Board: phytec-som-imx6 I need to configure barebox in a way, that a malicious attacker can not break into the system. It looks like I need to perform the following steps: 1. Enforce signature verification of FIT image --> CONFIG_BOOTM_FORCE_SIGNED_IMAGES 2. Prevent manipulation of the saved environment in flash --> Do not load any environment settings from flash, only use compiled in default environment. --> Remove / permanently disable "barebox,environment" node in device-tree? --> Compile without CONFIG_OF_BAREBOX_DRIVERS? 3. Prevent access to the barebox shell --> CONFIG_CMD_LOGIN? --> CONFIG_SHELL_NONE? What is the best way to prevent (offline) manipulation of the barebox environment? What is the best way to block the shell access? regards Christian ________________________________ [http://assets.arri.com/media/sign/2019-12-13a-ARRI-E-mail-Signatur-Parkstadt.jpg] <https://www.google.com/maps/place/Herbert-Bayer-Stra%C3%9Fe+10,+80807+M%C3%BCnchen/data=!4m2!3m1!1s0x479e74379489f045:0x4bbf0c7a9e893d66?sa=X&ved=2ahUKEwjjvdSlh8TmAhWIp4sKHe3vDlQQ8gEwAHoECAsQAQ> Get all the latest information from www.arri.com<https://www.arri.com/>, Facebook<https://www.facebook.com/TeamARRI>, Twitter<https://twitter.com/ARRIChannel>, Instagram<https://instagram.com/arri> and YouTube<https://www.youtube.com/user/ARRIChannel>. Arnold & Richter Cine Technik GmbH & Co. Betriebs KG Sitz: München - Registergericht: Amtsgericht München - Handelsregisternummer: HRA 57918 Persönlich haftender Gesellschafter: Arnold & Richter Cine Technik GmbH Sitz: München - Registergericht: Amtsgericht München - Handelsregisternummer: HRB 54477 Geschäftsführer: Dr. Michael Neuhäuser; Stephan Schenk; Walter Trauninger; Markus Zeiler _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox