[PATCH RFC 16/17] boards: qemu-virt: allow setting policy from command line

mail archive of the barebox mailing list
 help / color / mirror / Atom feed

From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH RFC 16/17] boards: qemu-virt: allow setting policy from command line
Date: Thu, 14 Aug 2025 15:07:01 +0200	[thread overview]
Message-ID: <20250814130702.4039241-17-a.fatoum@pengutronix.de> (raw)
In-Reply-To: <20250814130702.4039241-1-a.fatoum@pengutronix.de>

Security policies will normally be selected after consulting efuses,
secure boot status from the EEPROM or unlock tokens.

For easier experimentation in QEMU, allow setting the security policy
via the command line arguments, e.g.:

  pytest --bootarg barebox.security.policy=lockdown

Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 common/boards/qemu-virt/Makefile      |  2 +-
 common/boards/qemu-virt/board.c       |  3 ++
 common/boards/qemu-virt/commandline.c | 74 +++++++++++++++++++++++++++
 common/boards/qemu-virt/commandline.h |  9 ++++
 test/arm/virt32_secure_defconfig.yaml |  1 +
 5 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 common/boards/qemu-virt/commandline.c
 create mode 100644 common/boards/qemu-virt/commandline.h

diff --git a/common/boards/qemu-virt/Makefile b/common/boards/qemu-virt/Makefile
index 2caa6a20c522..7e1440aecff0 100644
--- a/common/boards/qemu-virt/Makefile
+++ b/common/boards/qemu-virt/Makefile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
-obj-y += board.o
+obj-y += board.o commandline.o
 obj-y += qemu-virt-flash.dtbo.o fitimage-pubkey.dtb.o
 ifeq ($(CONFIG_RISCV),y)
 DTC_CPP_FLAGS_qemu-virt-flash.dtbo := -DCONFIG_RISCV
diff --git a/common/boards/qemu-virt/board.c b/common/boards/qemu-virt/board.c
index 6f88f24b0690..6ad354218927 100644
--- a/common/boards/qemu-virt/board.c
+++ b/common/boards/qemu-virt/board.c
@@ -9,6 +9,7 @@
 #include <deep-probe.h>
 #include <security/policy.h>
 #include "qemu-virt-flash.h"
+#include "commandline.h"
 
 #ifdef CONFIG_64BIT
 #define MACHINE "virt64"
@@ -91,6 +92,8 @@ static int virt_board_driver_init(void)
 	 * so the test suite can exercise CONFIG_SECURITY_POLICY_PATH.
 	 */
 
+	qemu_virt_parse_commandline(root);
+
 	return 0;
 }
 postcore_initcall(virt_board_driver_init);
diff --git a/common/boards/qemu-virt/commandline.c b/common/boards/qemu-virt/commandline.c
new file mode 100644
index 000000000000..16e4750e123d
--- /dev/null
+++ b/common/boards/qemu-virt/commandline.c
@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+
+#define pr_fmt(fmt) "qemu-virt-commandline: " fmt
+
+#include <linux/parser.h>
+#include <of.h>
+#include <string.h>
+#include <security/policy.h>
+#include <xfuncs.h>
+#include <stdio.h>
+#include "commandline.h"
+
+enum {
+	/* String options */
+	Opt_policy,
+	/* Error token */
+	Opt_err
+};
+
+static const match_table_t tokens = {
+	{Opt_policy, "barebox.security.policy=%s"},
+	{Opt_err, NULL}
+};
+
+int qemu_virt_parse_commandline(struct device_node *np)
+{
+	const char *bootargs;
+	char *p, *options, *tmp_options, *policy = NULL;
+	substring_t args[MAX_OPT_ARGS];
+	int ret;
+
+	np = of_get_child_by_name(np, "chosen");
+	if (!np)
+		return -ENOENT;
+
+	ret = of_property_read_string(np, "bootargs", &bootargs);
+	if (ret < 0)
+		return 0;
+
+	options = tmp_options = xstrdup(bootargs);
+
+	while ((p = strsep(&options, " ")) != NULL) {
+		int token;
+
+		if (!*p)
+			continue;
+
+		token = match_token(p, tokens, args);
+		switch (token) {
+		case Opt_policy:
+			if (!IS_ENABLED(CONFIG_SECURITY_POLICY)) {
+				pr_err("CONFIG_SECURITY_POLICY support is missing\n");
+				continue;
+			}
+
+			policy = match_strdup(&args[0]);
+			if (!policy) {
+				ret = -ENOMEM;
+				goto out;
+			}
+			ret = security_policy_select(policy);
+			if (ret)
+				goto out;
+		default:
+			continue;
+		}
+	}
+
+	ret = 0;
+out:
+	free(policy);
+	free(tmp_options);
+	return ret;
+}
diff --git a/common/boards/qemu-virt/commandline.h b/common/boards/qemu-virt/commandline.h
new file mode 100644
index 000000000000..8759784e07c5
--- /dev/null
+++ b/common/boards/qemu-virt/commandline.h
@@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+#ifndef QEMU_VIRT_COMMANDLINE_H_
+#define QEMU_VIRT_COMMANDLINE_H_
+
+struct device_node;
+
+int qemu_virt_parse_commandline(struct device_node *root);
+
+#endif
diff --git a/test/arm/virt32_secure_defconfig.yaml b/test/arm/virt32_secure_defconfig.yaml
index 618cb6a0fb05..a1537c634811 100644
--- a/test/arm/virt32_secure_defconfig.yaml
+++ b/test/arm/virt32_secure_defconfig.yaml
@@ -7,6 +7,7 @@ targets:
         cpu: cortex-a7
         memory: 1024M
         kernel: barebox-dt-2nd.img
+        boot_args: barebox.security.policy=devel
         display: qemu-default
       BareboxDriver:
         prompt: 'barebox@[^:]+:[^ ]+ '
-- 
2.39.5

next prev parent reply	other threads:[~2025-08-14 14:12 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-14 13:06 [PATCH RFC 00/17] Add security policy support Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 01/17] kconfig: allow setting CONFIG_ from the outside Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 02/17] scripts: include scripts/include for all host tools Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 03/17] kbuild: implement loopable loop_cmd Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 04/17] Add security policy support Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 05/17] kbuild: allow security config use without source tree modification Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 06/17] defaultenv: update PS1 according to security policy Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 07/17] security: policy: support externally provided configs Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 08/17] commands: implement sconfig command Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 09/17] docs: security-policies: add documentation Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 10/17] commands: go: add security config option Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 11/17] console: ratp: " Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 12/17] bootm: support calling bootm_optional_signed_images at any time Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 13/17] bootm: make unsigned image support runtime configurable Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 14/17] ARM: configs: add virt32_secure_defconfig Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 15/17] boards: qemu-virt: add security policies Ahmad Fatoum
2025-08-14 13:07 ` Ahmad Fatoum [this message]
2025-08-14 13:07 ` [PATCH RFC 17/17] test: py: add basic security policy test Ahmad Fatoum

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250814130702.4039241-17-a.fatoum@pengutronix.de \
    --to=a.fatoum@pengutronix.de \
    --cc=barebox@lists.infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox