diff options
Diffstat (limited to 'recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch')
| -rw-r--r-- | recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch | 135 |
1 files changed, 12 insertions, 123 deletions
diff --git a/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch b/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch index 3c2842af..5a4a895b 100644 --- a/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch +++ b/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch @@ -1,19 +1,10 @@ -From 9cf936493388897379f33b511ec869c6fa5409ce Mon Sep 17 00:00:00 2001 +From f281b935985f1b592534ee2837ce0d0b28c7dc43 Mon Sep 17 00:00:00 2001 From: Andrey Zhizhikin <andrey.z@gmail.com> -Date: Thu, 22 Apr 2021 12:20:28 +0000 +Date: Tue, 11 Jan 2022 15:32:05 -0600 Subject: [PATCH] mkimage_fit_atf: fix fit generator node naming -Since upstream commit 79af75f777 ("fit: Don't allow verification of images -with @ nodes") [1], unit addresses on the nodes are prohibited and nodes -that do contain those addresses are ignored during the ITS parsing. This -is done in an effort to cover the CVE-2021-27138, where nodes with unit -addresses can be mis-interpreted by libfdt. - -Correct FIT generator script and replace nodes with unit addresses to -plain node names with "-" instead of "@" to create a unique naming. - -In addition, extend sections which contains "firmware" in their types -with "os" parameter to conform to the latest FIT specification. +Extend sections which contains "firmware" in their types with "os" +parameter to conform to the latest FIT specification. Indicate that load and entry addresses are covered by one 32-bit value by adding "address-cells" in the root node of the generated ITS. @@ -23,40 +14,13 @@ Link: [1] https://github.com/u-boot/u-boot/commit/79af75f7776fc20b0d7eb6afe1e27c Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com> Cc: Tom Hochstein <tom.hochstein@nxp.com> --- - iMX8M/mkimage_fit_atf.sh | 40 ++++++++++++++++++++++------------------ - 1 file changed, 22 insertions(+), 18 deletions(-) + iMX8M/mkimage_fit_atf.sh | 4 ++++ + 1 file changed, 4 insertions(+) diff --git a/iMX8M/mkimage_fit_atf.sh b/iMX8M/mkimage_fit_atf.sh -index 95749b1..10903ea 100755 +index 4f2b3f3..10903ea 100755 --- a/iMX8M/mkimage_fit_atf.sh +++ b/iMX8M/mkimage_fit_atf.sh -@@ -23,7 +23,7 @@ else - fi - - BL32="tee.bin" --LOADABLES="\"atf@1\"" -+LOADABLES="\"atf-1\"" - - if [ ! -f $BL32 ]; then - BL32=/dev/null -@@ -31,7 +31,7 @@ else - echo "Building with TEE support, make sure your bl31 is compiled with spd. If you do not want tee, please delete tee.bin" >&2 - echo "tee.bin size: " >&2 - ls -lct tee.bin | awk '{print $5}' >&2 -- LOADABLES="$LOADABLES, \"tee@1\"" -+ LOADABLES="$LOADABLES, \"tee-1\"" - fi - - BL33="u-boot-nodtb.bin" -@@ -41,7 +41,7 @@ if [ ! -f $DEK_BLOB ]; then - DEK_BLOB=/dev/null - else - echo "Building with encrypted boot support, make sure to replace DEK Blob in final image." >&2 -- LOADABLES="\"dek_blob@1\", $LOADABLES" -+ LOADABLES="\"dek_blob-1\", $LOADABLES" - fi - - if [ ! -f $BL33 ]; then @@ -64,10 +64,12 @@ cat << __HEADER_EOF / { @@ -64,103 +28,28 @@ index 95749b1..10903ea 100755 + #address-cells = <1>; images { -- uboot@1 { -+ uboot-1 { + uboot-1 { description = "U-Boot (64-bit)"; + os = "u-boot"; data = /incbin/("$BL33"); type = "standalone"; arch = "arm64"; -@@ -80,7 +82,7 @@ cnt=1 - for dtname in $* - do - cat << __FDT_IMAGE_EOF -- fdt@$cnt { -+ fdt-$cnt { - description = "$(basename $dtname .dtb)"; - data = /incbin/("$dtname"); - type = "flat_dt"; -@@ -91,8 +93,9 @@ cnt=$((cnt+1)) - done - +@@ -93,6 +95,7 @@ done cat << __HEADER_EOF -- atf@1 { -+ atf-1 { + atf-1 { description = "ARM Trusted Firmware"; + os = "arm-trusted-firmware"; data = /incbin/("$BL31"); type = "firmware"; arch = "arm64"; -@@ -104,8 +107,9 @@ __HEADER_EOF - - if [ -f $BL32 ]; then +@@ -106,6 +109,7 @@ if [ -f $BL32 ]; then cat << __HEADER_EOF -- tee@1 { -+ tee-1 { + tee-1 { description = "TEE firmware"; + os = "op-tee-firmware"; data = /incbin/("$BL32"); type = "firmware"; arch = "arm64"; -@@ -118,7 +122,7 @@ fi - - if [ -f $DEK_BLOB ]; then - cat << __HEADER_EOF -- dek_blob@1 { -+ dek_blob-1 { - description = "dek_blob"; - data = /incbin/("$DEK_BLOB"); - type = "script"; -@@ -131,7 +135,7 @@ fi - cat << __CONF_HEADER_EOF - }; - configurations { -- default = "config@1"; -+ default = "config-1"; - - __CONF_HEADER_EOF - -@@ -141,31 +145,31 @@ do - if [ -f $BL32 ]; then - if [ $ROLLBACK_INDEX_IN_FIT ]; then - cat << __CONF_SECTION_EOF -- config@$cnt { -+ config-$cnt { - description = "$(basename $dtname .dtb)"; -- firmware = "uboot@1"; -+ firmware = "uboot-1"; - loadables = $LOADABLES; -- fdt = "fdt@$cnt"; -+ fdt = "fdt-$cnt"; - rbindex = "$ROLLBACK_INDEX_IN_FIT"; - }; - __CONF_SECTION_EOF - else - cat << __CONF_SECTION_EOF -- config@$cnt { -+ config-$cnt { - description = "$(basename $dtname .dtb)"; -- firmware = "uboot@1"; -+ firmware = "uboot-1"; - loadables = $LOADABLES; -- fdt = "fdt@$cnt"; -+ fdt = "fdt-$cnt"; - }; - __CONF_SECTION_EOF - fi - else - cat << __CONF_SECTION1_EOF -- config@$cnt { -+ config-$cnt { - description = "$(basename $dtname .dtb)"; -- firmware = "uboot@1"; -+ firmware = "uboot-1"; - loadables = $LOADABLES; -- fdt = "fdt@$cnt"; -+ fdt = "fdt-$cnt"; - }; - __CONF_SECTION1_EOF - fi -- 2.17.1 |