[RFC PATCH v1 4/4] cmd: Kconfig: disable loading raw images in secure os boot

Anshul Dalal anshuld at ti.com
Fri Jun 27 01:53:59 CEST 2025


On Fri Jun 27, 2025 at 5:17 AM IST, Tom Rini wrote:
> On Thu, Jun 26, 2025 at 05:34:42PM +0530, Anshul Dalal wrote:
>
>> Raw kernel images can not be authenticated so disable loading such
>> binaries in secure falcon mode. This change restricts the falcon mode
>> SPL to FIT as the only viable boot image which can be authenticated.
>> 
>> Signed-off-by: Anshul Dalal <anshuld at ti.com>
>> ---
>>  cmd/Kconfig | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>> 
>> diff --git a/cmd/Kconfig b/cmd/Kconfig
>> index ed741d43cea..8eb55dd7f6e 100644
>> --- a/cmd/Kconfig
>> +++ b/cmd/Kconfig
>> @@ -353,12 +353,13 @@ config BOOTM_ELF
>>  
>>  config CMD_BOOTZ
>>  	bool "bootz"
>> +	depends on !SPL_SECURE_OS_BOOT
>>  	help
>>  	  Boot the Linux zImage
>>  
>>  config CMD_BOOTI
>>  	bool "booti"
>> -	depends on ARM64 || RISCV || SANDBOX
>> +	depends on (ARM64 || RISCV || SANDBOX) && !SPL_SECURE_OS_BOOT
>>  	default y
>>  	help
>>  	  Boot an AArch64 Linux Kernel image from memory.
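
Review bot: The added "depends on !SPL_SECURE_OS_BOOT" on CMD_BOOTZ and CMD_BOOTI gates the bootz and booti command symbols in cmd/Kconfig on an SPL option, while the commit message scopes the restriction to the falcon mode SPL; please state whether removing both commands from the whole configuration is intended, or gate an SPL-scoped symbol instead. Neither help text is updated, so a user who finds the option missing gets no hint why; a line in each help text saying the command is unavailable with SPL_SECURE_OS_BOOT because raw images cannot be authenticated would document that. On CMD_BOOTI, which carries "default y", the new dependency switches the command off silently for any existing config that enables SPL_SECURE_OS_BOOT, which deserves a mention in the commit message.
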
>
> This is just pushing things too far and we need to step back and fix it,
> sorry. We need BOOTZ_IMAGE_FORMAT and BOOTI_IMAGE_FORMAT to go with
> LEGACY_IMAGE_FORMAT, and then SPL_... variants too, and then use those
> symbols.

I can respin one of my earlier patch series[1] that migrated these
CMD_BOOTx symbols to SPL. But we should still disable those new symbols
to prevent loading of unverifiable raw kernel images in secure os boot,
right?

[1]: https://lore.kernel.org/u-boot/20250408141436.712387-1-anshuld@ti.com/

