* U-BOOT 2021.07 and STM32MP15x issues for Trusted Boot Chain
@ 2021-07-22  8:01 gianluca
From: gianluca @ 2021-07-22  8:01 UTC (permalink / raw)
  To: u-boot; +Cc: Gianluca Renzi

Hello list,
I was wondering what I am doing wrong following the procedure explained 
in the doc/board/st/stm32mp1.rst documentation file.

I am using the latest git version (the Makefile says 2021.07).

My goal is to run from sdcard in trusted boot chain (TrustZone secure 
monitor) the evaluation kit STM32MP157C-DK2.

The procedure says:

> The **Trusted** boot chain
> ``````````````````````````
> 
> defconfig_file : stm32mp15_trusted_defconfig
> 
>     +-------------+-------------------------+------------+-------+
>     |  ROM code   | FSBL                    | SSBL       | OS    |
>     +             +-------------------------+------------+-------+
>     |             |Trusted Firmware-A (TF-A)| U-Boot     | Linux |
>     +-------------+-------------------------+------------+-------+
>     | TrustZone   |secure monitor                                |
>     +-------------+-------------------------+------------+-------+
> 
> TF-A performs a full initialization of Secure peripherals and installs a
> secure monitor, BL32:
> 
>   * SPMin provided by TF-A or
>   * OP-TEE from specific partitions (teeh, teed, teex).
> 
> U-Boot is running in normal world and uses the secure monitor to access
> to secure resources.

As far as I understand there is only a single first-stage-boot-loader 
(FSBL) and a second-stage-boot-loader (SSBL), otherwise in the *Basic 
Boot Chain* I have FSBL1 and FSBL2 _and_ a SSBL.


> Build Procedure
> ---------------
> 
> 1. Install the required tools for U-Boot
> 
>    * install package needed in U-Boot makefile
>      (libssl-dev, swig, libpython-dev...)
> 
>    * install ARMv7 toolchain for 32bit Cortex-A (from Linaro,
>      from SDK for STM32MP15x, or any crosstoolchains from your distribution)
>      (you can use any gcc cross compiler compatible with U-Boot)
> 

Done. I am in a Debian Buster DevelWorkstation, so everything is coming 
from the official repos.

At the moment the arm toolchain is:

> arm-linux-gnueabihf-gcc -v
> Using built-in specs.
> COLLECT_GCC=arm-linux-gnueabihf-gcc
> COLLECT_LTO_WRAPPER=/usr/lib/gcc-cross/arm-linux-gnueabihf/8/lto-wrapper
> Target: arm-linux-gnueabihf
> Configured with: ../src/configure -v --with-pkgversion='Debian 8.3.0-2' --with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs --enable-languages=c,ada,c++,go,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-8 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-libitm --disable-libquadmath --disable-libquadmath-support --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib --enable-multiarch --disable-sjlj-exceptions --with-arch=armv7-a --with-fpu=vfpv3-d16 --with-float=hard --with-mode=thumb --disable-werror --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=arm-linux-gnueabihf --program-prefix=arm-linux-gnueabihf- --includedir=/usr/arm-linux-gnueabihf/include
> Thread model: posix
> gcc version 8.3.0 (Debian 8.3.0-2) 


> 2. Set the cross compiler::
> 
>     # export CROSS_COMPILE=/path/to/toolchain/arm-linux-gnueabi-

export CROSS_COMPILE=arm-linux-gnueabihf-

> 
> 3. Select the output directory (optional)::
> 
>    # export KBUILD_OUTPUT=/path/to/output
> 
>    for example: use one output directory for each configuration::
> 
>    # export KBUILD_OUTPUT=stm32mp15_trusted

export KBUILD_OUTPUT=stm32mp15_trusted

> 4. Configure U-Boot::
> 
>    # make <defconfig_file>
> 
>    with <defconfig_file>:
> 
>    - For **trusted** boot mode : **stm32mp15_trusted_defconfig**

make stm32mp15_trusted_defconfig

make[1]: Entering directory 
'/home/gianluca/Progetti-GIT/stm32mp1-debian/bootrom/downloads/u-boot-2021.07/stm32mp15_trusted'
   HOSTCC  scripts/basic/fixdep
   GEN     Makefile
   HOSTCC  scripts/kconfig/conf.o
   YACC    scripts/kconfig/zconf.tab.c
   LEX     scripts/kconfig/zconf.lex.c
   HOSTCC  scripts/kconfig/zconf.tab.o
   HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
make[1]: Leaving directory 
'/home/gianluca/Progetti-GIT/stm32mp1-debian/bootrom/downloads/u-boot-2021.07/stm32mp15_trusted'

> 
> 5. Configure the device-tree and build the U-Boot image::
> 
>    # make DEVICE_TREE=<name> all
> 

make DEVICE_TREE=stm32mp157c-dk2 all
make[1]: Entering directory 
'/home/gianluca/Progetti-GIT/stm32mp1-debian/bootrom/downloads/u-boot-2021.07/stm32mp15_trusted'
   GEN     Makefile
scripts/kconfig/conf  --syncconfig Kconfig
   UPD     include/config.h
   CFG     u-boot.cfg
   GEN     include/autoconf.mk
   GEN     include/autoconf.mk.dep
   CFGCHK  u-boot.cfg
   UPD     include/config/uboot.release
   Using .. as source for U-Boot
   GEN     Makefile
   UPD     include/generated/version_autogenerated.h
   UPD     include/generated/timestamp_autogenerated.h
   UPD     include/generated/dt.h
   ...
   ...
   ...
   CC      net/tftp.o
   AR      net/built-in.o
   LDS     u-boot.lds
   LD      u-boot
   OBJCOPY u-boot-nodtb.bin
   DTC     arch/arm/dts/stm32mp157a-dk1.dtb
   DTC     arch/arm/dts/stm32mp157a-avenger96.dtb
   DTC     arch/arm/dts/stm32mp157a-icore-stm32mp1-ctouch2.dtb
   DTC     arch/arm/dts/stm32mp157a-icore-stm32mp1-edimm2.2.dtb
   DTC     arch/arm/dts/stm32mp157a-microgea-stm32mp1-microdev2.0.dtb
   DTC     arch/arm/dts/stm32mp157a-microgea-stm32mp1-microdev2.0-of7.dtb
   DTC     arch/arm/dts/stm32mp157c-dk2.dtb
   DTC     arch/arm/dts/stm32mp157c-ed1.dtb
   DTC     arch/arm/dts/stm32mp157c-ev1.dtb
   DTC     arch/arm/dts/stm32mp157c-odyssey.dtb
   DTC     arch/arm/dts/stm32mp15xx-dhcom-drc02.dtb
   DTC     arch/arm/dts/stm32mp15xx-dhcom-pdk2.dtb
   DTC     arch/arm/dts/stm32mp15xx-dhcom-picoitx.dtb
   DTC     arch/arm/dts/stm32mp15xx-dhcor-avenger96.dtb
   SHIPPED dts/dt.dtb
   CAT     u-boot-dtb.bin
   COPY    u-boot.bin
   MKIMAGE u-boot.stm32
   OBJCOPY u-boot.srec
   SYM     u-boot.sym
   COPY    u-boot.dtb
make[1]: Leaving directory 
'/home/gianluca/Progetti-GIT/stm32mp1-debian/bootrom/downloads/u-boot-2021.07/stm32mp15_trusted'

> 
> 6. Output files
> 
>    BootRom and TF-A expect binaries with STM32 image header
>    SPL expects file with U-Boot uImage header
> 
>    So in the output directory (selected by KBUILD_OUTPUT),
>    you can found the needed files:
> 
>   - For **Trusted** boot (with or without OP-TEE)
> 
>      - FSBL = **tf-a.stm32** (provided by TF-A compilation)
>      - SSBL = **u-boot.stm32**

No tf-a.stm32 for TrustZone Boot but only the u-boot.stm32 file.

> 
>   - For Basic boot
> 
>      - FSBL = spl/u-boot-spl.stm32
>      - SSBL = u-boot.img

find . -name 'tf-a.stm32'

find . -name '*tf-a*'

find . -name '*tfa*'
./include/config/tfaboot.h
./include/config/arch/support/tfaboot.h

Where is the tf-a.stm32?????

Something missing by my side???


Regards,
Gianluca Renzi
-- 
Eurek s.r.l.                          |
Electronic Engineering                | http://www.eurek.it
via Celletta 8/B, 40026 Imola, Italy  | Phone: +39-(0)542-609120
p.iva 00690621206 - c.f. 04020030377  | Fax:   +39-(0)542-609212


* Re: U-BOOT 2021.07 and STM32MP15x issues for Trusted Boot Chain
From: Patrick DELAUNAY @ 2021-07-22  9:03 UTC (permalink / raw)
  To: gianluca, u-boot; +Cc: Gianluca Renzi, U-Boot STM32, Patrice CHOTARD

Hi Gianluca,

On 7/22/21 10:01 AM, gianluca wrote:
> Hello list,
> I was wondering what I am doing wrong following the procedure 
> explained in the doc/board/st/stm32mp1.rst documentation file.
>
> I am using the latest git version (the Makefile says 2021.07).
>
> My goal is to run from sdcard in trusted boot chain (TrustZone secure 
> monitor) the evaluation kit STM32MP157C-DK2.
>
> The procedure says:
>
>> The **Trusted** boot chain
>> ``````````````````````````
>>
>> defconfig_file : stm32mp15_trusted_defconfig
>>
>>     +-------------+-------------------------+------------+-------+
>>     |  ROM code   | FSBL                    | SSBL       | OS    |
>>     +             +-------------------------+------------+-------+
>>     |             |Trusted Firmware-A (TF-A)| U-Boot     | Linux |
>>     +-------------+-------------------------+------------+-------+
>>     | TrustZone   |secure monitor                                |
>>     +-------------+-------------------------+------------+-------+
>>
>> TF-A performs a full initialization of Secure peripherals and installs a
>> secure monitor, BL32:
>>
>>   * SPMin provided by TF-A or
>>   * OP-TEE from specific partitions (teeh, teed, teex).
>>
>> U-Boot is running in normal world and uses the secure monitor to access
>> to secure resources.
>
> As far as I understand there is only a single first-stage-boot-loader 
> (FSBL) and a second-stage-boot-loader (SSBL), otherwise in the *Basic 
> Boot Chain* I have FSBL1 and FSBL2 _and_ a SSBL.
>
>

FSBL1 / FSBL2 => can be used for basic or trusted boot chain = they are 2 
copies of the FSBL for failsafe update

the ROM code will check integrity of FSBL1 ..... if it is failing, it 
will use FSBL2 instead


This feature allows to always boot even if FSBL1 update is interrupted....

if this feature is not needed you can remove the second FSBL partition.


>> Build Procedure
>> ---------------
>>
>> 1. Install the required tools for U-Boot
>>
>>    * install package needed in U-Boot makefile
>>      (libssl-dev, swig, libpython-dev...)
>>
>>    * install ARMv7 toolchain for 32bit Cortex-A (from Linaro,
>>      from SDK for STM32MP15x, or any crosstoolchains from your 
>> distribution)
>>      (you can use any gcc cross compiler compatible with U-Boot)
>>
>
> Done. I am in a Debian Buster DevelWorkstation, so everything is 
> coming from the official repos.
>
> At the moment the arm toolchain is: > arm-linux-gnueabihf-gcc -v
>
(...)


>>
>> 6. Output files
>>
>>    BootRom and TF-A expect binaries with STM32 image header
>>    SPL expects file with U-Boot uImage header
>>
>>    So in the output directory (selected by KBUILD_OUTPUT),
>>    you can found the needed files:
>>
>>   - For **Trusted** boot (with or without OP-TEE)
>>
>>      - FSBL = **tf-a.stm32** (provided by TF-A compilation)
>>      - SSBL = **u-boot.stm32**
>
> No tf-a.stm32 for TrustZone Boot but only the u-boot.stm32 file.
>

"tf-a.stm32" is provided by TF-A compilation (see after).


>>
>>   - For Basic boot
>>
>>      - FSBL = spl/u-boot-spl.stm32
>>      - SSBL = u-boot.img
>
> find . -name 'tf-a.stm32'
>
> find . -name '*tf-a*'
>
> find . -name '*tfa*'
> ./include/config/tfaboot.h
> ./include/config/arch/support/tfaboot.h
>
> Where is the tf-a.stm32?????
>
> Something missing by my side???
>
>
> Regards,
> Gianluca Renzi


"TF-A" = "Trusted Firmware-A" is a separate component and it needs to 
be compiled separately.

TF-A references =

- https://www.trustedfirmware.org/projects/tf-a/

- https://trustedfirmware-a.readthedocs.io/en/latest/

=> https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/


For build information at upstream, you can check

https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/docs/plat/stm32mp1.rst

For first test you can use SP_min as secure monitor:

    make CROSS_COMPILE=arm-linux-gnueabihf- PLAT=stm32mp1 ARCH=aarch32 \
         ARM_ARCH_MAJOR=7 AARCH32_SP=sp_min STM32MP_SDMMC=1 STM32MP_EMMC=1 \
         STM32MP_RAW_NAND=1 STM32MP_SPI_NAND=1 STM32MP_SPI_NOR=1 \
         DTB_FILE_NAME=stm32mp157c-ev1.dtb

I will update the stm32mp1 readme to indicate this missing information.


you need to compile 2 projects

- TF-A => FSBL

- U-Boot => SSBL


PS: to have a full secure support with FIP (when it will be 
supported on TF-A side),

you can use OP-TEE as the secure OS.... but it is a separate project

TF-A REF =

- https://www.op-tee.org/

- https://optee.readthedocs.io/en/latest/

- BUILD = 
https://optee.readthedocs.io/en/latest/building/devices/stm32mp1.html

=> https://github.com/OP-TEE/optee_os


In this case you need to compile the binaries included in FIP

- OP-TEE => Secure OS

- U-Boot => SSBL


Then you can compile:

- TF-A => FSBL & FIP (including OP-TEE and U-Boot)


Regards

Patrick


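As an added example, not code from this thread nor from the U-Boot or TF-A projects: a small Python checker for the .stm32 output files discussed above (tf-a.stm32 from TF-A, u-boot.stm32 from U-Boot). It parses the STM32 image header the ROM code and TF-A expect, recomputes the payload checksum the ROM uses when deciding whether FSBL1 is intact or FSBL2 must be used, and reports whether the header marks the image as unsigned. The field offsets and the option-flag meaning are assumed from U-Boot's tools/stm32image.c (header v1); the sample image in the test is constructed.

```python
"""Sanity-check an STM32MP15x boot image such as tf-a.stm32 or u-boot.stm32.

Header layout is the 256-byte STM32 header v1 as written by U-Boot's
tools/stm32image.c; the field offsets used here are assumed from that
tool, not taken from the mailing-list thread.
"""
import struct

HDR_LEN = 256
MAGIC = b"STM2"          # 0x53544D32, the first 4 bytes of every .stm32 file
OPT_NO_SIGNATURE = 0x1   # option_flags bit 0: image carries no ECDSA signature


def parse_stm32_image(data: bytes) -> dict:
    """Return the header fields plus the ROM-code style integrity results."""
    if len(data) < HDR_LEN:
        raise ValueError("shorter than the 256-byte STM32 header")
    hdr, payload = data[:HDR_LEN], data[HDR_LEN:]
    if hdr[:4] != MAGIC:
        raise ValueError("no STM32 header magic: this is not a .stm32 image")
    # Little-endian fields following the 64-byte signature at 0x04..0x43.
    (checksum, version, length, entry, _res1,
     load, _res2, vernum, flags, _ecdsa) = struct.unpack_from("<10I", hdr, 0x44)
    calc = sum(payload) & 0xFFFFFFFF   # checksum = 32-bit byte sum of the payload
    return {
        "header_version": version,      # 0x00010000 == v1.0 (STM32MP15x)
        "image_length": length,
        "entry_point": entry,
        "load_address": load,
        "version_number": vernum,
        "unsigned": bool(flags & OPT_NO_SIGNATURE),
        "length_ok": length == len(payload),
        "checksum_ok": checksum == calc,
    }


def make_stm32_image(payload: bytes, entry: int, load: int) -> bytes:
    """Wrap `payload` in a constructed, unsigned v1.0 header (test data only)."""
    hdr = bytearray(HDR_LEN)
    hdr[:4] = MAGIC
    struct.pack_into("<10I", hdr, 0x44,
                     sum(payload) & 0xFFFFFFFF,   # image_checksum
                     0x00010000,                  # header_version 1.0
                     len(payload), entry, 0, load, 0,
                     0,                           # version_number (image version)
                     OPT_NO_SIGNATURE, 0)         # option_flags, ecdsa_algorithm
    return bytes(hdr) + payload
```

To inspect a real build product, pass the bytes of u-boot.stm32 or tf-a.stm32 to parse_stm32_image; a false checksum_ok or length_ok means the ROM code would reject that copy of the FSBL.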
