Instead of falling back to the standard U-Boot boot flow, we should just
halt boot if the expected boot flow in falcon mode fails.

This prevents a malicious actor from reaching U-Boot proper if they can
cause a boot failure in falcon mode.

Signed-off-by: Anshul Dalal <ansh...@ti.com>
---
 common/spl/spl_mmc.c  | 4 ++++
 common/spl/spl_nand.c | 6 ++++--
 common/spl/spl_nor.c  | 6 ++++--
 common/spl/spl_spi.c  | 6 ++++--
 common/spl/spl_ubi.c  | 2 ++
 5 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/common/spl/spl_mmc.c b/common/spl/spl_mmc.c
index c5585d8e0d2..d0dad6ea8fd 100644
--- a/common/spl/spl_mmc.c
+++ b/common/spl/spl_mmc.c
@@ -272,6 +272,8 @@ static int spl_mmc_do_fs_boot(struct spl_image_info 
*spl_image,
                        return 0;
                printf("%s, Failed to load falcon payload: %d\n", __func__,
                       ret);
+               if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+                       return ret;
                printf("Fallback to U-Boot\n");
        }
 
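Review bot: The new `return ret` on the OS_BOOT_SECURE path reports the falcon failure to the caller rather than stopping the boot, which is what the commit message promises. As far as can be judged from outside this hunk, spl_mmc_load() and the SPL boot-device loop that calls it treat a non-zero return as "this device failed" and move on to the next entry in the boot list, so a second boot medium could still reach U-Boot proper. If a hard stop is the intent, consider `hang();` (or a dedicated secure-failure handler) here instead of propagating `ret`, or state in the commit message that the stop relies on the caller treating the error as fatal; the same question applies to the other five return sites in this patch. spl_mmc_do_fs_boot() begins and ends outside the hunk.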
@@ -412,6 +414,8 @@ int spl_mmc_load(struct spl_image_info *spl_image,
                        ret = mmc_load_image_raw_os(spl_image, bootdev, mmc);
                        if (!ret)
                                return 0;
+                       if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+                               return ret;
                }
 
                raw_sect = spl_mmc_get_uboot_raw_sector(mmc, raw_sect);
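Review bot: The secure early return in the raw-boot path is silent: unlike the fs-boot hunk above and the nand/nor/spi/ubi hunks, nothing is printed before `return ret`, so a board that stops here gives no indication of why. A one-line diagnostic before the check keeps the paths consistent, e.g. `printf("%s: Failed in falcon boot: %d\n", __func__, ret);`. spl_mmc_load() continues outside the hunk.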
diff --git a/common/spl/spl_nand.c b/common/spl/spl_nand.c
index f37baefb372..93ef2d1c02c 100644
--- a/common/spl/spl_nand.c
+++ b/common/spl/spl_nand.c
@@ -138,8 +138,10 @@ static int spl_nand_load_image(struct spl_image_info 
*spl_image,
                err = spl_nand_load_image_os(spl_image, bootdev);
                if (!err)
                        return 0;
-               printf("%s: Failed in falcon boot: %d, fallback to U-Boot",
-                      __func__, err);
+               printf("%s: Failed in falcon boot: %d", __func__, err);
+               if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+                       return err;
+               printf("Fallback to U-Boot\n");
        }
 #endif
 
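Review bot: The shortened message `"%s: Failed in falcon boot: %d"` has no trailing newline, so on the fallback path the following `Fallback to U-Boot` is appended to the same console line, and on the OS_BOOT_SECURE path the error code is the last thing printed with no line end. Add the newline: `printf("%s: Failed in falcon boot: %d\n", __func__, err);`. The same applies to the hunks in spl_nor.c and spl_spi.c, and the pre-existing context line in spl_ubi.c has the same omission, which the new early return there now exposes. spl_nand_load_image() starts before and ends after the hunk.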
diff --git a/common/spl/spl_nor.c b/common/spl/spl_nor.c
index 9c037bd62eb..6f9ff91bef7 100644
--- a/common/spl/spl_nor.c
+++ b/common/spl/spl_nor.c
@@ -95,8 +95,10 @@ static int spl_nor_load_image(struct spl_image_info 
*spl_image,
                if (!err)
                        return 0;
 
-               printf("%s: Failed in falcon boot: %d, fallback to U-Boot",
-                      __func__, err);
+               printf("%s: Failed in falcon boot: %d", __func__, err);
+               if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+                       return err;
+               printf("Fallback to U-Boot\n");
        }
 #endif
 
diff --git a/common/spl/spl_spi.c b/common/spl/spl_spi.c
index 2a6098a4dc3..cbc864809fe 100644
--- a/common/spl/spl_spi.c
+++ b/common/spl/spl_spi.c
@@ -105,8 +105,10 @@ static int spl_spi_load_image(struct spl_image_info 
*spl_image,
                if (!err)
                        return 0;
 
-               printf("%s: Failed in falcon boot: %d, fallback to U-Boot",
-                      __func__, err);
+               printf("%s: Failed in falcon boot: %d", __func__, err);
+               if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+                       return err;
+               printf("Fallback to U-Boot\n");
        }
 #endif
 
diff --git a/common/spl/spl_ubi.c b/common/spl/spl_ubi.c
index 09b9bbc5c47..3c6f80de7d9 100644
--- a/common/spl/spl_ubi.c
+++ b/common/spl/spl_ubi.c
@@ -77,6 +77,8 @@ int spl_ubi_load_image(struct spl_image_info *spl_image,
                        return 0;
 
                printf("%s: Failed in falcon boot: %d", __func__, ret);
+               if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+                       return ret;
                printf("Fallback to U-Boot\n");
        }
 #endif
-- 
2.51.0
