imx-mkimage: fix node name generations

FIT node names generated by imx-mkimage script are not conformant to the latest version of mkimage tool and are caused to be skipped at parsing stage, leading to build errors. Introduce the patch to correct generated node names (drop unit address fields and replace with names-only). Fixes: #741 https://github.com/Freescale/meta-freescale/issues/741 Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com> Cc: Tom Hochstein <tom.hochstein@nxp.com>
author: Andrey Zhizhikin <andrey.z@gmail.com> 2021-04-22 12:49:13 +0000
committer: Otavio Salvador <otavio@ossystems.com.br> 2021-04-22 10:39:22 -0300
commit: 31d58f1791e1535b650739a07c835f272882863a (patch)
tree: 28405a3b08f2c62ca51f0bb8c556287050e0e320
parent: dd29cf97a2bb65c5fdbfa49f2785c8466e479cf7 (diff)
download: meta-freescale-31d58f1791e1535b650739a07c835f272882863a.tar.gz
2 files changed, 170 insertions, 1 deletions
diff --git a/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch b/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch
new file mode 100644
index 00000000..3c2842af
--- /dev/null
+++ b/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch
@@ -0,0 +1,166 @@
+From 9cf936493388897379f33b511ec869c6fa5409ce Mon Sep 17 00:00:00 2001
+From: Andrey Zhizhikin <andrey.z@gmail.com>
+Date: Thu, 22 Apr 2021 12:20:28 +0000
+Subject: [PATCH] mkimage_fit_atf: fix fit generator node naming
+Since upstream commit 79af75f777 ("fit: Don't allow verification of images
+with @ nodes") [1], unit addresses on the nodes are prohibited and nodes
+that do contain those addresses are ignored during the ITS parsing. This
+is done in an effort to cover the CVE-2021-27138, where nodes with unit
+addresses can be mis-interpreted by libfdt.
+Correct FIT generator script and replace nodes with unit addresses to
+plain node names with "-" instead of "@" to create a unique naming.
+In addition, extend sections which contains "firmware" in their types
+with "os" parameter to conform to the latest FIT specification.
+Indicate that load and entry addresses are covered by one 32-bit value
+by adding "address-cells" in the root node of the generated ITS.
+Upstream-Status: Inappropriate [script is imx-boot specific]
+Link: [1] https://github.com/u-boot/u-boot/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4
+Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
+Cc: Tom Hochstein <tom.hochstein@nxp.com>
+---
+ iMX8M/mkimage_fit_atf.sh | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+diff --git a/iMX8M/mkimage_fit_atf.sh b/iMX8M/mkimage_fit_atf.sh
+index 95749b1..10903ea 100755
+--- a/iMX8M/mkimage_fit_atf.sh
+++ b/iMX8M/mkimage_fit_atf.sh
+@@ -23,7 +23,7 @@ else
+ fi
+ 
+ BL32="tee.bin"
+-LOADABLES="\"atf@1\""
+LOADABLES="\"atf-1\""
+ 
+ if [ ! -f $BL32 ]; then
+        BL32=/dev/null
+@@ -31,7 +31,7 @@ else
+        echo "Building with TEE support, make sure your bl31 is compiled with spd. If you do not want tee, please delete tee.bin" >&2
+        echo "tee.bin size: " >&2
+        ls -lct tee.bin | awk '{print $5}' >&2
+-       LOADABLES="$LOADABLES, \"tee@1\""
+       LOADABLES="$LOADABLES, \"tee-1\""
+ fi
+ 
+ BL33="u-boot-nodtb.bin"
+@@ -41,7 +41,7 @@ if [ ! -f $DEK_BLOB ]; then
+        DEK_BLOB=/dev/null
+ else
+        echo "Building with encrypted boot support, make sure to replace DEK Blob in final image." >&2
+-       LOADABLES="\"dek_blob@1\", $LOADABLES"
+       LOADABLES="\"dek_blob-1\", $LOADABLES"
+ fi
+ 
+ if [ ! -f $BL33 ]; then
+@@ -64,10 +64,12 @@ cat << __HEADER_EOF
+ 
+ / {
+        description = "Configuration to load ATF before U-Boot";
+       #address-cells = <1>;
+ 
+        images {
+-               uboot@1 {
+               uboot-1 {
+                        description = "U-Boot (64-bit)";
+                       os = "u-boot";
+                        data = /incbin/("$BL33");
+                        type = "standalone";
+                        arch = "arm64";
+@@ -80,7 +82,7 @@ cnt=1
+ for dtname in $*
+ do
+        cat << __FDT_IMAGE_EOF
+-               fdt@$cnt {
+               fdt-$cnt {
+                        description = "$(basename $dtname .dtb)";
+                        data = /incbin/("$dtname");
+                        type = "flat_dt";
+@@ -91,8 +93,9 @@ cnt=$((cnt+1))
+ done
+ 
+ cat << __HEADER_EOF
+-               atf@1 {
+               atf-1 {
+                        description = "ARM Trusted Firmware";
+                       os = "arm-trusted-firmware";
+                        data = /incbin/("$BL31");
+                        type = "firmware";
+                        arch = "arm64";
+@@ -104,8 +107,9 @@ __HEADER_EOF
+ 
+ if [ -f $BL32 ]; then
+ cat << __HEADER_EOF
+-               tee@1 {
+               tee-1 {
+                        description = "TEE firmware";
+                       os = "op-tee-firmware";
+                        data = /incbin/("$BL32");
+                        type = "firmware";
+                        arch = "arm64";
+@@ -118,7 +122,7 @@ fi
+ 
+ if [ -f $DEK_BLOB ]; then
+ cat << __HEADER_EOF
+-               dek_blob@1 {
+               dek_blob-1 {
+                        description = "dek_blob";
+                        data = /incbin/("$DEK_BLOB");
+                        type = "script";
+@@ -131,7 +135,7 @@ fi
+ cat << __CONF_HEADER_EOF
+        };
+        configurations {
+-               default = "config@1";
+               default = "config-1";
+ 
+ __CONF_HEADER_EOF
+ 
+@@ -141,31 +145,31 @@ do
+ if [ -f $BL32 ]; then
+ if [ $ROLLBACK_INDEX_IN_FIT ]; then
+ cat << __CONF_SECTION_EOF
+-               config@$cnt {
+               config-$cnt {
+                        description = "$(basename $dtname .dtb)";
+-                       firmware = "uboot@1";
+                       firmware = "uboot-1";
+                        loadables = $LOADABLES;
+-                       fdt = "fdt@$cnt";
+                       fdt = "fdt-$cnt";
+                        rbindex = "$ROLLBACK_INDEX_IN_FIT";
+                };
+ __CONF_SECTION_EOF
+ else
+ cat << __CONF_SECTION_EOF
+-               config@$cnt {
+               config-$cnt {
+                        description = "$(basename $dtname .dtb)";
+-                       firmware = "uboot@1";
+                       firmware = "uboot-1";
+                        loadables = $LOADABLES;
+-                       fdt = "fdt@$cnt";
+                       fdt = "fdt-$cnt";
+                };
+ __CONF_SECTION_EOF
+ fi
+ else
+ cat << __CONF_SECTION1_EOF
+-               config@$cnt {
+               config-$cnt {
+                        description = "$(basename $dtname .dtb)";
+-                       firmware = "uboot@1";
+                       firmware = "uboot-1";
+                        loadables = $LOADABLES;
+-                       fdt = "fdt@$cnt";
+                       fdt = "fdt-$cnt";
+                };
+ __CONF_SECTION1_EOF
+ fi
+-- 
+2.17.1
diff --git a/recipes-bsp/imx-mkimage/imx-mkimage_git.inc b/recipes-bsp/imx-mkimage/imx-mkimage_git.inc
index 1eba5109..e52fd722 100644
--- a/recipes-bsp/imx-mkimage/imx-mkimage_git.inc
+++ b/recipes-bsp/imx-mkimage/imx-mkimage_git.inc
@@ -3,7 +3,10 @@
 DEPENDS = "zlib-native openssl-native"
 SRCBRANCH = "imx_5.4.70_2.3.0"
-SRC_URI = "git://source.codeaurora.org/external/imx/imx-mkimage.git;protocol=https;branch=${SRCBRANCH}"
+SRC_URI = "git://source.codeaurora.org/external/imx/imx-mkimage.git;protocol=https;branch=${SRCBRANCH} \
+           file://0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch \
+"
 SRCREV = "8947fea369ab3932259630232cfb9f87b8f9dda1"
 S = "${WORKDIR}/git"
author	Andrey Zhizhikin <andrey.z@gmail.com>	2021-04-22 12:49:13 +0000
committer	Otavio Salvador <otavio@ossystems.com.br>	2021-04-22 10:39:22 -0300
commit	31d58f1791e1535b650739a07c835f272882863a (patch)
tree	28405a3b08f2c62ca51f0bb8c556287050e0e320
parent	dd29cf97a2bb65c5fdbfa49f2785c8466e479cf7 (diff)
download	meta-freescale-31d58f1791e1535b650739a07c835f272882863a.tar.gz

diff --git a/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch b/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch new file mode 100644 index 00000000..3c2842af --- /dev/null +++ b/recipes-bsp/imx-mkimage/files/0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch
@@ -0,0 +1,166 @@
		1	From 9cf936493388897379f33b511ec869c6fa5409ce Mon Sep 17 00:00:00 2001
		2	From: Andrey Zhizhikin <andrey.z@gmail.com>
		3	Date: Thu, 22 Apr 2021 12:20:28 +0000
		4	Subject: [PATCH] mkimage_fit_atf: fix fit generator node naming
		5
		6	Since upstream commit 79af75f777 ("fit: Don't allow verification of images
		7	with @ nodes") [1], unit addresses on the nodes are prohibited and nodes
		8	that do contain those addresses are ignored during the ITS parsing. This
		9	is done in an effort to cover the CVE-2021-27138, where nodes with unit
		10	addresses can be mis-interpreted by libfdt.
