Hi Gianluca,
On 7/22/21 10:01 AM, gianluca wrote:
Hello list,
I was wondering what I am doing wrong following the procedure
explained in the doc/board/st/stm32mp1.rst documentation file.
I am using the latest git version (the Makefile says 2021.07).
My goal is to run from sdcard in trusted boot chain (TrustZone secure
monitor) the evaluation kit STM32MP157C-DK2.
The procedure says:
The **Trusted** boot chain
``````````````````````````
defconfig_file : stm32mp15_trusted_defconfig
+-------------+-------------------------+------------+-------+
| ROM code | FSBL | SSBL | OS |
+ +-------------------------+------------+-------+
| |Trusted Firmware-A (TF-A)| U-Boot | Linux |
+-------------+-------------------------+------------+-------+
| TrustZone |secure monitor |
+-------------+-------------------------+------------+-------+
TF-A performs a full initialization of Secure peripherals and installs a
secure monitor, BL32:
* SPMin provided by TF-A or
* OP-TEE from specific partitions (teeh, teed, teex).
U-Boot is running in normal world and uses the secure monitor to access
to secure resources.
As far as I understand there is only a single first-stage-boot-loader
(FSBL) and a second-stage-boot-loader (SSBL), otherwise in the *Basic
Boot Chain* I have FSBL1 and FSBL2 _and_ a SSBL.
FSBL1 / FBSL2 => can be use for basic or trusted boot chain = it is 2
copy for the FSBL for failsafe update
the ROM code will check integrity of FSBL1 ..... if it is failing, it
will use FSBL2 instead
This feature allo to always boot even if FSBL1 update is interrupted....
if this feature is not needed you can remove the second FSBL partition.
Build Procedure
---------------
1. Install the required tools for U-Boot
* install package needed in U-Boot makefile
(libssl-dev, swig, libpython-dev...)
* install ARMv7 toolchain for 32bit Cortex-A (from Linaro,
from SDK for STM32MP15x, or any crosstoolchains from your
distribution)
(you can use any gcc cross compiler compatible with U-Boot)
Done. I am in a Debian Buster DevelWorkstation, so everything is
coming from the official repos.
At the moment the arm toolchain is: > arm-linux-gnueabihf-gcc -v
(...)
6. Output files
BootRom and TF-A expect binaries with STM32 image header
SPL expects Gianlucafile with U-Boot uImage header
So in the output directory (selected by KBUILD_OUTPUT),
you can found the needed files:
- For **Trusted** boot (with or without OP-TEE)
- FSBL = **tf-a.stm32** (provided by TF-A compilation)
- SSBL = **u-boot.stm32**
No tf-a.stm32 for TrustZone Boot but only the u-boot.stm32 file.
"tf-a.stm32" is provided by TF-A compilation (see after.
- For Basic boot
- FSBL = spl/u-boot-spl.stm32
- SSBL = u-boot.img
find . -name 'tf-a.stm32'
find . -name '*tf-a*'
find . -name '*tfa*'
./include/config/tfaboot.h
./include/config/arch/support/tfaboot.h
Where is the tf-a.stm32?????
Something missing by my side???
Regards,
Gianluca Renzi
"TF-A" = "Trusted Firmware-A" is a separate component and it need to
be compiled separately.
TF-A references =
- https://www.trustedfirmware.org/projects/tf-a/
- https://trustedfirmware-a.readthedocs.io/en/latest/
=> https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/
For build information at upstream, you can check
https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/stm32mp1.rst
For first test you can use SP_min as secure monitor:
|make CROSS_COMPILE=arm-linux-gnueabihf- PLAT=stm32mp1 ARCH=aarch32
ARM_ARCH_MAJOR=7 AARCH32_SP=sp_min STM32MP_SDMMC=1 STM32MP_EMMC=1
STM32MP_RAW_NAND=1 STM32MP_SPI_NAND=1 STM32MP_SPI_NOR=1
DTB_FILE_NAME=stm32mp157c-ev1.dtb |
I will update the stm32mp1 readme to indicate these missing information.
you need to compile 2 projects
- TF-A => FSBL
- U-Boot => SSBL
PS: to have a full secure support support with FIP (when it will be
supported on TF-A side),
you can use OP-TEE as the secure OS.... but it is a separate project
TF-A REF =
- https://www.op-tee.org/
- https://optee.readthedocs.io/en/latest/
- BUILD =
https://optee.readthedocs.io/en/latest/building/devices/stm32mp1.html
=> https://github.com/OP-TEE/optee_os
In this case you need to compile the binary include in FIP
- OP-TEE => Secure OS
- U-Boot => SSBL
Then you can compile:
- TF-A => FSBL & FIP (including OP-TEE and U-Boot)
Regards
Patrick
