[U-Boot] [PATCH v2] autoboot.c: Add feature to stop autobooting via SHA256 encrypted password
Stefan Roese
sr at denx.de
Thu Mar 12 11:10:35 CET 2015
This patch adds the feature to only stop the autobooting, and therefor
boot into the U-Boot prompt, when the input string / password matches
a values that is encypted via a SHA256 hash and saved in the environment.
This feature is enabled by defined these config options:
CONFIG_AUTOBOOT_KEYED
CONFIG_AUTOBOOT_STOP_STR_SHA256
Signed-off-by: Stefan Roese <sr at denx.de>
Cc: Tom Rini <trini at konsulko.com>
---
v2:
- Extracted the passwd checking functions (sha256 and non-sha256)
into passwd_abort(). Resulting in an easier to read code with
less #ifdef's.
common/autoboot.c | 90 +++++++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 74 insertions(+), 16 deletions(-)
diff --git a/common/autoboot.c b/common/autoboot.c
index c27cc2c..def1612 100644
--- a/common/autoboot.c
+++ b/common/autoboot.c
@@ -12,6 +12,7 @@
#include <fdtdec.h>
#include <menu.h>
#include <post.h>
+#include <u-boot/sha256.h>
DECLARE_GLOBAL_DATA_PTR;
@@ -26,15 +27,58 @@ DECLARE_GLOBAL_DATA_PTR;
/* Stored value of bootdelay, used by autoboot_command() */
static int stored_bootdelay;
-/***************************************************************************
- * Watch for 'delay' seconds for autoboot stop or autoboot delay string.
- * returns: 0 - no key string, allow autoboot 1 - got key string, abort
- */
-# if defined(CONFIG_AUTOBOOT_KEYED)
-static int abortboot_keyed(int bootdelay)
+#if defined(CONFIG_AUTOBOOT_KEYED)
+#if defined(CONFIG_AUTOBOOT_STOP_STR_SHA256)
+static int passwd_abort(uint64_t etime)
+{
+ const char *sha_env_str = getenv("bootstopkeysha256");
+ u8 sha_env[SHA256_SUM_LEN];
+ u8 sha[SHA256_SUM_LEN];
+ char presskey[MAX_DELAY_STOP_STR];
+ u_int presskey_len = 0;
+ int i;
+ int abort = 0;
+
+ if (sha_env_str == NULL)
+ sha_env_str = CONFIG_AUTOBOOT_STOP_STR_SHA256;
+
+ /*
+ * Generate the binary value from the environment hash value
+ * so that we can compare this value with the computed hash
+ * from the user input
+ */
+ for (i = 0; i < SHA256_SUM_LEN; i++) {
+ char chr[3];
+
+ strncpy(chr, &sha_env_str[i * 2], 2);
+ sha_env[i] = simple_strtoul(chr, NULL, 16);
+ }
+
+ /*
+ * We don't know how long the stop-string is, so we need to
+ * generate the sha256 hash upon each input character and
+ * compare the value with the one saved in the environment
+ */
+ do {
+ if (tstc()) {
+ presskey[presskey_len++] = getc();
+
+ /* Calculate sha256 upon each new char */
+ sha256_csum_wd((unsigned char *)presskey, presskey_len,
+ sha, CHUNKSZ_SHA256);
+
+ /* And check if sha matches saved value in env */
+ if (memcmp(sha, sha_env, SHA256_SUM_LEN) == 0)
+ abort = 1;
+ }
+ } while (!abort && get_ticks() <= etime);
+
+ return abort;
+}
+#else
+static int passwd_abort(uint64_t etime)
{
int abort = 0;
- uint64_t etime = endtick(bootdelay);
struct {
char *str;
u_int len;
@@ -52,15 +96,6 @@ static int abortboot_keyed(int bootdelay)
u_int presskey_max = 0;
u_int i;
-#ifndef CONFIG_ZERO_BOOTDELAY_CHECK
- if (bootdelay == 0)
- return 0;
-#endif
-
-# ifdef CONFIG_AUTOBOOT_PROMPT
- printf(CONFIG_AUTOBOOT_PROMPT);
-# endif
-
# ifdef CONFIG_AUTOBOOT_DELAY_STR
if (delaykey[0].str == NULL)
delaykey[0].str = CONFIG_AUTOBOOT_DELAY_STR;
@@ -125,6 +160,29 @@ static int abortboot_keyed(int bootdelay)
}
} while (!abort && get_ticks() <= etime);
+ return abort;
+}
+#endif
+
+/***************************************************************************
+ * Watch for 'delay' seconds for autoboot stop or autoboot delay string.
+ * returns: 0 - no key string, allow autoboot 1 - got key string, abort
+ */
+static int abortboot_keyed(int bootdelay)
+{
+ int abort;
+ uint64_t etime = endtick(bootdelay);
+
+#ifndef CONFIG_ZERO_BOOTDELAY_CHECK
+ if (bootdelay == 0)
+ return 0;
+#endif
+
+# ifdef CONFIG_AUTOBOOT_PROMPT
+ printf(CONFIG_AUTOBOOT_PROMPT);
+# endif
+
+ abort = passwd_abort(etime);
if (!abort)
debug_bootkeys("key timeout\n");
--
2.3.2
More information about the U-Boot
mailing list