* [PATCH] kernel-fitimage: Don't use unit addresses on FIT
@ 2021-02-21 19:22 Klaus Heinrich Kiwi
2021-02-22 8:24 ` [OE-core] " Richard Purdie
0 siblings, 1 reply; 7+ messages in thread
From: Klaus Heinrich Kiwi @ 2021-02-21 19:22 UTC (permalink / raw)
To: openembedded-core; +Cc: Klaus Heinrich Kiwi
Das U-Boot 2021.4-rc1 has the following commit:
commit 3f04db891a353f4b127ed57279279f851c6b4917
Author: Simon Glass <sjg@chromium.org>
Date: Mon Feb 15 17:08:12 2021 -0700
image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for
this and disallow it.
CVE-2021-27138
Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This changte is required before we can bump U-Boot to 2021.4.
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
---
meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++--------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 2414870817..f5082c93df 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
fi
cat << EOF >> ${1}
- kernel@${2} {
+ kernel-${2} {
description = "Linux kernel";
data = /incbin/("${3}");
type = "kernel";
@@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
compression = "${4}";
load = <${UBOOT_LOADADDRESS}>;
entry = <${ENTRYPOINT}>;
- hash@1 {
+ hash-1 {
algo = "${kernel_csum}";
};
};
@@ -179,7 +179,7 @@ EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${kernel_csum},${kernel_sign_algo}";
key-name-hint = "${kernel_sign_keyname}";
};
@@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
fi
cat << EOF >> ${1}
- fdt@${2} {
+ fdt-${2} {
description = "Flattened Device Tree blob";
data = /incbin/("${3}");
type = "flat_dt";
arch = "${UBOOT_ARCH}";
compression = "none";
${dtb_loadline}
- hash@1 {
+ hash-1 {
algo = "${dtb_csum}";
};
};
@@ -226,7 +226,7 @@ EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${dtb_csum},${dtb_sign_algo}";
key-name-hint = "${dtb_sign_keyname}";
};
@@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
setup_csum="${FIT_HASH_ALG}"
cat << EOF >> ${1}
- setup@${2} {
+ setup-${2} {
description = "Linux setup.bin";
data = /incbin/("${3}");
type = "x86_setup";
@@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
compression = "none";
load = <0x00090000>;
entry = <0x00090000>;
- hash@1 {
+ hash-1 {
algo = "${setup_csum}";
};
};
@@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
fi
cat << EOF >> ${1}
- ramdisk@${2} {
+ ramdisk-${2} {
description = "${INITRAMFS_IMAGE}";
data = /incbin/("${3}");
type = "ramdisk";
@@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
compression = "none";
${ramdisk_loadline}
${ramdisk_entryline}
- hash@1 {
+ hash-1 {
algo = "${ramdisk_csum}";
};
};
@@ -339,7 +339,7 @@ EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${ramdisk_csum},${ramdisk_sign_algo}";
key-name-hint = "${ramdisk_sign_keyname}";
};
@@ -377,7 +377,7 @@ fitimage_emit_section_config() {
# Test if we have any DTBs at all
sep=""
conf_desc=""
- conf_node="conf@"
+ conf_node="conf-"
kernel_line=""
fdt_line=""
ramdisk_line=""
@@ -396,19 +396,19 @@ fitimage_emit_section_config() {
if [ -n "${kernel_id}" ]; then
conf_desc="Linux kernel"
sep=", "
- kernel_line="kernel = \"kernel@${kernel_id}\";"
+ kernel_line="kernel = \"kernel-${kernel_id}\";"
fi
if [ -n "${dtb_image}" ]; then
conf_desc="${conf_desc}${sep}FDT blob"
sep=", "
- fdt_line="fdt = \"fdt@${dtb_image}\";"
+ fdt_line="fdt = \"fdt-${dtb_image}\";"
fi
if [ -n "${ramdisk_id}" ]; then
conf_desc="${conf_desc}${sep}ramdisk"
sep=", "
- ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
+ ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
fi
if [ -n "${bootscr_id}" ]; then
@@ -419,16 +419,16 @@ fitimage_emit_section_config() {
if [ -n "${config_id}" ]; then
conf_desc="${conf_desc}${sep}setup"
- setup_line="setup = \"setup@${config_id}\";"
+ setup_line="setup = \"setup-${config_id}\";"
fi
if [ "${default_flag}" = "1" ]; then
# default node is selected based on dtb ID if it is present,
# otherwise its selected based on kernel ID
if [ -n "${dtb_image}" ]; then
- default_line="default = \"conf@${dtb_image}\";"
+ default_line="default = \"conf-${dtb_image}\";"
else
- default_line="default = \"conf@${kernel_id}\";"
+ default_line="default = \"conf-${kernel_id}\";"
fi
fi
@@ -441,7 +441,7 @@ fitimage_emit_section_config() {
${ramdisk_line}
${bootscr_line}
${setup_line}
- hash@1 {
+ hash-1 {
algo = "${conf_csum}";
};
EOF
@@ -478,7 +478,7 @@ EOF
sign_line="${sign_line};"
cat << EOF >> ${its_file}
- signature@1 {
+ signature-1 {
algo = "${conf_csum},${conf_sign_algo}";
key-name-hint = "${conf_sign_keyname}";
${sign_line}
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [OE-core] [PATCH] kernel-fitimage: Don't use unit addresses on FIT 2021-02-21 19:22 [PATCH] kernel-fitimage: Don't use unit addresses on FIT Klaus Heinrich Kiwi @ 2021-02-22 8:24 ` Richard Purdie 2021-02-22 18:38 ` [PATCH v2] " Klaus Heinrich Kiwi 2021-02-22 18:42 ` [OE-core] [PATCH] " Klaus Heinrich Kiwi 0 siblings, 2 replies; 7+ messages in thread From: Richard Purdie @ 2021-02-22 8:24 UTC (permalink / raw) To: Klaus Heinrich Kiwi, openembedded-core On Sun, 2021-02-21 at 16:22 -0300, Klaus Heinrich Kiwi wrote: > Das U-Boot 2021.4-rc1 has the following commit: > > commit 3f04db891a353f4b127ed57279279f851c6b4917 > Author: Simon Glass <sjg@chromium.org> > Date: Mon Feb 15 17:08:12 2021 -0700 > > image: Check for unit addresses in FITs > > Using unit addresses in a FIT is a security risk. Add a check for > this and disallow it. > > CVE-2021-27138 > > Adjust the kernel-fitimage.bbclass accordingly to not use unit > addresses. This changte is required before we can bump U-Boot to 2021.4. > > Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> > --- > meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++-------------- > 1 file changed, 20 insertions(+), 20 deletions(-) This caused some tests to fail: https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/1855/steps/15/logs/stdio Do we need to update the tests as well? Cheers, Richard ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2] kernel-fitimage: Don't use unit addresses on FIT 2021-02-22 8:24 ` [OE-core] " Richard Purdie @ 2021-02-22 18:38 ` Klaus Heinrich Kiwi 2021-05-31 14:59 ` [OE-core] " Frieder Schrempf 2021-02-22 18:42 ` [OE-core] [PATCH] " Klaus Heinrich Kiwi 1 sibling, 1 reply; 7+ messages in thread From: Klaus Heinrich Kiwi @ 2021-02-22 18:38 UTC (permalink / raw) To: openembedded-core; +Cc: Klaus Heinrich Kiwi Das U-Boot 2021.4-rc1 has the following commit: commit 3f04db891a353f4b127ed57279279f851c6b4917 Author: Simon Glass <sjg@chromium.org> Date: Mon Feb 15 17:08:12 2021 -0700 image: Check for unit addresses in FITs Using unit addresses in a FIT is a security risk. Add a check for this and disallow it. CVE-2021-27138 Adjust the kernel-fitimage.bbclass accordingly to not use unit addresses. This changte is required before we can bump U-Boot to 2021.4. Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> --- Notes: V2 Notes: - Adjusted testcases (reported by Richard Purdie <richard.purdie@linuxfoundation.org>) meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++------------ meta/lib/oeqa/selftest/cases/fitimage.py | 36 ++++++++++----------- 2 files changed, 38 insertions(+), 38 deletions(-) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index 2414870817..f5082c93df 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -161,7 +161,7 @@ fitimage_emit_section_kernel() { fi cat << EOF >> ${1} - kernel@${2} { + kernel-${2} { description = "Linux kernel"; data = /incbin/("${3}"); type = "kernel"; @@ -170,7 +170,7 @@ fitimage_emit_section_kernel() { compression = "${4}"; load = <${UBOOT_LOADADDRESS}>; entry = <${ENTRYPOINT}>; - hash@1 { + hash-1 { algo = "${kernel_csum}"; }; }; @@ -179,7 +179,7 @@ EOF if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then sed -i '$ d' ${1} cat << EOF >> ${1} - signature@1 { + signature-1 { algo = "${kernel_csum},${kernel_sign_algo}"; key-name-hint = "${kernel_sign_keyname}"; }; @@ -210,14 +210,14 @@ fitimage_emit_section_dtb() { dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" fi cat << EOF >> ${1} - fdt@${2} { + fdt-${2} { description = "Flattened Device Tree blob"; data = /incbin/("${3}"); type = "flat_dt"; arch = "${UBOOT_ARCH}"; compression = "none"; ${dtb_loadline} - hash@1 { + hash-1 { algo = "${dtb_csum}"; }; }; @@ -226,7 +226,7 @@ EOF if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then sed -i '$ d' ${1} cat << EOF >> ${1} - signature@1 { + signature-1 { algo = "${dtb_csum},${dtb_sign_algo}"; key-name-hint = "${dtb_sign_keyname}"; }; @@ -283,7 +283,7 @@ fitimage_emit_section_setup() { setup_csum="${FIT_HASH_ALG}" cat << EOF >> ${1} - setup@${2} { + setup-${2} { description = "Linux setup.bin"; data = /incbin/("${3}"); type = "x86_setup"; @@ -292,7 +292,7 @@ fitimage_emit_section_setup() { compression = "none"; load = <0x00090000>; entry = <0x00090000>; - hash@1 { + hash-1 { algo = "${setup_csum}"; }; }; @@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() { fi cat << EOF >> ${1} - ramdisk@${2} { + ramdisk-${2} { description = "${INITRAMFS_IMAGE}"; data = /incbin/("${3}"); type = "ramdisk"; @@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() { compression = "none"; ${ramdisk_loadline} ${ramdisk_entryline} - hash@1 { + hash-1 { algo = "${ramdisk_csum}"; }; }; @@ -339,7 +339,7 @@ EOF if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then sed -i '$ d' ${1} cat << EOF >> ${1} - signature@1 { + signature-1 { algo = "${ramdisk_csum},${ramdisk_sign_algo}"; key-name-hint = "${ramdisk_sign_keyname}"; }; @@ -377,7 +377,7 @@ fitimage_emit_section_config() { # Test if we have any DTBs at all sep="" conf_desc="" - conf_node="conf@" + conf_node="conf-" kernel_line="" fdt_line="" ramdisk_line="" @@ -396,19 +396,19 @@ fitimage_emit_section_config() { if [ -n "${kernel_id}" ]; then conf_desc="Linux kernel" sep=", " - kernel_line="kernel = \"kernel@${kernel_id}\";" + kernel_line="kernel = \"kernel-${kernel_id}\";" fi if [ -n "${dtb_image}" ]; then conf_desc="${conf_desc}${sep}FDT blob" sep=", " - fdt_line="fdt = \"fdt@${dtb_image}\";" + fdt_line="fdt = \"fdt-${dtb_image}\";" fi if [ -n "${ramdisk_id}" ]; then conf_desc="${conf_desc}${sep}ramdisk" sep=", " - ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";" + ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";" fi if [ -n "${bootscr_id}" ]; then @@ -419,16 +419,16 @@ fitimage_emit_section_config() { if [ -n "${config_id}" ]; then conf_desc="${conf_desc}${sep}setup" - setup_line="setup = \"setup@${config_id}\";" + setup_line="setup = \"setup-${config_id}\";" fi if [ "${default_flag}" = "1" ]; then # default node is selected based on dtb ID if it is present, # otherwise its selected based on kernel ID if [ -n "${dtb_image}" ]; then - default_line="default = \"conf@${dtb_image}\";" + default_line="default = \"conf-${dtb_image}\";" else - default_line="default = \"conf@${kernel_id}\";" + default_line="default = \"conf-${kernel_id}\";" fi fi @@ -441,7 +441,7 @@ fitimage_emit_section_config() { ${ramdisk_line} ${bootscr_line} ${setup_line} - hash@1 { + hash-1 { algo = "${conf_csum}"; }; EOF @@ -478,7 +478,7 @@ EOF sign_line="${sign_line};" cat << EOF >> ${its_file} - signature@1 { + signature-1 { algo = "${conf_csum},${conf_sign_algo}"; key-name-hint = "${conf_sign_keyname}"; ${sign_line} diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py index 0958036a6f..02692de822 100644 --- a/meta/lib/oeqa/selftest/cases/fitimage.py +++ b/meta/lib/oeqa/selftest/cases/fitimage.py @@ -69,9 +69,9 @@ FIT_DESC = "A model description" 'type = "ramdisk";', 'load = <0x88000000>;', 'entry = <0x88000000>;', - 'default = "conf@1";', - 'kernel = "kernel@1";', - 'ramdisk = "ramdisk@1";' + 'default = "conf-1";', + 'kernel = "kernel-1";', + 'ramdisk = "ramdisk-1";' ] with open(fitimage_its_path) as its_file: @@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" "%s FIT image doesn't exist" % (fitimage_path)) req_itspaths = [ - ['/', 'images', 'kernel@1'], - ['/', 'images', 'kernel@1', 'signature@1'], - ['/', 'images', 'fdt@am335x-boneblack.dtb'], - ['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'], - ['/', 'configurations', 'conf@am335x-boneblack.dtb'], - ['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'], + ['/', 'images', 'kernel-1'], + ['/', 'images', 'kernel-1', 'signature-1'], + ['/', 'images', 'fdt-am335x-boneblack.dtb'], + ['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'], + ['/', 'configurations', 'conf-am335x-boneblack.dtb'], + ['/', 'configurations', 'conf-am335x-boneblack.dtb', 'signature-1'], ] itspath = [] @@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" elif line.endswith('{'): itspath.append(line[:-1].strip()) itspaths.append(itspath[:]) - elif itspath and itspath[-1] == 'signature@1': + elif itspath and itspath[-1] == 'signature-1': itsdotpath = '.'.join(itspath) if not itsdotpath in sigs: sigs[itsdotpath] = {} @@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" } for itspath, values in sigs.items(): - if 'conf@' in itspath: + if 'conf-' in itspath: reqsigvalues = reqsigvalues_config else: reqsigvalues = reqsigvalues_image @@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" signed_sections[in_signed] = {} key, value = line.split(':', 1) signed_sections[in_signed][key.strip()] = value.strip() - self.assertIn('kernel@1', signed_sections) - self.assertIn('fdt@am335x-boneblack.dtb', signed_sections) - self.assertIn('conf@am335x-boneblack.dtb', signed_sections) + self.assertIn('kernel-1', signed_sections) + self.assertIn('fdt-am335x-boneblack.dtb', signed_sections) + self.assertIn('conf-am335x-boneblack.dtb', signed_sections) for signed_section, values in signed_sections.items(): value = values.get('Sign algo', None) self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section) @@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256" its_lines = [line.strip() for line in its_file.readlines()] exp_node_lines = [ - 'kernel@1 {', + 'kernel-1 {', 'description = "Linux kernel";', 'data = /incbin/("' + initramfs_bundle + '");', 'type = "kernel";', @@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256" 'compression = "none";', 'load = <' + kernel_load + '>;', 'entry = <' + kernel_entry + '>;', - 'hash@1 {', + 'hash-1 {', 'algo = "' + fit_hash_alg +'";', '};', '};' @@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256" else: self.assertTrue(test_passed == True,"kernel node does not match expectation") - rx_configs = re.compile("^conf@.*") + rx_configs = re.compile("^conf-.*") its_configs = list(filter(rx_configs.match, its_lines)) for cfg_str in its_configs: @@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256" else: print("kernel keyword found in the description line") - if 'kernel = "kernel@1";' not in node: + if 'kernel = "kernel-1";' not in node: self.assertTrue(test_passed == True,"kernel line not found") break else: -- 2.25.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH v2] kernel-fitimage: Don't use unit addresses on FIT 2021-02-22 18:38 ` [PATCH v2] " Klaus Heinrich Kiwi @ 2021-05-31 14:59 ` Frieder Schrempf 2021-05-31 15:59 ` Steve Sakoman 0 siblings, 1 reply; 7+ messages in thread From: Frieder Schrempf @ 2021-05-31 14:59 UTC (permalink / raw) To: Steve Sakoman; +Cc: klaus, openembedded-core Hi Steve, On 22.02.21 19:38, Klaus Heinrich Kiwi via lists.openembedded.org wrote: > Das U-Boot 2021.4-rc1 has the following commit: > > commit 3f04db891a353f4b127ed57279279f851c6b4917 > Author: Simon Glass <sjg@chromium.org> > Date: Mon Feb 15 17:08:12 2021 -0700 > > image: Check for unit addresses in FITs > > Using unit addresses in a FIT is a security risk. Add a check for > this and disallow it. > > CVE-2021-27138 > > Adjust the kernel-fitimage.bbclass accordingly to not use unit > addresses. This changte is required before we can bump U-Boot to 2021.4. > > Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> Could you pick this and the follow-up patch 0ef3a5e2a6d4 ("kernel-fitimage.bbclass: drop unit addresses from bootscr sections") to the dunfell branch to fix FIT images on U-Boot 2021.01 or later with dunfell? Thanks Frieder > --- > > Notes: > V2 Notes: > - Adjusted testcases > (reported by Richard Purdie <richard.purdie@linuxfoundation.org>) > > meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++------------ > meta/lib/oeqa/selftest/cases/fitimage.py | 36 ++++++++++----------- > 2 files changed, 38 insertions(+), 38 deletions(-) > > diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass > index 2414870817..f5082c93df 100644 > --- a/meta/classes/kernel-fitimage.bbclass > +++ b/meta/classes/kernel-fitimage.bbclass > @@ -161,7 +161,7 @@ fitimage_emit_section_kernel() { > fi > > cat << EOF >> ${1} > - kernel@${2} { > + kernel-${2} { > description = "Linux kernel"; > data = /incbin/("${3}"); > type = "kernel"; > @@ -170,7 +170,7 @@ fitimage_emit_section_kernel() { > compression = "${4}"; > load = <${UBOOT_LOADADDRESS}>; > entry = <${ENTRYPOINT}>; > - hash@1 { > + hash-1 { > algo = "${kernel_csum}"; > }; > }; > @@ -179,7 +179,7 @@ EOF > if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then > sed -i '$ d' ${1} > cat << EOF >> ${1} > - signature@1 { > + signature-1 { > algo = "${kernel_csum},${kernel_sign_algo}"; > key-name-hint = "${kernel_sign_keyname}"; > }; > @@ -210,14 +210,14 @@ fitimage_emit_section_dtb() { > dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" > fi > cat << EOF >> ${1} > - fdt@${2} { > + fdt-${2} { > description = "Flattened Device Tree blob"; > data = /incbin/("${3}"); > type = "flat_dt"; > arch = "${UBOOT_ARCH}"; > compression = "none"; > ${dtb_loadline} > - hash@1 { > + hash-1 { > algo = "${dtb_csum}"; > }; > }; > @@ -226,7 +226,7 @@ EOF > if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then > sed -i '$ d' ${1} > cat << EOF >> ${1} > - signature@1 { > + signature-1 { > algo = "${dtb_csum},${dtb_sign_algo}"; > key-name-hint = "${dtb_sign_keyname}"; > }; > @@ -283,7 +283,7 @@ fitimage_emit_section_setup() { > setup_csum="${FIT_HASH_ALG}" > > cat << EOF >> ${1} > - setup@${2} { > + setup-${2} { > description = "Linux setup.bin"; > data = /incbin/("${3}"); > type = "x86_setup"; > @@ -292,7 +292,7 @@ fitimage_emit_section_setup() { > compression = "none"; > load = <0x00090000>; > entry = <0x00090000>; > - hash@1 { > + hash-1 { > algo = "${setup_csum}"; > }; > }; > @@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() { > fi > > cat << EOF >> ${1} > - ramdisk@${2} { > + ramdisk-${2} { > description = "${INITRAMFS_IMAGE}"; > data = /incbin/("${3}"); > type = "ramdisk"; > @@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() { > compression = "none"; > ${ramdisk_loadline} > ${ramdisk_entryline} > - hash@1 { > + hash-1 { > algo = "${ramdisk_csum}"; > }; > }; > @@ -339,7 +339,7 @@ EOF > if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then > sed -i '$ d' ${1} > cat << EOF >> ${1} > - signature@1 { > + signature-1 { > algo = "${ramdisk_csum},${ramdisk_sign_algo}"; > key-name-hint = "${ramdisk_sign_keyname}"; > }; > @@ -377,7 +377,7 @@ fitimage_emit_section_config() { > # Test if we have any DTBs at all > sep="" > conf_desc="" > - conf_node="conf@" > + conf_node="conf-" > kernel_line="" > fdt_line="" > ramdisk_line="" > @@ -396,19 +396,19 @@ fitimage_emit_section_config() { > if [ -n "${kernel_id}" ]; then > conf_desc="Linux kernel" > sep=", " > - kernel_line="kernel = \"kernel@${kernel_id}\";" > + kernel_line="kernel = \"kernel-${kernel_id}\";" > fi > > if [ -n "${dtb_image}" ]; then > conf_desc="${conf_desc}${sep}FDT blob" > sep=", " > - fdt_line="fdt = \"fdt@${dtb_image}\";" > + fdt_line="fdt = \"fdt-${dtb_image}\";" > fi > > if [ -n "${ramdisk_id}" ]; then > conf_desc="${conf_desc}${sep}ramdisk" > sep=", " > - ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";" > + ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";" > fi > > if [ -n "${bootscr_id}" ]; then > @@ -419,16 +419,16 @@ fitimage_emit_section_config() { > > if [ -n "${config_id}" ]; then > conf_desc="${conf_desc}${sep}setup" > - setup_line="setup = \"setup@${config_id}\";" > + setup_line="setup = \"setup-${config_id}\";" > fi > > if [ "${default_flag}" = "1" ]; then > # default node is selected based on dtb ID if it is present, > # otherwise its selected based on kernel ID > if [ -n "${dtb_image}" ]; then > - default_line="default = \"conf@${dtb_image}\";" > + default_line="default = \"conf-${dtb_image}\";" > else > - default_line="default = \"conf@${kernel_id}\";" > + default_line="default = \"conf-${kernel_id}\";" > fi > fi > > @@ -441,7 +441,7 @@ fitimage_emit_section_config() { > ${ramdisk_line} > ${bootscr_line} > ${setup_line} > - hash@1 { > + hash-1 { > algo = "${conf_csum}"; > }; > EOF > @@ -478,7 +478,7 @@ EOF > sign_line="${sign_line};" > > cat << EOF >> ${its_file} > - signature@1 { > + signature-1 { > algo = "${conf_csum},${conf_sign_algo}"; > key-name-hint = "${conf_sign_keyname}"; > ${sign_line} > diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py > index 0958036a6f..02692de822 100644 > --- a/meta/lib/oeqa/selftest/cases/fitimage.py > +++ b/meta/lib/oeqa/selftest/cases/fitimage.py > @@ -69,9 +69,9 @@ FIT_DESC = "A model description" > 'type = "ramdisk";', > 'load = <0x88000000>;', > 'entry = <0x88000000>;', > - 'default = "conf@1";', > - 'kernel = "kernel@1";', > - 'ramdisk = "ramdisk@1";' > + 'default = "conf-1";', > + 'kernel = "kernel-1";', > + 'ramdisk = "ramdisk-1";' > ] > > with open(fitimage_its_path) as its_file: > @@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" > "%s FIT image doesn't exist" % (fitimage_path)) > > req_itspaths = [ > - ['/', 'images', 'kernel@1'], > - ['/', 'images', 'kernel@1', 'signature@1'], > - ['/', 'images', 'fdt@am335x-boneblack.dtb'], > - ['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'], > - ['/', 'configurations', 'conf@am335x-boneblack.dtb'], > - ['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'], > + ['/', 'images', 'kernel-1'], > + ['/', 'images', 'kernel-1', 'signature-1'], > + ['/', 'images', 'fdt-am335x-boneblack.dtb'], > + ['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'], > + ['/', 'configurations', 'conf-am335x-boneblack.dtb'], > + ['/', 'configurations', 'conf-am335x-boneblack.dtb', 'signature-1'], > ] > > itspath = [] > @@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" > elif line.endswith('{'): > itspath.append(line[:-1].strip()) > itspaths.append(itspath[:]) > - elif itspath and itspath[-1] == 'signature@1': > + elif itspath and itspath[-1] == 'signature-1': > itsdotpath = '.'.join(itspath) > if not itsdotpath in sigs: > sigs[itsdotpath] = {} > @@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" > } > > for itspath, values in sigs.items(): > - if 'conf@' in itspath: > + if 'conf-' in itspath: > reqsigvalues = reqsigvalues_config > else: > reqsigvalues = reqsigvalues_image > @@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" > signed_sections[in_signed] = {} > key, value = line.split(':', 1) > signed_sections[in_signed][key.strip()] = value.strip() > - self.assertIn('kernel@1', signed_sections) > - self.assertIn('fdt@am335x-boneblack.dtb', signed_sections) > - self.assertIn('conf@am335x-boneblack.dtb', signed_sections) > + self.assertIn('kernel-1', signed_sections) > + self.assertIn('fdt-am335x-boneblack.dtb', signed_sections) > + self.assertIn('conf-am335x-boneblack.dtb', signed_sections) > for signed_section, values in signed_sections.items(): > value = values.get('Sign algo', None) > self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section) > @@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256" > its_lines = [line.strip() for line in its_file.readlines()] > > exp_node_lines = [ > - 'kernel@1 {', > + 'kernel-1 {', > 'description = "Linux kernel";', > 'data = /incbin/("' + initramfs_bundle + '");', > 'type = "kernel";', > @@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256" > 'compression = "none";', > 'load = <' + kernel_load + '>;', > 'entry = <' + kernel_entry + '>;', > - 'hash@1 {', > + 'hash-1 {', > 'algo = "' + fit_hash_alg +'";', > '};', > '};' > @@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256" > else: > self.assertTrue(test_passed == True,"kernel node does not match expectation") > > - rx_configs = re.compile("^conf@.*") > + rx_configs = re.compile("^conf-.*") > its_configs = list(filter(rx_configs.match, its_lines)) > > for cfg_str in its_configs: > @@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256" > else: > print("kernel keyword found in the description line") > > - if 'kernel = "kernel@1";' not in node: > + if 'kernel = "kernel-1";' not in node: > self.assertTrue(test_passed == True,"kernel line not found") > break > else: > > > > > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH v2] kernel-fitimage: Don't use unit addresses on FIT 2021-05-31 14:59 ` [OE-core] " Frieder Schrempf @ 2021-05-31 15:59 ` Steve Sakoman 2021-06-01 9:15 ` Frieder Schrempf 0 siblings, 1 reply; 7+ messages in thread From: Steve Sakoman @ 2021-05-31 15:59 UTC (permalink / raw) To: Frieder Schrempf; +Cc: klaus, Patches and discussions about the oe-core layer On Mon, May 31, 2021 at 4:59 AM Frieder Schrempf <frieder.schrempf@kontron.de> wrote: > > Hi Steve, > > On 22.02.21 19:38, Klaus Heinrich Kiwi via lists.openembedded.org wrote: > > Das U-Boot 2021.4-rc1 has the following commit: > > > > commit 3f04db891a353f4b127ed57279279f851c6b4917 > > Author: Simon Glass <sjg@chromium.org> > > Date: Mon Feb 15 17:08:12 2021 -0700 > > > > image: Check for unit addresses in FITs > > > > Using unit addresses in a FIT is a security risk. Add a check for > > this and disallow it. > > > > CVE-2021-27138 > > > > Adjust the kernel-fitimage.bbclass accordingly to not use unit > > addresses. This changte is required before we can bump U-Boot to 2021.4. > > > > Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> > > Could you pick this and the follow-up patch 0ef3a5e2a6d4 ("kernel-fitimage.bbclass: drop unit addresses from bootscr sections") to the dunfell branch to fix FIT images on U-Boot 2021.01 or later with dunfell? I can't do a clean cherry-pick of this patch. If you'd like to submit dunfell versions of these two patches I will add them to my testing queue. Steve > > Thanks > Frieder > > > --- > > > > Notes: > > V2 Notes: > > - Adjusted testcases > > (reported by Richard Purdie <richard.purdie@linuxfoundation.org>) > > > > meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++------------ > > meta/lib/oeqa/selftest/cases/fitimage.py | 36 ++++++++++----------- > > 2 files changed, 38 insertions(+), 38 deletions(-) > > > > diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass > > index 2414870817..f5082c93df 100644 > > --- a/meta/classes/kernel-fitimage.bbclass > > +++ b/meta/classes/kernel-fitimage.bbclass > > @@ -161,7 +161,7 @@ fitimage_emit_section_kernel() { > > fi > > > > cat << EOF >> ${1} > > - kernel@${2} { > > + kernel-${2} { > > description = "Linux kernel"; > > data = /incbin/("${3}"); > > type = "kernel"; > > @@ -170,7 +170,7 @@ fitimage_emit_section_kernel() { > > compression = "${4}"; > > load = <${UBOOT_LOADADDRESS}>; > > entry = <${ENTRYPOINT}>; > > - hash@1 { > > + hash-1 { > > algo = "${kernel_csum}"; > > }; > > }; > > @@ -179,7 +179,7 @@ EOF > > if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then > > sed -i '$ d' ${1} > > cat << EOF >> ${1} > > - signature@1 { > > + signature-1 { > > algo = "${kernel_csum},${kernel_sign_algo}"; > > key-name-hint = "${kernel_sign_keyname}"; > > }; > > @@ -210,14 +210,14 @@ fitimage_emit_section_dtb() { > > dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" > > fi > > cat << EOF >> ${1} > > - fdt@${2} { > > + fdt-${2} { > > description = "Flattened Device Tree blob"; > > data = /incbin/("${3}"); > > type = "flat_dt"; > > arch = "${UBOOT_ARCH}"; > > compression = "none"; > > ${dtb_loadline} > > - hash@1 { > > + hash-1 { > > algo = "${dtb_csum}"; > > }; > > }; > > @@ -226,7 +226,7 @@ EOF > > if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then > > sed -i '$ d' ${1} > > cat << EOF >> ${1} > > - signature@1 { > > + signature-1 { > > algo = "${dtb_csum},${dtb_sign_algo}"; > > key-name-hint = "${dtb_sign_keyname}"; > > }; > > @@ -283,7 +283,7 @@ fitimage_emit_section_setup() { > > setup_csum="${FIT_HASH_ALG}" > > > > cat << EOF >> ${1} > > - setup@${2} { > > + setup-${2} { > > description = "Linux setup.bin"; > > data = /incbin/("${3}"); > > type = "x86_setup"; > > @@ -292,7 +292,7 @@ fitimage_emit_section_setup() { > > compression = "none"; > > load = <0x00090000>; > > entry = <0x00090000>; > > - hash@1 { > > + hash-1 { > > algo = "${setup_csum}"; > > }; > > }; > > @@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() { > > fi > > > > cat << EOF >> ${1} > > - ramdisk@${2} { > > + ramdisk-${2} { > > description = "${INITRAMFS_IMAGE}"; > > data = /incbin/("${3}"); > > type = "ramdisk"; > > @@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() { > > compression = "none"; > > ${ramdisk_loadline} > > ${ramdisk_entryline} > > - hash@1 { > > + hash-1 { > > algo = "${ramdisk_csum}"; > > }; > > }; > > @@ -339,7 +339,7 @@ EOF > > if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then > > sed -i '$ d' ${1} > > cat << EOF >> ${1} > > - signature@1 { > > + signature-1 { > > algo = "${ramdisk_csum},${ramdisk_sign_algo}"; > > key-name-hint = "${ramdisk_sign_keyname}"; > > }; > > @@ -377,7 +377,7 @@ fitimage_emit_section_config() { > > # Test if we have any DTBs at all > > sep="" > > conf_desc="" > > - conf_node="conf@" > > + conf_node="conf-" > > kernel_line="" > > fdt_line="" > > ramdisk_line="" > > @@ -396,19 +396,19 @@ fitimage_emit_section_config() { > > if [ -n "${kernel_id}" ]; then > > conf_desc="Linux kernel" > > sep=", " > > - kernel_line="kernel = \"kernel@${kernel_id}\";" > > + kernel_line="kernel = \"kernel-${kernel_id}\";" > > fi > > > > if [ -n "${dtb_image}" ]; then > > conf_desc="${conf_desc}${sep}FDT blob" > > sep=", " > > - fdt_line="fdt = \"fdt@${dtb_image}\";" > > + fdt_line="fdt = \"fdt-${dtb_image}\";" > > fi > > > > if [ -n "${ramdisk_id}" ]; then > > conf_desc="${conf_desc}${sep}ramdisk" > > sep=", " > > - ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";" > > + ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";" > > fi > > > > if [ -n "${bootscr_id}" ]; then > > @@ -419,16 +419,16 @@ fitimage_emit_section_config() { > > > > if [ -n "${config_id}" ]; then > > conf_desc="${conf_desc}${sep}setup" > > - setup_line="setup = \"setup@${config_id}\";" > > + setup_line="setup = \"setup-${config_id}\";" > > fi > > > > if [ "${default_flag}" = "1" ]; then > > # default node is selected based on dtb ID if it is present, > > # otherwise its selected based on kernel ID > > if [ -n "${dtb_image}" ]; then > > - default_line="default = \"conf@${dtb_image}\";" > > + default_line="default = \"conf-${dtb_image}\";" > > else > > - default_line="default = \"conf@${kernel_id}\";" > > + default_line="default = \"conf-${kernel_id}\";" > > fi > > fi > > > > @@ -441,7 +441,7 @@ fitimage_emit_section_config() { > > ${ramdisk_line} > > ${bootscr_line} > > ${setup_line} > > - hash@1 { > > + hash-1 { > > algo = "${conf_csum}"; > > }; > > EOF > > @@ -478,7 +478,7 @@ EOF > > sign_line="${sign_line};" > > > > cat << EOF >> ${its_file} > > - signature@1 { > > + signature-1 { > > algo = "${conf_csum},${conf_sign_algo}"; > > key-name-hint = "${conf_sign_keyname}"; > > ${sign_line} > > diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py > > index 0958036a6f..02692de822 100644 > > --- a/meta/lib/oeqa/selftest/cases/fitimage.py > > +++ b/meta/lib/oeqa/selftest/cases/fitimage.py > > @@ -69,9 +69,9 @@ FIT_DESC = "A model description" > > 'type = "ramdisk";', > > 'load = <0x88000000>;', > > 'entry = <0x88000000>;', > > - 'default = "conf@1";', > > - 'kernel = "kernel@1";', > > - 'ramdisk = "ramdisk@1";' > > + 'default = "conf-1";', > > + 'kernel = "kernel-1";', > > + 'ramdisk = "ramdisk-1";' > > ] > > > > with open(fitimage_its_path) as its_file: > > @@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" > > "%s FIT image doesn't exist" % (fitimage_path)) > > > > req_itspaths = [ > > - ['/', 'images', 'kernel@1'], > > - ['/', 'images', 'kernel@1', 'signature@1'], > > - ['/', 'images', 'fdt@am335x-boneblack.dtb'], > > - ['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'], > > - ['/', 'configurations', 'conf@am335x-boneblack.dtb'], > > - ['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'], > > + ['/', 'images', 'kernel-1'], > > + ['/', 'images', 'kernel-1', 'signature-1'], > > + ['/', 'images', 'fdt-am335x-boneblack.dtb'], > > + ['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'], > > + ['/', 'configurations', 'conf-am335x-boneblack.dtb'], > > + ['/', 'configurations', 'conf-am335x-boneblack.dtb', 'signature-1'], > > ] > > > > itspath = [] > > @@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" > > elif line.endswith('{'): > > itspath.append(line[:-1].strip()) > > itspaths.append(itspath[:]) > > - elif itspath and itspath[-1] == 'signature@1': > > + elif itspath and itspath[-1] == 'signature-1': > > itsdotpath = '.'.join(itspath) > > if not itsdotpath in sigs: > > sigs[itsdotpath] = {} > > @@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" > > } > > > > for itspath, values in sigs.items(): > > - if 'conf@' in itspath: > > + if 'conf-' in itspath: > > reqsigvalues = reqsigvalues_config > > else: > > reqsigvalues = reqsigvalues_image > > @@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" > > signed_sections[in_signed] = {} > > key, value = line.split(':', 1) > > signed_sections[in_signed][key.strip()] = value.strip() > > - self.assertIn('kernel@1', signed_sections) > > - self.assertIn('fdt@am335x-boneblack.dtb', signed_sections) > > - self.assertIn('conf@am335x-boneblack.dtb', signed_sections) > > + self.assertIn('kernel-1', signed_sections) > > + self.assertIn('fdt-am335x-boneblack.dtb', signed_sections) > > + self.assertIn('conf-am335x-boneblack.dtb', signed_sections) > > for signed_section, values in signed_sections.items(): > > value = values.get('Sign algo', None) > > self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section) > > @@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256" > > its_lines = [line.strip() for line in its_file.readlines()] > > > > exp_node_lines = [ > > - 'kernel@1 {', > > + 'kernel-1 {', > > 'description = "Linux kernel";', > > 'data = /incbin/("' + initramfs_bundle + '");', > > 'type = "kernel";', > > @@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256" > > 'compression = "none";', > > 'load = <' + kernel_load + '>;', > > 'entry = <' + kernel_entry + '>;', > > - 'hash@1 {', > > + 'hash-1 {', > > 'algo = "' + fit_hash_alg +'";', > > '};', > > '};' > > @@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256" > > else: > > self.assertTrue(test_passed == True,"kernel node does not match expectation") > > > > - rx_configs = re.compile("^conf@.*") > > + rx_configs = re.compile("^conf-.*") > > its_configs = list(filter(rx_configs.match, its_lines)) > > > > for cfg_str in its_configs: > > @@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256" > > else: > > print("kernel keyword found in the description line") > > > > - if 'kernel = "kernel@1";' not in node: > > + if 'kernel = "kernel-1";' not in node: > > self.assertTrue(test_passed == True,"kernel line not found") > > break > > else: > > > > > > > > > > > > > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH v2] kernel-fitimage: Don't use unit addresses on FIT 2021-05-31 15:59 ` Steve Sakoman @ 2021-06-01 9:15 ` Frieder Schrempf 0 siblings, 0 replies; 7+ messages in thread From: Frieder Schrempf @ 2021-06-01 9:15 UTC (permalink / raw) To: Steve Sakoman; +Cc: klaus, Patches and discussions about the oe-core layer On 31.05.21 17:59, Steve Sakoman wrote: > On Mon, May 31, 2021 at 4:59 AM Frieder Schrempf > <frieder.schrempf@kontron.de> wrote: >> >> Hi Steve, >> >> On 22.02.21 19:38, Klaus Heinrich Kiwi via lists.openembedded.org wrote: >>> Das U-Boot 2021.4-rc1 has the following commit: >>> >>> commit 3f04db891a353f4b127ed57279279f851c6b4917 >>> Author: Simon Glass <sjg@chromium.org> >>> Date: Mon Feb 15 17:08:12 2021 -0700 >>> >>> image: Check for unit addresses in FITs >>> >>> Using unit addresses in a FIT is a security risk. Add a check for >>> this and disallow it. >>> >>> CVE-2021-27138 >>> >>> Adjust the kernel-fitimage.bbclass accordingly to not use unit >>> addresses. This changte is required before we can bump U-Boot to 2021.4. >>> >>> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> >> >> Could you pick this and the follow-up patch 0ef3a5e2a6d4 ("kernel-fitimage.bbclass: drop unit addresses from bootscr sections") to the dunfell branch to fix FIT images on U-Boot 2021.01 or later with dunfell? > > I can't do a clean cherry-pick of this patch. If you'd like to submit > dunfell versions of these two patches I will add them to my testing > queue. Sorry, I should have looked at this more closely. I just sent a backport patch for dunfell. The second patch covers code that is not available in dunfell, so it's not needed anyway. > > Steve > >> >> Thanks >> Frieder >> >>> --- >>> >>> Notes: >>> V2 Notes: >>> - Adjusted testcases >>> (reported by Richard Purdie <richard.purdie@linuxfoundation.org>) >>> >>> meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++------------ >>> meta/lib/oeqa/selftest/cases/fitimage.py | 36 ++++++++++----------- >>> 2 files changed, 38 insertions(+), 38 deletions(-) >>> >>> diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass >>> index 2414870817..f5082c93df 100644 >>> --- a/meta/classes/kernel-fitimage.bbclass >>> +++ b/meta/classes/kernel-fitimage.bbclass >>> @@ -161,7 +161,7 @@ fitimage_emit_section_kernel() { >>> fi >>> >>> cat << EOF >> ${1} >>> - kernel@${2} { >>> + kernel-${2} { >>> description = "Linux kernel"; >>> data = /incbin/("${3}"); >>> type = "kernel"; >>> @@ -170,7 +170,7 @@ fitimage_emit_section_kernel() { >>> compression = "${4}"; >>> load = <${UBOOT_LOADADDRESS}>; >>> entry = <${ENTRYPOINT}>; >>> - hash@1 { >>> + hash-1 { >>> algo = "${kernel_csum}"; >>> }; >>> }; >>> @@ -179,7 +179,7 @@ EOF >>> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then >>> sed -i '$ d' ${1} >>> cat << EOF >> ${1} >>> - signature@1 { >>> + signature-1 { >>> algo = "${kernel_csum},${kernel_sign_algo}"; >>> key-name-hint = "${kernel_sign_keyname}"; >>> }; >>> @@ -210,14 +210,14 @@ fitimage_emit_section_dtb() { >>> dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" >>> fi >>> cat << EOF >> ${1} >>> - fdt@${2} { >>> + fdt-${2} { >>> description = "Flattened Device Tree blob"; >>> data = /incbin/("${3}"); >>> type = "flat_dt"; >>> arch = "${UBOOT_ARCH}"; >>> compression = "none"; >>> ${dtb_loadline} >>> - hash@1 { >>> + hash-1 { >>> algo = "${dtb_csum}"; >>> }; >>> }; >>> @@ -226,7 +226,7 @@ EOF >>> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then >>> sed -i '$ d' ${1} >>> cat << EOF >> ${1} >>> - signature@1 { >>> + signature-1 { >>> algo = "${dtb_csum},${dtb_sign_algo}"; >>> key-name-hint = "${dtb_sign_keyname}"; >>> }; >>> @@ -283,7 +283,7 @@ fitimage_emit_section_setup() { >>> setup_csum="${FIT_HASH_ALG}" >>> >>> cat << EOF >> ${1} >>> - setup@${2} { >>> + setup-${2} { >>> description = "Linux setup.bin"; >>> data = /incbin/("${3}"); >>> type = "x86_setup"; >>> @@ -292,7 +292,7 @@ fitimage_emit_section_setup() { >>> compression = "none"; >>> load = <0x00090000>; >>> entry = <0x00090000>; >>> - hash@1 { >>> + hash-1 { >>> algo = "${setup_csum}"; >>> }; >>> }; >>> @@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() { >>> fi >>> >>> cat << EOF >> ${1} >>> - ramdisk@${2} { >>> + ramdisk-${2} { >>> description = "${INITRAMFS_IMAGE}"; >>> data = /incbin/("${3}"); >>> type = "ramdisk"; >>> @@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() { >>> compression = "none"; >>> ${ramdisk_loadline} >>> ${ramdisk_entryline} >>> - hash@1 { >>> + hash-1 { >>> algo = "${ramdisk_csum}"; >>> }; >>> }; >>> @@ -339,7 +339,7 @@ EOF >>> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then >>> sed -i '$ d' ${1} >>> cat << EOF >> ${1} >>> - signature@1 { >>> + signature-1 { >>> algo = "${ramdisk_csum},${ramdisk_sign_algo}"; >>> key-name-hint = "${ramdisk_sign_keyname}"; >>> }; >>> @@ -377,7 +377,7 @@ fitimage_emit_section_config() { >>> # Test if we have any DTBs at all >>> sep="" >>> conf_desc="" >>> - conf_node="conf@" >>> + conf_node="conf-" >>> kernel_line="" >>> fdt_line="" >>> ramdisk_line="" >>> @@ -396,19 +396,19 @@ fitimage_emit_section_config() { >>> if [ -n "${kernel_id}" ]; then >>> conf_desc="Linux kernel" >>> sep=", " >>> - kernel_line="kernel = \"kernel@${kernel_id}\";" >>> + kernel_line="kernel = \"kernel-${kernel_id}\";" >>> fi >>> >>> if [ -n "${dtb_image}" ]; then >>> conf_desc="${conf_desc}${sep}FDT blob" >>> sep=", " >>> - fdt_line="fdt = \"fdt@${dtb_image}\";" >>> + fdt_line="fdt = \"fdt-${dtb_image}\";" >>> fi >>> >>> if [ -n "${ramdisk_id}" ]; then >>> conf_desc="${conf_desc}${sep}ramdisk" >>> sep=", " >>> - ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";" >>> + ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";" >>> fi >>> >>> if [ -n "${bootscr_id}" ]; then >>> @@ -419,16 +419,16 @@ fitimage_emit_section_config() { >>> >>> if [ -n "${config_id}" ]; then >>> conf_desc="${conf_desc}${sep}setup" >>> - setup_line="setup = \"setup@${config_id}\";" >>> + setup_line="setup = \"setup-${config_id}\";" >>> fi >>> >>> if [ "${default_flag}" = "1" ]; then >>> # default node is selected based on dtb ID if it is present, >>> # otherwise its selected based on kernel ID >>> if [ -n "${dtb_image}" ]; then >>> - default_line="default = \"conf@${dtb_image}\";" >>> + default_line="default = \"conf-${dtb_image}\";" >>> else >>> - default_line="default = \"conf@${kernel_id}\";" >>> + default_line="default = \"conf-${kernel_id}\";" >>> fi >>> fi >>> >>> @@ -441,7 +441,7 @@ fitimage_emit_section_config() { >>> ${ramdisk_line} >>> ${bootscr_line} >>> ${setup_line} >>> - hash@1 { >>> + hash-1 { >>> algo = "${conf_csum}"; >>> }; >>> EOF >>> @@ -478,7 +478,7 @@ EOF >>> sign_line="${sign_line};" >>> >>> cat << EOF >> ${its_file} >>> - signature@1 { >>> + signature-1 { >>> algo = "${conf_csum},${conf_sign_algo}"; >>> key-name-hint = "${conf_sign_keyname}"; >>> ${sign_line} >>> diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py >>> index 0958036a6f..02692de822 100644 >>> --- a/meta/lib/oeqa/selftest/cases/fitimage.py >>> +++ b/meta/lib/oeqa/selftest/cases/fitimage.py >>> @@ -69,9 +69,9 @@ FIT_DESC = "A model description" >>> 'type = "ramdisk";', >>> 'load = <0x88000000>;', >>> 'entry = <0x88000000>;', >>> - 'default = "conf@1";', >>> - 'kernel = "kernel@1";', >>> - 'ramdisk = "ramdisk@1";' >>> + 'default = "conf-1";', >>> + 'kernel = "kernel-1";', >>> + 'ramdisk = "ramdisk-1";' >>> ] >>> >>> with open(fitimage_its_path) as its_file: >>> @@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" >>> "%s FIT image doesn't exist" % (fitimage_path)) >>> >>> req_itspaths = [ >>> - ['/', 'images', 'kernel@1'], >>> - ['/', 'images', 'kernel@1', 'signature@1'], >>> - ['/', 'images', 'fdt@am335x-boneblack.dtb'], >>> - ['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'], >>> - ['/', 'configurations', 'conf@am335x-boneblack.dtb'], >>> - ['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'], >>> + ['/', 'images', 'kernel-1'], >>> + ['/', 'images', 'kernel-1', 'signature-1'], >>> + ['/', 'images', 'fdt-am335x-boneblack.dtb'], >>> + ['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'], >>> + ['/', 'configurations', 'conf-am335x-boneblack.dtb'], >>> + ['/', 'configurations', 'conf-am335x-boneblack.dtb', 'signature-1'], >>> ] >>> >>> itspath = [] >>> @@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" >>> elif line.endswith('{'): >>> itspath.append(line[:-1].strip()) >>> itspaths.append(itspath[:]) >>> - elif itspath and itspath[-1] == 'signature@1': >>> + elif itspath and itspath[-1] == 'signature-1': >>> itsdotpath = '.'.join(itspath) >>> if not itsdotpath in sigs: >>> sigs[itsdotpath] = {} >>> @@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" >>> } >>> >>> for itspath, values in sigs.items(): >>> - if 'conf@' in itspath: >>> + if 'conf-' in itspath: >>> reqsigvalues = reqsigvalues_config >>> else: >>> reqsigvalues = reqsigvalues_image >>> @@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'" >>> signed_sections[in_signed] = {} >>> key, value = line.split(':', 1) >>> signed_sections[in_signed][key.strip()] = value.strip() >>> - self.assertIn('kernel@1', signed_sections) >>> - self.assertIn('fdt@am335x-boneblack.dtb', signed_sections) >>> - self.assertIn('conf@am335x-boneblack.dtb', signed_sections) >>> + self.assertIn('kernel-1', signed_sections) >>> + self.assertIn('fdt-am335x-boneblack.dtb', signed_sections) >>> + self.assertIn('conf-am335x-boneblack.dtb', signed_sections) >>> for signed_section, values in signed_sections.items(): >>> value = values.get('Sign algo', None) >>> self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section) >>> @@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256" >>> its_lines = [line.strip() for line in its_file.readlines()] >>> >>> exp_node_lines = [ >>> - 'kernel@1 {', >>> + 'kernel-1 {', >>> 'description = "Linux kernel";', >>> 'data = /incbin/("' + initramfs_bundle + '");', >>> 'type = "kernel";', >>> @@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256" >>> 'compression = "none";', >>> 'load = <' + kernel_load + '>;', >>> 'entry = <' + kernel_entry + '>;', >>> - 'hash@1 {', >>> + 'hash-1 {', >>> 'algo = "' + fit_hash_alg +'";', >>> '};', >>> '};' >>> @@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256" >>> else: >>> self.assertTrue(test_passed == True,"kernel node does not match expectation") >>> >>> - rx_configs = re.compile("^conf@.*") >>> + rx_configs = re.compile("^conf-.*") >>> its_configs = list(filter(rx_configs.match, its_lines)) >>> >>> for cfg_str in its_configs: >>> @@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256" >>> else: >>> print("kernel keyword found in the description line") >>> >>> - if 'kernel = "kernel@1";' not in node: >>> + if 'kernel = "kernel-1";' not in node: >>> self.assertTrue(test_passed == True,"kernel line not found") >>> break >>> else: >>> >>> >>> >>> >>> >> >> >> ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH] kernel-fitimage: Don't use unit addresses on FIT 2021-02-22 8:24 ` [OE-core] " Richard Purdie 2021-02-22 18:38 ` [PATCH v2] " Klaus Heinrich Kiwi @ 2021-02-22 18:42 ` Klaus Heinrich Kiwi 1 sibling, 0 replies; 7+ messages in thread From: Klaus Heinrich Kiwi @ 2021-02-22 18:42 UTC (permalink / raw) To: Richard Purdie, openembedded-core > > This caused some tests to fail: > > https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/1855/steps/15/logs/stdio > > Do we need to update the tests as well? Thanks, I missed that completely. Adjusted the testcases for V2 and, even if locally I'm seeing a strange FAIL on the sign test with UBOOT_MKIMAGE_SIGN_ARGS not showing-up, I think it is unrelated and perhaps something of my environment (tested on another environment that succeeded). Sent a V2. -Klaus -- Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com> ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-06-01 9:15 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-02-21 19:22 [PATCH] kernel-fitimage: Don't use unit addresses on FIT Klaus Heinrich Kiwi 2021-02-22 8:24 ` [OE-core] " Richard Purdie 2021-02-22 18:38 ` [PATCH v2] " Klaus Heinrich Kiwi 2021-05-31 14:59 ` [OE-core] " Frieder Schrempf 2021-05-31 15:59 ` Steve Sakoman 2021-06-01 9:15 ` Frieder Schrempf 2021-02-22 18:42 ` [OE-core] [PATCH] " Klaus Heinrich Kiwi
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.