How to configure TF-A BL2

Applicable for STM32MP13x lines, STM32MP15x lines

1 Article purpose[edit]

This section details the TF-A BL2 stage (Trusted Firmware-A Boot Loader stage 2) used as FSBL (First Stage Boot Loader). It explains how to configure and build BL2 in STM32 MPU context, describes the build process from sources, and shows how to deploy it on your target.

2 Source code access and build process[edit]

2.1 Cross compilation[edit]

Cross compilation of TF-A BL2 is only required if it needs to be modified.
Refer to Setup Cross compile environment.

The build process creates an STM32 image. This binary is built in a single step during the build process.

2.2 Install sources[edit]

2.2.1 From the Developer package[edit]

The Developer Package contains OpenSTLinux and TF-A sources: TF-A Installation

2.2.2 Official source tree[edit]

Download the source code from the official Trusted Firmware-A git repository.

  git clone
Warning white.png Warning
The STM32MP1 platform is not yet fully upstreamed. Depending on the version used, some features may not be available.

For a full-featured software, go to STMicroelectronics github:

  git clone

2.2.3 Distribution Package[edit]

It is possible to use the distribution package to download and rebuid TF-A BL2

2.3 Build process[edit]

2.3.1 TF-A Build flags[edit]

Generic build flags for TF-A are described in the Build Options page of the official TF-A documentation[1].

Specific STM32MP1 platform flags can be found in the build instruction chapter of the official TF-A documentation [2].

Other optional flags:

  • STM32MP1_OPTEE_IN_SYSRAM (only for STM32MP15x lines More info.png): To put OP-TEE pager in SYSRAM. Default: 0 (OP-TEE is in DDR)
  • STM32MP_FORCE_MTD_START_OFFSET = <value>: overrides the default start offset to read FIP on MTD devices (need to be aligned with FlashLayout).
Info white.png Information
Default offsets are STM32MP_NOR_FIP_OFFSET = 0x00080000 and STM32MP_NAND_FIP_OFFSET = 0x00200000

2.4 Build command[edit]

2.4.1 Build command details[edit]

The BL2 generation depends on the selected storage device. By default, only one storage device is supported.

Warning white.png Warning
The DTB_FILE_NAME flag and the selected storage must be set to select the correct board configuration.

The device tree file for the target must be located in fdts folder (<board>.dts)


Then compile the TF-A BL2.
For example, default build command for STM32MP15 is:

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
         <Selected storage> STM32MP15=1 DTB_FILE_NAME=<board_name>.dtb

Example with sdcard:

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 STM32MP_SDMMC=1 \
         STM32MP15=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb

Replace STM32MP_SDMMC with the chosen device.

2.4.2 Secure boot support[edit]

Warning white.png Warning
Some specific libraries (mbedTLS , ...) are required to build tools and enable the TRUSTED_BOARD_BOOT : Prerequisites software library

To enable secure boot, you have to add TRUSTED_BOARD_BOOT=1 flag:
Example with secure boot on stm32mp135f-dk:

  MBEDTLS_DIR=<path_to_mbedtls_directory> make ARM_ARCH_MAJOR=7 \
              ARCH=aarch32 PLAT=stm32mp1 STM32MP_SDMMC=1 TRUSTED_BOARD_BOOT=1  \
              STM32MP13=1 DTB_FILE_NAME=stm32mp135f-dk.dtb

To enable secure boot with encryption support, you have to add DECRYPTION_SUPPORT=aes_gcm with the ENCRYPT_BLx to specify the encrypted binary.
Example with encrypted BL32 on stm32mp135f-dk:

  MBEDTLS_DIR=<path_to_mbedtls_directory> make ARM_ARCH_MAJOR=7 \
         ARCH=aarch32 PLAT=stm32mp1 STM32MP_SDMMC=1 TRUSTED_BOARD_BOOT=1  \
         ENCRYPT_BL32=1 DECRYPTION_SUPPORT=aes_gcm \
         STM32MP13=1 DTB_FILE_NAME=stm32mp135f-dk.dtb

2.4.3 Troubleshooting[edit]

If you use developer package SDK, you have to unset these flags:

  unset LDFLAGS;
  unset CFLAGS;

2.5 Final image[edit]

The final image is available for Flash memory or SDCard update in the corresponding folder:


3 Updating the software on board[edit]

3.1 Partitioning of binaries[edit]

The TF-A build provides a binary named tf-a-<board>.stm32 that MUST be copied to a dedicated partition named "fsblX" (X depends on the number of needed backups in the Flash).

Warning white.png Warning
TF-A must be located in the first partition of your boot device.

You can just update the first partition for a simple test, but all backup partitions must contain the same image at the end.

3.2 Updating via SDCard[edit]

If you use an SDCard, simply update TF-A using the dd command on your host.
Plug your SDCard into the computer and copy the binary to the dedicated partition; on an SDCard/USB disk the "fsbl1" partition is partition 1:

 - SDCard: /dev/mmcblkXp1 (where X is the instance number)
 - SDCard via USB reader: /dev/sdX1 (where X is the instance number)
  • Under Linux®
  dd if=<tf-a file>.stm32 of=/dev/<device partition> bs=1M conv=fdatasync
Info white.png Information
To find the partition associated to a specific label, just plug the SDCard/USB disk into your PC and call the following command:
  ls -l /dev/disk/by-partlabel/
 total 0
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 bootfs -> ../../mmcblk0p4
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fip -> ../../mmcblk0p3
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl1 -> ../../mmcblk0p1          ? FSBL1 (TF-A)
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl2 -> ../../mmcblk0p2          ? FSBL2 (TF-A backup ? same content as FSBL)
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 rootfs -> ../../mmcblk0p5
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 userfs -> ../../mmcblk0p6

  • Under Windows®

CoreUtils [3] that includes the dd command is available for Windows.

3.3 Updating via USB mass storage on U-boot[edit]

See How to use USB mass storage in U-Boot.

Refer to the previous section to put tf-a-<board>.stm32 into SDCard/USB disk.

3.4 Updating your boot device via STM32CubeProgrammer[edit]

Refer to the STM32CubeProgrammer documentation to update your target.