On Fri, Jun 27, 2025 at 05:23:59AM +0530, Anshul Dalal wrote: > On Fri Jun 27, 2025 at 5:17 AM IST, Tom Rini wrote: > > On Thu, Jun 26, 2025 at 05:34:42PM +0530, Anshul Dalal wrote: > > > >> Raw kernel images can not be authenticated so disable loading such > >> binaries in secure falcon mode. This change restricts the falcon mode > >> SPL to FIT as the only viable boot image which can be authenticated. > >> > >> Signed-off-by: Anshul Dalal <ansh...@ti.com> > >> --- > >> cmd/Kconfig | 3 ++- > >> 1 file changed, 2 insertions(+), 1 deletion(-) > >> > >> diff --git a/cmd/Kconfig b/cmd/Kconfig > >> index ed741d43cea..8eb55dd7f6e 100644 > >> --- a/cmd/Kconfig > >> +++ b/cmd/Kconfig > >> @@ -353,12 +353,13 @@ config BOOTM_ELF > >> > >> config CMD_BOOTZ > >> bool "bootz" > >> + depends on !SPL_SECURE_OS_BOOT > >> help > >> Boot the Linux zImage > >> > >> config CMD_BOOTI > >> bool "booti" > >> - depends on ARM64 || RISCV || SANDBOX > >> + depends on (ARM64 || RISCV || SANDBOX) && !SPL_SECURE_OS_BOOT > >> default y > >> help > >> Boot an AArch64 Linux Kernel image from memory. > > > > This is just pushing things too far and we need to step back and fix it, > > sorry. We need BOOTZ_IMAGE_FORMAT and BOOTI_IMAGE_FORMAT to go with > > LEGACY_IMAGE_FORMAT, and then SPL_... variants too, and then use those > > symbols. > > I can respin one of my earlier patch series[1] that migrated these > CMD_BOOTx symbols to SPL. But we should still disable those new symbols > to prevent loading of unverifiable raw kernel images in secure os boot > right? > > [1]: https://lore.kernel.org/u-boot/20250408141436.712387-1-ansh...@ti.com/
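Review bot: In the cmd/Kconfig hunk, both added "depends on !SPL_SECURE_OS_BOOT" conditions sit on the command symbols CMD_BOOTZ and CMD_BOOTI, while the commit message states the goal as restricting what the falcon mode SPL will load. As written, setting SPL_SECURE_OS_BOOT also makes the "bootz" and "booti" commands unselectable, and neither help text nor the commit message mentions that. Suggest putting the dependency on a symbol that covers the raw image format in SPL specifically, or, if hiding the commands is intended, saying so in the commit message and in the help text of both entries.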
I think I wasn't clear enough, sorry. We need in boot/Kconfig:

config BOOTZ_IMAGE_FORMAT
	bool
	help
	  Support for the Linux Kernel "zImage" format on 32bit ARM systems.

config BOOT_IMAGE_FORMAT
	bool
	help
	  Support for the Linux Kernel "Image" format found on 64bit ARM
	  systems, RISC-V and other architectures within the Linux Kernel.
...
config SYS_BOOTM_LEN
	...
	depends on ... BOOTZ_IMAGE_FORMAT || SPL_BOOTZ_IMAGE_FORMAT ...

in cmd/Kconfig

config CMD_BOOTZ
	bool ...
	depends on BOOTZ_IMAGE_FORMAT

And then code / Makefiles outside of the command should use the
appropriate new symbol. arch/arm/lib/Makefile for example:

obj-$(CONFIG_$(PHASE_)BOOTZ_IMAGE_FORMAT) += zimage.o
obj-$(CONFIG_$(PHASE_)BOOTI_IMAGE_FORMAT) += image.o

And then yes, the SPL variants need to depend on !SPL_OS_BOOT_SECURE

-- 
Tom