[RFC PATCH v1 3/4] spl: Kconfig: disallow loading args in falcon mode

Anshul Dalal anshuld at ti.com
Thu Jun 26 14:04:41 CEST 2025 

The current falcon boot requires loading of an args file (usually the
DTB) and a kernel image file to boot. But with secure boot, the dtb is
expected to be packaged inside the fitImage that kernel image (path set
by SPL_FS_LOAD_KERNEL_NAME) points to making loading the args file
unnecessary.

Secondly the args file causes security issues since it can not be
authenticated unlike a fitImage.

Furthermore current falcon boot flow provides added flexibility that
might not be desired in the interest of security, in the current flow
SPL first looks for files pointed to by the environment variables
'falcon_args_file' and 'falcon_image_file'. This could be compromised by
modifying the env data.

Therefore this patch introduces a new boolean config symbol
SPL_FALCON_LOAD_ARGS that simplifies the boot flow to only load the
kernel image file set by SPL_FS_LOAD_KERNEL_NAME if disabled.

Signed-off-by: Anshul Dalal <anshuld at ti.com>
---
 common/spl/Kconfig   | 10 ++++++++++
 common/spl/spl_ext.c |  5 +++++
 common/spl/spl_fat.c |  5 +++++
 3 files changed, 20 insertions(+)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index d5d3a41ce61..b2dbe2eea65 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -1213,6 +1213,16 @@ config SPL_FALCON_ALLOW_FALLBACK
 	  When enabled, u-boot will to load SPL_FS_LOAD_PAYLOAD_NAME from MMC
 	  if loading SPL_FS_LOAD_KERNEL_NAME fails.
 
+config SPL_FALCON_LOAD_ARGS
+	bool "Allow loading of args file in falcon mode"
+	depends on SPL_OS_BOOT && SYS_MMCSD_FS_BOOT && !SPL_SECURE_OS_BOOT
+	default y
+	help
+	  Say y to enable loading of SPL_FS_LOAD_ARGS_NAME which is used as
+	  the OS kernel argument from the filesystem (typically the DTB).
+	  This could be disabled if the falcon payload itself contains the
+	  argument (or DTB) like in a FIT container.
+
 config SPL_PAYLOAD_ARGS_ADDR
 	hex "Address in memory to load 'args' file for Falcon Mode to"
 	depends on SPL_OS_BOOT || SPL_LOAD_FIT_OPENSBI_OS_BOOT
diff --git a/common/spl/spl_ext.c b/common/spl/spl_ext.c
index 7e0274a3058..f299587d73e 100644
--- a/common/spl/spl_ext.c
+++ b/common/spl/spl_ext.c
@@ -82,6 +82,11 @@ int spl_load_image_ext_os(struct spl_image_info *spl_image,
 	struct disk_partition part_info = {};
 	__maybe_unused char *file;
 
+	if (!CONFIG_IS_ENABLED(FALCON_LOAD_ARGS))
+		return spl_load_image_ext(spl_image, bootdev, block_dev,
+					  partition,
+					  CONFIG_SPL_FS_LOAD_KERNEL_NAME);
+
 	if (part_get_info(block_dev, partition, &part_info)) {
 		printf("spl: no partition table found\n");
 		return -1;
diff --git a/common/spl/spl_fat.c b/common/spl/spl_fat.c
index 8b7cafa7291..f3d8a88a8a4 100644
--- a/common/spl/spl_fat.c
+++ b/common/spl/spl_fat.c
@@ -115,6 +115,11 @@ int spl_load_image_fat_os(struct spl_image_info *spl_image,
 	int err;
 	__maybe_unused char *file;
 
+	if (!CONFIG_IS_ENABLED(FALCON_LOAD_ARGS))
+		return spl_load_image_fat(spl_image, bootdev, block_dev,
+					  partition,
+					  CONFIG_SPL_FS_LOAD_KERNEL_NAME);
+
 	err = spl_register_fat_device(block_dev, partition);
 	if (err)
 		return err;
-- 
2.49.0

More information about the U-Boot mailing list