diff --git a/0001-atf-2.8-fix-linking.patch b/0001-atf-2.8-fix-linking.patch
deleted file mode 100644
index 09357a4f8ad642cfbbe261b0af0bb394a804ba93..0000000000000000000000000000000000000000
--- a/0001-atf-2.8-fix-linking.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- arm-trusted-firmware-2.8/Makefile.orig 2022-11-24 12:09:34.740595091 +0000
-+++ arm-trusted-firmware-2.8/Makefile 2022-11-24 12:11:00.923109191 +0000
-@@ -442,7 +442,7 @@
- 
- # LD = gcc-ld (ld) or llvm-ld (ld.lld) or other
- else
--TF_LDFLAGS += --fatal-warnings -O1
-+TF_LDFLAGS += --fatal-warnings -O1 --no-warn-rwx-segments
- TF_LDFLAGS += --gc-sections
- # ld.lld doesn't recognize the errata flags,
- # therefore don't add those in that case
diff --git a/CVE-2022-47630-1.patch b/CVE-2022-47630-1.patch
deleted file mode 100644
index 1efce78d14a57da6d55e47b3c40aee8c9027c71d..0000000000000000000000000000000000000000
--- a/CVE-2022-47630-1.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From fd37982a19a4a2911912ce321b9468993a0919ad Mon Sep 17 00:00:00 2001
-From: Demi Marie Obenour
-Date: Thu, 8 Dec 2022 15:23:56 -0500
-Subject: fix(auth): forbid junk after extensions
-
-The extensions must use all remaining bytes in the TBSCertificate.
-
-Change-Id: Idf48f7168e146d050ba62dbc732638946fcd6c92
-Signed-off-by: Demi Marie Obenour
----
- drivers/auth/mbedtls/mbedtls_x509_parser.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
-index 49bc008ed1..8c78003bb2 100644
---- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
-+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
-@@ -304,24 +304,26 @@ static int cert_parse(void *img, unsigned int img_len)
- 
- /*
- * extensions [3] EXPLICIT Extensions OPTIONAL
-+ * -- must use all remaining bytes in TBSCertificate
- */
- ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONTEXT_SPECIFIC |
- MBEDTLS_ASN1_CONSTRUCTED | 3);
-- if (ret != 0) {
-+ if ((ret != 0) || (len != (size_t)(end - p))) {
- return IMG_PARSER_ERR_FORMAT;
- }
- 
- /*
- * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
-+ * -- must use all remaining bytes in TBSCertificate
- */
- v3_ext.p = p;
- ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE);
-- if (ret != 0) {
-+ if ((ret != 0) || (len != (size_t)(end - p))) {
- return IMG_PARSER_ERR_FORMAT;
- }
-- v3_ext.len = (p + len) - v3_ext.p;
-+ v3_ext.len = end - v3_ext.p;
- 
- /*
- * Check extensions integrity
--- 
-cgit v1.2.3
-
diff --git a/CVE-2022-47630-2.patch b/CVE-2022-47630-2.patch
deleted file mode 100644
index 4a2a118bcff0e2aa8786b3693975a7d607e41292..0000000000000000000000000000000000000000
--- a/CVE-2022-47630-2.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 72460f50e2437a85ce5229c430931aab8f4a0d5b Mon Sep 17 00:00:00 2001
-From: Demi Marie Obenour
-Date: Thu, 8 Dec 2022 15:23:58 -0500
-Subject: fix(auth): require at least one extension to be present
-
-X.509 and RFC5280 allow omitting the extensions entirely, but require
-that if the extensions field is present at all, it must contain at least
-one certificate. TF-A already requires the extensions to be present,
-but allows them to be empty. However, a certificate with an empty
-extensions field will always fail later on, as the extensions contain
-the information needed to validate the next stage in the boot chain.
-Therefore, it is simpler to require the extension field to be present
-and contain at least one extension. Also add a comment explaining why
-the extensions field is required, even though it is OPTIONAL in the
-ASN.1 syntax.
-
-Change-Id: Ie26eed8a7924bf50937a6b27ccdf7cc9a390588d
-Signed-off-by: Demi Marie Obenour
----
- drivers/auth/mbedtls/mbedtls_x509_parser.c | 22 ++++++++++++++++++----
- 1 file changed, 18 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
-index 8c78003bb2..9cccd964d4 100644
---- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
-+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
-@@ -304,7 +304,18 @@ static int cert_parse(void *img, unsigned int img_len)
- 
- /*
- * extensions [3] EXPLICIT Extensions OPTIONAL
-- * -- must use all remaining bytes in TBSCertificate
-+ * }
-+ *
-+ * X.509 and RFC5280 allow omitting the extensions entirely.
-+ * However, in TF-A, a certificate with no extensions would
-+ * always fail later on, as the extensions contain the
-+ * information needed to authenticate the next stage in the
-+ * boot chain. Furthermore, get_ext() assumes that the
-+ * extensions have been parsed into v3_ext, and allowing
-+ * there to be no extensions would pointlessly complicate
-+ * the code. Therefore, just reject certificates without
-+ * extensions. This is also why version 1 and 2 certificates
-+ * are rejected above.
- */
- ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONTEXT_SPECIFIC |
-@@ -326,9 +337,12 @@ static int cert_parse(void *img, unsigned int img_len)
- v3_ext.len = end - v3_ext.p;
- 
- /*
-- * Check extensions integrity
-+ * Check extensions integrity. At least one extension is
-+ * required: the ASN.1 specifies a minimum size of 1, and at
-+ * least one extension is needed to authenticate the next stage
-+ * in the boot chain.
- */
-- while (p < end) {
-+ do {
- ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE);
-@@ -356,7 +370,7 @@ static int cert_parse(void *img, unsigned int img_len)
- return IMG_PARSER_ERR_FORMAT;
- }
- p += len;
-- }
-+ } while (p < end);
- 
- if (p != end) {
- return IMG_PARSER_ERR_FORMAT;
--- 
-cgit v1.2.3
-
diff --git a/CVE-2022-47630-3.patch b/CVE-2022-47630-3.patch
deleted file mode 100644
index f79c23d507179a814df61e625955b4e1caf7a5eb..0000000000000000000000000000000000000000
--- a/CVE-2022-47630-3.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From f5c51855d36e399e6e22cc1eb94f6b58e51b3b6d Mon Sep 17 00:00:00 2001
-From: Demi Marie Obenour
-Date: Fri, 9 Dec 2022 17:19:08 -0500
-Subject: fix(auth): properly validate X.509 extensions
-
-get_ext() does not check the return value of the various mbedtls_*
-functions, as cert_parse() is assumed to have guaranteed that they will
-always succeed. However, it passes the end of an extension as the end
-pointer to these functions, whereas cert_parse() passes the end of the
-TBSCertificate. Furthermore, cert_parse() does *not* check that the
-contents of the extension have the same length as the extension itself.
-Before fd37982a19a4a291 ("fix(auth): forbid junk after extensions"),
-cert_parse() also does not check that the extension block extends to the
-end of the TBSCertificate.
-
-This is a problem, as mbedtls_asn1_get_tag() leaves *p and *len
-undefined on failure. In practice, this results in get_ext() continuing
-to parse at different offsets than were used (and validated) by
-cert_parse(), which means that the in-bounds guarantee provided by
-cert_parse() no longer holds.
-
-This patch fixes the remaining flaw by enforcing that the contents of an
-extension are the same length as the extension itself.
-
-Change-Id: Id4570f911402e34d5d6c799ae01a01f184c68d7c
-Signed-off-by: Demi Marie Obenour
-Signed-off-by: Sandrine Bailleux
----
- drivers/auth/mbedtls/mbedtls_x509_parser.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
-index 44b25ba72b..bef2f3d0a6 100644
---- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
-+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
-@@ -355,33 +355,39 @@ static int cert_parse(void *img, unsigned int img_len)
- * in the boot chain.
- */
- do {
-+ unsigned char *end_ext_data;
-+
- ret = mbedtls_asn1_get_tag(&p, end, &len,
- MBEDTLS_ASN1_CONSTRUCTED |
- MBEDTLS_ASN1_SEQUENCE);
- if (ret != 0) {
- return IMG_PARSER_ERR_FORMAT;
- }
-+ end_ext_data = p + len;
- 
- /* Get extension ID */
-- ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID);
-+ ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len, MBEDTLS_ASN1_OID);
- if (ret != 0) {
- return IMG_PARSER_ERR_FORMAT;
- }
- p += len;
- 
- /* Get optional critical */
-- ret = mbedtls_asn1_get_bool(&p, end, &is_critical);
-+ ret = mbedtls_asn1_get_bool(&p, end_ext_data, &is_critical);
- if ((ret != 0) && (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG)) {
- return IMG_PARSER_ERR_FORMAT;
- }
- 
-- /* Data should be octet string type */
-- ret = mbedtls_asn1_get_tag(&p, end, &len,
-+ /*
-+ * Data should be octet string type and must use all bytes in
-+ * the Extension.
-+ */
-+ ret = mbedtls_asn1_get_tag(&p, end_ext_data, &len,
- MBEDTLS_ASN1_OCTET_STRING);
-- if (ret != 0) {
-+ if ((ret != 0) || ((p + len) != end_ext_data)) {
- return IMG_PARSER_ERR_FORMAT;
- }
-- p += len;
-+ p = end_ext_data;
- } while (p < end);
- 
- if (p != end) {
--- 
-cgit v1.2.3
-
diff --git a/v2.8.tar.gz b/arm-trusted-firmware-2.12.1.tar.gz
similarity index 42%
rename from v2.8.tar.gz
rename to arm-trusted-firmware-2.12.1.tar.gz
index 191e6e2d3238cff2262d16f947a6e702d0c077f6..8673417199b8e5bef282f2974ccf65a1fa70ae54 100644
Binary files a/v2.8.tar.gz and b/arm-trusted-firmware-2.12.1.tar.gz differ
diff --git a/arm-trusted-firmware.spec b/arm-trusted-firmware.spec
index 87b20c6a951ff9fd7f906d8ae21d34a1a855a217..1372690dc9d209b218beab0845eb94ead37673eb 100644
--- a/arm-trusted-firmware.spec
+++ b/arm-trusted-firmware.spec
@@ -1,25 +1,18 @@ -%define anolis_release 3 +%define anolis_release 1 %global debug_package %{nil} Name: arm-trusted-firmware -Version: 2.8 +Version: 2.12.1 Release: %{anolis_release}%{dist} Summary: ARM Trusted Firmware -License: BSD +License: BSD-3-clause URL: https://github.com/ARM-software/arm-trusted-firmware -Source0: https://github.com/ARM-software/arm-trusted-firmware/archive/refs/tags/v%{version}.tar.gz +Source0: https://github.com/ARM-software/arm-trusted-firmware/archive/lts-v%{version}/%{name}-%{version}.tar.gz Source1: aarch64-bl31 -Patch0001: 0001-atf-2.8-fix-linking.patch -# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=fd37982a19a4a291 -Patch0002: CVE-2022-47630-1.patch -# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=72460f50e2437a85 -Patch0003: CVE-2022-47630-2.patch -# https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=f5c51855d36e399e -Patch0004: CVE-2022-47630-3.patch ExclusiveArch: aarch64 -BuildRequires: gcc dtc +BuildRequires: gcc dtc openssl-devel %description ARM Trusted firmware is a reference implementation of secure world software for @@ -50,7 +43,7 @@ BuildArch: noarch The arm-trusted-firmware-armv8-doc package contains documentation files for arm-trusted-firmware-armv8. %prep -%autosetup -n %{name}-%{version} -p1 +%autosetup -p1 -n %{name}-lts-v%{version} cp %SOURCE1 . sed -i 's/arm-none-eabi-/arm-linux-gnu-/' plat/rockchip/rk3399/drivers/m0/Makefile @@ -107,6 +100,9 @@ done %doc readme.rst %changelog +* Thu Sep 18 2025 zhoujiajia111 - 2.11.0-1 +- Fix CVE-2023-49100,CVE-2024-6564 + * Wed Dec 04 2024 Zhongkun He - 2.8-3 - Fix CVE-2022-47630 @@ -115,3 +111,4 @@ done * Sat Apr 15 2023 yuanhui - 2.8-1 - Init package from upstream +
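Review bot: The new %changelog entry in the third hunk records the build as `2.11.0-1`, but this same commit sets `Version: 2.12.1` and `%define anolis_release 1`, so the header line should read `* Thu Sep 18 2025 zhoujiajia111 - 2.12.1-1`. That entry should also record that the first hunk drops Patch0001 through Patch0004 (the 2.8 linking fix and the three CVE-2022-47630 backports carried since 2.8-3) and on what basis; presumably the lts-v2.12.1 tag already contains those upstream commits, but nothing in the spec or changelog says so, and anyone auditing the package for CVE-2022-47630 would otherwise see the fix silently disappear, so a line such as `- Drop CVE-2022-47630 and linking patches (verify present in lts-v2.12.1)` belongs here. Separately, `License: BSD-3-clause` is not the SPDX spelling; `License: BSD-3-Clause` is, and license checks usually match the identifier exactly.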