[PATCH v1 0/5] Allow falcon boot from A-core SPL on K3 devices

[PATCH v1 0/5] Allow falcon boot from A-core SPL on K3 devices

[Anshul Dalal]

Hi all,

With the addition of secure falcon mode from my last few series[1], this series
now adds support for the same to TI's K3 devices and documents the feature
taking AM62x EVM as an example.

The patch [5/5] (doc: develop: falcon: document unsetting CMD_BOOTx) of the
series is a workaround for now since we first need to refactor out the usage of
CMD_BOOTI/CMD_BOOTZ options from the SPL boot flow[2].

I will be working on a respin of my older series[3] addressing the same but for
now the workaround of disabling respective CMD_BOOTx option works well enough.
With that in place we should be able to revert the patch [5/5].

Regards,
Anshul

[1]: Patch series adding secure falcon mode support (in order of dependency):
  https://lore.kernel.org/u-boot/20250923124639.667718-1-anshuld@ti.com/ [MERGED]
  https://lore.kernel.org/u-boot/20251006101057.4172248-1-anshuld@ti.com/
  https://lore.kernel.org/u-boot/20251009115846.897186-1-anshuld@ti.com/
[2]: https://lore.kernel.org/u-boot/20250310135544.GV2640854@bill-the-cat/
[3]: https://lore.kernel.org/u-boot/20250408141436.712387-1-anshuld@ti.com/
---
Anshul Dalal (5):
  spl: Kconfig: allow falcon mode for TI secure devices
  board: ti: common: Kconfig: add CMD_SPL
  arm: mach-k3: enable support for falcon mode
  doc: develop: add docs for secure falcon mode
  doc: develop: falcon: document unsetting CMD_BOOTI

 arch/arm/mach-k3/common.c |   7 ++
 board/ti/common/Kconfig   |   1 +
 common/spl/Kconfig        |   2 +-
 doc/develop/falcon.rst    | 255 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 264 insertions(+), 1 deletion(-)

-- 
2.51.0

[PATCH v1 1/5] spl: Kconfig: allow falcon mode for TI secure devices

[Anshul Dalal]

Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
HS devices and but can now be enabled with the addition of
OS_BOOT_SECURE.

For secure boot, the kernel with x509 headers can be packaged in a fit
container (fitImage) signed with TIFS keys for authentication.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index 59be80dc55b..4810cec79f4 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -1202,7 +1202,7 @@ config SPL_ONENAND_SUPPORT
 
 config SPL_OS_BOOT
 	bool "Activate Falcon Mode"
-	depends on !TI_SECURE_DEVICE
+	select SPL_OS_BOOT_SECURE if TI_SECURE_DEVICE
 	help
 	  Enable booting directly to an OS from SPL.
 	  for more info read doc/README.falcon
-- 
2.51.0

[PATCH v1 2/5] board: ti: common: Kconfig: add CMD_SPL

[Anshul Dalal]

Add CMD_CACHE to list of configs implied by TI_COMMON_CMD_OPTIONS. This
allows the use of 'spl export'[1] command for preparing a device-tree
for falcon boot.

[1]: https://docs.u-boot.org/en/v2025.10/develop/falcon.html#using-spl-command

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 board/ti/common/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/board/ti/common/Kconfig b/board/ti/common/Kconfig
index f481812247c..fa8260e3fa4 100644
--- a/board/ti/common/Kconfig
+++ b/board/ti/common/Kconfig
@@ -53,6 +53,7 @@ config TI_COMMON_CMD_OPTIONS
 	imply CMD_REGULATOR if DM_REGULATOR
 	imply CMD_SF if SPI_FLASH
 	imply CMD_SPI
+	imply CMD_SPL
 	imply CMD_TIME
 	imply CMD_USB if USB
 
-- 
2.51.0

Re: [PATCH v1 2/5] board: ti: common: Kconfig: add CMD_SPL

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 908 bytes --]

On Fri, Oct 10, 2025 at 06:48:24PM +0530, Anshul Dalal wrote:
> Add CMD_CACHE to list of configs implied by TI_COMMON_CMD_OPTIONS. This
> allows the use of 'spl export'[1] command for preparing a device-tree
> for falcon boot.
> 
> [1]: https://docs.u-boot.org/en/v2025.10/develop/falcon.html#using-spl-command
> 
> Signed-off-by: Anshul Dalal <anshuld@ti.com>
> ---
>  board/ti/common/Kconfig | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/board/ti/common/Kconfig b/board/ti/common/Kconfig
> index f481812247c..fa8260e3fa4 100644
> --- a/board/ti/common/Kconfig
> +++ b/board/ti/common/Kconfig
> @@ -53,6 +53,7 @@ config TI_COMMON_CMD_OPTIONS
>  	imply CMD_REGULATOR if DM_REGULATOR
>  	imply CMD_SF if SPI_FLASH
>  	imply CMD_SPI
> +	imply CMD_SPL
>  	imply CMD_TIME
>  	imply CMD_USB if USB

Commit message says adding CMD_CACHE, content is adding CMD_SPL.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v1 2/5] board: ti: common: Kconfig: add CMD_SPL

[Anshul Dalal]

On Fri Oct 10, 2025 at 9:33 PM IST, Tom Rini wrote:
> On Fri, Oct 10, 2025 at 06:48:24PM +0530, Anshul Dalal wrote:
>> Add CMD_CACHE to list of configs implied by TI_COMMON_CMD_OPTIONS. This
>> allows the use of 'spl export'[1] command for preparing a device-tree
>> for falcon boot.
>> 
>> [1]: https://docs.u-boot.org/en/v2025.10/develop/falcon.html#using-spl-command
>> 
>> Signed-off-by: Anshul Dalal <anshuld@ti.com>
>> ---
>>  board/ti/common/Kconfig | 1 +
>>  1 file changed, 1 insertion(+)
>> 
>> diff --git a/board/ti/common/Kconfig b/board/ti/common/Kconfig
>> index f481812247c..fa8260e3fa4 100644
>> --- a/board/ti/common/Kconfig
>> +++ b/board/ti/common/Kconfig
>> @@ -53,6 +53,7 @@ config TI_COMMON_CMD_OPTIONS
>>  	imply CMD_REGULATOR if DM_REGULATOR
>>  	imply CMD_SF if SPI_FLASH
>>  	imply CMD_SPI
>> +	imply CMD_SPL
>>  	imply CMD_TIME
>>  	imply CMD_USB if USB
>
> Commit message says adding CMD_CACHE, content is adding CMD_SPL.

Oh my bad, I guess I forgot to edit the message I copied from an older
commit. Will fix in the next revision.

[PATCH v1 3/5] arm: mach-k3: enable support for falcon mode

[Anshul Dalal]

With CONFIG_SPL_OS_BOOT enabled, U-Boot checks for the return value of
spl_start_uboot to select between falcon or the regular boot flow. With
a return value of 0 implying falcon mode.

This patch overrides the weak definition form common/spl/spl.c to allow
K3 devices to use falcon mode with SPL_OS_BOOT enabled.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 arch/arm/mach-k3/common.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/arch/arm/mach-k3/common.c b/arch/arm/mach-k3/common.c
index 5483ac9906c..41c96cbd4c5 100644
--- a/arch/arm/mach-k3/common.c
+++ b/arch/arm/mach-k3/common.c
@@ -425,3 +425,10 @@ release_proc_ctrl:
 	proc_ops->proc_release(ti_sci, PROC_ID_MCU_R5FSS0_CORE1);
 	return ret;
 }
+
+#if CONFIG_IS_ENABLED(OS_BOOT)
+int spl_start_uboot(void)
+{
+	return 0;
+}
+#endif
-- 
2.51.0

Re: [PATCH v1 3/5] arm: mach-k3: enable support for falcon mode

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 1256 bytes --]

On Fri, Oct 10, 2025 at 06:48:25PM +0530, Anshul Dalal wrote:

> With CONFIG_SPL_OS_BOOT enabled, U-Boot checks for the return value of
> spl_start_uboot to select between falcon or the regular boot flow. With
> a return value of 0 implying falcon mode.
> 
> This patch overrides the weak definition form common/spl/spl.c to allow
> K3 devices to use falcon mode with SPL_OS_BOOT enabled.
> 
> Signed-off-by: Anshul Dalal <anshuld@ti.com>
> ---
>  arch/arm/mach-k3/common.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/arch/arm/mach-k3/common.c b/arch/arm/mach-k3/common.c
> index 5483ac9906c..41c96cbd4c5 100644
> --- a/arch/arm/mach-k3/common.c
> +++ b/arch/arm/mach-k3/common.c
> @@ -425,3 +425,10 @@ release_proc_ctrl:
>  	proc_ops->proc_release(ti_sci, PROC_ID_MCU_R5FSS0_CORE1);
>  	return ret;
>  }
> +
> +#if CONFIG_IS_ENABLED(OS_BOOT)
> +int spl_start_uboot(void)
> +{
> +	return 0;
> +}
> +#endif

I've seen this in other parts of the series too, sorry.
CONFIG_IS_ENABLED(OS_BOOT) doesn't make sense, it should be
IS_ENABLED(CONFIG_SPL_OS_BOOT) or just a regular #ifdef. Also for this
example please add a comment to the function explaining why it's always
enabling falcon mode.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v1 3/5] arm: mach-k3: enable support for falcon mode

[Anshul Dalal]

Hi Tom,

On Fri Oct 10, 2025 at 9:35 PM IST, Tom Rini wrote:
> On Fri, Oct 10, 2025 at 06:48:25PM +0530, Anshul Dalal wrote:
>
>> With CONFIG_SPL_OS_BOOT enabled, U-Boot checks for the return value of
>> spl_start_uboot to select between falcon or the regular boot flow. With
>> a return value of 0 implying falcon mode.
>> 
>> This patch overrides the weak definition form common/spl/spl.c to allow
>> K3 devices to use falcon mode with SPL_OS_BOOT enabled.
>> 
>> Signed-off-by: Anshul Dalal <anshuld@ti.com>
>> ---
>>  arch/arm/mach-k3/common.c | 7 +++++++
>>  1 file changed, 7 insertions(+)
>> 
>> diff --git a/arch/arm/mach-k3/common.c b/arch/arm/mach-k3/common.c
>> index 5483ac9906c..41c96cbd4c5 100644
>> --- a/arch/arm/mach-k3/common.c
>> +++ b/arch/arm/mach-k3/common.c
>> @@ -425,3 +425,10 @@ release_proc_ctrl:
>>  	proc_ops->proc_release(ti_sci, PROC_ID_MCU_R5FSS0_CORE1);
>>  	return ret;
>>  }
>> +
>> +#if CONFIG_IS_ENABLED(OS_BOOT)
>> +int spl_start_uboot(void)
>> +{
>> +	return 0;
>> +}
>> +#endif
>
> I've seen this in other parts of the series too, sorry.
> CONFIG_IS_ENABLED(OS_BOOT) doesn't make sense, it should be

Is that because OS_BOOT by itself is meaningless and
CONFIG_IS_ENABLED(OS_BOOT) would always fall to checking for
CONFIG_SPL_OS_BOOT? I mostly stuck with CONFIG_IS_ENABLED to avoid the
extra three characters when using IS_ENABLED instead.

> IS_ENABLED(CONFIG_SPL_OS_BOOT) or just a regular #ifdef. Also for this
> example please add a comment to the function explaining why it's always
> enabling falcon mode.

Will add an explantory comment in the next revision.

Regards,
Anshul

Re: [PATCH v1 3/5] arm: mach-k3: enable support for falcon mode

[Anshul Dalal]

On Sat Oct 11, 2025 at 3:26 PM IST, Anshul Dalal wrote:
> Hi Tom,
>
> On Fri Oct 10, 2025 at 9:35 PM IST, Tom Rini wrote:
>> On Fri, Oct 10, 2025 at 06:48:25PM +0530, Anshul Dalal wrote:
>>
>>> With CONFIG_SPL_OS_BOOT enabled, U-Boot checks for the return value of
>>> spl_start_uboot to select between falcon or the regular boot flow. With
>>> a return value of 0 implying falcon mode.
>>> 
>>> This patch overrides the weak definition form common/spl/spl.c to allow
>>> K3 devices to use falcon mode with SPL_OS_BOOT enabled.
>>> 
>>> Signed-off-by: Anshul Dalal <anshuld@ti.com>
>>> ---
>>>  arch/arm/mach-k3/common.c | 7 +++++++
>>>  1 file changed, 7 insertions(+)
>>> 
>>> diff --git a/arch/arm/mach-k3/common.c b/arch/arm/mach-k3/common.c
>>> index 5483ac9906c..41c96cbd4c5 100644
>>> --- a/arch/arm/mach-k3/common.c
>>> +++ b/arch/arm/mach-k3/common.c
>>> @@ -425,3 +425,10 @@ release_proc_ctrl:
>>>  	proc_ops->proc_release(ti_sci, PROC_ID_MCU_R5FSS0_CORE1);
>>>  	return ret;
>>>  }
>>> +
>>> +#if CONFIG_IS_ENABLED(OS_BOOT)
>>> +int spl_start_uboot(void)
>>> +{
>>> +	return 0;
>>> +}
>>> +#endif
>>
>> I've seen this in other parts of the series too, sorry.
>> CONFIG_IS_ENABLED(OS_BOOT) doesn't make sense, it should be
>
> Is that because OS_BOOT by itself is meaningless and
> CONFIG_IS_ENABLED(OS_BOOT) would always fall to checking for
> CONFIG_SPL_OS_BOOT? I mostly stuck with CONFIG_IS_ENABLED to avoid the
> extra three characters when using IS_ENABLED instead.
>

Apparently there are quite a few instances of CONFIG_IS_ENABLED(OS_BOOT)
in the source even before this patch series. I'll change it to
IS_ENABLED for this series in a v2 but for the existing instances, I
think it's better to follow up with a clean up patch once all other
remaining falcon series are merged.

>> IS_ENABLED(CONFIG_SPL_OS_BOOT) or just a regular #ifdef. Also for this
>> example please add a comment to the function explaining why it's always
>> enabling falcon mode.
>
> Will add an explantory comment in the next revision.
>
> Regards,
> Anshul

Re: [PATCH v1 3/5] arm: mach-k3: enable support for falcon mode

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 2037 bytes --]

On Wed, Oct 15, 2025 at 02:31:49PM +0530, Anshul Dalal wrote:
> On Sat Oct 11, 2025 at 3:26 PM IST, Anshul Dalal wrote:
> > Hi Tom,
> >
> > On Fri Oct 10, 2025 at 9:35 PM IST, Tom Rini wrote:
> >> On Fri, Oct 10, 2025 at 06:48:25PM +0530, Anshul Dalal wrote:
> >>
> >>> With CONFIG_SPL_OS_BOOT enabled, U-Boot checks for the return value of
> >>> spl_start_uboot to select between falcon or the regular boot flow. With
> >>> a return value of 0 implying falcon mode.
> >>> 
> >>> This patch overrides the weak definition form common/spl/spl.c to allow
> >>> K3 devices to use falcon mode with SPL_OS_BOOT enabled.
> >>> 
> >>> Signed-off-by: Anshul Dalal <anshuld@ti.com>
> >>> ---
> >>>  arch/arm/mach-k3/common.c | 7 +++++++
> >>>  1 file changed, 7 insertions(+)
> >>> 
> >>> diff --git a/arch/arm/mach-k3/common.c b/arch/arm/mach-k3/common.c
> >>> index 5483ac9906c..41c96cbd4c5 100644
> >>> --- a/arch/arm/mach-k3/common.c
> >>> +++ b/arch/arm/mach-k3/common.c
> >>> @@ -425,3 +425,10 @@ release_proc_ctrl:
> >>>  	proc_ops->proc_release(ti_sci, PROC_ID_MCU_R5FSS0_CORE1);
> >>>  	return ret;
> >>>  }
> >>> +
> >>> +#if CONFIG_IS_ENABLED(OS_BOOT)
> >>> +int spl_start_uboot(void)
> >>> +{
> >>> +	return 0;
> >>> +}
> >>> +#endif
> >>
> >> I've seen this in other parts of the series too, sorry.
> >> CONFIG_IS_ENABLED(OS_BOOT) doesn't make sense, it should be
> >
> > Is that because OS_BOOT by itself is meaningless and
> > CONFIG_IS_ENABLED(OS_BOOT) would always fall to checking for
> > CONFIG_SPL_OS_BOOT? I mostly stuck with CONFIG_IS_ENABLED to avoid the
> > extra three characters when using IS_ENABLED instead.
> >
> 
> Apparently there are quite a few instances of CONFIG_IS_ENABLED(OS_BOOT)
> in the source even before this patch series. I'll change it to
> IS_ENABLED for this series in a v2 but for the existing instances, I
> think it's better to follow up with a clean up patch once all other
> remaining falcon series are merged.

Sounds good, thanks.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

[PATCH v1 4/5] doc: develop: add docs for secure falcon mode

[Anshul Dalal]

This patch documents the newly added SPL_OS_BOOT_SECURE option that
enables authenticated boot in falcon mode.

The document provides steps for using secure falcon mode on ARM64 taking
TI's AM62x EVM as an example.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 doc/develop/falcon.rst | 251 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 251 insertions(+)

diff --git a/doc/develop/falcon.rst b/doc/develop/falcon.rst
index 5689d5b93a7..add0376d272 100644
--- a/doc/develop/falcon.rst
+++ b/doc/develop/falcon.rst
@@ -82,6 +82,14 @@ CONFIG_CMD_SPL_WRITE_SIZE
 CONFIG_SPL_OS_BOOT
     Activate Falcon Mode.
 
+CONFIG_SPL_OS_BOOT_ARGS
+    Allow SPL to load args file for the kernel in Falcon Mode. This option can
+    be disabled if the device-tree is packaged directly in the FIT payload.
+
+CONFIG_SPL_OS_BOOT_SECURE
+    Enable secure boot for Falcon Mode, which provides an additional layer of
+    security by authenticating the boot process using a signed FIT image.
+
 Function that a board must implement
 ------------------------------------
 
@@ -187,6 +195,249 @@ Falcon Mode was presented at the RMLL 2012. Slides are available at:
 
 http://schedule2012.rmll.info/IMG/pdf/LSM2012_UbootFalconMode_Babic.pdf
 
+Secure Falcon Mode
+------------------
+
+Introduction
+~~~~~~~~~~~~
+
+Secure Falcon Mode is an enhancement to Falcon Mode that provides additional
+security features. It authenticates the boot process using a signed FIT Image
+and restricts certain features that are inherently insecure.
+
+Configuration
+~~~~~~~~~~~~~
+
+To enable Secure Falcon Mode, the ``CONFIG_SPL_OS_BOOT_SECURE`` option must be
+set. This option modifies the behavior of Falcon Mode in the following ways:
+
+1. Fallback Mechanism:
+^^^^^^^^^^^^^^^^^^^^^^
+
+Unlike regular Falcon Mode, which falls back to the standard U-Boot boot flow
+if kernel booting fails, Secure Falcon Mode disables this fallback mechanism. If
+the secure boot process fails, the boot process will not proceed.
+
+2. Signed FIT Image:
+^^^^^^^^^^^^^^^^^^^^
+
+Secure Falcon Mode requires a signed FIT, which contains the kernel and
+device tree, to boot the system. The ``falcon_args_file`` environment variable
+is ignored, and instead, the device tree is read from the signed FIT. This
+ensures the authenticity and integrity of the boot process.
+
+Example
+~~~~~~~
+
+Secure falcon mode can be enabled on TI AM62x EVM as follows with SD boot mode:
+
+1. Prepare the device-tree:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To optimize performance, the SPL in Falcon Mode expects the FIT to contain a
+device-tree with fixups already applied. Such a device-tree can be generated
+using the spl export command as follows:
+
+**Setting bootargs**
+
+Set the bootargs environment variable to the desired value:
+
+.. prompt:: bash =>
+
+        env set bootargs 'console=ttyS2,115200n8 root=/dev/mmcblk1p2 rw rootfstype=ext4 rootwait'
+
+**Read FIT from SD**
+
+Load the FIT image from the SD card:
+
+.. prompt:: bash =>
+
+        load mmc 1:2 0x90000000 /boot/fitImage
+
+**Generate device-tree**
+
+Use the ``spl export`` command to generate a device-tree with fixups applied:
+
+.. prompt:: bash =>
+
+        spl export fdt 0x90000000
+
+**Save the device-tree**
+
+Write the generated device-tree to the SD card:
+
+.. prompt:: bash =>
+
+        fatwrite mmc 1:1 $fdtargsaddr k3-am625-sk-falcon.dtb $fdtargslen
+
+2. Create the FIT Image:
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+Create a new FIT image that includes the fixed device-tree generated in the
+previous step. You will also need to add a signed node to the SPL's FDT.
+
+Create a ``fitImage.its`` file with the following contents:
+
+.. code-block:: dts
+
+    /dts-v1/;
+
+    / {
+        description = "Kernel fitImage";
+        #address-cells = <1>;
+
+        images {
+            kernel {
+                description = "Linux kernel";
+                data = /incbin/("Image");
+                type = "kernel";
+                arch = "arm64";
+                os = "linux";
+                compression = "none";
+                load = <0x82000000>;
+                entry = <0x82000000>;
+                hash-1 {
+                    algo = "sha512";
+                };
+            };
+
+            fdt-falcon {
+                description = "Flattened Device Tree blob";
+                data = /incbin/("k3-am625-sk-falcon.dtb");
+                type = "flat_dt";
+                arch = "arm64";
+                compression = "none";
+                load = <0x88000000>;
+                entry = <0x88000000>;
+                hash-1 {
+                    algo = "sha512";
+                };
+            };
+        };
+
+        configurations {
+            default = "conf-ti_am625";
+
+            conf-ti_am625 {
+                description = "Linux kernel, FDT blob";
+                kernel = "kernel";
+                fdt = "fdt-falcon";
+                hash-1 {
+                    algo = "sha512";
