | 143 | ['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'], |
| 144 | ['/', 'configurations', 'conf@am335x-boneblack.dtb'], | 144 | ['/', 'configurations', 'conf-am335x-boneblack.dtb'], |
| 145 | ['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'], | 145 | ['/', 'configurations', 'conf-am335x-boneblack.dtb', 'signature-1'], |
| 146 | ] | 146 | ] |
| 147 | 147 | ||
| 148 | itspath = [] | 148 | itspath = [] |
| @@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" | |||
| 158 | elif line.endswith('{'): | 158 | elif line.endswith('{'): |
| 159 | itspath.append(line[:-1].strip()) | 159 | itspath.append(line[:-1].strip()) |
| 160 | itspaths.append(itspath[:]) | 160 | itspaths.append(itspath[:]) |
| 161 | elif itspath and itspath[-1] == 'signature@1': | 161 | elif itspath and itspath[-1] == 'signature-1': |
| 162 | itsdotpath = '.'.join(itspath) | 162 | itsdotpath = '.'.join(itspath) |
| 163 | if not itsdotpath in sigs: | 163 | if not itsdotpath in sigs: |
| 164 | sigs[itsdotpath] = {} | 164 | sigs[itsdotpath] = {} |
| @@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" | |||
| 182 | } | 182 | } |
| 183 | 183 | ||
| 184 | for itspath, values in sigs.items(): | 184 | for itspath, values in sigs.items(): |
| 185 | if 'conf@' in itspath: | 185 | if 'conf-' in itspath: |
| 186 | reqsigvalues = reqsigvalues_config | 186 | reqsigvalues = reqsigvalues_config |
| 187 | else: | 187 | else: |
| 188 | reqsigvalues = reqsigvalues_image | 188 | reqsigvalues = reqsigvalues_image |
| @@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" | |||
| 210 | signed_sections[in_signed] = {} | 210 | signed_sections[in_signed] = {} |
| 211 | key, value = line.split(':', 1) | 211 | key, value = line.split(':', 1) |
| 212 | signed_sections[in_signed][key.strip()] = value.strip() | 212 | signed_sections[in_signed][key.strip()] = value.strip() |
| 213 | self.assertIn('kernel@1', signed_sections) | 213 | self.assertIn('kernel-1', signed_sections) |
| 214 | self.assertIn('fdt@am335x-boneblack.dtb', signed_sections) | 214 | self.assertIn('fdt-am335x-boneblack.dtb', signed_sections) |
| 215 | self.assertIn('conf@am335x-boneblack.dtb', signed_sections) | 215 | self.assertIn('conf-am335x-boneblack.dtb', signed_sections) |
| 216 | for signed_section, values in signed_sections.items(): | 216 | for signed_section, values in signed_sections.items(): |
| 217 | value = values.get('Sign algo', None) | 217 | value = values.get('Sign algo', None) |
| 218 | self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section) | 218 | self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section) |
| @@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256" | |||
| 298 | its_lines = [line.strip() for line in its_file.readlines()] | 298 | its_lines = [line.strip() for line in its_file.readlines()] |
| 299 | 299 | ||
| 300 | exp_node_lines = [ | 300 | exp_node_lines = [ |
| 301 | 'kernel@1 {', | 301 | 'kernel-1 {', |
| 302 | 'description = "Linux kernel";', | 302 | 'description = "Linux kernel";', |
| 303 | 'data = /incbin/("' + initramfs_bundle + '");', | 303 | 'data = /incbin/("' + initramfs_bundle + '");', |
| 304 | 'type = "kernel";', | 304 | 'type = "kernel";', |
| @@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256" | |||
| 307 | 'compression = "none";', | 307 | 'compression = "none";', |
| 308 | 'load = <' + kernel_load + '>;', | 308 | 'load = <' + kernel_load + '>;', |
| 309 | 'entry = <' + kernel_entry + '>;', | 309 | 'entry = <' + kernel_entry + '>;', |
| 310 | 'hash@1 {', | 310 | 'hash-1 {', |
| 311 | 'algo = "' + fit_hash_alg +'";', | 311 | 'algo = "' + fit_hash_alg +'";', |
| 312 | '};', | 312 | '};', |
| 313 | '};' | 313 | '};' |
| @@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256" | |||
| 327 | else: | 327 | else: |
| 328 | self.assertTrue(test_passed == True,"kernel node does not match expectation") | 328 | self.assertTrue(test_passed == True,"kernel node does not match expectation") |
| 329 | 329 | ||
| 330 | rx_configs = re.compile("^conf@.*") | 330 | rx_configs = re.compile("^conf-.*") |
| 331 | its_configs = list(filter(rx_configs.match, its_lines)) | 331 | its_configs = list(filter(rx_configs.match, its_lines)) |
| 332 | 332 | ||
| 333 | for cfg_str in its_configs: | 333 | for cfg_str in its_configs: |
| @@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256" | |||
| 348 | else: | 348 | else: |
| 349 | print("kernel keyword found in the description line") | 349 | print("kernel keyword found in the description line") |
| 350 | 350 | ||
| 351 | if 'kernel = "kernel@1";' not in node: | 351 | if 'kernel = "kernel-1";' not in node: |
| 352 | self.assertTrue(test_passed == True,"kernel line not found") | 352 | self.assertTrue(test_passed == True,"kernel line not found") |
| 353 | break | 353 | break |
| 354 | else: | 354 | else: |