diff options
author | Doug Anderson <dianders@chromium.org> | 2012-10-25 16:31:09 +0000 |
---|---|---|
committer | Gerald Van Baren <gvb@unssw.com> | 2012-11-12 23:14:57 -0500 |
commit | 67e1ea26e89e19a550d86d6408f39d815eedaa7f (patch) | |
tree | fca9c04ffdf30b650a13a0c8528fdcc7b54f771f | |
parent | 3b73459ea3421e9f8c6c8c62e1d3fe458ca5bc56 (diff) | |
download | u-boot-imx-67e1ea26e89e19a550d86d6408f39d815eedaa7f.zip u-boot-imx-67e1ea26e89e19a550d86d6408f39d815eedaa7f.tar.gz u-boot-imx-67e1ea26e89e19a550d86d6408f39d815eedaa7f.tar.bz2 |
fdt: Allow device tree to specify secure booting
When secure booting is chosen:
* The u-boot shell is never invoked during boot--we just do a simple
table lookup to find the command. This means we could even remove
the shell parsing from u-boot and still be able to boot.
* The boot command can't be interruped.
* Failure doesn't cause us to fall back to the shell.
Signed-off-by: Gabe Black <gabeblack@google.com>
Signed-off-by: Doug Anderson <dianders@chromium.org>
Signed-off-by: Simon Glass <sjg@chromium.org>
-rw-r--r-- | common/main.c | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/common/main.c b/common/main.c index fd70928..61c6cac 100644 --- a/common/main.c +++ b/common/main.c @@ -283,6 +283,59 @@ int abortboot(int bootdelay) # endif /* CONFIG_AUTOBOOT_KEYED */ #endif /* CONFIG_BOOTDELAY >= 0 */ +/* + * Runs the given boot command securely. Specifically: + * - Doesn't run the command with the shell (run_command or parse_string_outer), + * since that's a lot of code surface that an attacker might exploit. + * Because of this, we don't do any argument parsing--the secure boot command + * has to be a full-fledged u-boot command. + * - Doesn't check for keypresses before booting, since that could be a + * security hole; also disables Ctrl-C. + * - Doesn't allow the command to return. + * + * Upon any failures, this function will drop into an infinite loop after + * printing the error message to console. + */ + +#if defined(CONFIG_BOOTDELAY) && (CONFIG_BOOTDELAY >= 0) && \ + defined(CONFIG_OF_CONTROL) +static void secure_boot_cmd(char *cmd) +{ + cmd_tbl_t *cmdtp; + int rc; + + if (!cmd) { + printf("## Error: Secure boot command not specified\n"); + goto err; + } + + /* Disable Ctrl-C just in case some command is used that checks it. */ + disable_ctrlc(1); + + /* Find the command directly. */ + cmdtp = find_cmd(cmd); + if (!cmdtp) { + printf("## Error: \"%s\" not defined\n", cmd); + goto err; + } + + /* Run the command, forcing no flags and faking argc and argv. */ + rc = (cmdtp->cmd)(cmdtp, 0, 1, &cmd); + + /* Shouldn't ever return from boot command. */ + printf("## Error: \"%s\" returned (code %d)\n", cmd, rc); + +err: + /* + * Not a whole lot to do here. Rebooting won't help much, since we'll + * just end up right back here. Just loop. + */ + hang(); +} + +#endif /* CONFIG_OF_CONTROL */ + + /****************************************************************************/ void main_loop (void) @@ -397,6 +450,15 @@ void main_loop (void) env = fdtdec_get_config_string(gd->fdt_blob, "bootcmd"); if (env) s = env; + + /* + * If the bootsecure option was chosen, use secure_boot_cmd(). + * Always use 'env' in this case, since bootsecure requres that the + * bootcmd was specified in the FDT too. + */ + if (fdtdec_get_config_int(gd->fdt_blob, "bootsecure", 0)) + secure_boot_cmd(env); + #endif /* CONFIG_OF_CONTROL */ debug ("### main_loop: bootcmd=\"%s\"\n", s ? s : "<UNDEFINED>"); |