From: Graeme Russ <graeme.russ@gmail.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] Password protection of U-Boot command line
Date: Fri, 10 Feb 2012 22:56:40 +1100 [thread overview]
Message-ID: <4F3505F8.1070504@gmail.com> (raw)
In-Reply-To: <20120210113838.35473193BB44@gemini.denx.de>
Hi Wolfgang,
On 02/10/2012 10:38 PM, Wolfgang Denk wrote:
> Dear Graeme Russ,
>
> In message <CALButCLT2o=7QO4GbM0M5Tp3BYXPCpqr7Sx6WYH09JKcUdMFSA@mail.gmail.com> you wrote:
>>
>> As an adjunct to a recent discussion, I wonder if there would be much
>> point in password protecting access to the U-Boot command line. The
>> password could be saved in an environment variable as an MD-5 or SHA-256
>> hash.
>
> We already have such protection, even if it's very simplistic: see
> doc/README.autoboot (search for CONFIG_AUTOBOOT_DELAY_STR,
> CONFIG_AUTOBOOT_STOP_STR resp. "bootdelaykey" and "bootstopkey").
OK, so the thought of protecting the shell with a password has already
happened...But the implementation is to hard-code the password in the
U-Boot image or to have it unencrypted in the environment
I think we can agree that there is room for improvement :)
>> But I wonder if:
>>
>> a) It's worth it, and;
>> b) If it would be secure anyway...
>>
>> When U-Boot environment editing tools available in the host OS, it would
>> be fairly trivial to overwrite the password variable - Unless, of course,
>> the host OS did not support that functionality.
>>
>> This feature may be usefull for devices where every part of the system
>> must be tightly controlled (medical devices, voting machines etc)
>
> Well, in such devices you will typically disable interactive access at
> all.
Yes, but if you don't allow setting of environment variables from the host
OS, how can you change the settings if you need to
Sounds like it's not a 'completely ruled out' idea...
Regards,
Graeme
next prev parent reply other threads:[~2012-02-10 11:56 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-10 5:16 [U-Boot] Password protection of U-Boot command line Graeme Russ
2012-02-10 11:38 ` Wolfgang Denk
2012-02-10 11:56 ` Graeme Russ [this message]
2012-02-10 12:30 ` Marek Vasut
2012-02-10 13:31 ` Wolfgang Denk
2012-02-10 14:12 ` Frans Meulenbroeks
2012-02-10 14:27 ` Wolfgang Denk
2012-02-10 21:14 ` Frans Meulenbroeks
2012-02-11 0:44 ` Wolfgang Denk
2012-02-10 20:29 ` Mike Frysinger
2012-02-10 20:37 ` Mike Frysinger
2012-02-11 4:17 ` Graeme Russ
2012-02-11 9:00 ` Frans Meulenbroeks
2012-02-11 20:14 ` Wolfgang Denk
2012-02-12 10:03 ` Graeme Russ
2012-02-11 20:09 ` Wolfgang Denk
2012-02-12 9:33 ` Graeme Russ
2012-02-12 17:52 ` Mike Frysinger
2012-02-12 19:17 ` Wolfgang Denk
2012-02-12 22:31 ` Graeme Russ
2012-02-13 7:31 ` Wolfgang Denk
2012-02-13 11:50 ` Graeme Russ
2012-02-13 14:10 ` Wolfgang Denk
2012-02-10 13:27 ` Wolfgang Denk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F3505F8.1070504@gmail.com \
--to=graeme.russ@gmail.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox