From cfc0e21b1066b5d5d0fc37fbc5d79f40f4576f1d Mon Sep 17 00:00:00 2001
From: Klaus Heinrich Kiwi
Date: Mon, 22 Feb 2021 15:38:19 -0300
Subject: kernel-fitimage: Don't use unit addresses on FIT

Das U-Boot 2021.4-rc1 has the following commit:

commit 3f04db891a353f4b127ed57279279f851c6b4917
Author: Simon Glass
Date: Mon Feb 15 17:08:12 2021 -0700

image: Check for unit addresses in FITs

Using unit addresses in a FIT is a security risk. Add a check for this and disallow it.

CVE-2021-27138

Adjust the kernel-fitimage.bbclass accordingly to not use unit addresses.

This changte is required before we can bump U-Boot to 2021.4.

(From OE-Core rev: 6047be9f8f0f5d616fda11d83b682c1b8aeaa0ae)

Signed-off-by: Klaus Heinrich Kiwi
Signed-off-by: Richard Purdie
---
 meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

(limited to 'meta/classes')

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 2414870817..f5082c93df 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
 fi
 
 cat << EOF >> ${1}
- kernel@${2} {
+ kernel-${2} {
 description = "Linux kernel";
 data = /incbin/("${3}");
 type = "kernel";
@@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
 compression = "${4}";
 load = <${UBOOT_LOADADDRESS}>;
 entry = <${ENTRYPOINT}>;
- hash@1 {
+ hash-1 {
 algo = "${kernel_csum}";
 };
 };
@@ -179,7 +179,7 @@ EOF
 if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
 sed -i '$ d' ${1}
 cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
 algo = "${kernel_csum},${kernel_sign_algo}";
 key-name-hint = "${kernel_sign_keyname}";
 };
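Review bot: The rename from `kernel@${2}` to `kernel-${2}` in the first hunk leaves no trace in the class of why the `@` form must not come back, so a later copy-paste of an ITS snippet is likely to reintroduce a unit address and break the boot on the U-Boot version this commit targets. Add a comment above the heredoc, e.g. `# Do not use unit addresses (name@N) in node names: U-Boot 2021.4-rc1 and later reject them (CVE-2021-27138); use name-N instead.`, and the same sentence once near the top of the class would also cover the dtb, setup, ramdisk and config sections changed by the later hunks. fitimage_emit_section_kernel begins before this hunk and its body continues past the third hunk.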
@@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
 dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
 fi
 cat << EOF >> ${1}
- fdt@${2} {
+ fdt-${2} {
 description = "Flattened Device Tree blob";
 data = /incbin/("${3}");
 type = "flat_dt";
 arch = "${UBOOT_ARCH}";
 compression = "none";
 ${dtb_loadline}
- hash@1 {
+ hash-1 {
 algo = "${dtb_csum}";
 };
 };
@@ -226,7 +226,7 @@ EOF
 if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
 sed -i '$ d' ${1}
 cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
 algo = "${dtb_csum},${dtb_sign_algo}";
 key-name-hint = "${dtb_sign_keyname}";
 };
@@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
 setup_csum="${FIT_HASH_ALG}"
 
 cat << EOF >> ${1}
- setup@${2} {
+ setup-${2} {
 description = "Linux setup.bin";
 data = /incbin/("${3}");
 type = "x86_setup";
@@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
 compression = "none";
 load = <0x00090000>;
 entry = <0x00090000>;
- hash@1 {
+ hash-1 {
 algo = "${setup_csum}";
 };
 };
@@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
 fi
 
 cat << EOF >> ${1}
- ramdisk@${2} {
+ ramdisk-${2} {
 description = "${INITRAMFS_IMAGE}";
 data = /incbin/("${3}");
 type = "ramdisk";
@@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
 compression = "none";
 ${ramdisk_loadline}
 ${ramdisk_entryline}
- hash@1 {
+ hash-1 {
 algo = "${ramdisk_csum}";
 };
 };
@@ -339,7 +339,7 @@ EOF
 if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
 sed -i '$ d' ${1}
 cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
 algo = "${ramdisk_csum},${ramdisk_sign_algo}";
 key-name-hint = "${ramdisk_sign_keyname}";
 };
@@ -377,7 +377,7 @@ fitimage_emit_section_config() {
 # Test if we have any DTBs at all
 sep=""
 conf_desc=""
- conf_node="conf@"
+ conf_node="conf-"
 kernel_line=""
 fdt_line=""
 ramdisk_line=""
@@ -396,19 +396,19 @@ fitimage_emit_section_config() {
 if [ -n "${kernel_id}" ]; then
 conf_desc="Linux kernel"
 sep=", "
- kernel_line="kernel = \"kernel@${kernel_id}\";"
+ kernel_line="kernel = \"kernel-${kernel_id}\";"
 fi
 
 if [ -n "${dtb_image}" ]; then
 conf_desc="${conf_desc}${sep}FDT blob"
 sep=", "
- fdt_line="fdt = \"fdt@${dtb_image}\";"
+ fdt_line="fdt = \"fdt-${dtb_image}\";"
 fi
 
 if [ -n "${ramdisk_id}" ]; then
 conf_desc="${conf_desc}${sep}ramdisk"
 sep=", "
- ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
+ ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
 fi
 
 if [ -n "${bootscr_id}" ]; then
@@ -419,16 +419,16 @@ fitimage_emit_section_config() {
 
 if [ -n "${config_id}" ]; then
 conf_desc="${conf_desc}${sep}setup"
- setup_line="setup = \"setup@${config_id}\";"
+ setup_line="setup = \"setup-${config_id}\";"
 fi
 
 if [ "${default_flag}" = "1" ]; then
 # default node is selected based on dtb ID if it is present,
 # otherwise its selected based on kernel ID
 if [ -n "${dtb_image}" ]; then
- default_line="default = \"conf@${dtb_image}\";"
+ default_line="default = \"conf-${dtb_image}\";"
 else
- default_line="default = \"conf@${kernel_id}\";"
+ default_line="default = \"conf-${kernel_id}\";"
 fi
 fi
 
@@ -441,7 +441,7 @@ fitimage_emit_section_config() {
 ${ramdisk_line}
 ${bootscr_line}
 ${setup_line}
- hash@1 {
+ hash-1 {
 algo = "${conf_csum}";
 };
 EOF
@@ -478,7 +478,7 @@ EOF
 sign_line="${sign_line};"
 
 cat << EOF >> ${its_file}
- signature@1 {
+ signature-1 {
 algo = "${conf_csum},${conf_sign_algo}";
 key-name-hint = "${conf_sign_keyname}";
 ${sign_line}
-- 
cgit v1.2.3-54-g00ecf
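Review bot: The `if [ -n "${bootscr_id}" ]; then` block this hunk ends on, and the `bootscr_line` assignment inside it, are not touched anywhere in the diff, yet `${bootscr_line}` is still emitted into the configuration node by the hunk at -441,7. The assignment sits in the four unchanged lines between this hunk and the one at -419,16, so I cannot see it, but the diffstat (20/20, all accounted for by the visible renames) implies it still reads `bootscr = \"bootscr@${bootscr_id}\";`; if so, any FIT that includes a boot script keeps one unit-address reference and will presumably be rejected by the U-Boot check the commit message cites, and the node emitted by the boot-script section (presumably `bootscr@${2} {`, also outside this diff) would be rejected for the same reason. Please extend the rename to `bootscr_line="bootscr = \"bootscr-${bootscr_id}\";"` and to that node name, or confirm they were already converted in a separate change. fitimage_emit_section_config starts before this hunk and continues past the hunk at -478,7.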