Skip to main content
Visitor II
May 6, 2020
Solved

STM32MP157AAC Secure Boot Process on Avenger96 board

  • May 6, 2020
  • 10 replies
  • 3534 views

Hi,

I would like to perform the secureboot on AV96 board. I have built the image with yocto openstlinux.I want to confirm the secure-boot scenario if Board Boots-up.

I'm sharing some logs,please comment me whether i need to seperately perfrom steps to make AV96 board boots securely.

NOTICE: Model: Arrow Electronics STM32MP157A Avenger96 board
INFO: Reset reason (0x10):
INFO: Reset due to a failure of VDD_CORE
INFO: Using SDMMC
INFO: Instance 1
INFO: Boot used partition fsbl1
NOTICE: BL2: v2.0-r1.5(debug):
NOTICE: BL2: Built : 13:13:37, Oct 2 2018
INFO: BL2: Doing platform setup
INFO: PMIC version = 0x10
INFO: RAM: DDR3-1066/888 bin G 2x4Gb 533MHz v1.45
INFO: Memory size = 0x40000000 (1024 MB)
INFO: BL2 runs SP_MIN setup
INFO: BL2: Loading image id 4
INFO: Loading image id=4 at address 0x2fff0000
INFO: Image id=4 loaded: 0x2fff0000 - 0x30000000
INFO: BL2: Loading image id 5
INFO: Loading image id=5 at address 0xc0100000
INFO: STM32 Image size : 807362
WARNING: Skip signature check (header option)
INFO: Image id=5 loaded: 0xc0100000 - 0xc01c51c2
INFO: read version 0 current version 0
NOTICE: BL2: Booting BL32
INFO: Entry point address = 0x2fff0000
INFO: SPSR = 0x1d3
INFO: PMIC version = 0x10
NOTICE: SP_MIN: v2.0-r1.5(debug):
NOTICE: SP_MIN: Built : 13:13:37, Oct 2 2018
INFO: ARM GICv2 driver initialized
INFO: stm32mp HSI (18): Secure only
INFO: stm32mp HSE (20): Secure only
INFO: stm32mp PLL2 (27): Secure only
INFO: stm32mp PLL2_R (30): Secure only
INFO: SP_MIN: Initializing runtime services

Thanks

kaushendra

    This topic has been closed for replies.
    Best answer by Olivier GALLIEN

    Hi @Kaushendra​ 

    It's a hardware board limitation. Only way would be to change the assembled STM32MP15 chip ID ...

    I recommend you to contact Arrow to see if they plan to sell secure flavor of the AV96.

    BR,

    Olivier

    10 replies

    Visitor II
    May 6, 2020

    Hi,

    it seems that the BL2 does not verify the signature of your image with the id 5 (I assume that is your u-boot). This is due to a wrong bit in the .stm32 header (see here: https://wiki.st.com/stm32mpu/wiki/STM32MP15_secure_boot#STM32_Header, the bit is the Option Flag).

    Visitor II
    May 6, 2020

    Thanks for the point you made,I'll try to follow as per you suggestion.

    Technical Moderator
    May 6, 2020

    Hi @Kaushendra​ 

    STM32MP157Axx does not support secure boot.

    You need secure sample reference STM32MP157Cxx.

    Olivier

    Visitor II
    May 6, 2020

    Hi @Community member​ 

    Could you please help me with reference links or guide which helps me to enable secure boot over Avenger96 Board.

    Technical Moderator
    May 6, 2020

    Hi @Kaushendra​ 

    It's a hardware board limitation. Only way would be to change the assembled STM32MP15 chip ID ...

    I recommend you to contact Arrow to see if they plan to sell secure flavor of the AV96.

    BR,

    Olivier

    Technical Moderator
    July 29, 2020

    Hi @Kaushendra​ 

    First quick answer.

    Point No .1 : I guess it's a know issue of version up to V2.4. Now fix in new STM32CubeProgrammer V2.5

    Point No.2 : Secure Boot can not be manage with U-Boot but only TF-A.

    This article might help to reach all available document :

    https://community.st.com/s/article/FAQ-STM32MP1-Security-overview

    Olivier

    Visitor II
    July 29, 2020

    Hi @Community member​ 

    Point No.1: I'm able to see only upto version 2.4 for download.

    Point No.2: I need to add TPM support in u-boot to can i get any reference links regarding that.

    Reg,

    kaushendra sah

    Visitor II
    July 29, 2020

    Hi @Community member​ 

    I'm somewhat able to debug for Point No. 1 with version 2.4.0

    ***************************************************************

    ./STM32MP_KeyGen_CLI -ecc 1 -abs /home/kaushendra/kaush/ARROW/SEED/Avenger_secure_boot -pwd seed

    o/p

     seed

          -------------------------------------------------------------------

                          STM32MP Key Generator v1.0.0                             

          -------------------------------------------------------------------

     Prime256v1 curve is selected.

     AES_256_cbc algorithm is selected for private key encryption

     Generating Prime256v1 keys...

     Private key PEM file created

     Public key PEM file created

     public key hash file created

     Keys generated successfully.

     + public key:      /home/kaushendra/STM32MP_KeyGen/publicKey.pem

     + private key:     /home/kaushendra/STM32MP_KeyGen/privateKey.pem

     + public hash key: /home/kaushendra/STM32MP_KeyGen/publicKeyhash.bin

    issue: publicKeyhash.bin generated is size zero

    [15:02:33] kaushendra@AHMCPU2172:~/STM32MP_KeyGen$ ls -lrt

    total 8

    -r-------- 1 kaushendra kaushendra 379 Jul 29 13:13 privateKey.pem

    -r--r--r-- 1 kaushendra kaushendra 178 Jul 29 13:13 publicKey.pem

    -r--r--r-- 1 kaushendra kaushendra  0 Jul 29 13:13 publicKeyhash.bin

    [15:21:16] kaushendra@AHMCPU2172:~/STM32MP_KeyGen$

    your help will be appreciated.

    Reg,

    kaushendra

    Technical Moderator
    July 29, 2020

    STM32CubeProgrammer V2.5 is the version available on st.com :

    https://www.st.com/en/development-tools/stm32cubeprog.html

    Olivier

    Visitor II
    July 29, 2020

    Thanks I'll test my scenario with new version and update on you.

    Reg,

    kaushendra

    Visitor II
    July 29, 2020

    Hi @Community member​ 

    with the upgrade to V2.5 i'm able to generate keys now.

    /***************************************************/

    [17:36:03] kaushendra@AHMCPU2172:~/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin$ ./STM32MP_KeyGen_CLI -ecc 1 -pubk /home/kaushendra/secure_keys/public.pem -prvk endra/secure_keys/private.pem -hash /home/kaushendra/secure_keys/pubKeyHash.bin -pwd seed

          -------------------------------------------------------------------

                          STM32MP Key Generator v1.0.0                             

          -------------------------------------------------------------------

     brainpoolP256t1 curve is selected.

     AES_256_cbc algorithm is selected for private key encryption

     Generating brainpoolP256t1 keys...

     Private key PEM file created

     Public key PEM file created

     public key hash file created

     Keys generated successfully.

     + public key:      /home/kaushendra/secure_keys/public.pem

     + private key:     /home/kaushendra/secure_keys/private.pem

     + public hash key: /home/kaushendra/secure_keys/pubKeyHash.bin

    /*******************************************************************************/

    I'll keep you posted if any issue for further steps for secure boot in avenger96

    Thanks for support.

    Reg,

    kaushendra

    Visitor II
    July 30, 2020

    Hi @Community member​ 

    I have done Section 2.2 Key registration (https://wiki.st.com/stm32mpu/wiki/STM32MP15_secure_boot#Key_registration)

    Now I'm working over Section 2.3 Image signing (https://wiki.st.com/stm32mpu/wiki/Signing_tool)

    Query No .1: Need to know Which file to pass for Command line options

    • --binary-image -bin
    • --load-address -la
    • --entry-point -ep

    I would like to know whether Kernel Image ,u-boot or FSBL has to pe put there and what will be addresses

    --files available to me in STM-yocto

    tf-a-stm32mp157a-av96-trusted.stm32

    tf-a-bl32-trusted.elf

    tf-a-bl2-trusted.elf

    u-boot-stm32mp157a-av96-trusted.stm32

    Image--4.19-r0.14-stm32mp1-av96-20200430051417.bin

    help will be appreciated as i'm doing this secure boot feature for the very first time

    regards,

    kaushendra

    Visitor II
    July 31, 2020

    Hi @Community member​ 

    I was able to resolve Image Signing issue with following:

    FSBL:tf-a-stm32mp157a-av96-trusted.stm32

    SSBL:u-boot-stm32mp157a-av96-trusted.stm32

    Able to acheived 2.6.2 TF-A authentication

    INFO: Loading image id=5 at address 0xc0100000
    INFO: STM32 Image size : 807362
    INFO: Check signature on Non-Full-Secured platform
    INFO: Image id=5 loaded: 0xc0100000 - 0xc01c51c2
    INFO: read version 0 current version 0
    NOTICE: BL2: Booting BL32
    INFO: Entry point address = 0x2fff000

    Thanks for the support.

    Regards,

    kaushendra sah

    Visitor II
    August 6, 2020

    HI @Community member​ 

    As I'm Completed with enabling Secure Boot Support over Avenger96 Board as per mentioned thread above.

    I'm now trying to enable Trusted boot support in u-boot with TPM

    I have enabled the TPM support in u-boot

    CONFIG_CMD_TPM_V2=y
    CONFIG_CMD_TPM=y
    CONFIG_TPM_V2=y
    CONFIG_TPM2_TIS_SPI=y
    CONFIG_TPM=y

    I also added SPI Node w.r.t enable TPM driver

    diff --git a/arch/arm/dts/stm32mp157a-av96.dts b/arch/arm/dts/stm32mp157a-av96.dts
    index 4e26181..fc1c480 100644
    --- a/arch/arm/dts/stm32mp157a-av96.dts
    +++ b/arch/arm/dts/stm32mp157a-av96.dts
    @@ -26,3 +26,17 @@
     	pinctrl-1 = <&rcc_sleep_pins_a>;
     	status = "okay";
     };
    +
    +&spi2 {
    + pinctrl-names = "default", "sleep";
    + pinctrl-0 = <&spi2_pins_a>;
    + pinctrl-1 = <&spi2_sleep_pins_a>;
    + status = "okay"; 
    +
    + tpm_tis@0 {
    + compatible = "tis,tpm2-spi";
    + reg = <0>;
    + spi-max-frequency = <10000000>;
    + };
    +};
    diff --git a/arch/arm/dts/stm32mp157a-pinctrl.dtsi b/arch/arm/dts/stm32mp157a-pinctrl.dtsi
    index af19839..6c1ada3 100644
    --- a/arch/arm/dts/stm32mp157a-pinctrl.dtsi
    +++ b/arch/arm/dts/stm32mp157a-pinctrl.dtsi
    @@ -1337,6 +1337,29 @@
     				};
     			};
     
    +			spi2_pins_a: spi2-0 {
    + pins1 {
    + pinmux = <STM32_PINMUX('B', 10, AF5)>, /* SPI2_SCK */
    + <STM32_PINMUX('I', 3, AF5)>; /* SPI2_MOSI */
    + bias-disable;
    + drive-push-pull;
    + slew-rate = <1>;
    + };
    +
    + pins2 {
    + pinmux = <STM32_PINMUX('I', 2, AF5)>; /* SPI2_MISO */
    + bias-disable;
    + };
    + };
    +			
    +			spi2_sleep_pins_a: spi2-sleep-0 {
    +				pins {
    +					pinmux = <STM32_PINMUX('B', 10, ANALOG)>, /* SPI2_SCK */
    +						 <STM32_PINMUX('I', 2, ANALOG)>, /* SPI2_MISO */
    + 			 <STM32_PINMUX('I', 3, ANALOG)>; /* SPI2_MOSI */
    + 			};
    +			};
    +

    But I'm facing issue with driver probe at u-boot

    Hit any key to stop autoboot: 0 
    STM32MP> tpm
     tpm tpm2
    STM32MP> tpm info
    stm32mp1_clk_get_id: clk id 131 not found
    Could not find TPM (ret=-22)
    STM32MP> tpm2 info
    stm32mp1_clk_get_id: clk id 131 not found
    Could not find TPM (ret=-22)
    STM32MP> 

    If possible please help me understand whether i'm doing the correct steps of missing something.

    help will be appreciated.

    Regards,

    kaushendra sah

    Visitor II
    February 16, 2021

    Hi,

    Im also facing same issue in spi2 - uboot to PISOSR shift register ..

    Please help on this...

    Technical Moderator
    February 16, 2021

    Hi @Ganesh.T​ ,

    Thanks for your comment.

    This would require to get further information regarding your context.

    Are you using a modified AV96 board with secure chip as @Kaushendra​ ?

    In any case I recommand to open a new post with your specific issue.

    You can mention as reference this post if you think it help to understand your context and issue.

    Thanks,

    Olivier