[U-Boot] [PATCH v9 10/10] arm: bootm: fix sp detection at end of address range

Simon Goldschmidt simon.k.r.goldschmidt at gmail.com
Fri Dec 21 13:17:15 UTC 2018


On 21.12.2018 at 14:09, Frank Wunderlich wrote:
> Just a thought: someone loads a script from tftp (scr) which will be executed locally and imho can also contain mw-commands (like my one adding 0-characters). This can be modified remotely...

Well, from a security point of view, you can't just load a script and 
execute it.

The problem with 'load' and 'tftp' is that these are used in secure boot 
environments to load the next stage (signed FIT image). This next stage 
must be authenticated before being used, so you can't just insert wrong 
'mw' statements into a signed image (as an attacker, I mean).

The CVE reported that you can attack a target without having a valid 
signature just by loading a file that is too big. To me, that's a big 
difference to the 'mw' case.

> 
> I will not say that this has to be done, just a thought :)
> 
> For loading from filesystem/fat with a modified address there is also the need for local access, right? Or do you mean that this can be modified (local uenv.txt) from the operating system and applied on the next reboot?

No, you just need a big file. E.g. if you have 1GB of RAM, you "just" 
need to update the file loaded from disk to be 1GB big and you'll 
overwrite U-Boot for sure (on the next reboot, that is).

Regards,
Simon

>   
> regards Frank
>   
> 
> Sent: Friday, 21 December 2018 at 13:56
> From: "Simon Goldschmidt" <simon.k.r.goldschmidt at gmail.com>
> 
> Well, the idea of the CVE was that you can overwrite U-Boot in RAM without actually having access. You "only" need to control the file system or tftp server.
>   
> When doing 'mw', you actually need to have access to the U-Boot shell. That's a different level. I'm not sure we need to limit access there...
> 

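The "big file" case above, as an added example that is not part of the thread or of U-Boot's own code: a destination-range check of the kind that stops an oversized load from reaching the running U-Boot, including the wrap-around at the end of the address range. The RAM size, the reservation table and the function name are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reservation table: regions a file load must never touch
 * (relocated U-Boot, its stack and heap).  Values are constructed. */
struct reserved { uintptr_t start; uintptr_t end; };   /* [start, end) */

#define RAM_BASE   0x00000000UL
#define RAM_SIZE   0x40000000UL   /* 1 GiB, as in the example in the mail */
#define N_RESERVED 2
static const struct reserved reserved[N_RESERVED] = {
    { 0x3ff00000UL, 0x40000000UL },   /* relocated U-Boot at top of RAM  */
    { 0x3fe00000UL, 0x3ff00000UL },   /* stack and heap just below it    */
};

/*
 * Decide whether writing 'size' bytes to 'addr' is acceptable: the whole
 * destination must lie inside RAM and must not overlap a reservation.
 * The bounds test is written as "addr - base > limit - size" so that a
 * destination touching the very end of the address space cannot wrap
 * to a small value and slip past the check.
 */
bool load_range_ok(uintptr_t addr, size_t size)
{
    if (size == 0)
        return true;
    if (size > RAM_SIZE)                       /* larger than all of RAM */
        return false;
    if (addr < RAM_BASE || addr - RAM_BASE > RAM_SIZE - size)
        return false;                          /* would leave RAM or wrap */
    uintptr_t last = addr + size - 1;          /* safe: cannot wrap now   */
    for (int i = 0; i < N_RESERVED; i++) {
        if (addr < reserved[i].end && last >= reserved[i].start)
            return false;                      /* overlaps a reservation  */
    }
    return true;
}

int main(void)
{
    /* constructed requests: a modest load and one the size of all of RAM */
    printf("256 MiB @ 0x01000000: %s\n",
           load_range_ok(0x01000000UL, 0x10000000UL) ? "ok" : "REJECTED");
    printf("1 GiB   @ 0x01000000: %s\n",
           load_range_ok(0x01000000UL, 0x40000000UL) ? "ok" : "REJECTED");
    return 0;
}
```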

