On 31.05.21 17:59, Steve Sakoman wrote: > On Mon, May 31, 2021 at 4:59 AM Frieder Schrempf > <[email protected]> wrote: >> >> Hi Steve, >> >> On 22.02.21 19:38, Klaus Heinrich Kiwi via lists.openembedded.org wrote: >>> Das U-Boot 2021.4-rc1 has the following commit: >>> >>> commit 3f04db891a353f4b127ed57279279f851c6b4917 >>> Author: Simon Glass <[email protected]> >>> Date: Mon Feb 15 17:08:12 2021 -0700 >>> >>> image: Check for unit addresses in FITs >>> >>> Using unit addresses in a FIT is a security risk. Add a check for >>> this and disallow it. >>> >>> CVE-2021-27138 >>> >>> Adjust the kernel-fitimage.bbclass accordingly to not use unit >>> addresses. This change is required before we can bump U-Boot to 2021.4. >>> >>> Signed-off-by: Klaus Heinrich Kiwi <[email protected]> >> >> Could you pick this and the follow-up patch 0ef3a5e2a6d4 >> ("kernel-fitimage.bbclass: drop unit addresses from bootscr sections") to >> the dunfell branch to fix FIT images on U-Boot 2021.01 or later with dunfell? > > I can't do a clean cherry-pick of this patch. If you'd like to submit > dunfell versions of these two patches I will add them to my testing > queue.
Sorry, I should have looked at this more closely. I just sent a backport patch for dunfell. The second patch covers code that is not available in dunfell, so it's not needed anyway. > > Steve > >> >> Thanks >> Frieder >> >>> --- >>> >>> Notes: >>> V2 Notes: >>> - Adjusted testcases >>> (reported by Richard Purdie <[email protected]>) >>> >>> meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++------------ >>> meta/lib/oeqa/selftest/cases/fitimage.py | 36 ++++++++++----------- >>> 2 files changed, 38 insertions(+), 38 deletions(-) >>> >>> diff --git a/meta/classes/kernel-fitimage.bbclass >>> b/meta/classes/kernel-fitimage.bbclass >>> index 2414870817..f5082c93df 100644 >>> --- a/meta/classes/kernel-fitimage.bbclass >>> +++ b/meta/classes/kernel-fitimage.bbclass >>> @@ -161,7 +161,7 @@ fitimage_emit_section_kernel() { >>> fi >>> >>> cat << EOF >> ${1} >>> - kernel@${2} { >>> + kernel-${2} { >>> description = "Linux kernel"; >>> data = /incbin/("${3}"); >>> type = "kernel"; >>> @@ -170,7 +170,7 @@ fitimage_emit_section_kernel() { >>> compression = "${4}"; >>> load = <${UBOOT_LOADADDRESS}>; >>> entry = <${ENTRYPOINT}>; >>> - hash@1 { >>> + hash-1 { >>> algo = "${kernel_csum}"; >>> }; >>> }; >>> @@ -179,7 +179,7 @@ EOF >>> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" >>> -a -n "${kernel_sign_keyname}" ] ; then >>> sed -i '$ d' ${1} >>> cat << EOF >> ${1} >>> - signature@1 { >>> + signature-1 { >>> algo = >>> "${kernel_csum},${kernel_sign_algo}"; >>> key-name-hint = "${kernel_sign_keyname}"; >>> }; >>> @@ -210,14 +210,14 @@ fitimage_emit_section_dtb() { >>> dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" >>> fi >>> cat << EOF >> ${1} >>> - fdt@${2} { >>> + fdt-${2} { >>> description = "Flattened Device Tree blob"; >>> data = /incbin/("${3}"); >>> type = "flat_dt"; >>> arch = "${UBOOT_ARCH}"; >>> compression = "none"; >>> ${dtb_loadline} >>> - hash@1 { >>> + hash-1 { >>> algo = "${dtb_csum}"; >>> }; >>> }; 
>>> @@ -226,7 +226,7 @@ EOF >>> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" >>> -a -n "${dtb_sign_keyname}" ] ; then >>> sed -i '$ d' ${1} >>> cat << EOF >> ${1} >>> - signature@1 { >>> + signature-1 { >>> algo = "${dtb_csum},${dtb_sign_algo}"; >>> key-name-hint = "${dtb_sign_keyname}"; >>> }; >>> @@ -283,7 +283,7 @@ fitimage_emit_section_setup() { >>> setup_csum="${FIT_HASH_ALG}" >>> >>> cat << EOF >> ${1} >>> - setup@${2} { >>> + setup-${2} { >>> description = "Linux setup.bin"; >>> data = /incbin/("${3}"); >>> type = "x86_setup"; >>> @@ -292,7 +292,7 @@ fitimage_emit_section_setup() { >>> compression = "none"; >>> load = <0x00090000>; >>> entry = <0x00090000>; >>> - hash@1 { >>> + hash-1 { >>> algo = "${setup_csum}"; >>> }; >>> }; >>> @@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() { >>> fi >>> >>> cat << EOF >> ${1} >>> - ramdisk@${2} { >>> + ramdisk-${2} { >>> description = "${INITRAMFS_IMAGE}"; >>> data = /incbin/("${3}"); >>> type = "ramdisk"; >>> @@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() { >>> compression = "none"; >>> ${ramdisk_loadline} >>> ${ramdisk_entryline} >>> - hash@1 { >>> + hash-1 { >>> algo = "${ramdisk_csum}"; >>> }; >>> }; >>> @@ -339,7 +339,7 @@ EOF >>> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" >>> -a -n "${ramdisk_sign_keyname}" ] ; then >>> sed -i '$ d' ${1} >>> cat << EOF >> ${1} >>> - signature@1 { >>> + signature-1 { >>> algo = >>> "${ramdisk_csum},${ramdisk_sign_algo}"; >>> key-name-hint = "${ramdisk_sign_keyname}"; >>> }; >>> @@ -377,7 +377,7 @@ fitimage_emit_section_config() { >>> # Test if we have any DTBs at all >>> sep="" >>> conf_desc="" >>> - conf_node="conf@" >>> + conf_node="conf-" >>> kernel_line="" >>> fdt_line="" >>> ramdisk_line="" 
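Review bot: The renamed node prefix in fitimage_emit_section_config (`conf_node="conf-"` in the `@@ -377` hunk) carries no comment recording why unit addresses are no longer used, so a later maintainer could reintroduce `@` names that the U-Boot commit cited in this thread rejects. Suggest a comment directly above that line: `# Node names use '-' rather than a unit address ('@'): U-Boot rejects unit addresses in FITs (CVE-2021-27138).` The same applies to the other hunks in this file (the `kernel-`, `fdt-`, `setup-`, `ramdisk-`, `hash-1` and `signature-1` nodes); one comment at the top of the class, or at this first-referenced prefix, would cover them. The body of fitimage_emit_section_config continues outside the hunk.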
>>> @@ -396,19 +396,19 @@ fitimage_emit_section_config() { >>> if [ -n "${kernel_id}" ]; then >>> conf_desc="Linux kernel" >>> sep=", " >>> - kernel_line="kernel = \"kernel@${kernel_id}\";" >>> + kernel_line="kernel = \"kernel-${kernel_id}\";" >>> fi >>> >>> if [ -n "${dtb_image}" ]; then >>> conf_desc="${conf_desc}${sep}FDT blob" >>> sep=", " >>> - fdt_line="fdt = \"fdt@${dtb_image}\";" >>> + fdt_line="fdt = \"fdt-${dtb_image}\";" >>> fi >>> >>> if [ -n "${ramdisk_id}" ]; then >>> conf_desc="${conf_desc}${sep}ramdisk" >>> sep=", " >>> - ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";" >>> + ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";" >>> fi >>> >>> if [ -n "${bootscr_id}" ]; then >>> @@ -419,16 +419,16 @@ fitimage_emit_section_config() { >>> >>> if [ -n "${config_id}" ]; then >>> conf_desc="${conf_desc}${sep}setup" >>> - setup_line="setup = \"setup@${config_id}\";" >>> + setup_line="setup = \"setup-${config_id}\";" >>> fi >>> >>> if [ "${default_flag}" = "1" ]; then >>> # default node is selected based on dtb ID if it is present, >>> # otherwise its selected based on kernel ID >>> if [ -n "${dtb_image}" ]; then >>> - default_line="default = \"conf@${dtb_image}\";" >>> + default_line="default = \"conf-${dtb_image}\";" >>> else >>> - default_line="default = \"conf@${kernel_id}\";" >>> + default_line="default = \"conf-${kernel_id}\";" >>> fi >>> fi >>> >>> @@ -441,7 +441,7 @@ fitimage_emit_section_config() { >>> ${ramdisk_line} >>> ${bootscr_line} >>> ${setup_line} >>> - hash@1 { >>> + hash-1 { >>> algo = "${conf_csum}"; >>> }; >>> EOF >>> @@ -478,7 +478,7 @@ EOF >>> sign_line="${sign_line};" >>> >>> cat << EOF >> ${its_file} >>> - signature@1 { >>> + signature-1 { >>> algo = "${conf_csum},${conf_sign_algo}"; >>> key-name-hint = "${conf_sign_keyname}"; >>> ${sign_line} >>> diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py >>> b/meta/lib/oeqa/selftest/cases/fitimage.py >>> index 0958036a6f..02692de822 100644 
>>> --- a/meta/lib/oeqa/selftest/cases/fitimage.py >>> +++ b/meta/lib/oeqa/selftest/cases/fitimage.py >>> @@ -69,9 +69,9 @@ FIT_DESC = "A model description" >>> 'type = "ramdisk";', >>> 'load = <0x88000000>;', >>> 'entry = <0x88000000>;', >>> - 'default = "conf@1";', >>> - 'kernel = "kernel@1";', >>> - 'ramdisk = "ramdisk@1";' >>> + 'default = "conf-1";', >>> + 'kernel = "kernel-1";', >>> + 'ramdisk = "ramdisk-1";' >>> ] >>> >>> with open(fitimage_its_path) as its_file: >>> @@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" >>> "%s FIT image doesn't exist" % (fitimage_path)) >>> >>> req_itspaths = [ >>> - ['/', 'images', 'kernel@1'], >>> - ['/', 'images', 'kernel@1', 'signature@1'], >>> - ['/', 'images', '[email protected]'], >>> - ['/', 'images', '[email protected]', 'signature@1'], >>> - ['/', 'configurations', '[email protected]'], >>> - ['/', 'configurations', '[email protected]', >>> 'signature@1'], >>> + ['/', 'images', 'kernel-1'], >>> + ['/', 'images', 'kernel-1', 'signature-1'], >>> + ['/', 'images', 'fdt-am335x-boneblack.dtb'], >>> + ['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'], >>> + ['/', 'configurations', 'conf-am335x-boneblack.dtb'], >>> + ['/', 'configurations', 'conf-am335x-boneblack.dtb', >>> 'signature-1'], >>> ] >>> >>> itspath = [] >>> @@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" >>> elif line.endswith('{'): >>> itspath.append(line[:-1].strip()) >>> itspaths.append(itspath[:]) >>> - elif itspath and itspath[-1] == 'signature@1': >>> + elif itspath and itspath[-1] == 'signature-1': >>> itsdotpath = '.'.join(itspath) >>> if not itsdotpath in sigs: >>> sigs[itsdotpath] = {} >>> @@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" >>> } >>> >>> for itspath, values in sigs.items(): >>> - if 'conf@' in itspath: >>> + if 'conf-' in itspath: >>> reqsigvalues = reqsigvalues_config >>> else: >>> reqsigvalues = reqsigvalues_image 
>>> @@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" >>> signed_sections[in_signed] = {} >>> key, value = line.split(':', 1) >>> signed_sections[in_signed][key.strip()] = value.strip() >>> - self.assertIn('kernel@1', signed_sections) >>> - self.assertIn('[email protected]', signed_sections) >>> - self.assertIn('[email protected]', signed_sections) >>> + self.assertIn('kernel-1', signed_sections) >>> + self.assertIn('fdt-am335x-boneblack.dtb', signed_sections) >>> + self.assertIn('conf-am335x-boneblack.dtb', signed_sections) >>> for signed_section, values in signed_sections.items(): >>> value = values.get('Sign algo', None) >>> self.assertEqual(value, 'sha256,rsa2048:oe-selftest', >>> 'Signature algorithm for %s not expected value' % signed_section) >>> @@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256" >>> its_lines = [line.strip() for line in its_file.readlines()] >>> >>> exp_node_lines = [ >>> - 'kernel@1 {', >>> + 'kernel-1 {', >>> 'description = "Linux kernel";', >>> 'data = /incbin/("' + initramfs_bundle + '");', >>> 'type = "kernel";', >>> @@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256" >>> 'compression = "none";', >>> 'load = <' + kernel_load + '>;', >>> 'entry = <' + kernel_entry + '>;', >>> - 'hash@1 {', >>> + 'hash-1 {', >>> 'algo = "' + fit_hash_alg +'";', >>> '};', >>> '};' >>> @@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256" >>> else: >>> self.assertTrue(test_passed == True,"kernel node does not >>> match expectation") >>> >>> - rx_configs = re.compile("^conf@.*") >>> + rx_configs = re.compile("^conf-.*") >>> its_configs = list(filter(rx_configs.match, its_lines)) >>> >>> for cfg_str in its_configs: >>> @@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256" >>> else: >>> print("kernel keyword found in the description line") >>> >>> - if 'kernel = "kernel@1";' not in node: >>> + if 'kernel = "kernel-1";' not in node: >>> self.assertTrue(test_passed == True,"kernel line not >>> found") >>> break >>> else: >>> >>> >>> >>> >>> >> >> >>
