[PATCH v2 00/14] vboot: Fix forged-configuration vulnerability
sjg at chromium.org
Tue Mar 31 01:11:38 CEST 2020
On Wed, 18 Mar 2020 at 11:44, Simon Glass <sjg at chromium.org> wrote:
> When booting a FIT, if 'bootm' is used without a specified configuration,
> U-Boot will use the default one provided in the FIT. But it does not
> actually check that the signature is for that configuration.
> This means that it is possible to duplicate a configuration conf-1 to
> produce conf-2 (with all the signatures intact), set the default
> configuration to conf-2 and then boot the image. U-Boot will verify conf-2
> (in fact since hashed-nodes specifies the conf-1 nodes it will effectively
> verify conf-1). Then it will happily boot conf-2 even though it might have
> a different kernel.
> This series corrects this problem and adds a test to verify it. It also
> updates fit_check_sign to allow the configuration to be specified.
> This vulnerability was found by Dmitry Janushkevich and Andrea Barisani of
> F-Secure, who also wrote the vboot_forge script included here.
> This is CVE-2020-10648
> Changes in v2:
> - Bring in new vboot_forge file from the authors
> Simon Glass (14):
> image: Correct comment for fit_conf_get_node()
> image: Be a little more verbose when checking signatures
> image: Return an error message from fit_config_verify_sig()
> test: vboot: Drop unnecessary parameter for fit_check_sign
> test: vboot: Add a test for a forged configuration
> test: vboot: Parameterise the test
> image: Check hash-nodes when checking configurations
> image: Load the correct configuration in fit_check_sign
> fit_check_sign: Allow selecting the configuration to verify
> test: vboot: Tidy up the code a little
> test: vboot: Fix pylint errors
> image: Use constants for 'required' and 'key-name-hint'
> test: vboot: Move key creation into a function
> test: vboot: Reduce fake kernel size to 500 bytes
> common/bootm.c | 6 +-
> common/image-cipher.c | 2 +-
> common/image-fit.c | 26 +--
> common/image-sig.c | 49 +++-
> include/image.h | 24 +-
> lib/rsa/rsa-sign.c | 6 +-
> test/py/tests/test_vboot.py | 155 +++++++------
> test/py/tests/vboot_forge.py | 423 +++++++++++++++++++++++++++++++++++
> tools/fdt_host.h | 3 +-
> tools/fit_check_sign.c | 8 +-
> tools/image-host.c | 17 +-
> 11 files changed, 601 insertions(+), 118 deletions(-)
> create mode 100644 test/py/tests/vboot_forge.py
This is applied to dm/master.
Tom, shall I send a pull request?
More information about the U-Boot