+                };
+
+                signature-1 {
+                    algo = "sha512,rsa4096";
+                    key-name-hint = "custMpk";
+                    padding = "pkcs-1.5";
+                    sign-images = "kernel", "fdt-falcon";
+                };
+            };
+        };
+    };
+
+Then, use the mkimage tool to create the FIT image:
+
+.. prompt:: bash $
+
+        tools/mkimage -f fitImage.its -K build/spl/dts/ti/k3-am625-sk.dtb -k arch/arm/mach-k3/keys -r fitImage
+
+3. Rebuild U-Boot SPL:
+^^^^^^^^^^^^^^^^^^^^^^
+
+With the newly created ``fitImage`` written to the boot partition of the SD card
+and the keys added to the SPL's device-tree, you can rebuild the SPL with the
+following configuration fragment to enable Falcon Mode:
+
+::
+
+        CONFIG_SPL_OS_BOOT=y
+        CONFIG_SPL_OS_BOOT_SECURE=y
+        CONFIG_SPL_FIT_SIGNATURE=y
+        CONFIG_SPL_RSA=y
+
+        # Only support MMC falcon mode
+        CONFIG_SPL_SPI_FLASH_SUPPORT=n
+        CONFIG_SPL_NOR_SUPPORT=n
+        CONFIG_SPL_NAND_SUPPORT=n
+
+        # We don't need TIFS authenticating the FIT
+        CONFIG_SPL_FIT_IMAGE_POST_PROCESS=n
+
+        # Modify memory map to allow more space for the larger FIT
+        CONFIG_SPL_STACK_R_ADDR=0x88000000
+        CONFIG_SPL_LOAD_FIT_ADDRESS=0x82000000
+        CONFIG_SPL_STACK_R_MALLOC_SIMPLE_LEN=0x4000000
+
+Console Log
+~~~~~~~~~~~
+
+The following console log output shows the boot process with Secure Falcon Mode
+enabled:
+
+::
+
+        U-Boot SPL 2025.10-rc5-00482-ge14055bfa9d1-dirty (Oct 09 2025 - 14:31:50 +0530)
+        SYSFW ABI: 4.0 (firmware rev 0x000b '11.0.7--v11.00.07 (Fancy Rat)')
+        SPL initial stack usage: 1968 bytes
+        Trying to boot from MMC2
+        ## Checking hash(es) for config conf-ti_am625 ... sha512,rsa4096:custMpk+ OK
+        ## Checking hash(es) for Image kernel ... sha512+ OK
+        ## Checking hash(es) for Image fdt-falcon ... sha512+ OK
+        [    0.000000] Booting Linux on physical CPU 0x0000000000 [0x410fd034]
+        [    0.000000] Linux version 6.6.58-ti-01497-ga7758da17c28-dirty (oe-user@oe-host) (aarch64-oe-linux-gcc (GCC) 14.2.0, GNU ld (GNU Binutils) 2.43.1
+        .20241111) #1 SMP PREEMPT Wed Nov 27 13:23:15 UTC 2024
+        [    0.000000] KASLR enabled
+        [    0.000000] Machine model: Texas Instruments AM625 SK
+        [    0.000000] efi: UEFI not found.
+        [    0.000000] Reserved memory: created CMA memory pool at 0x00000000f8000000, size 128 MiB
+        [    0.000000] OF: reserved mem: initialized node linux,cma, compatible id shared-dma-pool
+        [    0.000000] OF: reserved mem: 0x00000000f8000000..0x00000000ffffffff (131072 KiB) map reusable linux,cma
+        [    0.000000] OF: reserved mem: 0x0000000080000000..0x000000008007ffff (512 KiB) nomap non-reusable tfa@80000000
+        [    0.000000] OF: reserved mem: 0x000000009c700000..0x000000009c7fffff (1024 KiB) map non-reusable ramoops@9c700000
+        [    0.000000] Reserved memory: created DMA memory pool at 0x000000009c800000, size 3 MiB
+        [    0.000000] OF: reserved mem: initialized node ipc-memories@9c800000, compatible id shared-dma-pool
+        [    0.000000] OF: reserved mem: 0x000000009c800000..0x000000009cafffff (3072 KiB) nomap non-reusable ipc-memories@9c800000
+        [    0.000000] Reserved memory: created DMA memory pool at 0x000000009cb00000, size 1 MiB
+        [    0.000000] OF: reserved mem: initialized node m4f-dma-memory@9cb00000, compatible id shared-dma-pool
+        [    0.000000] OF: reserved mem: 0x000000009cb00000..0x000000009cbfffff (1024 KiB) nomap non-reusable m4f-dma-memory@9cb00000
+        [    0.000000] Reserved memory: created DMA memory pool at 0x000000009cc00000, size 14 MiB
+        [    0.000000] OF: reserved mem: initialized node m4f-memory@9cc00000, compatible id shared-dma-pool
