[PATCH 4/5] boot: if we are in secure boot mode

Jean-Christophe PLAGNIOL-VILLARD plagnioj at jcrosoft.com
Tue Mar 14 01:14:26 PDT 2017 

On 08:50 Mon 13 Mar     , Sascha Hauer wrote:
> On Thu, Mar 09, 2017 at 03:34:09PM +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> > request confirmation before booting an unsigned image
> > 
> > with a default timeout
> > 
> > Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj at jcrosoft.com>
> > ---
> >  commands/go.c         |  7 +++++++
> >  common/Kconfig        |  8 ++++++++
> >  common/Makefile       |  1 +
> >  common/bootm.c        |  7 +++++++
> >  common/secure_boot.c  | 43 +++++++++++++++++++++++++++++++++++++++++++
> >  include/bootm.h       |  1 +
> >  include/secure_boot.h | 25 +++++++++++++++++++++++++
> >  7 files changed, 92 insertions(+)
> >  create mode 100644 common/secure_boot.c
> >  create mode 100644 include/secure_boot.h
> > 
> > diff --git a/commands/go.c b/commands/go.c
> > index fb319b320..61c9ce43f 100644
> > --- a/commands/go.c
> > +++ b/commands/go.c
> > @@ -26,6 +26,7 @@
> >  #include <fcntl.h>
> >  #include <linux/ctype.h>
> >  #include <errno.h>
> > +#include <secure_boot.h>
> >  
> >  static int do_go(int argc, char *argv[])
> >  {
> > @@ -37,6 +38,12 @@ static int do_go(int argc, char *argv[])
> >  	if (argc < 2)
> >  		return COMMAND_ERROR_USAGE;
> >  
> > +	rcode = secure_boot_start_unsigned();
> > +	if (rcode)
> > +		return rcode ? 1 : 0;
> 
> When rcode is true, then if rcode is true, return 1, otherwise return 0?

I forget we could return a negative error on command too
> 
> > +
> > +	rcode = 1;
> > +
> >  	if (!isdigit(*argv[1])) {
> >  		fd = open(argv[1], O_RDONLY);
> >  		if (fd < 0) {
> > diff --git a/common/Kconfig b/common/Kconfig
> > index f7ff04664..9e7d027a2 100644
> > --- a/common/Kconfig
> > +++ b/common/Kconfig
> > @@ -21,6 +21,9 @@ config HAS_KALLSYMS
> >  config HAS_MODULES
> >  	bool
> >  
> > +config HAS_SECURE_BOOT
> > +	bool
> > +
> >  config HAS_CACHE
> >  	bool
> >  	help
> > @@ -184,6 +187,11 @@ config NVVAR
> >  	  while global variables can be changed during runtime without changing the
> >  	  default.
> >  
> > +config SECURE_BOOT_TIMEOUT
> > +	prompt "Secure Boot unsigned boot timeout"
> > +	int
> > +	default 3
> > +
> >  menu "memory layout"
> >  
> >  source "pbl/Kconfig"
> > diff --git a/common/Makefile b/common/Makefile
> > index 5f58c81d2..e57cc2c15 100644
> > --- a/common/Makefile
> > +++ b/common/Makefile
> > @@ -61,6 +61,7 @@ obj-$(CONFIG_UBIFORMAT)		+= ubiformat.o
> >  obj-$(CONFIG_BAREBOX_UPDATE_IMX_NAND_FCB) += imx-bbu-nand-fcb.o
> >  obj-$(CONFIG_CONSOLE_RATP)	+= ratp.o
> >  obj-$(CONFIG_BOOT)		+= boot.o
> > +obj-$(CONFIG_HAS_SECURE_BOOT)	+= secure_boot.o
> >  
> >  quiet_cmd_pwd_h = PWDH    $@
> >  ifdef CONFIG_PASSWORD
> > diff --git a/common/bootm.c b/common/bootm.c
> > index 81625d915..0ebf65681 100644
> > --- a/common/bootm.c
> > +++ b/common/bootm.c
> > @@ -23,6 +23,7 @@
> >  #include <environment.h>
> >  #include <linux/stat.h>
> >  #include <magicvar.h>
> > +#include <secure_boot.h>
> >  
> >  static LIST_HEAD(handler_list);
> >  
> > @@ -625,6 +626,12 @@ int bootm_boot(struct bootm_data *bootm_data)
> >  		printf("Passing control to %s handler\n", handler->name);
> >  	}
> >  
> > +	if (!handler->is_secure_supported && is_secure_mode()) {
> > +		ret = secure_boot_start_unsigned();
> > +		if (ret)
> > +			goto err_out;
> > +	}
> > +
> >  	ret = handler->bootm(data);
> >  	if (data->dryrun)
> >  		printf("Dryrun. Aborted\n");
> > diff --git a/common/secure_boot.c b/common/secure_boot.c
> > new file mode 100644
> > index 000000000..e625ef4e1
> > --- /dev/null
> > +++ b/common/secure_boot.c
> > @@ -0,0 +1,43 @@
> > +/*
> > + * Copyright (c) 2017 Jean-Christophe PLAGNIOL-VILLARD <plagnioj at jcrosoft.com>
> > + *
> > + * Under GPLv2 Only
> > + */
> > +#include <common.h>
> > +#include <secure_boot.h>
> > +#include <console_countdown.h>
> > +#include <globalvar.h>
> > +#include <magicvar.h>
> > +#include <init.h>
> > +
> > +static unsigned int sb_confirm_timeout = CONFIG_SECURE_BOOT_TIMEOUT;
> 
> Use globalvar_add_simple_int instead of putting this into the config.
> 
> > +
> > +int secure_boot_start_unsigned(void)
> 
> This function name is very misleading. It sounds like it starts an
> unsigned image, but this function doesn't start anything. Second guess
> is that it returns a boolean whether it's allowed to start an unsigned
> image, but actually it returns the opposite.

secure_boot_can_start_unsigned could be better

it return 0 if ok
an error otherwise

as we can return an security violation or other error

Best Regards,
J.

More information about the barebox mailing list