* [PATCH] [meta-oe] kernel-fitimage: Fix CVE-2021-27138
@ 2021-02-20 21:40 Klaus Heinrich Kiwi
  2021-02-21 18:02 ` [oe] " Scott Murray
  0 siblings, 1 reply; 4+ messages in thread
From: Klaus Heinrich Kiwi @ 2021-02-20 21:40 UTC (permalink / raw)
  To: openembedded-devel; +Cc: Klaus Heinrich Kiwi

Das U-Boot 2021.4-rc1 has the following commit:

    commit 3f04db891a353f4b127ed57279279f851c6b4917
    Author: Simon Glass <sjg@chromium.org>
    Date:   Mon Feb 15 17:08:12 2021 -0700

        image: Check for unit addresses in FITs

        Using unit addresses in a FIT is a security risk. Add a check for
        this and disallow it.

        CVE-2021-27138

Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. In addition to fixing a CVE, this is also required before we
can bump U-Boot to 2021.4.

Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
---
 meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++--------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 2414870817..f5082c93df 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
 	fi
 
 	cat << EOF >> ${1}
-                kernel@${2} {
+                kernel-${2} {
                         description = "Linux kernel";
                         data = /incbin/("${3}");
                         type = "kernel";
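Review bot: Nothing around the `cat << EOF` in this hunk records why the node is now named `kernel-${2}` rather than the conventional device-tree `name@unit` form, so a later cleanup could quietly reintroduce the `@`. A comment placed before the here-document (not inside it, where it would be written into the generated file) would keep the reason next to the code, for example `# FIT node names must not contain '@': U-Boot rejects unit addresses (CVE-2021-27138)`. The same comment fits the fdt, setup, ramdisk and conf hunks below. fitimage_emit_section_kernel starts before this hunk and the here-document continues past it.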
@@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
                         compression = "${4}";
                         load = <${UBOOT_LOADADDRESS}>;
                         entry = <${ENTRYPOINT}>;
-                        hash@1 {
+                        hash-1 {
                                 algo = "${kernel_csum}";
                         };
                 };
@@ -179,7 +179,7 @@ EOF
 	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
 		sed -i '$ d' ${1}
 		cat << EOF >> ${1}
-                        signature@1 {
+                        signature-1 {
                                 algo = "${kernel_csum},${kernel_sign_algo}";
                                 key-name-hint = "${kernel_sign_keyname}";
                         };
@@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
 		dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
 	fi
 	cat << EOF >> ${1}
-                fdt@${2} {
+                fdt-${2} {
                         description = "Flattened Device Tree blob";
                         data = /incbin/("${3}");
                         type = "flat_dt";
                         arch = "${UBOOT_ARCH}";
                         compression = "none";
                         ${dtb_loadline}
-                        hash@1 {
+                        hash-1 {
                                 algo = "${dtb_csum}";
                         };
                 };
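Review bot: `fdt-${2}` still interpolates the caller-supplied ID verbatim, so if that ID can ever contain `@` (a DTB file name, for instance; the callers are outside this hunk) the node would carry a unit address again and the image would be rejected by the new U-Boot check. A guard before the here-document would turn that into a build-time error, e.g. `case "${2}" in *@*) bbfatal "FIT node id '${2}' must not contain '@'" ;; esac`. The same consideration applies to `${dtb_image}` in the `fdt =` and `default =` lines of fitimage_emit_section_config. The function body starts before this hunk.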
@@ -226,7 +226,7 @@ EOF
 	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
 		sed -i '$ d' ${1}
 		cat << EOF >> ${1}
-                        signature@1 {
+                        signature-1 {
                                 algo = "${dtb_csum},${dtb_sign_algo}";
                                 key-name-hint = "${dtb_sign_keyname}";
                         };
@@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
 	setup_csum="${FIT_HASH_ALG}"
 
 	cat << EOF >> ${1}
-                setup@${2} {
+                setup-${2} {
                         description = "Linux setup.bin";
                         data = /incbin/("${3}");
                         type = "x86_setup";
@@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
                         compression = "none";
                         load = <0x00090000>;
                         entry = <0x00090000>;
-                        hash@1 {
+                        hash-1 {
                                 algo = "${setup_csum}";
                         };
                 };
@@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
 	fi
 
 	cat << EOF >> ${1}
-                ramdisk@${2} {
+                ramdisk-${2} {
                         description = "${INITRAMFS_IMAGE}";
                         data = /incbin/("${3}");
                         type = "ramdisk";
@@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
                         compression = "none";
                         ${ramdisk_loadline}
                         ${ramdisk_entryline}
-                        hash@1 {
+                        hash-1 {
                                 algo = "${ramdisk_csum}";
                         };
                 };
@@ -339,7 +339,7 @@ EOF
 	if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
 		sed -i '$ d' ${1}
 		cat << EOF >> ${1}
-                        signature@1 {
+                        signature-1 {
                                 algo = "${ramdisk_csum},${ramdisk_sign_algo}";
                                 key-name-hint = "${ramdisk_sign_keyname}";
                         };
@@ -377,7 +377,7 @@ fitimage_emit_section_config() {
 	# Test if we have any DTBs at all
 	sep=""
 	conf_desc=""
-	conf_node="conf@"
+	conf_node="conf-"
 	kernel_line=""
 	fdt_line=""
 	ramdisk_line=""
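Review bot: Changing `conf_node` to `conf-` renames every configuration node this class emits, and the commit message does not say what happens to consumers that select a configuration by its old `conf@…` name. Boot commands or environment defaults that name the configuration explicitly, and any other class or script that parses the generated file, would presumably stop matching. None of them are visible in this patch, so this needs checking outside it. A sentence in the commit message calling out the new `conf-<id>` form as a user-visible change would cover it. fitimage_emit_section_config continues beyond this hunk.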
@@ -396,19 +396,19 @@ fitimage_emit_section_config() {
 	if [ -n "${kernel_id}" ]; then
 		conf_desc="Linux kernel"
 		sep=", "
-		kernel_line="kernel = \"kernel@${kernel_id}\";"
+		kernel_line="kernel = \"kernel-${kernel_id}\";"
 	fi
 
 	if [ -n "${dtb_image}" ]; then
 		conf_desc="${conf_desc}${sep}FDT blob"
 		sep=", "
-		fdt_line="fdt = \"fdt@${dtb_image}\";"
+		fdt_line="fdt = \"fdt-${dtb_image}\";"
 	fi
 
 	if [ -n "${ramdisk_id}" ]; then
 		conf_desc="${conf_desc}${sep}ramdisk"
 		sep=", "
-		ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
+		ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
 	fi
 
 	if [ -n "${bootscr_id}" ]; then
@@ -419,16 +419,16 @@ fitimage_emit_section_config() {
 
 	if [ -n "${config_id}" ]; then
 		conf_desc="${conf_desc}${sep}setup"
-		setup_line="setup = \"setup@${config_id}\";"
+		setup_line="setup = \"setup-${config_id}\";"
 	fi
 
 	if [ "${default_flag}" = "1" ]; then
 		# default node is selected based on dtb ID if it is present,
 		# otherwise its selected based on kernel ID
 		if [ -n "${dtb_image}" ]; then
-			default_line="default = \"conf@${dtb_image}\";"
+			default_line="default = \"conf-${dtb_image}\";"
 		else
-			default_line="default = \"conf@${kernel_id}\";"
+			default_line="default = \"conf-${kernel_id}\";"
 		fi
 	fi
 
@@ -441,7 +441,7 @@ fitimage_emit_section_config() {
 			${ramdisk_line}
 			${bootscr_line}
 			${setup_line}
-                        hash@1 {
+                        hash-1 {
                                 algo = "${conf_csum}";
                         };
 EOF
@@ -478,7 +478,7 @@ EOF
 		sign_line="${sign_line};"
 
 		cat << EOF >> ${its_file}
-                        signature@1 {
+                        signature-1 {
                                 algo = "${conf_csum},${conf_sign_algo}";
                                 key-name-hint = "${conf_sign_keyname}";
 				${sign_line}
-- 
2.25.1



* Re: [oe] [PATCH] [meta-oe] kernel-fitimage: Fix CVE-2021-27138
  2021-02-20 21:40 [PATCH] [meta-oe] kernel-fitimage: Fix CVE-2021-27138 Klaus Heinrich Kiwi
@ 2021-02-21 18:02 ` Scott Murray
  2021-02-21 19:13   ` Klaus Heinrich Kiwi
  0 siblings, 1 reply; 4+ messages in thread
From: Scott Murray @ 2021-02-21 18:02 UTC (permalink / raw)
  To: Klaus Heinrich Kiwi; +Cc: openembedded-devel

On Sat, 20 Feb 2021, Klaus Heinrich Kiwi wrote:

> Das U-Boot 2021.4-rc1 has the following commit:
>
>     commit 3f04db891a353f4b127ed57279279f851c6b4917
>     Author: Simon Glass <sjg@chromium.org>
>     Date:   Mon Feb 15 17:08:12 2021 -0700
>
>         image: Check for unit addresses in FITs
>
>         Using unit addresses in a FIT is a security risk. Add a check for
>         this and disallow it.
>
>         CVE-2021-27138
>
> Adjust the kernel-fitimage.bbclass accordingly to not use unit
> addresses. In addition to fixing a CVE, this is also required before we
> can bump U-Boot to 2021.4.
>
> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
[snip]

Please send this to the oe-core list since kernel-fitimage.bbclass is in
it, not meta-openembedded.  I would also perhaps be inclined to not
describe this change itself as "fixing a CVE", since it is the change in
U-Boot that actually does that IMO.

Thanks,

Scott


* Re: [oe] [PATCH] [meta-oe] kernel-fitimage: Fix CVE-2021-27138
  2021-02-21 18:02 ` [oe] " Scott Murray
@ 2021-02-21 19:13   ` Klaus Heinrich Kiwi
  2021-02-21 22:07     ` Scott Murray
  0 siblings, 1 reply; 4+ messages in thread
From: Klaus Heinrich Kiwi @ 2021-02-21 19:13 UTC (permalink / raw)
  To: Scott Murray; +Cc: openembedded-devel

>>          CVE-2021-27138
>>
>> Adjust the kernel-fitimage.bbclass accordingly to not use unit
>> addresses. In addition to fixing a CVE, this is also required before we
>> can bump U-Boot to 2021.4.
>>
>> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
> [snip]
> 
> Please send this to the oe-core list since kernel-fitimage.bbclass is in
> it, not meta-openembedded.  I would also perhaps be inclined to not

Thanks, for some reason I thought that -core was discussed here, but I have
read the README more carefully since then.

> describe this change itself as "fixing a CVE", since it is the change in
> U-Boot that actually does that IMO.
> 

Yeah I was unsure how to summarize that, since the CVE 'fix' in U-boot is
to really disallow unit addresses, and looks like it's not going to be
applied to released branches, but instead only on 2021.4 onwards. So I
opted to call out the CVE in the title, as it is, in practical terms,
addressing a CVE (if it's a workaround or a proper fix is debatable I
guess).

Thanks,

  -K

-- 
Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>


* Re: [oe] [PATCH] [meta-oe] kernel-fitimage: Fix CVE-2021-27138
  2021-02-21 19:13   ` Klaus Heinrich Kiwi
@ 2021-02-21 22:07     ` Scott Murray
  0 siblings, 0 replies; 4+ messages in thread
From: Scott Murray @ 2021-02-21 22:07 UTC (permalink / raw)
  To: Klaus Heinrich Kiwi; +Cc: openembedded-devel

On Sun, 21 Feb 2021, Klaus Heinrich Kiwi wrote:

> >>          CVE-2021-27138
> >>
> >> Adjust the kernel-fitimage.bbclass accordingly to not use unit
> >> addresses. In addition to fixing a CVE, this is also required before we
> >> can bump U-Boot to 2021.4.
> >>
> >> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
> > [snip]
> >
> > Please send this to the oe-core list since kernel-fitimage.bbclass is in
> > it, not meta-openembedded.  I would also perhaps be inclined to not
>
> Thanks, for some reason I thought that -core was discussed here, but I have
> read the README more carefully since then.
>
> > describe this change itself as "fixing a CVE", since it is the change in
> > U-Boot that actually does that IMO.
> >
>
> Yeah I was unsure how to summarize that, since the CVE 'fix' in U-boot is
> to really disallow unit addresses, and looks like it's not going to be
> applied to released branches, but instead only on 2021.4 onwards. So I
> opted to call out the CVE in the title, as it is, in practical terms,
> addressing a CVE (if it's a workaround or a proper fix is debatable I
> guess).

My concern is more about trying to avoid giving people the impression this
change somehow fixes the U-Boot vulnerability, as it is entirely possible
they might not be using kernel-fitimage.bbclass to generate their
fitimages.  I'd be okay with something along the lines of "In addition
to not generating fitimage configurations vulnerable to the CVE, this is
also required before we can bump U-Boot to 2021.4, which removes unit
address support to fix the CVE."

Thanks,

Scott

