From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Marco Felsch <m.felsch@pengutronix.de>,
Sascha Hauer <s.hauer@pengutronix.de>
Cc: BAREBOX <barebox@lists.infradead.org>
Subject: Re: [PATCH 3/3] environment: add explicit option to allow searching for environment devices
Date: Mon, 4 May 2026 14:02:16 +0200 [thread overview]
Message-ID: <12eb5638-f580-4b3b-9099-9d72ddeb4f16@pengutronix.de> (raw)
In-Reply-To: <rx3wbvvlr3x5iaaojqzqi34cpjrxbweo6y5ijkgiruqoq344ty@lpxohuiqqvwr>
Hello,
On 5/4/26 1:35 PM, Marco Felsch wrote:
> Hi Sascha,
>
> On 26-04-28, Sascha Hauer wrote:
>> Add an explicit Kconfig option to allow searching the environment storage path
>> based on the barebox environment partition GUID.
>>
>> So far this depended on CONFIG_INSECURE being set. First of all loading the
>> barebox environment from storage is always insecure as the barebox environment
>> doesn't have any security measures.
It's possible to only allow environment loading after having verified
that the system is in development mode for example.
Autoloading the environment can't be secured as you note.
>> The difference that comes with loading
>> the environment from an explicitly specified storage device and autoprobing
>> it from the available block devices is that with the former an attacker would
>> need access to the internal storage whereas with the latter barebox could
>> be tricked into loading an environment from an external SD card.
>>
>> Whether or not this is acceptable depends on the case, so ask the user for it.
>>
>> Real security can only be provided by not loading an environment from storage
>> at all, but that can be controlled at compile time by disabling CONFIG_ENV_HANDLING
>> or at runtime by security policies.
>
> TBH I actually don't see why this option can't follow the
> CONFIG_INSECURE.
>
> Since ENV handling is enabled you do pull in HAS_INSECURE_DEFAULTS=y.
> As you wrote above, env handling is always insecure as of now.
>
> So it seems that you want to get rid of the CONFIG_INSECURE=y in your
> setup. The only users of this CONFIG switch are global_env_autoprobe and
> lib/random.c. Therefore my question: I don't see why we can't stick
> with the CONFIG_INSECURE switch.
I also don't understand Sascha's motivation here.
You can add global.env.autoprobe=1 to your environment to opt-in despite
CONFIG_INSECURE being disabled. What's the new Kconfig option needed for?
Cheers,
Ahmad
>
> Regards,
> Marco
>
>
>>
>> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
>> ---
>> common/Kconfig | 14 ++++++++++++++
>> common/environment.c | 2 +-
>> 2 files changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/common/Kconfig b/common/Kconfig
>> index fd422714d5..f74f06b4ad 100644
>> --- a/common/Kconfig
>> +++ b/common/Kconfig
>> @@ -987,6 +987,20 @@ config ENV_HANDLING
>> A safe use of the mutable environment may be possible if board code only
>> mounts it after verifying a JSON Web Token that enables a debug mode.
>>
>> +config ENV_HANDLING_AUTOPROBE
>> + depends on ENV_HANDLING
>> + bool "Autoprobe for environment devices"
>> + default y
>> + help
>> + There are two ways for specifying where the barebox environment is. The first one
>> + specifies the path explicitly in the device tree or board code. The other one is
>> + to automatically search it on block devices which is enabled with this option.
>> + Here a partition with the barebox environment GUID is searched. If this option
>> + is enabled and no environment is chosen by device tree or board code then a block
>> + device containing a partition with the barebox environment GUID is used for the
>> + environment. A block device barebox has booted from is preferred over other block
>> + devices.
>> +
>> config DEFAULT_ENVIRONMENT
>> select CRC32
>> bool
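Review bot: `default y` on ENV_HANDLING_AUTOPROBE turns autoprobing on for every existing configuration that had CONFIG_INSECURE disabled, which is exactly what the old `IS_ENABLED(CONFIG_INSECURE)` initializer prevented; consider `default INSECURE` (or `default n`) so that enabling the search is a deliberate choice, and the patch then changes no existing build. The help text should also state the trade-off the commit message spells out: with autoprobing, a partition carrying the barebox environment GUID on an external SD card is honoured, whereas an explicit path means an attacker needs access to the internal storage; "A block device barebox has booted from is preferred" does not help when the boot device carries no environment partition, so say so. Minor style point: put the `bool "..."` prompt line before `depends on ENV_HANDLING`, as the surrounding options in common/Kconfig do.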
>> diff --git a/common/environment.c b/common/environment.c
>> index f883a520c6..a3281feca2 100644
>> --- a/common/environment.c
>> +++ b/common/environment.c
>> @@ -53,7 +53,7 @@ struct action_data {
>>
>> #define TMPDIR "/.defaultenv"
>>
>> -static int global_env_autoprobe = IS_ENABLED(CONFIG_INSECURE);
>> +static int global_env_autoprobe = IS_ENABLED(CONFIG_ENV_HANDLING_AUTOPROBE);
>> static char *default_environment_path;
>>
>> void default_environment_path_set(const char *path)
>>
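Review bot: with this one-line change CONFIG_INSECURE no longer has any influence on the default of `global_env_autoprobe`; since the runtime variable global.env.autoprobe can already be set from the environment to opt in, the commit message should state why a second, compile-time knob is needed instead of relying on CONFIG_INSECURE plus the runtime override. Whichever default wins, it would help operators to log which block device an autoprobed environment was taken from, so that an environment picked up from a device that was never explicitly configured is visible at boot.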
>> --
>> 2.47.3
>>
>>
>>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
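Added example, not code from barebox or from anyone in this thread: a small C model of the selection policy the patch's help text and commit message describe (an explicit path wins; otherwise, only when autoprobing is on, block devices are searched for a partition with the environment GUID, preferring the boot device). The device table and the GUID string are constructed for the example (the placeholder string is not barebox's real partition type GUID), and the scenario shows the failure mode discussed above: the internal eMMC is the boot device but has no environment partition, and an external SD card carrying one gets picked whenever autoprobing is enabled.

```c
/* Illustrative model of environment-device selection, constructed for this
 * thread; it is not barebox's implementation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder standing in for the barebox environment partition type GUID
 * (assumption for the example; the real value is not reproduced here). */
#define ENV_PART_GUID "barebox-env-guid-placeholder"

struct blkdev {
	const char *name;
	const char *part_type_guid;	/* NULL: no partition with a type GUID */
	bool removable;			/* e.g. an SD card slot */
	bool is_boot_device;		/* barebox itself was loaded from it */
};

/*
 * Policy under test:
 *  1. an explicitly configured path (device tree / board code) always wins;
 *  2. with autoprobing disabled and no explicit path, no environment is loaded;
 *  3. with autoprobing enabled, search for the env GUID, preferring the boot
 *     device, otherwise the first match in probe order.
 * Returns the chosen path/device name, or NULL if nothing is loaded.
 */
const char *select_env_source(const struct blkdev *devs, size_t n,
			      const char *explicit_path, bool autoprobe)
{
	const char *fallback = NULL;
	size_t i;

	if (explicit_path && *explicit_path)
		return explicit_path;
	if (!autoprobe)
		return NULL;

	for (i = 0; i < n; i++) {
		if (!devs[i].part_type_guid ||
		    strcmp(devs[i].part_type_guid, ENV_PART_GUID) != 0)
			continue;
		if (devs[i].is_boot_device)
			return devs[i].name;
		if (!fallback)
			fallback = devs[i].name;	/* first match, probe order */
	}
	return fallback;
}

/* Constructed scenario: internal eMMC is the boot device but was never
 * provisioned with an environment partition; an external SD card carries one. */
static const struct blkdev unprovisioned_devs[] = {
	{ "mmc0", NULL,          false, true  },	/* internal eMMC, boot device */
	{ "mmc1", ENV_PART_GUID, true,  false },	/* external SD card */
};

/* Constructed scenario: both devices carry an environment partition. */
static const struct blkdev provisioned_devs[] = {
	{ "mmc0", ENV_PART_GUID, false, true  },
	{ "mmc1", ENV_PART_GUID, true,  false },
};

const char *pick_unprovisioned(bool autoprobe, const char *explicit_path)
{
	return select_env_source(unprovisioned_devs, 2, explicit_path, autoprobe);
}

const char *pick_provisioned(bool autoprobe)
{
	return select_env_source(provisioned_devs, 2, NULL, autoprobe);
}

int main(void)
{
	const char *src;

	src = pick_unprovisioned(true, NULL);
	printf("autoprobe on, no explicit path : %s\n", src ? src : "(none)");
	src = pick_unprovisioned(false, NULL);
	printf("autoprobe off, no explicit path: %s\n", src ? src : "(none)");
	src = pick_unprovisioned(false, "/dev/mmc0.env");
	printf("explicit path                  : %s\n", src ? src : "(none)");
	src = pick_provisioned(true);
	printf("both provisioned, autoprobe on : %s\n", src ? src : "(none)");
	return 0;
}
```

The boot-device preference only resolves ties; when the internal device has no environment partition, or when the board was booted from the SD card itself, the removable medium is what gets loaded, which is the case Sascha's commit message warns about and why an explicit path (or no storage-backed environment at all) is the safer default.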
Thread overview:
2026-04-28 9:24 [PATCH 0/3] environment: Allow autoprobing env devices without CONFIG_INSECURE Sascha Hauer
2026-04-28 9:24 ` [PATCH 1/3] environment: Drop /dev/env0 default Sascha Hauer
2026-04-28 9:24 ` [PATCH 2/3] environment: add global.env.path Sascha Hauer
2026-04-28 9:24 ` [PATCH 3/3] environment: add explicit option to allow searching for environment devices Sascha Hauer
2026-05-04 11:35 ` Marco Felsch
2026-05-04 12:02 ` Ahmad Fatoum [this message]
2026-05-04 13:39 ` Sascha Hauer
2026-05-04 13:52 ` Ahmad Fatoum
2026-05-04 14:55 ` Sascha Hauer
2026-05-07 11:22 ` (subset) [PATCH 0/3] environment: Allow autoprobing env devices without CONFIG_INSECURE Sascha Hauer