How to configure TF-A SP-MIN

Revision as of 09:42, 17 February 2021 by Registered User

1. Article Purpose

This article describes the TF-A SP-MIN (BL32) component: how it is used in the STM32 MPU runtime context, how to build it from sources, and how to deploy it on your target.
The build examples are based on the OpenSTLinux environment:

  • Developer Package
  • Distribution Package

2. Overview

TF-A SP-MIN is a secure partition that can be used for the ST boot chain. It is loaded by TF-A BL2.
This secure partition executes in monitor mode and provides a secure implementation of a limited set of services:

  • PSCI
  • SCMI
  • SiP services

For a more complete secure implementation, OP-TEE OS must be chosen.

3. Configuration

TF-A SP-MIN is based on device tree configuration.
Its device tree is also loaded by TF-A BL2, and its address is passed to SP-MIN as the second argument. This allows the SP-MIN code to remain generic and adapt to the board based on the device tree.

4. Memory layout

SP-MIN binary (bl32.bin) is embedded in the FIP binary and identified as tos-fw.
The SP-MIN device tree is also embedded in the FIP and identified as tos-fw-config.

SP-MIN is built with the PIE option, which makes the code executable from a configurable address. The load addresses for SP-MIN and its device tree are configurable through the TF-A firmware configuration framework. If required, each load address can be changed independently by modifying the STM32 MPU firmware configuration file.

5. Source code access and build process

Cross compilation of TF-A SP-MIN is only required if it is to be modified.
By default, in the Starter Package, the TF-A SP-MIN images are embedded in the trusted FIP: fip-<board>-trusted.bin.
If changes are made, you must rebuild TF-A (SP-MIN) and update the FIP. You must then update the associated FIP partitions of your boot device with this new image.

The build process creates a TF-A SP-MIN image and its device tree.

5.1. Developer Package

5.1.1. Install sources

The Developer Package contains OpenSTLinux and TF-A sources: TF-A Installation

5.1.2. Official source tree

Download the source code from the official Trusted Firmware-A GitHub repository.

  git clone https://github.com/ARM-software/arm-trusted-firmware.git

Warning: The STM32MP1 platform is not yet fully upstreamed. Depending on the version used, some features may not be available.


For full-featured software, an STMicroelectronics GitHub repository is available:

  git clone https://github.com/STMicroelectronics/arm-trusted-firmware.git


5.1.3. Build Process

5.1.3.1. Initialize the cross compile environment

Setup Cross compile environment

5.1.3.2. TF-A Build flags

Here is the list of mandatory flags that need to be specified to complete the TF-A BL2 build:

  • ARM_ARCH_MAJOR=7: the major version of ARM Architecture to target (STM32MP1 is ARMv7 architecture based)
  • ARCH=aarch32: specify aarch32 architecture to be built
  • PLAT=stm32mp1: builds an stm32mp1 platform
  • DTB_FILE_NAME=<fdt file name>.dtb: this must be defined to build the proper target and include the correct DTB file into the final file
  • AARCH32_SP=sp_min: select SP-MIN as secure partition

Optional flags:

  • DEBUG=1: add debug information in all binaries
  • V=1: print verbose compilation traces


5.1.4. Build command

Warning: Please read carefully

You must add your own environment flags:

  unset LDFLAGS;
  unset CFLAGS;

Then you will have to compile the TF-A SP-MIN (BL32).
To avoid overwriting binaries, it is recommended to specify BUILD_PLAT per selected storage.

The default build command for STM32MP15 is:

  make -j4 ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min DTB_FILE_NAME=<board_name>.dtb BUILD_PLAT=build/sp_min bl32 dtbs

Here is the build command for the stm32mp157c-ev1 board:

  make -j4 ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min DTB_FILE_NAME=stm32mp157c-ev1.dtb BUILD_PLAT=build/sp_min/ bl32 dtbs
 

From the Developer Package tarball, a Makefile.sdk is present and must be used to build the target. It automatically sets the proper configuration for the TF-A build.

  make -f Makefile.sdk TF_A_CONFIG=trusted TF_A_DEVICETREE=<board>

The latest version of the helper file is also available in GitHub: README_HOWTO.txt.

5.1.5. Final image

Final images are available for updating the FIP binary (including the associated firmware configuration file):

<BUILD_PLAT>/sp_min/bl32.bin
<BUILD_PLAT>/sp_min/fdts/<board>.dtb
<BUILD_PLAT>/sp_min/fdts/<board>-fw-config.dtb
Example:
build/sp_min/bl32.bin
build/sp_min/fdts/stm32mp157c-ev1.dtb
build/sp_min/fdts/stm32mp157c-ev1-fw-config.dtb

5.2. Distribution Package

For an OpenSTLinux distribution, the TF-A SP-MIN image is built in release mode by default. The Yocto recipe can be found in:

meta-st/meta-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_<version>.bb

If you want to modify the TF-A SP-MIN source code, use the following steps, starting from an already downloaded and built OpenSTLinux distribution.

5.2.1. Access sources

You can use devtool to access the source.

  cd <baseline root directory>
  devtool modify tf-a-stm32mp sources/boot/tf-a

By going to the sources/boot/tf-a folder, you can manage and modify the TF-A sources. To rebuild it, go back to the build-<distribution> folder and launch the TF-A recipe:

  bitbake tf-a-stm32mp

The final image is deployed in the image default output folder.

5.3. Update software on board

5.3.1. Update the FIP

From the generated binaries and an existing FIP, you can update only the binaries that changed using the fiptool command.

  • Update all of SP-MIN (including firmware configuration)

  fiptool update --tos-fw bl32.bin --tos-fw-config <board>.dtb --fw-config fw-config.dtb fip-<board>-trusted.bin

  • Update only the SP-MIN device tree

  fiptool update --tos-fw-config <board>.dtb fip-<board>-trusted.bin

  • Update only the SP-MIN binary

  fiptool update --tos-fw bl32.bin fip-<board>-trusted.bin
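
After a partial update it is worth confirming that the FIP still carries every SP-MIN entry before it is flashed. The following is an added example, not part of the original page or of TF-A: the function name `fip_missing_images` is hypothetical, and it assumes `fiptool info` prints one line per image ending in `cmdline="--<option>"`.

```shell
#!/bin/sh
# Added example (not from the original page): check `fiptool info` output for
# the entries that the fiptool update commands above are expected to leave in
# the FIP.

# fip_missing_images OPTION...
# Reads `fiptool info` text on stdin and prints each OPTION (given without the
# leading "--") that has no entry. Returns 0 only when nothing is missing.
fip_missing_images() {
    listing=$(cat)
    missing=0
    for opt in "$@"; do
        # Match the closing quote too, so that tos-fw does not also match
        # the tos-fw-config entry.
        if ! printf '%s\n' "$listing" | grep -Fq -- "cmdline=\"--$opt\""; then
            printf '%s\n' "$opt"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample of `fiptool info` output (offsets and sizes are made up).
SAMPLE_OK='Trusted OS Firmware BL32: offset=0x330, size=0x13000, cmdline="--tos-fw"
FW_CONFIG: offset=0x13330, size=0x226, cmdline="--fw-config"
TOS_FW_CONFIG: offset=0x13556, size=0x4A00, cmdline="--tos-fw-config"'

# Typical use on the host, once fiptool update has run:
#   fiptool info fip-<board>-trusted.bin | \
#       fip_missing_images tos-fw tos-fw-config fw-config || echo "FIP incomplete"
```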

5.3.2. Partitioning of binaries

The TF-A build provides a binary named fip.bin (or fip-<board>-trusted.bin from Makefile.sdk) that MUST be copied to a dedicated partition named "fip".

5.3.3. Update via SDCARD

If you use an SD card, you can update TF-A using the dd command on your host.
Plug your SD card into the computer and copy the binary to the dedicated partition; on an SD card/USB disk the "fip" partition is partition 3:

 - SDCARD: /dev/mmcblkXp3 (where X is the instance number)
 - SDCARD via USB reader: /dev/sdX3 (where X is the instance number)
  • Linux
  dd if=fip-<board>-trusted.bin of=/dev/<device partition> bs=1M conv=fdatasync

Information: To find the partition associated with a specific label, plug the SD card/USB disk into your PC and run the following command:

  ls -l /dev/disk/by-partlabel/
 total 0
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 bootfs -> ../../mmcblk0p4
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fip -> ../../mmcblk0p3 		  ➔ FIP
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl1 -> ../../mmcblk0p1          ➔ FSBL1 (TF-A BL2)
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl2 -> ../../mmcblk0p2          ➔ FSBL2 (TF-A BL2 backup – same content as FSBL)
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 rootfs -> ../../mmcblk0p5
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 userfs -> ../../mmcblk0p6


  • Windows

CoreUtils [1] that includes the dd command is available for Windows.
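
On a Linux host, the by-partlabel lookup and the dd step above can be combined so that the image is only ever written to the partition labelled "fip", and never to fsbl1/fsbl2 or to another disk. This is an added example, not part of the original page: the function names are hypothetical, and the optional LABEL_DIR argument exists only so the check can be exercised without real devices.

```shell
#!/bin/sh
# Added example (not from the original page): refuse to write a FIP image
# anywhere except the partition whose label is "fip".

# resolve_fip_partition [LABEL_DIR]
# Prints the device node behind the "fip" label. LABEL_DIR defaults to
# /dev/disk/by-partlabel.
resolve_fip_partition() {
    label_dir=${1:-/dev/disk/by-partlabel}
    if [ ! -L "$label_dir/fip" ]; then
        echo "no 'fip' partition label found in $label_dir" >&2
        return 1
    fi
    readlink -f "$label_dir/fip"
}

# check_fip_target TARGET [LABEL_DIR]
# Succeeds only if TARGET is the node that the "fip" label points to.
check_fip_target() {
    target=$(readlink -f "$1") || return 1
    expected=$(resolve_fip_partition "$2") || return 1
    if [ "$target" != "$expected" ]; then
        echo "refusing: $1 is not the 'fip' partition ($expected)" >&2
        return 1
    fi
}

# write_fip IMAGE TARGET [LABEL_DIR]
# Runs the same dd command as the page, but only after both checks pass.
write_fip() {
    [ -s "$1" ] || { echo "image $1 is missing or empty" >&2; return 1; }
    check_fip_target "$2" "$3" || return 1
    dd if="$1" of="$2" bs=1M conv=fdatasync
}

# Typical use (as root), with the SD card plugged in:
#   write_fip fip-<board>-trusted.bin "$(resolve_fip_partition)"
```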

5.3.4. Update via USB mass storage on U-boot

See How to use USB mass storage in U-Boot

Follow the previous section to put fip-<board>-trusted.bin onto the SD card/USB disk.

5.3.5. Update your boot device via STM32CubeProgrammer

Refer to the STM32CubeProgrammer documentation to update your target.