image: Add an option to do a full check of the FIT
Some strange modifications of the FIT can introduce security risks. Add an option to check it thoroughly, using libfdt's fdt_check_full() function. Enable this by default if signature verification is enabled. CVE-2021-27097 Signed-off-by: Simon Glass <sjg@chromium.org> Reported-by: Bruce Monroe <bruce.monroe@intel.com> Reported-by: Arie Haenel <arie.haenel@intel.com> Reported-by: Julien Lenoir <julien.lenoir@intel.com>
parent
c5819701a3
commit
6f3c2d8aa5
2 changed files with 36 additions and 0 deletions
|
@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT
|
|||
SHA512 checksum is a 512-bit (64-byte) hash value used to check that
|
||||
the image contents have not been corrupted.
|
||||
|
||||
config FIT_FULL_CHECK
|
||||
bool "Do a full check of the FIT before using it"
|
||||
default y
|
||||
help
|
||||
Enable this do a full check of the FIT to make sure it is valid. This
|
||||
helps to protect against carefully crafted FITs which take advantage
|
||||
of bugs or omissions in the code. This includes a bad structure,
|
||||
multiple root nodes and the like.
|
||||
|
||||
config FIT_SIGNATURE
|
||||
bool "Enable signature verification of FIT uImages"
|
||||
depends on DM
|
||||
|
@ -70,6 +79,7 @@ config FIT_SIGNATURE
|
|||
select RSA
|
||||
select RSA_VERIFY
|
||||
select IMAGE_SIGN_INFO
|
||||
select FIT_FULL_CHECK
|
||||
help
|
||||
This option enables signature verification of FIT uImages,
|
||||
using a hash signed and verified using RSA. If
|
||||
|
@ -159,6 +169,15 @@ config SPL_FIT_PRINT
|
|||
help
|
||||
Support printing the content of the fitImage in a verbose manner in SPL.
|
||||
|
||||
config SPL_FIT_FULL_CHECK
|
||||
bool "Do a full check of the FIT before using it"
|
||||
help
|
||||
Enable this do a full check of the FIT to make sure it is valid. This
|
||||
helps to protect against carefully crafted FITs which take advantage
|
||||
of bugs or omissions in the code. This includes a bad structure,
|
||||
multiple root nodes and the like.
|
||||
|
||||
|
||||
config SPL_FIT_SIGNATURE
|
||||
bool "Enable signature verification of FIT firmware within SPL"
|
||||
depends on SPL_DM
|
||||
|
@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE
|
|||
select SPL_RSA
|
||||
select SPL_RSA_VERIFY
|
||||
select SPL_IMAGE_SIGN_INFO
|
||||
select SPL_FIT_FULL_CHECK
|
||||
|
||||
config SPL_LOAD_FIT
|
||||
bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
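Review bot: `SPL_FIT_FULL_CHECK` is declared without a `default` line, unlike `FIT_FULL_CHECK` (`default y`), so an SPL that loads FITs without `SPL_FIT_SIGNATURE` gets no full check unless someone turns the option on by hand. If that is deliberate (presumably to save SPL size), the help text should say so, for example by adding `This is selected by SPL_FIT_SIGNATURE and is otherwise off by default.` Both help texts also read `Enable this do a full check`; `Enable this to do a full check` is what is meant.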
|
||||
|
|
|
@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size)
|
|||
return -ENOEXEC;
|
||||
}
|
||||
|
||||
if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
|
||||
/*
|
||||
* If we are not given the size, make do wtih calculating it.
|
||||
* This is not as secure, so we should consider a flag to
|
||||
* control this.
|
||||
*/
|
||||
if (size == IMAGE_SIZE_INVAL)
|
||||
size = fdt_totalsize(fit);
|
||||
ret = fdt_check_full(fit, size);
|
||||
|
||||
if (ret) {
|
||||
log_debug("FIT check error %d\n", ret);
|
||||
return -EINVAL;
|
||||
}
|
||||
}
|
||||
|
||||
/* mandatory / node 'description' property */
|
||||
if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
|
||||
log_debug("Wrong FIT format: no description\n");
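Review bot: When `size == IMAGE_SIZE_INVAL`, the bound passed to `fdt_check_full()` is `fdt_totalsize(fit)`, a value read from the image's own header. On that path the check can only confirm that the blob is consistent with the size it claims, not that it fits the buffer that was actually loaded. The comment already admits this is weaker; I would make it an explicit marker so it is not lost, e.g. `/* TODO: size is taken from the untrusted header here; callers should pass the real buffer size */`, and fix the `wtih` typo while there. The libfdt error code is only visible through `log_debug()`, so a rejected image is silent in a normal build; printing it at a higher log level would help when triaging a board that refuses to boot. `fit_check_format()` starts and ends outside this hunk, so the earlier checks that return `-ENOEXEC` are not visible here.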
|
||||
|
|