From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH 11/24] console: ratp: add security config option
Date: Wed, 20 Aug 2025 15:17:55 +0200 [thread overview]
Message-ID: <20250820-security-policies-v1-11-76fde70fdbd8@pengutronix.de> (raw)
In-Reply-To: <20250820-security-policies-v1-0-76fde70fdbd8@pengutronix.de>
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
For secure systems that disable the regular console, RATP should be
disabled as well, so add an option to do so.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
Sconfig | 1 +
common/Sconfig | 9 +++++++++
common/console.c | 4 +++-
common/ratp/ratp.c | 17 +++++++++++++++++
4 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/Sconfig b/Sconfig
index 93f5760ad96fdde7141c47e2680dc5f4bc142ca7..899a1fb5783fb79def32e5af160b39208fea2edc 100644
--- a/Sconfig
+++ b/Sconfig
@@ -5,4 +5,5 @@ mainmenu "Barebox/$(ARCH) Security Configuration"
source "scripts/Sconfig.include"
source "security/Sconfig"
+source "common/Sconfig"
source "commands/Sconfig"
diff --git a/common/Sconfig b/common/Sconfig
new file mode 100644
index 0000000000000000000000000000000000000000..479ac5cdf2e560a638d39abbc9f91afe2edd7403
--- /dev/null
+++ b/common/Sconfig
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+menu "General Settings"
+
+config RATP
+ bool "Allow remote control via RATP"
+ depends on $(kconfig-enabled,CONSOLE_RATP)
+
+endmenu
diff --git a/common/console.c b/common/console.c
index dc552e4c5dacafd6649ee4ddea86084d0b7278ad..65e4f1f852243fa15d19e68d724cf340b950df06 100644
--- a/common/console.c
+++ b/common/console.c
@@ -5,6 +5,7 @@
*/
#include <config.h>
+#include <security/config.h>
#include <common.h>
#include <stdarg.h>
#include <malloc.h>
@@ -492,7 +493,8 @@ static int getc_raw(void)
if (cdev->tstc(cdev)) {
int ch = cdev->getc(cdev);
- if (IS_ENABLED(CONFIG_RATP) && ch == 0x01) {
+ if (IS_ENABLED(CONFIG_RATP) && ch == 0x01 &&
+ IS_ALLOWED(SCONFIG_RATP)) {
barebox_ratp(cdev);
return -1;
}
diff --git a/common/ratp/ratp.c b/common/ratp/ratp.c
index 2906f5a09098bd1aa61e7450a035a0e7b2327195..f2735fa885315f95b7a754d12de04c15b36fa822 100644
--- a/common/ratp/ratp.c
+++ b/common/ratp/ratp.c
@@ -14,6 +14,7 @@
#define pr_fmt(fmt) "barebox-ratp: " fmt
#include <common.h>
+#include <security/config.h>
#include <command.h>
#include <malloc.h>
#include <init.h>
@@ -46,6 +47,7 @@ struct ratp_ctx {
struct ratp_bb_pkt *fs_rx;
+ struct sconfig_notifier_block sconfig_notifier;
struct poller_struct poller;
struct work_queue wq;
@@ -456,11 +458,22 @@ static void ratp_work_cancel(struct work_struct *w)
free(rw);
}
+static void barebox_ratp_sconfig_update(struct sconfig_notifier_block *nb,
+ enum security_config_option opt,
+ bool allowed)
+{
+ if (!allowed && ratp_ctx)
+ ratp_unregister(ratp_ctx);
+}
+
int barebox_ratp(struct console_device *cdev)
{
int ret;
struct ratp_ctx *ctx;
+ if (!IS_ALLOWED(SCONFIG_RATP))
+ return -EPERM;
+
if (!cdev->getc || !cdev->putc)
return -EINVAL;
@@ -515,6 +528,10 @@ int barebox_ratp(struct console_device *cdev)
console_set_active(&ctx->ratp_console, CONSOLE_STDOUT | CONSOLE_STDERR |
CONSOLE_STDIN);
+ sconfig_register_handler_filtered(&ctx->sconfig_notifier,
+ barebox_ratp_sconfig_update,
+ SCONFIG_RATP);
+
return 0;
out:
--
2.39.5
next prev parent reply other threads:[~2025-08-20 14:32 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-20 13:17 [PATCH 00/24] Add security policy support Sascha Hauer
2025-08-20 13:17 ` [PATCH 01/24] kconfig: allow setting CONFIG_ from the outside Sascha Hauer
2025-08-20 13:17 ` [PATCH 02/24] scripts: include scripts/include for all host tools Sascha Hauer
2025-08-20 13:17 ` [PATCH 03/24] kbuild: implement loopable loop_cmd Sascha Hauer
2025-08-20 13:17 ` [PATCH 04/24] Add security policy support Sascha Hauer
2025-08-20 13:17 ` [PATCH 05/24] kbuild: allow security config use without source tree modification Sascha Hauer
2025-08-20 13:17 ` [PATCH 06/24] defaultenv: update PS1 according to security policy Sascha Hauer
2025-08-20 15:33 ` [PATCH] fixup! " Ahmad Fatoum
2025-08-20 13:17 ` [PATCH 07/24] security: policy: support externally provided configs Sascha Hauer
2025-08-20 13:17 ` [PATCH 08/24] commands: implement sconfig command Sascha Hauer
2025-08-20 13:17 ` [PATCH 09/24] docs: security-policies: add documentation Sascha Hauer
2025-08-20 13:17 ` [PATCH 10/24] commands: go: add security config option Sascha Hauer
2025-08-20 13:17 ` Sascha Hauer [this message]
2025-08-20 13:17 ` [PATCH 12/24] bootm: support calling bootm_optional_signed_images at any time Sascha Hauer
2025-08-20 13:17 ` [PATCH 13/24] bootm: make unsigned image support runtime configurable Sascha Hauer
2025-08-20 13:17 ` [PATCH 14/24] ARM: configs: add virt32_secure_defconfig Sascha Hauer
2025-08-20 13:17 ` [PATCH 15/24] boards: qemu-virt: add security policies Sascha Hauer
2025-08-21 6:57 ` Ahmad Fatoum
2025-08-21 14:15 ` Sascha Hauer
2025-08-21 14:22 ` Ahmad Fatoum
2025-08-20 13:18 ` [PATCH 16/24] boards: qemu-virt: allow setting policy from command line Sascha Hauer
2025-08-20 13:18 ` [PATCH 17/24] test: py: add basic security policy test Sascha Hauer
2025-08-20 13:18 ` [PATCH 18/24] usbserial: add inline wrappers Sascha Hauer
2025-08-20 13:18 ` [PATCH 19/24] security: usbgadget: add usbgadget security policy Sascha Hauer
2025-08-20 13:18 ` [PATCH 20/24] security: fastboot: add security policy for fastboot oem Sascha Hauer
2025-08-20 13:18 ` [PATCH 21/24] security: shell: add policy for executing the shell Sascha Hauer
2025-08-20 13:18 ` [PATCH 22/24] security: add security policy for loading barebox environment Sascha Hauer
2025-08-20 13:18 ` [PATCH 23/24] security: add filesystem security policies Sascha Hauer
2025-08-20 14:39 ` Ahmad Fatoum
2025-08-20 13:18 ` [PATCH 24/24] security: console: add security policy for console input Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250820-security-policies-v1-11-76fde70fdbd8@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox