[PATCH v2 00/14] vboot: Fix forged-configuration vulnerability
Tom Rini
trini at konsulko.com
Tue Mar 31 15:26:34 CEST 2020
On Mon, Mar 30, 2020 at 05:11:38PM -0600, Simon Glass wrote:
> Hi,
>
> On Wed, 18 Mar 2020 at 11:44, Simon Glass <sjg at chromium.org> wrote:
> >
> > When booting a FIT, if 'bootm' is used without a specified configuration,
> > U-Boot will use the default one provided in the FIT. But it does not
> > actually check that the signature is for that configuration.
> >
> > This means that it is possible to duplicate a configuration conf-1 to
> > produce conf-2 (with all the signatures intact), set the default
> > configuration to conf-2 and then boot the image. U-Boot will verify conf-2
> > (in fact since hashed-nodes specifies the conf-1 nodes it will effectively
> > verify conf-1). Then it will happily boot conf-2 even though it might have
> > a different kernel.
> >
> > This series corrects this problem and adds a test to verify it. It also
> > updates fit_check_sign to allow the configuration to be specified.
> >
> > This vulnerability was found by Dmitry Janushkevich and Andrea Barisani of
> > F-Secure, who also wrote the vboot_forge script included here.
> >
> > This is CVE-2020-10648
> >
> > Changes in v2:
> > - Bring in new vboot_forge file from the authors
> >
> > Simon Glass (14):
> > image: Correct comment for fit_conf_get_node()
> > image: Be a little more verbose when checking signatures
> > image: Return an error message from fit_config_verify_sig()
> > test: vboot: Drop unnecessary parameter for fit_check_sign
> > test: vboot: Add a test for a forged configuration
> > test: vboot: Parameterise the test
> > image: Check hash-nodes when checking configurations
> > image: Load the correct configuration in fit_check_sign
> > fit_check_sign: Allow selecting the configuration to verify
> > test: vboot: Tidy up the code a little
> > test: vboot: Fix pylint errors
> > image: Use constants for 'required' and 'key-name-hint'
> > test: vboot: Move key creation into a function
> > test: vboot: Reduce fake kernel size to 500 bytes
> >
> > common/bootm.c | 6 +-
> > common/image-cipher.c | 2 +-
> > common/image-fit.c | 26 +--
> > common/image-sig.c | 49 +++-
> > include/image.h | 24 +-
> > lib/rsa/rsa-sign.c | 6 +-
> > test/py/tests/test_vboot.py | 155 +++++++------
> > test/py/tests/vboot_forge.py | 423 +++++++++++++++++++++++++++++++++++
> > tools/fdt_host.h | 3 +-
> > tools/fit_check_sign.c | 8 +-
> > tools/image-host.c | 17 +-
> > 11 files changed, 601 insertions(+), 118 deletions(-)
> > create mode 100644 test/py/tests/vboot_forge.py
>
> This is applied to dm/master.
>
> Tom, shall I send a pull request?
Yes please, thanks!
--
Tom
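The verification gap described in the cover letter, as an added example that is not part of the original thread and not U-Boot's code: a toy FIT modelled as a Python dict, comparing a verifier that trusts whatever `hashed-nodes` lists with one that also requires the selected configuration to be among the hashed nodes. The node layout, the function names and the HMAC key (standing in for the RSA signature) are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the RSA key pair

def node_props(fit, path):
    """Properties of a node that get hashed; the signature subnode is excluded."""
    return {k: v for k, v in fit[path].items() if k != "signature"}

def digest(fit, hashed_nodes):
    """MAC over every node named in hashed-nodes, in list order."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for path in hashed_nodes:
        props = sorted(node_props(fit, path).items())
        mac.update(path.encode() + repr(props).encode())
    return mac.digest()

def sign_config(fit, conf):
    """Sign a configuration together with the kernel image it references."""
    conf_path = "/configurations/" + conf
    nodes = [conf_path, "/images/" + fit[conf_path]["kernel"]]
    fit[conf_path]["signature"] = {"hashed-nodes": nodes,
                                   "value": digest(fit, nodes)}

def verify_weak(fit, conf):
    """Behaviour the cover letter describes: only the listed nodes are checked."""
    sig = fit["/configurations/" + conf]["signature"]
    return hmac.compare_digest(sig["value"], digest(fit, sig["hashed-nodes"]))

def verify_strict(fit, conf):
    """Also require that the configuration being booted is itself a hashed node."""
    conf_path = "/configurations/" + conf
    sig = fit[conf_path]["signature"]
    return conf_path in sig["hashed-nodes"] and verify_weak(fit, conf)

def build_sample():
    """Constructed sample: conf-1 is signed, conf-2 carries a copy of its signature."""
    fit = {
        "/images/kernel-1": {"data": b"signed kernel"},
        "/images/kernel-2": {"data": b"unsigned kernel"},
        "/configurations/conf-1": {"kernel": "kernel-1"},
    }
    sign_config(fit, "conf-1")
    fit["/configurations/conf-2"] = {
        "kernel": "kernel-2",
        "signature": fit["/configurations/conf-1"]["signature"],
    }
    return fit
```

With the constructed sample, `verify_weak` accepts both configurations because the copied signature still validates the conf-1 nodes, while `verify_strict` accepts only conf-1.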