From: Ahmad Fatoum <a.fat...@barebox.org>

Instead of distributing security-related options and code across lib/,
common/ and crypto/, let's collect them in a new security/ top-level
directory and give it its own top-level menu for visibility.

The new security/ exists alongside crypto/, where the latter is for algorithms
and the former is for concrete implementations like JWT.

Signed-off-by: Ahmad Fatoum <a.fat...@barebox.org>
---
v1 -> v2:
  - move warning about HAS_INSECURE_DEFAULTS to the end
  - drop wrongly squashed SECURITY_POLICY options
  - move blobgen.c
---
 Kconfig                         |   3 +-
 Makefile                        |   2 +-
 common/Kconfig                  | 142 --------------------------
 common/Makefile                 |  24 -----
 crypto/Kconfig                  |  12 ---
 crypto/Makefile                 |   2 -
 lib/Kconfig                     |   6 --
 lib/Kconfig.hardening           |   8 +-
 lib/Makefile                    |   1 -
 security/Kconfig                | 176 ++++++++++++++++++++++++++++++++
 security/Makefile               |  29 ++++++
 {lib => security}/blobgen.c     |   0
 {crypto => security}/jwt.c      |   0
 {crypto => security}/keystore.c |   0
 {common => security}/optee.c    |   0
 {common => security}/password.c |   0
 16 files changed, 210 insertions(+), 195 deletions(-)
 create mode 100644 security/Kconfig
 create mode 100644 security/Makefile
 rename {lib => security}/blobgen.c (100%)
 rename {crypto => security}/jwt.c (100%)
 rename {crypto => security}/keystore.c (100%)
 rename {common => security}/optee.c (100%)
 rename {common => security}/password.c (100%)

diff --git a/Kconfig b/Kconfig
index 9c3a20a9a9a3..db6aad2e4f55 100644
--- a/Kconfig
+++ b/Kconfig
@@ -16,8 +16,9 @@ source "commands/Kconfig"
 source "net/Kconfig"
 source "drivers/Kconfig"
 source "fs/Kconfig"
-source "lib/Kconfig"
+source "security/Kconfig"
 source "crypto/Kconfig"
+source "lib/Kconfig"
 source "firmware/Kconfig"
 source "scripts/Kconfig"
 source "test/Kconfig"
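Review bot: Besides adding `source "security/Kconfig"`, this hunk also moves `source "lib/Kconfig"` below `source "crypto/Kconfig"`, which the commit message does not mention and which is not needed for the new directory. If the intent is that "Security options" should precede the library menus in menuconfig, one sentence in the description would make that explicit; otherwise the new line can simply go above the untouched `source "lib/Kconfig"` so the existing menu order is unchanged.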
diff --git a/Makefile b/Makefile
index 0a3043c6e2a8..836176d541c3 100644
--- a/Makefile
+++ b/Makefile
@@ -664,7 +664,7 @@ endif
 include $(srctree)/scripts/Makefile.lib
 
 # Objects we will link into barebox / subdirs we need to visit
-common-y               := common/ drivers/ commands/ lib/ crypto/ net/ fs/ 
firmware/
+common-y               := common/ drivers/ commands/ lib/ security/ crypto/ 
net/ fs/ firmware/
 
 include $(srctree)/arch/$(SRCARCH)/Makefile
 
diff --git a/common/Kconfig b/common/Kconfig
index b2449207eff9..a8e62600c4ee 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -141,28 +141,6 @@ config LOCALVERSION_AUTO
 
          which is done within the script "scripts/setlocalversion".)
 
-config HAS_INSECURE_DEFAULTS
-       bool
-       help
-         This is selected by options that have potentially insecure defaults.
-         Extra care needs to be taken when these options are not disabled
-         in secure booted systems.
-
-         Any option selecting this should include in its help text
-         an explanation of the security considerations.
-
-config INSECURE
-       bool "enable convenient defaults that are unsuitable for secure-booting 
systems"
-       default y
-       select HAS_INSECURE_DEFAULTS
-       help
-         Say n here when barebox is part of a secure boot chain and you
-         want to disable defaults that may compromise the boot chain.
-
-         This option is a moving target. Currently it:
-
-           - changes the default of global.env.autoprobe to 1
-
 config BANNER
        bool "display banner"
        default y
@@ -535,53 +513,6 @@ config MENU
          a menu framework that allow us to create list menu to simplify
          barebox and make it more user-friendly
 
-config PASSWORD
-       bool
-       prompt "Password Framework"
-       select DIGEST
-       help
-         allow you to have password protection framework
-
-config PASSWORD_DEFAULT
-       string
-       prompt "Password default file"
-       depends on PASSWORD
-       help
-         Set this to a file which is used as default password file. This file
-         has to contain the passwd encoded with the selected password digest.
-         i.e.:
-         echo -ne "MyPassword" | md5sum | while read a b; do echo $a > 
passwdfile; done
-
-
-if PASSWORD
-
-choice
-       prompt "passwd checksum"
-
-config PASSWD_SUM_MD5
-       bool "MD5"
-       select DIGEST_MD5_GENERIC
-
-config PASSWD_SUM_SHA1
-       bool "SHA1"
-       select DIGEST_SHA1_GENERIC
-
-config PASSWD_SUM_SHA256
-       bool "SHA256"
-       select DIGEST_SHA256_GENERIC
-
-config PASSWD_SUM_SHA512
-       bool "SHA512"
-       select DIGEST_SHA512_GENERIC
-
-config PASSWD_CRYPTO_PBKDF2
-       bool "PBKDF2"
-       select CRYPTO_PBKDF2
-
-endchoice
-
-endif
-
 config ERRNO_MESSAGES
        bool
        prompt "print error values as text"
@@ -1347,79 +1278,6 @@ config EXTERNAL_DTS_FRAGMENTS
          to add dts fragments from outside the Barebox source tree into the
          Barebox build.
 
-menu "OP-TEE loading"
-
-config HAVE_OPTEE
-       bool
-       help
-         This symbol is selected by configuration where barebox either
-         starts OP-TEE or runs while OP-TEE is running. Actual
-         bidirectional communication with OP-TEE is enabled via
-         CONFIG_OPTEE.
-
-config OPTEE_SIZE
-       hex
-       default 0x02000000
-       prompt "OP-TEE Memory Size"
-       depends on HAVE_OPTEE
-       help
-         Size to reserve in main memory for OP-TEE, including its shared 
memory.
-         Can be larger than the actual size used by OP-TEE, this is used to 
prevent
-         barebox from using or speculating into this area.
-         On i.MX, this should be at least OP-TEE CFG_TZDRAM + CFG_SHMEM_SIZE.
-         The name of the CFG_ options may differ on other platforms.
-
-config OPTEE_SHM_SIZE
-       hex
-       default 0x400000
-       prompt "OP-TEE Shared Memory Size"
-       depends on HAVE_OPTEE
-       help
-         Size to reserve in main memory for static OP-TEE shared memory
-         communication. The OP-TEE shared memory starts directly after
-         the OPTEE TZDRAM region. It should be chosen to be equivalent
-         to CFG_SHMEM_SIZE in OP-TEE.
-
-         This value can be used for fixing up the OP-TEE OF node.
-
-         A shared memory size of 0 means that only dynamic shared memory
-         will be supported for communication with OP-TEE. This is the only
-         mode supported by barebox anyway, but support needs to be enabled
-         in OP-TEE at compile-time.
-
-config BOOTM_OPTEE
-       bool
-       prompt "support booting OP-TEE"
-       depends on BOOTM && ARM32
-       select HAVE_OPTEE
-       select HAS_INSECURE_DEFAULTS
-       help
-         OP-TEE is a trusted execution environment (TEE). With this option
-         enabled barebox supports starting optee_os as part of the bootm 
command.
-         Instead of the kernel bootm starts the optee_os binary which then 
starts
-         the kernel in nonsecure mode. Pass the optee_os binary with the -t 
option
-         or in the global.bootm.tee variable.
-
-         This mode of late loading OP-TEE just before the kernel is deprecated
-         in favor of early loading OP-TEE in the PBL (CONFIG_PBL_OPTEE).
-         Early-loading greatly reduces the attack surface and is the only mode
-         supported outside of ARMv7.
-
-config PBL_OPTEE
-       bool "Enable OP-TEE early start"
-       depends on ARM
-       select HAVE_OPTEE
-       help
-         Allows starting OP-TEE during lowlevel initialization of the PBL.
-         Requires explicit support in the board's lowlevel file (for ARM32)
-         or the generic SoC support (for ARM64).
-
-         OP-TEE versions older than 3.11.0 do not support jumping back from 
OP-TEE
-         to barebox in THUMB2 mode. Make sure you do not compile barebox in 
THUMB2
-         mode for OP-TEE versions older than this.
-
-endmenu
-
 config FILETYPE_STRINGS
        bool "Print file types as strings"
        default y
diff --git a/common/Makefile b/common/Makefile
index 0cead5e8b094..b50b92122293 100644
--- a/common/Makefile
+++ b/common/Makefile
@@ -59,7 +59,6 @@ obj-$(CONFIG_MODULES)         += module.o
 extra-$(CONFIG_MODULES)                += module.lds
 obj-$(CONFIG_OFTREE)           += oftree.o
 obj-$(CONFIG_PARTITION_DISK)   += partitions.o partitions/
-obj-$(CONFIG_PASSWORD)         += password.o
 obj-$(CONFIG_HAS_SCHED)                += sched.o
 obj-$(CONFIG_POLLER)           += poller.o
 obj-$(CONFIG_BTHREAD)          += bthread.o
@@ -83,32 +82,9 @@ obj-$(CONFIG_BOOT)           += boot.o bootscan.o
 obj-$(CONFIG_BOOT_DEFAULTS)    += bootdef.o
 obj-$(CONFIG_SERIAL_DEV_BUS)   += serdev.o
 obj-$(CONFIG_USB_GADGET)       += usbgadget.o
-obj-pbl-$(CONFIG_HAVE_OPTEE)   += optee.o
 obj-$(CONFIG_FASTBOOT_BASE)    += fastboot.o
 obj-$(CONFIG_CDEV_ALIAS)       += cdev-alias.o
 
-ifdef CONFIG_PASSWORD
-
-ifeq ($(CONFIG_PASSWORD_DEFAULT),"")
-define filechk_passwd
-       echo "static const char default_passwd[] = \"\";"
-endef
-else
-define filechk_passwd
-(                                                      \
-echo -n "static const char default_passwd[] = \"";     \
-cat $(shell find $(srctree) -name $(CONFIG_PASSWORD_DEFAULT) -type f) | tr -d 
'\n';\
-echo "\";"                                             \
-)
-endef
-endif
-
-include/generated/passwd.h: FORCE
-       $(call filechk,passwd)
-
-$(obj)/password.o: include/generated/passwd.h
-endif # CONFIG_PASSWORD
-
 # dependencies on generated files need to be listed explicitly
 $(obj)/version.o: include/generated/compile.h
 $(obj)/imd-barebox.o: include/generated/compile.h
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 14728be4aa91..6136c7e8ccfd 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -148,16 +148,4 @@ config CRYPTO_PUBLIC_KEYS
          corresponding value in the environment variable VAR_NAME for both
          public key paths/URIs as well as key name hints.
 
-config CRYPTO_KEYSTORE
-       bool "Keystore"
-       help
-         This is a simple keystore, which can be used to pass keys
-         between several components via simple interface.
-
-config JWT
-       bool "JSON Web Token support" if COMPILE_TEST
-       select JSMN
-       select BASE64
-       select CRYPTO_RSA
-
 endmenu
diff --git a/crypto/Makefile b/crypto/Makefile
index 7148aecb4a8e..76b12bef50e2 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -17,12 +17,10 @@ obj-pbl-y   += memneq.o
 
 obj-$(CONFIG_CRYPTO_PBKDF2)    += pbkdf2.o
 obj-$(CONFIG_CRYPTO_RSA)       += rsa.o
-obj-$(CONFIG_CRYPTO_KEYSTORE)  += keystore.o
 obj-$(CONFIG_CRYPTO_BUILTIN_KEYS)      += public-keys.o
 obj-$(CONFIG_CRYPTO_ECC)       += ecc.o
 obj-$(CONFIG_CRYPTO_ECDSA)     += ecdsa.o
 
-obj-$(CONFIG_JWT)              += jwt.o
 
 extra-$(CONFIG_CRYPTO_BUILTIN_KEYS) += public-keys.h
 
diff --git a/lib/Kconfig b/lib/Kconfig
index 0cb3a136b38e..d07e2f3b6959 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -210,10 +210,6 @@ config GENERIC_LIB_MULDI3
 config NLS
        bool "Native language support"
 
-config BLOBGEN
-       select BASE64
-       bool "include blob encode/decode support"
-
 config GENERIC_ALLOCATOR
        bool
        help
@@ -223,5 +219,3 @@ config IDR
        bool
 
 endmenu
-
-source "lib/Kconfig.hardening"
diff --git a/lib/Kconfig.hardening b/lib/Kconfig.hardening
index d9f6909eca51..3b3ba6267aec 100644
--- a/lib/Kconfig.hardening
+++ b/lib/Kconfig.hardening
@@ -1,10 +1,6 @@
-menu "Hardening options"
+# SPDX-License-Identifier: GPL-2.0
 
-if HAS_INSECURE_DEFAULTS
-comment "This barebox configuration has CONFIG_HAS_INSECURE_DEFAULTS=y 
indicating"
-comment "that some of the configured options have potentially insecure 
defaults."
-comment "Extra care needs to be taken in secure booted systems."
-endif
+menu "Hardening options"
 
 config BUG_ON_DATA_CORRUPTION
        bool "Trigger a BUG when data corruption is detected"
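Review bot: The added header `# SPDX-License-Identifier: GPL-2.0` uses the deprecated identifier form, whereas the two new files in this patch use `GPL-2.0-only`; for consistency write `# SPDX-License-Identifier: GPL-2.0-only` here. Adding a license tag is also unrelated to the move this commit describes, so it would be cleaner as its own patch or at least called out in the description. The hardening options themselves continue below the hunk and are unchanged.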
diff --git a/lib/Makefile b/lib/Makefile
index e95c91d5c211..9592ccb68312 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -24,7 +24,6 @@ obj-y                 += libbb.o
 obj-y                  += libgen.o
 obj-$(CONFIG_FIP)      += fip.o tbbr_config.o
 obj-$(CONFIG_JSMN)     += jsmn.o
-obj-$(CONFIG_BLOBGEN)  += blobgen.o
 obj-y                  += stringlist.o
 obj-y                  += scatterlist.o
 obj-y                  += cmdlinepart.o
diff --git a/security/Kconfig b/security/Kconfig
new file mode 100644
index 000000000000..95c062201acf
--- /dev/null
+++ b/security/Kconfig
@@ -0,0 +1,176 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Security configuration
+#
+
+menu "Security options"
+
+config INSECURE
+       bool "enable convenient defaults that are unsuitable for secure-booting 
systems"
+       default y
+       select HAS_INSECURE_DEFAULTS
+       help
+         Say n here when barebox is part of a secure boot chain and you
+         want to disable defaults that may compromise the boot chain.
+
+         This option is a moving target. Currently it:
+
+           - changes the default of global.env.autoprobe to 1
+
+config PASSWORD
+       bool
+       prompt "Password Framework"
+       select DIGEST
+       help
+         allow you to have password protection framework
+
+config PASSWORD_DEFAULT
+       string
+       prompt "Password default file"
+       depends on PASSWORD
+       help
+         Set this to a file which is used as default password file. This file
+         has to contain the passwd encoded with the selected password digest.
+         i.e.:
+         echo -ne "MyPassword" | md5sum | while read a b; do echo $a > 
passwdfile; done
+
+
+if PASSWORD
+
+choice
+       prompt "passwd checksum"
+
+config PASSWD_SUM_MD5
+       bool "MD5"
+       select DIGEST_MD5_GENERIC
+
+config PASSWD_SUM_SHA1
+       bool "SHA1"
+       select DIGEST_SHA1_GENERIC
+
+config PASSWD_SUM_SHA256
+       bool "SHA256"
+       select DIGEST_SHA256_GENERIC
+
+config PASSWD_SUM_SHA512
+       bool "SHA512"
+       select DIGEST_SHA512_GENERIC
+
+config PASSWD_CRYPTO_PBKDF2
+       bool "PBKDF2"
+       select CRYPTO_PBKDF2
+
+endchoice
+
+endif
+
+
+config CRYPTO_KEYSTORE
+       bool "Keystore"
+       help
+         This is a simple keystore, which can be used to pass keys
+         between several components via simple interface.
+
+config BLOBGEN
+       select BASE64
+       bool "include blob encode/decode support"
+
+config JWT
+       bool "JSON Web Token support" if COMPILE_TEST
+       select JSMN
+       select BASE64
+       select CRYPTO_RSA
+
+menu "OP-TEE loading"
+
+config HAVE_OPTEE
+       bool
+       help
+         This symbol is selected by configuration where barebox either
+         starts OP-TEE or runs while OP-TEE is running. Actual
+         bidirectional communication with OP-TEE is enabled via
+         CONFIG_OPTEE.
+
+config OPTEE_SIZE
+       hex
+       default 0x02000000
+       prompt "OP-TEE Memory Size"
+       depends on HAVE_OPTEE
+       help
+         Size to reserve in main memory for OP-TEE, including its shared 
memory.
+         Can be larger than the actual size used by OP-TEE, this is used to 
prevent
+         barebox from using or speculating into this area.
+         On i.MX, this should be at least OP-TEE CFG_TZDRAM + CFG_SHMEM_SIZE.
+         The name of the CFG_ options may differ on other platforms.
+
+config OPTEE_SHM_SIZE
+       hex
+       default 0x400000
+       prompt "OP-TEE Shared Memory Size"
+       depends on HAVE_OPTEE
+       help
+         Size to reserve in main memory for static OP-TEE shared memory
+         communication. The OP-TEE shared memory starts directly after
+         the OPTEE TZDRAM region. It should be chosen to be equivalent
+         to CFG_SHMEM_SIZE in OP-TEE.
+
+         This value can be used for fixing up the OP-TEE OF node.
+
+         A shared memory size of 0 means that only dynamic shared memory
+         will be supported for communication with OP-TEE. This is the only
+         mode supported by barebox anyway, but support needs to be enabled
+         in OP-TEE at compile-time.
+
+config BOOTM_OPTEE
+       bool
+       prompt "support booting OP-TEE"
+       depends on BOOTM && ARM32
+       select HAVE_OPTEE
+       select HAS_INSECURE_DEFAULTS
+       help
+         OP-TEE is a trusted execution environment (TEE). With this option
+         enabled barebox supports starting optee_os as part of the bootm 
command.
+         Instead of the kernel bootm starts the optee_os binary which then 
starts
+         the kernel in nonsecure mode. Pass the optee_os binary with the -t 
option
+         or in the global.bootm.tee variable.
+
+         This mode of late loading OP-TEE just before the kernel is deprecated
+         in favor of early loading OP-TEE in the PBL (CONFIG_PBL_OPTEE).
+         Early-loading greatly reduces the attack surface and is the only mode
+         supported outside of ARMv7.
+
+config PBL_OPTEE
+       bool "Enable OP-TEE early start"
+       depends on ARM
+       select HAVE_OPTEE
+       help
+         Allows starting OP-TEE during lowlevel initialization of the PBL.
+         Requires explicit support in the board's lowlevel file (for ARM32)
+         or the generic SoC support (for ARM64).
+
+         OP-TEE versions older than 3.11.0 do not support jumping back from 
OP-TEE
+         to barebox in THUMB2 mode. Make sure you do not compile barebox in 
THUMB2
+         mode for OP-TEE versions older than this.
+
+endmenu
+
+source "lib/Kconfig.hardening"
+
+config HAS_INSECURE_DEFAULTS
+       bool
+       help
+         This is selected by options that have potentially insecure defaults.
+         Extra care needs to be taken when these options are not disabled
+         in secure booted systems.
+
+         Any option selecting this should include in its help text
+         an explanation of the security considerations.
+
+if HAS_INSECURE_DEFAULTS
+comment "This barebox configuration has CONFIG_HAS_INSECURE_DEFAULTS=y 
indicating"
+comment "that some of the configured options have potentially insecure 
defaults."
+comment "Extra care needs to be taken in secure booted systems."
+endif
+
+
+endmenu
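Review bot: The PASSWORD_DEFAULT help text still hard-codes `md5sum` in its only example, although the "passwd checksum" choice directly below offers SHA-256, SHA-512 and PBKDF2; now that this lives in the security menu, the example should follow the selected digest, e.g. `echo -ne "MyPassword" | sha256sum | while read a b; do echo $a > passwdfile; done` when PASSWD_SUM_SHA256 is chosen (presumably the same hex-digest layout applies; confirm against password.c). BLOBGEN and JWT carry no help text at all, so a reader of the new menu cannot tell what either enables or why JWT is prompted only under COMPILE_TEST. All of this is moved verbatim from common/Kconfig, lib/Kconfig and crypto/Kconfig, so it could be a follow-up patch rather than part of the move.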
diff --git a/security/Makefile b/security/Makefile
new file mode 100644
index 000000000000..de9778620d28
--- /dev/null
+++ b/security/Makefile
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+obj-$(CONFIG_CRYPTO_KEYSTORE)  += keystore.o
+obj-$(CONFIG_JWT)              += jwt.o
+obj-pbl-$(CONFIG_HAVE_OPTEE)   += optee.o
+obj-$(CONFIG_BLOBGEN)          += blobgen.o
+obj-$(CONFIG_PASSWORD)         += password.o
+
+ifdef CONFIG_PASSWORD
+
+ifeq ($(CONFIG_PASSWORD_DEFAULT),"")
+define filechk_passwd
+       echo "static const char default_passwd[] = \"\";"
+endef
+else
+define filechk_passwd
+(                                                      \
+echo -n "static const char default_passwd[] = \"";     \
+cat $(shell find $(srctree) -name $(CONFIG_PASSWORD_DEFAULT) -type f) | tr -d 
'\n';\
+echo "\";"                                             \
+)
+endef
+endif
+
+include/generated/passwd.h: FORCE
+       $(call filechk,passwd)
+
+$(obj)/password.o: include/generated/passwd.h
+endif # CONFIG_PASSWORD
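Review bot: In the non-empty branch of `filechk_passwd`, `cat $(shell find $(srctree) -name $(CONFIG_PASSWORD_DEFAULT) -type f)` has no guard on the number of matches: with no match `cat` is invoked without arguments and reads stdin, and with several same-named files below the tree their contents are concatenated into one default password, so a wrong or ambiguous file name produces a silently different credential instead of a build error. Resolving the path once and failing with `$(error …)` unless exactly one file is found makes the generated header deterministic. The recipe is moved verbatim from common/Makefile, so this can be a follow-up; `filechk` and `FORCE` come from the kbuild infrastructure outside this patch.

```make
else
# Resolve the password file once; refuse to build on zero or multiple matches
# rather than letting `cat` read stdin or concatenate several files.
passwd_file := $(shell find $(srctree) -name $(CONFIG_PASSWORD_DEFAULT) -type f)
ifneq ($(words $(passwd_file)),1)
$(error CONFIG_PASSWORD_DEFAULT=$(CONFIG_PASSWORD_DEFAULT) must match exactly one file below $(srctree), got: "$(passwd_file)")
endif
define filechk_passwd
(                                                      \
echo -n "static const char default_passwd[] = \"";     \
cat $(passwd_file) | tr -d '\n';                       \
echo "\";"                                             \
)
endef
endif
# … unchanged: include/generated/passwd.h rule and password.o dependency …
```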
diff --git a/lib/blobgen.c b/security/blobgen.c
similarity index 100%
rename from lib/blobgen.c
rename to security/blobgen.c
diff --git a/crypto/jwt.c b/security/jwt.c
similarity index 100%
rename from crypto/jwt.c
rename to security/jwt.c
diff --git a/crypto/keystore.c b/security/keystore.c
similarity index 100%
rename from crypto/keystore.c
rename to security/keystore.c
diff --git a/common/optee.c b/security/optee.c
similarity index 100%
rename from common/optee.c
rename to security/optee.c
diff --git a/common/password.c b/security/password.c
similarity index 100%
rename from common/password.c
rename to security/password.c
-- 
2.39.5

