How to configure TF-M

Applicable for

1. Article purpose[edit source]

This section details the TF-M stage (Trusted Firmware-M). It explains how to configure and build TF-M in STM32 MPU context, describes the build process from sources, and shows how to deploy it on your target.

2. Source code access and build process[edit source]

2.1. Prerequisites[edit source]

Please

2.2. Install sources[edit source]

2.2.1. From the Developer package[edit source]

Not available in developer package...

2.2.2. Official source tree[edit source]

Download the source code from the official Trusted Firmware-A git repository.

  git clone https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/

Warning

The STM32MP2 platform is not yet upstreamed.

For a full-featured software, go to STMicroelectronics github:

  git clone https://github.com/STMicroelectronics/trusted-firmware-m.git
  git clone https://github.com/STMicroelectronics/tf-m-tests.git

2.2.3. Distribution Package[edit source]

Not possible to build TF-M inside distribution package.

2.3. Build process[edit source]

2.3.1. TF-M Build flags[edit source]

Generic build flags for TF-A are described in the Build Options page of the official TF-A documentation^[1].

Generic build flags for STM32 MPU platforms can be found in the build instruction chapter in docs/plat/st/stm32mpus.rst .
Specific STM32MP1 series platform flags can be found in the build instruction chapter of the official TF-A documentation ^[2].
Specific STM32MP2 series platform flags can be found in the build instruction chapter in docs/plat/st/stm32mp2.rst .

Other optional flags:

CONFIG_STM32MP25X_REVA (only for STM32MP2 series): Set this flag to 1 if the STM32MP2 chip is a revision A. Default: 0 (chip revision B)
STM32MP1_OPTEE_IN_SYSRAM (only for STM32MP15x lines ): To put OP-TEE pager in SYSRAM. Default: 0 (OP-TEE is in DDR)
STM32MP_FORCE_MTD_START_OFFSET = <value>: overrides the default start offset to read FIP on MTD devices (need to be aligned with FlashLayout).

Information

Default offsets are STM32MP_NOR_FIP_OFFSET = 0x00080000 and STM32MP_NAND_FIP_OFFSET = 0x00200000

2.4. Build command[edit source]

2.4.1. Build command details[edit source]

For example, default build command for STM32MP25 EV1 board is:

  cmake -S <SRC_DIRECTORY> -B <BUILD_DIRECTORY> \
       -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
       -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
       -DTFM_PROFILE=profile_small \
       -DCMAKE_BUILD_TYPE=debug \
       -DNS=OFF

Example mp25 ev1 board in profile medium:

  cmake -S . -B build \
       -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
       -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
       -DTFM_PROFILE=profile_medium \
       -DCMAKE_BUILD_TYPE=debug \
       -DNS=OFF

2.4.2. OSTL device tree for STM32MP2 series[edit source]

For STM32MP257F-EV1 Evaluation board , ST provides OSTL device tree configurations in a dedicated git repository: tf-a/stm32mp257f-ev1-ca35tdcid-ostl.dts . You can use the git submodule command:

  git submodule add https://github.com/STMicroelectronics/dt-stm32mp fdts/external-dt
  make PLAT=stm32mp2 DTB_FILE_NAME=stm32mp257f-ev1-ca35tdcid-ostl.dtb STM32MP_SDMMC=1 \
         SPD=opteed STM32MP_DDR4_TYPE=1

or git clone command with TFA_EXTERNAL_DT:

  git clone https://github.com/STMicroelectronics/dt-stm32mp ${DT_PATH}
  make PLAT=stm32mp2 DTB_FILE_NAME=stm32mp257f-ev1-ca35tdcid-ostl.dtb STM32MP_SDMMC=1 \
         SPD=opteed STM32MP_DDR4_TYPE=1 TFA_EXTERNAL_DT=${DT_PATH}/tf-a

Here DT_PATH can be chosen to whatever you wish, but it must not be a relative path, for example:

  export DT_PATH=`pwd`/../dt-stm32mp

2.5. Final image[edit source]

The final image is available for Flash memory or SDCard update in the corresponding folder:

<BUILD_PLAT>/tf-a-<board>.stm32
Ex:
build/stm32mp1/release/tf-a-stm32mp157c-ev1.stm32

3. Updating the software on board[edit source]

[1] TF-A Build Options

[2] STM32MP1 specific build options

[1]

[2]