[RFC PATCH 0/3] boot/fit: fix CVE-2021-27138 while keeping '@' node names

Lorenz Kofler lorenz at sigma-star.at
Tue Jun 2 09:43:32 CEST 2026


CVE-2021-27138 was fixed by rejecting any FIT node whose name contains '@'.
That stops libfdt's unit-address matching from resolving a reference such
as "kernel" to a node named "kernel@1".

Rejecting '@' outright, however, is a regression. We have a customer with
signed FIT images deployed in the field that use '@' in node names, and
with signature verification enabled those images are now rejected and fail
to boot.

Such names are admittedly not ideal. The devicetree specification only
allows a unit address when the node has a matching 'reg' property, and
newer dtc versions warn about violations. New FIT images should therefore
avoid such names, but existing deployed images still need to keep working.

This series fixes CVE-2021-27138 without that regression. The root cause is
not the '@' character itself, but accepting a non-exact node-name match
when resolving a FIT reference. Patch 1 hardens the lookups so the
requested name and the resolved node name must match exactly: an inserted
"kernel@1" can no longer stand in for the "kernel" node. Patches 2 and 3
then drop the now-redundant blanket '@' rejection.

Review is welcome, especially on whether I missed any place that looks up a
FIT node by name.

Lorenz Kofler (3):
  boot/fit: require exact subnode matches for FIT references
  boot/fit: stop rejecting '@' during image and config verification
  boot/fit: stop rejecting '@' during FIT format checking

 boot/image-fit-sig.c        | 21 +-----------
 boot/image-fit.c            | 65 +++----------------------------------
 common/spl/spl_fit.c        |  4 +--
 include/image.h             | 28 ++++++++++++++++
 test/py/tests/test_vboot.py |  7 ++--
 5 files changed, 39 insertions(+), 86 deletions(-)

-- 
2.54.0
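To make the root cause described in the cover letter concrete, the following is an added example, not code from the series or from U-Boot/libfdt. It models libfdt's subnode-name comparison (the rule in fdt_nodename_eq_(), where a lookup string without a unit address also matches "<name>@<unit-address>") over a constructed array of /images subnode names instead of a real FIT blob, and contrasts it with an exact comparison. The node list, the function names and the strict lookup wrapper are assumptions made for illustration and do not correspond to the patches' actual helper.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: stand-in for the subnodes of a FIT's /images node.
 * A real lookup walks a flattened devicetree via libfdt; here the names are
 * a plain array so only the matching rule matters. Blob order is preserved:
 * the inserted "kernel@1" sits before the legitimately signed "kernel". */
static const char *const images_subnodes[] = {
    "kernel@1",   /* attacker-inserted, unsigned node */
    "kernel",     /* the node the signature actually covers */
    "fdt-1",
    NULL,
};

/* Lax rule, modelled on libfdt's fdt_nodename_eq_(): `want` (len bytes)
 * matches `node` if the names are identical, OR if `want` carries no '@'
 * and `node` continues with '@' (a unit address) right after `want`. */
static bool lax_nodename_eq(const char *node, const char *want, size_t len)
{
    if (strncmp(node, want, len) != 0)
        return false;
    if (node[len] == '\0')
        return true;
    if (!memchr(want, '@', len) && node[len] == '@')
        return true;
    return false;
}

/* Exact rule: names must be identical byte for byte. */
static bool exact_nodename_eq(const char *node, const char *want, size_t len)
{
    return strlen(node) == len && memcmp(node, want, len) == 0;
}

typedef bool (*name_eq_fn)(const char *node, const char *want, size_t len);

/* Index of the first subnode `want` resolves to under rule `eq`, or -1. */
static int find_subnode(const char *const *nodes, const char *want,
                        name_eq_fn eq)
{
    size_t len = strlen(want);

    for (int i = 0; nodes[i]; i++)
        if (eq(nodes[i], want, len))
            return i;
    return -1;
}

/* Hypothetical hardened wrapper (assumption, not the series' helper):
 * resolve with the lax rule exactly as libfdt would, then refuse the result
 * unless the resolved node's name equals the requested name. This is the
 * "requested name and resolved node name must match exactly" check. */
static int find_subnode_strict(const char *const *nodes, const char *want)
{
    int idx = find_subnode(nodes, want, lax_nodename_eq);

    if (idx < 0)
        return -1;
    if (strcmp(nodes[idx], want) != 0)
        return -1;   /* "kernel" resolved to "kernel@1": reject */
    return idx;
}

int main(void)
{
    int lax = find_subnode(images_subnodes, "kernel", lax_nodename_eq);
    int exact = find_subnode(images_subnodes, "kernel", exact_nodename_eq);
    int strict = find_subnode_strict(images_subnodes, "kernel");

    printf("lax:    \"kernel\" -> %s\n", lax < 0 ? "(none)" : images_subnodes[lax]);
    printf("exact:  \"kernel\" -> %s\n", exact < 0 ? "(none)" : images_subnodes[exact]);
    printf("strict: \"kernel\" -> %s\n", strict < 0 ? "(rejected)" : images_subnodes[strict]);
    return 0;
}
```

Under the lax rule the reference "kernel" lands on the inserted "kernel@1", which is the CVE. The exact rule finds the signed "kernel" node; the strict wrapper instead rejects the lookup outright, which is safe but also fails to boot an image that would otherwise have been fine, so a first-match-then-verify design and a match-exactly-from-the-start design differ in what they do when a rogue "@" node precedes the real one. Note that the lax rule only kicks in when the requested name has no '@': asking for "kernel@1" already requires the unit address to match.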


