group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1831942] Re: u-boot Flat Image Tree (FIT) signing support

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1831942@xxxxxxxxxxxxxxxxxx>
Date: Thu, 28 Jan 2021 16:48:32 -0000
Reply-to: Bug 1831942 <1831942@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package u-boot - 2020.10+dfsg-1ubuntu0~20.10.1

---------------
u-boot (2020.10+dfsg-1ubuntu0~20.10.1) groovy; urgency=medium

  * SRU of changes through to 2020.10+dfsg-1ubuntu6 to fix Pi4-8GB & CM4 support,
    and add support for risc-v unleashed board:

  [ Dave Jones ]
  * Add d/p/rpi-8gb-pci.patch for Pi400 and Pi4-8Gb support (LP: #1906552)
  * Add d/p/rpi-cm4-sdhci.patch for CM4 eMMC support
  * Add d/p/rpi-maxargs.patch for new Core 18 boot-env (LP: #1910094)
  * Remove redundant d/targets entries

  [ Dimitri John Ledkov ]
  * Enable u-boot spl for unleashed. LP: #1905274

u-boot (2020.10+dfsg-1ubuntu0~20.10) groovy; urgency=low

  * SRU of 2020.10+dfsg-1 to support Raspberry Pi 4 ethernet (LP:
#1903054)

  [ Dave Jones ]
  * Merge from Debian unstable.  Remaining changes:
    - Enable Ubuntu support for the Nitrogen6x board (LP: #1838064)
      - Add d/p/ubuntu-nitrogen6q2g-config-tweaks.patch to tweak the
        nitrogen6q2g configs to better fit our Ubuntu usage.
      - Start building the nitrogen6x2g target for u-boot.
    - Enable FIT signing support (LP: #1831942)
      - Enable CONFIG_FIT_SIGNATURE so we can sign FIT images.
      - Add libssl-dev to Build-Depends: to enable crypto functionality.
      - Limit key names to keys within the keydir.
    - d/p/rpi-config-tweaks.patch: Configuration adjustments to the RPi
      configs
    - d/p/rpi-board-dt.patch: use the board's device-tree instead of an
      embedded one

  * Removed obsolete patches/changes:
    - d/p/lzo-to-lzno.patch: use gzip instead of lzo compression for FIT
      images as lzop in Ubuntu is in universe. This should be temporary and in
      the next releases ideally we should follow what Debian does.

u-boot (2020.10+dfsg-1) unstable; urgency=medium

  * New upstream release.

u-boot (2020.10~rc5+dfsg-1) experimental; urgency=medium

  [ Vagrant Cascadian ]
  * New upstream release candidate.
  * debian/control: u-boot-qemu: Set Multi-Arch: foreign.

  [ Uwe Kleine-König ]
  * control: Use https for upstream homepage

u-boot (2020.10~rc3+dfsg-1) experimental; urgency=medium

  * New upstream release candidate.
  * debian/patches: Refresh and remove obsolete patches.
  * [armhf] u-boot-sunxi: Add Bananapi_M2_Ultra (Closes: #962931). Thanks
    to Bernhard Wörner.
  * [arm64] u-boot-rockchip: Update rock-pi-4 .dtb names.
  * u-boot-qemu: Build firmware for qemu ppc e500 (Closes: #966624).

u-boot (2020.07+dfsg-2) unstable; urgency=medium

  [ Vagrant Cascadian ]
  * u-boot-install-rockchip: Update with additional RockPro64 names from
    linux 5.7 device-trees.

  [ Denis Pynkin ]
  * u-boot-rpi: Add rpi_arm64 target for arm64 (Closes: #966078).

  [ Vagrant Cascadian ]
  * debian/patches: Fix reproducibility of mx6cuboxi target.

u-boot (2020.07+dfsg-1) unstable; urgency=medium

  * New upstream release.
  * [armhf] u-boot-omap: Drop omap3_pandora, removed upstream.
  * [arm64] u-boot-amlogic: Install new board-specific documentation.
  * debian/patches: Fix riscv64 support for extlinux.
  * debian/control:
    - Upgrade to debhelper compat 13.
    - Update Build-Depends on arm-trusted-firmware.

u-boot (2020.07~rc4+dfsg-1) experimental; urgency=medium

  * New upstream release candidate.
  * debian/patches:
    - Remove pinebook-pro patches, applied upstream.
    - Remove riscv64 patches, applied upstream.
  * u-boot-rockchip: Update puma-rk3399 to include new
    rk3399-puma-haikou.dtb file.
  * Update lintian overrides to use "shared-library-lacks-prerequisites"
    instead of older tag name.

u-boot (2020.07~rc3+dfsg-1) experimental; urgency=medium

  [ Andreas Henriksson ]
  * u-boot-rpi: Enable rpi4 target on armhf and arm64 (Closes: #958668)

  [ Vagrant Cascadian ]
  * New upstream release candidate.
  * debian/patches: Refresh n900 patch.

u-boot (2020.07~rc2+dfsg-1) experimental; urgency=medium

  * New upstream release candidate.
  * debian/patches: Refresh.

 -- Dimitri John Ledkov <xnox@xxxxxxxxxx>  Fri, 08 Jan 2021 14:32:32
+0000

** Changed in: u-boot (Ubuntu Groovy)
       Status: Fix Committed => Fix Released

** Changed in: u-boot (Ubuntu Focal)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-8432

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1831942

Title:
  u-boot Flat Image Tree (FIT) signing support

Status in Launchpad itself:
  Fix Released
Status in u-boot package in Ubuntu:
  Fix Released
Status in u-boot source package in Xenial:
  Fix Released
Status in u-boot source package in Bionic:
  Fix Committed
Status in u-boot source package in Cosmic:
  Fix Released
Status in u-boot source package in Disco:
  Fix Released
Status in u-boot source package in Eoan:
  Fix Released
Status in u-boot source package in Focal:
  Fix Released
Status in u-boot source package in Groovy:
  Fix Released

Bug description:
  [Impact] the existing mkimage/dumpimage tools are unable to make or
  dump out the contents of a u-boot FIT image.

  [Test Case] run mkimage with no arguments, note that FIT images and
  signing are shown as disabled.  Install the updated version and note
  that FIT images and signing are now shown as enabled.  Run the
  attached TEST-FIT script which will put together a sample image,
  generate some keys, and sign the resulting image contents.  You will
  see "kernel.img: Device Tree Blob version 17,..." if the image is
  created and you will see dumpimage output showing it is not yet signed
  (Sign value: unavailable).  The signatures will then be applied and
  the image redumped and you will see it is now signed (Sign value:
  <hex>).

  [Regression Potential] though this changes the u-boot boot loader
  package, only the build of the u-boot-utils package contents is
  modified.  This primarily enabled FIT_SIGNATURE support in the
  configuration before building those tools.  The majority of the tools
  we ship do not have configuration support even and so should not be
  affected.  mkimage et al are not normally used during a
  kernel/bootloader update and so the risk to a pre-installed system
  should be low.  There is slightly higher risk in the xenial changes as
  the enablement has enabled some additional tool builds, but none of
  those are shipped in the resulting binaries.

  ===

  We need a mechanism for securely signing Flat Image Tree binaries.
  This will be performed in a similar manner to UEFI signing support via
  a custom binary upload to launchpad.  We will also need a u-boot
  update to enable image creation and signing support in mkimage.

To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1831942/+subscriptions