* [PATCH] kernel-fitimage: Don't use unit addresses on FIT
@ 2021-02-21 19:22 Klaus Heinrich Kiwi
2021-02-22 8:24 ` [OE-core] " Richard Purdie
0 siblings, 1 reply; 7+ messages in thread
From: Klaus Heinrich Kiwi @ 2021-02-21 19:22 UTC (permalink / raw)
To: openembedded-core; +Cc: Klaus Heinrich Kiwi
Das U-Boot 2021.4-rc1 has the following commit:
commit 3f04db891a353f4b127ed57279279f851c6b4917
Author: Simon Glass <sjg@chromium.org>
Date: Mon Feb 15 17:08:12 2021 -0700
image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for
this and disallow it.
CVE-2021-27138
Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This changte is required before we can bump U-Boot to 2021.4.
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
---
meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++--------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 2414870817..f5082c93df 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
fi
cat << EOF >> ${1}
- kernel@${2} {
+ kernel-${2} {
description = "Linux kernel";
data = /incbin/("${3}");
type = "kernel";
@@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
compression = "${4}";
load = <${UBOOT_LOADADDRESS}>;
entry = <${ENTRYPOINT}>;
- hash@1 {
+ hash-1 {
algo = "${kernel_csum}";
};
};
@@ -179,7 +179,7 @@ EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${kernel_csum},${kernel_sign_algo}";
key-name-hint = "${kernel_sign_keyname}";
};
@@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
fi
cat << EOF >> ${1}
- fdt@${2} {
+ fdt-${2} {
description = "Flattened Device Tree blob";
data = /incbin/("${3}");
type = "flat_dt";
arch = "${UBOOT_ARCH}";
compression = "none";
${dtb_loadline}
- hash@1 {
+ hash-1 {
algo = "${dtb_csum}";
};
};
@@ -226,7 +226,7 @@ EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${dtb_csum},${dtb_sign_algo}";
key-name-hint = "${dtb_sign_keyname}";
};
@@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
setup_csum="${FIT_HASH_ALG}"
cat << EOF >> ${1}
- setup@${2} {
+ setup-${2} {
description = "Linux setup.bin";
data = /incbin/("${3}");
type = "x86_setup";
@@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
compression = "none";
load = <0x00090000>;
entry = <0x00090000>;
- hash@1 {
+ hash-1 {
algo = "${setup_csum}";
};
};
@@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
fi
cat << EOF >> ${1}
- ramdisk@${2} {
+ ramdisk-${2} {
description = "${INITRAMFS_IMAGE}";
data = /incbin/("${3}");
type = "ramdisk";
@@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
compression = "none";
${ramdisk_loadline}
${ramdisk_entryline}
- hash@1 {
+ hash-1 {
algo = "${ramdisk_csum}";
};
};
@@ -339,7 +339,7 @@ EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${ramdisk_csum},${ramdisk_sign_algo}";
key-name-hint = "${ramdisk_sign_keyname}";
};
@@ -377,7 +377,7 @@ fitimage_emit_section_config() {
# Test if we have any DTBs at all
sep=""
conf_desc=""
- conf_node="conf@"
+ conf_node="conf-"
kernel_line=""
fdt_line=""
ramdisk_line=""
@@ -396,19 +396,19 @@ fitimage_emit_section_config() {
if [ -n "${kernel_id}" ]; then
conf_desc="Linux kernel"
sep=", "
- kernel_line="kernel = \"kernel@${kernel_id}\";"
+ kernel_line="kernel = \"kernel-${kernel_id}\";"
fi
if [ -n "${dtb_image}" ]; then
conf_desc="${conf_desc}${sep}FDT blob"
sep=", "
- fdt_line="fdt = \"fdt@${dtb_image}\";"
+ fdt_line="fdt = \"fdt-${dtb_image}\";"
fi
if [ -n "${ramdisk_id}" ]; then
conf_desc="${conf_desc}${sep}ramdisk"
sep=", "
- ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
+ ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
fi
if [ -n "${bootscr_id}" ]; then
@@ -419,16 +419,16 @@ fitimage_emit_section_config() {
if [ -n "${config_id}" ]; then
conf_desc="${conf_desc}${sep}setup"
- setup_line="setup = \"setup@${config_id}\";"
+ setup_line="setup = \"setup-${config_id}\";"
fi
if [ "${default_flag}" = "1" ]; then
# default node is selected based on dtb ID if it is present,
# otherwise its selected based on kernel ID
if [ -n "${dtb_image}" ]; then
- default_line="default = \"conf@${dtb_image}\";"
+ default_line="default = \"conf-${dtb_image}\";"
else
- default_line="default = \"conf@${kernel_id}\";"
+ default_line="default = \"conf-${kernel_id}\";"
fi
fi
@@ -441,7 +441,7 @@ fitimage_emit_section_config() {
${ramdisk_line}
${bootscr_line}
${setup_line}
- hash@1 {
+ hash-1 {
algo = "${conf_csum}";
};
EOF
@@ -478,7 +478,7 @@ EOF
sign_line="${sign_line};"
cat << EOF >> ${its_file}
- signature@1 {
+ signature-1 {
algo = "${conf_csum},${conf_sign_algo}";
key-name-hint = "${conf_sign_keyname}";
${sign_line}
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH] kernel-fitimage: Don't use unit addresses on FIT
2021-02-21 19:22 [PATCH] kernel-fitimage: Don't use unit addresses on FIT Klaus Heinrich Kiwi
@ 2021-02-22 8:24 ` Richard Purdie
2021-02-22 18:38 ` [PATCH v2] " Klaus Heinrich Kiwi
2021-02-22 18:42 ` [OE-core] [PATCH] " Klaus Heinrich Kiwi
0 siblings, 2 replies; 7+ messages in thread
From: Richard Purdie @ 2021-02-22 8:24 UTC (permalink / raw)
To: Klaus Heinrich Kiwi, openembedded-core
On Sun, 2021-02-21 at 16:22 -0300, Klaus Heinrich Kiwi wrote:
> Das U-Boot 2021.4-rc1 has the following commit:
>
> commit 3f04db891a353f4b127ed57279279f851c6b4917
> Author: Simon Glass <sjg@chromium.org>
> Date: Mon Feb 15 17:08:12 2021 -0700
>
> image: Check for unit addresses in FITs
>
> Using unit addresses in a FIT is a security risk. Add a check for
> this and disallow it.
>
> CVE-2021-27138
>
> Adjust the kernel-fitimage.bbclass accordingly to not use unit
> addresses. This changte is required before we can bump U-Boot to 2021.4.
>
> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
> ---
> meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++++--------------
> 1 file changed, 20 insertions(+), 20 deletions(-)
This caused some tests to fail:
https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/1855/steps/15/logs/stdio
Do we need to update the tests as well?
