Re: [PATCH v2] Documentation: migration-guides: mention possible FIT compat break

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sascha Hauer <s.hauer@pengutronix.de>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: barebox@lists.infradead.org, str@pengutronix.de
Subject: Re: [PATCH v2] Documentation: migration-guides: mention possible FIT compat break
Date: Fri, 17 Apr 2026 11:14:05 +0200	[thread overview]
Message-ID: <aeH53Z0JFPsKA_eE@pengutronix.de> (raw)
In-Reply-To: <20260416153455.2630276-1-a.fatoum@pengutronix.de>

On Thu, Apr 16, 2026 at 05:34:37PM +0200, Ahmad Fatoum wrote:
> With manually written ITS, it's easy to omit signing some of the images.
> This flew under the radar so far, but with v2026.03.0 (or v2025.09.3),
> this will lead to verification failure.
> 
> The security advisory has been updated, but it's nonetheless worth an
> addition to the migration guide.
> 
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
> v1 -> v2:
>   - add same notice for v2025.09.3 as well
> ---
>  .../migration-guides/migration-2025.09.3.rst  | 21 +++++++++++++++++++
>  .../migration-guides/migration-2026.03.0.rst  | 19 +++++++++++++++++
>  2 files changed, 40 insertions(+)
>  create mode 100644 Documentation/migration-guides/migration-2025.09.3.rst
> 
> diff --git a/Documentation/migration-guides/migration-2025.09.3.rst b/Documentation/migration-guides/migration-2025.09.3.rst
> new file mode 100644
> index 000000000000..7fbea78a46d0
> --- /dev/null
> +++ b/Documentation/migration-guides/migration-2025.09.3.rst
> @@ -0,0 +1,21 @@
> +Release v2025.09.3
> +==================
> +
> +FIT Images
> +----------
> +
> +The fix for `CVE-2026-33243 <https://nvd.nist.gov/vuln/detail/CVE-2026-33243>`_
> +has the side effect that barebox after v2026.03.0 will not boot a signed

Shouldn't we mention the corresponding stable versions here?

> +configuration that excludes some images from the signature.
> +
> +Previously, it was possible to generate readily exploitable FIT images
> +by omitting them from ``sign-images`` in the ITS.
> +
> +If a FIT fails to boot with **v2026.03.1**, when it succesfully booted
> +v2026.02.0 or earlier, it's likely that it was vulnerable even without

and here?

Sascha

> +knowledge of CVE-2026-33243.
> +
> +Recommendation is to not write FIT ITS manually, but to use higher level
> +tooling that generates the ITS and feeds it to ``mkimage(1)``.
> +
> +For more details, refer to the `security advisory <https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4>`_.
> diff --git a/Documentation/migration-guides/migration-2026.03.0.rst b/Documentation/migration-guides/migration-2026.03.0.rst
> index 1bd06ac7b743..f23001886b8b 100644
> --- a/Documentation/migration-guides/migration-2026.03.0.rst
> +++ b/Documentation/migration-guides/migration-2026.03.0.rst
> @@ -8,3 +8,22 @@ On NXP i.MX8MP the SoC UID was read out wrong. It really is 128bit from which
>  barebox only read 64bit. barebox now does it correctly, but rolled out devices
>  might depend on the SoC UID being constant. In that case
>  CONFIG_ARCH_IMX8MP_KEEP_COMPATIBLE_SOC_UID should be enabled.
> +
> +FIT Images
> +----------
> +
> +The fix for `CVE-2026-33243 <https://nvd.nist.gov/vuln/detail/CVE-2026-33243>`_
> +has the side effect that barebox after v2026.03.0 will not boot a signed
> +configuration that excludes some images from the signature.
> +
> +Previously, it was possible to generate readily exploitable FIT images
> +by omitting them from ``sign-images`` in the ITS.
> +
> +If a FIT fails to boot with **v2026.03.1**, when it succesfully booted
> +v2026.02.0 or earlier, it's likely that it was vulnerable even without
> +knowledge of CVE-2026-33243.
> +
> +Recommendation is to not write FIT ITS manually, but to use higher level
> +tooling that generates the ITS and feeds it to ``mkimage(1)``.
> +
> +For more details, refer to the `security advisory <https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4>`_.
> -- 
> 2.47.3
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

     prev parent reply	other threads:[~2026-04-17  9:14 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-16 15:34 [PATCH v2] Documentation: migration-guides: mention possible FIT compat break Ahmad Fatoum
2026-04-17  9:14 ` Sascha Hauer [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aeH53Z0JFPsKA_eE@pengutronix.de \
    --to=s.hauer@pengutronix.de \
    --cc=a.fatoum@pengutronix.de \
    --cc=barebox@lists.infradead.org \
    --cc=str@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.