How to debug TF-A SP-MIN

1 Article purpose[edit]

This article explains how to debug TF-A SP-MIN firmware.
Debug is specifically linked to the TrustZone® environment.

There are two main ways to debug TF-A, by using traces inside the code, or by using JTAG to access the secure world. This article focuses on the solution integrated in OpenSTLinux, debug over gdb (based on ST-Link or JTAG). ,

2 Debugging[edit]

2.1 TF-A version number[edit]

The starting point for debugging is to identify the TF-A BL2 version used in the target. Debug and release versions are displayed on the console with the following format:

NOTICE: SP_MIN: v2.4-r1.0(debug):<tag>
  • v2.4-r1.0 is the TF-A SP-MIN version used.
  • (debug) : Build mode enable
  • <tag> : Git reference resulting from the git describe command at build time

2.2 Debugging with traces[edit]

TF-A allows RELEASE and DEBUG modes to be enabled:

  • RELEASE mode builds with default LOG_LEVEL to 20, which only prints ERROR and NOTICE traces.
  • DEBUG mode enables the -g build flag (for debugging the build object), and set LOG_LEVEL default value to 40.

With the debug LOG_LEVEL, you can add console traces such as ERROR, NOTICE, WARNING or INFO. Please refer to include/common/debug.h

Warning.png You cannot build code with LOG_LEVEL set to 50 (the highest level); this would generate too many traces and TF-A would not fit in the SYSRAM. If required, change some VERBOSE messages to INFO.

For both modes, you must ensure that the UART is properly configured:

  • SP-MIN: UART traces are default enabled

Traces and errors are available on the console defined in the chosen node of the device tree by the stdout-path property:

chosen {
        stdout-path = "serial0:115200n8";
};

Traces are only available when the console has been fully registered. Prior to that call, the traces are not displayed and it is recommended to use the debugger.

2.3 Debugging with GDB[edit]

TF-A SP-MIN is executed in CPU secure state. One can debug TF-A SP-MIN through JTAG using the embedded ST-Link or the JTAG output, if it is present on the board. For early SP-MIN debugging purposes, it is recommended to use the Wrapper for FSBL images that enables the debug link.

2.3.1 Debugging boot sequence[edit]

The SP-MIN boot stage is executed during the boot sequence. It is also called at runtime when SMC calls are issued. To break into SP-MIN, connect to the target and break.

When SP-MIN is compiled with the PIE feature, symbols must be loaded with the correct offset:

(gdb) add-symbol-file <path_to_build_folder>/bl32/bl32.elf -o <offset> 0

The offset can be found in the firmware configuration file (see tos_fw load address property) or in the boot logs:

    INFO:    BL2: Loading image id 4
    INFO:    Loading image id=4 at address 0x2ffc5000
    INFO:    Image id=4 loaded: 0x2ffc5000 - 0x2ffd847c


In the above example:

  • BL32 load address is 0x2ffc5000.

You can directly load all your symbols:

    (gdb) add-symbol-file <path_to_build_folder>/bl32/bl32.elf -o 0x2ffc5000 0

Set your hardware breakpoint and reset:

(gdb) hb sp_min_entrypoint
(gdb) monitor reset halt
(gdb) continue