Locking down U-Boot env with ENV_WRITEABLE_LIST

[Marek Vasut]

On 4/3/21 4:21 AM, Tim Harvey wrote:
> On Fri, Mar 26, 2021 at 11:34 AM Marek Vasut <marex at denx.de> wrote:
>>
>> On 3/26/21 7:15 PM, Tim Harvey wrote:
>>> Greetings,
>>
>> Hi,
>>
>>> I'm trying to understand best how to lock down a U-Boot environment
>>> using ENV_WRITEABLE_LIST=y.
>>>
>>> My understanding is that I should define all vars that I wish to be
>>> able to be loaded from a FLASH env in CONFIG_ENV_FLAGS_LIST_DEFAULT. I
>>> would think this would be something in Kconfig but it's not so I
>>> wonder if I'm misunderstanding something or if I truly need to patch a
>>> config.h when using this feature.
>>
>> You do need to patch board config in include/configs/ , since the flags
>> were note converted to Kconfig. And make sure you only use integer or
>> bool vars, since strings might contain scripts, which you want to avoid.
>>
>>> What is the best way to actively see your static U-Boot env that gets
>>> linked into U-Boot? I can see it with a hexdump but there must be a
>>> better way by looking at an include file?
>>
>>   From running u-boot, => env print
>>
>>> What is the best way to set the list of vars that you wish to be
>>> allowed to be imported from a FLASH env?
>>
>> Ideally none, and if you really want to make sure something can be
>> pulled in from external env, then:
>> #define CONFIG_ENV_FLAGS_LIST_STATIC "var1:dw,var2:dw"
> 
> Marek,
> 
> I can't seem to understand CONFIG_ENV_FLAGS_LIST_STATIC vs
> CONFIG_ENF_FLAGS_LIST_DEFAULT. The code seems convoluted and
> experimentally I am just as confused.
> 
> It seems that as soon as you define CONFIG_ENV_WRITEABLE_LIST=y then
> all variables defined elsewhere (ie CONFIG_EXTRA_ENV_SETTINGS
> CONFIG_BOOTCOMMAND) can no longer be imported from an env (they are
> present if you clobber your flash env but not if anything is written
> to it).
> 
> I quite simply want only the following environment:
> kernel_addr_r=0x02000000
> mmcbootpart=4
> ustate=1
> bootcmd setenv bootargs root=/dev/mmcblk0p${mmcbootpart} rootwait rw;
> load mmc 0:${mmcbootpart} ${kernel_addr_r} boot/kernel.itb && bootm
> ${kernel_addr_r} - ${fdtcontroladdr}

This script is gonna be a problem, since it is something some external 
entity can overwrite and implant random script into your env. That's why 
I wrote you want minimal set of vars imported from external env and they 
should be boolean or integer.

> and the only variables with flags I want to be able to be overridden
> from MMC_ENV are:
> mmcbootpart:dw
> usate:dw
> 
> It is too bad this can't be done via defconfig - perhaps when I
> finally understand it I can submit a patch to move it to Kconfig.
> 
>>
>> And those config options I had enabled in u-boot defconfig:
>>
>> CONFIG_CMD_ENV_CALLBACK=y
>> CONFIG_CMD_ENV_FLAGS=y
>> CONFIG_ENV_IS_NOWHERE=y
>> CONFIG_ENV_IS_IN_MMC=y
>> CONFIG_ENV_APPEND=y
>> CONFIG_ENV_WRITEABLE_LIST=y
>> CONFIG_ENV_ACCESS_IGNORE_FORCE=y
> 
> Do you really define both ENV_IS_NOWHERE and ENV_IS_IN_MMC? From what
> I see if you define ENV_IS_NOWHERE none of the others will be used.

Yes, having two ENV drivers is mandatory. One provides the base env (the 
nowhere) and the other is used to import the filtered extras from 
external env.