
When reading data from a FIT image, we must verify the configuration we get it from. This is because when we have a key with required = "conf", the image does not need any particular signature or hash. The configuration is the only required verification, so we must verify it.
Users of fit_get_data_node are liable to load unsigned data unless the user has set required = "image". Even then, they are vulnerable to mix-and-match attacks. This also affects other callers of fit_image_verify which don't first call fit_config_verify, such as source and imxtract. I don't think there is a backwards-compatible way to fix these interfaces. Fundamentally, selecting data by image when images are not required to be verified is unsafe.
Fixes: 37feaf2f727 ("image: fit: Add some helpers for getting data")
Signed-off-by: Sean Anderson sean.anderson@seco.com
---
 boot/image-fit.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/boot/image-fit.c b/boot/image-fit.c index 9c04ff78a15..632fd405e29 100644 --- a/boot/image-fit.c +++ b/boot/image-fit.c @@ -1948,7 +1948,14 @@ int fit_get_data_node(const void *fit, const char *image_uname, int fit_get_data_conf_prop(const void *fit, const char *prop_name, const void **data, size_t *size) { - int noffset = fit_conf_get_node(fit, NULL); + int ret, noffset = fit_conf_get_node(fit, NULL); + + if (noffset < 0) + return noffset; + + ret = fit_config_verify(fit, noffset); + if (ret) + return ret;
noffset = fit_conf_get_prop_node(fit, noffset, prop_name); return fit_get_data_tail(fit, noffset, data, size);
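Review bot: the new fit_config_verify() call in fit_get_data_conf_prop() is in the right place (before fit_conf_get_prop_node() selects the image), but two things are worth tightening. First, the check only covers the default configuration returned by fit_conf_get_node(fit, NULL); the commit message itself notes that fit_get_data_node() and other fit_image_verify() callers that skip fit_config_verify() remain unsafe, so the header comment for fit_get_data_conf_prop() should say that the configuration is now verified and that the function returns the fit_config_verify() error when it is not, and the comment on fit_get_data_node() should carry the warning from the commit message so callers do not assume it gives the same guarantee. Second, a style point: `int ret, noffset = fit_conf_get_node(fit, NULL);` initialises one of two variables in a single declaration; splitting it into `int ret;` and `int noffset = fit_conf_get_node(fit, NULL);` reads more clearly.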
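Added example, not U-Boot code and not part of this patch: a toy C model of the situation the commit message describes. It shows why selecting data by image name with only a hash check (the fit_get_data_node() path) accepts a tampered image and an image no configuration lists, while selecting through a configuration whose signature is verified first (what this patch makes fit_get_data_conf_prop() do) rejects both. The FIT layout, the FNV-1a hash, the key `SIGN_KEY`, the `config_sig()` stand-in for an RSA configuration signature, and the function names `get_data_by_image()` / `get_data_by_conf()` are all constructed for illustration.

```c
/* Constructed model of a FIT with required = "conf": image nodes carry only a
 * hash anyone can recompute; the configuration carries a "signature" that
 * covers the configuration name, the referenced image name and that image's
 * hash. Real FITs use RSA over the config node and listed image hashes; this
 * toy uses keyed FNV-1a purely so the example runs stand-alone. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IMAGES 2
#define FNV_INIT 2166136261u

struct image  { const char *name; const char *data; uint32_t hash; };
struct config { const char *name; const char *image_ref; uint32_t sig; };
struct fit    { struct image images[MAX_IMAGES]; struct config conf; };

/* Hypothetical signing secret; a real verifier holds only the public key. */
static const char SIGN_KEY[] = "hypothetical-signing-key";

static uint32_t fnv1a(uint32_t h, const void *buf, size_t len) {
    const unsigned char *p = buf;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Image hash node: unsigned, so an attacker can update it after tampering. */
static uint32_t image_hash(const char *data) {
    return fnv1a(FNV_INIT, data, strlen(data));
}

/* Stand-in for the configuration signature: binds config, image and hash. */
static uint32_t config_sig(const char *conf, const char *img, uint32_t img_hash) {
    uint32_t h = fnv1a(FNV_INIT, SIGN_KEY, sizeof SIGN_KEY);
    h = fnv1a(h, conf, strlen(conf));
    h = fnv1a(h, img, strlen(img));
    return fnv1a(h, &img_hash, sizeof img_hash);
}

static struct image *find_image(struct fit *f, const char *name) {
    for (int i = 0; i < MAX_IMAGES; i++)
        if (f->images[i].name && !strcmp(f->images[i].name, name))
            return &f->images[i];
    return NULL;
}

/* Like fit_get_data_node(): select by image name, check only the hash.
 * With required = "conf" this is not a signature check at all. */
const char *get_data_by_image(struct fit *f, const char *name) {
    struct image *img = find_image(f, name);
    if (!img || image_hash(img->data) != img->hash)
        return NULL;
    return img->data;
}

/* Like the patched fit_get_data_conf_prop(): verify the configuration's
 * signature before trusting the image it points to, then check the hash. */
const char *get_data_by_conf(struct fit *f) {
    struct image *img = find_image(f, f->conf.image_ref);
    if (!img)
        return NULL;
    if (config_sig(f->conf.name, f->conf.image_ref, img->hash) != f->conf.sig)
        return NULL;                     /* configuration not signed for this image */
    if (image_hash(img->data) != img->hash)
        return NULL;
    return img->data;
}

/* Signer side: one signed configuration listing "kernel"; a second image
 * "kernel-debug" is present in the FIT but listed by no configuration. */
struct fit build_signed_fit(void) {
    struct fit f = {0};
    f.images[0] = (struct image){ "kernel", "good kernel", 0 };
    f.images[0].hash = image_hash(f.images[0].data);
    f.images[1] = (struct image){ "kernel-debug", "debug kernel", 0 };
    f.images[1].hash = image_hash(f.images[1].data);
    f.conf = (struct config){ "conf-1", "kernel", 0 };
    f.conf.sig = config_sig("conf-1", "kernel", f.images[0].hash);
    return f;
}

/* Attacker without the key: swap the image and recompute its unsigned hash. */
void tamper_image(struct fit *f) {
    f->images[0].data = "evil kernel";
    f->images[0].hash = image_hash(f->images[0].data);
}

int main(void) {
    struct fit f = build_signed_fit();
    printf("by conf, untampered:  %s\n", get_data_by_conf(&f));
    printf("by image, unlisted:   %s\n", get_data_by_image(&f, "kernel-debug"));
    tamper_image(&f);
    printf("by image, tampered:   %s\n", get_data_by_image(&f, "kernel"));
    printf("by conf, tampered:    %s\n", get_data_by_conf(&f) ? "ACCEPTED" : "rejected");
    return 0;
}
```

The two failure modes from the commit message map onto the two lookups: `get_data_by_image("kernel-debug")` is the mix-and-match case (an image that is present and hashes correctly but that no signed configuration lists), and the tampered `"kernel"` is the unsigned-data case, where the hash node was simply recomputed. Only the path that verifies the configuration first rejects them.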