How to configure TF-A BL2

Revision as of 14:41, 29 May 2020 by Registered User (Add SSP section)

1. Article Purpose

This section details the process used to build TF-A from sources and to deploy it on your target.
The build example is based on the OpenSTLinux environment:

  • Developer Package
  • Distribution Package

2. Overview

TF-A is the FSBL for the ST trusted boot chain. It must be configured or updated depending on your platform.

Cross compilation of TF-A is only required if it is to be modified. By default, in the Starter Package, the TF-A image is named: tf-<board>-trusted.stm32.
If changes are made, you must rebuild TF-A and update all the FSBL partitions of your boot device with this new image. A second FSBL image is used as a backup image.

The build process creates a full STM32 image, integrating a specific header, that can be written to Flash.
This trusted firmware-A image contains a device tree, a BL2 and a BL32 stage.
These binaries are built in a single step during the build process.


3. Developer Package

3.1. Install sources

The Developer Package contains OpenSTLinux and TF-A sources: TF-A Installation

3.2. Official source tree

Warning: The STM32MP1 platform is not yet fully upstreamed, so some features are not available from this repository.

Download the source code from the official GitHub repository:

  git clone https://github.com/ARM-software/arm-trusted-firmware.git


3.3. Build Process

3.3.1. Initialize the cross compile environment

Setup Cross compile environment

3.3.2. TF-A Build flags

Mandatory flags:

  • ARM_ARCH_MAJOR=7: the major version of ARM Architecture to target (STM32MP15 is ARMv7 architecture based)
  • ARCH=aarch32: specify aarch32 architecture to be built
  • PLAT=stm32mp1: builds an stm32mp1 platform
  • DTB_FILE_NAME=<fdt file name>.dtb: this must be defined to build the proper target and include the correct DTB file into the final file
  • AARCH32_SP=<monitor>
    • sp_min: builds the BL32 secure monitor if required
    • optee: do not include BL32 and prepare BL2 for optee-specific load.
  • The boot device(s) you use, one (or more) of:
    • STM32MP_EMMC=1
    • STM32MP_SDMMC=1
    • STM32MP_RAW_NAND=1
    • STM32MP_SPI_NAND=1
    • STM32MP_SPI_NOR=1
  • Or a programming interface (you cannot use AARCH32_SP=optee with those flags):
    • STM32MP_UART_PROGRAMMER=1
    • STM32MP_USB_PROGRAMMER=1


Optional flags:

  • DEBUG=1: add debug information in all binaries
  • V=1: print verbose compilation traces


3.4. Build command

From the Developer Package tarball, a Makefile.sdk is present and must be used to build the target. It automatically sets the proper configuration for the TF-A build.

  make -f Makefile.sdk TF_A_CONFIG=trusted TFA_DEVICETREE=<board>

The latest version of the helper file is also available on GitHub: README_HOWTO.txt.

Warning: The DTB_FILE_NAME flag must be set to select the correct board configuration.

The device tree file for the target must be located in the fdts folder (<board>.dts).

If no Makefile.sdk exists, you must add your own environment flags:

  unset LDFLAGS;
  unset CFLAGS;

You then have to compile two TF-A binaries: one for flash programming (USB or UART) and one for device boot (SD card, eMMC, SPI-NOR, SPI-NAND or parallel NAND (through FMC)):

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min DTB_FILE_NAME=<board>.dtb STM32MP_UART_PROGRAMMER=1 STM32MP_USB_PROGRAMMER=1
  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min DTB_FILE_NAME=<board>.dtb STM32MP_EMMC=1 STM32MP_SDMMC=1 STM32MP_RAW_NAND=1 STM32MP_SPI_NAND=1 STM32MP_SPI_NOR=1

It is advised to remove from the command line the devices you do not use to boot.
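
The flag rules from section 3.3.2 and the advice above can be enforced before invoking make. The following is an added example, not part of the original page or of ST's tooling: the function name tfa_make_cmd and its short device names are hypothetical, and the board name is the one used in the page's own example path.

```shell
#!/bin/sh
# Added example: compose one TF-A make command from the devices a board uses.
# tfa_make_cmd and its short device names are hypothetical, not ST tooling.
# usage: tfa_make_cmd <sp_min|optee> <board> <device>...
tfa_make_cmd() {
    sp=$1
    board=$2
    [ $# -ge 3 ] || { echo "usage: tfa_make_cmd <sp_min|optee> <board> <device>..." >&2; return 2; }
    shift 2
    case $sp in
        sp_min|optee) ;;
        *) echo "error: AARCH32_SP must be sp_min or optee" >&2; return 1 ;;
    esac
    flags=""
    boot=0
    prog=0
    for dev in "$@"; do
        case $dev in
            emmc)     flags="$flags STM32MP_EMMC=1";            boot=1 ;;
            sdmmc)    flags="$flags STM32MP_SDMMC=1";           boot=1 ;;
            raw_nand) flags="$flags STM32MP_RAW_NAND=1";        boot=1 ;;
            spi_nand) flags="$flags STM32MP_SPI_NAND=1";        boot=1 ;;
            spi_nor)  flags="$flags STM32MP_SPI_NOR=1";         boot=1 ;;
            uart)     flags="$flags STM32MP_UART_PROGRAMMER=1"; prog=1 ;;
            usb)      flags="$flags STM32MP_USB_PROGRAMMER=1";  prog=1 ;;
            *) echo "error: unknown device '$dev'" >&2; return 1 ;;
        esac
    done
    # Stated on the page: programmer flags cannot be used with AARCH32_SP=optee.
    if [ "$prog" -eq 1 ] && [ "$sp" = optee ]; then
        echo "error: programmer flags cannot be combined with AARCH32_SP=optee" >&2
        return 1
    fi
    # Choice made by this helper: keep the programmer binary and the boot
    # binary as two separate builds, as the page's two make commands do.
    if [ "$prog" -eq 1 ] && [ "$boot" -eq 1 ]; then
        echo "error: build programmer and boot-device binaries separately" >&2
        return 1
    fi
    echo "make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=$sp" \
         "DTB_FILE_NAME=$board.dtb$flags"
}

# Constructed usage: a board that boots only from SD card, plus its USB programmer build.
tfa_make_cmd sp_min stm32mp157c-ev1 sdmmc
tfa_make_cmd sp_min stm32mp157c-ev1 usb
```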

3.5. Final image

The final image is available for Flash or SD card update in the corresponding folder:

build/<target>/<debug|release>/tf-a-<target>.stm32
Example:
build/stm32mp1/debug/tf-a-stm32mp157c-ev1.stm32

4. Distribution Package

For an OpenSTLinux distribution, the TF-A image is built in release mode by default. The Yocto recipe can be found in:

meta-st/meta-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_<version>.bb

If you want to modify the TF-A source code, use the following steps starting from an already downloaded and built OpenSTLinux distribution.

4.1. Access sources

You can use devtool to access the source.

  cd <baseline root directory>
  devtool modify tf-a-stm32mp sources/boot/tf-a

By going to the sources/boot/tf-a folder, you can manage and modify the TF-A sources. To rebuild it, go back to the build-<distribution> folder and launch the TF-A recipe:

  bitbake tf-a-stm32mp

The final image is deployed in the image default output folder.

5. Update software on board

5.1. Partitioning of binaries

The TF-A build provides a binary named tf-a-stm32mp157c-<board>.stm32 that MUST be copied to a dedicated partition named "fsblX" (X depends on the backup needed).

Warning: TF-A must be located in the first partition of your boot device.

You can just update the first partition for a simple test, but all backup partitions must contain the same image at the end.

5.2. Update via SD card

If you use an SD card, you can simply update TF-A using the dd command on your host.
Plug your SD card into the computer and copy the binary to the dedicated partition; on an SD card/USB disk the "fsbl1" partition is partition 1:

  • SD card: /dev/mmcblkXp1 (where X is the instance number)
  • SD card via USB reader: /dev/sdX1 (where X is the instance number)

  • Linux

  dd if=<tf-a file> of=/dev/<device partition> bs=1M conv=fdatasync

Information: To find the partition associated with a specific label, plug the SD card/USB disk into your PC and run the following command:

  ls -l /dev/disk/by-partlabel/
 total 0
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 bootfs -> ../../mmcblk0p4
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl1 -> ../../mmcblk0p1          ➔ FSBL1 (TF-A)
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl2 -> ../../mmcblk0p2          ➔ FSBL2 (TF-A backup – same content as FSBL)
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 rootfs -> ../../mmcblk0p5
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 ssbl -> ../../mmcblk0p3           ➔ SSBL (U-Boot)
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 userfs -> ../../mmcblk0p6
  • Windows

There is an existing dd for Windows that makes binary copying possible.
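
Section 5.1 requires every FSBL partition to end up with the same image. The following added example (not part of the original page; fsbl_digest and verify_fsbl are hypothetical helper names) reads back the first image-sized bytes of each partition after dd and compares their SHA-256 digest with that of the built file. It assumes a Linux host with head and sha256sum.

```shell
#!/bin/sh
# Added example: confirm that every FSBL copy matches the built TF-A image.
# fsbl_digest and verify_fsbl are hypothetical helper names.

# SHA-256 of the first <nbytes> bytes of a file or block device.
# usage: fsbl_digest <path> <nbytes>
fsbl_digest() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# usage: verify_fsbl <tf-a image> <partition>...
# e.g.   verify_fsbl <tf-a file> /dev/disk/by-partlabel/fsbl1 \
#                                /dev/disk/by-partlabel/fsbl2
# Returns 0 only if every partition starts with exactly the image content.
verify_fsbl() {
    image=$1
    shift
    size=$(wc -c < "$image") || return 2
    size=$((size))            # drop padding that some wc versions print
    want=$(fsbl_digest "$image" "$size")
    rc=0
    for part in "$@"; do
        if [ ! -r "$part" ]; then
            echo "MISSING  $part"
            rc=1
            continue
        fi
        # A partition shorter than the image yields a different digest,
        # so a truncated write is reported as a mismatch.
        got=$(fsbl_digest "$part" "$size")
        if [ "$got" = "$want" ]; then
            echo "OK       $part"
        else
            echo "MISMATCH $part"
            rc=1
        fi
    done
    return $rc
}
```

Using the by-partlabel paths rather than /dev/mmcblkXpN or /dev/sdXN ties the check to the partition names shown in the listing above; reading the raw partitions normally requires root.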

5.3. Update via USB mass storage on U-Boot

See How to use USB mass storage in U-Boot

Follow the previous section to put tf-a-<board>.stm32 onto the SD card/USB disk.

5.4. Update your boot device (including SD card on the target)

Refer to the STM32CubeProgrammer documentation to update your target.

6. Secure secret provisioning

A specific TF-A build is required to manage SSP.

A dedicated branch is delivered on top of the official TF-A release that contains the specific Makefile for the TF-A SSP.
The TF-A SSP is a subset of TF-A that includes only:

  • BL2 device tree
  • BL2 image with limited support to the serial link device.

6.1. Developer Package

6.1.1. Install sources

The Developer Package contains OpenSTLinux and TF-A-SSP sources: TF-A-SSP Installation

Warning: The SSP is a specific ST feature and will never be upstreamed.

6.1.2. Additional Flags

Mandatory flags to build the TF-A SSP are:

  • STM32MP_SSP=1

For the serial link storage:

  • STM32MP_UART_PROGRAMMER=1
  • STM32MP_USB_PROGRAMMER=1

6.1.3. Build command

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 DTB_FILE_NAME=<board>.dtb STM32MP_SSP=1 STM32MP_UART_PROGRAMMER=1 STM32MP_USB_PROGRAMMER=1

6.1.4. Final image

The final image is available for Flash or SD card update in the corresponding folder:

build/<target>/<debug|release>/tf-a-ssp-<target>.stm32
Example:
build/stm32mp1/debug/tf-a-ssp-stm32mp157c-ev1.stm32

6.2. Distribution Package

For an OpenSTLinux distribution, the TF-A SSP image is not built in release mode by default. The Yocto recipe can be found in:

meta-st/meta-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp-ssp_<version>.bb

If you want to modify the TF-A SSP source code, use the following steps starting from an already downloaded and built OpenSTLinux distribution.

6.2.1. Access sources

You can use devtool to access the source.

  cd <baseline root directory>
  devtool modify tf-a-stm32mp-ssp sources/boot/tf-a_ssp

By going to the sources/boot/tf-a_ssp folder, you can manage and modify the TF-A sources. To rebuild it, go back to the build-<distribution> folder and launch the TF-A recipe:

  bitbake tf-a-stm32mp-ssp

The final image is deployed in the image default output folder.