On Tue Sep 23, 2025 at 9:48 PM IST, Andrew Davis wrote: > On 9/23/25 8:08 AM, Anshul Dalal wrote: >> Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc >> ("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit >> HS devices and but can now be enabled with the addition of >> OS_BOOT_SECURE. >> >> For secure boot, the kernel with x509 headers can be packaged in a fit >> container (fitImage) signed with TIFS keys for authentication. >> >> Signed-off-by: Anshul Dalal <ansh...@ti.com> >> --- >> common/spl/Kconfig | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/common/spl/Kconfig b/common/spl/Kconfig >> index 7e87e50f693..ab780da9e1c 100644 >> --- a/common/spl/Kconfig >> +++ b/common/spl/Kconfig >> @@ -1201,7 +1201,7 @@ config SPL_ONENAND_SUPPORT >> >> config SPL_OS_BOOT >> bool "Activate Falcon Mode" >> - depends on !TI_SECURE_DEVICE >> + select SPL_OS_BOOT_SECURE if TI_SECURE_DEVICE >> help >> Enable booting directly to an OS from SPL. >> for more info read doc/README.falcon > > The subject doesn't need to include "K3", this is for all > TI secure devices. >
Oh yeah, will fix in the next revision.

> This patch should also go last in the series. Not that it
> causes any break, but feels like a "security bisectability"
> problem to allow something and then after make it secure.
>

I was more looking at it from the ability to test the subsequent patches
in the series on any TI platform which would depend on this [2/8] patch.
Though your concern is valid too but there are still a few things
remaining from this series that would need to be implemented to make
falcon mode truly secure on TI_SECURE_DEVICE.

Perhaps we should drop this patch until everything's in place?

Regards,
Anshul
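
Review bot: In the "config SPL_OS_BOOT" entry, "select SPL_OS_BOOT_SECURE if TI_SECURE_DEVICE" forces that symbol on without evaluating the symbol's own dependencies, and SPL_OS_BOOT_SECURE is not defined anywhere in this hunk, so the patch should be ordered after the one that introduces it, with that ordering stated in the commit message. Because "depends on !TI_SECURE_DEVICE" is dropped in the same change, Falcon Mode becomes selectable on HS devices as soon as this applies. The help text, which still reads only "Enable booting directly to an OS from SPL.", should therefore also say that on TI_SECURE_DEVICE the option pulls in SPL_OS_BOOT_SECURE and expects the signed fitImage described in the commit message.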