1 files changed, 98 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch
new file mode 100644
index 0000000000..d784452b44
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch
@@ -0,0 +1,98 @@
+From 67acad3db71bb372458fbb8a77749f5eb88aa324 Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Wed, 18 Mar 2020 11:44:01 -0600
+Subject: [PATCH] image: Check hash-nodes when checking configurations
+It is currently possible to use a different configuration's signature and
+thus bypass the configuration check. Make sure that the configuration node
+that was hashed matches the one being checked, to catch this problem.
+Also add a proper function comment to fit_config_check_sig() and make it
+static.
+Signed-off-by: Simon Glass <sjg@chromium.org>
+CVE: CVE-2020-10648
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/67acad3db71bb372458fbb8a77749f5eb88aa324]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ common/image-sig.c | 36 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 33 insertions(+), 3 deletions(-)
+diff --git a/common/image-sig.c b/common/image-sig.c
+index 13ccd50bc5..03143a4040 100644
+--- a/common/image-sig.c
+++ b/common/image-sig.c
+@@ -359,20 +359,39 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
+        return 0;
+ }
+ 
+-int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
+-                        char **err_msgp)
+/**
+ * fit_config_check_sig() - Check the signature of a config
+ *
+ * @fit: FIT to check
+ * @noffset: Offset of configuration node (e.g. /configurations/conf-1)
+ * @required_keynode:  Offset in the control FDT of the required key node,
+ *                     if any. If this is given, then the configuration wil not
+ *                     pass verification unless that key is used. If this is
+ *                     -1 then any signature will do.
+ * @conf_noffset: Offset of the configuration subnode being checked (e.g.
+ *      /configurations/conf-1/kernel)
+ * @err_msgp:          In the event of an error, this will be pointed to a
+ *                     help error string to display to the user.
+ * @return 0 if all verified ok, <0 on error
+ */
+static int fit_config_check_sig(const void *fit, int noffset,
+                               int required_keynode, int conf_noffset,
+                               char **err_msgp)
+ {
+        char * const exc_prop[] = {"data"};
+        const char *prop, *end, *name;
+        struct image_sign_info info;
+        const uint32_t *strings;
+       const char *config_name;
+        uint8_t *fit_value;
+        int fit_value_len;
+       bool found_config;
+        int max_regions;
+        int i, prop_len;
+        char path[200];
+        int count;
+ 
+       config_name = fit_get_name(fit, conf_noffset, NULL);
+        debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
+              fit_get_name(fit, noffset, NULL),
+              fit_get_name(gd_fdt_blob(), required_keynode, NULL));
+@@ -413,9 +432,20 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
+        char *node_inc[count];
+ 
+        debug("Hash nodes (%d):\n", count);
+       found_config = false;
+        for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
+                debug("   '%s'\n", name);
+                node_inc[i] = (char *)name;
+               if (!strncmp(FIT_CONFS_PATH, name, strlen(FIT_CONFS_PATH)) &&
+                   name[sizeof(FIT_CONFS_PATH) - 1] == '/' &&
+                   !strcmp(name + sizeof(FIT_CONFS_PATH), config_name)) {
+                       debug("      (found config node %s)", config_name);
+                       found_config = true;
+               }
+       }
+       if (!found_config) {
+               *err_msgp = "Selected config not in hashed nodes";
+               return -1;
+        }
+ 
+        /*
+@@ -483,7 +513,7 @@ static int fit_config_verify_sig(const void *fit, int conf_noffset,
+                if (!strncmp(name, FIT_SIG_NODENAME,
+                             strlen(FIT_SIG_NODENAME))) {
+                        ret = fit_config_check_sig(fit, noffset, sig_offset,
+-                                                  &err_msg);
+                                                  conf_noffset, &err_msg);
+                        if (ret) {
+                                puts("- ");
+                        } else {

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch new file mode 100644 index 0000000000..d784452b44 --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-1.patch
@@ -0,0 +1,98 @@
	1	From 67acad3db71bb372458fbb8a77749f5eb88aa324 Mon Sep 17 00:00:00 2001
	2	From: Simon Glass <sjg@chromium.org>
	3	Date: Wed, 18 Mar 2020 11:44:01 -0600
	4	Subject: [PATCH] image: Check hash-nodes when checking configurations
	5
	6	It is currently possible to use a different configuration's signature and
	7	thus bypass the configuration check. Make sure that the configuration node
	8	that was hashed matches the one being checked, to catch this problem.
