summaryrefslogtreecommitdiffstats
path: root/security-blueprint/part-2/3-Consoles.md
blob: 0a8faed539f41586fef1198ee42577ef87e0c196 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# Consoles

## Disable serial console

Serial console output shall be disabled. To disable console output in U-Boot,
set the following macros:

<!-- section-config -->

Domain                 | `Config` name                           | `Value`
---------------------- | --------------------------------------- | ---------
Boot-Consoles-Serial-1 | `CONFIG_SILENT_CONSOLE`                 | `Disable`
Boot-Consoles-Serial-2 | `CONFIG_SYS_DEVICE_NULLDEV`             | `Disable`
Boot-Consoles-Serial-3 | `CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC` | `Disable`

<!-- end-section-config --> <!-- section-todo -->

Domain          | Improvement
--------------- | ------------------------------------
Boot-Consoles-1 | Secure loader: No reference earlier?

<!-- end-section-todo -->

And set "**silent**" environment variable. For the Secure loader,
disable the traces by not defining the below macro:

<!-- section-config -->

Domain                 | `Environment variable` name | _State_
---------------------- | --------------------------- | -------------
Boot-Consoles-Serial-1 | `INC_DEBUG_PRINT`           | _Not defined_

<!-- end-section-config -->

For sboot proper configuration needs to be done to disable the serial console.

--------------------------------------------------------------------------------

<!-- pagebreak -->

## Immutable environment variables

In U-Boot, ensure Kernel command line, boot commands, boot delay and other
environment variables are immutable. This will prevent side-loading of alternate
images, by restricting the boot selection to only the image in FLASH.

The environment variables shall be part of the text region in U-Boot as default
environment variable and not in non-volatile memory.

Remove configuration options related to non-volatile memory, such as:

<!-- section-config -->

Domain                     | `Config` name                | _State_
-------------------------- | ---------------------------- | ---------
Boot-Consoles-Variables-1  | `CONFIG_ENV_IS_IN_MMC`       | `#undef`
Boot-Consoles-Variables-2  | `CONFIG_ENV_IS_IN_EEPROM`    | `#undef`
Boot-Consoles-Variables-3  | `CONFIG_ENV_IS_IN_FLASH`     | `#undef`
Boot-Consoles-Variables-4  | `CONFIG_ENV_IS_IN_DATAFLASH` | `#undef`
Boot-Consoles-Variables-5  | `CONFIG_ENV_IS_IN_FAT`       | `#undef`
Boot-Consoles-Variables-6  | `CONFIG_ENV_IS_IN_NAND`      | `#undef`
Boot-Consoles-Variables-7  | `CONFIG_ENV_IS_IN_NVRAM`     | `#undef`
Boot-Consoles-Variables-8  | `CONFIG_ENV_IS_IN_ONENAND`   | `#undef`
Boot-Consoles-Variables-9  | `CONFIG_ENV_IS_IN_SPI_FLASH` | `#undef`
Boot-Consoles-Variables-10 | `CONFIG_ENV_IS_IN_REMOTE`    | `#undef`
Boot-Consoles-Variables-11 | `CONFIG_ENV_IS_IN_UBI`       | `#undef`
Boot-Consoles-Variables-12 | `CONFIG_ENV_IS_NOWHERE`      | `#define`

<!-- end-section-config -->

--------------------------------------------------------------------------------

<!-- pagebreak -->

## (Recommendation) Removal of memory dump commands

In U-Boot, following commands shall be disabled to avoid memory dumps:

```
md : Memory Display command.
mm : Memory modify command - auto incrementing address.
nm : Memory modify command - constant address.
mw : Memory write.
cp : Memory copy.
mwc : Memory write cyclic.
mdc : Memory display cyclic.
mtest : Simple ram read/write test.
loopw : Infinite write loop on address range.
```

<!-- section-config -->

Domain                  | `Command` name | _State_
----------------------- | -------------- | ----------
Boot-Consoles-MemDump-1 | `md`           | _Disabled_
Boot-Consoles-MemDump-2 | `mm`           | _Disabled_
Boot-Consoles-MemDump-3 | `nm`           | _Disabled_
Boot-Consoles-MemDump-4 | `mw`           | _Disabled_
Boot-Consoles-MemDump-5 | `cp`           | _Disabled_
Boot-Consoles-MemDump-6 | `mwc`          | _Disabled_
Boot-Consoles-MemDump-7 | `mdc`          | _Disabled_
Boot-Consoles-MemDump-8 | `mtest`        | _Disabled_
Boot-Consoles-MemDump-9 | `loopw`        | _Disabled_

<!-- end-section-config -->

Similarly, memory dump support shall be disabled from sboot.