From: Christian Eggers <ceggers@arri.de>
To: barebox@lists.infradead.org
Subject: Configuring for secure boot
Date: Mon, 20 Jan 2020 17:38:36 +0100 [thread overview]
Message-ID: <2198510.7r5C0NBLhF@n95hx1g2> (raw)
Board: phytec-som-imx6
I need to configure barebox in a way, that a malicious attacker can not break
into the system. It looks like I need to perform the following steps:
1. Enforce signature verification of FIT image
--> CONFIG_BOOTM_FORCE_SIGNED_IMAGES
2. Prevent manipulation of the saved environment in flash
--> Do not load any environment settings from flash, only use compiled in
default environment.
--> Remove / permanently disable "barebox,environment" node in device-tree?
--> Compile without CONFIG_OF_BAREBOX_DRIVERS?
3. Prevent access to the barebox shell
--> CONFIG_CMD_LOGIN?
--> CONFIG_SHELL_NONE?
What is the best way to prevent (offline) manipulation of the barebox
environment? What is the best way to block the shell access?
regards
Christian
________________________________
[http://assets.arri.com/media/sign/2019-12-13a-ARRI-E-mail-Signatur-Parkstadt.jpg] <https://www.google.com/maps/place/Herbert-Bayer-Stra%C3%9Fe+10,+80807+M%C3%BCnchen/data=!4m2!3m1!1s0x479e74379489f045:0x4bbf0c7a9e893d66?sa=X&ved=2ahUKEwjjvdSlh8TmAhWIp4sKHe3vDlQQ8gEwAHoECAsQAQ>
Get all the latest information from www.arri.com<https://www.arri.com/>, Facebook<https://www.facebook.com/TeamARRI>, Twitter<https://twitter.com/ARRIChannel>, Instagram<https://instagram.com/arri> and YouTube<https://www.youtube.com/user/ARRIChannel>.
Arnold & Richter Cine Technik GmbH & Co. Betriebs KG
Sitz: München - Registergericht: Amtsgericht München - Handelsregisternummer: HRA 57918
Persönlich haftender Gesellschafter: Arnold & Richter Cine Technik GmbH
Sitz: München - Registergericht: Amtsgericht München - Handelsregisternummer: HRB 54477
Geschäftsführer: Dr. Michael Neuhäuser; Stephan Schenk; Walter Trauninger; Markus Zeiler
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next reply other threads:[~2020-01-20 16:39 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-20 16:38 Christian Eggers [this message]
2020-01-20 19:53 ` Sascha Hauer
2020-01-21 10:52 ` Ahmad Fatoum
2020-01-21 11:11 ` Sascha Hauer
2020-01-23 10:29 ` Configuring for secure boot / Using bootchooser Christian Eggers
2020-01-27 10:07 ` Sascha Hauer
2020-01-27 10:18 ` [RFC PATCH] bootm: Register as bootentry provider Christian Eggers
2020-01-27 12:49 ` Sascha Hauer
2020-01-27 19:26 ` Christian Eggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2198510.7r5C0NBLhF@n95hx1g2 \
--to=ceggers@arri.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox