[PATCH v2 5/5] doc: develop: falcon: document unsetting CMD_BOOTx
Anshul Dalal
anshuld at ti.com
Wed Oct 15 12:46:47 CEST 2025
Currently secure falcon mode still allows for booting from raw kernel
images if the support is enabled by (CMD_BOOTI or CMD_BOOTZ).
So, this patch documents the need to explicitly disable those config
options to ensure only a verifiable FIT is a valid payload.
Signed-off-by: Anshul Dalal <anshuld at ti.com>
---
doc/develop/falcon.rst | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/doc/develop/falcon.rst b/doc/develop/falcon.rst
index 528a9c389bf..e40595f49d4 100644
--- a/doc/develop/falcon.rst
+++ b/doc/develop/falcon.rst
@@ -357,6 +357,10 @@ following configuration fragment to enable Falcon Mode:
CONFIG_SPL_FIT_SIGNATURE=y
CONFIG_SPL_RSA=y
+ # Disable support for booting raw kernel image
+ CONFIG_CMD_BOOTI=n
+ CONFIG_CMD_BOOTZ=n
+
# Only support MMC falcon mode
CONFIG_SPL_SPI_FLASH_SUPPORT=n
CONFIG_SPL_NOR_SUPPORT=n
--
2.51.0
More information about the U-Boot
mailing list