[PATCH v6 1/9] spl: Kconfig: allow K3 devices to use falcon mode
Andrew Davis
afd at ti.com
Wed May 7 20:06:19 CEST 2025
On 5/6/25 10:33 PM, Anshul Dalal wrote:
> On Tue May 6, 2025 at 8:03 PM IST, Andrew Davis wrote:
>> On 4/28/25 9:12 AM, Anshul Dalal wrote:
>>> Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
>>> ("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
>>> HS devices and can be enabled on K3 devices.
>>>
>>> For secure boot, the kernel with x509 headers can be packaged in a fit
>>
>> "can be", this is the issue. Security is not just allowing methods that
>> are security checked, but forcing the use of such methods. Setting
>> OS_BOOT opens up several paths that look for non-FIT images. These
>> images do not enforce authentication like FIT does. This means one can
>> bypass secure boot when OS_BOOT is enabled by simply placing a non-FIT
>> boot image on the boot media.
>>
>
> As per spl_load_image_ext_os, the SPL first tries to load the file set
> in the falcon_args_file env variable, but it's not set in our case, and
> the only way to set them is by rebuilding U-Boot, as uEnv.txt is not
> supported at SPL stage.
>
> This means the SPL only loads CONFIG_SPL_FS_LOAD_ARGS_NAME and
> CONFIG_SPL_FS_LOAD_KERNEL_NAME which are set as the DTB and fitImage

What is stopping me from replacing the content of the file "fitImage"
with a normal kernel image? When loading that image the file type
will be detected as a normal kernel image and all FIT logic bypassed,
including authentication, breaking our secure chain of trust.

Andrew

> respectively. Following that, authentication is enforced during FIT
> loading by the call to board_fit_image_post_process in load_simple_fit.
>
> So even if the fitImage was modified, boot would fail without valid
> signatures on HS-SE devices.
>
> - Anshul
>
>>> container (fitImage) signed with TIFS keys for authentication.
>>>
>>> Signed-off-by: Anshul Dalal <anshuld at ti.com>
>>> ---
>>> common/spl/Kconfig | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/common/spl/Kconfig b/common/spl/Kconfig
>>> index c08045f9c8d..68e900e9b91 100644
>>> --- a/common/spl/Kconfig
>>> +++ b/common/spl/Kconfig
>>> @@ -1165,7 +1165,7 @@ config SPL_ONENAND_SUPPORT
>>>
>>> config SPL_OS_BOOT
>>> bool "Activate Falcon Mode"
>>> - depends on !TI_SECURE_DEVICE
>>> + depends on !TI_SECURE_DEVICE || ARCH_K3
>>> help
>>> Enable booting directly to an OS from SPL.
>>> for more info read doc/README.falcon
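
Review bot: the new `depends on !TI_SECURE_DEVICE || ARCH_K3` line makes SPL_OS_BOOT selectable on every K3 secure device, and nothing in the dependency ties that to FIT-only loading, which is the gap raised earlier in this thread about non-FIT images skipping authentication. Consider having the K3 secure case also depend on an option that restricts falcon mode to authenticated FIT images, and extend the help text below it to state that requirement for secure devices.
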
>
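
The concern raised in the reply above is that the loader picks its code path from the file's contents, so only the FIT branch ever authenticates. The sketch below is an added illustration, not U-Boot code and not part of this thread: the function names, the constructed sample byte arrays and the one-byte signature stand-in are hypothetical; only the two magic numbers are real.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FDT_MAGIC    0xd00dfeedu /* a FIT image is a flattened device tree */
#define UIMAGE_MAGIC 0x27051956u /* legacy uImage header magic */
enum img_type { IMG_FIT, IMG_LEGACY, IMG_RAW };
enum verdict { BOOT_AUTHENTICATED, BOOT_UNAUTHENTICATED, BOOT_REJECTED };

/* Constructed sample images: 4-byte magic plus one "signature valid" byte. */
static const uint8_t signed_fit[]   = { 0xd0, 0x0d, 0xfe, 0xed, 0x01 };
static const uint8_t tampered_fit[] = { 0xd0, 0x0d, 0xfe, 0xed, 0x00 };
static const uint8_t legacy_img[]   = { 0x27, 0x05, 0x19, 0x56, 0x00 };

enum img_type detect_type(const uint8_t *b, size_t len)
{
    if (len < 4)
        return IMG_RAW;
    uint32_t magic = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
    if (magic == FDT_MAGIC)
        return IMG_FIT;
    return magic == UIMAGE_MAGIC ? IMG_LEGACY : IMG_RAW;
}

/* Hypothetical stand-in for real signature verification: byte 4 marks validity. */
static bool fit_signature_ok(const uint8_t *b, size_t len) { return len > 4 && b[4] == 0x01; }

/* Dispatch on detected type: only the FIT branch authenticates. */
enum verdict load_permissive(const uint8_t *b, size_t len)
{
    if (detect_type(b, len) != IMG_FIT)
        return BOOT_UNAUTHENTICATED; /* the file's contents chose this path */
    return fit_signature_ok(b, len) ? BOOT_AUTHENTICATED : BOOT_REJECTED;
}

/* Secure-device policy: anything that is not a FIT is refused outright. */
enum verdict load_fit_only(const uint8_t *b, size_t len)
{
    if (detect_type(b, len) != IMG_FIT)
        return BOOT_REJECTED;
    return fit_signature_ok(b, len) ? BOOT_AUTHENTICATED : BOOT_REJECTED;
}

int main(void)
{
    printf("permissive=%d fit_only=%d\n", load_permissive(legacy_img, sizeof legacy_img),
           load_fit_only(legacy_img, sizeof legacy_img));
    return 0;
}
```

Both loaders reject the tampered FIT; they differ only on the non-FIT file, which is the case the reply is about.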