	9
	10	Also add a proper function comment to fit_config_check_sig() and make it
	11	static.
	12
	13	Signed-off-by: Simon Glass <sjg@chromium.org>
	14
	15	CVE: CVE-2020-10648
	16	Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/67acad3db71bb372458fbb8a77749f5eb88aa324]
	17	Signed-off-by: Scott Murray <scott.murray@konsulko.com>
	18
	19	---
	20	common/image-sig.c \| 36 +++++++++++++++++++++++++++++++++---
	21	1 file changed, 33 insertions(+), 3 deletions(-)
	22
	23	diff --git a/common/image-sig.c b/common/image-sig.c
	24	index 13ccd50bc5..03143a4040 100644
	25	--- a/common/image-sig.c
	26	+++ b/common/image-sig.c
	27	@@ -359,20 +359,39 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
	28	return 0;
	29	}
	30
	31	-int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
	32	- char **err_msgp)
	33	+/**
	34	+ * fit_config_check_sig() - Check the signature of a config
	35	+ *
	36	+ * @fit: FIT to check
	37	+ * @noffset: Offset of configuration node (e.g. /configurations/conf-1)
	38	+ * @required_keynode: Offset in the control FDT of the required key node,
	39	+ * if any. If this is given, then the configuration wil not
	40	+ * pass verification unless that key is used. If this is
	41	+ * -1 then any signature will do.
	42	+ * @conf_noffset: Offset of the configuration subnode being checked (e.g.
	43	+ * /configurations/conf-1/kernel)
	44	+ * @err_msgp: In the event of an error, this will be pointed to a
	45	+ * help error string to display to the user.
	46	+ * @return 0 if all verified ok, <0 on error
	47	+ */
	48	+static int fit_config_check_sig(const void *fit, int noffset,
	49	+ int required_keynode, int conf_noffset,
	50	+ char **err_msgp)
	51	{
	52	char * const exc_prop[] = {"data"};
	53	const char prop, end, *name;
	54	struct image_sign_info info;
	55	const uint32_t *strings;
	56	+ const char *config_name;
	57	uint8_t *fit_value;
	58	int fit_value_len;
	59	+ bool found_config;
	60	int max_regions;
	61	int i, prop_len;
	62	char path[200];
	63	int count;
	64
	65	+ config_name = fit_get_name(fit, conf_noffset, NULL);
	66	debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
	67	fit_get_name(fit, noffset, NULL),
	68	fit_get_name(gd_fdt_blob(), required_keynode, NULL));
	69	@@ -413,9 +432,20 @@ int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
	70	char *node_inc[count];
	71
	72	debug("Hash nodes (%d):\n", count);
	73	+ found_config = false;
	74	for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
	75	debug(" '%s'\n", name);
	76	node_inc[i] = (char *)name;
	77	+ if (!strncmp(FIT_CONFS_PATH, name, strlen(FIT_CONFS_PATH)) &&
	78	+ name[sizeof(FIT_CONFS_PATH) - 1] == '/' &&
	79	+ !strcmp(name + sizeof(FIT_CONFS_PATH), config_name)) {
	80	+ debug(" (found config node %s)", config_name);
	81	+ found_config = true;
	82	+ }
	83	+ }
	84	+ if (!found_config) {
	85	+ *err_msgp = "Selected config not in hashed nodes";
	86	+ return -1;
	87	}
	88
	89	/*
	90	@@ -483,7 +513,7 @@ static int fit_config_verify_sig(const void *fit, int conf_noffset,
	91	if (!strncmp(name, FIT_SIG_NODENAME,
	92	strlen(FIT_SIG_NODENAME))) {
	93	ret = fit_config_check_sig(fit, noffset, sig_offset,
	94	- &err_msg);
	95	+ conf_noffset, &err_msg);
	96	if (ret) {
	97	puts("- ");
	98	} else {