Re: [PATCH v2] Documentation: migration-guides: mention possible FIT compat break

mail archive of the barebox mailing list
 help / color / mirror / Atom feed

From: Sascha Hauer <s.hauer@pengutronix.de>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: barebox@lists.infradead.org, str@pengutronix.de
Subject: Re: [PATCH v2] Documentation: migration-guides: mention possible FIT compat break
Date: Fri, 17 Apr 2026 11:14:05 +0200	[thread overview]
Message-ID: <aeH53Z0JFPsKA_eE@pengutronix.de> (raw)
In-Reply-To: <20260416153455.2630276-1-a.fatoum@pengutronix.de>

On Thu, Apr 16, 2026 at 05:34:37PM +0200, Ahmad Fatoum wrote:
> With manually written ITS, it's easy to omit signing some of the images.
> This flew under the radar so far, but with v2026.03.0 (or v2025.09.3),
> this will lead to verification failure.
> 
> The security advisory has been updated, but it's nonetheless worth an
> addition to the migration guide.
> 
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
> v1 -> v2:
>   - add same notice for v2025.09.3 as well
> ---
>  .../migration-guides/migration-2025.09.3.rst  | 21 +++++++++++++++++++
>  .../migration-guides/migration-2026.03.0.rst  | 19 +++++++++++++++++
>  2 files changed, 40 insertions(+)
>  create mode 100644 Documentation/migration-guides/migration-2025.09.3.rst
> 
> diff --git a/Documentation/migration-guides/migration-2025.09.3.rst b/Documentation/migration-guides/migration-2025.09.3.rst
> new file mode 100644
> index 000000000000..7fbea78a46d0
> --- /dev/null
> +++ b/Documentation/migration-guides/migration-2025.09.3.rst
> @@ -0,0 +1,21 @@
> +Release v2025.09.3
> +==================
> +
> +FIT Images
> +----------
> +
> +The fix for `CVE-2026-33243 <https://nvd.nist.gov/vuln/detail/CVE-2026-33243>`_
> +has the side effect that barebox after v2026.03.0 will not boot a signed

Shouldn't we mention the corresponding stable versions here?

> +configuration that excludes some images from the signature.
> +
> +Previously, it was possible to generate readily exploitable FIT images
> +by omitting them from ``sign-images`` in the ITS.
> +
> +If a FIT fails to boot with **v2026.03.1**, when it succesfully booted
> +v2026.02.0 or earlier, it's likely that it was vulnerable even without

and here?

Sascha

> +knowledge of CVE-2026-33243.
> +
> +Recommendation is to not write FIT ITS manually, but to use higher level
> +tooling that generates the ITS and feeds it to ``mkimage(1)``.
> +
> +For more details, refer to the `security advisory <https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4>`_.
> diff --git a/Documentation/migration-guides/migration-2026.03.0.rst b/Documentation/migration-guides/migration-2026.03.0.rst
> index 1bd06ac7b743..f23001886b8b 100644
> --- a/Documentation/migration-guides/migration-2026.03.0.rst
> +++ b/Documentation/migration-guides/migration-2026.03.0.rst
> @@ -8,3 +8,22 @@ On NXP i.MX8MP the SoC UID was read out wrong. It really is 128bit from which
>  barebox only read 64bit. barebox now does it correctly, but rolled out devices
>  might depend on the SoC UID being constant. In that case
>  CONFIG_ARCH_IMX8MP_KEEP_COMPATIBLE_SOC_UID should be enabled.
> +
> +FIT Images
> +----------
> +
> +The fix for `CVE-2026-33243 <https://nvd.nist.gov/vuln/detail/CVE-2026-33243>`_
> +has the side effect that barebox after v2026.03.0 will not boot a signed
> +configuration that excludes some images from the signature.
> +
> +Previously, it was possible to generate readily exploitable FIT images
> +by omitting them from ``sign-images`` in the ITS.
> +
> +If a FIT fails to boot with **v2026.03.1**, when it succesfully booted
> +v2026.02.0 or earlier, it's likely that it was vulnerable even without
> +knowledge of CVE-2026-33243.
> +
> +Recommendation is to not write FIT ITS manually, but to use higher level
> +tooling that generates the ITS and feeds it to ``mkimage(1)``.
> +
> +For more details, refer to the `security advisory <https://github.com/barebox/barebox/security/advisories/GHSA-3fvj-q26p-j6h4>`_.
> -- 
> 2.47.3
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

     prev parent reply	other threads:[~2026-04-17  9:14 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-16 15:34 Ahmad Fatoum
2026-04-17  9:14 ` Sascha Hauer [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aeH53Z0JFPsKA_eE@pengutronix.de \
    --to=s.hauer@pengutronix.de \
    --cc=a.fatoum@pengutronix.de \
    --cc=barebox@lists.infradead.org \
    --cc=str@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox