|
[isar-cip-core][PATCH 0/8] Secureboot on QEMU with EDK2, OP-TEE and RPBM
Schultschik, Sven
From: Sven Schultschik <sven.schultschik@...>
This series of patches will add recipes to build a QEMU setup which uses OP-TEE to use RPBM (Replay protected memory) of an EMMC for a secure storage. Which is used within Secureboot on ARM64. QEMU itself does not have an implementation of a virtual RPBM. Therefore a patch for u-boot is needed which adds this feature to u-boot, but breaks hardware compatibility within u-boot. As soon as QEMU has a native RPMB support included, the patch can be removed. The last patch is ment for manually test and verify the patches, but should not be merged. Sven Schultschik (8): add recipe for edk2 add recipe for optee qemu arm64 Include optee into u-boot add u-boot patch for qemu to support RPMB add recipe for trusted firmware a qemu arm64 add kas files for building qemu secure boot images enhance start-qemu.sh for arm64 secure boot no merge - manually instructions test secure boot README.md | 65 + kas/opt/u-boot-efi-ebg-op-tee-qemu.yml | 11 + keys/helloworld.efi | Bin 0 -> 4576 bytes recipes-bsp/edk2/edk2_202205.bb | 43 + recipes-bsp/edk2/files/rules.tmpl | 61 + .../op-tee/optee-os-qemu-arm64_3.17.0.bb | 54 + .../trusted-firmware-a-qemu-arm64_2.7.0.bb | 61 + ...hack.-Breaks-proper-hardware-support.patch | 1375 +++++++++++++++++ recipes-bsp/u-boot/files/secure-boot.cfg.tmpl | 9 +- recipes-bsp/u-boot/u-boot-qemu-common.inc | 5 + start-qemu.sh | 14 +- 11 files changed, 1695 insertions(+), 3 deletions(-) create mode 100644 kas/opt/u-boot-efi-ebg-op-tee-qemu.yml create mode 100644 keys/helloworld.efi create mode 100644 recipes-bsp/edk2/edk2_202205.bb create mode 100755 recipes-bsp/edk2/files/rules.tmpl create mode 100644 recipes-bsp/op-tee/optee-os-qemu-arm64_3.17.0.bb create mode 100644 recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemu-arm64_2.7.0.bb create mode 100644 recipes-bsp/u-boot/files/0002-rpmb-emulation-hack.-Breaks-proper-hardware-support.patch -- 2.30.2
|
|
|
|
Re: [isar-cip-core] doc/README.secureboot.md : Add method to check secure boot status in arm arch.
Jan Kiszka
On 21.10.22 13:16, Sai.Sathujoda@... wrote:
From: Sai <Sai.Sathujoda@...>Indeed - thanks, applied. Jan -- Siemens AG, Technology Competence Center Embedded Linux
|
|
|
|
[isar-cip-core] doc/README.secureboot.md : Add method to check secure boot status in arm arch.
sai.sathujoda@...
From: Sai <Sai.Sathujoda@...>
The dmesg will not show secure boot status for arm64 or armhf architectures. Signed-off-by: Sai <Sai.Sathujoda@...> --- doc/README.secureboot.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/README.secureboot.md b/doc/README.secureboot.md index 26d8c87..714331f 100644 --- a/doc/README.secureboot.md +++ b/doc/README.secureboot.md @@ -217,6 +217,10 @@ After boot check the dmesg for secure boot status like below: root@demo:~# dmesg | grep Secure [ 0.008368] Secure boot enabled ``` +In case of arm64 or armhf architectures, the secure boot status can be found in bootloader logs like below: +``` +EFI stub: UEFI Secure Boot is enabled. +``` ## Example: Update the image For updating the image, the following steps are necessary: -- 2.20.1
|
|
|
|
Re: KernelCI, gitlab testing notes
Florian Bezdeka
Hi all,
On Thu, 2022-10-20 at 18:08 +0200, Pavel Machek via lists.cip- project.org wrote: Hi!Great, so the filtering seems to work as expected. According to line 174 of the referenced job log above /dev/kvm is mounted into the container running what they seem to call "qemu emulator" and -enable-kvm is given. Depending on the concrete hardware this test is scheduled on, it might deliver different results. That seems to be a general issue. I can try to address that. Is the 4.4 series missing the backport of the mitigation for this CVE or is that really a "can be fixed by microcode only" thing? I don't want to silence a real issue. My question is: If we would run a newer kernel, would we still be affected on the same (virtual) hardware? [snip, I don't know the gitlab infrastructure]
|
|
|
|
Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
Jan Kiszka
On 20.10.22 18:24, Schultschik, Sven wrote:
Indeed, seems revisions are managed via the tags in edk2 and the-----Ursprüngliche Nachricht-----I checked and edk2-platforms does not have any tags. In theory you could use always the latest. But then you can't reproduce the builds. submodule shas there. Or via edk2-edkrepo-manifest (sigh...). Jan -- Siemens AG, Technology Competence Center Embedded Linux
|
|
|
|
Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
Schultschik, Sven
-----Ursprüngliche Nachricht-----Currently strugling with the "true" cross compile. At some point it seems to use the wrong compiler. gcc: error: unrecognized command-line option ‘-mlittle-endian’ | Building ... /<<PKGBUILDDIR>>/edk2/MdePkg/Library/StandaloneMmDriverEntryPoint/StandaloneMmDriverEntryPoint.inf [AARCH64] | gcc: error: unrecognized command-line option ‘-mstrict-align’; did you mean ‘-Wstrict-aliasing’? | gcc: error: unrecognized command-line option ‘-mstrict-align’; did you mean ‘-Wstrict-aliasing’?
|
|
|
|
Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
Schultschik, Sven
-----Ursprüngliche Nachricht-----I checked and edk2-platforms does not have any tags. In theory you could use always the latest. But then you can't reproduce the builds. The version of the recipe is the tag for the edk2 repository, which is already in use
|
|
|
|
KernelCI, gitlab testing notes
Pavel Machek
Hi!
* 4.4 kernelci warnings https://linux.kernelci.org/build/cip/branch/linux-4.4.y-cip/kernel/v4.4.302-cip70-98-g7f7838c92740f/ Thanks for pointer. This looks good. Most of warnings are "net/ipv4/inet_hashtables.c:608:68: warning: suggest parentheses around ‘+’ in operand of ‘&’ [-Wparentheses]" which is my fault and on my TODO list. * SMC QEMU x86-64 https://storage.kernelci.org/cip/linux-4.4.y-cip/v4.4.302-cip70-98-g7f7838c92740f/x86_64/x86_64_defconfig/gcc-10/lab-collabora/smc-qemu_x86_64.html Ok, I'll need to know more about the config. Is it possible that qemu runs paravirtualized -- KVM? If yes, we are basically testing whatever hardware it happens to run on. Not good. If no... the "soft" cpu it runs on does not have those bugs. * Understanding gitlab results +https://gitlab.com/cip-project/cip-kernel/linux-cip/-/jobs/3184699360 Ok, so what should I be looking at? ----------------------------------- 374All submitted tests were successful 375----------------------------------- 376------------------------------ 377Job Summary 378------------------------------ 379Job #763143 Finished. Job health: Complete. URL: https://lava.ciplatform.org/scheduler/job/763143 380Job #763147 Finished. Job health: Complete. URL: https://lava.ciplatform.org/scheduler/job/763147 382 I have see. "Job health: incomplete" and that indicated problems. I see "All submitted tests were successful". I guess that's ok. https://gitlab.com/cip-project/cip-kernel/linux-cip/-/jobs/3141003858 Now that's pretty evil: * 0_spectre-meltdown-checker-test.CVE-2018-12126 [fail] 266* 0_spectre-meltdown-checker-test.CVE-2018-3646 [pass] ... 288----------------------------------- 289All submitted tests were successful 290----------------------------------- 291 First, make it stand out visually. [pass] => [ok] and [fail] => [FAILURE] or something like that. Second, saying all tests were successful (line 289) when there's failure is ... confusing. * LTP failures I'm not sure where we run this or how. Anyway. https://lava.ciplatform.org/scheduler/job/763461 I picked up one failure randomly, and that's config failure, not kernel failure: utimensat01 1 TBROK: can't read /etc/sudoers Not sure what is going there: quotactl01. Do we have quotas enabled? syslog01 and friends is also failing. Is syslog configured correctly? I guess best way would be to run ltp on 4.4-mainline, 4.4.302, 4.4-cip and compare the results. Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
|
|
|
|
Re: New CVE entries this week
Masami Ichikawa
Hi.
On Thu, Oct 20, 2022 at 4:58 PM Pavel Machek <pavel@...> wrote: oops, you're right. 4.19 is affected. 4.19 is not listed in the ignore section in CVE-2022-3535.yml. so I made a mistake when writing this report. I think it is not a critical vulnerability. Sometimes NVD'sCVE-2022-3565: mISDN: fix use-after-free bugs in l1oip timer handlers"Critial" -- really? mISDN does not have much to do with bluetooth. i description is exaggerated :( I think it is okay to ignore low score vulnerabilities.CVE-2022-3566: tcp: Fix data races around icsk->icsk_af_ops.There's no race in the compile code assuming sane compiler; this is I think it is okay to ignore low score vulnerabilities. I think if vulnerability to local privilege escalation/remote code execution/remote DoS, the score will get high or at least medium. rc-v5.10.132.list:a just a READ_ONCE annotation |dd36fc0e5 1f1be0 o: 5.10| sysctl: Fix data races in proc_dointvec().yeah, even though remote user could write lots of data in the syslog with this issue, it seems to be a normal bug. Best regards,Regards, -- Masami Ichikawa Cybertrust Japan Co., Ltd. Email :masami.ichikawa@... :masami.ichikawa@...
|
|
|
|
Re: New CVE entries this week
Pavel Machek
Hi!
CVE-2022-3523: mm/memory.c: fix race when faulting a device private page... This fix is based on Memory folios feature so that it cannot apply toSounds like fun, but changelog also says: During normal usage it is unlikely these will cause any problems. However without these fixes it is possible to crash the kernel from userspace. These crashes can be triggered either by unloading the kernel module or unbinding the device from the driver prior to a userspace task exiting. Yeah, so.. don't let untrusted users play with modules / device bindings. We don't do that by default. CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options().Sounds like more fun. CVE-2022-3535: net: mvpp2: fix mvpp2 debugfs leak4.19-rc1 means that 4.19 is affected, and indeed that commit is in 4.19-stable. Due to severity of the vulnerability (very low), I don't think we care much. CVE-2022-3565: mISDN: fix use-after-free bugs in l1oip timer handlers"Critial" -- really? mISDN does not have much to do with bluetooth. i don't think we care. CVE-2022-3566: tcp: Fix data races around icsk->icsk_af_ops.There's no race in the compile code assuming sane compiler; this is just READ_ONCE() annotation for the tools. I wonder if we should simply ignore anything that is "medium" or lower? This is not too useful. There are _lot_ of READ_ONCE annotations: rc-v5.10.132.list:a just a READ_ONCE annotation |dd36fc0e5 1f1be0 o: 5.10| sysctl: Fix data races in proc_dointvec(). rc-v5.10.132.list:a just a READ_ONCE annotation |3c353ca70 4762b5 o: 5.10| sysctl: Fix data races in proc_douintvec(). rc-v5.10.132.list:a just a READ_ONCE annotation |2d706aadb f613d8 o: 5.10| sysctl: Fix data races in proc_dointvec_minmax(). rc-v5.10.132.list:a just a READ_ONCE annotation |23f9db9f8 2d3b55 o: 5.10| sysctl: Fix data races in proc_douintvec_minmax(). rc-v5.10.132.list:a just a READ_ONCE annotation |3b18d2877 c31bcc o: 5.10| sysctl: Fix data races in proc_doulongvec_minmax(). rc-v5.10.132.list:a just a READ_ONCE annotation |fbb481c6c e87782 o: 5.10| sysctl: Fix data races in proc_dointvec_jiffies(). rc-v5.10.132.list:a just a READ_ONCE annotation |569565b31 47e6ab o: 5.10| tcp: Fix a data-race around sysctl_tcp_max_orphans. rc-v5.10.132.list:a just a READ_ONCE annotation |1ffd2f3ca 3d32ed o: 4.19| inetpeer: Fix data-races around sysctl. rc-v5.10.132.list:a just a READ_ONCE annotation |759957e29 310731 o: 4.19| net: Fix data-races around sysctl_mem. rc-v5.10.132.list:a not a minimum fix, just a READ_ONCE annotation |2afb079f1 dd44f0 o: 4.9| cipso: Fix data-races around sysctl. rc-v5.10.132.list:a just a READ_ONCE annotation |cc7dc7f73 48d7ee o: 4.9| icmp: Fix data-races around sysctl. rc-v5.10.132.list:a just a READ_ONCE annotation |ecc3b5b6d 73318c o: 5.10| ipv4: Fix a data-race around sysctl_fib_sync_mem. rc-v5.10.132.list:a just a READ_ONCE annotation |8c0062e3d 2a4eb7 o: 4.19| icmp: Fix a data-race around sysctl_icmp_ratelimit. rc-v5.10.132.list:a just a READ_ONCE annotation |abf7c1c68 1ebcb2 o: 4.19| icmp: Fix a data-race around sysctl_icmp_ratemask. rc-v5.10.132.list:a not a minimum fix, just a READ_ONCE annotation |66a01e657 e49e4a o: 4.9| ipv4: Fix data-races around sysctl_ip_dynaddr. rc-v5.10.132.list:a just a READ_ONCE annotation |a9f8eb955 bdf00b o: 5.10| nexthop: Fix data-races around nexthop_compat_mode. rc-v5.10.137.list:a just a READ_ONCE annotation |6a5c5b381 4915d5 o: 5.10| inet: add READ_ONCE(sk->sk_bound_dev_if) in INET_MATCH() rc-v5.10.137.list:a just a READ_ONCE annotation, not a minimum fix |8d69424fb 5d368f o: 5.10| ipv6: add READ_ONCE(sk->sk_bound_dev_if) in INET6_MATCH() rc-v5.10.137.list:a just a READ_ONCE annotation |1651eed8e 08a75f o: 5.10| tcp: Fix data-races around sysctl_tcp_l3mdev_accept. rc-v5.10.140.list:a just a READ_ONCE annotation |1cf035989 027395 o: 5.10| net: Fix data-races around sysctl_[rw]mem(_offset)?. rc-v5.10.140.list:a just a READ_ONCE annotation |c430cce0f 1227c1 o: 5.10| net: Fix data-races around sysctl_[rw]mem_(max|default). rc-v5.10.140.list:a just a READ_ONCE annotation |0ca09591c 5dcd08 o: 5.10| net: Fix data-races around netdev_max_backlog. rc-v5.10.140.list:a just a READ_ONCE annotation |c9a25e523 61adf4 o: 4.19| net: Fix data-races around netdev_tstamp_prequeue. rc-v5.10.140.list:a just a READ_ONCE annotation |33a56c470 7de6d0 o: 5.10| net: Fix data-races around sysctl_optmem_max. rc-v5.10.140.list:a just a READ_ONCE annotation |b88a8545b d2154b o: 4.9| net: Fix a data-race around sysctl_tstamp_allow_data. rc-v5.10.140.list:a just a READ_ONCE annotation |ff5a88e37 c42b7c o: 4.9| net: Fix a data-race around sysctl_net_busy_poll. rc-v5.10.140.list:a just a READ_ONCE annotation |b99764a7c e59ef3 o: 4.9| net: Fix a data-race around sysctl_net_busy_read. rc-v5.10.140.list:a just a READ_ONCE annotation |6d73091c1 fa45d4 o: 4.19| net: Fix a data-race around netdev_budget_usecs. rc-v5.10.140.list:a just a READ_ONCE annotation |99e03c89b 3c9ba8 o: 4.9| net: Fix a data-race around sysctl_somaxconn. rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |b88a8545b d2154b o: 4.9| net: Fix a data-race around sysctl_tstamp_allow_data. rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |ff5a88e37 c42b7c o: 4.9| net: Fix a data-race around sysctl_net_busy_poll. rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |b99764a7c e59ef3 o: 4.9| net: Fix a data-race around sysctl_net_busy_read. rc-v5.10.140-sep7.list:a just a READ_ONCE annotation |99e03c89b 3c9ba8 o: 4.9| net: Fix a data-race around sysctl_somaxconn. rc-v5.10.14X-pre.list:a just a READ_ONCE annotation 5.10 05/16] cgroup: Remove data-race around cgrp_dfl_visible rc-v5.10.150.list:a just a READ_ONCE annotation |1b3ae95b2 aacd46 o: 4.9| tcp: annotate data-race around tcp_md5sig_pool_populated CVE-2022-3567: ipv6: Fix data races around sk->sk_prot.This is a tiny bit more serious than usual READ_ONCE annotations, but... CVE-2022-3541: eth: sp7021: fix use after free bug inComponent BPF? CVE-2022-3594: r8152: Rate limit overflow messagesThe "attack" is writing line to syslog. Seems like every bug can get a CVE if someone tries. Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
|
|
|
|
CIP IRC weekly meeting today on libera.chat
Jan Kiszka
Hi all,
Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today. Our channel is the following: irc:irc.libera.chat:6667/cip The IRC meeting is scheduled to UTC (GMT) 12:00: https://www.timeanddate.com/worldclock/meetingdetails.html?year=2022&month=10&day=20&hour=12&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248 USWest USEast UK DE TW JP 05:00 08:00 13:00 14:00 20:00 21:00 Last meeting minutes: https://ircbot.wl.linuxfoundation.org/meetings/cip/2022/10/cip.2022-10-13-12.03.log.html * Action items 1. Add qemu-riscv to cip-kernel-config - patersonc 2. Ask Florian to support with 4.4 kernel-ci reports - jki * Kernel maintenance updates * Kernel testing * AOB Jan
|
|
|
|
New CVE entries this week
Masami Ichikawa
Hi !
It's this week's CVE report. This week reported 23 new CVEs and 2 updated CVEs. CVE-2022-41674, CVE-2022-42719, and CVE-2022-42720 are remote code execution vulnerabilities. These CVEs are already fixed. * New CVEs CVE-2022-41674: fix u8 overflow in cfg80211_update_notlisted_nontrans CVSS v3 score is 8.1 HIGH. There is a buffer overflow bug in cfg80211_update_notlisted_nontrans() which causes 2 bytes to be overwritten. This overflow result leads to remote code execution. This bug was introduced by commit 0b8fb82 ("cfg80211: Parsing of Multiple BSSID information in scanning") in 5.1-rc1. This commit isn't backported to 4.x kernels so 4.x kernels aren't affected by this vulnerability. Fixed status mainline: [aebe9f4639b13a1f4e9a6b42cdd2e38c617b442d] stable/5.10: [a6408e0b694c1bdd8ae7dd0464a86b98518145ec] stable/5.15: [9a8ef2030510a9d6ce86fd535b8d10720230811f] stable/5.19: [42ea11a81ac853c3e870c70d61ab435d0b09b851] stable/5.4: [020402c7dd587a8a4725d32bbd172a5f7ecc5f8f] stable/6.0: [fc1ed6d0c9898a68da7f1f7843560dfda57683e2] CVE-2022-42719: wifi: mac80211: fix MBSSID parsing use-after-free CVSS v3 score is 8.8 HIGH. There is a use-after-free bug in the mac80211 subsystem. The result will cause a remote code execution. This vulnerability was introduced by commit 5023b14 ("mac80211: support profile split between elements") in 5.2-rc1. The commit 5023b14cf4df is not backported to 4.x kernels. so they aren't affected by this vulnerability. Fixed status mainline: [ff05d4b45dd89b922578dac497dcabf57cf771c6] stable/5.10: [31ce5da48a845bac48930bbde1d45e7449591728] stable/5.15: [de124365a7d2deed22cf706583930f28d537ff0f] stable/5.19: [e6d77ac0132da7e73fdcc4a38dd4c40ac0226466] stable/6.0: [4afcb8886800131f8dd58d82754ee0c508303d46] CVE-2022-42720: wifi: cfg80211: fix BSS refcounting bugs CVSS v3 score is 7.8 HIGH. There is a use-after-free bug in cfg80211 subsystem. The result will cause a remote code execution. Introduced by commit a3584f5 ("cfg80211: Properly track transmitting and non-transmitting BSS") which is not backported to 4.x kernels. so they aren't affected by this vulnerability. Fixed status mainline: [0b7808818cb9df6680f98996b8e9a439fa7bcc2f] stable/5.10: [6b944845031356f3e0c0f6695f9252a8ddc8b02f] stable/5.15: [bfe29873454f38eb1a511a76144ad1a4848ca176] stable/5.19: [46b23a9559580a72d8cc5811b1bce8db099806d6] stable/5.4: [785eaabfe3103e8bfa36aebacff6e8f69f092ed7] stable/6.0: [e97a5d7091e6d2df05f8378a518a9bbf81688b77] CVE-2022-42721: wifi: cfg80211: avoid non transmitted BSS list corruption CVSS v3 score is 5.5 MEDIUM. If there is an invalid BSS(Basic Service Set), the cfg80211 subsystem will loop the data forever. That causes DoS attacks. Introduced by commit 0b8fb82 ("cfg80211: Parsing of Multiple BSSID information in scanning") which is not backported to 4.x kernels. so they aren't affected by this vulnerability. Fixed status mainline: [bcca852027e5878aec911a347407ecc88d6fff7f] stable/5.10: [b0e5c5deb7880be5b8a459d584e13e1f9879d307] stable/5.15: [0a8ee682e4f992eccce226b012bba600bb2251e2] stable/5.19: [1d73c990e9bafc2754b1ced71345f73f5beb1781] stable/5.4: [77bb20ccb9dfc9ed4f9c93788c90d08cfd891cdc] stable/6.0: [377cb1ce85878c197904ca8383e6b41886e3994d] CVE-2022-42722: wifi: mac80211: fix crash in beacon protection for P2P-device CVSS v3 score is 5.5 MEDIUM. There is a NULL pointer dereference bug in ieee80211_rx_h_decrypt() and ieee80211_rx_h_decrypt() when processing beacon protection for P2P-device. This bug leads to DoS attacks. This bug was introduced by commit 9eaf183 ("mac80211: Report beacon protection failures to user space") which is not backported to 5.4 and 4.x kernels. so they aren't affected by this vulnerability. Fixed status mainline: [b2d03cabe2b2e150ff5a381731ea0355459be09f] stable/5.10: [58c0306d0bcd5f541714bea8765d23111c9af68a] stable/5.15: [93a3a32554079432b49cf87f326607b2a2fab4f2] stable/5.19: [fa63b5f6f8853ace755d9a23fb75817d5ba20df5] stable/6.0: [8ed62f2df8ebcf79c185f1bc3e4f346ea0905da6] CVE-2022-3521: kcm: avoid potential race in kcm_tx_work CVSS v3 score is 2.5 LOW(NIST). CVSS v3 score is 2.6 LOW(VulDB). A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function kcm_tx_work of the file net/kcm/kcmsock.c of the component kcm. The manipulation leads to race conditions. This bug was introduced by ab7ac4e ("kcm: Kernel Connection Multiplexor module") in 4.6-rc1. The kcm was introduced in 4.6 so 4.4 kernel is not affected by this issue. Fixed status mainline: [ec7eede369fe5b0d085ac51fdbb95184f87bfc6c] CVE-2022-3522: mm/hugetlb: use hugetlb_pte_stable in migration race check CVSS v3 score is 7.0 HIGH(NIST). CVSS v3 score is 4.6 MEDIUM(VulDB). A vulnerability was found in Linux Kernel and classified as problematic. This issue affects the function hugetlb_no_page of the file mm/hugetlb.c. The manipulation leads to race conditions. Commit 2ea7ff1 ("mm/hugetlb: fix race condition of uffd missing/minor handling") in 6.1-rc1 added a new function called hugetlb_pte_stable(). Commit f9bf6c0 ("mm/hugetlb: use hugetlb_pte_stable in migration race check") uses the function so applying this patch requires commit 2ea7ff1. Fixed status mainline: [f9bf6c03eca1077cae8de0e6d86427656fa42a9b] CVE-2022-3523: mm/memory.c: fix race when faulting a device private page CVSS v3 score is not provided(NIST). CVSS v3 score is 5.3 MEDIUM(VulDB). A vulnerability was found in Linux Kernel. It has been classified as problematic. Affected is an unknown function of the file mm/memory.c of the component Driver Handler. The manipulation leads to use after free. Commit log said that. ``` When the CPU tries to access a device private page the migrate_to_ram() callback associated with the pgmap for the page is called. However no reference is taken on the faulting page. Therefore a concurrent migration of the device private page can free the page and possibly the underlying pgmap. This results in a race which can crash the kernel due to the migrate_to_ram() function pointer becoming invalid. It also means drivers can't reliably read the zone_device_data field because the page may have been freed with memunmap_pages(). ``` According to the above commit log, accessing invalid migrate_to_ram pointer will cause a bug. This migrate_to_ram pointer was added by commit 897e636 ("memremap: add a migrate_to_ram method to struct dev_pagemap_ops") in 5.3-rc1. Therefore, kernel versions from 5.3-rc1 to 6.1-rc1 are affected by thid vulnerability. This fix is based on Memory folios feature so that it cannot apply to older kernels straightly. - mm/migrate_device.c was introduced by commit 76cbbea ("mm: move the migrate_vma_* device migration code into its own file") in 5.18-rc1. - migrate_folio() was added into include/linux/migrate.h by commit 5418465 ("mm/migrate: Convert migrate_page() to migrate_folio()") in 6.0-rc1. - Memory folios feature was introduced in 5.16. Fixed status mainline: [16ce101db85db694a91380aa4c89b25530871d33] CVE-2022-3524: tcp/udp: Fix memory leak in ipv6_renew_options(). A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function ipv6_renew_options of the component IPv6 Handler. The manipulation leads to memory leak. The attack can be launched remotely. CVSS v3 score is 7.5 HIGH(NIST). CVSS v3 score is 4.3 MEDIUM(VulDB). Kernel 4.4 is also affected by this issue. applying this fix needs to modify the patch. Fixed status mainline: [3c52c6bb831f6335c176a0fc7214e26f43adbd11] CVE-2022-3526: macvlan: Fix leaking skb in source mode with nodst option CVSS v3 score is 7.5 HIGH(NIST). CVSS v3 score is 5.3 MEDIUM(VulDB). A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function macvlan_handle_frame of the file drivers/net/macvlan.c of the component skb. The manipulation leads to memory leak. The attack can be initiated remotely. Introduced by 427f0c8 ("macvlan: Add nodst option to macvlan type source") in 5.13-rc1. Before 5.13-rc1 kernels are not affected. Fixed status mainline: [e16b859872b87650bb55b12cca5a5fcdc49c1442] stable/5.15: [8f79ce226ad2e9b2ec598de2b9560863b7549d1b] CVE-2022-3531: selftest/bpf: Fix memory leak in kprobe_multi_test CVSS v3 score is 5.7 MEDIUM(NIST). CVSS v3 score is 3.5 LOW(VulDB). A vulnerability was found in Linux Kernel. It has been classified as problematic. This affects the function get_syms of the file tools/testing/selftests/bpf/prog_tests/kprobe_multi_test.c of the component BPF. The manipulation leads to memory leak. Introduced by commit 5b6c7e5c4434 ("selftests/bpf: Add attach bench test") in 5.19-rc1. It isn't backported to older kernels. btw, users shouldn't run kselftest on their production environment, anyway. Fixed status Fixed in bpf-next tree as of 2022-10-18. CVE-2022-3532: selftests/bpf: Fix memory leak caused by not destroying skeleton CVSS v3 score is 5.7 MEDIUM(NIST). CVSS v3 score is 3.5 LOW(VulDB). A vulnerability was found in Linux Kernel. It has been declared as problematic. This vulnerability affects the function test_map_kptr_success/test_fentry of the component BPF. The manipulation leads to memory leak. Introduced by commit 0ef6740e9777 ("selftests/bpf: Add tests for kptr_ref refcounting") in 5.19-rc1 and 1642a3945e22 ("selftests/bpf: Add struct argument tests with fentry/fexit programs.") in 6.1-rc1. These commits are not backported to stable kernels. Users shouldn't run kselftest on their production environment, anyway. 4.4, 4.9, 4.14, 4.19, 5.4, and 5.10 kernels are not affected by this issue. Fixed status Fixed in bpf-next tree as of 2022-10-18. CVE-2022-3535: net: mvpp2: fix mvpp2 debugfs leak CVSS v3 score is not provided(NIST). CVSS v3 score is 3.5 LOW(VulDB). A vulnerability classified as problematic was found in Linux Kernel. Affected by this vulnerability is the function mvpp2_dbgfs_port_init of the file drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c of the component mvpp2. The manipulation leads to memory leak. Introduced by commit 21da57a ("net: mvpp2: add a debugfs interface for the Header Parser") in 4.19-rc1. 4.4, 4.9, 4.10, and 4.19 kernels are not affected by this issue. Fixed status mainline: [0152dfee235e87660f52a117fc9f70dc55956bb4] CVE-2022-3543: af_unix: Fix memory leaks of the whole sk due to OOB skb. CVSS v3 score is 5.5 MEDIUM(NIST). CVSS v3 score is 3.5 LOW(VulDB). A vulnerability, which was classified as problematic, has been found in Linux Kernel. This issue affects the function unix_sock_destructor/unix_release_sock of the file net/unix/af_unix.c of the component BPF. The manipulation leads to memory leak. Introduced by commit 314001f ("af_unix: Add OOB support") in 5.15-rc1. This commit is not backported to older kernels. 4.4, 4.9, 4.14, 4.19, 5.4, and 5.10 kernels are not affected by this issue. Fixed status. mainline: [7a62ed61367b8fd01bae1e18e30602c25060d824] CVE-2022-3564: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu CVSS v3 score is not provided(NIST). CVSS v3 score is 5.5 MEDIUM(VulDB). A vulnerability classified as critical was found in Linux Kernel. Affected by this vulnerability is the function l2cap_reassemble_sdu of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. I Introduced by commit d2a7ac5d5d3a ("Bluetooth: Add the ERTM receive state machine") in 3.6-rc1 and 4b51dae96731 ("Bluetooth: Add streaming mode receive and incoming packet classifier") in 3.6-rc1. Fixed status fixed in bluetooth-next tree as of 2022-10-18 CVE-2022-3565: mISDN: fix use-after-free bugs in l1oip timer handlers CVSS v3 score is not provided(NIST). CVSS v3 score is 4.6 MEDIUM(VulDB). A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. Fixed status mainline: [2568a7e0832ee30b0a351016d03062ab4e0e0a3f] CVE-2022-3566: tcp: Fix data races around icsk->icsk_af_ops. CVSS v3 score is not provided(NIST). CVSS v3 score is 4.6 MEDIUM(VulDB). A vulnerability, which was classified as problematic, was found in Linux Kernel. This affects the function tcp_getsockopt/tcp_setsockopt of the component TCP Handler. The manipulation leads to race conditions. Fixed status mainline: [f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57] CVE-2022-3567: ipv6: Fix data races around sk->sk_prot. CVSS v3 score is not provided(NIST). CVSS v3 score is 4.6 MEDIUM(VulDB). A vulnerability has been found in Linux Kernel and classified as problematic. This vulnerability affects the function inet6_stream_ops/inet6_dgram_ops of the component IPv6 Handler. The manipulation leads to race conditions. According to the commit log, commit 086d490 ("ipv6: annotate some data-races around sk->sk_prot") fixes a race condition bug but it was not enough. Therefore it seems that both commit 086d490 and 364f997 need to fix this issue. Fixed status mainline: [364f997b5cfe1db0d63a390fe7c801fa2b3115f6] CVE-2022-2602: io_uring/af_unix: defer registered files gc to io_uring release CVSS v3 score is not provided. A use-after-free bug was found in the io_uring subsystem. When io_uring releasing registered fds, Unix socket Garbage Collection process is used. If Unix GC is run before io_uring released fds, a use-after-free bug will happen. That causes local privilege escalation vulnerability. Fixed status mainline: [0091bfc81741b8d3aeb3b7ab8636f911b2de6e80] CVE-2022-3542: bnx2x: fix potential memory leak in bnx2x_tpa_stop() CVSS v3 score is 5.5 MEDIUM(NIST). CVSS v3 score is 3.5 LOW(VulDB). A vulnerability classified as problematic was found in Linux Kernel. This vulnerability affects the function bnx2x_tpa_stop of the file drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c of the component BPF. The manipulation leads to memory leak. This bug was in a driver for Broadcom NetXtremeII 10 gigabit Ethernet cards (CONFIG_BNX2X). Fixed status mainline: [b43f9acbb8942b05252be83ac25a81cec70cc192] CVE-2022-3545: nfp: fix use-after-free in area_cache_get() CVSS v3 score is 7.8 HIGH(NIST). CVSS v3 score is 5.5 MEDIUM(VulDB). A vulnerability has been found in Linux Kernel and classified as critical. Affected by this vulnerability is the function area_cache_get of the file drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c of the component IPsec. The manipulation leads to use after free. The nfp/nfpcore was added by 4cb584e0 ("nfp: add CPP access core") in 4.11-rc1. So, 4.4 and 4.9 are not affected. Fixed status mainline: [02e1a114fdb71e59ee6770294166c30d437bf86a] CVE-2022-3541: eth: sp7021: fix use after free bug in spl2sw_nvmem_get_mac_address CVSS v3 score is 7.8 HIGH(NIST). CVSS v3 score is 5.5 MEDIUM(VulDB). A vulnerability classified as critical has been found in Linux Kernel. This affects the function spl2sw_nvmem_get_mac_address of the file drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The manipulation leads to use after free. This issue was introduced by commit fd3040b ("net: ethernet: Add driver for Sunplus SP7021") in 5.19-rc1. Therefore, 4.x, 5.10, and 5.15 kernels are not affected by this issue. Fixed status mainline: [12aece8b01507a2d357a1861f470e83621fbb6f2] CVE-2022-3594: r8152: Rate limit overflow messages CVSS v3 score is not provided(NIST). CVSS v3 score is 5.3 MEDIUM(VulDB). A vulnerability was found in Linux Kernel. It has been declared as problematic. Affected by this vulnerability is the function intr_callback of the file drivers/net/usb/r8152.c of the component BPF. The manipulation leads to logging of excessive data. The attack can be launched remotely. Fixed status mainline: [93e2be344a7db169b7119de21ac1bf253b8c6907] * Updated CVEs CVE-2022-3303: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC 5.10 was fixed this week. Fixed status mainline: [8423f0b6d513b259fdab9c9bf4aaa6188d054c2d] stable/5.10: [fce793a056c604b41a298317cf704dae255f1b36] stable/5.15: [8015ef9e8a0ee5cecfd0cb6805834d007ab26f86] stable/5.19: [723ac5ab2891b6c10dd6cc78ef5456af593490eb] stable/5.4: [4051324a6dafd7053c74c475e80b3ba10ae672b0] CVE-2022-40768: scsi: stex: properly zero out the passthrough command structure stable 5.10, 5.15, 5.19, 5.4, and 6.0 were fixed this week. Fixed status mainline: [6022f210461fef67e6e676fd8544ca02d1bcfa7a] stable/5.10: [36b33c63515a93246487691046d18dd37a9f589b] stable/5.15: [76efb4897bc38b2f16176bae27ae801037ebf49a] stable/5.19: [6ae8aa5dcf0d7ada07964c8638e55d3af5896a86] stable/5.4: [20a5bde605979af270f94b9151f753ec2caf8b05] stable/6.0: [b9b7369d89924a366b20045dc26dc4dc6b0567a4] Currently tracking CVEs CVE-2021-31615: Unencrypted Bluetooth Low Energy baseband links in Bluetooth Core Specifications 4.0 through 5.2 There is no fix information. CVE-2020-26556: kernel: malleable commitment Bluetooth Mesh Provisioning No fix information. CVE-2020-26557: kernel: predictable Authvalue in Bluetooth Mesh Provisioning Leads to MITM No fix information. CVE-2020-26559: kernel: Authvalue leak in Bluetooth Mesh Provisioning No fix information. CVE-2020-26560: kernel: impersonation attack in Bluetooth Mesh Provisioning No fix information. Regards, -- Masami Ichikawa Cybertrust Japan Co., Ltd. Email :masami.ichikawa@... :masami.ichikawa@...
|
|
|
|
Re: [isar-cip-core][PATCH] Update ISAR revision
Jan Kiszka
On 19.10.22 15:43, Quirin Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@...>Thanks, applied. Jan -- Siemens AG, Technology Competence Center Embedded Linux
|
|
|
|
[isar-cip-core][PATCH] Update ISAR revision
Quirin Gylstorff
From: Quirin Gylstorff <quirin.gylstorff@...>
Update for downstream layers. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@...> --- kas-cip.yml | 2 +- kas/opt/swupdate.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/kas-cip.yml b/kas-cip.yml index 24062c5..10f4594 100644 --- a/kas-cip.yml +++ b/kas-cip.yml @@ -22,7 +22,7 @@ repos: isar: url: https://github.com/ilbers/isar.git - refspec: 0daa55195f0f55465a367aec1ceeec5f26c161af + refspec: fc4f004eb67237d9d09b1ffad0de1a19217fa94a layers: meta: diff --git a/kas/opt/swupdate.yml b/kas/opt/swupdate.yml index b2bff64..f0d3f1b 100644 --- a/kas/opt/swupdate.yml +++ b/kas/opt/swupdate.yml @@ -24,3 +24,4 @@ local_conf_header: IMAGE_FSTYPES = "wic" WKS_FILE ?= "${MACHINE}-${SWUPDATE_BOOTLOADER}.wks.in" INITRAMFS_INSTALL_append = " initramfs-squashfs-hook" + WIC_DEPLOY_PARTITIONS = "1" -- 2.35.1
|
|
|
|
Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
Jan Kiszka
On 19.10.22 15:21, Schultschik, Sven (DI PA DCP R&D 2) wrote:
Right, it gives you an even better suggestion than I what to do /wrt-----Ursprüngliche Nachricht-----cip- SRCREV when you have multiple repos (not here but in edk2). -- Siemens AG, Technology Competence Center Embedded Linux
|
|
|
|
Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
Schultschik, Sven
-----Ursprüngliche Nachricht-----cip- dev@..."https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.c om%2FOP-I tried your suggestion and removed destsuffix and rev and now I remember why I added it initially: SRC_URI += " \ git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https" optee-os-qemu-arm64-3.17.0-r0 do_fetch: Fetcher failure for URL: 'git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https'. Please set a valid SRCREV for url ['SRCREV_default_pn-optee-os-qemu-arm64', 'SRCREV_default', 'SRCREV_pn-optee-os-qemu-arm64', 'SRCREV'] (possible key names are git://github.com/OP-TEE/optee_os.git;branch=master;protocol=https, or use a ;rev=X URL parameter)
|
|
|
|
Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
Jan Kiszka
On 19.10.22 15:14, Schultschik, Sven (DI PA DCP R&D 2) wrote:
Cross-compile should give you some relevant toolchain bits and libs at-----Ursprüngliche Nachricht-----EDK2 really uses submodules which need to be pulled least. And it makes sure that you have a native toolchain for the build environment, rather than running with emulation for that. If you need different compiler settings, adjust the rules file. Jan -- Siemens AG, Technology Competence Center Embedded Linux
|
|
|
|
Re: [isar-cip-core][PATCH 2/7] add recipe for for edk2
Schultschik, Sven
-----Ursprüngliche Nachricht-----EDK2 really uses submodules which need to be pulled - please factor out revisions into separate variablesEDK2 has it's own build parameter for the target architecture, which activates cross compile Within EDK2 build which breaks if isar cross is activated. build -p $(ACTIVE_PLATFORM) -b RELEASE -a $(TARGET_ARCH) -t GCC5 -n $(shell nproc) You suggest to turn it off and try if isar cross compile could be enough? Sven
|
|
|
|
Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
Jan Kiszka
On 19.10.22 15:05, Schultschik, Sven (DI PA DCP R&D 2) wrote:
That is at least not generally true:-----Ursprüngliche Nachricht-----Optee has it's own weired way to cross compile. If you configure optee for arm64 and activate ISAR cross compile it breaks. https://github.com/siemens/meta-iot2050/blob/master/recipes-bsp/optee-os/optee-os-iot2050_3.18.0.bb Will be curious to see the result. Jan -- Siemens AG, Technology Competence Center Embedded Linux
|
|
|
|
Re: [isar-cip-core][PATCH 1/7] add recipe for optee qemu arm64
Schultschik, Sven
-----Ursprüngliche Nachricht-----Optee has it's own weired way to cross compile. If you configure optee for arm64 and activate ISAR cross compile it breaks. Just come in my mind. I could delete the exports completly and set isar cross compile to true. So deactivate the Cross compile of optee and use the isar one. I will test if this will work. Sven+Armv8-A.
|
|
|