Consoles

Disable serial console

Serial console output shall be disabled. To disable console output in U-Boot, set the following macros:

| Domain | Config name | Value |
|---|---|---|
| Boot-Consoles-Serial-1 | CONFIG_SILENT_CONSOLE | Disable |
| Boot-Consoles-Serial-2 | CONFIG_SYS_DEVICE_NULLDEV | Disable |
| Boot-Consoles-Serial-3 | CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC | Disable |

| Domain | Improvement |
|---|---|
| Boot-Consoles-1 | Secure loader: No reference earlier? |

Also set the “silent” environment variable. For the Secure loader, disable the traces by not defining the macro below:

| Domain | Environment variable name | State |
|---|---|---|
| Boot-Consoles-Serial-1 | INC_DEBUG_PRINT | Not defined |

For sboot, the appropriate configuration must be applied to disable the serial console.


Immutable environment variables

In U-Boot, ensure that the kernel command line, boot commands, boot delay and other environment variables are immutable. This prevents side-loading of alternate images by restricting the boot selection to only the image in flash.

The environment variables shall be compiled into the text region of U-Boot as the default environment and shall not be stored in non-volatile memory.

Remove configuration options related to non-volatile memory, such as:

| Domain | Config name | State |
|---|---|---|
| Boot-Consoles-Variables-1 | CONFIG_ENV_IS_IN_MMC | #undef |
| Boot-Consoles-Variables-2 | CONFIG_ENV_IS_IN_EEPROM | #undef |
| Boot-Consoles-Variables-3 | CONFIG_ENV_IS_IN_FLASH | #undef |
| Boot-Consoles-Variables-4 | CONFIG_ENV_IS_IN_DATAFLASH | #undef |
| Boot-Consoles-Variables-5 | CONFIG_ENV_IS_IN_FAT | #undef |
| Boot-Consoles-Variables-6 | CONFIG_ENV_IS_IN_NAND | #undef |
| Boot-Consoles-Variables-7 | CONFIG_ENV_IS_IN_NVRAM | #undef |
| Boot-Consoles-Variables-8 | CONFIG_ENV_IS_IN_ONENAND | #undef |
| Boot-Consoles-Variables-9 | CONFIG_ENV_IS_IN_SPI_FLASH | #undef |
| Boot-Consoles-Variables-10 | CONFIG_ENV_IS_IN_REMOTE | #undef |
| Boot-Consoles-Variables-11 | CONFIG_ENV_IS_IN_UBI | #undef |
| Boot-Consoles-Variables-12 | CONFIG_ENV_IS_NOWHERE | #define |
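
The table above can be checked mechanically during a build review. The following is an added example, not part of the original document or of U-Boot: it audits a board header (`#define`/`#undef`) or a Kconfig `.config` against rows Boot-Consoles-Variables-1 to 12. The function names and the sample inputs are constructed for illustration.

```python
import re

# Requirement IDs and macro names come from the table above.
BACKENDS = ["MMC", "EEPROM", "FLASH", "DATAFLASH", "FAT", "NAND",
            "NVRAM", "ONENAND", "SPI_FLASH", "REMOTE", "UBI"]
REQUIRED = {f"CONFIG_ENV_IS_IN_{b}": (f"Boot-Consoles-Variables-{i}", False)
            for i, b in enumerate(BACKENDS, 1)}
REQUIRED["CONFIG_ENV_IS_NOWHERE"] = ("Boot-Consoles-Variables-12", True)

CPP = re.compile(r"^\s*#\s*(define|undef)\s+(CONFIG_\w+)")
KCONFIG_SET = re.compile(r"^\s*(CONFIG_\w+)=(\S*)")
KCONFIG_UNSET = re.compile(r"^\s*#\s*(CONFIG_\w+) is not set")

def parse_config(text):
    """Map macro -> defined?; accepts board-header or Kconfig .config syntax."""
    state = {}
    for line in text.splitlines():  # later lines override earlier ones
        if m := CPP.match(line):
            state[m.group(2)] = m.group(1) == "define"
        elif m := KCONFIG_SET.match(line):
            state[m.group(1)] = m.group(2) not in ("", "n")
        elif m := KCONFIG_UNSET.match(line):
            state[m.group(1)] = False
    return state

def audit_env_storage(text):
    """Return (requirement id, macro, problem) for every row that is violated."""
    state = parse_config(text)
    findings = []
    for macro, (req_id, want_defined) in REQUIRED.items():
        if state.get(macro, False) != want_defined:
            problem = "must be defined" if want_defined else "must be undefined"
            findings.append((req_id, macro, problem))
    return findings

# Constructed sample inputs (not taken from a real board).
BAD_HEADER = """
#define CONFIG_ENV_IS_IN_MMC
#define CONFIG_ENV_SIZE 0x2000
#undef CONFIG_ENV_IS_IN_SPI_FLASH
"""
GOOD_DOTCONFIG = """
# CONFIG_ENV_IS_IN_MMC is not set
CONFIG_ENV_IS_NOWHERE=y
"""

if __name__ == "__main__":
    for req_id, macro, problem in audit_env_storage(BAD_HEADER):
        print(f"{req_id}: {macro} {problem}")
```

A macro that never appears in the input is treated as undefined, so a configuration that simply omits CONFIG_ENV_IS_NOWHERE is reported against Boot-Consoles-Variables-12.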

(Recommendation) Removal of memory dump commands

In U-Boot, the following commands shall be disabled to avoid memory dumps:

md : Memory Display command.
mm : Memory modify command - auto incrementing address.
nm : Memory modify command - constant address.
mw : Memory write.
cp : Memory copy.
mwc : Memory write cyclic.
mdc : Memory display cyclic.
mtest : Simple ram read/write test.
loopw : Infinite write loop on address range.

| Domain | Command name | State |
|---|---|---|
| Boot-Consoles-MemDump-1 | md | Disabled |
| Boot-Consoles-MemDump-2 | mm | Disabled |
| Boot-Consoles-MemDump-3 | nm | Disabled |
| Boot-Consoles-MemDump-4 | mw | Disabled |
| Boot-Consoles-MemDump-5 | cp | Disabled |
| Boot-Consoles-MemDump-6 | mwc | Disabled |
| Boot-Consoles-MemDump-7 | mdc | Disabled |
| Boot-Consoles-MemDump-8 | mtest | Disabled |
| Boot-Consoles-MemDump-9 | loopw | Disabled |

Similarly, memory dump support shall be disabled in sboot.