2024-07-25 01:25 AM - last edited on 2024-07-29 06:55 AM by Andrew Neil
Hello STM32 MPU Community,
I am currently working on enabling secure boot on the STM32MP157C and have been following the instructions from this STMicroelectronics Wiki.
I am using a serial cable to view the U-Boot terminal. Upon startup, the terminal displays the message shown in the attached image. I am booting from an SD card, and the process halts with the following error message:
```
ERROR: Secured chip must enable TRUSTED_BOARD_BOOT
```
I would greatly appreciate any guidance or steps to resolve this issue. Has anyone else encountered this problem, and if so, what solutions have you found effective?
Thank you in advance for your assistance!
Best regards
2024-07-29 06:50 AM
Hello @ao2-yekeen ,
If you have the trace
```
NOTICE: Bootrom authentication succeeded
```
it means that the ROM code authentication succeeded.
After that the next step is to flash a TF-A built with the TRUSTED_BOARD_BOOT enabled as explained in the wiki page "How To Enable Secure Boot on STM32MPU".
The option TRUSTED_BOARD_BOOT=1 is normally enabled in the distribution package if you followed this chapter of the page:
Where you add SIGN_ENABLE in the local.conf:
```
echo 'SIGN_ENABLE = "1" ' >> conf/local.conf
```
If you look at the trusted-firmware-a layer, you can see that enabling "SIGN_ENABLE" enables "TRUSTED_BOARD_BOOT", which seems missing in your setup.
```
tf-a-stm32mp.inc:134:EXTRA_OEMAKE += "${@bb.utils.contains('SIGN_ENABLE', '1', 'TRUSTED_BOARD_BOOT=1', '', d)}"
```
Hope it helps,
Best Regards,
Kevin
2024-07-30 12:44 AM
Hi Kevin,
I already have it enabled in my Yocto build as shown below, but the error persists.
Kind regards,
Basit
2024-08-07 06:33 AM
Hello @ao2-yekeen ,
This should normally work. I will give it a try on my side and see if it works.
Just to be sure, in the screenshot that you shared, it looks like there is a "#" at the beginning of each line, which means that the lines are commented out in the "local.conf" and therefore not taken into account.
Can you confirm that they appear without the "#" at the beginning of the line in the configuration file?
Or if you can share the whole local.conf file (without the passkey).
Best Regards,
Kevin
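The check Kevin asks for above can be scripted. This is an added example, not part of the original posts or of ST's layers: it reports whether a variable such as SIGN_ENABLE is actively assigned in a conf file or only appears on a commented-out line. The function name `check_conf_var`, its return codes and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tell an active BitBake assignment
# apart from one that is only present on a commented-out line.
# Return codes: 0 = active and equal to the wanted value
#               1 = only found on commented-out lines
#               2 = not mentioned in the file
#               3 = active, but set to a different value
check_conf_var() {
    cv_file=$1; cv_var=$2; cv_want=$3
    # Matches VAR =, VAR ?=, VAR ??= and VAR := (simplification: the last
    # matching line is treated as the effective one).
    cv_assign="${cv_var}[[:space:]]*[?:]*="
    cv_line=$(grep -E "^[[:space:]]*${cv_assign}" "$cv_file" | tail -n 1)
    if [ -n "$cv_line" ]; then
        # Take the text between the first pair of quotes after the '='.
        cv_value=$(printf '%s\n' "$cv_line" |
            sed -E "s/^[^=]*=[[:space:]]*[\"']([^\"']*)[\"'].*/\1/")
        if [ "$cv_value" = "$cv_want" ]; then
            echo "OK: $cv_var = \"$cv_value\" is active in $cv_file"
            return 0
        fi
        echo "MISMATCH: $cv_var is \"$cv_value\", expected \"$cv_want\""
        return 3
    fi
    if grep -Eq "^[[:space:]]*#+[[:space:]]*${cv_assign}" "$cv_file"; then
        echo "COMMENTED: $cv_var only appears on '#' lines in $cv_file"
        return 1
    fi
    echo "MISSING: $cv_var is not set in $cv_file"
    return 2
}

# Constructed sample input: a local.conf where the line is commented out.
demo_conf=$(mktemp)
printf '%s\n' 'MACHINE = "stm32mp1"' '# SIGN_ENABLE = "1"' > "$demo_conf"
check_conf_var "$demo_conf" SIGN_ENABLE 1 || true   # prints the COMMENTED line
rm -f "$demo_conf"
```

Against a real build directory the call would be `check_conf_var conf/local.conf SIGN_ENABLE 1`; it inspects only that one file and does not follow includes or overrides from other layers.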
2024-09-19 03:40 AM