kernel-fitimage: Don't use unit addresses on FIT
authorKlaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Tue, 1 Jun 2021 09:35:37 +0000 (11:35 +0200)
committerSteve Sakoman <steve@sakoman.com>
Tue, 8 Jun 2021 14:32:17 +0000 (04:32 -1000)
Das U-Boot 2021.4-rc1 has the following commit:

    commit 3f04db891a353f4b127ed57279279f851c6b4917
    Author: Simon Glass <sjg@chromium.org>
    Date:   Mon Feb 15 17:08:12 2021 -0700

        image: Check for unit addresses in FITs

        Using unit addresses in a FIT is a security risk. Add a check for
        this and disallow it.

        CVE-2021-27138

Adjust the kernel-fitimage.bbclass accordingly to not use unit
addresses. This change is required before we can bump U-Boot to 2021.4.

Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Backport for Dunfell]
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
meta/classes/kernel-fitimage.bbclass

index b4d8ff830927a28807d0c0bdffe291c4760a8c75..5f5e9dd444803d0011173fcf6a3d211a825e93aa 100644 (file)
@@ -124,7 +124,7 @@ fitimage_emit_section_kernel() {
        fi
 
        cat << EOF >> ${1}
-                kernel@${2} {
+                kernel-${2} {
                         description = "Linux kernel";
                         data = /incbin/("${3}");
                         type = "kernel";
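Review bot: Nothing in the class itself records why the node names now use `-` instead of `@`, so a later edit could reintroduce a unit address and the mistake would presumably surface only when the image is loaded by a U-Boot that carries the CVE-2021-27138 check. A shell comment above the `cat << EOF` in fitimage_emit_section_kernel would cover it, for example `# FIT node names must not contain '@': U-Boot rejects unit addresses in FITs (CVE-2021-27138)`. The same remark applies to the dtb, setup, ramdisk, config and signature hunks further down. The function body starts before this hunk and continues after it.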
@@ -133,7 +133,7 @@ fitimage_emit_section_kernel() {
                         compression = "${4}";
                         load = <${UBOOT_LOADADDRESS}>;
                         entry = <${ENTRYPOINT}>;
-                        hash@1 {
+                        hash-1 {
                                 algo = "${kernel_csum}";
                         };
                 };
@@ -160,14 +160,14 @@ fitimage_emit_section_dtb() {
                dtb_loadline="load = <${UBOOT_DTB_LOADADDRESS}>;"
        fi
        cat << EOF >> ${1}
-                fdt@${2} {
+                fdt-${2} {
                         description = "Flattened Device Tree blob";
                         data = /incbin/("${3}");
                         type = "flat_dt";
                         arch = "${UBOOT_ARCH}";
                         compression = "none";
                         ${dtb_loadline}
-                        hash@1 {
+                        hash-1 {
                                 algo = "${dtb_csum}";
                         };
                 };
@@ -185,7 +185,7 @@ fitimage_emit_section_setup() {
        setup_csum="${FIT_HASH_ALG}"
 
        cat << EOF >> ${1}
-                setup@${2} {
+                setup-${2} {
                         description = "Linux setup.bin";
                         data = /incbin/("${3}");
                         type = "x86_setup";
@@ -194,7 +194,7 @@ fitimage_emit_section_setup() {
                         compression = "none";
                         load = <0x00090000>;
                         entry = <0x00090000>;
-                        hash@1 {
+                        hash-1 {
                                 algo = "${setup_csum}";
                         };
                 };
@@ -221,7 +221,7 @@ fitimage_emit_section_ramdisk() {
        fi
 
        cat << EOF >> ${1}
-                ramdisk@${2} {
+                ramdisk-${2} {
                         description = "${INITRAMFS_IMAGE}";
                         data = /incbin/("${3}");
                         type = "ramdisk";
@@ -230,7 +230,7 @@ fitimage_emit_section_ramdisk() {
                         compression = "none";
                         ${ramdisk_loadline}
                         ${ramdisk_entryline}
-                        hash@1 {
+                        hash-1 {
                                 algo = "${ramdisk_csum}";
                         };
                 };
@@ -266,39 +266,39 @@ fitimage_emit_section_config() {
        if [ -n "${2}" ]; then
                conf_desc="Linux kernel"
                sep=", "
-               kernel_line="kernel = \"kernel@${2}\";"
+               kernel_line="kernel = \"kernel-${2}\";"
        fi
 
        if [ -n "${3}" ]; then
                conf_desc="${conf_desc}${sep}FDT blob"
                sep=", "
-               fdt_line="fdt = \"fdt@${3}\";"
+               fdt_line="fdt = \"fdt-${3}\";"
        fi
 
        if [ -n "${4}" ]; then
                conf_desc="${conf_desc}${sep}ramdisk"
                sep=", "
-               ramdisk_line="ramdisk = \"ramdisk@${4}\";"
+               ramdisk_line="ramdisk = \"ramdisk-${4}\";"
        fi
 
        if [ -n "${5}" ]; then
                conf_desc="${conf_desc}${sep}setup"
-               setup_line="setup = \"setup@${5}\";"
+               setup_line="setup = \"setup-${5}\";"
        fi
 
        if [ "${6}" = "1" ]; then
-               default_line="default = \"conf@${3}\";"
+               default_line="default = \"conf-${3}\";"
        fi
 
        cat << EOF >> ${1}
                 ${default_line}
-                conf@${3} {
+                conf-${3} {
                        description = "${6} ${conf_desc}";
                        ${kernel_line}
                        ${fdt_line}
                        ${ramdisk_line}
                        ${setup_line}
-                        hash@1 {
+                        hash-1 {
                                 algo = "${conf_csum}";
                         };
 EOF
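Review bot: `conf-${3}` and `default = "conf-${3}"` are emitted unconditionally although `${3}` is tested with `[ -n "${3}" ]` a few lines above, so a call without a DTB name would yield a configuration node and default both named `conf-`. Consider deriving the name once, e.g. `conf_name="${3}"` followed by `[ -n "${conf_name}" ] || conf_name="${2}"`, and using `conf-${conf_name}` in both places; whether the kernel id is the right fallback needs checking against the callers, which are not visible here. Configuration names are also what a boot command selects by name, so board scripts or signing checks that still reference `conf@...` have to change together with this class, and a comment saying so would help integrators. The function starts outside the hunk and continues past it.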
@@ -330,7 +330,7 @@ EOF
                sign_line="${sign_line};"
 
                cat << EOF >> ${1}
-                        signature@1 {
+                        signature-1 {
                                 algo = "${conf_csum},${conf_sign_algo}";
                                 key-name-hint = "${conf_sign_keyname}";
                                ${sign_line}