From: Marek Vasut
Date: Fri, 26 Mar 2021 19:34:33 +0100
Subject: Locking down U-Boot env with ENV_WRITEABLE_LIST
To: u-boot@lists.denx.de

On 3/26/21 7:15 PM, Tim Harvey wrote:
> Greetings,

Hi,

> I'm trying to understand best how to lock down a U-Boot environment
> using ENV_WRITEABLE_LIST=y.
>
> My understanding is that I should define all vars that I wish to be
> able to be loaded from a FLASH env in CONFIG_ENV_FLAGS_LIST_DEFAULT. I
> would think this would be something in Kconfig but it's not so I
> wonder if I'm misunderstanding something or if I truly need to patch a
> config.h when using this feature.

You do need to patch board config in include/configs/ , since the flags
were not converted to Kconfig. And make sure you only use integer or bool
vars, since strings might contain scripts, which you want to avoid.

> What is the best way to actively see your static U-Boot env that gets
> linked into U-Boot? I can see it with a hexdump but there must be a
> better way by looking at an include file?

From running u-boot,
=> env print

> What is the best way to set the list of vars that you wish to be
> allowed to be imported from a FLASH env?

Ideally none, and if you really want to make sure something can be
pulled in from external env, then:
#define CONFIG_ENV_FLAGS_LIST_STATIC "var1:dw,var2:dw"

And those config options I had enabled in u-boot defconfig:
CONFIG_CMD_ENV_CALLBACK=y
CONFIG_CMD_ENV_FLAGS=y
CONFIG_ENV_IS_NOWHERE=y
CONFIG_ENV_IS_IN_MMC=y
CONFIG_ENV_APPEND=y
CONFIG_ENV_WRITEABLE_LIST=y
CONFIG_ENV_ACCESS_IGNORE_FORCE=y
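The reply above advises allowing only integer or bool variables in the writeable list. The following is an added example, not part of the original e-mail or of U-Boot: a lint that reads CONFIG_ENV_FLAGS_LIST_STATIC from a board header and reports writeable entries of any other type. The header fragment and its variable names are constructed, and the function names are hypothetical; the type and access letters follow U-Boot's env flags format.

```python
import re

# Type letters in U-Boot's env flags format: s=string, d=decimal, x=hex,
# b=boolean, i=IP address, m=MAC address. Following the advice in the message,
# only integer and boolean types are accepted for writeable variables.
SAFE_TYPES = {"d", "x", "b"}
MACRO = "CONFIG_ENV_FLAGS_LIST_STATIC"

# Constructed board header fragment, not taken from a real board.
SAMPLE_HEADER = '''\
#define CONFIG_ENV_FLAGS_LIST_STATIC "bootcount:dw,upgrade_available:bw," \\
	"altbootcmd:sw,ethaddr:mw,bootdelay:d"
'''


def extract_flags_list(header_text, macro=MACRO):
    """Return the macro's string value, joining adjacent C string literals."""
    joined = header_text.replace("\\\n", " ")  # fold backslash line continuations
    pattern = r"^[ \t]*#[ \t]*define[ \t]+" + re.escape(macro) + r"\b(.*)$"
    m = re.search(pattern, joined, re.M)
    if not m:
        return None
    return "".join(re.findall(r'"([^"]*)"', m.group(1)))


def audit(flags_list):
    """Return (name, reason) for each writeable entry that is not int/bool."""
    findings = []
    for entry in filter(None, (e.strip() for e in flags_list.split(","))):
        name, _, flags = entry.partition(":")
        vartype = flags[0] if len(flags) >= 1 else "s"  # default type: string
        access = flags[1] if len(flags) >= 2 else "a"   # default access: any
        if access != "w":
            # Assumption: with ENV_WRITEABLE_LIST only 'w' entries are taken
            # from the external env, so other entries are out of scope here.
            continue
        if vartype not in SAFE_TYPES:
            findings.append((name, f"writeable with type '{vartype}'"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(extract_flags_list(SAMPLE_HEADER)):
        print(f"{MACRO}: {name}: {reason}")
```
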