summaryrefslogtreecommitdiff
path: root/arch
diff options
context:
space:
mode:
authorSimon Glass <sjg@chromium.org>2012-11-30 13:01:17 +0000
committerAlbert ARIBAUD <albert.u.boot@aribaud.net>2013-01-10 22:21:47 +0100
commit06fd853890f23491605bfd6c9ab0116b79e15aaa (patch)
tree7e780c8b3600ef37907e54ddfa46db177624092a /arch
parenteae78c3406e8b53950ab716567157aa836a5f398 (diff)
downloadu-boot-06fd853890f23491605bfd6c9ab0116b79e15aaa.tar.gz
u-boot-06fd853890f23491605bfd6c9ab0116b79e15aaa.tar.bz2
u-boot-06fd853890f23491605bfd6c9ab0116b79e15aaa.zip
arm: Add CONFIG_DELAY_ENVIRONMENT to delay environment loading
This option delays loading of the environment until later, so that only the default environment will be available to U-Boot. This can address the security risk of untrusted data being used during boot. Any time you load untrusted data you expose yourself to a bug in the code. The attacker gets to choose the data so can sometimes carefully craft it to exploit a bug. We try to avoid touching user-controlled data during a verified boot unless strictly necessary. Since the default environment is good enough in this case (or you would just change it), this gets around the problem by just not loading the environment. When CONFIG_DELAY_ENVIRONMENT is defined, it is convenient to have a run-time way of enabling loading of the environment. Add this to the fdt as /config/delay-environment. Note: This patch depends on http://patchwork.ozlabs.org/patch/194342/ Signed-off-by: Doug Anderson <dianders@chromium.org> Signed-off-by: Simon Glass <sjg@chromium.org> Reviewed-by: Doug Anderson <dianders@chromium.org>
Diffstat (limited to 'arch')
-rw-r--r--arch/arm/lib/board.c29
1 files changed, 27 insertions, 2 deletions
diff --git a/arch/arm/lib/board.c b/arch/arm/lib/board.c
index 864b53380b..a1eb7993ad 100644
--- a/arch/arm/lib/board.c
+++ b/arch/arm/lib/board.c
@@ -40,6 +40,7 @@
#include <common.h>
#include <command.h>
+#include <environment.h>
#include <malloc.h>
#include <stdio_dev.h>
#include <version.h>
@@ -467,7 +468,28 @@ static char *failed = "*** failed ***\n";
#endif
/*
- ************************************************************************
+ * Tell if it's OK to load the environment early in boot.
+ *
+ * If CONFIG_OF_CONFIG is defined, we'll check with the FDT to see
+ * if this is OK (defaulting to saying it's not OK).
+ *
+ * NOTE: Loading the environment early can be a bad idea if security is
+ * important, since no verification is done on the environment.
+ *
+ * @return 0 if environment should not be loaded, !=0 if it is ok to load
+ */
+static int should_load_env(void)
+{
+#ifdef CONFIG_OF_CONTROL
+ return fdtdec_get_config_int(gd->fdt_blob, "load-environment", 0);
+#elif defined CONFIG_DELAY_ENVIRONMENT
+ return 0;
+#else
+ return 1;
+#endif
+}
+
+/************************************************************************
*
* This is the next part if the initialization sequence: we are now
* running from RAM and have a "normal" C environment, i. e. global
@@ -570,7 +592,10 @@ void board_init_r(gd_t *id, ulong dest_addr)
#endif
/* initialize environment */
- env_relocate();
+ if (should_load_env())
+ env_relocate();
+ else
+ set_default_env(NULL);
#if defined(CONFIG_CMD_PCI) || defined(CONFIG_PCI)
arm_pci_init();