path: root/common/spl/spl_mmc.c
author Tom Rini <trini@konsulko.com> 2025-10-07 13:02:52 -0600
committer Tom Rini <trini@konsulko.com> 2025-10-07 13:02:52 -0600
commit 6f180984700fdff706e3a0ed6d84ce7ca50f17fc (patch)
tree 108db3d329fa72282961432300f06ff62983a2a2 /common/spl/spl_mmc.c
parent 0eaa4b337336dbbe93395d1f2ccc18937eaafea2 (diff)
parent d0b5b33c4fa7555d142a02edf07ba259691360b3 (diff)
Merge patch series "Add support for secure falcon mode: load kernel image before args"
Anshul Dalal <anshuld@ti.com> says:

During the implementation of falcon mode for TI's K3 devices [1], I encountered several limitations in regards to the current falcon mode support in U-Boot especially in ensuring a secure boot flow.

Although the current implementation allows for loading of a signed fitImage as the SPL payload, there are still a few edge cases that might allow bypassing the verified boot path.

The following issues with current falcon mode need to be resolved:

1) No fallback: We currently fall back to regular boot flow if falcon mode fails, this might not be secure.

2) No arguments file: We currently load a kernel file (which could be a raw image or FIT) alongside an args file (usually the DT). The args file here doesn't have any verification mechanism, so should be skipped altogether as the FIT can contain the DT.

3) No access to env: In ext and fat fs boot, currently we also read the environment to get the names of the kernel and the arg file. This should be disabled in secure falcon flow as the env might not be secure.

4) No raw image boot: Boot should fail when the kernel file is a raw kernel image, only FIT should be allowed.

As per the recommendation of maintainers [2], I have decided to split the above set of tasks into multiple patch series. This is the first one which fixes the load order of kernel image and the args file in falcon mode. Along with some minor cleanup.

[1]: https://lore.kernel.org/u-boot/20250603142452.2707171-1-anshuld@ti.com/
[2]: https://lore.kernel.org/u-boot/20250911172313.GT124814@bill-the-cat/

Link: https://lore.kernel.org/r/20250923124639.667718-1-anshuld@ti.com
Diffstat (limited to 'common/spl/spl_mmc.c')
-rw-r--r-- common/spl/spl_mmc.c 20
1 files changed, 10 insertions, 10 deletions
diff --git a/common/spl/spl_mmc.c b/common/spl/spl_mmc.c
index d06f9f0dee6..cd56cf71055 100644
--- a/common/spl/spl_mmc.c
+++ b/common/spl/spl_mmc.c
@@ -152,6 +152,16 @@ static int mmc_load_image_raw_os(struct spl_image_info *spl_image,
{
int ret;
+ ret = mmc_load_image_raw_sector(spl_image, bootdev, mmc,
+ CONFIG_SYS_MMCSD_RAW_MODE_KERNEL_SECTOR);
+ if (ret)
+ return ret;
+
+ if (spl_image->os != IH_OS_LINUX && spl_image->os != IH_OS_TEE) {
+ puts("Expected image is not found. Trying to start U-Boot\n");
+ return -ENOENT;
+ }
+
#if defined(CONFIG_SYS_MMCSD_RAW_MODE_ARGS_SECTOR)
unsigned long count;
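Review bot: the relocated load-and-check block now sits between `int ret;` and `unsigned long count;`, so when CONFIG_SYS_MMCSD_RAW_MODE_ARGS_SECTOR is defined that declaration follows executable statements. Consider moving `unsigned long count;` up beside `int ret;` under its own #if guard so declarations stay at the top of the function. Separately, the message "Expected image is not found. Trying to start U-Boot" is carried over unchanged even though the series description lists the fallback to regular boot as something to remove for secure falcon mode; a short comment above the moved block stating that the kernel image is loaded and its OS type checked before the args sector is read would document the new ordering for the follow-up series.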
@@ -165,16 +175,6 @@ static int mmc_load_image_raw_os(struct spl_image_info *spl_image,
}
#endif /* CONFIG_SYS_MMCSD_RAW_MODE_ARGS_SECTOR */
- ret = mmc_load_image_raw_sector(spl_image, bootdev, mmc,
- CONFIG_SYS_MMCSD_RAW_MODE_KERNEL_SECTOR);
- if (ret)
- return ret;
-
- if (spl_image->os != IH_OS_LINUX && spl_image->os != IH_OS_TEE) {
- puts("Expected image is not found. Trying to start U-Boot\n");
- return -ENOENT;
- }
-
return 0;
}
#else
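Review bot: with the kernel load removed from the tail, the function now ends with the args block followed directly by `return 0;`, so any error return inside the CONFIG_SYS_MMCSD_RAW_MODE_ARGS_SECTOR block happens after spl_image has already been filled in from the kernel sector. Please confirm that the caller does not act on that populated spl_image when this function returns non-zero, or reset it on the args failure path. The body of the args block is not visible in this hunk, so this is a question to check rather than a confirmed defect.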