From: Anshul Dalal <anshuld@ti.com>
To: Andrew Davis <afd@ti.com>,
"Raghavendra, Vignesh" <vigneshr@ti.com>, <u-boot@lists.denx.de>
Cc: <trini@konsulko.com>, <m-chawdhry@ti.com>, <n-francis@ti.com>,
<b-liu@ti.com>
Subject: Re: [PATCH v6 1/9] spl: Kconfig: allow K3 devices to use falcon mode
Date: Fri, 30 May 2025 14:47:12 +0530 [thread overview]
Message-ID: <DA9DRVD9402Z.3USEIDF3PCOY0@ti.com> (raw)
In-Reply-To: <5a92b8f0-c320-4f76-95be-f3f96e558237@ti.com>
On Thu May 29, 2025 at 7:06 AM IST, Andrew Davis wrote:
> On 5/28/25 8:08 PM, Anshul Dalal wrote:
>> On Wed May 28, 2025 at 9:09 PM IST, Andrew Davis wrote:
>>> On 5/8/25 6:37 AM, Anshul Dalal wrote:
>>>> On Thu May 8, 2025 at 9:32 AM IST, Vignesh Raghavendra wrote:
>>>>>
>>>>>
>>>>> On 5/8/2025 8:42 AM, Anshul Dalal wrote:
>>>>>> On Wed May 7, 2025 at 11:36 PM IST, Andrew Davis wrote:
>>>>>>> On 5/6/25 10:33 PM, Anshul Dalal wrote:
>>>>>>>> On Tue May 6, 2025 at 8:03 PM IST, Andrew Davis wrote:
>>>>>>>>> On 4/28/25 9:12 AM, Anshul Dalal wrote:
>>>>>>>>>> Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
>>>>>>>>>> ("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
>>>>>>>>>> HS devices and can be enabled on K3 devices.
>>>>>>>>>>
>>>>>>>>>> For secure boot, the kernel with x509 headers can be packaged in a fit
>>>>>>>>> "can be", this is the issue. Security is not just allowing methods that
>>>>>>>>> are security checked, but forcing the use of such methods. Setting
>>>>>>>>> OS_BOOT opens up several paths that look for non-FIT images. These
>>>>>>>>> images do not enforce authentication like FIT does. This means one can
>>>>>>>>> bypass secure boot when OS_BOOT is enabled by simply placing a non-FIT
>>>>>>>>> boot image on the boot media.
>>>>>>>>>
>>>>>>>> As per spl_load_image_ext_os, the SPL first tries to load the file set
>>>>>>>> in falcon_args_file env variable but since it's not set in our case. And
>>>>>>>> the only way to set them is by rebuilding u-boot as uEnv.txt is not
>>>>>>>> supported at SPL stage.
>>>>>>>>
>>>>>>>> This means the SPL only loads CONFIG_SPL_FS_LOAD_ARGS_NAME and
>>>>>>>> CONFIG_SPL_FS_LOAD_KERNEL_NAME which are set as the DTB and fitImage
>>>>>>> What is stopping me from replacing the content of the file "fitImage"
>>>>>>> with a normal kernel image? When loading that image the file type
>>>>>>> will be detected as a normal kernel image and all FIT logic bypassed,
>>>>>>> including authentication, breaking our secure chain of trust.
>>>>>>>
>>>>>>> Andrew
>>>>>> That would require booti_setup to be executed in spl_parse_image_header,
>>>>>> which is not possible on the R5 SPL since the required config symbol
>>>>>> CMD_BOOTI is only available for ARM64 platforms.
>>>>>>
>>>>>> In the worst case we end up loading a 32-bit zImage which wouldn't
>>>>>> boot on the Cortex-A cores anyway and would additionally require
>>>>>> enabling CMD_BOOTZ (currently disabled) at build time.
>>>>>
>>>>> Is there any path where R5 SPL can be tricked to load and jump to
>>>>> arbitrary binary? zImage, Image, elf, bin whatever?
>>>>>
>>>>> IOW, does SPL_OS_BOOT always check for some sort of header for the image
>>>>> that it loads and the only type of header we have enabled here is fitImage?
>>>>
>>>> It does check for the header and proceeds only with the desired security
>>>> enforced execution flow if the loaded image is FIT. For all other image
>>>> types, they are guarded by config symbols that are set unset in our case
>>>
>>> Are you sure?
>>>
>>> The only thing preventing this from continuing in spl_parse_image_header()
>>> is a check for CONFIG_SPL_PANIC_ON_RAW_IMAGE. Which is not set for us.
>>>
>>> After that we check if OS_BOOT is enabled and if so allow for kernel
>>> images to also pass[0]. What stops this from functioning?
>>>
>>> Andrew
>>>
>>> [0] https://github.com/u-boot/u-boot/blob/master/common/spl/spl.c#L338
>>>
>>
>> It would not function because of the unset CONFIG_CMD_BOOTI which can
>> only be set on 64 bit platforms anyway[1]. Hence the following check
>> would fail in spl_parse_image_header:
>>
>> if (CONFIG_IS_ENABLED(OS_BOOT) && IS_ENABLED(CONFIG_CMD_BOOTI))
>>
>
> I linked the wrong line, the line a couple below for CONFIG_CMD_BOOTZ
> is the one that concerns me.
>
>> And as I said previously in the thread[2]; worst case is we load a
>> 32-bit zImage, support for which would have to be explicitly enabled at
>> build time as the respective config CMD_BOOTZ is kept unset currently.
>>
>
> What forces CMD_BOOTZ to not be set? Can it be enabled in SPL at all?
> If it can you should make it "depends on !TI_SECURE_DEVICE" like other
> dangerous to the secure chain of trust configs.
>
Sure, I'll update Kconfig to make CMD_BOOTZ and TI_SECURE_DEVICE
mutually exclusive in the next revision just like SPL_RAW_IMAGE_SUPPORT.
Thanks for the review!
~ Anshul
next prev parent reply other threads:[~2025-05-30 9:17 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-28 14:12 [PATCH v6 0/9] Add falcon support for am62a, 62p and 62x Anshul Dalal
2025-04-28 14:12 ` [PATCH v6 1/9] spl: Kconfig: allow K3 devices to use falcon mode Anshul Dalal
2025-05-06 14:33 ` Andrew Davis
2025-05-07 3:33 ` Anshul Dalal
2025-05-07 18:06 ` Andrew Davis
2025-05-08 3:12 ` Anshul Dalal
2025-05-08 4:02 ` Raghavendra, Vignesh
2025-05-08 11:37 ` Anshul Dalal
2025-05-28 15:39 ` Andrew Davis
2025-05-29 1:08 ` Anshul Dalal
2025-05-29 1:36 ` Andrew Davis
2025-05-30 9:17 ` Anshul Dalal [this message]
2025-04-28 14:12 ` [PATCH v6 2/9] mach-k3: fix reading size and addr from fdt on R5 Anshul Dalal
2025-04-28 14:12 ` [PATCH v6 3/9] arch: arm: k3-binman: add fit for falcon boot Anshul Dalal
2025-04-28 14:12 ` [PATCH v6 4/9] mach-k3: sysfw-loader: update img_hdr for falcon Anshul Dalal
2025-04-28 14:12 ` [PATCH v6 5/9] config: add falcon boot config fragment for am62x Anshul Dalal
2025-04-28 14:12 ` [PATCH v6 6/9] board: ti: add default dtb for am62 in falcon mode Anshul Dalal
2025-04-28 14:12 ` [PATCH v6 7/9] mach-k3: common: enable falcon mode for 62 platform Anshul Dalal
2025-04-28 14:12 ` [PATCH v6 8/9] Makefile: update tispl regex to also clean falcon spl Anshul Dalal
2025-04-28 14:12 ` [PATCH v6 9/9] doc: ti: am62: add falcon mode documentation Anshul Dalal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DA9DRVD9402Z.3USEIDF3PCOY0@ti.com \
--to=anshuld@ti.com \
--cc=afd@ti.com \
--cc=b-liu@ti.com \
--cc=m-chawdhry@ti.com \
--cc=n-francis@ti.com \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
--cc=vigneshr@ti.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox