From: Johann Neuhauser <jneuhauser@dh-electronics.com>
To: "u-boot@lists.denx.de" <u-boot@lists.denx.de>
Cc: "sjg@chromium.org" <sjg@chromium.org>
Subject: Compile error with SPL_FIT_FULL_CHECK and SPL_LOAD_FIT_FULL enabled
Date: Tue, 8 Feb 2022 15:43:35 +0000 [thread overview]
Message-ID: <a74fbec16f074944b1973d45372ac9fd@dh-electronics.com> (raw)
Dear developers and Simon,
we wanna run secure boot with U-Boot's SPL_FIT_SIGNATURE and FIT_SIGNATURE on our STM32MP1 boards and discovered the CVE-2021-27097.
To mitigate this vulnerability we wanna enable SPL_LOAD_FIT_FULL and SPL_FIT_FULL_CHECK.
If I compile any U-Boot SPL with the mentioned config symbols after commit 6f3c2d8a, it fails always with the following error message:
Used defconfig: stm32mp15_dhcom_basic_defconfig (+ mentioned configs enabled)
```
...
LD spl/lib/built-in.o
LD spl/u-boot-spl
/usr/bin/arm-linux-gnueabihf-ld.bfd: common/built-in.o: in function `fit_check_format':
/mnt/work/dev/u-boot/common/image-fit.c:1591: undefined reference to `fdt_check_full'
make[1]: *** [scripts/Makefile.spl:432: spl/u-boot-spl] Error 1
make: *** [Makefile:1941: spl/u-boot-spl] Error 2
```
After diging around to find the cause, we're out of ideas.
Does anyone have a clue why the needed function is not compiled in libfdt for the spl build?
Many thanks in advance.
Best regards,
Johann Neuhauser
DH electronics GmbH | Am Anger 8 | 83346 Bergen | Germany | Fon: +49 8662 4882 0
Board of Management: Stefan Daxenberger, Helmut Henschke | HRB Traunstein 9602
next reply other threads:[~2022-02-08 16:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-08 15:43 Johann Neuhauser [this message]
2022-02-08 17:12 ` Compile error with SPL_FIT_FULL_CHECK and SPL_LOAD_FIT_FULL enabled Philippe REYNES
2022-02-08 22:28 ` Simon Glass
2022-02-08 17:13 ` Simon Glass
2022-02-09 7:31 ` Johann Neuhauser
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a74fbec16f074944b1973d45372ac9fd@dh-electronics.com \
--to=jneuhauser@dh-electronics.com \
--cc=sjg@chromium.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.