From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH 16/24] boards: qemu-virt: allow setting policy from command line
Date: Wed, 20 Aug 2025 15:18:00 +0200 [thread overview]
Message-ID: <20250820-security-policies-v1-16-76fde70fdbd8@pengutronix.de> (raw)
In-Reply-To: <20250820-security-policies-v1-0-76fde70fdbd8@pengutronix.de>
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
Security policies will normally be selected after consulting efuses,
secure boot status from the EEPROM or unlock tokens.
For easier experimentation in QEMU, allow setting the security policy
via the command line arguments, e.g.:
pytest --bootarg barebox.security.policy=lockdown
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
common/boards/qemu-virt/Makefile | 2 +-
common/boards/qemu-virt/board.c | 3 ++
common/boards/qemu-virt/commandline.c | 74 +++++++++++++++++++++++++++++++++++
common/boards/qemu-virt/commandline.h | 9 +++++
test/arm/virt32_secure_defconfig.yaml | 1 +
5 files changed, 88 insertions(+), 1 deletion(-)
diff --git a/common/boards/qemu-virt/Makefile b/common/boards/qemu-virt/Makefile
index 2caa6a20c522ac68fd629f38e51fdf1423db4b09..7e1440aecff08942269d60f5d221fc4e69e95ea6 100644
--- a/common/boards/qemu-virt/Makefile
+++ b/common/boards/qemu-virt/Makefile
@@ -1,6 +1,6 @@
# SPDX-License-Identifier: GPL-2.0-only
-obj-y += board.o
+obj-y += board.o commandline.o
obj-y += qemu-virt-flash.dtbo.o fitimage-pubkey.dtb.o
ifeq ($(CONFIG_RISCV),y)
DTC_CPP_FLAGS_qemu-virt-flash.dtbo := -DCONFIG_RISCV
diff --git a/common/boards/qemu-virt/board.c b/common/boards/qemu-virt/board.c
index 6f88f24b0690c2562b3b3718a56c9f5c46a4455a..6ad35421892703eea32a36a913bc92dbb44acc14 100644
--- a/common/boards/qemu-virt/board.c
+++ b/common/boards/qemu-virt/board.c
@@ -9,6 +9,7 @@
#include <deep-probe.h>
#include <security/policy.h>
#include "qemu-virt-flash.h"
+#include "commandline.h"
#ifdef CONFIG_64BIT
#define MACHINE "virt64"
@@ -91,6 +92,8 @@ static int virt_board_driver_init(void)
* so the test suite can exercise CONFIG_SECURITY_POLICY_PATH.
*/
+ qemu_virt_parse_commandline(root);
+
return 0;
}
postcore_initcall(virt_board_driver_init);
diff --git a/common/boards/qemu-virt/commandline.c b/common/boards/qemu-virt/commandline.c
new file mode 100644
index 0000000000000000000000000000000000000000..16e4750e123dee69c612de52c855889372f2cbc3
--- /dev/null
+++ b/common/boards/qemu-virt/commandline.c
@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+
+#define pr_fmt(fmt) "qemu-virt-commandline: " fmt
+
+#include <linux/parser.h>
+#include <of.h>
+#include <string.h>
+#include <security/policy.h>
+#include <xfuncs.h>
+#include <stdio.h>
+#include "commandline.h"
+
+enum {
+ /* String options */
+ Opt_policy,
+ /* Error token */
+ Opt_err
+};
+
+static const match_table_t tokens = {
+ {Opt_policy, "barebox.security.policy=%s"},
+ {Opt_err, NULL}
+};
+
+int qemu_virt_parse_commandline(struct device_node *np)
+{
+ const char *bootargs;
+ char *p, *options, *tmp_options, *policy = NULL;
+ substring_t args[MAX_OPT_ARGS];
+ int ret;
+
+ np = of_get_child_by_name(np, "chosen");
+ if (!np)
+ return -ENOENT;
+
+ ret = of_property_read_string(np, "bootargs", &bootargs);
+ if (ret < 0)
+ return 0;
+
+ options = tmp_options = xstrdup(bootargs);
+
+ while ((p = strsep(&options, " ")) != NULL) {
+ int token;
+
+ if (!*p)
+ continue;
+
+ token = match_token(p, tokens, args);
+ switch (token) {
+ case Opt_policy:
+ if (!IS_ENABLED(CONFIG_SECURITY_POLICY)) {
+ pr_err("CONFIG_SECURITY_POLICY support is missing\n");
+ continue;
+ }
+
+ policy = match_strdup(&args[0]);
+ if (!policy) {
+ ret = -ENOMEM;
+ goto out;
+ }
+ ret = security_policy_select(policy);
+ if (ret)
+ goto out;
+ default:
+ continue;
+ }
+ }
+
+ ret = 0;
+out:
+ free(policy);
+ free(tmp_options);
+ return ret;
+}
diff --git a/common/boards/qemu-virt/commandline.h b/common/boards/qemu-virt/commandline.h
new file mode 100644
index 0000000000000000000000000000000000000000..8759784e07c57e3492dbabaa8ab9b4d50cc6f73a
--- /dev/null
+++ b/common/boards/qemu-virt/commandline.h
@@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+#ifndef QEMU_VIRT_COMMANDLINE_H_
+#define QEMU_VIRT_COMMANDLINE_H_
+
+struct device_node;
+
+int qemu_virt_parse_commandline(struct device_node *root);
+
+#endif
diff --git a/test/arm/virt32_secure_defconfig.yaml b/test/arm/virt32_secure_defconfig.yaml
index 618cb6a0fb05a4703c1fe25e159a257ed775d7c8..a1537c634811d10957b7fd0cc49d6b66c1b80e06 100644
--- a/test/arm/virt32_secure_defconfig.yaml
+++ b/test/arm/virt32_secure_defconfig.yaml
@@ -7,6 +7,7 @@ targets:
cpu: cortex-a7
memory: 1024M
kernel: barebox-dt-2nd.img
+ boot_args: barebox.security.policy=devel
display: qemu-default
BareboxDriver:
prompt: 'barebox@[^:]+:[^ ]+ '
--
2.39.5
next prev parent reply other threads:[~2025-08-20 14:32 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-20 13:17 [PATCH 00/24] Add security policy support Sascha Hauer
2025-08-20 13:17 ` [PATCH 01/24] kconfig: allow setting CONFIG_ from the outside Sascha Hauer
2025-08-20 13:17 ` [PATCH 02/24] scripts: include scripts/include for all host tools Sascha Hauer
2025-08-20 13:17 ` [PATCH 03/24] kbuild: implement loopable loop_cmd Sascha Hauer
2025-08-20 13:17 ` [PATCH 04/24] Add security policy support Sascha Hauer
2025-08-20 13:17 ` [PATCH 05/24] kbuild: allow security config use without source tree modification Sascha Hauer
2025-08-20 13:17 ` [PATCH 06/24] defaultenv: update PS1 according to security policy Sascha Hauer
2025-08-20 15:33 ` [PATCH] fixup! " Ahmad Fatoum
2025-08-20 13:17 ` [PATCH 07/24] security: policy: support externally provided configs Sascha Hauer
2025-08-20 13:17 ` [PATCH 08/24] commands: implement sconfig command Sascha Hauer
2025-08-20 13:17 ` [PATCH 09/24] docs: security-policies: add documentation Sascha Hauer
2025-08-20 13:17 ` [PATCH 10/24] commands: go: add security config option Sascha Hauer
2025-08-20 13:17 ` [PATCH 11/24] console: ratp: " Sascha Hauer
2025-08-20 13:17 ` [PATCH 12/24] bootm: support calling bootm_optional_signed_images at any time Sascha Hauer
2025-08-20 13:17 ` [PATCH 13/24] bootm: make unsigned image support runtime configurable Sascha Hauer
2025-08-20 13:17 ` [PATCH 14/24] ARM: configs: add virt32_secure_defconfig Sascha Hauer
2025-08-20 13:17 ` [PATCH 15/24] boards: qemu-virt: add security policies Sascha Hauer
2025-08-21 6:57 ` Ahmad Fatoum
2025-08-21 14:15 ` Sascha Hauer
2025-08-21 14:22 ` Ahmad Fatoum
2025-08-20 13:18 ` Sascha Hauer [this message]
2025-08-20 13:18 ` [PATCH 17/24] test: py: add basic security policy test Sascha Hauer
2025-08-20 13:18 ` [PATCH 18/24] usbserial: add inline wrappers Sascha Hauer
2025-08-20 13:18 ` [PATCH 19/24] security: usbgadget: add usbgadget security policy Sascha Hauer
2025-08-20 13:18 ` [PATCH 20/24] security: fastboot: add security policy for fastboot oem Sascha Hauer
2025-08-20 13:18 ` [PATCH 21/24] security: shell: add policy for executing the shell Sascha Hauer
2025-08-20 13:18 ` [PATCH 22/24] security: add security policy for loading barebox environment Sascha Hauer
2025-08-20 13:18 ` [PATCH 23/24] security: add filesystem security policies Sascha Hauer
2025-08-20 14:39 ` Ahmad Fatoum
2025-08-20 13:18 ` [PATCH 24/24] security: console: add security policy for console input Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250820-security-policies-v1-16-76fde70fdbd8@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox