On 4/28/25 9:12 AM, Anshul Dalal wrote:
Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
HS devices and can be enabled on K3 devices.
For secure boot, the kernel with x509 headers can be packaged in a fit
"can be", this is the issue. Security is not just allowing methods that
are security checked, but forcing the use of such methods. Setting
OS_BOOT opens up several paths that look for non-FIT images. These
images do not enforce authentication like FIT does. This means one can
bypass secure boot when OS_BOOT is enabled by simply placing a non-FIT
boot image on the boot media.
Andrew
container (fitImage) signed with TIFS keys for authentication.
Signed-off-by: Anshul Dalal <ansh...@ti.com>
---
common/spl/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index c08045f9c8d..68e900e9b91 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -1165,7 +1165,7 @@ config SPL_ONENAND_SUPPORT
config SPL_OS_BOOT
bool "Activate Falcon Mode"
- depends on !TI_SECURE_DEVICE
+ depends on !TI_SECURE_DEVICE || ARCH_K3
help
Enable booting directly to an OS from SPL.
for more info read doc/README.falcon
