Locking down U-Boot env with ENV_WRITEABLE_LIST
sbabic at denx.de
Fri Mar 26 21:41:05 CET 2021
On 26.03.21 19:34, Marek Vasut wrote:
> On 3/26/21 7:15 PM, Tim Harvey wrote:
>> I'm trying to understand best how to lock down a U-Boot environment
>> using ENV_WRITEABLE_LIST=y.
>> My understanding is that I should define all vars that I wish to be
>> able to be loaded from a FLASH env in CONFIG_ENV_FLAGS_LIST_DEFAULT. I
>> would think this would be something in Kconfig but it's not so I
>> wonder if I'm misunderstanding something or if I truly need to patch a
>> config.h when using this feature.
> You do need to patch board config in include/configs/ , since the flags
> were not converted to Kconfig. And make sure you only use integer or
> bool vars, since strings might contain scripts, which you want to avoid.
>> What is the best way to actively see your static U-Boot env that gets
>> linked into U-Boot? I can see it with a hexdump but there must be a
>> better way by looking at an include file?
> From running u-boot, => env print
>> What is the best way to set the list of vars that you wish to be
>> allowed to be imported from a FLASH env?
> Ideally none, and if you really want to make sure something can be
> pulled in from external env, then:
> #define CONFIG_ENV_FLAGS_LIST_STATIC "var1:dw,var2:dw"
> And those config options I had enabled in u-boot defconfig:
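An added example, not part of the original thread or of U-Boot's own code: a small audit of a `CONFIG_ENV_FLAGS_LIST_STATIC` value that lists which variables are marked writeable (`w`) and reports any whose type is not integer or bool, following the advice quoted above. It assumes the define sits on a single line, that each entry's flags are a type letter followed by an access letter as in `var1:dw`, and the header text and function names are constructed for illustration.

```python
import re

# Type letters used in U-Boot env flags. Treating only d/x/b as acceptable
# for writeable variables is this example's policy ("integer or bool").
SAFE_TYPES = {"d": "decimal", "x": "hexadecimal", "b": "boolean"}
OTHER_TYPES = {"s": "string", "i": "IP address", "m": "MAC address"}

DEFINE_RE = re.compile(
    r'^\s*#define\s+CONFIG_ENV_FLAGS_LIST_STATIC\s+"([^"]*)"', re.M)

def audit_flags_list(flags_list):
    """Return (writeable_names, findings) for a 'name:flags,...' string."""
    writeable, findings = [], []
    for entry in (e.strip() for e in flags_list.split(",")):
        if not entry:
            continue
        name, sep, flags = entry.partition(":")
        if not sep or not name or not flags:
            findings.append((entry, "malformed, expected name:flags"))
            continue
        vtype = flags[0]                          # first letter: type
        access = flags[1] if len(flags) > 1 else ""  # second letter: access
        if vtype not in SAFE_TYPES and vtype not in OTHER_TYPES:
            findings.append((name, f"unknown type letter {vtype!r}"))
        if access != "w":
            continue                              # not on the writeable list
        writeable.append(name)
        if vtype not in SAFE_TYPES:
            kind = OTHER_TYPES.get(vtype, "unrecognised")
            findings.append(
                (name, f"writeable but typed {kind}, not integer/bool"))
    return writeable, findings

def audit_header(text):
    """Audit the define found in a board config header (empty if absent)."""
    m = DEFINE_RE.search(text)
    return audit_flags_list(m.group(1) if m else "")

# Constructed sample, not a real board config.
SAMPLE_HEADER = '''
#define CONFIG_ENV_FLAGS_LIST_STATIC "var1:dw,var2:dw,bootcmd:sw,upgrade:bw,serial:sr"
'''

if __name__ == "__main__":
    names, problems = audit_header(SAMPLE_HEADER)
    print("writeable from external env:", ", ".join(names) or "(none)")
    for name, why in problems:
        print(f"FINDING {name}: {why}")
```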