On 5/6/25 10:33 PM, Anshul Dalal wrote:
On Tue May 6, 2025 at 8:03 PM IST, Andrew Davis wrote:
On 4/28/25 9:12 AM, Anshul Dalal wrote:
Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
HS devices and can be enabled on K3 devices.

For secure boot, the kernel with x509 headers can be packaged in a fit

"can be", this is the issue. Security is not just allowing methods that
are security checked, but forcing the use of such methods. Setting
OS_BOOT opens up several paths that look for non-FIT images. These
images do not enforce authentication like FIT does. This means one can
bypass secure boot when OS_BOOT is enabled by simply placing a non-FIT
boot image on the boot media.


As per spl_load_image_ext_os, the SPL first tries to load the file set
in the falcon_args_file env variable, but it's not set in our case, and
the only way to set it is by rebuilding U-Boot, as uEnv.txt is not
supported at the SPL stage.

This means the SPL only loads CONFIG_SPL_FS_LOAD_ARGS_NAME and
CONFIG_SPL_FS_LOAD_KERNEL_NAME which are set as the DTB and fitImage

What is stopping me from replacing the content of the file "fitImage"
with a normal kernel image? When loading that image the file type
will be detected as a normal kernel image and all FIT logic bypassed,
including authentication, breaking our secure chain of trust.

Andrew

respectively. Following that, authentication is enforced during FIT
loading by the call to board_fit_image_post_process in load_simple_fit.

So even if the fitImage was modified, boot would fail without valid
signatures on HS-SE devices.

- Anshul

container (fitImage) signed with TIFS keys for authentication.

Signed-off-by: Anshul Dalal <ansh...@ti.com>
---
   common/spl/Kconfig | 2 +-
   1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index c08045f9c8d..68e900e9b91 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -1165,7 +1165,7 @@ config SPL_ONENAND_SUPPORT
config SPL_OS_BOOT
        bool "Activate Falcon Mode"
-       depends on !TI_SECURE_DEVICE
+       depends on !TI_SECURE_DEVICE || ARCH_K3
        help
          Enable booting directly to an OS from SPL.
          for more info read doc/README.falcon
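Review bot: Relaxing `depends on !TI_SECURE_DEVICE` to `!TI_SECURE_DEVICE || ARCH_K3` on its own does not force FIT authentication on K3 HS devices; it only permits SPL_OS_BOOT there. The thread above already identifies the gap: the falcon path loads whatever sits at CONFIG_SPL_FS_LOAD_KERNEL_NAME, detects the image type at load time, and only runs board_fit_image_post_process when the file is actually a FIT, so a plain kernel image placed at the "fitImage" path is booted with no signature check. The K3 exception should therefore be gated on a configuration that leaves only the FIT load path available in SPL (for example requiring SPL_FIT_SIGNATURE and disabling the raw and legacy image load paths when TI_SECURE_DEVICE is set), or the falcon loader should reject non-FIT images on secure devices, and the commit message should state which of these makes the K3 case safe, since "can be enabled on K3 devices" does not explain why K3 differs from the 32-bit HS devices for which commit e95b9b4437bc disabled this option.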
