STM32MP15 ECO 5.0.0 BL2 stuck at loading BL32

debugging · ‎2023-09-13

Custom STM32MP157AAA3 board with 512MB DDR.

[Note: the NOTICE: DEBUG messages in below logs were added to the source code of TF-A]

The TF-A DT was compiled with option for SYSRAM with resulting dtb fw-config

OP-TEE was compiled for SYSRAM and and enabled with pager as can be seen in the contents FIP file:

The reservation was made in OP-TEE DT:

The optee-header_v2.bin: file generated:

Result:

NOTICE: Early console setup
NOTICE: CPU: STM32MP157AAA Rev.B
NOTICE: Model: STMicroelectronics custom STM32CubeMX board - openstlinux-6.1-yocto-mickledore-mp1-v23.06.21
NOTICE: DEBUG: stm32_print_boardinfo
NOTICE: DEBUG: stm32mp_is_closed_device
NOTICE: HELLO: fixed_regulator_register
NOTICE: DEBUG: stm32mp1_arch_security_setup
NOTICE: DEBUG: print_reset_reason
INFO: Reset reason (0x14):
INFO: Pad Reset from NRST
NOTICE: DEBUG: stm32mp1_syscfg_enable_io_compensation_finish
NOTICE: DEBUG: fconf_populate
INFO: FCONF: Reading TB_FW firmware configuration file from: 0x2ffe2000
INFO: FCONF: Reading firmware configuration information for: stm32mp_io
NOTICE: DEBUG: stm32_skip_boot_device_after_standby
NOTICE: DEBUG: stm32mp_io_setup
INFO: Using SDMMC
INFO: Instance 1
INFO: Boot used partition fsbl1
NOTICE: BL2: v2.8-stm32mp1-r1.0(debug):()
NOTICE: BL2: Built : 15:24:01, Sep 11 2023
INFO: BL2: Doing platform setup
INFO: RAM: DDR3-DDR3L 16bits 533000kHz
INFO: Memory size = 0x20000000 (512 MB)
INFO: BL2: Loading image id 1
INFO: Loading image id=1 at address 0x2ffff000
INFO: Image id=1 loaded: 0x2ffff000 - 0x2ffff1ea
INFO: FCONF: Reading FW_CONFIG firmware configuration file from: 0x2ffff000
INFO: FCONF: Reading firmware configuration information for: dyn_cfg
INFO: FCONF: Reading firmware configuration information for: stm32mp1_firewall
INFO: BL2: Loading image id 4
INFO: Loading image id=4 at address 0x2ffc0000
INFO: Image id=4 loaded: 0x2ffc0000 - 0x2ffc002c
INFO: OPTEE ep=0x2ffc0000
INFO: OPTEE header info:
INFO: magic=0x4554504f
INFO: version=0x2
INFO: arch=0x0
INFO: flags=0x0
INFO: nb_images=0x2
NOTICE: DEBUG: parse optee image #0
NOTICE: DEBUG: header->optee_image_list[num].image_id=0x0
NOTICE: DEBUG: OPTEE_PAGER_IMAGE_ID=0
NOTICE: DEBUG: OPTEE_PAGED_IMAGE_ID=1
NOTICE: DEBUG: init_load_addr=0x2ffc0000
NOTICE: DEBUG: init_size=0x26fc0
NOTICE: DEBUG: image_info->image_base=0x2ffc0000
NOTICE: DEBUG: image_info->image_max_size=0x22000
WARNING: The load address in optee header 0x2ffc0000 - 0x2ffe6fc0 is not in reserved area: 0x2ffc0000 - 0x2ffe2000.
ERROR: OPTEE header parse error.
PANIC at PC : 0x2ffed03d

The OP-TEE generated header file optee-header_v2.bin has the load address for FW_CONFIG (image ID 1) set to 0x2FFC0000, that is the same address that OPTEE tries to load loading Image ID #8 (extra 1) , also the boot log below. Changed the starting address in the OPTEE , conf.mk file to 0x2FFC0200 to avoid a conflict. (shown in the picture below). The optee-header_v2.bin has the size set to 0x26dc0 which is the size of BL32 Extra 1 (ID 😎 this isis too large to load in SRAM and created an BL2 load error as above.

After changing the size in the OP-TEE .mk file to to 0x1000 the OPTEE build still set it to 0x26EC0 in the header.:

It seems the OPTEE build ignored the config.mk file setting

OP-TEE conf.mk file:

CFG_TZSRAM_START ?= 0x2ffc0200
CFG_TZSRAM_SIZE ?= 0x00010000

The next attempt to load ID 8 (BL32 extra 1) was to manually changing the header file to size of 0x1000.

The changed header as follows

This went through a bit more but an “out of bounds" error is raised. See the log below.

Questions:

1 Why does OPTEE use the same start address for image ID 8 (Extra 1) and for ID 1 (FWCONFIG) ? Is this correct ? If we had not changed the base address in the conf.mk to 0x2ffc000200 it would start to overwrite FWCONFIG data at 0x2ffc0000 with ID8 BL32, OP-TEE extra 1, data

2. Why does OPTEE set a larger size in the header for BL32 extra 1 than available in SRAM for OT-TEE ?

3. and why does OPTEE ignore the CFG_TSZR_RAM size setting t(to reduce the size for SYSRAM) in the conf.mk file ?

4. Where does BL2 get the base address 0xde000000 and size from (see log below) ?

5. Is 0xde000000 the address BL2 will try to load image ID#9 (BL32 Extra 2) ?

6. What is/could be wrong ?

7. is there a "good boot" log of an DK or EV board using ECO 5.0.0 to see what the memory locations are used by BL2 for loading the FIP images ?

Boot log after manually changing the size to 0x10000 in the header:

INFO: Using SDMMC
INFO: Instance 1
INFO: Boot used partition fsbl1
NOTICE: BL2: v2.8-stm32mp1-r1.0(debug):()
NOTICE: BL2: Built : 15:24:01, Sep 11 2023
INFO: BL2: Doing platform setup
INFO: RAM: DDR3-DDR3L 16bits 533000kHz
INFO: Memory size = 0x20000000 (512 MB)
INFO: BL2: Loading image id 1
INFO: Loading image id=1 at address 0x2ffff000
INFO: Image id=1 loaded: 0x2ffff000 - 0x2ffff1ea
INFO: FCONF: Reading FW_CONFIG firmware configuration file from: 0x2ffff000
INFO: FCONF: Reading firmware configuration information for: dyn_cfg
INFO: FCONF: Reading firmware configuration information for: stm32mp1_firewall
INFO: BL2: Loading image id 4
INFO: Loading image id=4 at address 0x2ffc0000
INFO: Image id=4 loaded: 0x2ffc0000 - 0x2ffc002c
INFO: OPTEE ep=0x2ffc0000
INFO: OPTEE header info:
INFO: magic=0x4554504f
INFO: version=0x2
INFO: arch=0x0
INFO: flags=0x0
INFO: nb_images=0x2
NOTICE: DEBUG: parse optee image #0
NOTICE: DEBUG: header->optee_image_list[num].image_id=0x0
NOTICE: DEBUG: OPTEE_PAGER_IMAGE_ID=0
NOTICE: DEBUG: OPTEE_PAGED_IMAGE_ID=1
NOTICE: DEBUG: init_load_addr=0x2ffc0200
NOTICE: DEBUG: init_size=0x10000
NOTICE: DEBUG: image_info->image_base=0x2ffc0000
NOTICE: DEBUG: image_info->image_max_size=0x22000
NOTICE: DEBUG: parse optee image #1
NOTICE: DEBUG: header->optee_image_list[num].image_id=0x1
NOTICE: DEBUG: OPTEE_PAGER_IMAGE_ID=0
NOTICE: DEBUG: OPTEE_PAGED_IMAGE_ID=1
NOTICE: DEBUG: parse_optee_image

NOTICE: DEBUG: init_load_addr=0xde000000
NOTICE: DEBUG: init_size=0x84000
NOTICE: DEBUG: image_info->image_base=0xde000000
NOTICE: DEBUG: image_info->image_max_size=0x2000000
INFO: BL2: Loading image id 8
INFO: Loading image id=8 at address 0x2ffc0200
WARNING: Image id=8 size out of bounds
ERROR: BL2: Failed to load image id 8 (-27)

debugging · ‎2023-09-15

Thank for the reply, but still wondering what are the key selection criteria to make a decision between OP-TEE in DDR or internal RAM ?

debugging · ‎2023-09-15

i assume this should be : this is not mandatory for every product

It depends the use case, . In other words, if the product does need the protection of malicious attacks just use DRAM.

Bernard PUEL · ‎2023-09-18

Product security is a big and complex subject really depending on the product. This needs to be global (HW + SW) and coherent from the production of the product and also after life of the product.

You can have an overview of the different tools available on STM32MP1 = https://wiki.st.com/stm32mpu/wiki/Security_overview

You may also request help from partners (like proven run).

After you decided which OP-TEE services are mandatory for your product, table https://wiki.st.com/stm32mpu/wiki/How_to_configure_OP-TEE#OP-TEE_core_configuration is here to advice between the 2 choices (internal or external RAM).

Bernard PUEL · ‎2023-09-18

Here is also a high level introduction if needed = https://www.st.com/content/st_com/en/premium-content/premium-content-white-paper-protecting-oem-assets-and-ensuring-firmware-integrity-through-stm32-and-open-source-solutions.html

debugging · ‎2023-09-25

Thank for the feedback. Still stuck at the AXI 480 error. See my post. This happens both with OPTEE in DDR or in SRAM, I can switch between those quickly using custom build boot scripts. Both results in same problem and it has taken me a month now to boot a simple board with discrete power and still unsuccessful. Spending many nights and days on this. I have no clues anymore. 🙁