1. Article purpose[edit source]
This article explains how the TAMP backup registers are used by STM32MPU Embedded Software on STM32MP25.
2. Overview[edit source]
The STM32MP25 embeds 128 backup registers of 32 bits. A programmable border allows these backup registers to be split into a secure and a non-secure groupa.
3. Backup register usage[edit source]
This paragraph explains the default usage of backup registers by the ROM code and STM32MPU Embedded Software distribution. The subsequent chapter then shows the backup register mapping used to fulfill those needs.
3.1. Boot counter feature[edit source]
The BOOT_COUNTER is used by U-Boot to detect boot failures between its execution and before the complete Linux application initialization :
- It is incremented by U-Boot
- It is reset by the application
Hence if U-Boot reads a non-null value after a reset, this means that something went wrong at boot time. This information can be used to initiate entry into a fail safe mode.
3.2. Boot mode selection feature[edit source]
The BOOT_MODE register is used to propagate boot mode information from one component to the next boot stage, on cold boot or after a reset:
- The ROM code executes a serial boot if BOOT_MODE[7:0] is equal to 0xFF, as stated in the ROM code boot device selection strategy. In this case, the backup register is reset by the ROM code before proceeding with the serial boot mode. Other values are ignored by the ROM code.
- TF-A gets the selected boot device from the ROM code context in SYSRAM and writes it into BOOT_MODE[15:8] for U-Boot[1]. The boot interface type is written into BOOT_MODE[15:12], and the instance used is written into BOOT_MODE[11:8]. TF-A also writes other information in this register. The partition that was used to boot is written into BOOT_MODE[19:16], and the BL2 authentification status from ROM code into BOOT_MODE[23:20].
3.3. Firmware update info feature[edit source]
The FWU_INFO is used by TF-A BL2 to detect boot failures between its execution and before the complete Linux application initialization during a Secure Firmware Update.
3.4. SAES secret key feature[edit source]
The SAES secret key registers can be used to own a 256 bits key that is carried to SAES internal peripheral via a buried hardware bus. This solution allows to protect the key with the tamper mechanism: these registers together with SAES memory and registers are erased as soon as a tamper event occurs.
Notice that, when this feature is used, the concerned backup registers should be set as 'secure'.
Look for 'boot hardware key' in the STM32MP25 Reference Manuals for more information about this feature.
3.5. Cortex-M coprocessor resource table[edit source]
The Cortex_M_rsc_tab_addr and Cortex_M_rsc_tab_size registers are used to provide information on the resource table present in the Cortex-M firmware. This information is written by the boot stage in charge of Cortex-M load and start, and then read and initialized by the Linux to instantiate the inter-processor communication. Notice that the registers are duplicated to support the Cortex-A master boot mode (registers written by U-boot) and the Cortex-M master boot mode (registers written by the Cortex-M non secure FW itself).
4. Memory mapping[edit source]
The table below shows the backup register mapping used by STM32MPU Embedded Software.
The TAMP backup register base address is 0x46010100, corresponding to TAMP_BKP0R.
By default, the openSTLinux set a fixed configuration for tamp resources identification:
- R0 = Main processor (Cortex-A35 or Cortex-M33 depending on boot mode selection)
- R1 = Cortex-A35 processor
- R2 = Cortex-M33 processor
The table shows the read/write accesses to the registers but doesn't show the read only accesses. Refer to STM32MP25 Reference Manuals for more details on the read only access.
The different area listed in the table below are all programmable thanks to the device tree configuration.
