[PATCH v7 02/10] spl: make CMD_BOOTZ exclusive with TI_SECURE_DEVICE
Anshul Dalal
anshuld at ti.com
Tue Jun 3 16:24:42 CEST 2025
In the secure OS_BOOT spl execution code path, CMD_BOOTZ enables loading
of a zImage which might allow an attacker to bypass the authenticated
boot with fitImage by replacing it with a malicious image with header
identical to zImage.
Disabling CMD_BOOTZ ensures this code path is never hit inside
spl_parse_image_header.
Signed-off-by: Anshul Dalal <anshuld at ti.com>
---
cmd/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/cmd/Kconfig b/cmd/Kconfig
index f21d27cb27f..4c23f04c699 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -353,6 +353,7 @@ config BOOTM_ELF
config CMD_BOOTZ
bool "bootz"
+ depends on !TI_SECURE_DEVICE
help
Boot the Linux zImage
--
2.49.0
More information about the U-Boot
mailing list