u-boot Flat Image Tree (FIT) signing support
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Fix Released
|
Undecided
|
Andy Whitcroft | ||
u-boot (Ubuntu) |
Fix Released
|
Medium
|
Andy Whitcroft | ||
Xenial |
Fix Released
|
High
|
Andy Whitcroft | ||
Bionic |
Fix Released
|
High
|
Andy Whitcroft | ||
Cosmic |
Fix Released
|
Medium
|
Andy Whitcroft | ||
Disco |
Fix Released
|
Medium
|
Andy Whitcroft | ||
Eoan |
Fix Released
|
Medium
|
Andy Whitcroft | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Groovy |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact] the existing mkimage/dumpimage tools are unable to make or dump out the contents of a u-boot FIT image.
[Test Case] run mkimage with no arguments, note that FIT images and signing are shown as disabled. Install the updated version and note that FIT images and signing are now shown as enabled. Run the attached TEST-FIT script which will put together a sample image, generate some keys, and sign the resulting image contents. You will see "kernel.img: Device Tree Blob version 17,..." if the image is created and you will see dumpimage output showing it is not yet signed (Sign value: unavailable). The signatures will then be applied and the image redumped and you will see it is now signed (Sign value: <hex>).
[Regression Potential] though this changes the u-boot boot loader package, only the build of the u-boot-utils package contents is modified. This primarily enabled FIT_SIGNATURE support in the configuration before building those tools. The majority of the tools we ship do not have configuration support even and so should not be affected. mkimage et al are not normally used during a kernel/bootloader update and so the risk to a pre-installed system should be low. There is slightly higher risk in the xenial changes as the enablement has enabled some additional tool builds, but none of those are shipped in the resulting binaries.
===
We need a mechanism for securely signing Flat Image Tree binaries. This will be performed in a similar manner to UEFI signing support via a custom binary upload to launchpad. We will also need a u-boot update to enable image creation and signing support in mkimage.
Related branches
- Colin Watson: Approve
-
Diff: 513 lines (+208/-15)2 files modifiedlib/lp/archivepublisher/signing.py (+42/-9)
lib/lp/archivepublisher/tests/test_signing.py (+166/-6)
CVE References
Changed in launchpad: | |
status: | New → In Progress |
assignee: | nobody → Andy Whitcroft (apw) |
Changed in u-boot (Ubuntu): | |
importance: | Undecided → High |
assignee: | nobody → Andy Whitcroft (apw) |
Changed in u-boot (Ubuntu Eoan): | |
status: | New → In Progress |
Changed in u-boot (Ubuntu Disco): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Andy Whitcroft (apw) |
Changed in u-boot (Ubuntu Cosmic): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Andy Whitcroft (apw) |
Changed in u-boot (Ubuntu Bionic): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Andy Whitcroft (apw) |
Changed in u-boot (Ubuntu Eoan): | |
importance: | High → Medium |
Changed in u-boot (Ubuntu Xenial): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Andy Whitcroft (apw) |
description: | updated |
description: | updated |
tags: |
added: verification-done-disco removed: verification-needed-disco |
tags: |
added: verification-done-xenial removed: verification-done verification-needed-xenial |
Changed in launchpad: | |
status: | Fix Committed → Fix Released |
summary: |
- support u-boot Flat Image Tree (FIT) signing support + u-boot Flat Image Tree (FIT) signing support |
Changed in u-boot (Ubuntu Focal): | |
milestone: | none → ubuntu-20.04.2 |
Hello Andy, or anyone else affected,
Accepted u-boot into disco-proposed. The package will build now and be available at https:/ /launchpad. net/ubuntu/ +source/ u-boot/ 2018.07~ rc3+dfsg1- 0ubuntu3 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification- needed- disco to verification- done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed- disco. In either case, without details of your testing we will not be able to proceed.
Further information regarding the verification process can be found at https:/ /wiki.ubuntu. com/QATeam/ PerformingSRUVe rification . Thank you in advance for helping!
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.