This series fixes some vulnerabilities in U-Boot identified by:
Julien Lenoir <julien.len...@intel.com>
Bruce Monroe <bruce.mon...@intel.com>
Arie Haenel <arie.hae...@intel.com>

First problem
-------------

CVE ID - CVE-2021-27097
Reference URL - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27097
Note this CVE ID will remain reserved until a few days after publication.

CVE Description:
Improper input validation in U-Boot boot loader before version 2021.04-rc2
may allow an authenticated user to escalate privileges via local access.

CVSS Base Score: 7.8 High
CVSS Vector - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

U-Boot fetches the signature from the "/configuration" node and later the
code from the "/images" node, once the signature is verified.

The list of nodes to hash is stored in the 'hashed-nodes' property of the
signature node:

   hashed-nodes = b'/\x00/configurations/conf@1\x00/images/kernel@1\x00/images/kernel@1/hash@1\x00'

The signature is computed on memory blocks fetched by the
fdt_find_regions_function() function. This matches the blocks based on their
'path', i.e. on the node/property names of the tree.

The problem is that the first node being the root, i.e. a node with an empty
name, is a convention that U-Boot assumes to be true but does not check
explicitly. It is possible to build a FIT in which the first node has a
non-empty name, for example 'f@kenode', followed by a genuine root node (with
an empty name). U-Boot will then fetch the configuration and images from the
fake node, i.e. from '/f@kenode/configuration' and '/f@kenode/images'.
Conversely, the fdt_find_regions_function() function matches nodes on their
full path, without this assumption.

As a result, the signature is checked on the 'real' root node while code is
loaded from the fake one.
Second problem
--------------

CVE ID - CVE-2021-27138
Reference URL - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27138
Note this CVE ID will remain reserved until a few days after publication.

CVE Description:
Improper input validation in Das U-Boot before version 2020.04-rc2 may allow
an authenticated user to escalate privileges via local access.

CVSS Base Score: 7.8 High
CVSS Vector - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

A second problem is noticed when an @ symbol is added to a node that does not
already have one. In 2017 U-Boot moved away from using @ in node names due to
the devicetree compiler warning about them, e.g. in this commit:

   838404054e4 ("doc: FIT image: fix incorrect description of DT node unit address")

This means that it is possible to add a node name like fdt-1@evil before the
existing fdt-1 node, and U-Boot will use the first one, due to the way the
unit-address matching works.

Of course, people may still be using the older @ nodes and thus avoiding this
problem, but the examples were updated to use a hyphen so this is unlikely.

This series corrects the above vulnerabilities.
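A defender-side check for the two FIT shapes described above, written as an added example that is not code from this series or from U-Boot: it walks a raw FDT structure block and rejects a non-root first node, more than one root node, and any '@' in a node name. The check_fit_struct_block() and node() helpers and the sample trees are constructed here for illustration and are not U-Boot or libfdt APIs.

```python
import struct

# FDT structure-block tokens from the flattened devicetree spec.
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9
END = struct.pack(">I", FDT_END)


def _align4(n):
    return (n + 3) & ~3


def check_fit_struct_block(blob):
    """Return None if the structure block is acceptable, else the first problem found.
    Mirrors the series: first node is root (empty name), one root only, no '@' in names."""
    off, depth, roots = 0, 0, 0
    while off + 4 <= len(blob):
        tok = struct.unpack_from(">I", blob, off)[0]
        off += 4
        if tok == FDT_BEGIN_NODE:
            end = blob.index(b"\0", off)        # NUL-terminated name, 4-byte padded
            name = blob[off:end].decode()
            off = _align4(end + 1)
            if depth == 0:
                roots += 1
                if roots == 1 and name != "":
                    return "first node is %r, not the root" % name
                if roots > 1:
                    return "multiple root nodes"
            elif "@" in name:
                return "unit address in node name %r" % name
            depth += 1
        elif tok == FDT_END_NODE:
            depth -= 1
        elif tok == FDT_PROP:
            length = struct.unpack_from(">I", blob, off)[0]
            off = _align4(off + 8 + length)     # len, nameoff, padded value
        elif tok == FDT_END:
            return None if depth == 0 else "unbalanced nodes"
        elif tok != FDT_NOP:
            return "bad token %d" % tok
    return "missing FDT_END"


def node(name, *children):
    """Constructed helper: structure-block bytes for one node and its children."""
    raw = name.encode() + b"\0"
    head = struct.pack(">I", FDT_BEGIN_NODE) + raw.ljust(_align4(len(raw)), b"\0")
    return head + b"".join(children) + struct.pack(">I", FDT_END_NODE)


GOOD = node("", node("configurations", node("conf-1")), node("images", node("kernel-1"))) + END
# Constructed shapes from the cover letter: a fake first node ahead of the real root, and an '@' node ahead of 'fdt-1'.
EVIL_FIRST = node("f@kenode", node("images", node("kernel-1"))) + node("", node("images")) + END
EVIL_UNIT = node("", node("images", node("fdt-1@evil"), node("fdt-1"))) + END
```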
Simon Glass (8):
  fdt_region: Check for a single root node of the correct name
  fit: Don't allow verification of images with @ nodes
  test: Add vboot_evil implementation
  test: Add tests for the 'evil' vboot attacks
  image: Adjust the workings of fit_check_format()
  image: Add an option to do a full check of the FIT
  libfdt: Check for multiple/invalid root nodes
  image: Check for unit addresses in FITs

 arch/arm/cpu/armv8/sec_firmware.c  |   2 +-
 cmd/bootefi.c                      |   2 +-
 cmd/bootm.c                        |   6 +-
 cmd/disk.c                         |   2 +-
 cmd/fpga.c                         |   2 +-
 cmd/nand.c                         |   2 +-
 cmd/source.c                       |   2 +-
 cmd/ximg.c                         |   2 +-
 common/Kconfig.boot                |  20 ++
 common/fdt_region.c                |  11 +
 common/image-fdt.c                 |   2 +-
 common/image-fit-sig.c             |  22 +-
 common/image-fit.c                 | 126 ++++++--
 common/splash_source.c             |   6 +-
 common/update.c                    |   4 +-
 drivers/fpga/socfpga_arria10.c     |   6 +-
 drivers/net/fsl-mc/mc.c            |   2 +-
 drivers/net/pfe_eth/pfe_firmware.c |   2 +-
 include/image.h                    |  21 +-
 scripts/dtc/libfdt/fdt_ro.c        |  17 +
 test/py/tests/test_fit.py          |  24 +-
 test/py/tests/test_vboot.py        |  95 ++++--
 test/py/tests/vboot_evil.py        | 485 +++++++++++++++++++++++++++++
 test/py/tests/vboot_forge.py       |  12 +-
 tools/fit_common.c                 |   3 +-
 tools/fit_image.c                  |   2 +-
 tools/mkimage.h                    |   2 +
 27 files changed, 781 insertions(+), 101 deletions(-)
 create mode 100644 test/py/tests/vboot_evil.py

-- 
2.30.0.478.g8a0d178c01-goog