From affb215626f91e717088a27081d24c473895d47d Mon Sep 17 00:00:00 2001 From: Simon Glass Date: Thu, 10 Apr 2014 20:01:35 -0600 Subject: [PATCH] main: Make the execution path a little clearer in main.c bootdelay_process() never returns in some circumstances, whichs makes the control flow confusing. Change it so that the decision about how to execute the boot command is made in the main_loop() code, so it is easier to follow. Move CLI stuff to cli.c. Signed-off-by: Simon Glass --- common/autoboot.c | 81 +++++++--------------------------------------- common/cli.c | 66 +++++++++++++++++++++++++++++++++++++ common/main.c | 12 ++++--- include/autoboot.h | 28 ++++++++++++++-- include/cli.h | 33 +++++++++++++++++++ 5 files changed, 145 insertions(+), 75 deletions(-) diff --git a/common/autoboot.c b/common/autoboot.c index 984389885f..dc24cae612 100644 --- a/common/autoboot.c +++ b/common/autoboot.c @@ -22,6 +22,9 @@ DECLARE_GLOBAL_DATA_PTR; #define debug_bootkeys(fmt, args...) \ debug_cond(DEBUG_BOOTKEYS, fmt, ##args) +/* Stored value of bootdelay, used by autoboot_command() */ +static int stored_bootdelay; + /*************************************************************************** * Watch for 'delay' seconds for autoboot stop or autoboot delay string. * returns: 0 - no key string, allow autoboot 1 - got key string, abort @@ -205,57 +208,9 @@ static int abortboot(int bootdelay) #endif } -/* - * Runs the given boot command securely. Specifically: - * - Doesn't run the command with the shell (run_command or parse_string_outer), - * since that's a lot of code surface that an attacker might exploit. - * Because of this, we don't do any argument parsing--the secure boot command - * has to be a full-fledged u-boot command. - * - Doesn't check for keypresses before booting, since that could be a - * security hole; also disables Ctrl-C. - * - Doesn't allow the command to return. - * - * Upon any failures, this function will drop into an infinite loop after - * printing the error message to console. - */ - -#if defined(CONFIG_OF_CONTROL) -static void secure_boot_cmd(char *cmd) -{ - cmd_tbl_t *cmdtp; - int rc; - - if (!cmd) { - printf("## Error: Secure boot command not specified\n"); - goto err; - } - - /* Disable Ctrl-C just in case some command is used that checks it. */ - disable_ctrlc(1); - - /* Find the command directly. */ - cmdtp = find_cmd(cmd); - if (!cmdtp) { - printf("## Error: \"%s\" not defined\n", cmd); - goto err; - } - - /* Run the command, forcing no flags and faking argc and argv. */ - rc = (cmdtp->cmd)(cmdtp, 0, 1, &cmd); - - /* Shouldn't ever return from boot command. */ - printf("## Error: \"%s\" returned (code %d)\n", cmd, rc); - -err: - /* - * Not a whole lot to do here. Rebooting won't help much, since we'll - * just end up right back here. Just loop. - */ - hang(); -} - static void process_fdt_options(const void *blob) { +#if defined(CONFIG_OF_CONTROL) ulong addr; /* Add an env variable to point to a kernel payload, if available */ @@ -267,14 +222,11 @@ static void process_fdt_options(const void *blob) addr = fdtdec_get_config_int(gd->fdt_blob, "rootdisk-offset", 0); if (addr) setenv_addr("rootaddr", (void *)(CONFIG_SYS_TEXT_BASE + addr)); -} #endif /* CONFIG_OF_CONTROL */ +} -void bootdelay_process(void) +const char *bootdelay_process(void) { -#ifdef CONFIG_OF_CONTROL - char *env; -#endif char *s; int bootdelay; #ifdef CONFIG_BOOTCOUNT_LIMIT @@ -318,27 +270,18 @@ void bootdelay_process(void) } else #endif /* CONFIG_BOOTCOUNT_LIMIT */ s = getenv("bootcmd"); -#ifdef CONFIG_OF_CONTROL - /* Allow the fdt to override the boot command */ - env = fdtdec_get_config_string(gd->fdt_blob, "bootcmd"); - if (env) - s = env; process_fdt_options(gd->fdt_blob); + stored_bootdelay = bootdelay; - /* - * If the bootsecure option was chosen, use secure_boot_cmd(). - * Always use 'env' in this case, since bootsecure requres that the - * bootcmd was specified in the FDT too. - */ - if (fdtdec_get_config_int(gd->fdt_blob, "bootsecure", 0)) - secure_boot_cmd(env); - -#endif /* CONFIG_OF_CONTROL */ + return s; +} +void autoboot_command(const char *s) +{ debug("### main_loop: bootcmd=\"%s\"\n", s ? s : ""); - if (bootdelay != -1 && s && !abortboot(bootdelay)) { + if (stored_bootdelay != -1 && s && !abortboot(stored_bootdelay)) { #if defined(CONFIG_AUTOBOOT_KEYED) && !defined(CONFIG_AUTOBOOT_KEYED_CTRLC) int prev = disable_ctrlc(1); /* disable Control C checking */ #endif diff --git a/common/cli.c b/common/cli.c index 4ac9b3f017..ea6bfb3165 100644 --- a/common/cli.c +++ b/common/cli.c @@ -12,8 +12,11 @@ #include #include #include +#include #include +DECLARE_GLOBAL_DATA_PTR; + /* * Run a command using the selected parser. * @@ -105,6 +108,69 @@ int do_run(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) } #endif +#ifdef CONFIG_OF_CONTROL +bool cli_process_fdt(const char **cmdp) +{ + /* Allow the fdt to override the boot command */ + char *env = fdtdec_get_config_string(gd->fdt_blob, "bootcmd"); + if (env) + *cmdp = env; + /* + * If the bootsecure option was chosen, use secure_boot_cmd(). + * Always use 'env' in this case, since bootsecure requres that the + * bootcmd was specified in the FDT too. + */ + return fdtdec_get_config_int(gd->fdt_blob, "bootsecure", 0) != 0; +} + +/* + * Runs the given boot command securely. Specifically: + * - Doesn't run the command with the shell (run_command or parse_string_outer), + * since that's a lot of code surface that an attacker might exploit. + * Because of this, we don't do any argument parsing--the secure boot command + * has to be a full-fledged u-boot command. + * - Doesn't check for keypresses before booting, since that could be a + * security hole; also disables Ctrl-C. + * - Doesn't allow the command to return. + * + * Upon any failures, this function will drop into an infinite loop after + * printing the error message to console. + */ +void cli_secure_boot_cmd(const char *cmd) +{ + cmd_tbl_t *cmdtp; + int rc; + + if (!cmd) { + printf("## Error: Secure boot command not specified\n"); + goto err; + } + + /* Disable Ctrl-C just in case some command is used that checks it. */ + disable_ctrlc(1); + + /* Find the command directly. */ + cmdtp = find_cmd(cmd); + if (!cmdtp) { + printf("## Error: \"%s\" not defined\n", cmd); + goto err; + } + + /* Run the command, forcing no flags and faking argc and argv. */ + rc = (cmdtp->cmd)(cmdtp, 0, 1, (char **)&cmd); + + /* Shouldn't ever return from boot command. */ + printf("## Error: \"%s\" returned (code %d)\n", cmd, rc); + +err: + /* + * Not a whole lot to do here. Rebooting won't help much, since we'll + * just end up right back here. Just loop. + */ + hang(); +} +#endif /* CONFIG_OF_CONTROL */ + void cli_loop(void) { #ifdef CONFIG_SYS_HUSH_PARSER diff --git a/common/main.c b/common/main.c index 8c846c84c8..ce45127417 100644 --- a/common/main.c +++ b/common/main.c @@ -55,8 +55,11 @@ static void run_preboot_environment_command(void) #endif /* CONFIG_PREBOOT */ } +/* We come here after U-Boot is initialised and ready to process commands */ void main_loop(void) { + const char *s; + bootstage_mark_name(BOOTSTAGE_ID_MAIN_LOOP, "main_loop"); #ifndef CONFIG_SYS_GENERIC_BOARD @@ -78,10 +81,11 @@ void main_loop(void) update_tftp(0UL); #endif /* CONFIG_UPDATE_TFTP */ - bootdelay_process(); - /* - * Main Loop for Monitor Command Processing - */ + s = bootdelay_process(); + if (cli_process_fdt(&s)) + cli_secure_boot_cmd(s); + + autoboot_command(s); cli_loop(); } diff --git a/include/autoboot.h b/include/autoboot.h index aaae4afff4..3a9059a0b9 100644 --- a/include/autoboot.h +++ b/include/autoboot.h @@ -13,9 +13,33 @@ #define __AUTOBOOT_H #ifdef CONFIG_BOOTDELAY -void bootdelay_process(void); +/** + * bootdelay_process() - process the bootd delay + * + * Process the boot delay, boot limit, then get the value of either + * bootcmd, failbootcmd or altbootcmd depending on the current state. + * Return this command so it can be executed. + * + * @return command to executed + */ +const char *bootdelay_process(void); + +/** + * autoboot_command() - run the autoboot command + * + * If enabled, run the autoboot command returned from bootdelay_process(). + * Also do the CONFIG_MENUKEY processing if enabled. + * + * @cmd: Command to run + */ +void autoboot_command(const char *cmd); #else -static inline void bootdelay_process(void) +static inline const char *bootdelay_process(void) +{ + return NULL; +} + +static inline void autoboot_command(const char *s) { } #endif diff --git a/include/cli.h b/include/cli.h index 5158976b8d..699426252c 100644 --- a/include/cli.h +++ b/include/cli.h @@ -100,6 +100,39 @@ int cli_readline_into_buffer(const char *const prompt, char *buffer, */ int cli_simple_parse_line(char *line, char *argv[]); +#ifdef CONFIG_OF_CONTROL +/** + * cli_process_fdt() - process the boot command from the FDT + * + * If bootcmmd is defined in the /config node of the FDT, we use that + * as the boot command. Further, if bootsecure is set to 1 (in the same + * node) then we return true, indicating that the command should be executed + * as securely as possible, avoiding the CLI parser. + * + * @cmdp: On entry, the command that will be executed if the FDT does + * not have a command. Returns the command to execute after + * checking the FDT. + * @return true to execute securely, else false + */ +bool cli_process_fdt(const char **cmdp); + +/** cli_secure_boot_cmd() - execute a command as securely as possible + * + * This avoids using the parser, thus executing the command with the + * smallest amount of code. Parameters are not supported. + */ +void cli_secure_boot_cmd(const char *cmd); +#else +static inline bool cli_process_fdt(const char **cmdp) +{ + return false; +} + +static inline void cli_secure_boot_cmd(const char *cmd) +{ +} +#endif /* CONFIG_OF_CONTROL */ + /** * Go into the command loop * -- 2.39.5