Difuse/difos
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

treewide: validate unified uImage.FIT images before flashing

Browse source 
Prevent flashing truncated or otherwise corrupted uImage.FIT images
by verifying checksums and hashes of all sub-images before flashing
using the newly packaged fit_check_sign tool.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This commit is contained in:
Daniel Golle 2025-03-29 05:09:09 +00:00
parent 5175d0a623
commit 29ec74b8c7
6 changed files with 19 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
package/utils/fitblk/Makefile
View file

@ -16,6 +16,7 @@ define Package/fitblk
SECTION:=base SECTION:=base
CATEGORY:=Base system CATEGORY:=Base system
TITLE:=fitblk firmware release tool TITLE:=fitblk firmware release tool
DEPENDS:=+fit-check-sign
endef endef
define Package/fitblk/description define Package/fitblk/description

10
package/utils/fitblk/files/fit.sh
View file

@ -61,3 +61,13 @@ fit_do_upgrade() {
;; ;;
esac esac
} }
fit_check_image() {
local magic="$(get_magic_long "$1")"
[ "$magic" != "d00dfeed" ] && {
echo "Invalid image type."
return 74
}
fit_check_sign -f "$1" >/dev/null || return 74
}

9
target/linux/mediatek/filogic/base-files/lib/upgrade/platform.sh
View file

@ -1,5 +1,5 @@
REQUIRE_IMAGE_METADATA=1 REQUIRE_IMAGE_METADATA=1
RAMFS_COPY_BIN='fitblk' RAMFS_COPY_BIN='fitblk fit_check_sign'
asus_initial_setup() asus_initial_setup()
{ {
@ -224,11 +224,8 @@ platform_check_image() {
xiaomi,redmi-router-ax6000-ubootmod|\ xiaomi,redmi-router-ax6000-ubootmod|\
xiaomi,mi-router-wr30u-ubootmod|\ xiaomi,mi-router-wr30u-ubootmod|\
zyxel,ex5601-t0-ubootmod) zyxel,ex5601-t0-ubootmod)
[ "$magic" != "d00dfeed" ] && { fit_check_image "$1"
echo "Invalid image type." return $?
return 1
}
return 0
;; ;;
nradio,c8-668gl) nradio,c8-668gl)
# tar magic `ustar` # tar magic `ustar`

2
target/linux/mediatek/mt7622/base-files/lib/upgrade/platform.sh
View file

@ -1,5 +1,5 @@
REQUIRE_IMAGE_METADATA=1 REQUIRE_IMAGE_METADATA=1
RAMFS_COPY_BIN='fitblk' RAMFS_COPY_BIN='fitblk fit_check_sign'
platform_do_upgrade() { platform_do_upgrade() {
local board=$(board_name) local board=$(board_name)

2
target/linux/mediatek/mt7623/base-files/lib/upgrade/platform.sh
View file

@ -1,5 +1,5 @@
REQUIRE_IMAGE_METADATA=1 REQUIRE_IMAGE_METADATA=1
RAMFS_COPY_BIN='fitblk' RAMFS_COPY_BIN='fitblk fit_check_sign'
# Legacy full system upgrade including preloader for MediaTek SoCs on eMMC or SD # Legacy full system upgrade including preloader for MediaTek SoCs on eMMC or SD
legacy_mtk_mmc_full_upgrade() { legacy_mtk_mmc_full_upgrade() {

10
target/linux/siflower/sf21/base-files/lib/upgrade/platform.sh
View file

@ -1,5 +1,5 @@
REQUIRE_IMAGE_METADATA=1 REQUIRE_IMAGE_METADATA=1
RAMFS_COPY_BIN='fitblk' RAMFS_COPY_BIN='fitblk fit_check_sign'
platform_do_upgrade() { platform_do_upgrade() {
local board=$(board_name) local board=$(board_name)
@ -18,17 +18,13 @@ PART_NAME=firmware
platform_check_image() { platform_check_image() {
local board=$(board_name) local board=$(board_name)
local magic="$(get_magic_long "$1")"
[ "$#" -gt 1 ] && return 1 [ "$#" -gt 1 ] && return 1
case "$board" in case "$board" in
*) *)
[ "$magic" != "d00dfeed" ] && { fit_check_image "$1"
echo "Invalid image type." return $?
return 1
}
return 0
;; ;;
esac esac