- Last edited 6 months ago ago
How to configure TF-A FIP
- 1 Article purpose
- 2 Overview
- 3 Firmware Image Package creation tool
- 4 FIP binary creation
- 5 Updating the software on board
- 6 References
1 Article purpose
This section details the Trusted Firmware-A FIP (Firmware Image Package) usage in the STM32 MPU boot chain. It explains how to use it in STM32 MPU context and describes the build/update process that is required to deploy it on your target.
The FIP is used by the Trusted Firmware-A BL2 firmware to load and authenticate the next stage binaries.
The FIP follows the Trusted Firmware-A specification.
It must contains:
- All the boot stage firmware loaded by Trusted Firmware-A BL2.
- Configuration files.
3 Firmware Image Package creation tool
Trusted Firmware-A provides a dedicated tool named
fiptool to create a FIP.
If you want to regenerate it, you must follow the official documentation
. The official documentation introduces the different available options.
Here is the list of the most useful options:
|help||Show all available options supported||fiptool help|
|info||List the content of a FIP:
|| fiptool info fip.bin
Secure Payload BL32 (Trusted OS): offset=0x128, size=0x2C, cmdline="--tos-fw" Secure Payload BL32 Extra1 (Trusted OS Extra1): offset=0x154,
|update||Update allows one or more images to be replaced in an existing FIP binary||fiptool update --tos-fw bl32.bin fip.bin|
|unpack||Extracts all binaries from a FIP binary||fiptool unpack fip.bin|
|remove||Removes a binary from FIP binary||fiptool remove --tos-fw bl32.bin fip.bin|
4 FIP binary creation
Below the list of the different ways by which the FIP binary can be generated:
- Using the dedicated
- Using the Trusted Firmware-A official Makefile
The OpenSTLinux boot flow requires the following stages to be loaded:
- BL32: Secure OS OP-TEE OS
- BL33: The non-secure firmware (recommended U-Boot)
- HW_config: The OpenSTLinux uses the hw_config as the non-secure device tree
- FW_config: Firmware configuration file listing the previous images and defining their size and the load address
The Trusted Firmware-A Makefile with fip target and some variables uses
fiptool to automatically create the new FIP after the Trusted Firmware-A compilation.
With U-Boot as a non-secure firmware, the paths for the files used in next chapters are the following:
|fiptool option||File path for OP-TEE|
|Secure OS (OP-TEE)||BL32||--tos-fw||<optee_path>/tee-header_v2.bin|
|Firmware configuration file||FW_CONFIG||--fw-config||<tfa_path>/fw-config.dtb|
|U-Boot device tree||BL33_CFG||--hw-config||<u-boot_path>/u-boot.dtb|
4.2 Updating the FIP binary
When modifying a component included in the FIP binary, it is possible to update only part of the binary. To do this, use the
fiptool update command.
Example when a new U-Boot is generated, the FIP must be updated using the following commands:
- Full U-Boot update (U-Boot Binary and U-Boot Device tree)
fiptool update --nt-fw <u-boot_path>/u-boot-nodtb.bin --hw-config <u-boot_path>/u-boot.dtb fip.bin
5 Updating the software on board
5.1 Partitioning of binaries
The FIP build provides a binary named fip.bin (or fip-<board-name>-<bootchain>.bin from official release). It MUST be copied to a dedicated partition for which the partition type GUID is 19d5df83-11b0-457b-be2c-7559c13142a5 (STM32MP_FIP_GUID in plat/st/common/include/stm32mp_efi.h ). As a fallback, TF-A will look for a partition named fip. When Secure Firmware Update is enabled, the 2 partitions are named fip-a and fip-b, but those names won't be used by TF-A.
5.2 Updating via SDCard
If you use an SDCard, simply update the FIP binary by using the dd command on your host.
Plug your SDCard into the computer and copy the binary to the dedicated partition; on an SDCard/USB disk the fip partition or fip-a/fip-b when Secure Firmware Update is enabled:
- SDCard: /dev/mmcblkXpY (where X is the instance number, Y is the partition number of the FIP) - SDCard via USB reader: /dev/sdXY (where X is the instance number, Y is the partition number of the FIP))
- Under Linux®
dd if=<fip binary file> of=/dev/<device partition> bs=1M conv=fdatasync
- Under Windows®
CoreUtils  that includes the dd command is available for Windows.
5.3 Updating via USB mass storage on U-boot
Refer to the previous section to put FIP binary into SDCard/USB disk.
5.4 Updating your boot device via STM32CubeProgrammer
Refer to the STM32CubeProgrammer documentation for details on how to update your target.