From a66ab5dbb0f5d8bbba2f7064d42cab56751f645b Mon Sep 17 00:00:00 2001
From: Peter Robinson
Date: Fri, 16 Jun 2023 10:43:01 +0100
Subject: [PATCH] Disable NFS
---
 0001-disable-NFS-support-by-default.patch | 35 +++++++++++++++++++++++
 uboot-tools.spec | 8 ++++--
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 0001-disable-NFS-support-by-default.patch
diff --git a/0001-disable-NFS-support-by-default.patch b/0001-disable-NFS-support-by-default.patch
new file mode 100644
index 0000000..b520b15
--- /dev/null
+++ b/0001-disable-NFS-support-by-default.patch
@@ -0,0 +1,35 @@
+From 31dc49dee987500b0d5b5b536b6da2f3fbfd5b59 Mon Sep 17 00:00:00 2001
+From: Peter Robinson
+Date: Tue, 13 Jun 2023 09:36:50 +0100
+Subject: [v1] disable NFS support by default
+
+While NFS is widely used in data centres, and private
+networks it's quite a nuanced usecase for device firmware.
+A lot of devices already disable it.
+
+Various network protocols should really be opt in, not opt
+out, because they add extra size and are potential attack
+vectors from a security PoV. In the NFS case it doesn't
+really make sense for a lot of devices like tables, SBCs etc.
+It's also something we don't really want for SystemReady-IR
+due to security concerns.
+
+Signed-off-by: Peter Robinson
+---
+
+v1: drop RFC tag
+
+ cmd/Kconfig | 1 -
+
+diff --git a/cmd/Kconfig b/cmd/Kconfig
+index 365371fb511..a193929cec4 100644
+--- a/cmd/Kconfig
++++ b/cmd/Kconfig
+@@ -1848,7 +1848,6 @@ config CMD_RARP
+
+ config CMD_NFS
+ bool "nfs"
+- default y
+ help
+ Boot image via network using NFS protocol.
+
diff --git a/uboot-tools.spec b/uboot-tools.spec
index 0e2d64d..f035f7d 100644
--- a/uboot-tools.spec
+++ b/uboot-tools.spec
@@ -7,7 +7,7 @@
 Name: uboot-tools
 Version: 2023.07
-Release: 0.3%{?candidate:.%{candidate}}%{?dist}
+Release: 0.4%{?candidate:.%{candidate}}%{?dist}
 Summary: U-Boot utilities
 License: GPLv2+ BSD LGPL-2.1+ LGPL-2.0+
 URL: http://www.denx.de/wiki/U-Boot
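Review bot: In 0001-disable-NFS-support-by-default.patch, removing `default y` from `config CMD_NFS` in cmd/Kconfig only turns the command off for boards that were inheriting the default. A board defconfig that sets `CONFIG_CMD_NFS=y` explicitly, or another Kconfig symbol that selects or implies it, would presumably still build the NFS client; neither is visible in this hunk. Since the stated motivation is reducing network attack surface in firmware, it is worth confirming after the config step that `CONFIG_CMD_NFS` is unset in the generated `.config` of each board this package ships. The help text could also record the new default, e.g. `Boot image via network using NFS protocol. Off by default; enable only on boards that need NFS boot.`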
@@ -20,10 +20,11 @@ Source1: aarch64-boards
 # Needed to find DT on boot partition that's not the first partition
 Patch1: uefi-distro-load-FDT-from-any-partition-on-boot-device.patch
 Patch2: smbios-Simplify-reporting-of-unknown-values.patch
+Patch3: 0001-disable-NFS-support-by-default.patch
 # Board fixes and enablement
 # RPi - uses RPI firmware device tree for HAT support
-Patch3: rpi-Enable-using-the-DT-provided-by-the-Raspberry-Pi.patch
+Patch5: rpi-Enable-using-the-DT-provided-by-the-Raspberry-Pi.patch
 # Rockchips improvements
 Patch6: rockchip-Add-initial-support-for-the-PinePhone-Pro.patch
 Patch7: rockchip-PinePhone-Pro-fixes.patch
@@ -212,6 +213,9 @@ cp -p board/sunxi/README.nand builds/docs/README.sunxi-nand
 %endif
 %changelog
+* Fri Jun 16 2023 Peter Robinson - 2023.07-0.4.rc4
+- Disable NFS by default
+
 * Mon Jun 12 2023 Peter Robinson - 2023.07-0.3.rc4
 - Update to 2023.07 RC4
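Review bot: In the patch list hunk of uboot-tools.spec, `Patch3: 0001-disable-NFS-support-by-default.patch` is added directly under the comment `# Needed to find DT on boot partition that's not the first partition` with no comment of its own, so neither the reason for carrying it nor its upstream status is recorded next to the entry. A line above it such as `# Disable CMD_NFS by default to reduce firmware network attack surface (upstream status: <LINK-OR-STATUS-PLACEHOLDER>)` would make it clear when the patch can be dropped. The rpi patch moves from `Patch3` to `Patch5`, which leaves `Patch4` unused; if the spec applies patches by number anywhere outside this hunk, that reference needs the same renumbering.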