From 14eec2f7c3bbb36de8198989bf772135aa117963 Mon Sep 17 00:00:00 2001 From: Klaus Heinrich Kiwi Date: Tue, 1 Jun 2021 11:35:37 +0200 Subject: kernel-fitimage: Don't use unit addresses on FIT Das U-Boot 2021.4-rc1 has the following commit: commit 3f04db891a353f4b127ed57279279f851c6b4917 Author: Simon Glass Date: Mon Feb 15 17:08:12 2021 -0700 image: Check for unit addresses in FITs Using unit addresses in a FIT is a security risk. Add a check for this and disallow it. CVE-2021-27138 Adjust the kernel-fitimage.bbclass accordingly to not use unit addresses. This changte is required before we can bump U-Boot to 2021.4. Signed-off-by: Klaus Heinrich Kiwi Signed-off-by: Richard Purdie [Backport for Dunfell] Signed-off-by: Frieder Schrempf Signed-off-by: Steve Sakoman --- meta/classes/kernel-fitimage.bbclass | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass index b4d8ff8309..5f5e9dd444 100644 --- a/meta/classes/kernel-fitimage.bbclass +++ b/meta/classes/kernel-fitimage.bbclass @@ -124,7 +124,7 @@ fitimage_emit_section_kernel() { fi cat << EOF >> ${1} - kernel@${2} { + kernel-${2} { description = "Linux kernel"; data = /incbin/("${3}"); type = "kernel"; @@ -133,7 +133,7 @@ fitimage_emit_section_kernel() { compression = "${4}"; load = <${UBOOT_LOADADDRESS}>; entry = <${ENTRYPOINT}>; - hash@1 { + hash-1 { algo = "${kernel_csum}"; }; }; @@ -160,14 +160,14 @@ fitimage_emit_section_dtb() { dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;" fi cat << EOF >> ${1} - fdt@${2} { + fdt-${2} { description = "Flattened Device Tree blob"; data = /incbin/("${3}"); type = "flat_dt"; arch = "${UBOOT_ARCH}"; compression = "none"; ${dtb_loadline} - hash@1 { + hash-1 { algo = "${dtb_csum}"; }; }; @@ -185,7 +185,7 @@ fitimage_emit_section_setup() { setup_csum="${FIT_HASH_ALG}" cat << EOF >> ${1} - setup@${2} { + setup-${2} { description = "Linux setup.bin"; data = /incbin/("${3}"); type = "x86_setup"; @@ -194,7 +194,7 @@ fitimage_emit_section_setup() { compression = "none"; load = <0x00090000>; entry = <0x00090000>; - hash@1 { + hash-1 { algo = "${setup_csum}"; }; }; @@ -221,7 +221,7 @@ fitimage_emit_section_ramdisk() { fi cat << EOF >> ${1} - ramdisk@${2} { + ramdisk-${2} { description = "${INITRAMFS_IMAGE}"; data = /incbin/("${3}"); type = "ramdisk"; @@ -230,7 +230,7 @@ fitimage_emit_section_ramdisk() { compression = "none"; ${ramdisk_loadline} ${ramdisk_entryline} - hash@1 { + hash-1 { algo = "${ramdisk_csum}"; }; }; @@ -266,39 +266,39 @@ fitimage_emit_section_config() { if [ -n "${2}" ]; then conf_desc="Linux kernel" sep=", " - kernel_line="kernel = \"kernel@${2}\";" + kernel_line="kernel = \"kernel-${2}\";" fi if [ -n "${3}" ]; then conf_desc="${conf_desc}${sep}FDT blob" sep=", " - fdt_line="fdt = \"fdt@${3}\";" + fdt_line="fdt = \"fdt-${3}\";" fi if [ -n "${4}" ]; then conf_desc="${conf_desc}${sep}ramdisk" sep=", " - ramdisk_line="ramdisk = \"ramdisk@${4}\";" + ramdisk_line="ramdisk = \"ramdisk-${4}\";" fi if [ -n "${5}" ]; then conf_desc="${conf_desc}${sep}setup" - setup_line="setup = \"setup@${5}\";" + setup_line="setup = \"setup-${5}\";" fi if [ "${6}" = "1" ]; then - default_line="default = \"conf@${3}\";" + default_line="default = \"conf-${3}\";" fi cat << EOF >> ${1} ${default_line} - conf@${3} { + conf-${3} { description = "${6} ${conf_desc}"; ${kernel_line} ${fdt_line} ${ramdisk_line} ${setup_line} - hash@1 { + hash-1 { algo = "${conf_csum}"; }; EOF @@ -330,7 +330,7 @@ EOF sign_line="${sign_line};" cat << EOF >> ${1} - signature@1 { + signature-1 { algo = "${conf_csum},${conf_sign_algo}"; key-name-hint = "${conf_sign_keyname}"; ${sign_line} -- cgit 1.2.3-korg