[U-Boot] [PATCH 2/3] stm32mp1: add configuration op-tee

Patrick Delaunay patrick.delaunay at st.com
Tue Jul 2 11:26:06 UTC 2019 

Add support of Trusted boot chain with OP-TEE
- reserved 32MB at the end of the DDR for OP-TEE

Signed-off-by: Patrick Delaunay <patrick.delaunay at st.com>
---

 arch/arm/mach-stm32mp/Kconfig     |  12 ++++-
 board/st/stm32mp1/MAINTAINERS     |   1 +
 board/st/stm32mp1/README          |  29 ++++++++---
 board/st/stm32mp1/stm32mp1.c      |   4 +-
 configs/stm32mp15_optee_defconfig | 103 ++++++++++++++++++++++++++++++++++++++
 include/configs/stm32mp1.h        |  13 +++++
 6 files changed, 153 insertions(+), 9 deletions(-)
 create mode 100644 configs/stm32mp15_optee_defconfig

diff --git a/arch/arm/mach-stm32mp/Kconfig b/arch/arm/mach-stm32mp/Kconfig
index d9ad6b4..a00c8ab 100644
--- a/arch/arm/mach-stm32mp/Kconfig
+++ b/arch/arm/mach-stm32mp/Kconfig
@@ -62,7 +62,17 @@ config STM32MP1_TRUSTED
 		Say Y here to enable boot with TF-A
 		Trusted boot chain is :
 		BootRom => TF-A.stm32 (clock & DDR) => U-Boot.stm32
-		TF-A monitor provides proprietary smc to manage secure devices
+		TF-A monitor provides proprietary SMC to manage secure devices
+
+config STM32MP1_OPTEE
+	bool "Support trusted boot with TF-A and OP-TEE"
+	depends on STM32MP1_TRUSTED
+	default n
+	help
+		Say Y here to enable boot with TF-A and OP-TEE
+		Trusted boot chain is :
+		BootRom => TF-A.stm32 (clock & DDR) => OP-TEE => U-Boot.stm32
+		OP-TEE monitor provides ST SMC to access to secure resources
 
 config SYS_TEXT_BASE
 	prompt "U-Boot base address"
diff --git a/board/st/stm32mp1/MAINTAINERS b/board/st/stm32mp1/MAINTAINERS
index 0a2eddb..3bf4c21 100644
--- a/board/st/stm32mp1/MAINTAINERS
+++ b/board/st/stm32mp1/MAINTAINERS
@@ -5,5 +5,6 @@ S:	Maintained
 F:	arch/arm/dts/stm32mp157*
 F:	board/st/stm32mp1
 F:	configs/stm32mp15_basic_defconfig
+F:	configs/stm32mp15_optee_defconfig
 F:	configs/stm32mp15_trusted_defconfig
 F:	include/configs/stm32mp1.h
diff --git a/board/st/stm32mp1/README b/board/st/stm32mp1/README
index b0c8325..583d92e 100644
--- a/board/st/stm32mp1/README
+++ b/board/st/stm32mp1/README
@@ -47,7 +47,7 @@ BootRom => FSBL in SYSRAM => SSBL in DDR => OS (Linux Kernel)
 with FSBL = First Stage Bootloader
      SSBL = Second Stage Bootloader
 
-2 boot configurations are supported:
+3 boot configurations are supported:
 
 1) The "Trusted" boot chain (defconfig_file : stm32mp15_trusted_defconfig)
    BootRom => FSBL = Trusted Firmware-A (TF-A) => SSBL = U-Boot
@@ -56,7 +56,15 @@ with FSBL = First Stage Bootloader
    U-Boot is running in normal world and uses TF-A monitor
    to access to secure resources
 
-2) The "Basic" boot chain (defconfig_file : stm32mp15_basic_defconfig)
+2) The "Trusted" boot chain with OP-TEE
+   (defconfig_file : stm32mp15_optee_defconfig)
+   BootRom => FSBL = Trusted Firmware-A (TF-A) => SSBL = U-Boot
+   TF-A performs a full initialization of Secure peripherals and installs OP-TEE
+   from specific partitions (teeh, teed, teex).
+   U-Boot is running in normal world and uses OP-TEE monitor to access
+   to secure resources.
+
+3) The "Basic" boot chain (defconfig_file : stm32mp15_basic_defconfig)
    BootRom => FSBL = U-Boot SPL => SSBL = U-Boot
    SPL has limited security initialisation
    U-Boot is running in secure mode and provide a secure monitor to the kernel
@@ -109,6 +117,7 @@ the supported device trees for stm32mp157 are:
 
 	for example: use one output directory for each configuration
 	# export KBUILD_OUTPUT=stm32mp15_trusted
+	# export KBUILD_OUTPUT=stm32mp15_optee
 	# export KBUILD_OUTPUT=stm32mp15_basic
 
 4. Configure U-Boot:
@@ -116,6 +125,7 @@ the supported device trees for stm32mp157 are:
 	# make <defconfig_file>
 
 	- For trusted boot mode : "stm32mp15_trusted_defconfig"
+	- For trusted with OP-TEE boot mode : "stm32mp15_optee_defconfig"
 	- For basic boot mode: "stm32mp15_basic_defconfig"
 
 5. Configure the device-tree and build the U-Boot image:
@@ -129,20 +139,25 @@ the supported device trees for stm32mp157 are:
 	# make stm32mp15_trusted_defconfig
 	# make DEVICE_TREE=stm32mp157c-ev1 all
 
-  b) basic boot on ev1
+  b) trusted with OP-TEE boot on dk2
+	# export KBUILD_OUTPUT=stm32mp15_optee
+	# make stm32mp15_optee_defconfig
+	# make DEVICE_TREE=stm32mp157c-dk2 all
+
+  c) basic boot on ev1
 	# export KBUILD_OUTPUT=stm32mp15_basic
 	# make stm32mp15_basic_defconfig
 	# make DEVICE_TREE=stm32mp157c-ev1 all
 
-  c) basic boot on ed1
+  d) basic boot on ed1
 	# export KBUILD_OUTPUT=stm32mp15_basic
 	# make stm32mp15_basic_defconfig
 	# make DEVICE_TREE=stm32mp157c-ed1 all
 
-  d) basic boot on dk2
+  e) basic boot on dk1
 	# export KBUILD_OUTPUT=stm32mp15_basic
 	# make stm32mp15_basic_defconfig
-	# make DEVICE_TREE=stm32mp157c-dk2 all
+	# make DEVICE_TREE=stm32mp157a-dk1 all
 
   d) basic boot on avenger96
 	# export KBUILD_OUTPUT=stm32mp15_basic
@@ -157,7 +172,7 @@ the supported device trees for stm32mp157 are:
   So in the output directory (selected by KBUILD_OUTPUT),
   you can found the needed files:
 
-  a) For Trusted boot
+  a) For Trusted boot (with or without OP-TEE)
    + FSBL = tf-a.stm32 (provided by TF-A compilation)
    + SSBL = u-boot.stm32
 
diff --git a/board/st/stm32mp1/stm32mp1.c b/board/st/stm32mp1/stm32mp1.c
index 7769293..d62d180 100644
--- a/board/st/stm32mp1/stm32mp1.c
+++ b/board/st/stm32mp1/stm32mp1.c
@@ -76,7 +76,9 @@ int checkboard(void)
 	const char *fdt_compat;
 	int fdt_compat_len;
 
-	if (IS_ENABLED(CONFIG_STM32MP1_TRUSTED))
+	if (IS_ENABLED(CONFIG_STM32MP1_OPTEE))
+		mode = "trusted with OP-TEE";
+	else if (IS_ENABLED(CONFIG_STM32MP1_TRUSTED))
 		mode = "trusted";
 	else
 		mode = "basic";
diff --git a/configs/stm32mp15_optee_defconfig b/configs/stm32mp15_optee_defconfig
new file mode 100644
index 0000000..f3e4ea6
--- /dev/null
+++ b/configs/stm32mp15_optee_defconfig
@@ -0,0 +1,103 @@
+CONFIG_ARM=y
+CONFIG_ARCH_STM32MP=y
+CONFIG_SYS_MALLOC_F_LEN=0x3000
+CONFIG_TARGET_STM32MP1=y
+CONFIG_STM32MP1_OPTEE=y
+CONFIG_DISTRO_DEFAULTS=y
+CONFIG_FIT=y
+CONFIG_BOOTCOMMAND="run bootcmd_stm32mp"
+CONFIG_SYS_PROMPT="STM32MP> "
+# CONFIG_CMD_BOOTD is not set
+# CONFIG_CMD_ELF is not set
+# CONFIG_CMD_IMI is not set
+# CONFIG_CMD_XIMG is not set
+# CONFIG_CMD_EXPORTENV is not set
+# CONFIG_CMD_IMPORTENV is not set
+CONFIG_CMD_MEMINFO=y
+CONFIG_CMD_MEMTEST=y
+CONFIG_CMD_ADC=y
+CONFIG_CMD_CLK=y
+CONFIG_CMD_DFU=y
+CONFIG_CMD_FUSE=y
+CONFIG_CMD_GPIO=y
+CONFIG_CMD_GPT=y
+CONFIG_CMD_I2C=y
+CONFIG_CMD_MMC=y
+CONFIG_CMD_SF=y
+CONFIG_CMD_SPI=y
+CONFIG_CMD_USB=y
+CONFIG_CMD_USB_MASS_STORAGE=y
+CONFIG_CMD_CACHE=y
+CONFIG_CMD_TIME=y
+CONFIG_CMD_TIMER=y
+CONFIG_CMD_PMIC=y
+CONFIG_CMD_REGULATOR=y
+CONFIG_CMD_EXT4_WRITE=y
+CONFIG_CMD_MTDPARTS=y
+CONFIG_CMD_UBI=y
+CONFIG_DEFAULT_DEVICE_TREE="stm32mp157c-ev1"
+CONFIG_ENV_IS_NOWHERE=y
+CONFIG_ENV_IS_IN_EXT4=y
+CONFIG_ENV_IS_IN_SPI_FLASH=y
+CONFIG_ENV_IS_IN_UBI=y
+CONFIG_ENV_EXT4_INTERFACE="mmc"
+CONFIG_ENV_EXT4_DEVICE_AND_PART="0:auto"
+CONFIG_ENV_EXT4_FILE="/uboot.env"
+CONFIG_ENV_UBI_PART="UBI"
+CONFIG_ENV_UBI_VOLUME="uboot_config"
+CONFIG_STM32_ADC=y
+CONFIG_USB_FUNCTION_FASTBOOT=y
+CONFIG_FASTBOOT_BUF_ADDR=0xC0000000
+CONFIG_FASTBOOT_BUF_SIZE=0x02000000
+CONFIG_FASTBOOT_USB_DEV=1
+CONFIG_FASTBOOT_FLASH=y
+CONFIG_FASTBOOT_FLASH_MMC_DEV=1
+CONFIG_DM_HWSPINLOCK=y
+CONFIG_HWSPINLOCK_STM32=y
+CONFIG_DM_I2C=y
+CONFIG_SYS_I2C_STM32F7=y
+CONFIG_LED=y
+CONFIG_LED_GPIO=y
+CONFIG_DM_MMC=y
+CONFIG_SUPPORT_EMMC_BOOT=y
+CONFIG_STM32_SDMMC2=y
+CONFIG_MTD=y
+CONFIG_NAND=y
+CONFIG_NAND_STM32_FMC2=y
+CONFIG_DM_SPI_FLASH=y
+CONFIG_SPI_FLASH=y
+CONFIG_SPI_FLASH_BAR=y
+CONFIG_SPI_FLASH_MACRONIX=y
+CONFIG_SPI_FLASH_SPANSION=y
+CONFIG_SPI_FLASH_STMICRO=y
+CONFIG_SPI_FLASH_WINBOND=y
+# CONFIG_SPI_FLASH_USE_4K_SECTORS is not set
+CONFIG_SPI_FLASH_MTD=y
+CONFIG_DM_ETH=y
+CONFIG_DWC_ETH_QOS=y
+CONFIG_PHY=y
+CONFIG_PHY_STM32_USBPHYC=y
+CONFIG_PINCONF=y
+CONFIG_PINCTRL_STMFX=y
+CONFIG_DM_PMIC=y
+CONFIG_PMIC_STPMIC1=y
+CONFIG_DM_REGULATOR_FIXED=y
+CONFIG_DM_REGULATOR_GPIO=y
+CONFIG_DM_REGULATOR_STM32_VREFBUF=y
+CONFIG_DM_REGULATOR_STPMIC1=y
+CONFIG_SERIAL_RX_BUFFER=y
+CONFIG_STM32_SERIAL=y
+CONFIG_SPI=y
+CONFIG_DM_SPI=y
+CONFIG_STM32_QSPI=y
+CONFIG_STM32_SPI=y
+CONFIG_USB=y
+CONFIG_DM_USB=y
+CONFIG_DM_USB_GADGET=y
+CONFIG_USB_EHCI_HCD=y
+CONFIG_USB_EHCI_GENERIC=y
+CONFIG_USB_GADGET=y
+CONFIG_USB_GADGET_MANUFACTURER="STMicroelectronics"
+CONFIG_USB_GADGET_VENDOR_NUM=0x0483
+CONFIG_USB_GADGET_PRODUCT_NUM=0x5720
+CONFIG_USB_GADGET_DWC2_OTG=y
diff --git a/include/configs/stm32mp1.h b/include/configs/stm32mp1.h
index 6626be7..d4805c2 100644
--- a/include/configs/stm32mp1.h
+++ b/include/configs/stm32mp1.h
@@ -28,6 +28,10 @@
 #define CONFIG_SYS_SDRAM_BASE			STM32_DDR_BASE
 #define CONFIG_SYS_INIT_SP_ADDR			CONFIG_SYS_TEXT_BASE
 
+#ifdef CONFIG_STM32MP1_OPTEE
+#define CONFIG_SYS_MEM_TOP_HIDE			SZ_32M
+#endif /* CONFIG_STM32MP1_OPTEE */
+
 /*
  * Console I/O buffer size
  */
@@ -125,10 +129,19 @@
 
 #include <config_distro_bootcmd.h>
 
+#ifdef CONFIG_STM32MP1_OPTEE
+/* with OPTEE: define specific MTD partitions = teeh, teed, teex */
+#define STM32MP_MTDPARTS \
+	"mtdparts_nor0=256k(fsbl1),256k(fsbl2),2m(ssbl),256k(u-boot-env),256k(teeh),256k(teed),256k(teex),-(nor_user)\0" \
+	"mtdparts_nand0=2m(fsbl),2m(ssbl1),2m(ssbl2),512k(teeh),512k(teed),512k(teex),-(UBI)\0"
+
+#else /* CONFIG_STM32MP1_OPTEE */
 #define STM32MP_MTDPARTS \
 	"mtdparts_nor0=256k(fsbl1),256k(fsbl2),2m(ssbl),256k(u-boot-env),-(nor_user)\0" \
 	"mtdparts_nand0=2m(fsbl),2m(ssbl1),2m(ssbl2),-(UBI)\0"
 
+#endif /* CONFIG_STM32MP1_OPTEE */
+
 #ifndef CONFIG_SYS_MTDPARTS_RUNTIME
 #undef STM32MP_MTDPARTS
 #define STM32MP_MTDPARTS
-- 
2.7.4

More information about the U-Boot mailing list