kernel-fitimage: Don't use unit addresses on FIT

Das U-Boot 2021.4-rc1 has the following commit: commit 3f04db891a353f4b127ed57279279f851c6b4917 Author: Simon Glass <sjg@chromium.org> Date: Mon Feb 15 17:08:12 2021 -0700 image: Check for unit addresses in FITs Using unit addresses in a FIT is a security risk. Add a check for this and disallow it. CVE-2021-27138 Adjust the kernel-fitimage.bbclass accordingly to not use unit addresses. This changte is required before we can bump U-Boot to 2021.4. (From OE-Core rev: 14eec2f7c3bbb36de8198989bf772135aa117963) Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> [Backport for Dunfell] Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> 2021-06-01 11:35:37 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-06-11 22:45:27 +0100
commit: ab6b5e97cebe19938baa403da6307ca320294b3a (patch)
tree: fe232998756c14a1c02b20ce2e86835c7e44090a /meta
parent: ca9cb3f3e6507dd536683cdf5b1e3e288c79fdd1 (diff)
download: poky-ab6b5e97cebe19938baa403da6307ca320294b3a.tar.gz
1 files changed, 16 insertions, 16 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index b4d8ff8309..5f5e9dd444 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -124,7 +124,7 @@ fitimage_emit_section_kernel() {
        fi
        cat << EOF >> ${1}
-                kernel@${2} {
+                kernel-${2} {
                        description = "Linux kernel";
                        data = /incbin/("${3}");
                        type = "kernel";
@@ -133,7 +133,7 @@ fitimage_emit_section_kernel() {
                        compression = "${4}";
                        load = <${UBOOT_LOADADDRESS}>;
                        entry = <${ENTRYPOINT}>;
-                        hash@1 {
+                        hash-1 {
                                algo = "${kernel_csum}";
                        };
                };
@@ -160,14 +160,14 @@ fitimage_emit_section_dtb() {
                dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
        fi
        cat << EOF >> ${1}
-                fdt@${2} {
+                fdt-${2} {
                        description = "Flattened Device Tree blob";
                        data = /incbin/("${3}");
                        type = "flat_dt";
                        arch = "${UBOOT_ARCH}";
                        compression = "none";
                        ${dtb_loadline}
-                        hash@1 {
+                        hash-1 {
                                algo = "${dtb_csum}";
                        };
                };
@@ -185,7 +185,7 @@ fitimage_emit_section_setup() {
        setup_csum="${FIT_HASH_ALG}"
        cat << EOF >> ${1}
-                setup@${2} {
+                setup-${2} {
                        description = "Linux setup.bin";
                        data = /incbin/("${3}");
                        type = "x86_setup";
@@ -194,7 +194,7 @@ fitimage_emit_section_setup() {
                        compression = "none";
                        load = <0x00090000>;
                        entry = <0x00090000>;
-                        hash@1 {
+                        hash-1 {
                                algo = "${setup_csum}";
                        };
                };
@@ -221,7 +221,7 @@ fitimage_emit_section_ramdisk() {
        fi
        cat << EOF >> ${1}
-                ramdisk@${2} {
+                ramdisk-${2} {
                        description = "${INITRAMFS_IMAGE}";
                        data = /incbin/("${3}");
                        type = "ramdisk";
@@ -230,7 +230,7 @@ fitimage_emit_section_ramdisk() {
                        compression = "none";
                        ${ramdisk_loadline}
                        ${ramdisk_entryline}
-                        hash@1 {
