[PATCH v2] environment: add explicit option to allow searching for environment devices

[PATCH v2] environment: add explicit option to allow searching for environment devices

[Sascha Hauer]

Add an explicit Kconfig option to allow searching the environment storage
path based on the barebox environment partition GUID.

So far this depended on CONFIG_INSECURE being set, but that's not the whole
picture. Loading an unsigned environment is inherently insecure, allowing
to find the partition by partition UUID just adds one point to the top:
With it we potentially allow loading the environment from external storage
devices like SD card slots that could be plugged without opening a device.

So instead of implying that partition UUID is insecure, or no partition UUID
is secure, just add a specific option to let the user decide on this option.

The new Kconfig option defaults to the setting of CONFIG_INSECURE. This makes
sure that users which previously had CONFIG_INSECURE disabled the new option
doesn't leak in unnoticed on a barebox update. Also it preserves the behaviour
of in-tree defconfigs which all have CONFIG_INSECURE enabled.

This also removes the globalvar global.env.autoprobe. It turned out that this
option doesn't work: The content of that variable is evaluated before the
default environment is loaded, so we never actually had a chance to set it
from the environment.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 .../migration-guides/migration-master.rst          |  7 +++++++
 common/Kconfig                                     | 14 ++++++++++++++
 common/environment.c                               | 14 +-------------
 3 files changed, 22 insertions(+), 13 deletions(-)

Changes since v1:
- Change reasoning for the patch
- remove non functional global.env.autoprobe
- add note to migration guide

diff --git a/Documentation/migration-guides/migration-master.rst b/Documentation/migration-guides/migration-master.rst
index 026dbe8588..b5435f4e0c 100644
--- a/Documentation/migration-guides/migration-master.rst
+++ b/Documentation/migration-guides/migration-master.rst
@@ -1,2 +1,9 @@
 :orphan:
 
+Removal of global.env.autoprobe
+===============================
+
+The global.env.autoprobe variable introduced with v2025.02.0 is removed and
+now replaced with CONFIG_ENV_HANDLING_AUTOPROBE. It has never worked. If you
+want to load a barebox environment based on its partition UUID enable
+CONFIG_ENV_HANDLING_AUTOPROBE.
\ No newline at end of file
diff --git a/common/Kconfig b/common/Kconfig
index cd002865f7..6c190c6c5e 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -979,6 +979,20 @@ config ENV_HANDLING
 	  A safe use of the mutable environment may be possible if board code only
 	  mounts it after verifying a JSON Web Token that enables a debug mode.
 
+config ENV_HANDLING_AUTOPROBE
+	depends on ENV_HANDLING
+	bool "Autoprobe for environment devices"
+	default CONFIG_INSECURE
+	help
+	  There are two ways for specifying where the barebox environment is. The first one
+	  specifies the path explicitly in the device tree or board code. The other one is
+	  to automatically search it on block devices which is enabled with this option.
+	  Here a partition with the barebox environment GUID is searched. If this option
+	  is enabled and no environment is chosen by device tree or board code then a block
+	  device containing a partition with the barebox environment GUID is used for the
+	  environment. A block device barebox has booted from is preferred over other block
+	  devices.
+
 config DEFAULT_ENVIRONMENT
 	select CRC32
 	bool
diff --git a/common/environment.c b/common/environment.c
index ec14d0629a..9d3607a70e 100644
--- a/common/environment.c
+++ b/common/environment.c
@@ -53,7 +53,6 @@ struct action_data {
 
 #define TMPDIR "/.defaultenv"
 
-static int global_env_autoprobe = IS_ENABLED(CONFIG_INSECURE);
 static char *default_environment_path;
 
 void default_environment_path_set(const char *path)
@@ -83,7 +82,7 @@ static struct cdev *default_environment_path_search(void)
 	struct cdev *env_cdev = NULL;
 	struct block_device *blk;
 
-	if (!IS_ENABLED(CONFIG_BLOCK) || !global_env_autoprobe)
+	if (!IS_ENABLED(CONFIG_BLOCK) || !IS_ENABLED(CONFIG_ENV_HANDLING_AUTOPROBE))
 		return NULL;
 
 	boot_node = bootsource_of_node_get(NULL);
@@ -544,14 +543,3 @@ int envfs_load(const char *filename, const char *dir, unsigned flags)
 
 	return ret;
 }
-
-#ifdef __BAREBOX__
-static int register_env_vars(void)
-{
-	globalvar_add_simple_bool("env.autoprobe", &global_env_autoprobe);
-	return 0;
-}
-postcore_initcall(register_env_vars);
-BAREBOX_MAGICVAR(global.env.autoprobe,
-                 "Automatically probe known block devices for environment");
-#endif
-- 
2.47.3

Re: [PATCH v2] environment: add explicit option to allow searching for environment devices

[Ahmad Fatoum]

