[U-Boot] Disable command at runtime

Simon Glass sjg at chromium.org
Tue Aug 9 20:20:45 CEST 2016


Hi,

On 29 July 2016 at 07:31, Tom Rini <trini at konsulko.com> wrote:
> On Thu, Jul 28, 2016 at 04:40:29AM -0700, kubiznak.petr wrote:
>
>> Hello,
>>
>> I wonder whether it is possible to dynamically enable/disable a command.
>> Since u-boot does not provide any secure authentication method, it is
>> dangerous to keep some commands available to a potential hacker. E.g.
>> the "fuse" command. On the other hand, I need these commands during the
>> manufacturing process. So my idea is to enable/disable the commands
>> dynamically based on some obscure logic. Is there a way to do it without
>> needing to deeply hack the code?
>
> Well, there are a few ways to do this. The first way would simply be to
> install a different build of U-Boot onto the board than the one used
> during flashing as part of the manufacturing process.

Also see cli_process_fdt() which allows you to lock out commands using
a device-tree setting. This avoids changing the U-Boot binary - it is
easy enough to update the device tree using fdtput. This is how Chrome
OS did it.

Regards,
Simon

