## Disable serial console

Serial console output shall be disabled. To disable console output in U-Boot,
set the following macros:

<!-- section-config -->

Domain                 | `Config` name                           | `Value`
---------------------- | --------------------------------------- | ---------
Boot-Consoles-Serial-1 | `CONFIG_SILENT_CONSOLE`                 | `Disable`
Boot-Consoles-Serial-2 | `CONFIG_SYS_DEVICE_NULLDEV`             | `Disable`
Boot-Consoles-Serial-3 | `CONFIG_SILENT_CONSOLE_UPDATE_ON_RELOC` | `Disable`

<!-- end-section-config -->

<!-- section-todo -->

--------------- | ------------------------------------
Boot-Consoles-1 | Secure loader: No reference earlier?

<!-- end-section-todo -->

Also set the "**silent**" environment variable. For the Secure loader,
disable the traces by not defining the macro below:

<!-- section-config -->

Domain                 | `Environment variable` name | _State_
---------------------- | --------------------------- | -------------
Boot-Consoles-Serial-1 | `INC_DEBUG_PRINT`           | _Not defined_

<!-- end-section-config -->

For sboot, proper configuration needs to be done to disable the serial console.

--------------------------------------------------------------------------------

## Immutable environment variables

In U-Boot, ensure that the kernel command line, boot commands, boot delay and
other environment variables are immutable. This prevents side-loading of
alternate images by restricting the boot selection to only the image in FLASH.

The environment variables shall be part of the text region in U-Boot, as the
default environment, and not stored in non-volatile memory.

Remove configuration options related to non-volatile memory, such as:

<!-- section-config -->

Domain                     | `Config` name                | _State_
-------------------------- | ---------------------------- | ---------
Boot-Consoles-Variables-1  | `CONFIG_ENV_IS_IN_MMC`       | `#undef`
Boot-Consoles-Variables-2  | `CONFIG_ENV_IS_IN_EEPROM`    | `#undef`
Boot-Consoles-Variables-3  | `CONFIG_ENV_IS_IN_FLASH`     | `#undef`
Boot-Consoles-Variables-4  | `CONFIG_ENV_IS_IN_DATAFLASH` | `#undef`
Boot-Consoles-Variables-5  | `CONFIG_ENV_IS_IN_FAT`       | `#undef`
Boot-Consoles-Variables-6  | `CONFIG_ENV_IS_IN_NAND`      | `#undef`
Boot-Consoles-Variables-7  | `CONFIG_ENV_IS_IN_NVRAM`     | `#undef`
Boot-Consoles-Variables-8  | `CONFIG_ENV_IS_IN_ONENAND`   | `#undef`
Boot-Consoles-Variables-9  | `CONFIG_ENV_IS_IN_SPI_FLASH` | `#undef`
Boot-Consoles-Variables-10 | `CONFIG_ENV_IS_IN_REMOTE`    | `#undef`
Boot-Consoles-Variables-11 | `CONFIG_ENV_IS_IN_UBI`       | `#undef`
Boot-Consoles-Variables-12 | `CONFIG_ENV_IS_NOWHERE`      | `#define`

<!-- end-section-config -->
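
One way to check a build against the table above, as an added example that is not part of the original document or of U-Boot: a small audit that reads a board header and reports any `CONFIG_ENV_IS_IN_*` symbol left defined, or a missing `CONFIG_ENV_IS_NOWHERE`. It goes beyond the table by flagging every symbol with that prefix and by also accepting Kconfig-style `.config` lines; the function names and sample inputs are constructed for illustration.

```python
import re

# States required by the table above: every non-volatile backend undefined,
# CONFIG_ENV_IS_NOWHERE defined.
FORBIDDEN_PREFIX = "CONFIG_ENV_IS_IN_"
REQUIRED = "CONFIG_ENV_IS_NOWHERE"

DIRECTIVE = re.compile(r"^\s*#\s*(define|undef)\s+(CONFIG_ENV_IS_\w+)")
# Assumption: Kconfig-style lines are also accepted (not shown on this page).
KCONFIG_SET = re.compile(r"^(CONFIG_ENV_IS_\w+)=(\S+)")
KCONFIG_UNSET = re.compile(r"^#\s*(CONFIG_ENV_IS_\w+) is not set")


def env_symbol_states(text):
    """Return {symbol: defined?}; the last directive seen for a symbol wins."""
    states = {}
    for line in text.splitlines():
        if m := DIRECTIVE.match(line):
            states[m.group(2)] = m.group(1) == "define"
        elif m := KCONFIG_SET.match(line):
            states[m.group(1)] = m.group(2) != "n"
        elif m := KCONFIG_UNSET.match(line):
            states[m.group(1)] = False
    return states


def audit_env_config(text):
    """Return a sorted list of findings; an empty list means compliant."""
    states = env_symbol_states(text)
    findings = [f"{sym} is defined (environment stored in non-volatile memory)"
                for sym, on in states.items()
                if on and sym.startswith(FORBIDDEN_PREFIX)]
    if not states.get(REQUIRED, False):
        findings.append(f"{REQUIRED} is not defined")
    return sorted(findings)


# Constructed sample inputs (not taken from any real board).
BAD_HEADER = """\
#define CONFIG_ENV_IS_IN_MMC
#define CONFIG_ENV_IS_IN_SPI_FLASH
#undef CONFIG_ENV_IS_IN_SPI_FLASH
"""
GOOD_DEFCONFIG = """\
# CONFIG_ENV_IS_IN_MMC is not set
CONFIG_ENV_IS_NOWHERE=y
"""

if __name__ == "__main__":
    print(audit_env_config(BAD_HEADER), audit_env_config(GOOD_DEFCONFIG))
```

Running the audit in CI on the final generated configuration, rather than on the board header alone, catches a storage backend re-enabled by a later include.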

--------------------------------------------------------------------------------

## (Recommendation) Removal of memory dump commands

In U-Boot, the following commands shall be disabled to avoid memory dumps:

- `md`: Memory display command.
- `mm`: Memory modify command - auto incrementing address.
- `nm`: Memory modify command - constant address.
- `mwc`: Memory write cyclic.
- `mdc`: Memory display cyclic.
- `mtest`: Simple RAM read/write test.
- `loopw`: Infinite write loop on address range.

<!-- section-config -->

Domain                  | `Command` name | _State_
----------------------- | -------------- | ----------
Boot-Consoles-MemDump-1 | `md`           | _Disabled_
Boot-Consoles-MemDump-2 | `mm`           | _Disabled_
Boot-Consoles-MemDump-3 | `nm`           | _Disabled_
Boot-Consoles-MemDump-4 | `mw`           | _Disabled_
Boot-Consoles-MemDump-5 | `cp`           | _Disabled_
Boot-Consoles-MemDump-6 | `mwc`          | _Disabled_
Boot-Consoles-MemDump-7 | `mdc`          | _Disabled_
Boot-Consoles-MemDump-8 | `mtest`        | _Disabled_
Boot-Consoles-MemDump-9 | `loopw`        | _Disabled_

<!-- end-section-config -->

Similarly, memory dump support shall be disabled in sboot.