[PATCH v3 7/8] common: add support to fallback to plain SHA256
Steffen Jaeckel
jaeckel-floss at eyet-services.de
Mon Jun 21 22:23:50 CEST 2021
In case crypt-based hashing is enabled this will be the default mechanism
that is used. If a user wants to have support for both, the environment
variable `bootstopusesha256` can be set to `true` to allow plain SHA256
based hashing of the password.
Signed-off-by: Steffen Jaeckel <jaeckel-floss at eyet-services.de>
---
(no changes since v1)
common/Kconfig.boot | 8 ++++++++
common/autoboot.c | 22 +++++++++++++++++++++-
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/common/Kconfig.boot b/common/Kconfig.boot
index d19bc32836..b04a6c98e5 100644
--- a/common/Kconfig.boot
+++ b/common/Kconfig.boot
@@ -834,6 +834,14 @@ config AUTOBOOT_ENCRYPTION
This provides a way to ship a secure production device which can also
be accessed at the U-Boot command line.
+config AUTOBOOT_SHA256_FALLBACK_ENABLE
+ bool "Allow fallback from crypt-hashed password to sha256"
+ depends on AUTOBOOT_ENCRYPTION && CRYPT_PW
+ help
+ This option adds support to fall back from crypt-hashed
+ passwords to checking a SHA256 hashed password in case the
+ 'bootstopusesha256' environment variable is set to 'true'.
+
config AUTOBOOT_DELAY_STR
string "Delay autobooting via specific input key / string"
depends on AUTOBOOT_KEYED && !AUTOBOOT_ENCRYPTION
diff --git a/common/autoboot.c b/common/autoboot.c
index 1eeabf0b1a..c6f550b8a7 100644
--- a/common/autoboot.c
+++ b/common/autoboot.c
@@ -305,6 +305,26 @@ static void flush_stdin(void)
(void)getchar();
}
+/**
+ * fallback_to_sha256() - check whether we should fall back to sha256
+ * password checking
+ *
+ * This checks for the environment variable `bootstopusesha256` in case
+ * sha256-fallback has been enabled via the config setting
+ * `AUTOBOOT_SHA256_FALLBACK_ENABLE`.
+ *
+ * @return 0 if we must not fall-back, 1 if plain sha256 should be tried
+ */
+static int fallback_to_sha256(void)
+{
+ if (IS_ENABLED(CONFIG_AUTOBOOT_SHA256_FALLBACK_ENABLE))
+ return env_get_yesno("bootstopusesha256") == 1;
+ else if (IS_ENABLED(CONFIG_CRYPT_PW))
+ return 0;
+ else
+ return 1;
+}
+
/***************************************************************************
* Watch for 'delay' seconds for autoboot stop or autoboot delay string.
* returns: 0 - no key string, allow autoboot 1 - got key string, abort
@@ -325,7 +345,7 @@ static int abortboot_key_sequence(int bootdelay)
# endif
if (IS_ENABLED(CONFIG_AUTOBOOT_ENCRYPTION)) {
- if (IS_ENABLED(CONFIG_CRYPT_PW))
+ if (IS_ENABLED(CONFIG_CRYPT_PW) && !fallback_to_sha256())
abort = passwd_abort_crypt(etime);
else
abort = passwd_abort_sha256(etime);
--
2.31.1
More information about the U-Boot
mailing list