toradex / meta-toradex-security

MIT License

[FEA] Support for pci and nvme commands in u-boot hardening #75

Open fboudra opened 1 month ago

fboudra commented 1 month ago

Hi,

The U-Boot hardening implementation lacks the support for pci and nvme commands.

```
## WARNING: Command execution denied (name not in whitelist) for `pci enum`.
## WARNING: Command execution denied (name not in whitelist) for `nvme scan`.
## WARNING: Command execution denied (name not in whitelist) for `nvme dev`.
```

As a workaround, I locally added the categories and commands.

Update:

rborn-tx commented 4 weeks ago

@fboudra Thanks for reporting.

Let me ask you:

fboudra commented 4 weeks ago

I'm building Torizon OS 7 for verdin-imx8mp. For info, I have an NVMe SSD on PCIe on the platform. I can successfully boot with the nvme_boot command once I closed the device and applied my local patch.

rborn-tx commented 4 weeks ago

@fboudra Thanks for the information.

I think it's perfectly acceptable for us to add the commands you mentioned to the whitelist. We're also considering making the default list of allowed/denied categories more easily configurable for Yocto users. We're having internal discussions to decide when to do that, though.
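To illustrate the name-based, category-grouped command whitelist that the report and the reply above refer to, here is a small C model added for this page; it is not meta-toradex-security's code, and the category names, command lists and the functions `set_category_allowed` and `command_allowed` are assumptions. It reproduces the deny-by-default behaviour quoted in the issue and shows how enabling the `pci` and `nvme` categories lifts the denial.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical model of a U-Boot command whitelist grouped by category. The
 * category names, command lists and function names are assumptions made for
 * this example; they are not meta-toradex-security's code. */
struct cmd_category {
    const char *name;   /* category label, e.g. "pci" */
    const char **cmds;  /* NULL-terminated list of whitelisted command names */
    bool allowed;       /* whether commands in this category may run */
};
static const char *base_cmds[] = { "booti", "bootm", "run", "setenv", "mmc", "load", NULL };
static const char *pci_cmds[]  = { "pci", NULL };
static const char *nvme_cmds[] = { "nvme", NULL };
static struct cmd_category categories[] = {
    { "base", base_cmds, true  },  /* enabled by default */
    { "pci",  pci_cmds,  false },  /* off by default: "pci enum" is denied */
    { "nvme", nvme_cmds, false },  /* off by default: "nvme scan" is denied */
};
#define NCATEGORIES (sizeof(categories) / sizeof(categories[0]))
/* Enable or disable a whole category; returns false if the name is unknown. */
bool set_category_allowed(const char *cat, bool allowed)
{
    for (size_t i = 0; i < NCATEGORIES; i++)
        if (strcmp(categories[i].name, cat) == 0) {
            categories[i].allowed = allowed;
            return true;
        }
    return false;
}
/* Deny-by-default check: the first token of the line must be a command of an
 * enabled category; otherwise print the warning quoted in the issue. */
bool command_allowed(const char *cmdline)
{
    char name[32];
    bool ok = false;
    cmdline += strspn(cmdline, " \t");           /* ignore leading blanks */
    size_t n = strcspn(cmdline, " \t");
    if (n > 0 && n < sizeof(name)) {             /* empty/oversized name: deny */
        memcpy(name, cmdline, n);
        name[n] = '\0';
        for (size_t i = 0; i < NCATEGORIES && !ok; i++)
            for (const char **c = categories[i].cmds; *c && !ok; c++)
                ok = categories[i].allowed && strcmp(*c, name) == 0;
    }
    if (!ok)
        printf("## WARNING: Command execution denied (name not in whitelist) for `%s`.\n", cmdline);
    return ok;
}
```

With the defaults, `pci enum` and `nvme scan` are denied exactly as in the report; after `set_category_allowed("pci", true)` and `set_category_allowed("nvme", true)` they pass, while unknown names still fail closed.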