From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from metis.ext.pengutronix.de ([2001:67c:670:201:290:27ff:fe1d:cc33]) by bombadil.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1itd7S-0003nT-Ip for barebox@lists.infradead.org; Mon, 20 Jan 2020 19:53:56 +0000 Date: Mon, 20 Jan 2020 20:53:51 +0100 From: Sascha Hauer Message-ID: <20200120195351.skm7ujz7yjr6mu32@pengutronix.de> References: <2198510.7r5C0NBLhF@n95hx1g2> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <2198510.7r5C0NBLhF@n95hx1g2> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "barebox" Errors-To: barebox-bounces+u.kleine-koenig=pengutronix.de@lists.infradead.org Subject: Re: Configuring for secure boot To: Christian Eggers Cc: barebox@lists.infradead.org Hi Christian, On Mon, Jan 20, 2020 at 05:38:36PM +0100, Christian Eggers wrote: > Board: phytec-som-imx6 > > I need to configure barebox in a way, that a malicious attacker can not break > into the system. It looks like I need to perform the following steps: > > 1. Enforce signature verification of FIT image > --> CONFIG_BOOTM_FORCE_SIGNED_IMAGES Yes. > > 2. Prevent manipulation of the saved environment in flash > --> Do not load any environment settings from flash, only use compiled in > default environment. > --> Remove / permanently disable "barebox,environment" node in device-tree? > --> Compile without CONFIG_OF_BAREBOX_DRIVERS? Disable CONFIG_ENV_HANDLING, that alone is sufficient. > > 3. Prevent access to the barebox shell > --> CONFIG_CMD_LOGIN? > --> CONFIG_SHELL_NONE? I wouldn't trust CONFIG_CMD_LOGIN that much. If you do, at least make sure to use a safe hash function for the password, i.e. not the default md5. Disabling the shell entirely with CONFIG_SHELL_NONE is the best you can do. This also forces you to program your boot process in C which helps you to get a well defined boot without diving into potentially unsafe shell commands. To state the obvious, you have to enable HAB support, sign your barebox images and burn the necessary fuses to forbid loading unsigned images. Sascha -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox