From: Denys Dmytriyenko <[email protected]>
Das U-Boot 2021.4-rc1 has the following commit:
commit 3f04db891a353f4b127ed57279279f851c6b4917
Author: Simon Glass <[email protected]>
Date: Mon Feb 15 17:08:12 2021 -0700
image: Check for unit addresses in FITs
Using unit addresses in a FIT is a security risk. Add a check for
this and disallow it.
CVE-2021-27138
Adjust the kernel-fitimage-legacyhs.bbclass accordingly to not use unit
addresses. This corresponds to a similar change in kernel-fitimage.bbclass
upstream in OE-Core [1], as we still need to carry heavily modified class
for legacy HS devices. Note that the uboot-mkimage used to build the FIT comes from
u-boot-tools-native version 2022.01 in OE-Core, not from u-boot-ti-staging 2021.01 in meta-ti.
[1]
https://git.openembedded.org/openembedded-core/commit/?id=6047be9f8f0f5d616fda11d83b682c1b8aeaa0ae
Signed-off-by: Denys Dmytriyenko <[email protected]>
---
.../classes/kernel-fitimage-legacyhs.bbclass | 48 +++++++++----------
1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/meta-arago-distro/classes/kernel-fitimage-legacyhs.bbclass
b/meta-arago-distro/classes/kernel-fitimage-legacyhs.bbclass
index 4a006eb6..69fa0ed2 100644
--- a/meta-arago-distro/classes/kernel-fitimage-legacyhs.bbclass
+++ b/meta-arago-distro/classes/kernel-fitimage-legacyhs.bbclass
@@ -127,7 +127,7 @@ fitimage_emit_section_kernel() {
fi
cat << EOF >> ${1}
- kernel@${2} {
+ kernel-${2} {
description = "Linux kernel";
data = /incbin/("${3}");
type = "kernel";
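Review bot: The switch from `kernel@${2}` to `kernel-${2}` is not explained anywhere in the class itself, so a later maintainer is likely to "restore" the conventional unit-address form that every FIT example uses; add a comment at the top of the emit helpers (fitimage_emit_section_kernel starts outside this hunk) such as `# FIT node names use '-' rather than '@': U-Boot >= 2021.04 rejects unit addresses in FIT node names (CVE-2021-27138).` The commit description also states that the on-target U-Boot is u-boot-ti-staging 2021.01, which predates the 2021.04-rc1 check quoted above, so this rename presumably keeps the build working with the newer mkimage but does not by itself make the device reject `@` nodes; saying so in that comment avoids anyone reading this change as closing the CVE on the target.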
@@ -139,7 +139,7 @@ fitimage_emit_section_kernel() {
EOF
if test -n "${FITIMAGE_HASH_ALGO}"; then
cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
algo = "${kernel_csum}";
};
EOF
@@ -172,7 +172,7 @@ fitimage_emit_section_dtb() {
EOF
if test -n "${FITIMAGE_HASH_ALGO}"; then
cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
algo = "${dtb_csum}";
};
EOF
@@ -202,7 +202,7 @@ fitimage_emit_section_tee() {
EOF
if test -n "${FITIMAGE_HASH_ALGO}"; then
cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
algo = "${tee_csum}";
};
EOF
@@ -223,7 +223,7 @@ fitimage_emit_section_setup() {
setup_csum=${FITIMAGE_HASH_ALGO}
cat << EOF >> ${1}
- setup@${2} {
+ setup-${2} {
description = "Linux setup.bin";
data = /incbin/("${3}");
type = "x86_setup";
@@ -235,7 +235,7 @@ fitimage_emit_section_setup() {
EOF
if test -n "${FITIMAGE_HASH_ALGO}"; then
cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
algo = "${setup_csum}";
};
EOF
@@ -275,7 +275,7 @@ fitimage_emit_section_ramdisk() {
esac
cat << EOF >> ${1}
- ramdisk@${2} {
+ ramdisk-${2} {
description = "ramdisk image";
data = /incbin/("${3}");
type = "ramdisk";
@@ -297,7 +297,7 @@ EOF
if test -n "${FITIMAGE_HASH_ALGO}"; then
cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
algo = "${ramdisk_csum}";
};
EOF
@@ -334,7 +334,7 @@ fitimage_emit_section_config() {
if [ -n "${2}" ]; then
conf_desc="Linux kernel"
sep=", "
- kernel_line="kernel = \"kernel@${2}\";"
+ kernel_line="kernel = \"kernel-${2}\";"
fi
if [ -n "${3}" ]; then
@@ -345,13 +345,13 @@ fitimage_emit_section_config() {
if [ -n "${4}" ]; then
conf_desc="${conf_desc}${sep}ramdisk"
sep=", "
- ramdisk_line="ramdisk = \"ramdisk@${4}\";"
+ ramdisk_line="ramdisk = \"ramdisk-${4}\";"
fi
if [ -n "${5}" ]; then
conf_desc="${conf_desc}${sep}setup"
sep=", "
- setup_line="setup = \"setup@${5}\";"
+ setup_line="setup = \"setup-${5}\";"
fi
if [ -n "${6}" -a "x${FITIMAGE_PACK_TEE}" = "x1" ]; then
@@ -359,9 +359,9 @@ fitimage_emit_section_config() {
loadables_line="loadables = \"${6}.optee\";"
loadables_pager_line="loadables = \"${6}-pager.optee\";"
else
- loadables_line="loadables = \"tee@${6}\";"
+ loadables_line="loadables = \"tee-${6}\";"
nextnum=`expr ${6} + 1`
- loadables_pager_line="loadables = \"tee@${nextnum}\";"
+ loadables_pager_line="loadables = \"tee-${nextnum}\";"
fi
final_conf_desc="${conf_desc}${sep}OPTEE OS Image"
else
@@ -377,13 +377,13 @@ fitimage_emit_section_config() {
if [ "x${FITIMAGE_CONF_BY_NAME}" = "x1" ] ; then
conf_name="${DTB}"
else
- conf_name="conf@${dtbcount}"
+ conf_name="conf-${dtbcount}"
fi
if [ "x${FITIMAGE_DTB_BY_NAME}" = "x1" ] ; then
fdt_line="fdt = \"${DTB}\";"
else
- fdt_line="fdt = \"fdt@${dtbcount}\";"
+ fdt_line="fdt = \"fdt-${dtbcount}\";"
fi
if [ "x${dtbcount}" = "x1" ]; then
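Review bot: The rename only covers the generated `conf-`/`fdt-` names; in the `FITIMAGE_CONF_BY_NAME` and `FITIMAGE_DTB_BY_NAME` branches the node names are taken verbatim from `${DTB}`, so a DTB filename containing `@` would still emit exactly the node names U-Boot now rejects, and the build would only fail later at mkimage or at boot. A guard where DTB is selected, e.g. `case "${DTB}" in *@*) bbfatal "DTB name '${DTB}' contains '@', which is not allowed in FIT node names (CVE-2021-27138)";; esac`, would fail the build early with a clear message. The `default =` property for the first configuration is presumably set in the `dtbcount = 1` branch that continues past the hunk (fitimage_emit_section_config starts and ends outside it); verify it references `conf-1` or `${DTB}` and not a stale `conf@1`.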
@@ -408,7 +408,7 @@ EOF
fi
if test -n "${FITIMAGE_HASH_ALGO}"; then
cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
algo = "${conf_csum}";
};
EOF
@@ -433,7 +433,7 @@ EOF
sign_line="${sign_line};"
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${conf_csum},rsa2048";
key-name-hint = "${conf_sign_keyname}";
${sign_line}
@@ -451,7 +451,7 @@ EOF
if [ "x${FITIMAGE_CONF_BY_NAME}" = "x1" ] ; then
conf_name="${DTB}-pager"
else
- conf_name="conf@${dtbcount}"
+ conf_name="conf-${dtbcount}"
fi
cat << EOF >> ${1}
@@ -469,7 +469,7 @@ EOF
fi
if test -n "${FITIMAGE_HASH_ALGO}"; then
cat << EOF >> ${1}
- hash@1 {
+ hash-1 {
algo = "${conf_csum}";
};
EOF
@@ -494,7 +494,7 @@ EOF
sign_line="${sign_line};"
cat << EOF >> ${1}
- signature@1 {
+ signature-1 {
algo = "${conf_csum},rsa2048";
key-name-hint = "${conf_sign_keyname}";
${sign_line}
@@ -571,7 +571,7 @@ fitimage_assemble() {
if [ "x${FITIMAGE_DTB_BY_NAME}" = "x1" ] ; then
fitimage_emit_section_dtb ${1} ${DTB}
${DTB_PATH}.sec "${dtb_loadline}"
else
- fitimage_emit_section_dtb ${1}
"fdt@${dtbcount}" ${DTB_PATH}.sec "${dtb_loadline}"
+ fitimage_emit_section_dtb ${1}
"fdt-${dtbcount}" ${DTB_PATH}.sec "${dtb_loadline}"
fi
if [ "x${dtbcount}" = "x1" ]; then
dtbref=${DTB}
@@ -594,7 +594,7 @@ fitimage_assemble() {
if [ "x${FITIMAGE_TEE_BY_NAME}" = "x1" ] ; then
fitimage_emit_section_tee ${1} ${OPTEEFLAVOR}.optee
${TEE_PATH}.sec
else
- fitimage_emit_section_tee ${1} "tee@${teecount}"
${TEE_PATH}.sec
+ fitimage_emit_section_tee ${1} "tee-${teecount}"
${TEE_PATH}.sec
fi
if [ "${OPTEEPAGER}" = "y" ]; then
@@ -608,7 +608,7 @@ fitimage_assemble() {
if [ "x${FITIMAGE_TEE_BY_NAME}" = "x1" ] ; then
fitimage_emit_section_tee ${1}
${OPTEEFLAVOR}-pager.optee ${TEE_PATH}.sec
else
- fitimage_emit_section_tee ${1}
"tee@${teecount}" ${TEE_PATH}.sec
+ fitimage_emit_section_tee ${1}
"tee-${teecount}" ${TEE_PATH}.sec
fi
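Review bot: The pager TEE node is emitted here as `tee-${teecount}` while the configuration in fitimage_emit_section_config references it as `tee-${nextnum}` with `nextnum` computed as `${6} + 1`; the increment of `teecount` between the main and pager image lies outside this hunk, so the two only agree if that increment is exactly one, which is worth a comment next to the pager call, e.g. `# must stay at teecount == <main tee index> + 1: fitimage_emit_section_config derives the pager node name from it`. As with the DTB case, the by-name branch uses `${OPTEEFLAVOR}-pager.optee` verbatim as the node name, so an OPTEEFLAVOR value containing `@` would still produce a node U-Boot rejects; consider validating it at the same place the DTB names are validated. fitimage_assemble continues past the end of the hunk.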
fi
fi
@@ -653,7 +653,7 @@ fitimage_assemble() {
fitimage_emit_section_maint ${1} confstart
if [ "x${FITIMAGE_DTB_BY_NAME}" != "x1" ] ; then
- dtbref="fdt@${dtbcount}"
+ dtbref="fdt-${dtbcount}"
fi
if [ "x${FITIMAGE_TEE_BY_NAME}" = "x1" ] ; then
teeref="${OPTEEFLAVOR}"
--
2.25.1