FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Secure Boot on STM32MP157C: "ERROR: Secured chip must enable TRUSTED_BOARD_BOOT

ao2-yekeen
Associate

‎2024-07-25 01:25 AM - last edited on ‎2024-07-29 06:55 AM by

Hello STM32 MPU Community,

I am currently working on enabling secure boot on the STM32MP157C and have been following the instructions from this STMicroelectronics Wiki. 

I am using a serial cable to view the U-Boot terminal. Upon startup, the terminal displays the message shown in the attached image. I am booting from an SD card, and the process halts with the following error message:

```
ERROR: Secured chip must enable TRUSTED_BOARD_BOOT
```

I would greatly appreciate any guidance or steps to resolve this issue. Has anyone else encountered this problem, and if so, what solutions have you found effective?

Thank you in advance for your assistance!

Best regards

Labels:
Preview file
13 KB
0 Kudos
3 REPLIES 3
Kevin HUBER
ST Employee

‎2024-07-29 06:50 AM

Hello @ao2-yekeen ,

 

if you have the trace

 

NOTICE:  Bootrom authentication succeeded

It means that the ROM code authentication succeeded.

After that the next step is to flash a TF-A built with the TRUSTED_BOARD_BOOT enabled as explained in the wiki page "How To Enable Secure Boot on STM32MPU".

 

The option TRUSTED_BOARD_BOOT=1 is normally enabled in the distribution package if you followed this chapter of the page:

https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_package#Generate_Distribution_package_with_signed_binaries

Where you add SIGN_ENABLE in the local.conf:

echo 'SIGN_ENABLE = "1" ' >> conf/local.conf

If you look at the trusted-firmware-a layer, you can see that enabling "SIGN_ENABLE" enables "TRUSTED_BOARD_BOOT, which seems missing in your setup.

tf-a-stm32mp.inc:134:EXTRA_OEMAKE += "${@bb.utils.contains('SIGN_ENABLE', '1', 'TRUSTED_BOARD_BOOT=1', '', d)}"

Hope it helps,

Best Regards,

Kevin

 

 

 

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.
0 Kudos
ao2-yekeen
Associate

‎2024-07-30 12:44 AM

 

Hi Kevin,

 I already have it enabled in  my yocto build as shown below but the error persist.

ao2yekeen_0-1722266297240.png

 

Kind regards,

Basit

 

 

0 Kudos
Kevin HUBER
ST Employee

‎2024-08-07 06:33 AM

Hello @ao2-yekeen ,

 

This should normally works. I will give it a try on my side and see if it works.

Just to be sure, in the screenshot that you shared, it looks like there is "#" at the beginning of each lines. Which means that the lines are commented in the "local.conf" and therefore not taken into account.

Can you confirm that they appear without the "#" at the beginning of the line in the configuration file?

Or if you can share the whole local.conf file (without the passkey).

 

Best Regards,
Kevin

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.
0 Kudos
Top