Cheers,
Richard
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2] kernel-fitimage: Don't use unit addresses on FIT
2021-02-22 8:24 ` [OE-core] " Richard Purdie
@ 2021-02-22 18:38 ` Klaus Heinrich Kiwi
2021-05-31 14:59 ` [OE-core] " Frieder Schrempf
2021-02-22 18:42 ` [OE-core] [PATCH] " Klaus Heinrich Kiwi
1 sibling, 1 reply; 7+ messages in thread
From: Klaus Heinrich Kiwi @ 2021-02-22 18:38 UTC (permalink / raw)
To: openembedded-core; +Cc: Klaus Heinrich Kiwi
Das U-Boot 2021.4-rc1 has the following commit:
commit 3f04db891a353f4b127ed57279279f851c6b4917
Author: Simon Glass <sjg@chromium.org>
Date: Mon Feb 15 17:08:12 2021 -0700
image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for
this and disallow it.
CVE-2021-27138
Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This changte is required before we can bump U-Boot to 2021.4.
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
---
Notes:
V2 Notes:
- Adjusted testcases
(reported by Richard Purdie <richard.purdie@linuxfoundation.org>)
meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++------------
meta/lib/oeqa/selftest/cases/fitimage.py | 36 ++++++++++-----------
2 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 2414870817..f5082c93df 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
fi
cat << EOF >> ${1}
- kernel@${2} {
+ kernel-${2} {
description = "Linux kernel";
data = /incbin/("${3}");
type = "kernel";
@@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
compression = "${4}";
load = <${UBOOT_LOADADDRESS}>;
entry = <${ENTRYPOINT}>;
- hash@1 {
+ hash-1 {
algo = "${kernel_csum}";
};
};
@@ -179,7 +179,7 @@ EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${kernel_csum},${kernel_sign_algo}";
key-name-hint = "${kernel_sign_keyname}";
};
@@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
fi
cat << EOF >> ${1}
- fdt@${2} {
+ fdt-${2} {
description = "Flattened Device Tree blob";
data = /incbin/("${3}");
type = "flat_dt";
arch = "${UBOOT_ARCH}";
compression = "none";
${dtb_loadline}
- hash@1 {
+ hash-1 {
algo = "${dtb_csum}";
};
};
@@ -226,7 +226,7 @@ EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${dtb_csum},${dtb_sign_algo}";
key-name-hint = "${dtb_sign_keyname}";
};
@@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
setup_csum="${FIT_HASH_ALG}"
cat << EOF >> ${1}
- setup@${2} {
+ setup-${2} {
description = "Linux setup.bin";
data = /incbin/("${3}");
type = "x86_setup";
@@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
compression = "none";
load = <0x00090000>;
entry = <0x00090000>;
- hash@1 {
+ hash-1 {
algo = "${setup_csum}";
};
};
@@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
fi
cat << EOF >> ${1}
- ramdisk@${2} {
+ ramdisk-${2} {
description = "${INITRAMFS_IMAGE}";
data = /incbin/("${3}");
type = "ramdisk";
@@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
compression = "none";
${ramdisk_loadline}
${ramdisk_entryline}
- hash@1 {
+ hash-1 {
algo = "${ramdisk_csum}";
};
};
@@ -339,7 +339,7 @@ EOF
if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
sed -i '$ d' ${1}
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${ramdisk_csum},${ramdisk_sign_algo}";
key-name-hint = "${ramdisk_sign_keyname}";
};
@@ -377,7 +377,7 @@ fitimage_emit_section_config() {
# Test if we have any DTBs at all
sep=""
conf_desc=""
- conf_node="conf@"
+ conf_node="conf-"
kernel_line=""
fdt_line=""
ramdisk_line=""
@@ -396,19 +396,19 @@ fitimage_emit_section_config() {
if [ -n "${kernel_id}" ]; then
conf_desc="Linux kernel"
sep=", "
- kernel_line="kernel = \"kernel@${kernel_id}\";"
+ kernel_line="kernel = \"kernel-${kernel_id}\";"
fi
if [ -n "${dtb_image}" ]; then
conf_desc="${conf_desc}${sep}FDT blob"
sep=", "
- fdt_line="fdt = \"fdt@${dtb_image}\";"
+ fdt_line="fdt = \"fdt-${dtb_image}\";"
fi
if [ -n "${ramdisk_id}" ]; then
conf_desc="${conf_desc}${sep}ramdisk"
sep=", "
- ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
+ ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
fi
if [ -n "${bootscr_id}" ]; then
@@ -419,16 +419,16 @@ fitimage_emit_section_config() {
if [ -n "${config_id}" ]; then
conf_desc="${conf_desc}${sep}setup"
- setup_line="setup = \"setup@${config_id}\";"
+ setup_line="setup = \"setup-${config_id}\";"
fi
if [ "${default_flag}" = "1" ]; then
# default node is selected based on dtb ID if it is present,
# otherwise its selected based on kernel ID
if [ -n "${dtb_image}" ]; then
- default_line="default = \"conf@${dtb_image}\";"
+ default_line="default = \"conf-${dtb_image}\";"
else
- default_line="default = \"conf@${kernel_id}\";"
+ default_line="default = \"conf-${kernel_id}\";"
fi
fi
@@ -441,7 +441,7 @@ fitimage_emit_section_config() {
${ramdisk_line}
${bootscr_line}
${setup_line}
- hash@1 {
+ hash-1 {
algo = "${conf_csum}";
};
EOF
@@ -478,7 +478,7 @@ EOF
sign_line="${sign_line};"
cat << EOF >> ${its_file}
- signature@1 {
+ signature-1 {
algo = "${conf_csum},${conf_sign_algo}";
key-name-hint = "${conf_sign_keyname}";
${sign_line}
diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
index 0958036a6f..02692de822 100644
--- a/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -69,9 +69,9 @@ FIT_DESC = "A model description"
'type = "ramdisk";',
'load = <0x88000000>;',
'entry = <0x88000000>;',
- 'default = "conf@1";',
- 'kernel = "kernel@1";',
- 'ramdisk = "ramdisk@1";'
+ 'default = "conf-1";',
+ 'kernel = "kernel-1";',
+ 'ramdisk = "ramdisk-1";'
]
with open(fitimage_its_path) as its_file:
@@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
"%s FIT image doesn't exist" % (fitimage_path))
req_itspaths = [
- ['/', 'images', 'kernel@1'],
- ['/', 'images', 'kernel@1', 'signature@1'],
- ['/', 'images', 'fdt@am335x-boneblack.dtb'],
- ['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'],
- ['/', 'configurations', 'conf@am335x-boneblack.dtb'],
- ['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'],
+ ['/', 'images', 'kernel-1'],
+ ['/', 'images', 'kernel-1', 'signature-1'],
+ ['/', 'images', 'fdt-am335x-boneblack.dtb'],
+ ['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'],
+ ['/', 'configurations', 'conf-am335x-boneblack.dtb'],
+ ['/', 'configurations', 'conf-am335x-boneblack.dtb', 'signature-1'],
]
itspath = []
@@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
elif line.endswith('{'):
itspath.append(line[:-1].strip())
itspaths.append(itspath[:])
- elif itspath and itspath[-1] == 'signature@1':
+ elif itspath and itspath[-1] == 'signature-1':
itsdotpath = '.'.join(itspath)
if not itsdotpath in sigs:
sigs[itsdotpath] = {}
@@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
}
for itspath, values in sigs.items():
- if 'conf@' in itspath:
+ if 'conf-' in itspath:
reqsigvalues = reqsigvalues_config
else:
reqsigvalues = reqsigvalues_image
@@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
signed_sections[in_signed] = {}
key, value = line.split(':', 1)
signed_sections[in_signed][key.strip()] = value.strip()
- self.assertIn('kernel@1', signed_sections)
- self.assertIn('fdt@am335x-boneblack.dtb', signed_sections)
- self.assertIn('conf@am335x-boneblack.dtb', signed_sections)
+ self.assertIn('kernel-1', signed_sections)
+ self.assertIn('fdt-am335x-boneblack.dtb', signed_sections)
+ self.assertIn('conf-am335x-boneblack.dtb', signed_sections)
for signed_section, values in signed_sections.items():
value = values.get('Sign algo', None)
self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
@@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256"
its_lines = [line.strip() for line in its_file.readlines()]
exp_node_lines = [
- 'kernel@1 {',
+ 'kernel-1 {',
'description = "Linux kernel";',
'data = /incbin/("' + initramfs_bundle + '");',
'type = "kernel";',
@@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256"
'compression = "none";',
'load = <' + kernel_load + '>;',
'entry = <' + kernel_entry + '>;',
- 'hash@1 {',
+ 'hash-1 {',
'algo = "' + fit_hash_alg +'";',
'};',
'};'
@@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256"
else:
self.assertTrue(test_passed == True,"kernel node does not match expectation")
- rx_configs = re.compile("^conf@.*")
+ rx_configs = re.compile("^conf-.*")
its_configs = list(filter(rx_configs.match, its_lines))
for cfg_str in its_configs:
@@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256"
else:
print("kernel keyword found in the description line")
- if 'kernel = "kernel@1";' not in node:
+ if 'kernel = "kernel-1";' not in node:
self.assertTrue(test_passed == True,"kernel line not found")
break
else:
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH] kernel-fitimage: Don't use unit addresses on FIT
2021-02-22 8:24 ` [OE-core] " Richard Purdie
2021-02-22 18:38 ` [PATCH v2] " Klaus Heinrich Kiwi
@ 2021-02-22 18:42 ` Klaus Heinrich Kiwi
1 sibling, 0 replies; 7+ messages in thread
From: Klaus Heinrich Kiwi @ 2021-02-22 18:42 UTC (permalink / raw)
To: Richard Purdie, openembedded-core
>
> This caused some tests to fail:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/1855/steps/15/logs/stdio
>
> Do we need to update the tests as well?
Thanks, I missed that completely. Adjusted the testcases for V2 and, even if locally I'm
seeing a strange FAIL on the sign test with UBOOT_MKIMAGE_SIGN_ARGS not showing-up, I think
it is unrelated and perhaps something of my environment (tested on another environment
that succeeded).
Sent a V2.
-Klaus
--
Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH v2] kernel-fitimage: Don't use unit addresses on FIT
2021-02-22 18:38 ` [PATCH v2] " Klaus Heinrich Kiwi
@ 2021-05-31 14:59 ` Frieder Schrempf
2021-05-31 15:59 ` Steve Sakoman
0 siblings, 1 reply; 7+ messages in thread
From: Frieder Schrempf @ 2021-05-31 14:59 UTC (permalink / raw)
To: Steve Sakoman; +Cc: klaus, openembedded-core
Hi Steve,
On 22.02.21 19:38, Klaus Heinrich Kiwi via lists.openembedded.org wrote:
> Das U-Boot 2021.4-rc1 has the following commit:
>
> commit 3f04db891a353f4b127ed57279279f851c6b4917
> Author: Simon Glass <sjg@chromium.org>
> Date: Mon Feb 15 17:08:12 2021 -0700
>
> image: Check for unit addresses in FITs
>
> Using unit addresses in a FIT is a security risk. Add a check for
> this and disallow it.
>
> CVE-2021-27138
>
> Adjust the kernel-fitimage.bbclass accordingly to not use unit
> addresses. This changte is required before we can bump U-Boot to 2021.4.
>
> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Could you pick this and the follow-up patch 0ef3a5e2a6d4 ("kernel-fitimage.bbclass: drop unit addresses from bootscr sections") to the dunfell branch to fix FIT images on U-Boot 2021.01 or later with dunfell?
Thanks
Frieder
> ---
>
> Notes:
> V2 Notes:
> - Adjusted testcases
> (reported by Richard Purdie <richard.purdie@linuxfoundation.org>)
>
> meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++------------
> meta/lib/oeqa/selftest/cases/fitimage.py | 36 ++++++++++-----------
> 2 files changed, 38 insertions(+), 38 deletions(-)
>
> diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> index 2414870817..f5082c93df 100644
> --- a/meta/classes/kernel-fitimage.bbclass
> +++ b/meta/classes/kernel-fitimage.bbclass
> @@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
> fi
>
> cat << EOF >> ${1}
> - kernel@${2} {
> + kernel-${2} {
> description = "Linux kernel";
> data = /incbin/("${3}");
> type = "kernel";
> @@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
> compression = "${4}";
> load = <${UBOOT_LOADADDRESS}>;
> entry = <${ENTRYPOINT}>;
> - hash@1 {
> + hash-1 {
> algo = "${kernel_csum}";
> };
> };
> @@ -179,7 +179,7 @@ EOF
> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
> sed -i '$ d' ${1}
> cat << EOF >> ${1}
> - signature@1 {
> + signature-1 {
> algo = "${kernel_csum},${kernel_sign_algo}";
> key-name-hint = "${kernel_sign_keyname}";
> };
> @@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
> dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
> fi
> cat << EOF >> ${1}
> - fdt@${2} {
> + fdt-${2} {
> description = "Flattened Device Tree blob";
> data = /incbin/("${3}");
> type = "flat_dt";
> arch = "${UBOOT_ARCH}";
> compression = "none";
> ${dtb_loadline}
> - hash@1 {
> + hash-1 {
> algo = "${dtb_csum}";
> };
> };
> @@ -226,7 +226,7 @@ EOF
> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
> sed -i '$ d' ${1}
> cat << EOF >> ${1}
> - signature@1 {
> + signature-1 {
> algo = "${dtb_csum},${dtb_sign_algo}";
> key-name-hint = "${dtb_sign_keyname}";
> };
> @@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
> setup_csum="${FIT_HASH_ALG}"
>
> cat << EOF >> ${1}
> - setup@${2} {
> + setup-${2} {
> description = "Linux setup.bin";
> data = /incbin/("${3}");
> type = "x86_setup";
> @@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
> compression = "none";
> load = <0x00090000>;
> entry = <0x00090000>;
> - hash@1 {
> + hash-1 {
> algo = "${setup_csum}";
> };
> };
> @@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
> fi
>
> cat << EOF >> ${1}
> - ramdisk@${2} {
> + ramdisk-${2} {
> description = "${INITRAMFS_IMAGE}";
> data = /incbin/("${3}");
> type = "ramdisk";
> @@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
> compression = "none";
> ${ramdisk_loadline}
> ${ramdisk_entryline}
> - hash@1 {
> + hash-1 {
> algo = "${ramdisk_csum}";
> };
> };
> @@ -339,7 +339,7 @@ EOF
> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
> sed -i '$ d' ${1}
> cat << EOF >> ${1}
> - signature@1 {
> + signature-1 {
