kernel-fitimage: Don't use unit addresses on FIT

Das U-Boot 2021.4-rc1 has the following commit: commit 3f04db891a353f4b127ed57279279f851c6b4917 Author: Simon Glass <sjg@chromium.org> Date: Mon Feb 15 17:08:12 2021 -0700 image: Check for unit addresses in FITs Using unit addresses in a FIT is a security risk. Add a check for this and disallow it. CVE-2021-27138 Adjust the kernel-fitimage.bbclass accordingly to not use unit addresses. This changte is required before we can bump U-Boot to 2021.4. (From OE-Core rev: 6047be9f8f0f5d616fda11d83b682c1b8aeaa0ae) Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> 2021-02-22 15:38:19 -0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-02-23 22:35:01 +0000
commit: cfc0e21b1066b5d5d0fc37fbc5d79f40f4576f1d (patch)
tree: 7d0a439625f01351a6a2baa152c21f3d5988da69 /meta/classes
parent: b2d8e3cf620133ea8121b67dc6b449cd7d4ebc02 (diff)
download: poky-cfc0e21b1066b5d5d0fc37fbc5d79f40f4576f1d.tar.gz
1 files changed, 20 insertions, 20 deletions
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 2414870817..f5082c93df 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
        fi
        cat << EOF >> ${1}
-                kernel@${2} {
+                kernel-${2} {
                        description = "Linux kernel";
                        data = /incbin/("${3}");
                        type = "kernel";
@@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
                        compression = "${4}";
                        load = <${UBOOT_LOADADDRESS}>;
                        entry = <${ENTRYPOINT}>;
-                        hash@1 {
+                        hash-1 {
                                algo = "${kernel_csum}";
                        };
                };
@@ -179,7 +179,7 @@ EOF
        if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
                sed -i '$ d' ${1}
                cat << EOF >> ${1}
-                        signature@1 {
+                        signature-1 {
                                algo = "${kernel_csum},${kernel_sign_algo}";
                                key-name-hint = "${kernel_sign_keyname}";
                        };
@@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
                dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
        fi
        cat << EOF >> ${1}
-                fdt@${2} {
+                fdt-${2} {
                        description = "Flattened Device Tree blob";
                        data = /incbin/("${3}");
                        type = "flat_dt";
                        arch = "${UBOOT_ARCH}";
                        compression = "none";
                        ${dtb_loadline}
-                        hash@1 {
+                        hash-1 {
                                algo = "${dtb_csum}";
                        };
                };
@@ -226,7 +226,7 @@ EOF
        if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
                sed -i '$ d' ${1}
                cat << EOF >> ${1}
-                        signature@1 {
+                        signature-1 {
                                algo = "${dtb_csum},${dtb_sign_algo}";
                                key-name-hint = "${dtb_sign_keyname}";
                        };
@@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
        setup_csum="${FIT_HASH_ALG}"
        cat << EOF >> ${1}
-                setup@${2} {
+                setup-${2} {
                        description = "Linux setup.bin";
                        data = /incbin/("${3}");
                        type = "x86_setup";
@@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
                        compression = "none";
                        load = <0x00090000>;
                        entry = <0x00090000>;
-                        hash@1 {
+                        hash-1 {
                                algo = "${setup_csum}";
                        };
                };
@@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
        fi
        cat << EOF >> ${1}
-                ramdisk@${2} {
+                ramdisk-${2} {
                        description = "${INITRAMFS_IMAGE}";
                        data = /incbin/("${3}");
                        type = "ramdisk";
@@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
                        compression = "none";
                        ${ramdisk_loadline}
                        ${ramdisk_entryline}
-                        hash@1 {
+                        hash-1 {
                                algo = "${ramdisk_csum}";
                        };
                };
@@ -339,7 +339,7 @@ EOF
        if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
                sed -i '$ d' ${1}
                cat << EOF >> ${1}
-                        signature@1 {
+                        signature-1 {
                                algo = "${ramdisk_csum},${ramdisk_sign_algo}";
                                key-name-hint = "${ramdisk_sign_keyname}";
                        };
@@ -377,7 +377,7 @@ fitimage_emit_section_config() {
        # Test if we have any DTBs at all
        sep=""
        conf_desc=""
-        conf_node="conf@"
+        conf_node="conf-"
        kernel_line=""
        fdt_line=""
        ramdisk_line=""
@@ -396,19 +396,19 @@ fitimage_emit_section_config() {
        if [ -n "${kernel_id}" ]; then
                conf_desc="Linux kernel"
                sep=", "
-                kernel_line="kernel = \"kernel@${kernel_id}\";"
+                kernel_line="kernel = \"kernel-${kernel_id}\";"
        fi
        if [ -n "${dtb_image}" ]; then
                conf_desc="${conf_desc}${sep}FDT blob"
                sep=", "
-                fdt_line="fdt = \"fdt@${dtb_image}\";"
+                fdt_line="fdt = \"fdt-${dtb_image}\";"
        fi
        if [ -n "${ramdisk_id}" ]; then
                conf_desc="${conf_desc}${sep}ramdisk"
                sep=", "
-                ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
+                ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
        fi
        if [ -n "${bootscr_id}" ]; then
@@ -419,16 +419,16 @@ fitimage_emit_section_config() {
        if [ -n "${config_id}" ]; then
                conf_desc="${conf_desc}${sep}setup"
-                setup_line="setup = \"setup@${config_id}\";"
+                setup_line="setup = \"setup-${config_id}\";"
        fi
        if [ "${default_flag}" = "1" ]; then
                # default node is selected based on dtb ID if it is present,
                # otherwise its selected based on kernel ID
                if [ -n "${dtb_image}" ]; then
-                        default_line="default = \"conf@${dtb_image}\";"
+                        default_line="default = \"conf-${dtb_image}\";"
                else
-                        default_line="default = \"conf@${kernel_id}\";"
+                        default_line="default = \"conf-${kernel_id}\";"
                fi
        fi
@@ -441,7 +441,7 @@ fitimage_emit_section_config() {
                        ${ramdisk_line}
                        ${bootscr_line}
                        ${setup_line}
-                        hash@1 {
+                        hash-1 {
                                algo = "${conf_csum}";
                        };
 EOF
@@ -478,7 +478,7 @@ EOF
                sign_line="${sign_line};"
                cat << EOF >> ${its_file}
-                        signature@1 {
+                        signature-1 {
                                algo = "${conf_csum},${conf_sign_algo}";
                                key-name-hint = "${conf_sign_keyname}";
                                ${sign_line}
