summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Kconfig10
-rw-r--r--common/image-sig.c5
-rw-r--r--test/py/tests/test_vboot.py33
-rw-r--r--tools/Makefile1
4 files changed, 49 insertions, 0 deletions
diff --git a/Kconfig b/Kconfig
index 5a82c95dd8..c8b86cd384 100644
--- a/Kconfig
+++ b/Kconfig
@@ -267,6 +267,16 @@ config FIT_SIGNATURE
format support in this case, enable it using
CONFIG_IMAGE_FORMAT_LEGACY.
+config FIT_SIGNATURE_MAX_SIZE
+ hex "Max size of signed FIT structures"
+ depends on FIT_SIGNATURE
+ default 0x10000000
+ help
+ This option sets a max size in bytes for verified FIT uImages.
+ A sane value of 256MB protects corrupted DTB structures from overlapping
+ device memory. Assure this size does not extend past expected storage
+ space.
+
config FIT_VERBOSE
bool "Show verbose messages when FIT images fail"
help
diff --git a/common/image-sig.c b/common/image-sig.c
index f65d883994..8d2fd10db6 100644
--- a/common/image-sig.c
+++ b/common/image-sig.c
@@ -156,6 +156,11 @@ static int fit_image_setup_verify(struct image_sign_info *info,
{
char *algo_name;
+ if (fdt_totalsize(fit) > CONFIG_FIT_SIGNATURE_MAX_SIZE) {
+ *err_msgp = "Total size too large";
+ return 1;
+ }
+
if (fit_image_hash_get_algo(fit, noffset, &algo_name)) {
*err_msgp = "Can't get hash algo property";
return -1;
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index ee939f2034..3d25ec3d66 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -26,6 +26,7 @@ Tests run with both SHA1 and SHA256 hashing.
import pytest
import sys
+import struct
import u_boot_utils as util
@pytest.mark.boardspec('sandbox')
@@ -105,6 +106,26 @@ def test_vboot(u_boot_console):
util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
'-r', fit])
+ def replace_fit_totalsize(size):
+ """Replace FIT header's totalsize with something greater.
+
+ The totalsize must be less than or equal to FIT_SIGNATURE_MAX_SIZE.
+ If the size is greater, the signature verification should return false.
+
+ Args:
+ size: The new totalsize of the header
+
+ Returns:
+ prev_size: The previous totalsize read from the header
+ """
+ total_size = 0
+ with open(fit, 'r+b') as handle:
+ handle.seek(4)
+ total_size = handle.read(4)
+ handle.seek(4)
+ handle.write(struct.pack(">I", size))
+ return struct.unpack(">I", total_size)[0]
+
def test_with_algo(sha_algo):
"""Test verified boot with the given hash algorithm.
@@ -146,6 +167,18 @@ def test_vboot(u_boot_console):
util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
'-k', dtb])
+ # Replace header bytes
+ bcfg = u_boot_console.config.buildconfig
+ max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
+ existing_size = replace_fit_totalsize(max_size + 1)
+ run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False)
+ cons.log.action('%s: Check overflowed FIT header totalsize' % sha_algo)
+
+ # Replace with existing header bytes
+ replace_fit_totalsize(existing_size)
+ run_bootm(sha_algo, 'signed config', 'dev+', True)
+ cons.log.action('%s: Check default FIT header totalsize' % sha_algo)
+
# Increment the first byte of the signature, which should cause failure
sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
(fit, sig_node))
diff --git a/tools/Makefile b/tools/Makefile
index 5dd33ed4d5..0c3341e695 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -133,6 +133,7 @@ ifdef CONFIG_FIT_SIGNATURE
# This affects include/image.h, but including the board config file
# is tricky, so manually define this options here.
HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE
+HOST_EXTRACFLAGS += -DCONFIG_FIT_SIGNATURE_MAX_SIZE=$(CONFIG_FIT_SIGNATURE_MAX_SIZE)
endif
ifdef CONFIG_SYS_U_BOOT_OFFS