> algo = "${ramdisk_csum},${ramdisk_sign_algo}";
> key-name-hint = "${ramdisk_sign_keyname}";
> };
> @@ -377,7 +377,7 @@ fitimage_emit_section_config() {
> # Test if we have any DTBs at all
> sep=""
> conf_desc=""
> - conf_node="conf@"
> + conf_node="conf-"
> kernel_line=""
> fdt_line=""
> ramdisk_line=""
> @@ -396,19 +396,19 @@ fitimage_emit_section_config() {
> if [ -n "${kernel_id}" ]; then
> conf_desc="Linux kernel"
> sep=", "
> - kernel_line="kernel = \"kernel@${kernel_id}\";"
> + kernel_line="kernel = \"kernel-${kernel_id}\";"
> fi
>
> if [ -n "${dtb_image}" ]; then
> conf_desc="${conf_desc}${sep}FDT blob"
> sep=", "
> - fdt_line="fdt = \"fdt@${dtb_image}\";"
> + fdt_line="fdt = \"fdt-${dtb_image}\";"
> fi
>
> if [ -n "${ramdisk_id}" ]; then
> conf_desc="${conf_desc}${sep}ramdisk"
> sep=", "
> - ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
> + ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
> fi
>
> if [ -n "${bootscr_id}" ]; then
> @@ -419,16 +419,16 @@ fitimage_emit_section_config() {
>
> if [ -n "${config_id}" ]; then
> conf_desc="${conf_desc}${sep}setup"
> - setup_line="setup = \"setup@${config_id}\";"
> + setup_line="setup = \"setup-${config_id}\";"
> fi
>
> if [ "${default_flag}" = "1" ]; then
> # default node is selected based on dtb ID if it is present,
> # otherwise its selected based on kernel ID
> if [ -n "${dtb_image}" ]; then
> - default_line="default = \"conf@${dtb_image}\";"
> + default_line="default = \"conf-${dtb_image}\";"
> else
> - default_line="default = \"conf@${kernel_id}\";"
> + default_line="default = \"conf-${kernel_id}\";"
> fi
> fi
>
> @@ -441,7 +441,7 @@ fitimage_emit_section_config() {
> ${ramdisk_line}
> ${bootscr_line}
> ${setup_line}
> - hash@1 {
> + hash-1 {
> algo = "${conf_csum}";
> };
> EOF
> @@ -478,7 +478,7 @@ EOF
> sign_line="${sign_line};"
>
> cat << EOF >> ${its_file}
> - signature@1 {
> + signature-1 {
> algo = "${conf_csum},${conf_sign_algo}";
> key-name-hint = "${conf_sign_keyname}";
> ${sign_line}
> diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
> index 0958036a6f..02692de822 100644
> --- a/meta/lib/oeqa/selftest/cases/fitimage.py
> +++ b/meta/lib/oeqa/selftest/cases/fitimage.py
> @@ -69,9 +69,9 @@ FIT_DESC = "A model description"
> 'type = "ramdisk";',
> 'load = <0x88000000>;',
> 'entry = <0x88000000>;',
> - 'default = "conf@1";',
> - 'kernel = "kernel@1";',
> - 'ramdisk = "ramdisk@1";'
> + 'default = "conf-1";',
> + 'kernel = "kernel-1";',
> + 'ramdisk = "ramdisk-1";'
> ]
>
> with open(fitimage_its_path) as its_file:
> @@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
> "%s FIT image doesn't exist" % (fitimage_path))
>
> req_itspaths = [
> - ['/', 'images', 'kernel@1'],
> - ['/', 'images', 'kernel@1', 'signature@1'],
> - ['/', 'images', 'fdt@am335x-boneblack.dtb'],
> - ['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'],
> - ['/', 'configurations', 'conf@am335x-boneblack.dtb'],
> - ['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'],
> + ['/', 'images', 'kernel-1'],
> + ['/', 'images', 'kernel-1', 'signature-1'],
> + ['/', 'images', 'fdt-am335x-boneblack.dtb'],
> + ['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'],
> + ['/', 'configurations', 'conf-am335x-boneblack.dtb'],
> + ['/', 'configurations', 'conf-am335x-boneblack.dtb', 'signature-1'],
> ]
>
> itspath = []
> @@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
> elif line.endswith('{'):
> itspath.append(line[:-1].strip())
> itspaths.append(itspath[:])
> - elif itspath and itspath[-1] == 'signature@1':
> + elif itspath and itspath[-1] == 'signature-1':
> itsdotpath = '.'.join(itspath)
> if not itsdotpath in sigs:
> sigs[itsdotpath] = {}
> @@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
> }
>
> for itspath, values in sigs.items():
> - if 'conf@' in itspath:
> + if 'conf-' in itspath:
> reqsigvalues = reqsigvalues_config
> else:
> reqsigvalues = reqsigvalues_image
> @@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
> signed_sections[in_signed] = {}
> key, value = line.split(':', 1)
> signed_sections[in_signed][key.strip()] = value.strip()
> - self.assertIn('kernel@1', signed_sections)
> - self.assertIn('fdt@am335x-boneblack.dtb', signed_sections)
> - self.assertIn('conf@am335x-boneblack.dtb', signed_sections)
> + self.assertIn('kernel-1', signed_sections)
> + self.assertIn('fdt-am335x-boneblack.dtb', signed_sections)
> + self.assertIn('conf-am335x-boneblack.dtb', signed_sections)
> for signed_section, values in signed_sections.items():
> value = values.get('Sign algo', None)
> self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
> @@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256"
> its_lines = [line.strip() for line in its_file.readlines()]
>
> exp_node_lines = [
> - 'kernel@1 {',
> + 'kernel-1 {',
> 'description = "Linux kernel";',
> 'data = /incbin/("' + initramfs_bundle + '");',
> 'type = "kernel";',
> @@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256"
> 'compression = "none";',
> 'load = <' + kernel_load + '>;',
> 'entry = <' + kernel_entry + '>;',
> - 'hash@1 {',
> + 'hash-1 {',
> 'algo = "' + fit_hash_alg +'";',
> '};',
> '};'
> @@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256"
> else:
> self.assertTrue(test_passed == True,"kernel node does not match expectation")
>
> - rx_configs = re.compile("^conf@.*")
> + rx_configs = re.compile("^conf-.*")
> its_configs = list(filter(rx_configs.match, its_lines))
>
> for cfg_str in its_configs:
> @@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256"
> else:
> print("kernel keyword found in the description line")
>
> - if 'kernel = "kernel@1";' not in node:
> + if 'kernel = "kernel-1";' not in node:
> self.assertTrue(test_passed == True,"kernel line not found")
> break
> else:
>
>
>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH v2] kernel-fitimage: Don't use unit addresses on FIT
2021-05-31 14:59 ` [OE-core] " Frieder Schrempf
@ 2021-05-31 15:59 ` Steve Sakoman
2021-06-01 9:15 ` Frieder Schrempf
0 siblings, 1 reply; 7+ messages in thread
From: Steve Sakoman @ 2021-05-31 15:59 UTC (permalink / raw)
To: Frieder Schrempf; +Cc: klaus, Patches and discussions about the oe-core layer
On Mon, May 31, 2021 at 4:59 AM Frieder Schrempf
<frieder.schrempf@kontron.de> wrote:
>
> Hi Steve,
>
> On 22.02.21 19:38, Klaus Heinrich Kiwi via lists.openembedded.org wrote:
> > Das U-Boot 2021.4-rc1 has the following commit:
> >
> > commit 3f04db891a353f4b127ed57279279f851c6b4917
> > Author: Simon Glass <sjg@chromium.org>
> > Date: Mon Feb 15 17:08:12 2021 -0700
> >
> > image: Check for unit addresses in FITs
> >
> > Using unit addresses in a FIT is a security risk. Add a check for
> > this and disallow it.
> >
> > CVE-2021-27138
> >
> > Adjust the kernel-fitimage.bbclass accordingly to not use unit
> > addresses. This changte is required before we can bump U-Boot to 2021.4.
> >
> > Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
>
> Could you pick this and the follow-up patch 0ef3a5e2a6d4 ("kernel-fitimage.bbclass: drop unit addresses from bootscr sections") to the dunfell branch to fix FIT images on U-Boot 2021.01 or later with dunfell?
I can't do a clean cherry-pick of this patch. If you'd like to submit
dunfell versions of these two patches I will add them to my testing
queue.
Steve
>
> Thanks
> Frieder
>
> > ---
> >
> > Notes:
> > V2 Notes:
> > - Adjusted testcases
> > (reported by Richard Purdie <richard.purdie@linuxfoundation.org>)
> >
> > meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++------------
> > meta/lib/oeqa/selftest/cases/fitimage.py | 36 ++++++++++-----------
> > 2 files changed, 38 insertions(+), 38 deletions(-)
> >
> > diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> > index 2414870817..f5082c93df 100644
> > --- a/meta/classes/kernel-fitimage.bbclass
> > +++ b/meta/classes/kernel-fitimage.bbclass
> > @@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
> > fi
> >
> > cat << EOF >> ${1}
> > - kernel@${2} {
> > + kernel-${2} {
> > description = "Linux kernel";
> > data = /incbin/("${3}");
> > type = "kernel";
> > @@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
> > compression = "${4}";
> > load = <${UBOOT_LOADADDRESS}>;
> > entry = <${ENTRYPOINT}>;
> > - hash@1 {
> > + hash-1 {
> > algo = "${kernel_csum}";
> > };
> > };
> > @@ -179,7 +179,7 @@ EOF
> > if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
> > sed -i '$ d' ${1}
> > cat << EOF >> ${1}
> > - signature@1 {
> > + signature-1 {
> > algo = "${kernel_csum},${kernel_sign_algo}";
> > key-name-hint = "${kernel_sign_keyname}";
> > };
> > @@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
> > dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
> > fi
> > cat << EOF >> ${1}
> > - fdt@${2} {
> > + fdt-${2} {
> > description = "Flattened Device Tree blob";
> > data = /incbin/("${3}");
> > type = "flat_dt";
> > arch = "${UBOOT_ARCH}";
> > compression = "none";
> > ${dtb_loadline}
> > - hash@1 {
> > + hash-1 {
> > algo = "${dtb_csum}";
> > };
> > };
> > @@ -226,7 +226,7 @@ EOF
> > if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
> > sed -i '$ d' ${1}
> > cat << EOF >> ${1}
> > - signature@1 {
> > + signature-1 {
> > algo = "${dtb_csum},${dtb_sign_algo}";
> > key-name-hint = "${dtb_sign_keyname}";
> > };
> > @@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
> > setup_csum="${FIT_HASH_ALG}"
> >
> > cat << EOF >> ${1}
> > - setup@${2} {
> > + setup-${2} {
> > description = "Linux setup.bin";
> > data = /incbin/("${3}");
> > type = "x86_setup";
> > @@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
> > compression = "none";
> > load = <0x00090000>;
> > entry = <0x00090000>;
> > - hash@1 {
> > + hash-1 {
> > algo = "${setup_csum}";
> > };
> > };
> > @@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
> > fi
> >
> > cat << EOF >> ${1}
> > - ramdisk@${2} {
> > + ramdisk-${2} {
> > description = "${INITRAMFS_IMAGE}";
> > data = /incbin/("${3}");
> > type = "ramdisk";
> > @@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
> > compression = "none";
> > ${ramdisk_loadline}
> > ${ramdisk_entryline}
> > - hash@1 {
> > + hash-1 {
> > algo = "${ramdisk_csum}";
> > };
> > };
> > @@ -339,7 +339,7 @@ EOF
> > if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
> > sed -i '$ d' ${1}
> > cat << EOF >> ${1}
> > - signature@1 {
> > + signature-1 {
> > algo = "${ramdisk_csum},${ramdisk_sign_algo}";
> > key-name-hint = "${ramdisk_sign_keyname}";
> > };
> > @@ -377,7 +377,7 @@ fitimage_emit_section_config() {
> > # Test if we have any DTBs at all
> > sep=""
> > conf_desc=""
> > - conf_node="conf@"
> > + conf_node="conf-"
> > kernel_line=""
> > fdt_line=""
> > ramdisk_line=""
> > @@ -396,19 +396,19 @@ fitimage_emit_section_config() {
> > if [ -n "${kernel_id}" ]; then
> > conf_desc="Linux kernel"
> > sep=", "
> > - kernel_line="kernel = \"kernel@${kernel_id}\";"
> > + kernel_line="kernel = \"kernel-${kernel_id}\";"
> > fi
> >
> > if [ -n "${dtb_image}" ]; then
> > conf_desc="${conf_desc}${sep}FDT blob"
> > sep=", "
> > - fdt_line="fdt = \"fdt@${dtb_image}\";"
> > + fdt_line="fdt = \"fdt-${dtb_image}\";"
> > fi
> >
> > if [ -n "${ramdisk_id}" ]; then
> > conf_desc="${conf_desc}${sep}ramdisk"
> > sep=", "
> > - ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
> > + ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
> > fi
> >
> > if [ -n "${bootscr_id}" ]; then
> > @@ -419,16 +419,16 @@ fitimage_emit_section_config() {
> >
> > if [ -n "${config_id}" ]; then
> > conf_desc="${conf_desc}${sep}setup"
> > - setup_line="setup = \"setup@${config_id}\";"
> > + setup_line="setup = \"setup-${config_id}\";"
> > fi
> >
> > if [ "${default_flag}" = "1" ]; then
> > # default node is selected based on dtb ID if it is present,
> > # otherwise its selected based on kernel ID
> > if [ -n "${dtb_image}" ]; then
> > - default_line="default = \"conf@${dtb_image}\";"
> > + default_line="default = \"conf-${dtb_image}\";"
> > else
> > - default_line="default = \"conf@${kernel_id}\";"
> > + default_line="default = \"conf-${kernel_id}\";"
> > fi
> > fi
> >
> > @@ -441,7 +441,7 @@ fitimage_emit_section_config() {
> > ${ramdisk_line}
