sonyan11

How to fully disable debug UART console for production deployment?


Hi all,

I'm deploying Tinker Board 3S units in an embedded product where physical debug interfaces need to be locked down for security.

I want to completely disable the debug UART console (3-pin header, ttyFIQ0 @ 1500000 baud) so that no shell access or boot log output is possible through the serial port.

What I've considered so far:
- Removing "console=ttyFIQ0,1500000" from the kernel command line
- Masking getty@ttyFIQ0.service
- Disabling the UART node in the device tree (status = "disabled")

My questions:
1. Is removing the kernel console parameter + masking getty sufficient, or does U-Boot itself also output to this UART before the kernel takes over? If so, is there a way to silence U-Boot output as well?
2. Is there a recommended device tree overlay approach to fully disable this UART on the RK3566?
3. Are there any side effects to disabling this UART (e.g., boot failures, watchdog issues)?

Environment:
- TinkerOS Debian on eMMC
- Headless deployment, SSH-only access over Ethernet

Any guidance or experience with production hardening on TB3S would be appreciated. Thanks!


Hi Sonyan,

In general, we don’t recommend disabling the UART log, since it removes an important recovery and debugging channel.

If you still need to disable it, please try to disable the status of /fiq-debugger in device tree. This will stop console output during the kernel and system stages.

For U-Boot, we recommend using CONFIG_SILENT_CONSOLE to silence its output. Thank you.

  • Like 1
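
A way to check from Linux that the three settings discussed in this thread are in effect on a unit: the `console=ttyFIQ0` kernel parameter, the masked getty unit, and the `/fiq-debugger` device tree status. This is an added example, not code from either poster or from ASUS; the function names and the optional root-prefix argument are assumptions of the example, and the U-Boot side (`CONFIG_SILENT_CONSOLE`, a build-time option) is not checked.

```shell
#!/bin/sh
# Added example. An optional root prefix ($1) lets the checks run against a
# mounted image or test tree instead of the live system (assumption).
UART=ttyFIQ0
UNIT="getty@${UART}.service"

# Pass if the kernel command line has no console= entry for the debug UART.
check_cmdline() {
    [ -r "${1:-}/proc/cmdline" ] || return 1
    ! tr ' ' '\n' < "${1:-}/proc/cmdline" | grep -Eq "^console=${UART}(,.*)?$"
}

# Pass if the unit is masked: systemd masks a unit by linking it to /dev/null.
check_getty_masked() {
    [ "$(readlink "${1:-}/etc/systemd/system/$UNIT" 2>/dev/null)" = "/dev/null" ]
}

# Pass if /fiq-debugger is absent or carries status = "disabled".
# A node without a status property counts as enabled.
check_fiq_debugger() {
    node="${1:-}/proc/device-tree/fiq-debugger"
    [ -d "$node" ] || return 0
    [ -r "$node/status" ] || return 1
    [ "$(tr -d '\0' < "$node/status")" = "disabled" ]
}

# Run all three checks, report each failure, return non-zero if any failed.
audit_debug_uart() {
    rc=0
    check_cmdline "${1:-}"      || { echo "FAIL: console=$UART is on the kernel command line"; rc=1; }
    check_getty_masked "${1:-}" || { echo "FAIL: $UNIT is not masked"; rc=1; }
    check_fiq_debugger "${1:-}" || { echo "FAIL: /fiq-debugger is not disabled"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: debug UART console settings are applied"
    return "$rc"
}
```

Call `audit_debug_uart` with no argument on the unit itself, or pass the mount point of a flashed image to check it before deployment.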