
Dear Tom,
In message 20191007223650.GR6716@bill-the-cat you wrote:
Do I understand correctly that all of this is obsolete and no longer needed after Tom's commit d90fc9c3de ``Revert "env: solve compilation error in SPL"''?
So, I think there's a new topic here. I seem to recall a concern from the previous thread that we could have less restrictive environment protections in SPL/TPL than we do in full U-Boot and thus open ourselves to a potential problem. As of today, U-Boot is back to where it was prior to the problematic patch being applied. But do we not have the potential problem above and thus need to evaluate the rest of the series (as the revert was largely the same as the first patch in the series)? Thanks!
The (potential) problem of having less restrictive/secure code in SPL than in U-Boot proper resulted from the fact that the patch series allowed different configurations of the U-Boot environment features in these stages.
After the revert of the original problem, I don't see the need for any such configuration, so if we simply do nothing we are as secure as we have been before.
When accepting this new patch series, a full review of the impacts (size, security) is needed.
Best regards,
Wolfgang Denk