| author | Anshul Dalal <[email protected]> | 2025-10-09 18:04:34 +0530 |
|---|---|---|
| committer | Tom Rini <[email protected]> | 2025-10-16 15:02:14 -0600 |
| commit | 1e470ddd0743bbd1f229421e11e9ad2093f7fd20 (patch) | |
| tree | 620f71bc83efc814a40db782cfeffecf3445f5a1 /env/Kconfig | |
| parent | 3a71bae9af71515893483be2c022f05c8d4704aa (diff) | |
env: Kconfig: disable external env in secure os boot
Falcon mode uses falcon_image_file from the env during mmc fs boot, but
external env can be compromised. Therefore disable access to external
env by setting SPL_ENV_IS_NOWHERE when SPL_OS_BOOT_SECURE is set.
Signed-off-by: Anshul Dalal <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
Diffstat (limited to 'env/Kconfig')
| -rw-r--r-- | env/Kconfig | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/env/Kconfig b/env/Kconfig
index 678f362c455..4430669964c 100644
--- a/env/Kconfig
+++ b/env/Kconfig
@@ -827,12 +827,14 @@ if SPL_ENV_SUPPORT
 config SPL_ENV_IS_NOWHERE
 bool "SPL Environment is not stored"
 default y if ENV_IS_NOWHERE
+ default y if SPL_OS_BOOT_SECURE
 help
 Similar to ENV_IS_NOWHERE, used for SPL environment.

 config SPL_ENV_IS_IN_MMC
 bool "SPL Environment in an MMC device"
 depends on !SPL_ENV_IS_NOWHERE
+ depends on !SPL_OS_BOOT_SECURE
 depends on ENV_IS_IN_MMC
 default y
 help
@@ -841,6 +843,7 @@ config SPL_ENV_IS_IN_MMC
 config SPL_ENV_IS_IN_FAT
 bool "SPL Environment is in a FAT filesystem"
 depends on !SPL_ENV_IS_NOWHERE
+ depends on !SPL_OS_BOOT_SECURE
 depends on ENV_IS_IN_FAT
 default y
 help
@@ -849,6 +852,7 @@ config SPL_ENV_IS_IN_FAT
 config SPL_ENV_IS_IN_EXT4
 bool "SPL Environment is in a EXT4 filesystem"
 depends on !SPL_ENV_IS_NOWHERE
+ depends on !SPL_OS_BOOT_SECURE
 depends on ENV_IS_IN_EXT4
 default y
 help
@@ -857,6 +861,7 @@ config SPL_ENV_IS_IN_EXT4
 config SPL_ENV_IS_IN_NAND
 bool "SPL Environment in a NAND device"
 depends on !SPL_ENV_IS_NOWHERE
+ depends on !SPL_OS_BOOT_SECURE
 depends on ENV_IS_IN_NAND
 default y
 help
@@ -865,6 +870,7 @@ config SPL_ENV_IS_IN_NAND
 config SPL_ENV_IS_IN_SPI_FLASH
 bool "SPL Environment is in SPI flash"
 depends on !SPL_ENV_IS_NOWHERE
+ depends on !SPL_OS_BOOT_SECURE
 depends on ENV_IS_IN_SPI_FLASH
 default y
 help
@@ -873,6 +879,7 @@ config SPL_ENV_IS_IN_SPI_FLASH
 config SPL_ENV_IS_IN_FLASH
 bool "SPL Environment in flash memory"
 depends on !SPL_ENV_IS_NOWHERE
+ depends on !SPL_OS_BOOT_SECURE
 depends on ENV_IS_IN_FLASH
 default y
 help |
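Review bot: The `default y if SPL_OS_BOOT_SECURE` added to SPL_ENV_IS_NOWHERE in the first hunk is only a default on a symbol that keeps a visible prompt, so a defconfig can still set it to n while SPL_OS_BOOT_SECURE is enabled; the real barrier is the `depends on !SPL_OS_BOOT_SECURE` line repeated on the MMC, FAT, EXT4, NAND, SPI flash and flash entries in this and the following hunks. That per-backend list has to be extended by hand for each new SPL env location, and any SPL_ENV_IS_IN_* entry outside these hunks (not visible here) would remain selectable. Hiding the prompt, `bool "SPL Environment is not stored" if !SPL_OS_BOOT_SECURE`, would make the default binding, after which the existing `depends on !SPL_ENV_IS_NOWHERE` covers every backend without the extra lines. The help text of SPL_ENV_IS_NOWHERE could also state that secure falcon boot forces it because falcon_image_file would otherwise be read from external storage.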
