# SPDX-License-Identifier: GPL-2.0-only

menu "General Settings"

config CONSOLE_INPUT
	bool "Allow console input"
	depends on $(kconfig-enabled,CONSOLE_SIMPLE) || $(kconfig-enabled,CONSOLE_FULL)
	help
	  Say y here if you want to allow input on consoles. Disabling this is the
	  safest way to make sure that a barebox build is fully non-interactive. If
	  you still need to react to input, for example to trigger a recovery boot,
	  consider leaving this option enabled and disabling SHELL_INTERACTIVE instead.

config SHELL
	bool "Allow executing shell scripts"
	depends on $(kconfig-enabled,SHELL_HUSH) || $(kconfig-enabled,SHELL_SIMPLE)
	help
	  Say y here if you want to allow executing shell scripts. Shell scripts are
	  potentially dangerous when they come from untrusted sources. Enable this
	  option only if every script that can be executed is trusted, i.e.
	  ENVIRONMENT_LOAD and untrusted filesystems are disabled.

config SHELL_INTERACTIVE
	bool "Allow executing interactive shell"
	depends on SHELL && CONSOLE_INPUT
	help
	  An interactive shell lets anyone with console access run arbitrary
	  commands, so it cannot be offered safely on a system that has to stay
	  trusted. Disable this option in lockdown security configs.

	  Disabling this option also disables interruption with ctrl-c keystrokes.

config ENVIRONMENT_LOAD
	bool "Allow loading barebox environment from persistent media"
	depends on $(kconfig-enabled,ENV_HANDLING)
	help
	  The barebox environment doesn't have any security measures and could be
	  manipulated by an attacker. Loading it from persistent media poses a
	  security risk and should thus be disabled.

# Policy switch for the RATP remote-control channel; gated on the build
# option CONSOLE_RATP via $(kconfig-enabled,CONSOLE_RATP).
# NOTE(review): no help text. Remote control is presumably as sensitive as
# SHELL_INTERACTIVE for lockdown configs - confirm and document the
# recommended setting here.
config RATP
	bool "Allow remote control via RATP"
	depends on $(kconfig-enabled,CONSOLE_RATP)

# Policy switch for the Fastboot "OEM" commands; gated on the build option of
# the same name via $(kconfig-enabled,FASTBOOT_CMD_OEM).
# NOTE(review): no help text. If the OEM commands can change variables or run
# barebox commands from the host (verify against the fastboot code), lockdown
# configs should turn this off, and the help should say so.
config FASTBOOT_CMD_OEM
	bool "Allow Fastboot OEM commands"
	depends on $(kconfig-enabled,FASTBOOT_CMD_OEM)

endmenu

menu "Boot Policy"

config BOOT_UNSIGNED_IMAGES
	bool "Allow booting unsigned images"
	depends on $(kconfig-enabled,BOOTM_OPTIONAL_SIGNED_IMAGES)
	help
	  Say y here if you want to allow booting of images with
	  an invalid signature or no signature at all.

	  Systems with verified boot chains should say n here
	  or force signature verification at compile time, irrespective
	  of policy, with CONFIG_BOOTM_FORCE_SIGNED_IMAGES.

endmenu
