How to configure TF-M

Revision as of 10:29, 9 January 2024 by Registered User (→‎Install a toolchain)
Applicable for STM32MP25x lines

1. Article purpose

This section details the TF-M stage (Trusted Firmware-M). It explains how to configure and build TF-M in the STM32 MPU context, describes the build process from sources, and shows how to deploy it on your target.

2. Source code access and build process

2.1. Prerequisites

2.1.1. Linux® PC

2.1.1.1. Install build environment

Install dependencies:

 sudo apt-get install -y git curl wget build-essential libssl-dev python3 \
           python3-pip cmake make

Add the CMake path to the environment:

 export PATH=<CMake path>/bin:$PATH

2.1.1.2. Install python dependencies

From the TF-M source code installed on your PC:

 pip3 install --upgrade pip
 pip3 install -r tools/requirements.txt

2.1.1.3. Install a toolchain

If you use STM32CubeIDE to build TF-M, you do not need to install a toolchain, as STM32CubeIDE uses its own.
If you build from the command line, download a toolchain from here and add GNU Arm to the environment:

 export PATH=$PATH:<toolchain installation directory>/sysroots/x86_64-ostl_sdk-linux/usr/share/gcc-arm-none-eabi/bin

2.1.2. Windows PC

2.1.2.1. Install build environment

Install dependencies:

- Git client, latest version (https://git-scm.com/download/win)
- CMake, native Windows version (https://cmake.org/download/)
- GNU make (http://gnuwin32.sourceforge.net/packages/make.htm)
- Python3, native Windows version (https://www.python.org/downloads/), and the pip package manager (included from Python 3.4 onward)

Add the CMake path to the environment:

 set PATH=<CMake_Path>\bin;%PATH%

2.1.2.2. Install python dependencies

From the TF-M source code installed on your PC:

 cd trusted-firmware-m
 pip3 install -r tools/requirements.txt

2.1.2.3. Install a toolchain

If you use STM32CubeIDE, you do not need to install a toolchain, as STM32CubeIDE uses its own.
If you build from the command line, you can use the toolchain from STM32CubeIDE; update the path as follows in your .bashrc:

 PATH="/c/ST/<STM32 CubeIDE path>/STM32CubeIDE/plugins/com.st.stm32cube.ide.mcu.externaltools.gnu-tools-for-stm32.11.3.rel1.win32_1.1.2.202309201523/tools/bin":$PATH

Note: the plugin version can differ from one STM32CubeIDE version to another, so adapt the path accordingly.

2.2. Install sources

2.2.1. From the Developer package

Not available in developer package...

2.2.2. Official source tree

Download the source code from the official Trusted Firmware-M git repository.

  git clone https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/

Warning: The STM32MP2 platform is not yet upstreamed.

For full-featured software, go to the STMicroelectronics GitHub:

  git clone https://github.com/STMicroelectronics/trusted-firmware-m.git
  git clone https://github.com/STMicroelectronics/tf-m-tests.git


2.2.3. Distribution Package

Not possible to build TF-M inside distribution package.

2.3. Build process

2.3.1. With STM32CubeIDE

2.3.2. With Build command lines

The following example builds for the stm32mp257f_ev1 board with the medium profile, using 'build' as the build directory, and generates the Secure firmware only (no NS tests).
By default, the following device tree is used: platform/ext/target/stm/common/devicetree/dts/arm/stm/stm32mp257f-ev1-revB_s.dts

  cmake -S . -B build \
       -DTFM_PLATFORM=stm/stm32mp257f_ev1 \
       -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake \
       -DTFM_PROFILE=profile_medium \
       -DCMAKE_BUILD_TYPE=debug \
       -G "Unix Makefiles" \
       -DNS=OFF
  make  -C build/ install
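
A pre-flight check for the configure step above, as an added example that is not part of the original article or of ST's tooling. It looks on PATH for the tools named in the prerequisites, checks the two source-tree paths this page mentions, and rejects a relative DT_PATH (see section 2.3.3); the function and variable names are made up for this example.

```shell
#!/bin/sh
# Added example: pre-flight check to run before the cmake configure step.
# Usage (after sourcing this file): preflight /path/to/trusted-firmware-m

# Tools named in the prerequisites section of this page.
TFM_TOOLS="git cmake make python3 pip3 arm-none-eabi-gcc"
# Source-tree paths this page refers to (pip requirements, default device tree).
TFM_DTS="platform/ext/target/stm/common/devicetree/dts/arm/stm/stm32mp257f-ev1-revB_s.dts"
TFM_FILES="tools/requirements.txt $TFM_DTS"

# Print every tool from TFM_TOOLS that cannot be found on PATH.
missing_tools() {
    for tool in $TFM_TOOLS; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# Print every path from TFM_FILES that is absent under source tree $1.
missing_files() {
    for f in $TFM_FILES; do
        [ -f "$1/$f" ] || echo "$f"
    done
}

# Succeed only if $1 is an absolute path, as the page requires for DT_PATH.
is_absolute() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Return 0 if the tree at $1 (default: current directory) is ready to configure.
preflight() {
    src=${1:-.}
    rc=0
    for t in $(missing_tools); do echo "missing tool on PATH: $t" >&2; rc=1; done
    for f in $(missing_files "$src"); do echo "missing in $src: $f" >&2; rc=1; done
    if [ -n "${DT_PATH:-}" ] && ! is_absolute "$DT_PATH"; then
        echo "DT_PATH must be absolute: $DT_PATH" >&2; rc=1
    fi
    return $rc
}
```

Running `command -v arm-none-eabi-gcc` by hand also shows which compiler the build will pick up when more than one toolchain is installed.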

2.3.3. OSTL device tree for STM32MP2 series

For the STM32MP257F-EV1 Evaluation board, ST provides OSTL device tree configurations in a dedicated git repository: tf-a/stm32mp257f-ev1-ca35tdcid-ostl.dts. You can use the git submodule command:

  git submodule add https://github.com/STMicroelectronics/dt-stm32mp fdts/external-dt
  make PLAT=stm32mp2 DTB_FILE_NAME=stm32mp257f-ev1-ca35tdcid-ostl.dtb STM32MP_SDMMC=1 \
         SPD=opteed STM32MP_DDR4_TYPE=1

or the git clone command with TFA_EXTERNAL_DT:

  git clone https://github.com/STMicroelectronics/dt-stm32mp ${DT_PATH}
  make PLAT=stm32mp2 DTB_FILE_NAME=stm32mp257f-ev1-ca35tdcid-ostl.dtb STM32MP_SDMMC=1 \
         SPD=opteed STM32MP_DDR4_TYPE=1 TFA_EXTERNAL_DT=${DT_PATH}/tf-a

DT_PATH can be any location you choose, but it must not be a relative path, for example:

  export DT_PATH=`pwd`/../dt-stm32mp

2.4. Final image

The final image is available for Flash memory or SD card update in the corresponding folder:

 <BUILD_PLAT>/tf-a-<board>.stm32

Example:

 build/stm32mp1/release/tf-a-stm32mp157c-ev1.stm32

3. Updating the software on board