Re: Configuring for secure boot

On Tue, Jan 21, 2020 at 11:52:02AM +0100, Ahmad Fatoum wrote:
> Hello,
> 
> On 1/20/20 8:53 PM, Sascha Hauer wrote:
> > Disabling the shell entirely with CONFIG_SHELL_NONE is the best you can
> > do. This also forces you to program your boot process in C which helps
> > you to get a well defined boot without diving into potentially unsafe
> > shell commands.
> > 
> > To state the obvious, you have to enable HAB support, sign your barebox
> > images and burn the necessary fuses to forbid loading unsigned images.
> 
> I think it would be great to have a CONFIG_LOCKDOWN option that has inverse
> dependencies on the stuff that should not be enabled and normal dependencies
> on the stuff that should be. Such a CONFIG_LOCKDOWN barebox can then be used in
> secure boot scenarios or for fuzzing efforts.
> 
> Thoughts?

I don't think this is feasible. There are too many different expectations
of what is secure and what is not. loadenv/saveenv might be desired at some
point (at least when we add signing support); for others it's a no-go.
Some accept the potential security risk of having a shell, others don't.
You might want to build a device which can boot in a secure mode with
signed kernels only, or alternatively any other kernel after dropping
the security privileges in the CAAM or whatever. Those are just some
examples off the top of my head; there are surely more.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
