1. Article purpose
This section details the TF-A BL2 stage (Trusted Firmware-A Boot Loader stage 2) used as FSBL (First Stage Boot Loader).
It explains how to configure and build BL2 in STM32 MPU context, describes the build process from sources, and shows how to deploy it on your target.
2. Source code access and build process
2.1. Cross compilation
Cross compilation of TF-A BL2 is only required if it needs to be modified.
Refer to Setup Cross compile environment.
The build process creates an STM32 image; this binary is built in a single step.
2.2. Install sources
2.2.1. From the Developer package
The Developer Package contains the OpenSTLinux and TF-A sources; see TF-A Installation.
2.2.2. Official source tree
Download the source code from the official Trusted Firmware-A git repository:
git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git
For the full-featured STMicroelectronics version, clone from the STMicroelectronics GitHub:
git clone https://github.com/STMicroelectronics/arm-trusted-firmware.git
2.2.3. Distribution Package
It is possible to use the Distribution Package to download and rebuild TF-A BL2.
2.3. Build process
2.3.1. TF-A Build flags
Generic flags are documented at https://trustedfirmware-a.readthedocs.io/en/v2.6/plat/stm32mp1.html#build-instructions and in the TF-A repository under docs/plat/stm32mp1.rst.
Optional flags:
- TRUSTED_BOARD_BOOT = 1: Enable Secure boot authentication
- ENCRYPT_BL32 = 1 (STM32MP13 only): Enable encrypted boot. The user must also select the authenticated decryption algorithm: DECRYPTION_SUPPORT = aes_gcm
- PSA_FWU_SUPPORT = 1: Enable firmware update feature
- BUILD_PLAT = <folder>: custom output folder name (by default build/<debug/release>/)
- DEBUG = 1: adds debug information in all binaries
- STM32MP_EARLY_CONSOLE = 1: enable early traces during boot
- V = 1: prints verbose compilation traces
- DYN_DISABLE_AUTH = 1: allows authentication to be enabled/disabled from the device tree
- STM32MP_FORCE_MTD_START_OFFSET = <value>: overrides the default start offset used to read the FIP on MTD devices (the value must match the FlashLayout).
Information: the default offsets are STM32MP_NOR_FIP_OFFSET = 0x00080000 and STM32MP_NAND_FIP_OFFSET = 0x00200000.
- STM32MP_USE_EXTERNAL_HEAP = 1: places the mbedTLS heap outside the BL2 sources (its location is defined in the device tree).
For ecosystem release ≤ v3.0.0 compatibility
It is still possible to generate a single BL2/BL32 file without FIP support; an option flag is available for this:
- STM32MP_USE_STM32IMAGE = 1: Disable the FIP load and authentication management and use the STM32 binary load and authentication of ecosystem release ≤ v3.0.0.
2.4. Build command
The BL2 generation depends on the selected storage device. By default, only one storage device is supported.
First add your own environment flags:
unset LDFLAGS; unset CFLAGS;
Then compile the TF-A BL2.
For example, default build command for STM32MP15 is
make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
<Selected storage> STM32MP15=1 DTB_FILE_NAME=<board_name>.dtb
Here are build commands for the stm32mp157c-ev1 board (which supports different storage devices):
- Flash programming support, example with USB:
make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 STM32MP_USB_PROGRAMMER=1 \
    STM32MP15=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb
- Dedicated boot storage, example with SD card:
make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 STM32MP_SDMMC=1 \
    STM32MP15=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb
Replace STM32MP_SDMMC with the flag of the storage device actually used.
- Enable Secure boot on SD card:
MBEDTLS_DIR=<path_to_mbedtls_directory> make ARM_ARCH_MAJOR=7 \
    ARCH=aarch32 PLAT=stm32mp1 TRUSTED_BOARD_BOOT=1 STM32MP_SDMMC=1 \
    STM32MP15=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb
- Enable Encrypted boot on SD card:
MBEDTLS_DIR=<path_to_mbedtls_directory> make ARM_ARCH_MAJOR=7 \
    ARCH=aarch32 PLAT=stm32mp1 TRUSTED_BOARD_BOOT=1 STM32MP_SDMMC=1 \
    STM32MP15=1 ENCRYPT_BL32=1 DECRYPTION_SUPPORT=aes_gcm DTB_FILE_NAME=stm32mp157c-ev1.dtb
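The build commands above differ only in the storage flag and the secure-boot options, and two mistakes are easy to make by hand: selecting more than one storage device in a single BL2 build, and enabling TRUSTED_BOARD_BOOT without pointing MBEDTLS_DIR at the mbedTLS sources. The following POSIX shell wrapper is an added example for this page, not code from the ST wiki or the TF-A project: it assembles the make command line from the flags listed above and refuses those two combinations. The function names bl2_build_cmd and bl2_image_path, and the TBB and ENC input variables, are this script's own conventions; the make flags are the ones documented on this page.

```shell
#!/bin/sh
# Added example (not ST/TF-A code): build the TF-A BL2 make invocation for
# STM32 MPU and enforce the constraints stated on the page before running make.

# Print the make command line.
#   $1  SoC flag, e.g. STM32MP15
#   $2  storage flag(s), e.g. STM32MP_SDMMC (exactly one is accepted)
#   $3  board name, e.g. stm32mp157c-ev1 (becomes DTB_FILE_NAME=<board>.dtb)
# Environment: TBB=1 adds TRUSTED_BOARD_BOOT=1 (needs MBEDTLS_DIR),
#              ENC=1 adds ENCRYPT_BL32=1 DECRYPTION_SUPPORT=aes_gcm.
bl2_build_cmd() {
    soc=$1; storage=$2; board=$3
    # By default a BL2 image supports a single storage device (section 2.4).
    set -- $storage
    if [ $# -ne 1 ]; then
        echo "error: select exactly one storage device flag, got: $storage" >&2
        return 1
    fi
    cmd="make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 ${storage}=1 ${soc}=1"
    if [ "${TBB:-0}" = 1 ]; then
        # Secure boot builds need the mbedTLS sources; fail here, not deep in make.
        if [ -z "${MBEDTLS_DIR:-}" ]; then
            echo "error: TRUSTED_BOARD_BOOT=1 requires MBEDTLS_DIR" >&2
            return 1
        fi
        cmd="MBEDTLS_DIR=$MBEDTLS_DIR $cmd TRUSTED_BOARD_BOOT=1"
        if [ "${ENC:-0}" = 1 ]; then
            # Authenticated decryption, as in the encrypted-boot command above.
            cmd="$cmd ENCRYPT_BL32=1 DECRYPTION_SUPPORT=aes_gcm"
        fi
    elif [ "${ENC:-0}" = 1 ]; then
        # This wrapper's rule: encrypted boot is only emitted together with
        # TRUSTED_BOARD_BOOT=1, matching the page's encrypted-boot example.
        echo "error: ENC=1 requires TBB=1 (authenticated decryption)" >&2
        return 1
    fi
    echo "$cmd DTB_FILE_NAME=${board}.dtb"
}

# Print where the STM32 image lands: <BUILD_PLAT>/tf-a-<board>.stm32, where
# BUILD_PLAT defaults to build/debug or build/release depending on DEBUG.
bl2_image_path() {
    board=$1
    if [ "${DEBUG:-0}" = 1 ]; then mode=debug; else mode=release; fi
    echo "${BUILD_PLAT:-build/$mode}/tf-a-${board}.stm32"
}

# Stand-alone use: print the command for an SD-card BL2 on the STM32MP157C-EV1.
if [ "${1:-}" = "--demo" ]; then
    bl2_build_cmd STM32MP15 STM32MP_SDMMC stm32mp157c-ev1
    bl2_image_path stm32mp157c-ev1
fi
```

To actually build, run the printed line in a clean environment, for instance `unset LDFLAGS CFLAGS; eval "$(TBB=1 MBEDTLS_DIR=/path/to/mbedtls bl2_build_cmd STM32MP15 STM32MP_SDMMC stm32mp157c-ev1)"`, then pick up the image at the path reported by bl2_image_path.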
2.5. Final image
The final image is available for Flash memory or SDCard update in the corresponding folder:
<BUILD_PLAT>/tf-a-<board>.stm32, e.g. build/release/tf-a-stm32mp157c-ev1.stm32
3. Updating the software on board
3.1. Partitioning of binaries
The TF-A build provides a binary named tf-a-<board>.stm32 that MUST be copied to a dedicated partition named "fsblX" (X depends on the number of needed backups in the Flash).
3.2. Updating via SDCard
If you use an SDCard, simply update TF-A using the dd command on your host.
Plug your SDCard into the computer and copy the binary to the dedicated partition; on an SDCard/USB disk the "fsbl1" partition is partition 1:
- SDCard: /dev/mmcblkXp1 (where X is the instance number)
- SDCard via USB reader: /dev/sdX1 (where X is the instance number)
- Under Linux®
dd if=<tf-a file>.stm32 of=/dev/<device partition> bs=1M conv=fdatasync
Information: to find the partition associated with a specific label, plug the SDCard/USB disk into your PC and list /dev/disk/by-partlabel/:
ls -l /dev/disk/by-partlabel/
total 0
lrwxrwxrwx 1 root root 10 Jan 17 17:38 bootfs -> ../../mmcblk0p4
lrwxrwxrwx 1 root root 10 Jan 17 17:38 fip -> ../../mmcblk0p3
lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl1 -> ../../mmcblk0p1    ← FSBL1 (TF-A)
lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl2 -> ../../mmcblk0p2    ← FSBL2 (TF-A backup, same content as FSBL1)
lrwxrwxrwx 1 root root 10 Jan 17 17:38 rootfs -> ../../mmcblk0p5
lrwxrwxrwx 1 root root 10 Jan 17 17:38 userfs -> ../../mmcblk0p6
- Under Windows®
CoreUtils [3], which includes the dd command, is available for Windows.
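Typing /dev/mmcblkXp1 by hand is the step most likely to go wrong when writing the FSBL, since an off-by-one instance number overwrites the wrong disk. The following POSIX shell helper for a Linux host is an added example, not code from the ST wiki: it resolves the fsbl partitions through the /dev/disk/by-partlabel links shown above, checks that the file starts with the "STM2" magic of the STM32 image header before touching the card, and then runs the page's dd command once for fsbl1 and once for its fsbl2 backup (which holds the same content). The function names, the DRY_RUN variable and the optional label-directory argument are this example's own conventions, not part of any ST tool.

```shell
#!/bin/sh
# Added example (not ST code): deploy tf-a-<board>.stm32 to the fsbl1/fsbl2
# partitions of an SD card, located by GPT partition label instead of by a
# hand-typed device node.

# Print the block device behind a partition label, or fail if there is none.
# $2 defaults to /dev/disk/by-partlabel; it is a parameter so the lookup can be
# exercised against a constructed directory of symlinks.
resolve_partlabel() {
    label=$1; dir=${2:-/dev/disk/by-partlabel}
    if [ ! -e "$dir/$label" ]; then
        echo "error: no partition labelled '$label' under $dir" >&2
        return 1
    fi
    readlink -f "$dir/$label"
}

# An STM32 image produced by the TF-A build starts with the header magic
# "STM2" (bytes 0x53 0x54 0x4D 0x32). Refuse anything else so a raw ELF or a
# FIP is never written into the fsbl partitions.
is_stm32_image() {
    [ -r "$1" ] || return 1
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null)
    [ "$magic" = "STM2" ]
}

# Copy the image to fsbl1 and to the fsbl2 backup (same content, as the
# listing above shows). With DRY_RUN=1 the dd commands are printed, not run.
flash_fsbl() {
    image=$1; dir=${2:-/dev/disk/by-partlabel}
    if ! is_stm32_image "$image"; then
        echo "error: $image does not carry an STM32 image header" >&2
        return 1
    fi
    for label in fsbl1 fsbl2; do
        dev=$(resolve_partlabel "$label" "$dir") || return 1
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "dd if=$image of=$dev bs=1M conv=fdatasync"
        else
            # The page's command, with the device resolved from its label.
            dd if="$image" of="$dev" bs=1M conv=fdatasync
        fi
    done
}

# Stand-alone use: flash_fsbl build/release/tf-a-stm32mp157c-ev1.stm32
if [ -n "${1:-}" ]; then
    flash_fsbl "$1"
fi
```

Run it first with DRY_RUN=1 to see which /dev nodes the labels resolve to; the real write needs root, and the by-partlabel links only exist once the card has been partitioned with the OpenSTLinux layout.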
3.3. Updating via USB mass storage on U-Boot
See How to use USB mass storage in U-Boot.
Refer to the previous section to put tf-a-<board>.stm32 into SDCard/USB disk.
3.4. Updating your boot device via STM32CubeProgrammer
Refer to the STM32CubeProgrammer documentation to update your target.