summaryrefslogtreecommitdiff
path: root/test
diff options
context:
space:
mode:
authorTeddy Reed <teddy.reed@gmail.com>2018-06-09 11:38:05 -0400
committerTom Rini <trini@konsulko.com>2018-07-10 16:55:58 -0400
commit72239fc85f3eda078547956608c063ab965e90e9 (patch)
treec4184de3db8760dafc7086c02e989ad208b85304 /test
parent894c3ad27fa940beb7fdc07d01dcfe81c03d0481 (diff)
downloadu-boot-72239fc85f3eda078547956608c063ab965e90e9.tar.gz
u-boot-72239fc85f3eda078547956608c063ab965e90e9.tar.bz2
u-boot-72239fc85f3eda078547956608c063ab965e90e9.zip
vboot: Add FIT_SIGNATURE_MAX_SIZE protection
This adds a new config value FIT_SIGNATURE_MAX_SIZE, which controls the max size of a FIT header's totalsize field. The field is checked before signature checks are applied to protect from reading past the intended FIT regions. This field is not part of the vboot signature so it should be sanity checked. If the field is corrupted then the structure or string region reads may have unintended behavior, such as reading from device memory. A default value of 256MB is set and intended to support most max storage sizes. Suggested-by: Simon Glass <sjg@chromium.org> Signed-off-by: Teddy Reed <teddy.reed@gmail.com> Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'test')
-rw-r--r--test/py/tests/test_vboot.py33
1 files changed, 33 insertions, 0 deletions
diff --git a/test/py/tests/test_vboot.py b/test/py/tests/test_vboot.py
index ee939f2034..3d25ec3d66 100644
--- a/test/py/tests/test_vboot.py
+++ b/test/py/tests/test_vboot.py
@@ -26,6 +26,7 @@ Tests run with both SHA1 and SHA256 hashing.
import pytest
import sys
+import struct
import u_boot_utils as util
@pytest.mark.boardspec('sandbox')
@@ -105,6 +106,26 @@ def test_vboot(u_boot_console):
util.run_and_log(cons, [mkimage, '-F', '-k', tmpdir, '-K', dtb,
'-r', fit])
+ def replace_fit_totalsize(size):
+ """Replace FIT header's totalsize with something greater.
+
+ The totalsize must be less than or equal to FIT_SIGNATURE_MAX_SIZE.
+ If the size is greater, the signature verification should return false.
+
+ Args:
+ size: The new totalsize of the header
+
+ Returns:
+ prev_size: The previous totalsize read from the header
+ """
+ total_size = 0
+ with open(fit, 'r+b') as handle:
+ handle.seek(4)
+ total_size = handle.read(4)
+ handle.seek(4)
+ handle.write(struct.pack(">I", size))
+ return struct.unpack(">I", total_size)[0]
+
def test_with_algo(sha_algo):
"""Test verified boot with the given hash algorithm.
@@ -146,6 +167,18 @@ def test_vboot(u_boot_console):
util.run_and_log(cons, [fit_check_sign, '-f', fit, '-k', tmpdir,
'-k', dtb])
+ # Replace header bytes
+ bcfg = u_boot_console.config.buildconfig
+ max_size = int(bcfg.get('config_fit_signature_max_size', 0x10000000), 0)
+ existing_size = replace_fit_totalsize(max_size + 1)
+ run_bootm(sha_algo, 'Signed config with bad hash', 'Bad Data Hash', False)
+ cons.log.action('%s: Check overflowed FIT header totalsize' % sha_algo)
+
+ # Replace with existing header bytes
+ replace_fit_totalsize(existing_size)
+ run_bootm(sha_algo, 'signed config', 'dev+', True)
+ cons.log.action('%s: Check default FIT header totalsize' % sha_algo)
+
# Increment the first byte of the signature, which should cause failure
sig = util.run_and_log(cons, 'fdtget -t bx %s %s value' %
(fit, sig_node))