Partially revert commit 79af75f7776f ("fit: Don't allow verification of
images with @ nodes").That commit rejected any FIT node whose name contains '@' in fit_image_verify(), fit_image_verify_sig() and fit_config_verify_required_keys(). FIT references are now resolved with an exact subnode-name match, so the aliasing weakness behind CVE-2021-27138 can no longer be exploited even when '@' node names are present. These checks are therefore no longer needed, so drop them to restore support for FIT images that use unit addresses in their node names. This is not a full revert. That commit's fit_image_verify() error-path refactor and its test_fit.py and vboot_forge.py renames (replacing '@' unit addresses with '-' in the test FIT node names) are kept. Signed-off-by: Lorenz Kofler <[email protected]> --- boot/image-fit-sig.c | 21 +-------------------- boot/image-fit.c | 9 --------- 2 files changed, 1 insertion(+), 29 deletions(-) diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c index 433df20281f..a30a2ccd8a1 100644 --- a/boot/image-fit-sig.c +++ b/boot/image-fit-sig.c @@ -148,14 +148,6 @@ static int fit_image_verify_sig(const void *fit, int image_noffset, fdt_for_each_subnode(noffset, fit, image_noffset) { const char *name = fit_get_name(fit, noffset, NULL); - /* - * We don't support this since libfdt considers names with the - * name root but different @ suffix to be equal - */ - if (strchr(name, '@')) { - err_msg = "Node name contains @"; - goto error; - } if (!strncmp(name, FIT_SIG_NODENAME, strlen(FIT_SIG_NODENAME))) { ret = fit_image_check_sig(fit, noffset, data, size, @@ -608,13 +600,11 @@ error: * @conf_noffset: Offset of the configuration node to check (e.g. * /configurations/conf-1) * @key_blob: Blob containing the keys to check against - * @return 0 if OK, -EPERM if any signatures did not verify, or the - * configuration node has an invalid name + * @return 0 if OK, -EPERM if any signatures did not verify */ static int fit_config_verify_required_keys(const void *fit, int conf_noffset, const void *key_blob) { - const char *name = fit_get_name(fit, conf_noffset, NULL); int noffset; int key_node; int verified = 0; @@ -627,15 +617,6 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset, return 0; #endif - /* - * We don't support this since libfdt considers names with the - * name root but different @ suffix to be equal - */ - if (strchr(name, '@')) { - printf("Configuration node '%s' contains '@'\n", name); - return -EPERM; - } - /* Work out what we need to verify */ key_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME); if (key_node < 0) { diff --git a/boot/image-fit.c b/boot/image-fit.c index a6504cd8041..d82603ae557 100644 --- a/boot/image-fit.c +++ b/boot/image-fit.c @@ -1434,19 +1434,10 @@ error: */ int fit_image_verify(const void *fit, int image_noffset) { - const char *name = fit_get_name(fit, image_noffset, NULL); const void *data; size_t size; char *err_msg = ""; - if (IS_ENABLED(CONFIG_FIT_SIGNATURE) && strchr(name, '@')) { - /* - * We don't support this since libfdt considers names with the - * name root but different @ suffix to be equal - */ - err_msg = "Node name contains @"; - goto err; - } /* Get image data and data length */ if (fit_image_get_data(fit, image_noffset, &data, &size)) { err_msg = "Can't get image data/size"; -- 2.54.0
