From: Johann Neuhauser <jneuhauser@dh-electronics.com>
To: Simon Glass <sjg@chromium.org>
Cc: "u-boot@lists.denx.de" <u-boot@lists.denx.de>
Subject: RE: Compile error with SPL_FIT_FULL_CHECK and SPL_LOAD_FIT_FULL enabled
Date: Wed, 9 Feb 2022 07:31:01 +0000 [thread overview]
Message-ID: <7d4b4c909ddf45c28ef5e81f498d9f1f@dh-electronics.com> (raw)
In-Reply-To: <CAPnjgZ16hA1-GhCjN-QR2aeJHUjoBtzKDvmOR=9J1=zkyLB6Rg@mail.gmail.com>
> -----Original Message-----
> From: Simon Glass [mailto:sjg@chromium.org]
> Sent: Tuesday, February 8, 2022 6:13 PM
>
> Hi Johann,
>
Hi Simon,
thanks for your fast answer.
> On Tue, 8 Feb 2022 at 08:44, Johann Neuhauser
> <jneuhauser@dh-electronics.com> wrote:
> >
> > Dear developers and Simon,
> >
> > we wanna run secure boot with U-Boot's SPL_FIT_SIGNATURE and FIT_SIGNATURE on our STM32MP1 boards and discovered the CVE-2021-27097.
>
> That is already fixed in 2021.04 so you can just use a mainline U-Boot
> to avoid it.
>
So we don't need the FIT_FULL_CHECK config symbols to mitigate against
CVE-2021-27097 andwe're save if we use anything after 2021.04?
> > To mitigate this vulnerability we wanna enable SPL_LOAD_FIT_FULL and SPL_FIT_FULL_CHECK.
> > If I compile any U-Boot SPL with the mentioned config symbols after commit 6f3c2d8a, it fails always with the following error message:
> >
> > Used defconfig: stm32mp15_dhcom_basic_defconfig (+ mentioned configs enabled)
> > ```
> > ...
> > LD spl/lib/built-in.o
> > LD spl/u-boot-spl
> > /usr/bin/arm-linux-gnueabihf-ld.bfd: common/built-in.o: in function `fit_check_format':
> > /mnt/work/dev/u-boot/common/image-fit.c:1591: undefined reference to `fdt_check_full'
> > make[1]: *** [scripts/Makefile.spl:432: spl/u-boot-spl] Error 1
> > make: *** [Makefile:1941: spl/u-boot-spl] Error 2
> > ```
> > After diging around to find the cause, we're out of ideas.
> > Does anyone have a clue why the needed function is not compiled in libfdt for the spl build?
>
> SPL_OF_LIBFDT_ASSUME_MASK is set to 0xff so this check is not enabled.
> I suspect that the value of that setting should change to 0 or 1 if
> the full check is enabled.
>
I have come across this symbol before, but I did not pay any attention to it and
rather looked for the problem in Makefile's related to SPL build.
Many thanks for the hint.
> Regards,
> Simon
Best regards,
Johann
prev parent reply other threads:[~2022-02-09 7:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-08 15:43 Compile error with SPL_FIT_FULL_CHECK and SPL_LOAD_FIT_FULL enabled Johann Neuhauser
2022-02-08 17:12 ` Philippe REYNES
2022-02-08 22:28 ` Simon Glass
2022-02-08 17:13 ` Simon Glass
2022-02-09 7:31 ` Johann Neuhauser [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7d4b4c909ddf45c28ef5e81f498d9f1f@dh-electronics.com \
--to=jneuhauser@dh-electronics.com \
--cc=sjg@chromium.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox