STM32MP157AAC Secure Boot Process on Avenger96 board

Kaushendra · ‎2020-05-05

Hi,

I would like to perform the secureboot on AV96 board. I have built the image with yocto openstlinux.I want to confirm the secure-boot scenario if Board Boots-up.

I'm sharing some logs,please comment me whether i need to seperately perfrom steps to make AV96 board boots securely.

NOTICE:  Model: Arrow Electronics STM32MP157A Avenger96 board
INFO:    Reset reason (0x10):
INFO:      Reset due to a failure of VDD_CORE
INFO:    Using SDMMC
INFO:      Instance 1
INFO:    Boot used partition fsbl1
NOTICE:  BL2: v2.0-r1.5(debug):
NOTICE:  BL2: Built : 13:13:37, Oct  2 2018
INFO:    BL2: Doing platform setup
INFO:    PMIC version = 0x10
INFO:    RAM: DDR3-1066/888 bin G 2x4Gb 533MHz v1.45
INFO:    Memory size = 0x40000000 (1024 MB)
INFO:    BL2 runs SP_MIN setup
INFO:    BL2: Loading image id 4
INFO:    Loading image id=4 at address 0x2fff0000
INFO:    Image id=4 loaded: 0x2fff0000 - 0x30000000
INFO:    BL2: Loading image id 5
INFO:    Loading image id=5 at address 0xc0100000
INFO:    STM32 Image size : 807362
WARNING: Skip signature check (header option)
INFO:    Image id=5 loaded: 0xc0100000 - 0xc01c51c2
INFO:    read version 0 current version 0
NOTICE:  BL2: Booting BL32
INFO:    Entry point address = 0x2fff0000
INFO:    SPSR = 0x1d3
INFO:    PMIC version = 0x10
NOTICE:  SP_MIN: v2.0-r1.5(debug):
NOTICE:  SP_MIN: Built : 13:13:37, Oct  2 2018
INFO:    ARM GICv2 driver initialized
INFO:    stm32mp HSI (18): Secure only
INFO:    stm32mp HSE (20): Secure only
INFO:    stm32mp PLL2 (27): Secure only
INFO:    stm32mp PLL2_R (30): Secure only
INFO:    SP_MIN: Initializing runtime services

Thanks

kaushendra

Kaushendra · ‎2020-07-29

Hi @Community member

I'm somewhat able to debug for Point No. 1 with version 2.4.0

***************************************************************

./STM32MP_KeyGen_CLI -ecc 1 -abs /home/kaushendra/kaush/ARROW/SEED/Avenger_secure_boot -pwd seed

o/p

seed

-------------------------------------------------------------------

STM32MP Key Generator v1.0.0

-------------------------------------------------------------------

Prime256v1 curve is selected.

AES_256_cbc algorithm is selected for private key encryption

Generating Prime256v1 keys...

Private key PEM file created

Public key PEM file created

public key hash file created

Keys generated successfully.

+ public key: /home/kaushendra/STM32MP_KeyGen/publicKey.pem

+ private key: /home/kaushendra/STM32MP_KeyGen/privateKey.pem

+ public hash key: /home/kaushendra/STM32MP_KeyGen/publicKeyhash.bin

issue: publicKeyhash.bin generated is size zero

[15:02:33] kaushendra@AHMCPU2172:~/STM32MP_KeyGen$ ls -lrt

total 8

-r-------- 1 kaushendra kaushendra 379 Jul 29 13:13 privateKey.pem

-r--r--r-- 1 kaushendra kaushendra 178 Jul 29 13:13 publicKey.pem

-r--r--r-- 1 kaushendra kaushendra 0 Jul 29 13:13 publicKeyhash.bin

[15:21:16] kaushendra@AHMCPU2172:~/STM32MP_KeyGen$

your help will be appreciated.

Reg,

kaushendra

Olivier GALLIEN · ‎2020-07-29

STM32CubeProgrammer V2.5 is the version available on st.com :

https://www.st.com/en/development-tools/stm32cubeprog.html

Olivier

Olivier GALLIEN
In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

Kaushendra · ‎2020-07-29

Thanks I'll test my scenario with new version and update on you.

Reg,

kaushendra

Kaushendra · ‎2020-07-29

Hi @Community member

with the upgrade to V2.5 i'm able to generate keys now.

/***************************************************/

[17:36:03] kaushendra@AHMCPU2172:~/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin$ ./STM32MP_KeyGen_CLI -ecc 1 -pubk /home/kaushendra/secure_keys/public.pem -prvk endra/secure_keys/private.pem -hash /home/kaushendra/secure_keys/pubKeyHash.bin -pwd seed

-------------------------------------------------------------------

STM32MP Key Generator v1.0.0

-------------------------------------------------------------------

brainpoolP256t1 curve is selected.

AES_256_cbc algorithm is selected for private key encryption

Generating brainpoolP256t1 keys...

Private key PEM file created

Public key PEM file created

public key hash file created

Keys generated successfully.

+ public key: /home/kaushendra/secure_keys/public.pem

+ private key: /home/kaushendra/secure_keys/private.pem

+ public hash key: /home/kaushendra/secure_keys/pubKeyHash.bin

/*******************************************************************************/

I'll keep you posted if any issue for further steps for secure boot in avenger96

Thanks for support.

Reg,

kaushendra

Kaushendra · ‎2020-07-29

Hi @Community member

I have done Section 2.2 Key registration (https://wiki.st.com/stm32mpu/wiki/STM32MP15_secure_boot#Key_registration)

Now I'm working over Section 2.3 Image signing (https://wiki.st.com/stm32mpu/wiki/Signing_tool)

Query No .1: Need to know Which file to pass for Command line options

--binary-image -bin
--load-address -la
--entry-point -ep

I would like to know whether Kernel Image ,u-boot or FSBL has to pe put there and what will be addresses

--files available to me in STM-yocto

tf-a-stm32mp157a-av96-trusted.stm32

tf-a-bl32-trusted.elf

tf-a-bl2-trusted.elf

u-boot-stm32mp157a-av96-trusted.stm32

Image--4.19-r0.14-stm32mp1-av96-20200430051417.bin

help will be appreciated as i'm doing this secure boot feature for the very first time

regards,

kaushendra

Kaushendra · ‎2020-07-30

Hi @Community member

I was able to resolve Image Signing issue with following:

FSBL:tf-a-stm32mp157a-av96-trusted.stm32

SSBL:u-boot-stm32mp157a-av96-trusted.stm32

Able to acheived 2.6.2 TF-A authentication

INFO:    Loading image id=5 at address 0xc0100000
INFO:    STM32 Image size : 807362
INFO:    Check signature on Non-Full-Secured platform
INFO:    Image id=5 loaded: 0xc0100000 - 0xc01c51c2
INFO:    read version 0 current version 0
NOTICE:  BL2: Booting BL32
INFO:    Entry point address = 0x2fff000

Thanks for the support.

Regards,

kaushendra sah

Kaushendra · ‎2020-08-05

HI @Community member

As I'm Completed with enabling Secure Boot Support over Avenger96 Board as per mentioned thread above.

I'm now trying to enable Trusted boot support in u-boot with TPM

I have enabled the TPM support in u-boot

CONFIG_CMD_TPM_V2=y
CONFIG_CMD_TPM=y
CONFIG_TPM_V2=y
CONFIG_TPM2_TIS_SPI=y
CONFIG_TPM=y

I also added SPI Node w.r.t enable TPM driver

diff --git a/arch/arm/dts/stm32mp157a-av96.dts b/arch/arm/dts/stm32mp157a-av96.dts
index 4e26181..fc1c480 100644
--- a/arch/arm/dts/stm32mp157a-av96.dts
+++ b/arch/arm/dts/stm32mp157a-av96.dts
@@ -26,3 +26,17 @@
 	pinctrl-1 = <&rcc_sleep_pins_a>;
 	status = "okay";
 };
+
+&spi2 {
+         pinctrl-names = "default", "sleep";
+         pinctrl-0 = <&spi2_pins_a>;
+         pinctrl-1 = <&spi2_sleep_pins_a>;
+         status = "okay";        
+
+         tpm_tis@0 {
+                 compatible = "tis,tpm2-spi";
+                 reg = <0>;
+                 spi-max-frequency = <10000000>;
+         };
+};
diff --git a/arch/arm/dts/stm32mp157a-pinctrl.dtsi b/arch/arm/dts/stm32mp157a-pinctrl.dtsi
index af19839..6c1ada3 100644
--- a/arch/arm/dts/stm32mp157a-pinctrl.dtsi
+++ b/arch/arm/dts/stm32mp157a-pinctrl.dtsi
@@ -1337,6 +1337,29 @@
 				};
 			};
 
+			spi2_pins_a: spi2-0 {
+                                pins1 {
+                                        pinmux = <STM32_PINMUX('B', 10, AF5)>, /* SPI2_SCK */
+                                                 <STM32_PINMUX('I', 3, AF5)>; /* SPI2_MOSI */
+                                        bias-disable;
+                                        drive-push-pull;
+                                        slew-rate = <1>;
+                                };
+
+                                pins2 {
+                                        pinmux = <STM32_PINMUX('I', 2, AF5)>; /* SPI2_MISO */
+                                        bias-disable;
+                                };
+                        };
+			
+			spi2_sleep_pins_a: spi2-sleep-0 {
+				pins {
+					pinmux = <STM32_PINMUX('B', 10, ANALOG)>, /* SPI2_SCK */
+						 <STM32_PINMUX('I', 2, ANALOG)>, /* SPI2_MISO */
+                         			 <STM32_PINMUX('I', 3, ANALOG)>; /* SPI2_MOSI */
+        			};
+			};
+

But I'm facing issue with driver probe at u-boot

Hit any key to stop autoboot:  0 
STM32MP> tpm
  tpm tpm2
STM32MP> tpm info
stm32mp1_clk_get_id: clk id 131 not found
Could not find TPM (ret=-22)
STM32MP> tpm2 info
stm32mp1_clk_get_id: clk id 131 not found
Could not find TPM (ret=-22)
STM32MP>

If possible please help me understand whether i'm doing the correct steps of missing something.

help will be appreciated.

Regards,

kaushendra sah

Ganesh.T · ‎2021-02-16

Hi,

Im also facing same issue in spi2 - uboot to PISOSR shift register ..

Please help on this...

Olivier GALLIEN · ‎2021-02-16

Hi @Ganesh.T ,

Thanks for your comment.

This would require to get further information regarding your context.

Are you using a modified AV96 board with secure chip as @Kaushendra ?

In any case I recommand to open a new post with your specific issue.

You can mention as reference this post if you think it help to understand your context and issue.

Thanks,

Olivier

Olivier GALLIEN
In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.