[PATCH v2 07/24] security: policy: support externally provided configs
Sascha Hauer
s.hauer at pengutronix.de
Wed Sep 17 06:53:27 PDT 2025
From: Ahmad Fatoum <a.fatoum at barebox.org>
Enforcing that security policies are up-to-date and removing implicit
syncing nudges users into checking the actual security policy into
version control. To allow the policies to live outside the
barebox tree, introduce CONFIG_SECURITY_POLICY_PATH that takes a
space-separated list of configs.
For now, the option is very strict: All files referenced must be placed
into security/ in the barebox source directory. Different build rules
sharing the same source directory can install their configs with
different names and customize via CONFIG_SECURITY_POLICY_PATH which options
to include.
sconfigpost also supports iterating over directories, but this feature
is left out for now, as it needs more extensive testing to verify that
targets are rebuilt as often as needed and not more.
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
security/Kconfig.policy | 15 +++++++++++++++
security/Makefile | 37 +++++++++++++++++++++++++++++++++++++
security/policy.c | 3 +++
3 files changed, 55 insertions(+)
diff --git a/security/Kconfig.policy b/security/Kconfig.policy
index 9ea52e91dad3f2c97768fc804203ddc0cad36f79..1f3becd4fba7ee94d4b24980fa0f54ad3cba675a 100644
--- a/security/Kconfig.policy
+++ b/security/Kconfig.policy
@@ -83,6 +83,21 @@ config SECURITY_POLICY_PATH
Absolute paths are disallowed.
+config SECURITY_POLICY_PATH
+ string
+ depends on SECURITY_POLICY
+ prompt "Paths to additional security policies"
+ help
+ Space separated list of security policies that should be
+ compiled into barebox and registered. This option currently
+ requires each security policy to match security/*.sconfig, i.e.
+ be directly located in the security/ directory of the source
+ source tree and have the .sconfig extension.
+ If left empty, only security policies explicitly provided
+ and registered by board code will be available.
+
+ Absolute paths are disallowed.
+
config SECURITY_POLICY_NAMES
bool
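Review bot: The help text for SECURITY_POLICY_PATH repeats a word across the line break (`source` / `source tree`) and does not say that entries may be written with or without the `security/` prefix, which the Makefile part of this patch strips before validating. I would reword the sentence to `be directly located in the security/ directory of the source tree and have the .sconfig extension` and add a line such as `Entries may be given as security/NAME.sconfig or NAME.sconfig.` The help also states that the .sconfig extension is required, which should stay only if the build actually rejects other names.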
diff --git a/security/Makefile b/security/Makefile
index 16b328266a1b35861ee263e8026fc8ebd704aedb..1096cbfb9b16eef1e98c8301762acf4ef1ba4c17 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -8,6 +8,9 @@ obj-pbl-$(CONFIG_HAVE_OPTEE) += optee.o
obj-$(CONFIG_BLOBGEN) += blobgen.o
obj-$(CONFIG_PASSWORD) += password.o
+# Default password handling
+# ---------------------------------------------------------------------------
+#
ifdef CONFIG_PASSWORD
ifeq ($(CONFIG_PASSWORD_DEFAULT),"")
@@ -29,3 +32,37 @@ include/generated/passwd.h: FORCE
$(obj)/password.o: include/generated/passwd.h
endif # CONFIG_PASSWORD
+
+# External security policy handling
+# ---------------------------------------------------------------------------
+
+external-policy := $(foreach p, \
+ $(call remove_quotes,$(CONFIG_SECURITY_POLICY_PATH)), \
+ $(p:security/%=%))
+
+external-policy-tmp := $(addsuffix .tmp,$(external-policy))
+real-external-policy-tmp := $(addprefix $(obj)/,$(external-policy-tmp))
+
+ifneq ($(external-policy),)
+obj-y += default.sconfig.o
+extra-y += default.sconfig.c
+always-y += policy-list
+$(foreach p, $(external-policy), \
+ $(if $(findstring /,$p),$(error \
+ CONFIG_SECURITY_POLICY_PATH contains path separators.\
+ $(newline)"$p" must start with security/)))
+$(foreach p, $(external-policy), \
+ $(if $(wildcard $(srctree)/$(src)/$p),,$(error \
+ CONFIG_SECURITY_POLICY_PATH contains non-existent files.\
+ $(newline)"$p" does not exist in $$(srctree)/security)))
+endif
+
+$(obj)/policy-list: $(addprefix $(src)/,$(external-policy)) FORCE
+ $(call if_changed,gen_order_src)
+
+targets += $(external-policy-tmp)
+
+$(obj)/default.sconfig.c: $(real-external-policy-tmp) FORCE
+ +$(Q)$(foreach p, $(real-external-policy-tmp), \
+ $(call noop_cmd,security_checkconfig,$p) ;)
+ $(call if_changed_dep,sconfigpost_c,$(real-external-policy-tmp))
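Review bot: The two `$(foreach ...)` validation loops inside `ifneq ($(external-policy),)` accept any existing entry of security/ that has no `/` left once the `security/` prefix is stripped, so a directory or a file without the `.sconfig` extension passes both checks. That contradicts the Kconfig help, which requires `security/*.sconfig`, and the commit message, which says directory input is deliberately left out for now. Unless the rule that produces the `.tmp` targets (not visible in this hunk) already rejects such names, add a third check such as `$(foreach p, $(external-policy), $(if $(filter %.sconfig,$p),,$(error CONFIG_SECURITY_POLICY_PATH entry "$p" does not end in .sconfig)))`. The first error text is also misleading for an entry like `security/sub/x.sconfig`, which does start with security/; `"$p" must be located directly in security/` would describe the failure.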
diff --git a/security/policy.c b/security/policy.c
index 0984bb6555cc2417ace290af8db7b6a5b6da0d86..44e58157d8416665117096df75edf5688d032106 100644
--- a/security/policy.c
+++ b/security/policy.c
@@ -231,6 +231,9 @@ static int security_init(void)
dev_add_param_string(&security_device, "policy", param_set_readonly,
security_policy_get_name, &policy_name, NULL);
+ if (*CONFIG_SECURITY_POLICY_PATH)
+ security_policy_add(default);
+
return 0;
}
pure_initcall(security_init);
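Review bot: The added `if (*CONFIG_SECURITY_POLICY_PATH)` in security_init() tests the raw Kconfig string, while security/Makefile in this patch builds default.sconfig.o only when the list is non-empty after quote removal and word splitting. A value consisting only of whitespace would therefore presumably reference a policy object that was never built and fail at link time. Either reject such a value in the Makefile or document the coupling with a comment like `/* "default" is generated from CONFIG_SECURITY_POLICY_PATH by security/Makefile; both conditions must agree */`. If security_policy_add() can report failure (its definition is not in this hunk), the result is dropped here and boot would continue without the configured policy, so consider checking it. security_init() begins above the hunk.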
--
2.47.3