[PATCH 24/24] security: console: add security policy for console input

[Sascha Hauer <s.hauer@pengutronix.de>]

Disabling the input path of the console is the safest bet to make
barebox fully non interactive. Add a security policy for this case.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 common/Sconfig          | 11 ++++++++++-
 common/console.c        |  6 ++++++
 common/console_simple.c |  6 ++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/common/Sconfig b/common/Sconfig
index ec68bc2737af02cff3ce38c7bc1b9d59af2336c5..b5c585b11b20a9f106f62813263f739d74f3667f 100644
--- a/common/Sconfig
+++ b/common/Sconfig
@@ -2,6 +2,15 @@
 
 menu "General Settings"
 
+config CONSOLE_INPUT
+	bool "Allow console input"
+	depends on $(kconfig-enabled,CONSOLE_SIMPLE) || $(kconfig-enabled,CONSOLE_FULL)
+	help
+	  Say y here if you want to allow input on consoles. Disabling this is the safest
+	  thing to make sure that a barebox build is fully non interactive. When you
+	  still need to react to input for example to trigger a recovery boot then consider
+	  disabling this option and disable SHELL_INTERACTIVE instead.
+
 config SHELL
 	bool "Allow executing shell scripts"
 	depends on $(kconfig-enabled,SHELL_HUSH) || $(kconfig-enabled,SHELL_SIMPLE)
@@ -13,7 +22,7 @@ config SHELL
 
 config SHELL_INTERACTIVE
 	bool "Allow executing interactive shell"
-	depends on SHELL
+	depends on SHELL && CONSOLE_INPUT
 	help
 	  An interactive shell cannot be safely executed in trusted environments. Disable
 	  this option in lockdown security configs.
diff --git a/common/console.c b/common/console.c
index ee498fadf3700376b6325be10911b2081ff1ebb3..24fbee6904d446ecb55f22f1e3e9beeddb3ceeb0 100644
--- a/common/console.c
+++ b/common/console.c
@@ -513,6 +513,9 @@ static int tstc_raw(void)
 {
 	struct console_device *cdev;
 
+	if (!IS_ALLOWED(SCONFIG_CONSOLE_INPUT))
+		return 0;
+
 	for_each_console(cdev) {
 		if (!(cdev->f_active & CONSOLE_STDIN))
 			continue;
@@ -528,6 +531,9 @@ int getchar(void)
 	unsigned char ch;
 	uint64_t start;
 
+	if (!IS_ALLOWED(SCONFIG_CONSOLE_INPUT))
+		return -1;
+
 	/*
 	 * For 100us we read the characters from the serial driver
 	 * into a kfifo. This helps us not to lose characters
diff --git a/common/console_simple.c b/common/console_simple.c
index f00fd567ed5d1ec7b0a8f00179953c08dda49de3..0e8a4bff2a692067765cb3d6feb93dd5b070ff82 100644
--- a/common/console_simple.c
+++ b/common/console_simple.c
@@ -45,6 +45,9 @@ EXPORT_SYMBOL(console_putc);
 
 int tstc(void)
 {
+	if (!IS_ALLOWED(SCONFIG_CONSOLE_INPUT))
+		return 0;
+
 	if (!console)
 		return 0;
 
@@ -54,6 +57,9 @@ EXPORT_SYMBOL(tstc);
 
 int getchar(void)
 {
+	if (!IS_ALLOWED(SCONFIG_CONSOLE_INPUT))
+		return -1;
+
 	if (!console)
 		return -EINVAL;
 	return console->getc(console);

-- 
2.39.5