From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Subject: [PATCH RFC 00/17] Add security policy support
Date: Thu, 14 Aug 2025 15:06:45 +0200
Message-ID: <20250814130702.4039241-1-a.fatoum@pengutronix.de>
Security policies are a mechanism for barebox to prevent, when so
desired, security relevant code from being executed.
Security policies are controlled via a second Kconfig menu structure
(called Sconfig) which collects security relevant options.
While the normal Kconfig menu structure is about feature support
enabled at compile time, a security policy determines whether a
feature is allowed or prohibited at runtime with an explicit focus
on security.
Except for a security policy's name, all security options are
boolean and control whether a built-in feature is allowed:
config FASTBOOT_CMD_BASE
	bool
	prompt "Allow fastboot flash/erase commands"
	depends on $(kconfig-enabled,FASTBOOT_BASE)
	help
	  This option enables the fastboot "flash" and "erase" commands.
The depends directive ensures the option is hidden when Fastboot support
isn't compiled in anyway. Otherwise, enabling the option should permit
normal operation as if the security policy support was disabled.
Disabling the option will have the relevant functions return early,
often with a permission denied error.
Checking the state of a security config option is done with the
IS_ALLOWED macro. The macro evaluates to true if the option is
defined and enabled in the active security policy and false otherwise.
A partial manipulation of the active security policy is not desirable
as it makes security posture at runtime harder to reason about.
It's expected that boards will define a fixed set of policies,
e.g. devel, factory, lockdown and then consult eFuses or JSON web tokens
to determine which policy is to be applied.
Some precautions have been made to make sure the security policies have
been reviewed and changes to the security options do not go through
unnoticed during barebox updates: Automatic config updates are
prohibited, so if new options are not present or the other way round,
the build will just fail. The user is expected to run e.g.
make security_olddefconfig to explicitly sync the configuration and
commit the changes.
Ahmad Fatoum (16):
kconfig: allow setting CONFIG_ from the outside
scripts: include scripts/include for all host tools
kbuild: implement loopable loop_cmd
Add security policy support
kbuild: allow security config use without source tree modification
defaultenv: update PS1 according to security policy
security: policy: support externally provided configs
docs: security-policies: add documentation
commands: go: add security config option
console: ratp: add security config option
bootm: support calling bootm_optional_signed_images at any time
bootm: make unsigned image support runtime configurable
ARM: configs: add virt32_secure_defconfig
boards: qemu-virt: add security policies
boards: qemu-virt: allow setting policy from command line
test: py: add basic security policy test
Sascha Hauer (1):
commands: implement sconfig command
.gitignore | 4 +
Documentation/devel/devel.rst | 1 +
Documentation/devel/security-policies.rst | 89 +++
Documentation/user/defaultenv-2.rst | 2 +
Documentation/user/security-policies.rst | 110 ++++
Documentation/user/user-manual.rst | 1 +
Makefile | 81 ++-
Sconfig | 9 +
arch/arm/configs/virt32_secure_defconfig | 302 ++++++++++
commands/Kconfig | 23 +
commands/Makefile | 1 +
commands/Sconfig | 12 +
commands/go.c | 4 +
commands/sconfig.c | 219 +++++++
common/Kconfig | 5 +
common/Sconfig | 24 +
common/boards/qemu-virt/Makefile | 5 +-
common/boards/qemu-virt/board.c | 11 +
common/boards/qemu-virt/commandline.c | 74 +++
common/boards/qemu-virt/commandline.h | 9 +
.../qemu-virt/qemu-virt-factory.sconfig | 24 +
.../qemu-virt/qemu-virt-lockdown.sconfig | 24 +
common/bootm.c | 58 +-
common/console.c | 4 +-
common/ratp/ratp.c | 17 +
defaultenv/Makefile | 1 +
.../bin/ps1-policy | 20 +
.../init/ps1-policy | 1 +
.../init/source-colors | 1 +
defaultenv/defaultenv.c | 2 +
include/security/config.h | 76 +++
include/security/defs.h | 22 +
include/security/policy.h | 54 ++
scripts/Kbuild.include | 41 ++
scripts/Makefile | 1 -
scripts/Makefile.build | 18 +-
scripts/Makefile.lib | 47 ++
scripts/Makefile.policy | 43 ++
scripts/Sconfig.include | 6 +
scripts/basic/.gitignore | 1 +
scripts/basic/Makefile | 4 +-
scripts/basic/sconfigpost.c | 540 ++++++++++++++++++
scripts/include/list.h | 7 +
scripts/kconfig/Makefile | 3 +
scripts/kconfig/list.h | 132 -----
security/Kconfig | 2 +
security/Kconfig.policy | 101 ++++
security/Makefile | 38 ++
security/Sconfig | 42 ++
security/policy.c | 246 ++++++++
security/qemu-virt-devel.sconfig | 24 +
security/qemu-virt-tamper.sconfig | 24 +
security/sconfig_names.c | 18 +
test/arm/virt32_secure_defconfig.yaml | 22 +
test/py/test_policies.py | 49 ++
55 files changed, 2543 insertions(+), 156 deletions(-)
create mode 100644 Documentation/devel/security-policies.rst
create mode 100644 Documentation/user/security-policies.rst
create mode 100644 Sconfig
create mode 100644 arch/arm/configs/virt32_secure_defconfig
create mode 100644 commands/Sconfig
create mode 100644 commands/sconfig.c
create mode 100644 common/Sconfig
create mode 100644 common/boards/qemu-virt/commandline.c
create mode 100644 common/boards/qemu-virt/commandline.h
create mode 100644 common/boards/qemu-virt/qemu-virt-factory.sconfig
create mode 100644 common/boards/qemu-virt/qemu-virt-lockdown.sconfig
create mode 100755 defaultenv/defaultenv-2-security-policy/bin/ps1-policy
create mode 100644 defaultenv/defaultenv-2-security-policy/init/ps1-policy
create mode 100644 defaultenv/defaultenv-2-security-policy/init/source-colors
create mode 100644 include/security/config.h
create mode 100644 include/security/defs.h
create mode 100644 include/security/policy.h
create mode 100644 scripts/Makefile.policy
create mode 100644 scripts/Sconfig.include
create mode 100644 scripts/basic/sconfigpost.c
create mode 100644 scripts/include/list.h
delete mode 100644 scripts/kconfig/list.h
create mode 100644 security/Kconfig.policy
create mode 100644 security/Sconfig
create mode 100644 security/policy.c
create mode 100644 security/qemu-virt-devel.sconfig
create mode 100644 security/qemu-virt-tamper.sconfig
create mode 100644 security/sconfig_names.c
create mode 100644 test/arm/virt32_secure_defconfig.yaml
create mode 100644 test/py/test_policies.py
--
2.39.5
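The cover letter describes the runtime side of the mechanism in prose: a fixed set of named policies, every option a boolean, an IS_ALLOWED-style check that fails closed, gated functions returning early with a permission error, and the active policy chosen as a whole (e.g. from eFuses) rather than toggled option by option. The following is an added, self-contained C model of that design. It is not barebox code and does not use barebox headers or the real IS_ALLOWED macro; the names policy_select(), sec_is_allowed(), policy_select_from_fuses(), the option enum and the fuse bit assignments are all hypothetical, and the fuse word is a constructed sample input.

```c
/* Added illustration, not barebox code: a minimal model of whole-policy
 * runtime security options. All identifiers below are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Security options are all boolean, mirroring the Sconfig options */
enum sec_opt {
	SEC_FASTBOOT_CMD_BASE,	/* allow fastboot flash/erase commands */
	SEC_CMD_GO,		/* allow "go" to jump to an arbitrary address */
	SEC_CONSOLE_RATP,	/* allow the RATP console */
	SEC_BOOTM_UNSIGNED,	/* allow booting unsigned images */
	SEC_OPT_COUNT,
};

struct sec_policy {
	const char *name;
	bool allowed[SEC_OPT_COUNT];
};

/* Fixed, reviewed set of policies (devel / factory / lockdown) */
static const struct sec_policy policies[] = {
	{ "devel",    { [SEC_FASTBOOT_CMD_BASE] = true, [SEC_CMD_GO] = true,
			[SEC_CONSOLE_RATP] = true, [SEC_BOOTM_UNSIGNED] = true } },
	{ "factory",  { [SEC_FASTBOOT_CMD_BASE] = true, [SEC_CMD_GO] = false,
			[SEC_CONSOLE_RATP] = true, [SEC_BOOTM_UNSIGNED] = false } },
	{ "lockdown", { 0 } },	/* everything prohibited */
};

static const struct sec_policy *active;	/* NULL until a policy is selected */

/* Only whole policies can be activated; there is no per-option toggle */
int policy_select(const char *name)
{
	for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++) {
		if (strcmp(policies[i].name, name) == 0) {
			active = &policies[i];
			return 0;
		}
	}
	return -ENOENT;
}

/* Counterpart of the IS_ALLOWED check: true only if a policy is active
 * and that policy enables the option; anything else fails closed */
bool sec_is_allowed(enum sec_opt opt)
{
	return active != NULL && opt < SEC_OPT_COUNT && active->allowed[opt];
}

/* Hypothetical eFuse word: bit0 = production part, bit1 = tamper flag */
int policy_select_from_fuses(unsigned int fuse)
{
	if (fuse & 0x2)
		return policy_select("lockdown");
	if (fuse & 0x1)
		return policy_select("factory");
	return policy_select("devel");
}

/* A gated operation returns early with -EPERM when prohibited */
int fastboot_flash(const char *partition)
{
	if (!sec_is_allowed(SEC_FASTBOOT_CMD_BASE))
		return -EPERM;
	printf("flashing %s\n", partition);
	return 0;
}

int main(void)
{
	unsigned int sample_fuse = 0x1;	/* constructed: production, not tampered */

	policy_select_from_fuses(sample_fuse);
	printf("policy %s: flash -> %d, go allowed -> %d\n", active->name,
	       fastboot_flash("boot"), sec_is_allowed(SEC_CMD_GO));
	return 0;
}
```

The point worth noticing is the fail-closed default: before any policy has been selected, sec_is_allowed() is false for every option, so a gated command is refused rather than silently permitted if policy selection never ran. The mapping from fuse bits to a policy name is purely illustrative.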
Thread overview: 18+ messages
2025-08-14 13:06 Ahmad Fatoum [this message]
2025-08-14 13:06 ` [PATCH RFC 01/17] kconfig: allow setting CONFIG_ from the outside Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 02/17] scripts: include scripts/include for all host tools Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 03/17] kbuild: implement loopable loop_cmd Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 04/17] Add security policy support Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 05/17] kbuild: allow security config use without source tree modification Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 06/17] defaultenv: update PS1 according to security policy Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 07/17] security: policy: support externally provided configs Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 08/17] commands: implement sconfig command Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 09/17] docs: security-policies: add documentation Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 10/17] commands: go: add security config option Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 11/17] console: ratp: " Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 12/17] bootm: support calling bootm_optional_signed_images at any time Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 13/17] bootm: make unsigned image support runtime configurable Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 14/17] ARM: configs: add virt32_secure_defconfig Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 15/17] boards: qemu-virt: add security policies Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 16/17] boards: qemu-virt: allow setting policy from command line Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 17/17] test: py: add basic security policy test Ahmad Fatoum