From: Graeme Russ <graeme.russ@gmail.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] Password protection of U-Boot command line
Date: Fri, 10 Feb 2012 22:56:40 +1100
Message-ID: <4F3505F8.1070504@gmail.com>
In-Reply-To: <20120210113838.35473193BB44@gemini.denx.de>

Hi Wolfgang,

On 02/10/2012 10:38 PM, Wolfgang Denk wrote:
> Dear Graeme Russ,
>
> In message <CALButCLT2o=7QO4GbM0M5Tp3BYXPCpqr7Sx6WYH09JKcUdMFSA@mail.gmail.com> you wrote:
>>
>> As an adjunct to a recent discussion, I wonder if there would be much
>> point in password protecting access to the U-Boot command line. The
>> password could be saved in an environment variable as an MD-5 or SHA-256
>> hash.
>
> We already have such protection, even if it's very simplistic: see
> doc/README.autoboot (search for CONFIG_AUTOBOOT_DELAY_STR,
> CONFIG_AUTOBOOT_STOP_STR resp. "bootdelaykey" and "bootstopkey").

OK, so the thought of protecting the shell with a password has already
happened... But the implementation is to hard-code the password in the
U-Boot image or to have it unencrypted in the environment.

I think we can agree that there is room for improvement :)

>> But I wonder if:
>>
>> a) It's worth it, and;
>> b) If it would be secure anyway...
>>
>> When U-Boot environment editing tools are available in the host OS, it would
>> be fairly trivial to overwrite the password variable - Unless, of course,
>> the host OS did not support that functionality.
>>
>> This feature may be useful for devices where every part of the system
>> must be tightly controlled (medical devices, voting machines etc)
>
> Well, in such devices you will typically disable interactive access at
> all.

Yes, but if you don't allow setting of environment variables from the host
OS, how can you change the settings if you need to?

Sounds like it's not a 'completely ruled out' idea...

Regards,

Graeme
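
An added example, not part of the original message or of U-Boot: a host-side audit that parses an environment image and flags the autoboot key variables named in the thread when they sit there in cleartext. It assumes the non-redundant layout (a 4-byte little-endian CRC32 followed by NUL-terminated name=value entries); the function names and the sample values are this example's own.

```python
import binascii
import struct

# Variable names from the thread (documented in doc/README.autoboot).
CLEARTEXT_KEY_VARS = ("bootdelaykey", "bootstopkey")


def build_env_image(variables, size=256):
    """Build a constructed image: CRC32 header, then NUL-terminated name=value entries."""
    data = b"".join(f"{k}={v}".encode() + b"\0" for k, v in variables.items()) + b"\0"
    data = data.ljust(size - 4, b"\xff")  # pad to the fixed environment size
    return struct.pack("<I", binascii.crc32(data)) + data


def parse_env_image(image):
    """Return (crc_ok, variables) for a non-redundant environment image."""
    (stored_crc,) = struct.unpack("<I", image[:4])
    data = image[4:]
    crc_ok = stored_crc == binascii.crc32(data)
    variables = {}
    for entry in data.split(b"\0"):
        if not entry:  # an empty entry marks the end of the variable list
            break
        name, _, value = entry.partition(b"=")
        variables[name.decode(errors="replace")] = value.decode(errors="replace")
    return crc_ok, variables


def audit_env_image(image):
    """List findings relevant to console protection, without echoing secret values."""
    crc_ok, variables = parse_env_image(image)
    findings = []
    if not crc_ok:
        findings.append("CRC mismatch: U-Boot will fall back to its default environment")
    for name in CLEARTEXT_KEY_VARS:
        if name in variables:
            findings.append(f"{name} is stored in cleartext ({len(variables[name])} chars)")
    return findings


if __name__ == "__main__":
    # Constructed sample environment, not taken from a real device.
    sample = build_env_image({"bootdelay": "3", "bootstopkey": "constructed-secret"})
    for finding in audit_env_image(sample):
        print(finding)
```
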