Hi Andrej,
On 20/06/2016 18:18, Andrej Rosano wrote:
I ten to NACK this. You can do exactly the same with a U-Boot script, and if you want to have this as default, you can change your default environment. This is just a wrapper around the hush shell.
The intention of the patch is to boot the kernel while having the CLI disabled (CONFIG_CMDLINE=n). The U-Boot script needs the CLI to be enabled AFAIK.
It is better having the CLI disabled when using the Verified Boot, otherwise there are chances to bypass the FIT image verification (e.g. using md/mw commands in case are available):
Why is it not enough to disable the CONSOLE ? I mean, if there is no user interface (and this is done in a lot of ways, for example setting stdin / stdout), there is no ways to bypass it because the interface is not availabel. Or is there some other security issues I am not aware of ?
Best regards, Stefano Babic