author	Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>	2021-02-22 15:38:19 -0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-02-23 22:35:01 +0000
commit	cfc0e21b1066b5d5d0fc37fbc5d79f40f4576f1d (patch)
tree	7d0a439625f01351a6a2baa152c21f3d5988da69 /meta/classes
parent	b2d8e3cf620133ea8121b67dc6b449cd7d4ebc02 (diff)
download	poky-cfc0e21b1066b5d5d0fc37fbc5d79f40f4576f1d.tar.gz

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 2414870817..f5082c93df 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass
@@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
161	fi	161	fi
162		162
163	cat << EOF >> ${1}	163	cat << EOF >> ${1}
164	kernel@${2} {	164	kernel-${2} {
165	description = "Linux kernel";	165	description = "Linux kernel";
166	data = /incbin/("${3}");	166	data = /incbin/("${3}");
167	type = "kernel";	167	type = "kernel";
@@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
170	compression = "${4}";	170	compression = "${4}";
171	load = <${UBOOT_LOADADDRESS}>;	171	load = <${UBOOT_LOADADDRESS}>;
172	entry = <${ENTRYPOINT}>;	172	entry = <${ENTRYPOINT}>;
173	hash@1 {	173	hash-1 {
174	algo = "${kernel_csum}";	174	algo = "${kernel_csum}";
175	};	175	};
176	};	176	};
@@ -179,7 +179,7 @@ EOF
179	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then	179	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
180	sed -i '$ d' ${1}	180	sed -i '$ d' ${1}
181	cat << EOF >> ${1}	181	cat << EOF >> ${1}
182	signature@1 {	182	signature-1 {
183	algo = "${kernel_csum},${kernel_sign_algo}";	183	algo = "${kernel_csum},${kernel_sign_algo}";
184	key-name-hint = "${kernel_sign_keyname}";	184	key-name-hint = "${kernel_sign_keyname}";
185	};	185	};
@@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
210	dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"	210	dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
211	fi	211	fi
212	cat << EOF >> ${1}	212	cat << EOF >> ${1}
213	fdt@${2} {	213	fdt-${2} {
214	description = "Flattened Device Tree blob";	214	description = "Flattened Device Tree blob";
215	data = /incbin/("${3}");	215	data = /incbin/("${3}");
216	type = "flat_dt";	216	type = "flat_dt";
217	arch = "${UBOOT_ARCH}";	217	arch = "${UBOOT_ARCH}";
218	compression = "none";	218	compression = "none";
219	${dtb_loadline}	219	${dtb_loadline}
220	hash@1 {	220	hash-1 {
221	algo = "${dtb_csum}";	221	algo = "${dtb_csum}";
222	};	222	};
223	};	223	};
@@ -226,7 +226,7 @@ EOF
226	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then	226	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
227	sed -i '$ d' ${1}	227	sed -i '$ d' ${1}
228	cat << EOF >> ${1}	228	cat << EOF >> ${1}
229	signature@1 {	229	signature-1 {
230	algo = "${dtb_csum},${dtb_sign_algo}";	230	algo = "${dtb_csum},${dtb_sign_algo}";
231	key-name-hint = "${dtb_sign_keyname}";	231	key-name-hint = "${dtb_sign_keyname}";
232	};	232	};
@@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
283	setup_csum="${FIT_HASH_ALG}"	283	setup_csum="${FIT_HASH_ALG}"
284		284
285	cat << EOF >> ${1}	285	cat << EOF >> ${1}
286	setup@${2} {	286	setup-${2} {
287	description = "Linux setup.bin";	287	description = "Linux setup.bin";
288	data = /incbin/("${3}");	288	data = /incbin/("${3}");
289	type = "x86_setup";	289	type = "x86_setup";
@@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
292	compression = "none";	292	compression = "none";
293	load = <0x00090000>;	293	load = <0x00090000>;
294	entry = <0x00090000>;	294	entry = <0x00090000>;
295	hash@1 {	295	hash-1 {
296	algo = "${setup_csum}";	296	algo = "${setup_csum}";
297	};	297	};
298	};	298	};
@@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
321	fi	321	fi
322		322
323	cat << EOF >> ${1}	323	cat << EOF >> ${1}
324	ramdisk@${2} {	324	ramdisk-${2} {
325	description = "${INITRAMFS_IMAGE}";	325	description = "${INITRAMFS_IMAGE}";
326	data = /incbin/("${3}");	326	data = /incbin/("${3}");
327	type = "ramdisk";	327	type = "ramdisk";
@@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
330	compression = "none";	330	compression = "none";
331	${ramdisk_loadline}	331	${ramdisk_loadline}
332	${ramdisk_entryline}	332	${ramdisk_entryline}
333	hash@1 {	333	hash-1 {
334	algo = "${ramdisk_csum}";	334	algo = "${ramdisk_csum}";
335	};	335	};
336	};	336	};
@@ -339,7 +339,7 @@ EOF
339	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then	339	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
340	sed -i '$ d' ${1}	340	sed -i '$ d' ${1}
341	cat << EOF >> ${1}	341	cat << EOF >> ${1}
342	signature@1 {	342	signature-1 {
343	algo = "${ramdisk_csum},${ramdisk_sign_algo}";	343	algo = "${ramdisk_csum},${ramdisk_sign_algo}";
344	key-name-hint = "${ramdisk_sign_keyname}";	344	key-name-hint = "${ramdisk_sign_keyname}";
345	};	345	};
@@ -377,7 +377,7 @@ fitimage_emit_section_config() {
377	# Test if we have any DTBs at all	377	# Test if we have any DTBs at all
378	sep=""	378	sep=""
379	conf_desc=""	379	conf_desc=""
380	conf_node="conf@"	380	conf_node="conf-"
381	kernel_line=""	381	kernel_line=""
382	fdt_line=""	382	fdt_line=""
383	ramdisk_line=""	383	ramdisk_line=""
@@ -396,19 +396,19 @@ fitimage_emit_section_config() {
396	if [ -n "${kernel_id}" ]; then	396	if [ -n "${kernel_id}" ]; then
397	conf_desc="Linux kernel"	397	conf_desc="Linux kernel"
398	sep=", "	398	sep=", "
399	kernel_line="kernel = \"kernel@${kernel_id}\";"	399	kernel_line="kernel = \"kernel-${kernel_id}\";"
400	fi	400	fi
401		401
402	if [ -n "${dtb_image}" ]; then	402	if [ -n "${dtb_image}" ]; then
403	conf_desc="${conf_desc}${sep}FDT blob"	403	conf_desc="${conf_desc}${sep}FDT blob"
404	sep=", "	404	sep=", "
405	fdt_line="fdt = \"fdt@${dtb_image}\";"	405	fdt_line="fdt = \"fdt-${dtb_image}\";"
406	fi	406	fi
407		407
408	if [ -n "${ramdisk_id}" ]; then	408	if [ -n "${ramdisk_id}" ]; then
409	conf_desc="${conf_desc}${sep}ramdisk"	409	conf_desc="${conf_desc}${sep}ramdisk"
410	sep=", "	410	sep=", "
411	ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"	411	ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
412	fi	412	fi
413		413
414	if [ -n "${bootscr_id}" ]; then	414	if [ -n "${bootscr_id}" ]; then
@@ -419,16 +419,16 @@ fitimage_emit_section_config() {
419		419
420	if [ -n "${config_id}" ]; then	420	if [ -n "${config_id}" ]; then
421	conf_desc="${conf_desc}${sep}setup"	421	conf_desc="${conf_desc}${sep}setup"
422	setup_line="setup = \"setup@${config_id}\";"	422	setup_line="setup = \"setup-${config_id}\";"
423	fi	423	fi
424		424
425	if [ "${default_flag}" = "1" ]; then	425	if [ "${default_flag}" = "1" ]; then
426	# default node is selected based on dtb ID if it is present,	426	# default node is selected based on dtb ID if it is present,
427	# otherwise its selected based on kernel ID	427	# otherwise its selected based on kernel ID
428	if [ -n "${dtb_image}" ]; then	428	if [ -n "${dtb_image}" ]; then
429	default_line="default = \"conf@${dtb_image}\";"	429	default_line="default = \"conf-${dtb_image}\";"
430	else	430	else
431	default_line="default = \"conf@${kernel_id}\";"	431	default_line="default = \"conf-${kernel_id}\";"
432	fi	432	fi
433	fi	433	fi
434		434
@@ -441,7 +441,7 @@ fitimage_emit_section_config() {
441	${ramdisk_line}	441	${ramdisk_line}
442	${bootscr_line}	442	${bootscr_line}
443	${setup_line}	443	${setup_line}
444	hash@1 {	444	hash-1 {
445	algo = "${conf_csum}";	445	algo = "${conf_csum}";
446	};	446	};
447	EOF	447	EOF
@@ -478,7 +478,7 @@ EOF
478	sign_line="${sign_line};"	478	sign_line="${sign_line};"
479		479
480	cat << EOF >> ${its_file}	480	cat << EOF >> ${its_file}
481	signature@1 {	481	signature-1 {
482	algo = "${conf_csum},${conf_sign_algo}";	482	algo = "${conf_csum},${conf_sign_algo}";
483	key-name-hint = "${conf_sign_keyname}";	483	key-name-hint = "${conf_sign_keyname}";
484	${sign_line}	484	${sign_line}