Security policies are a mechanism for barebox to prevent, when so
desired, security relevant code from being executed.
Security policies are controlled via a second Kconfig menu structure
(called Sconfig) which collects security relevant options.
While the normal Kconfig menu structure is about feature support
enabled at compile time, a security policy determines whether a
feature is allowed or prohibited at runtime with an explicit focus
on security.
Except for a security policy's name, all security options are
boolean and control whether a built-in feature is allowed:
config FASTBOOT_CMD_BASE
bool
prompt "Allow fastboot flash/erase commands"
depends on $(kconfig-enabled,FASTBOOT_BASE)
help
This option enables the fastboot "flash" and "erase" commands.
The depends directive ensures the option is hidden when Fastboot support
isn't compiled in anyway. Otherwise, enabling the option should permit
normal operation as if the security policy support was disabled.
Disabling the option, will have the relevant functions return early,
often with a permission denied error.
Checking the state of a security config option is done with the
IS_ALLOWED macro. The macro evaluates to true if the option is
defined and enabled in the active security policy and false otherwise.
A partial manipulation of the active security policy is not desirable
as it makes security posture at runtime harder to reason about.
It's expected that boards will define a fixed set of policies,
e.g. devel, factory, lockdown and then consult eFuses or JSON web tokens
to determine which policy is to be applied.
Some precautions have been made to make sure the security policies have
been reviewed and changes to the security options do not go through
unnoticed during barebox updates: Automatic config updates are
prohibited, so if new options are not present or the other way round,
the build will just fail. The user is expected to run e.g.
make security_olddefconfig to explicitly sync the configuration and
commit the changes.
Changes in v1:
- Link to RFC:
https://lore.kernel.org/all/20250814130702.4039241-1-a.fat...@pengutronix.de/
- Add more actual security policies
- Fix some typos in Documentation
- Catch invalid policy names in sconfig command
Signed-off-by: Sascha Hauer <s.ha...@pengutronix.de>
---
Ahmad Fatoum (16):
kconfig: allow setting CONFIG_ from the outside
scripts: include scripts/include for all host tools
kbuild: implement loopable loop_cmd
Add security policy support
kbuild: allow security config use without source tree modification
defaultenv: update PS1 according to security policy
security: policy: support externally provided configs
docs: security-policies: add documentation
commands: go: add security config option
console: ratp: add security config option
bootm: support calling bootm_optional_signed_images at any time
bootm: make unsigned image support runtime configurable
ARM: configs: add virt32_secure_defconfig
boards: qemu-virt: add security policies
boards: qemu-virt: allow setting policy from command line
test: py: add basic security policy test
Sascha Hauer (8):
commands: implement sconfig command
usbserial: add inline wrappers
security: usbgadget: add usbgadget security policy
security: fastboot: add security policy for fastboot oem
security: shell: add policy for executing the shell
security: add security policy for loading barebox environment
security: add filesystem security policies
security: console: add security policy for console input
.gitignore | 4 +
Documentation/devel/devel.rst | 1 +
Documentation/devel/security-policies.rst | 96 ++++
Documentation/user/defaultenv-2.rst | 2 +
Documentation/user/security-policies.rst | 121 +++++
Documentation/user/user-manual.rst | 1 +
Makefile | 81 +++-
Sconfig | 11 +
arch/arm/configs/virt32_secure_defconfig | 302 ++++++++++++
commands/Kconfig | 23 +
commands/Makefile | 1 +
commands/Sconfig | 12 +
commands/go.c | 4 +
commands/sconfig.c | 227 +++++++++
common/Kconfig | 5 +
common/Sconfig | 63 +++
common/boards/qemu-virt/Makefile | 5 +-
common/boards/qemu-virt/board.c | 11 +
common/boards/qemu-virt/commandline.c | 74 +++
common/boards/qemu-virt/commandline.h | 9 +
common/boards/qemu-virt/qemu-virt-factory.sconfig | 24 +
common/boards/qemu-virt/qemu-virt-lockdown.sconfig | 24 +
common/bootm.c | 58 ++-
common/console.c | 15 +-
common/console_simple.c | 11 +
common/environment.c | 6 +
common/fastboot.c | 6 +
common/hush.c | 13 +
common/parser.c | 7 +
common/ratp/ratp.c | 17 +
common/usbgadget.c | 26 +
defaultenv/Makefile | 1 +
.../defaultenv-2-security-policy/bin/ps1-policy | 20 +
.../defaultenv-2-security-policy/init/ps1-policy | 1 +
.../init/source-colors | 1 +
defaultenv/defaultenv.c | 2 +
drivers/usb/gadget/Sconfig | 11 +
drivers/usb/gadget/composite.c | 4 +
drivers/usb/gadget/legacy/serial.c | 4 +
fs/9p/vfs_super.c | 4 +
fs/Sconfig | 76 +++
fs/cramfs/cramfs.c | 4 +
fs/efi.c | 4 +
fs/efivarfs.c | 4 +
fs/ext4/ext_barebox.c | 5 +
fs/fat/fat.c | 5 +
fs/jffs2/fs.c | 5 +
fs/nfs.c | 6 +
fs/pstore/ram.c | 4 +
fs/qemu_fw_cfg.c | 6 +
fs/smhfs.c | 5 +
fs/squashfs/squashfs.c | 4 +
fs/tftp.c | 6 +
fs/ubifs/ubifs.c | 6 +
fs/ubootvarfs.c | 6 +
fs/uimagefs.c | 4 +
include/linux/usb/usbserial.h | 11 +
include/security/config.h | 76 +++
include/security/defs.h | 22 +
include/security/policy.h | 54 +++
scripts/Kbuild.include | 41 ++
scripts/Makefile | 1 -
scripts/Makefile.build | 18 +-
scripts/Makefile.lib | 47 ++
scripts/Makefile.policy | 43 ++
scripts/Sconfig.include | 6 +
scripts/basic/.gitignore | 1 +
scripts/basic/Makefile | 4 +-
scripts/basic/sconfigpost.c | 540 +++++++++++++++++++++
scripts/include/list.h | 7 +
scripts/kconfig/Makefile | 3 +
scripts/kconfig/list.h | 132 -----
security/Kconfig | 2 +
security/Kconfig.policy | 101 ++++
security/Makefile | 39 ++
security/Sconfig | 42 ++
security/policy.c | 246 ++++++++++
security/qemu-virt-devel.sconfig | 24 +
security/qemu-virt-tamper.sconfig | 24 +
security/sconfig_names.c | 18 +
test/arm/virt32_secure_defconfig.yaml | 22 +
test/py/test_policies.py | 49 ++
82 files changed, 2875 insertions(+), 156 deletions(-)
---
base-commit: 284e9d9c4a7d3037c8cf97acc63c6153a83f8652
change-id: 20250820-security-policies-43f73477d321
Best regards,
--
Sascha Hauer <s.ha...@pengutronix.de>
