[PATCH RFT v1 00/17] Add support for secure falcon mode
Anshul Dalal
anshuld at ti.com
Thu Sep 11 15:13:56 CEST 2025
Hi all,

During the implementation of falcon mode for TI's K3 devices [1], I encountered
several limitations with regard to the current falcon mode support in U-Boot,
especially in ensuring a secure boot flow.

Although the current implementation allows for loading of a signed fitImage as
the SPL payload, there are still a few edge cases that might allow bypassing the
verified boot path.

This series is my attempt at adding a secure variant to the existing falcon
boot mode. Overall the issues with current falcon mode can be boiled down to
the following:

1) No fallback:
   We currently fall back to regular boot flow if falcon mode fails,
   this might not be secure.

2) No arguments file:
   We currently load a kernel file (which could be a raw image or FIT)
   alongside an args file (usually the DT). The args file here doesn't have
   any verification mechanism, so should be skipped altogether as the FIT can
   contain the DT.

3) No access to env:
   In ext and fat fs boot, we currently also read the environment to get the
   names of the kernel and the arg file. This should be disabled in secure
   falcon flow as the env might not be secure.

4) No raw image boot:
   Boot should fail when the kernel file is a raw kernel image, only FIT should
   be allowed.

The series has been tested on TI's AM62x EVM with SPI, MMC Raw and MMC FS with
the fitImage build following TI's Linux SDK[2]. I'm looking for boot tests on
platforms with existing falcon support to ensure no regressions as well as
tests on NAND and NOR boot modes with/without secure falcon boot enabled.

Regards,
Anshul

[1]: https://lore.kernel.org/u-boot/20250603142452.2707171-1-anshuld@ti.com/
[2]: https://software-dl.ti.com/processor-sdk-linux/esd/AM62X/latest/exports/docs/linux/Foundational_Components/U-Boot/UG-Falcon-Mode.html#custom-fitimage-creation

Anshul Dalal (17):
  spl: Kconfig: add SPL_OS_BOOT_SECURE config symbol
  arm: Kconfig: add per device symbols for TI_SECURE
  spl: Kconfig: allow K3 devices to use falcon mode
  spl: fat: load kernel image before args in falcon
  spl: ext: load kernel image before args in falcon
  spl: mmc: load kernel image before args in falcon
  spl: ext,fat: cleanup use of CONFIG_SPL_LIBCOMMON_SUPPORT
  spl: mmc: split spl_mmc_do_fs_boot into regular/os_boot
  spl: ubi: refactor spl_ubi_load_image for falcon mode
  spl: spi: refactor spl_spi_load_image for falcon mode
  spl: nor: refactor spl_nor_load_image for falcon mode
  spl: nand: refactor spl_nand_load_image for falcon mode
  spl: falcon: disable fallback to U-Boot on failure
  spl: falcon: prevent loading args file in secure os boot
  env: Kconfig: disable external env in secure os boot
  Kconfig: disable raw image boot in secure falcon mode
  arm: spl: use fdt addr if arg is unset in falcon mode

arch/arm/Kconfig | 8 +++
arch/arm/lib/spl.c | 2 +
boot/Kconfig | 4 +-
cmd/Kconfig | 3 +-
common/spl/Kconfig | 29 +++++++---
common/spl/spl_ext.c | 63 ++++++++++++----------
common/spl/spl_fat.c | 60 ++++++++++++---------
common/spl/spl_mmc.c | 104 ++++++++++++++++++++++--------------
common/spl/spl_nand.c | 99 +++++++++++++++++++---------------
common/spl/spl_nor.c | 105 +++++++++++++++++++++----------------
common/spl/spl_spi.c | 38 +++++++++++---
common/spl/spl_ubi.c | 50 +++++++++++++-----
env/Kconfig | 1 +
include/system-constants.h | 2 +-
14 files changed, 358 insertions(+), 210 deletions(-)
--
2.51.0
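
The four restrictions listed in the cover letter, modelled as one decision function. This is an added illustration, not code from this series or from U-Boot: the type and function names (`falcon_plan`, `classify_image`, `plan_falcon_boot`) and the sample buffers are hypothetical, and the only format fact assumed is that a FIT is a flattened device tree blob starting with the big-endian magic `0xd00dfeed` followed by its total size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define FDT_MAGIC   0xd00dfeedu /* a FIT is a flattened device tree blob */
#define FDT_HDR_LEN 40u         /* size of the v17 FDT header */

enum img_kind { IMG_MISSING, IMG_BAD_FIT, IMG_FIT, IMG_RAW };
enum action { ACT_FAIL, ACT_FALLBACK_UBOOT, ACT_BOOT_RAW, ACT_BOOT_FIT };

struct falcon_plan {               /* hypothetical, not a U-Boot structure */
    enum action action;
    bool load_args_file;           /* separate args/DT file, unverified */
    bool names_from_env;           /* file names taken from the environment */
};

/* Constructed samples: a minimal 40-byte FDT header and a non-FIT blob. */
const uint8_t sample_fit[40] = { 0xd0, 0x0d, 0xfe, 0xed, 0, 0, 0, 40 };
const uint8_t sample_raw[16] = { 'M', 'Z', 0, 0 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

enum img_kind classify_image(const uint8_t *buf, size_t len)
{
    if (!buf || len == 0)
        return IMG_MISSING;
    if (len < 8 || be32(buf) != FDT_MAGIC)
        return IMG_RAW;
    /* totalsize must cover the header and fit in what was actually loaded */
    uint32_t total = be32(buf + 4);
    return (total >= FDT_HDR_LEN && total <= len) ? IMG_FIT : IMG_BAD_FIT;
}

struct falcon_plan plan_falcon_boot(const uint8_t *buf, size_t len, bool secure)
{
    enum img_kind kind = classify_image(buf, len);
    struct falcon_plan p = { ACT_FAIL, !secure, !secure };

    if (kind == IMG_FIT)
        p.action = ACT_BOOT_FIT;   /* signature verification happens next */
    else if (!secure)              /* non-secure behaviour as described above */
        p.action = (kind == IMG_RAW) ? ACT_BOOT_RAW : ACT_FALLBACK_UBOOT;
    return p;                      /* secure + anything else: ACT_FAIL */
}
```

In the secure case every path that is not a well-formed FIT ends in `ACT_FAIL`, and neither the args file nor the environment is consulted, so no unverified input influences what gets booted.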