[U-Boot] [PATCH v2 07/18] autoboot: Improve docs for CONFIG_AUTOBOOT_ENCRYPTION
Simon Glass
sjg at chromium.org
Sun Jul 21 02:51:17 UTC 2019
This option is not documented properly at present. Fix it.
Signed-off-by: Simon Glass <sjg at chromium.org>
---
Changes in v2: None
README | 2 ++
cmd/Kconfig | 9 ++++++++-
common/autoboot.c | 16 ++++++++++++++++
doc/README.autoboot | 15 +++++++++++++++
4 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/README b/README
index f513af0b67..a2aaba818d 100644
--- a/README
+++ b/README
@@ -3425,6 +3425,8 @@ List of environment variables (most likely not complete):
allowed for use by the bootm command. See also "bootm_low"
environment variable.
+ bootstopkeysha256, bootdelaykey, bootstopkey - See README.autoboot
+
updatefile - Location of the software update file on a TFTP server, used
by the automatic software update feature. Please refer to
documentation in doc/README.update for more details.
diff --git a/cmd/Kconfig b/cmd/Kconfig
index 175c6ad9e3..37da17ff7f 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -101,7 +101,14 @@ config AUTOBOOT_PROMPT
config AUTOBOOT_ENCRYPTION
bool "Enable encryption in autoboot stopping"
depends on AUTOBOOT_KEYED
- default n
+ help
+ This option allows a string to be entered into U-Boot to stop the
+ autoboot. The string itself is hashed and compared against the hash
+ in the environment variable 'bootstopkeysha256'. If it matches then
+ boot stops and a command-line prompt is presented.
+
+ This provides a way to ship a secure production device which can also
+ be accessed at the U-Boot command line.
config AUTOBOOT_DELAY_STR
string "Delay autobooting via specific input key / string"
diff --git a/common/autoboot.c b/common/autoboot.c
index 5a0dac8d79..f832808b71 100644
--- a/common/autoboot.c
+++ b/common/autoboot.c
@@ -54,6 +54,14 @@ static int slow_equals(u8 *a, u8 *b, int len)
return diff == 0;
}
+/**
+ * passwd_abort_sha256() - check for a hashed key sequence to abort booting
+ *
+ * This checks for the user entering a SHA256 hash within a given time.
+ *
+ * @etime: Timeout value ticks (stop when get_ticks() reachs this)
+ * @return 0 if autoboot should continue, 1 if it should stop
+ */
static int passwd_abort_sha256(uint64_t etime)
{
const char *sha_env_str = env_get("bootstopkeysha256");
@@ -106,6 +114,14 @@ static int passwd_abort_sha256(uint64_t etime)
return abort;
}
+/**
+ * passwd_abort_key() - check for a key sequence to aborted booting
+ *
+ * This checks for the user entering a string within a given time.
+ *
+ * @etime: Timeout value ticks (stop when get_ticks() reachs this)
+ * @return 0 if autoboot should continue, 1 if it should stop
+ */
static int passwd_abort_key(uint64_t etime)
{
int abort = 0;
diff --git a/doc/README.autoboot b/doc/README.autoboot
index eeb7e4c662..de35f3093d 100644
--- a/doc/README.autoboot
+++ b/doc/README.autoboot
@@ -132,6 +132,21 @@ What they do
provides an escape sequence from the limited "password"
strings.
+ CONFIG_AUTOBOOT_ENCRYPTION
+
+ "bootstopkeysha256" environment variable
+
+ - Hash value of the input which unlocks the device and
+ stops autoboot.
+
+ This option allows a string to be entered into U-Boot to stop the
+ autoboot. The string itself is hashed and compared against the hash
+ in the environment variable 'bootstopkeysha256'. If it matches then
+ boot stops and a command-line prompt is presented.
+
+ This provides a way to ship a secure production device which can also
+ be accessed at the U-Boot command line.
+
CONFIG_RESET_TO_RETRY
(Only effective when CONFIG_BOOT_RETRY_TIME is also set)
--
2.22.0.657.g960e92d24f-goog
More information about the U-Boot
mailing list