From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>,
Ahmad Fatoum <a.fatoum@barebox.org>
Subject: [PATCH v2 15/24] boards: qemu-virt: add security policies
Date: Wed, 17 Sep 2025 15:53:35 +0200 [thread overview]
Message-ID: <20250917-security-policies-v2-15-f30769a3ff51@pengutronix.de> (raw)
In-Reply-To: <20250917-security-policies-v2-0-f30769a3ff51@pengutronix.de>
From: Ahmad Fatoum <a.fatoum@barebox.org>
To make it easier to experiment with security policies, add four example
configurations, two via the build system and two "externally".
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
arch/arm/configs/virt32_secure_defconfig | 1 +
common/boards/qemu-virt/Makefile | 3 ++
common/boards/qemu-virt/board.c | 8 +++++
common/boards/qemu-virt/qemu-virt-factory.sconfig | 36 ++++++++++++++++++++++
common/boards/qemu-virt/qemu-virt-lockdown.sconfig | 35 +++++++++++++++++++++
security/qemu-virt-devel.sconfig | 36 ++++++++++++++++++++++
security/qemu-virt-tamper.sconfig | 35 +++++++++++++++++++++
7 files changed, 154 insertions(+)
diff --git a/arch/arm/configs/virt32_secure_defconfig b/arch/arm/configs/virt32_secure_defconfig
index 34cc49405495b33b4f78e078dfbcd951c433fcd8..09c98e5e4dc88aa22b3aa10db38efd7b7cac2310 100644
--- a/arch/arm/configs/virt32_secure_defconfig
+++ b/arch/arm/configs/virt32_secure_defconfig
@@ -292,6 +292,7 @@ CONFIG_FS_UBOOTVARFS=y
CONFIG_SECURITY_POLICY=y
CONFIG_SECURITY_POLICY_INIT="lockdown"
CONFIG_SECURITY_POLICY_DEFAULT_PANIC=y
+CONFIG_SECURITY_POLICY_PATH="security/qemu-virt-devel.sconfig security/qemu-virt-tamper.sconfig"
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DIGEST_SHA1_ARM=y
CONFIG_DIGEST_SHA256_ARM=y
diff --git a/common/boards/qemu-virt/Makefile b/common/boards/qemu-virt/Makefile
index 30bf4f1955ee9d306b46523863e247e4cf94ab75..2caa6a20c522ac68fd629f38e51fdf1423db4b09 100644
--- a/common/boards/qemu-virt/Makefile
+++ b/common/boards/qemu-virt/Makefile
@@ -9,5 +9,8 @@ ifeq ($(CONFIG_ARM),y)
DTC_CPP_FLAGS_qemu-virt-flash.dtbo := -DCONFIG_ARM
endif
+policy-y += qemu-virt-factory.sconfig
+policy-y += qemu-virt-lockdown.sconfig
+
clean-files := *.dtb *.dtb.S .*.dtc .*.pre .*.dts *.dtb.z
clean-files += *.dtbo *.dtbo.S .*.dtso
diff --git a/common/boards/qemu-virt/board.c b/common/boards/qemu-virt/board.c
index 9882b0c31a3cf9a97ef0e963653c85a3ead961bb..6f88f24b0690c2562b3b3718a56c9f5c46a4455a 100644
--- a/common/boards/qemu-virt/board.c
+++ b/common/boards/qemu-virt/board.c
@@ -7,6 +7,7 @@
#include <init.h>
#include <of.h>
#include <deep-probe.h>
+#include <security/policy.h>
#include "qemu-virt-flash.h"
#ifdef CONFIG_64BIT
@@ -83,6 +84,13 @@ static int virt_board_driver_init(void)
/* of_probe() will happen later at of_populate_initcall */
+ security_policy_add(qemu_virt_factory);
+ security_policy_add(qemu_virt_lockdown);
+ /*
+ * qemu_virt_devel & qemu_virt_tamper intentionally not added here,
+ * so the test suite can exercise CONFIG_SECURITY_POLICY_PATH.
+ */
+
return 0;
}
postcore_initcall(virt_board_driver_init);
diff --git a/common/boards/qemu-virt/qemu-virt-factory.sconfig b/common/boards/qemu-virt/qemu-virt-factory.sconfig
new file mode 100644
index 0000000000000000000000000000000000000000..7fb35e9b722d1694ed089f209c9d1af5892557ca
--- /dev/null
+++ b/common/boards/qemu-virt/qemu-virt-factory.sconfig
@@ -0,0 +1,36 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Barebox Security Configuration
+#
+SCONFIG_POLICY_NAME="factory"
+
+#
+# General Settings
+#
+SCONFIG_CONSOLE_INPUT=y
+SCONFIG_SHELL=y
+SCONFIG_SHELL_INTERACTIVE=y
+SCONFIG_ENVIRONMENT_LOAD=y
+SCONFIG_RATP=y
+# SCONFIG_FASTBOOT_CMD_OEM is not set
+# end of General Settings
+
+#
+# Boot Policy
+#
+# SCONFIG_BOOT_UNSIGNED_IMAGES is not set
+# end of Boot Policy
+
+#
+# USB Gadget Policy
+#
+SCONFIG_USB_GADGET=y
+# end of USB Gadget Policy
+
+#
+# Command Policy
+#
+# SCONFIG_CMD_GO is not set
+# end of Command Policy
+
+SCONFIG_FS_EXTERNAL=y
diff --git a/common/boards/qemu-virt/qemu-virt-lockdown.sconfig b/common/boards/qemu-virt/qemu-virt-lockdown.sconfig
new file mode 100644
index 0000000000000000000000000000000000000000..04763d2233b41dc53e187641c45c48c9c1115a7d
--- /dev/null
+++ b/common/boards/qemu-virt/qemu-virt-lockdown.sconfig
@@ -0,0 +1,35 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Barebox Security Configuration
+#
+SCONFIG_POLICY_NAME="lockdown"
+
+#
+# General Settings
+#
+# SCONFIG_CONSOLE_INPUT is not set
+SCONFIG_SHELL=y
+# SCONFIG_ENVIRONMENT_LOAD is not set
+# SCONFIG_RATP is not set
+# SCONFIG_FASTBOOT_CMD_OEM is not set
+# end of General Settings
+
+#
+# Boot Policy
+#
+# SCONFIG_BOOT_UNSIGNED_IMAGES is not set
+# end of Boot Policy
+
+#
+# USB Gadget Policy
+#
+# SCONFIG_USB_GADGET is not set
+# end of USB Gadget Policy
+
+#
+# Command Policy
+#
+# SCONFIG_CMD_GO is not set
+# end of Command Policy
+
+# SCONFIG_FS_EXTERNAL is not set
diff --git a/security/qemu-virt-devel.sconfig b/security/qemu-virt-devel.sconfig
new file mode 100644
index 0000000000000000000000000000000000000000..423374dfbdef5a22f40d30872f6eeb05590e9f3f
--- /dev/null
+++ b/security/qemu-virt-devel.sconfig
@@ -0,0 +1,36 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Barebox Security Configuration
+#
+SCONFIG_POLICY_NAME="devel"
+
+#
+# General Settings
+#
+SCONFIG_CONSOLE_INPUT=y
+SCONFIG_SHELL=y
+SCONFIG_SHELL_INTERACTIVE=y
+SCONFIG_ENVIRONMENT_LOAD=y
+SCONFIG_RATP=y
+SCONFIG_FASTBOOT_CMD_OEM=y
+# end of General Settings
+
+#
+# Boot Policy
+#
+SCONFIG_BOOT_UNSIGNED_IMAGES=y
+# end of Boot Policy
+
+#
+# USB Gadget Policy
+#
+SCONFIG_USB_GADGET=y
+# end of USB Gadget Policy
+
+#
+# Command Policy
+#
+SCONFIG_CMD_GO=y
+# end of Command Policy
+
+SCONFIG_FS_EXTERNAL=y
diff --git a/security/qemu-virt-tamper.sconfig b/security/qemu-virt-tamper.sconfig
new file mode 100644
index 0000000000000000000000000000000000000000..10058c5b61010e64356df62269260c7a5bb33120
--- /dev/null
+++ b/security/qemu-virt-tamper.sconfig
@@ -0,0 +1,35 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Barebox Security Configuration
+#
+SCONFIG_POLICY_NAME="tamper"
+
+#
+# General Settings
+#
+# SCONFIG_CONSOLE_INPUT is not set
+# SCONFIG_SHELL is not set
+# SCONFIG_ENVIRONMENT_LOAD is not set
+# SCONFIG_RATP is not set
+# SCONFIG_FASTBOOT_CMD_OEM is not set
+# end of General Settings
+
+#
+# Boot Policy
+#
+# SCONFIG_BOOT_UNSIGNED_IMAGES is not set
+# end of Boot Policy
+
+#
+# USB Gadget Policy
+#
+# SCONFIG_USB_GADGET is not set
+# end of USB Gadget Policy
+
+#
+# Command Policy
+#
+# SCONFIG_CMD_GO is not set
+# end of Command Policy
+
+# SCONFIG_FS_EXTERNAL is not set
--
2.47.3
next prev parent reply other threads:[~2025-09-17 14:19 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-17 13:53 [PATCH v2 00/24] Add security policy support Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 01/24] kconfig: allow setting CONFIG_ from the outside Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 02/24] scripts: include scripts/include for all host tools Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 03/24] kbuild: implement loopable loop_cmd Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 04/24] Add security policy support Sascha Hauer
2025-09-22 16:14 ` Ahmad Fatoum
2025-09-23 8:11 ` Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 05/24] kbuild: allow security config use without source tree modification Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 06/24] defaultenv: update PS1 according to security policy Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 07/24] security: policy: support externally provided configs Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 08/24] commands: implement sconfig command Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 09/24] docs: security-policies: add documentation Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 10/24] commands: go: add security config option Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 11/24] console: ratp: " Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 12/24] bootm: support calling bootm_optional_signed_images at any time Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 13/24] bootm: make unsigned image support runtime configurable Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 14/24] ARM: configs: add virt32_secure_defconfig Sascha Hauer
2025-09-17 13:53 ` Sascha Hauer [this message]
2025-09-17 13:53 ` [PATCH v2 16/24] boards: qemu-virt: allow setting policy from command line Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 17/24] test: py: add basic security policy test Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 18/24] usbserial: add inline wrappers Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 19/24] security: usbgadget: add usbgadget security policy Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 20/24] security: fastboot: add security policy for fastboot oem Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 21/24] security: shell: add policy for executing the shell Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 22/24] security: add security policy for loading barebox environment Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 23/24] security: add filesystem security policies Sascha Hauer
2025-09-22 16:16 ` Ahmad Fatoum
2025-09-23 8:08 ` Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 24/24] security: console: add security policy for console input Sascha Hauer
2025-09-22 16:18 ` [PATCH v2 00/24] Add security policy support Ahmad Fatoum
2025-09-23 8:08 ` Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250917-security-policies-v2-15-f30769a3ff51@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=a.fatoum@barebox.org \
--cc=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox