[PATCH v2 1/3] startup: check for console before showing menu

[PATCH v2 1/3] startup: check for console before showing menu

[Fabian Pflug]

If there is no input available or possible due to policy settings, it
does not make sense to show a menu and ask for input.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
v2:
Remove CONSOLE_DISABLE_INPUT from check
 common/startup.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/common/startup.c b/common/startup.c
index 8d36ffceb4..4313435f05 100644
--- a/common/startup.c
+++ b/common/startup.c
@@ -45,6 +45,7 @@
 #include <pbl/handoff-data.h>
 #include <libfile.h>
 #include <fuzz.h>
+#include <security/config.h>
 
 extern initcall_t __barebox_initcalls_start[], __barebox_early_initcalls_end[],
 		  __barebox_initcalls_end[];
@@ -361,14 +362,15 @@ static int run_init(void)
 		run_shell();
 	}
 
-	do {
-		/*
-		 * Let's run the command once at least, so an error
-		 * message is printed if the file doesn't exist
-		 */
-		run_command(MENUFILE);
-	} while (stat(MENUFILE, &s) == 0);
-
+	if(IS_ALLOWED(SCONFIG_CONSOLE_INPUT)) {
+		do {
+			/*
+			* Let's run the command once at least, so an error
+			* message is printed if the file doesn't exist
+			*/
+			run_command(MENUFILE);
+		} while (stat(MENUFILE, &s) == 0);
+	}
 	hang();
 }
 
-- 
2.47.3

[PATCH v2 2/3] console_common: get_first_active: respect security policy

[Fabian Pflug]

If the console input is deactivated through a security policy, then
there is no need to iterate over the current consoles, as none should
have a STDIN.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
v2:
Fix in console common instead of working around it in startup.c
 common/console_common.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/common/console_common.c b/common/console_common.c
index 5b7a64c99c..a8319c20f3 100644
--- a/common/console_common.c
+++ b/common/console_common.c
@@ -23,6 +23,7 @@
 #include <linux/math64.h>
 #include <linux/sizes.h>
 #include <linux/overflow.h>
+#include <security/config.h>
 
 #ifndef CONFIG_CONSOLE_NONE
 
@@ -331,6 +332,11 @@ struct console_device *console_get_first_active(void)
 {
 	struct console_device *cdev;
 	const unsigned char active = CONSOLE_STDIN | CONSOLE_STDOUT;
+
+	/* if no console input is allows, then we can't have STDIN on any. */
+	if (!IS_ALLOWED(SCONFIG_CONSOLE_INPUT))
+		return NULL;
+
 	/*
 	 * Assumption to have BOTH CONSOLE_STDIN AND STDOUT in the
 	 * same output console
-- 
2.47.3

Re: [PATCH v2 2/3] console_common: get_first_active: respect security policy

[Ahmad Fatoum]

Hi,

On 28.10.25 16:43, Fabian Pflug wrote:
> If the console input is deactivated through a security policy, then
> there is no need to iterate over the current consoles, as none should
> have a STDIN.
> 
> Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> ---
> v2:
> Fix in console common instead of working around it in startup.c
>  common/console_common.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/common/console_common.c b/common/console_common.c
> index 5b7a64c99c..a8319c20f3 100644
> --- a/common/console_common.c
> +++ b/common/console_common.c
> @@ -23,6 +23,7 @@
>  #include <linux/math64.h>
>  #include <linux/sizes.h>
>  #include <linux/overflow.h>
> +#include <security/config.h>
>  
>  #ifndef CONFIG_CONSOLE_NONE
>  
> @@ -331,6 +332,11 @@ struct console_device *console_get_first_active(void)
>  {
>  	struct console_device *cdev;
>  	const unsigned char active = CONSOLE_STDIN | CONSOLE_STDOUT;
> +
> +	/* if no console input is allows, then we can't have STDIN on any. */
> +	if (!IS_ALLOWED(SCONFIG_CONSOLE_INPUT))
> +		return NULL;

This stretches the definition of an "active" console, because the console
is still usable for output. Please rename to console_get_first_interactive()
as requested on v1.

Thanks,
Ahmad

> +
>  	/*
>  	 * Assumption to have BOTH CONSOLE_STDIN AND STDOUT in the
>  	 * same output console


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

[PATCH 3/3] startup: mount ps only on policy FS_EXTERNAL

[Fabian Pflug]

Without the SCONFIG_FS_EXTERNAL, the bus of the driver for pstore will
not load, resulting in a missing driver for pstore and an error during
bootup.
Only mount the /pstore if FS_EXTERNAL is allowed by the security policy.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
v2:
remove the umount
add unregister_handler
 common/startup.c | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/common/startup.c b/common/startup.c
index 4313435f05..7cf7088ad6 100644
--- a/common/startup.c
+++ b/common/startup.c
@@ -55,6 +55,22 @@ extern exitcall_t __barebox_exitcalls_start[], __barebox_exitcalls_end[];
 enum system_states barebox_system_state;
 
 #if defined CONFIG_FS_RAMFS && defined CONFIG_FS_DEVFS
+static struct sconfig_notifier_block sconfig_notifier;
+
+static void mount_pstore(struct sconfig_notifier_block *nb,
+			 enum security_config_option opt, bool allowed)
+{
+	if (allowed) {
+		mkdir("/pstore", 0);
+		mount("none", "pstore", "/pstore", NULL);
+		sconfig_unregister_handler(&sconfig_notifier);
+	}
+	/*
+	* no need to umount, since the permission is only needed for mounting,
+	* not for accessing the content.
+	*/
+}
+
 static int mount_root(void)
 {
 	mount("none", "ramfs", "/", NULL);
@@ -69,8 +85,14 @@ static int mount_root(void)
 	}
 
 	if (IS_ENABLED(CONFIG_FS_PSTORE)) {
-		mkdir("/pstore", 0);
-		mount("none", "pstore", "/pstore", NULL);
+		if (IS_ALLOWED(SCONFIG_FS_EXTERNAL)) {
+			mkdir("/pstore", 0);
+			mount("none", "pstore", "/pstore", NULL);
+		} else {
+			sconfig_register_handler_filtered(&sconfig_notifier,
+							  mount_pstore,
+							  SCONFIG_FS_EXTERNAL);
+		}
 	}
 
 	if (IS_ENABLED(CONFIG_9P_FS))
-- 
2.47.3

Re: [PATCH v2 1/3] startup: check for console before showing menu

[Sascha Hauer]

On Tue, Oct 28, 2025 at 04:43:24PM +0100, Fabian Pflug wrote:
> If there is no input available or possible due to policy settings, it
> does not make sense to show a menu and ask for input.
> 
> Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> ---
> v2:
> Remove CONSOLE_DISABLE_INPUT from check
>  common/startup.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
> 
> diff --git a/common/startup.c b/common/startup.c
> index 8d36ffceb4..4313435f05 100644
> --- a/common/startup.c
> +++ b/common/startup.c
> @@ -45,6 +45,7 @@
>  #include <pbl/handoff-data.h>
>  #include <libfile.h>
>  #include <fuzz.h>
> +#include <security/config.h>
>  
>  extern initcall_t __barebox_initcalls_start[], __barebox_early_initcalls_end[],
>  		  __barebox_initcalls_end[];
> @@ -361,14 +362,15 @@ static int run_init(void)
>  		run_shell();
>  	}
>  
> -	do {
> -		/*
> -		 * Let's run the command once at least, so an error
> -		 * message is printed if the file doesn't exist
> -		 */
> -		run_command(MENUFILE);
> -	} while (stat(MENUFILE, &s) == 0);
> -
> +	if(IS_ALLOWED(SCONFIG_CONSOLE_INPUT)) {
> +		do {
> +			/*
> +			* Let's run the command once at least, so an error
> +			* message is printed if the file doesn't exist
> +			*/
> +			run_command(MENUFILE);
> +		} while (stat(MENUFILE, &s) == 0);
> +	}

When console input is not allowed then there's no point in calling
run_shell() right above, also calling eth_open_all() likely isn't
useful.

I think the last useful thing we do with console input disabled is this:

	if (autoboot == AUTOBOOT_BOOT)
		run_command("boot");

After that point there's nothing left to do, so we could directly
do a

	if (!IS_ALLOWED(SCONFIG_CONSOLE_INPUT))
		hang();

This only misses one point that is currently not handled: autoboot could
have been interrupted because console_countdown_abort() has been called,
for example by fastboot in which case we don't want to hang() but
instead sleep forever.

So the whole logic would be:

	if (autoboot == AUTOBOOT_BOOT)
                run_command("boot");

	if (!IS_ALLOWED(SCONFIG_CONSOLE_INPUT)) {
		if (autoboot == AUTOBOOT_BOOT) {
			hang();
		} else {
			while (true) {
				sleep(1);
			}
		}
	}

	... run_shell(), call menu, ...

Maybe this needs some refactoring for readability.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

[PATCH 1/3] startup: check for console before showing menu

[Fabian Pflug]

If there is no input available or possible due to policy settings, it
does not make sense to show a menu and ask for input.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
 common/startup.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/common/startup.c b/common/startup.c
index 8d36ffceb4..3bc2609006 100644
--- a/common/startup.c
+++ b/common/startup.c
@@ -45,6 +45,7 @@
 #include <pbl/handoff-data.h>
 #include <libfile.h>
 #include <fuzz.h>
+#include <security/config.h>
 
 extern initcall_t __barebox_initcalls_start[], __barebox_early_initcalls_end[],
 		  __barebox_initcalls_end[];
@@ -361,14 +362,15 @@ static int run_init(void)
 		run_shell();
 	}
 
-	do {
-		/*
-		 * Let's run the command once at least, so an error
-		 * message is printed if the file doesn't exist
-		 */
-		run_command(MENUFILE);
-	} while (stat(MENUFILE, &s) == 0);
-
+	if(!IS_ENABLED(CONFIG_CONSOLE_DISABLE_INPUT) && IS_ALLOWED(SCONFIG_CONSOLE_INPUT)) {
+		do {
+			/*
+			* Let's run the command once at least, so an error
+			* message is printed if the file doesn't exist
+			*/
+			run_command(MENUFILE);
+		} while (stat(MENUFILE, &s) == 0);
+	}
 	hang();
 }
 
-- 
2.47.3

[PATCH 3/3] startup: mount ps only on policy FS_EXTERNAL

[Fabian Pflug]

Without the SCONFIG_FS_EXTERNAL, the bus of the driver for pstore will
not load, resulting in a missing driver for pstore and an error during
bootup.
Only mount the /pstore if FS_EXTERNAL is allowed by the security policy.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
 common/startup.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/common/startup.c b/common/startup.c
index ea5436afa6..f16a99f7e4 100644
--- a/common/startup.c
+++ b/common/startup.c
@@ -55,6 +55,19 @@ extern exitcall_t __barebox_exitcalls_start[], __barebox_exitcalls_end[];
 enum system_states barebox_system_state;
 
 #if defined CONFIG_FS_RAMFS && defined CONFIG_FS_DEVFS
+static struct sconfig_notifier_block sconfig_notifier;
+static void u_mount_pstore(struct sconfig_notifier_block *nb,
+			   enum security_config_option opt, bool allowed)
+{
+	if (allowed) {
+		mkdir("/pstore", 0);
+		mount("none", "pstore", "/pstore", NULL);
+	} else {
+		umount("/pstore");
+		rmdir("/pstore");
+	}
+}
+
 static int mount_root(void)
 {
 	mount("none", "ramfs", "/", NULL);
@@ -69,8 +82,13 @@ static int mount_root(void)
 	}
 
 	if (IS_ENABLED(CONFIG_FS_PSTORE)) {
-		mkdir("/pstore", 0);
-		mount("none", "pstore", "/pstore", NULL);
+		if (IS_ALLOWED(SCONFIG_FS_EXTERNAL)) {
+			mkdir("/pstore", 0);
+			mount("none", "pstore", "/pstore", NULL);
+		}
+		sconfig_register_handler_filtered(&sconfig_notifier,
+						  u_mount_pstore,
+						  SCONFIG_FS_EXTERNAL);
 	}
 
 	if (IS_ENABLED(CONFIG_9P_FS))
-- 
2.47.3

Re: [PATCH 3/3] startup: mount ps only on policy FS_EXTERNAL

[Ahmad Fatoum]

Hi,

On 10/28/25 1:18 PM, Fabian Pflug wrote:
> Without the SCONFIG_FS_EXTERNAL, the bus of the driver for pstore will
> not load, resulting in a missing driver for pstore and an error during
> bootup.
> Only mount the /pstore if FS_EXTERNAL is allowed by the security policy.
> > Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> ---
>  common/startup.c | 22 ++++++++++++++++++++--
>  1 file changed, 20 insertions(+), 2 deletions(-)
> 
> diff --git a/common/startup.c b/common/startup.c
> index ea5436afa6..f16a99f7e4 100644
> --- a/common/startup.c
> +++ b/common/startup.c
> @@ -55,6 +55,19 @@ extern exitcall_t __barebox_exitcalls_start[], __barebox_exitcalls_end[];
>  enum system_states barebox_system_state;
>  
>  #if defined CONFIG_FS_RAMFS && defined CONFIG_FS_DEVFS
> +static struct sconfig_notifier_block sconfig_notifier;
> +static void u_mount_pstore(struct sconfig_notifier_block *nb,
> +			   enum security_config_option opt, bool allowed)
> +{
> +	if (allowed) {
> +		mkdir("/pstore", 0);

I think we should create the directory unconditionally without paying
respect to whether we can mount or not.

> +		mount("none", "pstore", "/pstore", NULL);
> +	} else {
> +		umount("/pstore");

The harm is already done when loosening security mode, so I don't think
we want to start unmounting things.

As mentioned, I'd prefer replacing SCONFIG_FS_EXTERNAL altogether with a
whitelist of mounts, so common code calls:

  allow_mount("none", "ramfs", "/", NULL);
  allow_mount("none", "devfs", "/dev", NULL);

and board code can call:

  allow_mount("non", "pstore", "/pstore", NULL);

and we won't need any special handling here. Waiting to see what Sascha
thinks.

