mirror of
https://github.com/u-boot/u-boot.git
synced 2024-11-24 12:44:23 +08:00
03f1f78a9b
Fit images were loaded to a buffer provided by spl_get_load_buffer(). This may work when the FIT image is small and fits between the start of DRAM and SYS_TEXT_BASE. One problem with this approach is that the location of the buffer may be manipulated by changing the 'size' field of the FIT. A maliciously crafted FIT image could place the buffer over executable code and be able to take control of SPL. This is unacceptable for secure boot of signed FIT images. Another problem is with larger FIT images, usually containing one or more linux kernels. In such cases the buffer be be large enough so as to start before DRAM (Figure I). Trying to load an image in this case has undefined behavior. For example, on stm32mp1, the MMC controller hits a RX overrun error, and aborts loading. _________________ | FIT Image | | | /===================\ /=====================\ || DRAM || | DRAM | || || | | ||_________________|| SYS_TEXT_BASE | ___________________ | | | || FIT Image || | | || || | _________________ | SYS_SPL_MALLOC_START || _________________ || || malloc() data || ||| malloc() data ||| ||_________________|| |||_________________||| | | ||___________________|| | | | | Figure I Figure II One possibility that was analyzed was to remove the negative offset, such that the buffer starts at SYS_TEXT_BASE. This is not a proper solution because on a number of platforms, the malloc buffer() is placed at a fixed address, usually after SYS_TEXT_BASE. A large enough FIT image could cause the malloc()'d data to be overwritten (Figure II) when loading. /======================\ | DRAM | | | | | CONFIG_SYS_TEXT_BASE | | | | | ____________________ | CONFIG_SYS_SPL_MALLOC_START || malloc() data || || || || __________________ || ||| FIT Image ||| ||| ||| ||| ||| Figure III The solution proposed here is to replace the ad-hoc heuristics of spl_get_load_buffer() with malloc(). This provides two advantages: * Bounds checking of the buffer region * Guarantees the buffer does not conflict with other memory The first problem is solved by constraining the buffer such that it will not overlap currently executing code. This eliminates the chance of a malicious FIT being able to replace the executing SPL code prior to signature checking. The second problem is solved in conjunction with increasing CONFIG_SYS_SPL_MALLOC_SIZE. Since the SPL malloc() region is carefully crafted on a per-platform basis, the chances of memory conflicts are virtually eliminated. Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com> |
||
---|---|---|
.. | ||
eeprom | ||
init | ||
spl | ||
android_ab.c | ||
autoboot.c | ||
avb_verify.c | ||
bedbug.c | ||
bloblist.c | ||
board_f.c | ||
board_info.c | ||
board_r.c | ||
boot_fit.c | ||
bootm_os.c | ||
bootm.c | ||
bootretry.c | ||
bootstage.c | ||
bouncebuf.c | ||
cli_hush.c | ||
cli_readline.c | ||
cli_simple.c | ||
cli.c | ||
command.c | ||
common_fit.c | ||
console.c | ||
cros_ec.c | ||
ddr_spd.c | ||
dfu.c | ||
dlmalloc.c | ||
dlmalloc.src | ||
edid.c | ||
exports.c | ||
fdt_region.c | ||
fdt_support.c | ||
flash.c | ||
hash.c | ||
hwconfig.c | ||
image-android-dt.c | ||
image-android.c | ||
image-cipher.c | ||
image-fdt.c | ||
image-fit-sig.c | ||
image-fit.c | ||
image-sig.c | ||
image.c | ||
iomux.c | ||
iotrace.c | ||
kallsyms.c | ||
Kconfig | ||
Kconfig.boot | ||
kgdb_stubs.c | ||
kgdb.c | ||
lcd_console_rotation.c | ||
lcd_console.c | ||
lcd_simplefb.c | ||
lcd.c | ||
log_console.c | ||
log_syslog.c | ||
log.c | ||
lynxkdi.c | ||
main.c | ||
Makefile | ||
malloc_simple.c | ||
memsize.c | ||
menu.c | ||
miiphyutil.c | ||
s_record.c | ||
splash_source.c | ||
splash.c | ||
stdio.c | ||
system_map.c | ||
update.c | ||
usb_hub.c | ||
usb_kbd.c | ||
usb_storage.c | ||
usb.c | ||
xyzModem.c |