Re: [PATCH 1/4] common: bootm: add policy to commandline

[Fabian Pflug <f.pflug@pengutronix.de>]

On Fri, 2026-03-13 at 14:36 +0100, Sascha Hauer wrote:
> On Thu, Mar 12, 2026 at 10:16:42AM +0100, Fabian Pflug wrote:
> > If security policies are used, then the variable bootm.provide_policy
> > can be set to automatically append the currently selected security
> > policy to the kernel commandline with the prefix
> > barebox.security.policy=
> > This allows the the system to behave different based on the selected
> > security policy.
> > 
> > Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> > ---
> >  common/bootm.c  | 23 +++++++++++++++++++++++
> >  include/bootm.h |  5 +++++
> >  2 files changed, 28 insertions(+)
> > 
> > diff --git a/common/bootm.c b/common/bootm.c
> > index 6318509884..cd90aa81e1 100644
> > --- a/common/bootm.c
> > +++ b/common/bootm.c
> > @@ -22,6 +22,7 @@
> >  #include <uncompress.h>
> >  #include <zero_page.h>
> >  #include <security/config.h>
> > +#include <security/policy.h>
> >  
> >  static LIST_HEAD(handler_list);
> >  static struct sconfig_notifier_block sconfig_notifier;
> > @@ -75,6 +76,7 @@ static int bootm_dryrun;
> >  static int bootm_earlycon;
> >  static int bootm_provide_machine_id;
> >  static int bootm_provide_hostname;
> > +static int bootm_provide_policy;
> >  static int bootm_verbosity;
> >  static int bootm_efi_mode = BOOTM_EFI_AVAILABLE;
> >  
> > @@ -97,6 +99,7 @@ void bootm_data_init_defaults(struct bootm_data *data)
> >  	data->appendroot = bootm_appendroot;
> >  	data->provide_machine_id = bootm_provide_machine_id;
> >  	data->provide_hostname = bootm_provide_hostname;
> > +	data->provide_policy = bootm_provide_policy;
> >  	data->verbose = bootm_verbosity;
> >  	data->dryrun = bootm_dryrun;
> >  	data->efi_boot = bootm_efi_mode;
> > @@ -118,6 +121,7 @@ void bootm_data_restore_defaults(const struct bootm_data *data)
> >  	bootm_appendroot = data->appendroot;
> >  	bootm_provide_machine_id = data->provide_machine_id;
> >  	bootm_provide_hostname = data->provide_hostname;
> > +	bootm_provide_policy = data->provide_policy;
> >  	bootm_verbosity = data->verbose;
> >  	bootm_dryrun = data->dryrun;
> >  	bootm_efi_mode = data->efi_boot;
> > @@ -712,6 +716,20 @@ int bootm_boot(struct bootm_data *bootm_data)
> >  		free(hostname_bootarg);
> >  	}
> >  
> > +	if (IS_ENABLED(CONFIG_SECURITY_POLICY) && bootm_data->provide_policy) {
> > +		char *policy_bootargs;
> > +
> > +		if (!active_policy->name) {
> 
> Could active_policy be NULL here?
I'm not totally sure. If you have activated security policies, then did not specify any policy, it may be NULL.
Or if you have activated security policies, but never ran into a path, where 'is_allowed' is checked, because everything
that could be configured by security policies is disabled by Kconfig and you did not set an initial policy, then it
might be NULL.
Will add an extra check.
> 
> > +			pr_err("Providing policy is enabled but policy has no name\n");
> > +			ret = -EINVAL;
> > +			goto err_out;
> > +		}
> > +
> > +		policy_bootargs = basprintf("barebox.security.policy=%s", active_policy->name);
> > +		globalvar_add_simple("linux.bootargs.policy", policy_bootargs);
> 
> Should be linux.bootargs.dyn.policy to make sure it gets cleared after a
> boot attempt.

Will change.

Fabian

> 
> Sascha
>