[PATCH v6 1/9] spl: Kconfig: allow K3 devices to use falcon mode
Andrew Davis
afd at ti.com
Tue May 6 16:33:07 CEST 2025
On 4/28/25 9:12 AM, Anshul Dalal wrote:
> Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
> ("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
> HS devices and can be enabled on K3 devices.
>
> For secure boot, the kernel with x509 headers can be packaged in a fit
"can be", this is the issue. Security is not just allowing methods that
are security checked, but forcing the use of such methods. Setting
OS_BOOT opens up several paths that look for non-FIT images. These
images do not enforce authentication like FIT does. This means one can
bypass secure boot when OS_BOOT is enabled by simply placing a non-FIT
boot image on the boot media.
Andrew
> container (fitImage) signed with TIFS keys for authentication.
>
> Signed-off-by: Anshul Dalal <anshuld at ti.com>
> ---
> common/spl/Kconfig | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/common/spl/Kconfig b/common/spl/Kconfig
> index c08045f9c8d..68e900e9b91 100644
> --- a/common/spl/Kconfig
> +++ b/common/spl/Kconfig
> @@ -1165,7 +1165,7 @@ config SPL_ONENAND_SUPPORT
>
> config SPL_OS_BOOT
> bool "Activate Falcon Mode"
> - depends on !TI_SECURE_DEVICE
> + depends on !TI_SECURE_DEVICE || ARCH_K3
> help
> Enable booting directly to an OS from SPL.
> for more info read doc/README.falcon
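Review bot: On the changed `depends on` line, `|| ARCH_K3` makes SPL_OS_BOOT selectable on K3 builds that also set TI_SECURE_DEVICE, but nothing in this hunk ties that case to FIT-only loading, so the non-FIT falcon paths described in the reply above remain reachable on a secure device. Consider making the secure K3 case additionally depend on (or select) an option that restricts SPL to authenticated FIT images, and extend the `help` text to state that requirement, since it currently only points to doc/README.falcon.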