Difference between revisions of "How to configure TF-A SP-MIN"


1 Article purpose

This section details the TF-A SP-MIN (BL32) component. It explains how to use it in the STM32 MPU runtime context, the build process from sources, and how to deploy it on your target.

2 Overview

TF-A SP-MIN is a secure partition that can be used for the ST boot chain.
This secure partition is executed in monitor mode. It is a secure implementation for limited services:

  • PSCI
  • SCMI
  • SiP services

For a more complete secure implementation, choose OP-TEE OS.

Warning
TF-A SP-MIN images must be embedded in the FIP binary that is loaded by TF-A BL2 and can be automatically authenticated.

3 Configuration

TF-A SP-MIN is based on device tree configuration.
Its device tree (called TOS_FW_CONFIG) is also loaded by the TF-A BL2 and its load address is passed to SP-MIN as the second argument. This allows the SP-MIN code to remain generic and adapt to the board based on the device tree.

4 Memory layout

SP-MIN binary (bl32.bin) is embedded in the FIP binary and identified as tos-fw.
The SP-MIN device tree is also embedded in the FIP and identified as tos-fw-config.

The SP-MIN is built with the PIE option, which makes the code executable from a configurable address. The load addresses for SP-MIN and the device tree are configurable through the TF-A firmware configuration framework. If required, each load address can be changed independently by modifying the firmware configuration file.

5 Source code access and build process

Cross compilation of TF-A SP-MIN is only required if it has to be modified.
Refer to Setup Cross compile environment.

If changes have been made, rebuild TF-A (SP-MIN) and update the FIP. Update the associated FIP partitions of your boot device with this new image.

The build process creates a TF-A SP-MIN image and its device tree.

5.1 Install sources

5.1.1 From the Developer package

The Developer Package contains OpenSTLinux and TF-A sources: TF-A Installation

5.1.2 Official source tree

Download source code from the official Trusted Firmware-A git repository.

 
 git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git

Warning
The STM32MP1 platform is not yet fully upstreamed. Depending on the version used, some features may not be available.

For full-featured software, use the STMicroelectronics GitHub repository:

 
 git clone https://github.com/STMicroelectronics/arm-trusted-firmware.git


5.1.3 Distribution Package

It is possible to use the distribution package to download and rebuild TF-A SP-MIN.

5.1.4 Build Process

5.1.4.1 TF-A Build flags

Here is the list of the mandatory flags that need to be specified to complete the SP-MIN build:

  • ARM_ARCH_MAJOR=7: the major version of Arm Architecture to target (STM32MP1 is based on an Arm v7 architecture)
  • ARCH=aarch32: specifies aarch32 architecture to be built
  • PLAT=stm32mp1: builds an STM32MP1 platform
  • DTB_FILE_NAME=<fdt file name>.dtb: this flag must be defined to build the proper target and include the correct DTB file into the final file
  • AARCH32_SP=sp_min: selects SP-MIN as secure partition

Optional flags:

  • BUILD_PLAT=<folder>: custom output folder name (default is build/<debug/release>/)
  • DEBUG=1: adds debug information in all binaries
  • V=1: prints verbose compilation traces


5.1.5 Build command

Warning
The DTB_FILE_NAME flag and the AARCH32_SP=sp_min flag must be set to select the correct board configuration.

The device tree file for the target must be located in the fdts folder (<board>.dts).

First add your own environment flags:

 
 unset LDFLAGS;
 unset CFLAGS;

Then compile the TF-A SP-MIN (BL32).

5.1.5.1 STM32MP15

The default build command for STM32MP15 is:

 
 make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=<board>.dtb bl32 dtbs

Here is the build command for the stm32mp157c-ev1 board:

 
 make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=stm32mp157c-ev1.dtb bl32 dtbs

5.1.6 Final image

Final images are available for updating the FIP binary (including the associated firmware configuration file):

<BUILD_PLAT>/bl32.bin
<BUILD_PLAT>/fdts/<board>.dtb
<BUILD_PLAT>/fdts/<board>-fw-config.dtb
Ex:
build/release/bl32.bin
build/release/fdts/stm32mp157c-ev1.dtb
build/release/fdts/stm32mp157c-ev1-fw-config.dtb
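
The mandatory flags, the fdts requirement and the final image list above can be checked mechanically before and after running make. The following is an added example, not part of the original page or of TF-A; the function names are hypothetical, while the flag names, values and output paths are the ones listed on this page. It rejects a misspelled flag such as AARCH32=sp_min in place of AARCH32_SP=sp_min.

```shell
# Added example: pre-flight checks around the SP-MIN build (hypothetical helper names).
# Flag names, values and output paths are the ones listed on this page.

# usage: check_spmin_args <TF-A source dir> <make arguments...>
# Reports every mandatory-flag problem on stderr; returns 1 if any was found.
check_spmin_args() {
    src=$1; shift
    rc=0; dtb=
    for want in ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min; do
        found=no
        for arg in "$@"; do
            if [ "$arg" = "$want" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then
            echo "missing or misspelled mandatory flag: $want" >&2
            rc=1
        fi
    done
    for arg in "$@"; do
        case $arg in
            DTB_FILE_NAME=*.dtb) dtb=${arg#DTB_FILE_NAME=} ;;
        esac
    done
    if [ -z "$dtb" ]; then
        echo "missing mandatory flag: DTB_FILE_NAME=<board>.dtb" >&2
        rc=1
    elif [ ! -f "$src/fdts/${dtb%.dtb}.dts" ]; then
        echo "device tree source not found: fdts/${dtb%.dtb}.dts" >&2
        rc=1
    fi
    return "$rc"
}

# usage: check_spmin_outputs <BUILD_PLAT> <board>
# Reports each expected final image that is absent; returns 1 if any is missing.
check_spmin_outputs() {
    rc=0
    for f in "$1/bl32.bin" "$1/fdts/$2.dtb" "$1/fdts/$2-fw-config.dtb"; do
        if [ ! -f "$f" ]; then echo "missing output: $f" >&2; rc=1; fi
    done
    return "$rc"
}
```

Call check_spmin_args with the TF-A source directory and the same arguments you intend to pass to make, then check_spmin_outputs with the output folder and board name once the build has finished.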

5.2 Updating the software

The SP-MIN binary and its associated firmware are part of the FIP binary.
The next step to deploy the SP-MIN firmware is to update the FIP binary following the FIP update process.

5.3 Extra tips

When generating the SP-MIN, it is also possible in a single line to generate the associated FIP with the following command.
Example for STM32MP15 platform:

 
 make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=<board_name>.dtb BL33=<u-boot_path>/u-boot-nodtb.bin \
         BL33_CFG=<u-boot_path>/u-boot.dtb bl32 dtbs fip


== Article purpose ==
This section details the TF-A SP-MIN (BL32) component.
It explains how to use it in the STM32 MPU runtime context, the build process from sources, and how to deploy it on your target.<br>


== Overview ==
TF-A SP-MIN is a secure partition that can be used for the ST boot chain.<br>

This secure partition is executed in monitor mode. It is a secure implementation for limited services:
* PSCI
* SCMI
* SiP services

For a more complete secure implementation, choose [[OP-TEE_overview|OP-TEE OS]].<br>


{{Warning | TF-A SP-MIN images must be embedded in the [[How to configure TF-A FIP|FIP binary]] that is loaded by [[TF-A BL2 overview|TF-A BL2]] and can be automatically authenticated.}}

== Configuration ==
TF-A SP-MIN is based on device tree configuration.<br>

Its device tree (called TOS_FW_CONFIG) is also loaded by the [[TF-A BL2 overview|TF-A BL2]] and its load address is passed to SP-MIN as the second argument.
This allows the SP-MIN code to remain generic and adapt to the board based on the device tree.

== Memory layout ==
SP-MIN binary (bl32.bin) is embedded in the FIP binary and identified as ''tos-fw''.<br>

The SP-MIN device tree is also embedded in the FIP and identified as ''tos-fw-config''.<br>


The SP-MIN is built with the '''PIE''' option, which makes the code executable from a configurable address.
The load addresses for SP-MIN and the device tree are configurable through the [[TF-A_overview#FCONF|TF-A firmware configuration framework]].
If required, each load address can be changed independently by modifying the [[How to configure TF-A FW CONFIG|firmware configuration file]].

== Source code access and build process ==
Cross compilation of TF-A SP-MIN is only required if it has to be modified.<br>

Refer to [[Cross-compile with OpenSTLinux SDK|Setup Cross compile environment]].

If changes have been made, rebuild TF-A (SP-MIN) and update the [[How to configure TF-A FIP|FIP]]. Update the associated FIP partitions of your boot device with this new image.<br>


The build process creates a TF-A SP-MIN image and its device tree.

=== Install sources ===
==== From the Developer package ====
The Developer Package contains OpenSTLinux and TF-A sources:
[[STM32MP1_Developer_Package#Installing the TF-A|TF-A Installation]]

==== Official source tree ====
Download source code from the official Trusted Firmware-A git repository.
  {{PC$}} git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git

{{Warning|The STM32MP1 platform is not yet fully upstreamed. Depending on the version used, some features may not be available.}}<br>

For full-featured software, use the STMicroelectronics GitHub repository:
  {{PC$}} git clone https://github.com/STMicroelectronics/arm-trusted-firmware.git

{{InternalInfo |
Development source tree:
Download source code from the internal git
  {{PC$}} git clone ssh://gerrit.st.com:29418/mpu/oe/st/tf-a.git
}}

==== Distribution Package ====
It is possible to use the distribution package to download and rebuild [[How_to_cross-compile_with_the_Distribution_Package#Modifying_the_TF-A|TF-A SP-MIN]].

==== Build Process ====
===== TF-A Build flags =====
Here is the list of the mandatory flags that need to be specified to complete the SP-MIN build:
* ARM_ARCH_MAJOR=7: the major version of Arm Architecture to target (STM32MP1 is based on an Arm v7 architecture)
* ARCH=aarch32: specifies aarch32 architecture to be built
* PLAT=stm32mp1: builds an STM32MP1 platform
* DTB_FILE_NAME=<fdt file name>.dtb: this flag must be defined to build the proper target and include the correct DTB file into the final file 
* AARCH32_SP=sp_min: selects SP-MIN as secure partition

Optional flags:
* BUILD_PLAT=<folder>: custom output folder name (default is build/<debug/release>/)
* DEBUG{{=}}1: adds debug information in all binaries
* V{{=}}1: prints verbose compilation traces

{{InternalInfo |
* STM32MP_FPGA{{=}}1: includes specific FPGA code (not compatible with board)
* STM32MP1_TEST{{=}}1: enables tests
This TEST flag allows:
* TODO 
}}

==== Build command ====
{{Warning|The DTB_FILE_NAME flag and the AARCH32_SP{{=}}sp_min flag must be set to select the correct board configuration.<br>

The device tree file for the target must be located in the {{CodeSource | TF-A | fdts}} folder (<board>.dts).}}

First add your own environment flags:
  {{PC$}} unset LDFLAGS;
  {{PC$}} unset CFLAGS;

Then compile the TF-A SP-MIN (BL32).<br>


===== STM32MP15 =====
The default build command for STM32MP15 is:
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
          DTB_FILE_NAME=<board>.dtb bl32 dtbs

Here is the build command for the stm32mp157c-ev1 board:
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
          DTB_FILE_NAME=stm32mp157c-ev1.dtb bl32 dtbs

==== Final image ====
Final images are available for updating the FIP binary (including the associated [[How to configure TF-A FW CONFIG|firmware configuration file]]):<pre>
<BUILD_PLAT>/bl32.bin
<BUILD_PLAT>/fdts/<board>.dtb
<BUILD_PLAT>/fdts/<board>-fw-config.dtb
Ex:
build/release/bl32.bin
build/release/fdts/stm32mp157c-ev1.dtb
build/release/fdts/stm32mp157c-ev1-fw-config.dtb</pre>


=== Updating the software ===
The SP-MIN binary and its associated firmware are part of the [[How to configure TF-A FIP|FIP binary]].<br>

The next step to deploy the SP-MIN firmware is to update the FIP binary following the '''[[How to configure TF-A FIP#Updating_TF-A_SP-MIN|FIP update process]]'''.

=== Extra tips ===
When generating the SP-MIN, it is also possible in a single line to generate the associated FIP with the following command.<br>

Example for STM32MP15 platform:
  {{PC$}} make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
          DTB_FILE_NAME=<board_name>.dtb BL33=<u-boot_path>/u-boot-nodtb.bin \
          BL33_CFG=<u-boot_path>/u-boot.dtb bl32 dtbs '''fip'''
<noinclude>

[[Category:Trusted Firmware-A (SP-MIN)| 02]]
{{PublicationRequestId|19291|2120-03-10}}</noinclude>
Line 12: Line 12:
 
For a more complete secure implementation, choose [[OP-TEE_overview|OP-TEE OS]].<br>
 
For a more complete secure implementation, choose [[OP-TEE_overview|OP-TEE OS]].<br>
   
{{Warning | TF-A SP-MIN images must be embedded in the [[How to configure TF-A FIP|FIP binary]] that is loaded by [[How to configure TF-A BL2|BL2]] and can be automatically authentified.}}
+
{{Warning | TF-A SP-MIN images must be embedded in the [[How to configure TF-A FIP|FIP binary]] that is loaded by [[TF-A BL2 overview|TF-A BL2]] and can be automatically authentified.}}
   
 
== Configuration ==
 
== Configuration ==
 
TF-A SP-MIN is based on device tree configuration.<br>
 
TF-A SP-MIN is based on device tree configuration.<br>
Its device tree (called TOS_FW_CONFIG) is also loaded by the [[How to configure TF-A BL2|TF-A BL2]] and its load address is passed to SP-MIN as second argument.
+
Its device tree (called TOS_FW_CONFIG) is also loaded by the [[TF-A BL2 overview|TF-A BL2]] and its load address is passed to SP-MIN as second argument.
 
It allows the SP-MIN code to remain generic and adapt the board compatibility based on the device tree.
 
It allows the SP-MIN code to remain generic and adapt the board compatibility based on the device tree.
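Review bot: the Warning line edited in this hunk still reads "authentified"; since the line is already being changed for the link target, correct it to "authenticated" in the same revision. The sentence also says the images "can be automatically" verified without stating when that happens, so a link to where authentication is configured would make the warning actionable. The two replaced links now both use the target TF-A BL2 overview with the label TF-A BL2, which is consistent.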
   
Line 61: Line 61:
 
==== Build Process ====
 
==== Build Process ====
 
===== TF-A Build flags =====
 
===== TF-A Build flags =====
Here is the list of the mandatory flags that need to be specified to complete the [[STM32_MPU_TF-A_(SP-MIN)|SP-MIN]] build:
+
Here is the list of the mandatory flags that need to be specified to complete the SP-MIN build:
 
* ARM_ARCH_MAJOR=7: the major version of Arm Architecture to target (STM32MP1 is based no an Arm v7 architecture)
 
* ARM_ARCH_MAJOR=7: the major version of Arm Architecture to target (STM32MP1 is based no an Arm v7 architecture)
 
* ARCH=aarch32: specifies aarch32 architecture to be built
 
* ARCH=aarch32: specifies aarch32 architecture to be built
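Review bot: the ARM_ARCH_MAJOR=7 bullet directly under the edited sentence still reads "based no an Arm v7 architecture"; fix it to "based on an" while this section is open. Removing the [[STM32_MPU_TF-A_(SP-MIN)|SP-MIN]] link leaves the sentence with no link to the SP-MIN page, so confirm that the removal is intended rather than a side effect of cleaning up the markup.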