[RFC PATCH] stm32mp1: Replace STM32IMAGE config with TFABOOT_FIP

Patrick DELAUNAY patrick.delaunay at foss.st.com
Wed Sep 1 11:07:42 CEST 2021 

Hi Marek,

On 8/31/21 6:42 PM, Marek Vasut wrote:
> On 8/31/21 4:54 PM, Patrick DELAUNAY wrote:
>> Hi Alexandru,
>
> Hi,
>
>> On 8/26/21 11:47 PM, Alexandru Gagniuc wrote:
>>> Hi Patrick,
>>>
>>> I proposing a better fix fir the issues I outlined earlier, I made a
>>> classification of the currently supported boot modes.
>>>
>>>     1) BL1 -> SPL -> U-Boot
>>>     2) BL1 -> SPL -> OP-TEE
>>> ---------------------------------------------------------------------
>>> |  3) BL1 -> TF-A -> U-Boot                                         |
>>> |  4) BL1 -> TF-A -> OP-TEE                                         |
>>> | _________________________________________________________________ |
>>> || 5) BL1 -> TF-A -> FIP container                                 ||
>>> || CONFIG_TFABOOT_FIP ||
>>> ||_________________________________________________________________||
>>> |                                                                   |
>>> | CONFIG_TFABOOT |
>>> ---------------------------------------------------------------------
>>>
>>> Here, I'm looking at FIP as a new boot mode. In order to avoid
>>> breakage, any changes to support FIP it should naturally be done only
>>> to this new path.
>>>
>>> This proposal contains several changes, but I've squashed them into
>>> one for ease of discussion.
>>>
>>> This better matches the boot mode classification above.
>>
>> 1) is supported but with many constraint for security part and low 
>> power management
>>
>>      it is not recommended for real product / it will be not 
>> supported by STMicroelectronics
>
> Does this mean ST will be cutting off their own customers who use this 
> boot mode because they do not need/want additional complex 
> problematically licensed components in their boot chain and/or ST will 
> be forcing those customers into adding such unneeded/unwanted 
> components unconditionally ?
>
> I am strongly opposed to that.
>

Our concerns is not a licensing issue (BSD vs GPL) but firmware 
complexity to manage Cortex A (Linux) + Cortex M (RTOS) and shared 
ressources.

To guarantee the Cortex M security, the shared resource (as root clock 
or regulator for example) need to be managed by a centralized element.

It is the same for low power mode = to manage each possible step for 
Cortex M + Cortex A and PMIC security, the low power sequence are 
executed in secure side.


=> it is done in our ecosystem for STM32MP15x platform in secure monitor 
(OP-TEE - the preferred one - or SPMin) based on SCMI and PSCI api 
called by Linux kernel generic driver.


These API are NOT supported by SPL / U-Boot, it is the reason of the 
restrictions = I have only implement a limited PSCI support to start the 
kernel


You can continue to use SPL on STM32MP15 (at the current upstream level) 
but with limited features.


but only the boot with TF-A is supported / promoted by 
STMicroelectronics on the STM32MP family.


These restriction are already announced to STMicroelectronics customers 
since OpenSTLinux v1.2 I think.


For example in 
https://wiki.st.com/stm32mpu-ecosystem-v2/wiki/STM32MP15_ecosystem_release_note_-_v2.1.0

      Basic boot has been removed since STM32MP15-ecosystem-v2.0.0,

      if you were using basic boot with U-BOOT-SPL to load U-BOOT and 
the Kernel,

      then you need to use now the ST reference boot scheme in replacing 
U-BOOT-SPL by TF-A

      as FSBL as explained in Boot chain overview.


> I would argue that the U-Boot crypto code went through multiple 
> independent security reviews, personally I trust that more than code 
> fully controlled and maintained by any one single company, so I am not 
> buying the security constraint argument here.


When I talk about security, it is not crypto code, but some security 
features as isolation between cortex A and Cortex M, key infractructure, 
trusted environment execution, secure update.


> Regarding power management and low power modes, there is literally 
> nothing preventing Linux from implementing those low power modes, so 
> there is no reason to hide all that code in firmware, so I am not 
> buying the low power argument either.


Some part is already done in Linux with call SCMI / PSCI api.

Some part is done in secured firmware: DDR self refresh entry sequence / 
root clock deactivation / PMIC access on secured I2C.


>
> Finally, the argument that the component that is being forced upon 
> everyone is "open source" is really turning any design with such a SoC 
> into a huge risk.
>
> There have been SoCs where the vendor took "open source" bootloader 
> code, compiled a blob, released a blob and never gave out the sources, 
> because it is "open source" and not "free software", the BSD license 
> permits such practice, GPL does not. Whoever wanted to design a board 
> or SoM with such a SoC, had to adjust their design to match that one 
> blob. Of course, that also implies that any security problems were not 
> fixable in that blob.
>

TF-A in OpenSTLinux is delivered as source, you can recompile it => no 
blob delivery for STMicroelectronics

https://github.com/STMicroelectronics/arm-trusted-firmware

And we upstream all the TF-A developments (work in progress).


For us, OpenSTLinux is not only "open source" but "free software"....

and customers (SoM maker or other) manage their distribution.


> [...]


Regards.


Patrick

More information about the U-Boot mailing list