[U-Boot] Using CONFIG_ENV_FLAGS_LIST

Claudius Heine ch at denx.de
Mon Sep 9 11:06:27 UTC 2019


Hi Lukasz,

On 07/09/2019 00.23, Lukasz Majewski wrote:
> Hi Claudius,
> 
>> Hi,
>>
>> I am currently looking into variable flags in order to make some
>> variables read-only for secure boot.
>>
>> The idea is that the u-boot binary is signed, while the environment
>> file/partition is not. So the built-in default environment of u-boot
>> can be trusted, while the external environment cannot. The assumption
>> is that those flags can be used to customize the validation when the
>> external environment is loaded or scripts/commands are executed.
>>
>> From the '/README' I gather that the access attributes can be any of
>> "any", "read-only", "write-once" or "change-default".
>>
>> I first tried to restrict the variables by choosing 'read-only', but
>> apparently this applies to the internal environment as well, and now
>> those variables are not loaded from the internal environment.
>>
>> Then I tried 'write-once', this worked now as expected from within
>> u-boot, but I could modify the environment from the linux userspace
>> via fw_setenv and those changes appear in u-boot as well. The same for
>> 'change-default'.
>>
>> Is there another way to fill the internal environment variable hash
>> table, so that 'read-only' works as expected?
>>
>> Heiko wrote some patches that change the behavior of the environment
>> loading so that the internal environment is loaded first before the
>> external environment. This way 'write-once' should work as expected,
>> but I think 'read-only' should work that way already and we are
>> missing something here.
> 
> I think that Wolfgang had a long discussion with Takahiro AKASHI (both
> CC'ed) about a similar problem with u-boot envs.

Were there any conclusions here?

For me this 'flags' feature looks more and more like it was not built
to safeguard the loading from unsigned and untrusted external
environments. I think what we would need here is some sort of variable
whitelist with some additional checks (type and size), but still allow
the u-boot scripts and commands to modify the variables in the hash
table (for filesize, ipaddr etc.) at boot time.

regards,
Claudius

> 
> For example:
> https://patchwork.ozlabs.org/patch/1158770/
> 
>>
>> Thanks,
>> Claudius
>>
> 
> 
> 
> Best regards,
> 
> Lukasz Majewski
> 
> --
> 
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma at denx.de
> 

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch at denx.de

           PGP key: 6FF2 E59F 00C6 BC28 31D8 64C1 1173 CB19 9808 B153
                             Keyserver: hkp://pool.sks-keyservers.net

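An added illustration of the whitelist approach sketched in the message above (example code written for this page, not U-Boot's own env_flags implementation): the default environment compiled into the signed binary is taken as-is, and variables from the unsigned external store are accepted only if they are whitelisted and pass a type and size check. All variable names, type codes and sample environments below are constructed; the type letters loosely follow the ones U-Boot's flags list uses (s, d, x, b, i).

```python
"""Trust split from the thread: built-in defaults are trusted, the external
environment (what fw_setenv writes) is not. Constructed model, not U-Boot code."""
import ipaddress
import re

# Whitelist entry: (type code, maximum value length). Anything not listed
# here cannot be overridden from the external store at all.
WHITELIST = {
    "ipaddr": ("i", 15),      # dotted-quad IPv4 address
    "serverip": ("i", 15),
    "bootdelay": ("d", 3),    # decimal, at most 3 digits
    "loadaddr": ("x", 10),    # hex, "0x" plus up to 8 digits
    "rootfs_part": ("d", 2),
}

# Stands in for the default environment embedded in the signed U-Boot binary.
TRUSTED_DEFAULTS = {
    "bootcmd": "run boot_signed",
    "bootdelay": "1",
    "loadaddr": "0x42000000",
    "ipaddr": "192.168.1.10",
}

def type_ok(code, value):
    """Check a value against its whitelisted type code."""
    if code == "d":
        return value.isdigit()
    if code == "x":
        return re.fullmatch(r"(0x)?[0-9a-fA-F]+", value) is not None
    if code == "b":
        return value.lower() in ("1", "0", "y", "n", "yes", "no", "true", "false")
    if code == "i":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    return True  # "s": any string, only the size limit applies

def parse_external_env(text):
    """Parse 'name=value' lines of an exported environment (constructed format)."""
    return {n.strip(): v for n, v in
            (ln.split("=", 1) for ln in text.splitlines() if "=" in ln)}

def merge_env(defaults, external):
    """Import the untrusted store on top of the trusted defaults.
    Returns (resulting environment, {rejected name: reason})."""
    env, rejected = dict(defaults), {}
    for name, value in external.items():
        if name not in WHITELIST:
            rejected[name] = "not whitelisted"
        elif len(value) > WHITELIST[name][1]:
            rejected[name] = "too long"
        elif not type_ok(WHITELIST[name][0], value):
            rejected[name] = "bad type"
        else:
            env[name] = value   # the hash table stays writable at boot time
    return env, rejected

# Constructed external store: one tampered command, one oversized value.
EXTERNAL_ENV = "bootcmd=run evil\nipaddr=192.168.1.77\nbootdelay=99999\nloadaddr=0x43000000\n"
```

Running `merge_env(TRUSTED_DEFAULTS, parse_external_env(EXTERNAL_ENV))` keeps the signed `bootcmd`, rejects `bootdelay` for its size, and accepts the two well-formed network settings.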