From: Lukasz Majewski <lukma@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] Using CONFIG_ENV_FLAGS_LIST
Date: Sat, 7 Sep 2019 00:23:18 +0200 [thread overview]
Message-ID: <20190907002318.363808bd@jawa> (raw)
In-Reply-To: <3bc23f5e-0f30-1003-6d08-d648eeaa7205@denx.de>
Hi Claudius,
> Hi,
>
> I am currently looking into variable flags in order to make some
> variables read-only for secure boot.
>
> The idea is that the u-boot binary is signed, while the environment
> file/partition is not. So the built-in default environment of u-boot
> can be trusted, while the external environment cannot. The assumption
> is that those flags can be used to customize the validation when the
> external environment is loaded or scripts/commands are executed.
>
> From the '/README' I gather that the access attributes can be any of
> "any", "read-only", "write-once" or "change-default".
>
> I first tried to restrict the variables by choosing 'read-only', but
> apparently this applies to the internal environment as well, and now
> those variables are not loaded from the internal environment.
>
> Then I tried 'write-once', this worked now as expected from within
> u-boot, but I could modify the environment from the linux userspace
> via fw_setenv and those changes appear in u-boot as well. The same for
> 'change-default'.
>
> Is there another way to fill the internal environment variable hash
> table, so that 'read-only' works as expected?
>
> Heiko wrote some patches that change the behavior of the environment
> loading so that the internal environment is loaded first before the
> external environment. This way 'write-once' should work as expected,
> but I think 'read-only' should work that way already and we are
> missing something here.
I think that Wolfgang had a long discussion with Takahiro AKASHI (both
CC'ed) about similar problem with u-boot envs.
For example:
https://patchwork.ozlabs.org/patch/1158770/
>
> Thanks,
> Claudius
>
Best regards,
Lukasz Majewski
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma at denx.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20190907/2930c4ad/attachment.sig>
next prev parent reply other threads:[~2019-09-06 22:23 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-02 14:02 [U-Boot] Using CONFIG_ENV_FLAGS_LIST Claudius Heine
2019-09-06 22:23 ` Lukasz Majewski [this message]
2019-09-09 11:06 ` Claudius Heine
2019-09-09 12:04 ` Lukasz Majewski
2019-09-10 0:45 ` AKASHI Takahiro
2019-09-09 11:26 ` Stefano Babic
2019-09-09 12:54 ` Claudius Heine
2019-09-09 13:10 ` Stefano Babic
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190907002318.363808bd@jawa \
--to=lukma@denx.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox