Partially revert commit 3f04db891a35 ("image: Check for unit addresses in
FITs").FIT references are now resolved with an exact subnode-name match, so this blanket rejection is no longer needed, so drop it to restore support for FIT images that use unit addresses in their node names. Only the '@'-rejection logic is reverted. Signed-off-by: Lorenz Kofler <[email protected]> --- boot/image-fit.c | 49 +------------------------------------ test/py/tests/test_vboot.py | 7 +++--- 2 files changed, 5 insertions(+), 51 deletions(-) diff --git a/boot/image-fit.c b/boot/image-fit.c index d82603ae557..7f8c055326e 100644 --- a/boot/image-fit.c +++ b/boot/image-fit.c @@ -1627,34 +1627,6 @@ int fit_image_check_comp(const void *fit, int noffset, uint8_t comp) return (comp == image_comp); } -/** - * fdt_check_no_at() - Check for nodes whose names contain '@' - * - * This checks the parent node and all subnodes recursively - * - * @fit: FIT to check - * @parent: Parent node to check - * Return: 0 if OK, -EADDRNOTAVAIL is a node has a name containing '@' - */ -static int fdt_check_no_at(const void *fit, int parent) -{ - const char *name; - int node; - int ret; - - name = fdt_get_name(fit, parent, NULL); - if (!name || strchr(name, '@')) - return -EADDRNOTAVAIL; - - fdt_for_each_subnode(node, fit, parent) { - ret = fdt_check_no_at(fit, node); - if (ret) - return ret; - } - - return 0; -} - int fit_check_format(const void *fit, ulong size) { int ret; @@ -1676,27 +1648,10 @@ int fit_check_format(const void *fit, ulong size) if (size == IMAGE_SIZE_INVAL) size = fdt_totalsize(fit); ret = fdt_check_full(fit, size); - if (ret) - ret = -EINVAL; - /* - * U-Boot stopped using unit addressed in 2017. Since libfdt - * can match nodes ignoring any unit address, signature - * verification can see the wrong node if one is inserted with - * the same name as a valid node but with a unit address - * attached. Protect against this by disallowing unit addresses. - */ - if (!ret && CONFIG_IS_ENABLED(FIT_SIGNATURE)) { - ret = fdt_check_no_at(fit, 0); - - if (ret) { - log_debug("FIT check error %d\n", ret); - return ret; - } - } if (ret) { log_debug("FIT check error %d\n", ret); - return ret; + return -EINVAL; } } @@ -2092,8 +2047,6 @@ int fit_image_load(struct bootm_headers *images, ulong addr, ret = fit_check_format(fit, IMAGE_SIZE_INVAL); if (ret) { printf("Bad FIT %s image format! (err=%d)\n", prop_name, ret); - if (CONFIG_IS_ENABLED(FIT_SIGNATURE) && ret == -EADDRNOTAVAIL) - printf("Signature checking prevents use of unit addresses (@) in nodes\n"); bootstage_error(bootstage_id + BOOTSTAGE_SUB_FORMAT); return ret; } diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py index 55518bed07e..9fdb649755a 100644 --- a/test/py/tests/test_vboot.py +++ b/test/py/tests/test_vboot.py @@ -368,9 +368,10 @@ def test_vboot(ubman, name, sha_algo, padding, sign_options, required, ubman, [fit_check_sign, '-f', efit, '-k', dtb], 1, 'Failed to verify required signature') - # bootm catches it earlier, at fit_check_format() time - msg = 'Signature checking prevents use of unit addresses (@) in nodes' - run_bootm(sha_algo, 'evil kernel@', msg, False, efit) + # bootm catches it during verification: the exact-match lookup + # refuses to resolve the real image name to the inserted '@' node, + # so the data hash no longer matches and the kernel is rejected + run_bootm(sha_algo, 'evil kernel@', 'Bad Data Hash', False, efit) # Try doing a clone of the images efit = '%stest.evilclone.fit' % tmpdir -- 2.54.0
