Diffstat (limited to 'meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch')
-rw-r--r-- | meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch b/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch
new file mode 100644
index 000000000..3094e7ecc
--- /dev/null
+++ b/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch
@@ -0,0 +1,101 @@
+From 77b652268cacc0f114ba9e92b79e7ff372ec62ee Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Tue, 31 Mar 2020 18:43:55 +0200
+Subject: [PATCH] fit_check_sign: Allow selecting the configuration to verify
+
+This tool always verifies the default configuration. It is useful to be
+able to verify a specific one. Add a command-line flag for this and plumb
+the logic through.
+
+Signed-off-by: Simon Glass <sjg@chromium.org>
+Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+---
+ tools/fdt_host.h | 3 ++-
+ tools/fit_check_sign.c | 8 ++++++--
+ tools/image-host.c | 6 ++++--
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/tools/fdt_host.h b/tools/fdt_host.h
+index 99b009b22109..15c07c7a96ed 100644
+--- a/tools/fdt_host.h
++++ b/tools/fdt_host.h
+@@ -27,6 +27,7 @@
+ */
+ int fdt_remove_unused_strings(const void *old, void *new);
+
+-int fit_check_sign(const void *working_fdt, const void *key);
++int fit_check_sign(const void *fit, const void *key,
++ const char *fit_uname_config);
+
+ #endif /* __FDT_HOST_H__ */
+diff --git a/tools/fit_check_sign.c b/tools/fit_check_sign.c
+index 62adc751cbce..303e878ddb4d 100644
+--- a/tools/fit_check_sign.c
++++ b/tools/fit_check_sign.c
+@@ -41,6 +41,7 @@ int main(int argc, char **argv)
+ void *fit_blob;
+ char *fdtfile = NULL;
+ char *keyfile = NULL;
++ char *config_name = NULL;
+ char cmdname[256];
+ int ret;
+ void *key_blob;
+@@ -48,7 +49,7 @@ int main(int argc, char **argv)
+
+ strncpy(cmdname, *argv, sizeof(cmdname) - 1);
+ cmdname[sizeof(cmdname) - 1] = '\0';
+- while ((c = getopt(argc, argv, "f:k:")) != -1)
++ while ((c = getopt(argc, argv, "f:k:c:")) != -1)
+ switch (c) {
+ case 'f':
+ fdtfile = optarg;
+@@ -56,6 +57,9 @@ int main(int argc, char **argv)
+ case 'k':
+ keyfile = optarg;
+ break;
++ case 'c':
++ config_name = optarg;
++ break;
+ default:
+ usage(cmdname);
+ break;
+@@ -78,7 +82,7 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+
+ image_set_host_blob(key_blob);
+- ret = fit_check_sign(fit_blob, key_blob);
++ ret = fit_check_sign(fit_blob, key_blob, config_name);
+ if (!ret) {
+ ret = EXIT_SUCCESS;
+ fprintf(stderr, "Signature check OK\n");
+diff --git a/tools/image-host.c b/tools/image-host.c
+index 8e94ee8f3e31..28474bc7fc8b 100644
+--- a/tools/image-host.c
++++ b/tools/image-host.c
+@@ -734,12 +734,13 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
+ }
+
+ #ifdef CONFIG_FIT_SIGNATURE
+-int fit_check_sign(const void *fit, const void *key)
++int fit_check_sign(const void *fit, const void *key,
++ const char *fit_uname_config)
+ {
+ int cfg_noffset;
+ int ret;
+
+- cfg_noffset = fit_conf_get_node(fit, NULL);
++ cfg_noffset = fit_conf_get_node(fit, fit_uname_config);
+ if (!cfg_noffset)
+ return -1;
+
+@@ -748,6 +749,7 @@ int fit_check_sign(const void *fit, const void *key)
+ ret = fit_config_verify(fit, cfg_noffset);
+ if (ret)
+ return ret;
++ printf("Verified OK, loading images\n");
+ ret = bootm_host_load_images(fit, cfg_noffset);
+
+ return ret;
+--
+2.17.1
+ |
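Review bot: In the tools/image-host.c part of the embedded patch, the unchanged guard `if (!cfg_noffset)` rejects only offset 0, yet it is now the sole check on a configuration name supplied through the new `-c` option. As far as I know `fit_conf_get_node()` reports a missing configuration as a negative libfdt error code, so a mistyped name would slip past this test and the negative offset would reach `fit_config_verify()`. A signature-checking tool should fail closed here: `if (cfg_noffset < 0) return -1;`, ideally with a message naming the configuration that was not found. Separately, the inner diffstat for tools/fit_check_sign.c (8 changed lines) is fully accounted for by the lines shown, so `usage()` appears not to document `-c`, and the help text should gain a line for it. Part of `fit_check_sign()` lies between the two inner hunks and is not visible here.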