On 11.05.26 20:20, James Hilliard wrote:
> Environment callbacks can already be configured from Kconfig with
> CONFIG_ENV_CALLBACK_LIST_STATIC, but static environment flags still
> require board headers to define CFG_ENV_FLAGS_LIST_STATIC.
> 
> Add CONFIG_ENV_FLAGS_LIST_STATIC and use it as the only board-provided
> static environment flags list. Convert the remaining default-config users
> from CFG_ENV_FLAGS_LIST_STATIC to defconfig settings and drop the legacy
> header macro from ENV_FLAGS_LIST_STATIC.
> 
> Move the environment flags format documentation out of README and into
> the developer environment documentation. Include the format in the
> Kconfig help as well.
> 
> This lets boards configure writeable-list policy and type validation
> from defconfig without adding a config header solely for env flags.
> 
> This preserves the behavior of default configs. Header-only cases that
> were inactive in upstream defconfigs are not converted into defconfig
> entries: iot2050 can add its list when enabling ENV_WRITEABLE_LIST, and
> smegw01 can add mmcdev:dw support if the unlocked SYS_BOOT_LOCKED=n
> configuration is needed.
> 
> Signed-off-by: James Hilliard <[email protected]>
> Reviewed-by: Tom Rini <[email protected]>
> Reviewed-by: Simon Glass <[email protected]>
> ---
> Changes v2 -> v3:
>   - Note that inactive header-only iot2050 flags and the smegw01
>     SYS_BOOT_LOCKED=n mmcdev:dw flag are not converted into defconfigs.
> 

Colleagues, you want to keep an eye on this because it could silently
unlock the (downstream) secure boot config profile [1] on next update.

This makes me wonder if U-Boot shouldn't carry such profiles as well,
either in the form of a generic Kconfig switch or some defconfig variants.
It's a very common pattern to shoot yourself in the foot while trying
to lock down the typical try-out upstream defconfigs for secure boot.

Jan

[1]
https://github.com/siemens/meta-iot2050/blob/master/meta/recipes-bsp/u-boot/files/secure-boot.cfg

-- 
Siemens AG, Foundational Technologies
Linux Expert Center
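
A post-build check for the concern raised in the reply above, as an added example that is not part of the original thread and not code from U-Boot or meta-iot2050: it fails when the final .config no longer carries the writeable-list policy or the flag entries a lockdown profile relies on. The function names and the example_a/example_b entries are constructed for illustration; only the two CONFIG_ symbol names come from the patch description.

```shell
#!/bin/sh
# Added example: verify a built U-Boot .config still carries the env lockdown.
# Usage after sourcing: check_env_lockdown <path-to-.config> <expected-entries>

# Print the value of one CONFIG_ symbol from a .config file, quotes stripped.
# Prints nothing for "# CONFIG_FOO is not set" or a missing symbol.
kconfig_get() {
    # $1 = .config path, $2 = symbol name
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"$//'
}

# Return 0 when CONFIG_ENV_WRITEABLE_LIST=y and CONFIG_ENV_FLAGS_LIST_STATIC
# contains every expected "var:flags" entry; otherwise print why and return 1.
check_env_lockdown() {
    # $1 = .config path, $2 = comma-separated entries the profile relies on
    cfg=$1
    expected=$2
    if [ "$(kconfig_get "$cfg" CONFIG_ENV_WRITEABLE_LIST)" != "y" ]; then
        echo "CONFIG_ENV_WRITEABLE_LIST is not enabled"
        return 1
    fi
    list=$(kconfig_get "$cfg" CONFIG_ENV_FLAGS_LIST_STATIC)
    if [ -z "$list" ]; then
        echo "CONFIG_ENV_FLAGS_LIST_STATIC is empty or unset"
        return 1
    fi
    # Compare entry by entry so a reordered list still passes.
    old_ifs=$IFS
    IFS=,
    for entry in $expected; do
        case ",$list," in
            *",$entry,"*) ;;
            *)
                IFS=$old_ifs
                echo "missing entry: $entry"
                return 1
                ;;
        esac
    done
    IFS=$old_ifs
    return 0
}
```

Run it in the image build after U-Boot's configuration step, with the expected entries taken from the profile being protected, so a list that silently disappears on an update fails the build.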
