STM32MP15, cannot reboot in secure mode (TZEN = 1)

Question

Hi,I work on a custom board using a DHCOR SoM with a STM32MP157C SoC. I setup the TF-A + OP-TEE boot chain for the secure boot and I managed to boot on the linux stm32 (v6.1). The board hangs at reboot :[ 1480.467975] reboot: Restarting systemI/TC: Forced system resetTo reboot the board, the OP-TEE OS writes '1' in the RCC_MP_GRSTCSETR register bit 0. If TZEN = '1', this register can only be modified in secure mode. TZEN is set to '1' by writing a '1' in the RCC_TZCR register bit 0, which is done by the rcc driver if the 'compatible' property is set to "st,stm32mp1-rcc-secure" in the OP-TEE device tree. The RCC is switched in "secure mode", which is confirmed at boot :D/TC:0 0 check_rcc_secure_configuration:347 RCC/PWR secure hardening: TZEN enable, MCKPROT enableFrom the documentation, chapter 10.4.14 RCC TrustZone function :"The bit TZEN allows the RCC and the PWR to be switched in secure mode. The RCC_TZCR register is only accessible by a secure access. When TZEN = ‘1’, some RCC and PWR registers can only be modified using secure accesses. The reading of registers is always allowed."The secure attribute of the RCC_MP_GRSTCSETR register is "S", which means from the table 74 :"This register can only be written in secure mode when TZEN = ‘1’ or when TZEN AND MCKPROT = ‘1’."What I understand is that by setting RCC in secure mode with TZEN = '1' write access requires to be in secure mode. But what is the "secure mode" here ? What did I miss in my configuration ?Regards,Pierre-Loup

Pierre-Loup · Accepted Answer

Hi,I solved my issue. Is not related with linux stm and secure boot chain.Our SoC revision is Rev.Z. Our custom board is based on the avenger96 (Rev.B) with the same eMMC (SDINBD4-8G), but the RST pin schematic is a bit different. We use discrete components for supplies.I found your discussion about a similar problem (Rev.B), you said:If you are using discrete components for supplies, you have to ensure your eMMC is reset when NRST pulse occur. This could be done either by doing a power cycle on the eMMC supplies or connecting NRST to the memory reset pin (need to permanently enable this pin in the eMMC RST_n_FUNCTION register)Thus, I enable the eMMC reset pin in the EXTCSD register and now the board reboot on the eMMC. But I am not quite sure to understand the solution, so please if you can enlighten me.The ROM code use the JEDEC boot sequence (CMD0) and get the boot sector on DAT0 pin. Maybe the mmc driver set our eMMC in an incompatible mode with the ROM code during the kernel startup (because before mmc driver probing the board reboot with a kernel panic, and not after). From the JEDEC spec, the eMMC HW RST pin is disabled by default.Does the ROM code try to send a HW RST signal to the eMMC at boot time to set the eMMC in a pre-idle state ? @PatrickF wrote:@Pierre-Loup wrote:I do not have an available JTAG on my custom board.If fail occur at bootrom, bootrom trace dump is required (JTAG is not mandatory as it could be done with only two wires SWD).The SWD wires are not accessible on our custom board.Regards,

Pierre-Loup · Answer

My RCC configuration seems to be correct. In fact, it is possible to reboot from the non-secure world with u-boot.

I can reproduce the hang by removing the 'st,mask-reset' property of the buck3 PMIC vdd regulator in the OP-TEE device tree. So I my guess is the vdd regulator is shutdown when it is Linux asking for a reboot, preventing the board to reboot (akin to a power off).

Given that the PMIC and reboot is the scope of the OP-TEE, what can cause this behavior ?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded