[PATCH master] environment: autoprobe environment only when CONFIG_INSECURE=y
Marco Felsch
m.felsch at pengutronix.de
Thu Jan 23 09:09:17 PST 2025
Hi Ahmad,
On 25-01-23, Ahmad Fatoum wrote:
> As things are, secure booting systems are expected to disable
> CONFIG_ENV_HANDLING to avoid their behavior changing due to a barebox
> environment loaded at runtime.
>
> Still, some users may want to keep CONFIG_ENV_HANDLING enabled, but
> activated only selectively. For those users, barebox autoprobing block
> devices for a GPT partition with the matching UUID is undesirable.
Good catch!
> Therefore, allow disabling this autoprobe behavior via a globalvar.
> To balance convenience against security, the default for the globalvar
> will depend on whether the CONFIG_INSECURE option is set.
A global INSECURE option like OP-TEE does seems reasonable to avoid
flooding the Kconfig.
> Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
Reviewed-by: Marco Felsch <m.felsch at pengutronix.de>
More information about the barebox
mailing list