Consoles
Disable serial console
Serial console output shall be disabled. To disable console output in U-Boot, set the following macros:
| Domain | Config name |
Value |
|---|---|---|
| Boot-Consoles-Serial-1 | CONFIG_SILENT_CONSOLE |
Disable |
| Boot-Consoles-Serial-2 | CONFIG_SYS_DEVICE_NULLDEV |
Disable |
| Boot-Consoles-Serial-3 | CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC |
Disable |
| Domain | Improvement |
|---|---|
| Boot-Consoles-1 | Secure loader: No reference earlier? |
And set "silent" environment variable. For the Secure loader, disable the traces by not defining the below macro:
| Domain | Environment variable name |
State |
|---|---|---|
| Boot-Consoles-Serial-1 | INC_DEBUG_PRINT |
Not defined |
For sboot proper configuration needs to be done to disable the serial console.
Immutable environment variables
In U-Boot, ensure Kernel command line, boot commands, boot delay and other environment variables are immutable. This will prevent side-loading of alternate images, by restricting the boot selection to only the image in FLASH.
The environment variables shall be part of the text region in U-Boot as default environment variable and not in non-volatile memory.
Remove configuration options related to non-volatile memory, such as:
| Domain | Config name |
State |
|---|---|---|
| Boot-Consoles-Variables-1 | CONFIG_ENV_IS_IN_MMC |
#undef |
| Boot-Consoles-Variables-2 | CONFIG_ENV_IS_IN_EEPROM |
#undef |
| Boot-Consoles-Variables-3 | CONFIG_ENV_IS_IN_FLASH |
#undef |
| Boot-Consoles-Variables-4 | CONFIG_ENV_IS_IN_DATAFLASH |
#undef |
| Boot-Consoles-Variables-5 | CONFIG_ENV_IS_IN_FAT |
#undef |
| Boot-Consoles-Variables-6 | CONFIG_ENV_IS_IN_NAND |
#undef |
| Boot-Consoles-Variables-7 | CONFIG_ENV_IS_IN_NVRAM |
#undef |
| Boot-Consoles-Variables-8 | CONFIG_ENV_IS_IN_ONENAND |
#undef |
| Boot-Consoles-Variables-9 | CONFIG_ENV_IS_IN_SPI_FLASH |
#undef |
| Boot-Consoles-Variables-10 | CONFIG_ENV_IS_IN_REMOTE |
#undef |
| Boot-Consoles-Variables-11 | CONFIG_ENV_IS_IN_UBI |
#undef |
| Boot-Consoles-Variables-12 | CONFIG_ENV_IS_NOWHERE |
#define |
(Recommendation) Removal of memory dump commands
In U-Boot, following commands shall be disabled to avoid memory dumps:
md : Memory Display command.
mm : Memory modify command - auto incrementing address.
nm : Memory modify command - constant address.
mw : Memory write.
cp : Memory copy.
mwc : Memory write cyclic.
mdc : Memory display cyclic.
mtest : Simple ram read/write test.
loopw : Infinite write loop on address range.
| Domain | Command name |
State |
|---|---|---|
| Boot-Consoles-MemDump-1 | md |
Disabled |
| Boot-Consoles-MemDump-2 | mm |
Disabled |
| Boot-Consoles-MemDump-3 | nm |
Disabled |
| Boot-Consoles-MemDump-4 | mw |
Disabled |
| Boot-Consoles-MemDump-5 | cp |
Disabled |
| Boot-Consoles-MemDump-6 | mwc |
Disabled |
| Boot-Consoles-MemDump-7 | mdc |
Disabled |
| Boot-Consoles-MemDump-8 | mtest |
Disabled |
| Boot-Consoles-MemDump-9 | loopw |
Disabled |
Similarly, memory dump support shall be disabled from sboot.