1. Purpose[edit | edit source]
This article presents the STM32MPU OP-TEE configuration profiles. The last section gives references to OP-TEE build environment where to apply the configuration tuning.
For information on the many configuration switches of OP-TEE, refer to the mainline documentation [1] and to OP-TEE configuration switches article.
2. Overview[edit | edit source]
As detailed in STM32MPU OP-TEE Overview article, OP-TEE is used both as a system resource manager, and as a secure service provider in STM32MPU software deliveries. Support for these services can be set from specific CFG_xxx configuration switches (see OP-TEE configuration switches). However, STM32MPU defines an OP-TEE configuration profile directive CFG_STM32MP_PROFILE that allows to set whether OP-TEE embeds secure services or only the system resource services. This article describes these profiles, and the related services embedded in OP-TEE OS.
3. OP-TEE system services profile[edit | edit source]
OP-TEE system resource management profile is enabled with CFG_STM32MP_PROFILE=system_services.
OpenSTLinux is designed to run a Linux ® kernel on an Arm Cortex-A processor. In this architecture, Linux ® kernel is designed to execute in the nonsecure state of the processor. Arm specifies several standard interfaces for Linux ® kernel (more generally Cortex-A nonsecure world software) to access resources that are under secure world control by processor and/or chip architecture design, even if these resources may not strictly require Root of Trust (RoT) constraints on their use. STM32MPU OP-TEE system services profile configures OP-TEE to embed only these services, disabling all secure services.
These services are exposed through several standard interfaces:
- Arm PSCI specification [2] covers CPU and system low-power modes.
- Arm defines a secure watchdog service interface bound on an Arm SMCCC function ID.
The interface was introduced in Linux ® kernel v5.8 [3]. - Arm SCMI specification [4] covers system resources as clocks, voltage regulators, power domains.
- STM32MP15 exposes platform SiP and OEM SMC function IDs in the scope of the Arm SMCCC specification [5].
These SMC function IDs are used in early OpenSTLinux distribution OTP fuses access services and up to now for low-power domains and voltage regulators control. - OP-TEE OS defines so-called PTA services, as standardized interfaces to access a few system resources.
The tables below list the resource management services available from OP-TEE. Some of these services are default enabled in applicable STM32MP product lines but can be individually disabled with their related CFG_xxx configuration switch.
Required means the service is embedded and cannot be disabled.
Optional/on means the service is embedded and can be disabled.
Optional/off means the service is not embedded and can be enabled.
Not applicable means the service do not apply to the product line.
OP-TEE system services | STM32MP13x lines | STM32MP15x lines | STM32MP25x lines |
---|---|---|---|
SCMI services | Required | Required | Required |
PSCI services | Required | Required | Required for PMIC services |
Oscillator calibration service | Optional/on (CFG_STM32_CLKCALIB=y) |
Optional/on (CFG_STM32_CLKCALIB=y) |
Required |
Wake-up source management | Required | Required | Not applicable |
Power Domain service | Required | Required | Not applicable |
OTP access services | Optional/on (CFG_BSEC_PTA=y) |
Optional/on (CFG_BSEC_PTA=y) |
Optional/on (CFG_BSEC_PTA=y) |
Random generation service | Optional/on (CFG_HWRNG_PTA=y) |
Optional/on (CFG_HWRNG_PTA=y) |
Optional/on (CFG_HWRNG_PTA=y) |
When OP-TEE is configured with CFG_STM32MP_PROFILE=system_services (and its core log level is configured in info trace level (CFG_TEE_CORE_LOG_LEVEL=2) or higher), OP-TEE initialization sequence prints the below trace message:
I/TC: OP-TEE ST profile: system_services
3.1. SCMI services[edit | edit source]
3.2. PSCI services[edit | edit source]
4. OP-TEE secure services profile[edit | edit source]
OP-TEE secure services profile is enabled with CFG_STM32MP_PROFILE=secure_and_system_services.
This profile embeds all the system services described in the previous section OP-TEE system services profile and embeds secure services as support for Trusted Applications[6] (TAs), secure remote co-processor loading, secure random number generation and more.
All secure services are built as OP-TEE TAs, executed in Cortex-A secure unprivileged level, or as OP-TEE core built-in services (named PTAs, part of OP-TEE core firmware image). When secure services are used, STM32MPU hardware assistance can greatly enhance the security hardening of the platform.
OP-TEE secure services are listed in the table below. Each of these services is default enabled in applicable STM32MP product line default configuration but can be individually disabled from their related CFG_ configuration switch.
Required means the service is embedded and cannot be disabled.
Optional/on means the service is embedded and can be disabled.
Optional/off means the service is not embedded and can be enabled.
Not applicable means the service do not apply to the product line.
OP-TEE secure & system services | STM32MP13x lines | STM32MP15x lines | STM32MP25x lines |
---|---|---|---|
System services | |||
SCMI services | Required | Required | Required |
PSCI services | Required | Required | Required for PMIC services |
Oscillator calibration service | Optional/on (CFG_STM32_CLKCALIB=y) |
Optional/on (CFG_STM32_CLKCALIB=y) |
Required |
Wake-up source management | Required | Required | Not applicable |
Power Domain service | Required | Required | Not applicable |
OTP access services | Optional (CFG_BSEC_PTA=y) |
Optional (CFG_BSEC_PTA=y) |
Optional (CFG_BSEC_PTA=y) |
Random generation service | Recommended (CFG_HWRNG_PTA=y) |
Optional/on (CFG_HWRNG_PTA=y) |
Optional/on (CFG_HWRNG_PTA=y) |
Secure services - Trustworthiness of external TAs and internal PTAs | |||
User Trusted application support (CFG_WITH_USER_TA=y) |
Required | Required | Required |
NVMEM provisioning services (CFG_BSEC_PTA=y and stm32mp_nvmem TA) |
Optional/on |
Optional/on |
Optional/on |
Remote proc services (CFG_STM32MP_REMOTEPROC=y and remoteproc TA) |
Not applicable | Optional/on |
Optional/on |
OP-TEE trusted keys wrapping [7] (CFG_IN_TREE_EARLY_TAS+=trusted_keys/...) |
Optional/on | Optional/on | Optional/on |
OP-TEE PKCS#11 token [8] (pkcs11 TA, CFG_PKCS11_TA+=y for tests) |
Optional/on | Optional/on | Optional/on |
OP-TEE StMM [9] for EFI secure variables (CFG_STMM_PATH=...) |
Optional/off | Optional/off | Optional/off |
When OP-TEE is configured with CFG_STM32MP_PROFILE=seecure_and_system_services (and its core log level is configured in info trace level (CFG_TEE_CORE_LOG_LEVEL=2) or higher), OP-TEE initialization sequence prints the below trace message:
I/TC: OP-TEE ST profile: secure_and_system_services
5. Platform default configuration and constraints[edit | edit source]
5.1. STM32MP13 default profile[edit | edit source]
Platform default configuration for STM32MP13x lines enables both system and secure service:
- CFG_STM32MP_PROFILE=secure_and_system_services
On STM32MP13x lines , OP-TEE OS is loaded in the external memory (DDR) that is encrypted by TF-A BL2 thanks to DDRMCE.
On STM32MP13x lines , secure services need some STM32MPU subsystems be assigned to the secure world (STM32 RNG, STM32 AES, STM32 IWDG, etc...)
5.2. STM32MP15 default profile[edit | edit source]
Platform default configuration for STM32MP15x lines enables only system resource management services:
- CFG_STM32MP_PROFILE=system_services
Because STM32MP15x lines does not offer DDR encryption support, enabling the secure services profile requires OP-TEE to execute in the small secure internal SYSRAM thanks to its "pager" mode (memory page swapping). The paging mechanism can affect OP-TEE service performances. This mode also requires low-power sequence to save/restore the internal secure memory into/from the non-secure DDR, using STM32 CRYP and STM32 RNG assistance. Therefore STM32MP15A* and STM32MP15D* chips cannot support low-power suspended state when secure services are enabled. It is possible to assign SRAM1 and some other SRAMx to OP-TEE pager if they are not used by the Cortex-M processor.
In order to enable OP-TEE secure services on STM32MP15x lines , set CFG_STM32MP_PROFILE=secure_and_system_services. This profile runs OP-TEE is the secure SYSRAM with OP-TEE pager enabled. Refer to section STM32MP15 pager constraints for more information on configuration constraints when pager is enabled.
5.3. STM32MP25 default profile[edit | edit source]
Platform default configuration for STM32MP25x lines enables both system and secure services:
- CFG_STM32MP_PROFILE=secure_and_system_services
OP-TEE OS is loaded in a secure memory region of the DDR, covered by the RISAF that supports memory region encryption and secure level management.
On STM32MP25x lines , secure services need some STM32MPU subsystems to be assigned to the secure world (STM32 RNG, STM32 AES, STM32 IWDG, etc...)
6. Details on build directives[edit | edit source]
Article OP-TEE configuration switches details the CFG_xxx configuration directives that are default set when building the OP-TEE image for a target platform. The build environment can override some of the configuration switch values defined for a platform. How to pass these changes depends on the build environment, refer to these 3 sections:
- Build OP-TEE with the Distribution Package;
- Build OP-TEE with the Developer Package;
- Build OP-TEE in a mainline build environment.
7. References[edit | edit source]
- ↑ https://optee.readthedocs.io/en/3.19.0/
- ↑ https://developer.arm.com/documentation/den0022/latest/
- ↑ https://elixir.bootlin.com/linux/v5.8/source/Documentation/devicetree/bindings/watchdog/arm-smc-wdt.yaml
- ↑ https://developer.arm.com/documentation/den0056/latest/
- ↑ https://developer.arm.com/documentation/den0028/latest/
- ↑ https://optee.readthedocs.io/en/latest/building/trusted_applications.html
- ↑ https://static.linaro.org/connect/san19/presentations/san19-413.pdf
- ↑ https://optee.readthedocs.io/en/latest/building/userland_integration.html#pkcs-11-driver
- ↑ https://optee.readthedocs.io/en/latest/building/efi_vars/stmm.html