From: Klaus Heinrich Kiwi <[email protected]>
Das U-Boot 2021.4-rc1 has the following commit:
commit 3f04db891a353f4b127ed57279279f851c6b4917
Author: Simon Glass <[email protected]>
Date: Mon Feb 15 17:08:12 2021 -0700
image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for
this and disallow it.
CVE-2021-27138
Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This changte is required before we can bump U-Boot to 2021.4.
Signed-off-by: Klaus Heinrich Kiwi <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
[Backport for Dunfell]
Signed-off-by: Frieder Schrempf <[email protected]>
---
Resending with ML alias set up for sender address.
---
meta/classes/kernel-fitimage.bbclass | 32 ++++++++++++++--------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/meta/classes/kernel-fitimage.bbclass
b/meta/classes/kernel-fitimage.bbclass
index 72b05ff8d1..d91128de9c 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -124,7 +124,7 @@ fitimage_emit_section_kernel() {
fi
cat << EOF >> ${1}
- kernel@${2} {
+ kernel-${2} {
description = "Linux kernel";
data = /incbin/("${3}");
type = "kernel";
@@ -133,7 +133,7 @@ fitimage_emit_section_kernel() {
compression = "${4}";
load = <${UBOOT_LOADADDRESS}>;
entry = <${ENTRYPOINT}>;
- hash@1 {
+ hash-1 {
algo = "${kernel_csum}";
};
};
@@ -160,14 +160,14 @@ fitimage_emit_section_dtb() {
dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
fi
cat << EOF >> ${1}
- fdt@${2} {
+ fdt-${2} {
description = "Flattened Device Tree blob";
data = /incbin/("${3}");
type = "flat_dt";
arch = "${UBOOT_ARCH}";
compression = "none";
${dtb_loadline}
- hash@1 {
+ hash-1 {
algo = "${dtb_csum}";
};
};
@@ -185,7 +185,7 @@ fitimage_emit_section_setup() {
setup_csum="${FIT_HASH_ALG}"
cat << EOF >> ${1}
- setup@${2} {
+ setup-${2} {
description = "Linux setup.bin";
data = /incbin/("${3}");
type = "x86_setup";
@@ -194,7 +194,7 @@ fitimage_emit_section_setup() {
compression = "none";
load = <0x00090000>;
entry = <0x00090000>;
- hash@1 {
+ hash-1 {
algo = "${setup_csum}";
};
};
@@ -221,7 +221,7 @@ fitimage_emit_section_ramdisk() {
fi
cat << EOF >> ${1}
- ramdisk@${2} {
+ ramdisk-${2} {
description = "${INITRAMFS_IMAGE}";
data = /incbin/("${3}");
type = "ramdisk";
@@ -230,7 +230,7 @@ fitimage_emit_section_ramdisk() {
compression = "none";
${ramdisk_loadline}
${ramdisk_entryline}
- hash@1 {
+ hash-1 {
algo = "${ramdisk_csum}";
};
};
@@ -266,39 +266,39 @@ fitimage_emit_section_config() {
if [ -n "${2}" ]; then
conf_desc="Linux kernel"
sep=", "
- kernel_line="kernel = \"kernel@${2}\";"
+ kernel_line="kernel = \"kernel-${2}\";"
fi
if [ -n "${3}" ]; then
conf_desc="${conf_desc}${sep}FDT blob"
sep=", "
- fdt_line="fdt = \"fdt@${3}\";"
+ fdt_line="fdt = \"fdt-${3}\";"
fi
if [ -n "${4}" ]; then
conf_desc="${conf_desc}${sep}ramdisk"
sep=", "
- ramdisk_line="ramdisk = \"ramdisk@${4}\";"
+ ramdisk_line="ramdisk = \"ramdisk-${4}\";"
fi
if [ -n "${5}" ]; then
conf_desc="${conf_desc}${sep}setup"
- setup_line="setup = \"setup@${5}\";"
+ setup_line="setup = \"setup-${5}\";"
fi
if [ "${6}" = "1" ]; then
- default_line="default = \"conf@${3}\";"
+ default_line="default = \"conf-${3}\";"
fi
cat << EOF >> ${1}
${default_line}
- conf@${3} {
+ conf-${3} {
description = "${6} ${conf_desc}";
${kernel_line}
${fdt_line}
${ramdisk_line}
${setup_line}
- hash@1 {
+ hash-1 {
algo = "${conf_csum}";
};
EOF
@@ -330,7 +330,7 @@ EOF
sign_line="${sign_line};"
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${conf_csum},${conf_sign_algo}";
key-name-hint = "${conf_sign_keyname}";
${sign_line}
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#152492):
https://lists.openembedded.org/g/openembedded-core/message/152492
Mute This Topic: https://lists.openembedded.org/mt/83228361/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
