
STM32MP15x lines: Activate secure_and_system_services profile

Charles Dias
Associate III

Dear all,

I'm trying to run a TA application on the STM32MP157C-DK2 board. I'm using the STM32MPU Developer Package to build TF-A and OP-TEE.

I've built the TF-A using the command below:

make -f $PWD/../Makefile.sdk TF_A_DEVICETREE=stm32mp157c-dk2 TF_A_CONFIG=optee-sdcard STM32MP1_OPTEE_IN_SYSRAM=1 ELF_DEBUG_ENABLE='1' all

After that, I copied the generated file STM32MP1-Ecosystem-v5.1.0/Developer-Package/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26/sources/arm-ostl-linux-gnueabi/tf-a-stm32mp-v2.8.15-stm32mp-r2-r0/deploy/tf-a-stm32mp157c-dk2-optee-sdcard.stm32 to STM32MP1-Ecosystem-v5.1.0/Starter-Package/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26/images/stm32mp1/arm-trusted-firmware/

Is this right?

Then, I built the OP-TEE

make -f $PWD/../Makefile.sdk CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-dk2 CFG_STM32MP_PROFILE=secure_and_system_services all

And copied the files from STM32MP1-Ecosystem-v5.1.0/Developer-Package/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26/sources/arm-ostl-linux-gnueabi/FIP_artifacts/fip/ to STM32MP1-Ecosystem-v5.1.0/Starter-Package/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26/images/stm32mp*/fip/

So, when I try to flash the board I receive the following output:

NOTICE:  CPU: STM32MP157CAC Rev.B
NOTICE:  Model: STMicroelectronics STM32MP157C-DK2 Discovery Board
NOTICE:  Board: MB1272 Var2.0 Rev.C-01
INFO:    PMIC version = 0x10
INFO:    Reset reason (0x15):
INFO:      Power-on Reset (rst_por)
INFO:    FCONF: Reading TB_FW firmware configuration file from: 0x2ffe2000
INFO:    FCONF: Reading firmware configuration information for: stm32mp_io
INFO:    FCONF: Reading firmware configuration information for: stm32mp_fuse
INFO:    Using USB
INFO:      Instance 2
INFO:    Boot used partition fsbl1
NOTICE:  BL2: v2.8-stm32mp1-r2.0(debug):lts-v2.8.15-dirty(567af710)
NOTICE:  BL2: Built : 00:51:33, Jan 26 2024
INFO:    BL2: Doing platform setup
INFO:    RAM: DDR3-DDR3L 16bits 533000kHz
INFO:    Memory size = 0x20000000 (512 MB)
INFO:    DFU USB START...
INFO:    phase ID :3, Manifestation 3 at c71a7e52
INFO:    Send detach request
INFO:    Receive DFU Detach
INFO:    DFU USB STOP...
INFO:    BL2: Loading image id 1
INFO:    Loading image id=1 at address 0x2ffff000
INFO:    Image id=1 loaded: 0x2ffff000 - 0x2ffff1ea
INFO:    FCONF: Reading FW_CONFIG firmware configuration file from: 0x2ffff000
INFO:    FCONF: Reading firmware configuration information for: dyn_cfg
INFO:    FCONF: Reading firmware configuration information for: stm32mp1_firewall
INFO:    BL2: Loading image id 4
INFO:    Loading image id=4 at address 0xde000000
INFO:    Image id=4 loaded: 0xde000000 - 0xde00002c
INFO:    OPTEE ep=0xde000000
INFO:    OPTEE header info:
INFO:          magic=0x4554504f
INFO:          version=0x2
INFO:          arch=0x0
INFO:          flags=0x0
INFO:          nb_images=0x2
WARNING: The load address in optee header 0x2ffc0000 - 0x2ffd3bd0 is not in reserved area: 0xde000000 - 0xe0000000.
ERROR:   OPTEE header parse error.
PANIC at PC : 0x2ffec987

Exception mode=0x00000016 at: 0x2ffec987

 

 

Thank you!

 

 
Accepted Solutions

I summarized the steps to change the profile to secure_and_system_services and enable the execution in SYSRAM for STM32MP157C-DK2 board:

 

Environment Setup

1. Set up the environment as described at https://wiki.st.com/stm32mpu/wiki/STM32MPU_Developer_Package.

 

Updating OP-TEE

1. Follow the OP-TEE setup instructions provided in https://github.com/STMicroelectronics/meta-st-stm32mp/blob/mickledore/recipes-security/optee/optee-os/README.HOW_TO.txt.

 

2. Initialize the SDK.

 

3. Navigate to the directory <path-to-folder>/STM32MP1-Ecosystem-v5.1.0/Developer-Package/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26/sources/arm-ostl-linux-gnueabi/optee-os-stm32mp-3.19.0-stm32mp-r2-r0/optee-os-stm32mp-3.19.0-stm32mp-r2

4. Export the FIP_DEPLOYDIR_ROOT variable:
export FIP_DEPLOYDIR_ROOT=$PWD/../../FIP_artifacts

5. Compile OP-TEE with the following command. Skipping this step may result in a compilation error in the next step.

make -f $PWD/../Makefile.sdk all

 

6. Enable the secure_and_system_services profile and execution in SYSRAM:
make -f $PWD/../Makefile.sdk CFG_EMBED_DTB_SOURCE_FILE=stm32mp157c-dk2 CFG_STM32MP_PROFILE=secure_and_system_services CFG_STM32MP1_OPTEE_IN_SYSRAM=y all

7. Check the generated files. These will be used to update the FIP:
- ../deploy/tee-header_v2-stm32mp157c-dk2.bin
- ../deploy/tee-pager_v2-stm32mp157c-dk2.bin
- ../deploy/tee-pageable_v2-stm32mp157c-dk2.bin

 

Updating TF-A

1. Follow the TF-A setup instructions provided in https://github.com/STMicroelectronics/meta-st-stm32mp/blob/mickledore/recipes-bsp/trusted-firmware-a/tf-a-stm32mp/README.HOW_TO.txt.

 

2. Navigate to the directory <path-to-folder>/STM32MP1-Ecosystem-v5.1.0/Developer-Package/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26/sources/arm-ostl-linux-gnueabi/tf-a-stm32mp-v2.8.15-stm32mp-r2-r0/tf-a-stm32mp-v2.8.15-stm32mp-r2

3. Export the `FIP_DEPLOYDIR_ROOT` variable:
export FIP_DEPLOYDIR_ROOT=$PWD/../../FIP_artifacts

4. Compile TF-A, enabling execution in SYSRAM:
make -f $PWD/../Makefile.sdk TF_A_DEVICETREE=stm32mp157c-dk2 TF_A_CONFIG=optee-sdcard ELF_DEBUG_ENABLE='1' STM32MP1_OPTEE_IN_SYSRAM=1 all

5. Check the generated file:
- ../deploy/tf-a-stm32mp157c-dk2-optee-sdcard.stm32

 

6. Copy the generated file to the appropriate directory:
cp -rvf ../deploy/tf-a-stm32mp157c-dk2-optee-sdcard.stm32 <path-to-folder>/STM32MP1-Ecosystem-v5.1.0/Starter-Package/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26/images/stm32mp1/arm-trusted-firmware/

Updating the FIP

After compiling TF-A, the fip-stm32mp157c-dk2-optee-sdcard.bin file is 1,466,490 bytes. It is necessary to update the Secure OS (OP-TEE), OP-TEE pager, and OP-TEE pageable. This can be done using the fiptool. Refer to https://wiki.st.com/stm32mpu/wiki/How_to_configure_TF-A_FIP.

 

1. Navigate to the directory <path-to-folder>/STM32MP1-Ecosystem-v5.1.0/Developer-Package/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26/sources/arm-ostl-linux-gnueabi/optee-os-stm32mp-3.19.0-stm32mp-r2-r0/optee-os-stm32mp-3.19.0-stm32mp-r2


2. Update the FIP with the generated OP-TEE files:
fiptool update --tos-fw ../deploy/tee-header_v2-stm32mp157c-dk2.bin ../../FIP_artifacts/fip/fip-stm32mp157c-dk2-optee-sdcard.bin && \
fiptool update --tos-fw-extra1 ../deploy/tee-pager_v2-stm32mp157c-dk2.bin ../../FIP_artifacts/fip/fip-stm32mp157c-dk2-optee-sdcard.bin && \
fiptool update --tos-fw-extra2 ../deploy/tee-pageable_v2-stm32mp157c-dk2.bin ../../FIP_artifacts/fip/fip-stm32mp157c-dk2-optee-sdcard.bin

3. After updating, the fip-stm32mp157c-dk2-optee-sdcard.bin file size should be 1,736,274 bytes.

 

4. Copy the updated FIP to the Starter Package directory:
cp -rvf $FIP_DEPLOYDIR_ROOT/fip/* <path-to-folder>/STM32MP1-Ecosystem-v5.1.0/Starter-Package/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26/images/stm32mp*/fip/

Populating the SD Card

1. Use the STM32CubeProgrammer to populate the SD Card as described at https://wiki.st.com/stm32mpu/wiki/Getting_started/STM32MP1_boards/STM32MP157x-DK2/Let's_start/Populate_the_target_and_boot_the_image#Populate_the_SD_card.
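
The size comparison in step 3 of "Updating the FIP" shows that the FIP changed, not that it carries the binaries that were just built. The following added example (not part of the original post or of ST's tooling) walks the FIP table of contents and reports built files whose exact bytes are absent from the FIP; it assumes the standard TF-A ToC layout, and `make_fip` with its UUIDs and payloads is a constructed helper so the check runs offline.

```python
import hashlib
import struct
import sys

TOC_HEADER = struct.Struct("<IIQ")    # name, serial_number, flags
TOC_ENTRY = struct.Struct("<16sQQQ")  # uuid, offset_address, size, flags
TOC_HEADER_NAME = 0xAA640001
NULL_UUID = bytes(16)                 # UUID of the terminating ToC entry


def fip_payload_digests(fip):
    """Map sha256(payload) -> entry UUID (hex) for every payload in the FIP."""
    if len(fip) < TOC_HEADER.size:
        raise ValueError("file too short for a FIP ToC header")
    if TOC_HEADER.unpack_from(fip, 0)[0] != TOC_HEADER_NAME:
        raise ValueError("not a FIP: bad ToC header name")
    digests, pos = {}, TOC_HEADER.size
    while pos + TOC_ENTRY.size <= len(fip):
        uuid, offset, size, _flags = TOC_ENTRY.unpack_from(fip, pos)
        if uuid == NULL_UUID:
            return digests
        if offset + size > len(fip):
            raise ValueError(f"entry {uuid.hex()} points past the end of the file")
        digests[hashlib.sha256(fip[offset:offset + size]).hexdigest()] = uuid.hex()
        pos += TOC_ENTRY.size
    raise ValueError("ToC has no terminating entry")


def missing_from_fip(fip, built):
    """Return names from built (name -> bytes) whose content is not in the FIP."""
    present = fip_payload_digests(fip)
    return [name for name, data in built.items()
            if hashlib.sha256(data).hexdigest() not in present]


def make_fip(payloads):
    """Build a small constructed FIP (made-up UUIDs) so the check runs offline."""
    toc_len = TOC_HEADER.size + (len(payloads) + 1) * TOC_ENTRY.size
    toc, body = TOC_HEADER.pack(TOC_HEADER_NAME, 0, 0), b""
    for i, data in enumerate(payloads, start=1):
        toc += TOC_ENTRY.pack(bytes([i]) * 16, toc_len + len(body), len(data), 0)
        body += data
    return toc + TOC_ENTRY.pack(NULL_UUID, toc_len + len(body), 0, 0) + body


if __name__ == "__main__":
    if len(sys.argv) > 2:   # usage: check.py <fip.bin> <built file>...
        fip = open(sys.argv[1], "rb").read()
        built = {p: open(p, "rb").read() for p in sys.argv[2:]}
    else:                   # constructed data: the header in the FIP is stale
        fip = make_fip([b"old tee-header", b"new tee-pager"])
        built = {"tee-header": b"new tee-header", "tee-pager": b"new tee-pager"}
    print(missing_from_fip(fip, built) or "every built file is in the FIP")
```

Run against the real files, the arguments would be the FIP followed by the three `tee-*_v2` binaries from `../deploy/`; any name printed is a payload the FIP does not contain.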

Erwan SZYMANSKI
ST Employee

Hello @Charles Dias ,
You compiled and deployed TF-A BL2 correctly, but I suspect you did not update the BL31 FIP device tree.
It is mentioned in this paragraph, after the TF-A BL2 compilation: https://wiki.st.com/stm32mpu/wiki/TF-A_BL31_overview#Build_process

So please follow this article https://wiki.st.com/stm32mpu/wiki/How_to_configure_TF-A_FIP#STM32MP1_series and update your TF-A built fw-config.dtb device tree into the FIP.

As you ask OP-TEE to run in SYSRAM, it means the FW config has changed. However, inside your FIP, it still thinks that OP-TEE is in DDR due to a non-updated fw-config.dtb.

Kind regards,
Erwan.

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.
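
The mismatch described in this reply can be caught on the build host before flashing. The following added example (not from the thread or from ST) parses a `tee-header_v2` blob and repeats the range comparison that the BL2 warning reports. The header layout (12 bytes plus 16 bytes per image, which matches the 0x2c bytes BL2 loads for image id 4) and the all-ones "dynamic address" convention are assumptions; the sample header's second image and the SYSRAM range are constructed.

```python
import struct
import sys

OPTEE_MAGIC = 0x4554504F       # magic value printed in the BL2 log
HDR = struct.Struct("<IBBHI")  # magic, version, arch, flags, nb_images
IMG = struct.Struct("<IIII")   # load_addr_hi, load_addr_lo, image_id, size
DYNAMIC = 0xFFFFFFFFFFFFFFFF   # assumption: all-ones = address chosen by the loader


def parse_header(blob):
    """Return [(image_id, load_addr, size), ...] from a tee-header_v2 blob."""
    if len(blob) < HDR.size:
        raise ValueError("truncated OP-TEE header")
    magic, version, _arch, _flags, nb_images = HDR.unpack_from(blob, 0)
    if magic != OPTEE_MAGIC or version != 2:
        raise ValueError(f"not an OP-TEE v2 header (magic={magic:#x}, version={version})")
    if len(blob) < HDR.size + nb_images * IMG.size:
        raise ValueError("image table truncated")
    images = []
    for i in range(nb_images):
        hi, lo, image_id, size = IMG.unpack_from(blob, HDR.size + i * IMG.size)
        images.append((image_id, (hi << 32) | lo, size))
    return images


def out_of_region(blob, start, end):
    """Describe every image whose load range is not inside [start, end]."""
    problems = []
    for image_id, load, size in parse_header(blob):
        if load == DYNAMIC:
            continue
        if not (start <= load and load + size <= end):
            problems.append(f"image {image_id}: {load:#x} - {load + size:#x} "
                            f"not in {start:#x} - {end:#x}")
    return problems


# Constructed sample: header fields and the first image's range are the ones in
# the log; the second image (dynamic address, size 0x1000) is made up.
SAMPLE = (HDR.pack(OPTEE_MAGIC, 2, 0, 0, 2)
          + IMG.pack(0, 0x2FFC0000, 0, 0x13BD0)
          + IMG.pack(0xFFFFFFFF, 0xFFFFFFFF, 1, 0x1000))
DDR_REGION = (0xDE000000, 0xE0000000)     # reserved area reported in the log
SYSRAM_REGION = (0x2FFC0000, 0x2FFE0000)  # constructed; use the range from your fw-config

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in out_of_region(blob, *DDR_REGION) or ["all images inside the region"]:
        print(line)
```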

Hello @Erwan SZYMANSKI.

I'll take a look, but could ST provide a tutorial about changing the profile to allow running a TA for one of the developer boards? I read countless pages of documentation and found essential information scattered across different pages. Even after that, I still couldn't manage to change the profile to run a TA.

Thanks for your help.

Hello @Charles Dias ,
Thank you for your feedback. Can you explain your current status right now and at which step you are blocked?

Kind regards,
Erwan.

Charles Dias
Associate III

Hello @Erwan SZYMANSKI,

The last link shared by you helped me a lot! Thank you!

I was stuck on how to create the FIP with the updated TF-A and OP-TEE at the same time. When I ran the commands described at the beginning of this post, the FIP was generated with only the TF-A or OP-TEE update information, not both. Using the fiptool I updated the fip file.

Profile changed to secure_and_system_services.


Test with optee_example_hello_world.


@Erwan SZYMANSKI I've spent a very long time trying to get this to work for the stm32mp157f-dk2 with ecosystem version 5.1.0. I was able to get OP-TEE running in SYSRAM for 5.0.0, but it seems something has changed with 5.1.0. I'm using the following script to build OP-TEE and TF-A, create the FIP, update the Starter Package, and program the board:

#!/bin/bash

# Compiles U-BOOT, TF-A BL2, and OP-TEE for mp157f-dk2 with OP-TEE in SYSRAM and updates Starter Package
#   NB: This script expects that all sources are extracted with patches already applied and that the cross-compilation environment has been sourced

BASEDIR="${PWD}/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26/sources/arm-ostl-linux-gnueabi"
FIP_DEPLOYDIR_ROOT="${BASEDIR}/FIP_artifacts"
FWCONF_DIR="${FIP_DEPLOYDIR_ROOT}/arm-trusted-firmware/fwconfig/"
STARTER_PKG_DIR="${PWD}/../Starter-Package/stm32mp1-openstlinux-6.1-yocto-mickledore-mpu-v24.06.26"

echo ""
echo "******************************"
echo "**** STEP 1: BUILD U-BOOT ****"
echo "******************************"
cd "$BASEDIR/u-boot-stm32mp-v2022.10-stm32mp-r2-r0/u-boot-stm32mp-v2022.10-stm32mp-r2"
make stm32mp15_defconfig
make DEVICE_TREE=stm32mp157f-dk2 all
cp u-boot-nodtb.bin $FIP_DEPLOYDIR_ROOT/u-boot/u-boot-nodtb-stm32mp15.bin
cp u-boot.dtb $FIP_DEPLOYDIR_ROOT/u-boot/u-boot-stm32mp157f-dk2.dtb
echo Done


echo ""
echo "******************************"
echo "**** STEP 3: BUILD OP-TEE ****"
echo "******************************"
cd "$BASEDIR/optee-os-stm32mp-3.19.0-stm32mp-r2-r0/optee-os-stm32mp-3.19.0-stm32mp-r2"
make -f $PWD/../Makefile.sdk all
make -f $PWD/../Makefile.sdk CFG_EMBED_DTB_SOURCE_FILE=stm32mp157f-dk2 CFG_STM32MP_PROFILE=secure_and_system_services CFG_STM32MP1_OPTEE_IN_SYSRAM=y CFG_WITH_USER_TA=y FIP_DEPLOYDIR_ROOT=$FIP_DEPLOYDIR_ROOT DEPLOYDIR=$FIP_DEPLOYDIR_ROOT/optee all
echo Done


echo ""
echo "********************************"
echo "**** STEP 2: BUILD TF-A BL2 ****"
echo "********************************"
cd "$BASEDIR/tf-a-stm32mp-v2.8.15-stm32mp-r2-r0/tf-a-stm32mp-v2.8.15-stm32mp-r2"
make -f $PWD/../Makefile.sdk PLAT=stm32mp1 STM32MP_SDMMC=1 STM32MP15=1 DTB_FILE_NAME=stm32mp157f-dk2.dtb TF_A_DEVICETREE=stm32mp157f-dk2 \
  STM32MP1_OPTEE_IN_SYSRAM=1 TF_A_CONFIG=optee-sdcard DEPLOYDIR=$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware all
cp -rvf $BASEDIR/tf-a-stm32mp-v2.8.15-stm32mp-r2-r0/build/fwconfig/* $FWCONF_DIR
echo Done


echo ""
echo "***********************************"
echo "**** STEP 4: UPDATE FIP BINARY ****"
echo "***********************************"
cd $FIP_DEPLOYDIR_ROOT/fip
fiptool create --tos-fw ../optee/tee-header_v2-stm32mp157f-dk2.bin \
               --tos-fw-extra1 ../optee/tee-pager_v2-stm32mp157f-dk2.bin \
               --tos-fw-extra2 ../optee/tee-pageable_v2-stm32mp157f-dk2.bin \
               --hw-config ../u-boot/u-boot-stm32mp157f-dk2.dtb \
               --fw-config ../arm-trusted-firmware/fwconfig/stm32mp157f-dk2-fw-config-optee-sdcard.dtb \
               --nt-fw ../u-boot/u-boot-nodtb-stm32mp15.bin \
               fip-stm32mp157f-dk2-optee-sdcard.bin
echo Done


echo ""
echo "****************************************"
echo "**** STEP 5: UPDATE STARTER PACKAGE ****"
echo "****************************************"
rm -rf $STARTER_PKG_DIR/images/stm32mp1/arm-trusted-firmware/*
rm -rf $STARTER_PKG_DIR/images/stm32mp1/fip/*
cd $FIP_DEPLOYDIR_ROOT
cp -rvf arm-trusted-firmware/* $STARTER_PKG_DIR/images/stm32mp1/arm-trusted-firmware/
cp -rvf fip/* $STARTER_PKG_DIR/images/stm32mp1/fip/
cp -vf $BASEDIR/tf-a-stm32mp-v2.8.15-stm32mp-r2-r0/build/optee-sdcard-stm32mp15-stm32mp157f-dk2/*.stm32 $STARTER_PKG_DIR/images/stm32mp1/arm-trusted-firmware
echo Done

However, when programming the board, partition 0x3 fails with the following error message:

NOTICE:  BL2: v2.8-stm32mp1-r2.0(debug):lts-v2.8.15-dirty(567af710)
NOTICE:  BL2: Built : 00:51:33, Jan 26 2024
INFO:    BL2: Doing platform setup
INFO:    RAM: DDR3-DDR3L 16bits 533000kHz
INFO:    Memory size = 0x20000000 (512 MB)
INFO:    DFU USB START...
INFO:    phase ID :3, Manifestation 3 at c71a7f22
INFO:    Send detach request
INFO:    Receive DFU Detach
INFO:    DFU USB STOP...
INFO:    BL2: Loading image id 1
INFO:    Loading image id=1 at address 0x2ffff000
INFO:    Image id=1 loaded: 0x2ffff000 - 0x2ffff1ea
INFO:    FCONF: Reading FW_CONFIG firmware configuration file from: 0x2ffff000
INFO:    FCONF: Reading firmware configuration information for: dyn_cfg
INFO:    FCONF: Reading firmware configuration information for: stm32mp1_firewall
INFO:    BL2: Loading image id 4
INFO:    Loading image id=4 at address 0xde000000
INFO:    Image id=4 loaded: 0xde000000 - 0xde00002c
INFO:    OPTEE ep=0xde000000
INFO:    OPTEE header info:
INFO:          magic=0x4554504f
INFO:          version=0x2
INFO:          arch=0x0
INFO:          flags=0x0
INFO:          nb_images=0x2
WARNING: The load address in optee header 0x2ffc0000 - 0x2ffd3bd0 is not in reserved area: 0xde000000 - 0xe0000000.
ERROR:   OPTEE header parse error.
PANIC at PC : 0x2ffec987

Exception mode=0x00000016 at: 0x2ffec987

Any help you can provide would be very appreciated.