[RFC PATCH v1 4/4] cmd: Kconfig: disable loading raw images in secure os boot
Tom Rini
trini at konsulko.com
Fri Jun 27 01:47:41 CEST 2025
On Thu, Jun 26, 2025 at 05:34:42PM +0530, Anshul Dalal wrote:
> Raw kernel images can not be authenticated so disable loading such
> binaries in secure falcon mode. This change restricts the falcon mode
> SPL to FIT as the only viable boot image which can be authenticated.
>
> Signed-off-by: Anshul Dalal <anshuld at ti.com>
> ---
> cmd/Kconfig | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/cmd/Kconfig b/cmd/Kconfig
> index ed741d43cea..8eb55dd7f6e 100644
> --- a/cmd/Kconfig
> +++ b/cmd/Kconfig
> @@ -353,12 +353,13 @@ config BOOTM_ELF
>
> config CMD_BOOTZ
> bool "bootz"
> + depends on !SPL_SECURE_OS_BOOT
> help
> Boot the Linux zImage
>
> config CMD_BOOTI
> bool "booti"
> - depends on ARM64 || RISCV || SANDBOX
> + depends on (ARM64 || RISCV || SANDBOX) && !SPL_SECURE_OS_BOOT
> default y
> help
> Boot an AArch64 Linux Kernel image from memory.
This is just pushing things too far and we need to step back and fix it,
sorry. We need BOOTZ_IMAGE_FORMAT and BOOTI_IMAGE_FORMAT to go with
LEGACY_IMAGE_FORMAT, and then SPL_... variants too, and then use those
symbols.
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20250626/d71ce072/attachment-0001.sig>
More information about the U-Boot
mailing list