[PATCH v1] env: Kconfig: disable external env in secure os boot

Anshul Dalal anshuld at ti.com
Thu Oct 9 14:34:34 CEST 2025


Falcon mode uses falcon_image_file from the env during mmc fs boot, but
external env can be compromised. Therefore disable access to external
env by setting SPL_ENV_IS_NOWHERE when SPL_OS_BOOT_SECURE is set.

Signed-off-by: Anshul Dalal <anshuld at ti.com>
---
This is a standalone patch from an older RFC:
https://lore.kernel.org/u-boot/20250911131414.3296697-16-anshuld@ti.com/

Changes:
 - Add a `depends on !SPL_OS_BOOT_SECURE` for each SPL_ENV_IS_IN_*

Depends on:
  [PATCH -next v3 1/7] spl: Kconfig: add SPL_OS_BOOT_SECURE config symbol:
   - https://lore.kernel.org/u-boot/20251006101057.4172248-2-anshuld@ti.com/
---
 env/Kconfig | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/env/Kconfig b/env/Kconfig
index adea277470f..ce88d640156 100644
--- a/env/Kconfig
+++ b/env/Kconfig
@@ -827,12 +827,14 @@ if SPL_ENV_SUPPORT
 config SPL_ENV_IS_NOWHERE
 	bool "SPL Environment is not stored"
 	default y if ENV_IS_NOWHERE
+	default y if SPL_OS_BOOT_SECURE
 	help
 	  Similar to ENV_IS_NOWHERE, used for SPL environment.
 
 config SPL_ENV_IS_IN_MMC
 	bool "SPL Environment in an MMC device"
 	depends on !SPL_ENV_IS_NOWHERE
+	depends on !SPL_OS_BOOT_SECURE
 	depends on ENV_IS_IN_MMC
 	default y
 	help
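Review bot: The added `default y if SPL_OS_BOOT_SECURE` on SPL_ENV_IS_NOWHERE is only a default, and the symbol keeps its user-visible prompt, so a defconfig or menuconfig can still set it to n while SPL_OS_BOOT_SECURE is enabled. The `depends on !SPL_OS_BOOT_SECURE` lines would then still hide every storage backend, leaving SPL_ENV_SUPPORT with no environment location selected; how the env code behaves in that state is not visible in this patch. Making the prompt conditional, `bool "SPL Environment is not stored" if !SPL_OS_BOOT_SECURE`, would pin the value to y in secure builds. The help text could also record the reason, for example `Forced on when SPL_OS_BOOT_SECURE is set, so that SPL does not take boot variables from an external environment.`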
@@ -841,6 +843,7 @@ config SPL_ENV_IS_IN_MMC
 config SPL_ENV_IS_IN_FAT
 	bool "SPL Environment is in a FAT filesystem"
 	depends on !SPL_ENV_IS_NOWHERE
+	depends on !SPL_OS_BOOT_SECURE
 	depends on ENV_IS_IN_FAT
 	default y
 	help
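Review bot: The `depends on !SPL_OS_BOOT_SECURE` guard is repeated per backend (here on SPL_ENV_IS_IN_FAT, also on SPL_ENV_IS_IN_MMC in the first hunk and in the EXT4, NAND, SPI_FLASH and FLASH hunks below), so the restriction covers only the backends listed today. Any SPL env backend added later has to carry the same line, and nothing fails if it is forgotten. If these entries are contiguous in env/Kconfig, wrapping them once in `if !SPL_OS_BOOT_SECURE` … `endif`, with a short comment naming the reason (falcon_image_file must not come from an external env), would make the exclusion structural. The config entry's help text continues outside this hunk.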
@@ -849,6 +852,7 @@ config SPL_ENV_IS_IN_FAT
 config SPL_ENV_IS_IN_EXT4
 	bool "SPL Environment is in a EXT4 filesystem"
 	depends on !SPL_ENV_IS_NOWHERE
+	depends on !SPL_OS_BOOT_SECURE
 	depends on ENV_IS_IN_EXT4
 	default y
 	help
@@ -857,6 +861,7 @@ config SPL_ENV_IS_IN_EXT4
 config SPL_ENV_IS_IN_NAND
 	bool "SPL Environment in a NAND device"
 	depends on !SPL_ENV_IS_NOWHERE
+	depends on !SPL_OS_BOOT_SECURE
 	depends on ENV_IS_IN_NAND
 	default y
 	help
@@ -865,6 +870,7 @@ config SPL_ENV_IS_IN_NAND
 config SPL_ENV_IS_IN_SPI_FLASH
 	bool "SPL Environment is in SPI flash"
 	depends on !SPL_ENV_IS_NOWHERE
+	depends on !SPL_OS_BOOT_SECURE
 	depends on ENV_IS_IN_SPI_FLASH
 	default y
 	help
@@ -873,6 +879,7 @@ config SPL_ENV_IS_IN_SPI_FLASH
 config SPL_ENV_IS_IN_FLASH
 	bool "SPL Environment in flash memory"
 	depends on !SPL_ENV_IS_NOWHERE
+	depends on !SPL_OS_BOOT_SECURE
 	depends on ENV_IS_IN_FLASH
 	default y
 	help
-- 
2.51.0


