[RFC PATCH 2/3] boot/fit: stop rejecting '@' during image and config verification
Lorenz Kofler
lorenz at sigma-star.at
Tue Jun 2 09:43:34 CEST 2026
Partially revert commit 79af75f7776f ("fit: Don't allow verification of
images with @ nodes").
That commit rejected any FIT node whose name contains '@' in
fit_image_verify(), fit_image_verify_sig() and
fit_config_verify_required_keys(). FIT references are now resolved with
an exact subnode-name match, so the aliasing weakness behind
CVE-2021-27138 can no longer be exploited even when '@' node names are
present. These checks are therefore no longer needed, so drop them to
restore support for FIT images that use unit addresses in their node
names.
This is not a full revert. That commit's fit_image_verify() error-path
refactor and its test_fit.py and vboot_forge.py renames (replacing '@'
unit addresses with '-' in the test FIT node names) are kept.
Signed-off-by: Lorenz Kofler <lorenz at sigma-star.at>
---
boot/image-fit-sig.c | 21 +--------------------
boot/image-fit.c | 9 ---------
2 files changed, 1 insertion(+), 29 deletions(-)
diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
index 433df20281f..a30a2ccd8a1 100644
--- a/boot/image-fit-sig.c
+++ b/boot/image-fit-sig.c
@@ -148,14 +148,6 @@ static int fit_image_verify_sig(const void *fit, int image_noffset,
fdt_for_each_subnode(noffset, fit, image_noffset) {
const char *name = fit_get_name(fit, noffset, NULL);
- /*
- * We don't support this since libfdt considers names with the
- * name root but different @ suffix to be equal
- */
- if (strchr(name, '@')) {
- err_msg = "Node name contains @";
- goto error;
- }
if (!strncmp(name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
ret = fit_image_check_sig(fit, noffset, data, size,
@@ -608,13 +600,11 @@ error:
* @conf_noffset: Offset of the configuration node to check (e.g.
* /configurations/conf-1)
* @key_blob: Blob containing the keys to check against
- * @return 0 if OK, -EPERM if any signatures did not verify, or the
- * configuration node has an invalid name
+ * @return 0 if OK, -EPERM if any signatures did not verify
*/
static int fit_config_verify_required_keys(const void *fit, int conf_noffset,
const void *key_blob)
{
- const char *name = fit_get_name(fit, conf_noffset, NULL);
int noffset;
int key_node;
int verified = 0;
@@ -627,15 +617,6 @@ static int fit_config_verify_required_keys(const void *fit, int conf_noffset,
return 0;
#endif
- /*
- * We don't support this since libfdt considers names with the
- * name root but different @ suffix to be equal
- */
- if (strchr(name, '@')) {
- printf("Configuration node '%s' contains '@'\n", name);
- return -EPERM;
- }
-
/* Work out what we need to verify */
key_node = fdt_subnode_offset(key_blob, 0, FIT_SIG_NODENAME);
if (key_node < 0) {
diff --git a/boot/image-fit.c b/boot/image-fit.c
index a6504cd8041..d82603ae557 100644
--- a/boot/image-fit.c
+++ b/boot/image-fit.c
@@ -1434,19 +1434,10 @@ error:
*/
int fit_image_verify(const void *fit, int image_noffset)
{
- const char *name = fit_get_name(fit, image_noffset, NULL);
const void *data;
size_t size;
char *err_msg = "";
- if (IS_ENABLED(CONFIG_FIT_SIGNATURE) && strchr(name, '@')) {
- /*
- * We don't support this since libfdt considers names with the
- * name root but different @ suffix to be equal
- */
- err_msg = "Node name contains @";
- goto err;
- }
/* Get image data and data length */
if (fit_image_get_data(fit, image_noffset, &data, &size)) {
err_msg = "Can't get image data/size";
--
2.54.0
More information about the U-Boot
mailing list