1 files changed, 101 insertions, 0 deletions

diff --git a/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch b/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch
new file mode 100644
index 000000000..3094e7ecc
--- /dev/null
+++ b/meta-openbmc-mods/meta-ast2600/recipes-bsp/u-boot/files/CVE-2020-10648/0009-fit_check_sign-Allow-selecting-the-configuration-to-.patch
@@ -0,0 +1,101 @@
+From 77b652268cacc0f114ba9e92b79e7ff372ec62ee Mon Sep 17 00:00:00 2001
+From: Simon Glass <sjg@chromium.org>
+Date: Tue, 31 Mar 2020 18:43:55 +0200
+Subject: [PATCH] fit_check_sign: Allow selecting the configuration to verify
+
+This tool always verifies the default configuration. It is useful to be
+able to verify a specific one. Add a command-line flag for this and plumb
+the logic through.
+
+Signed-off-by: Simon Glass <sjg@chromium.org>
+Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
+---
+ tools/fdt_host.h       | 3 ++-
+ tools/fit_check_sign.c | 8 ++++++--
+ tools/image-host.c     | 6 ++++--
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/tools/fdt_host.h b/tools/fdt_host.h
+index 99b009b22109..15c07c7a96ed 100644
+--- a/tools/fdt_host.h
++++ b/tools/fdt_host.h
+@@ -27,6 +27,7 @@
+  */
+ int fdt_remove_unused_strings(const void *old, void *new);
+ 
+-int fit_check_sign(const void *working_fdt, const void *key);
++int fit_check_sign(const void *fit, const void *key,
++		   const char *fit_uname_config);
+ 
+ #endif /* __FDT_HOST_H__ */
+diff --git a/tools/fit_check_sign.c b/tools/fit_check_sign.c
+index 62adc751cbce..303e878ddb4d 100644
+--- a/tools/fit_check_sign.c
++++ b/tools/fit_check_sign.c
+@@ -41,6 +41,7 @@ int main(int argc, char **argv)
+ 	void *fit_blob;
+ 	char *fdtfile = NULL;
+ 	char *keyfile = NULL;
++	char *config_name = NULL;
+ 	char cmdname[256];
+ 	int ret;
+ 	void *key_blob;
+@@ -48,7 +49,7 @@ int main(int argc, char **argv)
+ 
+ 	strncpy(cmdname, *argv, sizeof(cmdname) - 1);
+ 	cmdname[sizeof(cmdname) - 1] = '\0';
+-	while ((c = getopt(argc, argv, "f:k:")) != -1)
++	while ((c = getopt(argc, argv, "f:k:c:")) != -1)
+ 		switch (c) {
+ 		case 'f':
+ 			fdtfile = optarg;
+@@ -56,6 +57,9 @@ int main(int argc, char **argv)
+ 		case 'k':
+ 			keyfile = optarg;
+ 			break;
++		case 'c':
++			config_name = optarg;
++			break;
+ 		default:
+ 			usage(cmdname);
+ 			break;
+@@ -78,7 +82,7 @@ int main(int argc, char **argv)
+ 		return EXIT_FAILURE;
+ 
+ 	image_set_host_blob(key_blob);
+-	ret = fit_check_sign(fit_blob, key_blob);
++	ret = fit_check_sign(fit_blob, key_blob, config_name);
+ 	if (!ret) {
+ 		ret = EXIT_SUCCESS;
+ 		fprintf(stderr, "Signature check OK\n");
+diff --git a/tools/image-host.c b/tools/image-host.c
+index 8e94ee8f3e31..28474bc7fc8b 100644
+--- a/tools/image-host.c
++++ b/tools/image-host.c
+@@ -734,12 +734,13 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
+ }
+ 
+ #ifdef CONFIG_FIT_SIGNATURE
+-int fit_check_sign(const void *fit, const void *key)
++int fit_check_sign(const void *fit, const void *key,
++		   const char *fit_uname_config)
+ {
+ 	int cfg_noffset;
+ 	int ret;
+ 
+-	cfg_noffset = fit_conf_get_node(fit, NULL);
++	cfg_noffset = fit_conf_get_node(fit, fit_uname_config);
+ 	if (!cfg_noffset)
+ 		return -1;
+ 
+@@ -748,6 +749,7 @@ int fit_check_sign(const void *fit, const void *key)
+ 	ret = fit_config_verify(fit, cfg_noffset);
+ 	if (ret)
+ 		return ret;
++	printf("Verified OK, loading images\n");
+ 	ret = bootm_host_load_images(fit, cfg_noffset);
+ 
+ 	return ret;
+-- 
+2.17.1
+