[U-Boot] Using CONFIG_ENV_FLAGS_LIST

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] Using CONFIG_ENV_FLAGS_LIST
Date: Tue, 10 Sep 2019 09:45:33 +0900	[thread overview]
Message-ID: <20190910004532.GK4398@linaro.org> (raw)
In-Reply-To: <20190909140450.365f6ad0@jawa>

On Mon, Sep 09, 2019 at 02:04:50PM +0200, Lukasz Majewski wrote:
> Hi Claudius,
> 
> > Hi Lukasz,
> > 
> > On 07/09/2019 00.23, Lukasz Majewski wrote:
> > > Hi Claudius,
> > >   
> > >> Hi,
> > >>
> > >> I am currently looking into variable flags in order to make some
> > >> variables read-only for secure boot.
> > >>
> > >> The idea is that the u-boot binary is signed, while the environment
> > >> file/partition is not. So the built-in default environment of
> > >> u-boot can be trusted, while the external environment cannot. The
> > >> assumption is that those flags can be used to customize the
> > >> validation when the external environment is loaded or
> > >> scripts/commands are executed.
> > >>
> > >> From the '/README' I gather that the access attributes can be any
> > >> of "any", "read-only", "write-once" or "change-default".
> > >>
> > >> I first tried to restrict the variables by choosing 'read-only',
> > >> but apparently this applies to the internal environment as well,
> > >> and now those variables are not loaded from the internal
> > >> environment.
> > >>
> > >> Then I tried 'write-once', this worked now as expected from within
> > >> u-boot, but I could modify the environment from the linux userspace
> > >> via fw_setenv and those changes appear in u-boot as well. The same
> > >> for 'change-default'.
> > >>
> > >> Is there another way to fill the internal environment variable hash
> > >> table, so that 'read-only' works as expected?
> > >>
> > >> Heiko wrote some patches that change the behavior of the
> > >> environment loading so that the internal environment is loaded
> > >> first before the external environment. This way 'write-once'
> > >> should work as expected, but I think 'read-only' should work that
> > >> way already and we are missing something here.  
> > > 
> > > I think that Wolfgang had a long discussion with Takahiro AKASHI
> > > (both CC'ed) about similar problem with u-boot envs.  
> > 
> > Were there any conclusions here?
> 
> I don't know if there was any conclusion (or patches).

No. As a matter of fact, I gave up my idea of modifying flags
(attributes) features of U-Boot environment.

> > 
> > For me this 'flags' feature looks more and more like its was not build
> > to save guard the loading from unsigned and untrusted external
> > environments. I think what we would need here is some sort of variable
> > whitelist with some additional checks (type and size), but still allow
> > the u-boot scripts and commands to modify the variables in the hash
> > table (for filesize, ipaddr etc.) at boot time.
> 
> 
> Maybe Takahiro could shed some light on his work and you could discuss
> if your both work could be aligned?

Instead, I'm proposing 'multiple contexts' to be allowed for U-Boot
environment[1]. The idea here is that we may have separated backing
storage areas, for different variable domains with different needs
in U-Boot environment.
For example, in my implementation of UEFI variables,
one for volatile (non-persistent) variables and
another for non-volatile (persistent and auto-saved) variables.
(Please note that a context is allowed *not* to have any backing storage.)

while I'm not sure yet exactly what Claudius's requirement is,
please take a look at my patch below and find out if my work will
fit your expectation.

[1] https://lists.denx.de/pipermail/u-boot/2019-September/382835.html

Thanks,
-Takahiro Akashi

> 
> > 
> > regards,
> > Claudius
> > 
> > > 
> > > For example:
> > > https://patchwork.ozlabs.org/patch/1158770/
> > >   
> > >>
> > >> Thanks,
> > >> Claudius
> > >>  
> > > 
> > > 
> > > 
> > > Best regards,
> > > 
> > > Lukasz Majewski
> > > 
> > > --
> > > 
> > > DENX Software Engineering GmbH,      Managing Director: Wolfgang
> > > Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell,
> > > Germany Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email:
> > > lukma at denx.de 
> > 
> 
> 
> 
> Best regards,
> 
> Lukasz Majewski
> 
> --
> 
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma at denx.de

next prev parent reply	other threads:[~2019-09-10  0:45 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-02 14:02 [U-Boot] Using CONFIG_ENV_FLAGS_LIST Claudius Heine
2019-09-06 22:23 ` Lukasz Majewski
2019-09-09 11:06   ` Claudius Heine
2019-09-09 12:04     ` Lukasz Majewski
2019-09-10  0:45       ` AKASHI Takahiro [this message]
2019-09-09 11:26 ` Stefano Babic
2019-09-09 12:54   ` Claudius Heine
2019-09-09 13:10     ` Stefano Babic

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190910004532.GK4398@linaro.org \
    --to=takahiro.akashi@linaro.org \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox