diff --git a/configs/ls1021atwr_nor_SECURE_BOOT_defconfig b/configs/ls1021atwr_nor_SECURE_BOOT_defconfig
index cf99770a606139b9306ce4691fdc81b8780671a7..c8cb2153bfdf6dec0a7dfaf780d44f4c92ed994f 100644
--- a/configs/ls1021atwr_nor_SECURE_BOOT_defconfig
+++ b/configs/ls1021atwr_nor_SECURE_BOOT_defconfig
@@ -46,3 +46,4 @@ CONFIG_VIDEO_FSL_DCU_FB=y
# CONFIG_VIDEO_SW_CURSOR is not set
CONFIG_RSA=y
CONFIG_SPL_RSA=y
+CONFIG_DISTRO_DEFAULTS=y
diff --git a/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig b/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig
index d13652a2f5c56e0abf4f7a17ae3e03668ca977b8..8689fa73368748037e7964f6932b7473577d6e4f 100644
--- a/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig
+++ b/configs/ls1021atwr_sdcard_ifc_SECURE_BOOT_defconfig
@@ -61,3 +61,4 @@ CONFIG_VIDEO_FSL_DCU_FB=y
# CONFIG_VIDEO_SW_CURSOR is not set
CONFIG_RSA=y
CONFIG_SPL_RSA=y
+CONFIG_DISTRO_DEFAULTS=y
diff --git a/include/configs/ls1021atwr.h b/include/configs/ls1021atwr.h
index e46324ba8da6a150ec4b38d9c2938dc85c7d6e95..12413d054090ab2743849d47887f919b436aeb74 100644
--- a/include/configs/ls1021atwr.h
+++ b/include/configs/ls1021atwr.h
@@ -380,6 +380,7 @@
"fdt_addr=0x64f00000\0" \
"kernel_addr=0x65000000\0" \
"scriptaddr=0x80000000\0" \
+ "scripthdraddr=0x80080000\0" \
"fdtheader_addr_r=0x80100000\0" \
"kernelheader_addr_r=0x80200000\0" \
"kernel_addr_r=0x81000000\0" \
@@ -389,6 +390,7 @@
"kernel_size=0x2800000\0" \
BOOTENV \
"boot_scripts=ls1021atwr_boot.scr\0" \
+ "boot_script_hdr=hdr_ls1021atwr_bs.out\0" \
"scan_dev_for_boot_part=" \
"part list ${devtype} ${devnum} devplist; " \
"env exists devplist || setenv devplist 1; " \
@@ -399,6 +401,21 @@
"run scan_dev_for_boot; " \
"fi; " \
"done\0" \
+ "scan_dev_for_boot=" \
+ "echo Scanning ${devtype} " \
+ "${devnum}:${distro_bootpart}...; " \
+ "for prefix in ${boot_prefixes}; do " \
+ "run scan_dev_for_scripts; " \
+ "done;" \
+ "\0" \
+ "boot_a_script=" \
+ "load ${devtype} ${devnum}:${distro_bootpart} " \
+ "${scriptaddr} ${prefix}${script}; " \
+ "env exists secureboot && load ${devtype} " \
+ "${devnum}:${distro_bootpart} " \
+ "${scripthdraddr} ${prefix}${boot_script_hdr} " \
+ "&& esbc_validate ${scripthdraddr};" \
+ "source ${scriptaddr}\0" \
"installer=load mmc 0:2 $load_addr " \
"/flex_installer_arm32.itb; " \
"bootm $load_addr#ls1021atwr\0" \
@@ -416,6 +433,7 @@
"fdt_addr=0x64f00000\0" \
"kernel_addr=0x65000000\0" \
"scriptaddr=0x80000000\0" \
+ "scripthdraddr=0x80080000\0" \
"fdtheader_addr_r=0x80100000\0" \
"kernelheader_addr_r=0x80200000\0" \
"kernel_addr_r=0x81000000\0" \
@@ -425,6 +443,7 @@
"kernel_size=0x2800000\0" \
BOOTENV \
"boot_scripts=ls1021atwr_boot.scr\0" \
+ "boot_script_hdr=hdr_ls1021atwr_bs.out\0" \
"scan_dev_for_boot_part=" \
"part list ${devtype} ${devnum} devplist; " \
"env exists devplist || setenv devplist 1; " \
@@ -435,6 +454,21 @@
"run scan_dev_for_boot; " \
"fi; " \
"done\0" \
+ "scan_dev_for_boot=" \
+ "echo Scanning ${devtype} " \
+ "${devnum}:${distro_bootpart}...; " \
+ "for prefix in ${boot_prefixes}; do " \
+ "run scan_dev_for_scripts; " \
+ "done;" \
+ "\0" \
+ "boot_a_script=" \
+ "load ${devtype} ${devnum}:${distro_bootpart} " \
+ "${scriptaddr} ${prefix}${script}; " \
+ "env exists secureboot && load ${devtype} " \
+ "${devnum}:${distro_bootpart} " \
+ "${scripthdraddr} ${prefix}${boot_script_hdr} " \
+ "&& esbc_validate ${scripthdraddr};" \
+ "source ${scriptaddr}\0" \
"installer=load mmc 0:2 $load_addr " \
"/flex_installer_arm32.itb; " \
"bootm $load_addr#ls1021atwr\0" \
@@ -448,9 +482,11 @@
#undef CONFIG_BOOTCOMMAND
#if defined(CONFIG_QSPI_BOOT) || defined(CONFIG_SD_BOOT_QSPI)
-#define CONFIG_BOOTCOMMAND "run distro_bootcmd;run qspi_bootcmd"
+#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot" \
+ "&& esbc_halt; run qspi_bootcmd;"
#else
-#define CONFIG_BOOTCOMMAND "run distro_bootcmd;run nor_bootcmd"
+#define CONFIG_BOOTCOMMAND "run distro_bootcmd; env exists secureboot" \
+ "&& esbc_halt; run nor_bootcmd;"
#endif
#define CONFIG_BOOTARGS "console=ttyS0,115200 root=/dev/ram0"