On Sun, 05 Jul 2026 03:44:08 +0000, Aristo Chen wrote:

> vbe_read_fit() loads a firmware-phase FIT from a fixed firmware area on
> a block device and then issues a follow-up blk_read() to pull in the
> image, and optionally an FDT, referenced by the FIT's image node. The
> source offset on the device and the read length both come from the FIT
> itself, via data-position or data-offset and data-size. Those properties
> live on mutable boot media and can be controlled by an attacker with
> write access to the firmware area. On the TPL or VPL path, and on the
> bootmeth bootflow path reached via abrec_read_bootflow_fw() and
> vbe_simple_read_bootflow_fw(), the follow-up blk_read() runs before any
> signature or hash check on the loaded phase.
> 
> [...]

Applied to u-boot/main, thanks!

[1/3] sandbox: vbe: size firmware1 area to fit the binman fw-update section
      commit: a8fc408cdfcbc3d8a04b493510a54d852f60550d
[2/3] vbe: bound FIT external-data offset and size before blk_read
      commit: a84c7670a698c1d42a6da7e713afdeaaa51eae46
[3/3] test: vbe: cover vbe_read_fit() external-data bounds checks
      commit: 9fa00f563bea7ac4a4fda3220e05b21ebd4a242f
-- 
Tom


Reply via email to