[PATCH v3 11/11] siemens: capricorn: protect environment
Schweizer, Walter
walter.schweizer at siemens.com
Wed Feb 18 18:19:12 CET 2026
Hello Heiko
Recently we discovered that we need to add "bootcmd:sw" to the CFG_ENV_FLAGS_LIST_STATIC list.
Best Regards
Walter
-----Original Message-----
From: Heiko Schocher <hs at nabladev.com>
Sent: Tuesday, February 17, 2026 5:39 PM
To: U-Boot Mailing List <u-boot at lists.denx.de>
Cc: Fabio Estevam <festevam at gmail.com>; Peng Fan <peng.fan at oss.nxp.com>; Freihofer, Adrian (SI B PRO TI EAC CCP) <adrian.freihofer at siemens.com>; Heiko Schocher <hs at nabladev.com>; Peng Fan <peng.fan at nxp.com>; Sverdlin, Alexander (SI B PRO TI EAC CCP) <alexander.sverdlin at siemens.com>; Marek Vasut <marek.vasut+renesas at mailbox.org>; Simon Glass <sjg at chromium.org>; Tom Rini <trini at konsulko.com>; Schweizer, Walter (SI B PRO TI EAC CCP) <walter.schweizer at siemens.com>
Subject: [PATCH v3 11/11] siemens: capricorn: protect environment
From: Adrian Freihofer <adrian.freihofer at siemens.com>
With ENV_WRITEABLE_LIST only specific environment variables listed in CFG_ENV_FLAGS_LIST_STATIC are read from the u-boot environment storage.
All other environment variables are set to default values and are not written back to the storage.
The u-boot environment usually stays for the lifetime of the product.
There is no A/B copy mechanism as for the firmware itself. That means that incompatible changes to environment variables in future u-boot versions may lead to serious issues if the old environment is used with a new u-boot version or vice versa.
Having this protection in place ensures that only a limited set of environment variables are persisted across u-boot versions. All the macros not listed in CFG_ENV_FLAGS_LIST_STATIC are now part of the u-boot binary which is redundant and immutable. This guarantees that the u-boot version and the default values of these environment variables are always in sync and cannot be changed at runtime.
ustate and rastate are not relevant for u-boot itself. ustate is used by swupdate which persists the transaction state in the environment.
rastate is a similar variable used by another user space application.
Signed-off-by: Adrian Freihofer <adrian.freihofer at siemens.com>
Signed-off-by: Heiko Schocher <hs at nabladev.com>
Reviewed-by: Peng Fan <peng.fan at nxp.com>
---
(no changes since v2)
Changes in v2:
Added Reviewed-by from Peng
Reworked writeable variable list, as we dropped patch
"env: add w flags for net config in explicit write mode"
configs/imx8qxp_capricorn.config | 1 +
include/configs/capricorn-common.h | 13 +++++++++++++
2 files changed, 14 insertions(+)
diff --git a/configs/imx8qxp_capricorn.config b/configs/imx8qxp_capricorn.config
index 626634cb09c..2bae5b1a862 100644
--- a/configs/imx8qxp_capricorn.config
+++ b/configs/imx8qxp_capricorn.config
@@ -12,6 +12,7 @@ CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x80200000
CONFIG_ENV_SIZE=0x2000
CONFIG_ENV_REDUNDANT=y
CONFIG_ENV_MMC_EMMC_HW_PARTITION=2
+CONFIG_ENV_WRITEABLE_LIST=y
CONFIG_DM_GPIO=y
CONFIG_AHAB_BOOT=y
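Review bot: CONFIG_ENV_WRITEABLE_LIST=y is enabled in this fragment with nothing documenting what it means for units already in the field. Per the commit message, every stored variable outside the list falls back to its built-in default and is never written back, so a device whose stored environment was customised behaves differently after the upgrade. Suggest stating this upgrade effect in the board documentation or in a comment next to the list in capricorn-common.h, so integrators know which stored values are ignored from this version on.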
diff --git a/include/configs/capricorn-common.h b/include/configs/capricorn-common.h
index 7120a44d186..ee13d2ab950 100644
--- a/include/configs/capricorn-common.h
+++ b/include/configs/capricorn-common.h
@@ -38,6 +38,19 @@
#define CFG_EXTRA_ENV_SETTINGS \
AHAB_ENV
+#ifdef CONFIG_ENV_WRITEABLE_LIST
+#define CFG_ENV_FLAGS_LIST_STATIC \
+ "bootcount:dw," \
+ "bootdelay:sw," \
+ "bootlimit:dw," \
+ "partitionset_active:sw," \
+ "rastate:dw," \
+ "sig_a:sw,sig_b:sw," \
+ "target_env:sw," \
+ "upgrade_available:dw," \
+ "ustate:dw"
+#endif
+
/* Default location for tftp and bootm */
/* On CCP board, USDHC1 is for eMMC */
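Review bot: the CFG_ENV_FLAGS_LIST_STATIC list has no bootcmd entry, and the follow-up at the top of this thread reports that "bootcmd:sw" has to be added, so this hunk needs a respin. Once bootcmd is listed it is loaded from storage again and is no longer covered by the "always in sync with the binary" property the commit message describes, so the commit message should say why it must be writable. Two smaller points: a one-line comment above the define explaining the flag letters (s = string, d = decimal, w = writeable) and why each variable is persisted (only ustate and rastate are explained in the commit message) would help later reviewers, and "sig_a:sw,sig_b:sw," puts two entries on one line where every other entry has its own.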
--
2.20.1