Hi Claudius, > Hi Lukasz, > > On 07/09/2019 00.23, Lukasz Majewski wrote: > > Hi Claudius, > > > >> Hi, > >> > >> I am currently looking into variable flags in order to make some > >> variables read-only for secure boot. > >> > >> The idea is that the u-boot binary is signed, while the environment > >> file/partition is not. So the built-in default environment of > >> u-boot can be trusted, while the external environment cannot. The > >> assumption is that those flags can be used to customize the > >> validation when the external environment is loaded or > >> scripts/commands are executed. > >> > >> From the '/README' I gather that the access attributes can be any > >> of "any", "read-only", "write-once" or "change-default". > >> > >> I first tried to restrict the variables by choosing 'read-only', > >> but apparently this applies to the internal environment as well, > >> and now those variables are not loaded from the internal > >> environment. > >> > >> Then I tried 'write-once', this worked now as expected from within > >> u-boot, but I could modify the environment from the linux userspace > >> via fw_setenv and those changes appear in u-boot as well. The same > >> for 'change-default'. > >> > >> Is there another way to fill the internal environment variable hash > >> table, so that 'read-only' works as expected? > >> > >> Heiko wrote some patches that change the behavior of the > >> environment loading so that the internal environment is loaded > >> first before the external environment. This way 'write-once' > >> should work as expected, but I think 'read-only' should work that > >> way already and we are missing something here. > > > > I think that Wolfgang had a long discussion with Takahiro AKASHI > > (both CC'ed) about similar problem with u-boot envs. > > Were there any conclusions here?
I don't know if there was any conclusion (or patches). > > For me this 'flags' feature looks more and more like its was not build > to save guard the loading from unsigned and untrusted external > environments. I think what we would need here is some sort of variable > whitelist with some additional checks (type and size), but still allow > the u-boot scripts and commands to modify the variables in the hash > table (for filesize, ipaddr etc.) at boot time. Maybe Takahiro could shed some light on his work and you could discuss if your both work could be aligned? > > regards, > Claudius > > > > > For example: > > https://patchwork.ozlabs.org/patch/1158770/ > > > >> > >> Thanks, > >> Claudius > >> > > > > > > > > Best regards, > > > > Lukasz Majewski > > > > -- > > > > DENX Software Engineering GmbH, Managing Director: Wolfgang > > Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, > > Germany Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: > > lu...@denx.de > Best regards, Lukasz Majewski -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lu...@denx.de
pgpBTPVlKAXtN.pgp
Description: OpenPGP digital signature
_______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot