Confirming the behavior of setting a root password and u-boot single user mode

The summary goal is: we want to understand if you can use u-boot to enter single user mode and reset a root password without needing any authentication. It looks like this is not possible with the current setup, which is actually what we want. Our goal is to secure the u-boot environment to prevent a user from connecting a serial cable, accessing u-boot, and resetting a root password and gaining access to the command line by using "setenv" to pass an environment variable adding "single" to the boot command. From my testing, it looks like this is not possible, which is what we want.

Is there a default maintenance password that we do not know of?
Is it by design that supplying the root password will not allow access to single user mode when a root password is set?

Some additional information:

When no root password is set, I can use u-boot to pass "single" to the boot command and access the system with no password.

When I set a root password, I can still use u-boot to pass "single" and boot the system, but then I am asked the following:


Login incorrect
Give root password for system maintenance (or type Control-D for normal startup):

When I supply the root password, I cannot log in.
This behavior is ideal for our needs, as we want to be able to make sure that someone cannot reset the root password.

Thanks in advance for any assistance/clarification.

  • Moving this to the Linux forum. This is not processor related.
  • Anton,

    Are you using a TI device? If yes, which exactly?

    Are you using a TI SDK? If yes, which exactly?

    Regards,
    Pavel
  • Yes we are using a TI device: Varsomam33

    No we are not using a TI SDK. We use:

    the arago project: http://arago-project.org/wiki/index.php/Main_Page .

  • Anton,

    VAR-SOM-AM33 is based on the AM335x device, so that is your device.

    Do you want to set a password for u-boot? The same kind of password as when we enter user space (after the kernel boots up and the rootfs is mounted)?

    BR
    Pavel
  • Hello,

    I haven't read the recent uboot code, but if there is any password protection in it, it wouldn't be fail-safe. I feel the best option is to disable the console itself in uboot (CONFIG_SILENT_CONSOLE) and disable the console parameter in bootargs. When there is a super user who wants to enable it, just give an update file (from USB/MMC; an app looks for this special file, which is encrypted for more security) which tweaks the bootargs from Linux (fw_setenv).

    Cheers,
    --Prabhakar Lad
  • Thanks for the clarification on the device being AM335x. I am not directly involved with the hardware side.

    I will try and re-phrase the goal:

    We want to secure the access to u-boot in some way. During my testing, I found that setting a root password on the linux OS, and then trying to boot into single user mode by modifying the u-boot image variable would prevent me from accessing the linux OS. We will have some applications and data on the linux OS that we want to try and prevent people from accessing. But, I was not sure if there was some other default password that would allow maintenance mode in the Linux OS to operate.

    I realize that this is not "complete" security. We are trying to make it more difficult for people to gain access to the linux OS. This is one piece of that.

    I came across some mentions of a password for u-boot in my research. But it was not clear to me how easy it was to implement.

    It seems to me from my testing that all we require to do is set a root password on the linux OS (which is blank by default). Once that password is set, when you pass the "single" parameter to the image load using u-boot, it prompts you for the maintenance password to access the linux OS. No matter what password I type, the access fails. But resetting the password back to "blank" lets it succeed. It almost seems to me that some baked-in check is occurring that expects to see a "blank" password. Which basically addresses our issue.

    Could you shed more light on how easy it is to implement a u-boot password?

    Thanks in advance!
  • In reply to Prabhakar Lad:

    Thanks for the information. I had come across disabling the console in u-boot. But it seemed there is conflicting information about the u-boot bootdelay option.

    One article states:
    Set "bootdelay" to 0
    bootdelay: After reset, U-Boot will wait this number of seconds before it executes the contents of the bootcmd variable. During this time a countdown is printed, which can be interrupted by pressing any key. Set this variable to 0 boot without delay. Be careful: depending on the contents of your bootcmd variable, this can prevent you from entering interactive commands again forever!

    A conflicting document from TI states that even if "bootdelay=0", it still checks for ctrl-C, so there still is a possibility of it halting.

    processors.wiki.ti.com/.../Change_U-Boot_bootdelay_setting

    If "bootdelay" is set to 0, will ctrl-C break into the u-boot console? At what point do you have to hit ctrl-C to interrupt the process?
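
An added example, not part of any post in this thread and not TI or U-Boot project code: a shell check over `fw_printenv`-style output for the settings discussed above (`bootdelay`, a `single` token and a `console=` value in `bootargs`). The sample environment is constructed, and the FAIL/WARN labels are this example's own assumption.

```shell
#!/bin/sh
# Audit a fw_printenv-style dump (one name=value per line) read from stdin.
# Prints one finding per line, prefixed with FAIL or WARN.
audit_uboot_env() {
    awk '
    {
        eq = index($0, "=")            # split on the first "=" only
        if (eq == 0) next
        env[substr($0, 1, eq - 1)] = substr($0, eq + 1)
    }
    END {
        if (!("bootdelay" in env))
            print "WARN bootdelay: not set, compiled-in default applies"
        else if (env["bootdelay"] + 0 > 0)
            print "FAIL bootdelay: " env["bootdelay"] "s countdown can be interrupted by a key press"
        else if (env["bootdelay"] + 0 == 0)
            print "WARN bootdelay: 0 skips the countdown, but some builds still check for Ctrl-C"

        n = split(env["bootargs"], tok, " ")
        for (i = 1; i <= n; i++) {
            if (tok[i] == "single")
                print "FAIL bootargs: \"single\" is stored in the saved boot arguments"
            if (tok[i] ~ /^console=.+/)
                print "WARN bootargs: kernel console enabled (" tok[i] ")"
        }
    }'
}

# Constructed sample environment, not taken from a real board.
sample_env() {
    cat <<'EOF'
bootdelay=3
bootargs=console=ttyO0,115200n8 root=/dev/mmcblk0p2 rw single
bootcmd=run mmcboot
EOF
}

sample_env | audit_uboot_env
```

On a target, the same function can be fed from `fw_printenv` instead of `sample_env`.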
  • Hello,

    Here is the patch which I did for one of my boards. Basically, what it does is look for the environment variable 'myboardconsole' in your environment; if that is NULL, you won't get any prints on your tty for uboot and linux (note you need to change ttyO0 appropriately for your board). So there is no point in another user accessing anything on it.
    Now comes the question of enabling it back again: you can write an app which looks for some special file on SD/USB... which instructs linux to change the boot params and set 'myboardconsole' to something (using fw_setenv). Once you set it, all you have to do is reboot again and you'll get back your console.

    Hope that helps.

    Note: The below patch which I did was for some old version of uboot, but you should be able to patch to newer version.

    Cheers,
    --Prabhakar Lad



    From 33c768c8a32825e6ef92e3b284c914713d956ae1 Mon Sep 17 00:00:00 2001
    From: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
    Date: Mon, 14 Mar 2016 10:30:15 +0000
    Subject: [PATCH] add support to disable/enable the console

    Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
    ---
    common/cmd_bootm.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
    common/console.c | 6 ++++++
    2 files changed, 62 insertions(+)

    diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c
    index 3896b40..07578d9 100644
    --- a/common/cmd_bootm.c
    +++ b/common/cmd_bootm.c
    @@ -87,6 +87,14 @@ static void fixup_silent_linux (void);
    #endif
    #endif /* CONFIG_QUICK_INCLUDE */

    +#ifdef CONFIG_MYXXBOARD
    +#ifdef CONFIG_NAND
    +static void myboard_fixup_silent_linux(void);
    +#endif
    +#endif
    +
    static image_header_t *image_get_kernel (ulong img_addr, int verify);
    #if defined(CONFIG_FIT)
    static int fit_check_kernel (const void *fit, int os_noffset, int verify);
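    Review bot: the forward declaration here is compiled only when both CONFIG_MYXXBOARD and CONFIG_NAND are defined, but nothing in the patch or the commit message says why silencing the console depends on NAND, so a board configured without CONFIG_NAND gets no fixup and no hint why. Either drop the CONFIG_NAND guard or document the dependency next to the #ifdef.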
    @@ -690,6 +698,14 @@ int do_bootm (cmd_tbl_t *cmdtp, int flag, int argc, char *argv[])
    #endif
    #endif /* CONFIG_QUICK_INCLUDE */

    +#ifdef CONFIG_MYXXBOARD
    +#ifdef CONFIG_NAND
    + myboard_fixup_silent_linux();
    +#endif
    +#endif
    +
    boot_fn = boot_os[images.os.os];

    if (boot_fn == NULL) {
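    Review bot: the call to myboard_fixup_silent_linux() in do_bootm is guarded by CONFIG_MYXXBOARD, while the definition later in this file sits under CONFIG_VVBOXHD2, so a build that defines only one of the two symbols either calls a static function that has no body or compiles a body nobody calls. Use the same config symbol for the declaration, the call and the definition.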
    @@ -1246,6 +1262,46 @@ static void fixup_silent_linux ()
    #endif /* CONFIG_SILENT_CONSOLE */
    #endif /* CONFIG_QUICK_INCLUDE */

    +#ifdef CONFIG_VVBOXHD2
    +#ifdef CONFIG_NAND
    +static void myboard_fixup_silent_linux ()
    +{
    + char buf[256], *start, *end;
    + char *cmdline1 = getenv ("myboardconsole");
    + char *cmdline = getenv ("bootargs");
    +
    + /* Only fix cmdline when requested */
    + if (!(gd->flags & GD_FLG_SILENT))
    + return;
    +
    + if (cmdline) {
    + if ((start = strstr (cmdline, "console=")) != NULL) {
    + end = strchr (start, ' ');
    + strncpy (buf, cmdline, (start - cmdline + 8));
    + if (end)
    + strcpy (buf + (start - cmdline + 8), end);
    + else
    + buf[start - cmdline + 8] = '\0';
    + } else {
    + strcpy (buf, cmdline);
    + strcat (buf, " console=");
    + }
    + }
    +
    + if (!cmdline1) {
    + strcat (buf, "console=");
    + } else {
    + strcat (buf, "console=ttyO0,115200n8");
    + }
    + setenv ("bootargs", buf);
    +
    +}
    +#endif
    +#endif
    +
    /*******************************************************************/
    /* OS booting routines */
    /*******************************************************************/
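    Review bot: in myboard_fixup_silent_linux(), buf is left uninitialised when bootargs is unset (cmdline is NULL) and is then passed to strcat, and none of the strncpy/strcpy/strcat calls check the length of bootargs against the 256-byte buffer. The first branch also already leaves a "console=" in buf, so the final strcat appends a second one with no separating space, glued to the last argument. Initialise buf, bound the copies, and write the console value once, at the position of the original parameter.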
    diff --git a/common/console.c b/common/console.c
    index 51c6fb6..7d8507f 100644
    --- a/common/console.c
    +++ b/common/console.c
    @@ -656,6 +656,12 @@ int console_init_r(void)
    struct list_head *pos;
    struct stdio_dev *dev;

    +#ifdef CONFIG_SILENT_CONSOLE
    + if (getenv("myboardconsole") == NULL) {
    + gd->flags |= GD_FLG_SILENT;
    + }
    +#endif
    +
    #ifdef CONFIG_SPLASH_SCREEN
    /*
    * suppress all output if splash screen is enabled and we have
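    Review bot: the check added to console_init_r only sets GD_FLG_SILENT when myboardconsole is unset, and nothing else in this patch touches console input or the autoboot abort check, so as shown it suppresses output rather than blocking key presses on the serial line. Say so in the commit message, and document that the console is silent whenever the variable is missing from the environment.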
    --
    2.1.4