[PATCH v2 0/8] Add support for secure falcon mode: disable fallback

[PATCH v2 0/8] Add support for secure falcon mode: disable fallback

[Anshul Dalal]

Hi all,

Continuing from the last series[1], this patch series addresses the requirement
of allowing no fallbacks in secure falcon mode.

To do this in a clean way, all the falcon mode logic for each boot media was
refactored to a corresponding *_load_image_os function whereas the regular
boot is implemented in *_load_image, this allows us to easily return early in
case the *_load_image_os function fails with secure mode enabled.

The series also introduces the new SPL_OS_BOOT_SECURE config symbol which
enables secure falcon boot flow.

The generic flow after the patch series looks as follows:

	static int spl_<bootmedia>_load_image(...) {
		if (CONFIG_IS_ENABLED(OS_BOOT)) {

			ret = spl_<bootmedia>_load_image_os(...);

			puts("Failcon mode failed\n");
			if (CONFIG_IS_ENABLED(OS_BOOT_SECURE)) {
				puts("no fallback allowed!\n");
				return ret;
			}

			puts("Falling back to U-Boot\n");
		}

		/* Regular boot flow */
	}

Regards,
Anshul

[1]: https://lore.kernel.org/u-boot/20250923124639.667718-1-anshuld@ti.com/
Depends-on: https://lore.kernel.org/u-boot/20250923124639.667718-1-anshuld@ti.com/
---
Changes in v2:
 - Remove extra printf to address SPL size concerns

v1: https://lore.kernel.org/u-boot/20250916105857.163951-1-anshuld@ti.com/
---
Anshul Dalal (8):
  spl: Kconfig: add SPL_OS_BOOT_SECURE config symbol
  spl: Kconfig: allow K3 devices to use falcon mode
  spl: mmc: split spl_mmc_do_fs_boot into regular/os_boot
  spl: ubi: refactor spl_ubi_load_image for falcon mode
  spl: spi: refactor spl_spi_load_image for falcon mode
  spl: nor: refactor spl_nor_load_image for falcon mode
  spl: nand: refactor spl_nand_load_image for falcon mode
  spl: falcon: disable fallback to U-Boot on failure

 common/spl/Kconfig    |  10 +++-
 common/spl/spl_mmc.c  |  81 ++++++++++++++++++++------------
 common/spl/spl_nand.c |  96 +++++++++++++++++++++-----------------
 common/spl/spl_nor.c  | 104 ++++++++++++++++++++++++------------------
 common/spl/spl_spi.c  |  31 ++++++++++---
 common/spl/spl_ubi.c  |  43 ++++++++++++-----
 6 files changed, 229 insertions(+), 136 deletions(-)

-- 
2.51.0

[PATCH v2 1/8] spl: Kconfig: add SPL_OS_BOOT_SECURE config symbol

[Anshul Dalal]

This patch adds the new SPL_OS_BOOT_SECURE symbol that enables secure
boot flow in falcon mode. This symbol can be used to disable certain
inherently insecure options during falcon boot.

Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/Kconfig | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index ab05536bd02..7e87e50f693 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -1206,6 +1206,14 @@ config SPL_OS_BOOT
 	  Enable booting directly to an OS from SPL.
 	  for more info read doc/README.falcon
 
+config SPL_OS_BOOT_SECURE
+	bool "Allow Falcon Mode on secure devices"
+	depends on SPL_OS_BOOT
+	help
+	  This allows for secure devices with signature verification capabilities
+	  to use falcon mode by disabling certain inherently non-securable options
+	  in the SPL boot flow.
+
 config SPL_PAYLOAD_ARGS_ADDR
 	hex "Address in memory to load 'args' file for Falcon Mode to"
 	depends on SPL_OS_BOOT || SPL_LOAD_FIT_OPENSBI_OS_BOOT
-- 
2.51.0

[PATCH v2 2/8] spl: Kconfig: allow K3 devices to use falcon mode

[Anshul Dalal]

Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
HS devices and but can now be enabled with the addition of
OS_BOOT_SECURE.

For secure boot, the kernel with x509 headers can be packaged in a fit
container (fitImage) signed with TIFS keys for authentication.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index 7e87e50f693..ab780da9e1c 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -1201,7 +1201,7 @@ config SPL_ONENAND_SUPPORT
 
 config SPL_OS_BOOT
 	bool "Activate Falcon Mode"
-	depends on !TI_SECURE_DEVICE
+	select SPL_OS_BOOT_SECURE if TI_SECURE_DEVICE
 	help
 	  Enable booting directly to an OS from SPL.
 	  for more info read doc/README.falcon
-- 
2.51.0

[PATCH v2 3/8] spl: mmc: split spl_mmc_do_fs_boot into regular/os_boot

[Anshul Dalal]

Currently the logic to handle falcon mode as well as the regular boot is
inside spl_mmc_do_fs_boot, this prevents us from cleanly extending
falcon mode functionality like toggleable fallback to U-Boot proper.

Therefore this patch splits the logic into spl_mmc_fs_load and
spl_mmc_fs_load_os to handle the regular boot and falcon mode use case.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_mmc.c | 77 +++++++++++++++++++++++++++-----------------
 1 file changed, 47 insertions(+), 30 deletions(-)

diff --git a/common/spl/spl_mmc.c b/common/spl/spl_mmc.c
index cd56cf71055..e26f1087d45 100644
--- a/common/spl/spl_mmc.c
+++ b/common/spl/spl_mmc.c
@@ -193,6 +193,46 @@ int spl_start_uboot(void)
 }
 #endif
 
+static int spl_mmc_fs_load_os(struct spl_image_info *spl_image,
+			      struct spl_boot_device *bootdev,
+			      struct blk_desc *blk_dev, int part)
+{
+	int err = -ENOSYS;
+
+	if (CONFIG_IS_ENABLED(FS_FAT)) {
+		err = spl_load_image_fat_os(spl_image, bootdev, blk_dev, part);
+		if (!err)
+			return 0;
+	}
+	if (CONFIG_IS_ENABLED(FS_EXT4)) {
+		err = spl_load_image_ext_os(spl_image, bootdev, blk_dev, part);
+		if (!err)
+			return 0;
+	}
+
+	return err;
+}
+
+static int spl_mmc_fs_load(struct spl_image_info *spl_image,
+			   struct spl_boot_device *bootdev,
+			   struct blk_desc *blk_dev, int part, const char *file)
+{
+	int err = -ENOENT;
+
+	if (CONFIG_IS_ENABLED(FS_FAT)) {
+		err = spl_load_image_fat(spl_image, bootdev, blk_dev, part, file);
+		if (!err)
+			return 0;
+	}
+	if (CONFIG_IS_ENABLED(FS_EXT4)) {
+		err = spl_load_image_ext(spl_image, bootdev, blk_dev, part, file);
+		if (!err)
+			return 0;
+	}
+
+	return err;
+}
+
 #ifdef CONFIG_SYS_MMCSD_FS_BOOT
 static int spl_mmc_do_fs_boot(struct spl_image_info *spl_image,
 			      struct spl_boot_device *bootdev,
@@ -225,42 +265,19 @@ static int spl_mmc_do_fs_boot(struct spl_image_info *spl_image,
 	}
 #endif
 
-#ifdef CONFIG_SPL_FS_FAT
 	if (!spl_start_uboot()) {
-		ret = spl_load_image_fat_os(spl_image, bootdev, mmc_get_blk_desc(mmc),
-					    partition);
+		ret = spl_mmc_fs_load_os(spl_image, bootdev,
+					 mmc_get_blk_desc(mmc), partition);
 		if (!ret)
 			return 0;
 	}
-#ifdef CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
-	ret = spl_load_image_fat(spl_image, bootdev, mmc_get_blk_desc(mmc),
-				 partition,
-				 filename);
-	if (!ret)
-		return ret;
-#endif
-#endif
-#ifdef CONFIG_SPL_FS_EXT4
-	if (!spl_start_uboot()) {
-		ret = spl_load_image_ext_os(spl_image, bootdev, mmc_get_blk_desc(mmc),
-					    partition);
-		if (!ret)
-			return 0;
-	}
-#ifdef CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
-	ret = spl_load_image_ext(spl_image, bootdev, mmc_get_blk_desc(mmc),
-				 partition,
-				 filename);
-	if (!ret)
-		return 0;
-#endif
-#endif
-
-#if defined(CONFIG_SPL_FS_FAT) || defined(CONFIG_SPL_FS_EXT4)
-	ret = -ENOENT;
-#endif
 
+#ifdef CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
+	return spl_mmc_fs_load(spl_image, bootdev, mmc_get_blk_desc(mmc),
+			       partition, filename);
+#else
 	return ret;
+#endif
 }
 #endif
 
-- 
2.51.0

[PATCH v2 4/8] spl: ubi: refactor spl_ubi_load_image for falcon mode

[Anshul Dalal]

This patch moves the falcon mode handling logic out of
spl_ubi_load_image to spl_ubi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_ubi.c | 41 ++++++++++++++++++++++++++++++-----------
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/common/spl/spl_ubi.c b/common/spl/spl_ubi.c
index a8d3f43b452..162ec0f2f9b 100644
--- a/common/spl/spl_ubi.c
+++ b/common/spl/spl_ubi.c
@@ -11,6 +11,32 @@
 #include <ubispl.h>
 #include <spl.h>
 
+#if CONFIG_IS_ENABLED(OS_BOOT)
+int spl_ubi_load_image_os(struct spl_image_info *spl_image,
+			  struct spl_boot_device *bootdev,
+			  struct ubispl_info *info)
+{
+	struct legacy_img_hdr *header;
+	struct ubispl_load volumes[2];
+	int err;
+
+	volumes[0].vol_id = CONFIG_SPL_UBI_LOAD_KERNEL_ID;
+	volumes[0].load_addr = (void *)CONFIG_SYS_LOAD_ADDR;
+	volumes[1].vol_id = CONFIG_SPL_UBI_LOAD_ARGS_ID;
+	volumes[1].load_addr = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
+
+	err = ubispl_load_volumes(info, volumes, 2);
+	if (err)
+		return err;
+
+	header = (struct legacy_img_hdr *)volumes[0].load_addr;
+	spl_parse_image_header(spl_image, bootdev, header);
+	puts("Linux loaded.\n");
+
+	return 0;
+}
+#endif
+
 int spl_ubi_load_image(struct spl_image_info *spl_image,
 		       struct spl_boot_device *bootdev)
 {
@@ -46,21 +72,14 @@ int spl_ubi_load_image(struct spl_image_info *spl_image,
 
 #if CONFIG_IS_ENABLED(OS_BOOT)
 	if (!spl_start_uboot()) {
-		volumes[0].vol_id = CONFIG_SPL_UBI_LOAD_KERNEL_ID;
-		volumes[0].load_addr = (void *)CONFIG_SYS_LOAD_ADDR;
-		volumes[1].vol_id = CONFIG_SPL_UBI_LOAD_ARGS_ID;
-		volumes[1].load_addr = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
+		ret = spl_ubi_load_image_os(spl_image, bootdev, &info);
+		if (!ret)
+			return 0;
 
-		ret = ubispl_load_volumes(&info, volumes, 2);
-		if (!ret) {
-			header = (struct legacy_img_hdr *)volumes[0].load_addr;
-			spl_parse_image_header(spl_image, bootdev, header);
-			puts("Linux loaded.\n");
-			goto out;
-		}
 		puts("Loading Linux failed, falling back to U-Boot.\n");
 	}
 #endif
+
 	header = spl_get_load_buffer(-sizeof(*header), sizeof(header));
 #ifdef CONFIG_SPL_UBI_LOAD_BY_VOLNAME
 	volumes[0].vol_id = -1;
-- 
2.51.0

[PATCH v2 5/8] spl: spi: refactor spl_spi_load_image for falcon mode

[Anshul Dalal]

This patch moves the falcon mode handling logic out of
spl_spi_load_image to spl_spi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_spi.c | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/common/spl/spl_spi.c b/common/spl/spl_spi.c
index c2b188371c2..1ada37f5c21 100644
--- a/common/spl/spl_spi.c
+++ b/common/spl/spl_spi.c
@@ -49,6 +49,25 @@ u32 __weak spl_spi_boot_cs(void)
 	return CONFIG_SF_DEFAULT_CS;
 }
 
+#if CONFIG_IS_ENABLED(OS_BOOT)
+static int spl_spi_load_image_os(struct spl_image_info *spl_image,
+				 struct spl_boot_device *bootdev,
+				 struct spi_flash *flash,
+				 struct spl_load_info *load)
+{
+	int err = spl_load(spl_image, bootdev, load, 0,
+			   CONFIG_SYS_SPI_KERNEL_OFFS);
+
+	if (err)
+		return err;
+
+	/* Read device tree. */
+	return spi_flash_read(flash, CONFIG_SYS_SPI_ARGS_OFFS,
+			      CONFIG_SYS_SPI_ARGS_SIZE,
+			      (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR);
+}
+#endif
+
 /*
  * The main entry for SPI booting. It's necessary that SDRAM is already
  * configured and available since this code loads the main U-Boot image
@@ -81,15 +100,10 @@ static int spl_spi_load_image(struct spl_image_info *spl_image,
 
 #if CONFIG_IS_ENABLED(OS_BOOT)
 	if (!spl_start_uboot()) {
-		int err = spl_load(spl_image, bootdev, &load, 0,
-				   CONFIG_SYS_SPI_KERNEL_OFFS);
+		err = spl_spi_load_image_os(spl_image, bootdev, flash, &load);
 
 		if (!err)
-			/* Read device tree. */
-			return spi_flash_read(
-				flash, CONFIG_SYS_SPI_ARGS_OFFS,
-				CONFIG_SYS_SPI_ARGS_SIZE,
-				(void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR);
+			return 0;
 	}
 #endif
 
-- 
2.51.0

[PATCH v2 6/8] spl: nor: refactor spl_nor_load_image for falcon mode

[Anshul Dalal]

This patch moves the falcon mode handling logic out of
spl_nor_load_image to spl_nor_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_nor.c | 94 +++++++++++++++++++++++++-------------------
 1 file changed, 54 insertions(+), 40 deletions(-)

diff --git a/common/spl/spl_nor.c b/common/spl/spl_nor.c
index 1021d933999..e999dcc4fcf 100644
--- a/common/spl/spl_nor.c
+++ b/common/spl/spl_nor.c
@@ -25,60 +25,74 @@ unsigned long __weak spl_nor_get_uboot_base(void)
 	return CFG_SYS_UBOOT_BASE;
 }
 
-static int spl_nor_load_image(struct spl_image_info *spl_image,
-			      struct spl_boot_device *bootdev)
+#if CONFIG_IS_ENABLED(OS_BOOT)
+static int spl_nor_load_image_os(struct spl_image_info *spl_image,
+				 struct spl_boot_device *bootdev)
 {
-	struct spl_load_info load;
-
 	/*
-	 * Loading of the payload to SDRAM is done with skipping of
-	 * the mkimage header in this SPL NOR driver
+	 * Load Linux from its location in NOR flash to its defined
+	 * location in SDRAM
 	 */
-	spl_image->flags |= SPL_COPY_PAYLOAD_ONLY;
+	const struct legacy_img_hdr *header =
+		(const struct legacy_img_hdr *)CONFIG_SYS_OS_BASE;
+	struct spl_load_info load;
 
-#if CONFIG_IS_ENABLED(OS_BOOT)
-	if (!spl_start_uboot()) {
-		/*
-		 * Load Linux from its location in NOR flash to its defined
-		 * location in SDRAM
-		 */
-		const struct legacy_img_hdr *header =
-			(const struct legacy_img_hdr *)CONFIG_SYS_OS_BASE;
 #ifdef CONFIG_SPL_LOAD_FIT
-		if (image_get_magic(header) == FDT_MAGIC) {
-			int ret;
+	if (image_get_magic(header) == FDT_MAGIC) {
+		int ret;
 
-			debug("Found FIT\n");
-			spl_load_init(&load, spl_nor_load_read, NULL, 1);
+		debug("Found FIT\n");
+		spl_load_init(&load, spl_nor_load_read, NULL, 1);
 
-			ret = spl_load_simple_fit(spl_image, &load,
-						  CONFIG_SYS_OS_BASE,
-						  (void *)header);
+		ret = spl_load_simple_fit(spl_image, &load, CONFIG_SYS_OS_BASE,
+					  (void *)header);
 
 #if defined CONFIG_SPL_PAYLOAD_ARGS_ADDR && defined CONFIG_CMD_SPL_NOR_OFS
-			memcpy((void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR,
-			       (void *)CONFIG_CMD_SPL_NOR_OFS,
-			       CONFIG_CMD_SPL_WRITE_SIZE);
+		memcpy((void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR,
+		       (void *)CONFIG_CMD_SPL_NOR_OFS,
+		       CONFIG_CMD_SPL_WRITE_SIZE);
 #endif
-			return ret;
-		}
+		return ret;
+	}
 #endif
-		if (image_get_os(header) == IH_OS_LINUX) {
-			/* happy - was a Linux */
-			int ret;
-
-			ret = spl_parse_image_header(spl_image, bootdev, header);
-			if (ret)
-				return ret;
-
-			memcpy((void *)spl_image->load_addr,
-			       (void *)(CONFIG_SYS_OS_BASE +
-					sizeof(struct legacy_img_hdr)),
-			       spl_image->size);
+	if (image_get_os(header) != IH_OS_LINUX)
+		return -EINVAL;
+
+	/* happy - was a Linux */
+	int ret;
+
+	ret = spl_parse_image_header(spl_image, bootdev, header);
+	if (ret)
+		return ret;
+
+	memcpy((void *)spl_image->load_addr,
+	       (void *)(CONFIG_SYS_OS_BASE + sizeof(struct legacy_img_hdr)),
+	       spl_image->size);
+
 #ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
-			spl_image->arg = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
+	spl_image->arg = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
 #endif
 
+	return 0;
+}
+#endif
+
+static int spl_nor_load_image(struct spl_image_info *spl_image,
+			      struct spl_boot_device *bootdev)
+{
+	int err;
+	struct spl_load_info load;
+
+	/*
+	 * Loading of the payload to SDRAM is done with skipping of
+	 * the mkimage header in this SPL NOR driver
+	 */
+	spl_image->flags |= SPL_COPY_PAYLOAD_ONLY;
+
+#if CONFIG_IS_ENABLED(OS_BOOT)
+	if (!spl_start_uboot()) {
+		err = spl_nor_load_image_os(spl_image, bootdev);
+		if (!err)
 			return 0;
 		} else {
 			puts("The Expected Linux image was not found.\n"
-- 
2.51.0

[PATCH v2 7/8] spl: nand: refactor spl_nand_load_image for falcon mode

[Anshul Dalal]

This patch moves the falcon mode handling logic out of
spl_ubi_load_image to spl_ubi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_nand.c | 87 +++++++++++++++++++++++++------------------
 1 file changed, 50 insertions(+), 37 deletions(-)

diff --git a/common/spl/spl_nand.c b/common/spl/spl_nand.c
index 22883f4e8b9..8993e304c26 100644
--- a/common/spl/spl_nand.c
+++ b/common/spl/spl_nand.c
@@ -75,6 +75,52 @@ static int spl_nand_load_element(struct spl_image_info *spl_image,
 	return spl_load(spl_image, bootdev, &load, 0, offset);
 }
 
+#if CONFIG_IS_ENABLED(OS_BOOT)
+static int spl_nand_load_image_os(struct spl_image_info *spl_image,
+				  struct spl_boot_device *bootdev)
+{
+	int *src, *dst, err;
+	struct legacy_img_hdr *header = spl_get_load_buffer(0, sizeof(*header));
+
+	/* load linux */
+	nand_spl_load_image(CONFIG_SYS_NAND_SPL_KERNEL_OFFS, sizeof(*header),
+			    (void *)header);
+	err = spl_parse_image_header(spl_image, bootdev, header);
+	if (err)
+		return err;
+
+	if (header->ih_os != IH_OS_LINUX)
+		return -EINVAL;
+
+	/* happy - was a linux */
+	err = nand_spl_load_image(CONFIG_SYS_NAND_SPL_KERNEL_OFFS,
+				  spl_image->size,
+				  (void *)spl_image->load_addr);
+	nand_deselect();
+
+	if (err)
+		return err;
+
+	/*
+	 * load parameter image load to temp position since nand_spl_load_image
+	 * reads a whole block which is typically larger than
+	 * CONFIG_CMD_SPL_WRITE_SIZE therefore may overwrite following sections
+	 * like BSS
+	 */
+	nand_spl_load_image(CONFIG_CMD_SPL_NAND_OFS, CONFIG_CMD_SPL_WRITE_SIZE,
+			    (void *)CONFIG_TEXT_BASE);
+	/* copy to destintion */
+	for (dst = (int *)CONFIG_SPL_PAYLOAD_ARGS_ADDR,
+	    src = (int *)CONFIG_TEXT_BASE;
+	     src < (int *)(CONFIG_TEXT_BASE + CONFIG_CMD_SPL_WRITE_SIZE);
+	     src++, dst++) {
+		writel(readl(src), dst);
+	}
+
+	return 0;
+}
+#endif
+
 static int spl_nand_load_image(struct spl_image_info *spl_image,
 			       struct spl_boot_device *bootdev)
 {
@@ -89,43 +135,9 @@ static int spl_nand_load_image(struct spl_image_info *spl_image,
 
 #if CONFIG_IS_ENABLED(OS_BOOT)
 	if (!spl_start_uboot()) {
-		int *src, *dst;
-		struct legacy_img_hdr *header =
-			spl_get_load_buffer(0, sizeof(*header));
-
-		/*
-		 * load parameter image
-		 * load to temp position since nand_spl_load_image reads
-		 * a whole block which is typically larger than
-		 * CONFIG_CMD_SPL_WRITE_SIZE therefore may overwrite
-		 * following sections like BSS
-		 */
-		nand_spl_load_image(CONFIG_CMD_SPL_NAND_OFS,
-			CONFIG_CMD_SPL_WRITE_SIZE,
-			(void *)CONFIG_TEXT_BASE);
-		/* copy to destintion */
-		for (dst = (int *)CONFIG_SPL_PAYLOAD_ARGS_ADDR,
-		     src = (int *)CONFIG_TEXT_BASE;
-			src < (int *)(CONFIG_TEXT_BASE +
-				      CONFIG_CMD_SPL_WRITE_SIZE);
-		     src++, dst++) {
-			writel(readl(src), dst);
-		}
-
-		/* load linux */
-		nand_spl_load_image(CONFIG_SYS_NAND_SPL_KERNEL_OFFS,
-			sizeof(*header), (void *)header);
-		err = spl_parse_image_header(spl_image, bootdev, header);
-		if (err)
-			return err;
-		if (header->ih_os == IH_OS_LINUX) {
-			/* happy - was a linux */
-			err = nand_spl_load_image(
-				CONFIG_SYS_NAND_SPL_KERNEL_OFFS,
-				spl_image->size,
-				(void *)spl_image->load_addr);
-			nand_deselect();
-			return err;
+		err = spl_nand_load_image_os(spl_image, bootdev);
+		if (!err)
+			return 0;
 		} else {
 			puts("The Expected Linux image was not "
 				"found. Please check your NAND "
@@ -134,6 +146,7 @@ static int spl_nand_load_image(struct spl_image_info *spl_image,
 		}
 	}
 #endif
+
 #ifdef CONFIG_NAND_ENV_DST
 	spl_nand_load_element(spl_image, bootdev, CONFIG_ENV_OFFSET);
 #ifdef CONFIG_ENV_OFFSET_REDUND
-- 
2.51.0

[PATCH v2 8/8] spl: falcon: disable fallback to U-Boot on failure

[Anshul Dalal]

Instead of falling back to the standard U-Boot boot flow, we should just
halt boot if the expected boot flow in falcon mode fails.

This prevents a malicious actor from accessing U-Boot proper if they can
cause a boot failure on falcon mode.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_mmc.c  |  4 ++++
 common/spl/spl_nand.c | 11 +++++------
 common/spl/spl_nor.c  | 10 +++++-----
 common/spl/spl_spi.c  |  3 +++
 common/spl/spl_ubi.c  |  2 ++
 5 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/common/spl/spl_mmc.c b/common/spl/spl_mmc.c
index e26f1087d45..c9637399c15 100644
--- a/common/spl/spl_mmc.c
+++ b/common/spl/spl_mmc.c
@@ -270,6 +270,8 @@ static int spl_mmc_do_fs_boot(struct spl_image_info *spl_image,
 					 mmc_get_blk_desc(mmc), partition);
 		if (!ret)
 			return 0;
+		if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+			return ret;
 	}
 
 #ifdef CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
@@ -409,6 +411,8 @@ int spl_mmc_load(struct spl_image_info *spl_image,
 			ret = mmc_load_image_raw_os(spl_image, bootdev, mmc);
 			if (!ret)
 				return 0;
+			if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+				return ret;
 		}
 
 		raw_sect = spl_mmc_get_uboot_raw_sector(mmc, raw_sect);
diff --git a/common/spl/spl_nand.c b/common/spl/spl_nand.c
index 8993e304c26..7d1b55b2311 100644
--- a/common/spl/spl_nand.c
+++ b/common/spl/spl_nand.c
@@ -138,12 +138,11 @@ static int spl_nand_load_image(struct spl_image_info *spl_image,
 		err = spl_nand_load_image_os(spl_image, bootdev);
 		if (!err)
 			return 0;
-		} else {
-			puts("The Expected Linux image was not "
-				"found. Please check your NAND "
-				"configuration.\n");
-			puts("Trying to start u-boot now...\n");
-		}
+
+		puts("%s: Failed in falcon boot: %d", __func__, err);
+		if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+			return err;
+		puts("Fallback to U-Boot\n");
 	}
 #endif
 
diff --git a/common/spl/spl_nor.c b/common/spl/spl_nor.c
index e999dcc4fcf..6f8149cac53 100644
--- a/common/spl/spl_nor.c
+++ b/common/spl/spl_nor.c
@@ -94,11 +94,11 @@ static int spl_nor_load_image(struct spl_image_info *spl_image,
 		err = spl_nor_load_image_os(spl_image, bootdev);
 		if (!err)
 			return 0;
-		} else {
-			puts("The Expected Linux image was not found.\n"
-			     "Please check your NOR configuration.\n"
-			     "Trying to start u-boot now...\n");
-		}
+
+		puts("%s: Failed in falcon boot: %d", __func__, err);
+		if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+			return err;
+		puts("Fallback to U-Boot\n");
 	}
 #endif
 
diff --git a/common/spl/spl_spi.c b/common/spl/spl_spi.c
index 1ada37f5c21..863be144316 100644
--- a/common/spl/spl_spi.c
+++ b/common/spl/spl_spi.c
@@ -104,6 +104,9 @@ static int spl_spi_load_image(struct spl_image_info *spl_image,
 
 		if (!err)
 			return 0;
+
+		if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+			return err;
 	}
 #endif
 
diff --git a/common/spl/spl_ubi.c b/common/spl/spl_ubi.c
index 162ec0f2f9b..95676975e76 100644
--- a/common/spl/spl_ubi.c
+++ b/common/spl/spl_ubi.c
@@ -77,6 +77,8 @@ int spl_ubi_load_image(struct spl_image_info *spl_image,
 			return 0;
 
 		puts("Loading Linux failed, falling back to U-Boot.\n");
+		if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+			return ret;
 	}
 #endif
 
-- 
2.51.0

Re: [PATCH v2 2/8] spl: Kconfig: allow K3 devices to use falcon mode

[Andrew Davis]

On 9/23/25 8:08 AM, Anshul Dalal wrote:
> Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
> ("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
> HS devices and but can now be enabled with the addition of
> OS_BOOT_SECURE.
> 
> For secure boot, the kernel with x509 headers can be packaged in a fit
> container (fitImage) signed with TIFS keys for authentication.
> 
> Signed-off-by: Anshul Dalal <anshuld@ti.com>
> ---
>   common/spl/Kconfig | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/common/spl/Kconfig b/common/spl/Kconfig
> index 7e87e50f693..ab780da9e1c 100644
> --- a/common/spl/Kconfig
> +++ b/common/spl/Kconfig
> @@ -1201,7 +1201,7 @@ config SPL_ONENAND_SUPPORT
>   
>   config SPL_OS_BOOT
>   	bool "Activate Falcon Mode"
> -	depends on !TI_SECURE_DEVICE
> +	select SPL_OS_BOOT_SECURE if TI_SECURE_DEVICE
>   	help
>   	  Enable booting directly to an OS from SPL.
>   	  for more info read doc/README.falcon

The subject doesn't need to include "K3", this is for all
TI secure devices.

This patch should also go last in the series. Not that it
causes any break, but feels like a "security bisectability"
problem to allow something and then after make it secure.

Andrew

Re: [PATCH v2 2/8] spl: Kconfig: allow K3 devices to use falcon mode

[Anshul Dalal]

On Tue Sep 23, 2025 at 9:48 PM IST, Andrew Davis wrote:
> On 9/23/25 8:08 AM, Anshul Dalal wrote:
>> Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
>> ("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
>> HS devices and but can now be enabled with the addition of
>> OS_BOOT_SECURE.
>> 
>> For secure boot, the kernel with x509 headers can be packaged in a fit
>> container (fitImage) signed with TIFS keys for authentication.
>> 
>> Signed-off-by: Anshul Dalal <anshuld@ti.com>
>> ---
>>   common/spl/Kconfig | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/common/spl/Kconfig b/common/spl/Kconfig
>> index 7e87e50f693..ab780da9e1c 100644
>> --- a/common/spl/Kconfig
>> +++ b/common/spl/Kconfig
>> @@ -1201,7 +1201,7 @@ config SPL_ONENAND_SUPPORT
>>   
>>   config SPL_OS_BOOT
>>   	bool "Activate Falcon Mode"
>> -	depends on !TI_SECURE_DEVICE
>> +	select SPL_OS_BOOT_SECURE if TI_SECURE_DEVICE
>>   	help
>>   	  Enable booting directly to an OS from SPL.
>>   	  for more info read doc/README.falcon
>
> The subject doesn't need to include "K3", this is for all
> TI secure devices.
>

Oh yeah, will fix in the next revision.

> This patch should also go last in the series. Not that it
> causes any break, but feels like a "security bisectability"
> problem to allow something and then after make it secure.
>

I was more looking at it from the ability to test the subsequent patches
in the series on any TI platform which would depend on this [2/8] patch.

Though your concern is valid too but there are still a few things
remaining from this series that would need to be implemented to make
falcon mode truly secure on TI_SECURE_DEVICE. Perhaps we should drop
this patch until everything's in place?

Regards,
Anshul

Re: [PATCH v2 2/8] spl: Kconfig: allow K3 devices to use falcon mode

[Andrew Davis]

On 9/24/25 7:55 AM, Anshul Dalal wrote:
> On Tue Sep 23, 2025 at 9:48 PM IST, Andrew Davis wrote:
>> On 9/23/25 8:08 AM, Anshul Dalal wrote:
>>> Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
>>> ("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
>>> HS devices and but can now be enabled with the addition of
>>> OS_BOOT_SECURE.
>>>
>>> For secure boot, the kernel with x509 headers can be packaged in a fit
>>> container (fitImage) signed with TIFS keys for authentication.
>>>
>>> Signed-off-by: Anshul Dalal <anshuld@ti.com>
>>> ---
>>>    common/spl/Kconfig | 2 +-
>>>    1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/common/spl/Kconfig b/common/spl/Kconfig
>>> index 7e87e50f693..ab780da9e1c 100644
>>> --- a/common/spl/Kconfig
>>> +++ b/common/spl/Kconfig
>>> @@ -1201,7 +1201,7 @@ config SPL_ONENAND_SUPPORT
>>>    
>>>    config SPL_OS_BOOT
>>>    	bool "Activate Falcon Mode"
>>> -	depends on !TI_SECURE_DEVICE
>>> +	select SPL_OS_BOOT_SECURE if TI_SECURE_DEVICE
>>>    	help
>>>    	  Enable booting directly to an OS from SPL.
>>>    	  for more info read doc/README.falcon
>>
>> The subject doesn't need to include "K3", this is for all
>> TI secure devices.
>>
> 
> Oh yeah, will fix in the next revision.
> 
>> This patch should also go last in the series. Not that it
>> causes any break, but feels like a "security bisectability"
>> problem to allow something and then after make it secure.
>>
> 
> I was more looking at it from the ability to test the subsequent patches
> in the series on any TI platform which would depend on this [2/8] patch.
> 
> Though your concern is valid too but there are still a few things
> remaining from this series that would need to be implemented to make
> falcon mode truly secure on TI_SECURE_DEVICE. Perhaps we should drop
> this patch until everything's in place?
> 
Yeah, I'd save this to the very end of all your series here, that way
it signals that we now think SPL_OS_BOOT_SECURE is functional and secure.

Andrew