+                        hash-1 {
                                algo = "${ramdisk_csum}";
                        };
                };
@@ -266,39 +266,39 @@ fitimage_emit_section_config() {
        if [ -n "${2}" ]; then
                conf_desc="Linux kernel"
                sep=", "
-                kernel_line="kernel = \"kernel@${2}\";"
+                kernel_line="kernel = \"kernel-${2}\";"
        fi
        if [ -n "${3}" ]; then
                conf_desc="${conf_desc}${sep}FDT blob"
                sep=", "
-                fdt_line="fdt = \"fdt@${3}\";"
+                fdt_line="fdt = \"fdt-${3}\";"
        fi
        if [ -n "${4}" ]; then
                conf_desc="${conf_desc}${sep}ramdisk"
                sep=", "
-                ramdisk_line="ramdisk = \"ramdisk@${4}\";"
+                ramdisk_line="ramdisk = \"ramdisk-${4}\";"
        fi
        if [ -n "${5}" ]; then
                conf_desc="${conf_desc}${sep}setup"
-                setup_line="setup = \"setup@${5}\";"
+                setup_line="setup = \"setup-${5}\";"
        fi
        if [ "${6}" = "1" ]; then
-                default_line="default = \"conf@${3}\";"
+                default_line="default = \"conf-${3}\";"
        fi
        cat << EOF >> ${1}
                ${default_line}
-                conf@${3} {
+                conf-${3} {
                        description = "${6} ${conf_desc}";
                        ${kernel_line}
                        ${fdt_line}
                        ${ramdisk_line}
                        ${setup_line}
-                        hash@1 {
+                        hash-1 {
                                algo = "${conf_csum}";
                        };
 EOF
@@ -330,7 +330,7 @@ EOF
                sign_line="${sign_line};"
                cat << EOF >> ${1}
-                        signature@1 {
+                        signature-1 {
                                algo = "${conf_csum},${conf_sign_algo}";
                                key-name-hint = "${conf_sign_keyname}";
                                ${sign_line}
author	Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>	2021-06-01 11:35:37 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-06-11 22:45:27 +0100
commit	ab6b5e97cebe19938baa403da6307ca320294b3a (patch)
tree	fe232998756c14a1c02b20ce2e86835c7e44090a /meta
parent	ca9cb3f3e6507dd536683cdf5b1e3e288c79fdd1 (diff)
download	poky-ab6b5e97cebe19938baa403da6307ca320294b3a.tar.gz

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index b4d8ff8309..5f5e9dd444 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass
@@ -124,7 +124,7 @@ fitimage_emit_section_kernel() {
124	fi	124	fi
125		125
126	cat << EOF >> ${1}	126	cat << EOF >> ${1}
127	kernel@${2} {	127	kernel-${2} {
128	description = "Linux kernel";	128	description = "Linux kernel";
129	data = /incbin/("${3}");	129	data = /incbin/("${3}");
130	type = "kernel";	130	type = "kernel";
@@ -133,7 +133,7 @@ fitimage_emit_section_kernel() {
133	compression = "${4}";	133	compression = "${4}";
134	load = <${UBOOT_LOADADDRESS}>;	134	load = <${UBOOT_LOADADDRESS}>;
135	entry = <${ENTRYPOINT}>;	135	entry = <${ENTRYPOINT}>;
136	hash@1 {	136	hash-1 {
137	algo = "${kernel_csum}";	137	algo = "${kernel_csum}";
138	};	138	};
139	};	139	};
@@ -160,14 +160,14 @@ fitimage_emit_section_dtb() {
160	dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"	160	dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
161	fi	161	fi
162	cat << EOF >> ${1}	162	cat << EOF >> ${1}
163	fdt@${2} {	163	fdt-${2} {
164	description = "Flattened Device Tree blob";	164	description = "Flattened Device Tree blob";
165	data = /incbin/("${3}");	165	data = /incbin/("${3}");
166	type = "flat_dt";	166	type = "flat_dt";
167	arch = "${UBOOT_ARCH}";	167	arch = "${UBOOT_ARCH}";
168	compression = "none";	168	compression = "none";
169	${dtb_loadline}	169	${dtb_loadline}
170	hash@1 {	170	hash-1 {
171	algo = "${dtb_csum}";	171	algo = "${dtb_csum}";
172	};	172	};
173	};	173	};
@@ -185,7 +185,7 @@ fitimage_emit_section_setup() {
185	setup_csum="${FIT_HASH_ALG}"	185	setup_csum="${FIT_HASH_ALG}"
186		186
187	cat << EOF >> ${1}	187	cat << EOF >> ${1}
188	setup@${2} {	188	setup-${2} {
189	description = "Linux setup.bin";	189	description = "Linux setup.bin";
190	data = /incbin/("${3}");	190	data = /incbin/("${3}");
191	type = "x86_setup";	191	type = "x86_setup";
@@ -194,7 +194,7 @@ fitimage_emit_section_setup() {
194	compression = "none";	194	compression = "none";
195	load = <0x00090000>;	195	load = <0x00090000>;
196	entry = <0x00090000>;	196	entry = <0x00090000>;
197	hash@1 {	197	hash-1 {
198	algo = "${setup_csum}";	198	algo = "${setup_csum}";
199	};	199	};
200	};	200	};
@@ -221,7 +221,7 @@ fitimage_emit_section_ramdisk() {
221	fi	221	fi
222		222
223	cat << EOF >> ${1}	223	cat << EOF >> ${1}
224	ramdisk@${2} {	224	ramdisk-${2} {
225	description = "${INITRAMFS_IMAGE}";	225	description = "${INITRAMFS_IMAGE}";
226	data = /incbin/("${3}");	226	data = /incbin/("${3}");
227	type = "ramdisk";	227	type = "ramdisk";
@@ -230,7 +230,7 @@ fitimage_emit_section_ramdisk() {
230	compression = "none";	230	compression = "none";
231	${ramdisk_loadline}	231	${ramdisk_loadline}
232	${ramdisk_entryline}	232	${ramdisk_entryline}
233	hash@1 {	233	hash-1 {
234	algo = "${ramdisk_csum}";	234	algo = "${ramdisk_csum}";
235	};	235	};
236	};	236	};
@@ -266,39 +266,39 @@ fitimage_emit_section_config() {
266	if [ -n "${2}" ]; then	266	if [ -n "${2}" ]; then
267	conf_desc="Linux kernel"	267	conf_desc="Linux kernel"
268	sep=", "	268	sep=", "
269	kernel_line="kernel = \"kernel@${2}\";"	269	kernel_line="kernel = \"kernel-${2}\";"
270	fi	270	fi
271		271
272	if [ -n "${3}" ]; then	272	if [ -n "${3}" ]; then
273	conf_desc="${conf_desc}${sep}FDT blob"	273	conf_desc="${conf_desc}${sep}FDT blob"
274	sep=", "	274	sep=", "
275	fdt_line="fdt = \"fdt@${3}\";"	275	fdt_line="fdt = \"fdt-${3}\";"
276	fi	276	fi
277		277
278	if [ -n "${4}" ]; then	278	if [ -n "${4}" ]; then
279	conf_desc="${conf_desc}${sep}ramdisk"	279	conf_desc="${conf_desc}${sep}ramdisk"
280	sep=", "	280	sep=", "
281	ramdisk_line="ramdisk = \"ramdisk@${4}\";"	281	ramdisk_line="ramdisk = \"ramdisk-${4}\";"
282	fi	282	fi
283		283
284	if [ -n "${5}" ]; then	284	if [ -n "${5}" ]; then
285	conf_desc="${conf_desc}${sep}setup"	285	conf_desc="${conf_desc}${sep}setup"
286	setup_line="setup = \"setup@${5}\";"	286	setup_line="setup = \"setup-${5}\";"
287	fi	287	fi
288		288
289	if [ "${6}" = "1" ]; then	289	if [ "${6}" = "1" ]; then
290	default_line="default = \"conf@${3}\";"	290	default_line="default = \"conf-${3}\";"
291	fi	291	fi
292		292
293	cat << EOF >> ${1}	293	cat << EOF >> ${1}
294	${default_line}	294	${default_line}
295	conf@${3} {	295	conf-${3} {
296	description = "${6} ${conf_desc}";	296	description = "${6} ${conf_desc}";
297	${kernel_line}	297	${kernel_line}
298	${fdt_line}	298	${fdt_line}
299	${ramdisk_line}	299	${ramdisk_line}
300	${setup_line}	300	${setup_line}
301	hash@1 {	301	hash-1 {
302	algo = "${conf_csum}";	302	algo = "${conf_csum}";
303	};	303	};
304	EOF	304	EOF
@@ -330,7 +330,7 @@ EOF
330	sign_line="${sign_line};"	330	sign_line="${sign_line};"
331		331
332	cat << EOF >> ${1}	332	cat << EOF >> ${1}
333	signature@1 {	333	signature-1 {
334	algo = "${conf_csum},${conf_sign_algo}";	334	algo = "${conf_csum},${conf_sign_algo}";
335	key-name-hint = "${conf_sign_keyname}";	335	key-name-hint = "${conf_sign_keyname}";
336	${sign_line}	336	${sign_line}