Locking down U-Boot env with ENV_WRITEABLE_LIST

Stefano Babic sbabic at denx.de
Fri Mar 26 21:41:05 CET 2021


Hi Tim,

On 26.03.21 19:34, Marek Vasut wrote:
> On 3/26/21 7:15 PM, Tim Harvey wrote:
>> Greetings,
> 
> Hi,
> 
>> I'm trying to understand best how to lock down a U-Boot environment
>> using ENV_WRITEABLE_LIST=y.
>>
>> My understanding is that I should define all vars that I wish to be
>> able to be loaded from a FLASH env in CONFIG_ENV_FLAGS_LIST_DEFAULT. I
>> would think this would be something in Kconfig but it's not so I
>> wonder if I'm misunderstanding something or if I truly need to patch a
>> config.h when using this feature.
> 
> You do need to patch board config in include/configs/ , since the flags 
> were note converted to Kconfig. And make sure you only use integer or 
> bool vars, since strings might contain scripts, which you want to avoid.
> 
>> What is the best way to actively see your static U-Boot env that gets
>> linked into U-Boot? I can see it with a hexdump but there must be a
>> better way by looking at an include file?
> 
>  From running u-boot, => env print
> 

 From host:
	make u-boot-initial-env
	cat u-boot-initial-env

Best regards,
Stefano

>> What is the best way to set the list of vars that you wish to be
>> allowed to be imported from a FLASH env?
> 
> Ideally none, and if you really want to make sure something can be 
> pulled in from external env, then:
> #define CONFIG_ENV_FLAGS_LIST_STATIC "var1:dw,var2:dw"
> 
> And those config options I had enabled in u-boot defconfig:
> 
> CONFIG_CMD_ENV_CALLBACK=y
> CONFIG_CMD_ENV_FLAGS=y
> CONFIG_ENV_IS_NOWHERE=y
> CONFIG_ENV_IS_IN_MMC=y
> CONFIG_ENV_APPEND=y
> CONFIG_ENV_WRITEABLE_LIST=y
> CONFIG_ENV_ACCESS_IGNORE_FORCE=y


More information about the U-Boot mailing list