[PATCH v1 0/8] Add support for secure falcon mode: disable fallback

[PATCH v1 0/8] Add support for secure falcon mode: disable fallback

[Anshul Dalal]

Hi all,

Continuing from the last series[1], this patch series addresses the requirement
of allowing no fallbacks in secure falcon mode.

To do this in a clean way, all the falcon mode logic for each boot media was
refactored to a corresponding *_load_image_os function whereas the regular
boot is implemented in *_load_image, this allows us to easily return early in
case the *_load_image_os function fails with secure mode enabled.

The series also introduces the new SPL_OS_BOOT_SECURE config symbol which
enables secure falcon boot flow.

The generic flow after the patch series looks as follows:

	static int spl_<bootmedia>_load_image(...) {
		if (CONFIG_IS_ENABLED(OS_BOOT)) {

			ret = spl_<bootmedia>_load_image_os(...);

			if (CONFIG_IS_ENABLED(OS_BOOT_SECURE)) {
				printf("Falcon mode failed, no fallback allowed!\n");
				return ret;
			}

			printf("Falcon mode failed, falling back to default\n");
		}

		/* Regular boot flow */
	}

Regards,
Anshul

[1]: https://lore.kernel.org/u-boot/20250916103542.104773-1-anshuld@ti.com/
Depends-on: https://lore.kernel.org/u-boot/20250916103542.104773-1-anshuld@ti.com/

---
Anshul Dalal (8):
  spl: Kconfig: add SPL_OS_BOOT_SECURE config symbol
  spl: Kconfig: allow K3 devices to use falcon mode
  spl: mmc: split spl_mmc_do_fs_boot into regular/os_boot
  spl: ubi: refactor spl_ubi_load_image for falcon mode
  spl: spi: refactor spl_spi_load_image for falcon mode
  spl: nor: refactor spl_nor_load_image for falcon mode
  spl: nand: refactor spl_nand_load_image for falcon mode
  spl: falcon: disable fallback to U-Boot on failure

 common/spl/Kconfig    |  10 +++-
 common/spl/spl_mmc.c  |  84 ++++++++++++++++++++++------------
 common/spl/spl_nand.c |  95 +++++++++++++++++++++-----------------
 common/spl/spl_nor.c  | 104 ++++++++++++++++++++++++------------------
 common/spl/spl_spi.c  |  33 +++++++++++---
 common/spl/spl_ubi.c  |  46 ++++++++++++++-----
 6 files changed, 235 insertions(+), 137 deletions(-)

-- 
2.51.0

[PATCH v1 1/8] spl: Kconfig: add SPL_OS_BOOT_SECURE config symbol

[Anshul Dalal]

This patch adds the new SPL_OS_BOOT_SECURE symbol that enables secure
boot flow in falcon mode. This symbol can be used to disable certain
inherently insecure options during falcon boot.

Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/Kconfig | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index ab05536bd02..7e87e50f693 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -1206,6 +1206,14 @@ config SPL_OS_BOOT
 	  Enable booting directly to an OS from SPL.
 	  for more info read doc/README.falcon
 
+config SPL_OS_BOOT_SECURE
+	bool "Allow Falcon Mode on secure devices"
+	depends on SPL_OS_BOOT
+	help
+	  This allows for secure devices with signature verification capabilities
+	  to use falcon mode by disabling certain inherently non-securable options
+	  in the SPL boot flow.
+
 config SPL_PAYLOAD_ARGS_ADDR
 	hex "Address in memory to load 'args' file for Falcon Mode to"
 	depends on SPL_OS_BOOT || SPL_LOAD_FIT_OPENSBI_OS_BOOT
-- 
2.51.0

[PATCH v1 2/8] spl: Kconfig: allow K3 devices to use falcon mode

[Anshul Dalal]

Falcon mode was disabled for TI_SECURE_DEVICE at commit e95b9b4437bc
("ti_armv7_common: Disable Falcon Mode on HS devices") for older 32-bit
HS devices and but can now be enabled with the addition of
OS_BOOT_SECURE.

For secure boot, the kernel with x509 headers can be packaged in a fit
container (fitImage) signed with TIFS keys for authentication.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/spl/Kconfig b/common/spl/Kconfig
index 7e87e50f693..ab780da9e1c 100644
--- a/common/spl/Kconfig
+++ b/common/spl/Kconfig
@@ -1201,7 +1201,7 @@ config SPL_ONENAND_SUPPORT
 
 config SPL_OS_BOOT
 	bool "Activate Falcon Mode"
-	depends on !TI_SECURE_DEVICE
+	select SPL_OS_BOOT_SECURE if TI_SECURE_DEVICE
 	help
 	  Enable booting directly to an OS from SPL.
 	  for more info read doc/README.falcon
-- 
2.51.0

[PATCH v1 3/8] spl: mmc: split spl_mmc_do_fs_boot into regular/os_boot

[Anshul Dalal]

Currently the logic to handle falcon mode as well as the regular boot is
inside spl_mmc_do_fs_boot, this prevents us from cleanly extending
falcon mode functionality like toggleable fallback to U-Boot proper.

Therefore this patch splits the logic into spl_mmc_fs_load and
spl_mmc_fs_load_os to handle the regular boot and falcon mode use case.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_mmc.c | 80 +++++++++++++++++++++++++++-----------------
 1 file changed, 50 insertions(+), 30 deletions(-)

diff --git a/common/spl/spl_mmc.c b/common/spl/spl_mmc.c
index cd56cf71055..c5585d8e0d2 100644
--- a/common/spl/spl_mmc.c
+++ b/common/spl/spl_mmc.c
@@ -193,6 +193,46 @@ int spl_start_uboot(void)
 }
 #endif
 
+static int spl_mmc_fs_load_os(struct spl_image_info *spl_image,
+			      struct spl_boot_device *bootdev,
+			      struct blk_desc *blk_dev, int part)
+{
+	int err = -ENOSYS;
+
+	if (CONFIG_IS_ENABLED(FS_FAT)) {
+		err = spl_load_image_fat_os(spl_image, bootdev, blk_dev, part);
+		if (!err)
+			return 0;
+	}
+	if (CONFIG_IS_ENABLED(FS_EXT4)) {
+		err = spl_load_image_ext_os(spl_image, bootdev, blk_dev, part);
+		if (!err)
+			return 0;
+	}
+
+	return err;
+}
+
+static int spl_mmc_fs_load(struct spl_image_info *spl_image,
+			   struct spl_boot_device *bootdev,
+			   struct blk_desc *blk_dev, int part, const char *file)
+{
+	int err = -ENOENT;
+
+	if (CONFIG_IS_ENABLED(FS_FAT)) {
+		err = spl_load_image_fat(spl_image, bootdev, blk_dev, part, file);
+		if (!err)
+			return 0;
+	}
+	if (CONFIG_IS_ENABLED(FS_EXT4)) {
+		err = spl_load_image_ext(spl_image, bootdev, blk_dev, part, file);
+		if (!err)
+			return 0;
+	}
+
+	return err;
+}
+
 #ifdef CONFIG_SYS_MMCSD_FS_BOOT
 static int spl_mmc_do_fs_boot(struct spl_image_info *spl_image,
 			      struct spl_boot_device *bootdev,
@@ -225,42 +265,22 @@ static int spl_mmc_do_fs_boot(struct spl_image_info *spl_image,
 	}
 #endif
 
-#ifdef CONFIG_SPL_FS_FAT
 	if (!spl_start_uboot()) {
-		ret = spl_load_image_fat_os(spl_image, bootdev, mmc_get_blk_desc(mmc),
-					    partition);
+		ret = spl_mmc_fs_load_os(spl_image, bootdev,
+					 mmc_get_blk_desc(mmc), partition);
 		if (!ret)
 			return 0;
+		printf("%s, Failed to load falcon payload: %d\n", __func__,
+		       ret);
+		printf("Fallback to U-Boot\n");
 	}
-#ifdef CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
-	ret = spl_load_image_fat(spl_image, bootdev, mmc_get_blk_desc(mmc),
-				 partition,
-				 filename);
-	if (!ret)
-		return ret;
-#endif
-#endif
-#ifdef CONFIG_SPL_FS_EXT4
-	if (!spl_start_uboot()) {
-		ret = spl_load_image_ext_os(spl_image, bootdev, mmc_get_blk_desc(mmc),
-					    partition);
-		if (!ret)
-			return 0;
-	}
-#ifdef CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
-	ret = spl_load_image_ext(spl_image, bootdev, mmc_get_blk_desc(mmc),
-				 partition,
-				 filename);
-	if (!ret)
-		return 0;
-#endif
-#endif
-
-#if defined(CONFIG_SPL_FS_FAT) || defined(CONFIG_SPL_FS_EXT4)
-	ret = -ENOENT;
-#endif
 
+#ifdef CONFIG_SPL_FS_LOAD_PAYLOAD_NAME
+	return spl_mmc_fs_load(spl_image, bootdev, mmc_get_blk_desc(mmc),
+			       partition, filename);
+#else
 	return ret;
+#endif
 }
 #endif
 
-- 
2.51.0

[PATCH v1 4/8] spl: ubi: refactor spl_ubi_load_image for falcon mode

[Anshul Dalal]

This patch moves the falcon mode handling logic out of
spl_ubi_load_image to spl_ubi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_ubi.c | 44 ++++++++++++++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 12 deletions(-)

diff --git a/common/spl/spl_ubi.c b/common/spl/spl_ubi.c
index a8d3f43b452..09b9bbc5c47 100644
--- a/common/spl/spl_ubi.c
+++ b/common/spl/spl_ubi.c
@@ -11,6 +11,32 @@
 #include <ubispl.h>
 #include <spl.h>
 
+#if CONFIG_IS_ENABLED(OS_BOOT)
+int spl_ubi_load_image_os(struct spl_image_info *spl_image,
+			  struct spl_boot_device *bootdev,
+			  struct ubispl_info *info)
+{
+	struct legacy_img_hdr *header;
+	struct ubispl_load volumes[2];
+	int err;
+
+	volumes[0].vol_id = CONFIG_SPL_UBI_LOAD_KERNEL_ID;
+	volumes[0].load_addr = (void *)CONFIG_SYS_LOAD_ADDR;
+	volumes[1].vol_id = CONFIG_SPL_UBI_LOAD_ARGS_ID;
+	volumes[1].load_addr = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
+
+	err = ubispl_load_volumes(info, volumes, 2);
+	if (err)
+		return err;
+
+	header = (struct legacy_img_hdr *)volumes[0].load_addr;
+	spl_parse_image_header(spl_image, bootdev, header);
+	puts("Linux loaded.\n");
+
+	return 0;
+}
+#endif
+
 int spl_ubi_load_image(struct spl_image_info *spl_image,
 		       struct spl_boot_device *bootdev)
 {
@@ -46,21 +72,15 @@ int spl_ubi_load_image(struct spl_image_info *spl_image,
 
 #if CONFIG_IS_ENABLED(OS_BOOT)
 	if (!spl_start_uboot()) {
-		volumes[0].vol_id = CONFIG_SPL_UBI_LOAD_KERNEL_ID;
-		volumes[0].load_addr = (void *)CONFIG_SYS_LOAD_ADDR;
-		volumes[1].vol_id = CONFIG_SPL_UBI_LOAD_ARGS_ID;
-		volumes[1].load_addr = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
+		ret = spl_ubi_load_image_os(spl_image, bootdev, &info);
+		if (!ret)
+			return 0;
 
-		ret = ubispl_load_volumes(&info, volumes, 2);
-		if (!ret) {
-			header = (struct legacy_img_hdr *)volumes[0].load_addr;
-			spl_parse_image_header(spl_image, bootdev, header);
-			puts("Linux loaded.\n");
-			goto out;
-		}
-		puts("Loading Linux failed, falling back to U-Boot.\n");
+		printf("%s: Failed in falcon boot: %d", __func__, ret);
+		printf("Fallback to U-Boot\n");
 	}
 #endif
+
 	header = spl_get_load_buffer(-sizeof(*header), sizeof(header));
 #ifdef CONFIG_SPL_UBI_LOAD_BY_VOLNAME
 	volumes[0].vol_id = -1;
-- 
2.51.0

[PATCH v1 5/8] spl: spi: refactor spl_spi_load_image for falcon mode

[Anshul Dalal]

