diff options
author | Steffen Jaeckel <jaeckel-floss@eyet-services.de> | 2021-07-08 16:57:35 +0300 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2021-07-23 20:36:20 +0300 |
commit | 1a4a778666842f22752c3af93f5cd8b94948cb9e (patch) | |
tree | c1d882cb476ed09b7a25c52a3426af1c6d796633 /common/Kconfig.boot | |
parent | 29bbe71ccfef3440b4881259c6f8e39b6e7924c6 (diff) | |
download | u-boot-1a4a778666842f22752c3af93f5cd8b94948cb9e.tar.xz |
common: integrate crypt-based passwords
Hook into the autoboot flow as an alternative to the existing
mechanisms.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heiko Schocher <hs@denx.de>
Diffstat (limited to 'common/Kconfig.boot')
-rw-r--r-- | common/Kconfig.boot | 38 |
1 files changed, 33 insertions, 5 deletions
diff --git a/common/Kconfig.boot b/common/Kconfig.boot index b4dc49e019..fe60ad0171 100644 --- a/common/Kconfig.boot +++ b/common/Kconfig.boot @@ -812,10 +812,17 @@ config AUTOBOOT_ENCRYPTION depends on AUTOBOOT_KEYED help This option allows a string to be entered into U-Boot to stop the - autoboot. The string itself is hashed and compared against the hash - in the environment variable 'bootstopkeysha256'. If it matches then - boot stops and a command-line prompt is presented. - + autoboot. + The behavior depends whether CONFIG_CRYPT_PW from lib is enabled + or not. + In case CONFIG_CRYPT_PW is enabled, the string will be forwarded + to the crypt-based functionality and be compared against the + string in the environment variable 'bootstopkeycrypt'. + In case CONFIG_CRYPT_PW is disabled the string itself is hashed + and compared against the hash in the environment variable + 'bootstopkeysha256'. + If it matches in either case then boot stops and + a command-line prompt is presented. This provides a way to ship a secure production device which can also be accessed at the U-Boot command line. @@ -853,9 +860,30 @@ config AUTOBOOT_KEYED_CTRLC Setting this variable provides an escape sequence from the limited "password" strings. +config AUTOBOOT_STOP_STR_ENABLE + bool "Enable fixed string to stop autobooting" + depends on AUTOBOOT_KEYED && AUTOBOOT_ENCRYPTION + help + This option enables the feature to add a fixed stop + string that is defined at compile time. + In every case it will be tried to load the stop + string from the environment. + In case this is enabled and there is no stop string + in the environment, this will be used as default value. + +config AUTOBOOT_STOP_STR_CRYPT + string "Stop autobooting via crypt-hashed password" + depends on AUTOBOOT_STOP_STR_ENABLE && CRYPT_PW + help + This option adds the feature to only stop the autobooting, + and therefore boot into the U-Boot prompt, when the input + string / password matches a values that is hashed via + one of the supported crypt-style password hashing options + and saved in the environment variable "bootstopkeycrypt". + config AUTOBOOT_STOP_STR_SHA256 string "Stop autobooting via SHA256 encrypted password" - depends on AUTOBOOT_KEYED && AUTOBOOT_ENCRYPTION + depends on AUTOBOOT_STOP_STR_ENABLE help This option adds the feature to only stop the autobooting, and therefore boot into the U-Boot prompt, when the input |