From: Sean Anderson
To: u-boot@lists.denx.de, Peng Fan
Cc: Simon Glass, Sean Anderson
Subject: [PATCH] image: fit: Fix not verifying data configuration
Date: Tue, 11 Oct 2022 19:25:25 -0400
Message-Id: <20221011232525.186166-1-sean.anderson@seco.com>

When reading data from a FIT image, we must verify the configuration we get it from. This is because when we have a key with required = "conf", the image does not need any particular signature or hash. The configuration is the only required verification, so we must verify it.

Users of fit_get_data_node are liable to load unsigned data unless the user has set required = "image". Even then, they are vulnerable to mix-and-match attacks. This also affects other callers of fit_image_verify which don't first call fit_config_verify, such as source and imxtract. I don't think there is a backwards-compatible way to fix these interfaces. Fundamentally, selecting data by image when images are not required to be verified is unsafe.

Fixes: 37feaf2f727 ("image: fit: Add some helpers for getting data")
Signed-off-by: Sean Anderson

--- boot/image-fit.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/boot/image-fit.c b/boot/image-fit.c index 9c04ff78a15..632fd405e29 100644 --- a/boot/image-fit.c +++ b/boot/image-fit.c 
@@ -1948,7 +1948,14 @@ int fit_get_data_node(const void *fit, const char *image_uname, int fit_get_data_conf_prop(const void *fit, const char *prop_name, const void **data, size_t *size) { - int noffset = fit_conf_get_node(fit, NULL); + int ret, noffset = fit_conf_get_node(fit, NULL); + + if (noffset < 0) + return noffset; + + ret = fit_config_verify(fit, noffset); + if (ret) + return ret; noffset = fit_conf_get_prop_node(fit, noffset, prop_name); return fit_get_data_tail(fit, noffset, data, size);
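
Review bot: The added fit_config_verify() call in fit_get_data_conf_prop() closes only this one entry point; fit_get_data_node(), visible in the @@ context just above, is left as it was, and the commit message itself says its callers can load unsigned data when required = "conf". Since that interface is described as not fixable in a backwards-compatible way, add a comment on fit_get_data_node() stating that it performs no configuration verification and must not be used for data that has to be trusted under required = "conf", so that new callers do not pick it up by accident. Also update the doc comment for fit_get_data_conf_prop() to say that it now verifies the default configuration (the one fit_conf_get_node(fit, NULL) returns) and can fail with the error from fit_config_verify(); callers that previously saw only lookup errors will now see verification failures as well.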