[U-Boot] Using CONFIG_ENV_FLAGS_LIST
lukma at denx.de
Fri Sep 6 22:23:18 UTC 2019
> I am currently looking into variable flags in order to make some
> variables read-only for secure boot.
> The idea is that the u-boot binary is signed, while the environment
> file/partition is not. So the built-in default environment of u-boot
> can be trusted, while the external environment cannot. The assumption
> is that those flags can be used to customize the validation when the
> external environment is loaded or scripts/commands are executed.
> From the '/README' I gather that the access attributes can be any of
> "any", "read-only", "write-once" or "change-default".
> I first tried to restrict the variables by choosing 'read-only', but
> apparently this applies to the internal environment as well, and now
> those variables are not loaded from the internal environment.
> Then I tried 'write-once', this worked now as expected from within
> u-boot, but I could modify the environment from the linux userspace
> via fw_setenv and those changes appear in u-boot as well. The same for
> Is there another way to fill the internal environment variable hash
> table, so that 'read-only' works as expected?
> Heiko wrote some patches that change the behavior of the environment
> loading so that the internal environment is loaded first before the
> external environment. This way 'write-once' should work as expected,
> but I think 'read-only' should work that way already and we are
> missing something here.
I think that Wolfgang had a long discussion with Takahiro AKASHI (both
CC'ed) about similar problem with u-boot envs.
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma at denx.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 488 bytes
Desc: OpenPGP digital signature
More information about the U-Boot