+        [    0.000000] OF: reserved mem: 0x000000009cc00000..0x000000009d9fffff (14336 KiB) nomap non-reusable m4f-memory@9cc00000
+        [    0.000000] Reserved memory: created DMA memory pool at 0x000000009da00000, size 1 MiB
+        [    0.000000] OF: reserved mem: initialized node r5f-dma-memory@9da00000, compatible id shared-dma-pool
+        [    0.000000] OF: reserved mem: 0x000000009da00000..0x000000009dafffff (1024 KiB) nomap non-reusable r5f-dma-memory@9da00000
+        [    0.000000] Reserved memory: created DMA memory pool at 0x000000009db00000, size 12 MiB
+        [    0.000000] OF: reserved mem: initialized node r5f-memory@9db00000, compatible id shared-dma-pool
+        [    0.000000] OF: reserved mem: 0x000000009db00000..0x000000009e6fffff (12288 KiB) nomap non-reusable r5f-memory@9db00000
+        [    0.000000] OF: reserved mem: 0x000000009e800000..0x000000009fffffff (24576 KiB) nomap non-reusable optee@9e800000
+        [    0.000000] Zone ranges:
+        [    0.000000]   DMA      [mem 0x0000000080000000-0x00000000ffffffff]
+        [    0.000000]   DMA32    empty
+        [    0.000000]   Normal   empty
+        [    0.000000] Movable zone start for each node
+        [    0.000000] Early memory node ranges
+        [    0.000000]   node   0: [mem 0x0000000080000000-0x000000008007ffff]
+        [    0.000000]   node   0: [mem 0x0000000080080000-0x000000009c7fffff]
+        [    0.000000]   node   0: [mem 0x000000009c800000-0x000000009e6fffff]
+        [    0.000000]   node   0: [mem 0x000000009e700000-0x000000009e7fffff]
+        [    0.000000]   node   0: [mem 0x000000009e800000-0x000000009fffffff]
+        [    0.000000]   node   0: [mem 0x00000000a0000000-0x00000000ffffffff]
+        [    0.000000] Initmem setup node 0 [mem 0x0000000080000000-0x00000000ffffffff]
+        [    0.000000] psci: probing for conduit method from DT.
+        [    0.000000] psci: PSCIv1.1 detected in firmware.
+        [    0.000000] psci: Using standard PSCI v0.2 function IDs
+        [    0.000000] psci: Trusted OS migration not required
+        [    0.000000] psci: SMC Calling Convention v1.5
+        [    0.000000] percpu: Embedded 20 pages/cpu s43176 r8192 d30552 u81920
+        [    0.000000] Detected VIPT I-cache on CPU0
+        [    0.000000] CPU features: detected: GIC system register CPU interface
+        [    0.000000] CPU features: kernel page table isolation forced ON by KASLR
+        [    0.000000] CPU features: detected: Kernel page table isolation (KPTI)
+        [    0.000000] CPU features: detected: ARM erratum 845719
+        [    0.000000] alternatives: applying boot alternatives
+        [    0.000000] Kernel command line: console=ttyS2,115200n8 root=/dev/mmcblk1p2 rw rootfstype=ext4 rootwait
+
 Falcon Mode Boot on RISC-V
 --------------------------
 
-- 
2.51.0

[PATCH v1 5/5] doc: develop: falcon: document unsetting CMD_BOOTx

[Anshul Dalal]

Currently secure falcon mode still allows for booting from raw kernel
images if the support is enabled by (CMD_BOOTI or CMD_BOOTZ).

So, this patch documents the need to explicitly disable those config
options to ensure only a verifiable FIT is a valid payload.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 doc/develop/falcon.rst | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/develop/falcon.rst b/doc/develop/falcon.rst
index add0376d272..5fe45b175d6 100644
--- a/doc/develop/falcon.rst
+++ b/doc/develop/falcon.rst
@@ -356,6 +356,10 @@ following configuration fragment to enable Falcon Mode:
         CONFIG_SPL_FIT_SIGNATURE=y
         CONFIG_SPL_RSA=y
 
+        # Disable support for booting raw kernel image
+        CONFIG_CMD_BOOTI=n
+        CONFIG_CMD_BOOTZ=n
+
         # Only support MMC falcon mode
         CONFIG_SPL_SPI_FLASH_SUPPORT=n
         CONFIG_SPL_NOR_SUPPORT=n
-- 
2.51.0