From: Ahmad Fatoum <[email protected]> To allow runtime unlocking of a device via security policies, add a new SCONFIG_BOOT_UNSIGNED_IMAGES option and consult it.
Signed-off-by: Ahmad Fatoum <[email protected]>
---
common/Sconfig | 15 +++++++++++++++
common/bootm.c | 26 +++++++++++++++++++++++++-
2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/common/Sconfig b/common/Sconfig
index 479ac5cdf2e560a638d39abbc9f91afe2edd7403..edbc4bc028af79e2a72bb86de94ecce5c7b7643d 100644
--- a/common/Sconfig
+++ b/common/Sconfig
@@ -7,3 +7,18 @@ config RATP
 depends on $(kconfig-enabled,CONSOLE_RATP)
 endmenu
+
+menu "Boot Policy"
+
+config BOOT_UNSIGNED_IMAGES
+ bool "Allow booting unsigned images"
+ depends on $(kconfig-enabled,BOOTM_OPTIONAL_SIGNED_IMAGES)
+ help
+ Say y here if you want to allow booting of images with
+ an invalid signature or no signature at all.
+
+ Systems with verified boot chains should say y here
+ or force it at compile time irrespective of policy
+ with CONFIG_BOOTM_FORCE_SIGNED_IMAGES
+
+endmenu
diff --git a/common/bootm.c b/common/bootm.c
index 755c9358ce3a17c8ce37a9db13cf18d0aea1b5e7..17792b2a1d81a0d0164d9b899093395341475fc9 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -16,8 +16,10 @@
 #include <magicvar.h>
 #include <uncompress.h>
 #include <zero_page.h>
+#include <security/config.h>
 static LIST_HEAD(handler_list);
+static struct sconfig_notifier_block sconfig_notifier;
 static __maybe_unused struct bootm_overrides bootm_overrides;
@@ -114,6 +116,13 @@ static const char * const bootm_verify_names[] = {
 [BOOTM_VERIFY_SIGNATURE] = "signature",
 };
+/*
+ * There's three ways to influence whether signed images are forced:
+ * 1) CONFIG_BOOTM_FORCE_SIGNED_IMAGES: forced at compile time
+ * 2) SCONFIG_BOOT_UNSIGNED_IMAGES: determined by the active security policy
+ * 3) bootm_force_signed_images(): forced dynamically by board code.
+ * will be deprecated in favor of 2)
+ */
 static bool force_signed_images = IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES);
 static void bootm_optional_signed_images(void)
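Review bot: The second paragraph of the BOOT_UNSIGNED_IMAGES help text is inverted: the option permits booting images with an invalid or missing signature, so a system with a verified boot chain must say n, not y, to keep verification enforced. As written, an integrator following the help text would switch off signature enforcement on exactly the systems that depend on it. Change the line to `Systems with verified boot chains should say n here`; the following sentence about forcing it at compile time with CONFIG_BOOTM_FORCE_SIGNED_IMAGES then reads consistently. It would also help to state what the policy does when this option is unavailable, since the `depends on` line means it only exists when BOOTM_OPTIONAL_SIGNED_IMAGES is enabled.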
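Review bot: The new comment opens with `There's three ways`, which should read ` * There are three ways to influence whether signed images are forced:`. It also lists the three mechanisms without saying how they combine; since the change to `bootm_signed_images_are_forced()` later in this patch ORs the compile-time/board flag with the policy denial, a closing line such as ` * Any of them forcing signatures wins; the policy can only relax verification when neither 1) nor 3) is active.` would record the intended precedence next to the flag it governs.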
@@ -141,6 +150,16 @@ static void bootm_require_signed_images(void)
 bootm_verify_mode = BOOTM_VERIFY_SIGNATURE;
 }
+static void bootm_unsigned_sconfig_update(struct sconfig_notifier_block *nb,
+ enum security_config_option opt,
+ bool allowed)
+{
+ if (!allowed)
+ bootm_require_signed_images();
+ else
+ bootm_optional_signed_images();
+}
+
 void bootm_force_signed_images(void)
 {
 bootm_require_signed_images();
@@ -149,7 +168,7 @@ void bootm_force_signed_images(void)
 bool bootm_signed_images_are_forced(void)
 {
- return force_signed_images;
+ return force_signed_images || !IS_ALLOWED(SCONFIG_BOOT_UNSIGNED_IMAGES);
 }
 static int uimage_part_num(const char *partname)
@@ -1109,6 +1128,11 @@ static int bootm_init(void)
 else
 bootm_optional_signed_images();
+ sconfig_register_handler_filtered(&sconfig_notifier,
+ bootm_unsigned_sconfig_update,
+ SCONFIG_BOOT_UNSIGNED_IMAGES);
+
+
 if (IS_ENABLED(CONFIG_ROOTWAIT_BOOTARG))
 globalvar_add_simple_int("linux.rootwait", &linux_rootwait_secs, "%d");
--
2.39.5
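Review bot: `bootm_unsigned_sconfig_update()` calls `bootm_optional_signed_images()` whenever the policy allows unsigned images without consulting `force_signed_images`, so a policy change can invoke the optional-mode setter on a build with CONFIG_BOOTM_FORCE_SIGNED_IMAGES or after board code has called `bootm_force_signed_images()`. `bootm_signed_images_are_forced()` would still report true in that state, so the two views of enforcement diverge; whether `bootm_optional_signed_images()` actually lowers `bootm_verify_mode` depends on its body, which is outside this hunk. Mirroring the decision bootm_init() makes at startup, the guard should be `if (!allowed || force_signed_images)`. Since `nb` and `opt` are unused, a one-line comment above the function noting that the callback acts only on `allowed` would also help readers.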
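Review bot: The registration leaves two consecutive blank lines after the `sconfig_register_handler_filtered()` call; drop one to match the single-blank-line spacing elsewhere in bootm_init(). Separately, the initial mode selection just above (its condition is outside the hunk) does not appear to consult the policy, so if registering the handler does not replay the currently active value, `bootm_verify_mode` and `bootm_signed_images_are_forced()`, which now also consults IS_ALLOWED, can disagree until the policy next changes. I cannot tell from this hunk whether `sconfig_register_handler_filtered()` invokes the callback immediately; if it does, a comment such as `/* the handler is also invoked for the currently active policy */` above the call would make that contract visible, and if it does not, the current policy should be applied once here. The body of bootm_init() continues outside the hunk.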