Cheers,
Ahmad

> +		rmdir("/pstore");
> +	}
> +}
> +
>  static int mount_root(void)
>  {
>  	mount("none", "ramfs", "/", NULL);
> @@ -69,8 +82,13 @@ static int mount_root(void)
>  	}
>  
>  	if (IS_ENABLED(CONFIG_FS_PSTORE)) {
> -		mkdir("/pstore", 0);
> -		mount("none", "pstore", "/pstore", NULL);
> +		if (IS_ALLOWED(SCONFIG_FS_EXTERNAL)) {
> +			mkdir("/pstore", 0);
> +			mount("none", "pstore", "/pstore", NULL);
> +		}
> +		sconfig_register_handler_filtered(&sconfig_notifier,
> +						  u_mount_pstore,
> +						  SCONFIG_FS_EXTERNAL);
>  	}
>  
>  	if (IS_ENABLED(CONFIG_9P_FS))

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |

Re: [PATCH 3/3] startup: mount ps only on policy FS_EXTERNAL

[Fabian Pflug]

Hey :)

On Tue, 2025-10-28 at 13:56 +0100, Ahmad Fatoum wrote:
> Hi,
> 
> On 10/28/25 1:18 PM, Fabian Pflug wrote:
> > Without the SCONFIG_FS_EXTERNAL, the bus of the driver for pstore will
> > not load, resulting in a missing driver for pstore and an error during
> > bootup.
> > Only mount the /pstore if FS_EXTERNAL is allowed by the security policy.
> > > Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> > ---
> >  common/startup.c | 22 ++++++++++++++++++++--
> >  1 file changed, 20 insertions(+), 2 deletions(-)
> > 
> > diff --git a/common/startup.c b/common/startup.c
> > index ea5436afa6..f16a99f7e4 100644
> > --- a/common/startup.c
> > +++ b/common/startup.c
> > @@ -55,6 +55,19 @@ extern exitcall_t __barebox_exitcalls_start[], __barebox_exitcalls_end[];
> >  enum system_states barebox_system_state;
> >  
> >  #if defined CONFIG_FS_RAMFS && defined CONFIG_FS_DEVFS
> > +static struct sconfig_notifier_block sconfig_notifier;
> > +static void u_mount_pstore(struct sconfig_notifier_block *nb,
> > +			   enum security_config_option opt, bool allowed)
> > +{
> > +	if (allowed) {
> > +		mkdir("/pstore", 0);
> 
> I think we should create the directory unconditionally without paying
> respect to whether we can mount or not.

I think that could irritate people into thinking, that there is nothing inside the pstore.
When there is no /pstore directory, it is clear, that the mount is not there and one gets to wonder why and what happens
here instead of chasing around, why the pstore is empty.

> 
> > +		mount("none", "pstore", "/pstore", NULL);
> > +	} else {
> > +		umount("/pstore");
> 
> The harm is already done when loosening security mode, so I don't think
> we want to start unmounting things.

That I can do. :)

> 
> As mentioned, I'd prefer replacing SCONFIG_FS_EXTERNAL altogether with a
> whitelist of mounts, so common code calls:
> 
>   allow_mount("none", "ramfs", "/", NULL);
>   allow_mount("none", "devfs", "/dev", NULL);
> 
> and board code can call:
> 
>   allow_mount("non", "pstore", "/pstore", NULL);
> 
> and we won't need any special handling here. Waiting to see what Sascha
> thinks.


I see your Idea and think this could be good, but also need something fast for me now and this works in that regard. I
see yours as a long term solution that is a bit more complicated that what I know about barebox.

Kind regards
Fabian

> 
> Cheers,
> Ahmad
> 
> > +		rmdir("/pstore");
> > +	}
> > +}
> > +
> >  static int mount_root(void)
> >  {
> >  	mount("none", "ramfs", "/", NULL);
> > @@ -69,8 +82,13 @@ static int mount_root(void)
> >  	}
> >  
> >  	if (IS_ENABLED(CONFIG_FS_PSTORE)) {
> > -		mkdir("/pstore", 0);
> > -		mount("none", "pstore", "/pstore", NULL);
> > +		if (IS_ALLOWED(SCONFIG_FS_EXTERNAL)) {
> > +			mkdir("/pstore", 0);
> > +			mount("none", "pstore", "/pstore", NULL);
> > +		}
> > +		sconfig_register_handler_filtered(&sconfig_notifier,
> > +						  u_mount_pstore,
> > +						  SCONFIG_FS_EXTERNAL);
> >  	}
> >  
> >  	if (IS_ENABLED(CONFIG_9P_FS))