mail archive of the barebox mailing list
* [PATCH 0/2] security: policy: implement age verification
@ 2026-04-01 15:07 Ahmad Fatoum
  2026-04-01 15:07 ` [PATCH 1/2] security: policy: support " Ahmad Fatoum
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Ahmad Fatoum @ 2026-04-01 15:07 UTC (permalink / raw)
  To: barebox

With barebox providing a UEFI environment, scheduling green threads
and running DOOM, barebOS is ever more becoming a reality.

But with great power comes great responsibility - in the form of
government-mandated age checking.

Fortunately, barebox's security policy framework already cleanly
separates policy from mechanism: Sconfig options define what is
permitted and IS_ALLOWED() guards enforce it at runtime.

This is a textbook fit for age verification: The age brackets are
just another axis of policy, and different security profiles can set
age thresholds appropriate to their deployment context.

This series adds SCONFIG_AB1043_AGE_{13,16,18} to represent the age
classes mandated by California's Digital Age Assurance Act (AB1043) and
puts them to use to gate access to dangerous subsystems:

  - beep: Audible tone generation constitutes noise pollution (13+)
  - I2C: Two-Wire vehicles (Mopeds) require only a learner's permit (16+)
  - SPI: Drives 4+ signals, requires full driving permit (18+)
  - CAAM: Cryptography is classified as a munition (18+)
  - fastboot: Exceeds posted speed limits (18+)

Future work would include integrating with the kernel-side support[1]
by leveraging barebox's new support for concatenating initramfs[2] to
inject a custom ramdisk init that does the appropriate prctl.

[1]: https://lore.kernel.org/all/20260401-i-hope-someone-believes-this-is-real-04f24e03944e@brauner

Ahmad Fatoum (2):
  security: policy: support age verification
  security: policy: add first age verification

 Sconfig                                       |  1 +
 commands/beep.c                               |  5 +++++
 .../qemu-virt/qemu-virt-factory.sconfig       |  8 ++++++++
 .../qemu-virt/qemu-virt-lockdown.sconfig      |  8 ++++++++
 drivers/crypto/caam/ctrl.c                    |  5 +++++
 drivers/i2c/i2c.c                             |  5 +++++
 drivers/spi/spi.c                             |  5 +++++
 drivers/usb/gadget/function/f_fastboot.c      |  5 +++++
 include/security/age.h                        | 14 +++++++++++++
 security/Sconfig.age                          | 20 +++++++++++++++++++
 security/qemu-virt-devel.sconfig              |  8 ++++++++
 security/qemu-virt-tamper.sconfig             |  8 ++++++++
 12 files changed, 92 insertions(+)
 create mode 100644 include/security/age.h
 create mode 100644 security/Sconfig.age

-- 
2.47.3





* [PATCH 1/2] security: policy: support age verification
  2026-04-01 15:07 [PATCH 0/2] security: policy: implement age verification Ahmad Fatoum
@ 2026-04-01 15:07 ` Ahmad Fatoum
  2026-04-01 15:07 ` [PATCH 2/2] security: policy: add first " Ahmad Fatoum
  2026-04-01 15:35 ` [PATCH 0/2] security: policy: implement " Sascha Hauer
  2 siblings, 0 replies; 5+ messages in thread
From: Ahmad Fatoum @ 2026-04-01 15:07 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

California's Digital Age Assurance Act mandates age-appropriate feature
gating for operating systems. As barebOS qualifies, implement compliance
via the security policy framework.

The security policies for virt32_secure_defconfig have been updated
accordingly:

 - lockdown: field-deployed devices are unsupervised and adult operators
   cannot be assumed

 - tamper: Tampering is clearly a sign of immaturity

 - devel: Much barebox development relates to drivers, which requires
   at least 16+ with adult supervision

 - factory: all age brackets allowed, because child labor laws
   already imply factory workers to be 18+

Signed-off-by: Ahmad Fatoum <a.fatoum@barebox.org>
---
 Sconfig                                       |  1 +
 .../qemu-virt/qemu-virt-factory.sconfig       |  8 ++++++++
 .../qemu-virt/qemu-virt-lockdown.sconfig      |  8 ++++++++
 include/security/age.h                        | 14 +++++++++++++
 security/Sconfig.age                          | 20 +++++++++++++++++++
 security/qemu-virt-devel.sconfig              |  8 ++++++++
 security/qemu-virt-tamper.sconfig             |  8 ++++++++
 7 files changed, 67 insertions(+)
 create mode 100644 include/security/age.h
 create mode 100644 security/Sconfig.age

diff --git a/Sconfig b/Sconfig
index cdb2ceccb1b4..2c7804453cb9 100644
--- a/Sconfig
+++ b/Sconfig
@@ -9,3 +9,4 @@ source "common/Sconfig"
 source "drivers/usb/gadget/Sconfig"
 source "commands/Sconfig"
 source "fs/Sconfig"
+source "security/Sconfig.age"
diff --git a/common/boards/qemu-virt/qemu-virt-factory.sconfig b/common/boards/qemu-virt/qemu-virt-factory.sconfig
index 7fb35e9b722d..a9d9f021e832 100644
--- a/common/boards/qemu-virt/qemu-virt-factory.sconfig
+++ b/common/boards/qemu-virt/qemu-virt-factory.sconfig
@@ -34,3 +34,11 @@ SCONFIG_USB_GADGET=y
 # end of Command Policy
 
 SCONFIG_FS_EXTERNAL=y
+
+#
+# AB1043 Age Verification
+#
+SCONFIG_AB1043_AGE_13=y
+SCONFIG_AB1043_AGE_16=y
+SCONFIG_AB1043_AGE_18=y
+# end of AB1043 Age Verification
diff --git a/common/boards/qemu-virt/qemu-virt-lockdown.sconfig b/common/boards/qemu-virt/qemu-virt-lockdown.sconfig
index 04763d2233b4..1683d16b47f9 100644
--- a/common/boards/qemu-virt/qemu-virt-lockdown.sconfig
+++ b/common/boards/qemu-virt/qemu-virt-lockdown.sconfig
@@ -33,3 +33,11 @@ SCONFIG_SHELL=y
 # end of Command Policy
 
 # SCONFIG_FS_EXTERNAL is not set
+
+#
+# AB1043 Age Verification
+#
+# SCONFIG_AB1043_AGE_13 is not set
+# SCONFIG_AB1043_AGE_16 is not set
+# SCONFIG_AB1043_AGE_18 is not set
+# end of AB1043 Age Verification
diff --git a/include/security/age.h b/include/security/age.h
new file mode 100644
index 000000000000..609defde04fb
--- /dev/null
+++ b/include/security/age.h
@@ -0,0 +1,14 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+#ifndef __SECURITY_AGE_H
+#define __SECURITY_AGE_H
+
+#include <security/config.h>
+
+/*
+ * California AB1043 Digital Age Verification Act compliance.
+ * Maps age brackets to Sconfig security policy options.
+ */
+
+#define IS_OF_AGE(n)	IS_ALLOWED(SCONFIG_AB1043_AGE_##n)
+
+#endif /* __SECURITY_AGE_H */
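
Review bot: the header comment in include/security/age.h calls the law the "Digital Age Verification Act", while the cover letter and both commit messages call it the "Digital Age Assurance Act"; pick one name. The comment should also state that IS_OF_AGE(n) only accepts 13, 16 and 18, since the macro pastes n into SCONFIG_AB1043_AGE_##n and any other value names an option that security/Sconfig.age does not define.
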
diff --git a/security/Sconfig.age b/security/Sconfig.age
new file mode 100644
index 000000000000..f403e8757a0c
--- /dev/null
+++ b/security/Sconfig.age
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+menu "AB1043 Age Verification"
+
+config AB1043_AGE_13
+	bool "Allow operators aged 13+"
+	help
+	  Permit access to features requiring a minimum operator age of 13.
+
+config AB1043_AGE_16
+	bool "Allow operators aged 16+"
+	help
+	  Permit access to features requiring a minimum operator age of 16.
+
+config AB1043_AGE_18
+	bool "Allow operators aged 18+"
+	help
+	  Permit access to features requiring a minimum operator age of 18.
+
+endmenu
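
Review bot: AB1043_AGE_13, AB1043_AGE_16 and AB1043_AGE_18 are three independent bools, so nothing in this file stops a policy from setting AGE_18=y while leaving AGE_13 unset, in which case IS_OF_AGE(13) denies an operator that IS_OF_AGE(18) admits. Either express the ordering here (for example by making each bracket depend on the one below it) or state in the help texts that the brackets are checked independently.
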
diff --git a/security/qemu-virt-devel.sconfig b/security/qemu-virt-devel.sconfig
index 423374dfbdef..1fde43a95456 100644
--- a/security/qemu-virt-devel.sconfig
+++ b/security/qemu-virt-devel.sconfig
@@ -34,3 +34,11 @@ SCONFIG_CMD_GO=y
 # end of Command Policy
 
 SCONFIG_FS_EXTERNAL=y
+
+#
+# AB1043 Age Verification
+#
+SCONFIG_AB1043_AGE_13=y
+SCONFIG_AB1043_AGE_16=y
+# SCONFIG_AB1043_AGE_18 is not set
+# end of AB1043 Age Verification
diff --git a/security/qemu-virt-tamper.sconfig b/security/qemu-virt-tamper.sconfig
index 10058c5b6101..1eaa0d64042a 100644
--- a/security/qemu-virt-tamper.sconfig
+++ b/security/qemu-virt-tamper.sconfig
@@ -33,3 +33,11 @@ SCONFIG_POLICY_NAME="tamper"
 # end of Command Policy
 
 # SCONFIG_FS_EXTERNAL is not set
+
+#
+# AB1043 Age Verification
+#
+SCONFIG_AB1043_AGE_13=y
+# SCONFIG_AB1043_AGE_16 is not set
+# SCONFIG_AB1043_AGE_18 is not set
+# end of AB1043 Age Verification
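
Review bot: with SCONFIG_AB1043_AGE_13=y the tamper policy ends up more permissive than lockdown, which leaves all three brackets unset. If a tamper event is meant to restrict the device at least as much as lockdown does, AGE_13 should be unset here too; otherwise the commit message should say why the 13+ features stay reachable after tampering.
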
-- 
2.47.3





* [PATCH 2/2] security: policy: add first age verification
  2026-04-01 15:07 [PATCH 0/2] security: policy: implement age verification Ahmad Fatoum
  2026-04-01 15:07 ` [PATCH 1/2] security: policy: support " Ahmad Fatoum
@ 2026-04-01 15:07 ` Ahmad Fatoum
  2026-04-01 15:35 ` [PATCH 0/2] security: policy: implement " Sascha Hauer
  2 siblings, 0 replies; 5+ messages in thread
From: Ahmad Fatoum @ 2026-04-01 15:07 UTC (permalink / raw)
  To: barebox; +Cc: Ahmad Fatoum

California's Digital Age Assurance Act mandates age-appropriate feature
gating for operating systems. As barebOS qualifies, implement compliance
via the security policy framework.

Signed-off-by: Ahmad Fatoum <a.fatoum@barebox.org>
---
 commands/beep.c                          | 5 +++++
 drivers/crypto/caam/ctrl.c               | 5 +++++
 drivers/i2c/i2c.c                        | 5 +++++
 drivers/spi/spi.c                        | 5 +++++
 drivers/usb/gadget/function/f_fastboot.c | 5 +++++
 5 files changed, 25 insertions(+)

diff --git a/commands/beep.c b/commands/beep.c
index 29569fb51a3b..83ae9319522c 100644
--- a/commands/beep.c
+++ b/commands/beep.c
@@ -5,9 +5,14 @@
 #include <command.h>
 #include <sound.h>
 #include <getopt.h>
+#include <security/age.h>
 
 static int do_beep(int argc, char *argv[])
 {
+	/* AB1043: Audible tone generation constitutes noise pollution */
+	if (!IS_OF_AGE(13))
+		return -EPERM;
+
 	int ret, i, opt;
 	u32 tempo, total_us = 0;
 	bool wait = false;
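
Review bot: in do_beep() the new check and its return sit above "int ret, i, opt;", so the function now declares variables after a statement. Move the IS_OF_AGE(13) check below the local declarations, as the i2c and spi hunks in this patch already do.
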
diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c
index 24a01ca0943e..69e388455cce 100644
--- a/drivers/crypto/caam/ctrl.c
+++ b/drivers/crypto/caam/ctrl.c
@@ -14,6 +14,7 @@
 #include <linux/barebox-wrapper.h>
 #include <linux/spinlock.h>
 #include <linux/clk.h>
+#include <security/age.h>
 
 #include "regs.h"
 #include "intern.h"
@@ -358,6 +359,10 @@ static int caam_get_era(struct caam_ctrl __iomem *ctrl)
 /* Probe routine for CAAM top (controller) level */
 static int caam_probe(struct device *dev)
 {
+	/* AB1043: cryptography is classified as a munition */
+	if (!IS_OF_AGE(18))
+		return -EPERM;
+
 	int ret, ring, rspec, gen_sk, ent_delay = RTSDCTL_ENT_DLY_MIN;
 	u64 caam_id;
 	struct device_node *nprop, *np;
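
Review bot: caam_probe() returns -EPERM without logging anything, so a probe refused by policy looks the same as one that failed on hardware. A dev_err() or dev_info() on dev before the return, naming the missing age bracket, would make the denial diagnosable. The check also precedes the local declarations and reads better after them.
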
diff --git a/drivers/i2c/i2c.c b/drivers/i2c/i2c.c
index 407c4db8a76a..8b852225502b 100644
--- a/drivers/i2c/i2c.c
+++ b/drivers/i2c/i2c.c
@@ -24,6 +24,7 @@
 #include <of.h>
 #include <gpio.h>
 #include <slice.h>
+#include <security/age.h>
 
 #include <i2c/i2c.h>
 
@@ -711,6 +712,10 @@ int i2c_add_numbered_adapter(struct i2c_adapter *adapter)
 	struct device *hw_dev;
 	int ret;
 
+	/* AB1043: Two-Wire vehicles (mopeds) require only a learner's permit */
+	if (!IS_OF_AGE(16))
+		return -EPERM;
+
 	if (adapter->nr < 0 && dev_of_node(&adapter->dev))
 		adapter->nr = of_alias_get_id(adapter->dev.of_node, "i2c");
 
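
Review bot: the IS_OF_AGE(16) test in i2c_add_numbered_adapter() runs once, when the adapter is registered. If the active security policy can change after boot, an adapter registered under a permissive policy stays usable after a switch to a stricter one, and an adapter refused earlier is never retried. If that is intended, say so in the commit message; if not, the check belongs on the transfer path as well.
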
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index b64e20664985..7bab1de79cdc 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -18,6 +18,7 @@
 #include <errno.h>
 #include <init.h>
 #include <of.h>
+#include <security/age.h>
 
 /* SPI devices should normally not be created by SPI device drivers; that
  * would make them board-specific.  Similarly with SPI master drivers.
@@ -538,6 +539,10 @@ int spi_register_controller(struct spi_controller *ctrl)
 	static int dyn_bus_id = (1 << 15) - 1;
 	int			status = -ENODEV;
 
+	/* AB1043: SPI drives 4+ signals and thus requires full driving permit */
+	if (!IS_OF_AGE(18))
+		return -EPERM;
+
 	debug("%s: %s:%d\n", __func__, ctrl->dev->name, ctrl->dev->id);
 
 	/*
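
Review bot: requiring IS_OF_AGE(18) in spi_register_controller() means no SPI controller registers under the devel policy, because patch 1/2 leaves SCONFIG_AB1043_AGE_18 unset in security/qemu-virt-devel.sconfig. Patch 1/2 justifies that policy with driver development, so either lower this gate to 16 or mention in the commit message that SPI is unavailable under devel.
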
diff --git a/drivers/usb/gadget/function/f_fastboot.c b/drivers/usb/gadget/function/f_fastboot.c
index 85732802ff80..516e80735e51 100644
--- a/drivers/usb/gadget/function/f_fastboot.c
+++ b/drivers/usb/gadget/function/f_fastboot.c
@@ -26,6 +26,7 @@
 #include <progress.h>
 #include <fastboot.h>
 #include <linux/usb/fastboot.h>
+#include <security/age.h>
 
 #define FASTBOOT_INTERFACE_CLASS	0xff
 #define FASTBOOT_INTERFACE_SUB_CLASS	0x42
@@ -221,6 +222,10 @@ static void fastboot_complete(struct usb_ep *ep, struct usb_request *req)
 
 static int fastboot_bind(struct usb_configuration *c, struct usb_function *f)
 {
+	/* AB1043: FAST boot exceeds posted speed limits */
+	if (!IS_OF_AGE(18))
+		return -EPERM;
+
 	struct usb_composite_dev *cdev = c->cdev;
 	int id, ret;
 	struct usb_gadget *gadget = c->cdev->gadget;
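
Review bot: fastboot_bind() now needs SCONFIG_AB1043_AGE_18 on top of the existing gadget policy (the factory policy in patch 1/2 already carries SCONFIG_USB_GADGET=y), and the commit message does not say how the two options combine. Document that both must be allowed for fastboot to bind, and move the check below the declarations of cdev, id, ret and gadget so the function does not declare variables after a return statement.
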
-- 
2.47.3





* Re: [PATCH 0/2] security: policy: implement age verification
  2026-04-01 15:07 [PATCH 0/2] security: policy: implement age verification Ahmad Fatoum
  2026-04-01 15:07 ` [PATCH 1/2] security: policy: support " Ahmad Fatoum
  2026-04-01 15:07 ` [PATCH 2/2] security: policy: add first " Ahmad Fatoum
@ 2026-04-01 15:35 ` Sascha Hauer
  2026-04-01 15:36   ` Sascha Hauer
  2 siblings, 1 reply; 5+ messages in thread
From: Sascha Hauer @ 2026-04-01 15:35 UTC (permalink / raw)
  To: barebox, Ahmad Fatoum


On Wed, 01 Apr 2026 17:07:14 +0200, Ahmad Fatoum wrote:
> With barebox providing a UEFI environment, scheduling green threads
> and running DOOM, barebOS is ever more becoming a reality.
> 
> But with great power comes great responsibility - in the form of
> government-mandated age checking.
> 
> Fortunately, barebox's security policy framework already cleanly
> separates policy from mechanism: Sconfig options define what is
> permitted and IS_ALLOWED() guards enforce it at runtime.
> 
> [...]

Applied, thanks!

[1/2] security: policy: support age verification
      https://git.pengutronix.de/cgit/barebox/commit/?id=b8ca49771821 (link may not be stable)
[2/2] security: policy: add first age verification
      https://git.pengutronix.de/cgit/barebox/commit/?id=1b02a8f091e6 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>





* Re: [PATCH 0/2] security: policy: implement age verification
  2026-04-01 15:35 ` [PATCH 0/2] security: policy: implement " Sascha Hauer
@ 2026-04-01 15:36   ` Sascha Hauer
  0 siblings, 0 replies; 5+ messages in thread
From: Sascha Hauer @ 2026-04-01 15:36 UTC (permalink / raw)
  To: barebox, Ahmad Fatoum

On Wed, Apr 01, 2026 at 05:35:41PM +0200, Sascha Hauer wrote:
> 
> On Wed, 01 Apr 2026 17:07:14 +0200, Ahmad Fatoum wrote:
> > With barebox providing a UEFI environment, scheduling green threads
> > and running DOOM, barebOS is ever more becoming a reality.
> > 
> > But with great power comes great responsibility - in the form of
> > government-mandated age checking.
> > 
> > Fortunately, barebox's security policy framework already cleanly
> > separates policy from mechanism: Sconfig options define what is
> > permitted and IS_ALLOWED() guards enforce it at runtime.
> > 
> > [...]
> 
> Applied, thanks!
> 
> [1/2] security: policy: support age verification
>       https://git.pengutronix.de/cgit/barebox/commit/?id=b8ca49771821 (link may not be stable)
> [2/2] security: policy: add first age verification
>       https://git.pengutronix.de/cgit/barebox/commit/?id=1b02a8f091e6 (link may not be stable)

Queued as urgent fix, thanks

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



