From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH 08/24] commands: implement sconfig command
Date: Wed, 20 Aug 2025 15:17:52 +0200 [thread overview]
Message-ID: <20250820-security-policies-v1-8-76fde70fdbd8@pengutronix.de> (raw)
In-Reply-To: <20250820-security-policies-v1-0-76fde70fdbd8@pengutronix.de>
The sconfig command provides a convenient interface to test the new
security policy support. It allows inspecting available policies
and optionally switching between them and enabling/disabling them
piecewise for interactive testing of code that is gated behind these
security options.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de
Co-developed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
commands/Kconfig | 23 +++++
commands/Makefile | 1 +
commands/sconfig.c | 227 ++++++++++++++++++++++++++++++++++++++++++++++
include/security/policy.h | 4 +
4 files changed, 255 insertions(+)
diff --git a/commands/Kconfig b/commands/Kconfig
index 02b45d8cbe09da68b4a032c83d6f8ba3cca6d5ee..9b9dc57599f60ae415fac4ceb48b0b780d69fb13 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -2288,6 +2288,29 @@ endmenu
menu "Security"
+config CMD_SCONFIG
+ depends on SECURITY_POLICY
+ select SECURITY_POLICY_NAMES
+ default y
+ bool "sconfig"
+ help
+ Interact with security policies. By default, this only
+ allows read-access and not selection of new policies
+
+config CMD_SCONFIG_MODIFY
+ depends on CMD_SCONFIG
+ select HAS_INSECURE_DEFAULTS
+ bool "support policy modification"
+ help
+ Say y here if you are developing and want to extend the sconfig
+ command to support selecting a different active policy and
+ modifying it.
+
+ This is an very priviliged operation and the recommendation is
+ to hardcode policy transitions in board code and not from scripts.
+
+ Say n here if unsure.
+
config CMD_AVB_PVALUE
depends on OPTEE_AVB_PERSISTENT_VALUES
tristate
diff --git a/commands/Makefile b/commands/Makefile
index fadf9e7cc7e0e2d58a3a51b303b1d6a58f772f7a..211f92d4f38c9b18d64c2d1c1f8f3b6f109f9732 100644
--- a/commands/Makefile
+++ b/commands/Makefile
@@ -165,4 +165,5 @@ obj-$(CONFIG_CMD_STACKSMASH) += stacksmash.o
obj-$(CONFIG_CMD_PARTED) += parted.o
obj-$(CONFIG_CMD_EFI_HANDLE_DUMP) += efi_handle_dump.o
obj-$(CONFIG_CMD_HOST) += host.o
+obj-$(CONFIG_CMD_SCONFIG) += sconfig.o
UBSAN_SANITIZE_ubsan.o := y
diff --git a/commands/sconfig.c b/commands/sconfig.c
new file mode 100644
index 0000000000000000000000000000000000000000..bd354c6301e04a6ea293d806554b6152010b0bc2
--- /dev/null
+++ b/commands/sconfig.c
@@ -0,0 +1,227 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include <linux/kernel.h>
+#include <command.h>
+#include <environment.h>
+#include <getopt.h>
+#include <globalvar.h>
+#include <linux/ctype.h>
+#include <stdio.h>
+
+#include <security/policy.h>
+#include <security/config.h>
+
+#define RED "\e[1;31m"
+#define GREEN "\e[1;32m"
+#define YELLOW "\e[1;33m"
+#define PINK "\e[1;35m"
+#define CYAN "\e[1;36m"
+#define NC "\e[0m"
+
+static struct security_policy *last_override;
+static int debug_iteration;
+static struct notifier_block sconfig_notifier;
+
+static const char *red, *green, *nc;
+
+static void sconfig_print(const struct security_policy *policy)
+{
+ for (int i = 0; i < SCONFIG_NUM; i++) {
+ bool allow = is_allowed(policy, i);
+
+ printf("[%s%s%s] %s\n", allow ? green : red,
+ allow ? "✓" : "✗", nc, sconfig_names[i]);
+ }
+}
+
+static int sconfig_command_notify(struct notifier_block *nb,
+ unsigned long opt, void *unused)
+{
+ bool allow = is_allowed(NULL, opt);
+
+ printf("%s%s%s%s\n", allow ? green : red, allow ? "+" : "-", nc,
+ sconfig_names[opt]);
+
+ return 0;
+}
+
+static int do_sconfig_flags(int argc, char *argv[])
+{
+ const struct security_policy *policy;
+ const char *set = NULL;
+ int ret = 0, opt;
+
+ while ((opt = getopt(argc, argv, "li:vs:")) > 0) {
+ switch (opt) {
+ case 'l':
+ security_policy_list();
+ break;
+ case 'i':
+ policy = security_policy_get(optarg);
+ if (!policy) {
+ ret = -ENOENT;
+ goto out;
+ }
+
+ sconfig_print(policy);
+ break;
+ case 'v':
+ if (!IS_ENABLED(CONFIG_CMD_SCONFIG_MODIFY))
+ return COMMAND_ERROR_USAGE;
+ sconfig_register_handler(&sconfig_notifier,
+ sconfig_command_notify);
+ break;
+ case 's':
+ if (!IS_ENABLED(CONFIG_CMD_SCONFIG_MODIFY))
+ return COMMAND_ERROR_USAGE;
+ set = optarg;
+ break;
+ default:
+ ret = COMMAND_ERROR_USAGE;
+ goto out;
+ }
+ }
+
+ if (argc != optind) {
+ ret = COMMAND_ERROR_USAGE;
+ goto out;
+ }
+
+ if (set) {
+ policy = security_policy_get(set);
+ if (!policy) {
+ printf("Policy '%s' not found\n", set);
+ ret = -ENOENT;
+ goto out;
+ }
+
+ ret = security_policy_activate(policy);
+ }
+out:
+ if (sconfig_notifier.notifier_call) {
+ sconfig_unregister_handler(&sconfig_notifier);
+ sconfig_notifier.notifier_call = NULL;
+ }
+
+ return ret;
+}
+
+static struct security_policy *alloc_policy(void)
+{
+ struct security_policy *override;
+
+ override = xmalloc(sizeof(*override));
+
+ if (active_policy)
+ memcpy(override->policy, active_policy->policy,
+ sizeof(override->policy));
+ else
+ memset(override->policy, 0x1, sizeof(override->policy));
+
+ override->name = xasprintf("debug%u", debug_iteration++);
+ override->chained = false;
+
+ return override;
+}
+
+static void free_policy(struct security_policy *policy)
+{
+ security_policy_unregister_one(policy);
+ free(policy);
+}
+
+static int do_sconfig(int argc, char *argv[])
+{
+ struct security_policy *override;
+ bool allow_color;
+ int i, ret;
+
+ allow_color = !streq_ptr(globalvar_get("allow_color"), "0");
+ if (allow_color) {
+ red = RED;
+ green = GREEN;
+ nc = NC;
+ } else {
+ red = green = nc = "";
+ }
+
+ if (argc == 1) {
+ if (active_policy)
+ printf("Active Policy: %s\n\n", active_policy->name);
+ else
+ printf("No Policy is Active\n\n");
+
+ sconfig_print(NULL);
+ return 0;
+ }
+
+ for (i = 1; i < argc; i++) {
+ if ((*argv[i] != '-' && *argv[i] != '+' ) ||
+ !strstarts(argv[i] + 1, "SCONFIG_"))
+ return do_sconfig_flags(argc, argv);;
+ }
+
+ if (!IS_ENABLED(CONFIG_CMD_SCONFIG_MODIFY)) {
+ printf("Runtime security policy modification disallowed\n");
+ return COMMAND_ERROR_USAGE;
+ }
+
+ override = alloc_policy();
+
+ for (i = 1; i < argc; i++) {
+ char ch_action = *argv[i];
+ enum security_config_option sopt;
+
+ ret = sconfig_lookup(argv[i] + 1);
+ if (ret < 0) {
+ printf("No such option: %s\n", argv[i] + 1);
+ return ret;
+ }
+
+ sopt = ret;
+
+ switch (ch_action) {
+ case '+':
+ override->policy[sopt] = true;
+ break;
+ case '-':
+ override->policy[sopt] = false;
+ break;
+ default:
+ return COMMAND_ERROR_USAGE;
+ }
+ }
+
+ __security_policy_register(override);
+
+ ret = security_policy_activate(override);
+ if (ret) {
+ free_policy(override);
+ return ret;
+ }
+
+ free_policy(last_override);
+ last_override = override;
+
+ return 0;
+}
+
+BAREBOX_CMD_HELP_START(sconfig)
+BAREBOX_CMD_HELP_TEXT("Interact with security policies")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_TEXT("Options:")
+BAREBOX_CMD_HELP_OPT ("-l", "list registered security policies")
+BAREBOX_CMD_HELP_OPT ("-i POLICY", "show security options of specified POLICY")
+#ifdef CONFIG_CMD_SCONFIG_MODIFY
+BAREBOX_CMD_HELP_OPT ("-v", "verbose output: report options as they are modified")
+BAREBOX_CMD_HELP_OPT ("-s POLICY", "select specified POLICY")
+#endif
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(sconfig)
+ .cmd = do_sconfig,
+ BAREBOX_CMD_DESC("interact with security policies")
+ BAREBOX_CMD_OPTS("[-vlsi] [<+->CAP]...")
+ BAREBOX_CMD_GROUP(CMD_GRP_SECURITY)
+ BAREBOX_CMD_HELP(cmd_sconfig_help)
+BAREBOX_CMD_END
diff --git a/include/security/policy.h b/include/security/policy.h
index 6f270793bc80b03966c1b47fe9c44c9bfb9263a5..c41220ef3b96fb78862ae28340e41221f3c97781 100644
--- a/include/security/policy.h
+++ b/include/security/policy.h
@@ -42,6 +42,10 @@ static inline int __security_policy_register(const struct security_policy policy
}
#endif
+#ifdef CONFIG_CMD_SCONFIG
+void security_policy_unregister_one(const struct security_policy *policy);
+#endif
+
#define security_policy_add(name) ({ \
extern const struct security_policy __policy_##name[]; \
__security_policy_register(__policy_##name); \
--
2.39.5
next prev parent reply other threads:[~2025-08-20 14:08 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-20 13:17 [PATCH 00/24] Add security policy support Sascha Hauer
2025-08-20 13:17 ` [PATCH 01/24] kconfig: allow setting CONFIG_ from the outside Sascha Hauer
2025-08-20 13:17 ` [PATCH 02/24] scripts: include scripts/include for all host tools Sascha Hauer
2025-08-20 13:17 ` [PATCH 03/24] kbuild: implement loopable loop_cmd Sascha Hauer
2025-08-20 13:17 ` [PATCH 04/24] Add security policy support Sascha Hauer
2025-08-20 13:17 ` [PATCH 05/24] kbuild: allow security config use without source tree modification Sascha Hauer
2025-08-20 13:17 ` [PATCH 06/24] defaultenv: update PS1 according to security policy Sascha Hauer
2025-08-20 15:33 ` [PATCH] fixup! " Ahmad Fatoum
2025-08-20 13:17 ` [PATCH 07/24] security: policy: support externally provided configs Sascha Hauer
2025-08-20 13:17 ` Sascha Hauer [this message]
2025-08-20 13:17 ` [PATCH 09/24] docs: security-policies: add documentation Sascha Hauer
2025-08-20 13:17 ` [PATCH 10/24] commands: go: add security config option Sascha Hauer
2025-08-20 13:17 ` [PATCH 11/24] console: ratp: " Sascha Hauer
2025-08-20 13:17 ` [PATCH 12/24] bootm: support calling bootm_optional_signed_images at any time Sascha Hauer
2025-08-20 13:17 ` [PATCH 13/24] bootm: make unsigned image support runtime configurable Sascha Hauer
2025-08-20 13:17 ` [PATCH 14/24] ARM: configs: add virt32_secure_defconfig Sascha Hauer
2025-08-20 13:17 ` [PATCH 15/24] boards: qemu-virt: add security policies Sascha Hauer
2025-08-21 6:57 ` Ahmad Fatoum
2025-08-21 14:15 ` Sascha Hauer
2025-08-21 14:22 ` Ahmad Fatoum
2025-08-20 13:18 ` [PATCH 16/24] boards: qemu-virt: allow setting policy from command line Sascha Hauer
2025-08-20 13:18 ` [PATCH 17/24] test: py: add basic security policy test Sascha Hauer
2025-08-20 13:18 ` [PATCH 18/24] usbserial: add inline wrappers Sascha Hauer
2025-08-20 13:18 ` [PATCH 19/24] security: usbgadget: add usbgadget security policy Sascha Hauer
2025-08-20 13:18 ` [PATCH 20/24] security: fastboot: add security policy for fastboot oem Sascha Hauer
2025-08-20 13:18 ` [PATCH 21/24] security: shell: add policy for executing the shell Sascha Hauer
2025-08-20 13:18 ` [PATCH 22/24] security: add security policy for loading barebox environment Sascha Hauer
2025-08-20 13:18 ` [PATCH 23/24] security: add filesystem security policies Sascha Hauer
2025-08-20 14:39 ` Ahmad Fatoum
2025-08-20 13:18 ` [PATCH 24/24] security: console: add security policy for console input Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250820-security-policies-v1-8-76fde70fdbd8@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox