[RFC PATCH v1 2/4] spl: Kconfig: allow disabling fallback during os boot

Anshul Dalal anshuld at ti.com
Thu Jun 26 14:04:40 CEST 2025


During falcon boot in FS mode, if the SPL fails to load the payload
(kernel image and args), execution falls back to the standard u-boot boot
mode.

This might not be desired in cases when the u-boot payload (tifalcon.bin in
our case) is dysfunctional by itself or the user's access to standard u-boot
should be restricted (for security reasons, for example).

In our falcon use case, this fallback allows the user to bypass
authenticated boot by just deleting the fitImage which causes SPL to
reload tifalcon.bin. The boot proceeds as usual until ATF jumps to
PRELOADED_BL33_BASE where the kernel has not been loaded causing the
core to execute whatever else was written at that address.

Therefore this patch adds a new config symbol SPL_FALCON_ALLOW_FALLBACK
that explicitly toggles the fallback for MMC FS boot. It is set to 'y'
by default so as to not break any existing falcon mode systems.

Signed-off-by: Anshul Dalal <anshuld at ti.com>
---
 common/spl/Kconfig   | 10 +++++
 common/spl/spl_mmc.c | 87 ++++++++++++++++++++++++++++----------------
 2 files changed, 65 insertions(+), 32 deletions(-)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index 8d153c2e9c9..d5d3a41ce61 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -1203,6 +1203,16 @@ config SPL_SECURE_OS_BOOT
 	  Enables support for secure boot in falcon mode by restricting the SPL to
 	  only loading a fitImage instead of raw kernel images or DTBs.
 
+config SPL_FALCON_ALLOW_FALLBACK
+	bool "Allow fallback to regular boot if falcon mode fails"
+	depends on SPL_OS_BOOT && SYS_MMCSD_FS_BOOT && !SPL_SECURE_OS_BOOT
+	default y
+	help
+	  Enable support to fallback to regular boot if falcon mode fails in
+	  MMC FS boot.
+	  When enabled, u-boot will to load SPL_FS_LOAD_PAYLOAD_NAME from MMC
+	  if loading SPL_FS_LOAD_KERNEL_NAME fails.
+
 config SPL_PAYLOAD_ARGS_ADDR
 	hex "Address in memory to load 'args' file for Falcon Mode to"
 	depends on SPL_OS_BOOT || SPL_LOAD_FIT_OPENSBI_OS_BOOT
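Review bot: The help text for SPL_FALCON_ALLOW_FALLBACK has a typo (`will to load`) and does not say what setting the option to 'n' actually guarantees, which matters for a symbol meant as a hardening switch. I would reword the last sentence to `When enabled, SPL loads SPL_FS_LOAD_PAYLOAD_NAME from MMC if loading SPL_FS_LOAD_KERNEL_NAME fails.` and add that with 'n' a failed kernel load in MMC FS boot is reported as an error instead. The help should also state that the `!SPL_SECURE_OS_BOOT` dependency hides the symbol, and so disables fallback, whenever SPL_SECURE_OS_BOOT is set. It is worth documenting that only the load-failure case is covered: in the spl_mmc.c hunk a non-zero spl_start_uboot() still skips the OS load and goes on to the regular payload when SPL_FS_LOAD_PAYLOAD_NAME is configured.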
diff --git a/common/spl/spl_mmc.c b/common/spl/spl_mmc.c
index d06f9f0dee6..77ef3190fb3 100644
--- a/common/spl/spl_mmc.c
+++ b/common/spl/spl_mmc.c
@@ -193,6 +193,46 @@ int spl_start_uboot(void)
 }
 #endif
 
+static int spl_mmc_fs_load_os(struct spl_image_info *spl_image,
+			      struct spl_boot_device *bootdev,
+			      struct blk_desc *blk_dev, int part)
+{
+	int err = -ENOENT;
+
+	if (CONFIG_IS_ENABLED(FS_FAT)) {
+		err = spl_load_image_fat_os(spl_image, bootdev, blk_dev, part);
+		if (!err)
+			return 0;
+	}
+	if (CONFIG_IS_ENABLED(FS_EXT4)) {
+		err = spl_load_image_ext_os(spl_image, bootdev, blk_dev, part);
+		if (!err)
+			return 0;
+	}
+
+	return err;
+}
+
+static int spl_mmc_fs_load(struct spl_image_info *spl_image,
+			   struct spl_boot_device *bootdev,
+			   struct blk_desc *blk_dev, int part, const char *file)
+{
+	int err = -ENOENT;
+
+	if (CONFIG_IS_ENABLED(FS_FAT)) {
+		err = spl_load_image_fat(spl_image, bootdev, blk_dev, part, file);
+		if (!err)
+			return 0;
+	}
+	if (CONFIG_IS_ENABLED(FS_EXT4)) {
+		err = spl_load_image_ext(spl_image, bootdev, blk_dev, part, file);
+		if (!err)
+			return 0;
+	}
+
+	return err;
+}
+
 #ifdef CONFIG_SYS_MMCSD_FS_BOOT
 static int spl_mmc_do_fs_boot(struct spl_image_info *spl_image,
 			      struct spl_boot_device *bootdev,
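Review bot: Both new static helpers sit above the `#ifdef CONFIG_SYS_MMCSD_FS_BOOT` line, while their only visible caller, spl_mmc_do_fs_boot(), is inside that guard, so a build without SYS_MMCSD_FS_BOOT would presumably get unused-function warnings for them. spl_mmc_fs_load() is additionally called only under CONFIG_SPL_FS_LOAD_PAYLOAD_NAME in the next hunk. Moving the two definitions below the `#ifdef CONFIG_SYS_MMCSD_FS_BOOT` line (or marking them `__maybe_unused`) avoids this. A short comment on each would also help, noting that FAT is tried before EXT4, that the return value is the error of the last filesystem tried, and that it is -ENOENT when neither filesystem is enabled.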
@@ -225,42 +265,25 @@ static int spl_mmc_do_fs_boot(struct spl_image_info *spl_image,
 	}
 #endif
 
-#ifdef CONFIG_SPL_FS_FAT
-	if (!spl_start_uboot()) {
-		ret = spl_load_image_fat_os(spl_image, bootdev, mmc_get_blk_desc(mmc),
-					    partition);
-		if (!ret)
-			return 0;
-	}
-#ifdef CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
-	ret = spl_load_image_fat(spl_image, bootdev, mmc_get_blk_desc(mmc),
-				 partition,
-				 filename);
-	if (!ret)
-		return ret;
-#endif
-#endif
-#ifdef CONFIG_SPL_FS_EXT4
 	if (!spl_start_uboot()) {
-		ret = spl_load_image_ext_os(spl_image, bootdev, mmc_get_blk_desc(mmc),
-					    partition);
-		if (!ret)
-			return 0;
+		ret = spl_mmc_fs_load_os(spl_image, bootdev,
+					 mmc_get_blk_desc(mmc), partition);
+		if (!CONFIG_IS_ENABLED(FALCON_ALLOW_FALLBACK)) {
+			if (ret) {
+				printf("Failed to load falcon payload: %d\n",
+				       ret);
+				printf("Set CONFIG_SPL_FALCON_ALLOW_FALLBACK to allow fallback\n");
+			}
+			return ret;
+		}
 	}
-#ifdef CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
-	ret = spl_load_image_ext(spl_image, bootdev, mmc_get_blk_desc(mmc),
-				 partition,
-				 filename);
-	if (!ret)
-		return 0;
-#endif
-#endif
-
-#if defined(CONFIG_SPL_FS_FAT) || defined(CONFIG_SPL_FS_EXT4)
-	ret = -ENOENT;
-#endif
 
+#ifdef CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
+	return spl_mmc_fs_load(spl_image, bootdev, mmc_get_blk_desc(mmc),
+			       partition, filename);
+#else
 	return ret;
+#endif
 }
 #endif
 
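Review bot: With SPL_FALCON_ALLOW_FALLBACK enabled (the default), a successful spl_mmc_fs_load_os() never returns from the `if (!spl_start_uboot())` block, because `ret` is only checked inside the `!CONFIG_IS_ENABLED(FALCON_ALLOW_FALLBACK)` branch. Control then reaches spl_mmc_fs_load() and loads `filename` on top of the falcon image that was just loaded. Adding `if (!ret) return 0;` directly after the spl_mmc_fs_load_os() call restores the removed early return, and the no-fallback branch then needs only the two printf calls and `return ret;`. Separately, the `#else` branch's `return ret;` no longer has the removed `ret = -ENOENT;` before it. When spl_start_uboot() is non-zero and no payload name is configured, it returns whatever `ret` held earlier in the function (which starts outside this hunk), so `return -ENOENT;` there would keep a boot that loaded nothing from being reported as success.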
-- 
2.49.0


