
[v2,00/14] vboot: Fix forged-configuration vulnerability

Message ID 20200318174408.77473-1-sjg@chromium.org

Message

Simon Glass March 18, 2020, 5:43 p.m. UTC
When booting a FIT, if 'bootm' is used without a specified configuration,
U-Boot will use the default one provided in the FIT. But it does not
actually check that the signature is for that configuration.

This means that it is possible to duplicate a configuration conf-1 to
produce conf-2 (with all the signatures intact), set the default
configuration to conf-2 and then boot the image. U-Boot will verify conf-2
(in fact since hashed-nodes specifies the conf-1 nodes it will effectively
verify conf-1). Then it will happily boot conf-2 even though it might have
a different kernel.

This series corrects this problem and adds a test to verify it. It also
updates fit_check_sign to allow the configuration to be specified.

This vulnerability was found by Dmitry Janushkevich and Andrea Barisani of
F-Secure, who also wrote the vboot_forge script included here.

This is CVE-2020-10648

Changes in v2:
- Bring in new vboot_forge file from the authors

Simon Glass (14):
  image: Correct comment for fit_conf_get_node()
  image: Be a little more verbose when checking signatures
  image: Return an error message from fit_config_verify_sig()
  test: vboot: Drop unnecessary parameter for fit_check_sign
  test: vboot: Add a test for a forged configuration
  test: vboot: Parameterise the test
  image: Check hash-nodes when checking configurations
  image: Load the correct configuration in fit_check_sign
  fit_check_sign: Allow selecting the configuration to verify
  test: vboot: Tidy up the code a little
  test: vboot: Fix pylint errors
  image: Use constants for 'required' and 'key-name-hint'
  test: vboot: Move key creation into a function
  test: vboot: Reduce fake kernel size to 500 bytes

 common/bootm.c               |   6 +-
 common/image-cipher.c        |   2 +-
 common/image-fit.c           |  26 +--
 common/image-sig.c           |  49 +++-
 include/image.h              |  24 +-
 lib/rsa/rsa-sign.c           |   6 +-
 test/py/tests/test_vboot.py  | 155 +++++++------
 test/py/tests/vboot_forge.py | 423 +++++++++++++++++++++++++++++++++++
 tools/fdt_host.h             |   3 +-
 tools/fit_check_sign.c       |   8 +-
 tools/image-host.c           |  17 +-
 11 files changed, 601 insertions(+), 118 deletions(-)
 create mode 100644 test/py/tests/vboot_forge.py
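
The scenario in the cover letter, as an added illustration that is not U-Boot code and not part of this series: a toy dict model of a FIT in which `hashed-nodes` lists the nodes a configuration signature covers, with HMAC-SHA256 over a constructed key standing in for the RSA signature. `verify_config_vulnerable` models the pre-fix check, which validates the signature over whatever `hashed-nodes` says but never ties those nodes to the configuration being booted; `verify_config_fixed` models the check the series adds ("image: Check hash-nodes when checking configurations"), requiring the signed node list to cover the booted config node and every image it references. `make_forged_fit` builds the regression fixture described above (conf-1 duplicated to conf-2 with the signature intact, conf-2 pointed at an unsigned kernel and made the default). All function names, the dict layout and the sample payloads are assumptions of this example.

```python
"""Toy model of FIT configuration signature checking, before and after the fix.

Added example for illustration; it is not U-Boot code and does not parse real
FIT/FDT files. The FIT is a plain dict, and HMAC-SHA256 with a constructed key
stands in for the RSA signature.
"""
import copy
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-example-key"  # stand-in for the vboot RSA key pair

REFERENCED_IMAGE_PROPS = ("kernel", "fdt")


def _lookup(fit, path):
    """Walk a '/a/b' path through the dict model (path '/' is the root)."""
    node = fit
    for part in path.strip("/").split("/"):
        if part:
            node = node[part]
    return node


def _node_bytes(fit, path):
    """Serialise a node's own properties (sub-nodes such as 'signature' excluded)."""
    props = {k: v for k, v in _lookup(fit, path).items() if not isinstance(v, dict)}
    return path.encode() + json.dumps(props, sort_keys=True, default=lambda b: b.hex()).encode()


def _digest(fit, hashed_nodes):
    """Signature value: MAC over the listed nodes, in order, like hashed-nodes."""
    mac = hmac.new(SIGNING_KEY, digestmod=hashlib.sha256)
    for path in hashed_nodes:
        mac.update(_node_bytes(fit, path))
    return mac.hexdigest()


def sign_config(fit, conf_name):
    """Signer side: cover the config node and the images it references."""
    conf_path = "/configurations/" + conf_name
    conf = _lookup(fit, conf_path)
    hashed = ["/", conf_path] + ["/images/" + conf[p] for p in REFERENCED_IMAGE_PROPS if p in conf]
    conf["signature"] = {"hashed-nodes": hashed, "value": _digest(fit, hashed)}


def verify_config_vulnerable(fit, conf_name=None):
    """Pre-fix check: the signature over hashed-nodes is valid, but nothing ties
    those nodes to the configuration that is actually about to be booted."""
    conf_name = conf_name or fit["configurations"]["default"]
    sig = _lookup(fit, "/configurations/" + conf_name)["signature"]
    return hmac.compare_digest(_digest(fit, sig["hashed-nodes"]), sig["value"])


def verify_config_fixed(fit, conf_name=None):
    """Post-fix check: hashed-nodes must include this config node and every image
    it references; only then is the signature itself checked."""
    conf_name = conf_name or fit["configurations"]["default"]
    conf_path = "/configurations/" + conf_name
    conf = _lookup(fit, conf_path)
    sig = conf["signature"]
    required = {conf_path} | {"/images/" + conf[p] for p in REFERENCED_IMAGE_PROPS if p in conf}
    if not required <= set(sig["hashed-nodes"]):
        return False  # signed material does not cover the config being booted
    return hmac.compare_digest(_digest(fit, sig["hashed-nodes"]), sig["value"])


def build_signed_fit():
    """Constructed sample FIT: one signed configuration, conf-1, set as default."""
    fit = {
        "description": "example FIT",
        "images": {
            "kernel-1": {"data": b"constructed kernel-1 payload"},
            "fdt-1": {"data": b"constructed fdt-1 payload"},
        },
        "configurations": {
            "default": "conf-1",
            "conf-1": {"kernel": "kernel-1", "fdt": "fdt-1"},
        },
    }
    sign_config(fit, "conf-1")
    return fit


def make_forged_fit():
    """Regression fixture matching the cover letter: conf-1 copied to conf-2
    (signature intact), conf-2 pointed at an unsigned kernel and made default."""
    fit = build_signed_fit()
    fit["images"]["kernel-2"] = {"data": b"constructed unsigned kernel-2 payload"}
    conf2 = copy.deepcopy(fit["configurations"]["conf-1"])
    conf2["kernel"] = "kernel-2"
    fit["configurations"]["conf-2"] = conf2
    fit["configurations"]["default"] = "conf-2"
    return fit


if __name__ == "__main__":
    forged = make_forged_fit()
    print("good FIT, pre-fix :", verify_config_vulnerable(build_signed_fit()))
    print("good FIT, post-fix:", verify_config_fixed(build_signed_fit()))
    print("forged default, pre-fix :", verify_config_vulnerable(forged))  # True: the bug
    print("forged default, post-fix:", verify_config_fixed(forged))       # False: rejected
```

The pre-fix verifier accepts the forged default because every node it hashes (root, conf-1, kernel-1, fdt-1) is untouched, so the copied signature still matches; the post-fix verifier rejects it before doing any signature arithmetic, because `/configurations/conf-2` and `/images/kernel-2` are not in the signed node list. Passing `conf_name="conf-1"` explicitly still verifies, which is the same distinction the series exposes in `fit_check_sign` by letting the configuration be selected.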

Comments

Simon Glass March 30, 2020, 11:11 p.m. UTC | #1
Hi,

On Wed, 18 Mar 2020 at 11:44, Simon Glass <sjg at chromium.org> wrote:
>
> When booting a FIT, if 'bootm' is used without a specified configuration,
> U-Boot will use the default one provided in the FIT. But it does not
> actually check that the signature is for that configuration.
>
> This means that it is possible to duplicate a configuration conf-1 to
> produce conf-2 (with all the signatures intact), set the default
> configuration to conf-2 and then boot the image. U-Boot will verify conf-2
> (in fact since hashed-nodes specifies the conf-1 nodes it will effectively
> verify conf-1). Then it will happily boot conf-2 even though it might have
> a different kernel.
>
> This series corrects this problem and adds a test to verify it. It also
> updates fit_check_sign to allow the configuration to be specified.
>
> This vulnerability was found by Dmitry Janushkevich and Andrea Barisani of
> F-Secure, who also wrote the vboot_forge script included here.
>
> This is CVE-2020-10648
>
> Changes in v2:
> - Bring in new vboot_forge file from the authors
>
> Simon Glass (14):
>   image: Correct comment for fit_conf_get_node()
>   image: Be a little more verbose when checking signatures
>   image: Return an error message from fit_config_verify_sig()
>   test: vboot: Drop unnecessary parameter for fit_check_sign
>   test: vboot: Add a test for a forged configuration
>   test: vboot: Parameterise the test
>   image: Check hash-nodes when checking configurations
>   image: Load the correct configuration in fit_check_sign
>   fit_check_sign: Allow selecting the configuration to verify
>   test: vboot: Tidy up the code a little
>   test: vboot: Fix pylint errors
>   image: Use constants for 'required' and 'key-name-hint'
>   test: vboot: Move key creation into a function
>   test: vboot: Reduce fake kernel size to 500 bytes
>
>  common/bootm.c               |   6 +-
>  common/image-cipher.c        |   2 +-
>  common/image-fit.c           |  26 +--
>  common/image-sig.c           |  49 +++-
>  include/image.h              |  24 +-
>  lib/rsa/rsa-sign.c           |   6 +-
>  test/py/tests/test_vboot.py  | 155 +++++++------
>  test/py/tests/vboot_forge.py | 423 +++++++++++++++++++++++++++++++++++
>  tools/fdt_host.h             |   3 +-
>  tools/fit_check_sign.c       |   8 +-
>  tools/image-host.c           |  17 +-
>  11 files changed, 601 insertions(+), 118 deletions(-)
>  create mode 100644 test/py/tests/vboot_forge.py

This is applied to dm/master.

Tom, shall I send a pull request?

Regards,
Simon
Tom Rini March 31, 2020, 1:26 p.m. UTC | #2
On Mon, Mar 30, 2020 at 05:11:38PM -0600, Simon Glass wrote:
> Hi,
> 
> On Wed, 18 Mar 2020 at 11:44, Simon Glass <sjg at chromium.org> wrote:
> >
> > When booting a FIT, if 'bootm' is used without a specified configuration,
> > U-Boot will use the default one provided in the FIT. But it does not
> > actually check that the signature is for that configuration.
> >
> > This means that it is possible to duplicate a configuration conf-1 to
> > produce conf-2 (with all the signatures intact), set the default
> > configuration to conf-2 and then boot the image. U-Boot will verify conf-2
> > (in fact since hashed-nodes specifies the conf-1 nodes it will effectively
> > verify conf-1). Then it will happily boot conf-2 even though it might have
> > a different kernel.
> >
> > This series corrects this problem and adds a test to verify it. It also
> > updates fit_check_sign to allow the configuration to be specified.
> >
> > This vulnerability was found by Dmitry Janushkevich and Andrea Barisani of
> > F-Secure, who also wrote the vboot_forge script included here.
> >
> > This is CVE-2020-10648
> >
> > Changes in v2:
> > - Bring in new vboot_forge file from the authors
> >
> > Simon Glass (14):
> >   image: Correct comment for fit_conf_get_node()
> >   image: Be a little more verbose when checking signatures
> >   image: Return an error message from fit_config_verify_sig()
> >   test: vboot: Drop unnecessary parameter for fit_check_sign
> >   test: vboot: Add a test for a forged configuration
> >   test: vboot: Parameterise the test
> >   image: Check hash-nodes when checking configurations
> >   image: Load the correct configuration in fit_check_sign
> >   fit_check_sign: Allow selecting the configuration to verify
> >   test: vboot: Tidy up the code a little
> >   test: vboot: Fix pylint errors
> >   image: Use constants for 'required' and 'key-name-hint'
> >   test: vboot: Move key creation into a function
> >   test: vboot: Reduce fake kernel size to 500 bytes
> >
> >  common/bootm.c               |   6 +-
> >  common/image-cipher.c        |   2 +-
> >  common/image-fit.c           |  26 +--
> >  common/image-sig.c           |  49 +++-
> >  include/image.h              |  24 +-
> >  lib/rsa/rsa-sign.c           |   6 +-
> >  test/py/tests/test_vboot.py  | 155 +++++++------
> >  test/py/tests/vboot_forge.py | 423 +++++++++++++++++++++++++++++++++++
> >  tools/fdt_host.h             |   3 +-
> >  tools/fit_check_sign.c       |   8 +-
> >  tools/image-host.c           |  17 +-
> >  11 files changed, 601 insertions(+), 118 deletions(-)
> >  create mode 100644 test/py/tests/vboot_forge.py
> 
> This is applied to dm/master.
> 
> Tom, shall I send a pull request?
Yes please, thanks!