image: Add an option to do a full check of the FIT
Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.

Enable this by default if signature verification is enabled.

CVE-2021-27097

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
sjg20 authored and trini committed Feb 16, 2021
1 parent c581970 commit 6f3c2d8
Showing 2 changed files with 36 additions and 0 deletions.
20 changes: 20 additions & 0 deletions common/Kconfig.boot
Expand Up @@ -63,13 +63,23 @@ config FIT_ENABLE_SHA512_SUPPORT
SHA512 checksum is a 512-bit (64-byte) hash value used to check that
the image contents have not been corrupted.

config FIT_FULL_CHECK
bool "Do a full check of the FIT before using it"
default y
help
Enable this do a full check of the FIT to make sure it is valid. This
helps to protect against carefully crafted FITs which take advantage
of bugs or omissions in the code. This includes a bad structure,
multiple root nodes and the like.

config FIT_SIGNATURE
bool "Enable signature verification of FIT uImages"
depends on DM
select HASH
select RSA
select RSA_VERIFY
select IMAGE_SIGN_INFO
select FIT_FULL_CHECK
help
This option enables signature verification of FIT uImages,
using a hash signed and verified using RSA. If
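Review bot: the help text for FIT_FULL_CHECK reads "Enable this do a full check of the FIT", which is missing a word; it should read "Enable this to do a full check of the FIT". Separately, since the option is both `default y` and selected by FIT_SIGNATURE, a user can turn it off only in builds without signature verification, which matches the commit message's intent ("Enable this by default if signature verification is enabled"); it would be worth stating in the help text that it cannot be disabled when FIT_SIGNATURE is set, so nobody is surprised that the option is greyed out.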
Expand Down Expand Up @@ -159,6 +169,15 @@ config SPL_FIT_PRINT
help
Support printing the content of the fitImage in a verbose manner in SPL.

config SPL_FIT_FULL_CHECK
bool "Do a full check of the FIT before using it"
help
Enable this do a full check of the FIT to make sure it is valid. This
helps to protect against carefully crafted FITs which take advantage
of bugs or omissions in the code. This includes a bad structure,
multiple root nodes and the like.


config SPL_FIT_SIGNATURE
bool "Enable signature verification of FIT firmware within SPL"
depends on SPL_DM
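Review bot: the same "Enable this do a full check" typo is repeated in the SPL_FIT_FULL_CHECK help text and should be fixed to "Enable this to do a full check". Also, unlike the non-SPL FIT_FULL_CHECK, this entry has no `default y`, so an SPL build that loads a FIT without SPL_FIT_SIGNATURE gets no structural check unless the user enables it by hand; if that difference is deliberate (SPL size pressure), a one-line note in the help text would help, and if not, consider adding `default y` for consistency. There is also a stray second blank line before `config SPL_FIT_SIGNATURE` that should be dropped.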
Expand All @@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE
select SPL_RSA
select SPL_RSA_VERIFY
select SPL_IMAGE_SIGN_INFO
select SPL_FIT_FULL_CHECK

config SPL_LOAD_FIT
bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
16 changes: 16 additions & 0 deletions common/image-fit.c
Expand Up @@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size)
return -ENOEXEC;
}

if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
/*
* If we are not given the size, make do wtih calculating it.
* This is not as secure, so we should consider a flag to
* control this.
*/
if (size == IMAGE_SIZE_INVAL)
size = fdt_totalsize(fit);
ret = fdt_check_full(fit, size);

if (ret) {
log_debug("FIT check error %d\n", ret);
return -EINVAL;
}
}

/* mandatory / node 'description' property */
if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
log_debug("Wrong FIT format: no description\n");
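Review bot: the fallback `size = fdt_totalsize(fit)` when the caller passes IMAGE_SIZE_INVAL takes the bound from the header of the very buffer being validated, so an oversized totalsize lets fdt_check_full() read past the real image; the comment acknowledges this ("This is not as secure") but the code still silently accepts it. Suggest either requiring callers to pass a real size (and rejecting IMAGE_SIZE_INVAL when FIT_FULL_CHECK is on) or at least emitting a log_debug() when the fallback is taken so the weaker path is visible. Minor points: the comment typo "wtih" should be "with", the blank line between `ret = fdt_check_full(fit, size);` and `if (ret)` can go, and the failure returns -EINVAL while the earlier format check a few lines above returns -ENOEXEC, so callers now get two different codes for "this is not a valid FIT"; pick one, or document why they differ.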