From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>,
BAREBOX <barebox@lists.infradead.org>
Cc: Ahmad Fatoum <a.fatoum@barebox.org>
Subject: Re: [PATCH v2 00/24] Add security policy support
Date: Mon, 22 Sep 2025 18:18:45 +0200 [thread overview]
Message-ID: <3bcd5400-5905-41b2-8879-1ebdea6eee23@pengutronix.de> (raw)
In-Reply-To: <20250917-security-policies-v2-0-f30769a3ff51@pengutronix.de>
Hello Sascha,
On 17.09.25 15:53, Sascha Hauer wrote:
> Changes in v2:
Thanks for taking over. I have no further comments besides the two I just
sent. I think this is ready to go into next with the two comments addressed.
Cheers,
Ahmad
> - drop security policies for each filesystem. This needs to be reworked.
> A filesystem can safely be mounted when the source is trusted (i.e.
> the fs image is compiled into barebox, or is authorized using upcoming
> dm-verity support) no matter which filesystem type is mounted.
> Therefore just add a policy which selects between "all fs allowed" and
> "no fs allowed except ramfs".
> - fix adding policy-y to non leaf directories
> - remove policy-list files before recreating them to avoid stale entries
> - Drop $(ARCH) string from .sconfig files
> - bail out with a user friendly message when make security_* is invoked
> with security policies being disabled in the config
> - document that policies should always go from restrictive to relaxed,
> not the other way round
> - Link to v1: https://lore.barebox.org/20250820-security-policies-v1-0-76fde70fdbd8@pengutronix.de
>
> Changes in v1:
> - Link to RFC:
> https://lore.kernel.org/all/20250814130702.4039241-1-a.fatoum@pengutronix.de/
> - Add more actual security policies
> - Fix some typos in Documentation
> - Catch invalid policy names in sconfig command
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> ---
> Ahmad Fatoum (16):
> kconfig: allow setting CONFIG_ from the outside
> scripts: include scripts/include for all host tools
> kbuild: implement loopable loop_cmd
> Add security policy support
> kbuild: allow security config use without source tree modification
> defaultenv: update PS1 according to security policy
> security: policy: support externally provided configs
> docs: security-policies: add documentation
> commands: go: add security config option
> console: ratp: add security config option
> bootm: support calling bootm_optional_signed_images at any time
> bootm: make unsigned image support runtime configurable
> ARM: configs: add virt32_secure_defconfig
> boards: qemu-virt: add security policies
> boards: qemu-virt: allow setting policy from command line
> test: py: add basic security policy test
>
> Sascha Hauer (8):
> commands: implement sconfig command
> usbserial: add inline wrappers
> security: usbgadget: add usbgadget security policy
> security: fastboot: add security policy for fastboot oem
> security: shell: add policy for executing the shell
> security: add security policy for loading barebox environment
> security: add filesystem security policies
> security: console: add security policy for console input
>
> .gitignore | 4 +
> Documentation/devel/devel.rst | 1 +
> Documentation/devel/security-policies.rst | 96 ++++
> Documentation/user/defaultenv-2.rst | 2 +
> Documentation/user/security-policies.rst | 131 +++++
> Documentation/user/user-manual.rst | 1 +
> Makefile | 95 +++-
> Sconfig | 11 +
> arch/arm/configs/virt32_secure_defconfig | 302 ++++++++++++
> commands/Kconfig | 23 +
> commands/Makefile | 1 +
> commands/Sconfig | 12 +
> commands/go.c | 4 +
> commands/sconfig.c | 227 +++++++++
> common/Kconfig | 5 +
> common/Sconfig | 63 +++
> common/boards/qemu-virt/Makefile | 5 +-
> common/boards/qemu-virt/board.c | 11 +
> common/boards/qemu-virt/commandline.c | 74 +++
> common/boards/qemu-virt/commandline.h | 9 +
> common/boards/qemu-virt/qemu-virt-factory.sconfig | 36 ++
> common/boards/qemu-virt/qemu-virt-lockdown.sconfig | 35 ++
> common/bootm.c | 58 ++-
> common/console.c | 11 +-
> common/console_ctrlc.c | 4 +
> common/console_simple.c | 7 +
> common/environment.c | 6 +
> common/fastboot.c | 6 +
> common/hush.c | 13 +
> common/parser.c | 7 +
> common/ratp/ratp.c | 17 +
> common/usbgadget.c | 26 +
> defaultenv/Makefile | 1 +
> .../defaultenv-2-security-policy/bin/ps1-policy | 20 +
> .../defaultenv-2-security-policy/init/ps1-policy | 1 +
> .../init/source-colors | 1 +
> defaultenv/defaultenv.c | 2 +
> drivers/usb/gadget/Sconfig | 11 +
> drivers/usb/gadget/composite.c | 4 +
> drivers/usb/gadget/legacy/serial.c | 4 +
> fs/Sconfig | 5 +
> fs/fs.c | 4 +
> include/linux/usb/usbserial.h | 11 +
> include/security/config.h | 76 +++
> include/security/defs.h | 22 +
> include/security/policy.h | 54 +++
> scripts/Kbuild.include | 41 ++
> scripts/Makefile | 1 -
> scripts/Makefile.build | 18 +-
> scripts/Makefile.lib | 47 ++
> scripts/Makefile.policy | 38 ++
> scripts/Sconfig.include | 6 +
> scripts/basic/.gitignore | 1 +
> scripts/basic/Makefile | 4 +-
> scripts/basic/sconfigpost.c | 540 +++++++++++++++++++++
> scripts/include/list.h | 7 +
> scripts/kconfig/Makefile | 3 +
> scripts/kconfig/list.h | 132 -----
> security/Kconfig | 2 +
> security/Kconfig.policy | 104 ++++
> security/Makefile | 39 ++
> security/Sconfig | 34 ++
> security/policy.c | 239 +++++++++
> security/qemu-virt-devel.sconfig | 36 ++
> security/qemu-virt-tamper.sconfig | 35 ++
> security/sconfig_names.c | 18 +
> test/arm/virt32_secure_defconfig.yaml | 22 +
> test/py/test_policies.py | 48 ++
> 68 files changed, 2778 insertions(+), 156 deletions(-)
> ---
> base-commit: f3be3a8e9ae884bdfb116238e9049b1eb2759810
> change-id: 20250820-security-policies-43f73477d321
>
> Best regards,
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2025-09-22 16:19 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-17 13:53 Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 01/24] kconfig: allow setting CONFIG_ from the outside Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 02/24] scripts: include scripts/include for all host tools Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 03/24] kbuild: implement loopable loop_cmd Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 04/24] Add security policy support Sascha Hauer
2025-09-22 16:14 ` Ahmad Fatoum
2025-09-23 8:11 ` Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 05/24] kbuild: allow security config use without source tree modification Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 06/24] defaultenv: update PS1 according to security policy Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 07/24] security: policy: support externally provided configs Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 08/24] commands: implement sconfig command Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 09/24] docs: security-policies: add documentation Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 10/24] commands: go: add security config option Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 11/24] console: ratp: " Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 12/24] bootm: support calling bootm_optional_signed_images at any time Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 13/24] bootm: make unsigned image support runtime configurable Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 14/24] ARM: configs: add virt32_secure_defconfig Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 15/24] boards: qemu-virt: add security policies Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 16/24] boards: qemu-virt: allow setting policy from command line Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 17/24] test: py: add basic security policy test Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 18/24] usbserial: add inline wrappers Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 19/24] security: usbgadget: add usbgadget security policy Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 20/24] security: fastboot: add security policy for fastboot oem Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 21/24] security: shell: add policy for executing the shell Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 22/24] security: add security policy for loading barebox environment Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 23/24] security: add filesystem security policies Sascha Hauer
2025-09-22 16:16 ` Ahmad Fatoum
2025-09-23 8:08 ` Sascha Hauer
2025-09-17 13:53 ` [PATCH v2 24/24] security: console: add security policy for console input Sascha Hauer
2025-09-22 16:18 ` Ahmad Fatoum [this message]
2025-09-23 8:08 ` [PATCH v2 00/24] Add security policy support Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3bcd5400-5905-41b2-8879-1ebdea6eee23@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=a.fatoum@barebox.org \
--cc=barebox@lists.infradead.org \
--cc=s.hauer@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox