Re: [PATCH 6/8] image: Add an option to do a full check of the FIT

2021-02-15 Thread Tom Rini 
On Mon, Feb 15, 2021 at 05:08:10PM -0700, Simon Glass wrote:

> Some strange modifications of the FIT can introduce security risks. Add an
> option to check it thoroughly, using libfdt's fdt_check_full() function.
> 
> Enable this by default if signature verification is enabled.
> 
> CVE-2021-27097
> 
> Signed-off-by: Simon Glass 
> Reported-by: Bruce Monroe 
> Reported-by: Arie Haenel 
> Reported-by: Julien Lenoir 

Applied to u-boot/master, thanks!

-- 
Tom


signature.asc
Description: PGP signature

[PATCH 6/8] image: Add an option to do a full check of the FIT

2021-02-15 Thread Simon Glass 
Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.

Enable this by default if signature verification is enabled.

CVE-2021-27097

Signed-off-by: Simon Glass 
Reported-by: Bruce Monroe 
Reported-by: Arie Haenel 
Reported-by: Julien Lenoir 
---

 common/Kconfig.boot | 20 
 common/image-fit.c  | 16 
 2 files changed, 36 insertions(+)

diff --git a/common/Kconfig.boot b/common/Kconfig.boot
index 5eaabdfc27f..7532e55edb8 100644
--- a/common/Kconfig.boot
+++ b/common/Kconfig.boot
@@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT
  SHA512 checksum is a 512-bit (64-byte) hash value used to check that
  the image contents have not been corrupted.
 
+config FIT_FULL_CHECK
+   bool "Do a full check of the FIT before using it"
+   default y
+   help
+ Enable this do a full check of the FIT to make sure it is valid. This
+ helps to protect against carefully crafted FITs which take advantage
+ of bugs or omissions in the code. This includes a bad structure,
+ multiple root nodes and the like.
+
 config FIT_SIGNATURE
bool "Enable signature verification of FIT uImages"
depends on DM
@@ -70,6 +79,7 @@ config FIT_SIGNATURE
select RSA
select RSA_VERIFY
select IMAGE_SIGN_INFO
+   select FIT_FULL_CHECK
help
  This option enables signature verification of FIT uImages,
  using a hash signed and verified using RSA. If
@@ -159,6 +169,15 @@ config SPL_FIT_PRINT
help
  Support printing the content of the fitImage in a verbose manner in 
SPL.
 
+config SPL_FIT_FULL_CHECK
+   bool "Do a full check of the FIT before using it"
+   help
+ Enable this do a full check of the FIT to make sure it is valid. This
+ helps to protect against carefully crafted FITs which take advantage
+ of bugs or omissions in the code. This includes a bad structure,
+ multiple root nodes and the like.
+
+
 config SPL_FIT_SIGNATURE
bool "Enable signature verification of FIT firmware within SPL"
depends on SPL_DM
@@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE
select SPL_RSA
select SPL_RSA_VERIFY
select SPL_IMAGE_SIGN_INFO
+   select SPL_FIT_FULL_CHECK
 
 config SPL_LOAD_FIT
bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"
diff --git a/common/image-fit.c b/common/image-fit.c
index f6c0428a96b..bcf395f6a18 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size)
return -ENOEXEC;
}
 
+   if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
+   /*
+* If we are not given the size, make do wtih calculating it.
+* This is not as secure, so we should consider a flag to
+* control this.
+*/
+   if (size == IMAGE_SIZE_INVAL)
+   size = fdt_totalsize(fit);
+   ret = fdt_check_full(fit, size);
+
+   if (ret) {
+   log_debug("FIT check error %d\n", ret);
+   return -EINVAL;
+   }
+   }
+
/* mandatory / node 'description' property */
if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
log_debug("Wrong FIT format: no description\n");
-- 
2.30.0.478.g8a0d178c01-goog