path: root/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch
blob: 3c2842afdc905447a9a0b2b666fffccbb9a88672 (plain)
From 9cf936493388897379f33b511ec869c6fa5409ce Mon Sep 17 00:00:00 2001
From: Andrey Zhizhikin <andrey.z@gmail.com>
Date: Thu, 22 Apr 2021 12:20:28 +0000
Subject: [PATCH] mkimage_fit_atf: fix fit generator node naming

Since upstream commit 79af75f777 ("fit: Don't allow verification of images
with @ nodes") [1], unit addresses on the nodes are prohibited and nodes
that do contain those addresses are ignored during the ITS parsing. This
is done in an effort to cover the CVE-2021-27138, where nodes with unit
addresses can be mis-interpreted by libfdt.

Correct FIT generator script and replace nodes with unit addresses to
plain node names with "-" instead of "@" to create a unique naming.

In addition, extend sections which contain "firmware" in their types
with the "os" parameter to conform to the latest FIT specification.

Indicate that load and entry addresses are covered by one 32-bit value
by adding "address-cells" in the root node of the generated ITS.

Upstream-Status: Inappropriate [script is imx-boot specific]
Link: [1] https://github.com/u-boot/u-boot/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4
Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
Cc: Tom Hochstein <tom.hochstein@nxp.com>
---
 iMX8M/mkimage_fit_atf.sh | 40 ++++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 18 deletions(-)

diff --git a/iMX8M/mkimage_fit_atf.sh b/iMX8M/mkimage_fit_atf.sh
index 95749b1..10903ea 100755
--- a/iMX8M/mkimage_fit_atf.sh
+++ b/iMX8M/mkimage_fit_atf.sh
@@ -23,7 +23,7 @@ else
 fi
 
 BL32="tee.bin"
-LOADABLES="\"atf@1\""
+LOADABLES="\"atf-1\""
 
 if [ ! -f $BL32 ]; then
 	BL32=/dev/null
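Review bot: The node names are now spelled out in two independent places, once as escaped strings in `LOADABLES` (here and in the `tee-1` and `dek_blob-1` hunks that follow) and once in the image heredocs further down, so a rename that misses one spot leaves a configuration pointing at a node that does not exist. Per the commit message, a node that still carries `@` is ignored by a fixed U-Boot, which makes such a mismatch easy to miss at build time. Consider defining each name once, e.g. `ATF_NODE="atf-1"` with `LOADABLES="\"$ATF_NODE\""`, and using the same variable inside the heredoc. The `if`/`else` around these lines starts and ends outside the hunk.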
@@ -31,7 +31,7 @@ else
 	echo "Building with TEE support, make sure your bl31 is compiled with spd. If you do not want tee, please delete tee.bin" >&2
 	echo "tee.bin size: " >&2
 	ls -lct tee.bin | awk '{print $5}' >&2
-	LOADABLES="$LOADABLES, \"tee@1\""
+	LOADABLES="$LOADABLES, \"tee-1\""
 fi
 
 BL33="u-boot-nodtb.bin"
@@ -41,7 +41,7 @@ if [ ! -f $DEK_BLOB ]; then
 	DEK_BLOB=/dev/null
 else
 	echo "Building with encrypted boot support, make sure to replace DEK Blob in final image." >&2
-	LOADABLES="\"dek_blob@1\", $LOADABLES"
+	LOADABLES="\"dek_blob-1\", $LOADABLES"
 fi
 
 if [ ! -f $BL33 ]; then
@@ -64,10 +64,12 @@ cat << __HEADER_EOF
 
 / {
 	description = "Configuration to load ATF before U-Boot";
+	#address-cells = <1>;
 
 	images {
-		uboot@1 {
+		uboot-1 {
 			description = "U-Boot (64-bit)";
+			os = "u-boot";
 			data = /incbin/("$BL33");
 			type = "standalone";
 			arch = "arm64";
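Review bot: `#address-cells = <1>` in the root node declares that every `load` and `entry` value in the generated ITS is a single 32-bit cell, but those properties are filled from variables set outside this hunk and nothing visible here checks that they fit. A shell comment above the heredoc, such as `# load/entry are emitted as one 32-bit cell each; keep in sync with #address-cells below`, would make sure a later move to a 64-bit address also updates the cell count. Separately, `uboot-1` has type `"standalone"` yet gains `os = "u-boot"`, while the commit message only mentions sections of type "firmware"; one sentence in the message would cover that. The heredoc continues past the end of the hunk.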
@@ -80,7 +82,7 @@ cnt=1
 for dtname in $*
 do
 	cat << __FDT_IMAGE_EOF
-		fdt@$cnt {
+		fdt-$cnt {
 			description = "$(basename $dtname .dtb)";
 			data = /incbin/("$dtname");
 			type = "flat_dt";
@@ -91,8 +93,9 @@ cnt=$((cnt+1))
 done
 
 cat << __HEADER_EOF
-		atf@1 {
+		atf-1 {
 			description = "ARM Trusted Firmware";
+			os = "arm-trusted-firmware";
 			data = /incbin/("$BL31");
 			type = "firmware";
 			arch = "arm64";
@@ -104,8 +107,9 @@ __HEADER_EOF
 
 if [ -f $BL32 ]; then
 cat << __HEADER_EOF
-		tee@1 {
+		tee-1 {
 			description = "TEE firmware";
+			os = "op-tee-firmware";
 			data = /incbin/("$BL32");
 			type = "firmware";
 			arch = "arm64";
@@ -118,7 +122,7 @@ fi
 
 if [ -f $DEK_BLOB ]; then
 cat << __HEADER_EOF
-		dek_blob@1 {
+		dek_blob-1 {
 			description = "dek_blob";
 			data = /incbin/("$DEK_BLOB");
 			type = "script";
@@ -131,7 +135,7 @@ fi
 cat << __CONF_HEADER_EOF
 	};
 	configurations {
-		default = "config@1";
+		default = "config-1";
 
 __CONF_HEADER_EOF
 
@@ -141,31 +145,31 @@ do
 if [ -f $BL32 ]; then
 if [ $ROLLBACK_INDEX_IN_FIT ]; then
 cat << __CONF_SECTION_EOF
-		config@$cnt {
+		config-$cnt {
 			description = "$(basename $dtname .dtb)";
-			firmware = "uboot@1";
+			firmware = "uboot-1";
 			loadables = $LOADABLES;
-			fdt = "fdt@$cnt";
+			fdt = "fdt-$cnt";
 			rbindex = "$ROLLBACK_INDEX_IN_FIT";
 		};
 __CONF_SECTION_EOF
 else
 cat << __CONF_SECTION_EOF
-		config@$cnt {
+		config-$cnt {
 			description = "$(basename $dtname .dtb)";
-			firmware = "uboot@1";
+			firmware = "uboot-1";
 			loadables = $LOADABLES;
-			fdt = "fdt@$cnt";
+			fdt = "fdt-$cnt";
 		};
 __CONF_SECTION_EOF
 fi
 else
 cat << __CONF_SECTION1_EOF
-		config@$cnt {
+		config-$cnt {
 			description = "$(basename $dtname .dtb)";
-			firmware = "uboot@1";
+			firmware = "uboot-1";
 			loadables = $LOADABLES;
-			fdt = "fdt@$cnt";
+			fdt = "fdt-$cnt";
 		};
 __CONF_SECTION1_EOF
 fi
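Review bot: The branch taken when tee.bin is absent (`__CONF_SECTION1_EOF`) never emits `rbindex`, so a build with `ROLLBACK_INDEX_IN_FIT` set but no TEE produces configurations without a rollback index and gives no notice. If that is intended, a comment on the `else` should say so; if not, warn the builder ahead of the loop with something like `[ -n "$ROLLBACK_INDEX_IN_FIT" ] && echo "ROLLBACK_INDEX_IN_FIT ignored: no tee.bin" >&2`. The test `[ $ROLLBACK_INDEX_IN_FIT ]` is also unquoted and would be more robust as `[ -n "$ROLLBACK_INDEX_IN_FIT" ]`. The loop these sections sit in starts outside the hunk.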
-- 
2.17.1