With this implementation that is part of the hardening, U-Boot will show warning messages informing the users when a command that is accepted in open state would not be allowed when the device is closed. This is useful to let users know that closing the device would likely leave it in an unbootable state if any of the commands is part of their boot script.
Resolves #23
As an example of how this helps, running with the present implementation on a BSP image produces an output like this:
## WARNING: Command execution WOULD BE DENIED in closed state (blocked by category) for `part uuid mmc 0:2...`.
which shows that the boot script of a BSP image is running the "part uuid" command which would not be allowed in closed state; solving this will be the topic of an upcoming implementation.
IMPORTANT:
Since the hardening is implemented as a series of patches, it may be easier to review/understand the changes in this dummy pull request (where the relevant changes are in the last commit): https://github.com/rborn-tx/u-boot/pull/1
sergioprado
commented
2 months ago
With this implementation that is part of the hardening, U-Boot will show warning messages informing the users when a command that is accepted in open state would not be allowed when the device is closed. This is useful to let users know that closing the device would likely leave it in an unbootable state if any of the commands is part of their boot script.
Resolves #23
As an example of how this helps, running with the present implementation on a BSP image produces an output like this:
which shows that the boot script of a BSP image is running the "part uuid" command which would not be allowed in closed state; solving this will be the topic of an upcoming implementation.
IMPORTANT: