How to configure TF-A SP-MIN

1 Article purpose

This section details the TF-A SP-MIN (BL32) component. It explains how to use it in the STM32 MPU runtime context, how to build it from sources, and how to deploy it on your target.

2 Overview

TF-A SP-MIN is a secure partition that can be used for the ST boot chain.
This secure partition is executed in monitor mode. It is a secure implementation for limited services:

  • PSCI
  • SCMI
  • SiP services

For a more complete secure implementation, choose OP-TEE OS.

Warning: TF-A SP-MIN images must be embedded in the FIP binary that is loaded by TF-A BL2 and can be automatically authenticated.

3 Configuration

TF-A SP-MIN is based on device tree configuration.
Its device tree (called TOS_FW_CONFIG) is also loaded by TF-A BL2, and its load address is passed to SP-MIN as the second argument. This allows the SP-MIN code to remain generic and adapt to the board based on the device tree.

4 Memory layout

SP-MIN binary (bl32.bin) is embedded in the FIP binary and identified as tos-fw.
The SP-MIN device tree is also embedded in the FIP and identified as tos-fw-config.

SP-MIN is built with the PIE option, which makes the code executable from a configurable address. The load addresses for SP-MIN and the device tree are configurable through the TF-A firmware configuration framework. If required, each load address can be changed independently by modifying the firmware configuration file.

5 Source code access and build process

Cross compilation of TF-A SP-MIN is only required if it has to be modified.
Refer to Setup Cross compile environment.

If changes have been made, rebuild TF-A (SP-MIN) and update the FIP. Update the associated FIP partitions of your boot device with this new image.

The build process creates a TF-A SP-MIN image and its device tree.

5.1 Install sources

5.1.1 From the Developer package

The Developer Package contains OpenSTLinux and TF-A sources: TF-A Installation

5.1.2 Official source tree

Download source code from the official Trusted Firmware-A git repository.

 PC $> git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git

Warning: The STM32MP1 platform is not yet fully upstreamed. Depending on the version used, some features may not be available.


For a full-featured software, go to STMicroelectronics github:

 PC $> git clone https://github.com/STMicroelectronics/arm-trusted-firmware.git


5.1.3 Distribution Package

It is possible to use the distribution package to download and rebuild TF-A SP-MIN.

5.1.4 Build Process

5.1.4.1 TF-A Build flags

Here is the list of the mandatory flags that need to be specified to complete the SP-MIN build:

  • ARM_ARCH_MAJOR=7: the major version of the Arm architecture to target (STM32MP1 is based on an Armv7 architecture)
  • ARCH=aarch32: specifies aarch32 architecture to be built
  • PLAT=stm32mp1: builds an STM32MP1 platform
  • DTB_FILE_NAME=<fdt file name>.dtb: this flag must be defined to build the proper target and include the correct DTB file into the final file
  • AARCH32_SP=sp_min: selects SP-MIN as secure partition

Optional flags:

  • BUILD_PLAT=<folder>: custom output folder name (default is build/<debug/release>/)
  • DEBUG=1: adds debug information in all binaries
  • V=1: prints verbose compilation traces


5.1.5 Build command

Warning: The DTB_FILE_NAME flag and AARCH32_SP=sp_min must be set to select the correct board configuration.

The device tree file for the target must be located in the fdts folder (<board>.dts).

First add your own environment flags:

 PC $> unset LDFLAGS;
 PC $> unset CFLAGS;

Then compile the TF-A SP-MIN (BL32).

5.1.5.1 STM32MP15

The default build command for STM32MP15 is:

 PC $> make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=<board>.dtb bl32 dtbs

Here is the build command for the stm32mp157c-ev1 board:

 PC $> make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=stm32mp157c-ev1.dtb bl32 dtbs
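
A pre-flight check for the build command, as an added example that is not part of the original page or of TF-A: it verifies the mandatory flags exactly as listed above, the LDFLAGS/CFLAGS cleanup, and the presence of fdts/<board>.dts, so a missing or misspelled flag name is caught before make runs. The function name check_spmin_args and its messages are hypothetical.

```shell
#!/bin/sh
# Added example, not from the ST wiki page: pre-flight check of the arguments
# meant for `make` against the mandatory SP-MIN flags listed above.
# Usage: check_spmin_args <tf-a source dir> <make arguments...>
# Prints one line per problem; returns 0 only when nothing is wrong.
check_spmin_args() {
    src_dir=$1; shift
    rc=0 dtb="" seen=""

    # The page unsets these two before building; flag them if still set.
    if [ -n "${LDFLAGS+set}${CFLAGS+set}" ]; then
        echo "unset LDFLAGS and CFLAGS before building"; rc=1
    fi

    for arg in "$@"; do
        case $arg in
            DTB_FILE_NAME=*) dtb=${arg#DTB_FILE_NAME=} ;;
            *=*)             seen="$seen $arg" ;;
        esac
    done

    # Exact NAME=value match: a near-miss flag name does not count.
    for want in ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min; do
        case " $seen " in
            *" $want "*) ;;
            *) echo "missing or wrong: $want"; rc=1 ;;
        esac
    done

    # DTB_FILE_NAME=<board>.dtb needs fdts/<board>.dts in the source tree.
    case $dtb in
        "")    echo "missing: DTB_FILE_NAME=<board>.dtb"; rc=1 ;;
        *.dtb) dts=$src_dir/fdts/${dtb%.dtb}.dts
               [ -f "$dts" ] || { echo "no device tree source: $dts"; rc=1; } ;;
        *)     echo "DTB_FILE_NAME must end in .dtb: $dtb"; rc=1 ;;
    esac
    return $rc
}
```

Call it with the TF-A source directory followed by the exact arguments you intend to pass to make, and run make only when it returns 0.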

5.1.6 Final image

Final images are available for updating the FIP binary (including the associated firmware configuration file):

 <BUILD_PLAT>/bl32.bin
 <BUILD_PLAT>/fdts/<board>.dtb
 <BUILD_PLAT>/fdts/<board>-fw-config.dtb

Example:

 build/release/bl32.bin
 build/release/fdts/stm32mp157c-ev1.dtb
 build/release/fdts/stm32mp157c-ev1-fw-config.dtb

5.2 Updating the software

The SP-MIN binary and its associated firmware are part of the FIP binary.
The next step to deploy the SP-MIN firmware is to update the FIP binary following the FIP update process.

5.3 Extra tips

When generating SP-MIN, it is also possible to generate the associated FIP in a single command line.
Example for the STM32MP15 platform:

 PC $> make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=<board_name>.dtb BL33=<u-boot_path>/u-boot-nodtb.bin \
         BL33_CFG=<u-boot_path>/u-boot.dtb bl32 dtbs fip
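
A check that a generated FIP actually carries both SP-MIN entries named in the memory layout section (tos-fw and tos-fw-config), as an added example that is not part of the original page or of TF-A. It assumes a listing in the layout printed by TF-A's fiptool info, one entry per line with a size=0x... field and a trailing cmdline="--<identifier>"; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ST wiki page. Reads a FIP listing on stdin, one
# entry per line with size=0x... and cmdline="--<identifier>" fields (assumed
# to be the `fiptool info` layout), and checks the two SP-MIN entries.
# Prints "<identifier>: missing" or "<identifier>: empty"; returns 0 if both are fine.
fip_check_spmin() {
    awk '
        match($0, /cmdline="--[^"]+"/) {
            # Take the whole identifier up to the closing quote, so that
            # tos-fw-config or tos-fw-extra1 never stands in for tos-fw.
            id = substr($0, RSTART + 11, RLENGTH - 12)
            size[id] = "?"
            if (match($0, /size=0x[0-9A-Fa-f]+/))
                size[id] = substr($0, RSTART + 5, RLENGTH - 5)
        }
        END {
            bad = 0
            n = split("tos-fw tos-fw-config", need, " ")
            for (i = 1; i <= n; i++) {
                id = need[i]
                if (!(id in size))            { print id ": missing"; bad = 1 }
                else if (size[id] ~ /^0x0+$/) { print id ": empty"; bad = 1 }
            }
            exit bad
        }'
}

# Constructed listing (offsets and sizes are made up): the SP-MIN device tree
# is present but the bl32.bin entry (tos-fw) is absent.
sample_listing_no_bl32() {
    cat <<'EOF'
FW_CONFIG: offset=0x100, size=0x226, cmdline="--fw-config"
TOS_FW_CONFIG: offset=0x400, size=0x4A2C, cmdline="--tos-fw-config"
Non-Trusted Firmware BL33: offset=0x5000, size=0xE5C30, cmdline="--nt-fw"
EOF
}
```

Pipe the listing of the freshly built FIP into fip_check_spmin before writing it to the FIP partitions of the boot device.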