image: Add an option to do a full check of the FIT

Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.

Enable this by default if signature verification is enabled.

CVE-2021-27097

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>

diff --git a/common/Kconfig.boot b/common/Kconfig.boot
index 5eaabdf..7532e55 100644 (file)
--- a/common/Kconfig.boot
+++ b/common/Kconfig.boot
@@ -63,6 +63,15 @@ config FIT_ENABLE_SHA512_SUPPORT
          SHA512 checksum is a 512-bit (64-byte) hash value used to check that
          the image contents have not been corrupted.
 
+config FIT_FULL_CHECK
+       bool "Do a full check of the FIT before using it"
+       default y
+       help
+         Enable this do a full check of the FIT to make sure it is valid. This
+         helps to protect against carefully crafted FITs which take advantage
+         of bugs or omissions in the code. This includes a bad structure,
+         multiple root nodes and the like.
+
 config FIT_SIGNATURE
        bool "Enable signature verification of FIT uImages"
        depends on DM
@@ -70,6 +79,7 @@ config FIT_SIGNATURE
        select RSA
        select RSA_VERIFY
        select IMAGE_SIGN_INFO
+       select FIT_FULL_CHECK
        help
          This option enables signature verification of FIT uImages,
          using a hash signed and verified using RSA. If
@@ -159,6 +169,15 @@ config SPL_FIT_PRINT
        help
          Support printing the content of the fitImage in a verbose manner in SPL.
 
+config SPL_FIT_FULL_CHECK
+       bool "Do a full check of the FIT before using it"
+       help
+         Enable this do a full check of the FIT to make sure it is valid. This
+         helps to protect against carefully crafted FITs which take advantage
+         of bugs or omissions in the code. This includes a bad structure,
+         multiple root nodes and the like.
+
+
 config SPL_FIT_SIGNATURE
        bool "Enable signature verification of FIT firmware within SPL"
        depends on SPL_DM
@@ -168,6 +187,7 @@ config SPL_FIT_SIGNATURE
        select SPL_RSA
        select SPL_RSA_VERIFY
        select SPL_IMAGE_SIGN_INFO
+       select SPL_FIT_FULL_CHECK
 
 config SPL_LOAD_FIT
        bool "Enable SPL loading U-Boot as a FIT (basic fitImage features)"

diff --git a/common/image-fit.c b/common/image-fit.c
index f6c0428..bcf395f 100644 (file)
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -1580,6 +1580,22 @@ int fit_check_format(const void *fit, ulong size)
                return -ENOEXEC;
        }
 
+       if (CONFIG_IS_ENABLED(FIT_FULL_CHECK)) {
+               /*
+                * If we are not given the size, make do wtih calculating it.
+                * This is not as secure, so we should consider a flag to
+                * control this.
+                */
+               if (size == IMAGE_SIZE_INVAL)
+                       size = fdt_totalsize(fit);
+               ret = fdt_check_full(fit, size);
+
+               if (ret) {
+                       log_debug("FIT check error %d\n", ret);
+                       return -EINVAL;
+               }
+       }
+
        /* mandatory / node 'description' property */
        if (!fdt_getprop(fit, 0, FIT_DESC_PROP, NULL)) {
                log_debug("Wrong FIT format: no description\n");