mail archive of the barebox mailing list
 help / color / mirror / Atom feed
From: Christian Eggers <ceggers@arri.de>
To: barebox@lists.infradead.org
Subject: Configuring for secure boot
Date: Mon, 20 Jan 2020 17:38:36 +0100	[thread overview]
Message-ID: <2198510.7r5C0NBLhF@n95hx1g2> (raw)

Board: phytec-som-imx6

I need to configure barebox in a way, that a malicious attacker can not break
into the system. It looks like I need to perform the following steps:

1. Enforce signature verification of FIT image
--> CONFIG_BOOTM_FORCE_SIGNED_IMAGES

2. Prevent manipulation of the saved environment in flash
--> Do not load any environment settings from flash, only use compiled in
default environment.
--> Remove / permanently disable "barebox,environment" node in device-tree?
--> Compile without CONFIG_OF_BAREBOX_DRIVERS?

3. Prevent access to the barebox shell
--> CONFIG_CMD_LOGIN?
--> CONFIG_SHELL_NONE?

What is the best way to prevent (offline) manipulation of the barebox
environment? What is the best way to block the shell access?

regards
Christian



________________________________
 [http://assets.arri.com/media/sign/2019-12-13a-ARRI-E-mail-Signatur-Parkstadt.jpg] <https://www.google.com/maps/place/Herbert-Bayer-Stra%C3%9Fe+10,+80807+M%C3%BCnchen/data=!4m2!3m1!1s0x479e74379489f045:0x4bbf0c7a9e893d66?sa=X&ved=2ahUKEwjjvdSlh8TmAhWIp4sKHe3vDlQQ8gEwAHoECAsQAQ>

Get all the latest information from www.arri.com<https://www.arri.com/>, Facebook<https://www.facebook.com/TeamARRI>, Twitter<https://twitter.com/ARRIChannel>, Instagram<https://instagram.com/arri> and YouTube<https://www.youtube.com/user/ARRIChannel>.

Arnold & Richter Cine Technik GmbH & Co. Betriebs KG
Sitz: München - Registergericht: Amtsgericht München - Handelsregisternummer: HRA 57918
Persönlich haftender Gesellschafter: Arnold & Richter Cine Technik GmbH
Sitz: München - Registergericht: Amtsgericht München - Handelsregisternummer: HRB 54477
Geschäftsführer: Dr. Michael Neuhäuser; Stephan Schenk; Walter Trauninger; Markus Zeiler

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

             reply	other threads:[~2020-01-20 16:39 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-20 16:38 Christian Eggers [this message]
2020-01-20 19:53 ` Sascha Hauer
2020-01-21 10:52   ` Ahmad Fatoum
2020-01-21 11:11     ` Sascha Hauer
2020-01-23 10:29   ` Configuring for secure boot / Using bootchooser Christian Eggers
2020-01-27 10:07     ` Sascha Hauer
2020-01-27 10:18       ` [RFC PATCH] bootm: Register as bootentry provider Christian Eggers
2020-01-27 12:49         ` Sascha Hauer
2020-01-27 19:26           ` Christian Eggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2198510.7r5C0NBLhF@n95hx1g2 \
    --to=ceggers@arri.de \
    --cc=barebox@lists.infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox