Claudius Heine ch at denx.de
Mon Sep 2 14:02:28 UTC 2019


I am currently looking into variable flags in order to make some
variables read-only for secure boot.

The idea is that the u-boot binary is signed, while the environment
file/partition is not. So the built-in default environment of u-boot can
be trusted, while the external environment cannot. The assumption is
that those flags can be used to customize the validation when the
external environment is loaded or scripts/commands are executed.

From the '/README' I gather that the access attributes can be any of
"any", "read-only", "write-once" or "change-default".

I first tried to restrict the variables by choosing 'read-only', but
apparently this applies to the internal environment as well, and now
those variables are not loaded from the internal environment.

Then I tried 'write-once', this worked now as expected from within
u-boot, but I could modify the environment from the linux userspace via
fw_setenv and those changes appear in u-boot as well. The same for

Is there another way to fill the internal environment variable hash
table, so that 'read-only' works as expected?

Heiko wrote some patches that change the behavior of the environment
loading so that the internal environment is loaded first before the
external environment. This way 'write-once' should work as expected, but
I think 'read-only' should work that way already and we are missing
something here.


DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch at denx.de

           PGP key: 6FF2 E59F 00C6 BC28 31D8 64C1 1173 CB19 9808 B153
                             Keyserver: hkp://pool.sks-keyservers.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20190902/b8c69565/attachment.sig>

More information about the U-Boot mailing list