diff options
| author | Steffen Jaeckel <jaeckel-floss@eyet-services.de> | 2021-07-08 16:57:39 +0300 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2021-07-23 20:36:20 +0300 |
| commit | 33198740aca2d68e9760cfd6ebb5a55894431966 (patch) | |
| tree | 51aa2df2efe3c3cd581f59bfd82ac88892c1826f /common | |
| parent | d199c3ab1c3afa7a17259f4045516f5fbfaaa446 (diff) | |
| download | u-boot-33198740aca2d68e9760cfd6ebb5a55894431966.tar.xz | |
common: add support to fallback to plain SHA256
In case crypt-based hashing is enabled this will be the default mechanism
that is used. If a user wants to have support for both, the environment
variable `bootstopusesha256` can be set to `true` to allow plain SHA256
based hashing of the password.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'common')
| -rw-r--r-- | common/Kconfig.boot | 8 | ||||
| -rw-r--r-- | common/autoboot.c | 22 |
2 files changed, 29 insertions, 1 deletions
diff --git a/common/Kconfig.boot b/common/Kconfig.boot index e0cca226da..49e28b2ef2 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -835,6 +835,14 @@ config AUTOBOOT_ENCRYPTION This provides a way to ship a secure production device which can also be accessed at the U-Boot command line. +config AUTOBOOT_SHA256_FALLBACK + bool "Allow fallback from crypt-hashed password to sha256" + depends on AUTOBOOT_ENCRYPTION && CRYPT_PW + help + This option adds support to fall back from crypt-hashed + passwords to checking a SHA256 hashed password in case the + 'bootstopusesha256' environment variable is set to 'true'. + config AUTOBOOT_DELAY_STR string "Delay autobooting via specific input key / string" depends on AUTOBOOT_KEYED && !AUTOBOOT_ENCRYPTION diff --git a/common/autoboot.c b/common/autoboot.c index 35ef526c42..8b9e9aa878 100644 --- a/common/autoboot.c +++ b/common/autoboot.c @@ -306,6 +306,26 @@ static void flush_stdin(void) (void)getchar(); } +/** + * fallback_to_sha256() - check whether we should fall back to sha256 + * password checking + * + * This checks for the environment variable `bootstopusesha256` in case + * sha256-fallback has been enabled via the config setting + * `AUTOBOOT_SHA256_FALLBACK`. + * + * @return `false` if we must not fall-back, `true` if plain sha256 should be tried + */ +static bool fallback_to_sha256(void) +{ + if (IS_ENABLED(CONFIG_AUTOBOOT_SHA256_FALLBACK)) + return env_get_yesno("bootstopusesha256") == 1; + else if (IS_ENABLED(CONFIG_CRYPT_PW)) + return false; + else + return true; +} + /*************************************************************************** * Watch for 'delay' seconds for autoboot stop or autoboot delay string. * returns: 0 - no key string, allow autoboot 1 - got key string, abort @@ -326,7 +346,7 @@ static int abortboot_key_sequence(int bootdelay) # endif if (IS_ENABLED(CONFIG_AUTOBOOT_ENCRYPTION)) { - if (IS_ENABLED(CONFIG_CRYPT_PW)) + if (IS_ENABLED(CONFIG_CRYPT_PW) && !fallback_to_sha256()) abort = passwd_abort_crypt(etime); else abort = passwd_abort_sha256(etime); |