From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH RFC 09/17] docs: security-policies: add documentation
Date: Thu, 14 Aug 2025 15:06:54 +0200 [thread overview]
Message-ID: <20250814130702.4039241-10-a.fatoum@pengutronix.de> (raw)
In-Reply-To: <20250814130702.4039241-1-a.fatoum@pengutronix.de>
From: Ahmad Fatoum <a.fatoum@barebox.org>
Let's add some first documentation for the newly added security policy
support.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
Documentation/devel/devel.rst | 1 +
Documentation/devel/security-policies.rst | 89 +++++++++++++++++
Documentation/user/security-policies.rst | 110 ++++++++++++++++++++++
Documentation/user/user-manual.rst | 1 +
4 files changed, 201 insertions(+)
create mode 100644 Documentation/devel/security-policies.rst
create mode 100644 Documentation/user/security-policies.rst
diff --git a/Documentation/devel/devel.rst b/Documentation/devel/devel.rst
index b90805263bbd..84074d142e03 100644
--- a/Documentation/devel/devel.rst
+++ b/Documentation/devel/devel.rst
@@ -13,6 +13,7 @@ Contents:
troubleshooting
filesystems
background-execution
+ security-policies
project-ideas
fuzzing
diff --git a/Documentation/devel/security-policies.rst b/Documentation/devel/security-policies.rst
new file mode 100644
index 000000000000..af2faa7352fe
--- /dev/null
+++ b/Documentation/devel/security-policies.rst
@@ -0,0 +1,89 @@
+.. _develop_security-policies:
+
+Security Policies (Developer Manual)
+====================================
+
+Overview
+--------
+
+This document describes how to define new SConfig symbols and integrate them
+into Barebox security policies. SConfig uses the same backend as Kconfig, and
+its configuration files live alongside Kconfig files (e.g. ``common/Sconfig``).
+
+Key principles:
+
+- Except for the name, symbols are always ``bool``.
+- Policies are board-specific and described in ``.sconfig`` files at build-time.
+- Every policy is complete and no implicit defaults are applied by mere building
+- Policy ``.sconfig`` files are post-processed into ``.sconfig.c`` files and
+ then compiled and linked into the final barebox binary.
+
+Creating New Symbols
+--------------------
+
+1. **Add a new symbol** to the appropriate ``Sconfig`` file, such as ``common/Sconfig``:
+
+ .. code-block:: kconfig
+
+ config ENV_HANDLING
+ bool "Allow persisting and loading the environment from storage"
+ depends on $(kconfig-enabled ENV_HANDLING)
+
+2. **Reference it in code** using:
+
+ .. code-block:: c
+
+ #include <security/config.h>
+
+ if (!IS_ALLOWS(SCONFIG_ENV_HANDLING))
+ return -EPERM;
+
+3. **Update policies**:
+
+ Every existing ``.sconfig`` policy must define a value for the new symbol
+ as there are no implicit defaults to ensure every policy explicitly encodes
+ all options in accordance with its security requirements.
+
+ Example in ``lockdown.sconfig``:
+
+ .. code-block:: none
+
+ SCONFIG_ENV_HANDLING=n
+
+ And in ``devel.sconfig``:
+
+ .. code-block:: none
+
+ SCONFIG_ENV_HANDLING=y
+
+Linking Policy Files
+--------------------
+
+Policies must be added to the build using ``policy-y`` in the board’s
+Makefile:
+
+.. code-block:: make
+
+ policy-y += lockdown.sconfig
+
+Tips for Symbol Design
+----------------------
+
+- Avoid naming symbols after board names. Favor functionality.
+- Prefer giving Sconfig symbols the same name as Kconfig symbols, when they
+ address the same goal, but at runtime instead of build-time.
+- When possible, reuse logic in core code by wrapping around
+ ``IS_ALLOWED()`` checks.
+
+Validation & Maintenance
+------------------------
+
+Always run ``make security_olddconfig`` for the security policy reference
+configuration ``virt32_policy_defconfig``::
+
+ export ARCH=arm
+ export CROSS_COMPILE=...
+ make virt32_policy_defconfig
+ make security_olddefconfig
+
+CI also checks this configuration and verifies that it's up-to-date.
diff --git a/Documentation/user/security-policies.rst b/Documentation/user/security-policies.rst
new file mode 100644
index 000000000000..b1002285b414
--- /dev/null
+++ b/Documentation/user/security-policies.rst
@@ -0,0 +1,110 @@
+.. _use_security-policies:
+
+Security Policies (User Manual)
+===============================
+
+Overview
+--------
+
+Barebox supports structured security configuration through **security policies**,
+a runtime configuration mechanism that allows switching between multiple
+predefined security policies (e.g. ``lockdown``, ``devel``),
+depending on operational requirements.
+
+This replaces ad-hoc board code with a clean, reproducible, and
+auditable configuration-based model.
+
+Concepts
+--------
+
+- **SConfig**: A configuration system using the same backend as
+ Kconfig, designed for **runtime security policies**.
+- **Policies**: Named configurations like ``lockdown.sconfig``,
+ ``open.sconfig`` specific to each board.
+
+Usage
+-----
+
+1. **Configure a policy** using menuconfig (or another frontend):
+
+ .. code-block:: shell
+
+ make KPOLICY=arch/arm/boards/myboard/lockdown.sconfig security_oldconfig
+ make sercurity_menuconfig # Iterates over all policies
+
+2. **Configuration files** (e.g. ``lockdown.sconfig``) are in Kconfig
+ format with ``SCONFIG_``-prefixed entries.
+
+3. **Build integration**:
+
+ The sconfig files for the board are placed into the ``security/``
+ directory in the source tree and their file names (without slashes)
+ are added to ``CONFIG_SECURITY_POLICY_PATH``.
+
+ Alternatively, policies can also be be referenced in a board's
+ Makefile::
+
+ .. code-block:: make
+
+ lwl-y += lowlevel.o
+ obj-y += board.o
+ policy-y += myboard-lockdown.sconfig myboard-devel.sconfig
+
+ This latter method can be useful when building multiple boards in
+ the same build, but with different security policies.
+
+4. **Registration**:
+
+ Policies added with ``CONFIG_SECURITY_POLICY_PATH`` are automatically
+ registered for all enabled boards.
+
+ Policies added with policy-y need to be explicitly added by symbol
+ to the set of registered policies in board code:
+
+ .. code-block:: c
+
+ #include <security/policy.h>
+
+ security_policy_add(myboard_lockdown)
+ security_policy_add(myboard_devel)
+
+5. **Runtime selection**:
+
+ In board code, switch to a policy by name:
+
+ .. code-block:: c
+
+ #include <security/policy.h>
+
+ sconfig_set_policy("lockdown");
+
+Differences from Kconfig
+------------------------
+
++-------------------------+------------------------------+-----------------------------+
+| Feature | Kconfig | SConfig |
++=========================+==============================+=============================+
+| Purpose | Build-time configuration | Runtime security policy |
++-------------------------+------------------------------+-----------------------------+
+| File name | .config | ${policy}.sconfig |
++-------------------------+------------------------------+-----------------------------+
+| policies per build | One | Multiple |
++-------------------------+------------------------------+-----------------------------+
+| Symbol types | bool, int, string, ... etc. | bool only |
++-------------------------+------------------------------+-----------------------------+
+| Symbol dependencies | Kconfig symbols | Both Kconfig and Sconfig |
+| | | symbols |
++-------------------------+------------------------------+-----------------------------+
+
+Best Practices
+--------------
+
+- Maintain all ``.sconfig`` files under version control,
+ either as part of the barebox patch stack or in your BSP
+
+- Document reasoning when changing every single security option
+ (even when doing ``security_olddefconfig``).
+
+- Avoid logic duplication in board code — rely on SConfig conditionals.
+
+- Name policies meaningfully: e.g. ``lockdown``, ``tamper``, ``return``.
diff --git a/Documentation/user/user-manual.rst b/Documentation/user/user-manual.rst
index ce0792000a3c..cb01721863dd 100644
--- a/Documentation/user/user-manual.rst
+++ b/Documentation/user/user-manual.rst
@@ -29,6 +29,7 @@ Contents:
bootchooser
remote-control
security
+ security-policies
reset-reason
system-reset
state
--
2.39.5
next prev parent reply other threads:[~2025-08-14 13:54 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-14 13:06 [PATCH RFC 00/17] Add security policy support Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 01/17] kconfig: allow setting CONFIG_ from the outside Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 02/17] scripts: include scripts/include for all host tools Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 03/17] kbuild: implement loopable loop_cmd Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 04/17] Add security policy support Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 05/17] kbuild: allow security config use without source tree modification Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 06/17] defaultenv: update PS1 according to security policy Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 07/17] security: policy: support externally provided configs Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 08/17] commands: implement sconfig command Ahmad Fatoum
2025-08-14 13:06 ` Ahmad Fatoum [this message]
2025-08-14 13:06 ` [PATCH RFC 10/17] commands: go: add security config option Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 11/17] console: ratp: " Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 12/17] bootm: support calling bootm_optional_signed_images at any time Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 13/17] bootm: make unsigned image support runtime configurable Ahmad Fatoum
2025-08-14 13:06 ` [PATCH RFC 14/17] ARM: configs: add virt32_secure_defconfig Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 15/17] boards: qemu-virt: add security policies Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 16/17] boards: qemu-virt: allow setting policy from command line Ahmad Fatoum
2025-08-14 13:07 ` [PATCH RFC 17/17] test: py: add basic security policy test Ahmad Fatoum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250814130702.4039241-10-a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox