How to configure TF-A SP-MIN

Revision as of 08:07, 19 March 2021 by Anne Journeau (talk | contribs) (TF-A Build flags)

1 Article purpose[edit]

This section details the TF-A SP-MIN (BL32) component. It explains how to use it in STM32 MPU runtime context, the build process from sources, and how to deploy it on your target.
The build examples are based on the OpenSTLinux environment:

  • Developer Package
  • Distribution Package

2 Overview[edit]

TF-A SP-MIN is a secure partition that can be used for the ST boot chain.
This secure partition is executed in monitor mode. It is a secure implementation for limited services:

  • PSCI
  • SCMI
  • SiP services

For a more complete secure implementation, choose OP-TEE OS.

Warning white.png Warning
TF-A SP-MIN images must be embedded in the FIP binary that is loaded by BL2 and can be automatically authentified.

3 Configuration[edit]

TF-A SP-MIN is based on device tree configuration.
Its device tree (called TOS_FW_CONFIG) is also loaded by the TF-A BL2 and its load address is passed to SP-MIN as second argument. It allows the SP-MIN code to remain generic and adapt the board compatibility based on the device tree.

4 Memory layout[edit]

SP-MIN binary (bl32.bin) is embedded in the FIP binary and identified as tos-fw.
The SP-MIN device tree is also embedded in the FIP and identified as tos-fw-config.

The SP-MIN is built with the PIE option which makes the code executable from a configurable address. The load addresses for SP-MIN and the device tree is configurable thanks to TF-A firmware configuration framework. If required, the load address can be independently changed by modifying the firmware configuration file.

5 Source code access and build process[edit]

Cross compilation of TF-A SP-MIN is only required if it has to be modified.
By default, in the Starter Package, the TF-A SP-MIN images are embedded in the trusted FIP, fip-<board>-trusted.bin.
If changes have been made, rebuild TF-A (SP-MIN) and update the FIP. Update the associated FIP partitions of your boot device with this new image.

The build process creates a TF-A SP-MIN image and its device tree.

5.1 Developer Package[edit]

5.1.1 Install sources[edit]

The Developer Package contains OpenSTLinux and TF-A sources: TF-A Installation

5.1.2 Official source tree[edit]

Download source code from the official Trusted Firmware-A git repository.

  git clone
Warning white.png Warning
The STM32MP1 platform is not yet fully upstreamed. Depending on the version used, some features may not be available.

For a full-featured software, go to STMicroelectronics github:

  git clone

5.1.3 Build Process[edit] Initializing the cross compile environment[edit]

Refer to Setup Cross compile environment. TF-A Build flags[edit]

Here is the list of the mandatory flags that need to be specified to complete the SP-MIN build:

  • ARM_ARCH_MAJOR=7: the major version of Arm Architecture to target (STM32MP1 is based no an Arm v7 architecture)
  • ARCH=aarch32: specifies aarch32 architecture to be built
  • PLAT=stm32mp1: builds an STM32MP1 platform
  • DTB_FILE_NAME=<fdt file name>.dtb: this flag must be defined to build the proper target and include the correct DTB file into the final file
  • AARCH32_SP=sp_min: selects SP-MIN as secure partition

Optional flags:

  • BUILD_PLAT=<folder>: custom output folder name (default is build/<debug/release>/)
  • DEBUG=1: adds debug information in all binaries
  • V=1: prints verbose compilation traces

5.1.4 Build command[edit]

Warning white.png Warning
Please read carefully

First add your own environment flags:

  unset LDFLAGS;
  unset CFLAGS;

Then compile the TF-A SP-MIN (BL32). STM32MP15[edit]

The default build command for STM32MP15 is:

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=<board>.dtb bl32 dtbs

Here is the build command for the stm32mp157c-ev1 board:

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32=sp_min \
         DTB_FILE_NAME=stm32mp157c-ev1.dtb bl32 dtbs

From the Developer Package tarball, a Makefile.sdk is present and must be used to build the target. It automatically sets the proper configuration for the TF-A build.

  make -f Makefile.sdk TF_A_CONFIG=trusted TF_A_DEVICETREE=<board>

The latest version of the helper file is also available from GitHub: README_HOWTO.txt .

5.1.5 Final image[edit]

Final images are available for updating the FIP binary (including the associated firmware configuration file):


5.2 Distribution Package[edit]

For an OpenSTLinux distribution, the TF-A SP-MIN image is built in release mode by default. The yocto recipe can be found in:


To modify the TF-A SP-MIN code source, use the following steps starting from an already downloaded and built OpenSTLinux distribution.

5.2.1 Accessing the sources[edit]

You can use devtool to access the source.

  cd <baseline root directory>
  devtool modify tf-a-stm32mp sources/boot/tf-a

By going to the sources/boot/tf-a folder, you can manage and modify the TF-A sources. To rebuild it, go back to the build-<distribution> folder and launch the TF-A recipe:

  bitbake tf-a-stm32mp

The final image is deployed in the image default output folder.

5.3 Updating the software[edit]

SP_MIN binary and its associated firmware are part of the FIP binary.
The next step to deploy the SP-MIN firmware is to update the FIP binary following the FIP update process.

5.4 Extra tips[edit]

When generating the SP-MIN, it is also possible in a single line to generate the associated FIP with the following command.
Example for STM32MP15 platform:

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=<board_name>.dtb BL33=<u-boot_path>/u-boot-nodtb.bin \
         BL33_CFG=<u-boot_path>/u-boot.dtb bl32 dtbs fip