From: Sascha Hauer <s.hauer@pengutronix.de>
To: Christian Eggers <ceggers@arri.de>
Cc: barebox@lists.infradead.org
Subject: Re: Configuring for secure boot
Date: Mon, 20 Jan 2020 20:53:51 +0100 [thread overview]
Message-ID: <20200120195351.skm7ujz7yjr6mu32@pengutronix.de> (raw)
In-Reply-To: <2198510.7r5C0NBLhF@n95hx1g2>
Hi Christian,
On Mon, Jan 20, 2020 at 05:38:36PM +0100, Christian Eggers wrote:
> Board: phytec-som-imx6
>
> I need to configure barebox in a way, that a malicious attacker can not break
> into the system. It looks like I need to perform the following steps:
>
> 1. Enforce signature verification of FIT image
> --> CONFIG_BOOTM_FORCE_SIGNED_IMAGES
Yes.
>
> 2. Prevent manipulation of the saved environment in flash
> --> Do not load any environment settings from flash, only use compiled in
> default environment.
> --> Remove / permanently disable "barebox,environment" node in device-tree?
> --> Compile without CONFIG_OF_BAREBOX_DRIVERS?
Disable CONFIG_ENV_HANDLING, that alone is sufficient.
>
> 3. Prevent access to the barebox shell
> --> CONFIG_CMD_LOGIN?
> --> CONFIG_SHELL_NONE?
I wouldn't trust CONFIG_CMD_LOGIN that much. If you do, at least make
sure to use a safe hash function for the password, i.e. not the default
md5.
Disabling the shell entirely with CONFIG_SHELL_NONE is the best you can
do. This also forces you to program your boot process in C which helps
you to get a well defined boot without diving into potentially unsafe
shell commands.
To state the obvious, you have to enable HAB support, sign your barebox
images and burn the necessary fuses to forbid loading unsigned images.
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2020-01-20 19:53 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-20 16:38 Christian Eggers
2020-01-20 19:53 ` Sascha Hauer [this message]
2020-01-21 10:52 ` Ahmad Fatoum
2020-01-21 11:11 ` Sascha Hauer
2020-01-23 10:29 ` Configuring for secure boot / Using bootchooser Christian Eggers
2020-01-27 10:07 ` Sascha Hauer
2020-01-27 10:18 ` [RFC PATCH] bootm: Register as bootentry provider Christian Eggers
2020-01-27 12:49 ` Sascha Hauer
2020-01-27 19:26 ` Christian Eggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200120195351.skm7ujz7yjr6mu32@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=ceggers@arri.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox