STM32MP1
The instructions here describe how to run OP-TEE on one of the supported STM32MP1 boards.
Supported boards
Board Name | Manufacturer | Boot media | Hardware Description
---|---|---|---
 | STMicroelectronics | SDcard | 
 | STMicroelectronics | SDcard | 
 | STMicroelectronics | SDcard | 
 | STMicroelectronics | SDcard (1) | 
(1): STM32MP157x-EV1 boards also integrate an eMMC device, a NOR flash and a NAND flash the system can boot from. The OP-TEE distribution however only supports booting from the SDcard slot.
Build instructions
Follow the instructions at “Get and build the solution”. The configuration switch PLATFORM can be used to specify the target device, as listed in the table below:
Board Name | Build configuration directive
---|---
 | PLATFORM=stm32mp1-157A_DK1
 | PLATFORM=stm32mp1-157A_DK1_SCMI
 | PLATFORM=stm32mp1-157C_DK2
 | PLATFORM=stm32mp1-157C_DK2_SCMI
 | PLATFORM=stm32mp1-157C_EV1
 | PLATFORM=stm32mp1-157C_EV1_SCMI
When the build completes, the generated image file sdcard.img can be found in the binary images directory ../out/bin/ relative to the build root path. The image is a GPT multi-partition image you can raw-copy to the target SDcard with a tool like dd.
A typical short fetch/build/load shell sequence looks like the one below:
$ repo init -u https://github.com/OP-TEE/manifest.git -m stm32mp1.xml
$ repo sync
$ cd build
$ make toolchains
$ make PLATFORM=stm32mp1-157C_DK2_SCMI all
$ dd if=../out/bin/sdcard.img of=/dev/sdX conv=fdatasync status=progress
$ sgdisk -e /dev/sdX
The sgdisk -e command relocates the backup GPT header and partition entry array to the last sectors of the card. The image was generated for a nominal size, so on a card of a different capacity the backup copy lands at the wrong offset and partitioning tools would otherwise report a corrupted GPT.
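As an added example (not code from the OP-TEE project or from this page), the script below wraps the dd and sgdisk steps of the sequence above with the checks a practitioner wants before overwriting a block device: it confirms the image really carries a GPT header at LBA 1, that the target is an unmounted block device, and that the kernel flags it as removable. The script name, the FORCE override variable and the function names are assumptions of this example; it expects GNU dd and the sgdisk tool from gdisk on a Linux host, run as root.

```shell
#!/bin/sh
# Added example (not part of the OP-TEE build scripts): guarded version of the
# dd + sgdisk flash step. Assumes GNU dd, sgdisk from gdisk, and a Linux host.

# Returns 0 when the file carries a GPT header, i.e. the "EFI PART" signature
# at LBA 1 (byte offset 512). ../out/bin/sdcard.img is such an image.
image_is_gpt() {
    sig=$(dd if="$1" bs=1 skip=512 count=8 2>/dev/null)
    [ "$sig" = "EFI PART" ]
}

# Returns 0 when the device or one of its partitions (/dev/sdX1, /dev/mmcblk0p1)
# appears in /proc/mounts; raw-copying over a mounted device corrupts live data.
target_is_mounted() {
    grep -qs "^$1[0-9p]* " /proc/mounts
}

# Returns 0 when the kernel flags the device as removable. Some SD host
# controllers expose mmcblk devices with removable=0, so flash_sdcard refuses
# non-removable targets unless FORCE=1 is set in the environment.
target_is_removable() {
    [ "$(cat "/sys/block/$(basename "$1")/removable" 2>/dev/null)" = 1 ]
}

# flash_sdcard IMAGE DEVICE: raw-copies the GPT image, then moves the backup
# GPT header to the end of the card (sgdisk -e) and verifies the result.
flash_sdcard() {
    img=$1
    dev=$2
    image_is_gpt "$img" || { echo "error: $img has no GPT header" >&2; return 1; }
    [ -b "$dev" ] || { echo "error: $dev is not a block device" >&2; return 1; }
    if target_is_mounted "$dev"; then
        echo "error: $dev has mounted partitions, unmount them first" >&2
        return 1
    fi
    if ! target_is_removable "$dev" && [ "${FORCE:-0}" != 1 ]; then
        echo "error: $dev is not flagged removable; set FORCE=1 to override" >&2
        return 1
    fi
    dd if="$img" of="$dev" bs=4M conv=fdatasync status=progress || return 1
    sgdisk -e "$dev" || return 1
    sgdisk -v "$dev"
}

# Usage (hypothetical script name): ./flash-stm32mp1.sh ../out/bin/sdcard.img /dev/sdX
if [ "$#" -eq 2 ]; then
    flash_sdcard "$1" "$2"
fi
```

The removable check is a guard against typing the system disk as /dev/sdX; the final sgdisk -v confirms that both GPT copies are consistent after the backup header has been relocated.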
Alternate configurations
The build makefile for STM32MP1 platforms (stm32mp1.mk) provides a few extra configuration switches for specific purposes.
STM32MP15 SCMI and non-SCMI variants
In order to enable security on STM32MP15 platforms, some device resources must be assigned to OP-TEE. In this configuration, the non-secure world (e.g. the U-Boot bootloader and the Linux kernel) uses SCMI services to access the secured resources (e.g. clocks and reset controllers). Therefore each STM32MP15 board comes with 2 variant configurations:
- PLATFORM=stm32mp1-157A_DK1, PLATFORM=stm32mp1-157C_DK2 and PLATFORM=stm32mp1-157C_EV1 do not enable chip root secure hardening, and the U-Boot/Linux DTS files do not rely on OP-TEE SCMI services.
- PLATFORM=stm32mp1-157A_DK1_SCMI, PLATFORM=stm32mp1-157C_DK2_SCMI and PLATFORM=stm32mp1-157C_EV1_SCMI enable chip root secure hardening, and the U-Boot/Linux DTS files enable use of OP-TEE SCMI services.
STM32MP15 and OP-TEE pager
On STM32MP15 products, OP-TEE core executes by default in a 256kB secure internal RAM (named SYSRAM). The size of this internal RAM affects OP-TEE pager performance. STM32MP15 product lines embed other internal RAMs, initially dedicated to the chip's Cortex-M co-processor firmware, that can be assigned to OP-TEE to enlarge the pager page pool and improve OP-TEE performance.
Build configuration switch WITH_SRAM1_PAGER_POOL=y|n, when enabled (y), assigns SRAM1 to OP-TEE, adding 128kB of internal secure RAM. WITH_SRAM1_PAGER_POOL is enabled by default (but not mandated) for platform flavors PLATFORM=stm32mp1-157C_*_SCMI and disabled by default for the other flavors.
Another way to assign one or more SRAMx (x=1..4) is to set the OP-TEE OS configuration directive CFG_TZSRAM_SIZE to cover the SRAMs assigned to OP-TEE. The SRAM banks follow SYSRAM contiguously in the address map, which is why a single size value selects them (from the values below, SRAM1 and SRAM2 are 128kB each, SRAM3 and SRAM4 are 64kB each):
- CFG_TZSRAM_SIZE=0x40000 assigns SYSRAM only to OP-TEE.
- CFG_TZSRAM_SIZE=0x60000 assigns SYSRAM and SRAM1 to OP-TEE.
- CFG_TZSRAM_SIZE=0x80000 assigns SYSRAM, SRAM1 and SRAM2 to OP-TEE.
- CFG_TZSRAM_SIZE=0x90000 assigns SYSRAM, SRAM1, SRAM2 and SRAM3 to OP-TEE.
- CFG_TZSRAM_SIZE=0xa0000 assigns SYSRAM, SRAM1, SRAM2, SRAM3 and SRAM4 to OP-TEE.
Any SRAM assigned to OP-TEE this way is no longer available to the Cortex-M co-processor firmware.
Using the eMMC RPMB partition for OP-TEE secure storage
STM32MP15 ED1 and EV1 boards embed an eMMC device that can be used for OP-TEE secure storage.
Build configuration switch WITH_RPMB_TEST=y|n, when enabled (y), sets the OP-TEE OS configuration switches CFG_RPMB_FS and CFG_RPMB_TESTKEY so that OP-TEE RPMB secure storage support can be tested. Note that CFG_RPMB_TESTKEY makes OP-TEE authenticate to the RPMB partition with a well-known test key rather than a device-specific one, so this configuration is for evaluation only; the RPMB authentication key of an eMMC can be programmed only once and cannot be changed afterwards.
See “RPMB Secure Storage” for more information on OP-TEE RPMB secure storage.
Support for EFI secure variables
For platforms embedding an eMMC device with an RPMB partition, OP-TEE can be used to harden UEFI secure boot by storing the EFI secure (authenticated) variables in OP-TEE secure storage, out of reach of the non-secure world. This applies when booting the platform with a UEFI boot scheme.
Build configuration switch WITH_STMM=y|n, when enabled (y), builds the EDK2 StandaloneMm (StMM) application and embeds it in OP-TEE core so that EFI variables are backed by OP-TEE RPMB secure storage. WITH_STMM=y enables WITH_RPMB_TEST by default.