Locking down U-Boot env with ENV_WRITEABLE_LIST
Marek Vasut
marex at denx.de
Fri Mar 26 19:34:33 CET 2021
On 3/26/21 7:15 PM, Tim Harvey wrote:
> Greetings,
Hi,
> I'm trying to understand best how to lock down a U-Boot environment
> using ENV_WRITEABLE_LIST=y.
>
> My understanding is that I should define all vars that I wish to be
> able to be loaded from a FLASH env in CONFIG_ENV_FLAGS_LIST_DEFAULT. I
> would think this would be something in Kconfig but it's not so I
> wonder if I'm misunderstanding something or if I truly need to patch a
> config.h when using this feature.
You do need to patch board config in include/configs/ , since the flags
were note converted to Kconfig. And make sure you only use integer or
bool vars, since strings might contain scripts, which you want to avoid.
> What is the best way to actively see your static U-Boot env that gets
> linked into U-Boot? I can see it with a hexdump but there must be a
> better way by looking at an include file?
From running u-boot, => env print
> What is the best way to set the list of vars that you wish to be
> allowed to be imported from a FLASH env?
Ideally none, and if you really want to make sure something can be
pulled in from external env, then:
#define CONFIG_ENV_FLAGS_LIST_STATIC "var1:dw,var2:dw"
And those config options I had enabled in u-boot defconfig:
CONFIG_CMD_ENV_CALLBACK=y
CONFIG_CMD_ENV_FLAGS=y
CONFIG_ENV_IS_NOWHERE=y
CONFIG_ENV_IS_IN_MMC=y
CONFIG_ENV_APPEND=y
CONFIG_ENV_WRITEABLE_LIST=y
CONFIG_ENV_ACCESS_IGNORE_FORCE=y
More information about the U-Boot
mailing list