Last edited 3 weeks ago

STM32MPU OP-TEE profiles

Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP25x lines


1. Purpose[edit source]

This article presents the STM32MPU OP-TEE configuration profiles. Last section gives references to OP-TEE build environment where to apply the configuration tuning.

For information on the many configuration switches of OP-TEE, refer to the mainline documentation [1] and to OP-TEE configuration switches article.

2. Overview[edit source]

As detailed in STM32MPU OP-TEE Overview article, OP-TEE is used both as a system resource manager and as a secure service provider in STM32MPU software deliveries. Support for these services can be set from specific CFG_xxx configuration switches (see OP-TEE configuration switches) however STM32MPU defines an OP-TEE configuration profile directive, CFG_STM32MP_PROFILE, that allows to set whether OP-TEE embeds secure services or only the system resource services. This article describes these profiles and the related services embedded in OP-TEE OS.

3. OP-TEE system services profile[edit source]

OP-TEE system resource management profile is enabled with CFG_STM32MP_PROFILE=system_services.

OpenSTLinux is designed to run a Linux ® kernel on an Arm Cortex-A processor. In this architecture, Linux ® kernel is designed to execute in the non-secure state of the processor. Arm specifies several standard interfaces for Linux ® kernel (more generally Cortex-A non-secure world software) to access resources that are under secure world control by processor and/or chip architecture design, even if these resources may not strictly require Root of Trust (RoT) constraints on their use. STM32MPU OP-TEE system services profile configures OP-TEE to embed only these services, disabling all secure services.

These services are exposed through several standard interfaces:

  • Arm PSCI specification [2] covers CPU and system low power modes.
  • Arm defines a secure watchdog service interface bound on an Arm SMCCC function ID.
    The interface was introduced in Linux ® kernel v5.8 [3].
  • Arm SCMI specification [4] covers system resources as clocks, voltage regulators, power domains.
  • STM32MP15 exposes platform SiP and OEM SMC function IDs in the scope of the Arm SMCCC specification [5].
    These SMC function IDs are used in early OpenSTLinux distribution OTP fuses access services and up to now for low power domains and voltage regulators control.
  • OP-TEE OS defines so-called PTA services, as standardized interfaces to access a few system resources.

The tables below lists the resource management services available from OP-TEE. Some of these services are default enabled in applicable STM32MP product lines but can be individually disabled with their related CFG_xxx configuration switch.

required means the service is embedded and cannot be disabled.
optional/on means the service is embedded and can be disabled.
optional/off means the service is not embedded and can be enabled.
not applicable means the service do not apply to the product line.

OP-TEE system services STM32MP13x lines More info.png STM32MP15x lines More info.png STM32MP25x lines More info.png
SCMI services required required required
PSCI services required required required
for PMIC services
Oscillator calibration service optional/on
(CFG_STM32_CLKCALIB=y)
optional/on
(CFG_STM32_CLKCALIB=y)
required
Wakeup source management required required not applicable
Power Domain service required required not applicable
OTP access services optional/on
(CFG_BSEC_PTA=y)
optional/on
(CFG_BSEC_PTA=y)
optional/on
(CFG_BSEC_PTA=y)
Random generation service optional/on
(CFG_HWRNG_PTA=y)
optional/on
(CFG_HWRNG_PTA=y)
optional/on
(CFG_HWRNG_PTA=y)

When OP-TEE is configured with CFG_STM32MP_PROFILE=system_services (and its core log level is configured in info trace level (CFG_TEE_CORE_LOG_LEVEL=2) or higher), OP-TEE initialization sequence prints the below trace message:

  I/TC: OP-TEE ST profile: system_services

3.1. SCMI services[edit source]

SCMI services STM32MP13x lines More info.png STM32MP15x lines More info.png STM32MP25x lines More info.png
Clock management required required required
Reset management required required required
Performance management
(CPU DVFS)
optional/on
(CFG_STM32_CPU_OPP=y)
optional/off
(default under Linux® control)
optional/on
(CFG_STM32_CPU_OPP=y)
Regulator management required optional/off
(default under Linux® control)
required

3.2. PSCI services[edit source]

PSCI services STM32MP13x lines More info.png STM32MP15x lines More info.png STM32MP25x lines More info.png
CPU hot-plug required required required
System reset required required not applicable
(done by TF-A)
System power off required required required
System standby required required required
Info white.png Information
On STM32MP25x lines More info.png, the PSCI services are handled by secure monitor level firmware that is TF-A/BL31. However TF-A/BL31 calls OP-TEE OS for voltage regulator controls during low power state transitions.

4. OP-TEE secure services profile[edit source]

OP-TEE secure services profile is enabled with CFG_STM32MP_PROFILE=secure_and_system_services.

This profile embeds all the system services described in the previous section OP-TEE system services profile and embeds secure services as support for Trusted Applications[6] (TAs), secure remote co-processor loading, secure random number generation and more.
All secure services are built as OP-TEE TAs, executed in Cortex-A secure unprivileged level, or as OP-TEE core built-in services (named PTAs, part of OP-TEE core firmware image). When secure services are used, STM32MPU hardware assistance can greatly enhance the security hardening of the platform.

