2020-05-05 11:26 PM
Hi,
I would like to perform secure boot on the AV96 board. I have built the image with Yocto OpenSTLinux. I want to confirm the secure-boot scenario when the board boots up.
I'm sharing some logs; please tell me whether I need to separately perform steps to make the AV96 board boot securely.
NOTICE: Model: Arrow Electronics STM32MP157A Avenger96 board
INFO: Reset reason (0x10):
INFO: Reset due to a failure of VDD_CORE
INFO: Using SDMMC
INFO: Instance 1
INFO: Boot used partition fsbl1
NOTICE: BL2: v2.0-r1.5(debug):
NOTICE: BL2: Built : 13:13:37, Oct 2 2018
INFO: BL2: Doing platform setup
INFO: PMIC version = 0x10
INFO: RAM: DDR3-1066/888 bin G 2x4Gb 533MHz v1.45
INFO: Memory size = 0x40000000 (1024 MB)
INFO: BL2 runs SP_MIN setup
INFO: BL2: Loading image id 4
INFO: Loading image id=4 at address 0x2fff0000
INFO: Image id=4 loaded: 0x2fff0000 - 0x30000000
INFO: BL2: Loading image id 5
INFO: Loading image id=5 at address 0xc0100000
INFO: STM32 Image size : 807362
WARNING: Skip signature check (header option)
INFO: Image id=5 loaded: 0xc0100000 - 0xc01c51c2
INFO: read version 0 current version 0
NOTICE: BL2: Booting BL32
INFO: Entry point address = 0x2fff0000
INFO: SPSR = 0x1d3
INFO: PMIC version = 0x10
NOTICE: SP_MIN: v2.0-r1.5(debug):
NOTICE: SP_MIN: Built : 13:13:37, Oct 2 2018
INFO: ARM GICv2 driver initialized
INFO: stm32mp HSI (18): Secure only
INFO: stm32mp HSE (20): Secure only
INFO: stm32mp PLL2 (27): Secure only
INFO: stm32mp PLL2_R (30): Secure only
INFO: SP_MIN: Initializing runtime services
Thanks
kaushendra
2020-07-29 03:21 AM
Hi @Community member
I'm somewhat able to debug for Point No. 1 with version 2.4.0
***************************************************************
./STM32MP_KeyGen_CLI -ecc 1 -abs /home/kaushendra/kaush/ARROW/SEED/Avenger_secure_boot -pwd seed
o/p
seed
-------------------------------------------------------------------
STM32MP Key Generator v1.0.0
-------------------------------------------------------------------
Prime256v1 curve is selected.
AES_256_cbc algorithm is selected for private key encryption
Generating Prime256v1 keys...
Private key PEM file created
Public key PEM file created
public key hash file created
Keys generated successfully.
+ public key: /home/kaushendra/STM32MP_KeyGen/publicKey.pem
+ private key: /home/kaushendra/STM32MP_KeyGen/privateKey.pem
+ public hash key: /home/kaushendra/STM32MP_KeyGen/publicKeyhash.bin
Issue: the generated publicKeyhash.bin has size zero
[15:02:33] kaushendra@AHMCPU2172:~/STM32MP_KeyGen$ ls -lrt
total 8
-r-------- 1 kaushendra kaushendra 379 Jul 29 13:13 privateKey.pem
-r--r--r-- 1 kaushendra kaushendra 178 Jul 29 13:13 publicKey.pem
-r--r--r-- 1 kaushendra kaushendra 0 Jul 29 13:13 publicKeyhash.bin
[15:21:16] kaushendra@AHMCPU2172:~/STM32MP_KeyGen$
Your help will be appreciated.
Reg,
kaushendra
2020-07-29 04:09 AM
STM32CubeProgrammer V2.5 is the version available on st.com :
https://www.st.com/en/development-tools/stm32cubeprog.html
Olivier
2020-07-29 04:49 AM
Thanks, I'll test my scenario with the new version and update you.
Reg,
kaushendra
2020-07-29 05:10 AM
Hi @Community member
With the upgrade to V2.5 I'm able to generate keys now.
/***************************************************/
[17:36:03] kaushendra@AHMCPU2172:~/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin$ ./STM32MP_KeyGen_CLI -ecc 1 -pubk /home/kaushendra/secure_keys/public.pem -prvk endra/secure_keys/private.pem -hash /home/kaushendra/secure_keys/pubKeyHash.bin -pwd seed
-------------------------------------------------------------------
STM32MP Key Generator v1.0.0
-------------------------------------------------------------------
brainpoolP256t1 curve is selected.
AES_256_cbc algorithm is selected for private key encryption
Generating brainpoolP256t1 keys...
Private key PEM file created
Public key PEM file created
public key hash file created
Keys generated successfully.
+ public key: /home/kaushendra/secure_keys/public.pem
+ private key: /home/kaushendra/secure_keys/private.pem
+ public hash key: /home/kaushendra/secure_keys/pubKeyHash.bin
/*******************************************************************************/
I'll keep you posted if there is any issue in the further steps for secure boot on the Avenger96.
Thanks for support.
Reg,
kaushendra
2020-07-29 09:43 PM
Hi @Community member
I have done Section 2.2 Key registration (https://wiki.st.com/stm32mpu/wiki/STM32MP15_secure_boot#Key_registration)
Now I'm working over Section 2.3 Image signing (https://wiki.st.com/stm32mpu/wiki/Signing_tool)
Query No. 1: I need to know which file to pass for the command line options.
I would like to know whether the kernel image, U-Boot or FSBL has to be put there, and what the addresses will be.
Files available to me in STM-yocto:
tf-a-stm32mp157a-av96-trusted.stm32
tf-a-bl32-trusted.elf
tf-a-bl2-trusted.elf
u-boot-stm32mp157a-av96-trusted.stm32
Image--4.19-r0.14-stm32mp1-av96-20200430051417.bin
Help will be appreciated, as I'm doing this secure boot feature for the very first time.
regards,
kaushendra
2020-07-30 10:16 PM
Hi @Community member
I was able to resolve the image signing issue with the following:
FSBL: tf-a-stm32mp157a-av96-trusted.stm32
SSBL: u-boot-stm32mp157a-av96-trusted.stm32
I was able to achieve 2.6.2 TF-A authentication:
INFO: Loading image id=5 at address 0xc0100000
INFO: STM32 Image size : 807362
INFO: Check signature on Non-Full-Secured platform
INFO: Image id=5 loaded: 0xc0100000 - 0xc01c51c2
INFO: read version 0 current version 0
NOTICE: BL2: Booting BL32
INFO: Entry point address = 0x2fff000
Thanks for the support.
Regards,
kaushendra sah
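Added example, not part of any post in this thread: a small Python check over BL2 console output that reports, per loaded image, whether the log shows the signature being checked or skipped. It keys only on the two messages seen in the logs above ("Skip signature check (header option)" and "Check signature on Non-Full-Secured platform"); the function names and status labels are assumptions of this example.

```python
import re

# Excerpts of the BL2 output posted in this thread (before and after signing).
BEFORE = """\
INFO: Loading image id=4 at address 0x2fff0000
INFO: Image id=4 loaded: 0x2fff0000 - 0x30000000
INFO: BL2: Loading image id 5
INFO: Loading image id=5 at address 0xc0100000
INFO: STM32 Image size : 807362
WARNING: Skip signature check (header option)
INFO: Image id=5 loaded: 0xc0100000 - 0xc01c51c2
"""
AFTER = """\
INFO: Loading image id=5 at address 0xc0100000
INFO: STM32 Image size : 807362
INFO: Check signature on Non-Full-Secured platform
INFO: Image id=5 loaded: 0xc0100000 - 0xc01c51c2
"""

LOAD_RE = re.compile(r"Loading image id=(\d+) at address")
DONE_RE = re.compile(r"Image id=(\d+) loaded")

def audit_bl2_log(text):
    """Map each loaded image id to 'checked', 'skipped' or 'none'
    ('none' = no signature message seen between load start and load end)."""
    status, current = {}, None
    for line in text.splitlines():
        start = LOAD_RE.search(line)
        if start:
            current = int(start.group(1))
            status[current] = "none"
        elif current is None:
            continue
        elif "Skip signature check" in line:
            status[current] = "skipped"
        elif "Check signature on" in line:
            status[current] = "checked"
        elif (done := DONE_RE.search(line)) and int(done.group(1)) == current:
            current = None  # later lines belong to no image until the next load
    return status

def unverified_images(text):
    """Image ids for which the log gives no evidence of a signature check."""
    return sorted(i for i, s in audit_bl2_log(text).items() if s != "checked")

def platform_not_fully_secured(text):
    """True if BL2 itself reports a 'Non-Full-Secured platform'."""
    return any("Non-Full-Secured platform" in line for line in text.splitlines())
```

A "none" result, as for image id 4 in the first log, only means the console output carries no signature message for that image; the check treats it as unverified because the log gives no evidence of a check.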
2020-08-05 11:00 PM
Hi @Community member
I have completed enabling secure boot support on the Avenger96 board as per the thread above.
I'm now trying to enable Trusted boot support in u-boot with TPM
I have enabled the TPM support in u-boot
CONFIG_CMD_TPM_V2=y
CONFIG_CMD_TPM=y
CONFIG_TPM_V2=y
CONFIG_TPM2_TIS_SPI=y
CONFIG_TPM=y
I also added an SPI node to enable the TPM driver
diff --git a/arch/arm/dts/stm32mp157a-av96.dts b/arch/arm/dts/stm32mp157a-av96.dts
index 4e26181..fc1c480 100644
--- a/arch/arm/dts/stm32mp157a-av96.dts
+++ b/arch/arm/dts/stm32mp157a-av96.dts
@@ -26,3 +26,17 @@
pinctrl-1 = <&rcc_sleep_pins_a>;
status = "okay";
};
+
+&spi2 {
+ pinctrl-names = "default", "sleep";
+ pinctrl-0 = <&spi2_pins_a>;
+ pinctrl-1 = <&spi2_sleep_pins_a>;
+ status = "okay";
+
+ tpm_tis@0 {
+ compatible = "tis,tpm2-spi";
+ reg = <0>;
+ spi-max-frequency = <10000000>;
+ };
+};
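Review bot: The tpm_tis@0 child is addressed with "reg = <0>", but the &spi2 node added here carries no cs-gpios property, so nothing in this hunk says which line selects the TPM. If the select is a GPIO, add cs-gpios to &spi2; if it is meant to be the controller's hardware NSS, a one-line comment saying so would help. Minor style point: devicetree node names normally use a generic name without underscores, for example tpm@0.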
diff --git a/arch/arm/dts/stm32mp157a-pinctrl.dtsi b/arch/arm/dts/stm32mp157a-pinctrl.dtsi
index af19839..6c1ada3 100644
--- a/arch/arm/dts/stm32mp157a-pinctrl.dtsi
+++ b/arch/arm/dts/stm32mp157a-pinctrl.dtsi
@@ -1337,6 +1337,29 @@
};
};
+ spi2_pins_a: spi2-0 {
+ pins1 {
+ pinmux = <STM32_PINMUX('B', 10, AF5)>, /* SPI2_SCK */
+ <STM32_PINMUX('I', 3, AF5)>; /* SPI2_MOSI */
+ bias-disable;
+ drive-push-pull;
+ slew-rate = <1>;
+ };
+
+ pins2 {
+ pinmux = <STM32_PINMUX('I', 2, AF5)>; /* SPI2_MISO */
+ bias-disable;
+ };
+ };
+
+ spi2_sleep_pins_a: spi2-sleep-0 {
+ pins {
+ pinmux = <STM32_PINMUX('B', 10, ANALOG)>, /* SPI2_SCK */
+ <STM32_PINMUX('I', 2, ANALOG)>, /* SPI2_MISO */
+ <STM32_PINMUX('I', 3, ANALOG)>; /* SPI2_MOSI */
+ };
+ };
+
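Review bot: Both new groups, spi2_pins_a and spi2_sleep_pins_a, mux SCK, MISO and MOSI only; there is no SPI2_NSS entry in either state. If hardware NSS is intended it needs a pinmux line in both groups, and if a GPIO chip select is used instead, a short comment here would explain the omission. Separately, pins2 leaves MISO at bias-disable, so the line floats whenever the TPM is not driving it unless the board has an external pull; worth confirming against the schematic.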
But I'm facing issue with driver probe at u-boot
Hit any key to stop autoboot: 0
STM32MP> tpm
tpm tpm2
STM32MP> tpm info
stm32mp1_clk_get_id: clk id 131 not found
Could not find TPM (ret=-22)
STM32MP> tpm2 info
stm32mp1_clk_get_id: clk id 131 not found
Could not find TPM (ret=-22)
STM32MP>
If possible, please help me understand whether I'm doing the correct steps or missing something.
Help will be appreciated.
Regards,
kaushendra sah
2021-02-16 03:38 AM
Hi,
I'm also facing the same issue in spi2 - U-Boot to PISOSR shift register.
Please help on this...
2021-02-16 05:00 AM
Hi @Ganesh.T ,
Thanks for your comment.
This would require further information regarding your context.
Are you using a modified AV96 board with a secure chip, as @Kaushendra is?
In any case I recommend opening a new post with your specific issue.
You can mention this post as a reference if you think it helps to understand your context and issue.
Thanks,
Olivier