* [PATCH 0/4] Add helper for security policies
@ 2026-03-12  9:16 Fabian Pflug
  2026-03-12  9:16 ` [PATCH 1/4] common: bootm: add policy to commandline Fabian Pflug
                   ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Fabian Pflug @ 2026-03-12  9:16 UTC (permalink / raw)
  To: BAREBOX; +Cc: Fabian Pflug

This series adds helper functions to the security policy framework that
do additional work based on the selected policy, such as adding the
policy name to the kernel command line and configuring the pinmux based
on the selected policy.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
Fabian Pflug (4):
      common: bootm: add policy to commandline
      security: policy: set active policy on boot
      security: configure pinctrl based on policy name
      security: kernel_pinctrl: fixup pinctrl in kernel dts

 common/bootm.c            | 23 ++++++++++++++++
 drivers/base/driver.c     | 12 +++++++-
 include/bootm.h           |  5 ++++
 security/Kconfig.policy   |  8 ++++++
 security/Makefile         |  1 +
 security/kernel_pinctrl.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++
 security/policy.c         | 15 ++++++++++
 7 files changed, 133 insertions(+), 1 deletion(-)
---
base-commit: 8c9d58cef2c65434e719ccbd3799b23014cb779d
change-id: 20260311-v2026-02-0-topic-sconfig_console-194842a14e1d

Best regards,
-- 
Fabian Pflug <f.pflug@pengutronix.de>





* [PATCH 1/4] common: bootm: add policy to commandline
  2026-03-12  9:16 [PATCH 0/4] Add helper for security policies Fabian Pflug
@ 2026-03-12  9:16 ` Fabian Pflug
  2026-03-13 13:36   ` Sascha Hauer
  2026-03-12  9:16 ` [PATCH 2/4] security: policy: set active policy on boot Fabian Pflug
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 9+ messages in thread
From: Fabian Pflug @ 2026-03-12  9:16 UTC (permalink / raw)
  To: BAREBOX; +Cc: Fabian Pflug

If security policies are used, then the variable bootm.provide_policy
can be set to automatically append the currently selected security
policy to the kernel command line with the prefix
barebox.security.policy=
This allows the system to behave differently based on the selected
security policy.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
 common/bootm.c  | 23 +++++++++++++++++++++++
 include/bootm.h |  5 +++++
 2 files changed, 28 insertions(+)

diff --git a/common/bootm.c b/common/bootm.c
index 6318509884..cd90aa81e1 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -22,6 +22,7 @@
 #include <uncompress.h>
 #include <zero_page.h>
 #include <security/config.h>
+#include <security/policy.h>
 
 static LIST_HEAD(handler_list);
 static struct sconfig_notifier_block sconfig_notifier;
@@ -75,6 +76,7 @@ static int bootm_dryrun;
 static int bootm_earlycon;
 static int bootm_provide_machine_id;
 static int bootm_provide_hostname;
+static int bootm_provide_policy;
 static int bootm_verbosity;
 static int bootm_efi_mode = BOOTM_EFI_AVAILABLE;
 
@@ -97,6 +99,7 @@ void bootm_data_init_defaults(struct bootm_data *data)
 	data->appendroot = bootm_appendroot;
 	data->provide_machine_id = bootm_provide_machine_id;
 	data->provide_hostname = bootm_provide_hostname;
+	data->provide_policy = bootm_provide_policy;
 	data->verbose = bootm_verbosity;
 	data->dryrun = bootm_dryrun;
 	data->efi_boot = bootm_efi_mode;
@@ -118,6 +121,7 @@ void bootm_data_restore_defaults(const struct bootm_data *data)
 	bootm_appendroot = data->appendroot;
 	bootm_provide_machine_id = data->provide_machine_id;
 	bootm_provide_hostname = data->provide_hostname;
+	bootm_provide_policy = data->provide_policy;
 	bootm_verbosity = data->verbose;
 	bootm_dryrun = data->dryrun;
 	bootm_efi_mode = data->efi_boot;
@@ -712,6 +716,20 @@ int bootm_boot(struct bootm_data *bootm_data)
 		free(hostname_bootarg);
 	}
 
+	if (IS_ENABLED(CONFIG_SECURITY_POLICY) && bootm_data->provide_policy) {
+		char *policy_bootargs;
+
+		if (!active_policy->name) {
+			pr_err("Providing policy is enabled but policy has no name\n");
+			ret = -EINVAL;
+			goto err_out;
+		}
+
+		policy_bootargs = basprintf("barebox.security.policy=%s", active_policy->name);
+		globalvar_add_simple("linux.bootargs.policy", policy_bootargs);
+		free(policy_bootargs);
+	}
+
 	pr_info("\nLoading %s '%s'", file_type_to_string(os_type),
 		data->os_file);
 	if (os_type == filetype_uimage &&
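Review bot: The policy name is spliced into the kernel command line unquoted at `basprintf("barebox.security.policy=%s", active_policy->name)`, so a name containing whitespace would be parsed by the kernel as additional parameters; names appear to come from the build-time policy set, so this is unlikely, but the function could reject such names next to the existing empty-name check, e.g. `if (!active_policy->name || strpbrk(active_policy->name, " \t\n")) {` with the same error path, or the documentation should state that policy names must be a single token. Independently, consumers on the Linux side should treat this parameter as informational unless the command line is covered by the verified-boot chain, since anything able to edit the bootargs can claim any policy; a comment such as `/* informational only: the kernel must not derive privileges from this unless the bootargs are authenticated */` above the block would make that explicit. bootm_boot starts and ends outside this hunk.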
@@ -918,6 +936,8 @@ static int bootm_init(void)
 	globalvar_add_simple_bool("bootm.earlycon", &bootm_earlycon);
 	globalvar_add_simple_bool("bootm.provide_machine_id", &bootm_provide_machine_id);
 	globalvar_add_simple_bool("bootm.provide_hostname", &bootm_provide_hostname);
+	if (IS_ENABLED(CONFIG_SECURITY_POLICY))
+		globalvar_add_simple_bool("bootm.provide_policy", &bootm_provide_policy);
 	if (IS_ENABLED(CONFIG_BOOTM_INITRD)) {
 		globalvar_add_simple("bootm.initrd", NULL);
 		globalvar_add_simple("bootm.initrd.loadaddr", NULL);
@@ -981,3 +1001,6 @@ BAREBOX_MAGICVAR(global.bootm.root_dev, "bootm default root device (overrides de
 BAREBOX_MAGICVAR(global.bootm.root_param, "bootm root parameter name (normally 'root' for root=/dev/...)");
 BAREBOX_MAGICVAR(global.bootm.provide_machine_id, "If true, append systemd.machine_id=$global.machine_id to Kernel command line");
 BAREBOX_MAGICVAR(global.bootm.provide_hostname, "If true, append systemd.hostname=$global.hostname to Kernel command line");
+#ifdef CONFIG_SECURITY_POLICY
+BAREBOX_MAGICVAR(global.bootm.provide_policy, "Add barebox.security.policy= option to Kernel");
+#endif
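Review bot: The help text `"Add barebox.security.policy= option to Kernel"` is less precise than its neighbours: it does not say that the variable is a boolean nor which value is appended. Suggest `"If true, append barebox.security.policy=<name of the active security policy> to Kernel command line"`, matching the provide_machine_id and provide_hostname descriptions directly above.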
diff --git a/include/bootm.h b/include/bootm.h
index e56a999f0b..1c3bd03d38 100644
--- a/include/bootm.h
+++ b/include/bootm.h
@@ -46,6 +46,11 @@ struct bootm_data {
 	 * of global.hostname to Kernel.
 	 */
 	bool provide_hostname;
+	/*
+	 * provide_policy - if true, try to add barebox.security.policy= with
+	 * with value of currently selected policy
+	 */
+	bool provide_policy;
 	enum bootm_efi_mode efi_boot;
 	unsigned long initrd_address;
 	unsigned long os_address;
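Review bot: The new field comment ends one line with `with` and starts the next with `with value of`, and it does not say what happens when no named policy is active, although bootm_boot fails with -EINVAL in that case. Suggest: `/* provide_policy - if true, append barebox.security.policy=<name> for the currently active security policy to the kernel command line; bootm_boot fails if the active policy has no name. */`. struct bootm_data starts outside this hunk.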

-- 
2.47.3





* [PATCH 2/4] security: policy: set active policy on boot
  2026-03-12  9:16 [PATCH 0/4] Add helper for security policies Fabian Pflug
  2026-03-12  9:16 ` [PATCH 1/4] common: bootm: add policy to commandline Fabian Pflug
@ 2026-03-12  9:16 ` Fabian Pflug
  2026-03-12  9:16 ` [PATCH 3/4] security: configure pinctrl based on policy name Fabian Pflug
  2026-03-12  9:16 ` [PATCH 4/4] security: kernel_pinctrl: fixup pinctrl in kernel dts Fabian Pflug
  3 siblings, 0 replies; 9+ messages in thread
From: Fabian Pflug @ 2026-03-12  9:16 UTC (permalink / raw)
  To: BAREBOX; +Cc: Fabian Pflug

If an initial policy name has been set at compile time and that policy
is available, because it is part of the compiled-in policy path, then
set the active policy to the one selected at compile time.
Since this runs so early in the boot chain, there is no need to call
security_policy_activate, because no callbacks should be registered at
this point in time.
If no policy could be found, active_policy is left unset and will be
filled as before by the first call to is_allowed.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
 security/policy.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/policy.c b/security/policy.c
index 85333d9e6f..e2d1b10a78 100644
--- a/security/policy.c
+++ b/security/policy.c
@@ -235,6 +235,9 @@ static int security_init(void)
 	if (*CONFIG_SECURITY_POLICY_PATH)
 		security_policy_add(default);
 
+	if (*CONFIG_SECURITY_POLICY_INIT)
+		active_policy = security_policy_get(CONFIG_SECURITY_POLICY_INIT);
+
 	return 0;
 }
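Review bot: `security_policy_get(CONFIG_SECURITY_POLICY_INIT)` is stored into `active_policy` unchecked, so if the configured name does not match any compiled-in policy the system silently starts without an initial policy, which is exactly the state the Kconfig text elsewhere in this series warns against. A build-time policy name that does not resolve is a misconfiguration worth reporting: `if (!active_policy) pr_err("security: initial policy '%s' not found\n", CONFIG_SECURITY_POLICY_INIT);` (use IS_ERR()/PTR_ERR() instead if the getter returns error pointers — not visible here). The commit message's reasoning for bypassing security_policy_activate() belongs next to the assignment, e.g. `/* pure_initcall: no sconfig notifiers can be registered yet, so skip security_policy_activate() */`. security_init starts outside this hunk.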
 pure_initcall(security_init);

-- 
2.47.3





* [PATCH 3/4] security: configure pinctrl based on policy name
  2026-03-12  9:16 [PATCH 0/4] Add helper for security policies Fabian Pflug
  2026-03-12  9:16 ` [PATCH 1/4] common: bootm: add policy to commandline Fabian Pflug
  2026-03-12  9:16 ` [PATCH 2/4] security: policy: set active policy on boot Fabian Pflug
@ 2026-03-12  9:16 ` Fabian Pflug
  2026-03-12  9:16 ` [PATCH 4/4] security: kernel_pinctrl: fixup pinctrl in kernel dts Fabian Pflug
  3 siblings, 0 replies; 9+ messages in thread
From: Fabian Pflug @ 2026-03-12  9:16 UTC (permalink / raw)
  To: BAREBOX; +Cc: Fabian Pflug

When using security policies to disable console input on the default
console, it might be more advantageous to also disable the RX pin hard
in pinctrl, so that if there is a software error in the security
policy implementation, input does not reach the system and cannot be
exploited.

An example devicetree could look like this:
/ {
	chosen {
		stdout-path = &uart3;
	};
};

&uart3 {
	pinctrl-names = "default", "barebox,policy-devel";
	pinctrl-0 = <&pinctrl_uart3_tx_only>;
	pinctrl-1 = <&pinctrl_uart3_interactive>;
	status = "okay";
};

&iomuxc {
	pinctrl_uart3_interactive: uart3ingrp {
		fsl,pins = <MX8MP_IOMUXC_SD1_DATA6__UART3_DCE_TX	0x140>,
			   <MX8MP_IOMUXC_SD1_DATA7__UART3_DCE_RX	0x140>;
	};

	pinctrl_uart3_tx_only: uart3txgrp {
		fsl,pins = <MX8MP_IOMUXC_SD1_DATA6__UART3_DCE_TX	0x140>,
			   <MX8MP_IOMUXC_SD1_DATA7__GPIO2_IO09		0x140>;
	};
};

This would apply the devel pinmux on selecting the devel config and the
default on every other configuration.

A Kconfig option to enable this feature has been chosen, because parsing
pinctrl and mapping the names is a lot of string operations, that could
increase boottime for a feature, that is maybe not needed for everyone.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
 drivers/base/driver.c   | 12 +++++++++++-
 security/Kconfig.policy |  8 ++++++++
 security/policy.c       | 12 ++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/drivers/base/driver.c b/drivers/base/driver.c
index 36a1fcda48..37c2d56c7a 100644
--- a/drivers/base/driver.c
+++ b/drivers/base/driver.c
@@ -30,6 +30,7 @@
 #include <pinctrl.h>
 #include <featctrl.h>
 #include <linux/clk/clk-conf.h>
+#include <security/policy.h>
 
 #ifdef CONFIG_DEBUG_PROBES
 #define pr_report_probe		pr_info
@@ -135,7 +136,16 @@ int device_probe(struct device *dev)
 
 	pr_report_probe("%*sprobe-> %s\n", depth * 4, "", dev_name(dev));
 
-	pinctrl_select_state_default(dev);
+
+	if (IS_ENABLED(CONFIG_SECURITY_POLICY_PINCTRL)) {
+		char *policy_pinctrl;
+
+		policy_pinctrl = basprintf("barebox,policy-%s", active_policy->name);
+		if (IS_ERR(pinctrl_get_select(dev, policy_pinctrl)))
+			pinctrl_select_state_default(dev);
+		free(policy_pinctrl);
+	} else
+		pinctrl_select_state_default(dev);
 	of_clk_set_defaults(dev->of_node, false);
 
 	list_add(&dev->active, &active_device_list);
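Review bot: `active_policy->name` is dereferenced on every probe without checking `active_policy`, which can be NULL until a policy has been activated, so with CONFIG_SECURITY_POLICY_PINCTRL enabled the first device probe would fault instead of falling back to the default state. Guard it: `if (IS_ENABLED(CONFIG_SECURITY_POLICY_PINCTRL) && active_policy && active_policy->name) {`, leaving the else branch to select the default state as today. The fallback is only fail-closed if board DTs keep the restricted mux in `"default"` and the permissive one under `barebox,policy-<name>`, as the commit message's example does; the code cannot enforce that convention, so a comment like `/* falls back to "default": boards must keep the restrictive mux there */` would help. The stray blank line added before the `if` should go. device_probe starts and ends outside this hunk.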
diff --git a/security/Kconfig.policy b/security/Kconfig.policy
index 9ea52e91da..8ddb67ac2d 100644
--- a/security/Kconfig.policy
+++ b/security/Kconfig.policy
@@ -68,6 +68,14 @@ config SECURITY_POLICY_DEFAULT_PERMISSIVE
 	  A security policy should always be selected, either early on by
 	  board code or via CONFIG_SECURITY_POLICY_INIT.
 
+config SECURITY_POLICY_PINCTRL
+	bool "Update pinctrl based on policy-name"
+	help
+	  Changing the security policy, will look for a pinctrl with the name
+	  barebox,policy-<policyname>. If there is one, it will change the
+	  pinctrl for this. This could be used to disable the RX (and TX)
+	  Pin in lockdown mode for the console or disable the usage of SPI.
+
 config SECURITY_POLICY_PATH
 	string
 	depends on SECURITY_POLICY
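Review bot: `SECURITY_POLICY_PINCTRL` has no `depends on SECURITY_POLICY`, although the code it enables reads `active_policy` and the neighbouring `SECURITY_POLICY_PATH` entry carries exactly that dependency, so the option can be enabled in a configuration where policy.o is not built; add `depends on SECURITY_POLICY` (and `depends on PINCTRL` if the pinctrl helpers are not stubbed out without it — not visible here). The help text could also be tightened: `On every device probe and on each policy change, look for a pinctrl state named barebox,policy-<policyname> and select it, falling back to the "default" state when it does not exist. This can be used to hard-disable the console RX (and TX) pins or an SPI bus in a lockdown policy.`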
diff --git a/security/policy.c b/security/policy.c
index e2d1b10a78..4d51af63e7 100644
--- a/security/policy.c
+++ b/security/policy.c
@@ -7,6 +7,7 @@
 #include <linux/bitmap.h>
 #include <param.h>
 #include <device.h>
+#include <pinctrl.h>
 #include <stdio.h>
 
 #include <security/policy.h>
@@ -90,12 +91,23 @@ bool is_allowed(const struct security_policy *policy, unsigned option)
 int security_policy_activate(const struct security_policy *policy)
 {
 	const struct security_policy *old_policy = active_policy;
+	struct device *dev;
+	char *policy_pinctrl;
 
 	if (policy == old_policy)
 		return 0;
 
 	active_policy = policy;
 
+	if (IS_ENABLED(CONFIG_SECURITY_POLICY_PINCTRL)) {
+		policy_pinctrl = basprintf("barebox,policy-%s", active_policy->name);
+		list_for_each_entry(dev, &active_device_list, active) {
+			if (IS_ERR(pinctrl_get_select(dev, policy_pinctrl)))
+				pinctrl_select_state_default(dev);
+		}
+		free(policy_pinctrl);
+	}
+
 	for (int i = 0; i < SCONFIG_NUM; i++) {
 		if (__is_allowed(policy, i) == __is_allowed(old_policy, i))
 			continue;
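Review bot: The pinctrl loop drops the return values of both `pinctrl_get_select()` and `pinctrl_select_state_default()`, so a device whose lockdown mux could not be applied stays in its previous, possibly permissive, state without any trace in the log; for a mechanism meant to back the software policy with hardware, that failure should at least be reported, e.g. `if (pinctrl_select_state_default(dev)) dev_warn(dev, "failed to apply pinctrl for policy %s\n", policy->name);` assuming the helper returns an error code. This also re-applies `default` to every active device on each policy change, not only to devices that define a policy-specific state, which is probably intended but deserves a comment. `policy_pinctrl` is only used inside the `if` and could be declared there. security_policy_activate continues outside this hunk.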

-- 
2.47.3





* [PATCH 4/4] security: kernel_pinctrl: fixup pinctrl in kernel dts
  2026-03-12  9:16 [PATCH 0/4] Add helper for security policies Fabian Pflug
                   ` (2 preceding siblings ...)
  2026-03-12  9:16 ` [PATCH 3/4] security: configure pinctrl based on policy name Fabian Pflug
@ 2026-03-12  9:16 ` Fabian Pflug
  2026-03-13 14:10   ` Sascha Hauer
  3 siblings, 1 reply; 9+ messages in thread
From: Fabian Pflug @ 2026-03-12  9:16 UTC (permalink / raw)
  To: BAREBOX; +Cc: Fabian Pflug

Go through the kernel dts and replace
barebox,policy-<active_policy> with default, in order to change the
pinctrl not only for barebox but also for the kernel when booting with
security policies.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
---
 security/Makefile         |  1 +
 security/kernel_pinctrl.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)

diff --git a/security/Makefile b/security/Makefile
index 1096cbfb9b..2e8cdfe7c2 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -2,6 +2,7 @@
 
 obj-$(CONFIG_SECURITY_POLICY)		+= policy.o
 obj-$(CONFIG_SECURITY_POLICY_NAMES)	+= sconfig_names.o
+obj-$(CONFIG_SECURITY_POLICY_PINCTRL)	+= kernel_pinctrl.o
 obj-$(CONFIG_CRYPTO_KEYSTORE)	+= keystore.o
 obj-$(CONFIG_JWT)		+= jwt.o
 obj-pbl-$(CONFIG_HAVE_OPTEE)	+= optee.o
diff --git a/security/kernel_pinctrl.c b/security/kernel_pinctrl.c
new file mode 100644
index 0000000000..6ad75eb113
--- /dev/null
+++ b/security/kernel_pinctrl.c
@@ -0,0 +1,70 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include <common.h>
+#include <linux/printk.h>
+#include <pinctrl.h>
+#include <security/policy.h>
+#include <security/config.h>
+
+#define NUM_NAMES	10
+
+
+/**
+ * Replace 'default' with 'old_default' and 'barebox,policy-<active_policy>'
+ * with 'default', if both are found in pinctrl.
+ */
+static void kernel_of_fixup_pinctrl(struct device_node *node, char *policy_name)
+{
+	struct device_node *n;
+	const char *names[NUM_NAMES];
+	int num_read = of_property_read_string_array(node, "pinctrl-names", names, NUM_NAMES);
+	struct property *prop = of_find_property(node, "pinctrl-names", NULL);
+	int pos_default = -1, pos_policy = -1;
+
+	for (int i = 0; i < num_read; i++) {
+		if (strcmp(policy_name, names[i]) == 0)
+			pos_policy = i;
+		if (strcmp("default", names[i]) == 0)
+			pos_default = i;
+	}
+	if (pos_default >= 0 && pos_policy >= 0) {
+		// old_default is shorter then barebox,policy-*
+		char *val = malloc(prop->length);
+		char *cur = val;
+		const char *src;
+		int len;
+
+		for (int i = 0; i < num_read; i++) {
+			if (i == pos_policy)
+				src = "default";
+			else if (i == pos_default)
+				src = "old_default";
+			else
+				src = names[i];
+			len = strlen(src);
+			memcpy(cur, src, len);
+			cur += len;
+		}
+		of_set_property(node, "pinctrl-names", val, cur - val, false);
+	}
+
+	list_for_each_entry(n, &node->children, parent_list) {
+		kernel_of_fixup_pinctrl(n, policy_name);
+	}
+}
+
+static int kernel_of_fixup_pinctrl_start(struct device_node *root, void *unused)
+{
+	char *policy_pinctrl;
+
+	policy_pinctrl = basprintf("barebox,policy-%s", active_policy->name);
+	kernel_of_fixup_pinctrl(root, policy_pinctrl);
+	free(policy_pinctrl);
+	return 0;
+}
+
+static int policy_console_pinctrl_init(void)
+{
+	return of_register_fixup(kernel_of_fixup_pinctrl_start, NULL);
+}
+late_initcall(policy_console_pinctrl_init);
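Review bot: `NUM_NAMES` caps the read at 10 strings, and when a node carries more the rewrite via `of_set_property()` writes back only the first 10, silently dropping the rest and desynchronising `pinctrl-names` from the node's `pinctrl-N` properties; bail out with a warning when `num_read == NUM_NAMES` unless the full count is known to fit (via a string-count helper, if one exists), or size `names` from the count instead of a fixed array. `kernel_of_fixup_pinctrl_start` also dereferences `active_policy->name` with no NULL check, and since the registered fixup runs on every kernel boot, an unset policy would fault at boot rather than leave the DT untouched; add `if (!active_policy || !active_policy->name) return 0;` at its top. `val` is handed to `of_set_property()` and never freed, which leaks if that helper copies the value (it takes a `const` buffer, so presumably it does). The initcall name `policy_console_pinctrl_init` suggests a console-only scope the code does not have. A file-level comment should state the convention this relies on: the kernel DT must keep the restricted mux in `"default"` and the permissive one in `barebox,policy-<name>`, mirroring the barebox side.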

-- 
2.47.3





* Re: [PATCH 1/4] common: bootm: add policy to commandline
  2026-03-12  9:16 ` [PATCH 1/4] common: bootm: add policy to commandline Fabian Pflug
@ 2026-03-13 13:36   ` Sascha Hauer
  2026-03-13 14:26     ` Fabian Pflug
  0 siblings, 1 reply; 9+ messages in thread
From: Sascha Hauer @ 2026-03-13 13:36 UTC (permalink / raw)
  To: Fabian Pflug; +Cc: BAREBOX

On Thu, Mar 12, 2026 at 10:16:42AM +0100, Fabian Pflug wrote:
> If security policies are used, then the variable bootm.provide_policy
> can be set to automatically append the currently selected security
> policy to the kernel commandline with the prefix
> barebox.security.policy=
> This allows the the system to behave different based on the selected
> security policy.
> 
> Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> ---
>  common/bootm.c  | 23 +++++++++++++++++++++++
>  include/bootm.h |  5 +++++
>  2 files changed, 28 insertions(+)
> 
> diff --git a/common/bootm.c b/common/bootm.c
> index 6318509884..cd90aa81e1 100644
> --- a/common/bootm.c
> +++ b/common/bootm.c
> @@ -22,6 +22,7 @@
>  #include <uncompress.h>
>  #include <zero_page.h>
>  #include <security/config.h>
> +#include <security/policy.h>
>  
>  static LIST_HEAD(handler_list);
>  static struct sconfig_notifier_block sconfig_notifier;
> @@ -75,6 +76,7 @@ static int bootm_dryrun;
>  static int bootm_earlycon;
>  static int bootm_provide_machine_id;
>  static int bootm_provide_hostname;
> +static int bootm_provide_policy;
>  static int bootm_verbosity;
>  static int bootm_efi_mode = BOOTM_EFI_AVAILABLE;
>  
> @@ -97,6 +99,7 @@ void bootm_data_init_defaults(struct bootm_data *data)
>  	data->appendroot = bootm_appendroot;
>  	data->provide_machine_id = bootm_provide_machine_id;
>  	data->provide_hostname = bootm_provide_hostname;
> +	data->provide_policy = bootm_provide_policy;
>  	data->verbose = bootm_verbosity;
>  	data->dryrun = bootm_dryrun;
>  	data->efi_boot = bootm_efi_mode;
> @@ -118,6 +121,7 @@ void bootm_data_restore_defaults(const struct bootm_data *data)
>  	bootm_appendroot = data->appendroot;
>  	bootm_provide_machine_id = data->provide_machine_id;
>  	bootm_provide_hostname = data->provide_hostname;
> +	bootm_provide_policy = data->provide_policy;
>  	bootm_verbosity = data->verbose;
>  	bootm_dryrun = data->dryrun;
>  	bootm_efi_mode = data->efi_boot;
> @@ -712,6 +716,20 @@ int bootm_boot(struct bootm_data *bootm_data)
>  		free(hostname_bootarg);
>  	}
>  
> +	if (IS_ENABLED(CONFIG_SECURITY_POLICY) && bootm_data->provide_policy) {
> +		char *policy_bootargs;
> +
> +		if (!active_policy->name) {

Could active_policy be NULL here?

> +			pr_err("Providing policy is enabled but policy has no name\n");
> +			ret = -EINVAL;
> +			goto err_out;
> +		}
> +
> +		policy_bootargs = basprintf("barebox.security.policy=%s", active_policy->name);
> +		globalvar_add_simple("linux.bootargs.policy", policy_bootargs);

Should be linux.bootargs.dyn.policy to make sure it gets cleared after a
boot attempt.

Sascha


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |




* Re: [PATCH 4/4] security: kernel_pinctrl: fixup pinctrl in kernel dts
  2026-03-12  9:16 ` [PATCH 4/4] security: kernel_pinctrl: fixup pinctrl in kernel dts Fabian Pflug
@ 2026-03-13 14:10   ` Sascha Hauer
  0 siblings, 0 replies; 9+ messages in thread
From: Sascha Hauer @ 2026-03-13 14:10 UTC (permalink / raw)
  To: Fabian Pflug; +Cc: BAREBOX

On Thu, Mar 12, 2026 at 10:16:45AM +0100, Fabian Pflug wrote:
> Going through the kernel dts and replacing
> barebox,policy-<active_policy> with default in order to change pinctrl
> not only for barebox, but also for kernel when booting with security
> profiles.
> 
> Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> ---
>  security/Makefile         |  1 +
>  security/kernel_pinctrl.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 71 insertions(+)
> 
> diff --git a/security/Makefile b/security/Makefile
> index 1096cbfb9b..2e8cdfe7c2 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -2,6 +2,7 @@
>  
>  obj-$(CONFIG_SECURITY_POLICY)		+= policy.o
>  obj-$(CONFIG_SECURITY_POLICY_NAMES)	+= sconfig_names.o
> +obj-$(CONFIG_SECURITY_POLICY_PINCTRL)	+= kernel_pinctrl.o
>  obj-$(CONFIG_CRYPTO_KEYSTORE)	+= keystore.o
>  obj-$(CONFIG_JWT)		+= jwt.o
>  obj-pbl-$(CONFIG_HAVE_OPTEE)	+= optee.o
> diff --git a/security/kernel_pinctrl.c b/security/kernel_pinctrl.c
> new file mode 100644
> index 0000000000..6ad75eb113
> --- /dev/null
> +++ b/security/kernel_pinctrl.c
> @@ -0,0 +1,70 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +
> +#include <common.h>
> +#include <linux/printk.h>
> +#include <pinctrl.h>
> +#include <security/policy.h>
> +#include <security/config.h>
> +
> +#define NUM_NAMES	10
> +
> +
> +/**
> + * Replace 'default' with 'old_default' and 'barebox,policy-<active_policy>'
> + * with 'default', if both are found in pinctrl.
> + */
> +static void kernel_of_fixup_pinctrl(struct device_node *node, char *policy_name)
> +{
> +	struct device_node *n;
> +	const char *names[NUM_NAMES];
> +	int num_read = of_property_read_string_array(node, "pinctrl-names", names, NUM_NAMES);
> +	struct property *prop = of_find_property(node, "pinctrl-names", NULL);
> +	int pos_default = -1, pos_policy = -1;
> +
> +	for (int i = 0; i < num_read; i++) {
> +		if (strcmp(policy_name, names[i]) == 0)
> +			pos_policy = i;
> +		if (strcmp("default", names[i]) == 0)
> +			pos_default = i;
> +	}
> +	if (pos_default >= 0 && pos_policy >= 0) {
> +		// old_default is shorter then barebox,policy-*
> +		char *val = malloc(prop->length);
> +		char *cur = val;
> +		const char *src;
> +		int len;
> +
> +		for (int i = 0; i < num_read; i++) {
> +			if (i == pos_policy)
> +				src = "default";
> +			else if (i == pos_default)
> +				src = "old_default";
> +			else
> +				src = names[i];
> +			len = strlen(src);
> +			memcpy(cur, src, len);

A multistring property in the device tree has multiple strings with '\0'
in between, so I believe you have to copy (and add to cur) len + 1 bytes to make
this work.

However, how about a of_property_write_string_array() function instead?
It might be useful elsewhere and could make this code more readable.

> +			cur += len;
> +		}
> +		of_set_property(node, "pinctrl-names", val, cur - val, false);
> +	}
> +
> +	list_for_each_entry(n, &node->children, parent_list) {
> +		kernel_of_fixup_pinctrl(n, policy_name);
> +	}

No need to do this recursively. All nodes in a device tree are on a
list, see the of_tree_for_each_node_from macro.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |




* Re: [PATCH 1/4] common: bootm: add policy to commandline
  2026-03-13 13:36   ` Sascha Hauer
@ 2026-03-13 14:26     ` Fabian Pflug
  2026-03-13 14:30       ` Sascha Hauer
  0 siblings, 1 reply; 9+ messages in thread
From: Fabian Pflug @ 2026-03-13 14:26 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: BAREBOX

On Fri, 2026-03-13 at 14:36 +0100, Sascha Hauer wrote:
> On Thu, Mar 12, 2026 at 10:16:42AM +0100, Fabian Pflug wrote:
> > If security policies are used, then the variable bootm.provide_policy
> > can be set to automatically append the currently selected security
> > policy to the kernel commandline with the prefix
> > barebox.security.policy=
> > This allows the the system to behave different based on the selected
> > security policy.
> > 
> > Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> > ---
> >  common/bootm.c  | 23 +++++++++++++++++++++++
> >  include/bootm.h |  5 +++++
> >  2 files changed, 28 insertions(+)
> > 
> > diff --git a/common/bootm.c b/common/bootm.c
> > index 6318509884..cd90aa81e1 100644
> > --- a/common/bootm.c
> > +++ b/common/bootm.c
> > @@ -22,6 +22,7 @@
> >  #include <uncompress.h>
> >  #include <zero_page.h>
> >  #include <security/config.h>
> > +#include <security/policy.h>
> >  
> >  static LIST_HEAD(handler_list);
> >  static struct sconfig_notifier_block sconfig_notifier;
> > @@ -75,6 +76,7 @@ static int bootm_dryrun;
> >  static int bootm_earlycon;
> >  static int bootm_provide_machine_id;
> >  static int bootm_provide_hostname;
> > +static int bootm_provide_policy;
> >  static int bootm_verbosity;
> >  static int bootm_efi_mode = BOOTM_EFI_AVAILABLE;
> >  
> > @@ -97,6 +99,7 @@ void bootm_data_init_defaults(struct bootm_data *data)
> >  	data->appendroot = bootm_appendroot;
> >  	data->provide_machine_id = bootm_provide_machine_id;
> >  	data->provide_hostname = bootm_provide_hostname;
> > +	data->provide_policy = bootm_provide_policy;
> >  	data->verbose = bootm_verbosity;
> >  	data->dryrun = bootm_dryrun;
> >  	data->efi_boot = bootm_efi_mode;
> > @@ -118,6 +121,7 @@ void bootm_data_restore_defaults(const struct bootm_data *data)
> >  	bootm_appendroot = data->appendroot;
> >  	bootm_provide_machine_id = data->provide_machine_id;
> >  	bootm_provide_hostname = data->provide_hostname;
> > +	bootm_provide_policy = data->provide_policy;
> >  	bootm_verbosity = data->verbose;
> >  	bootm_dryrun = data->dryrun;
> >  	bootm_efi_mode = data->efi_boot;
> > @@ -712,6 +716,20 @@ int bootm_boot(struct bootm_data *bootm_data)
> >  		free(hostname_bootarg);
> >  	}
> >  
> > +	if (IS_ENABLED(CONFIG_SECURITY_POLICY) && bootm_data->provide_policy) {
> > +		char *policy_bootargs;
> > +
> > +		if (!active_policy->name) {
> 
> Could active_policy be NULL here?
I'm not totally sure. If you have activated security policies, then did not specify any policy, it may be NULL.
Or if you have activated security policies, but never ran into a path, where 'is_allowed' is checked, because everything
that could be configured by security policies is disabled by Kconfig and you did not set an initial policy, then it
might be NULL.
Will add an extra check.
> 
> > +			pr_err("Providing policy is enabled but policy has no name\n");
> > +			ret = -EINVAL;
> > +			goto err_out;
> > +		}
> > +
> > +		policy_bootargs = basprintf("barebox.security.policy=%s", active_policy->name);
> > +		globalvar_add_simple("linux.bootargs.policy", policy_bootargs);
> 
> Should be linux.bootargs.dyn.policy to make sure it gets cleared after a
> boot attempt.

Will change.

Fabian

> 
> Sascha
> 




* Re: [PATCH 1/4] common: bootm: add policy to commandline
  2026-03-13 14:26     ` Fabian Pflug
@ 2026-03-13 14:30       ` Sascha Hauer
  0 siblings, 0 replies; 9+ messages in thread
From: Sascha Hauer @ 2026-03-13 14:30 UTC (permalink / raw)
  To: Fabian Pflug; +Cc: BAREBOX

On Fri, Mar 13, 2026 at 03:26:34PM +0100, Fabian Pflug wrote:
> On Fri, 2026-03-13 at 14:36 +0100, Sascha Hauer wrote:
> > On Thu, Mar 12, 2026 at 10:16:42AM +0100, Fabian Pflug wrote:
> > > If security policies are used, then the variable bootm.provide_policy
> > > can be set to automatically append the currently selected security
> > > policy to the kernel commandline with the prefix
> > > barebox.security.policy=
> > > This allows the the system to behave different based on the selected
> > > security policy.
> > > 
> > > Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> > > ---
> > >  common/bootm.c  | 23 +++++++++++++++++++++++
> > >  include/bootm.h |  5 +++++
> > >  2 files changed, 28 insertions(+)
> > > 
> > > diff --git a/common/bootm.c b/common/bootm.c
> > > index 6318509884..cd90aa81e1 100644
> > > --- a/common/bootm.c
> > > +++ b/common/bootm.c
> > > @@ -22,6 +22,7 @@
> > >  #include <uncompress.h>
> > >  #include <zero_page.h>
> > >  #include <security/config.h>
> > > +#include <security/policy.h>
> > >  
> > >  static LIST_HEAD(handler_list);
> > >  static struct sconfig_notifier_block sconfig_notifier;
> > > @@ -75,6 +76,7 @@ static int bootm_dryrun;
> > >  static int bootm_earlycon;
> > >  static int bootm_provide_machine_id;
> > >  static int bootm_provide_hostname;
> > > +static int bootm_provide_policy;
> > >  static int bootm_verbosity;
> > >  static int bootm_efi_mode = BOOTM_EFI_AVAILABLE;
> > >  
> > > @@ -97,6 +99,7 @@ void bootm_data_init_defaults(struct bootm_data *data)
> > >  	data->appendroot = bootm_appendroot;
> > >  	data->provide_machine_id = bootm_provide_machine_id;
> > >  	data->provide_hostname = bootm_provide_hostname;
> > > +	data->provide_policy = bootm_provide_policy;
> > >  	data->verbose = bootm_verbosity;
> > >  	data->dryrun = bootm_dryrun;
> > >  	data->efi_boot = bootm_efi_mode;
> > > @@ -118,6 +121,7 @@ void bootm_data_restore_defaults(const struct bootm_data *data)
> > >  	bootm_appendroot = data->appendroot;
> > >  	bootm_provide_machine_id = data->provide_machine_id;
> > >  	bootm_provide_hostname = data->provide_hostname;
> > > +	bootm_provide_policy = data->provide_policy;
> > >  	bootm_verbosity = data->verbose;
> > >  	bootm_dryrun = data->dryrun;
> > >  	bootm_efi_mode = data->efi_boot;
> > > @@ -712,6 +716,20 @@ int bootm_boot(struct bootm_data *bootm_data)
> > >  		free(hostname_bootarg);
> > >  	}
> > >  
> > > +	if (IS_ENABLED(CONFIG_SECURITY_POLICY) && bootm_data->provide_policy) {
> > > +		char *policy_bootargs;
> > > +
> > > +		if (!active_policy->name) {
> > 
> > Could active_policy be NULL here?
> I'm not totally sure. If you have activated security policies, then did not specify any policy, it may be NULL.
> Or if you have activated security policies, but never ran into a path, where 'is_allowed' is checked, because everything
> that could be configured by security policies is disabled by Kconfig and you did not set an initial policy, then it
> might be NULL.

I agree that in a sanely configured system it shouldn't be NULL.

> Will add an extra check.

Ok.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



