[PATCH RFT v1 15/17] env: Kconfig: disable external env in secure os boot
Tom Rini
trini at konsulko.com
Thu Sep 11 19:29:35 CEST 2025
On Thu, Sep 11, 2025 at 06:44:11PM +0530, Anshul Dalal wrote:
> Falcon mode uses falcon_image_file from the env during mmc fs boot, but
> external env can be compromised. Therefore disable access to external
> env by setting SPL_ENV_IS_NOWHERE when SPL_OS_BOOT_SECURE is set.
>
> Signed-off-by: Anshul Dalal <anshuld at ti.com>
> ---
> env/Kconfig | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/env/Kconfig b/env/Kconfig
> index 03c189b7266..d68cb90f3a4 100644
> --- a/env/Kconfig
> +++ b/env/Kconfig
> @@ -827,6 +827,7 @@ if SPL_ENV_SUPPORT
> config SPL_ENV_IS_NOWHERE
> bool "SPL Environment is not stored"
> default y if ENV_IS_NOWHERE
> + default y if SPL_OS_BOOT_SECURE
> help
> Similar to ENV_IS_NOWHERE, used for SPL environment.
You're going to need to do a bit more here on the symbols, this is the
right default but you could still select other locations (so all of the
SPL_ENV_... locations need a test on depends on .. &&
!SPL_OS_BOOT_SECURE too).
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20250911/00e6a727/attachment.sig>
More information about the U-Boot
mailing list