From: Anshul Dalal <anshuld@ti.com>
To: Andrew Davis <afd@ti.com>, Anshul Dalal <anshuld@ti.com>,
	<u-boot@lists.denx.de>
Cc: <vigneshr@ti.com>, <trini@konsulko.com>, <m-chawdhry@ti.com>,
	<n-francis@ti.com>, <b-liu@ti.com>, <nm@ti.com>, <bb@ti.com>,
	<kever.yang@rock-chips.com>, <hl@rock-chips.com>,
	<tim@feathertop.org>, <marek.vasut+renesas@mailbox.org>
Subject: Re: [PATCH v2 2/8] spl: Kconfig: allow K3 devices to use falcon mode
Date: Wed, 24 Sep 2025 18:25:25 +0530
Message-ID: <DD11OP1DYB5Y.4ABDK7GP4SSO@ti.com>
In-Reply-To: <134414a0-8fcc-4fb0-9f53-3dc803d41b70@ti.com>

On Tue Sep 23, 2025 at 9:48 PM IST, Andrew Davis wrote:
> On 9/23/25 8:08 AM, Anshul Dalal wrote:
>> Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
>> ("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
>> HS devices but can now be enabled with the addition of
>> OS_BOOT_SECURE.
>> 
>> For secure boot, the kernel with x509 headers can be packaged in a fit
>> container (fitImage) signed with TIFS keys for authentication.
>> 
>> Signed-off-by: Anshul Dalal <anshuld@ti.com>
>> ---
>>   common/spl/Kconfig | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/common/spl/Kconfig b/common/spl/Kconfig
>> index 7e87e50f693..ab780da9e1c 100644
>> --- a/common/spl/Kconfig
>> +++ b/common/spl/Kconfig
>> @@ -1201,7 +1201,7 @@ config SPL_ONENAND_SUPPORT
>>   
>>   config SPL_OS_BOOT
>>   	bool "Activate Falcon Mode"
>> -	depends on !TI_SECURE_DEVICE
>> +	select SPL_OS_BOOT_SECURE if TI_SECURE_DEVICE
>>   	help
>>   	  Enable booting directly to an OS from SPL.
>>   	  for more info read doc/README.falcon
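Review bot: The help text under `config SPL_OS_BOOT` is left unchanged even though the new `select SPL_OS_BOOT_SECURE if TI_SECURE_DEVICE` line changes what enabling falcon mode means on TI secure devices; add a sentence there saying that on TI_SECURE_DEVICE this option also enables SPL_OS_BOOT_SECURE. Because `select` forces a symbol on without evaluating that symbol's own dependencies, it is also worth confirming that SPL_OS_BOOT_SECURE carries no `depends on` that a TI_SECURE_DEVICE configuration could leave unmet.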
>
> The subject doesn't need to include "K3", this is for all
> TI secure devices.
>

Oh yeah, will fix in the next revision.

> This patch should also go last in the series. Not that it
> causes any break, but feels like a "security bisectability"
> problem to allow something and then after make it secure.
>

I was more looking at it from the ability to test the subsequent patches
in the series on any TI platform which would depend on this [2/8] patch.

Though your concern is valid too, there are still a few things
remaining from this series that would need to be implemented to make
falcon mode truly secure on TI_SECURE_DEVICE. Perhaps we should drop
this patch until everything's in place?

Regards,
Anshul

Thread overview: 12+ messages
2025-09-23 13:08 [PATCH v2 0/8] Add support for secure falcon mode: disable fallback Anshul Dalal
2025-09-23 13:08 ` [PATCH v2 1/8] spl: Kconfig: add SPL_OS_BOOT_SECURE config symbol Anshul Dalal
2025-09-23 13:08 ` [PATCH v2 2/8] spl: Kconfig: allow K3 devices to use falcon mode Anshul Dalal
2025-09-23 16:18   ` Andrew Davis
2025-09-24 12:55     ` Anshul Dalal [this message]
2025-09-24 14:00       ` Andrew Davis
2025-09-23 13:08 ` [PATCH v2 3/8] spl: mmc: split spl_mmc_do_fs_boot into regular/os_boot Anshul Dalal
2025-09-23 13:08 ` [PATCH v2 4/8] spl: ubi: refactor spl_ubi_load_image for falcon mode Anshul Dalal
2025-09-23 13:08 ` [PATCH v2 5/8] spl: spi: refactor spl_spi_load_image " Anshul Dalal
2025-09-23 13:08 ` [PATCH v2 6/8] spl: nor: refactor spl_nor_load_image " Anshul Dalal
2025-09-23 13:08 ` [PATCH v2 7/8] spl: nand: refactor spl_nand_load_image " Anshul Dalal
2025-09-23 13:09 ` [PATCH v2 8/8] spl: falcon: disable fallback to U-Boot on failure Anshul Dalal
