Visitor II
April 9, 2021
Solved

Hello, I want to know how to turn on the verification of the images (OP-TEE)

  • April 9, 2021
  • 4 replies
  • 3308 views

I used the latest official version (2021-03-31) to configure the stm32mp157c-dk2 with the OP-TEE version, and used the official tutorial to generate fip.bin and burn it to the corresponding partition, but it seems that the image is not checked; in other words, I did not see the success message for the verification of the image.

    This topic has been closed for replies.
    Best answer by LionelD

    Hi @DDing.1,

    Good to know: in the FIP management there is no formal "Authentication success" to be printed.

    If it boots, it works ;)

    The only way you can ensure that it works is that the complete firmware + certificate are loaded:

    Image 31 (FW_CONFIG) requires Image 6 (Trusted Boot Firmware Certificate).

    You have more loaded images (the IDs must correspond to all certificates) to confirm that it works.

    There is no possibility to skip the authentication so if OP-TEE/U-Boot are launched, authentication is successful.

    BR,

    Lionel
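Lionel's point is that the only visible proof is the certificate images being loaded next to the firmware. Before reading the boot log, it is worth confirming that the FIP itself carries the certificate entries that a GENERATE_COT=1 build is supposed to add. The parser below is an added example written for this page, not ST's or TF-A's code (`fiptool info fip.bin` gives the same listing): the FIP header and ToC layout follow TF-A's firmware_image_package.h, the UUID table is reproduced from memory and is an assumption to check against your TF-A tree, and build_fip exists only to construct the sample inputs so the script runs offline.

```python
import struct
from typing import Dict, List, Tuple

# FIP on-disk layout (TF-A include/tools_share/firmware_image_package.h):
#   fip_toc_header: uint32 name (magic 0xAA640001), uint32 serial_number, uint64 flags
#   fip_toc_entry:  uint8 uuid[16], uint64 offset_address, uint64 size, uint64 flags
# The ToC ends with an entry whose UUID is all zeros.
FIP_MAGIC = 0xAA640001
TOC_HEADER = struct.Struct("<IIQ")
TOC_ENTRY_TAIL = struct.Struct("<QQQ")
TOC_ENTRY_SIZE = 16 + TOC_ENTRY_TAIL.size

# UUIDs as I remember them from the same header, written as fiptool prints them.
# Assumption: confirm them against your TF-A tree or `fiptool info fip.bin`.
KNOWN_UUIDS: Dict[str, str] = {
    "d6e269ea-5d63-e411-8d8c-9fba49f2a6e5": "Trusted Boot Firmware BL2 certificate",
    "827ee890-f860-e411-a1b4-777a21b4f94e": "Trusted key certificate",
    "05d0e189-53dc-1347-8d2b-500a4b7a3e38": "Secure Payload BL32 (Trusted OS)",
    "d6d0eea7-fcea-d54b-9782-9934f234b6e4": "Non-Trusted Firmware BL33",
}


def uuid_to_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"


def parse_fip(blob: bytes) -> List[Tuple[str, int, int]]:
    """Return (uuid, offset, size) for every ToC entry, validating bounds."""
    if len(blob) < TOC_HEADER.size:
        raise ValueError("blob shorter than a FIP header")
    magic, _serial, _flags = TOC_HEADER.unpack_from(blob, 0)
    if magic != FIP_MAGIC:
        raise ValueError(f"bad FIP magic 0x{magic:08x}")
    entries: List[Tuple[str, int, int]] = []
    off = TOC_HEADER.size
    while True:
        if off + TOC_ENTRY_SIZE > len(blob):
            raise ValueError("ToC is not terminated")
        uuid = blob[off:off + 16]
        addr, size, _eflags = TOC_ENTRY_TAIL.unpack_from(blob, off + 16)
        off += TOC_ENTRY_SIZE
        if uuid == bytes(16):          # terminator entry
            return entries
        if addr + size > len(blob):    # never trust offsets taken from the image
            raise ValueError(f"entry {uuid_to_str(uuid)} points outside the file")
        entries.append((uuid_to_str(uuid), addr, size))


def describe(entries: List[Tuple[str, int, int]]) -> List[str]:
    return [KNOWN_UUIDS.get(u, f"unknown {u}") for u, _, _ in entries]


def certificates_in(entries: List[Tuple[str, int, int]]) -> List[str]:
    """Names of the certificate entries present; empty means no CoT in the FIP."""
    return [n for n in describe(entries) if "certificate" in n]


def build_fip(payloads: List[Tuple[str, bytes]]) -> bytes:
    """Minimal FIP writer used only to construct the samples below (not fiptool)."""
    toc_len = TOC_HEADER.size + TOC_ENTRY_SIZE * (len(payloads) + 1)
    toc = bytearray(TOC_HEADER.pack(FIP_MAGIC, 0x12345678, 0))
    body = bytearray()
    for uuid_s, data in payloads:
        toc += bytes.fromhex(uuid_s.replace("-", ""))
        toc += TOC_ENTRY_TAIL.pack(toc_len + len(body), len(data), 0)
        body += data
    toc += bytes(16) + TOC_ENTRY_TAIL.pack(0, 0, 0)
    return bytes(toc) + bytes(body)


# Constructed samples: a FIP with BL32, BL33 and the two certificates a
# GENERATE_COT=1 build adds, versus one built without GENERATE_COT.
WITH_COT = build_fip([
    ("d6e269ea-5d63-e411-8d8c-9fba49f2a6e5", b"\x30\x82" + b"\x00" * 30),
    ("827ee890-f860-e411-a1b4-777a21b4f94e", b"\x30\x82" + b"\x00" * 30),
    ("05d0e189-53dc-1347-8d2b-500a4b7a3e38", b"OPTEE" * 8),
    ("d6d0eea7-fcea-d54b-9782-9934f234b6e4", b"UBOOT" * 8),
])
WITHOUT_COT = build_fip([
    ("05d0e189-53dc-1347-8d2b-500a4b7a3e38", b"OPTEE" * 8),
    ("d6d0eea7-fcea-d54b-9782-9934f234b6e4", b"UBOOT" * 8),
])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WITH_COT
    entries = parse_fip(blob)
    for name in describe(entries):
        print(name)
    print("certificates:", certificates_in(entries) or "NONE")
```

Run it with the path to your fip.bin as the first argument. An empty certificate list means the FIP was built without GENERATE_COT=1 (or without ROT_KEY pointing at a usable key); a full list only proves the FIP side, since a BL2 built without TRUSTED_BOARD_BOOT=1 silently ignores these entries, which is the case Lionel diagnoses later in this thread.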

    4 replies

    Technical Moderator
    April 9, 2021

    Hi @DDing.1,

    I understand you expect FIP binaries to be authenticated, right?

    Please refer to https://wiki.st.com/stm32mpu/wiki/How_to_configure_TF-A_FIP#Secure_boot

    Hope it helps.

    Olivier

    DDing.1Author
    Visitor II
    April 9, 2021

    Yes, I configured it according to this (using the TF-A makefile), but I did not see the corresponding verification process when the STM32 started (the startup log did not seem to change). I want to know if I have forgotten any steps, thanks.

    Visitor II
    April 10, 2021

    Hi @DDing.1,

    According to your traces, the FIP seems to be properly generated BUT the BL2 is not built with TRUSTED_BOARD_BOOT=1 support. So the processing to load the associated certificate chain is not supported in your current BL2 TF-A binary -> no authentication.

    To ensure that it is properly on, there is a trace during boot to know if the crypto_lib is initialized:

    NOTICE: BL2: v2.4-r1.0(debug):v2.4-stm32mp-r1
    NOTICE: BL2: Built : 12:14:26, Apr 10 2021
    INFO:   Using crypto library 'stm32_crypto_lib'

    Please rebuild the TF-A BL2 as explained at https://wiki.st.com/stm32mpu/wiki/TF-A_BL2_overview#Trusted_boot_support and reflash it.

    Use:

    https://wiki.st.com/stm32mpu/wiki/How_to_configure_TF-A_BL2#Build_process

    The important one is:

    TRUSTED_BOARD_BOOT=1: adds the MBEDTLS build sources and enables the authentication framework

    BR,

    Lionel

    DDing.1Author
    Visitor II
    April 13, 2021

    Hello, I have now modified the configuration of BL2 according to the document, and the build command is as follows:

    make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 DTB_FILE_NAME=stm32mp157c-dk2.dtb STM32MP_SDMMC=1 STM32MP_EMMC=1 AARCH32_SP=optee TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 DYN_DISABLE_AUTH=1  MBEDTLS_DIR=/home/tflgr/mbedtls

    Then I built the fip binary file again, with the following command:

    make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 AARCH32_SP=optee \
         DTB_FILE_NAME=stm32mp157c-dk2.dtb \
         BL33=../../FIP_artifacts/u-boot/u-boot-nodtb-stm32mp15.bin \
         BL33_CFG=../../FIP_artifacts/u-boot/u-boot-stm32mp157c-dk2-trusted.dtb \
         BL32=../../FIP_artifacts/optee/tee-header_v2-stm32mp157c-dk2.bin \
         BL32_EXTRA1=../../FIP_artifacts/optee/tee-pager_v2-stm32mp157c-dk2.bin \
         BL32_EXTRA2=../../FIP_artifacts/optee/tee-pageable_v2-stm32mp157c-dk2.bin \
         FW_CONFIG=../../FIP_artifacts/arm-trusted-firmware/fwconfig/stm32mp157c-dk2-fw-config-optee.dtb \
         MBEDTLS_DIR=/home/tflgr/mbedtls TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 \
         ROT_KEY=./plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem fip

    The following files were generated, and then I put the .stm32 file and fip.bin into the sdb1 and sdb3 partitions with the dd command.

    But the startup log did not change and did not output INFO:   Using crypto library 'stm32_crypto_lib', as follows:

    NOTICE: CPU: STM32MP157CAC Rev.B
    NOTICE: Model: STMicroelectronics STM32MP157C-DK2 Discovery Board
    NOTICE: Board: MB1272 Var2.0 Rev.C-01
    INFO:   Reset reason (0x14):
    INFO:     Pad Reset from NRST
    INFO:   PMIC version = 0x10
    INFO:   FCONF: Reading TB_FW firmware configuration file from: 0x2ffe3000
    INFO:   FCONF: Reading firmware configuration information for: stm32mp_io
    INFO:   Using SDMMC
    INFO:     Instance 1
    INFO:   Boot used partition fsbl1
    NOTICE: BL2: v2.4-r1.0(debug):v2.4-dirty
    NOTICE: BL2: Built : 16:43:51, Nov 17 2020
    INFO:   BL2: Doing platform setup
    INFO:   RAM: DDR3-DDR3L 16bits 533000Khz
    WARNING: Couldn't find property st,phy-cal in dtb
    INFO:   Memory size = 0x20000000 (512 MB)
    INFO:   BL2: Loading image id 31
    INFO:   Loading image id=31 at address 0x2ffff000
    INFO:   Image id=31 loaded: 0x2ffff000 - 0x2ffff1fa
    INFO:   FCONF: Reading FW_CONFIG firmware configuration file from: 0x2ffff000
    INFO:   FCONF: Reading firmware configuration information for: dyn_cfg
    INFO:   FCONF: Reading firmware configuration information for: stm32mp1_firewal
    WARNING: FCONF: Invalid config id 26
    INFO:   BL2: Loading image id 4
    INFO:   Loading image id=4 at address 0x2ffc0000
    INFO:   Image id=4 loaded: 0x2ffc0000 - 0x2ffc002c
    INFO:   OPTEE ep=0x2ffc0000
    INFO:   OPTEE header info:

    Thanks.

    Visitor II
    April 13, 2021

    Hi,

    Your build command looks good to me, but I'm surprised that the build date printed in your boot log is NOTICE: BL2: Built : 16:43:51, Nov 17 2020.

    Are you sure you updated it on your card? The first partition must be updated with your generated binary, the .stm32 file.

    I'm also surprised as, regarding your build command, you would generate a release version (without all these logs)?

    Could you please confirm.

    DYN_DISABLE_AUTH=1 -> Not mandatory, you could remove it for now, or maybe double check that the property is still set to 0 in the DT file to avoid any removal of the authentication.

    GENERATE_COT=1 -> Used to generate the FIP, not required during the BL2 build.

    BR,

    Lionel
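Lionel's diagnosis in the two replies above rests on three things visible in the BL2 boot log: the build date in the BL2 banner (a date older than your build means the fsbl partition still holds the old .stm32), the "Using crypto library" trace (absent when BL2 was built without TRUSTED_BOARD_BOOT=1), and whether the trusted boot firmware certificate (image id 6) is loaded before FW_CONFIG (image id 31). The checker below is an added example written for this page, not ST's or TF-A's code. The image id table is reproduced from memory of TF-A's tbbr_img_def.h and is an assumption to check against your tree (the thread itself only confirms 4, 6 and 31); BAD_LOG is an excerpt of the log posted in this thread and GOOD_LOG is a constructed log of what a trusted-boot BL2 would print, with made-up addresses.

```python
import re
from typing import Dict, List, Optional

# Image IDs as I recall them from TF-A include/common/tbbr/tbbr_img_def.h
# (assumption: check against your tree). The thread confirms 4 = BL32,
# 6 = TRUSTED_BOOT_FW_CERT and 31 = FW_CONFIG.
CERT_IMAGE_IDS = {
    6: "TRUSTED_BOOT_FW_CERT", 7: "TRUSTED_KEY_CERT",
    10: "TRUSTED_OS_FW_KEY_CERT", 11: "NON_TRUSTED_FW_KEY_CERT",
    14: "TRUSTED_OS_FW_CONTENT_CERT", 15: "NON_TRUSTED_FW_CONTENT_CERT",
}
TB_FW_CERT_ID = 6
FW_CONFIG_ID = 31

# __DATE__ pads single-digit days with a space ("Apr  9 2021"), hence " +".
BUILT_RE = re.compile(r"BL2: Built : \d\d:\d\d:\d\d, (\w{3} +\d{1,2} \d{4})")
LOAD_RE = re.compile(r"Loading image id=(\d+) at")
CRYPTO_RE = re.compile(r"Using crypto library '([^']+)'")


def analyse_bl2_log(log: str, expected_build_date: Optional[str] = None) -> Dict[str, object]:
    """Extract the trusted-boot evidence from a BL2 console log and list problems."""
    crypto_lib: Optional[str] = None
    build_date: Optional[str] = None
    loaded: List[int] = []
    for line in log.splitlines():
        m = CRYPTO_RE.search(line)
        if m:
            crypto_lib = m.group(1)
        m = BUILT_RE.search(line)
        if m:
            build_date = m.group(1)
        m = LOAD_RE.search(line)
        if m:
            loaded.append(int(m.group(1)))

    certs = [CERT_IMAGE_IDS[i] for i in loaded if i in CERT_IMAGE_IDS]
    problems: List[str] = []
    if expected_build_date and build_date != expected_build_date:
        problems.append(f"BL2 banner says built {build_date}, expected {expected_build_date}: "
                        "stale BL2 in the fsbl partition?")
    if crypto_lib is None:
        problems.append("no 'Using crypto library' trace: BL2 built without TRUSTED_BOARD_BOOT=1")
    if FW_CONFIG_ID in loaded and TB_FW_CERT_ID not in loaded[:loaded.index(FW_CONFIG_ID)]:
        problems.append("FW_CONFIG (id 31) loaded without TRUSTED_BOOT_FW_CERT (id 6) before it: "
                        "no authentication")
    return {
        "crypto_lib": crypto_lib,
        "build_date": build_date,
        "loaded_ids": loaded,
        "certificates_loaded": certs,
        "tbb_active": crypto_lib is not None and bool(certs),
        "problems": problems,
    }


# Excerpt of the log posted in this thread.
BAD_LOG = """\
INFO:   Boot used partition fsbl1
NOTICE: BL2: v2.4-r1.0(debug):v2.4-dirty
NOTICE: BL2: Built : 16:43:51, Nov 17 2020
INFO:   BL2: Doing platform setup
INFO:   BL2: Loading image id 31
INFO:   Loading image id=31 at address 0x2ffff000
INFO:   Image id=31 loaded: 0x2ffff000 - 0x2ffff1fa
INFO:   BL2: Loading image id 4
INFO:   Loading image id=4 at address 0x2ffc0000
INFO:   Image id=4 loaded: 0x2ffc0000 - 0x2ffc002c
"""

# Constructed log (not captured from a board) of a BL2 built with
# TRUSTED_BOARD_BOOT=1: crypto lib initialised, certificate loaded before FW_CONFIG.
GOOD_LOG = """\
NOTICE: BL2: v2.4-r1.0(debug):v2.4-stm32mp-r1
NOTICE: BL2: Built : 12:14:26, Apr 10 2021
INFO:   Using crypto library 'stm32_crypto_lib'
INFO:   BL2: Loading image id 31
INFO:   Loading image id=6 at address 0x2ffe6000
INFO:   Loading image id=31 at address 0x2ffff000
INFO:   Loading image id=4 at address 0x2ffc0000
"""

if __name__ == "__main__":
    for name, log in (("posted log", BAD_LOG), ("constructed TBB log", GOOD_LOG)):
        result = analyse_bl2_log(log, expected_build_date="Apr 10 2021")
        print(name, "-> tbb_active:", result["tbb_active"])
        for p in result["problems"]:
            print("   ", p)
```

Feed it the serial capture and the date printed by your own build (`NOTICE: BL2: Built :` on the host is the same string). On the posted log all three checks fail, which matches the reply above: the banner date proves the old BL2 is still in fsbl1, so rebuilding with TRUSTED_BOARD_BOOT=1 changes nothing until the .stm32 is actually rewritten there.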

    Visitor II
    April 14, 2021

    Hi @DDing.1,

    The wiki has a lack of info; I'll add it soon for the MBEDTLS part.

    MBEDTLS is used as an external repo as mentioned here in the official doc:

    https://trustedfirmware-a.readthedocs.io/en/v2.4/design/trusted-board-boot-build.html

    To build the FIP image, ensure the following command line variables are set while invoking make to build TF-A:

    MBEDTLS_DIR=<path of the directory containing mbed TLS sources>
    TRUSTED_BOARD_BOOT=1
    GENERATE_COT=1

    As per requirement:

    https://trustedfirmware-a.readthedocs.io/en/v2.4/getting_started/prerequisites.html

    The following libraries are required for Trusted Board Boot support:

    mbed TLS == 2.24.0 (tag: mbedtls-2.24.0)

    So now, regarding your issue (because it seems that your build is now OK, as the crypto lib is initialized).

    It seems to be an internal MBEDTLS error. Could you please double check the version used to build your BL2 and confirm that it's 2.24.0?

    BR,

    Lionel

    DDing.1Author
    Visitor II
    April 15, 2021

    Thanks. I rebuilt the image with version 2.24.0, but it still got the same error.