[SCMI] channel: Cmd [740 (0x14:0x7)] returned error (-8)

ThinhNguyen · ‎2025-04-07

I am working with openSTLinux as below:
- oe-manifest: TAG openstlinux-6.6-yocto-scarthgap-mpu-v25.03.19
- Hardware: STM32MP257F-DK
- Image: st-image-weston

When the system starts up I see some error messages like this:

Starting kernel ...

I/TC: Secondary CPU 1 initializing
I/TC: Secondary CPU 1 switching to normal world boot
I/TC: Reserved shared memory is disabled
I/TC: Dynamic shared memory is enabled
I/TC: Normal World virtualization support is disabled
I/TC: Asynchronous notifications are enabled
[    0.000000] [SCMI] channel: Cmd [740 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [741 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [742 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [743 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [744 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [745 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [746 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [747 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [748 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [749 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [750 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [751 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [752 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [823 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [824 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [825 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [828 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [829 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [830 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [831 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [832 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [833 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [834 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [835 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [837 (0x14:0x7)] returned error (-8)
[    0.000000] [SCMI] channel: Cmd [838 (0x14:0x7)] returned error (-8)
[    0.000000] Booting Linux on physical CPU 0x0000000000 [0x411fd040]

I think the error lines starting with SCMI are sent from OPTEE. However I don't understand what this process is and where to start debugging. Can you help me explain the meaning of this error line?

KYAO · ‎2025-04-14

Hi @ThinhNguyen,

For STM32MP25x in "BSEC-closed" state, by default, the debug support hardware modules are disabled.
So you can try :
1) without debug support : by adding the below in your linux top level device tree file.
2) with debug support : by modification in optee core/arch/arm/plat-stm32mp2/main.c as the below.

Best regards

========= 1) To be removed in linux top level device tree file =========

&cs_cpu_debug0 {
status = "okay";
};

&cs_cpu_debug1 {
status = "okay";
};

&cs_cti0 {
status = "okay";
};

&cs_cti1 {
status = "okay";
};

&cs_cti_cpu0 {
status = "okay";
};

&cs_cti_cpu1 {
status = "okay";
};

&cs_etf {
status = "okay";
};

&cs_etm0 {
status = "okay";
};

&cs_etm1 {
status = "okay";
};

&cs_etr {
status = "okay";
};

&cs_funnel {
status = "okay";
};

&cs_replicator {
status = "okay";
};

&cs_stm {
status = "okay";
};

&cs_tpiu {
status = "okay";
};

==== 2) optee modification ======

diff --git a/core/arch/arm/plat-stm32mp2/main.c b/core/arch/arm/plat-stm32mp2/main.c
index aec3929..a845fb6 100644
--- a/core/arch/arm/plat-stm32mp2/main.c
+++ b/core/arch/arm/plat-stm32mp2/main.c
@@ -190,7 +190,7 @@ static TEE_Result init_debug(void)
if (res)
return res;

- if (state != BSEC_STATE_SEC_CLOSED) {
+ if (1) { // enable debugging HW modules all the time
struct clk __maybe_unused *dbgmcu_clk = NULL;

if (IS_ENABLED(CFG_INSECURE))

View solution in original post

Olivier GALLIEN · ‎2025-04-08

Hi @ThinhNguyen ,

Can you please describe further how you generate the image ?

Eg did you change anything in Device Tree or Yocto configuration ?

Thanks

Olivier

Olivier GALLIEN
In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

ThinhNguyen · ‎2025-04-08

Hi @Olivier GALLIEN,

For Linux Device tree I did change anything.

Here is my change in local.conf to enable secure boot.

ROOT_SIGN_KEY = "/mnt/HDD_2TB/KeyGenSecBoot/stm32mp25-signaturekey"
ROOT_ENCRYPT_KEY = "/mnt/HDD_2TB/KeyGenSecBoot/stm32mp25-encryptionkey"
# Generate Distribution Package with signed binaries for STM32MP25
SIGN_KEY = "${ROOT_SIGN_KEY}/privateKey00.pem"
SIGN_KEY_stm32mp21 = "${ROOT_SIGN_KEY}/privateKey00.pem"
SIGN_KEY_stm32mp23 = "${ROOT_SIGN_KEY}/privateKey00.pem"
SIGN_KEY_stm32mp25 = "${ROOT_SIGN_KEY}/privateKey00.pem"
EXTERNAL_KEY_CONF = "1"
SIGN_KEY_PASS = "xxx xxx xxx xxx xxx xxx xxx xxx"
SIGN_ENABLE = "1"
SIGN_TOOL = "/home/thinhnguyen/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/STM32_SigningTool_CLI"

# Generate a Distribution Package with encrypted partition binaries for STM32MP25
ENCRYPT_ENABLE = "1"
ENCRYPT_FSBL_KEY = "${ROOT_ENCRYPT_KEY}/stm32mp_encryption_key.bin"
ENCRYPT_FSBL_KEY_stm32mp23 = "${ROOT_ENCRYPT_KEY}/stm32mp_encryption_key.bin"
ENCRYPT_FSBL_KEY_stm32mp25 = "${ROOT_ENCRYPT_KEY}/stm32mp_encryption_key.bin"
ENCRYPT_FIP_KEY = "${ROOT_ENCRYPT_KEY}/stm32mp_encryption_key_256bits.bin"
ENCRYPT_FIP_KEY_stm32mp23 = "${ROOT_ENCRYPT_KEY}/stm32mp_encryption_key_256bits.bin"
ENCRYPT_FIP_KEY_stm32mp25 = "${ROOT_ENCRYPT_KEY}/stm32mp_encryption_key_256bits.bin"

Olivier GALLIEN · ‎2025-04-08

Hi @ThinhNguyen

OK, secure boot and encryption then

Do you confirm without change in local.conf all work properly right ?

Did you follow https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_Package ?

I notice you declined SIGN_KEY, ENCRYPT_FSBL and ENCRYPT_FIP per for each mp25, 23 ,21 ?

What's the purpose ?

Olivier

Olivier GALLIEN
In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

ThinhNguyen · ‎2025-04-08

Hi @Olivier GALLIEN,

Do you confirm without change in local.conf all work properly right ?

=> I confirmed. I have just added some variables as above to enable secureboot.

Did you follow https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_Package ?
=> Yes. It helps me on this work.

I notice you declined SIGN_KEY, ENCRYPT_FSBL and ENCRYPT_FIP per for each mp25, 23 ,21 ?

What's the purpose ?

=> You mean I have multiple SIGN_KEY, ENCRYPT_FSBL and ENCRYPT_FIP lines for each soc? If I don't do that Yocto will give me an error and won't build. It says I have a missing declaration.

I also attached full log while it is booting.

ThinhNguyen · ‎2025-04-08

I tried on another board without sign & encrypt bootloader and not programing the OTP too. The issue does not happend. I attached the boot log.

ThinhNguyen · ‎2025-04-13

Does anyone have any suggestions on how to fix this? Secure boot is required so I can't disable it.

KYAO · ‎2025-04-14

Hi @ThinhNguyen,

For STM32MP25x in "BSEC-closed" state, by default, the debug support hardware modules are disabled.
So you can try :
1) without debug support : by adding the below in your linux top level device tree file.
2) with debug support : by modification in optee core/arch/arm/plat-stm32mp2/main.c as the below.

Best regards

========= 1) To be removed in linux top level device tree file =========

&cs_cpu_debug0 {
status = "okay";
};

&cs_cpu_debug1 {
status = "okay";
};

&cs_cti0 {
status = "okay";
};

&cs_cti1 {
status = "okay";
};

&cs_cti_cpu0 {
status = "okay";
};

&cs_cti_cpu1 {
status = "okay";
};

&cs_etf {
status = "okay";
};

&cs_etm0 {
status = "okay";
};

&cs_etm1 {
status = "okay";
};

&cs_etr {
status = "okay";
};

&cs_funnel {
status = "okay";
};

&cs_replicator {
status = "okay";
};

&cs_stm {
status = "okay";
};

&cs_tpiu {
status = "okay";
};

==== 2) optee modification ======

diff --git a/core/arch/arm/plat-stm32mp2/main.c b/core/arch/arm/plat-stm32mp2/main.c
index aec3929..a845fb6 100644
--- a/core/arch/arm/plat-stm32mp2/main.c
+++ b/core/arch/arm/plat-stm32mp2/main.c
@@ -190,7 +190,7 @@ static TEE_Result init_debug(void)
if (res)
return res;

- if (state != BSEC_STATE_SEC_CLOSED) {
+ if (1) { // enable debugging HW modules all the time
struct clk __maybe_unused *dbgmcu_clk = NULL;

if (IS_ENABLED(CFG_INSECURE))