mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-03 13:49:49 +00:00
Code Issues Projects Releases Wiki Activity

kernel-fitimage: Don't use unit addresses on FIT

Browse Source 
Das U-Boot 2021.4-rc1 has the following commit:

    commit 3f04db891a353f4b127ed57279279f851c6b4917
    Author: Simon Glass <sjg@chromium.org>
    Date:   Mon Feb 15 17:08:12 2021 -0700

        image: Check for unit addresses in FITs

        Using unit addresses in a FIT is a security risk. Add a check for
        this and disallow it.

        CVE-2021-27138

Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This changte is required before we can bump U-Boot to 2021.4.

(From OE-Core rev: 14eec2f7c3bbb36de8198989bf772135aa117963)

Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Backport for Dunfell]
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Klaus Heinrich Kiwi
2021-06-01 11:35:37 +02:00
committed by Richard Purdie
parent ca9cb3f3e6
commit ab6b5e97ce
1 changed files with 16 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/classes/kernel-fitimage.bbclass
+16 -16
View File
@@ -124,7 +124,7 @@ fitimage_emit_section_kernel() {
fi fi
cat << EOF >> ${1} cat << EOF >> ${1}
kernel@${2} { kernel-${2} {
description = "Linux kernel"; description = "Linux kernel";
data = /incbin/("${3}"); data = /incbin/("${3}");
type = "kernel"; type = "kernel";
@@ -133,7 +133,7 @@ fitimage_emit_section_kernel() {
compression = "${4}"; compression = "${4}";
load = <${UBOOT_LOADADDRESS}>; load = <${UBOOT_LOADADDRESS}>;
entry = <${ENTRYPOINT}>; entry = <${ENTRYPOINT}>;
hash@1 { hash-1 {
algo = "${kernel_csum}"; algo = "${kernel_csum}";
}; };
}; };
@@ -160,14 +160,14 @@ fitimage_emit_section_dtb() {
dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
fi fi
cat << EOF >> ${1} cat << EOF >> ${1}
fdt@${2} { fdt-${2} {
description = "Flattened Device Tree blob"; description = "Flattened Device Tree blob";
data = /incbin/("${3}"); data = /incbin/("${3}");
type = "flat_dt"; type = "flat_dt";
arch = "${UBOOT_ARCH}"; arch = "${UBOOT_ARCH}";
compression = "none"; compression = "none";
${dtb_loadline} ${dtb_loadline}
hash@1 { hash-1 {
algo = "${dtb_csum}"; algo = "${dtb_csum}";
}; };
}; };
@@ -185,7 +185,7 @@ fitimage_emit_section_setup() {
setup_csum="${FIT_HASH_ALG}" setup_csum="${FIT_HASH_ALG}"
cat << EOF >> ${1} cat << EOF >> ${1}
setup@${2} { setup-${2} {
description = "Linux setup.bin"; description = "Linux setup.bin";
data = /incbin/("${3}"); data = /incbin/("${3}");
type = "x86_setup"; type = "x86_setup";
@@ -194,7 +194,7 @@ fitimage_emit_section_setup() {
compression = "none"; compression = "none";
load = <0x00090000>; load = <0x00090000>;
entry = <0x00090000>; entry = <0x00090000>;
hash@1 { hash-1 {
algo = "${setup_csum}"; algo = "${setup_csum}";
}; };
}; };
@@ -221,7 +221,7 @@ fitimage_emit_section_ramdisk() {
fi fi
cat << EOF >> ${1} cat << EOF >> ${1}
ramdisk@${2} { ramdisk-${2} {
description = "${INITRAMFS_IMAGE}"; description = "${INITRAMFS_IMAGE}";
data = /incbin/("${3}"); data = /incbin/("${3}");
type = "ramdisk"; type = "ramdisk";
@@ -230,7 +230,7 @@ fitimage_emit_section_ramdisk() {
compression = "none"; compression = "none";
${ramdisk_loadline} ${ramdisk_loadline}
${ramdisk_entryline} ${ramdisk_entryline}
hash@1 { hash-1 {
algo = "${ramdisk_csum}"; algo = "${ramdisk_csum}";
}; };
}; };
@@ -266,39 +266,39 @@ fitimage_emit_section_config() {
if [ -n "${2}" ]; then if [ -n "${2}" ]; then
conf_desc="Linux kernel" conf_desc="Linux kernel"
sep=", " sep=", "
kernel_line="kernel = \"kernel@${2}\";" kernel_line="kernel = \"kernel-${2}\";"
fi fi
if [ -n "${3}" ]; then if [ -n "${3}" ]; then
conf_desc="${conf_desc}${sep}FDT blob" conf_desc="${conf_desc}${sep}FDT blob"
sep=", " sep=", "
fdt_line="fdt = \"fdt@${3}\";" fdt_line="fdt = \"fdt-${3}\";"
fi fi
if [ -n "${4}" ]; then if [ -n "${4}" ]; then
conf_desc="${conf_desc}${sep}ramdisk" conf_desc="${conf_desc}${sep}ramdisk"
sep=", " sep=", "
ramdisk_line="ramdisk = \"ramdisk@${4}\";" ramdisk_line="ramdisk = \"ramdisk-${4}\";"
fi fi
if [ -n "${5}" ]; then if [ -n "${5}" ]; then
conf_desc="${conf_desc}${sep}setup" conf_desc="${conf_desc}${sep}setup"
setup_line="setup = \"setup@${5}\";" setup_line="setup = \"setup-${5}\";"
fi fi
if [ "${6}" = "1" ]; then if [ "${6}" = "1" ]; then
default_line="default = \"conf@${3}\";" default_line="default = \"conf-${3}\";"
fi fi
cat << EOF >> ${1} cat << EOF >> ${1}
${default_line} ${default_line}
conf@${3} { conf-${3} {
description = "${6} ${conf_desc}"; description = "${6} ${conf_desc}";
${kernel_line} ${kernel_line}
${fdt_line} ${fdt_line}
${ramdisk_line} ${ramdisk_line}
${setup_line} ${setup_line}
hash@1 { hash-1 {
algo = "${conf_csum}"; algo = "${conf_csum}";
}; };
EOF EOF
@@ -330,7 +330,7 @@ EOF
sign_line="${sign_line};" sign_line="${sign_line};"
cat << EOF >> ${1} cat << EOF >> ${1}
signature@1 { signature-1 {
algo = "${conf_csum},${conf_sign_algo}"; algo = "${conf_csum},${conf_sign_algo}";
key-name-hint = "${conf_sign_keyname}"; key-name-hint = "${conf_sign_keyname}";
${sign_line} ${sign_line}