From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Cc: Ahmad Fatoum <a.fatoum@barebox.org>,
	Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH 00/24] Add security policy support
Date: Wed, 20 Aug 2025 15:17:44 +0200
Message-ID: <20250820-security-policies-v1-0-76fde70fdbd8@pengutronix.de>

Security policies are a mechanism for barebox to prevent, when so
desired, security relevant code from being executed.

Security policies are controlled via a second Kconfig menu structure
(called Sconfig) which collects security relevant options.

While the normal Kconfig menu structure is about feature support
enabled at compile time, a security policy determines whether a
feature is allowed or prohibited at runtime with an explicit focus
on security.

Except for a security policy's name, all security options are
boolean and control whether a built-in feature is allowed:

  config FASTBOOT_CMD_BASE
        bool
        prompt "Allow fastboot flash/erase commands"
        depends on $(kconfig-enabled,FASTBOOT_BASE)
        help
          This option enables the fastboot "flash" and "erase" commands.

The depends directive ensures the option is hidden when Fastboot support
isn't compiled in anyway. Otherwise, enabling the option should permit
normal operation as if the security policy support was disabled.

Disabling the option will have the relevant functions return early,
often with a permission denied error.

Checking the state of a security config option is done with the
IS_ALLOWED macro. The macro evaluates to true if the option is
defined and enabled in the active security policy and false otherwise.

A partial manipulation of the active security policy is not desirable
as it makes security posture at runtime harder to reason about.

It's expected that boards will define a fixed set of policies,
e.g. devel, factory, lockdown and then consult eFuses or JSON web tokens
to determine which policy is to be applied.

Some precautions have been made to make sure the security policies have
been reviewed and changes to the security options do not go through
unnoticed during barebox updates: Automatic config updates are
prohibited, so if new options are not present or the other way round,
the build will just fail. The user is expected to run e.g.
make security_olddefconfig to explicitly sync the configuration and
commit the changes.

Changes in v1:
- Link to RFC:
  https://lore.kernel.org/all/20250814130702.4039241-1-a.fatoum@pengutronix.de/
- Add more actual security policies
- Fix some typos in Documentation
- Catch invalid policy names in sconfig command

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Ahmad Fatoum (16):
      kconfig: allow setting CONFIG_ from the outside
      scripts: include scripts/include for all host tools
      kbuild: implement loopable loop_cmd
      Add security policy support
      kbuild: allow security config use without source tree modification
      defaultenv: update PS1 according to security policy
      security: policy: support externally provided configs
      docs: security-policies: add documentation
      commands: go: add security config option
      console: ratp: add security config option
      bootm: support calling bootm_optional_signed_images at any time
      bootm: make unsigned image support runtime configurable
      ARM: configs: add virt32_secure_defconfig
      boards: qemu-virt: add security policies
      boards: qemu-virt: allow setting policy from command line
      test: py: add basic security policy test

Sascha Hauer (8):
      commands: implement sconfig command
      usbserial: add inline wrappers
      security: usbgadget: add usbgadget security policy
      security: fastboot: add security policy for fastboot oem
      security: shell: add policy for executing the shell
      security: add security policy for loading barebox environment
      security: add filesystem security policies
      security: console: add security policy for console input

 .gitignore                                         |   4 +
 Documentation/devel/devel.rst                      |   1 +
 Documentation/devel/security-policies.rst          |  96 ++++
 Documentation/user/defaultenv-2.rst                |   2 +
 Documentation/user/security-policies.rst           | 121 +++++
 Documentation/user/user-manual.rst                 |   1 +
 Makefile                                           |  81 +++-
 Sconfig                                            |  11 +
 arch/arm/configs/virt32_secure_defconfig           | 302 ++++++++++++
 commands/Kconfig                                   |  23 +
 commands/Makefile                                  |   1 +
 commands/Sconfig                                   |  12 +
 commands/go.c                                      |   4 +
 commands/sconfig.c                                 | 227 +++++++++
 common/Kconfig                                     |   5 +
 common/Sconfig                                     |  63 +++
 common/boards/qemu-virt/Makefile                   |   5 +-
 common/boards/qemu-virt/board.c                    |  11 +
 common/boards/qemu-virt/commandline.c              |  74 +++
 common/boards/qemu-virt/commandline.h              |   9 +
 common/boards/qemu-virt/qemu-virt-factory.sconfig  |  24 +
 common/boards/qemu-virt/qemu-virt-lockdown.sconfig |  24 +
 common/bootm.c                                     |  58 ++-
 common/console.c                                   |  15 +-
 common/console_simple.c                            |  11 +
 common/environment.c                               |   6 +
 common/fastboot.c                                  |   6 +
 common/hush.c                                      |  13 +
 common/parser.c                                    |   7 +
 common/ratp/ratp.c                                 |  17 +
 common/usbgadget.c                                 |  26 +
 defaultenv/Makefile                                |   1 +
 .../defaultenv-2-security-policy/bin/ps1-policy    |  20 +
 .../defaultenv-2-security-policy/init/ps1-policy   |   1 +
 .../init/source-colors                             |   1 +
 defaultenv/defaultenv.c                            |   2 +
 drivers/usb/gadget/Sconfig                         |  11 +
 drivers/usb/gadget/composite.c                     |   4 +
 drivers/usb/gadget/legacy/serial.c                 |   4 +
 fs/9p/vfs_super.c                                  |   4 +
 fs/Sconfig                                         |  76 +++
 fs/cramfs/cramfs.c                                 |   4 +
 fs/efi.c                                           |   4 +
 fs/efivarfs.c                                      |   4 +
 fs/ext4/ext_barebox.c                              |   5 +
 fs/fat/fat.c                                       |   5 +
 fs/jffs2/fs.c                                      |   5 +
 fs/nfs.c                                           |   6 +
 fs/pstore/ram.c                                    |   4 +
 fs/qemu_fw_cfg.c                                   |   6 +
 fs/smhfs.c                                         |   5 +
 fs/squashfs/squashfs.c                             |   4 +
 fs/tftp.c                                          |   6 +
 fs/ubifs/ubifs.c                                   |   6 +
 fs/ubootvarfs.c                                    |   6 +
 fs/uimagefs.c                                      |   4 +
 include/linux/usb/usbserial.h                      |  11 +
 include/security/config.h                          |  76 +++
 include/security/defs.h                            |  22 +
 include/security/policy.h                          |  54 +++
 scripts/Kbuild.include                             |  41 ++
 scripts/Makefile                                   |   1 -
 scripts/Makefile.build                             |  18 +-
 scripts/Makefile.lib                               |  47 ++
 scripts/Makefile.policy                            |  43 ++
 scripts/Sconfig.include                            |   6 +
 scripts/basic/.gitignore                           |   1 +
 scripts/basic/Makefile                             |   4 +-
 scripts/basic/sconfigpost.c                        | 540 +++++++++++++++++++++
 scripts/include/list.h                             |   7 +
 scripts/kconfig/Makefile                           |   3 +
 scripts/kconfig/list.h                             | 132 -----
 security/Kconfig                                   |   2 +
 security/Kconfig.policy                            | 101 ++++
 security/Makefile                                  |  39 ++
 security/Sconfig                                   |  42 ++
 security/policy.c                                  | 246 ++++++++++
 security/qemu-virt-devel.sconfig                   |  24 +
 security/qemu-virt-tamper.sconfig                  |  24 +
 security/sconfig_names.c                           |  18 +
 test/arm/virt32_secure_defconfig.yaml              |  22 +
 test/py/test_policies.py                           |  49 ++
 82 files changed, 2875 insertions(+), 156 deletions(-)
---
base-commit: 284e9d9c4a7d3037c8cf97acc63c6153a83f8652
change-id: 20250820-security-policies-43f73477d321

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>
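A self-contained model of the mechanism the cover letter describes (a fixed set of whole policies selected by board code, an IS_ALLOWED-style check, and guarded functions that return early with a permission denied error), added here as an example and not code from the patch series. The policy and option names, the is_allowed() stand-in for the real macro, and the fail-closed behaviour before any policy is selected are assumptions of this example.

```c
/* Added example modelling barebox security policies; not from the series.
 * Policy names, option names and the fail-closed default are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Boolean security options, in the spirit of Sconfig symbols like FASTBOOT_CMD_BASE. */
enum sec_opt { SEC_FASTBOOT_CMD_BASE, SEC_SHELL, SEC_UNSIGNED_IMAGES, SEC_NUM_OPTS };

/* A policy is a complete, fixed set of option values. It is applied as a whole;
 * individual options are never toggled at runtime. */
struct policy {
	const char *name;
	bool allowed[SEC_NUM_OPTS];
};

static const struct policy policies[] = {
	{ "devel",    { [SEC_FASTBOOT_CMD_BASE] = true,  [SEC_SHELL] = true,  [SEC_UNSIGNED_IMAGES] = true  } },
	{ "factory",  { [SEC_FASTBOOT_CMD_BASE] = true,  [SEC_SHELL] = false, [SEC_UNSIGNED_IMAGES] = false } },
	{ "lockdown", { [SEC_FASTBOOT_CMD_BASE] = false, [SEC_SHELL] = false, [SEC_UNSIGNED_IMAGES] = false } },
};

static const struct policy *active; /* NULL until board code selects a policy */

/* Board code calls this after consulting e.g. an eFuse or a token.
 * Unknown policy names are rejected and leave the active policy unchanged. */
int security_policy_select(const char *name)
{
	for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++) {
		if (!strcmp(policies[i].name, name)) {
			active = &policies[i];
			return 0;
		}
	}
	return -ENOENT;
}

/* Stand-in for IS_ALLOWED: true only if a policy is active and permits the option.
 * With no policy selected, nothing is allowed (fails closed; assumption of this model). */
static bool is_allowed(enum sec_opt opt)
{
	return active && active->allowed[opt];
}

/* A guarded feature: returns early with -EPERM when the policy denies it. */
int fastboot_cmd_flash(const char *part)
{
	if (!is_allowed(SEC_FASTBOOT_CMD_BASE))
		return -EPERM;
	printf("flashing %s\n", part);
	return 0;
}
```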