Merge patch series "Add support for secure falcon mode: disable args file"

Anshul Dalal <anshuld@ti.com> says:

Continuing from the last series[1], this patch series addresses the requirement
to disable the args file in falcon mode.

The args file is used in falcon mode for loading the device-tree for the kernel.
However, in secure falcon mode the expected payload is a FIT containing a signed
device-tree and kernel image, which removes the need to load the extra args
file in the first place. Also, loading the extra file without any authentication
mechanism exposes an attack vector, so it should be disabled to keep the
boot secure.

This patch set builds on the last few to first optionally allow for loading the
args file in non-secure falcon boot flow [1/3] and then disable them altogether
in the next patch [2/3] for secure falcon mode.

[1]: https://lore.kernel.org/u-boot/20251006101057.4172248-1-anshuld@ti.com/
Link: https://lore.kernel.org/r/20251009115846.897186-1-anshuld@ti.com
Tom Rini
2025-10-20 11:54:43 -06:00
10 changed files with 45 additions and 16 deletions


@@ -796,6 +796,7 @@ config SPL_FS_LOAD_PAYLOAD_NAME
config SPL_FS_LOAD_KERNEL_NAME
string "File to load for the OS kernel from the filesystem"
depends on (SPL_FS_EXT4 || SPL_FS_FAT || SPL_FS_SQUASHFS) && SPL_OS_BOOT
default "fitImage" if SPL_OS_BOOT_SECURE
default "uImage"
help
Filename to read to load for the OS kernel when reading from the
@@ -803,7 +804,7 @@ config SPL_FS_LOAD_KERNEL_NAME
config SPL_FS_LOAD_ARGS_NAME
string "File to load for the OS kernel argument parameters from the filesystem"
depends on (SPL_FS_EXT4 || SPL_FS_FAT || SPL_FS_SQUASHFS) && SPL_OS_BOOT
depends on (SPL_FS_EXT4 || SPL_FS_FAT || SPL_FS_SQUASHFS) && SPL_OS_BOOT_ARGS
default "args"
help
Filename to read to load for the OS kernel argument parameters from
@@ -1121,7 +1122,7 @@ config SPL_UBI_LOAD_KERNEL_ID
config SPL_UBI_LOAD_ARGS_ID
int "id of kernel args volume"
depends on SPL_OS_BOOT
depends on SPL_OS_BOOT_ARGS
help
The UBI volume id from which to load the device tree
@@ -1215,9 +1216,16 @@ config SPL_OS_BOOT_SECURE
to use falcon mode by disabling certain inherently non-securable options
in the SPL boot flow.
config SPL_OS_BOOT_ARGS
bool "Allow SPL to load args for kernel in falcon mode"
depends on (SPL_OS_BOOT || SPL_LOAD_FIT_OPENSBI_OS_BOOT) && !SPL_OS_BOOT_SECURE
help
This option enables the SPL to load an args file (usually the FDT)
alongside the kernel image in falcon boot mode.
config SPL_PAYLOAD_ARGS_ADDR
hex "Address in memory to load 'args' file for Falcon Mode to"
depends on SPL_OS_BOOT || SPL_LOAD_FIT_OPENSBI_OS_BOOT
depends on SPL_OS_BOOT_ARGS
default 0x88000000 if ARCH_OMAP2PLUS
default 0x99000000 if ARCH_SC5XX && SC59X_64
default 0xA0000000 if ARCH_SC5XX && TARGET_SC594_SOM_EZKIT
@@ -1257,7 +1265,7 @@ config SYS_MMCSD_RAW_MODE_KERNEL_SECTOR
config SYS_MMCSD_RAW_MODE_ARGS_SECTOR
hex "Falcon mode: Sector to load 'args' from MMC"
depends on SPL_FALCON_BOOT_MMCSD
depends on SPL_FALCON_BOOT_MMCSD && SPL_OS_BOOT_ARGS
help
When Falcon mode is used with an MMC or SD media, SPL needs to know
where to look for the OS 'args', typically a device tree. The
@@ -1267,7 +1275,7 @@ config SYS_MMCSD_RAW_MODE_ARGS_SECTOR
config SYS_MMCSD_RAW_MODE_ARGS_SECTORS
hex "Falcon mode: Number of sectors to load for 'args' from MMC"
depends on SPL_FALCON_BOOT_MMCSD && SYS_MMCSD_RAW_MODE_ARGS_SECTOR != 0x0
depends on SPL_FALCON_BOOT_MMCSD && SPL_OS_BOOT_ARGS
config SPL_PAYLOAD
string "SPL payload"
@@ -1503,14 +1511,14 @@ config SYS_SPI_KERNEL_OFFS
config SYS_SPI_ARGS_OFFS
hex "Falcon mode: address of args payload in SPI flash"
depends on SPL_SPI_FLASH_SUPPORT && SPL_OS_BOOT
depends on SPL_SPI_FLASH_SUPPORT && SPL_OS_BOOT_ARGS
help
Address within SPI-Flash from where the args payload (usually the
dtb) is fetched in falcon boot.
config SYS_SPI_ARGS_SIZE
hex "Falcon mode: size of args payload in SPI flash"
depends on SPL_SPI_FLASH_SUPPORT && SPL_OS_BOOT
depends on SPL_SPI_FLASH_SUPPORT && SPL_OS_BOOT_ARGS
config SPL_THERMAL
bool "Driver support for thermal devices"
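Review bot: `SPL_OS_BOOT_ARGS` is introduced without a `default`, so it is off for every existing configuration, and the args symbols that now depend on it (`SPL_FS_LOAD_ARGS_NAME`, `SPL_PAYLOAD_ARGS_ADDR`, the MMC, SPI and UBI args options) disappear with it. The page lists 10 changed files and none of the visible sections looks like a defconfig, so boards that relied on the args file in non-secure falcon mode would appear to change behaviour silently. Adding `default y` under the `bool` line would keep the previous behaviour, while the existing `!SPL_OS_BOOT_SECURE` dependency still forces the option off in secure falcon mode. The help text could also state the reason, e.g. `The args file is loaded without authentication, so this option is not available with SPL_OS_BOOT_SECURE.`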


@@ -692,6 +692,7 @@ void board_init_r(gd_t *dummy1, ulong dummy2)
spl_jump_to_image_t jumper = &jump_to_image;
struct spl_image_info spl_image;
int ret, os;
void *fdt;
debug(">>" PHASE_PROMPT "board_init_r()\n");
@@ -793,9 +794,13 @@ void board_init_r(gd_t *dummy1, ulong dummy2)
jumper = &spl_invoke_opensbi;
} else if (CONFIG_IS_ENABLED(OS_BOOT) && os == IH_OS_LINUX) {
debug("Jumping to Linux\n");
if (IS_ENABLED(CONFIG_SPL_OS_BOOT))
spl_fixup_fdt((void *)SPL_PAYLOAD_ARGS_ADDR);
if (CONFIG_IS_ENABLED(OS_BOOT_ARGS))
fdt = (void *)SPL_PAYLOAD_ARGS_ADDR;
else
fdt = spl_image_fdt_addr(&spl_image);
spl_fixup_fdt(fdt);
spl_board_prepare_for_linux();
spl_image.arg = fdt;
jumper = &jump_to_image_linux;
} else {
debug("Unsupported OS image.. Jumping nevertheless..\n");
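Review bot: In the `IH_OS_LINUX` branch the pointer returned by `spl_image_fdt_addr(&spl_image)` goes straight into `spl_fixup_fdt(fdt)` and `spl_image.arg`, with no check in the visible lines that it is non-NULL and points at a device tree. When `OS_BOOT_ARGS` is off and the loaded image carries no FDT (a legacy image, for example), the kernel would presumably be entered with an invalid argument. In secure falcon mode this pointer is also the only link between the verified FIT and the tree the kernel receives. Consider failing closed before the fixup, e.g. `if (!fdt || fdt_check_header(fdt)) hang();`, or whatever error path board_init_r() already uses. The body of board_init_r() starts and ends outside these hunks, so a check may exist that is not visible here.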


@@ -103,6 +103,7 @@ int spl_load_image_ext_os(struct spl_image_info *spl_image,
goto defaults;
}
#if IS_ENABLED(CONFIG_SPL_OS_BOOT_ARGS)
ext4fs_set_blk_dev(block_dev, &part_info);
ext4fs_mount();
file = env_get("falcon_args_file");
@@ -123,6 +124,7 @@ int spl_load_image_ext_os(struct spl_image_info *spl_image,
} else {
puts("spl: falcon_args_file not set in environment, falling back to default\n");
}
#endif
} else {
puts("spl: falcon_image_file not set in environment, falling back to default\n");
}
@@ -135,6 +137,7 @@ defaults:
if (err)
return err;
#if IS_ENABLED(CONFIG_SPL_OS_BOOT_ARGS)
ext4fs_set_blk_dev(block_dev, &part_info);
ext4fs_mount();
err = ext4fs_open(CONFIG_SPL_FS_LOAD_ARGS_NAME, &filelen);
@@ -147,6 +150,7 @@ defaults:
__func__, CONFIG_SPL_FS_LOAD_ARGS_NAME, err);
return -1;
}
#endif
return 0;
}
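Review bot: With `CONFIG_SPL_OS_BOOT_ARGS` disabled, the environment path in spl_load_image_ext_os() seems to lose its only success return. After the `falcon_image_file` load succeeds, everything up to the first `#endif` is compiled out and control reaches `defaults:`, where the default kernel is presumably loaded again over the image just selected. The `return 0;` falls between hunks here, but it is visible inside the same guard in the FAT variant, spl_load_image_fat_os(), which has the same shape. Adding an `#else` arm holding `return 0;` before the first `#endif` in both functions would keep the environment-selected image. The function body starts outside the hunks shown.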


@@ -127,6 +127,7 @@ int spl_load_image_fat_os(struct spl_image_info *spl_image,
goto defaults;
}
#if IS_ENABLED(CONFIG_SPL_OS_BOOT_ARGS)
file = env_get("falcon_args_file");
if (file) {
err = file_fat_read(
@@ -139,6 +140,8 @@ int spl_load_image_fat_os(struct spl_image_info *spl_image,
return 0;
} else
puts("spl: falcon_args_file not set in environment, falling back to default\n");
#endif
} else
puts("spl: falcon_image_file not set in environment, falling back to default\n");
@@ -150,6 +153,7 @@ defaults:
if (err)
return err;
#if IS_ENABLED(CONFIG_SPL_OS_BOOT_ARGS)
err = file_fat_read(CONFIG_SPL_FS_LOAD_ARGS_NAME,
(void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR, 0);
if (err <= 0) {
@@ -157,6 +161,7 @@ defaults:
__func__, CONFIG_SPL_FS_LOAD_ARGS_NAME, err);
return -1;
}
#endif
return 0;
}


@@ -79,7 +79,7 @@ static int spl_nand_load_element(struct spl_image_info *spl_image,
static int spl_nand_load_image_os(struct spl_image_info *spl_image,
struct spl_boot_device *bootdev)
{
int *src, *dst, err;
int err;
struct legacy_img_hdr *header = spl_get_load_buffer(0, sizeof(*header));
/* load linux */
@@ -101,12 +101,14 @@ static int spl_nand_load_image_os(struct spl_image_info *spl_image,
if (err)
return err;
#if IS_ENABLED(CONFIG_SPL_OS_BOOT_ARGS)
/*
* load parameter image load to temp position since nand_spl_load_image
* reads a whole block which is typically larger than
* CONFIG_CMD_SPL_WRITE_SIZE therefore may overwrite following sections
* like BSS
*/
int *src, *dst;
nand_spl_load_image(CONFIG_CMD_SPL_NAND_OFS, CONFIG_CMD_SPL_WRITE_SIZE,
(void *)CONFIG_TEXT_BASE);
/* copy to destintion */
@@ -116,6 +118,7 @@ static int spl_nand_load_image_os(struct spl_image_info *spl_image,
src++, dst++) {
writel(readl(src), dst);
}
#endif
return 0;
}
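Review bot: `int *src, *dst;` is now declared in the middle of spl_nand_load_image_os(), after executable statements and directly under the block comment inside the `#if` region. The function's other locals (`int err;`, `struct legacy_img_hdr *header`) sit at the top. Keeping the pair there as `__maybe_unused int *src, *dst;` would avoid the mid-body declaration and the unused-variable warning when the option is off. Alternatively, wrap the guarded copy in its own `{ ... }` block and declare them at its start. The copy loop itself lies partly between the hunks shown.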


@@ -69,10 +69,6 @@ static int spl_nor_load_image_os(struct spl_image_info *spl_image,
(void *)(CONFIG_SYS_OS_BASE + sizeof(struct legacy_img_hdr)),
spl_image->size);
#ifdef CONFIG_SPL_PAYLOAD_ARGS_ADDR
spl_image->arg = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
#endif
return 0;
}
#endif


@@ -61,10 +61,15 @@ static int spl_spi_load_image_os(struct spl_image_info *spl_image,
if (err)
return err;
#if IS_ENABLED(CONFIG_SPL_OS_BOOT_ARGS)
/* Read device tree. */
return spi_flash_read(flash, CONFIG_SYS_SPI_ARGS_OFFS,
CONFIG_SYS_SPI_ARGS_SIZE,
(void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR);
#else
return 0;
#endif
}
#endif


@@ -22,10 +22,14 @@ int spl_ubi_load_image_os(struct spl_image_info *spl_image,
volumes[0].vol_id = CONFIG_SPL_UBI_LOAD_KERNEL_ID;
volumes[0].load_addr = (void *)CONFIG_SYS_LOAD_ADDR;
#if IS_ENABLED(CONFIG_SPL_OS_BOOT_ARGS)
volumes[1].vol_id = CONFIG_SPL_UBI_LOAD_ARGS_ID;
volumes[1].load_addr = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
err = ubispl_load_volumes(info, volumes, 2);
#else
err = ubispl_load_volumes(info, volumes, 1);
#endif
if (err)
return err;


@@ -14,7 +14,6 @@ static int spl_xip(struct spl_image_info *spl_image,
{
#if CONFIG_IS_ENABLED(OS_BOOT)
if (!spl_start_uboot()) {
spl_image->arg = (void *)CONFIG_SPL_PAYLOAD_ARGS_ADDR;
spl_image->name = "Linux";
spl_image->os = IH_OS_LINUX;
spl_image->load_addr = CONFIG_SYS_LOAD_ADDR;


@@ -37,7 +37,7 @@
IF_ENABLED_INT(CONFIG_SPL_SYS_MALLOC, CONFIG_SPL_SYS_MALLOC_SIZE)
/* deal with an optional value */
#ifdef CONFIG_SPL_OS_BOOT
#if IS_ENABLED(CONFIG_SPL_OS_BOOT_ARGS)
#define SPL_PAYLOAD_ARGS_ADDR CONFIG_SPL_PAYLOAD_ARGS_ADDR
#else
#define SPL_PAYLOAD_ARGS_ADDR 0