[U-Boot] Password protection of U-Boot command line

Wolfgang Denk wd at denx.de
Fri Feb 10 12:38:38 CET 2012


Dear Graeme Russ,

In message <CALButCLT2o=7QO4GbM0M5Tp3BYXPCpqr7Sx6WYH09JKcUdMFSA at mail.gmail.com> you wrote:
> 
> As an adjunct to a recent discussion, I wonder if there would be much
> point in password protecting access to the U-Boot command line. The
> password could be saved in an environment variable as an MD-5 or SHA-256
> hash.

We already have such protection, even if it's very simplistic: see
doc/README.autoboot (search for CONFIG_AUTOBOOT_DELAY_STR,
CONFIG_AUTOBOOT_STOP_STR resp. "bootdelaykey" and "bootstopkey").

> But I wonder if:
> 
>  a) It's worth it, and;
>  b) If it would be secure anyway...
> 
> When U-Boot environment editing tools available in the host OS, it would
> be fairly trivial to overwrite the password variable - Unless, of course,
> the host OS did not support that functionality.
> 
> This feature may be usefull for devices where every part of the system
> must be tightly controlled (medical devices, voting machines etc)

Well, in such devices you will typically disable interactive access at
all.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
Extended Epstein-Heisenberg Principle: In an R & D orbit, only  2  of
the  existing 3 parameters can be defined simultaneously. The parame-
ters are: task, time and resources ($).


More information about the U-Boot mailing list