1. Purpose of article[edit source]
This article describes how to update the STM32 MPU embedded Software distribution to a specific 256Mo DDR mapping in a STM32MP13x based product.
Note that the 256Mo software configuration can be performed on a STM32MP13 DK board (512Mo of DDR), in order to prototype the new mapping memory, but for this exercise, further software updates are requested , there are highlight in the article with the label (DDR512Mo).
2. Pre-requesites[edit source]
You are already familiar with the Yocto build process and OpenSTLinux distribution.
3. Introduction[edit source]
This article is a guideline for the user to update the STM32 MPU embedded Software in a distribution package of the OpenSTLinux distribution, according to his 256Mo hardware configuration. The process is based on a OpenSTlinux configured for the STM32MP13 DK board (512Mo of DDR), with the following DDR mapping. The default mapping defined for The OpenSTLinux on the STM32MP13 DK board for a st-image-weston image is : 0xe0000000 (end optee fw/TZDRAM) 0xde200000 (DDR_SEC_BASE/TZDRAM_START size 1e00000 protected by TZC 400, deb optee fw .text , DDR encrypted DDRMCE size 1e00000) 0xde000000 (SHMEM_START size 200000 no secure, optee mem size 2000000) 0xdd000000 (framebuffer protected access by DDR TZC size 1000000) 0xd0000000 (End of DDR cacheable in U-Boot) 0xc0000000 (DDR non secure) The target is to update is to target the following 260Mo mapping : 0xd0000000 0xcfc00000 (DDR_SEC_BASE/TZDRAM_START size DDR_NS_SIZE (400000/4Mo) protected by TZC 400, deb optee fw .txt, DDR encrypted DDRMCE) 0xcfb00000 (DDR_SHARE_BASE size DDR_SHARE_SIZE (100000/1Mo no secure , optee memmory reserved size 500000/5Mo) 0xceb00000 (optee-framebuffer) protected access by TZC 400 size 1000000/16Mo) 0xc8000000 (End of DDR cacheable in U-Boot, begin of linux CMA reserved size 8000000/128Mo) 0xc0000000 (DDR_NS_BASE/STM32MP_DDR_BASE)
The software modification requested in the STM32MP1 Distribution Package, have been performed with the "devtool" and "bitbake" tools. The following component need to be modified (TF-A, U-boot, OP-TEE, Linux Kernel).
4. DDR configuration[edit source]
The DDR is configured with the STM32CubeMX DDR tool, the tool creates the device tree source include file.
5. TF-A updates[edit source]
To update the TF-A firmware in the STM32MP1 Distribution Package, use the devtool tool: $PC > devtool modify tf-a-stm32mp The updates requested according to new mapping: Modify the DDR_SIZE (512Mo->256Mo) defined in file fdts/stm32mp135f-dk-config.dts
- define DDR_SIZE 0x10000000
Modify the DDR_SEC_SIZE (30 Mo -> 4Mo) and DDR_SHARE_SIZE (2Mo->1Mo) defined in file fdts/stm32mp13-fw-config.dtsi
- define DDR_SEC_SIZE 0x400000
- define DDR_SHARE_SIZE 0x100000
DDR512Mo: Modify the DDR_MEM_SIZE in the file fdts/stm32mp-ddr3-1x4Gb-1066-binF.dtsi . :
- define DDR_MEM_SIZE 0x10000000
5.1. Description of the TF-A updates[edit source]
- Firewall configuration (link to the page How to configure TF-A FW CONFIG)
The DDR firewall is configured to restrict access to specific areas.The TZC is configured at boot time to setup DDR accesses by the TF-A, redefined by OP-TEE. (link to the page How to configure TF-A FW CONFIG) Three regions are defined : Start address = 0xC000 0000: 251-Mbyte region where secure accesses are forbidden and to which all non-secure peripherals can access Start address = 0xCFB0 0000: 1-Mbyte (SHM) region where secure accesses are forbidden and non-secure accesses are possible only from an A7 CPU Start address = 0xCFC0 0000: 4-Mbyte (OP-TEE) region where only secure accesses are allowed
OP-TEE is the secure OS executed in DDR protected by TZC, the size allocated to OP-TEE depend on how the OP-TEE is configured and used, it includes the firmware Optee-os size, the stack and heap size, stack and heap are almost dedicated to Trusted Applications. SHM is the share memory between non secure and secure OS (?? usage buffer for TA access ??;..)
The configuration of the mem firewall is defined in the file fdts/stm32mp13-fw-config.dtsi DDR_NS_BASE : STM32MP_DDR_BASE : 0xc0000000 (default OpenSTLInux RAM mapping)) DDR_SEC_SIZE : 0x00400000 (4 Mo allocated to OP-TEE). DDR_SEC_BASE : STM32MP_DDR_BASE + DDR_SIZE - DDR_SEC_SIZE : 0xc0000000 + 0x10000000 - 0x00400000 : 0xcfc00000 DDR_SHARE_SIZE : 0x00100000 (1 Mo allocated for Share memory) DDR_SHARE_BASE : DDR_SEC_BASE - DDR_SHARE_SIZE : 0xcfc00000 - 0x00100000 : 0xcfb00000 DDR_NS_SIZE : DDR_SHARE_BASE - DDR_NS_BASE : 0xcfb00000 - 0xc0000000 : 0x0fb00000 : 251 Mo
- DDR Encryption area (link to the page How to configure TF-A FW CONFIG)
The memory region encrypted is defined in fdts/stm32mp13-fw-config-mem-encrypt.dtsi. The memory region defined by default in OpenSTLinux configuration is the region allocated to OP-TEE, so defined with parameters DDR_SEC_BASE and DDR_SEC_SIZE.
- Firmware configuration file
The FW_CONFIG define all binaries to be loading in internal RAM or DDR, with for each image the load adress, the maximum binary size to be loaded, and the ID of the image . The FW_CONFIG and all binaries are embedded in a TF-A FIP (Firmware Image Package). (link to How to configure TF-A FIP) The TF-A FIP contains all boot binaries and optionally their certificates, installed by the TF-A. (U-Boot, U-Boot dtb, OP-TEE, FW_CONFIG)
The configuration is defined in the file fdts/stm32mp13-fw-config.dtsi The structure of the tos-fw (secure os) depend on the parameter DDR_SEC_BASE an DDR_SEC_SIZE.
6. OP-TEE updates[edit source]
To update the OP-TEE firmware in the STM32MP1 Distribution Package, use the devtool tool : $PC > devtool modify optee-os-stm32mp
The updates requested according to new mapping: in the file core/arch/arm/plat-stm32mp1/conf.mk CFG_DRAM_SIZE ?= 0x10000000 (256Mo) CFG_TZDRAM_SIZE ?= 0x00400000 (4Mo) CFG_SHMEM_SIZE ?= 0x00100000 (1Mo) in the file core/arch/arm/dts/stm32mp135f-dk.dts memory@c0000000 { device_type = "memory"; reg = <0xc0000000 0x10000000>; };
reserved-memory { #address-cells = <1>; #size-cells = <1>; ranges;
optee_framebuffer: optee-framebuffer@ceb00000 {
/* Secure framebuffer memory */
reg = <0xceb00000 0x1000000>;
st,protreg = <TZC_REGION_S_RDWR 0>;
};
6.1. Description of the updates[edit source]
- memory secure and share memory
The OP-TEE memory configuration is defined in the file core/arch/arm/plat-stm32mp1/conf.mk CFG_TZDRAM_START ?= ($(CFG_DRAM_BASE) + $(CFG_DRAM_SIZE) - $(CFG_TZDRAM_SIZE)) = 0xc0000000 + 0x10000000 - 0x400000 = 0xcfc00000 CFG_SHMEM_START ?= ($(CFG_TZDRAM_START) - $(CFG_SHMEM_SIZE)) = 0xcfc00000 - 0x100000 = 0xcfb00000
The memory size CFG_TZDRAM_SIZE and mapping reserved for OP-TEE depend on the task allocated to the secure OS. The memory allocated include the size of the Optee-os firmware, the stack and heap size, almost of stack and heap are reserved to the Trusted applications. see the FAQ ion OP-TEE documentation the https://optee.readthedocs.io/en/latest/faq/faq.html#q-what-is-the-size-of-op-tee-itself
- OP-TEE frame buffer
The OP-TEE frame buffer is a secure memory region dedicated to the display, used by Trusted UI in OP-TEE, protected by TZC, This region named optee-framebuffer is configured in OP-TEE device tree source core/arch/arm/dts/stm32mp135f-dk.dts.