1 files changed, 101 insertions, 0 deletions

diff --git a/meta-openbmc-mods/meta-ast2500/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch b/meta-openbmc-mods/meta-ast2500/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch
new file mode 100644
index 000000000..687946e4c
--- /dev/null
+++ b/meta-openbmc-mods/meta-ast2500/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch
@@ -0,0 +1,101 @@
+From 86a746eecc231886fbca97db6c6544997b95e49a Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Tue, 31 Mar 2020 18:43:55 +0200
+Subject: [PATCH] fit_check_sign: Allow selecting the configuration to verify
+
+This tool always verifies the default configuration. It is useful to be
+able to verify a specific one. Add a command-line flag for this and plumb
+the logic through.
+
+Signed-off-by: Simon Glass <sjg@chromium.org>
+Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+---
+ tools/fdt_host.h       | 3 ++-
+ tools/fit_check_sign.c | 8 ++++++--
+ tools/image-host.c     | 6 ++++--
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/tools/fdt_host.h b/tools/fdt_host.h
+index 134d9657139b..4eceab19dd3a 100644
+--- a/tools/fdt_host.h
++++ b/tools/fdt_host.h
+@@ -11,6 +11,7 @@
+ #include "../include/libfdt.h"
+ #include "../include/fdt_support.h"
+ 
+-int fit_check_sign(const void *working_fdt, const void *key);
++int fit_check_sign(const void *fit, const void *key,
++		   const char *fit_uname_config);
+ 
+ #endif /* __FDT_HOST_H__ */
+diff --git a/tools/fit_check_sign.c b/tools/fit_check_sign.c
+index d9361b00950c..e9a489db3920 100644
+--- a/tools/fit_check_sign.c
++++ b/tools/fit_check_sign.c
+@@ -42,6 +42,7 @@ int main(int argc, char **argv)
+ 	void *fit_blob;
+ 	char *fdtfile = NULL;
+ 	char *keyfile = NULL;
++	char *config_name = NULL;
+ 	char cmdname[256];
+ 	int ret;
+ 	void *key_blob;
+@@ -49,7 +50,7 @@ int main(int argc, char **argv)
+ 
+ 	strncpy(cmdname, *argv, sizeof(cmdname) - 1);
+ 	cmdname[sizeof(cmdname) - 1] = '\0';
+-	while ((c = getopt(argc, argv, "f:k:")) != -1)
++	while ((c = getopt(argc, argv, "f:k:c:")) != -1)
+ 		switch (c) {
+ 		case 'f':
+ 			fdtfile = optarg;
+@@ -57,6 +58,9 @@ int main(int argc, char **argv)
+ 		case 'k':
+ 			keyfile = optarg;
+ 			break;
++		case 'c':
++			config_name = optarg;
++			break;
+ 		default:
+ 			usage(cmdname);
+ 			break;
+@@ -79,7 +83,7 @@ int main(int argc, char **argv)
+ 		return EXIT_FAILURE;
+ 
+ 	image_set_host_blob(key_blob);
+-	ret = fit_check_sign(fit_blob, key_blob);
++	ret = fit_check_sign(fit_blob, key_blob, config_name);
+ 	if (!ret) {
+ 		ret = EXIT_SUCCESS;
+ 		fprintf(stderr, "Signature check OK\n");
+diff --git a/tools/image-host.c b/tools/image-host.c
+index 01fdec276da4..da374eeabf5e 100644
+--- a/tools/image-host.c
++++ b/tools/image-host.c
+@@ -708,12 +708,13 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
+ }
+ 
+ #ifdef CONFIG_FIT_SIGNATURE
+-int fit_check_sign(const void *fit, const void *key)
++int fit_check_sign(const void *fit, const void *key,
++		   const char *fit_uname_config)
+ {
+ 	int cfg_noffset;
+ 	int ret;
+ 
+-	cfg_noffset = fit_conf_get_node(fit, NULL);
++	cfg_noffset = fit_conf_get_node(fit, fit_uname_config);
+ 	if (!cfg_noffset)
+ 		return -1;
+ 
+@@ -722,6 +723,7 @@ int fit_check_sign(const void *fit, const void *key)
+ 	ret = fit_config_verify(fit, cfg_noffset);
+ 	if (ret)
+ 		return ret;
++	printf("Verified OK, loading images\n");
+ 	ret = bootm_host_load_images(fit, cfg_noffset);
+ 
+ 	return ret;
+-- 
+2.17.1
+