On Tue, Jan 21, 2020 at 11:52:02AM +0100, Ahmad Fatoum wrote: > Hello, > > On 1/20/20 8:53 PM, Sascha Hauer wrote: > > Disabling the shell entirely with CONFIG_SHELL_NONE is the best you can > > do. This also forces you to program your boot process in C which helps > > you to get a well defined boot without diving into potentially unsafe > > shell commands. > > > > To state the obvious, you have to enable HAB support, sign your barebox > > images and burn the necessary fuses to forbid loading unsigned images. > > I think it would be great to have a CONFIG_LOCKDOWN option that has inverse > dependencies on the stuff that should not be enabled and normal dependencies > on the stuff that should be. Such a CONFIG_LOCKDOWN barebox can then be used in > secure boot scenarios or for fuzzing efforts. > > Thoughts? I don't think this is feasible. There are too many different expectations what is secure and what is not. loadenv/saveenv might be desired at some point (at least when we add signing support), for others it's a no-go. Some accept the potential security risk of having a shell, others don't. You might want to build a device which can boot in a secure mode with signed kernels only, or alternatively any other kernel after dropping the security privileges in the CAAM or whatever. That's just some examples off the top of my head, there are surely more. Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox