[PATCH RFT v1 14/17] spl: falcon: prevent loading args file in secure os boot

Anshul Dalal anshuld at ti.com
Thu Sep 11 15:14:10 CEST 2025


The expected payload for the SPL in secure falcon mode is a fitImage
that contains the kernel image and the DT. This removes the need to load
an additional args file, which would expose an additional attack vector
because it cannot be verified.

Therefore this patch disables loading of the arg file when
SPL_OS_BOOT_SECURE is set.

Signed-off-by: Anshul Dalal <anshuld at ti.com>
---
 common/spl/Kconfig         | 18 +++++++++++-------
 common/spl/spl_ext.c       |  4 ++++
 common/spl/spl_fat.c       |  5 +++++
 common/spl/spl_nand.c      |  5 ++++-
 common/spl/spl_spi.c       |  5 +++++
 common/spl/spl_ubi.c       |  4 ++++
 include/system-constants.h |  2 +-
 7 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index 4f817fd31c5..34e60a224ef 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -796,6 +796,7 @@ config SPL_FS_LOAD_PAYLOAD_NAME
 config SPL_FS_LOAD_KERNEL_NAME
 	string "File to load for the OS kernel from the filesystem"
 	depends on (SPL_FS_EXT4 || SPL_FS_FAT || SPL_FS_SQUASHFS) && SPL_OS_BOOT
+	default "fitImage" if SPL_OS_BOOT_SECURE
 	default "uImage"
 	help
 	  Filename to read to load for the OS kernel when reading from the
@@ -803,7 +804,8 @@ config SPL_FS_LOAD_KERNEL_NAME
 
 config SPL_FS_LOAD_ARGS_NAME
 	string "File to load for the OS kernel argument parameters from the filesystem"
-	depends on (SPL_FS_EXT4 || SPL_FS_FAT || SPL_FS_SQUASHFS) && SPL_OS_BOOT
+	depends on (SPL_FS_EXT4 || SPL_FS_FAT || SPL_FS_SQUASHFS) && SPL_OS_BOOT \
+		&& !(SPL_OS_BOOT_SECURE)
 	default "args"
 	help
 	  Filename to read to load for the OS kernel argument parameters from
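Review bot: The new dependency is written as `!(SPL_OS_BOOT_SECURE)`, while every other hunk in this file spells the same condition `!SPL_OS_BOOT_SECURE`; the parentheses around a single symbol add nothing. For consistency write the continuation line as `&& !SPL_OS_BOOT_SECURE`.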
@@ -1121,7 +1123,7 @@ config SPL_UBI_LOAD_KERNEL_ID
 
 config SPL_UBI_LOAD_ARGS_ID
 	int "id of kernel args volume"
-	depends on SPL_OS_BOOT
+	depends on SPL_OS_BOOT && !SPL_OS_BOOT_SECURE
 	help
 	  The UBI volume id from which to load the device tree
 
@@ -1217,7 +1219,8 @@ config SPL_OS_BOOT_SECURE
 
 config SPL_PAYLOAD_ARGS_ADDR
 	hex "Address in memory to load 'args' file for Falcon Mode to"
-	depends on SPL_OS_BOOT || SPL_LOAD_FIT_OPENSBI_OS_BOOT
+	depends on (SPL_OS_BOOT || SPL_LOAD_FIT_OPENSBI_OS_BOOT) \
+		&& !SPL_OS_BOOT_SECURE
 	default 0x88000000 if ARCH_OMAP2PLUS
 	default 0x99000000 if ARCH_SC5XX && SC59X_64
 	default 0xA0000000 if ARCH_SC5XX && TARGET_SC594_SOM_EZKIT
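Review bot: Nothing in this hunk records that the absence of SPL_PAYLOAD_ARGS_ADDR is what the C sources in this series (spl_ext.c, spl_fat.c, spl_nand.c, spl_spi.c, spl_ubi.c and system-constants.h) now key on to skip the args load, so a later edit to this `depends on` line could silently re-enable it. A help line such as `Not available with SPL_OS_BOOT_SECURE; SPL code uses the absence of this symbol to skip loading the args payload.` would make that coupling explicit. Any existing help text for this option lies outside the hunk.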
@@ -1257,7 +1260,7 @@ config SYS_MMCSD_RAW_MODE_KERNEL_SECTOR
 
 config SYS_MMCSD_RAW_MODE_ARGS_SECTOR
 	hex "Falcon mode: Sector to load 'args' from MMC"
-	depends on SPL_FALCON_BOOT_MMCSD
+	depends on SPL_FALCON_BOOT_MMCSD && !SPL_OS_BOOT_SECURE
 	help
 	  When Falcon mode is used with an MMC or SD media, SPL needs to know
 	  where to look for the OS 'args', typically a device tree. The
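Review bot: SYS_MMCSD_RAW_MODE_ARGS_SECTOR becomes undefined under SPL_OS_BOOT_SECURE here, yet the file that consumes it (presumably common/spl/spl_mmc.c) is not in the diffstat, unlike the ext4, FAT, NAND, SPI and UBI loaders. If its raw-mode args read is already wrapped in a `#if defined(CONFIG_SYS_MMCSD_RAW_MODE_ARGS_SECTOR)` style guard this is harmless, but that is inferred rather than visible; a build with SPL_FALCON_BOOT_MMCSD and SPL_OS_BOOT_SECURE both enabled would confirm it. The SYS_MMCSD_RAW_MODE_ARGS_SECTORS hunk that follows has the same consumer.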
@@ -1267,7 +1270,8 @@ config SYS_MMCSD_RAW_MODE_ARGS_SECTOR
 
 config SYS_MMCSD_RAW_MODE_ARGS_SECTORS
 	hex "Falcon mode: Number of sectors to load for 'args' from MMC"
-	depends on SPL_FALCON_BOOT_MMCSD && SYS_MMCSD_RAW_MODE_ARGS_SECTOR != 0x0
+	depends on SPL_FALCON_BOOT_MMCSD && SYS_MMCSD_RAW_MODE_ARGS_SECTOR != 0x0 \
+		&& !SPL_OS_BOOT_SECURE
 
 config SPL_PAYLOAD
 	string "SPL payload"
@@ -1503,14 +1507,14 @@ config SYS_SPI_KERNEL_OFFS
 
 config SYS_SPI_ARGS_OFFS
 	hex "Falcon mode: address of args payload in SPI flash"
-	depends on SPL_SPI_FLASH_SUPPORT && SPL_OS_BOOT
+	depends on SPL_SPI_FLASH_SUPPORT && SPL_OS_BOOT && !SPL_OS_BOOT_SECURE
 	help
 	 Address within SPI-Flash from where the args payload (usually the
 	 dtb) is fetched in falcon boot.
 
 config SYS_SPI_ARGS_SIZE
 	hex "Falcon mode: size of args payload in SPI flash"
-	depends on SPL_SPI_FLASH_SUPPORT && SPL_OS_BOOT
+	depends on SPL_SPI_FLASH_SUPPORT && SPL_OS_BOOT && !SPL_OS_BOOT_SECURE
 
 config SPL_THERMAL
 	bool "Driver support for thermal devices"
diff --git a/common/spl/spl_ext.c b/common/spl/spl_ext.c
index f556986bf5a..001060afe96 100644
--- a/common/spl/spl_ext.c
+++ b/common/spl/spl_ext.c
@@ -104,6 +104,7 @@ int spl_load_image_ext_os(struct spl_image_info *spl_image,
 			puts("spl: falling back to default\n");
 			goto defaults;
 		}
+#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
 		file = env_get("falcon_args_file");
 		if (file) {
 			err = ext4fs_open(file, &filelen);
@@ -122,6 +123,7 @@ int spl_load_image_ext_os(struct spl_image_info *spl_image,
 		} else {
 			puts("spl: falcon_args_file not set in environment, falling back to default\n");
 		}
+#endif
 	} else {
 		puts("spl: falcon_image_file not set in environment, falling back to default\n");
 	}
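Review bot: With CONFIG_SPL_PAYLOAD_ARGS_ADDR unset, a successful load of the env-selected `falcon_image_file` now has no early return on this path: the compiled-out block appears to hold the only `return 0;` (it sits in the lines elided between the two hunks, so this is inferred), and control falls through to `defaults:`, which reloads CONFIG_SPL_FS_LOAD_KERNEL_NAME over the image just read. spl_fat.c shows the same pattern, with its `return 0;` visible at the top of its second hunk. Either add `#else` / `return 0;` immediately before the new `#endif` in both files, or skip the `falcon_image_file` environment lookup altogether in secure mode so that the unverified environment does not select the image and the redundant read disappears. spl_load_image_ext_os begins outside the hunk.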
@@ -134,6 +136,7 @@ defaults:
 	if (err)
 		return err;
 
+#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
 	err = ext4fs_open(CONFIG_SPL_FS_LOAD_ARGS_NAME, &filelen);
 	if (err < 0) {
 		puts("spl: ext4fs_open failed\n");
@@ -148,6 +151,7 @@ defaults:
 #endif
 		return -1;
 	}
+#endif
 
 	return 0;
 }
diff --git a/common/spl/spl_fat.c b/common/spl/spl_fat.c
index 80e800b4755..8a724aa8acb 100644
--- a/common/spl/spl_fat.c
+++ b/common/spl/spl_fat.c
@@ -131,6 +131,7 @@ int spl_load_image_fat_os(struct spl_image_info *spl_image,
 			goto defaults;
 		}
 
+#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
 		file = env_get("falcon_args_file");
 		if (file) {
 			err = file_fat_read(
@@ -143,6 +144,8 @@ int spl_load_image_fat_os(struct spl_image_info *spl_image,
 			return 0;
 		} else
 			puts("spl: falcon_args_file not set in environment, falling back to default\n");
+#endif
+
 	} else
 		puts("spl: falcon_image_file not set in environment, falling back to default\n");
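Review bot: The empty line inserted after the new `#endif` sits directly before `} else`, which checkpatch reports as an unnecessary blank line before a closing brace. Drop it so the block reads `#endif` followed immediately by `} else`. spl_load_image_fat_os starts outside the hunk.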
 
@@ -154,6 +157,7 @@ defaults:
 	if (err)
 		return err;
 
+#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
 	err = file_fat_read(CONFIG_SPL_FS_LOAD_ARGS_NAME,
 			    (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR, 0);
 	if (err <= 0) {
@@ -161,6 +165,7 @@ defaults:
 		       CONFIG_SPL_FS_LOAD_ARGS_NAME, err);
 		return err;
 	}
+#endif
 
 	return 0;
 }
diff --git a/common/spl/spl_nand.c b/common/spl/spl_nand.c
index ff7087da1df..6c58a41ceef 100644
--- a/common/spl/spl_nand.c
+++ b/common/spl/spl_nand.c
@@ -79,7 +79,7 @@ static int spl_nand_load_element(struct spl_image_info *spl_image,
 static int spl_nand_load_image_os(struct spl_image_info *spl_image,
 				  struct spl_boot_device *bootdev)
 {
-	int *src, *dst, err;
+	int err;
 	struct legacy_img_hdr *header = spl_get_load_buffer(0, sizeof(*header));
 
 	/* load linux */
@@ -102,6 +102,8 @@ static int spl_nand_load_image_os(struct spl_image_info *spl_image,
 	if (err)
 		return err;
 
+#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
+	int *src, *dst;
 	/*
 	 * load parameter image load to temp position since nand_spl_load_image
 	 * reads a whole block which is typically larger than
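Review bot: `int *src, *dst;` is now declared mid-function immediately after `#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR`, with the block comment on the very next line and no blank line between them, which U-Boot's checkpatch flags as a missing blank line after declarations. Since the surrounding code keeps its locals at the top of the function, consider keeping the declaration in the first hunk's declaration block instead, as `int err;` followed by `#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR` / `int *src, *dst;` / `#endif`, which also avoids the mixed declaration. The body of spl_nand_load_image_os continues past the hunk.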
@@ -117,6 +119,7 @@ static int spl_nand_load_image_os(struct spl_image_info *spl_image,
 	     src++, dst++) {
 		writel(readl(src), dst);
 	}
+#endif
 
 	return 0;
 }
diff --git a/common/spl/spl_spi.c b/common/spl/spl_spi.c
index cbc864809fe..5fe21f0bf0f 100644
--- a/common/spl/spl_spi.c
+++ b/common/spl/spl_spi.c
@@ -61,10 +61,15 @@ static int spl_spi_load_image_os(struct spl_image_info *spl_image,
 	if (err)
 		return err;
 
+#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
 	/* Read device tree. */
 	return spi_flash_read(flash, CONFIG_SYS_SPI_ARGS_OFFS,
 			      CONFIG_SYS_SPI_ARGS_SIZE,
 			      (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR);
+#else
+	return 0;
+#endif
+
 }
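Review bot: The new `#endif` is followed by an empty line before the closing `}` of spl_spi_load_image_os, which checkpatch warns about as a blank line before a close brace; remove the empty line at the end of the function. The start of the function lies outside the hunk.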
 #endif
 
diff --git a/common/spl/spl_ubi.c b/common/spl/spl_ubi.c
index 3c6f80de7d9..c43182c6415 100644
--- a/common/spl/spl_ubi.c
+++ b/common/spl/spl_ubi.c
@@ -22,10 +22,14 @@ int spl_ubi_load_image_os(struct spl_image_info *spl_image,
 
 	volumes[0].vol_id = CONFIG_SPL_UBI_LOAD_KERNEL_ID;
 	volumes[0].load_addr = (void *)CONFIG_SYS_LOAD_ADDR;
+#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
 	volumes[1].vol_id = CONFIG_SPL_UBI_LOAD_ARGS_ID;
 	volumes[1].load_addr = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
 
 	err = ubispl_load_volumes(info, volumes, 2);
+#else
+	err = ubispl_load_volumes(info, volumes, 1);
+#endif
 	if (err)
 		return err;
 
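Review bot: The `ubispl_load_volumes` call is now duplicated across the `#ifdef` / `#else` arms, differing only in the volume count, so any future change to the call has to be made twice. A single call site with a count variable set inside the conditional keeps the logic in one place; `nvol` would be declared with the other locals at the top of spl_ubi_load_image_os, which is outside the hunk.
```c
	/* … unchanged: volumes[0] setup … */
#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
	volumes[1].vol_id = CONFIG_SPL_UBI_LOAD_ARGS_ID;
	volumes[1].load_addr = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
	nvol = 2;
#endif
	err = ubispl_load_volumes(info, volumes, nvol);
```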
diff --git a/include/system-constants.h b/include/system-constants.h
index e09fc418a47..d5300428a39 100644
--- a/include/system-constants.h
+++ b/include/system-constants.h
@@ -37,7 +37,7 @@
 	IF_ENABLED_INT(CONFIG_SPL_SYS_MALLOC, CONFIG_SPL_SYS_MALLOC_SIZE)
 
 /* deal with an optional value */
-#ifdef CONFIG_SPL_OS_BOOT
+#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
 #define SPL_PAYLOAD_ARGS_ADDR	CONFIG_SPL_PAYLOAD_ARGS_ADDR
 #else
 #define SPL_PAYLOAD_ARGS_ADDR	0
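Review bot: The comment `/* deal with an optional value */` no longer says why the value may be absent now that the guard keys on CONFIG_SPL_PAYLOAD_ARGS_ADDR, which the Kconfig hunk makes unavailable under SPL_OS_BOOT_SECURE. Expanding it to something like `/* 0 when no args payload is loaded, e.g. SPL_OS_BOOT_SECURE builds */` tells readers that a zero SPL_PAYLOAD_ARGS_ADDR means "not configured" rather than a real load address. The `#endif` that closes this conditional is outside the hunk.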
-- 
2.51.0


