Hi Claudius, > Hi, > > I am currently looking into variable flags in order to make some > variables read-only for secure boot. > > The idea is that the u-boot binary is signed, while the environment > file/partition is not. So the built-in default environment of u-boot > can be trusted, while the external environment cannot. The assumption > is that those flags can be used to customize the validation when the > external environment is loaded or scripts/commands are executed. > > From the '/README' I gather that the access attributes can be any of > "any", "read-only", "write-once" or "change-default". > > I first tried to restrict the variables by choosing 'read-only', but > apparently this applies to the internal environment as well, and now > those variables are not loaded from the internal environment. > > Then I tried 'write-once', this worked now as expected from within > u-boot, but I could modify the environment from the linux userspace > via fw_setenv and those changes appear in u-boot as well. The same for > 'change-default'. > > Is there another way to fill the internal environment variable hash > table, so that 'read-only' works as expected? > > Heiko wrote some patches that change the behavior of the environment > loading so that the internal environment is loaded first before the > external environment. This way 'write-once' should work as expected, > but I think 'read-only' should work that way already and we are > missing something here.
I think that Wolfgang had a long discussion with Takahiro AKASHI (both CC'ed) about similar problem with u-boot envs. For example: https://patchwork.ozlabs.org/patch/1158770/ > > Thanks, > Claudius > Best regards, Lukasz Majewski -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lu...@denx.de
pgpICVLMFd2UJ.pgp
Description: OpenPGP digital signature
_______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot