From: Tom Rini <trini@konsulko.com>
To: Simon Glass <sjg@chromium.org>
Cc: Nathan Chancellor <nathan@kernel.org>,
Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
U-Boot Mailing List <u-boot@lists.denx.de>,
linux-mips@vger.kernel.org
Subject: Re: mkimage regression when building ARCH=mips defconfig Linux kernel
Date: Fri, 9 Apr 2021 13:47:34 -0400 [thread overview]
Message-ID: <20210409174734.GJ1310@bill-the-cat> (raw)
In-Reply-To: <CAPnjgZ1ks+JfqO581veycOoLFRLzsXPZBMVSRrDATfukh4z_sw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 5056 bytes --]
On Fri, Apr 09, 2021 at 11:55:52AM +1200, Simon Glass wrote:
> +Tom Rini
>
> Hi Nathan,
>
> On Fri, 9 Apr 2021 at 06:23, Nathan Chancellor <nathan@kernel.org> wrote:
> >
> > Hi Simon,
> >
> > Apologies if this is not the proper way to report a regression, this is my first
> > time interacting with the U-Boot community.
> >
> > My distribution updated the uboot-tools package to 2021.04, which broke my
> > Linux kernel builds for ARCH=mips:
> >
> > $ make -skj"$(nproc)" ARCH=mips CROSS_COMPILE=mips-linux- defconfig all
> > ...
> > /usr/bin/mkimage: verify_header failed for FIT Image support with exit code 1
> > make[2]: *** [arch/mips/boot/Makefile:173: arch/mips/boot/vmlinux.gz.itb] Error 1
> > ...
> >
> > I bisected this down to your commit:
> >
> > 3f04db891a353f4b127ed57279279f851c6b4917 is the first bad commit
> > commit 3f04db891a353f4b127ed57279279f851c6b4917
> > Author: Simon Glass <sjg@chromium.org>
> > Date: Mon Feb 15 17:08:12 2021 -0700
> >
> > image: Check for unit addresses in FITs
> >
> > Using unit addresses in a FIT is a security risk. Add a check for this
> > and disallow it.
> >
> > CVE-2021-27138
> >
> > Signed-off-by: Simon Glass <sjg@chromium.org>
> > Reported-by: Bruce Monroe <bruce.monroe@intel.com>
> > Reported-by: Arie Haenel <arie.haenel@intel.com>
> > Reported-by: Julien Lenoir <julien.lenoir@intel.com>
> >
> > common/image-fit.c | 56 +++++++++++++++++++++++++++++++++++++++++----
> > test/py/tests/test_vboot.py | 9 ++++----
> > 2 files changed, 57 insertions(+), 8 deletions(-)
> > bisect run success
> >
> > $ git bisect log
> > # bad: [e9c99db7787e3b5c2ef05701177c43ed1c023c27] Merge branch '2021-04-07-CI-improvements'
> > # good: [c4fddedc48f336eabc4ce3f74940e6aa372de18c] Prepare v2021.01
> > git bisect start 'e9c99db7787e3b5c2ef05701177c43ed1c023c27' 'v2021.01'
> > # good: [b2c86f596cfb1ea9f7f5138f72f1c5c49e3ae3f1] arm: dts: r8a774a1: Import DTS queued for Linux 5.12-rc1
> > git bisect good b2c86f596cfb1ea9f7f5138f72f1c5c49e3ae3f1
> > # bad: [74f4929c2c73beb595faf7d5d9bb6a78d710c2fd] ddr: marvell: axp: fix array types have different bounds warning
> > git bisect bad 74f4929c2c73beb595faf7d5d9bb6a78d710c2fd
> > # bad: [cbe607b920bc0827d8fe379ed4f5ae4e2058513e] Merge tag 'xilinx-for-v2021.04-rc3' of https://gitlab.denx.de/u-boot/custodians/u-boot-microblaze
> > git bisect bad cbe607b920bc0827d8fe379ed4f5ae4e2058513e
> > # good: [d5f3aadacbc63df3b690d6fd9f0aa3f575b43356] test: Add tests for the 'evil' vboot attacks
> > git bisect good d5f3aadacbc63df3b690d6fd9f0aa3f575b43356
> > # bad: [a1a652e8016426e2d67148cab225cd5ec45189fb] Merge tag 'mmc-2021-2-19' of https://gitlab.denx.de/u-boot/custodians/u-boot-mmc
> > git bisect bad a1a652e8016426e2d67148cab225cd5ec45189fb
> > # bad: [aeedeae40733131467de72c68e639cf9d795e059] spl: fit: Replace #ifdef blocks with more readable constructs
> > git bisect bad aeedeae40733131467de72c68e639cf9d795e059
> > # bad: [eb5fd9e46c11ea41430d9c5bcc81d4583424216e] usb: kbd: destroy device after console is stopped
> > git bisect bad eb5fd9e46c11ea41430d9c5bcc81d4583424216e
> > # bad: [99cb2b996bd649d98069a95941beaaade0a4447a] stdio: Split out nulldev_register() and move it under #if
> > git bisect bad 99cb2b996bd649d98069a95941beaaade0a4447a
> > # bad: [3f04db891a353f4b127ed57279279f851c6b4917] image: Check for unit addresses in FITs
> > git bisect bad 3f04db891a353f4b127ed57279279f851c6b4917
> > # good: [6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01] image: Add an option to do a full check of the FIT
> > git bisect good 6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01
> > # good: [124c255731c76a2b09587378b2bcce561bcd3f2d] libfdt: Check for multiple/invalid root nodes
> > git bisect good 124c255731c76a2b09587378b2bcce561bcd3f2d
> > # first bad commit: [3f04db891a353f4b127ed57279279f851c6b4917] image: Check for unit addresses in FITs
> >
> > Is this an actual regression or is this now the expected behavior? I have added
> > Thomas and the linux-mips mailing list to take a look and see if the Linux
> > kernel needs to have its sources updated.
>
> It is expected. See the code in that commit:
>
> /*
> * U-Boot stopped using unit addressed in 2017. Since libfdt
> * can match nodes ignoring any unit address, signature
> * verification can see the wrong node if one is inserted with
> * the same name as a valid node but with a unit address
> * attached. Protect against this by disallowing unit addresses.
> */
> if (!ret && CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
> ret = fdt_check_no_at(fit, 0);
>
> if (ret) {
> log_debug("FIT check error %d\n", ret);
> return ret;
> }
> }
>
> Possibly you are using @ nodes in your FIT files in the kernel. Is it
> possible to use a hyphen instead?
Yeah, it looks like arch/mips/generic/*.its.S in the kernel will need to
be updated.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Subject: mkimage regression when building ARCH=mips defconfig Linux kernel
Date: Fri, 9 Apr 2021 13:47:34 -0400 [thread overview]
Message-ID: <20210409174734.GJ1310@bill-the-cat> (raw)
In-Reply-To: <CAPnjgZ1ks+JfqO581veycOoLFRLzsXPZBMVSRrDATfukh4z_sw@mail.gmail.com>
On Fri, Apr 09, 2021 at 11:55:52AM +1200, Simon Glass wrote:
> +Tom Rini
>
> Hi Nathan,
>
> On Fri, 9 Apr 2021 at 06:23, Nathan Chancellor <nathan@kernel.org> wrote:
> >
> > Hi Simon,
> >
> > Apologies if this is not the proper way to report a regression, this is my first
> > time interacting with the U-Boot community.
> >
> > My distribution updated the uboot-tools package to 2021.04, which broke my
> > Linux kernel builds for ARCH=mips:
> >
> > $ make -skj"$(nproc)" ARCH=mips CROSS_COMPILE=mips-linux- defconfig all
> > ...
> > /usr/bin/mkimage: verify_header failed for FIT Image support with exit code 1
> > make[2]: *** [arch/mips/boot/Makefile:173: arch/mips/boot/vmlinux.gz.itb] Error 1
> > ...
> >
> > I bisected this down to your commit:
> >
> > 3f04db891a353f4b127ed57279279f851c6b4917 is the first bad commit
> > commit 3f04db891a353f4b127ed57279279f851c6b4917
> > Author: Simon Glass <sjg@chromium.org>
> > Date: Mon Feb 15 17:08:12 2021 -0700
> >
> > image: Check for unit addresses in FITs
> >
> > Using unit addresses in a FIT is a security risk. Add a check for this
> > and disallow it.
> >
> > CVE-2021-27138
> >
> > Signed-off-by: Simon Glass <sjg@chromium.org>
> > Reported-by: Bruce Monroe <bruce.monroe@intel.com>
> > Reported-by: Arie Haenel <arie.haenel@intel.com>
> > Reported-by: Julien Lenoir <julien.lenoir@intel.com>
> >
> > common/image-fit.c | 56 +++++++++++++++++++++++++++++++++++++++++----
> > test/py/tests/test_vboot.py | 9 ++++----
> > 2 files changed, 57 insertions(+), 8 deletions(-)
> > bisect run success
> >
> > $ git bisect log
> > # bad: [e9c99db7787e3b5c2ef05701177c43ed1c023c27] Merge branch '2021-04-07-CI-improvements'
> > # good: [c4fddedc48f336eabc4ce3f74940e6aa372de18c] Prepare v2021.01
> > git bisect start 'e9c99db7787e3b5c2ef05701177c43ed1c023c27' 'v2021.01'
> > # good: [b2c86f596cfb1ea9f7f5138f72f1c5c49e3ae3f1] arm: dts: r8a774a1: Import DTS queued for Linux 5.12-rc1
> > git bisect good b2c86f596cfb1ea9f7f5138f72f1c5c49e3ae3f1
> > # bad: [74f4929c2c73beb595faf7d5d9bb6a78d710c2fd] ddr: marvell: axp: fix array types have different bounds warning
> > git bisect bad 74f4929c2c73beb595faf7d5d9bb6a78d710c2fd
> > # bad: [cbe607b920bc0827d8fe379ed4f5ae4e2058513e] Merge tag 'xilinx-for-v2021.04-rc3' of https://gitlab.denx.de/u-boot/custodians/u-boot-microblaze
> > git bisect bad cbe607b920bc0827d8fe379ed4f5ae4e2058513e
> > # good: [d5f3aadacbc63df3b690d6fd9f0aa3f575b43356] test: Add tests for the 'evil' vboot attacks
> > git bisect good d5f3aadacbc63df3b690d6fd9f0aa3f575b43356
> > # bad: [a1a652e8016426e2d67148cab225cd5ec45189fb] Merge tag 'mmc-2021-2-19' of https://gitlab.denx.de/u-boot/custodians/u-boot-mmc
> > git bisect bad a1a652e8016426e2d67148cab225cd5ec45189fb
> > # bad: [aeedeae40733131467de72c68e639cf9d795e059] spl: fit: Replace #ifdef blocks with more readable constructs
> > git bisect bad aeedeae40733131467de72c68e639cf9d795e059
> > # bad: [eb5fd9e46c11ea41430d9c5bcc81d4583424216e] usb: kbd: destroy device after console is stopped
> > git bisect bad eb5fd9e46c11ea41430d9c5bcc81d4583424216e
> > # bad: [99cb2b996bd649d98069a95941beaaade0a4447a] stdio: Split out nulldev_register() and move it under #if
> > git bisect bad 99cb2b996bd649d98069a95941beaaade0a4447a
> > # bad: [3f04db891a353f4b127ed57279279f851c6b4917] image: Check for unit addresses in FITs
> > git bisect bad 3f04db891a353f4b127ed57279279f851c6b4917
> > # good: [6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01] image: Add an option to do a full check of the FIT
> > git bisect good 6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01
> > # good: [124c255731c76a2b09587378b2bcce561bcd3f2d] libfdt: Check for multiple/invalid root nodes
> > git bisect good 124c255731c76a2b09587378b2bcce561bcd3f2d
> > # first bad commit: [3f04db891a353f4b127ed57279279f851c6b4917] image: Check for unit addresses in FITs
> >
> > Is this an actual regression or is this now the expected behavior? I have added
> > Thomas and the linux-mips mailing list to take a look and see if the Linux
> > kernel needs to have its sources updated.
>
> It is expected. See the code in that commit:
>
> /*
> * U-Boot stopped using unit addressed in 2017. Since libfdt
> * can match nodes ignoring any unit address, signature
> * verification can see the wrong node if one is inserted with
> * the same name as a valid node but with a unit address
> * attached. Protect against this by disallowing unit addresses.
> */
> if (!ret && CONFIG_IS_ENABLED(FIT_SIGNATURE)) {
> ret = fdt_check_no_at(fit, 0);
>
> if (ret) {
> log_debug("FIT check error %d\n", ret);
> return ret;
> }
> }
>
> Possibly you are using @ nodes in your FIT files in the kernel. Is it
> possible to use a hyphen instead?
Yeah, it looks like arch/mips/generic/*.its.S in the kernel will need to
be updated.
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210409/96ba943c/attachment.sig>
next prev parent reply other threads:[~2021-04-09 17:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-08 18:22 mkimage regression when building ARCH=mips defconfig Linux kernel Nathan Chancellor
2021-04-08 18:22 ` Nathan Chancellor
2021-04-08 23:55 ` Simon Glass
2021-04-08 23:55 ` Simon Glass
2021-04-09 17:47 ` Tom Rini [this message]
2021-04-09 17:47 ` Tom Rini
2021-04-09 19:21 ` [PATCH] MIPS: generic: Update node names to avoid unit addresses Nathan Chancellor
2021-04-09 19:41 ` Tom Rini
2021-04-12 15:05 ` Thomas Bogendoerfer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210409174734.GJ1310@bill-the-cat \
--to=trini@konsulko.com \
--cc=linux-mips@vger.kernel.org \
--cc=nathan@kernel.org \
--cc=sjg@chromium.org \
--cc=tsbogend@alpha.franken.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.