1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch
new file mode 100644
index 0000000000..023f7eac0a
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch
@@ -0,0 +1,52 @@
+From 8a9d03732e6d0f68107c80919096e7cf956dcb3d Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Wed, 18 Mar 2020 11:44:02 -0600
+Subject: [PATCH] image: Load the correct configuration in fit_check_sign
+At present bootm_host_load_images() is passed the configuration that has
+been verified, but ignores it and just uses the default configuration.
+This may not be the same.
+Update this function to use the selected configuration.
+Signed-off-by: Simon Glass <sjg@chromium.org>
+CVE: CVE-2020-10648
+Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a9d03732e6d0f68107c80919096e7cf956dcb3d]
+Signed-off-by: Scott Murray <scott.murray@konsulko.com>
+---
+ common/bootm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/common/bootm.c b/common/bootm.c
+index 902c13880d..db4362a643 100644
+--- a/common/bootm.c
+++ b/common/bootm.c
+@@ -819,7 +819,8 @@ void __weak switch_to_non_secure_mode(void)
+ #else /* USE_HOSTCC */
+ 
+ #if defined(CONFIG_FIT_SIGNATURE)
+-static int bootm_host_load_image(const void *fit, int req_image_type)
+static int bootm_host_load_image(const void *fit, int req_image_type,
+                                int cfg_noffset)
+ {
+        const char *fit_uname_config = NULL;
+        ulong data, len;
+@@ -831,6 +832,7 @@ static int bootm_host_load_image(const void *fit, int req_image_type)
+        void *load_buf;
+        int ret;
+ 
+       fit_uname_config = fdt_get_name(fit, cfg_noffset, NULL);
+        memset(&images, '\0', sizeof(images));
+        images.verify = 1;
+        noffset = fit_image_load(&images, (ulong)fit,
+@@ -878,7 +880,7 @@ int bootm_host_load_images(const void *fit, int cfg_noffset)
+        for (i = 0; i < ARRAY_SIZE(image_types); i++) {
+                int ret;
+ 
+-               ret = bootm_host_load_image(fit, image_types[i]);
+               ret = bootm_host_load_image(fit, image_types[i], cfg_noffset);
+                if (!err && ret && ret != -ENOENT)
+                        err = ret;
+        }

diff --git a/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch new file mode 100644 index 0000000000..023f7eac0a --- /dev/null +++ b/meta/recipes-bsp/u-boot/files/CVE-2020-10648-2.patch
@@ -0,0 +1,52 @@
	1	From 8a9d03732e6d0f68107c80919096e7cf956dcb3d Mon Sep 17 00:00:00 2001
	2	From: Simon Glass <sjg@chromium.org>
	3	Date: Wed, 18 Mar 2020 11:44:02 -0600
	4	Subject: [PATCH] image: Load the correct configuration in fit_check_sign
	5
	6	At present bootm_host_load_images() is passed the configuration that has
	7	been verified, but ignores it and just uses the default configuration.
	8	This may not be the same.
	9
	10	Update this function to use the selected configuration.
	11
	12	Signed-off-by: Simon Glass <sjg@chromium.org>
	13
	14	CVE: CVE-2020-10648
	15	Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/8a9d03732e6d0f68107c80919096e7cf956dcb3d]
	16	Signed-off-by: Scott Murray <scott.murray@konsulko.com>
	17
	18	---
	19	common/bootm.c \| 6 ++++--
	20	1 file changed, 4 insertions(+), 2 deletions(-)
	21
	22	diff --git a/common/bootm.c b/common/bootm.c
	23	index 902c13880d..db4362a643 100644
	24	--- a/common/bootm.c
	25	+++ b/common/bootm.c
	26	@@ -819,7 +819,8 @@ void __weak switch_to_non_secure_mode(void)
	27	#else /* USE_HOSTCC */
	28
	29	#if defined(CONFIG_FIT_SIGNATURE)
	30	-static int bootm_host_load_image(const void *fit, int req_image_type)
	31	+static int bootm_host_load_image(const void *fit, int req_image_type,
	32	+ int cfg_noffset)
	33	{
	34	const char *fit_uname_config = NULL;
	35	ulong data, len;
	36	@@ -831,6 +832,7 @@ static int bootm_host_load_image(const void *fit, int req_image_type)
	37	void *load_buf;
	38	int ret;
	39
	40	+ fit_uname_config = fdt_get_name(fit, cfg_noffset, NULL);
	41	memset(&images, '\0', sizeof(images));
	42	images.verify = 1;
	43	noffset = fit_image_load(&images, (ulong)fit,
	44	@@ -878,7 +880,7 @@ int bootm_host_load_images(const void *fit, int cfg_noffset)
	45	for (i = 0; i < ARRAY_SIZE(image_types); i++) {
	46	int ret;
	47
	48	- ret = bootm_host_load_image(fit, image_types[i]);
	49	+ ret = bootm_host_load_image(fit, image_types[i], cfg_noffset);
	50	if (!err && ret && ret != -ENOENT)
	51	err = ret;
	52	}