[PATCH RFT v1 16/17] Kconfig: disable raw image boot in secure falcon mode
Anshul Dalal
anshuld at ti.com
Thu Sep 11 15:14:12 CEST 2025
CMD_BOOTI and CMD_BOOZ enable support for booting raw kernel images in
falcon mode. This is insecure since raw images can not be authenticated,
therefore disable those configs when SPL_OS_BOOT_SECURE is set.
Signed-off-by: Anshul Dalal <anshuld at ti.com>
---
boot/Kconfig | 4 ++--
cmd/Kconfig | 3 ++-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/boot/Kconfig b/boot/Kconfig
index 124f6db3e6e..ddb7a82b374 100644
--- a/boot/Kconfig
+++ b/boot/Kconfig
@@ -422,8 +422,8 @@ config BOOT_DEFAULTS_CMDS
select CMD_DHCP if CMD_NET
select CMD_PING if CMD_NET
select CMD_PXE if CMD_NET
- select CMD_BOOTI if ARM64
- select CMD_BOOTZ if ARM && !ARM64
+ select CMD_BOOTI if ARM64 && !SPL_OS_BOOT_SECURE
+ select CMD_BOOTZ if ARM && !ARM64 && !SPL_OS_BOOT_SECURE
imply CMD_MII if NET
config BOOT_DEFAULTS
diff --git a/cmd/Kconfig b/cmd/Kconfig
index 29de857ba7c..c4828ed90a4 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -360,12 +360,13 @@ config BOOTM_ELF
config CMD_BOOTZ
bool "bootz"
+ depends on !SPL_OS_BOOT_SECURE
help
Boot the Linux zImage
config CMD_BOOTI
bool "booti"
- depends on ARM64 || RISCV || SANDBOX
+ depends on (ARM64 || RISCV || SANDBOX) && !SPL_OS_BOOT_SECURE
default y
help
Boot an AArch64 Linux Kernel image from memory.
--
2.51.0
More information about the U-Boot
mailing list