From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH RFC 13/17] bootm: make unsigned image support runtime configurable
Date: Thu, 14 Aug 2025 15:06:58 +0200 [thread overview]
Message-ID: <20250814130702.4039241-14-a.fatoum@pengutronix.de> (raw)
In-Reply-To: <20250814130702.4039241-1-a.fatoum@pengutronix.de>
To allow runtime unlocking of a device via security policies, add a new
SCONFIG_BOOT_UNSIGNED_IMAGES option and consult it.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
common/Sconfig | 15 +++++++++++++++
common/bootm.c | 26 +++++++++++++++++++++++++-
2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/common/Sconfig b/common/Sconfig
index 479ac5cdf2e5..edbc4bc028af 100644
--- a/common/Sconfig
+++ b/common/Sconfig
@@ -7,3 +7,18 @@ config RATP
depends on $(kconfig-enabled,CONSOLE_RATP)
endmenu
+
+menu "Boot Policy"
+
+config BOOT_UNSIGNED_IMAGES
+ bool "Allow booting unsigned images"
+ depends on $(kconfig-enabled,BOOTM_OPTIONAL_SIGNED_IMAGES)
+ help
+ Say y here if you want to allow booting of images with
+ an invalid signature or no signature at all.
+
+ Systems with verified boot chains should say y here
+ or force it at compile time irrespective of policy
+ with CONFIG_BOOTM_FORCE_SIGNED_IMAGES
+
+endmenu
diff --git a/common/bootm.c b/common/bootm.c
index 5c129cd4b579..c417e760595a 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -16,8 +16,10 @@
#include <magicvar.h>
#include <uncompress.h>
#include <zero_page.h>
+#include <security/config.h>
static LIST_HEAD(handler_list);
+static struct sconfig_notifier_block sconfig_notifier;
static __maybe_unused struct bootm_overrides bootm_overrides;
@@ -114,6 +116,13 @@ static const char * const bootm_verify_names[] = {
[BOOTM_VERIFY_SIGNATURE] = "signature",
};
+/*
+ * There's three ways to influence whether signed images are forced:
+ * 1) CONFIG_BOOTM_FORCE_SIGNED_IMAGES: forced at compile time
+ * 2) SCONFIG_BOOT_UNSIGNED_IMAGES: determined by the active security policy
+ * 3) bootm_force_signed_images(): forced dynamically by board code.
+ * will be deprecated in favor of 2)
+ */
static bool force_signed_images = IS_ENABLED(CONFIG_BOOTM_FORCE_SIGNED_IMAGES);
static void bootm_optional_signed_images(void)
@@ -141,6 +150,16 @@ static void bootm_require_signed_images(void)
bootm_verify_mode = BOOTM_VERIFY_SIGNATURE;
}
+static void bootm_unsigned_sconfig_update(struct sconfig_notifier_block *nb,
+ enum security_config_option opt,
+ bool allowed)
+{
+ if (!allowed)
+ bootm_require_signed_images();
+ else
+ bootm_optional_signed_images();
+}
+
void bootm_force_signed_images(void)
{
bootm_require_signed_images();
@@ -149,7 +168,7 @@ void bootm_force_signed_images(void)
bool bootm_signed_images_are_forced(void)
{
- return force_signed_images;
+ return force_signed_images || !IS_ALLOWED(SCONFIG_BOOT_UNSIGNED_IMAGES);
}
static int uimage_part_num(const char *partname)
@@ -1098,6 +1117,11 @@ static int bootm_init(void)
else
bootm_optional_signed_images();
+ sconfig_register_handler_filtered(&sconfig_notifier,
+ bootm_unsigned_sconfig_update,
+ SCONFIG_BOOT_UNSIGNED_IMAGES);
+
+
if (IS_ENABLED(CONFIG_ROOTWAIT_BOOTARG))
globalvar_add_simple_int("linux.rootwait",
&linux_rootwait_secs, "%d");
--
2.39.5
next prev parent reply other threads:[~2025-08-14 15:16 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-14 13:06 [PATCH RFC 00/17] Add security policy support Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 01/17] kconfig: allow setting CONFIG_ from the outside Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 02/17] scripts: include scripts/include for all host tools Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 03/17] kbuild: implement loopable loop_cmd Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 04/17] Add security policy support Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 05/17] kbuild: allow security config use without source tree modification Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 06/17] defaultenv: update PS1 according to security policy Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 07/17] security: policy: support externally provided configs Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 08/17] commands: implement sconfig command Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 09/17] docs: security-policies: add documentation Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 10/17] commands: go: add security config option Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 11/17] console: ratp: " Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 12/17] bootm: support calling bootm_optional_signed_images at any time Ahmad Fatoum
2025-08-14 13:06 ` Ahmad Fatoum [this message]
2025-08-14 13:06 ` [PATCH RFC 14/17] ARM: configs: add virt32_secure_defconfig Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 15/17] boards: qemu-virt: add security policies Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 16/17] boards: qemu-virt: allow setting policy from command line Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 17/17] test: py: add basic security policy test Ahmad Fatoum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250814130702.4039241-14-a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox