diff options
author | growupboron <shankhoghosh123@gmail.com> | 2020-09-11 17:18:57 +0530 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2020-09-11 12:11:56 +0000 |
commit | 4aad369c9728061c97b3de792286e743ee884b09 (patch) | |
tree | 14bddddeab334e3fdbdcf29446a87aa11cf6cd97 /docs/1_Architecture_Guides/1.2_Security_Blueprint/2_Secure_Boot/1.2.2.3_Consoles.md | |
parent | 619a7e48085be1538c3b01eb93dcb9dc95bf0436 (diff) |
Simplified doc-site generationjellyfish_9.99.4jellyfish/9.99.49.99.4
Updated theme to windmill Using Mkdocs static site generator Deployed on readthedocs
Signed-off-by: growupboron <shankhoghosh123@gmail.com>
Change-Id: If62eaaea1855c91b64f687900f54eba6bc1caee8
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/documentation/+/25236
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Tested-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Diffstat (limited to 'docs/1_Architecture_Guides/1.2_Security_Blueprint/2_Secure_Boot/1.2.2.3_Consoles.md')
-rw-r--r-- | docs/1_Architecture_Guides/1.2_Security_Blueprint/2_Secure_Boot/1.2.2.3_Consoles.md | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/docs/1_Architecture_Guides/1.2_Security_Blueprint/2_Secure_Boot/1.2.2.3_Consoles.md b/docs/1_Architecture_Guides/1.2_Security_Blueprint/2_Secure_Boot/1.2.2.3_Consoles.md new file mode 100644 index 0000000..e578acd --- /dev/null +++ b/docs/1_Architecture_Guides/1.2_Security_Blueprint/2_Secure_Boot/1.2.2.3_Consoles.md @@ -0,0 +1,116 @@ +--- +edit_link: '' +title: Consoles +origin_url: >- + https://raw.githubusercontent.com/automotive-grade-linux/docs-sources/master/docs/security-blueprint/part-2/3-Consoles.md +--- + +<!-- WARNING: This file is generated by fetch_docs.js using /home/boron/Documents/AGL/docs-webtemplate/site/_data/tocs/architecture/master/security_blueprint-security-blueprint-book.yml --> + +# Consoles + +## Disable serial console + +Serial console output shall be disabled. To disable console output in U-Boot, +set the following macros: + +<!-- section-config --> + +Domain | `Config` name | `Value` +---------------------- | --------------------------------------- | --------- +Boot-Consoles-Serial-1 | `CONFIG_SILENT_CONSOLE` | `Disable` +Boot-Consoles-Serial-2 | `CONFIG_SYS_DEVICE_NULLDEV` | `Disable` +Boot-Consoles-Serial-3 | `CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC` | `Disable` + +<!-- end-section-config --> <!-- section-todo --> + +Domain | Improvement +--------------- | ------------------------------------ +Boot-Consoles-1 | Secure loader: No reference earlier? + +<!-- end-section-todo --> + +And set "**silent**" environment variable. For the Secure loader, +disable the traces by not defining the below macro: + +<!-- section-config --> + +Domain | `Environment variable` name | _State_ +---------------------- | --------------------------- | ------------- +Boot-Consoles-Serial-1 | `INC_DEBUG_PRINT` | _Not defined_ + +<!-- end-section-config --> + +For sboot proper configuration needs to be done to disable the serial console. + +-------------------------------------------------------------------------------- + +<!-- pagebreak --> + +## Immutable environment variables + +In U-Boot, ensure Kernel command line, boot commands, boot delay and other +environment variables are immutable. This will prevent side-loading of alternate +images, by restricting the boot selection to only the image in FLASH. + +The environment variables shall be part of the text region in U-Boot as default +environment variable and not in non-volatile memory. + +Remove configuration options related to non-volatile memory, such as: + +<!-- section-config --> + +Domain | `Config` name | _State_ +-------------------------- | ---------------------------- | --------- +Boot-Consoles-Variables-1 | `CONFIG_ENV_IS_IN_MMC` | `#undef` +Boot-Consoles-Variables-2 | `CONFIG_ENV_IS_IN_EEPROM` | `#undef` +Boot-Consoles-Variables-3 | `CONFIG_ENV_IS_IN_FLASH` | `#undef` +Boot-Consoles-Variables-4 | `CONFIG_ENV_IS_IN_DATAFLASH` | `#undef` +Boot-Consoles-Variables-5 | `CONFIG_ENV_IS_IN_FAT` | `#undef` +Boot-Consoles-Variables-6 | `CONFIG_ENV_IS_IN_NAND` | `#undef` +Boot-Consoles-Variables-7 | `CONFIG_ENV_IS_IN_NVRAM` | `#undef` +Boot-Consoles-Variables-8 | `CONFIG_ENV_IS_IN_ONENAND` | `#undef` +Boot-Consoles-Variables-9 | `CONFIG_ENV_IS_IN_SPI_FLASH` | `#undef` +Boot-Consoles-Variables-10 | `CONFIG_ENV_IS_IN_REMOTE` | `#undef` +Boot-Consoles-Variables-11 | `CONFIG_ENV_IS_IN_UBI` | `#undef` +Boot-Consoles-Variables-12 | `CONFIG_ENV_IS_NOWHERE` | `#define` + +<!-- end-section-config --> + +-------------------------------------------------------------------------------- + +<!-- pagebreak --> + +## (Recommendation) Removal of memory dump commands + +In U-Boot, following commands shall be disabled to avoid memory dumps: + +``` +md : Memory Display command. +mm : Memory modify command - auto incrementing address. +nm : Memory modify command - constant address. +mw : Memory write. +cp : Memory copy. +mwc : Memory write cyclic. +mdc : Memory display cyclic. +mtest : Simple ram read/write test. +loopw : Infinite write loop on address range. +``` + +<!-- section-config --> + +Domain | `Command` name | _State_ +----------------------- | -------------- | ---------- +Boot-Consoles-MemDump-1 | `md` | _Disabled_ +Boot-Consoles-MemDump-2 | `mm` | _Disabled_ +Boot-Consoles-MemDump-3 | `nm` | _Disabled_ +Boot-Consoles-MemDump-4 | `mw` | _Disabled_ +Boot-Consoles-MemDump-5 | `cp` | _Disabled_ +Boot-Consoles-MemDump-6 | `mwc` | _Disabled_ +Boot-Consoles-MemDump-7 | `mdc` | _Disabled_ +Boot-Consoles-MemDump-8 | `mtest` | _Disabled_ +Boot-Consoles-MemDump-9 | `loopw` | _Disabled_ + +<!-- end-section-config --> + +Similarly, memory dump support shall be disabled from sboot. |