OP-TEE secure services are listed in the table below. Each of these services is default enabled in applicable STM32MP product line default configuration but can be individually disabled from their related CFG_ configuration switch.

required means the service is embedded and cannot be disabled.
optional/on means the service is embedded and can be disabled.
optional/off means the service is not embedded and can be enabled.
not applicable means the service do not apply to the product line.

OP-TEE secure & system services STM32MP13x lines More info.png STM32MP15x lines More info.png STM32MP25x lines More info.png
System services
SCMI services required required required
PSCI services required required required
for PMIC services
Oscillator calibration service optional/on
(CFG_STM32_CLKCALIB=y)
optional/on
(CFG_STM32_CLKCALIB=y)
required
Wakeup source management required required not applicable
Power Domain service required required not applicable
OTP access services optional
(CFG_BSEC_PTA=y)
optional
(CFG_BSEC_PTA=y)
optional
(CFG_BSEC_PTA=y)
Random generation service recommended
(CFG_HWRNG_PTA=y)
optional/on
(CFG_HWRNG_PTA=y)
optional/on
(CFG_HWRNG_PTA=y)
Secure services - Trustworthiness of external TAs and internal PTAs
User Trusted application support
(CFG_WITH_USER_TA=y)
required required required
NVMEM provisioning services
(CFG_BSEC_PTA=y and stm32mp_nvmem TA)
optional/on
optional/on
optional/on
Remote proc services
(CFG_STM32MP_REMOTEPROC=y and remoteproc TA)
not applicable optional/on
optional/on
OP-TEE trusted keys wrapping [7]
(CFG_IN_TREE_EARLY_TAS+=trusted_keys/...)
optional/on optional/on optional/on
OP-TEE PKCS#11 token [8]
(pkcs11 TA, CFG_PKCS11_TA+=y for tests)
optional/on optional/on optional/on
OP-TEE StMM [9] for EFI secure variables
(CFG_STMM_PATH=...)
optional/off optional/off optional/off

When OP-TEE is configured with CFG_STM32MP_PROFILE=seecure_and_system_services (and its core log level is configured in info trace level (CFG_TEE_CORE_LOG_LEVEL=2) or higher), OP-TEE initialization sequence prints the below trace message:

  I/TC: OP-TEE ST profile: secure_and_system_services

5. Platform default configuration and constraints[edit source]

5.1. STM32MP13 default profile[edit source]

Platform default configuration for STM32MP13x lines More info.png enables both system and secure service:

  • CFG_STM32MP_PROFILE=secure_and_system_services

On STM32MP13x lines More info.png, OP-TEE OS is loaded in the external memory (DDR) that is encrypted by TF-A BL2 thanks to DDRMCE.
On STM32MP13x lines More info.png, secure services needs some STM32MPU subsystems be assigned to the secure world (STM32 RNG, STM32 AES, STM32 IWDG, etc...)

5.2. STM32MP15 default profile[edit source]

Platform default configuration for STM32MP15x lines More info.png enables only system resource management services:

  • CFG_STM32MP_PROFILE=system_services

Because STM32MP15x lines More info.png does not offer DDR encryption support, enabling the secure services profile requires OP-TEE to execute in the small secure internal SYSRAM thanks to its "pager" mode (memory page swapping). The paging mechanism can affect OP-TEE service performances. This mode also requires low power sequence to save/restore the internal secure memory into/from the non-secure DDR, using STM32 CRYP and STM32 RNG assistance. Therefore STM32MP15A* and STM32MP15D* chips cannot support low power suspended state when secure services are enabled. It is possible to assign SRAM1 and some other SRAMx to OP-TEE pager if they are not used by the Cortex-M processor.

In order to enable OP-TEE secure services on STM32MP15x lines More info.png, one shall set CFG_STM32MP_PROFILE=secure_and_system_services. This profile runs OP-TEE is the secure SYSRAM with OP-TEE pager enabled. Refer to section STM32MP15 pager constraints for more information on configuration constraints when pager is enabled.

5.3. STM32MP25 default profile[edit source]

Platform default configuration for STM32MP25x lines More info.png enables both system and secure services:

  • CFG_STM32MP_PROFILE=secure_and_system_services

OP-TEE OS is loaded in a secure memory region of the DDR, covered by the RISAF that supports memory region encryption and secure level management.

On STM32MP25x lines More info.png, secure services need some STM32MPU subsystems to be assigned to the secure world (STM32 RNG, STM32 AES, STM32 IWDG, etc...)

6. Details on build directives[edit source]

Article OP-TEE configuration switches details the CFG_xxx configuration directives that are default set when building the OP-TEE image for a target platform. The build environment can override some of the configuration switch values defined for a platform. How to pass these changes depends on the build environment, refer to these 3 sections:

Info white.png Information

For ecosystem release ≤ v3.0.0 compatibility:
It is still possible to automatically generate an unsigned STM32 binary files with an option flag:
CFG_STM32MP15x_STM32IMAGE=1: Generate the STM32 files for ecosystem release ≤ v3.0.0 compatibility.


7. References[edit source]