From 28e53cfa17bf8f34a7a35cc2dfee2095e4560052 Mon Sep 17 00:00:00 2001
From: Max Krummenacher
Date: Mon, 3 May 2021 22:13:50 +0200
Subject: imx-mkimage, imx-boot: stop using unit addresses in fit image creation

Related-to: ELB-3957
Signed-off-by: Max Krummenacher
---
...age_fit_atf-fix-fit-generator-node-naming.patch | 166 +++++++++++++++++++++
.../recipes-bsp/imx-mkimage/imx-mkimage_git.inc | 5 +-
2 files changed, 170 insertions(+), 1 deletion(-)
create mode 100644 backports/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch

diff --git a/backports/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch b/backports/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch
new file mode 100644
index 0000000..3c2842a
--- /dev/null
+++ b/backports/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch
@@ -0,0 +1,166 @@ +From 9cf936493388897379f33b511ec869c6fa5409ce Mon Sep 17 00:00:00 2001 +From: Andrey Zhizhikin +Date: Thu, 22 Apr 2021 12:20:28 +0000 +Subject: [PATCH] mkimage_fit_atf: fix fit generator node naming + +Since upstream commit 79af75f777 ("fit: Don't allow verification of images +with @ nodes") [1], unit addresses on the nodes are prohibited and nodes +that do contain those addresses are ignored during the ITS parsing. This +is done in an effort to cover the CVE-2021-27138, where nodes with unit +addresses can be mis-interpreted by libfdt. + +Correct FIT generator script and replace nodes with unit addresses to +plain node names with "-" instead of "@" to create a unique naming. + +In addition, extend sections which contains "firmware" in their types +with "os" parameter to conform to the latest FIT specification. + +Indicate that load and entry addresses are covered by one 32-bit value +by adding "address-cells" in the root node of the generated ITS. + +Upstream-Status: Inappropriate [script is imx-boot specific] +Link: [1] https://github.com/u-boot/u-boot/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4 +Signed-off-by: Andrey Zhizhikin +Cc: Tom Hochstein +--- + iMX8M/mkimage_fit_atf.sh | 40 ++++++++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 18 deletions(-) + +diff --git a/iMX8M/mkimage_fit_atf.sh b/iMX8M/mkimage_fit_atf.sh +index 95749b1..10903ea 100755 +--- a/iMX8M/mkimage_fit_atf.sh ++++ b/iMX8M/mkimage_fit_atf.sh +@@ -23,7 +23,7 @@ else + fi + + BL32="tee.bin" +-LOADABLES="\"atf@1\"" ++LOADABLES="\"atf-1\"" + + if [ ! -f $BL32 ]; then + BL32=/dev/null +@@ -31,7 +31,7 @@ else + echo "Building with TEE support, make sure your bl31 is compiled with spd. If you do not want tee, please delete tee.bin" >&2 + echo "tee.bin size: " >&2 + ls -lct tee.bin | awk '{print $5}' >&2 +- LOADABLES="$LOADABLES, \"tee@1\"" ++ LOADABLES="$LOADABLES, \"tee-1\"" + fi + + BL33="u-boot-nodtb.bin" +@@ -41,7 +41,7 @@ if [ ! 
-f $DEK_BLOB ]; then + DEK_BLOB=/dev/null + else + echo "Building with encrypted boot support, make sure to replace DEK Blob in final image." >&2 +- LOADABLES="\"dek_blob@1\", $LOADABLES" ++ LOADABLES="\"dek_blob-1\", $LOADABLES" + fi + + if [ ! -f $BL33 ]; then +@@ -64,10 +64,12 @@ cat << __HEADER_EOF + + / { + description = "Configuration to load ATF before U-Boot"; ++ #address-cells = <1>; + + images { +- uboot@1 { ++ uboot-1 { + description = "U-Boot (64-bit)"; ++ os = "u-boot"; + data = /incbin/("$BL33"); + type = "standalone"; + arch = "arm64"; +@@ -80,7 +82,7 @@ cnt=1 + for dtname in $* + do + cat << __FDT_IMAGE_EOF +- fdt@$cnt { ++ fdt-$cnt { + description = "$(basename $dtname .dtb)"; + data = /incbin/("$dtname"); + type = "flat_dt"; +@@ -91,8 +93,9 @@ cnt=$((cnt+1)) + done + + cat << __HEADER_EOF +- atf@1 { ++ atf-1 { + description = "ARM Trusted Firmware"; ++ os = "arm-trusted-firmware"; + data = /incbin/("$BL31"); + type = "firmware"; + arch = "arm64"; +@@ -104,8 +107,9 @@ __HEADER_EOF + + if [ -f $BL32 ]; then + cat << __HEADER_EOF +- tee@1 { ++ tee-1 { + description = "TEE firmware"; ++ os = "op-tee-firmware"; + data = /incbin/("$BL32"); + type = "firmware"; + arch = "arm64"; +@@ -118,7 +122,7 @@ fi + + if [ -f $DEK_BLOB ]; then + cat << __HEADER_EOF +- dek_blob@1 { ++ dek_blob-1 { + description = "dek_blob"; + data = /incbin/("$DEK_BLOB"); + type = "script"; +@@ -131,7 +135,7 @@ fi + cat << __CONF_HEADER_EOF + }; + configurations { +- default = "config@1"; ++ default = "config-1"; + + __CONF_HEADER_EOF + +@@ -141,31 +145,31 @@ do + if [ -f $BL32 ]; then + if [ $ROLLBACK_INDEX_IN_FIT ]; then + cat << __CONF_SECTION_EOF +- config@$cnt { ++ config-$cnt { + description = "$(basename $dtname .dtb)"; +- firmware = "uboot@1"; ++ firmware = "uboot-1"; + loadables = $LOADABLES; +- fdt = "fdt@$cnt"; ++ fdt = "fdt-$cnt"; + rbindex = "$ROLLBACK_INDEX_IN_FIT"; + }; + __CONF_SECTION_EOF + else + cat << __CONF_SECTION_EOF +- config@$cnt { ++ config-$cnt { + 
description = "$(basename $dtname .dtb)"; +- firmware = "uboot@1"; ++ firmware = "uboot-1"; + loadables = $LOADABLES; +- fdt = "fdt@$cnt"; ++ fdt = "fdt-$cnt"; + }; + __CONF_SECTION_EOF + fi + else + cat << __CONF_SECTION1_EOF +- config@$cnt { ++ config-$cnt { + description = "$(basename $dtname .dtb)"; +- firmware = "uboot@1"; ++ firmware = "uboot-1"; + loadables = $LOADABLES; +- fdt = "fdt@$cnt"; ++ fdt = "fdt-$cnt"; + }; + __CONF_SECTION1_EOF + fi +-- +2.17.1 + diff --git a/backports/recipes-bsp/imx-mkimage/imx-mkimage_git.inc b/backports/recipes-bsp/imx-mkimage/imx-mkimage_git.inc index 1eba510..e52fd72 100644 --- a/backports/recipes-bsp/imx-mkimage/imx-mkimage_git.inc +++ b/backports/recipes-bsp/imx-mkimage/imx-mkimage_git.inc @@ -3,7 +3,10 @@ DEPENDS = "zlib-native openssl-native" SRCBRANCH = "imx_5.4.70_2.3.0" -SRC_URI = "git://source.codeaurora.org/external/imx/imx-mkimage.git;protocol=https;branch=${SRCBRANCH}" +SRC_URI = "git://source.codeaurora.org/external/imx/imx-mkimage.git;protocol=https;branch=${SRCBRANCH} \ + file://0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch \ +" + SRCREV = "8947fea369ab3932259630232cfb9f87b8f9dda1" S = "${WORKDIR}/git" -- cgit v1.2.3
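Review bot: The renamed image and configuration nodes visible in this hunk (`uboot-1`, `atf-1`, `tee-1`, `dek_blob-1`, `config-$cnt`) carry no `hash` or `signature` subnodes, so unless those are emitted by lines of mkimage_fit_atf.sh outside the hunk, the rename only makes the generated FIT acceptable to a U-Boot carrying the CVE-2021-27138 fix — it does not make the container verified, and a board that relies on FIT_SIGNATURE still needs hash/signature nodes added to the generator. The reason for the `-` naming lives only in the patch description, so a later edit can silently reintroduce `@`; I would add a comment next to the first assignment: `# Node names use "-" rather than "@": U-Boot with the CVE-2021-27138 fix (commit 79af75f777) refuses to verify FITs whose nodes carry unit addresses.` The new `os = "op-tee-firmware"` and `os = "arm-trusted-firmware"` values should be checked against the os-name table of the U-Boot/mkimage that consumes this FIT — to my recollection the upstream name for a TEE image is `tee`, and an unrecognized name resolves to IH_OS_INVALID, which could matter if SPL special-cases a TEE loadable. The heredoc bodies and the `if [ -f $BL32 ]` / `for dtname` blocks start and end outside the hunk.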
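Review bot: The commit subject names imx-boot as well, but the diffstat only touches the imx-mkimage recipe and its new patch; any consumer that selects FIT nodes by their old names — an imx-boot recipe step, a board U-Boot environment (`bootm ... #config@1`), or a `fit_check_sign -c config@1` invocation — breaks once the generator emits `config-1`/`uboot-1`, so it is worth confirming that no such reference remains. The patch is marked `Upstream-Status: Inappropriate`, so it must be re-validated on every SRCREV/SRCBRANCH bump of this `.inc`; with SRCREV pinned here that is at least deterministic. A one-line comment above the `file://` entry, `# keep in sync with iMX8M/mkimage_fit_atf.sh on SRCREV bumps`, would make that expectation visible to whoever next updates the recipe.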