From patchwork Fri Dec 22 21:13:34 2017
X-Patchwork-Submitter: Quentin Schulz
X-Patchwork-Id: 122659
From: Quentin Schulz
To: jagan@openedev.com, maxime.ripard@free-electrons.com, hdegoede@redhat.com, sjg@chromium.org, wd@denx.de, andre.przywara@arm.com, lukma@denx.de
Cc: thomas.petazzoni@free-electrons.com, u-boot@lists.denx.de
Date: Fri, 22 Dec 2017 22:13:34 +0100
X-Mailer: git-send-email 2.14.1
Subject: [U-Boot] [PATCH 00/11] Introduce variables whitelisting in environment
List-Id: U-Boot discussion

This patch series is based on this[1] patch series from Maxime.

This is an RFC. It has only been tested in a specific use case on a custom i.MX6 board. It's known to break compilation on a few boards.

I have a use case where we want some variables from a first environment to be overridden by variables from a second environment. For example, we want to load variables from the default env (ENV_IS_NOWHERE) and then load only a handful of other variables from, e.g., NAND. In our use case, we basically can be sure that the default env in the U-Boot binary is secure, but we want only a few variables to be modified, thus keeping control over the overall behaviour of U-Boot in secure mode.

It works this way:
- from highest to lowest priority, the first environment that can be loaded (that has been successfully initialised and whose load function has returned no errors) will be the main environment,
- then, all the following environments that could be successfully loaded (same conditions as the main environment) are secondary environments. The env variables that are defined both in CONFIG_ENV_VAR_WHITELIST_LIST and in the secondary environments override the ones in the main environment,
- for saving, we save the whole environment to all environments available, be they main or secondary (it does not matter that we save the whole environment on secondary environments, as only the whitelisted variables will be overridden in the loading process).

I also have a few questions that could help me get the whole thing to work.

1) I can't really get my head around the use of gd->env_addr: what is it used for? It is set in a bunch of different places but only once is it explicitly used (basically to alternate the env_addr between the one associated with the main and the redundant environment (in NAND for example)).
2) Why do we consider ENV_IS_NOWHERE an invalid environment? The only place I found a use for it was to just say that if the environment is invalid, we should set it to the default environment (in env_relocate in env/common.c). With my patch series I guess that we could remove this fallback and force ENV_IS_NOWHERE to always be there.

3) There are a few (20) boards that set gd->env_addr and gd->env_valid in their board file. What is the reason to do such a thing? Aren't those overridden anyway by the environment driver?

I'm looking forward to getting your feedback on this patch series.

Thanks,
Quentin

[1] https://patchwork.ozlabs.org/cover/842057/

Quentin Schulz (11):
  env: fix ret not being set and fails when no env could have been init
  lib: hashtable: support whitelisting env variables
  env: add support for whitelisting variables from secondary environments
  env: make nowhere an env medium like the others
  cmd: saveenv: enable the saveenv command when ENV_IS_NOWHERE is defined but another env medium is enabled too
  env: add env_driver to env_driver functions' arguments
  env: gd flags without ENV_READY is enough to discriminate in env_get_default
  env: add env_driver parameter to env_import_redund
  env: make env_locations a global variable
  env: introducing env_info struct for storing info per env
  env: store information about each environment in gd

 board/sunxi/board.c               |   2 +-
 cmd/nvedit.c                      |  16 ++-
 common/board_r.c                  |   8 +-
 env/Kconfig                       |  29 +++--
 env/common.c                      |  45 ++++----
 env/eeprom.c                      |  40 ++++----
 env/env.c                         | 142 +++++++++++++++++++++++++------
 env/ext4.c                        |   4 +-
 env/fat.c                         |   4 +-
 env/flash.c                       |  58 ++++++------
 env/mmc.c                         |  14 +--
 env/nand.c                        |  46 +++++----
 env/nowhere.c                     |  12 ++-
 env/nvram.c                       |  18 ++--
 env/onenand.c                     |   6 +-
 env/remote.c                      |  10 +-
 env/sata.c                        |   4 +-
 env/sf.c                          |  34 +++----
 env/ubi.c                         |  14 +--
 include/asm-generic/global_data.h |   5 +-
 include/environment.h             |  59 ++++++-----
 include/search.h                  |   2 +-
 lib/hashtable.c                   |  17 +++-
 23 files changed, 379 insertions(+), 210 deletions(-)
base-commit: 5d41e28058e7b378c9fa5c61ecc074a682ba2db4
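The loading policy described in the cover letter (the first medium that loads becomes the main environment and is imported whole, later media are secondary and contribute only whitelisted variables, media that fail to load are skipped, saveenv writes the full environment everywhere), as an added Python model that is not part of the patch series or of U-Boot; the medium names, sample variables and the functions env_load_all, env_save_all and demo are constructed for illustration.

```python
"""Model of the main/secondary environment loading policy from the cover letter.
Added example, not U-Boot code: each medium is a callable that returns its
variables, or None when its init or load failed."""
from typing import Callable, Dict, List, Optional, Tuple

Env = Dict[str, str]
Medium = Tuple[str, Callable[[], Optional[Env]]]


def env_load_all(mediums: List[Medium], whitelist: set) -> Tuple[Optional[str], Env, List[str]]:
    """Walk mediums from highest to lowest priority. The first one that loads
    is the main env and is imported whole; each later one that loads is
    secondary and only its whitelisted variables are taken from it.
    Returns (main medium, merged env, mediums that loaded)."""
    env: Env = {}
    main: Optional[str] = None
    loaded: List[str] = []
    for name, load in mediums:
        vars_ = load()
        if vars_ is None:
            continue  # failed init/load: neither main nor secondary
        loaded.append(name)
        if main is None:
            main = name
            env.update(vars_)
        else:
            env.update({k: v for k, v in vars_.items() if k in whitelist})
    return main, env, loaded


def env_save_all(env: Env, stores: Dict[str, Env], loaded: List[str]) -> None:
    """saveenv writes the whole env to every medium that loaded; non-whitelisted
    keys stored on a secondary medium are ignored again on the next load."""
    for name in loaded:
        stores[name] = dict(env)


# Constructed sample: the built-in default env (ENV_IS_NOWHERE) has the highest
# priority, MMC fails to load and is skipped, NAND is secondary.
DEFAULT_ENV = {"bootcmd": "run secureboot", "serverip": "192.0.2.1"}
NAND_ENV = {"bootcmd": "run nandboot", "serverip": "192.0.2.2",
            "ethaddr": "02:00:00:00:00:01"}
WHITELIST = {"serverip", "ethaddr"}


def demo() -> Tuple[Optional[str], Env, List[str]]:
    mediums = [("nowhere", lambda: DEFAULT_ENV), ("mmc", lambda: None),
               ("nand", lambda: NAND_ENV)]
    return env_load_all(mediums, WHITELIST)
```

Running demo() shows that bootcmd keeps its built-in value because it is not whitelisted, while serverip and ethaddr come from NAND; saving and reloading through env_save_all gives the same merged result.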