From: Sascha Hauer <s.hauer@pengutronix.de>
To: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
Cc: barebox@lists.infradead.org
Subject: Re: [PATCH 4/5] boot: if we are in secure boot mode
Date: Mon, 13 Mar 2017 08:50:18 +0100 [thread overview]
Message-ID: <20170313075018.566tqqmhoymv5v66@pengutronix.de> (raw)
In-Reply-To: <1489070050-16024-4-git-send-email-plagnioj@jcrosoft.com>
On Thu, Mar 09, 2017 at 03:34:09PM +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> request confirmation before booting an unsigned image
>
> with a default timeout
>
> Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
> ---
> commands/go.c | 7 +++++++
> common/Kconfig | 8 ++++++++
> common/Makefile | 1 +
> common/bootm.c | 7 +++++++
> common/secure_boot.c | 43 +++++++++++++++++++++++++++++++++++++++++++
> include/bootm.h | 1 +
> include/secure_boot.h | 25 +++++++++++++++++++++++++
> 7 files changed, 92 insertions(+)
> create mode 100644 common/secure_boot.c
> create mode 100644 include/secure_boot.h
>
> diff --git a/commands/go.c b/commands/go.c
> index fb319b320..61c9ce43f 100644
> --- a/commands/go.c
> +++ b/commands/go.c
> @@ -26,6 +26,7 @@
> #include <fcntl.h>
> #include <linux/ctype.h>
> #include <errno.h>
> +#include <secure_boot.h>
>
> static int do_go(int argc, char *argv[])
> {
> @@ -37,6 +38,12 @@ static int do_go(int argc, char *argv[])
> if (argc < 2)
> return COMMAND_ERROR_USAGE;
>
> + rcode = secure_boot_start_unsigned();
> + if (rcode)
> + return rcode ? 1 : 0;
When rcode is true, then if rcode is true, return 1, otherwise return 0?
> +
> + rcode = 1;
> +
> if (!isdigit(*argv[1])) {
> fd = open(argv[1], O_RDONLY);
> if (fd < 0) {
> diff --git a/common/Kconfig b/common/Kconfig
> index f7ff04664..9e7d027a2 100644
> --- a/common/Kconfig
> +++ b/common/Kconfig
> @@ -21,6 +21,9 @@ config HAS_KALLSYMS
> config HAS_MODULES
> bool
>
> +config HAS_SECURE_BOOT
> + bool
> +
> config HAS_CACHE
> bool
> help
> @@ -184,6 +187,11 @@ config NVVAR
> while global variables can be changed during runtime without changing the
> default.
>
> +config SECURE_BOOT_TIMEOUT
> + prompt "Secure Boot unsigned boot timeout"
> + int
> + default 3
> +
> menu "memory layout"
>
> source "pbl/Kconfig"
> diff --git a/common/Makefile b/common/Makefile
> index 5f58c81d2..e57cc2c15 100644
> --- a/common/Makefile
> +++ b/common/Makefile
> @@ -61,6 +61,7 @@ obj-$(CONFIG_UBIFORMAT) += ubiformat.o
> obj-$(CONFIG_BAREBOX_UPDATE_IMX_NAND_FCB) += imx-bbu-nand-fcb.o
> obj-$(CONFIG_CONSOLE_RATP) += ratp.o
> obj-$(CONFIG_BOOT) += boot.o
> +obj-$(CONFIG_HAS_SECURE_BOOT) += secure_boot.o
>
> quiet_cmd_pwd_h = PWDH $@
> ifdef CONFIG_PASSWORD
> diff --git a/common/bootm.c b/common/bootm.c
> index 81625d915..0ebf65681 100644
> --- a/common/bootm.c
> +++ b/common/bootm.c
> @@ -23,6 +23,7 @@
> #include <environment.h>
> #include <linux/stat.h>
> #include <magicvar.h>
> +#include <secure_boot.h>
>
> static LIST_HEAD(handler_list);
>
> @@ -625,6 +626,12 @@ int bootm_boot(struct bootm_data *bootm_data)
> printf("Passing control to %s handler\n", handler->name);
> }
>
> + if (!handler->is_secure_supported && is_secure_mode()) {
> + ret = secure_boot_start_unsigned();
> + if (ret)
> + goto err_out;
> + }
> +
> ret = handler->bootm(data);
> if (data->dryrun)
> printf("Dryrun. Aborted\n");
> diff --git a/common/secure_boot.c b/common/secure_boot.c
> new file mode 100644
> index 000000000..e625ef4e1
> --- /dev/null
> +++ b/common/secure_boot.c
> @@ -0,0 +1,43 @@
> +/*
> + * Copyright (c) 2017 Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
> + *
> + * Under GPLv2 Only
> + */
> +#include <common.h>
> +#include <secure_boot.h>
> +#include <console_countdown.h>
> +#include <globalvar.h>
> +#include <magicvar.h>
> +#include <init.h>
> +
> +static unsigned int sb_confirm_timeout = CONFIG_SECURE_BOOT_TIMEOUT;
Use globalvar_add_simple_int instead of putting this into the config.
> +
> +int secure_boot_start_unsigned(void)
This function name is very misleading. It sounds like it starts an
unsigned image, but this function doesn't start anything. Second guess
is that it returns a boolean whether it's allowed to start an unsigned
image, but actually it returns the opposite.
> +{
> + int ret;
> + char str[2] = { };
> + int timeout = sb_confirm_timeout;
> +
> + if (!is_secure_mode())
> + return 0;
> +
> + printf("Are you sure you wish to run an unsigned binary\n");
> + printf("in a secure environment?\n");
> + printf("press y to confirm\n");
> +
> + ret = console_countdown(timeout, CONSOLE_COUNTDOWN_ANYKEY, str);
console_countdown puts exactly one character in *str, no need to pass an
array.
> + if (ret != -EINTR)
> + return -EINVAL;
> +
> + return str[0] == 'y' ? 0 : -EINVAL;
> +}
> +
> +static int init_sb_confirm_timeout(void)
> +{
> + return globalvar_add_simple_int("sb.confirm_timeout",
> + &sb_confirm_timeout, "%u");
> +}
Ok, you already made it a globalvar. No need to put the default into
kconfig then.
Sascha
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2017-03-13 7:50 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-09 14:31 [PATCH 0/5] EFI Secure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-09 14:34 ` [PATCH 1/5] efi: add more security related guid for the efivars Jean-Christophe PLAGNIOL-VILLARD
2017-03-09 14:34 ` [PATCH 2/5] efi: fix lds for secure boot support Jean-Christophe PLAGNIOL-VILLARD
2017-03-09 17:24 ` Lucas Stach
2017-03-10 10:17 ` Jean-Christophe PLAGNIOL-VILLARD
2017-03-10 11:05 ` Lucas Stach
2017-03-10 13:54 ` Jean-Christophe PLAGNIOL-VILLARD
2017-03-10 13:57 ` Lucas Stach
2017-03-10 14:13 ` Jean-Christophe PLAGNIOL-VILLARD
2017-03-09 14:34 ` [PATCH 3/5] efi: fix secure and setup mode report Jean-Christophe PLAGNIOL-VILLARD
2017-03-13 7:34 ` Sascha Hauer
2017-03-14 8:15 ` Jean-Christophe PLAGNIOL-VILLARD
2017-03-09 14:34 ` [PATCH 4/5] boot: if we are in secure boot mode Jean-Christophe PLAGNIOL-VILLARD
2017-03-13 7:50 ` Sascha Hauer [this message]
2017-03-14 8:14 ` Jean-Christophe PLAGNIOL-VILLARD
2017-03-13 7:55 ` Sascha Hauer
2017-03-14 8:07 ` Jean-Christophe PLAGNIOL-VILLARD
2017-03-14 9:48 ` Sascha Hauer
2017-03-09 14:34 ` [PATCH 5/5] efi: enable sercure boot support Jean-Christophe PLAGNIOL-VILLARD
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170313075018.566tqqmhoymv5v66@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=plagnioj@jcrosoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox