image: Add an option to do a full check of the FIT

Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.

Enable this by default if signature verification is enabled.

CVE-2021-27097

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Simon Glass 2021-02-15 17:08:10 -07:00 committed by Tom Rini
parent c5819701a3
commit 6f3c2d8aa5
2 changed files with 36 additions and 0 deletions


@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT
SHA512 checksum is a 512-bit (64-byte) hash value used to check that
the image contents have not been corrupted.
config FIT_FULL_CHECK
bool "Do a full check of the FIT before using it"
default y
help
Enable this do a full check of the FIT to make sure it is valid. This
helps to protect against carefully crafted FITs which take advantage
of bugs or omissions in the code. This includes a bad structure,
multiple root nodes and the like.
config FIT_SIGNATURE
bool "Enable signature verification of FIT uImages"
depends on DM
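Review bot: the `default y` on FIT_FULL_CHECK does not match the commit message, which says the check is enabled by default if signature verification is enabled. With `default y` the option is on for every configuration that offers it, and the `select FIT_FULL_CHECK` under FIT_SIGNATURE already covers the signed case. If on-everywhere is intended, say so in the commit message; if not, drop `default y` and rely on the select. The help text also reads "Enable this do a full check", which is missing a "to".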
@ -70,6 +79,7 @@ config FIT_SIGNATURE
select RSA
select RSA_VERIFY
select IMAGE_SIGN_INFO
select FIT_FULL_CHECK
help
This option enables signature verification of FIT uImages,
using a hash signed and verified using RSA. If
@ -159,6 +169,15 @@ config SPL_FIT_PRINT
help
Support printing the content of the fitImage in a verbose manner in SPL.
config SPL_FIT_FULL_CHECK
bool "Do a full check of the FIT before using it"
help
Enable this do a full check of the FIT to make sure it is valid. This
helps to protect against carefully crafted FITs which take advantage
of bugs or omissions in the code. This includes a bad structure,
multiple root nodes and the like.
config SPL_FIT_SIGNATURE
bool "Enable signature verification of FIT firmware within SPL"
depends on SPL_DM
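Review bot: SPL_FIT_FULL_CHECK has no `default y`, unlike FIT_FULL_CHECK earlier in the same file, so an SPL build that loads a FIT without SPL_FIT_SIGNATURE gets no fdt_check_full() unless someone sets the option by hand. If that is a deliberate size trade-off for SPL, state it in the help text so integrators know the unsigned SPL path is unchecked by default; otherwise add the default. The help text repeats the "Enable this do a full check" wording and needs the same "to".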
@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE
select SPL_RSA
select SPL_RSA_VERIFY
select SPL_IMAGE_SIGN_INFO
select SPL_FIT_FULL_CHECK
config SPL_LOAD_FIT
bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"


@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size)
return -ENOEXEC;
}
if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
/*
* If we are not given the size, make do wtih calculating it.
* This is not as secure, so we should consider a flag to
* control this.
*/
if (size == IMAGE_SIZE_INVAL)
size = fdt_totalsize(fit);
ret = fdt_check_full(fit, size);
if (ret) {
log_debug("FIT check error %d\n", ret);
return -EINVAL;
}
}
/* mandatory / node 'description' property */
if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
log_debug("Wrong FIT format: no description\n");
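Review bot: in the `size == IMAGE_SIZE_INVAL` fallback, the bound handed to fdt_check_full() is fdt_totalsize(fit), a value read from the header of the very image being validated. On that path the check shows the blob is internally consistent, but not that it fits inside the memory the caller actually holds. The comment acknowledges this; I would rather see the callers that still pass IMAGE_SIZE_INVAL listed in the commit message, or a log message on the fallback so the remaining uses can be found and converted. Two smaller points: the new failure returns -EINVAL while the check immediately above returns -ENOEXEC, so please document what callers should expect, and the comment has a typo ("wtih"). The rejection is also reported only through log_debug(), so a build without debug logging gives no hint why a FIT was refused.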