On 3/26/21 7:15 PM, Tim Harvey wrote:
Greetings,
Hi,
I'm trying to understand best how to lock down a U-Boot environment using ENV_WRITEABLE_LIST=y.
My understanding is that I should define all vars that I wish to be able to be loaded from a FLASH env in CONFIG_ENV_FLAGS_LIST_DEFAULT. I would think this would be something in Kconfig but it's not so I wonder if I'm misunderstanding something or if I truly need to patch a config.h when using this feature.
You do need to patch board config in include/configs/ , since the flags were note converted to Kconfig. And make sure you only use integer or bool vars, since strings might contain scripts, which you want to avoid.
What is the best way to actively see your static U-Boot env that gets linked into U-Boot? I can see it with a hexdump but there must be a better way by looking at an include file?
From running u-boot, => env print
What is the best way to set the list of vars that you wish to be allowed to be imported from a FLASH env?
Ideally none, and if you really want to make sure something can be pulled in from external env, then: #define CONFIG_ENV_FLAGS_LIST_STATIC "var1:dw,var2:dw"
And those config options I had enabled in u-boot defconfig:
CONFIG_CMD_ENV_CALLBACK=y CONFIG_CMD_ENV_FLAGS=y CONFIG_ENV_IS_NOWHERE=y CONFIG_ENV_IS_IN_MMC=y CONFIG_ENV_APPEND=y CONFIG_ENV_WRITEABLE_LIST=y CONFIG_ENV_ACCESS_IGNORE_FORCE=y