STM32MP157AAC Secure Boot Process on Avenger96 board

Kaushendra · ‎2020-05-05

Hi,

I would like to perform the secureboot on AV96 board. I have built the image with yocto openstlinux.I want to confirm the secure-boot scenario if Board Boots-up.

I'm sharing some logs,please comment me whether i need to seperately perfrom steps to make AV96 board boots securely.

NOTICE:  Model: Arrow Electronics STM32MP157A Avenger96 board
INFO:    Reset reason (0x10):
INFO:      Reset due to a failure of VDD_CORE
INFO:    Using SDMMC
INFO:      Instance 1
INFO:    Boot used partition fsbl1
NOTICE:  BL2: v2.0-r1.5(debug):
NOTICE:  BL2: Built : 13:13:37, Oct  2 2018
INFO:    BL2: Doing platform setup
INFO:    PMIC version = 0x10
INFO:    RAM: DDR3-1066/888 bin G 2x4Gb 533MHz v1.45
INFO:    Memory size = 0x40000000 (1024 MB)
INFO:    BL2 runs SP_MIN setup
INFO:    BL2: Loading image id 4
INFO:    Loading image id=4 at address 0x2fff0000
INFO:    Image id=4 loaded: 0x2fff0000 - 0x30000000
INFO:    BL2: Loading image id 5
INFO:    Loading image id=5 at address 0xc0100000
INFO:    STM32 Image size : 807362
WARNING: Skip signature check (header option)
INFO:    Image id=5 loaded: 0xc0100000 - 0xc01c51c2
INFO:    read version 0 current version 0
NOTICE:  BL2: Booting BL32
INFO:    Entry point address = 0x2fff0000
INFO:    SPSR = 0x1d3
INFO:    PMIC version = 0x10
NOTICE:  SP_MIN: v2.0-r1.5(debug):
NOTICE:  SP_MIN: Built : 13:13:37, Oct  2 2018
INFO:    ARM GICv2 driver initialized
INFO:    stm32mp HSI (18): Secure only
INFO:    stm32mp HSE (20): Secure only
INFO:    stm32mp PLL2 (27): Secure only
INFO:    stm32mp PLL2_R (30): Secure only
INFO:    SP_MIN: Initializing runtime services

Thanks

kaushendra

Olivier GALLIEN · ‎2020-05-06

Hi @Kaushendra

It's a hardware board limitation. Only way would be to change the assembled STM32MP15 chip ID ...

I recommend you to contact Arrow to see if they plan to sell secure flavor of the AV96.

BR,

Olivier

Olivier GALLIEN
In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

View solution in original post

Fee · ‎2020-05-06

Hi,

it seems that the BL2 does not verify the signature of your image with the id 5 (I assume that is your u-boot). This is due to a wrong bit in the .stm32 header (see here: https://wiki.st.com/stm32mpu/wiki/STM32MP15_secure_boot#STM32_Header, the bit is the Option Flag).

Kaushendra · ‎2020-05-06

Thanks for the point you made,I'll try to follow as per you suggestion.

Olivier GALLIEN · ‎2020-05-06

Hi @Kaushendra

STM32MP157Axx does not support secure boot.

You need secure sample reference STM32MP157Cxx.

Olivier

Olivier GALLIEN
In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

Kaushendra · ‎2020-05-06

Hi @Community member

Could you please help me with reference links or guide which helps me to enable secure boot over Avenger96 Board.

Olivier GALLIEN · ‎2020-05-06

Hi @Kaushendra

It's a hardware board limitation. Only way would be to change the assembled STM32MP15 chip ID ...

I recommend you to contact Arrow to see if they plan to sell secure flavor of the AV96.

BR,

Olivier

Olivier GALLIEN
In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

Kaushendra · ‎2020-05-06

Hi @Community member

Thanks for your valuable inputs over the issue.

Regards,

kaushendra sah

Kaushendra · ‎2020-07-28

Hi @Community member

As suggested we have swapped the processor to STM32MP157Cxx

following this link to enable secure boot on avneger96 https://wiki.st.com/stm32mpu/wiki/STM32MP15_secure_boot#Authentication_processing

Point No .1 : facing while generating keys (https://wiki.st.com/stm32mpu/wiki/KeyGen_tool)

3.2.1 Example 1: Key creation using the AES256 algorithm

./STM32MP_KeyGen_CLI -ecc prime256v1 -abs /home/kaushendra/AVENGER -pwd SEED

-------------------------------------------------------------------

STM32MP Key Generator v1.0.0

-------------------------------------------------------------------

Prime256v1 curve is selected.

AES_256_cbc algorithm is selected for private key encryption

Generating Prime256v1 keys...

Error: creating Key File fails

Error occured while creating PEM file!

Error: An error occured while generating key files

Point No.2 : Need to understand steps to implement Secure boot support in u-boot with TPM on avenger96's yocto environment

help over this points will be appreciated for quick start of me.

Thanks in advance,

kaushendra sah

Olivier GALLIEN · ‎2020-07-29

Hi @Kaushendra

First quick answer.

Point No .1 : I guess it's a know issue of version up to V2.4. Now fix in new STM32CubeProgrammer V2.5

Point No.2 : Secure Boot can not be manage with U-Boot but only TF-A.

This article might help to reach all available document :

https://community.st.com/s/article/FAQ-STM32MP1-Security-overview

Olivier

Olivier GALLIEN
In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

Kaushendra · ‎2020-07-29

Hi @Community member

Point No.1: I'm able to see only upto version 2.4 for download.

Point No.2: I need to add TPM support in u-boot to can i get any reference links regarding that.

Reg,

kaushendra sah