2 title: Communication modes
7 ## Disable USB, Serial and DOCSIS Support
9 To disable USB support in U-Boot, following config's shall not be defined:
12 CONFIG_CMD_USB: Enables basic USB support and the usb command.
13 CONFIG_USB_UHCI: Defines the lowlevel part.
14 CONFIG_USB_KEYBOARD: Enables the USB Keyboard.
15 CONFIG_USB_STORAGE: Enables the USB storage devices.
16 CONFIG_USB_HOST_ETHER: Enables USB Ethernet adapter support.
19 In addition, disable unnecessary communication modes like Ethernet, Serial
20 ports, DOCSIS in U-Boot and sboot that are not necessary.
22 Linux Kernel support for USB should be compiled-out if not required. If it is
23 needed, the Linux Kernel should be configured to only enable the minimum
24 required USB devices. User-initiated USB-filesystems should be treated with
25 special care. Whether or not the filesystems are mounted in userspace
26 (**FUSE**), restricted mount options should be observed.
28 <!-- section-config -->
30 Domain | Communication modes | _State_
31 -------------------- | ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------
32 Boot-Communication-1 | `USB` | _Disabled_ and _Compiled-out_ if not required.
33 Boot-Communication-2 | `USB` | Else, Kernel should be configured to only enable the minimum required USB devices and filesystems should be treated with special care.
34 Boot-Communication-3 | `Ethernet` | _Disabled_
35 Boot-Communication-4 | U-boot and sboot `DOCSIS` | _Disabled_
36 Boot-Communication-5 | `Serial ports` | _Disabled_
38 <!-- end-section-config --> <!-- section-config -->
40 Domain | `Config` name | _State_
41 ------------------------ | ----------------------- | -------------
42 Boot-Communication-USB-1 | `CONFIG_CMD_USB` | _Not defined_
43 Boot-Communication-USB-2 | `CONFIG_USB_UHCI` | _Not defined_
44 Boot-Communication-USB-3 | `CONFIG_USB_KEYBOARD` | _Not defined_
45 Boot-Communication-USB-4 | `CONFIG_USB_STORAGE` | _Not defined_
46 Boot-Communication-USB-5 | `CONFIG_USB_HOST_ETHER` | _Not defined_
48 <!-- end-section-config -->
50 --------------------------------------------------------------------------------
52 ## Disable all unused Network Interfaces
54 Only used network interfaces should be enabled. Where possible, services should
55 also be limited to those necessary.
57 <!-- section-config -->
59 Domain | Communication modes | _State_
60 -------------------- | -------------------- | ---------------------------------------------------------------------------------------------
61 Boot-Communication-1 | `Network interfaces` | Preferably _no network interface is allowed_, otherwise, restrict the services to those used.
63 <!-- end-section-config -->
65 ## Remove or Disable Unnecessary Services, Ports, and Devices
67 Restrict the `services`, `ports` and `devices` to those used.
69 <!-- section-config -->
71 Domain | Object | Recommendations
72 -------------------- | --------------------------------- | -------------------------------------------------------------
73 Boot-Communication-1 | `Services`, `ports` and `devices` | Restrict the `services`, `ports` and `devices` to those used.
75 <!-- end-section-config -->
77 ## Disable flash access
81 In U-Boot following flash memory commands shall be disabled:
83 **NAND**: Support for nand flash access available through `do_nand` has to be
86 <!-- section-config -->
88 Domain | `Command` name | _State_
89 -------------------------- | -------------- | ---------
90 Boot-Communication-Flash-1 | `do_nand` | _Disable_
92 <!-- end-section-config -->
94 Similarly sboot should disable flash access support through command line if any.
Code Review / AGL / documentation.git / blob