summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDoug Anderson <dianders@chromium.org>2012-10-25 16:31:09 +0000
committerGerald Van Baren <gvb@unssw.com>2012-11-12 23:14:57 -0500
commit67e1ea26e89e19a550d86d6408f39d815eedaa7f (patch)
treefca9c04ffdf30b650a13a0c8528fdcc7b54f771f
parent3b73459ea3421e9f8c6c8c62e1d3fe458ca5bc56 (diff)
downloadu-boot-imx-67e1ea26e89e19a550d86d6408f39d815eedaa7f.zip
u-boot-imx-67e1ea26e89e19a550d86d6408f39d815eedaa7f.tar.gz
u-boot-imx-67e1ea26e89e19a550d86d6408f39d815eedaa7f.tar.bz2
fdt: Allow device tree to specify secure booting
When secure booting is chosen: * The u-boot shell is never invoked during boot--we just do a simple table lookup to find the command. This means we could even remove the shell parsing from u-boot and still be able to boot. * The boot command can't be interruped. * Failure doesn't cause us to fall back to the shell. Signed-off-by: Gabe Black <gabeblack@google.com> Signed-off-by: Doug Anderson <dianders@chromium.org> Signed-off-by: Simon Glass <sjg@chromium.org>
-rw-r--r--common/main.c62
1 files changed, 62 insertions, 0 deletions
diff --git a/common/main.c b/common/main.c
index fd70928..61c6cac 100644
--- a/common/main.c
+++ b/common/main.c
@@ -283,6 +283,59 @@ int abortboot(int bootdelay)
# endif /* CONFIG_AUTOBOOT_KEYED */
#endif /* CONFIG_BOOTDELAY >= 0 */
+/*
+ * Runs the given boot command securely. Specifically:
+ * - Doesn't run the command with the shell (run_command or parse_string_outer),
+ * since that's a lot of code surface that an attacker might exploit.
+ * Because of this, we don't do any argument parsing--the secure boot command
+ * has to be a full-fledged u-boot command.
+ * - Doesn't check for keypresses before booting, since that could be a
+ * security hole; also disables Ctrl-C.
+ * - Doesn't allow the command to return.
+ *
+ * Upon any failures, this function will drop into an infinite loop after
+ * printing the error message to console.
+ */
+
+#if defined(CONFIG_BOOTDELAY) && (CONFIG_BOOTDELAY >= 0) && \
+ defined(CONFIG_OF_CONTROL)
+static void secure_boot_cmd(char *cmd)
+{
+ cmd_tbl_t *cmdtp;
+ int rc;
+
+ if (!cmd) {
+ printf("## Error: Secure boot command not specified\n");
+ goto err;
+ }
+
+ /* Disable Ctrl-C just in case some command is used that checks it. */
+ disable_ctrlc(1);
+
+ /* Find the command directly. */
+ cmdtp = find_cmd(cmd);
+ if (!cmdtp) {
+ printf("## Error: \"%s\" not defined\n", cmd);
+ goto err;
+ }
+
+ /* Run the command, forcing no flags and faking argc and argv. */
+ rc = (cmdtp->cmd)(cmdtp, 0, 1, &cmd);
+
+ /* Shouldn't ever return from boot command. */
+ printf("## Error: \"%s\" returned (code %d)\n", cmd, rc);
+
+err:
+ /*
+ * Not a whole lot to do here. Rebooting won't help much, since we'll
+ * just end up right back here. Just loop.
+ */
+ hang();
+}
+
+#endif /* CONFIG_OF_CONTROL */
+
+
/****************************************************************************/
void main_loop (void)
@@ -397,6 +450,15 @@ void main_loop (void)
env = fdtdec_get_config_string(gd->fdt_blob, "bootcmd");
if (env)
s = env;
+
+ /*
+ * If the bootsecure option was chosen, use secure_boot_cmd().
+ * Always use 'env' in this case, since bootsecure requres that the
+ * bootcmd was specified in the FDT too.
+ */
+ if (fdtdec_get_config_int(gd->fdt_blob, "bootsecure", 0))
+ secure_boot_cmd(env);
+
#endif /* CONFIG_OF_CONTROL */
debug ("### main_loop: bootcmd=\"%s\"\n", s ? s : "<UNDEFINED>");