From 77c1954572cf9a21a5b5efebb570f22a36fbad7f Mon Sep 17 00:00:00 2001 From: Philipp Tomsich Date: Fri, 16 Sep 2016 10:33:20 +0200 Subject: spl: Provide a FIT-only policy via SPL_LOAD_FIT_ONLY When probing multiple interfaces (according to the result from the board_boot_order function), we need to ensure that only valid FIT images are considered and disable the fallback to assuming that a raw (binary-only) U-Boot image is loaded (to avoid hangs/crashes from jumping to random content loaded from devices that in the probing order which do not contain a valid image). When the SPL_LOAD_FIT configuration option is enabled, the new SPL_LOAD_FIT_ONLY option becomes available to disable such fallback paths. Signed-off-by: Philipp Tomsich --- Kconfig | 18 +++++++++--------- common/spl/spl_mmc.c | 9 +++++++++ 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/Kconfig b/Kconfig index d5ab9e3a2c..cac3a75f1d 100644 --- a/Kconfig +++ b/Kconfig @@ -284,6 +284,15 @@ config SPL_LOAD_FIT particular it can handle selecting from multiple device tree and passing the correct one to U-Boot. +config SPL_LOAD_FIT_ONLY + bool "Force SPL to on load images with FIT header" + depends on SPL_LOAD_FIT + help + Normally SPL falls back to assuming that loaded images are raw + U-Boot binaries, when no FIT header is present. This will cause + a crash when probing boot devices and touching one that does not + contain a valid image. + config SPL_FIT_IMAGE_POST_PROCESS bool "Enable post-processing of FIT artifacts after loading by the SPL" depends on SPL_LOAD_FIT && TI_SECURE_DEVICE 
@@ -298,15 +307,6 @@ config SPL_FIT_IMAGE_POST_PROCESS injected into the FIT creation (i.e. the blobs would have been pre- processed before being added to the FIT image). -config SPL_LOAD_FIT_ONLY - bool "Force SPL to on load images with FIT header" - depends on SPL_LOAD_FIT - help - Normally SPL falls back to assuming that loaded images are raw - U-Boot binaries, when no FIT header is present. This will cause - a crash when probing boot devices and touching one that does not - contain a valid image. - config SYS_CLK_FREQ depends on ARC || ARCH_SUNXI int "CPU clock frequency" diff --git a/common/spl/spl_mmc.c b/common/spl/spl_mmc.c index 04b7540226..d7f0648d92 100644 --- a/common/spl/spl_mmc.c +++ b/common/spl/spl_mmc.c @@ -78,7 +78,16 @@ static int mmc_load_image_raw_sector(struct mmc *mmc, unsigned long sector) load.read = h_spl_load_read; ret = spl_load_simple_fit(&load, sector, header); } else { +#if !defined(CONFIG_SPL_LOAD_FIT_ONLY) ret = mmc_load_legacy(mmc, sector, header); +#else + /* legacy (raw binary) images must be disallowed when + * SPL_LOAD_FIT_ONLY is configured to support the + * probing of multiple boot-devices (where some might + * contain 'random' data and cause a crash). + */ + ret = -1; +#endif } end: -- cgit v1.2.3
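Review bot: In the first Kconfig hunk (@@ -284,6 +284,15 @@), the prompt string "Force SPL to on load images with FIT header" contains a typo; "to on load" presumably should read "to only load". The help text also describes only the default fallback ("Normally SPL falls back to assuming that loaded images are raw U-Boot binaries") and never says what enabling the option does. Suggest adding a sentence stating that with SPL_LOAD_FIT_ONLY set, an image without a FIT header is rejected rather than treated as a raw U-Boot binary.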
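Review bot: The second Kconfig hunk (@@ -298,15 +307,6 @@) deletes a SPL_LOAD_FIT_ONLY entry that is line-for-line identical to the one added above, so the Kconfig part of this patch (9 insertions, 9 deletions) only moves an existing symbol to sit directly after SPL_LOAD_FIT. The commit message instead says "the new SPL_LOAD_FIT_ONLY option becomes available". Suggest either stating in the message that the entry is being relocated and why, or splitting the move into its own patch so that the functional change in common/spl/spl_mmc.c can be reviewed separately.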
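Review bot: In the common/spl/spl_mmc.c hunk, the #else branch of mmc_load_image_raw_sector() sets "ret = -1;" silently, so a device rejected for lacking a FIT header cannot be told apart from any other load failure when debugging a probe sequence. Suggest returning a named negative errno value instead of the bare -1 and emitting a debug message that states the image was refused because CONFIG_SPL_LOAD_FIT_ONLY is set. The diffstat also shows spl_mmc.c as the only loader touched, so the fallback is disabled for the raw-sector MMC path only. If the option is meant as the SPL-wide policy the subject line describes, the help text should state which loaders honour it, or the same guard should be applied to the others. Minor style point: the multi-line comment opens with text on the "/*" line; put the opening "/*" on its own line.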