[RFC PATCH v1 0/4] Add support for secure boot in falcon mode
Anshul Dalal
anshuld at ti.com
Thu Jun 26 14:04:38 CEST 2025
Hi all,
With my ongoing work in supporting falcon mode on TI's AM62 platforms[1], I
have encountered several limitations of falcon boot flow from a security PoV.
Currently falcon mode requires an args binary (usually a DTB) and the kernel
image to boot.
This conflicts with secure boot which requires a signed fitImage to be loaded
with the kernel and dtb packaged in a single FIT container among other issues.
This patch series adds a new SPL_SECURE_OS_BOOT config symbol which disables
loading the args file as well as fallback to U-Boot if enabled.
The changes have currently only been verified on MMC FS boot but I can expand
support to other boot media if this is the right direction for achieving secure
falcon boot.
Happy booting,
Anshul
---
[1]: https://lore.kernel.org/u-boot/20250603142452.2707171-1-anshuld@ti.com/
---
Anshul Dalal (4):
  spl: Kconfig: add SPL_SECURE_OS_BOOT config symbol
  spl: Kconfig: allow disabling fallback during os boot
  spl: Kconfig: disallow loading args in falcon mode
  cmd: Kconfig: disable loading raw images in secure os boot

 cmd/Kconfig          |  3 +-
 common/spl/Kconfig   | 27 ++++++++++++++
 common/spl/spl_ext.c |  5 +++
 common/spl/spl_fat.c |  5 +++
 common/spl/spl_mmc.c | 87 ++++++++++++++++++++++++++++----------------
 5 files changed, 94 insertions(+), 33 deletions(-)
--
2.49.0