How to configure TF-A BL2

Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP25x lines

1. Article purpose

This section details the TF-A BL2 stage (Trusted Firmware-A Boot Loader stage 2) used as FSBL (First Stage Boot Loader). It explains how to configure and build BL2 in STM32 MPU context, describes the build process from sources, and shows how to deploy it on your target.

2. Source code access and build process

2.1. Cross compilation

Cross compilation of TF-A BL2 is only required if it needs to be modified.
Refer to Setup Cross compile environment.

The build process creates an STM32 image; this binary is produced in a single step of the build.

2.2. Install sources

2.2.1. From the Developer package

The Developer Package contains OpenSTLinux and TF-A sources: TF-A Installation

2.2.2. Official source tree

Download the source code from the official Trusted Firmware-A git repository.

  git clone
Warning
The STM32MP1 platform is not yet fully upstreamed. Depending on the version used, some features may not be available.

For full-featured software, go to the STMicroelectronics GitHub:

  git clone

2.2.3. Distribution Package

It is possible to use the Distribution Package to download and rebuild TF-A BL2.

2.3. Build process

2.3.1. TF-A Build flags

Generic build flags for TF-A are described in the Build Options page of the official TF-A documentation[1].

Generic build flags for STM32 MPU platforms can be found in the build instruction chapter in docs/plat/st/stm32mpus.rst.
Specific STM32MP1 series platform flags can be found in the build instruction chapter of the official TF-A documentation[2].
Specific STM32MP2 series platform flags can be found in the build instruction chapter in docs/plat/st/stm32mp2.rst.

Other optional flags:

  • STM32MP1_OPTEE_IN_SYSRAM (only for STM32MP15x lines): puts the OP-TEE pager in SYSRAM. Default: 0 (OP-TEE is in DDR).
  • STM32MP_FORCE_MTD_START_OFFSET = <value>: overrides the default start offset used to read the FIP on MTD devices (it must be aligned with the FlashLayout).
Information
Default offsets are STM32MP_NOR_FIP_OFFSET = 0x00080000 and STM32MP_NAND_FIP_OFFSET = 0x00200000.

2.4. Build command

2.4.1. Build command details

The BL2 generation depends on the selected storage device. By default, only one storage device is supported.

Warning
The DTB_FILE_NAME flag and the selected storage must both be set to select the correct board configuration.

The device tree file for the target must be located in the fdts folder (<board>.dts).

Then compile TF-A BL2.
For example, the default build command for STM32MP15 is:

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 \
         <Selected storage> STM32MP15=1 DTB_FILE_NAME=<board_name>.dtb

Example with sdcard:

  make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 STM32MP_SDMMC=1 \
         STM32MP15=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb

Replace STM32MP_SDMMC with the chosen device.

Example for STM32MP2 series:

  make PLAT=stm32mp2 DTB_FILE_NAME=stm32mp257f-ev1.dtb STM32MP_SDMMC=1 \
         SPD=opteed STM32MP_DDR4_TYPE=1

2.4.2. Secure boot support

Warning
Some specific libraries (mbedTLS, ...) are required to build the tools and to enable TRUSTED_BOARD_BOOT: Prerequisites software library

To enable secure boot, add the TRUSTED_BOARD_BOOT=1 flag.
Example with secure boot on stm32mp135f-dk:

  make MBEDTLS_DIR=<path_to_mbedtls_directory> ARM_ARCH_MAJOR=7 \
              ARCH=aarch32 PLAT=stm32mp1 STM32MP_SDMMC=1 TRUSTED_BOARD_BOOT=1  \
              STM32MP13=1 DTB_FILE_NAME=stm32mp135f-dk.dtb

To enable secure boot with encryption support, add DECRYPTION_SUPPORT=aes_gcm together with the ENCRYPT_BLx flag that specifies which binary is encrypted.
Example with encrypted BL32 on stm32mp135f-dk:

  MBEDTLS_DIR=<path_to_mbedtls_directory> make ARM_ARCH_MAJOR=7 \
         ARCH=aarch32 PLAT=stm32mp1 STM32MP_SDMMC=1 TRUSTED_BOARD_BOOT=1  \
         ENCRYPT_BL32=1 DECRYPTION_SUPPORT=aes_gcm \
         STM32MP13=1 DTB_FILE_NAME=stm32mp135f-dk.dtb

Example of secure boot with stm32mp257f-ev1:

  make MBEDTLS_DIR=<path_to_mbedtls_directory> SPD=opteed \
          PLAT=stm32mp2 STM32MP_SDMMC=1 STM32MP_DDR4_TYPE=1 \
          TRUSTED_BOARD_BOOT=1 DTB_FILE_NAME=stm32mp257f-ev1.dtb
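The build lines above combine several flags that this page says must agree (one storage device, a DTB_FILE_NAME whose .dts exists under fdts, MBEDTLS_DIR for TRUSTED_BOARD_BOOT=1, ENCRYPT_BLx with DECRYPTION_SUPPORT). The following pre-flight check is an added example, not part of the ST wiki or of TF-A; check_bl2_config and the storage flag names other than STM32MP_SDMMC (the usual TF-A STM32MP platform flags) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ST wiki or TF-A): sanity-check a TF-A BL2 build
# line before invoking make, according to the rules stated on this page.
# check_bl2_config FDTS_DIR VAR=VALUE...  -> returns 0 when the combination is
# consistent, 1 (with a message on stderr) otherwise.
check_bl2_config() {
    fdts="$1"; shift
    dtb=""; storages=0; tbb=0; mbedtls=""; decrypt=""; encrypt=0
    for kv in "$@"; do
        key=${kv%%=*}; val=${kv#*=}
        case "$key" in
            DTB_FILE_NAME) dtb=$val ;;
            # assumed TF-A STM32MP storage flags; only one may be selected
            STM32MP_SDMMC|STM32MP_EMMC|STM32MP_RAW_NAND|STM32MP_SPI_NAND|STM32MP_SPI_NOR)
                if [ "$val" = 1 ]; then storages=$((storages + 1)); fi ;;
            TRUSTED_BOARD_BOOT) tbb=$val ;;
            MBEDTLS_DIR) mbedtls=$val ;;
            DECRYPTION_SUPPORT) decrypt=$val ;;
            ENCRYPT_BL31|ENCRYPT_BL32) if [ "$val" = 1 ]; then encrypt=1; fi ;;
        esac
    done
    if [ -z "$dtb" ]; then
        echo "DTB_FILE_NAME is not set" >&2; return 1
    fi
    # the board device tree must exist as fdts/<board>.dts
    if [ ! -f "$fdts/${dtb%.dtb}.dts" ]; then
        echo "no $fdts/${dtb%.dtb}.dts for DTB_FILE_NAME=$dtb" >&2; return 1
    fi
    if [ "$storages" -ne 1 ]; then
        echo "exactly one storage flag must be set to 1 (got $storages)" >&2; return 1
    fi
    # TRUSTED_BOARD_BOOT needs the mbedTLS tree to build the crypto and tools
    if [ "$tbb" = 1 ] && [ ! -d "$mbedtls" ]; then
        echo "TRUSTED_BOARD_BOOT=1 needs MBEDTLS_DIR pointing at an mbedTLS tree" >&2
        return 1
    fi
    # encryption support is only meaningful with secure boot and an ENCRYPT_BLx
    if [ -n "$decrypt" ] && { [ "$tbb" != 1 ] || [ "$encrypt" != 1 ]; }; then
        echo "DECRYPTION_SUPPORT=$decrypt needs TRUSTED_BOARD_BOOT=1 and ENCRYPT_BLx=1" >&2
        return 1
    fi
    echo "BL2 configuration looks consistent (DTB_FILE_NAME=$dtb)"
}
```

Run it with the same VAR=VALUE arguments you would hand to make, for example check_bl2_config fdts PLAT=stm32mp1 STM32MP_SDMMC=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb.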

2.4.3. OSTL device tree for STM32MP2 series

For the STM32MP257F-EV1 Evaluation board, ST provides OSTL device tree configurations in a dedicated git repository: tf-a/stm32mp257f-ev1-ca35tdcid-ostl.dts. You can use the git submodule command:

  git submodule add fdts/external-dt
  make PLAT=stm32mp2 DTB_FILE_NAME=stm32mp257f-ev1-ca35tdcid-ostl.dtb STM32MP_SDMMC=1 \
         SPD=opteed STM32MP_DDR4_TYPE=1

or git clone command with TFA_EXTERNAL_DT:

  git clone ${DT_PATH}
  make PLAT=stm32mp2 DTB_FILE_NAME=stm32mp257f-ev1-ca35tdcid-ostl.dtb STM32MP_SDMMC=1 \
         SPD=opteed STM32MP_DDR4_TYPE=1 TFA_EXTERNAL_DT=${DT_PATH}/tf-a

Here DT_PATH can be any location you wish, but it must be an absolute path, for example:

  export DT_PATH=`pwd`/../dt-stm32mp

2.4.4. Troubleshooting

If you use the Developer Package SDK, you have to unset these flags:

  unset LDFLAGS;
  unset CFLAGS;

2.5. Final image

The final image is available for Flash memory or SDCard update in the corresponding folder:


3. Updating the software on board

3.1. Partitioning of binaries

The TF-A build provides a binary named tf-a-<board>.stm32 that MUST be copied to a dedicated partition named "fsblX" (X depends on the number of backups needed in the Flash).

Warning
TF-A must be located in the first partition of your boot device.

You can just update the first partition for a simple test, but all backup partitions must contain the same image at the end.

3.2. Updating via SDCard

If you use an SDCard, simply update TF-A using the dd command on your host.
Plug your SDCard into the computer and copy the binary to the dedicated partition; on an SDCard/USB disk the "fsbl1" partition is partition 1:

 - SDCard: /dev/mmcblkXp1 (where X is the instance number)
 - SDCard via USB reader: /dev/sdX1 (where X is the instance number)

  • Under Linux®

  dd if=<tf-a file>.stm32 of=/dev/<device partition> bs=1M conv=fdatasync

Information
To find the partition associated with a specific label, plug the SDCard/USB disk into your PC and run the following command:

  ls -l /dev/disk/by-partlabel/
 total 0
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 bootfs -> ../../mmcblk0p4
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fip -> ../../mmcblk0p3
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl1 -> ../../mmcblk0p1          <- FSBL1 (TF-A)
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 fsbl2 -> ../../mmcblk0p2          <- FSBL2 (TF-A backup, same content as FSBL1)
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 rootfs -> ../../mmcblk0p5
 lrwxrwxrwx 1 root root 10 Jan 17 17:38 userfs -> ../../mmcblk0p6

  • Under Windows®

CoreUtils[3], which includes the dd command, is available for Windows.
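Section 3.1 requires every fsblX backup partition to end up with the same image, and the listing above shows that the partition labels resolve to device nodes. The script below is an added example, not from the ST wiki: it resolves each label through /dev/disk/by-partlabel, writes the image with the same dd command as above, and verifies each copy by reading it back. resolve_partlabel, flash_fsbl and the BYPARTLABEL_DIR override are assumptions of this example (the override lets the functions be exercised on a constructed directory tree instead of /dev).

```shell
#!/bin/sh
# Added example (not from the ST wiki page): write the TF-A BL2 image to every
# partition named on the command line (fsbl1, fsbl2, ...) and confirm each copy.
# BYPARTLABEL_DIR is an assumed override; on a real host leave it at the default.
BYPARTLABEL_DIR="${BYPARTLABEL_DIR:-/dev/disk/by-partlabel}"

# resolve_partlabel LABEL: print the canonical device path behind the label
resolve_partlabel() {
    link="$BYPARTLABEL_DIR/$1"
    [ -L "$link" ] || return 1
    # the links are relative ("../../mmcblk0p1"); readlink -f canonicalises them
    readlink -f "$link"
}

# flash_fsbl IMAGE LABEL...: dd IMAGE to each labelled partition, then read back
flash_fsbl() {
    image="$1"; shift
    [ -f "$image" ] || { echo "missing image $image" >&2; return 1; }
    size=$(wc -c < "$image" | tr -d ' ')
    for label in "$@"; do
        dev=$(resolve_partlabel "$label") || {
            echo "no partition labelled $label under $BYPARTLABEL_DIR" >&2; return 1; }
        # same dd invocation as on this page, with the partition resolved by label
        dd if="$image" of="$dev" bs=1M conv=fdatasync 2>/dev/null || return 1
        # read back exactly the image length and compare byte for byte
        if ! head -c "$size" "$dev" | cmp -s - "$image"; then
            echo "read-back mismatch on $label ($dev)" >&2; return 1
        fi
        echo "$label -> $dev: written and verified ($size bytes)"
    done
}

# Typical use on a host with the SDCard plugged in (needs root):
#   flash_fsbl tf-a-stm32mp157c-ev1.stm32 fsbl1 fsbl2
```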

3.3. Updating via USB mass storage on U-Boot

See How to use USB mass storage in U-Boot.

Refer to the previous section to copy tf-a-<board>.stm32 onto the SDCard/USB disk.

3.4. Updating your boot device via STM32CubeProgrammer

Refer to the STM32CubeProgrammer documentation to update your target.