How to import, build and debug STM32CubeMP2 StarterAppM33TD demonstration in STM32CubeIDE

Applicable for

STM32MP21x lines, STM32MP23x lines, STM32MP25x lines

---

Trusted domain applicability

This article is only applicable to M33-TD flavor of STM32MP2 series

Important

In this article, the STM32MP215F-DK Discovery kit is taken as example. Nevertheless, it is also applicable for STM32MP257F-DK Discovery kit and STM32MP257F-EV1 Evaluation board Rev D.

This article gives some guidelines to support secure project on Arm^®-Cortex^®-M33 for M33-TD flavor focuses on building secure firmware (Trusted Firmware-M) alongside nonsecure firmware, and provides guidance on how to debug both. It can be used on both Windows and Linux workstations. However, the screenshots in this article were taken on a Linux workstation.

The secure project relies on the StarterApp_M33TD project delivered in STM32CubeMP2 Package. This project offers a secure build configuration using Trusted Firmware-M (TF-M).

1. Prerequisites[edit | edit source]

1.1. Hardware prerequisites[edit | edit source]

• Board must be connected to the workstation, refer to hardware description articles for details : STM32MP215x-DKx - hardware description.
  • If you are using other boards please refer here:
    • STM32MP257x-DKx - hardware description,
    • STM32MP257x-EV1 - hardware description
• The ST-Link V3 cable must be connected to the PC USB port to display traces.​
• 2 consoles on your workstation are needed : one for Arm^®-Cortex^®-M33 and one for Arm^®-Cortex^®-A35. For that, 2 "USB to TTL serial cables" are needed, see STM32MP215x-DKx_-_hardware_description#Connecting USB to TTL serial cables

1.2. Software prerequisites[edit | edit source]

• STM32CubeIDE must be installed.
• STM32CubeMX must be installed.
• STM32CubeProgrammer must be installed.
• Download the M33-TD Starter Package according to the Ecosystem release you are using:

Warning

Only microSD cards SanDisk Class 10 and UHS Speed Class 1 are verified. Others are not recommended.

• The STM32MP2 image (binaries) is delivered through one tarball file named FLASH-stm32mp2-m33td-openstlinux-6.6-yocto-scarthgap-mpu-v26.02.18.tar.gz applicable to STM32MP215F-DK and STM32MP257x-EV1

• Download and install the STM32MP2 image (binaries):

The software package is provided AS IS, and by downloading it, you agree to be bound to the terms of the software license agreement (SLA0048). The detailed content licenses can be found here.

	STM32MP2 Starter Package image - STM32MP2-Ecosystem-v6.2.0 release for M33-TD flavor
Download	Warning Check first here, if a minor release based on this ecosystem release v6.2.0 is already published. If a minor release exists, replace the name of the STM32MP2 Starter Package file, used below, and in other wiki articles, by the name of file delivered with the minor release. Go on st.com to download the STM32MP2 Starter Package image, FLASH-stm32mp2-m33td-openstlinux-6.6-yocto-scarthgap-mpu-v26.02.18.tar.gz file.
Installation	Go to the host PC directory in which you want to install the Starter Package (<Starter Package installation directory>); if you follow the proposition to organize the working directory, this means: cd <working directory path>/Starter-Package Download the tarball file in this directory Uncompress the tarball file to get the binaries for the different partitions of the image, and the Flash layout files: tar xvf FLASH-stm32mp2-m33td-openstlinux-6.6-yocto-scarthgap-mpu-v26.02.18.tar.gz
Release note	Details of the content of this software package are available in the associated STM32 MPU OpenSTLinux release note. If you are interested in older releases (STM32MP2-Ecosystem-v6.1.0), please have a look into the section Archives

• The binaries and the Flash layout files are in the <Starter Package installation directory>/stm32mp2-m33td-openstlinux-6.6-yocto-scarthgap-mpu-v26.02.18/images/stm32mp2-m33td/ directory. The most important ones are:

stm32mp2-m33td
├── arm-trusted-firmware                                                                    TF-A binaries for FSBLa partitions and supported boot chains
│   ├── bl2                                                                                 TF-A BL2 binary for FIP binaries creation
│   │   ├── tf-a-<board name>-<hardware security>-<boot chain>-<storage>.bin
│   │   └── [...]
│   ├── bl31                                                                                TF-A BL31 binary for FIP binaries creation
│   │   ├── debug                                                                           Debug binaries for BL31
│   │   │   ├── tf-a-bl31-<board name>-<hardware security>-<boot chain>-<storage>.elf           Debug symbol file for TF-A BL31
│   │   │   └── [...]
│   │   ├── <board name>-<hardware security>-<boot chain>-<storage>.dtb                     TF-A BL31 device tree for FIP binaries creation
│   │   ├── tf-a-bl31-<board name>-<hardware security>-<boot chain>-<storage>.bin           TF-A BL31 binary for FIP binaries creation
│   │   └── [...]
│   ├── ddr                                                                                 Trained DDR binary for FIP binaries creation
│   │   ├── ddr_pmu-<board name>-<hardware security>-<boot chain>-<storage>.bin
│   │   └── [...]
│   ├── debug                                                                               Debug binaries for TF-A
│   │   ├── debug-tf-a-<board name>-<hardware security>-<boot chain>-<storage>.stm32        Debug file for FSBL
│   │   ├── tf-a-bl2-<soc name>-<boot chain>-<storage>.elf                                  Debug symbol file for TF-A
│   │   └── [...]
│   ├── fwconfig                                                                            TF-A device tree for FIP binaries creation
│   │   ├── <board name>-<hardware security>-fwconfig-<boot chain>-<storage>.dtb
│   │   └── [...]
│   ├── metadata.bin                                                                        Meta data binary for METADATA partition for the supported boards
│   ├── tf-a-<board name>-<hardware security>-<boot chain>-<storage>.stm32                  TF-A binary for FSBL partition
│   └── [...]
├── arm-trusted-firmware-m                                                                  TF-M binaries for FSBLm partitions and supported boot chains
│   ├── debug                                                                               Debug binaries for TF-M
│   │   ├── debug-bl2-<board name>-<hardware security>.stm32                                Debug file for FSBLm
│   │   ├── tfm-<board name>-<hardware security>-<storage m33>-<storage a35>_s.elf          Debug symbol file for TF-M
│   │   └── [...]
│   ├── key                                                                                 Security key used by TF-M
│   │   ├── image_ns_signing_public_key-<board name>-<hardware security>-<storage m33>.pem
│   │   ├── image_s_signing_private_key-<board name>-<hardware security>-<storage m33>.pem
│   │   ├── image_s_signing_public_key-<board name>-<hardware security>-<storage m33>.pem
│   │   └── [...]
│   ├── bl2-<board name>-<hardware security>-<storage m33>.stm32                            TF-M binary for FSBLm partition
│   ├── ddr_phy_signed-<board name>-<hardware security>-<storage m33>.bin                   TF-M binary for M33ddr partition
│   └── [...]
├── fip                                                                                     FIP binaries for FIP partitions and supported boot chains
│   ├── fip-<board name>-<hardware security>-ddr-<boot chain>-<storage>.bin                 FIP binary for FIP DDR partition
│   ├── fip-<board name>-<hardware security>-<boot chain>-<storage>.bin                     FIP binary for FIP partition
│   └── [...]
├── flashlayout_st-image-weston                                                             Flash layout files (description of the partitions) for the supported boot chains on supported boot devices and boards
│   ├── [...]
│   ├── extensible                                                                          Flash layout files for microSD card boot device with no userfs partition but a rootfs partition extended to microSD card size
│   │   ├── FlashLayout_sdcard_<board name>-<hardware security>-extensible.tsv              (recommended setup for package repository service) microSD card boot device with rootfs partition extended to microSD card size
│   │   └── [...]
│   └── optee                                                                               Flash layout files for optee boot chain
│       ├── FlashLayout_<boot device>_<board name>-<hardware security>-optee.tsv
│       └── [...]
├── Kernel                                                                                   Debug binaries for Linux kernel
│   ├── config-6.6.116                                                                    Reference config file for Linux kernel
│   └── vmlinux                                                                              Image of the Linux kernel
├── m33-firmware                                                             TF-M/CubeMp2 binaries for M33FW partitions and supported boot chains
│   ├── ddr_phy-<board name>-cm33tdcid-ostl-sdcard_Signed.bin  <hardware security>-<storage m33>_Signed.bin  DDR binary for M33ddr' partition
│   ├── tf-m-starterapp-<board name>-<hardware security>-<storage m33>-<storage a35>_s_ns.bin  TF-M/CubeMP2 binary for M33FW partition
│   └── [...]
├── m33-project                                                             CubeMp2 firmware binaries which can be assembled with TF-M secure binaries
│   ├── StarterApp_M33TD_full-dynamic-<board name>-<hardware security>-<storage m33>-<storage a35>_ns.bin CubeMP2 binary
│   └── [...]
├── optee                                                                                    OPTEE-OS binaries
│   ├── debug                                                                                Debug binaries for OPTEE-OS
│   │   ├── tee-<board name>-<hardware security>-<boot chain>.elf                            Debug symbol file for OPTEE-OS
│   │   ├── tee-<board name>-<hardware security>-<boot chain>-programmer.elf                 Debug symbol file for OPTEE-OS configured for usb/serial
│   │   └── [...]
│   ├── tee-header_v2-<board name>-<hardware security>-<boot chain>.bin                    OPTEE-OS binary for FIP binaries creation (FIP partition)
│   ├── tee-header_v2-<board name>-<hardware security>-<boot chain>-programmer.bin         OPTEE-OS binary for FIP binaries creation (FIP-BOOT partition)
│   ├── tee-pageable_v2-<board name>-<hardware security>-<boot chain>.bin                  OPTEE-OS binary for FIP binaries creation (FIP partition)
│   ├── tee-pageable_v2-<board name>-<hardware security>-<boot chain>-programmer.bin       OPTEE-OS binary for FIP binaries creation (FIP-BOOT partition)
│   ├── tee-pager_v2-<board name>-<hardware security>-<boot chain>.bin                     OPTEE-OS binary for FIP binaries creation (FIP partition)
│   ├── tee-pager_v2-<board name>-<hardware security>-<boot chain>-programmer.bin          OPTEE-OS binary for FIP binaries creation (FIP-BOOT partition)
│   └── [...]
├── scripts
│   └── create_sdcard_from_flashlayout.sh
├── u-boot                                                                                   U-BOOT binaries
│   ├── debug                                                                                Debug binaries for U-BOOT
│   │   ├── u-boot-<soc name>-<u-boot config>.elf                                            Debug symbol file for U-BOOT
│   │   └── [...]
│   ├── configuration-<soc name>_defconfig                                                   Reference configuration file for U-Boot
│   ├── u-boot-nodtb-<soc name>-<u-boot config>.bin                                        U-BOOT binary for FIP binaries creation
│   ├── u-boot-<board name>-<hardware security>-<u-boot config>.dtb                          U-BOOT device tree for FIP binaries creation
│   └── [...]
├── st-image-weston-openstlinux-weston-stm32mp2-m33td.rootfs.ext4                            Binary for full image content (no split of partition)
├── st-image-weston-openstlinux-weston-stm32mp2-m33td.rootfs.license
├── st-image-weston-openstlinux-weston-stm32mp2-m33td.rootfs-license_content.html            License summary for all packages needed to feed all partitions
├── st-image-weston-openstlinux-weston-stm32mp2-m33td.rootfs.manifest
├── st-image-weston-openstlinux-weston-stm32mp2-m33td.splitted-bootfs.ext4                    Binary for bootfs partition on eMMC and microSD card devices)
├── st-image-weston-openstlinux-weston-stm32mp2-m33td.splitted-vendorfs.ext4                  Binary for vendorfs partition on eMMC and microSD card devices)
├── st-image-weston-openstlinux-weston-stm32mp2-m33td.splitted-rootfs.ext4                    Binary for rootfs partition on eMMC and microSD card devices)
├── st-image-weston-openstlinux-weston-stm32mp2-m33td.splitted-userfs.ext4                    Binary for userfs partition on eMMC and microSD card devices)
└── [...]

Description:

<soc name>:
* stm32mp21
* stm32mp25
<board name>:
* stm32mp215-dk, stm32mp257f-ev1
<hardware security>:
* if nothing declared then there is a minimal hardware configuration for RIFF profile OPEN
* cm33tdcid-ostl                     custom hardware configuration (can be different following use-case and hardware) for RIFF profile  CUSTOM (CLOSED)
* cm33tdcid-ostl-serial-ca35tdcid    specific configuration used for programmation
<boot chain>:
* optee                     optee boot chain
<storage>:
* emmc                            eMMC storage
* nor                             NOR storage
* programmer-uart                 storage programmation via UART
* programmer-usb                  storage programmation via USB
* sdcard                          microSD card storage
<storage a35>:
* emmc                            eMMC storage
* nor                             NOR storage
* sdcard                          microSD card storage
<storage m33>:
* emmc                            eMMC storage
* nor                             NOR storage
* sdcard                          microSD card storage
<boot device>:
* emmc                            boot Cortex M33 via emmc storage and Cortex A35 via emmc storage
* nor-emmc                        boot Cortex M33 via nor storage and Cortex A35 via emmc storage
* nor-nor-sdcard                  boot Cortex M33 via nor storage and Cortex A35 via nor storage for first stage (fsbl, fip) and files system are located on sdcard storage
* nor-sdcard                      boot Cortex M33 via nor storage and Cortex A35 via sdcard
* sdcard                          boot Cortex M33 via sdcard storage and Cortex A35 via sdcard storage
<u-boot config>:
* default
* programmer                Programmer config enabled

• Install build environment and python dependencies for TF-M as described in How_to_configure,_build_and_deploy_TF-M#Prerequisites chapter.

Warning

Be careful to clone from the STMicroelectronics Github.

• Install sources of trusted-firmware-m as described in How_to_configure,_build_and_deploy_TF-M#Downloading_source chapter.

Trusted-firmware-m should be installed in STM32CubeMP2 Package, Middlewares/Third_Party/trusted-firmware-m.

• Go where you installed trusted-firmware-m

cd <working directory path>/STM32Cube_FW_MP2_V1.X.0/Middlewares/Third_Party/trusted-firmware-m

• Install, on the workstation, python libraries, needed for TF-M signature python script.

pip install -r tools/requirements.txt

Warning

The process running STM32CubeIDE must define HTTP and HTTPS proxies for the CMake command to successfully access the network. Network access is required to download TF-M sources and dependencies during CMake configure. For help to set up proxy please read How_to_set_up_proxy_and_P2P_Ethernet_connection_with_STM32CubeIDE On Linux® workstation, it is recommended to launch STM32CubeIDE from your terminal with configured proxy environment.

Warning

On Windows, you may need to rename the file "python.exe" as "python3.exe" to complete the build.

Warning

On Ubuntu 22.04, when compiling MCUboot BL2 after installing all required build tools and dependencies, you may encounter errors due to missing Python modules required by the scripts boot_record.py (requires cbor2) and image.py (requires intelhex) located in Third_Party/trusted-firmware-m/config_default/lib/ext/mcuboot-src/scripts/imgtool/. To resolve these issues, install the necessary packages by running: sudo pip install cbor2 intelhex imgtool in your terminal.

1.3. Import StarterApp_M33TD project into STM32CubeIDE[edit | edit source]

StarterApp_M33TD project is imported into STM32CubeIDE from STM32CubeMP2 Package using the menu File > Import....
Then, expand General, choose Existing Projects into Workspace.

A new window appears in Select root directory: click on Browse... and select in the STM32CubeMP2 firmware .../STM32Cube_FW_MP2_V1.X.0/Projects/STM32MP215F-DK/Demonstrations/StarterApp_M33TD/STM32CubeIDE.

Note that StarterApp_M33TD project is available from STM32CubeMPU package repository on local disk or from Projects/STM32MP215F-DK/Demonstrations/StarterApp_M33TD .

Resulting project structure contains two projects:

• StarterApp_M33TD_CM33_NonSecure, HAL-based project, addressing nonsecure part of application.
• StarterApp_M33TD_CM33_trusted-firmware-m, pre-set CMake STM32CubeIDE project for TF-M, with link to sources: trusted-firmware-M pointing inside STM32CubeMP2 Package Middlewares/Third_Party/trusted-firmware-m

1.4. Set up and configure the StarterApp_M33TD_CM33_trusted-firmware-m project[edit | edit source]

1.4.1. Configure trusted-firmware-m link[edit | edit source]

Information

This section is normally not needed if you followed the #Software_prerequisites and installed the trusted-firmware-m sources in Middlewares/Third_Party/trusted-firmware-m. You should only follow it if your trusted-firmware-m is empty: trusted-firmware-m imported empty link

To use the Trusted Firmware-M (TF-M) source files in your project, you need to specify the path to the TF-M repository.

As shown in the screenshot below, enter the correct path to the TF-M source folder in the STM32CubeIDE project settings to properly link the repository with your CMake-based project configuration.

Right click in trusted-firmware-m -> Properties -> Resources -> Edit and provide the path to trusted-firmware-m directory .

To get source code, follow the instructions in How_to_configure,_build_and_deploy_TF-M#Installing_sources. You can then refresh STM32CubeIDE project and view sources.

1.4.2. CMake configuration[edit | edit source]

In order to check CMake command

• right click on StarterApp_M33TD_CM33_trusted-firmware-m->Properties-> C/C++ build, click on CMake Settings tab, then in Other Options put your "CMake command" Apply > Apply and close

The trusted-firmware-M project is imported with pre-configured settings, but some of them can be customized.

Below an example of STM32MP215F-DK board - CMake project usage settings:

-DTFM_PLATFORM=stm/stm32mp215f_dk 
-DTFM_TOOLCHAIN_FILE=toolchain_GNUARM.cmake 
-DSTM32_BOOT_DEV=sdmmc1 # This option can be modified if you are not using the SD-CARD as boot memory.
-DTFM_PROFILE=profile_medium 
-DSTM32_M33TDCID=ON 
-DCMAKE_BUILD_TYPE=Relwithdebinfo 
-DNS=OFF 
-DDTS_EXT_DIR=../../../../../../../../Utilities/dt-stm32mp
-DDTS_BOARD_BL2=stm32mp2/m33-td/mcuboot/stm32mp215f-dk-cm33tdcid-ostl-sdcard-bl2.dts
-DDTS_BOARD_S=stm32mp2/m33-td/tfm/stm32mp215f-dk-cm33tdcid-ostl-sdcard-s.dts
-DDEBUG_AUTHENTICATION=FULL  # Enabled for Debug Purpose, Default: this option is removed.

Warning

You must manually update DTS_EXT_DIR because the one delivered in STM32Cube_FW_MP2_V1.2.0 is not correct. The path value should be ../../../../../../../../Utilities/dt-stm32mp.

2. Set up embedded software[edit | edit source]

2.1. Populate the board with OpenSTLinux release for M33-TD flavor [edit | edit source]

Flash OpenSTLinux Starter Package ecosystem release v6.2.0 (or ecosystem release v6.1.0 ) dedicated to M33-TD flavor on your SD card, following instructions given in STM32MP21_Discovery_kits_-_Starter_Package#Image flashing / STM32MP25_Discovery_kits_-_Starter_Package#Image_flashing / STM32MP25_Evaluation_boards_-_Starter_Package#Image_flashing chapter.

2.2. Boot the board[edit | edit source]

2.2.1. Configure boot pins[edit | edit source]

Once the embedded software has been downloaded onto the desired storage medias, specific boot pins configuration is needed to boot on Arm^®-Cortex^®-M33.

In this example, we want to use the storage profile sdcard-sdcard where embedded software images meant for Arm^®-Cortex^®-M33 and Arm^®-Cortex^®-A35 are both stored on sdcard.

You must refer to STM32MP215x-DKx_-_hardware_description#Boot_switches / STM32MP257x-DKx_-_hardware_description#Boot_switches / STM32MP257x-EV1_-_hardware_description#Boot-related_switches to configure the boot pin correctly for M33-TD flavor .

2.2.2. Create a second console[edit | edit source]

Two consoles are needed to check the dual boot.
See How_to_open_several_serial_consoles

To trace boot logs for Arm^®-Cortex^®-M33 and Arm^®-Cortex^®-A35, you must open two consoles on windows.

2.2.3. Start your board[edit | edit source]

To boot your board, you need to reset it by pressing on the Reset button on the board.

See dual boot steps, on the both consoles, in the screenshot below:

2.3. Configure StarterAppM33TD application with Device tree generated by STM32CubeMX[edit | edit source]

Information

This part is optional. It is needed if you want to use the device tree generated from STM32CubeMX

The StarterAppM33TD application can be configured to run with a device tree generated by STM32CubeMX project.

To create an M33-TD flavor STM32CubeMX project, follow instructions given in How_to_create_STM32MPU_projects_with_STM32CubeMX#Create_an_STM32MP2_series_project

• Below an example of the device tree files generated by STM32CubeMX

username@hostname:~/Downloads/MP2_TFM_TEST/MP21_board/CM33/DeviceTree$ tree

└── MP21_board
   ├── mcuboot
   │   ├── stm32mp215f-mp21_board-mx.dts
   │   ├── stm32mp215f-mp21_board-mx-rcc.dtsi
   │   ├── stm32mp215f-mp21_board-mx-resmem.dtsi
   │   ├── stm32mp215f-mp21_board-mx-rif.dtsi
   │   └── stm32mp21-mx.dtsi
   └── tf-m
       ├── stm32mp215f-mp21_board-mx.dts
       ├── stm32mp215f-mp21_board-mx-rcc.dtsi
       ├── stm32mp215f-mp21_board-mx-resmem.dtsi
       └── stm32mp215f-mp21_board-mx-rif.dtsi

• In order to build with STM32CubeMX Device Tree user have to update CMake project usage settings.
• Only these ones should be updated :

-DDTS_EXT_DIR=/local/home/username/Downloads/MP2_TFM_TEST/MP21_board/CM33/DeviceTree 
-DDTS_BOARD_BL2=MP21_board/mcuboot/stm32mp215f-mp21_board-mx.dts 
-DDTS_BOARD_S=MP21_board/tf-m/stm32mp215f-mp21_board-mx.dts

3. Build updated project[edit | edit source]

3.1. Build the StarterApp_M33TD_CM33_trusted-firmware-m project[edit | edit source]

• StarterApp_M33TD_CM33_trusted-firmware-m project generates bl2.stm32 , ddr_phy_signed.bin , tfm_s.bin , tfm_s.elf and bl2.elf.
• StarterApp_M33TD_CM33_NonSecure project generates StarterApp_M33TD_CM33_NonSecure_tfm_s_ns_signed.bin

So when bl2 or tfm-s are rebuilt, you need to rebuild StarterApp_M33TD_CM33_NonSecure project in order to link and sign secure tfm_s.bin and StarterApp_M33TD_CM33_NonSecure.bin thanks to "postbuild" command, explained below in the article.

You can configure your project doing right click to your StarterApp_M33TD_CM33_trusted-firmware-m > CMake configure.

Information

If you already made the CMake configuration in the past, you can override it by selecting Delete and Reconfigure.

Then run the build of StarterApp_M33TD_CM33_trusted-firmware-m by cliking on the hammer build icon from eclipse.

The generated ELF files tfm_s.elf and bl2.elf, are needed to debug. They can be found in:

• StarterApp_M33TD_CM33_trusted-firmware-m/trusted-firmware-m/config_default/api_ns/bin/ tfm_s.elf
• StarterApp_M33TD_CM33_trusted-firmware-m/trusted-firmware-m/config_default/api_ns/bin/ bl2.elf

3.2. Build the StarterApp_M33TD_CM33_NonSecure project[edit | edit source]

3.2.1. Activate generation of .bin[edit | edit source]

• To generate the bin object StarterApp_M33TD_CM33_NonSecure_tfm_s_ns_signed.bin, you need to activate the generation of the .bin from

right click StarterApp_M33TD_CM33_NonSecure > Properties > C/C++ Build > Settings > MCU/MPU Post build outputs > select covert to binary file(-O binary ):

3.2.2. Select Build Config[edit | edit source]

Before starting build of the StarterApp_M33TD_CM33_NonSecure project, we need to select the config best applicable for our usecase.

3.2.3. Postbuild[edit | edit source]

The StarterApp_M33TD_CM33_NonSecure project is used to get StarterApp_M33TD_CM33_NonSecure_tfm_s_ns_signed.bin object in order to link and sign secure tfm_s.bin, and non secure StarterApp_M33TD_CM33_NonSecure.bin
thanks to "postbuild" command visible in C/C++ Build > Settings and in tab Build Steps:

3.3. Using STM32CubeProgrammer to flash the new binaries[edit | edit source]

3.3.1. Copy the Firmware Images generated in previous step to the correct locations[edit | edit source]

• STM32CubeProgrammer GUI can read a tsv file and flash the binaries mentioned in correct partitions on the external memories (sdcard, eMMC, sNOR etc)
• OSTL starter package comes with pre-compiled binaries for M33-TD flavor .
• To be able to flash the external memory with our newly compiled binaries we need to replace them.
• copy our newly compiled images to the correct directory as shown in the tsv file below.
  • bl2.stm32 :: By default generated in STM32Cube_FW_MP2_V1.X.0/Middlewares/Third_Party/trusted-firmware-m/config_default/api_ns/bin/,
  • ddr_phy_signed.bin :: By default generated in STM32Cube_FW_MP2_V1.X.0/Middlewares/Third_Party/trusted-firmware-m/config_default/api_ns/bin/
  • StarterApp_M33TD_CM33_NonSecure_tfm_s_ns_signed.bin :: By default generated in STM32Cube_FW_MP2_V1.X.0/Projects/STM32MP215F-DK/Demonstrations/StarterApp_M33TD/STM32CubeIDE/CM33/NonSecure/CM33TDCID_m33_ns_tfm_s_sign/

3.3.2. Flashing with STM32CubeProgrammer GUI Application[edit | edit source]

• Run STM32CubeProgrammer GUI Application

• Fill Binaries Directory with the path to binaries inside OpenSTLinux images: <working directory path>/Starter-Package/stm32mp2-m33td-openstlinux-6.6-yocto-scarthgap-mpu-vxx.xx.xx/images/stm32mp2-m33td/.
• Fill TSV File with the updated .tsv file.
• Connect to the target through USB
• Click on Download button.

4. How to debug[edit | edit source]

4.1. Prerequisites to debug[edit | edit source]

Once the download is completed, you must configure again the Boot Pin for M33-TD flavor boot. You must refer to STM32MP215x-DKx_-_hardware_description#Boot_switches.

4.2. Debug bl2[edit | edit source]

Open a console in STM32CubeIDE and reboot the board, you should see logs like this:​

By default the code should be stuck in the bl2.​

Select StarterApp_M33TD_CM33_trusted-firmware-m project and right click to get Debug As > Debug configurations....

Double click STM32 C/C++ Application and create debug configuration:

• In main tabulation, Search Project and select bl2.elf.
• In Debugger tabulation:
  • Load Mode and select thru JTAG/SWD link (Engineering mode).
• In Startup tabulation:
  • Remove all the Initialization Commands
  • Disable in Runtime Options the Resume checkbox.
  • Select the Load Image and Symbols element click Edit and disable Download.

And click on Apply.

Click on Debug and you should see that you are in /StarterApp_M33TD_CM33_trusted-firmware-m/trusted-firmware-m/platform/ext/target/stm/common/stm32mp2xx/bl2/boot_hal.c.

You can just use the step into button to continue your debug in the BL2.

4.3. Debug TF-M secure[edit | edit source]

Information

A way to control entry point of the TF-M debug session could be to add a debug loop. enum tfm_hal_status_t tfm_hal_platform_init(void) { // Debug loop entry volatile int i=1; while(i); The debug session starts inside this debug loop. In variable tab, you can modify the value of “i” to 0 to unlock the loop and then it become possible to step into TF-M initialization code.

When debugging TF-M Secure and nonsecure firmware, please note that both run with cache enabled (D-Cache and I-Cache) by default. Because of this, standard breakpoints and variable modifications may not work as expected during debugging.

To avoid these limitations and to make easier the debug, you can disable the cache for debug purpose.

4.3.1. Disabling Cache[edit | edit source]

• You need to modify your CMake settings and add at the beginning:

-DSTM32_CACHE_ENABLED=OFF

The explanation to reach the CMake settings is available here: CMake_configuration

• Then run the CMake Configure and the build of the trusted-firmware-m Build_the_StarterApp_M33TD_CM33_trusted-firmware-m_project

• Build the NonSecure project Build_the_StarterApp_M33TD_CM33_NonSecure_project

• Flash the new binaries Populate_board_with_the_created_project

4.3.2. Create the TF-M debug configuration[edit | edit source]

Select StarterApp_M33TD_CM33_trusted-firmware-m project and right click to get Debug As > Debug configurations. Double click STM32 C/C++ Application and edit debug configuration:

• Rename it with _tfm at the end of the name
• InMain tabulation:
  • Search Project and select tfm_s.elf.
• InDebugger tabulation:
  • Load Mode and select thru JTAG/SWD link (Engineering mode).
• In Startup tabulation:
  • Disable Resume.
  • Remove monitor halt & monitor reset
  • Select the Load Image and Symbols element click Edit and disable Download.

Apply and Debug.

Information

Each time you want to debug the TF-M, you should first debug the BL2 to pass the __WFI(); in the code. This Waiting for Interrupt is there to help to debug the BL2, but it can be commented for being able to load the TF-M directly. Go inside /StarterApp_M33TD_CM33_trusted-firmware-m/trusted-firmware-m/platform/ext/target/stm/common/stm32mp2xx/bl2/boot_hal.c In int stm32mp2_init_debug(void), replace __WFI(); with // __WFI(); Rebuild everything Flash the new binaries.

4.4. Debug StarterApp_M33TD_CM33_NonSecure[edit | edit source]

Information

Example of a way to control entry point of the CM33 Non Secure debug session. Comment the waiting point (while) that we added in Debug_TF-M_secure and instead edit StarterApp_M33TD_CM33_NonSecure/Application/User/Core/Src/main.c: In the function main, replace: #ifdef DEBUG with #ifndef DEBUG Build the updated project Build_updated_project Flash the new binaries Populate_board_with_the_created_project The debug session starts inside this debug loop. In variable tab, you can modify the value of “debug” to 0 to unlock the loop and then it become possible to step into TF-M initialization code.

SelectStarterApp_M33TD_CM33_NonSecure project and right click to get Debug As > Debug configurations. Double click STM32 C/C++ Application and edit debug configuration:

• In main tabulation, Search Project and select StarterApp_M33TD_CM33_NonSecure.elf.
• In Debugger tabulation, Load Mode and select thru JTAG/SWD link (Engineering mode).
  • In configuration Script select User Defined and point to your updated cfg
• In Startup tabulation:
  • Disable Resume.
  • Remove monitor halt & monitor reset
  • Select the Load Image and Symbols element click Edit and disable Download.

Apply and Debug.

Information

Compiler Optimization settings If you encounter an issue when starting a debug session, always confirm that the compiler optimization is set to Debug. In Properties -> C/C++ Build -> Settings -> MCU GCC Compiler -> Debugging -> Debug level should be set at Maximum (-g3)