STM32MPU OP-TEE profiles

Revision as of 11:34, 30 April 2024 by Registered User (→‎OP-TEE system services profile: minor rewording)
Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP25x lines


1. Purpose[edit source]

This article present the main profiles for STM32MPU OP-TEE OS image configuration. Last section gives references to OP-TEE build commands where to apply the configuration tuning.

For information on the many configuration switches of OP-TEE, refer the the mainline documentation [1] and to OP-TEE configuration switches article.

2. Overview[edit source]

As detailed in STM32MPU OP-TEE Overview article, OP-TEE is used both as a system resource manager and as a secure service provider in STM32MPU software deliveries. Support for these services can be set from specific CFG_xxx configuration switches (see OP-TEE configuration switches) however STM32MPU defines an OP-TEE configuration profile directive, CFG_STM32MP_PROFILE, that allows to set whether OP-TEE embeds secure services or only the system resource management service. This article describes these profiles and the related services embedded in OP-TEE OS.

3. OP-TEE system services profile[edit source]

OP-TEE system resource management profile is enabled with CFG_STM32MP_PROFILE=system_services.

OpenSTLinux is designed to run a Linux ® kernel on an Arm Cortex-A processor. In this architecture, Linux © kernel is designed to execute in the non-secure state of the processor. Arm specifies several standard interfaces for Linux ® kernel (more generally Cortex-A non-secure world software) to access resources that are under secure world control by processor and/or chip architecture design, even if these resources may not strictly require Root of Trust (RoT) constraints on their use. STM32MPU OP-TEE system resource management profile configures OP-TEE to embed only these services, disabling all secure services.

These services are exposed through several standard interfaces:

  • Arm PSCI specification [2] covers CPU and system low power modes.
  • Arm defines a secure watchdog service interface bound on an Arm SMCCC function ID.
    The interface was introduced in Linux ® kernel v5.8 [3].
  • Arm SCMI specification [4] covers system resources as clocks, voltage regulators, power domains.
  • STM32MP15 exposes platform SiP and OEM SMC function IDs in the scope of the Arm SMCCC specification [5].
    These SMC function IDs are used in early OpenSTLinux distribution OTP fuses access services and up to now for low power domains and voltage regulators control.
  • OP-TEE OS defines so-called PTA services, as standardized interfaces for few system resource.

The tables below lists the resource management services available by OP-TEE. Some of these services are default enabled in applicable STM32MP product lines but can be individually disabled with their related CFG_xxx configuration switch.

OP-TEE system services STM32MP13x lines More info.png STM32MP15x lines More info.png STM32MP25x lines More info.png
SCMI services required required required
PSCI services required required required
for PMIC services
Oscillator calibration service optional
(CFG_STM32_CLKCALIB=y)		 optional
(CFG_STM32_CLKCALIB=y)		 required
Wakeup source management require required not applicable
Power Domain service required required not applicable
OTP access services recommended
(CFG_BSEC_PTA=y)		 recommended
(CFG_BSEC_PTA=y)		 optional
(CFG_BSEC_PTA=y)

3.1. SCMI services[edit source]

SCMI services STM32MP13x lines More info.png STM32MP15x lines More info.png STM32MP25x lines More info.png
Clock management required required required
Reset management required required required
Performance management
(CPU DVFS)		 recommended
(CFG_STM32_CPU_OPP=y)		 optional
(n.a. if done by Linux®)		 recommended
(CFG_STM32_CPU_OPP=y)
Regulator management required optional
(default under Linux® control)		 required

3.2. PSCI services[edit source]

PSCI services STM32MP13x lines More info.png STM32MP15x lines More info.png STM32MP25x lines More info.png
CPU hotplug required required required
System reset required required not applicable
done by TF-A
System power off required required required
System standby required required required
Info white.png Information
On STM32MP25x lines More info.png, the PSCI services are handled by secure monitor level firmware that is TF-A/BL31. However TF-A/BL31 calls OP-TEE OS for voltage regulator controls during low power state transitions.

4. OP-TEE secure services profile[edit source]

OP-TEE secure services profile is enabled with CFG_STM32MP_PROFILE=system_and_secure_services.

This profile embeds all the system service describes in the previous section OP-TEE system services profile and embeds secure services as support for Trusted Applications (TAs, see [6]), secure remote co-processor loading, random number generation and more.
All secure services are built as OP-TEE TAs, executed in Cortex-A secure unprivileged level, or as OP-TEE core built-in services (named PTAs, part of OP-TEE core firmware image). When secure services are used, STM32MPU hardware assistance can greatly enhance the security hardening of the platform.

OP-TEE secure services are listed in the table below. Each of these services is default enabled in applicable STM32MP product line default configuration but can be individually disabled from their related CFG_ configuration switch.

OP-TEE secure services STM32MP13x lines More info.png STM32MP15x lines More info.png STM32MP25x lines More info.png
Trustworthiness of secure services
(External TAs and internal PTAs)		 required required required
Random generation service
(CFG_HWRNG_PTA=y)		 required required required
OTP access services
(CFG_BSEC_PTA=y)		 required required required
NVMEM provisioning services
(stm32mp_nvmem TA)		 optional optional optional
User Trusted application support
(CFG_WITH_USER_TA=y)		 recommended recommended recommended
Remote proc services
(CFG_STM32MP_REMOTEPROC=y
and remoteproc TA)		 not applicable optional
(default embedded)		 optional
(default embedded)
OP-TEE trusted keys wrapping
(CFG_IN_TREE_EARLY_TAS+=trusted_keys/...)		 optional optional optional
OP-TEE PKCS#11 token
(CFG_PKCS11_TA+=trusted_keys/...)		 optional optional optional
OP-TEE StMM for EFI secure variables
(CFG_STMM_PATH=...)		 optional optional optional

5. Platform default configuration and constraints[edit source]

5.1. STM32MP13 default profile[edit source]

Platform default configuration for STM32MP13x lines More info.png enables both system and secure service:

  • CFG_STM32MP_PROFILE=system_and_secure_services

On STM32MP13x lines More info.png, OP-TEE OS is loaded in the external memory (DDR) that is encrypted thanks to DDRMCE. On STM32MP13x lines More info.png, secure services needs some STM32MPU subsystems be assigned to the secure world (STM32 RNG, STM32 AES, STM32 IWDG, etc...)

5.2. STM32MP15 default profile[edit source]

Platform default configuration for STM32MP15x lines More info.png enables only system resource management services:

  • CFG_STM32MP_PROFILE=system_services

Because STM32MP15x lines More info.png does not offer DDR encryption support, enabling the secure services profile requires OP-TEE to execute in the small secure internal SYSRAM thanks to its "pager" mode (memory page swapping). The paging mechanism can affect OP-TEE service perfomances. This mode also require saving and restorage of the secure memory in the unsecure DDR, using STM32 CRYP and STM32 RNG assistance. Therefore STM32MP15A* and STM32MP15D* chips cannot support low power state when secure services are enabled. It is possible to assign SRAM1 and some other SRAMx if they are not used by the Cortex-M processor. In order to enable OP-TEE secure services on STM32MP15x lines More info.png, one shall set CFG_STM32MP_PROFILE=system_and_secure_services.

Info white.png Information
Knowledge corner: running OP-TEE pager in SYSRAM:

OP-TEE OS requires more than 256Ko RAM to execute. STM32MP15x lines More info.png SYSRAM is only 256Ko large therefore OP-TEE core must enable its "pager" mode (configuration switch CFG_WITH_PAGER=y) to extend secure memory using virtual memory mapping and a dynamic paging on demand mechanism to backup secure data into DDR, protected by hash tables and software AE encryption keys.
When so, OP-TEE boot image is made of 2 binary images: one (the unpaged part) is loaded at the beginning of the SYSRAM by the FSBL, the second (the pageable part) is loaded in DDR by the FSBL, in a DDR area that can be accessed by the CPU secure world.
OP-TEE OS manages low power mode by saving an encrypted image of the SYSRAM content in DDR before it is suspended. OP-TEE restores this content back into the SYSRAM when it resumes from the suspended state. This sequence is achieved using CPU instructions and encryption keys saved in the secure and retained backup SRAM.
For more information on OP-TEE's pager implementation and integration, one can refer to the OP-TEE documenation related to pager [1]

Warning white.png Warning
When STM32MP15 is configured with CFG_STM32MP_PROFILE=system_and_secure_services, TF-A configuration must reflect that OP-TEE is loaded in and boots from secure SYSRAM instead of external DDR. This requires TF-A to be configured with STM32MP1_OPTEE_IN_SYSRAM=1 (1 means enabled, 0 means disabled) for both T-A BL2 and TF-A FIP image.

5.3. STM32MP25 default profile[edit source]

Platform default configuration for STM32MP25x lines More info.png enables both system and secure services:

  • CFG_STM32MP_PROFILE=system_and_secure_services

OP-TEE OS is loaded in DDR, in memory areas protected thanks to RISAF memory region encryption and secure level management.

On STM32MP25x lines More info.png, secure services needs some STM32MPU subsystems be assigned to the secure world (STM32 RNG, STM32 AES, STM32 IWDG, etc...)

6. Details on build directives[edit source]

Article OP-TEE configuration switches details the CFG_xxx variable that are default set when building an OP-TEE image. The build environment can override some of the configuration switch values defined for a platform. How to pass these changes depends on the build environment, refer to these 3 sections:

Info white.png Information

For ecosystem release ≤ v3.0.0 compatibility:
It is still possible to generate the the STM32 binary files with an option flag:
CFG_STM32MP15x_STM32IMAGE=1: Generate the STM32 files for ecosystem release ≤ v3.0.0 compatibility.


7. References[edit source]

  1. https://optee.readthedocs.io/en/latest/architecture/core.html#pager



Open portable trusted execution environment

Operating system

Linux® is a registered trademark of Linus Torvalds.

Arm® is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere. Arm logo.png

Cortex®

Power state coordination interface

Central processing unit

Secure monitor call (SMC) calling convention

System control and management interface

Silicon provider

Original equipment manufacturer

Secure monitor call

One time programmed

Pseudo Trusted Application

Power management integrated circuit

Boot and Security and OTP control

Dynamic voltage and frequency scaling

Operating performance point (link to voltage and frequency scaling)

Trusted firmware for Arm® Cortex®-A

Trusted application

Doubledata rate (memory domain)

Random number generator

Advanced encryption standard

Independent watchdog

Cryptographic processor

Random access memory (Early computer memories generally hadserial access. Memories where any given address can be accessed when desired were then called "random access" to distinguish them from the memories where contents can only be accessed in a fixed order. The term is used today for volatile random-acces ssemiconductor memories.)

First stage boot loader

Boot loader stage 2

Firmware image package is a packaging format used by TF-A

Retrieved from "https://wiki.st.com/stm32mpu/index.php?title=STM32MPU_OP-TEE_profiles&oldid=101521"