How to build and debug secure project on Cortex-M33 coprocessor in STM32CubeIDE

Applicable for

Trusted domain applicability

This article is only applicable to A35-TD flavor of STM32MP2 series

This article gives some guidelines to support secure project on Arm^®-Cortex^®-M33 coprocessor on STM32MP25x lines .

The secure project relies on the TFM_Protected_Storage project from STM32CubeMP2 Package. This project provides a secure with TF-M build configuration. It can be used from a Window and Linux workstation.

This article focuses on how to build secure firmware (trusted firmware-M) together with nonsecure firmware and debug them.

1. Prerequisites[edit | edit source]

1.1. Hardware prerequisites[edit | edit source]

Use the STM32MP257F-EV1 Evaluation board - rev C
Set Linux^® console
Connect the PC workstation to the Linux^® Arm^®-Cortex^®-A via Ethernet (or Ethernet over USB). For more information, refer to STM32MP257x-EV1_-_hardware_description.

1.2. Software prerequisites[edit | edit source]

Install the OpenSTLinux stater package (FlashLayout_emmc_stm32mp257f-dk-ca35tdcid-ostl-m33-examples-optee.tsv) .
Boot the STM32MP257F-EV1 . Refer to STM32MP25_Evaluation_boards_-_Starter_Package#Booting the board

Install STM32CubeIDE

Install build environment and python dependencies for TF-M as described in How_to_configure_TF-M#Prerequisites chapter. Trusted-firmware-m should be installed in STM32CubeMP2 Package, Middlewares/Third_Party/trusted-firmware-m.

Install python libraries, needed by OP-TEE signature python script

pip install pyelftools
pip install pycryptodomex

2. Importing[edit | edit source]

2.1. Importing TFM_Protected_Storage STM32CubeIDE project[edit | edit source]

TFM_Protected_Storage STM32CubeIDE project is imported from STM32CubeMP2 Package using the menu File > OpenProjects from File Systems....
Then, set Import source using Directory... to the STM32CubeMP2 firmware selecting: .../STM32Cube/Repository/STM32Cube_FW_MP2_Vx.x.x/Projects/STM32MP257F-EV1/Applications/TFM/TFM_Protected_Storage/STM32CubeIDE

Note that TFM_Protected_Storage STM32CubeIDE project is available from STM32CubeMPU package repository on local disk or from Projects/STM32MP257F-EV1/Applications/TFM/TFM_Protected_Storage .

Resulting project structure contains two projects:

TFM_Protected_Storage_CM33_NonSecure HAL-based project, addressing nonsecure part of application.
TFM_Protected_Storage_CM33_trusted-firmware-m pre-set CMake STM32CubeIDE project for TF-M, with link to sources: trusted-firmware-M pointing inside STM32CubeMP2 Package Middlewares/Third_Party/trusted-firmware-m

TFM_Protected_Storage imported project

2.2. Setting up the TFM_Protected_Storage_CM33_trusted-firmware-m project[edit | edit source]

The only missing element is access to trusted-firmware-M project source files.

As depicted below, the trusted-firmware-M, linked inside STM32CubeIDE project, points to a path that must be populated:

trusted-firmware-m link to source files

To populate it, follow the instructions in How to configure TF-M##Installing_sources. You can then refresh STM32CubeIDE project and view sources.

trusted-firmware-m sources from STM32CubeIDE

Make sure the trusted-firmware-M project is imported with pre-configured settings for:

STM32MP257F-EV1 board - CMake project usage setting

-DTFM_PLATFORM=stm/stm32mp257f_ev1 -DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake -DTFM_PROFILE=profile_medium -DCMAKE_BUILD_TYPE=debug -DNS=OFF

STM32CubeIDE debug information added to CMake project

3. Building[edit | edit source]

It is now possible to build TFM_Protected_Storage_CM33_trusted-firmware-m:

Warning

The process running STM32CubeIDE must define HTTP and HTTPS proxies for the CMake command to successfully access the network.

On Linux^® workstation, it is recommended to launch STM32CubeIDE from xterm with configured proxy environment.

Select TFM_Protected_Storage_CM33_NonSecure project. This project has only one build configuration: CA35TDCID_m33_ns_tfm_s_sign.
Built can be done using standard eclipse Build icon, it generates TFM_Protected_Storage_CM33_NonSecure_tfm_s_sign.bin, visible after a project refresh.

Note that a post-build command is used to generate the bin object from the two sub-project ELF files:

TFM_Protected_Storage_CM33_NonSecure_stripped.elf
Middlewares/Third_Party/trusted-firmware-m/config_default/bin/tfm_s.elf

4. Debugging[edit | edit source]

4.1. Prerequisites to debug[edit | edit source]

Objective is to make debugging in production mode.

STM32MP257F-EV1 must be up and running, and connected to the workstation via network and console.
SD-card has been initialized with Starter Package version 24-06-26.

The Cortex-M33 secure and nonsecure firmware images are encapsulated and signed.
The resulting binary file TFM_Protected_Storage_CM33_NonSecure_tfm_s_sign.bin has to be loaded by OP-TEE.
To check OP-TEE security capabilities of the board, execute the following command into the Linux console:

cat /sys/class/remoteproc/remoteproc0/fw_format

The command should return "TEE".

Before using production mode debug, proxy network must be adjusted. Refer to How to set up proxy and P2P Ethernet connection with STM32CubeIDE for more information.

As illustrated in the following figure, the Target Status on the bottom right must show a green light (refer to How_to_use_the_Target_Status_widget_in_STM32CubeIDE).

4.2. Loading .bin object[edit | edit source]

The generated .bin object has to be downloaded into STM32MP257F-EV1 and loaded via "remoteproc" framework.

This is done using a Run Configuration set in production mode.

4.2.1. Setting up the run configuration[edit | edit source]

Select TFM_Protected_Storage_CM33_NonSecure project and right click on Run As > Run Configurations...
Double click on STM32 C/C++ Application to create a configuration.

In main tab:

Workspace... button allows to select .bin file

In Debugger tab:

Load mode should be thru Linux core (production mode)
For limitation reason GDB Connection Settings should be Connect to remote GDB server.

It is recommended to enrich the default Run Configuration name with, for example, Run Cfg - Load. This is to distinguish from Debug Configuration.

4.2.2. Running[edit | edit source]

Run with this configuration to transfer the .bin and load it.

Below is illustrated the transfer pop-up:

Open a console inside STM32CubeIDE to check that the firmware has been loaded and is running on Arm^®-Cortex^®-M33:

cat /sys/class/remoteproc/remoteproc0/firmware
cat /sys/class/remoteproc/remoteproc0/state

In case of problem, follow the instructions from Linux remoteproc framework overview#How_to_trace_and_debug_the_framework article.

4.3. Debugging secure and nonsecure firmware[edit | edit source]

To debug these firmware, the debug configuration must reference both the secure and non-secure ELF files.

4.3.1. Setting up the debug configuration[edit | edit source]

Select TFM_Protected_Storage_CM33_NonSecure project and right click on Debug As > C/C++ STM32 Application
This menu creates a debug configuration for the selected project.

It is recommended to enrich the default Debug Configuration name with, for example,Debug Cfg . This is to distinguish from Run Configuration.

In Startup tab

Edit nonsecure ELF and unset download

Add TF-M elf definition with Add menu, and:
- Program path to: trusted-firmware-m/config_default/bin/tfm_s.elf
- Disable Download
- Give "ARM.exidx" file offset "0x9c20". The file offset address is retrieved from tfm-s.elf:

 readelf -a tfm_s.elf | grep "Unwind section '.ARM.exidx' at offset"

Unwind section .ARM.exidx at offset 0x9c20 contains 1 entry:

or

 objdump -hw ./config_default/bin/tfm_s.elf | grep ".ARM.exidx"
17 .ARM.exidx               00000008  80008c20  80008c20  00009c20  2**2  CONTENTS, ALLOC, LOAD, READONLY, DATA

Information

A way to control entry point of the debug session could be to add a debug loop. In the following figure, a debug loop has been added at the beginning of tfm_hal_platform_init() TFM_Protected_Storage_CM33_trusted-firmware-m/trusted-firmware-m/platform/ext/target/stm/common/stm32mp2/secure/tfm_hal_platform.c.

The debug session starts inside this debug loop. By changing i variable to 0, it is possible to step into TFM initialization code.

Debug loop inside TF-M init code

4.3.2. Debugging[edit | edit source]

When launching the debug configuration, it is recommended

to select Switch to the Confirm Perspective Switch to enter Debug Eclipse perspective.
Then, using Suspend icon, the control of Arm^®-Cortex^®-M33 execution can be taken.

The first instructions are a while loop on a volatile variable, enabling control to be taken from the start of the code.

Step into tf-m initialization code

4.3.3. Setting up traces[edit | edit source]

With debug loop in place, it is possible to switch MPU Serial console to Cortex-M33 and display tfm-s and nonsecure ELF traces.

First right click on Target Status widget and stop it.

Target Status stop

Window > Preferences
Then inside STM32Cube > MPU Serial, select Remove filter and force console to /dev/ttyACM1.

Then, open MPU serial console using the dedicated icon to display Cortex-M33 traces.

Tracing TF-M & Non Secure elf