This article gives some guidelines to support secure project on Arm®-Cortex®-M33 coprocessor on STM32MP25x lines .
The secure project relies on the TFM_Protected_Storage project from STM32CubeMP2 Package. This project provides a secure with TF-M build configuration. It can be used from a Window and Linux workstation.
This article focuses on how to build secure firmware (trusted firmware-M) together with nonsecure firmware and debug them.
1. Prerequisites[edit | edit source]
1.1. Hardware prerequisites[edit | edit source]
- Use the STM32MP257F-EV1 Evaluation board
- rev C
- Set Linux® console
- Connect the PC workstation to the Linux® Arm®-Cortex®-A via Ethernet (or Ethernet over USB). For more information, refer to STM32MP257x-EV1_-_hardware_description.
1.2. Software prerequisites[edit | edit source]
- Install the OpenSTLinux stater package (FlashLayout_emmc_stm32mp257f-dk-ca35tdcid-ostl-m33-examples-optee.tsv) .
- Boot the STM32MP257F-EV1
. Refer to STM32MP25_Evaluation_boards_-_Starter_Package#Booting the board
- Install STM32CubeIDE
- Install build environment and python dependencies for TF-M as described in How_to_configure_TF-M#Prerequisites chapter. Trusted-firmware-m should be installed in STM32CubeMP2 Package, Middlewares/Third_Party/trusted-firmware-m.
- Install python libraries, needed by OP-TEE signature python script
pip install pyelftools pip install pycryptodomex
2. Importing[edit | edit source]
2.1. Importing TFM_Protected_Storage STM32CubeIDE project[edit | edit source]
TFM_Protected_Storage STM32CubeIDE project is imported from STM32CubeMP2 Package using the menu File
> OpenProjects
from File Systems...
.
Then, set Import source
using Directory...
to the STM32CubeMP2 firmware selecting: .../STM32Cube/Repository/STM32Cube_FW_MP2_Vx.x.x/Projects/STM32MP257F-EV1/Applications/TFM/TFM_Protected_Storage/STM32CubeIDE
Note that TFM_Protected_Storage STM32CubeIDE project is available from STM32CubeMPU package repository on local disk or from Projects/STM32MP257F-EV1/Applications/TFM/TFM_Protected_Storage .
Resulting project structure contains two projects:
- TFM_Protected_Storage_CM33_NonSecure HAL-based project, addressing nonsecure part of application.
- TFM_Protected_Storage_CM33_trusted-firmware-m pre-set CMake STM32CubeIDE project for TF-M, with link to sources: trusted-firmware-M pointing inside STM32CubeMP2 Package Middlewares/Third_Party/trusted-firmware-m
2.2. Setting up the TFM_Protected_Storage_CM33_trusted-firmware-m project[edit | edit source]
The only missing element is access to trusted-firmware-M project source files.
As depicted below, the trusted-firmware-M, linked inside STM32CubeIDE project, points to a path that must be populated:
To populate it, follow the instructions in How to configure TF-M##Installing_sources. You can then refresh STM32CubeIDE project and view sources.
Make sure the trusted-firmware-M project is imported with pre-configured settings for:
- STM32MP257F-EV1 board - CMake project usage setting
-DTFM_PLATFORM=stm/stm32mp257f_ev1 -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake -DTFM_PROFILE=profile_medium -DCMAKE_BUILD_TYPE=debug -DNS=OFF
- STM32CubeIDE debug information added to CMake project
3. Building[edit | edit source]
It is now possible to build TFM_Protected_Storage_CM33_trusted-firmware-m:
Select TFM_Protected_Storage_CM33_NonSecure project. This project has only one build configuration: CA35TDCID_m33_ns_tfm_s_sign
.
Built can be done using standard eclipse Build icon
, it generates TFM_Protected_Storage_CM33_NonSecure_tfm_s_sign.bin
, visible after a project refresh.
Note that a post-build command is used to generate the bin object from the two sub-project ELF files:
- TFM_Protected_Storage_CM33_NonSecure_stripped.elf
- Middlewares/Third_Party/trusted-firmware-m/config_default/bin/tfm_s.elf
4. Debugging[edit | edit source]
4.1. Prerequisites to debug[edit | edit source]
Objective is to make debugging in production mode.
- STM32MP257F-EV1
must be up and running, and connected to the workstation via network and console.
- SD-card has been initialized with Starter Package version 24-06-26.
- The Cortex-M33 secure and nonsecure firmware images are encapsulated and signed.
- The resulting binary file
TFM_Protected_Storage_CM33_NonSecure_tfm_s_sign.bin
has to be loaded by OP-TEE. - To check OP-TEE security capabilities of the board, execute the following command into the Linux console:
cat /sys/class/remoteproc/remoteproc0/fw_format
The command should return "TEE".
Before using production mode debug, proxy network must be adjusted. Refer to How to set up proxy and P2P Ethernet connection with STM32CubeIDE for more information.
As illustrated in the following figure, the Target Status
on the bottom right must show a green light (refer to How_to_use_the_Target_Status_widget_in_STM32CubeIDE).
4.2. Loading .bin object[edit | edit source]
The generated .bin
object has to be downloaded into STM32MP257F-EV1 and loaded via "remoteproc" framework.
This is done using a Run Configuration
set in production mode.
4.2.1. Setting up the run configuration[edit | edit source]
Select TFM_Protected_Storage_CM33_NonSecure project and right click on Run As
> Run Configurations...
Double click on STM32 C/C++ Application
to create a configuration.
- In
main
tab:
Workspace...
button allows to select.bin
file
- In
Debugger
tab:
Load mode
should bethru Linux core
(production mode)- For limitation reason
GDB Connection Settings
should beConnect to remote GDB server
.
It is recommended to enrich the default Run Configuration
name with, for example, Run Cfg - Load
.
This is to distinguish from Debug Configuration
.
4.2.2. Running[edit | edit source]
Run with this configuration to transfer the .bin
and load it.
Below is illustrated the transfer pop-up:
Open a console inside STM32CubeIDE to check that the firmware has been loaded and is running on Arm®-Cortex®-M33:
- cat /sys/class/remoteproc/remoteproc0/firmware
- cat /sys/class/remoteproc/remoteproc0/state
In case of problem, follow the instructions from Linux remoteproc framework overview#How_to_trace_and_debug_the_framework article.
4.3. Debugging secure and nonsecure firmware[edit | edit source]
To debug these firmware, the debug configuration must reference both the secure and non-secure ELF files.
4.3.1. Setting up the debug configuration[edit | edit source]
Select TFM_Protected_Storage_CM33_NonSecure project and right click on Debug As
> C/C++ STM32 Application
This menu creates a debug configuration for the selected project.
It is recommended to enrich the default Debug Configuration
name with, for example,Debug Cfg
.
This is to distinguish from Run Configuration
.
In Startup
tab
- Edit nonsecure ELF and unset download
- Add TF-M elf definition with
Add
menu, and:- Program path to: trusted-firmware-m/config_default/bin/tfm_s.elf
- Disable
Download
- Give "ARM.exidx" file offset "0x9c20". The file offset address is retrieved from
tfm-s.elf
:
readelf -a tfm_s.elf | grep "Unwind section '.ARM.exidx' at offset"
Unwind section.ARM.exidx
at offset0x9c20
contains 1 entry:
- or
objdump -hw ./config_default/bin/tfm_s.elf | grep ".ARM.exidx" 17 .ARM.exidx 00000008 80008c20 80008c20 00009c20 2**2 CONTENTS, ALLOC, LOAD, READONLY, DATA
![]() |
A way to control entry point of the debug session could be to add a debug loop.
In the following figure, a debug loop has been added at the beginning of The debug session starts inside this debug loop. By changing i variable to 0, it is possible to step into TFM initialization code. |
4.3.2. Debugging[edit | edit source]
When launching the debug configuration, it is recommended
- to select
Switch
to theConfirm Perspective Switch
to enterDebug Eclipse perspective
. - Then, using
Suspend
icon, the control of Arm®-Cortex®-M33 execution can be taken.
The first instructions are a while loop on a volatile variable, enabling control to be taken from the start of the code.
4.3.3. Setting up traces[edit | edit source]
With debug loop in place, it is possible to switch MPU Serial
console to Cortex-M33 and display tfm-s and nonsecure ELF traces.
First right click on Target Status
widget and stop it.
Window
> Preferences
Then inside STM32Cube
> MPU Serial
, select Remove filter
and force console to /dev/ttyACM1
.
Then, open MPU serial console using the dedicated icon to display Cortex-M33 traces.