author | Teddy Reed <teddy.reed@gmail.com> | 2018-06-09 11:38:05 -0400 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2018-07-10 16:55:58 -0400 |
commit | 72239fc85f3eda078547956608c063ab965e90e9 (patch) | |
tree | c4184de3db8760dafc7086c02e989ad208b85304 /Kconfig | |
parent | 894c3ad27fa940beb7fdc07d01dcfe81c03d0481 (diff) | |
vboot: Add FIT_SIGNATURE_MAX_SIZE protection

This adds a new config value FIT_SIGNATURE_MAX_SIZE, which controls the
max size of a FIT header's totalsize field. The field is checked before
signature checks are applied to protect from reading past the intended
FIT regions.

This field is not part of the vboot signature so it should be sanity
checked. If the field is corrupted then the structure or string region
reads may have unintended behavior, such as reading from device memory.

A default value of 256MB is set and intended to support most max storage
sizes.

Suggested-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>

Diffstat (limited to 'Kconfig')
-rw-r--r-- | Kconfig | 10 |
1 files changed, 10 insertions, 0 deletions
@@ -267,6 +267,16 @@ config FIT_SIGNATURE format support in this case, enable it using CONFIG_IMAGE_FORMAT_LEGACY. +config FIT_SIGNATURE_MAX_SIZE + hex "Max size of signed FIT structures" + depends on FIT_SIGNATURE + default 0x10000000 + help + This option sets a max size in bytes for verified FIT uImages. + A sane value of 256MB protects corrupted DTB structures from overlapping + device memory. Assure this size does not extend past expected storage + space. + config FIT_VERBOSE bool "Show verbose messages when FIT images fail" help |
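
Review bot: The help text for FIT_SIGNATURE_MAX_SIZE never says which value is compared against this limit. The commit message explains that it bounds the FIT header's totalsize field, which is not covered by the signature and is checked before signature verification; one sentence to that effect in the help would tell a board maintainer what the option actually constrains, where "protects corrupted DTB structures from overlapping device memory" does not. The prompt says "signed FIT structures" while the help says "verified FIT uImages", so pick one term, and "Assure this size" should read "Ensure this size". Since the default 0x10000000 applies to every board that enables FIT_SIGNATURE, the help could also state outright that boards with less than 256MB of RAM or storage should lower it, rather than leaving that to the last sentence. The check itself is outside this Kconfig-limited view and is not covered here.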