* [PATCH v2 1/5] security: add new top-level menu
@ 2025-08-07 8:19 Ahmad Fatoum
2025-08-07 8:19 ` [PATCH v2 2/5] security: mark weaker passwords hashing algorithms insecure Ahmad Fatoum
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Ahmad Fatoum @ 2025-08-07 8:19 UTC (permalink / raw)
To: barebox
From: Ahmad Fatoum <a.fatoum@barebox.org>
Instead of distributing security-related options and code across lib/,
common/ and crypto/, let's collect them in a new security/ top-level
directory and give it its own top-level menu for visibility.
The new security/ exists alongside crypto/, where the latter is for algorithms
and the former is for concrete implementations like JWT.
Signed-off-by: Ahmad Fatoum <a.fatoum@barebox.org>
---
v1 -> v2:
- move warning about HAS_INSECURE_DEFAULTS to the end
- drop wrongly squashed SECURITY_POLICY options
- move blobgen.c
---
Kconfig | 3 +-
Makefile | 2 +-
common/Kconfig | 142 --------------------------
common/Makefile | 24 -----
crypto/Kconfig | 12 ---
crypto/Makefile | 2 -
lib/Kconfig | 6 --
lib/Kconfig.hardening | 8 +-
lib/Makefile | 1 -
security/Kconfig | 176 ++++++++++++++++++++++++++++++++
security/Makefile | 29 ++++++
{lib => security}/blobgen.c | 0
{crypto => security}/jwt.c | 0
{crypto => security}/keystore.c | 0
{common => security}/optee.c | 0
{common => security}/password.c | 0
16 files changed, 210 insertions(+), 195 deletions(-)
create mode 100644 security/Kconfig
create mode 100644 security/Makefile
rename {lib => security}/blobgen.c (100%)
rename {crypto => security}/jwt.c (100%)
rename {crypto => security}/keystore.c (100%)
rename {common => security}/optee.c (100%)
rename {common => security}/password.c (100%)
diff --git a/Kconfig b/Kconfig
index 9c3a20a9a9a3..db6aad2e4f55 100644
--- a/Kconfig
+++ b/Kconfig
@@ -16,8 +16,9 @@ source "commands/Kconfig"
source "net/Kconfig"
source "drivers/Kconfig"
source "fs/Kconfig"
-source "lib/Kconfig"
+source "security/Kconfig"
source "crypto/Kconfig"
+source "lib/Kconfig"
source "firmware/Kconfig"
source "scripts/Kconfig"
source "test/Kconfig"
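Review bot: The lib/Kconfig line is not just joined by a new entry here, it is moved below crypto/Kconfig, which changes the order of the existing top-level menus, and the commit message does not mention that. If the reordering is wanted so that the security menu is listed ahead of the lib menu, say so in the commit message; otherwise add the security/Kconfig line and leave lib/Kconfig where it was.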
diff --git a/Makefile b/Makefile
index 0a3043c6e2a8..836176d541c3 100644
--- a/Makefile
+++ b/Makefile
@@ -664,7 +664,7 @@ endif
include $(srctree)/scripts/Makefile.lib
# Objects we will link into barebox / subdirs we need to visit
-common-y := common/ drivers/ commands/ lib/ crypto/ net/ fs/ firmware/
+common-y := common/ drivers/ commands/ lib/ security/ crypto/ net/ fs/ firmware/
include $(srctree)/arch/$(SRCARCH)/Makefile
diff --git a/common/Kconfig b/common/Kconfig
index b2449207eff9..a8e62600c4ee 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -141,28 +141,6 @@ config LOCALVERSION_AUTO
which is done within the script "scripts/setlocalversion".)
-config HAS_INSECURE_DEFAULTS
- bool
- help
- This is selected by options that have potentially insecure defaults.
- Extra care needs to be taken when these options are not disabled
- in secure booted systems.
-
- Any option selecting this should include in its help text
- an explanation of the security considerations.
-
-config INSECURE
- bool "enable convenient defaults that are unsuitable for secure-booting systems"
- default y
- select HAS_INSECURE_DEFAULTS
- help
- Say n here when barebox is part of a secure boot chain and you
- want to disable defaults that may compromise the boot chain.
-
- This option is a moving target. Currently it:
-
- - changes the default of global.env.autoprobe to 1
-
config BANNER
bool "display banner"
default y
@@ -535,53 +513,6 @@ config MENU
a menu framework that allow us to create list menu to simplify
barebox and make it more user-friendly
-config PASSWORD
- bool
- prompt "Password Framework"
- select DIGEST
- help
- allow you to have password protection framework
-
-config PASSWORD_DEFAULT
- string
- prompt "Password default file"
- depends on PASSWORD
- help
- Set this to a file which is used as default password file. This file
- has to contain the passwd encoded with the selected password digest.
- i.e.:
- echo -ne "MyPassword" | md5sum | while read a b; do echo $a > passwdfile; done
-
-
-if PASSWORD
-
-choice
- prompt "passwd checksum"
-
-config PASSWD_SUM_MD5
- bool "MD5"
- select DIGEST_MD5_GENERIC
-
-config PASSWD_SUM_SHA1
- bool "SHA1"
- select DIGEST_SHA1_GENERIC
-
-config PASSWD_SUM_SHA256
- bool "SHA256"
- select DIGEST_SHA256_GENERIC
-
-config PASSWD_SUM_SHA512
- bool "SHA512"
- select DIGEST_SHA512_GENERIC
-
-config PASSWD_CRYPTO_PBKDF2
- bool "PBKDF2"
- select CRYPTO_PBKDF2
-
-endchoice
-
-endif
-
config ERRNO_MESSAGES
bool
prompt "print error values as text"
@@ -1347,79 +1278,6 @@ config EXTERNAL_DTS_FRAGMENTS
to add dts fragments from outside the Barebox source tree into the
Barebox build.
-menu "OP-TEE loading"
-
-config HAVE_OPTEE
- bool
- help
- This symbol is selected by configuration where barebox either
- starts OP-TEE or runs while OP-TEE is running. Actual
- bidirectional communication with OP-TEE is enabled via
- CONFIG_OPTEE.
-
-config OPTEE_SIZE
- hex
- default 0x02000000
- prompt "OP-TEE Memory Size"
- depends on HAVE_OPTEE
- help
- Size to reserve in main memory for OP-TEE, including its shared memory.
- Can be larger than the actual size used by OP-TEE, this is used to prevent
- barebox from using or speculating into this area.
- On i.MX, this should be at least OP-TEE CFG_TZDRAM + CFG_SHMEM_SIZE.
- The name of the CFG_ options may differ on other platforms.
-
-config OPTEE_SHM_SIZE
- hex
- default 0x400000
- prompt "OP-TEE Shared Memory Size"
- depends on HAVE_OPTEE
- help
- Size to reserve in main memory for static OP-TEE shared memory
- communication. The OP-TEE shared memory starts directly after
- the OPTEE TZDRAM region. It should be chosen to be equivalent
- to CFG_SHMEM_SIZE in OP-TEE.
-
- This value can be used for fixing up the OP-TEE OF node.
-
- A shared memory size of 0 means that only dynamic shared memory
- will be supported for communication with OP-TEE. This is the only
- mode supported by barebox anyway, but support needs to be enabled
- in OP-TEE at compile-time.
-
-config BOOTM_OPTEE
- bool
- prompt "support booting OP-TEE"
- depends on BOOTM && ARM32
- select HAVE_OPTEE
- select HAS_INSECURE_DEFAULTS
- help
- OP-TEE is a trusted execution environment (TEE). With this option
- enabled barebox supports starting optee_os as part of the bootm command.
- Instead of the kernel bootm starts the optee_os binary which then starts
- the kernel in nonsecure mode. Pass the optee_os binary with the -t option
- or in the global.bootm.tee variable.
-
- This mode of late loading OP-TEE just before the kernel is deprecated
- in favor of early loading OP-TEE in the PBL (CONFIG_PBL_OPTEE).
- Early-loading greatly reduces the attack surface and is the only mode
- supported outside of ARMv7.
-
-config PBL_OPTEE
- bool "Enable OP-TEE early start"
- depends on ARM
- select HAVE_OPTEE
- help
- Allows starting OP-TEE during lowlevel initialization of the PBL.
- Requires explicit support in the board's lowlevel file (for ARM32)
- or the generic SoC support (for ARM64).
-
- OP-TEE versions older than 3.11.0 do not support jumping back from OP-TEE
- to barebox in THUMB2 mode. Make sure you do not compile barebox in THUMB2
- mode for OP-TEE versions older than this.
-
-endmenu
-
config FILETYPE_STRINGS
bool "Print file types as strings"
default y
diff --git a/common/Makefile b/common/Makefile
index 0cead5e8b094..b50b92122293 100644
--- a/common/Makefile
+++ b/common/Makefile
@@ -59,7 +59,6 @@ obj-$(CONFIG_MODULES) += module.o
extra-$(CONFIG_MODULES) += module.lds
obj-$(CONFIG_OFTREE) += oftree.o
obj-$(CONFIG_PARTITION_DISK) += partitions.o partitions/
-obj-$(CONFIG_PASSWORD) += password.o
obj-$(CONFIG_HAS_SCHED) += sched.o
obj-$(CONFIG_POLLER) += poller.o
obj-$(CONFIG_BTHREAD) += bthread.o
@@ -83,32 +82,9 @@ obj-$(CONFIG_BOOT) += boot.o bootscan.o
obj-$(CONFIG_BOOT_DEFAULTS) += bootdef.o
obj-$(CONFIG_SERIAL_DEV_BUS) += serdev.o
obj-$(CONFIG_USB_GADGET) += usbgadget.o
-obj-pbl-$(CONFIG_HAVE_OPTEE) += optee.o
obj-$(CONFIG_FASTBOOT_BASE) += fastboot.o
obj-$(CONFIG_CDEV_ALIAS) += cdev-alias.o
-ifdef CONFIG_PASSWORD
-
-ifeq ($(CONFIG_PASSWORD_DEFAULT),"")
-define filechk_passwd
- echo "static const char default_passwd[] = \"\";"
-endef
-else
-define filechk_passwd
-( \
-echo -n "static const char default_passwd[] = \""; \
-cat $(shell find $(srctree) -name $(CONFIG_PASSWORD_DEFAULT) -type f) | tr -d '\n';\
-echo "\";" \
-)
-endef
-endif
-
-include/generated/passwd.h: FORCE
- $(call filechk,passwd)
-
-$(obj)/password.o: include/generated/passwd.h
-endif # CONFIG_PASSWORD
-
# dependencies on generated files need to be listed explicitly
$(obj)/version.o: include/generated/compile.h
$(obj)/imd-barebox.o: include/generated/compile.h
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 14728be4aa91..6136c7e8ccfd 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -148,16 +148,4 @@ config CRYPTO_PUBLIC_KEYS
corresponding value in the environment variable VAR_NAME for both
public key paths/URIs as well as key name hints.
-config CRYPTO_KEYSTORE
- bool "Keystore"
- help
- This is a simple keystore, which can be used to pass keys
- between several components via simple interface.
-
-config JWT
- bool "JSON Web Token support" if COMPILE_TEST
- select JSMN
- select BASE64
- select CRYPTO_RSA
-
endmenu
diff --git a/crypto/Makefile b/crypto/Makefile
index 7148aecb4a8e..76b12bef50e2 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -17,12 +17,10 @@ obj-pbl-y += memneq.o
obj-$(CONFIG_CRYPTO_PBKDF2) += pbkdf2.o
obj-$(CONFIG_CRYPTO_RSA) += rsa.o
-obj-$(CONFIG_CRYPTO_KEYSTORE) += keystore.o
obj-$(CONFIG_CRYPTO_BUILTIN_KEYS) += public-keys.o
obj-$(CONFIG_CRYPTO_ECC) += ecc.o
obj-$(CONFIG_CRYPTO_ECDSA) += ecdsa.o
-obj-$(CONFIG_JWT) += jwt.o
extra-$(CONFIG_CRYPTO_BUILTIN_KEYS) += public-keys.h
diff --git a/lib/Kconfig b/lib/Kconfig
index 0cb3a136b38e..d07e2f3b6959 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -210,10 +210,6 @@ config GENERIC_LIB_MULDI3
config NLS
bool "Native language support"
-config BLOBGEN
- select BASE64
- bool "include blob encode/decode support"
-
config GENERIC_ALLOCATOR
bool
help
@@ -223,5 +219,3 @@ config IDR
bool
endmenu
-
-source "lib/Kconfig.hardening"
diff --git a/lib/Kconfig.hardening b/lib/Kconfig.hardening
index d9f6909eca51..3b3ba6267aec 100644
--- a/lib/Kconfig.hardening
+++ b/lib/Kconfig.hardening
@@ -1,10 +1,6 @@
-menu "Hardening options"
+# SPDX-License-Identifier: GPL-2.0
-if HAS_INSECURE_DEFAULTS
-comment "This barebox configuration has CONFIG_HAS_INSECURE_DEFAULTS=y indicating"
-comment "that some of the configured options have potentially insecure defaults."
-comment "Extra care needs to be taken in secure booted systems."
-endif
+menu "Hardening options"
config BUG_ON_DATA_CORRUPTION
bool "Trigger a BUG when data corruption is detected"
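Review bot: The SPDX line added at the top of this file reads GPL-2.0, while the new security/Kconfig and security/Makefile in the same patch use GPL-2.0-only. Use one identifier consistently and mention the added license tag in the commit message, since it is not part of the move. This file is also now sourced from security/Kconfig instead of lib/Kconfig, so consider moving it to security/Kconfig.hardening along with the other files.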
diff --git a/lib/Makefile b/lib/Makefile
index e95c91d5c211..9592ccb68312 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -24,7 +24,6 @@ obj-y += libbb.o
obj-y += libgen.o
obj-$(CONFIG_FIP) += fip.o tbbr_config.o
obj-$(CONFIG_JSMN) += jsmn.o
-obj-$(CONFIG_BLOBGEN) += blobgen.o
obj-y += stringlist.o
obj-y += scatterlist.o
obj-y += cmdlinepart.o
diff --git a/security/Kconfig b/security/Kconfig
new file mode 100644
index 000000000000..95c062201acf
--- /dev/null
+++ b/security/Kconfig
@@ -0,0 +1,176 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Security configuration
+#
+
+menu "Security options"
+
+config INSECURE
+ bool "enable convenient defaults that are unsuitable for secure-booting systems"
+ default y
+ select HAS_INSECURE_DEFAULTS
+ help
+ Say n here when barebox is part of a secure boot chain and you
+ want to disable defaults that may compromise the boot chain.
+
+ This option is a moving target. Currently it:
+
+ - changes the default of global.env.autoprobe to 1
+
+config PASSWORD
+ bool
+ prompt "Password Framework"
+ select DIGEST
+ help
+ allow you to have password protection framework
+
+config PASSWORD_DEFAULT
+ string
+ prompt "Password default file"
+ depends on PASSWORD
+ help
+ Set this to a file which is used as default password file. This file
+ has to contain the passwd encoded with the selected password digest.
+ i.e.:
+ echo -ne "MyPassword" | md5sum | while read a b; do echo $a > passwdfile; done
+
+
+if PASSWORD
+
+choice
+ prompt "passwd checksum"
+
+config PASSWD_SUM_MD5
+ bool "MD5"
+ select DIGEST_MD5_GENERIC
+
+config PASSWD_SUM_SHA1
+ bool "SHA1"
+ select DIGEST_SHA1_GENERIC
+
+config PASSWD_SUM_SHA256
+ bool "SHA256"
+ select DIGEST_SHA256_GENERIC
+
+config PASSWD_SUM_SHA512
+ bool "SHA512"
+ select DIGEST_SHA512_GENERIC
+
+config PASSWD_CRYPTO_PBKDF2
+ bool "PBKDF2"
+ select CRYPTO_PBKDF2
+
+endchoice
+
+endif
+
+
+config CRYPTO_KEYSTORE
+ bool "Keystore"
+ help
+ This is a simple keystore, which can be used to pass keys
+ between several components via simple interface.
+
+config BLOBGEN
+ select BASE64
+ bool "include blob encode/decode support"
+
+config JWT
+ bool "JSON Web Token support" if COMPILE_TEST
+ select JSMN
+ select BASE64
+ select CRYPTO_RSA
+
+menu "OP-TEE loading"
+
+config HAVE_OPTEE
+ bool
+ help
+ This symbol is selected by configuration where barebox either
+ starts OP-TEE or runs while OP-TEE is running. Actual
+ bidirectional communication with OP-TEE is enabled via
+ CONFIG_OPTEE.
+
+config OPTEE_SIZE
+ hex
+ default 0x02000000
+ prompt "OP-TEE Memory Size"
+ depends on HAVE_OPTEE
+ help
+ Size to reserve in main memory for OP-TEE, including its shared memory.
+ Can be larger than the actual size used by OP-TEE, this is used to prevent
+ barebox from using or speculating into this area.
+ On i.MX, this should be at least OP-TEE CFG_TZDRAM + CFG_SHMEM_SIZE.
+ The name of the CFG_ options may differ on other platforms.
+
+config OPTEE_SHM_SIZE
+ hex
+ default 0x400000
+ prompt "OP-TEE Shared Memory Size"
+ depends on HAVE_OPTEE
+ help
+ Size to reserve in main memory for static OP-TEE shared memory
+ communication. The OP-TEE shared memory starts directly after
+ the OPTEE TZDRAM region. It should be chosen to be equivalent
+ to CFG_SHMEM_SIZE in OP-TEE.
+
+ This value can be used for fixing up the OP-TEE OF node.
+
+ A shared memory size of 0 means that only dynamic shared memory
+ will be supported for communication with OP-TEE. This is the only
+ mode supported by barebox anyway, but support needs to be enabled
+ in OP-TEE at compile-time.
+
+config BOOTM_OPTEE
+ bool
+ prompt "support booting OP-TEE"
+ depends on BOOTM && ARM32
+ select HAVE_OPTEE
+ select HAS_INSECURE_DEFAULTS
+ help
+ OP-TEE is a trusted execution environment (TEE). With this option
+ enabled barebox supports starting optee_os as part of the bootm command.
+ Instead of the kernel bootm starts the optee_os binary which then starts
+ the kernel in nonsecure mode. Pass the optee_os binary with the -t option
+ or in the global.bootm.tee variable.
+
+ This mode of late loading OP-TEE just before the kernel is deprecated
+ in favor of early loading OP-TEE in the PBL (CONFIG_PBL_OPTEE).
+ Early-loading greatly reduces the attack surface and is the only mode
+ supported outside of ARMv7.
+
+config PBL_OPTEE
+ bool "Enable OP-TEE early start"
+ depends on ARM
+ select HAVE_OPTEE
+ help
+ Allows starting OP-TEE during lowlevel initialization of the PBL.
+ Requires explicit support in the board's lowlevel file (for ARM32)
+ or the generic SoC support (for ARM64).
+
+ OP-TEE versions older than 3.11.0 do not support jumping back from OP-TEE
+ to barebox in THUMB2 mode. Make sure you do not compile barebox in THUMB2
+ mode for OP-TEE versions older than this.
+
+endmenu
+
+source "lib/Kconfig.hardening"
+
+config HAS_INSECURE_DEFAULTS
+ bool
+ help
+ This is selected by options that have potentially insecure defaults.
+ Extra care needs to be taken when these options are not disabled
+ in secure booted systems.
+
+ Any option selecting this should include in its help text
+ an explanation of the security considerations.
+
+if HAS_INSECURE_DEFAULTS
+comment "This barebox configuration has CONFIG_HAS_INSECURE_DEFAULTS=y indicating"
+comment "that some of the configured options have potentially insecure defaults."
+comment "Extra care needs to be taken in secure booted systems."
+endif
+
+
+endmenu
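Review bot: BLOBGEN and JWT land in the new menu without any help text, and BLOBGEN lists "select BASE64" ahead of its "bool" line, unlike every other entry in this file. Since the stated goal of the new menu is visibility, a short help text for both (what the blob support is used for, why JWT is only selectable under COMPILE_TEST) would be worth a follow-up patch so that this one stays a pure move. The doubled blank lines before CRYPTO_KEYSTORE and before the closing endmenu can be dropped at the same time.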
diff --git a/security/Makefile b/security/Makefile
new file mode 100644
index 000000000000..de9778620d28
--- /dev/null
+++ b/security/Makefile
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: GPL-2.0-only
+
+obj-$(CONFIG_CRYPTO_KEYSTORE) += keystore.o
+obj-$(CONFIG_JWT) += jwt.o
+obj-pbl-$(CONFIG_HAVE_OPTEE) += optee.o
+obj-$(CONFIG_BLOBGEN) += blobgen.o
+obj-$(CONFIG_PASSWORD) += password.o
+
+ifdef CONFIG_PASSWORD
+
+ifeq ($(CONFIG_PASSWORD_DEFAULT),"")
+define filechk_passwd
+ echo "static const char default_passwd[] = \"\";"
+endef
+else
+define filechk_passwd
+( \
+echo -n "static const char default_passwd[] = \""; \
+cat $(shell find $(srctree) -name $(CONFIG_PASSWORD_DEFAULT) -type f) | tr -d '\n';\
+echo "\";" \
+)
+endef
+endif
+
+include/generated/passwd.h: FORCE
+ $(call filechk,passwd)
+
+$(obj)/password.o: include/generated/passwd.h
+endif # CONFIG_PASSWORD
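Review bot: In filechk_passwd, the lookup "find $(srctree) -name $(CONFIG_PASSWORD_DEFAULT) -type f" matches by file name anywhere in the source tree, so two files that share the name are concatenated by cat into default_passwd, and nothing in the rule reports a name that matches no file. This is carried over unchanged from common/Makefile, but for a value that ends up as the built-in password digest it would be safer to resolve a single path relative to $(srctree) and fail the build when it is missing; a follow-up patch would keep this one a pure move.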
diff --git a/lib/blobgen.c b/security/blobgen.c
similarity index 100%
rename from lib/blobgen.c
rename to security/blobgen.c
diff --git a/crypto/jwt.c b/security/jwt.c
similarity index 100%
rename from crypto/jwt.c
rename to security/jwt.c
diff --git a/crypto/keystore.c b/security/keystore.c
similarity index 100%
rename from crypto/keystore.c
rename to security/keystore.c
diff --git a/common/optee.c b/security/optee.c
similarity index 100%
rename from common/optee.c
rename to security/optee.c
diff --git a/common/password.c b/security/password.c
similarity index 100%
rename from common/password.c
rename to security/password.c
--
2.39.5
* [PATCH v2 2/5] security: mark weaker passwords hashing algorithms insecure
2025-08-07 8:19 [PATCH v2 1/5] security: add new top-level menu Ahmad Fatoum
@ 2025-08-07 8:19 ` Ahmad Fatoum
2025-08-07 8:19 ` [PATCH v2 3/5] commands: introduce new security command group Ahmad Fatoum
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Ahmad Fatoum @ 2025-08-07 8:19 UTC (permalink / raw)
To: barebox
From: Ahmad Fatoum <a.fatoum@barebox.org>
It's well known that MD5 and SHA1 aren't suitable password hashing
algorithms. Let's alert users to that fact by selecting
HAS_INSECURE_DEFAULTS.
Signed-off-by: Ahmad Fatoum <a.fatoum@barebox.org>
---
v1 -> v2:
- unchanged
---
security/Kconfig | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/security/Kconfig b/security/Kconfig
index 95c062201acf..b9447e73fc6f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -43,10 +43,21 @@ choice
config PASSWD_SUM_MD5
bool "MD5"
select DIGEST_MD5_GENERIC
+ select HAS_INSECURE_DEFAULTS
+ help
+ MD5 had been widely used historically as a cryptographic hash function,
+ but has been found to suffer from extensive vulnerabilities.
+ Use of MD5 to hash passwords is strongly discouraged.
config PASSWD_SUM_SHA1
bool "SHA1"
select DIGEST_SHA1_GENERIC
+ select HAS_INSECURE_DEFAULTS
+ help
+ SHA1 had been widely used historically as a cryptographic hash function,
+ but has since been cryptographically broken.
+ SHA-1 was designed for speed and thus use as password hash is strongly
+ discouraged as it's easier for an attacker to brute force.
config PASSWD_SUM_SHA256
bool "SHA256"
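Review bot: The reasoning in the new PASSWD_SUM_SHA1 help text (designed for speed, so easier for an attacker to brute force) applies equally to PASSWD_SUM_SHA256 and PASSWD_SUM_SHA512, which stay unmarked even though, going by the PASSWORD_DEFAULT help text, they are likewise plain digests of the password. Either select HAS_INSECURE_DEFAULTS for them as well, leaving PASSWD_CRYPTO_PBKDF2 as the only unflagged entry, or state in their help text why they are treated differently. The SHA1 help also mixes the spellings "SHA1" and "SHA-1"; pick one.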
--
2.39.5
* [PATCH v2 3/5] commands: introduce new security command group
2025-08-07 8:19 [PATCH v2 1/5] security: add new top-level menu Ahmad Fatoum
2025-08-07 8:19 ` [PATCH v2 2/5] security: mark weaker passwords hashing algorithms insecure Ahmad Fatoum
@ 2025-08-07 8:19 ` Ahmad Fatoum
2025-08-07 8:19 ` [PATCH v2 4/5] security: password: make PBKDF2 the default instead of MD5 Ahmad Fatoum
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Ahmad Fatoum @ 2025-08-07 8:19 UTC (permalink / raw)
To: barebox
From: Ahmad Fatoum <a.fatoum@barebox.org>
Instead of putting security-related commands into misc, let's give them
their own group.
Signed-off-by: Ahmad Fatoum <a.fatoum@barebox.org>
---
v1 -> v2:
- unchanged
---
commands/avb_pvalue.c | 2 +-
commands/blobgen.c | 2 +-
commands/help.c | 1 +
commands/keystore.c | 2 +-
include/command.h | 3 ++-
5 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/commands/avb_pvalue.c b/commands/avb_pvalue.c
index d91c311de5ec..70d39b8e84f8 100644
--- a/commands/avb_pvalue.c
+++ b/commands/avb_pvalue.c
@@ -134,5 +134,5 @@ BAREBOX_CMD_START(avb_pvalue)
BAREBOX_CMD_DESC("AVB persistent variable store")
BAREBOX_CMD_OPTS("[-rwf] [VARNAME/VALUE]")
BAREBOX_CMD_HELP(cmd_avb_pvalue_help)
- BAREBOX_CMD_GROUP(CMD_GRP_CONSOLE)
+ BAREBOX_CMD_GROUP(CMD_GRP_SECURITY)
BAREBOX_CMD_END
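Review bot: The commit message says the commands are taken out of misc, but this hunk moves avb_pvalue out of CMD_GRP_CONSOLE and the blobgen hunk moves that command out of CMD_GRP_HWMANIP; only keystore was in CMD_GRP_MISC. Reword the commit message to say that security-related commands were spread over several groups.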
diff --git a/commands/blobgen.c b/commands/blobgen.c
index 8ff2cc2c1142..4bbbc24b3b6d 100644
--- a/commands/blobgen.c
+++ b/commands/blobgen.c
@@ -118,6 +118,6 @@ BAREBOX_CMD_START(blobgen)
.cmd = do_blobgen,
BAREBOX_CMD_DESC("en/decrypt blobs")
BAREBOX_CMD_OPTS("[-edmVb] <plaintext/ciphertext>")
- BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP)
+ BAREBOX_CMD_GROUP(CMD_GRP_SECURITY)
BAREBOX_CMD_HELP(cmd_blobgen_help)
BAREBOX_CMD_END
diff --git a/commands/help.c b/commands/help.c
index ba8542b90f01..6851c652ac09 100644
--- a/commands/help.c
+++ b/commands/help.c
@@ -59,6 +59,7 @@ static void list_commands(int verbose)
list_group(verbose, "Console", CMD_GRP_CONSOLE);
list_group(verbose, "Memory", CMD_GRP_MEM);
list_group(verbose, "Hardware manipulation", CMD_GRP_HWMANIP);
+ list_group(verbose, "Security", CMD_GRP_SECURITY);
list_group(verbose, "Miscellaneous", CMD_GRP_MISC);
list_group(verbose, "Ungrouped", 0);
printf("Use 'help COMMAND' for more details.\n\n");
diff --git a/commands/keystore.c b/commands/keystore.c
index 8679a840e8d9..fe5cede951f3 100644
--- a/commands/keystore.c
+++ b/commands/keystore.c
@@ -97,6 +97,6 @@ BAREBOX_CMD_START(keystore)
.cmd = do_keystore,
BAREBOX_CMD_DESC("manage keys")
BAREBOX_CMD_OPTS("[-rsf] <keyname>")
- BAREBOX_CMD_GROUP(CMD_GRP_MISC)
+ BAREBOX_CMD_GROUP(CMD_GRP_SECURITY)
BAREBOX_CMD_HELP(cmd_keystore_help)
BAREBOX_CMD_END
diff --git a/include/command.h b/include/command.h
index 03ac270d1305..378e1458a589 100644
--- a/include/command.h
+++ b/include/command.h
@@ -79,7 +79,8 @@ static inline int run_command(const char *cmd) { return -ENOSYS; }
#define CMD_GRP_CONSOLE 8
#define CMD_GRP_MEM 9
#define CMD_GRP_HWMANIP 10
-#define CMD_GRP_MISC 11
+#define CMD_GRP_SECURITY 11
+#define CMD_GRP_MISC 12
#endif /* __ASSEMBLY__ */
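Review bot: CMD_GRP_MISC is renumbered from 11 to 12 to make room for CMD_GRP_SECURITY, but the order in which groups are displayed comes from the list_group() calls in commands/help.c, not from the numeric values. Giving CMD_GRP_SECURITY the next free value, 12, would leave the existing constant untouched and reduce this hunk to a single added line.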
--
2.39.5
* [PATCH v2 4/5] security: password: make PBKDF2 the default instead of MD5
2025-08-07 8:19 [PATCH v2 1/5] security: add new top-level menu Ahmad Fatoum
2025-08-07 8:19 ` [PATCH v2 2/5] security: mark weaker passwords hashing algorithms insecure Ahmad Fatoum
2025-08-07 8:19 ` [PATCH v2 3/5] commands: introduce new security command group Ahmad Fatoum
@ 2025-08-07 8:19 ` Ahmad Fatoum
2025-08-07 8:19 ` [PATCH v2 5/5] commands: move login/passwd into security section Ahmad Fatoum
2025-08-08 5:37 ` [PATCH v2 1/5] security: add new top-level menu Sascha Hauer
4 siblings, 0 replies; 6+ messages in thread
From: Ahmad Fatoum @ 2025-08-07 8:19 UTC (permalink / raw)
To: barebox
From: Ahmad Fatoum <a.fatoum@barebox.org>
MD5 was the first entry in the choice and thus automatically the
default. This is a bad idea, so make PBKDF2 the explicit default.
Signed-off-by: Ahmad Fatoum <a.fatoum@barebox.org>
---
v1 -> v2:
- unchanged
---
security/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/Kconfig b/security/Kconfig
index b9447e73fc6f..372fd275fde9 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -39,6 +39,7 @@ if PASSWORD
choice
prompt "passwd checksum"
+ default PASSWD_CRYPTO_PBKDF2
config PASSWD_SUM_MD5
bool "MD5"
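Review bot: The added "default PASSWD_CRYPTO_PBKDF2" line changes the digest for every configuration that never set this choice explicitly, so a PASSWORD_DEFAULT file or a stored /env/etc/passwd that was generated with MD5 may no longer verify after a rebuild. The commit message should call out this migration step. The PASSWORD_DEFAULT help text also still shows an md5sum one-liner as its only example and should be updated to show how to produce an entry for the new default.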
--
2.39.5
* [PATCH v2 5/5] commands: move login/passwd into security section
2025-08-07 8:19 [PATCH v2 1/5] security: add new top-level menu Ahmad Fatoum
` (2 preceding siblings ...)
2025-08-07 8:19 ` [PATCH v2 4/5] security: password: make PBKDF2 the default instead of MD5 Ahmad Fatoum
@ 2025-08-07 8:19 ` Ahmad Fatoum
2025-08-08 5:37 ` [PATCH v2 1/5] security: add new top-level menu Sascha Hauer
4 siblings, 0 replies; 6+ messages in thread
From: Ahmad Fatoum @ 2025-08-07 8:19 UTC (permalink / raw)
To: barebox
From: Ahmad Fatoum <a.fatoum@barebox.org>
These fit thematically better to the security commands instead of the
console commands they are currently grouped with.
Signed-off-by: Ahmad Fatoum <a.fatoum@barebox.org>
---
v1 -> v2:
- unchanged
---
commands/Kconfig | 97 ++++++++++++++++++++++++-----------------------
commands/login.c | 2 +-
commands/passwd.c | 2 +-
3 files changed, 51 insertions(+), 50 deletions(-)
diff --git a/commands/Kconfig b/commands/Kconfig
index 6c61bff1cd12..16b995cb3b7c 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -1535,23 +1535,6 @@ config CMD_EDIT
Use cursor keys, Ctrl-C to exit and Ctrl-D to exit-with-save.
-config CMD_LOGIN
- tristate
- select PASSWORD
- depends on !CONSOLE_NONE
- prompt "login"
- help
- Ask for a password
-
- Usage: login [-t TIMEOUT] COMMAND
-
- Asks for a password from the console before script execution continues.
- The password can be set with the 'passwd' command. Instead of specifying
- a TIMEOUT the magic variable 'global.login.timeout' could be set.
-
- Options:
- -t TIMEOUT Execute COMMAND if no login withing TIMEOUT seconds
-
config CMD_MENU
tristate
depends on MENU
@@ -1645,37 +1628,6 @@ config CMD_MENUTREE
Options:
-m DIR directory where the menu starts (Default: /env/menu)
-config CMD_PASSWD
- tristate
- depends on CMD_LOGIN
- prompt "passwd"
- help
- Set password
-
- Interactively asks for a password. The digest of this password will be
- stored in /env/etc/passwd. This is then used by the 'login' command.
-
- Passwords can be generated on the host machine using barebox sandbox.
-
- Entering an empty string will disable the password function.
-
-if CMD_LOGIN || CMD_PASSWD
-
-choice
- prompt "passwd mode"
-
-config PASSWD_MODE_HIDE
- bool "Hide"
-
-config PASSWD_MODE_STAR
- bool "Star"
-
-config PASSWD_MODE_CLEAR
- bool "Clear"
-
-endchoice
-
-endif
config CMD_SPLASH
bool
select IMAGE_RENDERER
@@ -2354,6 +2306,55 @@ config CMD_KEYSTORE
help
keystore provides access to the barebox keystore.
+config CMD_LOGIN
+ tristate
+ select PASSWORD
+ depends on !CONSOLE_NONE
+ prompt "login"
+ help
+ Ask for a password
+
+ Usage: login [-t TIMEOUT] COMMAND
+
+ Asks for a password from the console before script execution continues.
+ The password can be set with the 'passwd' command. Instead of specifying
+ a TIMEOUT the magic variable 'global.login.timeout' could be set.
+
+ Options:
+ -t TIMEOUT Execute COMMAND if no login withing TIMEOUT seconds
+
+config CMD_PASSWD
+ tristate
+ depends on CMD_LOGIN
+ prompt "passwd"
+ help
+ Set password
+
+ Interactively asks for a password. The digest of this password will be
+ stored in /env/etc/passwd. This is then used by the 'login' command.
+
+ Passwords can be generated on the host machine using barebox sandbox.
+
+ Entering an empty string will disable the password function.
+
+if CMD_LOGIN || CMD_PASSWD
+
+choice
+ prompt "passwd mode"
+
+config PASSWD_MODE_HIDE
+ bool "Hide"
+
+config PASSWD_MODE_STAR
+ bool "Star"
+
+config PASSWD_MODE_CLEAR
+ bool "Clear"
+
+endchoice
+
+endif
+
# end Security commands
endmenu
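Review bot: The re-added CMD_LOGIN help text carries over the typo "withing" in the "-t TIMEOUT" option line. Fix it to "within" in a small follow-up, or here if the move does not need to stay verbatim.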
diff --git a/commands/login.c b/commands/login.c
index 7085f3885cf9..a78b729d5483 100644
--- a/commands/login.c
+++ b/commands/login.c
@@ -21,7 +21,7 @@ BAREBOX_CMD_HELP_END
BAREBOX_CMD_START(login)
.cmd = do_login,
BAREBOX_CMD_DESC("ask for a password")
- BAREBOX_CMD_GROUP(CMD_GRP_CONSOLE)
+ BAREBOX_CMD_GROUP(CMD_GRP_SECURITY)
BAREBOX_CMD_HELP(cmd_login_help)
BAREBOX_CMD_COMPLETE(empty_complete)
BAREBOX_CMD_END
diff --git a/commands/passwd.c b/commands/passwd.c
index dfcc63623a7f..5d3435f8cc4e 100644
--- a/commands/passwd.c
+++ b/commands/passwd.c
@@ -79,7 +79,7 @@ BAREBOX_CMD_HELP_END
BAREBOX_CMD_START(passwd)
.cmd = do_passwd,
BAREBOX_CMD_DESC("set password")
- BAREBOX_CMD_GROUP(CMD_GRP_CONSOLE)
+ BAREBOX_CMD_GROUP(CMD_GRP_SECURITY)
BAREBOX_CMD_HELP(cmd_passwd_help)
BAREBOX_CMD_COMPLETE(empty_complete)
BAREBOX_CMD_END
--
2.39.5
* Re: [PATCH v2 1/5] security: add new top-level menu
2025-08-07 8:19 [PATCH v2 1/5] security: add new top-level menu Ahmad Fatoum
` (3 preceding siblings ...)
2025-08-07 8:19 ` [PATCH v2 5/5] commands: move login/passwd into security section Ahmad Fatoum
@ 2025-08-08 5:37 ` Sascha Hauer
4 siblings, 0 replies; 6+ messages in thread
From: Sascha Hauer @ 2025-08-08 5:37 UTC (permalink / raw)
To: barebox, Ahmad Fatoum
On Thu, 07 Aug 2025 10:19:38 +0200, Ahmad Fatoum wrote:
> Instead of distributing security-related options and code across lib/,
> common/ and crypto/, let's collect them in a new security/ top-level
> directory and give it its own top-level menu for visibility.
>
> The new security/ exists alongside crypto/, where the latter is for algorithms
> and the former is for concrete implementations like JWT.
>
> [...]
Applied, thanks!
[1/5] security: add new top-level menu
https://git.pengutronix.de/cgit/barebox/commit/?id=854e27fed9f2 (link may not be stable)
[2/5] security: mark weaker passwords hashing algorithms insecure
https://git.pengutronix.de/cgit/barebox/commit/?id=9170ec0423c0 (link may not be stable)
[3/5] commands: introduce new security command group
https://git.pengutronix.de/cgit/barebox/commit/?id=9721a352c009 (link may not be stable)
[4/5] security: password: make PBKDF2 the default instead of MD5
https://git.pengutronix.de/cgit/barebox/commit/?id=d663ac87055a (link may not be stable)
[5/5] commands: move login/passwd into security section
https://git.pengutronix.de/cgit/barebox/commit/?id=5ba7720c6ee0 (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>