From patchwork Fri Nov 30 23:01:17 2012
X-Patchwork-Submitter: Simon Glass
X-Patchwork-Id: 203077
X-Patchwork-Delegate: albert.aribaud@free.fr
From: Simon Glass
To: U-Boot Mailing List
Date: Fri, 30 Nov 2012 15:01:17 -0800
Message-Id: <1354316484-23515-4-git-send-email-sjg@chromium.org>
X-Mailer: git-send-email 1.7.7.3
In-Reply-To: <1354316484-23515-1-git-send-email-sjg@chromium.org>
References: <1354316484-23515-1-git-send-email-sjg@chromium.org>
Subject: [U-Boot] [PATCH v2 04/10] arm: Add CONFIG_DELAY_ENVIRONMENT to delay environment loading
List-Id: U-Boot discussion
Sender: u-boot-bounces@lists.denx.de

This option delays loading of the environment until later, so that only the default environment will be available to U-Boot. This can address the security risk of untrusted data being used during boot. Any time you load untrusted data you expose yourself to a bug in the code. The attacker gets to choose the data so can sometimes carefully craft it to exploit a bug. We try to avoid touching user-controlled data during a verified boot unless strictly necessary. Since the default environment is good enough in this case (or you would just change it), this gets around the problem by just not loading the environment.

When CONFIG_DELAY_ENVIRONMENT is defined, it is convenient to have a run-time way of enabling loading of the environment. Add this to the fdt as /config/delay-environment.

Note: This patch depends on http://patchwork.ozlabs.org/patch/194342/

Signed-off-by: Doug Anderson
Signed-off-by: Simon Glass Reviewed-by: Doug Anderson --- Changes in v2: - Update commit message to provide more detail README | 9 +++++++++ arch/arm/lib/board.c | 29 +++++++++++++++++++++++++++-- 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/README b/README index b9a3685..d26ce5b 100644 --- a/README +++ b/README @@ -2329,6 +2329,15 @@ CBFS (Coreboot Filesystem) support run-time determined information about the hardware to the environment. These will be named board_name, board_rev. + CONFIG_DELAY_ENVIRONMENT + + Normally the environment is loaded when the board is + intialised so that it is available to U-Boot. This inhibits + that so that the environment is not available until + explicitly loaded later by U-Boot code. With CONFIG_OF_CONTROL + this is instead controlled by the value of + /config/load-environment. + - DataFlash Support: CONFIG_HAS_DATAFLASH diff --git a/arch/arm/lib/board.c b/arch/arm/lib/board.c index 262a3ca..7d1927e 100644 --- a/arch/arm/lib/board.c +++ b/arch/arm/lib/board.c @@ -40,6 +40,7 @@ #include #include +#include #include #include #include 
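Review bot: The README entry for CONFIG_DELAY_ENVIRONMENT names the device-tree property /config/load-environment, but the commit message says the control is added as /config/delay-environment; the code reads "load-environment", so the commit message should be corrected to match the README and the code. In the same entry, "intialised" should be "initialised", and since the README text says the environment is "explicitly loaded later by U-Boot code" while this patch adds no such call, it would help to state that board code is expected to call env_relocate() itself when the stored environment is wanted.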
@@ -476,7 +477,28 @@ static char *failed = "*** failed ***\n"; #endif /* - ************************************************************************ + * Tell if it's OK to load the environment early in boot. + * + * If CONFIG_OF_CONFIG is defined, we'll check with the FDT to see + * if this is OK (defaulting to saying it's not OK). + * + * NOTE: Loading the environment early can be a bad idea if security is + * important, since no verification is done on the environment. + * + * @return 0 if environment should not be loaded, !=0 if it is ok to load + */ +static int should_load_env(void) +{ +#ifdef CONFIG_OF_CONTROL + return fdtdec_get_config_int(gd->fdt_blob, "load-environment", 0); +#elif defined CONFIG_DELAY_ENVIRONMENT + return 0; +#else + return 1; +#endif +} + +/************************************************************************ * * This is the next part if the initialization sequence: we are now * running from RAM and have a "normal" C environment, i. e. global @@ -583,7 +605,10 @@ void board_init_r(gd_t *id, ulong dest_addr) #endif /* initialize environment */ - env_relocate(); + if (should_load_env()) + env_relocate(); + else + set_default_env(NULL); #if defined(CONFIG_CMD_PCI) || defined(CONFIG_PCI) arm_pci_init();
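Review bot: In should_load_env() the "#ifdef CONFIG_OF_CONTROL" branch is taken whether or not CONFIG_DELAY_ENVIRONMENT is defined, and it defaults to 0 when /config/load-environment is absent, so every existing CONFIG_OF_CONTROL board whose fdt lacks the property silently stops loading its stored environment after this patch, which the README entry (placed under CONFIG_DELAY_ENVIRONMENT) does not suggest. Either guard the fdt check with "#if defined(CONFIG_OF_CONTROL) && defined(CONFIG_DELAY_ENVIRONMENT)" or pass a default of 1 to fdtdec_get_config_int() when CONFIG_DELAY_ENVIRONMENT is not defined. Also, the function comment says "If CONFIG_OF_CONFIG is defined" while the code tests CONFIG_OF_CONTROL; the comment should use the real symbol.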
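Review bot: In the board_init_r() hunk, the else branch calls set_default_env(NULL) and nothing else, so when the environment is deferred there is no record that a later env_relocate() is still pending; the commit message says the environment is loaded "explicitly loaded later by U-Boot code", but no hook or flag is added here, and board code that later calls env_relocate() without first checking that the environment is still the default will reload untrusted data unconditionally. A short comment at the else branch saying that the caller is responsible for the later env_relocate(), or a gd flag that records the deferral, would make the intended contract visible at the point of use.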