On Thu, Sep 11, 2025 at 06:44:11PM +0530, Anshul Dalal wrote: > Falcon mode uses falcon_image_file from the env during mmc fs boot, but > external env can be compromised. Therefore disable access to external > env by setting SPL_ENV_IS_NOWHERE when SPL_OS_BOOT_SECURE is set. > > Signed-off-by: Anshul Dalal <[email protected]> > --- > env/Kconfig | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/env/Kconfig b/env/Kconfig > index 03c189b7266..d68cb90f3a4 100644 > --- a/env/Kconfig > +++ b/env/Kconfig > @@ -827,6 +827,7 @@ if SPL_ENV_SUPPORT > config SPL_ENV_IS_NOWHERE > bool "SPL Environment is not stored" > default y if ENV_IS_NOWHERE > + default y if SPL_OS_BOOT_SECURE > help > Similar to ENV_IS_NOWHERE, used for SPL environment.
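Review bot: the added `default y if SPL_OS_BOOT_SECURE` line only sets an initial value on a symbol that still carries a prompt ("SPL Environment is not stored"), so a defconfig or menuconfig can switch SPL_ENV_IS_NOWHERE back off while SPL_OS_BOOT_SECURE is set. The "disable access to external env" stated in the commit message is therefore not enforced by this hunk. Consider expressing the restriction as a dependency rather than a default, and mention the secure falcon case in the help text, which currently reads only "Similar to ENV_IS_NOWHERE, used for SPL environment."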
You're going to need to do a bit more here on the symbols, this is the right default but you could still select other locations (so all of the SPL_ENV_... locations need a test on depends on .. && !SPL_OS_BOOT_SECURE too).

--
Tom
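A build-time check for the gap discussed in this thread, as an added example that is not part of the original messages or of U-Boot: it reads a generated `.config` and reports when SPL_OS_BOOT_SECURE is set but an external SPL environment is still reachable. The `CONFIG_SPL_ENV_IS_IN_` prefix for location symbols and the sample fragments are assumptions made for illustration.

```python
import re

# Assumption: SPL environment location symbols share this prefix, by analogy
# with SPL_ENV_IS_NOWHERE in the quoted hunk.
LOCATION_PREFIX = "CONFIG_SPL_ENV_IS_IN_"
_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_dotconfig(text):
    """Return {symbol: value}; '# CONFIG_X is not set' maps to 'n'."""
    symbols = {}
    for line in map(str.strip, text.splitlines()):
        m = _SET.match(line)
        if m:
            symbols[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols


def audit_spl_env(text):
    """List findings where a secure falcon build can still read an external env."""
    cfg = parse_dotconfig(text)
    if cfg.get("CONFIG_SPL_OS_BOOT_SECURE") != "y":
        return []  # the check only applies to secure falcon builds
    findings = []
    if cfg.get("CONFIG_SPL_ENV_IS_NOWHERE") != "y":
        findings.append("CONFIG_SPL_ENV_IS_NOWHERE is not enabled")
    for sym in sorted(cfg):
        if sym.startswith(LOCATION_PREFIX) and cfg[sym] == "y":
            findings.append(sym + " selects an external SPL environment")
    return findings


# Constructed sample .config fragments (not taken from any real board).
OVERRIDDEN = """\
CONFIG_SPL_OS_BOOT_SECURE=y
# CONFIG_SPL_ENV_IS_NOWHERE is not set
CONFIG_SPL_ENV_IS_IN_MMC=y
"""
CLEAN = """\
CONFIG_SPL_OS_BOOT_SECURE=y
CONFIG_SPL_ENV_IS_NOWHERE=y
# CONFIG_SPL_ENV_IS_IN_MMC is not set
"""
```

Run `audit_spl_env()` on the `.config` of each secure falcon board in CI and fail the build on a non-empty result.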

