From patchwork Wed Nov 16 04:44:26 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Denys Dmytriyenko X-Patchwork-Id: 15511 X-Patchwork-Delegate: reatmon@ti.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B743EC4332F for ; Wed, 16 Nov 2022 04:44:31 +0000 (UTC) Received: from mailout4.zoneedit.com (mailout4.zoneedit.com [64.68.198.64]) by mx.groups.io with SMTP id smtpd.web09.3188.1668573869823795849 for ; Tue, 15 Nov 2022 20:44:30 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=none, err=permanent DNS error (domain: denix.org, ip: 64.68.198.64, mailfrom: denis@denix.org) Received: from localhost (localhost [127.0.0.1]) by mailout4.zoneedit.com (Postfix) with ESMTP id F400340D53; Wed, 16 Nov 2022 04:44:28 +0000 (UTC) Received: from mailout4.zoneedit.com ([127.0.0.1]) by localhost (zmo14-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Jp9QuT4upsd; Wed, 16 Nov 2022 04:44:28 +0000 (UTC) Received: from mail.denix.org (pool-100-15-88-116.washdc.fios.verizon.net [100.15.88.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout4.zoneedit.com (Postfix) with ESMTPSA id D8D7640D43; Wed, 16 Nov 2022 04:44:27 +0000 (UTC) Received: from thorin.denix (thorin.denix [192.168.30.9]) by mail.denix.org (Postfix) with ESMTP id E88A8163674; Tue, 15 Nov 2022 23:44:22 -0500 (EST) 
From: Denys Dmytriyenko To: meta-arago@lists.yoctoproject.org Cc: Denys Dmytriyenko Subject: [master/kirkstone][PATCH] kernel-fitimage-legacyhs: don't use unit addresses in FIT Date: Wed, 16 Nov 2022 04:44:26 +0000 Message-Id: <20221116044426.2893659-1-denis@denix.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 16 Nov 2022 04:44:31 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arago/message/14112 From: Denys Dmytriyenko Das U-Boot 2021.4-rc1 has the following commit: commit 3f04db891a353f4b127ed57279279f851c6b4917 Author: Simon Glass Date: Mon Feb 15 17:08:12 2021 -0700 image: Check for unit addresses in FITs Using unit addresses in a FIT is a security risk. Add a check for this and disallow it. CVE-2021-27138 Adjust the kernel-fitimage-legacyhs.bbclass accordingly to not use unit addresses. This corresponds to a similar change in kernel-fitimage.bbclass upstream in OE-Core [1], as we still need to carry heavily modified class for legacy HS devices. And uboot-mkimage comes from u-boot-tools-native version 2022.01 in OE-Core and not u-boot-ti-staging 2021.01 in meta-ti. [1] https://git.openembedded.org/openembedded-core/commit/?id=6047be9f8f0f5d616fda11d83b682c1b8aeaa0ae Signed-off-by: Denys Dmytriyenko
---
 .../classes/kernel-fitimage-legacyhs.bbclass | 48 +++++++++----------
 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/meta-arago-distro/classes/kernel-fitimage-legacyhs.bbclass b/meta-arago-distro/classes/kernel-fitimage-legacyhs.bbclass
index 4a006eb6..69fa0ed2 100644
--- a/meta-arago-distro/classes/kernel-fitimage-legacyhs.bbclass
+++ b/meta-arago-distro/classes/kernel-fitimage-legacyhs.bbclass
@@ -127,7 +127,7 @@ fitimage_emit_section_kernel() {
 fi
 cat << EOF >> ${1}
- kernel@${2} {
+ kernel-${2} {
 description = "Linux kernel";
 data = /incbin/("${3}");
 type = "kernel";
@@ -139,7 +139,7 @@ fitimage_emit_section_kernel() {
 EOF
 if test -n "${FITIMAGE_HASH_ALGO}"; then
 cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
 algo = "${kernel_csum}";
 };
 EOF
@@ -172,7 +172,7 @@ fitimage_emit_section_dtb() {
 EOF
 if test -n "${FITIMAGE_HASH_ALGO}"; then
 cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
 algo = "${dtb_csum}";
 };
 EOF
@@ -202,7 +202,7 @@ fitimage_emit_section_tee() {
 EOF
 if test -n "${FITIMAGE_HASH_ALGO}"; then
 cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
 algo = "${tee_csum}";
 };
 EOF
@@ -223,7 +223,7 @@ fitimage_emit_section_setup() {
 setup_csum=${FITIMAGE_HASH_ALGO}
 cat << EOF >> ${1}
- setup@${2} {
+ setup-${2} {
 description = "Linux setup.bin";
 data = /incbin/("${3}");
 type = "x86_setup";
@@ -235,7 +235,7 @@ fitimage_emit_section_setup() {
 EOF
 if test -n "${FITIMAGE_HASH_ALGO}"; then
 cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
 algo = "${setup_csum}";
 };
 EOF
@@ -275,7 +275,7 @@ fitimage_emit_section_ramdisk() {
 esac
 cat << EOF >> ${1}
- ramdisk@${2} {
+ ramdisk-${2} {
 description = "ramdisk image";
 data = /incbin/("${3}");
 type = "ramdisk";
@@ -297,7 +297,7 @@ EOF
 if test -n "${FITIMAGE_HASH_ALGO}"; then
 cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
 algo = "${ramdisk_csum}";
 };
 EOF
@@ -334,7 +334,7 @@ fitimage_emit_section_config() {
 if [ -n "${2}" ]; then
 conf_desc="Linux kernel"
 sep=", "
- kernel_line="kernel = \"kernel@${2}\";"
+ kernel_line="kernel = \"kernel-${2}\";"
 fi
 if [ -n "${3}" ]; then
@@ -345,13 +345,13 @@ fitimage_emit_section_config() {
 if [ -n "${4}" ]; then
 conf_desc="${conf_desc}${sep}ramdisk"
 sep=", "
- ramdisk_line="ramdisk = \"ramdisk@${4}\";"
+ ramdisk_line="ramdisk = \"ramdisk-${4}\";"
 fi
 if [ -n "${5}" ]; then
 conf_desc="${conf_desc}${sep}setup"
 sep=", "
- setup_line="setup = \"setup@${5}\";"
+ setup_line="setup = \"setup-${5}\";"
 fi
 if [ -n "${6}" -a "x${FITIMAGE_PACK_TEE}" = "x1" ]; then
@@ -359,9 +359,9 @@ fitimage_emit_section_config() {
 loadables_line="loadables = \"${6}.optee\";"
 loadables_pager_line="loadables = \"${6}-pager.optee\";"
 else
- loadables_line="loadables = \"tee@${6}\";"
+ loadables_line="loadables = \"tee-${6}\";"
 nextnum=`expr ${6} + 1`
- loadables_pager_line="loadables = \"tee@${nextnum}\";"
+ loadables_pager_line="loadables = \"tee-${nextnum}\";"
 fi
 final_conf_desc="${conf_desc}${sep}OPTEE OS Image"
 else
@@ -377,13 +377,13 @@ fitimage_emit_section_config() {
 if [ "x${FITIMAGE_CONF_BY_NAME}" = "x1" ] ; then
 conf_name="${DTB}"
 else
- conf_name="conf@${dtbcount}"
+ conf_name="conf-${dtbcount}"
 fi
 if [ "x${FITIMAGE_DTB_BY_NAME}" = "x1" ] ; then
 fdt_line="fdt = \"${DTB}\";"
 else
- fdt_line="fdt = \"fdt@${dtbcount}\";"
+ fdt_line="fdt = \"fdt-${dtbcount}\";"
 fi
 if [ "x${dtbcount}" = "x1" ]; then
@@ -408,7 +408,7 @@ EOF
 fi
 if test -n "${FITIMAGE_HASH_ALGO}"; then
 cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
 algo = "${conf_csum}";
 };
 EOF
@@ -433,7 +433,7 @@ EOF
 sign_line="${sign_line};"
 cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
 algo = "${conf_csum},rsa2048";
 key-name-hint = "${conf_sign_keyname}";
 ${sign_line}
@@ -451,7 +451,7 @@ EOF
 if [ "x${FITIMAGE_CONF_BY_NAME}" = "x1" ] ; then
 conf_name="${DTB}-pager"
 else
- conf_name="conf@${dtbcount}"
+ conf_name="conf-${dtbcount}"
 fi
 cat << EOF >> ${1}
@@ -469,7 +469,7 @@ EOF
 fi
 if test -n "${FITIMAGE_HASH_ALGO}"; then
 cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
 algo = "${conf_csum}";
 };
 EOF
@@ -494,7 +494,7 @@ EOF
 sign_line="${sign_line};"
 cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
 algo = "${conf_csum},rsa2048";
 key-name-hint = "${conf_sign_keyname}";
 ${sign_line}
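Review bot: In the -377 and -451 hunks `conf_name="conf-${dtbcount}"` changes the name a boot-time consumer has to select, but nothing in the class records the convention; any U-Boot environment or boot script that picks the configuration explicitly (e.g. `bootm ${loadaddr}#conf@1`) presumably stops matching once this lands, so those defaults need to move in the same series. I would add a comment above that `else` branch: `# no unit addresses in node names (U-Boot rejects them, CVE-2021-27138); explicit selectors must use conf-N`. Separately, `algo = "${conf_csum},rsa2048";` in the -433 and -494 hunks still pins the signature to RSA-2048 while the hash side is configurable through FITIMAGE_HASH_ALGO, so a signing key of another size would presumably fail to sign or verify rather than being caught by the class — documenting that `conf_sign_keyname` must name a 2048-bit key, or deriving the suffix from a variable, is cheap. fitimage_emit_section_config starts and ends outside these hunks.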
@@ -571,7 +571,7 @@ fitimage_assemble() {
 if [ "x${FITIMAGE_DTB_BY_NAME}" = "x1" ] ; then
 fitimage_emit_section_dtb ${1} ${DTB} ${DTB_PATH}.sec "${dtb_loadline}"
 else
- fitimage_emit_section_dtb ${1} "fdt@${dtbcount}" ${DTB_PATH}.sec "${dtb_loadline}"
+ fitimage_emit_section_dtb ${1} "fdt-${dtbcount}" ${DTB_PATH}.sec "${dtb_loadline}"
 fi
 if [ "x${dtbcount}" = "x1" ]; then
 dtbref=${DTB}
@@ -594,7 +594,7 @@ fitimage_assemble() {
 if [ "x${FITIMAGE_TEE_BY_NAME}" = "x1" ] ; then
 fitimage_emit_section_tee ${1} ${OPTEEFLAVOR}.optee ${TEE_PATH}.sec
 else
- fitimage_emit_section_tee ${1} "tee@${teecount}" ${TEE_PATH}.sec
+ fitimage_emit_section_tee ${1} "tee-${teecount}" ${TEE_PATH}.sec
 fi
 if [ "${OPTEEPAGER}" = "y" ]; then
@@ -608,7 +608,7 @@ fitimage_assemble() {
 if [ "x${FITIMAGE_TEE_BY_NAME}" = "x1" ] ; then
 fitimage_emit_section_tee ${1} ${OPTEEFLAVOR}-pager.optee ${TEE_PATH}.sec
 else
- fitimage_emit_section_tee ${1} "tee@${teecount}" ${TEE_PATH}.sec
+ fitimage_emit_section_tee ${1} "tee-${teecount}" ${TEE_PATH}.sec
 fi
 fi
 fi
@@ -653,7 +653,7 @@ fitimage_assemble() {
 fitimage_emit_section_maint ${1} confstart
 if [ "x${FITIMAGE_DTB_BY_NAME}" != "x1" ] ; then
- dtbref="fdt@${dtbcount}"
+ dtbref="fdt-${dtbcount}"
 fi
 if [ "x${FITIMAGE_TEE_BY_NAME}" = "x1" ] ; then
 teeref="${OPTEEFLAVOR}"