[U-Boot] Using CONFIG_ENV_FLAGS_LIST

[Lukasz Majewski <lukma@denx.de>]

Hi Claudius,

> Hi Lukasz,
> 
> On 07/09/2019 00.23, Lukasz Majewski wrote:
> > Hi Claudius,
> >   
> >> Hi,
> >>
> >> I am currently looking into variable flags in order to make some
> >> variables read-only for secure boot.
> >>
> >> The idea is that the u-boot binary is signed, while the environment
> >> file/partition is not. So the built-in default environment of
> >> u-boot can be trusted, while the external environment cannot. The
> >> assumption is that those flags can be used to customize the
> >> validation when the external environment is loaded or
> >> scripts/commands are executed.
> >>
> >> From the '/README' I gather that the access attributes can be any
> >> of "any", "read-only", "write-once" or "change-default".
> >>
> >> I first tried to restrict the variables by choosing 'read-only',
> >> but apparently this applies to the internal environment as well,
> >> and now those variables are not loaded from the internal
> >> environment.
> >>
> >> Then I tried 'write-once', this worked now as expected from within
> >> u-boot, but I could modify the environment from the linux userspace
> >> via fw_setenv and those changes appear in u-boot as well. The same
> >> for 'change-default'.
> >>
> >> Is there another way to fill the internal environment variable hash
> >> table, so that 'read-only' works as expected?
> >>
> >> Heiko wrote some patches that change the behavior of the
> >> environment loading so that the internal environment is loaded
> >> first before the external environment. This way 'write-once'
> >> should work as expected, but I think 'read-only' should work that
> >> way already and we are missing something here.  
> > 
> > I think that Wolfgang had a long discussion with Takahiro AKASHI
> > (both CC'ed) about similar problem with u-boot envs.  
> 
> Were there any conclusions here?

I don't know if there was any conclusion (or patches).

> 
> For me this 'flags' feature looks more and more like its was not build
> to save guard the loading from unsigned and untrusted external
> environments. I think what we would need here is some sort of variable
> whitelist with some additional checks (type and size), but still allow
> the u-boot scripts and commands to modify the variables in the hash
> table (for filesize, ipaddr etc.) at boot time.


Maybe Takahiro could shed some light on his work and you could discuss
if your both work could be aligned?


> 
> regards,
> Claudius
> 
> > 
> > For example:
> > https://patchwork.ozlabs.org/patch/1158770/
> >   
> >>
> >> Thanks,
> >> Claudius
> >>  
> > 
> > 
> > 
> > Best regards,
> > 
> > Lukasz Majewski
> > 
> > --
> > 
> > DENX Software Engineering GmbH,      Managing Director: Wolfgang
> > Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell,
> > Germany Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email:
> > lukma at denx.de 
> 



Best regards,

Lukasz Majewski

--

DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma at denx.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20190909/90e43786/attachment.sig>