3.1.2.10. U-Boot Falcon Mode

U-Boot’s falcon mode on AM62x bypasses the A-core SPL and U-Boot stage, which allows for booting straight to Linux kernel after OP-TEE and ATF.

Normal boot flow:

  • R5 SPL -> ATF -> OP-TEE -> Cortex-A SPL -> U-Boot -> Linux

With falcon mode:

  • R5 SPL -> ATF -> OP-TEE -> Linux

Falcon boot support is added by the ti-falcon yocto override which can be enabled before building the SDK as follows:

$ echo 'DISTROOVERRIDES:append = ":ti-falcon"' >> conf/local.conf
$ # build the SDK
$ MACHINE=<machine> bitbake -k tisdk-default-image

The following set of patches are also required since they are not part of the 11.01 SDK release:

3.1.2.10.1. Changes made by ti-falcon override:

3.1.2.10.1.1. ATF:

To meet the 2MiB alignment requirement for the Linux kernel’s load address, the K3_HW_CONFIG_BASE (kernel address) is modified to 0x82000000 and PRELOADED_BL33_BASE (DTB address) is modified from the K3 default to 0x88000000.

3.1.2.10.1.2. TI-SPL:

Falcon mode makes use of a cut down variant of the tispl binary called tifalcon.bin with the Cortex-A SPL and its corresponding device-tree removed. This file is deployed to the boot directory inside the root filesystem so it can be picked by the R5 SPL at boot time.

3.1.2.10.1.3. R5 SPL:

The R5 SPL loads the kernel fitImage and tifalcon.bin file. An x509 certificate with TIFS keys verifies the fitImage for falcon boot instead of making use of signature nodes and keys present in the DT. This allows for faster authentication since TIFS uses the security accelerator for authentication, which is much faster than doing the same on R5 core.

This support is present alongside the standard R5 defconfig when ti-falcon is enabled due to U-Boot’s k3_r5_falcon.config fragment. This updates the R5 memory map at U-Boot SPL stage to the following:

0x80000000 +===============================+ Start of DDR
  512KiB   |   ATF reserved memory space   | CONFIG_K3_ATF_LOAD_ADDR
0x80080000 +-------------------------------+
 31.5MiB   |            Unused             |
0x82000000 +-------------------------------+ PRELOADED_BL33_BASE in ATF
           |                               | CONFIG_SYS_LOAD_ADDR
   57MiB   |   Kernel + initramfs Image    | CONFIG_SPL_LOAD_FIT_ADDRESS
           |                               |
0x85900000 +-------------------------------+
           |                               |
           |  R5 U-Boot SPL Stack + Heap   |
   39MiB   |       (size defined by        |
           | SPL_STACK_R_MALLOC_SIMPLE_LEN)|
           |                               |
0x88000000 +-------------------------------+ CONFIG_SPL_STACK_R_ADDR
           |                               | K3_HW_CONFIG_BASE in ATF
   16MiB   |          Kernel DTB           | CONFIG_SPL_PAYLOAD_ARGS_ADDR
           |                               |
0x89000000 +-------------------------------+
  331MiB   | Device Manager (DM) Load Addr |
0x9db00000 +-------------------------------+
   12MiB   |          DM Reserved          |
0x9e700000 +-------------------------------+
    1MiB   |            Unused             |
0x9e800000 +-------------------------------+ BL32_BASE in ATF
   24MiB   |             OPTEE             |
0xa0000000 +===============================+ End of DDR (512MiB)

3.1.2.10.1.4. fitImage:

The system produces the resulting fitImage file in the boot directory of the root filesystem. This file has its constituent binaries pre-signed with x509 certificates. At boot time, TIFS authenticates this file, which allows for a lower boot time compared to authenticating on the R5 core.

3.1.2.10.2. Extra Configuration

3.1.2.10.2.1. OSPI boot:

For OSPI boot, the tiboot3.bin and tifalcon.bin files should be flashed to the same addresses in flash as regular boot flow but the fitImage is read from the root filesystem’s boot directory. The MMC device is selected by the mmcdev env variable for R5 SPL.

Below U-Boot commands can be used to download tiboot3.bin and tifalcon.bin over tftp and then flash those to OSPI at their respective addresses.

=> sf probe
=> tftp ${loadaddr} tiboot3.bin
=> sf update $loadaddr 0x0 $filesize
=> tftp ${loadaddr} tifalcon.bin
=> sf update $loadaddr 0x80000 $filesize

3.1.2.10.2.2. eMMC Boot:

In eMMC boot mode, the tiboot3.bin file should be flashed to the hardware boot partition whereas tifalcon.bin and the fitImage are read from the root filesystem inside UDA. Use the U-Boot commands below to set the correct boot partition and write tiboot3.bin to the correct offset.

=> # Set boot0 as the boot partition
=> mmc partconf 0 1 1 1
=> mmc bootbus 0 2 0 0
=> # Flash tiboot3.bin to boot0
=> mmc dev 0 1
=> fatload mmc 1 ${loadaddr} tiboot3.bin
=> mmc write ${loadaddr} 0x0 0x400

For more information check: How to flash eMMC and boot with eMMC Boot.

3.1.2.10.2.3. Custom fitImage creation:

Clone the core-secdev-k3 source:

$ git clone https://git.ti.com/cgit/security-development-tools/core-secdev-k3

Copy the required kernel image renamed to Image and the device-tree renamed to falcon.dtb inside the core-secdev-k3 source directory.

Copy the following contents to a file named fitImage.its inside core-secdev-k3 source:

/dts-v1/;

/ {
    description = "Kernel fitImage for falcon mode";
    #address-cells = <1>;

    images {
        kernel-1 {
            description = "Linux kernel";
            data = /incbin/("Image.sec");
            type = "kernel";
            arch = "arm64";
            os = "linux";
            compression = "none";
            load = <0x82000000>;
            entry = <0x82000000>;
        };
        falcon.dtb {
            description = "Flattened Device Tree blob";
            data = /incbin/("falcon.dtb.sec");
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            load = <0x88000000>;
            entry = <0x88000000>;
        };
    };

    configurations {
        default = "conf-falcon";
        conf-falcon {
            description = "Presigned Linux kernel and DTB";
            kernel = "kernel-1";
            fdt = "falcon.dtb";
        };
    };
};

Sign the kernel and device-tree with secure-binary-image.sh and create the fitImage by using mkimage:

$ # inside core-secdev-k3 source
$ ./scripts/secure-binary-image.sh Image Image.sec
$ ./scripts/secure-binary-image.sh falcon.dtb falcon.dtb.sec
$ mkimage -f fitImage.its fitImage

3.1.2.10.3. Non-Yocto Users:

Following are the steps to build tiboot3.bin, tifalcon.bin and the fitImage required for falcon mode:

  1. For ATF build, use the following arguments to update the ATF’s jump address for the kernel and the device-tree: PRELOADED_BL33_BASE=0x82000000 K3_HW_CONFIG_BASE=0x88000000.

  2. For R5 U-Boot build, use the k3_r5_falcon.config fragment to enable flacon support at the R5 SPL stage.

  3. Refer to the fitImage creation step above for preparing a bootable fitImage with an appropriate kernel and device-tree.

  4. Copy the files generated to correct path on SD/eMMC as in the table below:

    File

    Destination path on SD/eMMC

    Partition

    Description

    tiboot3.bin

    /tiboot3.bin

    boot (fat)

    R5 SPL with falcon support

    tifalcon.bin

    /boot/tifalcon.bin

    root filesystem (ext4)

    tispl binary without SPL for the A core and device-tree

    fitImage

    /boot/fitImage

    root filesystem (ext4)

    fitImage with pre-signed kernel and device-tree

Note

The tifalcon.bin binary is generated by default for all falcon supported platforms at the A-Core U-Boot build step and can be found alongside the existing tispl.bin file in U-Boot build’s output directory.

3.1.2.10.4. Boot time comparisons:

Removing A-core SPL and U-Boot from the boot process leads to ~60% reduction in time to kernel. Saving about 1-2 seconds during boot depending on the platform.

falcon mode and regular boot mode comparison

Fig. 3.2 Falcon Mode (Left) vs Regular Boot (Right)