On Tue May 6, 2025 at 8:03 PM IST, Andrew Davis wrote:
> On 4/28/25 9:12 AM, Anshul Dalal wrote:
>> Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
>> ("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
>> HS devices and can be enabled on K3 devices.
>>
>> For secure boot, the kernel with x509 headers can be packaged in a fit
>
> "can be", this is the issue. Security is not just allowing methods that
> are security checked, but forcing the use of such methods. Setting
> OS_BOOT opens up several paths that look for non-FIT images. These
> images do not enforce authentication like FIT does. This means one can
> bypass secure boot when OS_BOOT is enabled by simply placing a non-FIT
> boot image on the boot media.
>
As per spl_load_image_ext_os, the SPL first tries to load the file set in
the falcon_args_file env variable, but it is not set in our case, and the
only way to set it is by rebuilding U-Boot, as uEnv.txt is not supported at
the SPL stage. This means the SPL only loads CONFIG_SPL_FS_LOAD_ARGS_NAME
and CONFIG_SPL_FS_LOAD_KERNEL_NAME, which are set to the DTB and fitImage
respectively. Following that, authentication is enforced during FIT loading
by the call to board_fit_image_post_process in load_simple_fit. So even if
the fitImage was modified, boot would fail without valid signatures on
HS-SE devices.

- Anshul

>> container (fitImage) signed with TIFS keys for authentication.
>>
>> Signed-off-by: Anshul Dalal <ansh...@ti.com>
>> ---
>> common/spl/Kconfig | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/common/spl/Kconfig b/common/spl/Kconfig
>> index c08045f9c8d..68e900e9b91 100644
>> --- a/common/spl/Kconfig
>> +++ b/common/spl/Kconfig
>> @@ -1165,7 +1165,7 @@ config SPL_ONENAND_SUPPORT
>>
>> config SPL_OS_BOOT
>> bool "Activate Falcon Mode"
>> - depends on !TI_SECURE_DEVICE
>> + depends on !TI_SECURE_DEVICE || ARCH_K3
>> help
>> Enable booting directly to an OS from SPL.
>> for more info read doc/README.falcon
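Review bot: the relaxed dependency `depends on !TI_SECURE_DEVICE || ARCH_K3` makes Falcon mode selectable on K3 secure devices without anything in Kconfig tying it to the authenticated FIT path that the reply relies on; the argument that signatures are enforced rests on falcon_args_file being unset and on CONFIG_SPL_FS_LOAD_KERNEL_NAME naming a fitImage, and neither is constrained by this hunk, so the non-FIT load paths Andrew raised remain reachable by configuration. Consider narrowing the K3 exception so that it also requires the SPL FIT loading path and its signature verification to be enabled, rather than ARCH_K3 alone, and extend the help text (which still reads only `Enable booting directly to an OS from SPL.`) with a sentence stating that on TI secure devices the Falcon payload must be a signed FIT, so the constraint is documented where the option is turned on. The commit message should also record why the K3 case is safe, since "can be packaged in a fit" is exactly the wording that was objected to.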