		11
		12	Correct FIT generator script and replace nodes with unit addresses to
		13	plain node names with "-" instead of "@" to create a unique naming.
		14
		15	In addition, extend sections which contains "firmware" in their types
		16	with "os" parameter to conform to the latest FIT specification.
		17
		18	Indicate that load and entry addresses are covered by one 32-bit value
		19	by adding "address-cells" in the root node of the generated ITS.
		20
		21	Upstream-Status: Inappropriate [script is imx-boot specific]
		22	Link: [1] https://github.com/u-boot/u-boot/commit/79af75f7776fc20b0d7eb6afe1e27c00fdb4b9b4
		23	Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
		24	Cc: Tom Hochstein <tom.hochstein@nxp.com>
		25	---
		26	iMX8M/mkimage_fit_atf.sh \| 40 ++++++++++++++++++++++------------------
		27	1 file changed, 22 insertions(+), 18 deletions(-)
		28
		29	diff --git a/iMX8M/mkimage_fit_atf.sh b/iMX8M/mkimage_fit_atf.sh
		30	index 95749b1..10903ea 100755
		31	--- a/iMX8M/mkimage_fit_atf.sh
		32	+++ b/iMX8M/mkimage_fit_atf.sh
		33	@@ -23,7 +23,7 @@ else
		34	fi
		35
		36	BL32="tee.bin"
		37	-LOADABLES="\"atf@1\""
		38	+LOADABLES="\"atf-1\""
		39
		40	if [ ! -f $BL32 ]; then
		41	BL32=/dev/null
		42	@@ -31,7 +31,7 @@ else
		43	echo "Building with TEE support, make sure your bl31 is compiled with spd. If you do not want tee, please delete tee.bin" >&2
		44	echo "tee.bin size: " >&2
		45	ls -lct tee.bin \| awk '{print $5}' >&2
		46	- LOADABLES="$LOADABLES, \"tee@1\""
		47	+ LOADABLES="$LOADABLES, \"tee-1\""
		48	fi
		49
		50	BL33="u-boot-nodtb.bin"
		51	@@ -41,7 +41,7 @@ if [ ! -f $DEK_BLOB ]; then
		52	DEK_BLOB=/dev/null
		53	else
		54	echo "Building with encrypted boot support, make sure to replace DEK Blob in final image." >&2
		55	- LOADABLES="\"dek_blob@1\", $LOADABLES"
		56	+ LOADABLES="\"dek_blob-1\", $LOADABLES"
		57	fi
		58
		59	if [ ! -f $BL33 ]; then
		60	@@ -64,10 +64,12 @@ cat << __HEADER_EOF
		61
		62	/ {
		63	description = "Configuration to load ATF before U-Boot";
		64	+ #address-cells = <1>;
		65
		66	images {
		67	- uboot@1 {
		68	+ uboot-1 {
		69	description = "U-Boot (64-bit)";
		70	+ os = "u-boot";
		71	data = /incbin/("$BL33");
		72	type = "standalone";
		73	arch = "arm64";
		74	@@ -80,7 +82,7 @@ cnt=1
		75	for dtname in $*
		76	do
		77	cat << __FDT_IMAGE_EOF
		78	- fdt@$cnt {
		79	+ fdt-$cnt {
		80	description = "$(basename $dtname .dtb)";
		81	data = /incbin/("$dtname");
		82	type = "flat_dt";
		83	@@ -91,8 +93,9 @@ cnt=$((cnt+1))
		84	done
		85
		86	cat << __HEADER_EOF
		87	- atf@1 {
		88	+ atf-1 {
		89	description = "ARM Trusted Firmware";
		90	+ os = "arm-trusted-firmware";
		91	data = /incbin/("$BL31");
		92	type = "firmware";
		93	arch = "arm64";
		94	@@ -104,8 +107,9 @@ __HEADER_EOF
		95
		96	if [ -f $BL32 ]; then
		97	cat << __HEADER_EOF
		98	- tee@1 {
		99	+ tee-1 {
		100	description = "TEE firmware";
		101	+ os = "op-tee-firmware";
		102	data = /incbin/("$BL32");
		103	type = "firmware";
		104	arch = "arm64";
		105	@@ -118,7 +122,7 @@ fi
		106
		107	if [ -f $DEK_BLOB ]; then
		108	cat << __HEADER_EOF
		109	- dek_blob@1 {
		110	+ dek_blob-1 {
		111	description = "dek_blob";
		112	data = /incbin/("$DEK_BLOB");
		113	type = "script";
		114	@@ -131,7 +135,7 @@ fi
		115	cat << __CONF_HEADER_EOF
		116	};
		117	configurations {
		118	- default = "config@1";
		119	+ default = "config-1";
		120
		121	__CONF_HEADER_EOF
		122
		123	@@ -141,31 +145,31 @@ do
		124	if [ -f $BL32 ]; then
		125	if [ $ROLLBACK_INDEX_IN_FIT ]; then
		126	cat << __CONF_SECTION_EOF
		127	- config@$cnt {
		128	+ config-$cnt {
		129	description = "$(basename $dtname .dtb)";
		130	- firmware = "uboot@1";
		131	+ firmware = "uboot-1";
		132	loadables = $LOADABLES;
		133	- fdt = "fdt@$cnt";
		134	+ fdt = "fdt-$cnt";
		135	rbindex = "$ROLLBACK_INDEX_IN_FIT";
		136	};
		137	__CONF_SECTION_EOF
		138	else
		139	cat << __CONF_SECTION_EOF
		140	- config@$cnt {
		141	+ config-$cnt {
		142	description = "$(basename $dtname .dtb)";
		143	- firmware = "uboot@1";
		144	+ firmware = "uboot-1";
		145	loadables = $LOADABLES;
		146	- fdt = "fdt@$cnt";
		147	+ fdt = "fdt-$cnt";
		148	};
		149	__CONF_SECTION_EOF
		150	fi
		151	else
		152	cat << __CONF_SECTION1_EOF
		153	- config@$cnt {
		154	+ config-$cnt {
		155	description = "$(basename $dtname .dtb)";
		156	- firmware = "uboot@1";
		157	+ firmware = "uboot-1";
		158	loadables = $LOADABLES;
		159	- fdt = "fdt@$cnt";
		160	+ fdt = "fdt-$cnt";
		161	};
		162	__CONF_SECTION1_EOF
		163	fi
		164	--
		165	2.17.1
		166


diff --git a/recipes-bsp/imx-mkimage/imx-mkimage_git.inc b/recipes-bsp/imx-mkimage/imx-mkimage_git.inc index 1eba5109..e52fd722 100644 --- a/recipes-bsp/imx-mkimage/imx-mkimage_git.inc +++ b/recipes-bsp/imx-mkimage/imx-mkimage_git.inc
@@ -3,7 +3,10 @@
3	DEPENDS = "zlib-native openssl-native"	3	DEPENDS = "zlib-native openssl-native"
4		4
5	SRCBRANCH = "imx_5.4.70_2.3.0"	5	SRCBRANCH = "imx_5.4.70_2.3.0"
6	SRC_URI = "git://source.codeaurora.org/external/imx/imx-mkimage.git;protocol=https;branch=${SRCBRANCH}"	6	SRC_URI = "git://source.codeaurora.org/external/imx/imx-mkimage.git;protocol=https;branch=${SRCBRANCH} \
		7	file://0001-mkimage_fit_atf-fix-fit-generator-node-naming.patch \
		8	"
		9
7	SRCREV = "8947fea369ab3932259630232cfb9f87b8f9dda1"	10	SRCREV = "8947fea369ab3932259630232cfb9f87b8f9dda1"
8	S = "${WORKDIR}/git"	11	S = "${WORKDIR}/git"
9		12