I'm trying to modify the flash layout used for b_u585i_iot2a in TF-M. Please see the details below.

wojciii · ‎2022-09-06

The reason that I'm doing this is because I want to sign the mcuboot bootloader used by TF-M.

(https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/ext/target/stm/b_u585i_iot02a/include/flash_layout.h).

The flash layout looks like this:

/* Flash layout for b_u585i_iot02a  with BL2 (multiple image boot):
 *
 * 0x0000_0000 SCRATCH (64KB)
 * 0x0001_0000 BL2 - counters(16 KB)
 * 0x0001_4000 BL2 - MCUBoot (84 KB)
 * 0x0002_7000 OTP Write Protect (4KB)
 * 0x0002_8000 NV counters area (16 KB)
 * 0x0002_c000 Secure Storage Area (16 KB)
 * 0x0003_0000 Internal Trusted Storage Area (16 KB)
 * 0x0003_4000 Secure image     primary slot (256 KB)
 * 0x0007_4000 Non-secure image primary slot (512 KB)
 * 0x000f_4000 Secure image     secondary slot (256 KB)
 * 0x0013_4000 Non-secure image secondary slot (512 KB)
 *
 * Bl2 binary is written at 0x1_2000:
 * it contains bl2_counter init value, OTP write protect, NV counters area init.
 */

I added space for the header before "BL2 - counters" - there is 8 KiB free at this offset, as the counters start 8 KiB into this area. This solved my issue with the script used to sign binaries.

But now I have issues with MCUboot not being able to find the two (secure/non-secure) images. I don't understand this. It looks like I added space to the output image and this moved the secure/non-secure images without updating some offsets.

The linker config looks like this:

#include "region_defs.h" 
MEMORY
{
  /* Header used by signing script: /
  FLASH_SIGN_HEADER(rx) : ORIGIN = BL2_SIGN_AREA_BASE, LENGTH = BL2_SIGN_AREA_SIZE
 
#if defined(BL2_NVMCNT_AREA_BASE)
  FLASH_NVMCNT(rx) : ORIGIN = BL2_NVMCNT_AREA_BASE, LENGTH = BL2_NVMCNT_AREA_SIZE
#endif
  FLASH (rx)  : ORIGIN = BL2_CODE_START, LENGTH = BL2_CODE_SIZE
  FLASH_NOHDP (rx)  : ORIGIN = BL2_NOHDP_CODE_START, LENGTH = BL2_NOHDP_CODE_SIZE
#if defined(BL2_OTP_AREA_BASE)
  FLASH_OTP(rx) : ORIGIN = BL2_OTP_AREA_BASE, LENGTH = BL2_OTP_AREA_SIZE
#endif
#if defined(BL2_NVM_AREA_BASE)
  FLASH_NVM(rx) : ORIGIN = BL2_NVM_AREA_BASE, LENGTH = BL2_NVM_AREA_SIZE
#endif
  RAM   (rwx) : ORIGIN = BL2_DATA_START, LENGTH = BL2_DATA_SIZE
}

In region_defs.h from same directory I have the following:

/* Define Area for initializing BL2_NVCNT   */
/* backup sector is initialised */
#define BL2_NVMCNT_AREA_BASE                S_ROM_ALIAS(FLASH_BL2_NVCNT_AREA_OFFSET+FLASH_AREA_IMAGE_SECTOR_SIZE)
#define BL2_NVMCNT_AREA_SIZE                (FLASH_AREA_IMAGE_SECTOR_SIZE)
 
#define BL2_SIGN_AREA_BASE                S_ROM_ALIAS(FLASH_BL2_NVCNT_AREA_OFFSET)
#define BL2_SIGN_AREA_SIZE                (FLASH_AREA_IMAGE_SECTOR_SIZE)

Any hints as to what I'm doing wrong?

Can you point me to any example which sign the bootloader but not the different areas used for counters etc?

Jocelyn RICARD · ‎2022-09-07

Hello @Community member ,

I don't have immediate solution.

I would compare what changed between before and after.

Besides, I'm wondering what is the purpose of signing the bootloader itself.

Do you intend to update it ?

If not, enabling the hardware protections (HDP, WRP, RDP ) will make the bootloader immutable.

So, checking own authenticity looks useless to me. But I may miss something

Best regards

Jocelyn

wojciii · ‎2022-09-13

I would like to be able to update everything in this product and therefore I would like to sign the second stage bootloader. The immutable first stage bootloader also does some recovery in case the next stage gets corrupted.

Have you tried looking at the implementation of TF-M for b_u585i_iot2a?

Would it be possible for you to try to increase the first offset with for instance 64 KiB and see if this still can build a working TF-M/Zephyr combo?

If this didn't work OOTB what did you need to modify besides the flash layout? 🙂

wojciii · ‎2022-09-13

Also, I wonder what TFM_FLASH_BASE_ADDRESS should be set to in board.cmake. I would like to move the whole image by for example 64 KiB from the start of flash.

if (CONFIG_HAS_FLASH_LOAD_OFFSET)

MATH(EXPR TFM_HEX_BASE_ADDRESS_NS "${TFM_FLASH_BASE_ADDRESS}+${CONFIG_FLASH_LOAD_OFFSET}")

else()

set(TFM_HEX_BASE_ADDRESS_NS ${TFM_TFM_FLASH_BASE_ADDRESS})

endif()

It seems like this is being used when making a signed HEX file with Zephyr.

CONFIG_FLASH_LOAD_OFFSET is used by Zephyr but TFM_FLASH_BASE_ADDRESS is only used by the script signing.

Could you please explain how this variable is supposed to be used?

Jocelyn RICARD · ‎2022-09-13

Hello @Community member

Did you try simply adding 64KB offset ain the flash_layout.h:

#define FLASH_AREA_SCRATCH_OFFSET (0x10000)

Modifying following line because it originally does not take previous section into account:

#define FLASH_BL2_NVCNT_AREA_OFFSET (FLASH_AREA_SCRATCH_OFFSET + FLASH_AREA_SCRATCH_SIZE)

I made a quick check using the TFM provided in STM32Cube U5 and it works: everything is shifted 64KB

Best regards

Jocelyn

wojciii · ‎2022-09-13

I'm using Zephyr with the TF-M implementation there. Is this something you support?

Doing what you suggest doesn't work - merging of the hex images fails as (because overlapping addresses) - therefore TFM_FLASH_BASE_ADDRESS needs to be changed.

wojciii · ‎2022-09-14

Forget about TFM_FLASH_BASE_ADDRESS. 🙂

The important part is setting FLASH_LOAD_OFFSET in the Zephyr board definition. Increasing it will move the Zephyr unsecure partition up and hopefully resolve any clashes with the secure partition when merging the different HEX files into the final image.

You can close the issue. It works OK now.

Jocelyn RICARD · ‎2022-09-14

Hello @Community member

Thank you for your update.

I just finished the installation of Zephyr, and building a first project. But this is no more useful 🙂

Best regards

Jocelyn