BSEC device tree configuration

1. Article purpose

Warning
This article explains how to configure BSEC at boot time.

This article describes the BSEC configuration performed using the device tree mechanism, which provides a hardware description of the BSEC peripheral.

2. DT bindings documentation

Generic information about NVMEM is available in the NVMEM overview.

The following binding-related documentation explains how to write device tree files for BSEC:

  • TF-A: tf-a/docs/devicetree/bindings/soc/st,stm32-romem.txt[1]
  • Linux® BSEC devicetree bindings: Documentation/devicetree/bindings/nvmem/st,stm32-romem.txt[2]
  • Linux® generic NVMEM devicetree bindings: Documentation/devicetree/bindings/nvmem/nvmem.txt[3]

3. DT configuration

This hardware description is a combination of the STM32 microprocessor device tree files (.dtsi extension) and board device tree files (.dts extension). See the Device tree for an explanation of the device-tree file split.

STM32CubeMX can be used to generate the board device tree. Refer to How to configure the DT using STM32CubeMX for more details.

3.1. DT configuration (STM32 level)

The STM32MP1 BSEC node is located in the file stm32mp157c.dtsi[4] (see Device tree for further explanation).

 / {
 ...
 	soc {
 ...
 		bsec: nvmem@5c005000 {
 			compatible = "st,stm32mp15-bsec";
 			reg = <0x5c005000 0x400>;
 			#address-cells = <1>;
 			#size-cells = <1>;
 			ts_cal1: calib@5c {
 				reg = <0x5c 0x2>;
 			};
 			ts_cal2: calib@5e {
 				reg = <0x5e 0x2>;
 			};
 		};
 ...
 	};
 ...
 };

Please refer to the NVMEM overview for the bindings common with the Linux® kernel.

3.2. DT configuration (board level)

3.2.1. STM32MP1 BSEC node append

The board definition in the device tree may include some additional board-specific OTP declarations:

For ecosystem release ≥ v1.2.0

 &bsec {
 	board_id: board_id@ec {
 		reg = <0xec 0x4>;
 		st,non-secure-otp;
 	};
 };

With only 32 lower NVMEM 32-bit data words, the software needs to manage exceptions so that, for very specific needs, some upper OTPs can be accessed by the non-secure world through secure-world services. The user can add an OTP declaration in the device tree, using the "st,non-secure-otp" property, with a 32-bit length granularity (that is, 4 bytes).

For ecosystem release v1.1.0

 &bsec {
 	board_id: board_id@ec {
 		reg = <0xec 0x4>;
 		status = "okay";
 	};
 };

The upper OTPs are intended to contain sensitive data such as keys or passwords. However, with only 32 lower NVMEM 32-bit data words, the software may need more. It is therefore possible, for very specific needs, to manage exceptions in order to allow some upper OTPs to be accessed by the non-secure world through secure-world services.
The user can add upper OTP declarations in the device tree by using the status property to define accessibility conditions, as described in the following table:

 status     Upper OTP available from
 --------   ---------------------------------
 disabled   secure only (normal behavior)
 okay       non-secure and secure (exception)

Information: When the status property is not set, it is implicitly treated as "okay" by default.

Information: The secure-status property can appear in some OTP declarations; it can be ignored.

For ecosystem release v1.0.0

 &bsec {
 	board_id: board_id@ec {
 		reg = <0xec 0x4>;
 	};
 };

As in the previous section, exceptions are managed, but they are only checked in the case of closed_device BSEC mode. In open_device mode, all upper-OTP non-secure accesses are allowed. See STM32MP15 reference manuals for more information about these modes.
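
The exposure rules of this section can be checked mechanically before a board device tree is shipped. The following is an added example, not code from this article or from TF-A: a small audit that lists the upper OTP cells (byte offset 0x80 and above, that is, past the 32 lower words) reachable from the non-secure world under the ≥ v1.2.0 and v1.1.0 rules, and flags "st,non-secure-otp" cells that break the 4-byte granularity. The function name, the release strings and the secret_otp and spare_otp cells are assumptions made for illustration; the v1.0.0 open_device/closed_device distinction is not modelled.

```python
import re

LOWER_OTP_BYTES = 32 * 4  # the 32 lower 32-bit words: byte offsets below 0x80
CELL_RE = re.compile(r"(\w+)\s*:\s*[\w-]+@[0-9a-fA-F]+\s*\{([^{}]*)\}\s*;")
REG_RE = re.compile(r"reg\s*=\s*<\s*(\w+)\s+(\w+)\s*>")
# The lookbehind keeps "secure-status" from being read as "status".
STATUS_RE = re.compile(r'(?<![\w-])status\s*=\s*"([^"]*)"')

# Constructed sample; secret_otp and spare_otp are hypothetical cells.
SAMPLE = """
&bsec {
	board_id: board_id@ec { reg = <0xec 0x4>; st,non-secure-otp; };
	mac_addr: mac_addr@e4 { reg = <0xe4 0x6>; st,non-secure-otp; };
	secret_otp: secret_otp@f0 { reg = <0xf0 0x8>; secure-status = "okay"; status = "disabled"; };
	spare_otp: spare_otp@f8 { reg = <0xf8 0x4>; };
	uid_otp: uid_otp@34 { reg = <0x34 0xc>; };
};
"""


def audit_bsec(dts, release):
    """Return (exposed, misaligned) labels of upper OTP cells.

    release "1.2": exception marked by st,non-secure-otp;
    release "1.1": exception marked by status "okay" or by no status at all.
    """
    dts = re.sub(r"/\*.*?\*/", "", dts, flags=re.S)  # drop C-style comments
    exposed, misaligned = [], []
    for label, body in CELL_RE.findall(dts):
        reg = REG_RE.search(body)
        if not reg:
            continue
        off, size = int(reg.group(1), 0), int(reg.group(2), 0)
        if off + size <= LOWER_OTP_BYTES:
            continue  # cell lies entirely in the lower OTP area
        if release == "1.2":
            non_secure = re.search(r"st,non-secure-otp\s*;", body) is not None
        else:
            status = STATUS_RE.search(body)
            non_secure = status is None or status.group(1) == "okay"
        if non_secure:
            exposed.append(label)
            # Only the st,non-secure-otp rule states a 4-byte granularity.
            if release == "1.2" and (off % 4 or size % 4):
                misaligned.append(label)
    return exposed, misaligned
```

On the constructed sample, the v1.1.0 rule also reports spare_otp, because a missing status property counts as "okay".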

3.2.2. STM32MP1 BSEC node append (bootloader specific)

The bootloader-specific STM32MP1 BSEC node append data is located in the file stm32mp157c-security.dtsi[5] (see Device tree for further explanation).
It completes the list of NVMEM data providers, for bootloader-specific purposes only, either for a driver or for the platform itself.

For ecosystem release ≥ v1.2.0

 &bsec {
 	cfg0_otp: cfg0_otp@0 {
 		reg = <0x0 0x1>;
 	};
 	part_number_otp: part_number_otp@4 {
 		reg = <0x4 0x1>;
 	};
 	monotonic_otp: monotonic_otp@10 {
 		reg = <0x10 0x4>;
 	};
 	nand_otp: nand_otp@24 {
 		reg = <0x24 0x4>;
 	};
 	uid_otp: uid_otp@34 {
 		reg = <0x34 0xc>;
 	};
 	package_otp: package_otp@40 {
 		reg = <0x40 0x4>;
 	};
 	hw2_otp: hw2_otp@48 {
 		reg = <0x48 0x4>;
 	};
 	mac_addr: mac_addr@e4 {
 		reg = <0xe4 0x8>;
 		st,non-secure-otp;
 	};
 };

See the "st,non-secure-otp" definition in the previous section. Spare field declarations are no longer needed here.

For ecosystem release ≤ v1.1.0

 &bsec {
 	mac_addr: mac_addr@e4 {
 		reg = <0xe4 0x6>;
 	};
 	/* Spare field to align on 32-bit OTP granularity  */
 	spare_ns_ea: spare_ns_ea@ea {
 		reg = <0xea 0x2>;
 	};
 };

3.2.3. STM32MP1 driver node append

The driver can directly consume NVMEM data cells, as described in NVMEM overview.
The ADC_TEMP device is a good example, with a dedicated OTP containing calibration information.
The device node is located in the stm32mp157c.dtsi[6] file.

 adc_temp: temp {
 	compatible = "st,stm32mp1-adc-temp";
 	io-channels = <&adc2 12>;
 	nvmem-cells = <&ts_cal1>, <&ts_cal2>;
 	nvmem-cell-names = "ts_cal1", "ts_cal2";
 	#io-channel-cells = <0>;
 	#thermal-sensor-cells = <0>;
 	status = "disabled";
 };

With these nvmem-cells / nvmem-cell-names properties, the ADC_TEMP device can easily find the OTP number, in order to access calibration information.

STM32MP1 nvmem_layout node (bootloader specific) for ecosystem release ≥ v1.2.0

The STM32MP1 nvmem_layout node gathers all NVMEM platform-dependent layout information, including OTP names and phandles, so that data consumers can access it easily by using a predefined string in the nvmem-cell-names property.

 nvmem_layout: nvmem_layout@0 {
 	compatible = "st,stm32mp1-nvmem-layout";
 	nvmem-cells = <&cfg0_otp>,
 		      <&part_number_otp>,
 		      <&monotonic_otp>,
 		      <&nand_otp>,
 		      <&uid_otp>,
 		      <&package_otp>,
 		      <&hw2_otp>,
 		      <&board_id>;
 	nvmem-cell-names = "cfg0_otp",
 			   "part_number_otp",
 			   "monotonic_otp",
 			   "nand_otp",
 			   "uid_otp",
 			   "package_otp",
 			   "hw2_otp",
 			   "board_id";
 };

With this new node, the platform can easily find the OTP numbers, in order to access all the necessary information.

4. How to configure the DT using STM32CubeMX

The STM32CubeMX tool can be used to configure the STM32MPU device and get the corresponding platform configuration device tree files.
STM32CubeMX may not support all the properties described in the documents listed in DT bindings documentation above. If so, the tool inserts user sections in the generated device tree. These sections can then be edited to add some properties that are preserved from one generation to another. Refer to the STM32CubeMX user manual for further information.

5. References

Please refer to the following links for additional information: