How to configure TF-A SP-MIN

Applicable for

STM32MP15x lines

---

1. Article purpose[edit source]

This section details the TF-A SP-MIN (BL32) component. It explains how to use it in STM32 MPU runtime context, the build process from sources, and how to deploy it on your target.

2. Overview[edit source]

TF-A SP-MIN is a secure partition that can be used for the ST boot chain.
This secure partition is executed in monitor mode. It is a secure implementation for limited services:

• PSCI
• SCMI
• SiP services

For a more complete secure implementation, choose OP-TEE OS.

Warning

TF-A SP-MIN images must be embedded in the FIP binary that is loaded by TF-A BL2 and can be automatically authentified.

3. Configuration[edit source]

TF-A SP-MIN is based on device tree configuration.
Its device tree (called TOS_FW_CONFIG) is also loaded by the TF-A BL2 and its load address is passed to SP-MIN as second argument. It allows the SP-MIN code to remain generic and adapt the board compatibility based on the device tree.

4. Memory layout[edit source]

SP-MIN binary (bl32.bin) is embedded in the FIP binary and identified as tos-fw.
The SP-MIN device tree is also embedded in the FIP and identified as tos-fw-config.

The SP-MIN is built with the PIE option which makes the code executable from a configurable address. The load addresses for SP-MIN and the device tree is configurable thanks to TF-A firmware configuration framework. If required, the load address can be independently changed by modifying the firmware configuration file.

5. Source code access and build process[edit source]

Cross compilation of TF-A SP-MIN is only required if it has to be modified.
Refer to Setup Cross compile environment.

If changes have been made, rebuild TF-A (SP-MIN) and update the FIP. Update the associated FIP partitions of your boot device with this new image.

The build process creates a TF-A SP-MIN image and its device tree.

5.1. Install sources[edit source]

5.1.1. From the Developer package[edit source]

The Developer Package contains OpenSTLinux and TF-A sources: TF-A Installation

5.1.2. Official source tree[edit source]

Download source code from the official Trusted Firmware-A git repository.

  git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git

Warning

The STM32MP1 platform is not yet fully upstreamed. Depending on the version used, some features may not be available.

For a full-featured software, go to STMicroelectronics github:

  git clone https://github.com/STMicroelectronics/arm-trusted-firmware.git

5.1.3. Distribution Package[edit source]

It is possible to use the distribution package to download and rebuid TF-A SP-MIN

5.1.4. Build Process[edit source]

5.1.4.1. TF-A Build flags[edit source]

Here is the list of the mandatory flags that need to be specified to complete the SP-MIN build:

• ARM_ARCH_MAJOR=7: the major version of Arm Architecture to target (STM32MP1 is based no an Arm v7 architecture)
• ARCH=aarch32: specifies aarch32 architecture to be built
• PLAT=stm32mp1: builds an STM32MP1 platform
• DTB_FILE_NAME=<fdt file name>.dtb: this flag must be defined to build the proper target and include the correct DTB file into the final file
• AARCH32_SP=sp_min: selects SP-MIN as secure partition

Optional flags:

• BUILD_PLAT=<folder>: custom output folder name (default is build/<debug/release>/)
• DEBUG=1: adds debug information in all binaries
• V=1: prints verbose compilation traces

5.1.5. Build command[edit source]

Warning

The DTB_FILE_NAME flag and the AARCH32_SP=sp_min must be set to select the correct board configuration. The device tree file for the target must be located in fdts folder (<board>.dts)

First add your own environment flags:

  unset LDFLAGS;
  unset CFLAGS;

Then compile the TF-A SP-MIN (BL32).

5.1.5.1. STM32MP15[edit source]

The default build command for STM32MP15 is:

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=<board>.dtb bl32 dtbs

Here is the build command for the stm32mp157c-ev1 board:

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=stm32mp157c-ev1.dtb bl32 dtbs

5.1.6. Final image[edit source]

Final images are available for updating the FIP binary (including the associated firmware configuration file):

<BUILD_PLAT>/bl32.bin
<BUILD_PLAT>/fdts/<board>.dtb
<BUILD_PLAT>/fdts/<board>-fw-config.dtb
Ex:
build/release/bl32.bin
build/release/fdts/stm32mp157c-ev1.dtb
build/release/fdts/stm32mp157c-ev1-fw-config.dtb

5.2. Updating the software[edit source]

SP_MIN binary and its associated firmware are part of the FIP binary.
The next step to deploy the SP-MIN firmware is to update the FIP binary following the FIP update process.

5.3. Extra tips[edit source]

When generating the SP-MIN, it is also possible in a single line to generate the associated FIP with the following command.
Example for STM32MP15 platform:

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=sp_min \
         DTB_FILE_NAME=<board_name>.dtb BL33=<u-boot_path>/u-boot-nodtb.bin \
         BL33_CFG=<u-boot_path>/u-boot.dtb bl32 dtbs fip