From 6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01 Mon Sep 17 00:00:00 2001
From: Simon Glass <sjg@chromium.org>
Date: Mon, 15 Feb 2021 17:08:10 -0700
Subject: [PATCH] image: Add an option to do a full check of the FIT
Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.
Enable this by default if signature verification is enabled.
CVE-2021-27097
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
---
Kconfig | 19 +++++++++++++++++++
common/image-fit.c | 18 +++++++++++++++++-
2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/Kconfig b/Kconfig
index 8f3fba08..11b480f6 100644
--- a/Kconfig
+++ b/Kconfig
@@ -365,6 +365,15 @@ config FIT_ENABLE_SHA256_SUPPORT
SHA256 variant is supported: SHA512 and others are not currently
supported in U-Boot.
+config FIT_FULL_CHECK
+ bool "Do a full check of the FIT before using it"
+ default y
+ help
+ Enable this do a full check of the FIT to make sure it is valid. This
+ helps to protect against carefully crafted FITs which take advantage
+ of bugs or omissions in the code. This includes a bad structure,
+ multiple root nodes and the like.
+
config FIT_SIGNATURE
bool "Enable signature verification of FIT uImages"
depends on DM
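Review bot: The help text of the new FIT_FULL_CHECK option reads `Enable this do a full check of the FIT`; it should be `Enable this to do a full check of the FIT to make sure it is valid.` The same sentence is repeated verbatim in the SPL_FIT_FULL_CHECK help added by the hunk at `@@ -455,6 +465,14 @@`. SPL_FIT_FULL_CHECK also carries no `default y` while FIT_FULL_CHECK does; if the SPL variant is intentionally off unless pulled in by `select SPL_FIT_FULL_CHECK` (presumably for SPL size reasons), a short help sentence saying so would stop readers from taking the asymmetry for an oversight.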
@@ -372,6 +381,7 @@ config FIT_SIGNATURE
select RSA
select RSA_VERIFY
select IMAGE_SIGN_INFO
+ select FIT_FULL_CHECK
help
This option enables signature verification of FIT uImages,
using a hash signed and verified using RSA. If
@@ -455,6 +465,14 @@ config SPL_FIT_PRINT
help
Support printing the content of the fitImage in a verbose manner in SPL.
+config SPL_FIT_FULL_CHECK
+ bool "Do a full check of the FIT before using it"
+ help
+ Enable this do a full check of the FIT to make sure it is valid. This
+ helps to protect against carefully crafted FITs which take advantage
+ of bugs or omissions in the code. This includes a bad structure,
+ multiple root nodes and the like.
+
config SPL_FIT_SIGNATURE
bool "Enable signature verification of FIT firmware within SPL"
depends on SPL_DM
@@ -462,6 +480,7 @@ config SPL_FIT_SIGNATURE
select SPL_RSA
select SPL_RSA_VERIFY
select SPL_IMAGE_SIGN_INFO
+ select SPL_FIT_FULL_CHECK
config SPL_LOAD_FIT
bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
diff --git a/common/image-fit.c b/common/image-fit.c
index 470321c5..e49baea7 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -17,7 +17,6 @@
#include <u-boot/crc.h>
#else
#include <linux/compiler.h>
-#include <linux/kconfig.h>
#include <common.h>
#include <errno.h>
#include <log.h>
@@ -29,6 +28,7 @@ DECLARE_GLOBAL_DATA_PTR;
#include <bootm.h>
#include <image.h>
+#include <linux/kconfig.h>
#include <bootstage.h>
#include <u-boot/crc.h>
#include <u-boot/md5.h>
@@ -1547,6 +1547,22 @@ int fit_check_format(const void *fit, ulong size)
return -ENOEXEC;
}
+ if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
+ /*
+ * If we are not given the size, make do wtih calculating it.
+ * This is not as secure, so we should consider a flag to
+ * control this.
+ */
+ if (size == IMAGE_SIZE_INVAL)
+ size = fdt_totalsize(fit);
+ ret = fdt_check_full(fit, size);
+
+ if (ret) {
+ log_debug("FIT check error %d\n", ret);
+ return -EINVAL;
+ }
+ }
+
/* mandatory / node 'description' property */
if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
log_debug("Wrong FIT format: no description\n");
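Review bot: The comment in the new FIT_FULL_CHECK block has a typo, `wtih`; it should read `If we are not given the size, make do with calculating it.` The more important point for callers is that when size is IMAGE_SIZE_INVAL the bound handed to fdt_check_full() is fdt_totalsize(fit), a value read from the very header under inspection, so in that mode the check cannot notice a FIT whose declared size exceeds the buffer it actually occupies; the comment hints at this but does not say it, and a sentence such as `Callers that know the buffer size must pass it; this fallback trusts the header's own totalsize.` would make the limitation explicit. `ret` is assigned without a declaration in the hunk, so it presumably comes from the part of fit_check_format() above. fit_check_format() starts and ends outside this hunk.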
--
2.23.0