| From 6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01 Mon Sep 17 00:00:00 2001 |
| From: Simon Glass <sjg@chromium.org> |
| Date: Mon, 15 Feb 2021 17:08:10 -0700 |
| Subject: [PATCH] image: Add an option to do a full check of the FIT |
| |
| Some strange modifications of the FIT can introduce security risks. Add an |
| option to check it thoroughly, using libfdt's fdt_check_full() function. |
| |
| Enable this by default if signature verification is enabled. |
| |
| CVE-2021-27097 |
| |
| Signed-off-by: Simon Glass <sjg@chromium.org> |
| Reported-by: Bruce Monroe <bruce.monroe@intel.com> |
| Reported-by: Arie Haenel <arie.haenel@intel.com> |
| Reported-by: Julien Lenoir <julien.lenoir@intel.com> |
| |
| CVE: CVE-2021-27097 |
| Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01] |
| Signed-off-by: Scott Murray <scott.murray@konsulko.com> |
| |
| --- |
| common/Kconfig.boot | 20 ++++++++++++++++++++ |
| common/image-fit.c | 16 ++++++++++++++++ |
| 2 files changed, 36 insertions(+) |
| |
| diff --git a/common/Kconfig.boot b/common/Kconfig.boot |
| index 5eaabdfc27..7532e55edb 100644 |
| --- a/common/Kconfig.boot |
| +++ b/common/Kconfig.boot |
| @@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT |
| SHA512 checksum is a 512-bit (64-byte) hash value used to check that |
| the image contents have not been corrupted. |
| |
| +config FIT_FULL_CHECK |
| + bool "Do a full check of the FIT before using it" |
| + default y |
| + help |
| + Enable this do a full check of the FIT to make sure it is valid. This |
| + helps to protect against carefully crafted FITs which take advantage |
| + of bugs or omissions in the code. This includes a bad structure, |
| + multiple root nodes and the like. |
| + |
| config FIT_SIGNATURE |
| bool "Enable signature verification of FIT uImages" |
| depends on DM |
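Review bot: The help text of the new FIT_FULL_CHECK entry reads "Enable this do a full check of the FIT", which is missing a word; it should be `Enable this to do a full check of the FIT to make sure it is valid.` The rest of the wording is fine, but since this option is now the documented defence against crafted FITs it is worth also telling the reader what it costs, for example adding `Note that this walks the whole FIT once before it is used, which adds a small amount of boot time.` so boards that turn it off know what they are trading away. The `default y` here only applies to the main U-Boot option; the SPL variant further down has no default and is only pulled in via SPL_FIT_SIGNATURE, which the help text could mention so the asymmetry is deliberate rather than surprising.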
| @@ -70,6 +79,7 @@ config FIT_SIGNATURE |
| select RSA |
| select RSA_VERIFY |
| select IMAGE_SIGN_INFO |
| + select FIT_FULL_CHECK |
| help |
| This option enables signature verification of FIT uImages, |
| using a hash signed and verified using RSA. If |
| @@ -159,6 +169,15 @@ config SPL_FIT_PRINT |
| help |
| Support printing the content of the fitImage in a verbose manner in SPL. |
| |
| +config SPL_FIT_FULL_CHECK |
| + bool "Do a full check of the FIT before using it" |
| + help |
| + Enable this do a full check of the FIT to make sure it is valid. This |
| + helps to protect against carefully crafted FITs which take advantage |
| + of bugs or omissions in the code. This includes a bad structure, |
| + multiple root nodes and the like. |
| + |
| + |
| config SPL_FIT_SIGNATURE |
| bool "Enable signature verification of FIT firmware within SPL" |
| depends on SPL_DM |
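Review bot: The SPL_FIT_FULL_CHECK help text carries the same missing word as the non-SPL entry, "Enable this do a full check"; it should read `Enable this to do a full check of the FIT to make sure it is valid.` The hunk also adds two consecutive blank lines before `config SPL_FIT_SIGNATURE`, whereas the surrounding entries in this file are separated by a single blank line, so one of them should go. Unlike FIT_FULL_CHECK this entry has no `default y`, presumably to keep SPL small; a one-line comment in the help such as `This is selected automatically when SPL_FIT_SIGNATURE is enabled.` would make that dependency visible to someone reading the option on its own.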
| @@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE |
| select SPL_RSA |
| select SPL_RSA_VERIFY |
| select SPL_IMAGE_SIGN_INFO |
| + select SPL_FIT_FULL_CHECK |
| |
| config SPL_LOAD_FIT |
| bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)" |
| diff --git a/common/image-fit.c b/common/image-fit.c |
| index f6c0428a96..bcf395f6a1 100644 |
| --- a/common/image-fit.c |
| +++ b/common/image-fit.c |
| @@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size) |
| return -ENOEXEC; |
| } |
| |
| + if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) { |
| + /* |
| + * If we are not given the size, make do wtih calculating it. |
| + * This is not as secure, so we should consider a flag to |
| + * control this. |
| + */ |
| + if (size == IMAGE_SIZE_INVAL) |
| + size = fdt_totalsize(fit); |
| + ret = fdt_check_full(fit, size); |
| + |
| + if (ret) { |
| + log_debug("FIT check error %d\n", ret); |
| + return -EINVAL; |
| + } |
| + } |
| + |
| /* mandatory / node 'description' property */ |
| if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) { |
| log_debug("Wrong FIT format: no description\n"); |
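Review bot: When the caller passes IMAGE_SIZE_INVAL, the fallback `size = fdt_totalsize(fit)` takes the buffer size from the header of the very image that is about to be validated, so the bound handed to fdt_check_full() is attacker-controlled and the call can only confirm that the FIT is self-consistent, not that the backing buffer actually holds `totalsize` bytes. The comment already concedes this is "not as secure"; the practical follow-up is that every caller on the verified-boot path (SPL FIT loading, signature verification) must pass the real buffer length, and the fallback should at least be visible, e.g. `log_debug("FIT size unknown, trusting header totalsize %u\n", fdt_totalsize(fit));` before the check. The comment text also has a typo, `wtih` should be `with`, and it would be clearer as `/* No buffer size given: fall back to the size claimed by the FIT header. This cannot detect a FIT that overruns its buffer, so secure callers must supply the real size. */`. A failed full check is a security-relevant rejection yet is only reported at debug level; since this function does not own the log policy that may be intentional, but `log_err` would make a refused boot diagnosable in the field. fit_check_format() starts before this hunk, so I am assuming `ret` is declared earlier in the function and that a header check has already run by the time the `-ENOEXEC` return at the top of the hunk is reached.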