[PATCH v2 3/7] common: integrate crypt-based passwords

Steffen Jaeckel jaeckel-floss at eyet-services.de
Tue May 11 20:29:53 CEST 2021

Hi Simon,

On 5/11/21 5:27 PM, Simon Glass wrote:
>> [snip]
>>>> diff --git a/common/autoboot.c b/common/autoboot.c
>>>> index 50ab9281e7..6f55abe388 100644
>>>> --- a/common/autoboot.c
>>>> +++ b/common/autoboot.c
>>>> @@ -316,3 +316,4 @@ static int abortboot_key_sequence(int bootdelay)
>>>> -               if (IS_ENABLED(CONFIG_CRYPT_PW))
>>>> +               if (IS_ENABLED(CONFIG_CRYPT_PW) &&
>>>> +                   env_get_yesno("bootstopusesha256") != 1)
>>>>                         abort = passwd_abort_crypt(etime);
>>> Yes, and then you can enable both in sandbox and potentially have a
>>> test for your code within the standard sandbox build.
>> What kind of tests do you want to have added? Python based or C based ones?
>> TBH I don't see an easy way (yet) to add more tests than the ones I
>> already added, as enabling AUTOBOOT_KEYED (which is required for both,
>> crypt and sha256) would change the startup behavior of the sandbox...
> Here is my idea...we have console monitoring, like this:
> console_record_reset();
> run_command("acpi dump rdst", 0);
> ut_assert_nextline("Table 'RDST' not found");
> ut_assert_console_end();
> What is needed is the ability to inject console input. We have
> gd->console_in (in console.c) but there is currently no function to
> add input to it. Something similar to console_record_puts() is needed,
> perhaps called console_write_in(), which does a
> membuff_put(&gd->console_in, ...) with some input data (the hash).
> That way the input can be read by sandbox.
> Then I think you could write a test like this:
> console_record_reset();
> console_write_in(hash_string, strlen(hash_string));
> ut_assertok(autoboot_command(""));
> ut_assert_nextline("whatever indicates success");
> ut_assert_console_end();

OK, that sounds fine, with the only problem that there's no way to
enable the necessary features without also having them enabled in the
autoboot flow!?
i.e. instead of having a single keypress to enable the console of the
sandbox, one would always have to enter the password, or am I missing


More information about the U-Boot mailing list