Difference between revisions of "How to configure TF-A FIP"

Applicable for STM32MP13x lines, STM32MP15x lines

1 Article purpose

This section details the Trusted Firmware-A FIP (Firmware Image Package) binary management for usage in the STM32 MPU boot chain. It explains how to use it in STM32 MPU context and describes the build/update process that is required to deploy it on your target.

2 Overview

As explained in the TF-A Overview, the FIP is used by the Trusted Firmware-A BL2 firmware to load and authenticate the next stage binaries.

The FIP follows the Trusted Firmware-A specification[1].

It must contain:

  • All the boot stage firmware (binaries) loaded by Trusted Firmware-A BL2.
  • Configuration files (device tree).

Warning:
If Trusted Firmware-A BL2 is built with TRUSTED_BOARD_BOOT enabled, the FIP must also contain:
  • Certificates (X509.3 based) for authentication.

3 Firmware Image Package structure

The FIP binary has a specific layout that is parsed by the BL2 during the load processing.

[Figure: FIP layout]

The FIP binary starts with a table of contents (ToC) that is recognized by the BL2. Each entry is identified by its UUID, offset in the package, size and flags. The end-of-ToC marker is used to define the start of the binary section. All the corresponding binaries are appended according to the offset defined in the ToC entry.

This structure is automatically built using the fiptool command. It appends all the binaries and creates the associated ToC.
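The ToC layout described above can be checked on the host before a FIP is written to the board. The following is an added example, not code from TF-A or from this page: it assumes the ToC header (name `0xAA640001`, serial number, flags) and each entry (UUID, offset, size, flags) are stored little-endian as packed on the build host, and the UUIDs in the sample are constructed placeholders, not the real image UUIDs.

```python
import hashlib
import struct

TOC_HEADER_NAME = 0xAA640001      # magic in the "name" field of the ToC header
HEADER = struct.Struct("<IIQ")    # name, serial_number, flags  (16 bytes)
ENTRY = struct.Struct("<16sQQQ")  # uuid, offset, size, flags   (40 bytes)
NULL_UUID = bytes(16)             # all-zero UUID marks the end of the ToC


class FipError(ValueError):
    """The ToC is malformed or describes data outside the package."""


def read_toc(blob):
    """Return (entries, toc_end); entries are (uuid, offset, size, flags) in ToC order."""
    if len(blob) < HEADER.size:
        raise FipError("file is shorter than a ToC header")
    name, _serial, _flags = HEADER.unpack_from(blob, 0)
    if name != TOC_HEADER_NAME:
        raise FipError("bad ToC header name 0x%08X" % name)
    entries, pos = [], HEADER.size
    while True:
        if pos + ENTRY.size > len(blob):
            raise FipError("no end-of-ToC marker before end of file")
        uuid, offset, size, flags = ENTRY.unpack_from(blob, pos)
        pos += ENTRY.size
        if uuid == NULL_UUID:
            return entries, pos
        entries.append((uuid, offset, size, flags))


def check_fip(blob, required=()):
    """Validate every ToC entry against the file.

    Returns {uuid_hex: (offset, size, sha256_hex)}; raises FipError on a
    duplicate UUID, an overlap, an out-of-bounds image or a missing entry.
    """
    entries, toc_end = read_toc(blob)
    seen, prev_end = {}, toc_end
    for uuid, offset, size, _flags in sorted(entries, key=lambda e: e[1]):
        key = uuid.hex()
        if key in seen:
            raise FipError("duplicate ToC entry for UUID " + key)
        if offset < prev_end:
            raise FipError("image %s overlaps the ToC or another image" % key)
        if offset + size > len(blob):
            raise FipError("image %s extends past end of file" % key)
        prev_end = offset + size
        digest = hashlib.sha256(blob[offset:offset + size]).hexdigest()
        seen[key] = (offset, size, digest)
    missing = [u for u in required if u not in seen]
    if missing:
        raise FipError("missing ToC entries: " + ", ".join(missing))
    return seen


def is_valid(blob, required=()):
    """Boolean wrapper around check_fip for use in build or flashing scripts."""
    try:
        check_fip(blob, required)
        return True
    except FipError:
        return False


def build_sample_fip(payloads):
    """Constructed test input: ToC first, then the payloads appended in order."""
    offset = HEADER.size + ENTRY.size * (len(payloads) + 1)
    toc, body = HEADER.pack(TOC_HEADER_NAME, 0, 0), b""
    for uuid, data in payloads.items():
        toc += ENTRY.pack(uuid, offset, len(data), 0)
        body += data
        offset += len(data)
    toc += ENTRY.pack(NULL_UUID, offset, 0, 0)  # end-of-ToC marker
    return toc + body


# Constructed placeholder UUIDs and payloads (not the real TF-A image UUIDs).
UUID_FW_CONFIG = bytes.fromhex("a1" * 16)
UUID_BL32 = bytes.fromhex("b2" * 16)
UUID_BL33 = bytes.fromhex("c3" * 16)
SAMPLE = build_sample_fip({
    UUID_FW_CONFIG: b"fw-config-dtb",
    UUID_BL32: b"bl32" * 8,
    UUID_BL33: b"u-boot" * 16,
})

if __name__ == "__main__":
    for uuid_hex, (off, size, digest) in check_fip(SAMPLE).items():
        print("%s: offset=0x%X, size=0x%X, sha256=%s" % (uuid_hex, off, size, digest))
```

Passing the UUIDs that the boot chain needs as `required` turns a silently incomplete package into a build-time failure; the per-image SHA-256 can be compared with the digest of the input file after a `fiptool update`.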

4 Fiptool command

fiptool is a host tool that must be used to generate the proper FIP binary.

Trusted Firmware-A provides a dedicated tool named fiptool to create a FIP.[2]

Information:
By default, the OpenSTLinux SDK provides the fiptool command. You do not need to regenerate it to update (or create) a FIP binary.

fiptool provides a set of useful commands to manage the FIP binary. All options can be listed using the following command:

fiptool help
  • info: The fiptool info provides information on a generated FIP binary
fiptool info fip.bin

If you want to regenerate it, you must follow the official documentation.[3]
The official documentation introduces the different available options.

Here is the list of the most useful options:

  • help: Show all available options supported.
     fiptool help

  • info: List the content of a FIP (offset in the FIP, size in the FIP, cmdline option to modify the binary).
     fiptool info fip.bin
     Secure Payload BL32 (Trusted OS): offset=0x128, size=0x2C, cmdline="--tos-fw"
     Secure Payload BL32 Extra1 (Trusted OS Extra1): offset=0x154, size=0x18750, cmdline="--tos-fw-extra1"
     Secure Payload BL32 Extra2 (Trusted OS Extra2): offset=0x188A4, size=0x56000, cmdline="--tos-fw-extra2"
     Non-Trusted Firmware BL33: offset=0x6E8A4, size=0xECE98, cmdline="--nt-fw"
     FW_CONFIG: offset=0x15B73C, size=0x1FA, cmdline="--fw-config"
     HW_CONFIG: offset=0x15B936, size=0x1BC08, cmdline="--hw-config"

  • update: Update allows one or more images to be replaced in an existing FIP binary.
     fiptool update --tos-fw bl32.bin fip.bin
    The optional argument below can be used to avoid erasing the initial FIP binary:
     fiptool update --tos-fw bl32.bin --out new_fip.bin fip.bin

  • unpack: Extracts all binaries from a FIP binary.
     fiptool unpack fip.bin

  • remove: Removes a binary from FIP binary.
     fiptool remove --tos-fw bl32.bin fip.bin

4.1 Tool generation

The tool is provided within the TF-A sources tools/fiptool. It can be built for Linux® or Windows® platforms. A dedicated rule is available to generate the tool:

make fiptool

It generates the tool under the tools/fiptool/fiptool source path.

4.2 TF-A build

When the TF-A component build process is complete, the FIP binary can be automatically generated. In this case the fiptool is automatically generated too and the FIP binaries are part of the output folder.

5 Cert_create command

When the TRUSTED_BOARD_BOOT feature is enabled, the FIP must contain the binaries and their associated certificates as described in the TBBR[1] Chain of Trust (CoT). These certificates can be created using the cert_create command that is provided in the TF-A sources tools/cert_create.

By default, the OpenSTLinux SDK provides the cert_create. You do not need to regenerate it to regenerate certificates.

The cert_create tool is able to generate the self-signed certificate used to complete the trusted boot chain. It requires a large set of arguments linked to the CoT.

cert_create --help

cert_create creates the certificate if it does not exist yet or uses the available one to generate the CoT. The certificate content must be regenerated if the associated binary has been updated.

5.1 TF-A build

The TF-A generic Makefile can automatically build the certificates using dedicated flags that generate the certificates and append them to the FIP:

  • GENERATE_COT=1 : Enable the cert_create tool
  • ROT_KEY : Specify the root private key to be used

6 FIP binary creation

Below is the list of the different ways in which the FIP binary can be generated:

  • Using the dedicated fiptool command
  • Using the Trusted Firmware-A official Makefile

The FIP binary content depends on whether the TRUSTED_BOARD_BOOT feature is enabled. When it is, the certificates must be generated beforehand so that they can be included in the FIP binary.

6.1 STM32MP1

The OpenSTLinux boot flow requires the following stages to be loaded:

  • BL32: Secure OS OP-TEE OS (or Secure Monitor SP-MIN on STM32MP15x lines)
  • BL33: The non-secure firmware (recommended U-Boot)
  • HW_config: The OpenSTLinux uses the hw_config as the non-secure device tree
  • FW_config: Firmware configuration file listing the previous images and defining their size and the load address

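To create the FIP binary, all the following binaries must be built:

  • Secure OS or Secure Monitor
      ◦ SP-MIN in case of trusted boot chain*.
      ◦ OP-TEE in case of OP-TEE Secure OS usage.
  • U-Boot.
  • Firmware configuration file related to the loaded binaries*.

Information:
* The build can be made in a single step using the TF-A Makefile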

When the TRUSTED_BOARD_BOOT feature is enabled in BL2, the associated certificate must be generated as per the TBBR CoT requirements.

The fiptool is used to create or update a FIP file.

The Trusted Firmware-A Makefile, with the fip target and some variables, uses fiptool to automatically create the new FIP after the Trusted Firmware-A compilation.

With U-Boot as a non-secure firmware, the paths for the files used in next chapters are the following:

Description | Makefile variable | fiptool option | File path for OP-TEE | File path for SP_MIN (limited to STM32MP15x lines)
Secure OS (OP-TEE) or Secure Monitor (SPMIN) | BL32 | --tos-fw | <optee_path>/tee-header_v2.bin | <tfa_path>/bl32.bin
OP-TEE pager | BL32_EXTRA1 | --tos-fw-extra1 | <optee_path>/tee-pager_v2.bin | -
OPTEE pageable | BL32_EXTRA2 | --tos-fw-extra2 | <optee_path>/tee-pageable_v2.bin | -
Firmware configuration file | FW_CONFIG | --fw-config | <tfa_path>/fw-config.dtb | <tfa_path>/fw-config.dtb
U-Boot device tree | BL33_CFG | --hw-config | <u-boot_path>/u-boot.dtb | <u-boot_path>/u-boot.dtb
U-Boot | BL33 | --nt-fw | <u-boot_path>/u-boot-nodtb.bin | <u-boot_path>/u-boot-nodtb.bin

In the next chapter, all the files are assumed present in the current directory.

6.1.1 Trusted boot chain

6.1.1.1 Non-secure boot

The following command generates the FIP package that is required by the BL2 to boot. You can create the FIP binary by using the fiptool command:

fiptool create --fw-config fw-config.dtb \
        --hw-config u-boot.dtb \
        --tos-fw-config bl32.dtb \
        --tos-fw bl32.bin \
        --nt-fw u-boot-nodtb.bin \
        fip.bin

You can also use the TF-A Makefile:

make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
        BL33=<u-boot_path>/u-boot-nodtb.bin \
        BL33_CFG=<u-boot_path>/u-boot.dtb \
        BL32=<tfa_path>/bl32.bin \
        FW_CONFIG=<tfa_path>/fw-config.dtb \
        fip

Adding the AARCH32_SP=sp_min automatically manages the BL32 and FW_CONFIG path:

make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
        AARCH32_SP=sp_min \
        BL33=<u-boot_path>/u-boot-nodtb.bin \
        BL33_CFG=<u-boot_path>/u-boot.dtb \
        fip

6.1.1.2 Secure boot

You can create the certificates and FIP binary by using the cert_create and fiptool commands:

cert_create \
        -n --tfw-nvctr 0 --ntfw-nvctr 0 \
        --key-alg ecdsa --hash-alg sha256 \
        --rot-key privateKey.pem \
        --tb-fw bl2.bin \
        --tb-fw-cert tb_fw.crt \
        --tos-fw-config bl32.dtb \
        --fw-config fw-config.dtb \
        --hw-config u-boot.dtb \
        --trusted-key-cert trusted_key.crt \
        --tos-fw-key-cert tos_fw_key.crt \
        --tos-fw-cert tos_fw_content.crt \
        --tos-fw bl32.bin \
        --nt-fw-key-cert nt_fw_key.crt \
        --nt-fw-cert nt_fw_content.crt \
        --nt-fw u-boot-nodtb.bin

You can now generate the FIP trusted package:

fiptool create \
        --tb-fw-cert tb_fw.crt \
        --fw-config fw-config.dtb \
        --hw-config u-boot.dtb \
        --trusted-key-cert trusted_key.crt \
        --tos-fw-key-cert tos_fw_key.crt \
        --tos-fw-config bl32.dtb \
        --tos-fw-cert tos_fw_content.crt \
        --tos-fw bl32.bin \
        --nt-fw-cert nt_fw_content.crt \
        --nt-fw-key-cert nt_fw_key.crt \
        --nt-fw u-boot-nodtb.bin \
        fip-trusted.bin

You can also use the TF-A Makefile:

make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
        BL33=<u-boot_path>/u-boot-nodtb.bin \
        BL33_CFG=<u-boot_path>/u-boot.dtb \
        BL32=<tfa_path>/bl32.bin \
        FW_CONFIG=<tfa_path>/fw-config.dtb \
        TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem \
        fip

Adding the AARCH32_SP=sp_min automatically manages the BL32 and FW_CONFIG path:

make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
        AARCH32_SP=sp_min \
        BL33=<u-boot_path>/u-boot-nodtb.bin \
        BL33_CFG=<u-boot_path>/u-boot.dtb \
        TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem \
        fip

6.1.2 OP-TEE boot chain

6.1.2.1 Non-secure boot

You can create the FIP binary by using the fiptool command:

fiptool create --fw-config fw-config.dtb \
        --hw-config u-boot.dtb \
        --nt-fw u-boot-nodtb.bin \
        --tos-fw tee-header_v2.bin \
        --tos-fw-extra1 tee-pager_v2.bin \
        --tos-fw-extra2 tee-pageable_v2.bin \
        fip-optee.bin

You can also use the TF-A Makefile:

make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
        BL33=<u-boot_path>/u-boot-nodtb.bin BL33_CFG=<u-boot_path>/u-boot.dtb \
        BL32=<optee_path>/tee-header_v2.bin BL32_EXTRA1=<optee_path>/tee-pager_v2.bin \
        BL32_EXTRA2=<optee_path>/tee-pageable_v2.bin FW_CONFIG=<tfa_path>/fw-config.dtb fip

Adding the AARCH32_SP=optee automatically manages the FW_CONFIG path:

make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=optee \
        BL32=<optee_path>/tee-header_v2.bin BL32_EXTRA1=<optee_path>/tee-pager_v2.bin \
        BL32_EXTRA2=<optee_path>/tee-pageable_v2.bin fip

6.1.2.2 Secure boot

You can create the certificates and FIP binary by using the cert_create and fiptool commands:

cert_create \
        -n --tfw-nvctr 0 --ntfw-nvctr 0 \
        --key-alg ecdsa --hash-alg sha256 \
        --rot-key privateKey.pem \
        --tb-fw bl2.bin \
        --tb-fw-cert tb_fw.crt \
        --tos-fw tee-header_v2.bin \
        --tos-fw-extra1 tee-pager_v2.bin \
        --tos-fw-extra2 tee-pageable_v2.bin \
        --fw-config fw-config.dtb \
        --hw-config u-boot.dtb \
        --trusted-key-cert trusted_key.crt \
        --tos-fw-key-cert tos_fw_key.crt \
        --tos-fw-cert tos_fw_content.crt \
        --nt-fw-key-cert nt_fw_key.crt \
        --nt-fw-cert nt_fw_content.crt \
        --nt-fw u-boot-nodtb.bin

You can now generate the FIP trusted package:

fiptool create \
        --tb-fw-cert tb_fw.crt \
        --fw-config fw-config.dtb \
        --hw-config u-boot.dtb \
        --trusted-key-cert trusted_key.crt \
        --tos-fw-key-cert tos_fw_key.crt \
        --tos-fw-cert tos_fw_content.crt \
        --tos-fw tee-header_v2.bin \
        --tos-fw-extra1 tee-pager_v2.bin \
        --tos-fw-extra2 tee-pageable_v2.bin \
        --nt-fw-cert nt_fw_content.crt \
        --nt-fw-key-cert nt_fw_key.crt \
        --nt-fw u-boot-nodtb.bin \
        fip-optee-trusted.bin

You can also use the TF-A Makefile:

make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
        BL33=<u-boot_path>/u-boot-nodtb.bin BL33_CFG=<u-boot_path>/u-boot.dtb \
        BL32=<optee_path>/tee-header_v2.bin BL32_EXTRA1=<optee_path>/tee-pager_v2.bin \
        BL32_EXTRA2=<optee_path>/tee-pageable_v2.bin FW_CONFIG=<tfa_path>/fw-config.dtb \
        TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem fip

Adding the AARCH32_SP=optee automatically manages the FW_CONFIG path:

make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=optee \
        BL32=<optee_path>/tee-header_v2.bin BL32_EXTRA1=<optee_path>/tee-pager_v2.bin \
        BL32_EXTRA2=<optee_path>/tee-pageable_v2.bin \
        TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem fip

Warning:
If Trusted Firmware-A BL2 is built with TRUSTED_BOARD_BOOT enabled, some specific options and files are required. See the Trusted boot page for more details.

6.2 Updating the FIP binary

When modifying a component included in the FIP binary, it is possible to update only part of the binary. To do this, use the fiptool update command.

Warning:
When updating a binary in the FIP while TRUSTED_BOARD_BOOT is enabled, the content certificate must be updated too. In this case, cert_create must be called with the previously generated certificates to avoid regenerating the whole CoT.

6.2.1 Updating TF-A SP-MIN

When a modification is made in the SP-MIN binary (or its device tree), the SP-MIN must be updated in the FIP binary:

  • Full SP-MIN update
   fiptool update --tos-fw <tfa_path>/bl32.bin --tos-fw-config <tfa_path>/bl32.dtb fip.bin

  • SP-MIN core binary
   fiptool update --tos-fw <tfa_path>/bl32.bin fip.bin

  • SP-MIN device tree update
   fiptool update --tos-fw-config <tfa_path>/bl32.dtb fip.bin

6.2.2 Updating U-Boot

For example, when a new U-Boot is generated, the FIP must be updated using the following commands:

  • Full U-Boot update (U-Boot Binary and U-Boot Device tree)
   fiptool update --nt-fw <u-boot_path>/u-boot-nodtb.bin --hw-config u-boot.dtb fip.bin

  • U-Boot core binary
   fiptool update --nt-fw <u-boot_path>/u-boot-nodtb.bin fip.bin

  • U-Boot device tree update
   fiptool update --hw-config u-boot.dtb fip.bin

6.2.3 Updating OP-TEE

The OP-TEE OS rebuild is required to update the FIP package.

Warning:
It is recommended to update all OP-TEE OS images rather than just update the required one.

fiptool update --tos-fw <optee_path>/tee-header_v2.bin \
        --tos-fw-extra1 <optee_path>/tee-pager_v2.bin \
        --tos-fw-extra2 <optee_path>/tee-pageable_v2.bin \
        fip-optee.bin

The OP-TEE OS build process generates the static binary location.
In case of mapping modification, the firmware configuration file must be adapted accordingly.

6.2.4 Updating FW_CONFIG

In case of change in the firmware configuration file, you must also update the FIP binary:

fiptool update --fw-config fw-config.dtb fip.bin

Warning:
When updating a binary in the FIP when the Trusted Firmware-A BL2 is built with TRUSTED_BOARD_BOOT enabled, the content certificate must be updated too. See the Trusted Board Boot page for more details.

7 Updating the software on board

7.1 Partitioning of binaries

The FIP build provides a binary named fip.bin (or fip-<board-name>-<bootchain>.bin from official release) that MUST be copied to a dedicated partition named "fip" (or fip-a or fip-b when Secure Firmware Update is enabled).

7.2 Updating via SDCard

If you use an SDCard, simply update the FIP binary by using the dd command on your host.
Plug your SDCard into the computer and copy the binary to the dedicated partition; on an SDCard/USB disk this is the "fip" partition, or fip-a/fip-b when Secure Firmware Update is enabled:

 - SDCard: /dev/mmcblkXpY (where X is the instance number, Y is the partition number of the FIP)
 - SDCard via USB reader: /dev/sdXY (where X is the instance number, Y is the partition number of the FIP)

  • Under Linux®
  
 dd if=<fip binary file> of=/dev/<device partition> bs=1M conv=fdatasync
Information:
To find the partition associated to a specific label, just plug the SDCard/USB disk into your PC and call the following command:

 ls -l /dev/disk/by-partlabel/
 total 0
 lrwxrwxrwx 1 root root 10 May  3 15:14 bootfs -> ../../sda8
 lrwxrwxrwx 1 root root 10 May  3 15:14 fip-a -> ../../sda5           FIP (Image A)
 lrwxrwxrwx 1 root root 10 May  3 15:14 fip-b -> ../../sda6           FIP (Image B)
 lrwxrwxrwx 1 root root 10 May  3 15:14 fsbl1 -> ../../sda1           FSBL1 (Trusted Firmware-A BL2)
 lrwxrwxrwx 1 root root 10 May  3 15:14 fsbl2 -> ../../sda2           FSBL2 (Trusted Firmware-A BL2 backup / same content as FSBL)
 lrwxrwxrwx 1 root root 10 May  3 15:14 metadata1 -> ../../sda3
 lrwxrwxrwx 1 root root 10 May  3 15:14 metadata2 -> ../../sda4
 lrwxrwxrwx 1 root root 11 May  3 15:14 rootfs -> ../../sda10
 lrwxrwxrwx 1 root root 10 May  3 15:14 u-boot-env -> ../../sda7
 lrwxrwxrwx 1 root root 11 May  3 15:14 userfs -> ../../sda11
 lrwxrwxrwx 1 root root 10 May  3 15:14 vendorfs -> ../../sda9


  • Under Windows®

CoreUtils [4] that includes the dd command is available for Windows.

7.3 Updating via USB mass storage on U-Boot

See How to use USB mass storage in U-Boot.

Refer to the previous section to put FIP binary into SDCard/USB disk.

7.4 Updating your boot device via STM32CubeProgrammer

Refer to the STM32CubeProgrammer documentation for details on how to update your target.

8 References


{{ApplicableFor
|MPUs list=STM32MP13x, STM32MP15x
|MPUs checklist=STM32MP13x, STM32MP15x
}}<noinclude></noinclude>

== Article purpose ==
This section details the Trusted Firmware-A FIP (Firmware Image Package) binary management for usage in the STM32 MPU boot chain. It explains how to use it in STM32 MPU context and describes the build/update process that is required to deploy it on your target.

== Overview ==
As explained in the [[TF-A_overview#FIP|TF-A Overview]], the FIP is used by the [[How to configure TF-A BL2|Trusted Firmware-A BL2]] firmware to load and authenticate the next stage binaries.

The FIP follows the Trusted Firmware-A specification<ref>{{DocSource | domain=TF-A | path=design/firmware-design.html#firmware-image-package-fip  | text=Firmware Image Package design}}</ref>.

It must contain:
* All the boot stage firmware (binaries) loaded by [[TF-A_BL2_overview|Trusted Firmware-A BL2]].
* Configuration files (device tree).

{{Warning| If [[TF-A_BL2_overview|Trusted Firmware-A BL2]] is built with [[TF-A_BL2_Trusted_Board_Boot|TRUSTED_BOARD_BOOT]] enabled, the FIP must also contain:
* Certificates (X509.3 based) for authentication.
}}

== Firmware Image Package structure ==
The FIP binary has a specific layout that is parsed by the BL2 during the load processing.

[[File:FIP_layout.png|500px|center|link=]]

The FIP binary starts with a table of contents (ToC) that is recognized by the BL2.
Each entry is identified by its UUID, offset in the package, size and flags.
The end-of-ToC marker is used to define the start of the binary section.
All the corresponding binaries are appended according to the offset defined in the ToC entry.

This structure is automatically built using the <code>fiptool</code> command. It appends all the binaries and creates the associated ToC.

== Fiptool command ==
<code>fiptool</code> is a host tool that must be used to generate the proper FIP binary.

Trusted Firmware-A provides a dedicated tool named <code>fiptool</code> to create a FIP.<ref>{{DocSource | domain=TF-A | path=design/firmware-design.html#firmware-image-package-creation-tool | text=Firmware Image Package tool}}</ref>

{{Info|By default, the OpenSTLinux SDK provides the <code>fiptool</code> command. You do not need to regenerate it to update (or create) a FIP binary.}}

<code>fiptool</code> provides a set of useful commands to manage the FIP binary.
All options can be listed using the following command:
   {{PC$}} fiptool help

* info: The <code>fiptool</code> info provides information on a generated FIP binary
   {{PC$}} fiptool info fip.bin

If you want to regenerate it, you must follow the official documentation.<ref>{{DocSource | domain=TF-A | path=getting_started/tools-build.html#building-and-using-the-fip-tool | text= Building and using the fiptool}}</ref><br>

The official documentation introduces the different available options.

Here is the list of the most useful options:
{| class="st-table"
|-
! Options !! Description !! Example
|-
| help || Show all available options supported || {{PC$}} fiptool help
|-
| info || List the content of a FIP:
*offset in the FIP
*size in the FIP
*cmdline option to modify the binary
|| {{PC$}} fiptool info fip.bin
 Secure Payload BL32 (Trusted OS): offset=0x128, size=0x2C, cmdline="--tos-fw"
 Secure Payload BL32 Extra1 (Trusted OS Extra1): offset=0x154,<br> size=0x18750, cmdline="--tos-fw-extra1"
 Secure Payload BL32 Extra2 (Trusted OS Extra2): offset=0x188A4,<br> size=0x56000, cmdline="--tos-fw-extra2"
 Non-Trusted Firmware BL33: offset=0x6E8A4, size=0xECE98, cmdline="--nt-fw"
 FW_CONFIG: offset=0x15B73C, size=0x1FA, cmdline="--fw-config"
 HW_CONFIG: offset=0x15B936, size=0x1BC08, cmdline="--hw-config"
|-
| update || Update allows one or more images to be replaced in an existing FIP binary || {{PC$}} fiptool update --tos-fw bl32.bin fip.bin

The optional argument below can be used to avoid erasing the initial FIP binary:
   {{PC$}} fiptool update --tos-fw bl32.bin --out new_fip.bin fip.bin
|-
| unpack || Extracts all binaries from a FIP binary || {{PC$}} fiptool unpack fip.bin
|-
| remove || Removes a binary from FIP binary || {{PC$}} fiptool remove --tos-fw bl32.bin fip.bin
|}

=== Tool generation ===
The tool is provided within the TF-A sources {{ CodeSource | TF-A | tools/fiptool}}. It can be built for Linux<sup>&reg;</sup> or Windows<sup>&reg;</sup> platforms.
A dedicated rule is available to generate the tool:
   {{PC$}} make fiptool

It generates the tool under the <code>tools/fiptool/fiptool</code> source path.

=== TF-A build ===
When the TF-A component build process is complete, the FIP binary can be automatically generated. In this case the <code>fiptool</code> is automatically generated too and the FIP binaries are part of the output folder.

== Cert_create command ==
When the TRUSTED_BOARD_BOOT feature is enabled, the FIP must contain the binaries and their associated certificates as described in the TBBR<ref>https://developer.arm.com/documentation/den0006/latest/</ref> Chain of Trust (CoT).
These certificates can be created using the <code>cert_create</code> command that is provided in the TF-A sources {{ CodeSource | TF-A | tools/cert_create}}.

By default, the OpenSTLinux SDK provides the <code>cert_create</code>. You do not need to regenerate it to regenerate certificates.

The <code>cert_create</code> tool is able to generate the self-signed certificate used to complete the trusted boot chain. It requires a large set of arguments linked to the CoT.
   {{PC$}} cert_create --help
<code>cert_create</code> creates the certificate if it does not exist yet or uses the available one to generate the CoT.
The certificate content must be regenerated if the associated binary has been updated.

=== TF-A build ===
The TF-A generic Makefile can automatically build the certificates using dedicated flags that generate the certificates and append them to the FIP:
* GENERATE_COT=1 : Enable the <code>cert_create</code> tool
* ROT_KEY : Specify the root '''private''' key to be used

== FIP binary creation ==
Below is the list of the different ways in which the FIP binary can be generated:
* Using the dedicated <code>fiptool</code> command
* Using the Trusted Firmware-A official Makefile
The FIP binary content depends on whether the TRUSTED_BOARD_BOOT feature is enabled. When it is, the certificates must be generated beforehand so that they can be included in the FIP binary.

=== STM32MP1 ===
The OpenSTLinux boot flow requires the following stages to be loaded:
* BL32: Secure OS [[How to configure OP-TEE|OP-TEE OS]] (or Secure Monitor [[How to configure TF-A SP-MIN|SP-MIN]] on {{MicroprocessorDevice | device=15}})
* BL33: The non-secure firmware (recommended [[STM32MP15_U-Boot|U-Boot]])
* HW_config: The OpenSTLinux uses the hw_config as the non-secure device tree
* FW_config: [[How to configure TF-A FW CONFIG|Firmware configuration file]] listing the previous images and defining their size and the load address
To create the FIP binary, all the following binaries must be built:
* Secure OS or Secure Monitor
** [[How to configure TF-A SP-MIN#Build_Process|SP-MIN]] in case of trusted boot chain*.
** [[How to configure OP-TEE#Build_OP-TEE_OS|OP-TEE]] in case of OP-TEE Secure OS usage.
* [[STM32MP15_U-Boot#Compilation|U-Boot]].
* [[How to configure TF-A FW CONFIG|Firmware configuration file]] related to the loaded binaries*.

{{Info|* The build can be made in a single step using the TF-A Makefile}}

When the TRUSTED_BOARD_BOOT feature is enabled in BL2, the associated certificate must be generated as per the TBBR CoT requirements.

The <code>fiptool</code> is used to create or update a FIP file.

The Trusted Firmware-A Makefile, with the '''fip''' target and some variables, uses <code>fiptool</code> to automatically create the new FIP after the Trusted Firmware-A compilation.

With U-Boot as a non-secure firmware, the paths for the files used in next chapters are the following:

{| class="st-table"
|-
! Description !! Makefile<br/>variable !! fiptool option !! File path for OP-TEE !! File path for SP_MIN<br> Limited to {{MicroprocessorDevice | device=15}}
|-
| Secure OS (OP-TEE) <br/>or  Secure Monitor (SPMIN) || BL32 || --tos-fw || [[How to configure OP-TEE #Build_OP-TEE_OS|<optee_path>/tee-header_v2.bin]] || [[How to configure TF-A SP-MIN#Build_Process|<tfa_path>/bl32.bin]]
|-
| OP-TEE pager || BL32_EXTRA1 || --tos-fw-extra1 || [[How to configure OP-TEE #Build_OP-TEE_OS|<optee_path>/tee-pager_v2.bin]] || -
|-
| OPTEE pageable ||  BL32_EXTRA2 || --tos-fw-extra2 || [[How to configure OP-TEE#Build_OP-TEE_OS|<optee_path>/tee-pageable_v2.bin]]|| -
|-
| Firmware configuration file || FW_CONFIG|| --fw-config || colspan="2" | [[How to configure TF-A FW CONFIG|<tfa_path>/fw-config.dtb]]
|-
| U-Boot device tree || BL33_CFG || --hw-config || colspan="2" | [[STM32MP15_U-Boot#Compilation|<u-boot_path>/u-boot.dtb]]
|-
| U-Boot || BL33 || --nt-fw || colspan="2" | [[STM32MP15_U-Boot#Compilation|<u-boot_path>/u-boot-nodtb.bin]]
|-
|}
In the next chapter, all the files are assumed present in the current directory.

==== Trusted boot chain ====
===== Non-secure boot =====
The following command generates the FIP package that is required by the BL2 to boot.
You can create the FIP binary by using the fiptool command:
   {{PC$}} fiptool create --fw-config fw-config.dtb \
           --hw-config u-boot.dtb \
           --tos-fw-config bl32.dtb \
           --tos-fw bl32.bin \
           --nt-fw u-boot-nodtb.bin \
           fip.bin

You can also use the TF-A Makefile:
   {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
           BL33=<u-boot_path>/u-boot-nodtb.bin \
           BL33_CFG=<u-boot_path>/u-boot.dtb \
           BL32=<tfa_path>/bl32.bin \
           FW_CONFIG=<tfa_path>/fw-config.dtb \
           fip

Adding the AARCH32_SP=sp_min automatically manages the BL32 and FW_CONFIG path:
   {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
           '''AARCH32_SP=sp_min''' \
           BL33=<u-boot_path>/u-boot-nodtb.bin \
           BL33_CFG=<u-boot_path>/u-boot.dtb \
           fip

===== Secure boot =====
You can create the certificates and FIP binary by using the <code>cert_create</code> and <code>fiptool</code> commands:
   {{PC$}} cert_create \
           -n --tfw-nvctr 0 --ntfw-nvctr 0 \
           --key-alg ecdsa --hash-alg sha256 \
           --rot-key privateKey.pem \
           --tb-fw bl2.bin \
           --tb-fw-cert tb_fw.crt \
           --tos-fw-config bl32.dtb \
           --fw-config fw-config.dtb \
           --hw-config u-boot.dtb \
           --trusted-key-cert trusted_key.crt \
           --tos-fw-key-cert tos_fw_key.crt \
           --tos-fw-cert tos_fw_content.crt \
           --tos-fw bl32.bin \
           --nt-fw-key-cert nt_fw_key.crt \
           --nt-fw-cert nt_fw_content.crt \
           --nt-fw u-boot-nodtb.bin

You can now generate the FIP trusted package:
   {{PC$}} fiptool create \
           --tb-fw-cert tb_fw.crt \
           --fw-config fw-config.dtb \
           --hw-config u-boot.dtb \
           --trusted-key-cert trusted_key.crt \
           --tos-fw-key-cert tos_fw_key.crt \
           --tos-fw-config bl32.dtb \
           --tos-fw-cert tos_fw_content.crt \
           --tos-fw bl32.bin \
           --nt-fw-cert nt_fw_content.crt \
           --nt-fw-key-cert nt_fw_key.crt \
           --nt-fw u-boot-nodtb.bin \
           fip-trusted.bin

You can also use the TF-A Makefile:
   {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
           BL33=<u-boot_path>/u-boot-nodtb.bin \
           BL33_CFG=<u-boot_path>/u-boot.dtb \
           BL32=<tfa_path>/bl32.bin \
           FW_CONFIG=<tfa_path>/fw-config.dtb \
           '''TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem''' \
           fip

Adding the AARCH32_SP=sp_min automatically manages the BL32 and FW_CONFIG path:
   {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
           '''AARCH32_SP=sp_min''' \
           BL33=<u-boot_path>/u-boot-nodtb.bin \
           BL33_CFG=<u-boot_path>/u-boot.dtb \
           '''TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem''' \
           fip

==== OP-TEE boot chain ====
===== Non-secure boot =====
You can create the FIP binary by using the <code>fiptool</code> command:
   {{PC$}} fiptool create --fw-config fw-config.dtb \
                --hw-config u-boot.dtb \
                --nt-fw u-boot-nodtb.bin \
                --tos-fw tee-header_v2.bin \
                --tos-fw-extra1 tee-pager_v2.bin \
                --tos-fw-extra2 tee-pageable_v2.bin \
                fip-optee.bin

You can also use the TF-A Makefile:
   {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
            BL33=<u-boot_path>/u-boot-nodtb.bin BL33_CFG=<u-boot_path>/u-boot.dtb \
            BL32=<optee_path>/tee-header_v2.bin BL32_EXTRA1=<optee_path>/tee-pager_v2.bin \
            BL32_EXTRA2=<optee_path>/tee-pageable_v2.bin FW_CONFIG=<tfa_path>/fw-config.dtb fip

Adding the AARCH32_SP=optee automatically manages the FW_CONFIG path:
   {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 '''AARCH32_SP=optee''' \
        BL32=<optee_path>/tee-header_v2.bin BL32_EXTRA1=<optee_path>/tee-pager_v2.bin \
        BL32_EXTRA2=<optee_path>/tee-pageable_v2.bin fip

===== Secure boot =====
You can create the certificates and FIP binary by using the <code>cert_create</code> and <code>fiptool</code> commands:
   {{PC$}} cert_create \
           -n --tfw-nvctr 0 --ntfw-nvctr 0 \
           --key-alg ecdsa --hash-alg sha256 \
           --rot-key privateKey.pem \
           --tb-fw bl2.bin \
           --tb-fw-cert tb_fw.crt \
           --tos-fw tee-header_v2.bin \
           --tos-fw-extra1 tee-pager_v2.bin \
           --tos-fw-extra2 tee-pageable_v2.bin \
           --fw-config fw-config.dtb \
           --hw-config u-boot.dtb \
           --trusted-key-cert trusted_key.crt \
           --tos-fw-key-cert tos_fw_key.crt \
           --tos-fw-cert tos_fw_content.crt \
           --nt-fw-key-cert nt_fw_key.crt \
           --nt-fw-cert nt_fw_content.crt \
           --nt-fw u-boot-nodtb.bin

You can now generate the FIP trusted package:
   {{PC$}} fiptool create \
           --tb-fw-cert tb_fw.crt \
           --fw-config fw-config.dtb \
           --hw-config u-boot.dtb \
           --trusted-key-cert trusted_key.crt \
           --tos-fw-key-cert tos_fw_key.crt \
           --tos-fw-cert tos_fw_content.crt \
           --tos-fw tee-header_v2.bin \
           --tos-fw-extra1 tee-pager_v2.bin \
           --tos-fw-extra2 tee-pageable_v2.bin \
           --nt-fw-cert nt_fw_content.crt \
           --nt-fw-key-cert nt_fw_key.crt \
           --nt-fw u-boot-nodtb.bin \
           fip-optee-trusted.bin

You can also use the TF-A Makefile:
   {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
            BL33=<u-boot_path>/u-boot-nodtb.bin BL33_CFG=<u-boot_path>/u-boot.dtb \
            BL32=<optee_path>/tee-header_v2.bin BL32_EXTRA1=<optee_path>/tee-pager_v2.bin \
            BL32_EXTRA2=<optee_path>/tee-pageable_v2.bin FW_CONFIG=<tfa_path>/fw-config.dtb \
            '''TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem''' fip

Adding the AARCH32_SP=optee automatically manages the FW_CONFIG path:
   {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 '''AARCH32_SP=optee''' \
        BL32=<optee_path>/tee-header_v2.bin BL32_EXTRA1=<optee_path>/tee-pager_v2.bin \
        BL32_EXTRA2=<optee_path>/tee-pageable_v2.bin \
        '''TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem''' fip

{{Warning| If [[TF-A_BL2_overview|Trusted Firmware-A BL2]] is built with [[TODO link to secure boot|TRUSTED_BOARD_BOOT]] enabled, some specific options and files are required. See the [[TODO|Trusted boot page]] for more details.}}

=== Updating the FIP binary ===
When modifying a component included in the FIP binary, it is possible to update only part of the binary. To do this, use the <code>fiptool</code> update command:

{{Warning | When updating a binary in the FIP while TRUSTED_BOARD_BOOT is enabled, the content certificate must be updated too. In this case, <code>cert_create</code> must be called with the previously generated certificate to avoid regenerating the whole CoT.}}

==== Updating TF-A SP-MIN ====
When a modification is made in the SP-MIN binary (or its device tree), the SP-MIN must be updated in the FIP binary:
* Full SP-MIN update
   {{PC$}} fiptool update --tos-fw <tfa_path>/bl32.bin --tos-fw-config <tfa_path>/bl32.dtb fip.bin

* SP-MIN core binary
   {{PC$}} fiptool update --tos-fw <tfa_path>/bl32.bin fip.bin

* SP-MIN device tree update
   {{PC$}} fiptool update --tos-fw-config <tfa_path>/bl32.dtb fip.bin

==== Updating U-Boot ====
For example, when a new U-Boot is generated, the FIP must be updated using the following commands:
* Full U-Boot update (U-Boot binary and U-Boot device tree)
   {{PC$}} fiptool update --nt-fw <u-boot_path>/u-boot-nodtb.bin --hw-config <u-boot_path>/u-boot.dtb fip.bin

* U-Boot core binary
   {{PC$}} fiptool update --nt-fw <u-boot_path>/u-boot-nodtb.bin fip.bin

* U-Boot device tree update
   {{PC$}} fiptool update --hw-config <u-boot_path>/u-boot.dtb fip.bin

==== Updating OP-TEE ====
The OP-TEE OS rebuild is required to update the FIP package.
{{Warning | It is recommended to update all OP-TEE OS images rather than just update the required one.}}

   {{PC$}} fiptool update --tos-fw <optee_path>/tee-header_v2.bin \
           --tos-fw-extra1 <optee_path>/tee-pager_v2.bin \
           --tos-fw-extra2 <optee_path>/tee-pageable_v2.bin \
           fip-optee.bin

The OP-TEE OS build process generates the static binary location.<br>

In case of mapping modification, the firmware configuration file must be adapted accordingly.

==== Updating FW_CONFIG ====
In case of change in the firmware configuration file, you must also update the FIP binary:
   {{PC$}} fiptool update --fw-config fw-config.dtb fip.bin
{{Warning | When updating a binary in the FIP when the [[TF-A_BL2_overview|Trusted Firmware-A BL2]] is built with [[TF-A_BL2_Trusted_Board_Boot|TRUSTED_BOARD_BOOT]] enabled, the content certificate must be updated too. See the [[TF-A_BL2_Trusted_Board_Boot|Trusted Board Boot]] for more details.}}
== Updating the software on board ==
=== Partitioning of binaries ===
The FIP build provides a binary named fip.bin (or fip-<board-name>-<bootchain>.bin from official release) that MUST be copied to a dedicated partition named '''fip''', '''fip-a''' or '''fip-b''' when [[Secure Firmware Update]] is enabled.

=== Updating via SDCard ===
If you use an SDCard, simply update the FIP binary by using the dd command on your host.<br>

Plug your SDCard into the computer and copy the binary to the dedicated partition. On an SDCard/USB disk, this is the '''fip''' partition, or '''fip-a'''/'''fip-b''' when [[Secure Firmware Update]] is enabled:
  - SDCard: /dev/mmcblkXpY (where X is the instance number, Y is the partition number of the FIP)
  - SDCard via USB reader: /dev/sdXY (where X is the instance number, Y is the partition number of the FIP)

* Under Linux<sup>&reg;</sup>

   {{PC$}} dd if=<fip binary file> of=/dev/<device partition> bs=1M conv=fdatasync

{{Info| To find the partition associated to a specific label, just plug the SDCard/USB disk into your PC and call the following command:

   {{PC$}} ls -l /dev/disk/by-partlabel/
  total 0
  lrwxrwxrwx 1 root root 10 May  3 15:14 bootfs -> ../../sda8
  lrwxrwxrwx 1 root root 10 May  3 15:14 fip-a -> ../../sda5           FIP (Image A)
  lrwxrwxrwx 1 root root 10 May  3 15:14 fip-b -> ../../sda6           FIP (Image B)
  lrwxrwxrwx 1 root root 10 May  3 15:14 fsbl1 -> ../../sda1           FSBL1 (Trusted Firmware-A BL2)
  lrwxrwxrwx 1 root root 10 May  3 15:14 fsbl2 -> ../../sda2           FSBL2 (Trusted Firmware-A BL2 backup)
  lrwxrwxrwx 1 root root 10 May  3 15:14 metadata1 -> ../../sda3
  lrwxrwxrwx 1 root root 10 May  3 15:14 metadata2 -> ../../sda4
  lrwxrwxrwx 1 root root 11 May  3 15:14 rootfs -> ../../sda10
  lrwxrwxrwx 1 root root 10 May  3 15:14 u-boot-env -> ../../sda7
  lrwxrwxrwx 1 root root 11 May  3 15:14 userfs -> ../../sda11
  lrwxrwxrwx 1 root root 10 May  3 15:14 vendorfs -> ../../sda9

}}<br>
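The write step described above, as an added shell example that is not part of the original wiki page: it resolves the target by partition label, accepts only the '''fip''', '''fip-a''' and '''fip-b''' labels, checks that the image fits, and compares the bytes read back after <code>dd</code> with the image. The function names and the <code>FIP_LABEL_DIR</code> override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: label-checked, size-checked and read-back-verified FIP write.
# Function names and FIP_LABEL_DIR are assumptions made for this example.

# Directory of partition-label symlinks; overridable so the logic can be
# exercised on regular files instead of real block devices.
FIP_LABEL_DIR="${FIP_LABEL_DIR:-/dev/disk/by-partlabel}"

# Accept only the FIP partition labels named on this page.
fip_label_ok() {
    case "$1" in
        fip|fip-a|fip-b) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the device node behind a FIP label, or fail without printing one.
fip_resolve() {
    if ! fip_label_ok "$1"; then
        echo "refusing to write to non-FIP label '$1'" >&2
        return 2
    fi
    if [ ! -e "$FIP_LABEL_DIR/$1" ]; then
        echo "no partition labelled '$1' under $FIP_LABEL_DIR" >&2
        return 3
    fi
    readlink -f "$FIP_LABEL_DIR/$1"
}

# Size in bytes of a block device, or of a regular file standing in for one.
fip_target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        echo $(( $(wc -c < "$1") ))
    fi
}

# fip_write <fip image> <label>
fip_write() {
    fw_image="$1"
    if [ ! -s "$fw_image" ]; then
        echo "FIP image '$fw_image' is missing or empty" >&2
        return 4
    fi
    fw_target=$(fip_resolve "$2") || return $?
    fw_img_size=$(( $(wc -c < "$fw_image") ))
    fw_part_size=$(fip_target_size "$fw_target") || return 5
    if [ "$fw_img_size" -gt "$fw_part_size" ]; then
        echo "image ($fw_img_size bytes) larger than $fw_target ($fw_part_size bytes)" >&2
        return 5
    fi
    # Same dd options as the page; notrunc is added so that a regular-file
    # target keeps its size (it has no effect on a block device).
    dd if="$fw_image" of="$fw_target" bs=1M conv=fdatasync,notrunc 2>/dev/null || return 6
    # Read back exactly the image length and compare byte for byte.
    if ! head -c "$fw_img_size" "$fw_target" | cmp -s - "$fw_image"; then
        echo "read-back mismatch on $fw_target" >&2
        return 7
    fi
    echo "wrote $fw_img_size bytes to $fw_target ($2)"
}

# Usage: fip_write fip.bin fip-a
```
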

* Under Windows<sup>&reg;</sup>

CoreUtils <ref>http://gnuwin32.sourceforge.net/packages/coreutils.htm</ref> that includes the dd command is available for Windows.

=== Updating via USB mass storage on U-boot ===
See [[How to use USB mass storage in U-Boot]].

Refer to the previous section to put the FIP binary onto the SDCard/USB disk.

=== Updating your boot device via STM32CubeProgrammer ===
Refer to the [[STM32CubeProgrammer]] documentation for details on how to update your target.

== References ==
<references />

<noinclude>

[[Category:Trusted Firmware-A (BL2)|04]]
{{PublicationRequestId | 19289 | 2120-03-10 | }}</noinclude>
(18 intermediate revisions by 5 users not shown)
Line 1: Line 1:
  +
{{ApplicableFor
  +
|MPUs list=STM32MP13x, STM32MP15x
  +
|MPUs checklist=STM32MP13x, STM32MP15x
  +
}}
  +
<noinclude></noinclude>
 
== Article purpose ==
 
== Article purpose ==
This section details the TF-A FIP (Trusted Firmware-A Firmware Image Package) binary management for the STM32 MPU boot chain. It explains how to use it in STM32 MPU context and describes the build/update process that is required to deploy it on your target.
+
This section details the Trusted Firmware-A FIP (Firmware Image Package) usage in the STM32 MPU boot chain. It explains how to use it in STM32 MPU context and describes the build/update process that is required to deploy it on your target.
   
 
== Overview ==
 
== Overview ==
As explained in the [[TF-A_overview#FIP|TF-A Overview]], this binary is used by the [[How to configure TF-A BL2|TF-A BL2]] to load and authenticate the next stage binaries.
+
The FIP is used by the [[How to configure TF-A BL2|Trusted Firmware-A BL2]] firmware to load and authenticate the next stage binaries.
It can contains:
 
* Boot stage binaries
 
* Configuration file (Device tree)
 
* Certificate (X509.3 based) for authentication
 
   
== Package structure ==
+
The FIP follows the Trusted Firmware-A specification<ref>{{DocSource | domain=TF-A | path=design/firmware-design.html#firmware-image-package-fip  | text=Firmware Image Package design}}</ref>.
The FIP binary has a specific layout that is parsed by the BL2 during the load processing.
 
   
[[File:FIP_layout.png|500px|center|link=]]
+
It must contains:
  +
* All the boot stage firmware loaded by [[TF-A_BL2_overview|Trusted Firmware-A BL2]].
  +
* Configuration files.
   
The FIP binary starts with a table of contents (ToC) that is recognized by the BL2.
+
{{Warning| If [[TF-A_BL2_overview|Trusted Firmware-A BL2]] is built with [[TF-A_BL2_Trusted_Board_Boot|TRUSTED_BOARD_BOOT]] enabled, the FIP must also contains:
Each entry is identified by its UUID, offset in the package, size and flags.
+
* Certificates (X509.3 based) for authentication.
The end-of-ToC marker is used to define the start of the binary section.
+
}}
All the corresponding binaries are appended according to the offset defined in the ToC entry.
 
   
This structure is automatically built using the <code>fiptool</code> command. It appends all the binaries and creates the associated ToC.
+
== Firmware Image Package creation tool ==
   
== Fiptool command ==
+
Trusted Firmware-A provides a dedicated tool name <code>fiptool</code> to create a FIP.<ref>{{DocSource | domain=TF-A | path=design/firmware-design.html#firmware-image-package-creation-tool | text=Firmware Image Package tool}}</ref>
<code>fiptool</code> is a host tool that must be used to generate the proper FIP binary.
 
   
By default, the OpenSTLinux SDK provides the <code>fiptool</code>. You do not need to regenerate it to update (or create) a FIP binary.
+
{{Info|By default, the OpenSTLinux SDK provides the <code>fiptool</code> command. You do not need to regenerate it to update (or create) a FIP binary.}}
   
<code>fiptool</code> provides a set of useful commands to manage the FIP binary.
+
If you want to regenerate it, you must follow the official documentation..<ref>{{DocSource | domain=TF-A | path=getting_started/tools-build.html#building-and-using-the-fip-tool | text= Building and using the fiptool}}</ref><br>
All options can be listed using the following command:
+
The official documentation introduces the different available options.
  {{PC$}} fiptool help
 
   
* info: The <code>fiptool</code> info provides information on a generated FIP binary
+
Here is the list of the most useful options:
  {{PC$}} fiptool info fip.bin  
+
{| class="st-table"
    Secure Payload BL32 (Trusted OS): offset=0x100, size=0x1347C, cmdline="--tos-fw"
+
|-
    Non-Trusted Firmware BL33: offset=0x1357C, size=0xEDDE2, cmdline="--nt-fw"
+
! Options  !! Description !! Example
    FW_CONFIG: offset=0x10135E, size=0x226, cmdline="--fw-config"
+
|-
    HW_CONFIG: offset=0x101584, size=0x1E412, cmdline="--hw-config"
+
| help || Show all available options supported || {{PC$}} fiptool help
    TOS_FW_CONFIG: offset=0x11F996, size=0x45AC, cmdline="--tos-fw-config"
+
|-
 
+
| info || List the content of a FIP:
* update: Update allows one or more images to be replaced in an existing FIP binary
+
*offset in the FIP
  {{PC$}} fiptool update --tos-fw bl32.bin fip.bin
+
*size in the FIP
 
+
*cmdline option to modify the binary
The optional argument below can be used to avoid erasing the initial FIP binary:
+
|| {{PC$}} fiptool info fip.bin  
  {{PC$}} fiptool update --tos-fw bl32.bin --out new_fip.bin fip.bin
+
Secure Payload BL32 (Trusted OS): offset=0x128, size=0x2C, cmdline="--tos-fw"
 
+
Secure Payload BL32 Extra1 (Trusted OS Extra1): offset=0x154,<br> size=0x18750, cmdline="--tos-fw-extra1"
* unpack: Extracts all binaries from a FIP binary
+
Secure Payload BL32 Extra2 (Trusted OS Extra2): offset=0x188A4,<br> size=0x56000, cmdline="--tos-fw-extra2"
  {{PC$}} fiptool unpack fip.bin
+
Non-Trusted Firmware BL33: offset=0x6E8A4, size=0xECE98, cmdline="--nt-fw"
 
+
FW_CONFIG: offset=0x15B73C, size=0x1FA, cmdline="--fw-config"
* remove: Removes a binary from FIP binary
+
HW_CONFIG: offset=0x15B936, size=0x1BC08, cmdline="--hw-config"
  {{PC$}} fiptool remove --tos-fw bl32.bin fip.bin
+
|-
 
+
| update ||  Update allows one or more images to be replaced in an existing FIP binary || {{PC$}} fiptool update --tos-fw bl32.bin fip.bin
=== Tool generation ===
+
|-
The tool is provided within the TF-A sources {{ CodeSource | TF-A | tools/fiptool}}. It can be built for Linux<sup>&reg;</sup> or Windows<sup>&reg;</sup> platforms.
+
| unpack || Extracts all binaries from a FIP binary || {{PC$}} fiptool unpack fip.bin
A dedicated rule is available to generate the tool:
+
|-
  {{PC$}} make fiptool
+
| remove || Removes a binary from FIP binary || {{PC$}} fiptool remove --tos-fw bl32.bin fip.bin
 
+
|}
It generates the tool under the <code>tools/fiptool/fiptool</code> source path.
 
 
 
=== TF-A build ===
 
When  the TF-A component build process is complete, the FIP binary can be automatically generated. In this case the <code>fiptool</code> is automatically generated too and the FIP binaries are part of the output folder.
 
 
 
== Cert_create command ==
 
When the TRUSTED_BOARD_BOOT feature is enabled, the FIP must contain the binaries and their associated certificate as described in the TBBR<ref>https://developer.arm.com/documentation/den0006/latest/</ref> Chain of Trust (CoT).
 
These certificates can be created using the <code>cert_create</code> command that is provided in the TF-A sources {{ CodeSource | TF-A | tools/cert_create}}.
 
 
 
By default, the OpenSTLinux SDK provides the <code>cert_create</code>. You do not need to regenerate it to regenerate certificates.
 
 
 
The <code>cert_create</code> tool is able to generate the self-signed certificate used to complete the trusted boot chain. It requires a large set of arguments linked to the CoT.
 
  {{PC$}} cert_create --help
 
 
 
<code>cert_create</code> creates the certificate if it does not exist yet or uses the available one to generate the CoT.
 
The certificate content must be regenerated if the associated binary has been updated.
 
 
 
=== TF-A build ===
 
TF-A generic Makefile can help to automatically build the certificate using some dedicated flags that can be enabled to generate the certificate and append them into the FIP:
 
* GENERATE_COT=1 : Enable the <code>cert_create</code> tool
 
* ROT_KEY : Specify the root '''private''' key to be used
 
   
 
== FIP binary creation ==
 
== FIP binary creation ==
 
Below the list of the different ways by which the FIP binary can be generated:
 
Below the list of the different ways by which the FIP binary can be generated:
 
* Using the dedicated <code>fiptool</code> command
 
* Using the dedicated <code>fiptool</code> command
* Using the TF-A official Makefile
+
* Using the Trusted Firmware-A official Makefile
 
 
The FIP binary content may depend on the TRUSTED_BOARD_BOOT feature enable. In this case, a prior certificate generation is mandatory to include them into the FIP binary.
 
   
 
=== STM32MP1 ===
 
=== STM32MP1 ===
 
The OpenSTLinux boot flow requires the following stages to be loaded:
 
The OpenSTLinux boot flow requires the following stages to be loaded:
* BL32: Secure OS and Secure Monitor (it can be eiher [[How to configure TF-A SP-MIN|SP-MIN]] or [[How to configure OP-TEE|OP-TEE OS]])
+
* BL32: Secure OS [[How to configure OP-TEE|OP-TEE OS]] (or Secure Monitor [[How to configure TF-A SP-MIN|SP-MIN]] on {{MicroprocessorDevice | device=15}})
* BL33: The non-secure firmware (recommended [[STM32MP15_U-Boot|U-Boot]])
+
* BL33: The non-secure firmware (recommended [[U-Boot|U-Boot]])
 
* HW_config: The OpenSTLinux uses the hw_config as the non-secure device tree
 
* HW_config: The OpenSTLinux uses the hw_config as the non-secure device tree
 
* FW_config: [[How to configure TF-A FW CONFIG|Firmware configuration file]] listing the previous images and defining their size and the load address
 
* FW_config: [[How to configure TF-A FW CONFIG|Firmware configuration file]] listing the previous images and defining their size and the load address
   
To create the FIP binary, all the following binaries must be built:
+
The Trusted Firmware-A Makefile with '''fip''' target and some variables uses <code>fiptool</code> to automatically create the new FIP after the Trusted Firmware-A compilation.
* Secure OS or Secure Monitor
 
** [[How to configure TF-A SP-MIN#Build_Process|SP-MIN]] in case of trusted boot chain*.
 
** [[How to configure OP-TEE#Build_OP-TEE_OS|OP-TEE]] in case of OP-TEE Secure OS usage.
 
* [[STM32MP15_U-Boot#Compilation|U-Boot]].
 
* [[How to configure TF-A FW CONFIG|Firmware configuration file]] related to the loaded binaries*.
 
 
 
{{Info|* The build can be made in a single step using the TF-A Makefile}}
 
 
 
When the TRUSTED_BOARD_BOOT feature is enabled in BL2, the associated certificate must be generated as per the TBBR CoT requirements.
 
 
 
The <code>fiptool</code> is used to create or update a FIP file.
 
 
 
The TF-A Makefile with '''fip''' target and some variables uses <code>fiptool</code> to automatically create the new FIP after the TF-A compilation.
 
   
 
With U-Boot as a non-secure firmware, the paths for the files used in next chapters are the following:
 
With U-Boot as a non-secure firmware, the paths for the files used in next chapters are the following:
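Review bot: the new options table keeps an "update" row but drops the "--out new_fip.bin" variant that the removed text documented, so readers lose the only hint for updating without overwriting the original FIP; consider adding it to the Example cell of that row. In the added lines, "It must contains" and "the FIP must also contains" should read "contain", "a dedicated tool name fiptool" should read "named", and "official documentation.." has a doubled period. The hunk also removes the whole Cert_create section, including the statement that the certificate content must be regenerated when the associated binary is updated, so the page it now defers to needs to carry that point.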
Line 110: Line 73:
 
{| class="st-table"
 
{| class="st-table"
 
|-
 
|-
! Description  !! Makefile<br/>variable!! fiptool option !! file path for OP-TEE !! file path for SP_MIN
+
! Description  !! Makefile<br/>variable!! fiptool option !! File path for OP-TEE !! File path for SP_MIN <br> Limited to {{MicroprocessorDevice | device=15}}
 
|-
 
|-
 
| Secure OS (OP-TEE) <br/>or  Secure Monitor (SPMIN) || BL32 || --tos-fw || [[How to configure OP-TEE #Build_OP-TEE_OS|<optee_path>/tee-header_v2.bin]] || [[How to configure TF-A SP-MIN#Build_Process|<tfa_path>/bl32.bin]]
 
| Secure OS (OP-TEE) <br/>or  Secure Monitor (SPMIN) || BL32 || --tos-fw || [[How to configure OP-TEE #Build_OP-TEE_OS|<optee_path>/tee-header_v2.bin]] || [[How to configure TF-A SP-MIN#Build_Process|<tfa_path>/bl32.bin]]
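Review bot: the changed header cell reads "File path for SP_MIN" while the row under it says "Secure Monitor (SPMIN)" and the linked article is titled "TF-A SP-MIN"; since this line is being edited anyway, use one spelling (SP-MIN, matching the link target) in both the header and the row label.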
Line 122: Line 85:
 
| U-Boot device tree || BL33_CFG || --hw-config || colspan="2" | [[STM32MP15_U-Boot#Compilation|<u-boot_path>/u-boot.dtb]]
 
| U-Boot device tree || BL33_CFG || --hw-config || colspan="2" | [[STM32MP15_U-Boot#Compilation|<u-boot_path>/u-boot.dtb]]
 
|-
 
|-
| U-Boot  || BL33||  --nt-fw || colspan="2" | [[STM32MP15_U-Boot#Compilation|<u-boot_path>/u-boot-nodtb.bin]]
+
| U-Boot  || BL33||  --nt-fw || colspan="2" | [[STM32MP15_U-Boot#Compilation|<u-boot_path>/u-boot-nodtb.bin]]
 
|-
 
|-
 
|}
 
|}
   
In the next chapter, all the files are assumed present in the current directory.
+
{{Warning| If [[TF-A_BL2_overview|Trusted Firmware-A BL2]] is built with [[TODO link to secure boot|TRUSTED_BOARD_BOOT]] enabled, some specific options and files are required. See the [[TODO|Trusted boot page]] for more details.}}
 
 
==== Trusted boot chain ====
 
===== Non-secure boot =====
 
The following command generates the FIP package that is required by the BL2 to boot.
 
You can create the FIP binary by using the fiptool command:
 
  {{PC$}} fiptool create --fw-config fw-config.dtb \
 
          --hw-config u-boot.dtb \
 
          --tos-fw-config bl32.dtb \
 
          --tos-fw bl32.bin \
 
          --nt-fw u-boot-nodtb.bin \
 
          fip.bin
 
 
 
You can also use the TF-A Makefile:
 
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
 
          BL33=<u-boot_path>/u-boot-nodtb.bin \
 
          BL33_CFG=<u-boot_path>/u-boot.dtb \
 
          BL32=<tfa_path>/bl32.bin \
 
          FW_CONFIG=<tfa_path>/fw-config.dtb \
 
          fip
 
 
 
Adding the AARCH32_SP=sp_min automatically manages the BL32 and FW_CONFIG path:
 
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
 
          '''AARCH32_SP=sp_min''' \
 
          BL33=<u-boot_path>/u-boot-nodtb.bin \
 
          BL33_CFG=<u-boot_path>/u-boot.dtb \
 
          fip
 
 
 
===== Secure boot =====
 
You can create the certificate and FIP binary by using the cert_create and <code>fiptool</code> command:
 
  {{PC$}} cert_create \
 
          -n --tfw-nvctr 0 --ntfw-nvctr 0 \
 
          --key-alg ecdsa --hash-alg sha256 \
 
          --rot-key privateKey.pem \
 
          --tb-fw bl2.bin \
 
          --tb-fw-cert tb_fw.crt \
 
          --tos-fw-config bl32.dtb \
 
          --fw-config fw-config.dtb \
 
          --hw-config u-boot.dtb \
 
          --trusted-key-cert trusted_key.crt \
 
          --tos-fw-key-cert tos_fw_key.crt \
 
          --tos-fw-cert tos_fw_content.crt \
 
          --tos-fw bl32.bin \
 
          --nt-fw-key-cert nt_fw_key.crt \
 
          --nt-fw-cert nt_fw_content.crt \
 
          --nt-fw u-boot-nodtb.bin
 
 
 
You can now generate the FIP trusted package:
 
  {{PC$}} fiptool create \
 
          --tb-fw-cert tb_fw.crt \
 
          --fw-config fw-config.dtb \
 
          --hw-config u-boot.dtb \
 
          --trusted-key-cert trusted_key.crt \
 
          --tos-fw-key-cert tos_fw_key.crt \
 
          --tos-fw-config bl32.dtb \
 
          --tos-fw-cert tos_fw_content.crt \
 
          --tos-fw bl32.bin \
 
          --nt-fw-cert nt_fw_content.crt \
 
          --nt-fw-key-cert nt_fw_key.crt \
 
          --nt-fw u-boot-nodtb.bin \
 
          fip-trusted.bin
 
 
 
You can also use the TF-A Makefile:
 
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
 
          BL33=<u-boot_path>/u-boot-nodtb.bin \
 
          BL33_CFG=<u-boot_path>/u-boot.dtb \
 
          BL32=<tfa_path>/bl32.bin \
 
          FW_CONFIG=<tfa_path>/fw-config.dtb \
 
          '''TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem''' \
 
          fip
 
 
 
Adding the AARCH32_SP=sp_min automatically manages the BL32 and FW_CONFIG path:
 
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
 
          '''AARCH32_SP=sp_min''' \
 
          BL33=<u-boot_path>/u-boot-nodtb.bin \
 
          BL33_CFG=<u-boot_path>/u-boot.dtb
 
          '''TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem''' \
 
          fip
 
 
 
==== OP-TEE boot chain ====
 
===== Non-secure boot =====
 
You can create the FIP binary by using the <code>fiptool</code> command:
 
  {{PC$}} fiptool create --fw-config fw-config.dtb \
 
                --hw-config u-boot.dtb \
 
                --nt-fw u-boot-nodtb.bin \
 
                --tos-fw tee-header_v2.bin \
 
                --tos-fw-extra1 tee-pager_v2.bin \
 
                --tos-fw-extra2 tee-pageable_v2.bin \
 
                fip-optee.bin
 
 
 
You can also use the TF-A Makefile:
 
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
 
            BL33=<u-boot_path>/u-boot-nodtb.bin BL33_CFG=<u-boot_path>/u-boot.dtb \
 
            BL32=<optee_path>/tee_header_v2.bin BL32_EXTRA1=<optee_path>/tee_pager_v2.bin \
 
            BL32_EXTRA2=<optee_path>/tee_pageable_v2.bin FW_CONFIG=<tfa_path>/fw-config.dtb fip
 
 
 
Adding the AARCH32_SP=optee automatically manages the FW_CONFIG path:
 
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 '''AARCH32_SP=optee''' \
 
        BL32=<optee_path>/tee_header_v2.bin BL32_EXTRA1=<optee_path>/tee_pager_v2.bin \
 
        BL32_EXTRA2=<optee_path>/tee_pageable_v2.bin fip
 
 
 
 
 
===== Secure boot =====
 
You can create the certificate and FIP binary by using the <code>cert_create</code> and <code>fiptool</code> command:
 
  {{PC$}} cert_create \
 
          -n --tfw-nvctr 0 --ntfw-nvctr 0 \
 
          --key-alg ecdsa --hash-alg sha256 \
 
          --rot-key privateKey.pem \
 
          --tb-fw bl2.bin \
 
          --tb-fw-cert tb_fw.crt \
 
          --tos-fw tee-header_v2.bin \
 
          --tos-fw-extra1 tee-pager_v2.bin \
 
          --tos-fw-extra2 tee-pageable_v2.bin \
 
          --fw-config fw-config.dtb \
 
          --hw-config u-boot.dtb \
 
          --trusted-key-cert trusted_key.crt \
 
          --tos-fw-key-cert tos_fw_key.crt \
 
          --tos-fw-cert tos_fw_content.crt \
 
          --nt-fw-key-cert nt_fw_key.crt \
 
          --nt-fw-cert nt_fw_content.crt \
 
          --nt-fw u-boot-nodtb.bin
 
 
 
You can now generate the FIP trusted package:
 
  {{PC$}} fiptool create \
 
          --tb-fw-cert tb_fw.crt \
 
          --fw-config fw-config.dtb \
 
          --hw-config u-boot.dtb \
 
          --trusted-key-cert trusted_key.crt \
 
          --tos-fw-key-cert tos_fw_key.crt \
 
          --tos-fw-cert tos_fw_content.crt \
 
          --tos-fw tee-header_v2.bin \
 
          --tos-fw-extra1 tee-pager_v2.bin \
 
          --tos-fw-extra2 tee-pageable_v2.bin \
 
          --nt-fw-cert nt_fw_content.crt \
 
          --nt-fw-key-cert nt_fw_key.crt \
 
          --nt-fw u-boot-nodtb.bin \
 
          fip-optee-trusted.bin
 
 
 
You can also use the TF-A Makefile:
 
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
 
            BL33=<u-boot_path>/u-boot-nodtb.bin BL33_CFG=<u-boot_path>/u-boot.dtb \
 
            BL32=<optee_path>/tee_header_v2.bin BL32_EXTRA1=<optee_path>/tee_pager_v2.bin \
 
            BL32_EXTRA2=<optee_path>/tee_pageable_v2.bin FW_CONFIG=<tfa_path>/fw-config.dtb \
 
            '''TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem''' fip
 
 
Adding the AARCH32_SP=optee automatically manages the FW_CONFIG path:
 
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 '''AARCH32_SP=optee''' \
 
        BL32=<optee_path>/tee_header_v2.bin BL32_EXTRA1=<optee_path>/tee_pager_v2.bin \
 
        BL32_EXTRA2=<optee_path>/tee_pageable_v2.bin \
 
        '''TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ROT_KEY=<path_to_private_key>.pem''' fip
 
   
 
=== Updating the FIP binary ===
 
=== Updating the FIP binary ===
When modifying a component included in the FIP binary, it is possible to update only part of the binary. To do this, use the <code>fiptool</code> update command:
+
When modifying a component included in the FIP binary, it is possible to update only part of the binary. To do this, use the <code>fiptool</code> update command.
 
 
{{Warning | When updating a binary in the FIP when the TRUSTED_BOARD_BOOT is enabled, the content certificate must be updated too. In this case the <code>cert_create</code> must be called with the previous generated certificate to avoid regenerating the whole CoT.}}
 
 
 
==== Updating TF-A SP-MIN ====
 
When a modification is made in the SP-MIN binary (or its device tree), the SP-MIN must be updated in the FIP binary:
 
* Full SP-MIN update
 
  {{PC$}} fiptool update --tos-fw BL32=<tfa_path>/bl32.bin --tos-fw-config <tfa_path>/bl32.dtb fip.bin
 
 
 
* SP-MIN core binary
 
  {{PC$}} fiptool update --tos-fw BL32=<tfa_path>/bl32.bin fip.bin
 
 
 
* SP-MIN device tree update
 
  {{PC$}} fiptool update --tos-fw-config <tfa_path>/bl32.dtb fip.bin
 
 
 
==== Updating U-Boot ====
 
When a new U-Boot is generated, the FIP must be updated using the following commands:
 
* Full U-Boot update
 
  {{PC$}} fiptool update --nt-fw <u-boot_path>/u-boot-nodtb.bin --hw-config u-boot.dtb fip.bin
 
 
 
* U-Boot core binary
 
  {{PC$}} fiptool update --nt-fw <u-boot_path>/u-boot-nodtb.bin fip.bin
 
 
 
* U-Boot device tree update
 
  {{PC$}} fiptool update --hw-config u-boot.dtb fip.bin
 
 
 
==== Updating OP-TEE ====
 
The OP-TEE OS rebuild is required to update the FIP package.
 
{{Warning | It is recommended to update all OP-TEE OS images rather than just update the required one.}}
 
 
 
  {{PC$}} fiptool update --tos-fw <optee_path>/tee-header_v2.bin \
 
          --tos-fw-extra1 <optee_path>/tee-pager_v2.bin \
 
          --tos-fw-extra2 <optee_path>/tee-pageable_v2.bin \
 
          fip-optee.bin
 
   
The OP-TEE OS build process generates the static binary location.<br>
+
Example when a new U-Boot is generated, the FIP must be updated using the following commands:
In case of mapping modification, the firmware configuration file must be adapted accordingly
+
* Full U-Boot update (U-Boot Binary and U-Boot Device tree)
  +
{{PC$}} fiptool update --nt-fw <u-boot_path>/u-boot-nodtb.bin --hw-config <u-boot_path>/u-boot.dtb fip.bin
   
==== Updating FW_CONFIG ====
+
{{Warning | When updating a binary in the FIP when the [[TF-A_BL2_overview|Trusted Firmware-A BL2]] is built with [[TF-A_BL2_Trusted_Board_Boot|TRUSTED_BOARD_BOOT]] enabled, the content certificate must be updated too. See the [[TF-A_BL2_Trusted_Board_Boot|Trusted Board Boot]] for more details.}}
In case of change in the firmware configuration file, you must also update the FIP binary:
 
  {{PC$}} fiptool update --fw-config fw-config.dtb fip.bin
 
   
 
== Updating the software on board ==
 
== Updating the software on board ==
 
=== Partitioning of binaries ===
 
=== Partitioning of binaries ===
The FIP build provides a binary named fip.bin (or fip-<board-name>-<bootchain>.bin from official release) that MUST be copied to a dedicated partition named "fip".
+
The FIP build provides a binary named fip.bin (or fip-<board-name>-<bootchain>.bin from official release) that MUST be copied to a dedicated partition named '''fip''', '''fip-a''' or '''fip-b''' when [[Secure Firmware Update]] is enabled.
   
 
=== Updating via SDCard ===
 
=== Updating via SDCard ===
 
If you use an SDCard, simply update the FIP binary by using the dd command on your host.<br>
 
If you use an SDCard, simply update the FIP binary by using the dd command on your host.<br>
Plug your SDCard into the computer and copy the binary to the dedicated partition; on an SDCard/USB disk the "fip" partition is partition 3:
+
Plug your SDCard into the computer and copy the binary to the dedicated partition; on an SDCard/USB disk the '''fip''' partition or '''fip-a'''/'''fip-b''' when [[Secure Firmware Update]] is enabled:
   - SDCard: /dev/mmcblkXp3 (where X is the instance number)
+
   - SDCard: /dev/mmcblkXpY (where X is the instance number, Y is the partition number of the FIP)
   - SDCardvia USB reader: /dev/sdX3 (where X is the instance number)
+
   - SDCard via USB reader: /dev/sdXY (where X is the instance number, Y is the partition number of the FIP))
 
* Under Linux<sup>&reg;</sup>
 
* Under Linux<sup>&reg;</sup>
 
   {{PC$}} dd if=<fip binary file> of=/dev/<device partition> bs=1M conv=fdatasync
 
   {{PC$}} dd if=<fip binary file> of=/dev/<device partition> bs=1M conv=fdatasync
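Review bot: the Warning added in place of the removed boot-chain sections ships with placeholder link targets, "[[TODO link to secure boot|TRUSTED_BOARD_BOOT]]" and "[[TODO|Trusted boot page]]", while the second Warning added further down in this same hunk already points at "TF-A_BL2_Trusted_Board_Boot"; use that target in both so the reader who has just lost the cert_create and fiptool secure boot examples is sent to a real page. The added "SDCard via USB reader" bullet also ends with a stray "))".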
Line 336: Line 116:
 
   {{PC$}} ls -l /dev/disk/by-partlabel/
 
   {{PC$}} ls -l /dev/disk/by-partlabel/
 
   total 0
 
   total 0
   lrwxrwxrwx 1 root root 10 Jan 17 17:38 bootfs -> ../../mmcblk0p4
+
   lrwxrwxrwx 1 root root 10 May  3 15:14 bootfs -> ../../sda8
   lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl1 -> ../../mmcblk0p1           FSBL1 (TF-A)
+
   lrwxrwxrwx 1 root root 10 May  3 15:14 fip-a -> ../../sda5          FIP (Image A)
   lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl2 -> ../../mmcblk0p2           FSBL2 (TF-A backup / same content as FSBL)
+
  lrwxrwxrwx 1 root root 10 May  3 15:14 fip-b -> ../../sda6          FIP (Image B)
   lrwxrwxrwx 1 root root 10 Jan 17 17:38 rootfs -> ../../mmcblk0p5
+
  lrwxrwxrwx 1 root root 10 May  3 15:14 fsbl1 -> ../../sda1           FSBL1 (Trusted Firmware-A BL2)
   lrwxrwxrwx 1 root root 10 Jan 17 17:38 {{Highlight|'''fip'''}} -> ../../mmcblk0p3            FIP
+
   lrwxrwxrwx 1 root root 10 May  3 15:14 fsbl2 -> ../../sda2           FSBL2 (Trusted Firmware-A BL2 backup)
   lrwxrwxrwx 1 root root 10 Jan 17 17:38 userfs -> ../../mmcblk0p6
+
  lrwxrwxrwx 1 root root 10 May  3 15:14 metadata1 -> ../../sda3
  +
   lrwxrwxrwx 1 root root 10 May  3 15:14 metadata2 -> ../../sda4
  +
  lrwxrwxrwx 1 root root 11 May  3 15:14 rootfs -> ../../sda10
  +
   lrwxrwxrwx 1 root root 10 May  3 15:14 u-boot-env -> ../../sda7
  +
  lrwxrwxrwx 1 root root 11 May  3 15:14 userfs -> ../../sda11
  +
   lrwxrwxrwx 1 root root 10 May  3 15:14 vendorfs -> ../../sda9
 
}}
 
}}
 
<br>
 
<br>
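Review bot: the old listing marked the target entry with {{Highlight|'''fip'''}}, and the replacement listing highlights nothing, so the fip-a and fip-b lines that the dd step depends on no longer stand out from bootfs, rootfs and the other partitions; consider wrapping those two labels in the same Highlight template. The added lines also mix two and three leading spaces, which is worth normalising so the block renders as one preformatted listing.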
Line 359: Line 144:
   
 
<noinclude>
 
<noinclude>
[[Category:Platform configuration]]
+
[[Category:Trusted Firmware-A (BL2)|04]]
 
{{PublicationRequestId | 19289 | 2120-03-10 | }}
 
{{PublicationRequestId | 19289 | 2120-03-10 | }}
 
</noinclude>
 
</noinclude>
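Review bot: the unchanged PublicationRequestId line next to the edited category carries the date 2120-03-10, which lies a century in the future and is probably a typo; since this block is being touched for the category change, confirm the intended date and correct it in the same revision.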