From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>,
Ahmad Fatoum <a.fatoum@barebox.org>
Subject: [PATCH 06/24] defaultenv: update PS1 according to security policy
Date: Wed, 20 Aug 2025 15:17:50 +0200 [thread overview]
Message-ID: <20250820-security-policies-v1-6-76fde70fdbd8@pengutronix.de> (raw)
In-Reply-To: <20250820-security-policies-v1-0-76fde70fdbd8@pengutronix.de>
From: Ahmad Fatoum <a.fatoum@barebox.org>
This nifty optional feature makes it easy to see what security policy
is currently active.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
Documentation/user/defaultenv-2.rst | 2 ++
common/Kconfig | 5 +++++
defaultenv/Makefile | 1 +
.../defaultenv-2-security-policy/bin/ps1-policy | 20 ++++++++++++++++++++
.../defaultenv-2-security-policy/init/ps1-policy | 1 +
.../defaultenv-2-security-policy/init/source-colors | 1 +
defaultenv/defaultenv.c | 2 ++
7 files changed, 32 insertions(+)
diff --git a/Documentation/user/defaultenv-2.rst b/Documentation/user/defaultenv-2.rst
index a01a70fa9310be88c8666c40bcc3def33c48ac21..3715fd770d9d89d52172bcc1e7564d871977aa30 100644
--- a/Documentation/user/defaultenv-2.rst
+++ b/Documentation/user/defaultenv-2.rst
@@ -23,6 +23,7 @@ The default environment is composed from different directories during compilatio
defaultenv/defaultenv-2-dfu -> overlay for DFU
defaultenv/defaultenv-2-reboot-mode -> overlay for reboot modes
defaultenv/defaultenv-2-menu -> overlay for menus
+ defaultenv/defaultenv-2-security-policy -> overlay for security policy
arch/$ARCH/boards/<board>/defaultenv-<board> -> board specific overlay
$(CONFIG_DEFAULT_ENVIRONMENT_PATH) -> config specific overlay
@@ -43,6 +44,7 @@ and their respective included directories in ``defaultenv/Makefile``:
bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_MENU) += defaultenv-2-menu
bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_DFU) += defaultenv-2-dfu
bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_REBOOT_MODE) += defaultenv-2-reboot-mode
+ bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_SECURITY_POLICY) += defaultenv-2-security-policy
bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC) += defaultenv-1
/env/bin/init
diff --git a/common/Kconfig b/common/Kconfig
index ad211d1fa519547f128e982423071328235b8ea8..290aab447b6243e48bf51068d5295b08d9299db8 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -1091,6 +1091,11 @@ config DEFAULT_ENVIRONMENT_GENERIC_NEW_REBOOT_MODE
depends on DEFAULT_ENVIRONMENT_GENERIC_NEW
depends on REBOOT_MODE
+config DEFAULT_ENVIRONMENT_GENERIC_NEW_SECURITY_POLICY
+ bool "Update PS1 according to active security policy"
+ depends on DEFAULT_ENVIRONMENT_GENERIC_NEW
+ depends on SECURITY_POLICY
+
config DEFAULT_ENVIRONMENT_GENERIC_NEW_IKCONFIG
bool "Ship .config as /env/data/config"
depends on DEFAULT_ENVIRONMENT_GENERIC_NEW
diff --git a/defaultenv/Makefile b/defaultenv/Makefile
index 1eaca9f41087fdb893575db1ab2bf1f267185435..ab88ed739305d4157d6ec124b5330f002c577340 100644
--- a/defaultenv/Makefile
+++ b/defaultenv/Makefile
@@ -4,6 +4,7 @@ bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW) += defaultenv-2-base
bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_MENU) += defaultenv-2-menu
bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_DFU) += defaultenv-2-dfu
bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_REBOOT_MODE) += defaultenv-2-reboot-mode
+bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_SECURITY_POLICY) += defaultenv-2-security-policy
bbenv-$(CONFIG_DEFAULT_ENVIRONMENT_GENERIC) += defaultenv-1
obj-$(CONFIG_DEFAULT_ENVIRONMENT) += defaultenv.o
extra-y += barebox_default_env barebox_default_env.h barebox_default_env$(DEFAULT_COMPRESSION_SUFFIX) barebox_zero_env
diff --git a/defaultenv/defaultenv-2-security-policy/bin/ps1-policy b/defaultenv/defaultenv-2-security-policy/bin/ps1-policy
new file mode 100755
index 0000000000000000000000000000000000000000..af121bbbaeedfbf6ade22431d3b7bf1de862701f
--- /dev/null
+++ b/defaultenv/defaultenv-2-security-policy/bin/ps1-policy
@@ -0,0 +1,20 @@
+if [ -n "$security.policy" ]; then
+ if [ "$security.policy" = "devel" ]; then
+ PS1_policy_color="$YELLOW"
+ elif [ "$security.policy" = "factory" ]; then
+ PS1_policy_color="$PINK"
+ elif [ "$security.policy" = "lockdown" ]; then
+ PS1_policy_color="$RED;"
+ elif [ "$security.policy" = "tamper" ]; then
+ PS1_policy_color="$RED_INV";
+ elif [ "$security.policy" = "return" ]; then
+ PS1_policy_color="$PINK_INV";
+ elif [[ "$security.policy" = "debug*" ]]; then
+ PS1_policy_color="$CYAN";
+ else
+ PS1_policy_color="$NC"
+ fi
+
+ . /env/init/ps1
+ export PS1="(${PS1_policy_color}${security.policy}${NC}) $PS1"
+fi
diff --git a/defaultenv/defaultenv-2-security-policy/init/ps1-policy b/defaultenv/defaultenv-2-security-policy/init/ps1-policy
new file mode 100644
index 0000000000000000000000000000000000000000..a76cd7fd17288da03ca7515f1422f9c596e90dcb
--- /dev/null
+++ b/defaultenv/defaultenv-2-security-policy/init/ps1-policy
@@ -0,0 +1 @@
+PROMPT_COMMAND=". /env/bin/ps1-policy"
diff --git a/defaultenv/defaultenv-2-security-policy/init/source-colors b/defaultenv/defaultenv-2-security-policy/init/source-colors
new file mode 100644
index 0000000000000000000000000000000000000000..3df8e02b0ebca4d0de41bf1a3ca3908650719dd1
--- /dev/null
+++ b/defaultenv/defaultenv-2-security-policy/init/source-colors
@@ -0,0 +1 @@
+. /env/data/ansi-colors
diff --git a/defaultenv/defaultenv.c b/defaultenv/defaultenv.c
index 2567653751cb36b3bb6b1a577360738bc3e0a30a..d6cca466a6835da0896823b1f8858d702a10770e 100644
--- a/defaultenv/defaultenv.c
+++ b/defaultenv/defaultenv.c
@@ -49,6 +49,8 @@ static void defaultenv_add_base(void)
defaultenv_append_directory(defaultenv_2_dfu);
if (IS_ENABLED(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_REBOOT_MODE))
defaultenv_append_directory(defaultenv_2_reboot_mode);
+ if (IS_ENABLED(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_SECURITY_POLICY))
+ defaultenv_append_directory(defaultenv_2_security_policy);
if (IS_ENABLED(CONFIG_DEFAULT_ENVIRONMENT_GENERIC_NEW_IKCONFIG))
defaultenv_append_directory(defaultenv_2_ikconfig);
if (IS_ENABLED(CONFIG_DEFAULT_ENVIRONMENT_GENERIC))
--
2.39.5
next prev parent reply other threads:[~2025-08-20 14:05 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-20 13:17 [PATCH 00/24] Add security policy support Sascha Hauer
2025-08-20 13:17 ` [PATCH 01/24] kconfig: allow setting CONFIG_ from the outside Sascha Hauer
2025-08-20 13:17 ` [PATCH 02/24] scripts: include scripts/include for all host tools Sascha Hauer
2025-08-20 13:17 ` [PATCH 03/24] kbuild: implement loopable loop_cmd Sascha Hauer
2025-08-20 13:17 ` [PATCH 04/24] Add security policy support Sascha Hauer
2025-08-20 13:17 ` [PATCH 05/24] kbuild: allow security config use without source tree modification Sascha Hauer
2025-08-20 13:17 ` Sascha Hauer [this message]
2025-08-20 15:33 ` [PATCH] fixup! defaultenv: update PS1 according to security policy Ahmad Fatoum
2025-08-20 13:17 ` [PATCH 07/24] security: policy: support externally provided configs Sascha Hauer
2025-08-20 13:17 ` [PATCH 08/24] commands: implement sconfig command Sascha Hauer
2025-08-20 13:17 ` [PATCH 09/24] docs: security-policies: add documentation Sascha Hauer
2025-08-20 13:17 ` [PATCH 10/24] commands: go: add security config option Sascha Hauer
2025-08-20 13:17 ` [PATCH 11/24] console: ratp: " Sascha Hauer
2025-08-20 13:17 ` [PATCH 12/24] bootm: support calling bootm_optional_signed_images at any time Sascha Hauer
2025-08-20 13:17 ` [PATCH 13/24] bootm: make unsigned image support runtime configurable Sascha Hauer
2025-08-20 13:17 ` [PATCH 14/24] ARM: configs: add virt32_secure_defconfig Sascha Hauer
2025-08-20 13:17 ` [PATCH 15/24] boards: qemu-virt: add security policies Sascha Hauer
2025-08-21 6:57 ` Ahmad Fatoum
2025-08-21 14:15 ` Sascha Hauer
2025-08-21 14:22 ` Ahmad Fatoum
2025-08-20 13:18 ` [PATCH 16/24] boards: qemu-virt: allow setting policy from command line Sascha Hauer
2025-08-20 13:18 ` [PATCH 17/24] test: py: add basic security policy test Sascha Hauer
2025-08-20 13:18 ` [PATCH 18/24] usbserial: add inline wrappers Sascha Hauer
2025-08-20 13:18 ` [PATCH 19/24] security: usbgadget: add usbgadget security policy Sascha Hauer
2025-08-20 13:18 ` [PATCH 20/24] security: fastboot: add security policy for fastboot oem Sascha Hauer
2025-08-20 13:18 ` [PATCH 21/24] security: shell: add policy for executing the shell Sascha Hauer
2025-08-20 13:18 ` [PATCH 22/24] security: add security policy for loading barebox environment Sascha Hauer
2025-08-20 13:18 ` [PATCH 23/24] security: add filesystem security policies Sascha Hauer
2025-08-20 14:39 ` Ahmad Fatoum
2025-08-20 13:18 ` [PATCH 24/24] security: console: add security policy for console input Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250820-security-policies-v1-6-76fde70fdbd8@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=a.fatoum@barebox.org \
--cc=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox