[U-Boot] Password protection of U-Boot command line
Marek Vasut
marek.vasut at gmail.com
Fri Feb 10 13:30:13 CET 2012
> Hi Wolfgang,
>
> On 02/10/2012 10:38 PM, Wolfgang Denk wrote:
> > Dear Graeme Russ,
> >
> > In message
<CALButCLT2o=7QO4GbM0M5Tp3BYXPCpqr7Sx6WYH09JKcUdMFSA at mail.gmail.com> you wrote:
> >> As an adjunct to a recent discussion, I wonder if there would be much
> >> point in password protecting access to the U-Boot command line. The
> >> password could be saved in an environment variable as an MD-5 or SHA-256
> >> hash.
> >
> > We already have such protection, even if it's very simplistic: see
> > doc/README.autoboot (search for CONFIG_AUTOBOOT_DELAY_STR,
> > CONFIG_AUTOBOOT_STOP_STR resp. "bootdelaykey" and "bootstopkey").
>
> OK, so the thought of protecting the shell with a password has already
> happened...But the implementation is to hard-code the password in the
> U-Boot image or to have it unencrypted in the environment
>
> I think we can agree that there is room for improvement :)
>
> >> But I wonder if:
> >> a) It's worth it, and;
> >> b) If it would be secure anyway...
> >>
> >> When U-Boot environment editing tools available in the host OS, it would
> >> be fairly trivial to overwrite the password variable - Unless, of
> >> course, the host OS did not support that functionality.
> >>
> >> This feature may be usefull for devices where every part of the system
> >> must be tightly controlled (medical devices, voting machines etc)
> >
> > Well, in such devices you will typically disable interactive access at
> > all.
>
> Yes, but if you don't allow setting of environment variables from the host
> OS, how can you change the settings if you need to
You usually don't want to frob with ie. CPU speed of your Xray :-D
M
>
> Sounds like it's not a 'completely ruled out' idea...
>
> Regards,
>
> Graeme
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> http://lists.denx.de/mailman/listinfo/u-boot
More information about the U-Boot
mailing list