[PATCH] gadget: f_fastboot: New Kconfig option USB_GADGET_FASTBOOT_CMD_OEM

[PATCH] gadget: f_fastboot: New Kconfig option USB_GADGET_FASTBOOT_CMD_OEM

[Christian Eggers]

Most fastboot commands are suitable for a secure boot environment as
they only allow to download/flash/erase to files/partitions which were
explicitly specified in the usbgadget command.

The "oem" group of commands allows execution of arbitrary barebox
commands. This needs to be disabled for secure boot devices.

Signed-off-by: Christian Eggers <ceggers@arri.de>
---
 drivers/usb/gadget/Kconfig      | 11 +++++++++++
 drivers/usb/gadget/f_fastboot.c |  4 +++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/Kconfig b/drivers/usb/gadget/Kconfig
index 9d6a262038..a3e2a8b4e3 100644
--- a/drivers/usb/gadget/Kconfig
+++ b/drivers/usb/gadget/Kconfig
@@ -58,6 +58,7 @@ config USB_GADGET_FASTBOOT
 
 config USB_GADGET_FASTBOOT_SPARSE
 	bool
+	depends on USB_GADGET_FASTBOOT
 	select IMAGE_SPARSE
 	prompt "Enable Fastboot sparse image support"
 	help
@@ -77,4 +78,14 @@ config USB_GADGET_FASTBOOT_BUF
 	  a buffer, then using a buffer might be better.
 
 	  Say no here unless you know what you are doing.
+
+config USB_GADGET_FASTBOOT_CMD_OEM
+	bool
+	depends on USB_GADGET_FASTBOOT
+	prompt "Enable OEM commands"
+	help
+	  This option enables the fastboot "oem" group of commands. They allow to
+	  executing arbitrary barebox commands and may be disabled in secure
+	  environments.
+
 endif
diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c
index 0a3aff3cf0..2d760867ad 100644
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -1251,7 +1251,7 @@ static const struct cmd_dispatch_info cmd_oem_dispatch_info[] = {
 	},
 };
 
-static void cb_oem(struct f_fastboot *f_fb, const char *cmd)
+static void __maybe_unused cb_oem(struct f_fastboot *f_fb, const char *cmd)
 {
 	pr_debug("%s: \"%s\"\n", __func__, cmd);
 
@@ -1279,9 +1279,11 @@ static const struct cmd_dispatch_info cmd_dispatch_info[] = {
 	}, {
 		.cmd = "erase:",
 		.cb = cb_erase,
+#if defined(CONFIG_USB_GADGET_FASTBOOT_CMD_OEM)
 	}, {
 		.cmd = "oem ",
 		.cb = cb_oem,
+#endif
 	},
 };
 
-- 
Christian Eggers
Embedded software developer

Arnold & Richter Cine Technik GmbH & Co. Betriebs KG
Sitz: Muenchen - Registergericht: Amtsgericht Muenchen - Handelsregisternummer: HRA 57918
Persoenlich haftender Gesellschafter: Arnold & Richter Cine Technik GmbH
Sitz: Muenchen - Registergericht: Amtsgericht Muenchen - Handelsregisternummer: HRB 54477
Geschaeftsfuehrer: Dr. Michael Neuhaeuser; Stephan Schenk; Walter Trauninger; Markus Zeiler


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

Re: [PATCH] gadget: f_fastboot: New Kconfig option USB_GADGET_FASTBOOT_CMD_OEM

[Sascha Hauer]

On Fri, Feb 21, 2020 at 01:15:12PM +0100, Christian Eggers wrote:
> Most fastboot commands are suitable for a secure boot environment as
> they only allow to download/flash/erase to files/partitions which were
> explicitly specified in the usbgadget command.
> 
> The "oem" group of commands allows execution of arbitrary barebox
> commands. This needs to be disabled for secure boot devices.
> 
> Signed-off-by: Christian Eggers <ceggers@arri.de>
> ---
>  drivers/usb/gadget/Kconfig      | 11 +++++++++++
>  drivers/usb/gadget/f_fastboot.c |  4 +++-
>  2 files changed, 14 insertions(+), 1 deletion(-)

Applied, thanks

I squashed some defconfig changes into this so that the configs that has
the oem commands before this still have it.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox