From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <u-boot-bounces@lists.denx.de>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.lore.kernel.org (Postfix) with ESMTPS id CCD6AC433F5
	for <u-boot@archiver.kernel.org>; Wed,  4 May 2022 20:53:09 +0000 (UTC)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id D32CB83FE4;
	Wed,  4 May 2022 22:52:48 +0200 (CEST)
Authentication-Results: phobos.denx.de; dmarc=pass (p=quarantine dis=none) header.from=ti.com
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (1024-bit key; unprotected) header.d=ti.com header.i=@ti.com header.b="wry24FOr";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id D33EB83F11; Wed,  4 May 2022 22:52:39 +0200 (CEST)
Received: from fllv0015.ext.ti.com (fllv0015.ext.ti.com [198.47.19.141])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 5D26583F2B
 for <u-boot@lists.denx.de>; Wed,  4 May 2022 22:52:35 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=quarantine dis=none) header.from=ti.com
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=afd@ti.com
Received: from lelv0265.itg.ti.com ([10.180.67.224])
 by fllv0015.ext.ti.com (8.15.2/8.15.2) with ESMTP id 244KqU02010323;
 Wed, 4 May 2022 15:52:30 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com;
 s=ti-com-17Q1; t=1651697550;
 bh=/rYFgC0NTHuaGoxzZerYlSjaZ+3G4C83nTA9uJxVbKQ=;
 h=From:To:CC:Subject:Date:In-Reply-To:References;
 b=wry24FOrntQhvg+2+WbAUHI3hxcbbyiwbA7O4nDAXwfhoIwG27A0yRKhccf8KRsFl
 HTfDCQxQesI3lzuoHXr+cbaoO4NChTDFzNt+j81B897cAvMUbKe7GaGLoosoS2oaTg
 sSPYHzWhiZE3D9GHoezWCu4B1ay+yZUeTHuji8VU=
Received: from DFLE109.ent.ti.com (dfle109.ent.ti.com [10.64.6.30])
 by lelv0265.itg.ti.com (8.15.2/8.15.2) with ESMTPS id 244KqUgC001526
 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL);
 Wed, 4 May 2022 15:52:30 -0500
Received: from DFLE112.ent.ti.com (10.64.6.33) by DFLE109.ent.ti.com
 (10.64.6.30) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2308.14; Wed, 4
 May 2022 15:52:29 -0500
Received: from lelv0326.itg.ti.com (10.180.67.84) by DFLE112.ent.ti.com
 (10.64.6.33) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2308.14 via
 Frontend Transport; Wed, 4 May 2022 15:52:29 -0500
Received: from ula0226330.dal.design.ti.com (ileax41-snat.itg.ti.com
 [10.172.224.153])
 by lelv0326.itg.ti.com (8.15.2/8.15.2) with ESMTP id 244KqTXJ026299;
 Wed, 4 May 2022 15:52:29 -0500
From: Andrew Davis <afd@ti.com>
To: Simon Glass <sjg@chromium.org>, Tom Rini <trini@konsulko.com>,
 <u-boot@lists.denx.de>
CC: Andrew Davis <afd@ti.com>
Subject: [PATCH 2/4] spl: Force disable non-FIT loading for TI secure devices
Date: Wed, 4 May 2022 15:52:26 -0500
Message-ID: <20220504205228.5153-2-afd@ti.com>
X-Mailer: git-send-email 2.36.0
In-Reply-To: <20220504205228.5153-1-afd@ti.com>
References: <20220504205228.5153-1-afd@ti.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.5 at phobos.denx.de
X-Virus-Status: Clean

Booting of non-FIT images bypass our chain-of-trust boot flow,
these options should not be allowed when high security is set.

Signed-off-by: Andrew Davis <afd@ti.com>
---
 common/spl/Kconfig | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index 43485af468..50ff113cab 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -219,7 +219,8 @@ config SPL_BOOTCOUNT_LIMIT
 config SPL_RAW_IMAGE_SUPPORT
 	bool "Support SPL loading and booting of RAW images"
 	default n if (ARCH_MX6 && (SPL_MMC || SPL_SATA))
-	default y if !TI_SECURE_DEVICE
+	default y
+	depends on !TI_SECURE_DEVICE
 	help
 	  SPL will support loading and booting a RAW image when this option
 	  is y. If this is not set, SPL will move on to other available
@@ -227,7 +228,8 @@ config SPL_RAW_IMAGE_SUPPORT
 
 config SPL_LEGACY_IMAGE_FORMAT
 	bool "Support SPL loading and booting of Legacy images"
-	default y if !TI_SECURE_DEVICE && !SPL_LOAD_FIT
+	default y if !SPL_LOAD_FIT
+	depends on !TI_SECURE_DEVICE
 	help
 	  SPL will support loading and booting Legacy images when this option
 	  is y. If this is not set, SPL will move on to other available
-- 
2.36.0