Andrew Geissler95ac1b82021-03-31 14:34:31 -05001From 6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01 Mon Sep 17 00:00:00 2001
2From: Simon Glass <sjg@chromium.org>
3Date: Mon, 15 Feb 2021 17:08:10 -0700
4Subject: [PATCH] image: Add an option to do a full check of the FIT
5
6Some strange modifications of the FIT can introduce security risks. Add an
7option to check it thoroughly, using libfdt's fdt_check_full() function.
8
9Enable this by default if signature verification is enabled.
10
11CVE-2021-27097
12
13Signed-off-by: Simon Glass <sjg@chromium.org>
14Reported-by: Bruce Monroe <bruce.monroe@intel.com>
15Reported-by: Arie Haenel <arie.haenel@intel.com>
16Reported-by: Julien Lenoir <julien.lenoir@intel.com>
17
18CVE: CVE-2021-27097
19Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01]
20Signed-off-by: Scott Murray <scott.murray@konsulko.com>
21
22---
23 common/Kconfig.boot | 20 ++++++++++++++++++++
24 common/image-fit.c | 16 ++++++++++++++++
25 2 files changed, 36 insertions(+)
26
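--- a/common/Kconfig.boot
+++ b/common/Kconfig.boot
@@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT
 SHA512 checksum is a 512-bit (64-byte) hash value used to check that
 the image contents have not been corrupted.
 
+config FIT_FULL_CHECK
+ bool "Do a full check of the FIT before using it"
+ default y
+ help
+ Enable this do a full check of the FIT to make sure it is valid. This
+ helps to protect against carefully crafted FITs which take advantage
+ of bugs or omissions in the code. This includes a bad structure,
+ multiple root nodes and the like.
+
 config FIT_SIGNATURE
 bool "Enable signature verification of FIT uImages"
 depends on DM
@@ -70,6 +79,7 @@ config FIT_SIGNATURE
 select RSA
 select RSA_VERIFY
 select IMAGE_SIGN_INFO
+ select FIT_FULL_CHECK
 help
 This option enables signature verification of FIT uImages,
 using a hash signed and verified using RSA. If
@@ -159,6 +169,15 @@ config SPL_FIT_PRINT
 help
 Support printing the content of the fitImage in a verbose manner in SPL.
 
+config SPL_FIT_FULL_CHECK
+ bool "Do a full check of the FIT before using it"
+ help
+ Enable this do a full check of the FIT to make sure it is valid. This
+ helps to protect against carefully crafted FITs which take advantage
+ of bugs or omissions in the code. This includes a bad structure,
+ multiple root nodes and the like.
+
+
 config SPL_FIT_SIGNATURE
 bool "Enable signature verification of FIT firmware within SPL"
 depends on SPL_DM
@@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE
 select SPL_RSA
 select SPL_RSA_VERIFY
 select SPL_IMAGE_SIGN_INFO
+ select SPL_FIT_FULL_CHECK
 
 config SPL_LOAD_FIT
 bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"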
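Review bot: `SPL_FIT_FULL_CHECK` carries no `default y`, unlike `FIT_FULL_CHECK` added earlier in this file, so an SPL that loads FITs without `SPL_FIT_SIGNATURE` skips the structural check unless a board config turns it on. If that asymmetry is deliberate (presumably to save SPL size), the help text should say so, for example `Off by default to save SPL size; selected automatically by SPL_FIT_SIGNATURE.` Both help texts also read "Enable this do a full check"; `Enable this to do a full check of the FIT to make sure it is valid.` is the intended wording, and the second blank line added after the SPL entry can be dropped.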
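--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size)
 return -ENOEXEC;
 }
 
+ if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
+ /*
+ * If we are not given the size, make do wtih calculating it.
+ * This is not as secure, so we should consider a flag to
+ * control this.
+ */
+ if (size == IMAGE_SIZE_INVAL)
+ size = fdt_totalsize(fit);
+ ret = fdt_check_full(fit, size);
+
+ if (ret) {
+ log_debug("FIT check error %d\n", ret);
+ return -EINVAL;
+ }
+ }
+
 /* mandatory / node 'description' property */
 if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
 log_debug("Wrong FIT format: no description\n");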
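Review bot: In the `size == IMAGE_SIZE_INVAL` fallback the length handed to `fdt_check_full()` is `fdt_totalsize(fit)`, which is read from the header of the very blob being validated, so on that path the check cannot notice a header that claims more bytes than were actually loaded. The in-code comment concedes this is weaker; I would turn it into something a caller can act on, e.g. `/* totalsize comes from the untrusted header; callers that know the loaded length must pass it */`, and fix the "wtih" typo while there. The rejection is reported only through `log_debug()`, which is likely compiled out in release builds, so a refused image leaves no trace; consider a message visible at the default log level, such as `log_err("FIT check error %d\n", ret);`. The earlier failure path visible in this hunk returns `-ENOEXEC` while the new one returns `-EINVAL`, which deserves a line in the function's doc comment if callers are meant to tell them apart. `fit_check_format()` starts and ends outside the hunk.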