> > ${bootscr_line}
> > ${setup_line}
> > - hash@1 {
> > + hash-1 {
> > algo = "${conf_csum}";
> > };
> > EOF
> > @@ -478,7 +478,7 @@ EOF
> > sign_line="${sign_line};"
> >
> > cat << EOF >> ${its_file}
> > - signature@1 {
> > + signature-1 {
> > algo = "${conf_csum},${conf_sign_algo}";
> > key-name-hint = "${conf_sign_keyname}";
> > ${sign_line}
> > diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
> > index 0958036a6f..02692de822 100644
> > --- a/meta/lib/oeqa/selftest/cases/fitimage.py
> > +++ b/meta/lib/oeqa/selftest/cases/fitimage.py
> > @@ -69,9 +69,9 @@ FIT_DESC = "A model description"
> > 'type = "ramdisk";',
> > 'load = <0x88000000>;',
> > 'entry = <0x88000000>;',
> > - 'default = "conf@1";',
> > - 'kernel = "kernel@1";',
> > - 'ramdisk = "ramdisk@1";'
> > + 'default = "conf-1";',
> > + 'kernel = "kernel-1";',
> > + 'ramdisk = "ramdisk-1";'
> > ]
> >
> > with open(fitimage_its_path) as its_file:
> > @@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
> > "%s FIT image doesn't exist" % (fitimage_path))
> >
> > req_itspaths = [
> > - ['/', 'images', 'kernel@1'],
> > - ['/', 'images', 'kernel@1', 'signature@1'],
> > - ['/', 'images', 'fdt@am335x-boneblack.dtb'],
> > - ['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'],
> > - ['/', 'configurations', 'conf@am335x-boneblack.dtb'],
> > - ['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'],
> > + ['/', 'images', 'kernel-1'],
> > + ['/', 'images', 'kernel-1', 'signature-1'],
> > + ['/', 'images', 'fdt-am335x-boneblack.dtb'],
> > + ['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'],
> > + ['/', 'configurations', 'conf-am335x-boneblack.dtb'],
> > + ['/', 'configurations', 'conf-am335x-boneblack.dtb', 'signature-1'],
> > ]
> >
> > itspath = []
> > @@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
> > elif line.endswith('{'):
> > itspath.append(line[:-1].strip())
> > itspaths.append(itspath[:])
> > - elif itspath and itspath[-1] == 'signature@1':
> > + elif itspath and itspath[-1] == 'signature-1':
> > itsdotpath = '.'.join(itspath)
> > if not itsdotpath in sigs:
> > sigs[itsdotpath] = {}
> > @@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
> > }
> >
> > for itspath, values in sigs.items():
> > - if 'conf@' in itspath:
> > + if 'conf-' in itspath:
> > reqsigvalues = reqsigvalues_config
> > else:
> > reqsigvalues = reqsigvalues_image
> > @@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
> > signed_sections[in_signed] = {}
> > key, value = line.split(':', 1)
> > signed_sections[in_signed][key.strip()] = value.strip()
> > - self.assertIn('kernel@1', signed_sections)
> > - self.assertIn('fdt@am335x-boneblack.dtb', signed_sections)
> > - self.assertIn('conf@am335x-boneblack.dtb', signed_sections)
> > + self.assertIn('kernel-1', signed_sections)
> > + self.assertIn('fdt-am335x-boneblack.dtb', signed_sections)
> > + self.assertIn('conf-am335x-boneblack.dtb', signed_sections)
> > for signed_section, values in signed_sections.items():
> > value = values.get('Sign algo', None)
> > self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
> > @@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256"
> > its_lines = [line.strip() for line in its_file.readlines()]
> >
> > exp_node_lines = [
> > - 'kernel@1 {',
> > + 'kernel-1 {',
> > 'description = "Linux kernel";',
> > 'data = /incbin/("' + initramfs_bundle + '");',
> > 'type = "kernel";',
> > @@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256"
> > 'compression = "none";',
> > 'load = <' + kernel_load + '>;',
> > 'entry = <' + kernel_entry + '>;',
> > - 'hash@1 {',
> > + 'hash-1 {',
> > 'algo = "' + fit_hash_alg +'";',
> > '};',
> > '};'
> > @@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256"
> > else:
> > self.assertTrue(test_passed == True,"kernel node does not match expectation")
> >
> > - rx_configs = re.compile("^conf@.*")
> > + rx_configs = re.compile("^conf-.*")
> > its_configs = list(filter(rx_configs.match, its_lines))
> >
> > for cfg_str in its_configs:
> > @@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256"
> > else:
> > print("kernel keyword found in the description line")
> >
> > - if 'kernel = "kernel@1";' not in node:
> > + if 'kernel = "kernel-1";' not in node:
> > self.assertTrue(test_passed == True,"kernel line not found")
> > break
> > else:
> >
> >
> >
> >
> >
>
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [OE-core] [PATCH v2] kernel-fitimage: Don't use unit addresses on FIT
2021-05-31 15:59 ` Steve Sakoman
@ 2021-06-01 9:15 ` Frieder Schrempf
0 siblings, 0 replies; 7+ messages in thread
From: Frieder Schrempf @ 2021-06-01 9:15 UTC (permalink / raw)
To: Steve Sakoman; +Cc: klaus, Patches and discussions about the oe-core layer
On 31.05.21 17:59, Steve Sakoman wrote:
> On Mon, May 31, 2021 at 4:59 AM Frieder Schrempf
> <frieder.schrempf@kontron.de> wrote:
>>
>> Hi Steve,
>>
>> On 22.02.21 19:38, Klaus Heinrich Kiwi via lists.openembedded.org wrote:
>>> Das U-Boot 2021.4-rc1 has the following commit:
>>>
>>> commit 3f04db891a353f4b127ed57279279f851c6b4917
>>> Author: Simon Glass <sjg@chromium.org>
>>> Date: Mon Feb 15 17:08:12 2021 -0700
>>>
>>> image: Check for unit addresses in FITs
>>>
>>> Using unit addresses in a FIT is a security risk. Add a check for
>>> this and disallow it.
>>>
>>> CVE-2021-27138
>>>
>>> Adjust the kernel-fitimage.bbclass accordingly to not use unit
>>> addresses. This changte is required before we can bump U-Boot to 2021.4.
>>>
>>> Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
>>
>> Could you pick this and the follow-up patch 0ef3a5e2a6d4 ("kernel-fitimage.bbclass: drop unit addresses from bootscr sections") to the dunfell branch to fix FIT images on U-Boot 2021.01 or later with dunfell?
>
> I can't do a clean cherry-pick of this patch. If you'd like to submit
> dunfell versions of these two patches I will add them to my testing
> queue.
Sorry, I should have looked at this more closely. I just sent a backport patch for dunfell. The second patch covers code that is not available in dunfell, so it's not needed anyway.
>
> Steve
>
>>
>> Thanks
>> Frieder
>>
>>> ---
>>>
>>> Notes:
>>> V2 Notes:
>>> - Adjusted testcases
>>> (reported by Richard Purdie <richard.purdie@linuxfoundation.org>)
>>>
>>> meta/classes/kernel-fitimage.bbclass | 40 ++++++++++++------------
>>> meta/lib/oeqa/selftest/cases/fitimage.py | 36 ++++++++++-----------
>>> 2 files changed, 38 insertions(+), 38 deletions(-)
>>>
>>> diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
>>> index 2414870817..f5082c93df 100644
>>> --- a/meta/classes/kernel-fitimage.bbclass
>>> +++ b/meta/classes/kernel-fitimage.bbclass
>>> @@ -161,7 +161,7 @@ fitimage_emit_section_kernel() {
>>> fi
>>>
>>> cat << EOF >> ${1}
>>> - kernel@${2} {
>>> + kernel-${2} {
>>> description = "Linux kernel";
>>> data = /incbin/("${3}");
>>> type = "kernel";
>>> @@ -170,7 +170,7 @@ fitimage_emit_section_kernel() {
>>> compression = "${4}";
>>> load = <${UBOOT_LOADADDRESS}>;
>>> entry = <${ENTRYPOINT}>;
>>> - hash@1 {
>>> + hash-1 {
>>> algo = "${kernel_csum}";
>>> };
>>> };
>>> @@ -179,7 +179,7 @@ EOF
>>> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${kernel_sign_keyname}" ] ; then
>>> sed -i '$ d' ${1}
>>> cat << EOF >> ${1}
>>> - signature@1 {
>>> + signature-1 {
>>> algo = "${kernel_csum},${kernel_sign_algo}";
>>> key-name-hint = "${kernel_sign_keyname}";
>>> };
>>> @@ -210,14 +210,14 @@ fitimage_emit_section_dtb() {
>>> dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
>>> fi
>>> cat << EOF >> ${1}
>>> - fdt@${2} {
>>> + fdt-${2} {
>>> description = "Flattened Device Tree blob";
>>> data = /incbin/("${3}");
>>> type = "flat_dt";
>>> arch = "${UBOOT_ARCH}";
>>> compression = "none";
>>> ${dtb_loadline}
>>> - hash@1 {
>>> + hash-1 {
>>> algo = "${dtb_csum}";
>>> };
>>> };
>>> @@ -226,7 +226,7 @@ EOF
>>> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${dtb_sign_keyname}" ] ; then
>>> sed -i '$ d' ${1}
>>> cat << EOF >> ${1}
>>> - signature@1 {
>>> + signature-1 {
>>> algo = "${dtb_csum},${dtb_sign_algo}";
>>> key-name-hint = "${dtb_sign_keyname}";
>>> };
>>> @@ -283,7 +283,7 @@ fitimage_emit_section_setup() {
>>> setup_csum="${FIT_HASH_ALG}"
>>>
>>> cat << EOF >> ${1}
>>> - setup@${2} {
>>> + setup-${2} {
>>> description = "Linux setup.bin";
>>> data = /incbin/("${3}");
>>> type = "x86_setup";
>>> @@ -292,7 +292,7 @@ fitimage_emit_section_setup() {
>>> compression = "none";
>>> load = <0x00090000>;
>>> entry = <0x00090000>;
>>> - hash@1 {
>>> + hash-1 {
>>> algo = "${setup_csum}";
>>> };
>>> };
>>> @@ -321,7 +321,7 @@ fitimage_emit_section_ramdisk() {
>>> fi
>>>
>>> cat << EOF >> ${1}
>>> - ramdisk@${2} {
>>> + ramdisk-${2} {
>>> description = "${INITRAMFS_IMAGE}";
>>> data = /incbin/("${3}");
>>> type = "ramdisk";
>>> @@ -330,7 +330,7 @@ fitimage_emit_section_ramdisk() {
>>> compression = "none";
>>> ${ramdisk_loadline}
>>> ${ramdisk_entryline}
>>> - hash@1 {
>>> + hash-1 {
>>> algo = "${ramdisk_csum}";
>>> };
>>> };
>>> @@ -339,7 +339,7 @@ EOF
>>> if [ "${UBOOT_SIGN_ENABLE}" = "1" -a "${FIT_SIGN_INDIVIDUAL}" = "1" -a -n "${ramdisk_sign_keyname}" ] ; then
>>> sed -i '$ d' ${1}
>>> cat << EOF >> ${1}
>>> - signature@1 {
>>> + signature-1 {
>>> algo = "${ramdisk_csum},${ramdisk_sign_algo}";
>>> key-name-hint = "${ramdisk_sign_keyname}";
>>> };
>>> @@ -377,7 +377,7 @@ fitimage_emit_section_config() {
>>> # Test if we have any DTBs at all
>>> sep=""
>>> conf_desc=""
>>> - conf_node="conf@"
>>> + conf_node="conf-"
>>> kernel_line=""
>>> fdt_line=""
>>> ramdisk_line=""
>>> @@ -396,19 +396,19 @@ fitimage_emit_section_config() {
>>> if [ -n "${kernel_id}" ]; then
>>> conf_desc="Linux kernel"
>>> sep=", "
>>> - kernel_line="kernel = \"kernel@${kernel_id}\";"
>>> + kernel_line="kernel = \"kernel-${kernel_id}\";"
>>> fi
>>>
>>> if [ -n "${dtb_image}" ]; then
>>> conf_desc="${conf_desc}${sep}FDT blob"
>>> sep=", "
>>> - fdt_line="fdt = \"fdt@${dtb_image}\";"
>>> + fdt_line="fdt = \"fdt-${dtb_image}\";"
>>> fi
>>>
>>> if [ -n "${ramdisk_id}" ]; then
>>> conf_desc="${conf_desc}${sep}ramdisk"
>>> sep=", "
>>> - ramdisk_line="ramdisk = \"ramdisk@${ramdisk_id}\";"
>>> + ramdisk_line="ramdisk = \"ramdisk-${ramdisk_id}\";"
>>> fi
>>>
>>> if [ -n "${bootscr_id}" ]; then
>>> @@ -419,16 +419,16 @@ fitimage_emit_section_config() {
>>>
>>> if [ -n "${config_id}" ]; then
>>> conf_desc="${conf_desc}${sep}setup"
>>> - setup_line="setup = \"setup@${config_id}\";"
>>> + setup_line="setup = \"setup-${config_id}\";"
>>> fi
>>>
>>> if [ "${default_flag}" = "1" ]; then
>>> # default node is selected based on dtb ID if it is present,
>>> # otherwise its selected based on kernel ID
>>> if [ -n "${dtb_image}" ]; then
>>> - default_line="default = \"conf@${dtb_image}\";"
>>> + default_line="default = \"conf-${dtb_image}\";"
>>> else
>>> - default_line="default = \"conf@${kernel_id}\";"
>>> + default_line="default = \"conf-${kernel_id}\";"
>>> fi
>>> fi
>>>
>>> @@ -441,7 +441,7 @@ fitimage_emit_section_config() {
>>> ${ramdisk_line}
>>> ${bootscr_line}
>>> ${setup_line}
>>> - hash@1 {
>>> + hash-1 {
>>> algo = "${conf_csum}";
>>> };
>>> EOF
>>> @@ -478,7 +478,7 @@ EOF
>>> sign_line="${sign_line};"
>>>
>>> cat << EOF >> ${its_file}
>>> - signature@1 {
>>> + signature-1 {
>>> algo = "${conf_csum},${conf_sign_algo}";
>>> key-name-hint = "${conf_sign_keyname}";
>>> ${sign_line}
>>> diff --git a/meta/lib/oeqa/selftest/cases/fitimage.py b/meta/lib/oeqa/selftest/cases/fitimage.py
>>> index 0958036a6f..02692de822 100644
>>> --- a/meta/lib/oeqa/selftest/cases/fitimage.py
>>> +++ b/meta/lib/oeqa/selftest/cases/fitimage.py
>>> @@ -69,9 +69,9 @@ FIT_DESC = "A model description"
>>> 'type = "ramdisk";',
>>> 'load = <0x88000000>;',
>>> 'entry = <0x88000000>;',
>>> - 'default = "conf@1";',
>>> - 'kernel = "kernel@1";',
>>> - 'ramdisk = "ramdisk@1";'
>>> + 'default = "conf-1";',
>>> + 'kernel = "kernel-1";',
>>> + 'ramdisk = "ramdisk-1";'
>>> ]
>>>
>>> with open(fitimage_its_path) as its_file:
>>> @@ -137,12 +137,12 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
>>> "%s FIT image doesn't exist" % (fitimage_path))
>>>
>>> req_itspaths = [
>>> - ['/', 'images', 'kernel@1'],
>>> - ['/', 'images', 'kernel@1', 'signature@1'],
>>> - ['/', 'images', 'fdt@am335x-boneblack.dtb'],
>>> - ['/', 'images', 'fdt@am335x-boneblack.dtb', 'signature@1'],
>>> - ['/', 'configurations', 'conf@am335x-boneblack.dtb'],
>>> - ['/', 'configurations', 'conf@am335x-boneblack.dtb', 'signature@1'],
>>> + ['/', 'images', 'kernel-1'],
>>> + ['/', 'images', 'kernel-1', 'signature-1'],
>>> + ['/', 'images', 'fdt-am335x-boneblack.dtb'],
>>> + ['/', 'images', 'fdt-am335x-boneblack.dtb', 'signature-1'],
>>> + ['/', 'configurations', 'conf-am335x-boneblack.dtb'],
>>> + ['/', 'configurations', 'conf-am335x-boneblack.dtb', 'signature-1'],
>>> ]
>>>
>>> itspath = []
>>> @@ -158,7 +158,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
>>> elif line.endswith('{'):
>>> itspath.append(line[:-1].strip())
>>> itspaths.append(itspath[:])
>>> - elif itspath and itspath[-1] == 'signature@1':
>>> + elif itspath and itspath[-1] == 'signature-1':
>>> itsdotpath = '.'.join(itspath)
>>> if not itsdotpath in sigs:
>>> sigs[itsdotpath] = {}
>>> @@ -182,7 +182,7 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
>>> }
>>>
>>> for itspath, values in sigs.items():
>>> - if 'conf@' in itspath:
>>> + if 'conf-' in itspath:
>>> reqsigvalues = reqsigvalues_config
>>> else:
>>> reqsigvalues = reqsigvalues_image
>>> @@ -210,9 +210,9 @@ UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
>>> signed_sections[in_signed] = {}
>>> key, value = line.split(':', 1)
>>> signed_sections[in_signed][key.strip()] = value.strip()
>>> - self.assertIn('kernel@1', signed_sections)
>>> - self.assertIn('fdt@am335x-boneblack.dtb', signed_sections)
>>> - self.assertIn('conf@am335x-boneblack.dtb', signed_sections)
>>> + self.assertIn('kernel-1', signed_sections)
>>> + self.assertIn('fdt-am335x-boneblack.dtb', signed_sections)
>>> + self.assertIn('conf-am335x-boneblack.dtb', signed_sections)
>>> for signed_section, values in signed_sections.items():
>>> value = values.get('Sign algo', None)
>>> self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
>>> @@ -298,7 +298,7 @@ FIT_HASH_ALG = "sha256"
>>> its_lines = [line.strip() for line in its_file.readlines()]
>>>
>>> exp_node_lines = [
>>> - 'kernel@1 {',
>>> + 'kernel-1 {',
>>> 'description = "Linux kernel";',
>>> 'data = /incbin/("' + initramfs_bundle + '");',
>>> 'type = "kernel";',
>>> @@ -307,7 +307,7 @@ FIT_HASH_ALG = "sha256"
>>> 'compression = "none";',
>>> 'load = <' + kernel_load + '>;',
>>> 'entry = <' + kernel_entry + '>;',
>>> - 'hash@1 {',
>>> + 'hash-1 {',
>>> 'algo = "' + fit_hash_alg +'";',
>>> '};',
>>> '};'
>>> @@ -327,7 +327,7 @@ FIT_HASH_ALG = "sha256"
>>> else:
>>> self.assertTrue(test_passed == True,"kernel node does not match expectation")
>>>
>>> - rx_configs = re.compile("^conf@.*")
>>> + rx_configs = re.compile("^conf-.*")
>>> its_configs = list(filter(rx_configs.match, its_lines))
>>>
>>> for cfg_str in its_configs:
>>> @@ -348,7 +348,7 @@ FIT_HASH_ALG = "sha256"
>>> else:
>>> print("kernel keyword found in the description line")
>>>
>>> - if 'kernel = "kernel@1";' not in node:
>>> + if 'kernel = "kernel-1";' not in node:
>>> self.assertTrue(test_passed == True,"kernel line not found")
>>> break
>>> else:
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-06-01 9:15 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-21 19:22 [PATCH] kernel-fitimage: Don't use unit addresses on FIT Klaus Heinrich Kiwi
2021-02-22 8:24 ` [OE-core] " Richard Purdie
2021-02-22 18:38 ` [PATCH v2] " Klaus Heinrich Kiwi
2021-05-31 14:59 ` [OE-core] " Frieder Schrempf
2021-05-31 15:59 ` Steve Sakoman
2021-06-01 9:15 ` Frieder Schrempf
2021-02-22 18:42 ` [OE-core] [PATCH] " Klaus Heinrich Kiwi
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.