From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH master 1/3] common: introduce CONFIG_HAS_INSECURE_DEFAULT
Date: Fri, 14 Feb 2025 15:23:54 +0100	[thread overview]
Message-ID: <20250214142356.3624561-1-a.fatoum@pengutronix.de> (raw)

Unlike the functionality controlled by CONFIG_INSECURE, most
functionality in barebox is not as clear-cut: in secure systems, it's
better to turn the option off at build time, but with enough care, board
code may instead keep the option and disable the functionality at runtime.

To help with securing barebox, let's identify these options that need a
more thorough look by having them select HAS_INSECURE_DEFAULT.

In the future, we will start selecting HAS_INSECURE_DEFAULT when
hardening options are missing. We may also drop HAS_INSECURE_DEFAULT
again from options that are changed to minimize potential for abuse.

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 common/Kconfig        | 49 ++++++++++++++++++++++++++++++++++++++++---
 lib/Kconfig.hardening |  6 ++++++
 net/Kconfig           |  4 ++++
 3 files changed, 56 insertions(+), 3 deletions(-)

diff --git a/common/Kconfig b/common/Kconfig
index 0ce99e98286c..fc29d1ca9427 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -149,9 +149,20 @@ config LOCALVERSION_AUTO
 
 	  which is done within the script "scripts/setlocalversion".)
 
+config HAS_INSECURE_DEFAULT
+	bool
+	help
+	  This is selected by options that have potentially insecure defaults.
+	  Extra care needs to be taken when these options are not disabled
+	  in secure booted systems.
+
+	  Any option selecting this should include in its help text
+	  an explanation of the security considerations.
+
 config INSECURE
 	bool "enable convenient defaults that are unsuitable for secure-booting systems"
 	default y
+	select HAS_INSECURE_DEFAULT
 	help
 	  Say n here when barebox is part of a secure boot chain and you
 	  want to disable defaults that may compromise the boot chain.
@@ -344,13 +355,17 @@ endchoice
 config MODULES
 	depends on HAS_MODULES
 	depends on EXPERIMENTAL
+	select HAS_INSECURE_DEFAULT
 	bool "module support"
 	modules
 	help
 	  This option enables support for loadable modules via insmod. Module
 	  support is quite experimental at the moment. There is no convenient
 	  way to compile modules and the list of exported symbols to actually
-	  make use of modules is short to nonexistent
+	  make use of modules is short to nonexistent.
+
+	  As modules aren't be signed, loading external modules is not
+	  recommended for secure systems.
 
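Review bot: The new last sentence of the MODULES help text has a grammar slip, `As modules aren't be signed`; it should read `As modules can't be signed, loading external modules is not recommended for secure systems.` Since this help text is meant to be the security consideration that the HAS_INSECURE_DEFAULT help asks every selecting option to carry, it would also be worth stating the consequence, presumably that a loaded module executes with the full privileges of barebox itself, so an unsigned module is equivalent to an unsigned barebox.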
 config HAVE_MOD_ARCH_SPECIFIC
 	bool
@@ -750,6 +765,15 @@ config BOOTM_FORCE_SIGNED_IMAGES
 	  are refused to boot. Effectively this means only FIT images can be booted
 	  since they are the only supported image type that support signing.
 
+config BOOTM_OPTIONAL_SIGNED_IMAGES
+	def_bool !BOOTM_FORCE_SIGNED_IMAGES
+	select HAS_INSECURE_DEFAULT
+	help
+	  With this option enabled, barebox can be reconfigured to not verify signed
+	  images. It's the board code's responsibility to call the function
+	  bootm_force_signed_images() when secure booted to ensure that runtime
+	  reconfiguration is no longer possible.
+
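Review bot: `def_bool !BOOTM_FORCE_SIGNED_IMAGES` has no dependency of its own, so the new symbol is y in every configuration where BOOTM_FORCE_SIGNED_IMAGES is n, including ones without BOOTM at all (assuming BOOTM_FORCE_SIGNED_IMAGES depends on BOOTM, which this hunk does not show); such configurations would select HAS_INSECURE_DEFAULT although they cannot boot an image. Adding `depends on BOOTM` to BOOTM_OPTIONAL_SIGNED_IMAGES would limit the flag to the case the help text describes. The help text should also say when bootm_force_signed_images() has to be called, i.e. before any untrusted input (environment, console, fastboot) can reach bootm, since that ordering is what makes the runtime-lockdown scheme safe.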
 config BLSPEC
 	depends on FLEXIBLE_BOOTARGS
 	depends on !SHELL_NONE
@@ -964,6 +988,7 @@ source "common/partitions/Kconfig"
 
 config ENV_HANDLING
 	select CRC32
+	select HAS_INSECURE_DEFAULT
 	bool "Support environment files storage"
 	default y if !SHELL_NONE
 	help
@@ -972,6 +997,17 @@ config ENV_HANDLING
 	  the persistent environment, the "loadenv" command (also executed during
 	  startup) will bring them back. If unsure, say yes.
 
+	  As the environment is not cryptographically verified, an attacker with
+	  raw access to the environment storage may set any nv variable and
+	  inject shell scripts to be run by barebox.
+
+	  In general, secure systems should rely exclusively on the barebox
+	  built-in environment, disable the mutable environment and use the
+	  barebox-state framework for persisting a fixed set of variables.
+
+	  A safe use of the mutable environment may be possible if board code only
+	  mounts it after verifying a JSON Web Token that enables a debug mode.
+
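Review bot: The mitigation proposed in the last added paragraph, board code mounting the environment only after a JWT check, is incomplete as written: the paragraph above it says loadenv is also executed during startup, so unless that automatic load is disabled or ordered after the board-code check, the unverified environment is already applied before any gating happens. The help should state that the startup load must be suppressed as well, if that is how the debug-mode scheme is intended to work. A smaller wording point: `inject shell scripts to be run by barebox` could name when they run, e.g. `inject init scripts that barebox executes at startup`, if that matches how the environment is consumed.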
 config DEFAULT_ENVIRONMENT
 	select CRC32
 	bool
@@ -1271,8 +1307,9 @@ config OPTEE_SHM_SIZE
 config BOOTM_OPTEE
 	bool
 	prompt "support booting OP-TEE"
-	depends on BOOTM && ARM && 32BIT
+	depends on BOOTM && ARM32
 	select HAVE_OPTEE
+	select HAS_INSECURE_DEFAULT
 	help
 	  OP-TEE is a trusted execution environment (TEE). With this option
 	  enabled barebox supports starting optee_os as part of the bootm command.
@@ -1280,6 +1317,11 @@ config BOOTM_OPTEE
 	  the kernel in nonsecure mode. Pass the optee_os binary with the -t option
 	  or in the global.bootm.tee variable.
 
+	  This mode of late loading OP-TEE just before the kernel is deprecated
+	  in favor of early loading OP-TEE in the PBL (CONFIG_PBL_OPTEE).
+	  Early-loading greatly reduces the attack surface and is the only mode
+	  supported outside of ARMv7.
+
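Review bot: The added paragraph does not state the security consideration that the new `select HAS_INSECURE_DEFAULT` (per the HAS_INSECURE_DEFAULT help text) requires; `greatly reduces the attack surface` says early loading is better without saying what is at risk with late loading. Presumably the point is that the OP-TEE image passed via -t or global.bootm.tee is chosen by barebox proper and its variables, so whoever can influence that variable or image decides what runs in the secure world, and that only a signature-verified image should ever be used; if so, say that explicitly. Also, the dependency now reads `depends on BOOTM && ARM32` while the text says `only mode supported outside of ARMv7`; align the two so the help matches the Kconfig condition.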
 config PBL_OPTEE
 	bool "Enable OP-TEE early start"
 	depends on ARM
@@ -1307,9 +1349,10 @@ config FASTBOOT_SPARSE
 config FASTBOOT_CMD_OEM
 	bool
 	prompt "Enable OEM commands"
+	select HAS_INSECURE_DEFAULT
 	help
 	  This option enables the fastboot "oem" group of commands. They allow to
-	  executing arbitrary barebox commands and may be disabled in secure
+	  executing arbitrary barebox commands and should be disabled in secure
 	  environments.
 
 endmenu
diff --git a/lib/Kconfig.hardening b/lib/Kconfig.hardening
index 6457d24c7382..53d824af7615 100644
--- a/lib/Kconfig.hardening
+++ b/lib/Kconfig.hardening
@@ -1,5 +1,11 @@
 menu "Hardening options"
 
+if HAS_INSECURE_DEFAULT
+comment "This barebox configuration has CONFIG_HAS_INSECURE_DEFAULT=y indicating"
+comment "that some of the configured options have potentially insecure defaults."
+comment "Extra care needs to be in secure booted systems."
+endif
+
 config BUG_ON_DATA_CORRUPTION
 	bool "Trigger a BUG when data corruption is detected"
 	select DEBUG_LIST
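Review bot: The third comment line drops a word: `comment "Extra care needs to be in secure booted systems."` should be `comment "Extra care needs to be taken in secure booted systems."`. It would also help the reader to say how to find the options responsible, for instance a further line `comment "See 'Selected by' for HAS_INSECURE_DEFAULT in menuconfig to find them."`, since the banner itself cannot list them.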
diff --git a/net/Kconfig b/net/Kconfig
index 2491c497bdfc..fc70efb97aa8 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -31,9 +31,13 @@ config NET_NETCONSOLE
 	bool
 	depends on !CONSOLE_NONE
 	prompt "network console support"
+	select HAS_INSECURE_DEFAULT
 	help
 	  This option adds support for a simple udp based network console.
 
+	  This console's communication is not encrypted and is thus not
+	  suitable for use in untrusted networks.
+
 config NET_RESOLV
 	bool
 	prompt "dns support"
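Review bot: The new help text names confidentiality (`not encrypted`) as the problem, but for a console the more important property is that its input is unauthenticated: the hunk describes a simple UDP based console with no hint of any authentication, so anyone who can deliver UDP packets to the port can presumably type into the barebox shell. Suggest: `This console's traffic is neither encrypted nor authenticated: anyone able to send UDP packets to the network console can inject console input and thereby run arbitrary commands. It is thus not suitable for use in untrusted networks.`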
-- 
2.39.5



