diff options
author | Tom Rini <trini@konsulko.com> | 2025-10-07 13:02:52 -0600 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2025-10-07 13:02:52 -0600 |
commit | 6f180984700fdff706e3a0ed6d84ce7ca50f17fc (patch) | |
tree | 108db3d329fa72282961432300f06ff62983a2a2 | |
parent | 0eaa4b337336dbbe93395d1f2ccc18937eaafea2 (diff) | |
parent | d0b5b33c4fa7555d142a02edf07ba259691360b3 (diff) |
Merge patch series "Add support for secure falcon mode: load kernel image before args"
Anshul Dalal <anshuld@ti.com> says:
During the implementation of falcon mode for TI's K3 devices [1], I encountered
several limitations in regards to the current falcon mode support in U-Boot
especially in ensuring a secure boot flow.
Although the current implementation allows for loading of a signed fitImage as
the SPL payload, there are still a few edge cases that might allow bypassing the
verified boot path.
The following issues with current falcon mode need to be resolved:
1) No fallback:
We currently fallback to regular boot flow if falcon mode fails,
this might not be secure.
2) No arguments file:
We currently load a kernel file (which could be a raw image or FIT)
alongside an args file (usually the DT). The args file here doesn't have
any verification mechanism, so should be skipped altogether as the FIT can
contain the DT.
3) No access to env:
In ext and fat fs boot, currently we also reads the environment to get the
names of the kernel and the arg file. This should be disabled in secure
falcon flow as the env might not be secure.
4) No raw image boot:
Boot should fail when the kernel file is a raw kernel image, only FIT should
be allowed.
As per the recommendation of maintainers[2], I have decided to split the above
set of tasks into multiple patch series. This is the first one which fixes the
load order of kernel image and the args file in falcon mode. Along with some
minor cleanup.
[1]: https://lore.kernel.org/u-boot/20250603142452.2707171-1-anshuld@ti.com/
[2]: https://lore.kernel.org/u-boot/20250911172313.GT124814@bill-the-cat/
Link: https://lore.kernel.org/r/20250923124639.667718-1-anshuld@ti.com
-rw-r--r-- | common/spl/spl_ext.c | 64 | ||||
-rw-r--r-- | common/spl/spl_fat.c | 47 | ||||
-rw-r--r-- | common/spl/spl_mmc.c | 20 |
3 files changed, 68 insertions, 63 deletions
diff --git a/common/spl/spl_ext.c b/common/spl/spl_ext.c index 7e0274a3058..c66ba03feb2 100644 --- a/common/spl/spl_ext.c +++ b/common/spl/spl_ext.c @@ -47,9 +47,7 @@ int spl_load_image_ext(struct spl_image_info *spl_image, err = ext4fs_mount(); if (!err) { -#ifdef CONFIG_SPL_LIBCOMMON_SUPPORT printf("%s: ext4fs mount err - %d\n", __func__, err); -#endif return -1; } @@ -63,11 +61,9 @@ int spl_load_image_ext(struct spl_image_info *spl_image, err = spl_load(spl_image, bootdev, &load, filelen, 0); end: -#ifdef CONFIG_SPL_LIBCOMMON_SUPPORT if (err < 0) printf("%s: error reading image %s, err - %d\n", __func__, filename, err); -#endif return err < 0; } @@ -91,60 +87,68 @@ int spl_load_image_ext_os(struct spl_image_info *spl_image, err = ext4fs_mount(); if (!err) { -#ifdef CONFIG_SPL_LIBCOMMON_SUPPORT printf("%s: ext4fs mount err - %d\n", __func__, err); -#endif return -1; } -#if defined(CONFIG_SPL_ENV_SUPPORT) - file = env_get("falcon_args_file"); + + if (!CONFIG_IS_ENABLED(ENV_SUPPORT)) + goto defaults; + + file = env_get("falcon_image_file"); if (file) { - err = ext4fs_open(file, &filelen); - if (err < 0) { - puts("spl: ext4fs_open failed\n"); - goto defaults; - } - err = ext4fs_read((void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR, 0, filelen, &actlen); - if (err < 0) { - printf("spl: error reading image %s, err - %d, falling back to default\n", - file, err); + err = spl_load_image_ext(spl_image, bootdev, block_dev, + partition, file); + if (err != 0) { + puts("spl: falling back to default\n"); goto defaults; } - file = env_get("falcon_image_file"); + + ext4fs_set_blk_dev(block_dev, &part_info); + ext4fs_mount(); + file = env_get("falcon_args_file"); if (file) { - err = spl_load_image_ext(spl_image, bootdev, block_dev, - partition, file); - if (err != 0) { - puts("spl: falling back to default\n"); + err = ext4fs_open(file, &filelen); + if (err < 0) { + puts("spl: ext4fs_open failed\n"); + goto defaults; + } + err = ext4fs_read((void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR, + 0, filelen, &actlen); + if (err < 0) { + printf("spl: error reading args %s, err - %d, falling back to default\n", + file, err); goto defaults; } - return 0; } else { - puts("spl: falcon_image_file not set in environment, falling back to default\n"); + puts("spl: falcon_args_file not set in environment, falling back to default\n"); } } else { - puts("spl: falcon_args_file not set in environment, falling back to default\n"); + puts("spl: falcon_image_file not set in environment, falling back to default\n"); } defaults: -#endif + err = spl_load_image_ext(spl_image, bootdev, block_dev, partition, + CONFIG_SPL_FS_LOAD_KERNEL_NAME); + + if (err) + return err; + + ext4fs_set_blk_dev(block_dev, &part_info); + ext4fs_mount(); err = ext4fs_open(CONFIG_SPL_FS_LOAD_ARGS_NAME, &filelen); if (err < 0) puts("spl: ext4fs_open failed\n"); err = ext4fs_read((void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR, 0, filelen, &actlen); if (err < 0) { -#ifdef CONFIG_SPL_LIBCOMMON_SUPPORT printf("%s: error reading image %s, err - %d\n", __func__, CONFIG_SPL_FS_LOAD_ARGS_NAME, err); -#endif return -1; } - return spl_load_image_ext(spl_image, bootdev, block_dev, partition, - CONFIG_SPL_FS_LOAD_KERNEL_NAME); + return 0; } #else int spl_load_image_ext_os(struct spl_image_info *spl_image, diff --git a/common/spl/spl_fat.c b/common/spl/spl_fat.c index 8b7cafa7291..dc52bd13cec 100644 --- a/common/spl/spl_fat.c +++ b/common/spl/spl_fat.c @@ -34,9 +34,7 @@ static int spl_register_fat_device(struct blk_desc *block_dev, int partition) err = fat_register_device(block_dev, partition); if (err) { -#ifdef CONFIG_SPL_LIBCOMMON_SUPPORT printf("%s: fat register err - %d\n", __func__, err); -#endif return err; } @@ -98,11 +96,9 @@ int spl_load_image_fat(struct spl_image_info *spl_image, err = spl_load(spl_image, bootdev, &load, size, 0); end: -#ifdef CONFIG_SPL_LIBCOMMON_SUPPORT if (err < 0) printf("%s: error reading image %s, err - %d\n", __func__, filename, err); -#endif return err; } @@ -119,45 +115,50 @@ int spl_load_image_fat_os(struct spl_image_info *spl_image, if (err) return err; -#if defined(CONFIG_SPL_ENV_SUPPORT) && defined(CONFIG_SPL_OS_BOOT) - file = env_get("falcon_args_file"); + if (!CONFIG_IS_ENABLED(ENV_SUPPORT)) + goto defaults; + + file = env_get("falcon_image_file"); if (file) { - err = file_fat_read(file, (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR, 0); - if (err <= 0) { - printf("spl: error reading image %s, err - %d, falling back to default\n", - file, err); + err = spl_load_image_fat(spl_image, bootdev, block_dev, + partition, file); + if (err != 0) { + puts("spl: falling back to default\n"); goto defaults; } - file = env_get("falcon_image_file"); + + file = env_get("falcon_args_file"); if (file) { - err = spl_load_image_fat(spl_image, bootdev, block_dev, - partition, file); - if (err != 0) { - puts("spl: falling back to default\n"); + err = file_fat_read( + file, (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR, 0); + if (err <= 0) { + printf("spl: error reading args %s, err - %d, falling back to default\n", + file, err); goto defaults; } - return 0; } else - puts("spl: falcon_image_file not set in environment, falling back to default\n"); + puts("spl: falcon_args_file not set in environment, falling back to default\n"); } else - puts("spl: falcon_args_file not set in environment, falling back to default\n"); + puts("spl: falcon_image_file not set in environment, falling back to default\n"); defaults: -#endif + + err = spl_load_image_fat(spl_image, bootdev, block_dev, partition, + CONFIG_SPL_FS_LOAD_KERNEL_NAME); + + if (err) + return err; err = file_fat_read(CONFIG_SPL_FS_LOAD_ARGS_NAME, (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR, 0); if (err <= 0) { -#ifdef CONFIG_SPL_LIBCOMMON_SUPPORT printf("%s: error reading image %s, err - %d\n", __func__, CONFIG_SPL_FS_LOAD_ARGS_NAME, err); -#endif return -1; } - return spl_load_image_fat(spl_image, bootdev, block_dev, partition, - CONFIG_SPL_FS_LOAD_KERNEL_NAME); + return 0; } #else int spl_load_image_fat_os(struct spl_image_info *spl_image, diff --git a/common/spl/spl_mmc.c b/common/spl/spl_mmc.c index d06f9f0dee6..cd56cf71055 100644 --- a/common/spl/spl_mmc.c +++ b/common/spl/spl_mmc.c @@ -152,6 +152,16 @@ static int mmc_load_image_raw_os(struct spl_image_info *spl_image, { int ret; + ret = mmc_load_image_raw_sector(spl_image, bootdev, mmc, + CONFIG_SYS_MMCSD_RAW_MODE_KERNEL_SECTOR); + if (ret) + return ret; + + if (spl_image->os != IH_OS_LINUX && spl_image->os != IH_OS_TEE) { + puts("Expected image is not found. Trying to start U-Boot\n"); + return -ENOENT; + } + #if defined(CONFIG_SYS_MMCSD_RAW_MODE_ARGS_SECTOR) unsigned long count; @@ -165,16 +175,6 @@ static int mmc_load_image_raw_os(struct spl_image_info *spl_image, } #endif /* CONFIG_SYS_MMCSD_RAW_MODE_ARGS_SECTOR */ - ret = mmc_load_image_raw_sector(spl_image, bootdev, mmc, - CONFIG_SYS_MMCSD_RAW_MODE_KERNEL_SECTOR); - if (ret) - return ret; - - if (spl_image->os != IH_OS_LINUX && spl_image->os != IH_OS_TEE) { - puts("Expected image is not found. Trying to start U-Boot\n"); - return -ENOENT; - } - return 0; } #else |