This patch moves the falcon mode handling logic out of
spl_spi_load_image to spl_spi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_spi.c | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/common/spl/spl_spi.c b/common/spl/spl_spi.c
index c2b188371c2..2a6098a4dc3 100644
--- a/common/spl/spl_spi.c
+++ b/common/spl/spl_spi.c
@@ -49,6 +49,25 @@ u32 __weak spl_spi_boot_cs(void)
 	return CONFIG_SF_DEFAULT_CS;
 }
 
+#if CONFIG_IS_ENABLED(OS_BOOT)
+static int spl_spi_load_image_os(struct spl_image_info *spl_image,
+				 struct spl_boot_device *bootdev,
+				 struct spi_flash *flash,
+				 struct spl_load_info *load)
+{
+	int err = spl_load(spl_image, bootdev, load, 0,
+			   CONFIG_SYS_SPI_KERNEL_OFFS);
+
+	if (err)
+		return err;
+
+	/* Read device tree. */
+	return spi_flash_read(flash, CONFIG_SYS_SPI_ARGS_OFFS,
+			      CONFIG_SYS_SPI_ARGS_SIZE,
+			      (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR);
+}
+#endif
+
 /*
  * The main entry for SPI booting. It's necessary that SDRAM is already
  * configured and available since this code loads the main U-Boot image
@@ -81,15 +100,13 @@ static int spl_spi_load_image(struct spl_image_info *spl_image,
 
 #if CONFIG_IS_ENABLED(OS_BOOT)
 	if (!spl_start_uboot()) {
-		int err = spl_load(spl_image, bootdev, &load, 0,
-				   CONFIG_SYS_SPI_KERNEL_OFFS);
+		err = spl_spi_load_image_os(spl_image, bootdev, flash, &load);
 
 		if (!err)
-			/* Read device tree. */
-			return spi_flash_read(
-				flash, CONFIG_SYS_SPI_ARGS_OFFS,
-				CONFIG_SYS_SPI_ARGS_SIZE,
-				(void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR);
+			return 0;
+
+		printf("%s: Failed in falcon boot: %d, fallback to U-Boot",
+		       __func__, err);
 	}
 #endif
 
-- 
2.51.0

[PATCH v1 6/8] spl: nor: refactor spl_nor_load_image for falcon mode

[Anshul Dalal]

This patch moves the falcon mode handling logic out of
spl_nor_load_image to spl_nor_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_nor.c | 102 ++++++++++++++++++++++++-------------------
 1 file changed, 57 insertions(+), 45 deletions(-)

diff --git a/common/spl/spl_nor.c b/common/spl/spl_nor.c
index 1021d933999..9c037bd62eb 100644
--- a/common/spl/spl_nor.c
+++ b/common/spl/spl_nor.c
@@ -25,66 +25,78 @@ unsigned long __weak spl_nor_get_uboot_base(void)
 	return CFG_SYS_UBOOT_BASE;
 }
 
-static int spl_nor_load_image(struct spl_image_info *spl_image,
-			      struct spl_boot_device *bootdev)
+#if CONFIG_IS_ENABLED(OS_BOOT)
+static int spl_nor_load_image_os(struct spl_image_info *spl_image,
+				 struct spl_boot_device *bootdev)
 {
-	struct spl_load_info load;
-
 	/*
-	 * Loading of the payload to SDRAM is done with skipping of
-	 * the mkimage header in this SPL NOR driver
+	 * Load Linux from its location in NOR flash to its defined
+	 * location in SDRAM
 	 */
-	spl_image->flags |= SPL_COPY_PAYLOAD_ONLY;
+	const struct legacy_img_hdr *header =
+		(const struct legacy_img_hdr *)CONFIG_SYS_OS_BASE;
+	struct spl_load_info load;
 
-#if CONFIG_IS_ENABLED(OS_BOOT)
-	if (!spl_start_uboot()) {
-		/*
-		 * Load Linux from its location in NOR flash to its defined
-		 * location in SDRAM
-		 */
-		const struct legacy_img_hdr *header =
-			(const struct legacy_img_hdr *)CONFIG_SYS_OS_BASE;
 #ifdef CONFIG_SPL_LOAD_FIT
-		if (image_get_magic(header) == FDT_MAGIC) {
-			int ret;
+	if (image_get_magic(header) == FDT_MAGIC) {
+		int ret;
 
-			debug("Found FIT\n");
-			spl_load_init(&load, spl_nor_load_read, NULL, 1);
+		debug("Found FIT\n");
+		spl_load_init(&load, spl_nor_load_read, NULL, 1);
 
-			ret = spl_load_simple_fit(spl_image, &load,
-						  CONFIG_SYS_OS_BASE,
-						  (void *)header);
+		ret = spl_load_simple_fit(spl_image, &load, CONFIG_SYS_OS_BASE,
+					  (void *)header);
 
 #if defined CONFIG_SPL_PAYLOAD_ARGS_ADDR && defined CONFIG_CMD_SPL_NOR_OFS
-			memcpy((void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR,
-			       (void *)CONFIG_CMD_SPL_NOR_OFS,
-			       CONFIG_CMD_SPL_WRITE_SIZE);
+		memcpy((void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR,
+		       (void *)CONFIG_CMD_SPL_NOR_OFS,
+		       CONFIG_CMD_SPL_WRITE_SIZE);
 #endif
-			return ret;
-		}
+		return ret;
+	}
 #endif
-		if (image_get_os(header) == IH_OS_LINUX) {
-			/* happy - was a Linux */
-			int ret;
-
-			ret = spl_parse_image_header(spl_image, bootdev, header);
-			if (ret)
-				return ret;
-
-			memcpy((void *)spl_image->load_addr,
-			       (void *)(CONFIG_SYS_OS_BASE +
-					sizeof(struct legacy_img_hdr)),
-			       spl_image->size);
+	if (image_get_os(header) != IH_OS_LINUX)
+		return -EINVAL;
+
+	/* happy - was a Linux */
+	int ret;
+
+	ret = spl_parse_image_header(spl_image, bootdev, header);
+	if (ret)
+		return ret;
+
+	memcpy((void *)spl_image->load_addr,
+	       (void *)(CONFIG_SYS_OS_BASE + sizeof(struct legacy_img_hdr)),
+	       spl_image->size);
+
 #ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
-			spl_image->arg = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
+	spl_image->arg = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
 #endif
 
+	return 0;
+}
+#endif
+
+static int spl_nor_load_image(struct spl_image_info *spl_image,
+			      struct spl_boot_device *bootdev)
+{
+	int err;
+	struct spl_load_info load;
+
+	/*
+	 * Loading of the payload to SDRAM is done with skipping of
+	 * the mkimage header in this SPL NOR driver
+	 */
+	spl_image->flags |= SPL_COPY_PAYLOAD_ONLY;
+
+#if CONFIG_IS_ENABLED(OS_BOOT)
+	if (!spl_start_uboot()) {
+		err = spl_nor_load_image_os(spl_image, bootdev);
+		if (!err)
 			return 0;
-		} else {
-			puts("The Expected Linux image was not found.\n"
-			     "Please check your NOR configuration.\n"
-			     "Trying to start u-boot now...\n");
-		}
+
+		printf("%s: Failed in falcon boot: %d, fallback to U-Boot",
+		       __func__, err);
 	}
 #endif
 
-- 
2.51.0

[PATCH v1 7/8] spl: nand: refactor spl_nand_load_image for falcon mode

[Anshul Dalal]

This patch moves the falcon mode handling logic out of
spl_ubi_load_image to spl_ubi_load_image_os, this allows for cleaner
handling for fallback to U-Boot in case falcon mode fails.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_nand.c | 95 +++++++++++++++++++++++--------------------
 1 file changed, 52 insertions(+), 43 deletions(-)

diff --git a/common/spl/spl_nand.c b/common/spl/spl_nand.c
index 22883f4e8b9..f37baefb372 100644
--- a/common/spl/spl_nand.c
+++ b/common/spl/spl_nand.c
@@ -75,6 +75,52 @@ static int spl_nand_load_element(struct spl_image_info *spl_image,
 	return spl_load(spl_image, bootdev, &load, 0, offset);
 }
 
+#if CONFIG_IS_ENABLED(OS_BOOT)
+static int spl_nand_load_image_os(struct spl_image_info *spl_image,
+				  struct spl_boot_device *bootdev)
+{
+	int *src, *dst, err;
+	struct legacy_img_hdr *header = spl_get_load_buffer(0, sizeof(*header));
+
+	/* load linux */
+	nand_spl_load_image(CONFIG_SYS_NAND_SPL_KERNEL_OFFS, sizeof(*header),
+			    (void *)header);
+	err = spl_parse_image_header(spl_image, bootdev, header);
+	if (err)
+		return err;
+
+	if (header->ih_os != IH_OS_LINUX)
+		return -EINVAL;
+
+	/* happy - was a linux */
+	err = nand_spl_load_image(CONFIG_SYS_NAND_SPL_KERNEL_OFFS,
+				  spl_image->size,
+				  (void *)spl_image->load_addr);
+	nand_deselect();
+
+	if (err)
+		return err;
+
+	/*
+	 * load parameter image load to temp position since nand_spl_load_image
+	 * reads a whole block which is typically larger than
+	 * CONFIG_CMD_SPL_WRITE_SIZE therefore may overwrite following sections
+	 * like BSS
+	 */
+	nand_spl_load_image(CONFIG_CMD_SPL_NAND_OFS, CONFIG_CMD_SPL_WRITE_SIZE,
+			    (void *)CONFIG_TEXT_BASE);
+	/* copy to destintion */
+	for (dst = (int *)CONFIG_SPL_PAYLOAD_ARGS_ADDR,
+	    src = (int *)CONFIG_TEXT_BASE;
+	     src < (int *)(CONFIG_TEXT_BASE + CONFIG_CMD_SPL_WRITE_SIZE);
+	     src++, dst++) {
+		writel(readl(src), dst);
+	}
+
+	return 0;
+}
+#endif
+
 static int spl_nand_load_image(struct spl_image_info *spl_image,
 			       struct spl_boot_device *bootdev)
 {
@@ -89,51 +135,14 @@ static int spl_nand_load_image(struct spl_image_info *spl_image,
 
 #if CONFIG_IS_ENABLED(OS_BOOT)
 	if (!spl_start_uboot()) {
-		int *src, *dst;
-		struct legacy_img_hdr *header =
-			spl_get_load_buffer(0, sizeof(*header));
-
-		/*
-		 * load parameter image
-		 * load to temp position since nand_spl_load_image reads
-		 * a whole block which is typically larger than
-		 * CONFIG_CMD_SPL_WRITE_SIZE therefore may overwrite
-		 * following sections like BSS
-		 */
-		nand_spl_load_image(CONFIG_CMD_SPL_NAND_OFS,
-			CONFIG_CMD_SPL_WRITE_SIZE,
-			(void *)CONFIG_TEXT_BASE);
-		/* copy to destintion */
-		for (dst = (int *)CONFIG_SPL_PAYLOAD_ARGS_ADDR,
-		     src = (int *)CONFIG_TEXT_BASE;
-			src < (int *)(CONFIG_TEXT_BASE +
-				      CONFIG_CMD_SPL_WRITE_SIZE);
-		     src++, dst++) {
-			writel(readl(src), dst);
-		}
-
-		/* load linux */
-		nand_spl_load_image(CONFIG_SYS_NAND_SPL_KERNEL_OFFS,
-			sizeof(*header), (void *)header);
-		err = spl_parse_image_header(spl_image, bootdev, header);
-		if (err)
-			return err;
-		if (header->ih_os == IH_OS_LINUX) {
-			/* happy - was a linux */
-			err = nand_spl_load_image(
-				CONFIG_SYS_NAND_SPL_KERNEL_OFFS,
-				spl_image->size,
-				(void *)spl_image->load_addr);
-			nand_deselect();
-			return err;
-		} else {
-			puts("The Expected Linux image was not "
-				"found. Please check your NAND "
-				"configuration.\n");
-			puts("Trying to start u-boot now...\n");
-		}
+		err = spl_nand_load_image_os(spl_image, bootdev);
+		if (!err)
+			return 0;
+		printf("%s: Failed in falcon boot: %d, fallback to U-Boot",
+		       __func__, err);
 	}
 #endif
+
 #ifdef CONFIG_NAND_ENV_DST
 	spl_nand_load_element(spl_image, bootdev, CONFIG_ENV_OFFSET);
 #ifdef CONFIG_ENV_OFFSET_REDUND
-- 
2.51.0

[PATCH v1 8/8] spl: falcon: disable fallback to U-Boot on failure

[Anshul Dalal]

Instead of falling back to the standard U-Boot boot flow, we should just
halt boot if the expected boot flow in falcon mode fails.

This prevents a malicious actor from accessing U-Boot proper if they can
cause a boot failure on falcon mode.

Signed-off-by: Anshul Dalal <anshuld@ti.com>
---
 common/spl/spl_mmc.c  | 4 ++++
 common/spl/spl_nand.c | 6 ++++--
 common/spl/spl_nor.c  | 6 ++++--
 common/spl/spl_spi.c  | 6 ++++--
 common/spl/spl_ubi.c  | 2 ++
 5 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/common/spl/spl_mmc.c b/common/spl/spl_mmc.c
index c5585d8e0d2..d0dad6ea8fd 100644
--- a/common/spl/spl_mmc.c
+++ b/common/spl/spl_mmc.c
@@ -272,6 +272,8 @@ static int spl_mmc_do_fs_boot(struct spl_image_info *spl_image,
 			return 0;
 		printf("%s, Failed to load falcon payload: %d\n", __func__,
 		       ret);
+		if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+			return ret;
 		printf("Fallback to U-Boot\n");
 	}
 
@@ -412,6 +414,8 @@ int spl_mmc_load(struct spl_image_info *spl_image,
 			ret = mmc_load_image_raw_os(spl_image, bootdev, mmc);
 			if (!ret)
 				return 0;
+			if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+				return ret;
 		}
 
 		raw_sect = spl_mmc_get_uboot_raw_sector(mmc, raw_sect);
diff --git a/common/spl/spl_nand.c b/common/spl/spl_nand.c
index f37baefb372..93ef2d1c02c 100644
--- a/common/spl/spl_nand.c
+++ b/common/spl/spl_nand.c
@@ -138,8 +138,10 @@ static int spl_nand_load_image(struct spl_image_info *spl_image,
 		err = spl_nand_load_image_os(spl_image, bootdev);
 		if (!err)
 			return 0;
-		printf("%s: Failed in falcon boot: %d, fallback to U-Boot",
-		       __func__, err);
+		printf("%s: Failed in falcon boot: %d", __func__, err);
+		if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+			return err;
+		printf("Fallback to U-Boot\n");
 	}
 #endif
 
diff --git a/common/spl/spl_nor.c b/common/spl/spl_nor.c
index 9c037bd62eb..6f9ff91bef7 100644
--- a/common/spl/spl_nor.c
+++ b/common/spl/spl_nor.c
@@ -95,8 +95,10 @@ static int spl_nor_load_image(struct spl_image_info *spl_image,
 		if (!err)
 			return 0;
 
-		printf("%s: Failed in falcon boot: %d, fallback to U-Boot",
-		       __func__, err);
+		printf("%s: Failed in falcon boot: %d", __func__, err);
+		if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+			return err;
+		printf("Fallback to U-Boot\n");
 	}
 #endif
 
diff --git a/common/spl/spl_spi.c b/common/spl/spl_spi.c
index 2a6098a4dc3..cbc864809fe 100644
--- a/common/spl/spl_spi.c
+++ b/common/spl/spl_spi.c
@@ -105,8 +105,10 @@ static int spl_spi_load_image(struct spl_image_info *spl_image,
 		if (!err)
 			return 0;
 
-		printf("%s: Failed in falcon boot: %d, fallback to U-Boot",
-		       __func__, err);
+		printf("%s: Failed in falcon boot: %d", __func__, err);
+		if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+			return err;
+		printf("Fallback to U-Boot\n");
 	}
 #endif
 
diff --git a/common/spl/spl_ubi.c b/common/spl/spl_ubi.c
index 09b9bbc5c47..3c6f80de7d9 100644
--- a/common/spl/spl_ubi.c
+++ b/common/spl/spl_ubi.c
@@ -77,6 +77,8 @@ int spl_ubi_load_image(struct spl_image_info *spl_image,
 			return 0;
 
 		printf("%s: Failed in falcon boot: %d", __func__, ret);
+		if (CONFIG_IS_ENABLED(OS_BOOT_SECURE))
+			return ret;
 		printf("Fallback to U-Boot\n");
 	}
 #endif
-- 
2.51.0

Re: [PATCH v1 3/8] spl: mmc: split spl_mmc_do_fs_boot into regular/os_boot

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 678 bytes --]

On Tue, Sep 16, 2025 at 04:28:51PM +0530, Anshul Dalal wrote:

> Currently the logic to handle falcon mode as well as the regular boot is
> inside spl_mmc_do_fs_boot, this prevents us from cleanly extending
> falcon mode functionality like toggleable fallback to U-Boot proper.
> 
> Therefore this patch splits the logic into spl_mmc_fs_load and
> spl_mmc_fs_load_os to handle the regular boot and falcon mode use case.
> 
> Signed-off-by: Anshul Dalal <anshuld@ti.com>
[snip]
> +		printf("%s, Failed to load falcon payload: %d\n", __func__,
> +		       ret);
> +		printf("Fallback to U-Boot\n");

These are new. Do we really need to be adding them?

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v1 4/8] spl: ubi: refactor spl_ubi_load_image for falcon mode

[Tom Rini]

[-- Attachment #1: Type: text/plain, Size: 676 bytes --]

On Tue, Sep 16, 2025 at 04:28:52PM +0530, Anshul Dalal wrote:

> This patch moves the falcon mode handling logic out of
> spl_ubi_load_image to spl_ubi_load_image_os, this allows for cleaner
> handling for fallback to U-Boot in case falcon mode fails.
> 
> Signed-off-by: Anshul Dalal <anshuld@ti.com>
[snip]
> -		puts("Loading Linux failed, falling back to U-Boot.\n");
> +		printf("%s: Failed in falcon boot: %d", __func__, ret);
> +		printf("Fallback to U-Boot\n");

Switching from puts to printf doesn't gain us new information here and
may pull in printf when we only had puts before. SPL needs more
consideration than usual about size growth.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

Re: [PATCH v1 3/8] spl: mmc: split spl_mmc_do_fs_boot into regular/os_boot

[Anshul Dalal]

Hello Tom,

On Wed Sep 17, 2025 at 12:02 AM IST, Tom Rini wrote:
> On Tue, Sep 16, 2025 at 04:28:51PM +0530, Anshul Dalal wrote:
>
>> Currently the logic to handle falcon mode as well as the regular boot is
>> inside spl_mmc_do_fs_boot, this prevents us from cleanly extending
>> falcon mode functionality like toggleable fallback to U-Boot proper.
>> 
>> Therefore this patch splits the logic into spl_mmc_fs_load and
>> spl_mmc_fs_load_os to handle the regular boot and falcon mode use case.
>> 
>> Signed-off-by: Anshul Dalal <anshuld@ti.com>
> [snip]
>> +		printf("%s, Failed to load falcon payload: %d\n", __func__,
>> +		       ret);
>> +		printf("Fallback to U-Boot\n");
>
> These are new. Do we really need to be adding them?

I think there should be some indication to the user that the intended
boot mode (falcon in this case) has failed and they are relying on a
fallback.

Perhaps we can switch to a debug instead of printf here?

Regards,
Anshul

Re: [PATCH v1 4/8] spl: ubi: refactor spl_ubi_load_image for falcon mode

[Anshul Dalal]

On Wed Sep 17, 2025 at 12:04 AM IST, Tom Rini wrote:
> On Tue, Sep 16, 2025 at 04:28:52PM +0530, Anshul Dalal wrote:
>
>> This patch moves the falcon mode handling logic out of
>> spl_ubi_load_image to spl_ubi_load_image_os, this allows for cleaner
>> handling for fallback to U-Boot in case falcon mode fails.
>> 
>> Signed-off-by: Anshul Dalal <anshuld@ti.com>
> [snip]
>> -		puts("Loading Linux failed, falling back to U-Boot.\n");
>> +		printf("%s: Failed in falcon boot: %d", __func__, ret);
>> +		printf("Fallback to U-Boot\n");
>
> Switching from puts to printf doesn't gain us new information here and
> may pull in printf when we only had puts before. SPL needs more
> consideration than usual about size growth.

You're right, I'll revert back to puts in the next revision. The
existing log should suffice.

Regards,
Anshul