| Zone | RIF Zone | TAMP register | ROM / software register name | Comment |
|---|---|---|---|---|
| Zone3 Read/Write Non-secure | Zone3-RIF2 | TAMP_BKP127R | ||
| TAMP_BKP126R | ||||
| TAMP_BKP125R | ||||
| TAMP_BKP124R | ||||
| TAMP_BKP123R | ||||
| TAMP_BKP122R | CM_rsc_tab_addr | Cortex-M resource table address | ||
| TAMP_BKP121R | CM_rsc_tab_size | Cortex-M resource table size | ||
| TAMP_BKP120R | BOOT_MODE | Boot mode for CM33 non secure | ||
| Zone3-RIF0 | TAMP_BKP119R | |||
| TAMP_BKP118R | ||||
| TAMP_BKP117R | ||||
| TAMP_BKP116R | ||||
| TAMP_BKP115R | ||||
| TAMP_BKP114R | ||||
| TAMP_BKP113R | ||||
| TAMP_BKP112R | ||||
| TAMP_BKP111R | ||||
| TAMP_BKP110R | ||||
| TAMP_BKP109R | ||||
| TAMP_BKP108R | ||||
| Zone3-RIF1 | TAMP_BKP107R | |||
| TAMP_BKP106R | ||||
| TAMP_BKP105R | ||||
| TAMP_BKP104R | ||||
| TAMP_BKP103R | ||||
| TAMP_BKP102R | ||||
| TAMP_BKP101R | ||||
| TAMP_BKP100R | ||||
| TAMP_BKP99R | ||||
| TAMP_BKP98R | CM_rsc_tab_addr | Cortex-M resource table address | ||
| TAMP_BKP97R | CM_rsc_tab_size | Cortex-M resource table size | ||
| TAMP_BKP96R | BOOT_MODE | See Boot mode selection feature | ||
| Zone2 Read Non-secure/Write secure | Zone2-RIF2 | TAMP_BKP95R | Cortex_M_state | CM33 power state |
| TAMP_BKP94R | ||||
| TAMP_BKP93R | ||||
| TAMP_BKP92R | ||||
| TAMP_BKP91R | ||||
| TAMP_BKP90R | ||||
| TAMP_BKP89R | ||||
| TAMP_BKP88R | ||||
| TAMP_BKP87R | ||||
| TAMP_BKP86R | ||||
| TAMP_BKP85R | ||||
| TAMP_BKP84R | ||||
| TAMP_BKP83R | ||||
| TAMP_BKP82R | ||||
| TAMP_BKP81R | ||||
| TAMP_BKP80R | ||||
| TAMP_BKP79R | ||||
| TAMP_BKP78R | ||||
| TAMP_BKP77R | ||||
| TAMP_BKP76R | ||||
| TAMP_BKP75R | ||||
| TAMP_BKP74R | ||||
| TAMP_BKP73R | ||||
| TAMP_BKP72R | ||||
| Zone2-RIF1 | TAMP_BKP71R | Cortex_A_state | CA35 power state | |
| TAMP_BKP70R | ||||
| TAMP_BKP69R | ||||
| TAMP_BKP68R | ||||
| TAMP_BKP67R | ||||
| TAMP_BKP66R | ||||
| TAMP_BKP65R | ||||
| TAMP_BKP64R | ||||
| TAMP_BKP63R | ||||
| TAMP_BKP62R | ||||
| TAMP_BKP61R | ||||
| TAMP_BKP60R | ||||
| TAMP_BKP59R | ||||
| TAMP_BKP58R | ||||
| TAMP_BKP57R | ||||
| TAMP_BKP56R | ||||
| TAMP_BKP55R | ||||
| TAMP_BKP54R | ||||
| TAMP_BKP53R | ||||
| TAMP_BKP52R | ||||
| TAMP_BKP51R | ||||
| TAMP_BKP50R | ||||
| TAMP_BKP49R | ||||
| TAMP_BKP48R | FWU_INFO | See Firmware update info feature | ||
| Zone1 Read/Write secure | Zone1-RIF2 | TAMP_BKP47R | ||
| TAMP_BKP46R | ||||
| TAMP_BKP45R | ||||
| TAMP_BKP44R | ||||
| TAMP_BKP43R | ||||
| TAMP_BKP42R | ||||
| TAMP_BKP41R | ||||
| TAMP_BKP40R | ||||
| TAMP_BKP39R | ||||
| TAMP_BKP38R | ||||
| TAMP_BKP37R | ||||
| TAMP_BKP36R | ||||
| TAMP_BKP35R | ||||
| TAMP_BKP34R | ||||
| TAMP_BKP33R | ||||
| TAMP_BKP32R | ||||
| TAMP_BKP31R | PLAT_NV_COUNTER_BL2_3 | |||
| TAMP_BKP30R | PLAT_NV_COUNTER_BL2_2 | |||
| TAMP_BKP29R | PLAT_NV_COUNTER_BL2_1 | |||
| TAMP_BKP28R | PLAT_NV_COUNTER_BL2_0 | |||
| TAMP_BKP27R | PLAT_NV_COUNTER_PS_2 | |||
| TAMP_BKP26R | PLAT_NV_COUNTER_PS_1 | |||
| TAMP_BKP25R | PLAT_NV_COUNTER_PS_0 | |||
| TAMP_BKP24R | Init value | TF-M NV Counter region | ||
| Zone1-RIF1 | TAMP_BKP23R | |||
| TAMP_BKP22R | ||||
| TAMP_BKP21R | ||||
| TAMP_BKP20R | ||||
| TAMP_BKP19R | ||||
| TAMP_BKP18R | ||||
| TAMP_BKP17R | ||||
| TAMP_BKP16R | ||||
| TAMP_BKP15R | ||||
| TAMP_BKP14R | ||||
| TAMP_BKP13R | ||||
| TAMP_BKP12R | ||||
| TAMP_BKP11R | LOWPOWER_EP_ADDR | Entry point address for low power mode exit | ||
| TAMP_BKP10R | ||||
| TAMP_BKP9R | ||||
| TAMP_BKP8R | ||||
| TAMP_BKP7R | Can be used as 'SAES secret key' and the registers should be set secure in that case | Propagated to SAES by the hardware KEYBUS | ||
| TAMP_BKP6R | ||||
| TAMP_BKP5R | ||||
| TAMP_BKP4R | ||||
| TAMP_BKP3R | ||||
| TAMP_BKP2R | ||||
| TAMP_BKP1R | ||||
| TAMP_BKP0R |
4.1. References[edit source]
Arm® is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere. 