On 5/8/26 12:58 PM, Sascha Hauer wrote:
> Add an explicit Kconfig option to allow searching the environment storage
> path based on the barebox environment partition GUID.
> 
> So far this depended on CONFIG_INSECURE being set, but that's not the whole
> picture. Loading an unsigned environment is inherently insecure, allowing
> to find the partition by partition UUID just adds one point to the top:
> With it we potentially allow loading the environment from external storage
> devices like SD card slots that could be plugged without opening a device.
> 
> So instead of implying that partition UUID is insecure, or no partition UUID
> is secure, just add a specific option to let the user decide on this option.
> 
> The new Kconfig option defaults to the setting of CONFIG_INSECURE. This makes
> sure that users which previously had CONFIG_INSECURE disabled the new option
> doesn't leak in unnoticed on a barebox update. Also it preserves the behaviour
> of in-tree defconfigs which all have CONFIG_INSECURE enabled.
> 
> This also removes the globalvar global.env.autoprobe. It turned out that this
> option doesn't work: The content of that variable is evaluated before the
> default environment is loaded, so we never actually had a chance to set it
> from the environment.
> 
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>

Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>


> ---
>  .../migration-guides/migration-master.rst          |  7 +++++++
>  common/Kconfig                                     | 14 ++++++++++++++
>  common/environment.c                               | 14 +-------------
>  3 files changed, 22 insertions(+), 13 deletions(-)
> 
> Changes since v1:
> - Change reasoning for the patch
> - remove non functional global.env.autoprobe
> - add note to migration guide
> 
> diff --git a/Documentation/migration-guides/migration-master.rst b/Documentation/migration-guides/migration-master.rst
> index 026dbe8588..b5435f4e0c 100644
> --- a/Documentation/migration-guides/migration-master.rst
> +++ b/Documentation/migration-guides/migration-master.rst
> @@ -1,2 +1,9 @@
>  :orphan:
>  
> +Removal of global.env.autoprobe
> +===============================
> +
> +The global.env.autoprobe variable introduced with v2025.02.0 is removed and
> +now replaced with CONFIG_ENV_HANDLING_AUTOPROBE. It has never worked. If you
> +want to load a barebox environment based on its partition UUID enable
> +CONFIG_ENV_HANDLING_AUTOPROBE.
> \ No newline at end of file
> diff --git a/common/Kconfig b/common/Kconfig
> index cd002865f7..6c190c6c5e 100644
> --- a/common/Kconfig
> +++ b/common/Kconfig
> @@ -979,6 +979,20 @@ config ENV_HANDLING
>  	  A safe use of the mutable environment may be possible if board code only
>  	  mounts it after verifying a JSON Web Token that enables a debug mode.
>  
> +config ENV_HANDLING_AUTOPROBE
> +	depends on ENV_HANDLING
> +	bool "Autoprobe for environment devices"
> +	default CONFIG_INSECURE
> +	help
> +	  There are two ways for specifying where the barebox environment is. The first one
> +	  specifies the path explicitly in the device tree or board code. The other one is
> +	  to automatically search it on block devices which is enabled with this option.
> +	  Here a partition with the barebox environment GUID is searched. If this option
> +	  is enabled and no environment is chosen by device tree or board code then a block
> +	  device containing a partition with the barebox environment GUID is used for the
> +	  environment. A block device barebox has booted from is preferred over other block
> +	  devices.
> +
>  config DEFAULT_ENVIRONMENT
>  	select CRC32
>  	bool
> diff --git a/common/environment.c b/common/environment.c
> index ec14d0629a..9d3607a70e 100644
> --- a/common/environment.c
> +++ b/common/environment.c
> @@ -53,7 +53,6 @@ struct action_data {
>  
>  #define TMPDIR "/.defaultenv"
>  
> -static int global_env_autoprobe = IS_ENABLED(CONFIG_INSECURE);
>  static char *default_environment_path;
>  
>  void default_environment_path_set(const char *path)
> @@ -83,7 +82,7 @@ static struct cdev *default_environment_path_search(void)
>  	struct cdev *env_cdev = NULL;
>  	struct block_device *blk;
>  
> -	if (!IS_ENABLED(CONFIG_BLOCK) || !global_env_autoprobe)
> +	if (!IS_ENABLED(CONFIG_BLOCK) || !IS_ENABLED(CONFIG_ENV_HANDLING_AUTOPROBE))
>  		return NULL;
>  
>  	boot_node = bootsource_of_node_get(NULL);
> @@ -544,14 +543,3 @@ int envfs_load(const char *filename, const char *dir, unsigned flags)
>  
>  	return ret;
>  }
> -
> -#ifdef __BAREBOX__
> -static int register_env_vars(void)
> -{
> -	globalvar_add_simple_bool("env.autoprobe", &global_env_autoprobe);
> -	return 0;
> -}
> -postcore_initcall(register_env_vars);
> -BAREBOX_MAGICVAR(global.env.autoprobe,
> -                 "Automatically probe known block devices for environment");
> -#endif

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |