From: Simon Glass Date: Tue, 16 Feb 2021 00:08:10 +0000 (-0700) Subject: image: Add an option to do a full check of the FIT X-Git-Tag: archive/raspbian/2021.01+dfsg-5+rpi1+deb11u2^2~3 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=7aca3f15e1ff9c4e4083c5d522209fe840c46423;p=u-boot.git image: Add an option to do a full check of the FIT Some strange modifications of the FIT can introduce security risks. Add an option to check it thoroughly, using libfdt's fdt_check_full() function. Enable this by default if signature verification is enabled. CVE-2021-27097 Signed-off-by: Simon Glass Reported-by: Bruce Monroe Reported-by: Arie Haenel Reported-by: Julien Lenoir Reviewed-By: Daniel Leidert Origin: https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01 Bug: https://github.com/advisories/GHSA-3w66-96j7-fmcp Bug-Debian: https://bugs.debian.org/983270 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-27097 Bug-Freexian-Security: https://deb.freexian.com/extended-lts/tracker/CVE-2021-27097 Gbp-Pq: Name CVE-2021-27097-3.patch --- diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 3f6d9c1a2..af906306d 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT SHA512 checksum is a 512-bit (64-byte) hash value used to check that the image contents have not been corrupted. +config FIT_FULL_CHECK + bool "Do a full check of the FIT before using it" + default y + help + Enable this do a full check of the FIT to make sure it is valid. This + helps to protect against carefully crafted FITs which take advantage + of bugs or omissions in the code. This includes a bad structure, + multiple root nodes and the like. + config FIT_SIGNATURE bool "Enable signature verification of FIT uImages" depends on DM 
@@ -70,6 +79,7 @@ config FIT_SIGNATURE select RSA select RSA_VERIFY select IMAGE_SIGN_INFO + select FIT_FULL_CHECK help This option enables signature verification of FIT uImages, using a hash signed and verified using RSA. If @@ -153,6 +163,15 @@ config SPL_FIT_PRINT help Support printing the content of the fitImage in a verbose manner in SPL. +config SPL_FIT_FULL_CHECK + bool "Do a full check of the FIT before using it" + help + Enable this do a full check of the FIT to make sure it is valid. This + helps to protect against carefully crafted FITs which take advantage + of bugs or omissions in the code. This includes a bad structure, + multiple root nodes and the like. + + config SPL_FIT_SIGNATURE bool "Enable signature verification of FIT firmware within SPL" depends on SPL_DM @@ -162,6 +181,7 @@ config SPL_FIT_SIGNATURE select SPL_RSA select SPL_RSA_VERIFY select SPL_IMAGE_SIGN_INFO + select SPL_FIT_FULL_CHECK config SPL_LOAD_FIT bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)" diff --git a/common/image-fit.c b/common/image-fit.c index 442433e55..b9edcc7a4 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -1564,6 +1564,22 @@ int fit_check_format(const void *fit, ulong size) return -ENOEXEC; } + if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) { + /* + * If we are not given the size, make do wtih calculating it. + * This is not as secure, so we should consider a flag to + * control this. + */ + if (size == IMAGE_SIZE_INVAL) + size = fdt_totalsize(fit); + ret = fdt_check_full(fit, size); + + if (ret) { + log_debug("FIT check error %d\n", ret); + return -EINVAL; + } + } + /* mandatory / node 'description' property */ if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) { log_debug("Wrong FIT format: no description\n");
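Review bot: the help text of FIT_FULL_CHECK in the common/Kconfig.boot hunk at `@@ -63,6 +63,15 @@` is missing a word: "Enable this do a full check of the FIT to make sure it is valid." should read "Enable this to do a full check of the FIT to make sure it is valid." The same sentence, with the same typo, is pasted verbatim into the SPL_FIT_FULL_CHECK help at `@@ -153,6 +163,15 @@`, so both copies need the fix.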
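Review bot: SPL_FIT_FULL_CHECK in the `@@ -153,6 +163,15 @@` hunk has no `default y`, while the non-SPL FIT_FULL_CHECK added earlier in the same file does, so an SPL that loads FITs without SPL_FIT_SIGNATURE enabled gets no full check unless the board config turns it on by hand. If that asymmetry is deliberate (SPL footprint), state it in the help text or commit message; otherwise add `default y` to match. Minor: the hunk also leaves two blank lines before `config SPL_FIT_SIGNATURE` where the rest of the file uses one.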
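Review bot: in the common/image-fit.c hunk, the `size == IMAGE_SIZE_INVAL` fallback sets `size = fdt_totalsize(fit)`, so the bound handed to fdt_check_full() is read from the header of the very buffer being validated; a crafted totalsize can therefore steer the checker past what the caller actually loaded, which is exactly the class of problem this option is meant to catch. The comment admits this is "not as secure", but a code comment is easy to lose: please make the callers that know the real buffer size pass it, and track the "consider a flag to control this" TODO in the commit message or a follow-up rather than leaving it only here. Two smaller points: "wtih" in the comment should be "with", and `ret` is assigned without a visible declaration in the hunk, so confirm fit_check_format() already declares it above the shown context.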