Locking down U-Boot env with ENV_WRITEABLE_LIST
Stefano Babic
sbabic at denx.de
Fri Mar 26 21:41:05 CET 2021

Hi Tim,

On 26.03.21 19:34, Marek Vasut wrote:
> On 3/26/21 7:15 PM, Tim Harvey wrote:
>> Greetings,
>
> Hi,
>
>> I'm trying to understand best how to lock down a U-Boot environment
>> using ENV_WRITEABLE_LIST=y.
>>
>> My understanding is that I should define all vars that I wish to be
>> able to be loaded from a FLASH env in CONFIG_ENV_FLAGS_LIST_DEFAULT. I
>> would think this would be something in Kconfig but it's not so I
>> wonder if I'm misunderstanding something or if I truly need to patch a
>> config.h when using this feature.
>
> You do need to patch board config in include/configs/ , since the flags
> were not converted to Kconfig. And make sure you only use integer or
> bool vars, since strings might contain scripts, which you want to avoid.
>
>> What is the best way to actively see your static U-Boot env that gets
>> linked into U-Boot? I can see it with a hexdump but there must be a
>> better way by looking at an include file?
>
> From running u-boot, => env print
>
From host:

    make u-boot-initial-env
    cat u-boot-initial-env

Best regards,
Stefano

>> What is the best way to set the list of vars that you wish to be
>> allowed to be imported from a FLASH env?
>
> Ideally none, and if you really want to make sure something can be
> pulled in from external env, then:
> #define CONFIG_ENV_FLAGS_LIST_STATIC "var1:dw,var2:dw"
>
> And those config options I had enabled in u-boot defconfig:
>
> CONFIG_CMD_ENV_CALLBACK=y
> CONFIG_CMD_ENV_FLAGS=y
> CONFIG_ENV_IS_NOWHERE=y
> CONFIG_ENV_IS_IN_MMC=y
> CONFIG_ENV_APPEND=y
> CONFIG_ENV_WRITEABLE_LIST=y
> CONFIG_ENV_ACCESS_IGNORE_FORCE=y
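
A host-side check for the setup discussed in this thread, as an added example that is not part of the original messages or of U-Boot's own tooling: it parses a flags list such as "var1:dw,var2:dw" and reports writeable variables that are not integer or bool, then checks a .config for the lock-down options quoted above. The function names, the WANTED subset and the sample strings are assumptions constructed for illustration; the attribute letters follow U-Boot's env flags syntax.

```python
"""Audit a U-Boot env flags list and .config for a locked-down environment."""

# Attribute characters of U-Boot's env flags syntax "name:<type><access>".
TYPES = {"s": "string", "d": "decimal", "x": "hex", "b": "bool",
         "i": "IP address", "m": "MAC address"}
ACCESS = {"a": "any", "r": "read-only", "o": "write-once",
          "c": "change-default", "w": "writeable"}
SCALAR = {"d", "x", "b"}  # "integer or bool", as advised in the thread

# Assumed subset of the defconfig options quoted in the thread.
WANTED = ["CONFIG_ENV_WRITEABLE_LIST", "CONFIG_ENV_APPEND",
          "CONFIG_ENV_ACCESS_IGNORE_FORCE"]


def audit_flags(flags_list):
    """Return (writeable_vars, findings) for a string like 'var1:dw,var2:dw'."""
    writeable, findings = [], []
    for entry in filter(None, (e.strip() for e in flags_list.split(","))):
        name, _, attrs = entry.partition(":")
        vtype, access = attrs[:1], attrs[1:2]
        if vtype not in TYPES or len(attrs) > 2 or (access and access not in ACCESS):
            findings.append(f"{name}: unrecognised attributes '{attrs}'")
            continue
        if access == "w":
            writeable.append(name)
            if vtype not in SCALAR:  # strings can carry scripts
                findings.append(f"{name}: writeable {TYPES[vtype]}, not integer/bool")
    return writeable, findings


def missing_options(config_text, wanted=WANTED):
    """Return the wanted options that are not set to =y in a .config."""
    enabled = {line.split("=", 1)[0] for line in config_text.splitlines()
               if line.endswith("=y") and not line.startswith("#")}
    return [opt for opt in wanted if opt not in enabled]


if __name__ == "__main__":
    # Constructed sample input, not taken from any real board.
    flags = "var1:dw,var2:dw,bootcmd:sw"
    config = "CONFIG_ENV_WRITEABLE_LIST=y\n# CONFIG_ENV_APPEND is not set\n"
    print(audit_flags(flags))
    print(missing_options(config))
```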