From 6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01 Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Mon, 15 Feb 2021 17:08:10 -0700 Subject: [PATCH] image: Add an option to do a full check of the FIT Some strange modifications of the FIT can introduce security risks. Add an option to check it thoroughly, using libfdt's fdt_check_full() function. Enable this by default if signature verification is enabled. CVE-2021-27097 Signed-off-by: Simon Glass Reported-by: Bruce Monroe Reported-by: Arie Haenel Reported-by: Julien Lenoir CVE: CVE-2021-27097 Upstream-Status: Backport[https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01] Signed-off-by: Scott Murray --- common/Kconfig.boot | 20 ++++++++++++++++++++ common/image-fit.c | 16 ++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/common/Kconfig.boot b/common/Kconfig.boot index 5eaabdfc27..7532e55edb 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT SHA512 checksum is a 512-bit (64-byte) hash value used to check that the image contents have not been corrupted. +config FIT_FULL_CHECK + bool "Do a full check of the FIT before using it" + default y + help + Enable this do a full check of the FIT to make sure it is valid. This + helps to protect against carefully crafted FITs which take advantage + of bugs or omissions in the code. This includes a bad structure, + multiple root nodes and the like. + config FIT_SIGNATURE bool "Enable signature verification of FIT uImages" depends on DM @@ -70,6 +79,7 @@ config FIT_SIGNATURE select RSA select RSA_VERIFY select IMAGE_SIGN_INFO + select FIT_FULL_CHECK help This option enables signature verification of FIT uImages, using a hash signed and verified using RSA. If @@ -159,6 +169,15 @@ config SPL_FIT_PRINT help Support printing the content of the fitImage in a verbose manner in SPL. +config SPL_FIT_FULL_CHECK + bool "Do a full check of the FIT before using it" + help + Enable this do a full check of the FIT to make sure it is valid. This + helps to protect against carefully crafted FITs which take advantage + of bugs or omissions in the code. This includes a bad structure, + multiple root nodes and the like. + + config SPL_FIT_SIGNATURE bool "Enable signature verification of FIT firmware within SPL" depends on SPL_DM @@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE select SPL_RSA select SPL_RSA_VERIFY select SPL_IMAGE_SIGN_INFO + select SPL_FIT_FULL_CHECK config SPL_LOAD_FIT bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)" diff --git a/common/image-fit.c b/common/image-fit.c index f6c0428a96..bcf395f6a1 100644 --- a/common/image-fit.c +++ b/common/image-fit.c @@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size) return -ENOEXEC; } + if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) { + /* + * If we are not given the size, make do wtih calculating it. + * This is not as secure, so we should consider a flag to + * control this. + */ + if (size == IMAGE_SIZE_INVAL) + size = fdt_totalsize(fit); + ret = fdt_check_full(fit, size); + + if (ret) { + log_debug("FIT check error %d\n", ret); + return -EINVAL; + } + } + /* mandatory / node 'description' property */ if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) { log_debug("Wrong FIT format: no description\n");