image: Add an option to do a full check of the FIT

Some strange modifications of the FIT can introduce security risks. Add an option to check it thoroughly, using libfdt's fdt_check_full() function. Enable this by default if signature verification is enabled. CVE-2021-27097 Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com>
2025-03-17 12:41:32 +00:00 · 2021-02-15 17:08:10 -07:00 · 2021-02-15 17:08:10 -07:00 · 6f3c2d8aa5
commit 6f3c2d8aa5
parent c5819701a3
2 changed files with 36 additions and 0 deletions
--- a/common/Kconfig.boot
+++ b/common/Kconfig.boot
@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT
 	  SHA512 checksum is a 512-bit (64-byte) hash value used to check that
 	  the image contents have not been corrupted.

+config FIT_FULL_CHECK
+	bool "Do a full check of the FIT before using it"
+	default y
+	help
+	  Enable this do a full check of the FIT to make sure it is valid. This
+	  helps to protect against carefully crafted FITs which take advantage
+	  of bugs or omissions in the code. This includes a bad structure,
+	  multiple root nodes and the like.
+
 config FIT_SIGNATURE
 	bool "Enable signature verification of FIT uImages"
 	depends on DM
@ -70,6 +79,7 @@ config FIT_SIGNATURE
 	select RSA
 	select RSA_VERIFY
 	select IMAGE_SIGN_INFO
+	select FIT_FULL_CHECK
 	help
 	  This option enables signature verification of FIT uImages,
 	  using a hash signed and verified using RSA. If
@ -159,6 +169,15 @@ config SPL_FIT_PRINT
 	help
 	  Support printing the content of the fitImage in a verbose manner in SPL.

+config SPL_FIT_FULL_CHECK
+	bool "Do a full check of the FIT before using it"
+	help
+	  Enable this do a full check of the FIT to make sure it is valid. This
+	  helps to protect against carefully crafted FITs which take advantage
+	  of bugs or omissions in the code. This includes a bad structure,
+	  multiple root nodes and the like.
+
+
 config SPL_FIT_SIGNATURE
 	bool "Enable signature verification of FIT firmware within SPL"
 	depends on SPL_DM
@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE
 	select SPL_RSA
 	select SPL_RSA_VERIFY
 	select SPL_IMAGE_SIGN_INFO
+	select SPL_FIT_FULL_CHECK

 config SPL_LOAD_FIT
 	bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
--- a/common/image-fit.c
+++ b/common/image-fit.c
@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size)
 		return -ENOEXEC;
 	}

+	if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
+		/*
+		 * If we are not given the size, make do wtih calculating it.
+		 * This is not as secure, so we should consider a flag to
+		 * control this.
+		 */
+		if (size == IMAGE_SIZE_INVAL)
+			size = fdt_totalsize(fit);
+		ret = fdt_check_full(fit, size);
+
+		if (ret) {
+			log_debug("FIT check error %d\n", ret);
+			return -EINVAL;
+		}
+	}
+
 	/* mandatory / node 'description' property */
 	if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
 		log_debug("Wrong FIT format: no description\n");