Re: [PATCH 1/4] common: bootm: add policy to commandline

[Sascha Hauer <s.hauer@pengutronix.de>]

On Fri, Mar 13, 2026 at 03:26:34PM +0100, Fabian Pflug wrote:
> On Fri, 2026-03-13 at 14:36 +0100, Sascha Hauer wrote:
> > On Thu, Mar 12, 2026 at 10:16:42AM +0100, Fabian Pflug wrote:
> > > If security policies are used, then the variable bootm.provide_policy
> > > can be set to automatically append the currently selected security
> > > policy to the kernel commandline with the prefix
> > > barebox.security.policy=
> > > This allows the the system to behave different based on the selected
> > > security policy.
> > > 
> > > Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> > > ---
> > >  common/bootm.c  | 23 +++++++++++++++++++++++
> > >  include/bootm.h |  5 +++++
> > >  2 files changed, 28 insertions(+)
> > > 
> > > diff --git a/common/bootm.c b/common/bootm.c
> > > index 6318509884..cd90aa81e1 100644
> > > --- a/common/bootm.c
> > > +++ b/common/bootm.c
> > > @@ -22,6 +22,7 @@
> > >  #include <uncompress.h>
> > >  #include <zero_page.h>
> > >  #include <security/config.h>
> > > +#include <security/policy.h>
> > >  
> > >  static LIST_HEAD(handler_list);
> > >  static struct sconfig_notifier_block sconfig_notifier;
> > > @@ -75,6 +76,7 @@ static int bootm_dryrun;
> > >  static int bootm_earlycon;
> > >  static int bootm_provide_machine_id;
> > >  static int bootm_provide_hostname;
> > > +static int bootm_provide_policy;
> > >  static int bootm_verbosity;
> > >  static int bootm_efi_mode = BOOTM_EFI_AVAILABLE;
> > >  
> > > @@ -97,6 +99,7 @@ void bootm_data_init_defaults(struct bootm_data *data)
> > >  	data->appendroot = bootm_appendroot;
> > >  	data->provide_machine_id = bootm_provide_machine_id;
> > >  	data->provide_hostname = bootm_provide_hostname;
> > > +	data->provide_policy = bootm_provide_policy;
> > >  	data->verbose = bootm_verbosity;
> > >  	data->dryrun = bootm_dryrun;
> > >  	data->efi_boot = bootm_efi_mode;
> > > @@ -118,6 +121,7 @@ void bootm_data_restore_defaults(const struct bootm_data *data)
> > >  	bootm_appendroot = data->appendroot;
> > >  	bootm_provide_machine_id = data->provide_machine_id;
> > >  	bootm_provide_hostname = data->provide_hostname;
> > > +	bootm_provide_policy = data->provide_policy;
> > >  	bootm_verbosity = data->verbose;
> > >  	bootm_dryrun = data->dryrun;
> > >  	bootm_efi_mode = data->efi_boot;
> > > @@ -712,6 +716,20 @@ int bootm_boot(struct bootm_data *bootm_data)
> > >  		free(hostname_bootarg);
> > >  	}
> > >  
> > > +	if (IS_ENABLED(CONFIG_SECURITY_POLICY) && bootm_data->provide_policy) {
> > > +		char *policy_bootargs;
> > > +
> > > +		if (!active_policy->name) {
> > 
> > Could active_policy be NULL here?
> I'm not totally sure. If you have activated security policies, then did not specify any policy, it may be NULL.
> Or if you have activated security policies, but never ran into a path, where 'is_allowed' is checked, because everything
> that could be configured by security policies is disabled by Kconfig and you did not set an initial policy, then it
> might be NULL.

I agree that in a sanely configured system it shouldn't be NULL.

> Will add an extra check.

Ok.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |