[U-Boot] [PATCH 05/10] arm: Add CONFIG_DELAY_ENVIRONMENT to delay environment loading

Simon Glass sjg at chromium.org
Fri Jan 18 14:29:02 CET 2013


Hi Lucas,

On Fri, Jan 18, 2013 at 4:06 AM, Lucas Stach <dev at lynxeye.de> wrote:
> On Thursday, 01.11.2012, 16:42 -0700, Simon Glass wrote:
>> This option delays loading of the environment until later, so that only the
>> default environment will be available to U-Boot.
>>
>> This can address the security risk of untrusted data being used during boot.
>>
>> When CONFIG_DELAY_ENVIRONMENT is defined, it is convenient to have a
>> run-time way of enabling loading of the environment. Add this to the
>> fdt as /config/delay-environment.
>>
> It's really unfortunate to only realize this after the final release of
> v2013.01 as I haven't tested the -rc3, but this breaks environment for
> almost all Tegra boards. I haven't checked all of them, but the ones I
> looked at have CONFIG_OF_CONTROL defined, but no load-environment node
> in the FDT.
>
> So they're all going straight into "secure boot" mode, because of the
> bogus standard value of not allowing env to load, which is probably not
> what most people want.

Hmmm yes I think you are right - the value would be better the other
way around. I will create a patch for this and see what people think.
I have tended to create my own FDT file but I'm sure many will not.

Regards,
Simon

>
> Regards,
> Lucas
>> ---
> [...]
>>  /*
>> - ************************************************************************
>> + * Tell if it's OK to load the environment early in boot.
>> + *
>> + * If CONFIG_OF_CONFIG is defined, we'll check with the FDT to see
>> + * if this is OK (defaulting to saying it's not OK).
>> + *
>> + * NOTE: Loading the environment early can be a bad idea if security is
>> + *       important, since no verification is done on the environment.
>> + *
>> + * @return 0 if environment should not be loaded, !=0 if it is ok to load
>> + */
>> +static int should_load_env(void)
>> +{
>> +#ifdef CONFIG_OF_CONTROL
>> +     return fdtdec_get_config_int(gd->fdt_blob, "load-environment", 0);
>> +#elif defined CONFIG_DELAY_ENVIRONMENT
>> +     return 0;
>> +#else
>> +     return 1;
>> +#endif
>> +}
>> +
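Review bot: In should_load_env(), the CONFIG_OF_CONTROL branch is tested before CONFIG_DELAY_ENVIRONMENT and passes a default of 0 to fdtdec_get_config_int(), so a build with CONFIG_OF_CONTROL and no "load-environment" property stops loading the environment even when CONFIG_DELAY_ENVIRONMENT is not defined. Consider consulting the FDT only when CONFIG_DELAY_ENVIRONMENT is defined, or using a default of 1 for builds that have not opted in, so that refusing to load the environment is an explicit choice per board. Two naming mismatches are also worth fixing: the comment refers to CONFIG_OF_CONFIG while the code tests CONFIG_OF_CONTROL, and the commit message names the property /config/delay-environment while the code reads "load-environment".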
> [...]
>

