STM32MP157AAC Secure Boot Process on Avenger96 board

Hi,

it seems that the BL2 does not verify the signature of your image with the id 5 (I assume that is your u-boot). This is due to a wrong bit in the .stm32 header (see here: https://wiki.st.com/stm32mpu/wiki/STM32MP15_secure_boot#STM32_Header, the bit is the Option Flag).

Hi @Kaushendra​ 

STM32MP157Axx does not support secure boot.

You need secure sample reference STM32MP157Cxx.

Olivier

Hi @Kaushendra​ 

First quick answer.

Point No .1 : I guess it's a know issue of version up to V2.4. Now fix in new STM32CubeProgrammer V2.5

Point No.2 : Secure Boot can not be manage with U-Boot but only TF-A.

This article might help to reach all available document :

https://community.st.com/s/article/FAQ-STM32MP1-Security-overview

Olivier

Hi @Community member​ 

I'm somewhat able to debug for Point No. 1 with version 2.4.0

***************************************************************

./STM32MP_KeyGen_CLI -ecc 1 -abs /home/kaushendra/kaush/ARROW/SEED/Avenger_secure_boot -pwd seed

o/p

 seed

      -------------------------------------------------------------------

                      STM32MP Key Generator v1.0.0                             

      -------------------------------------------------------------------

 Prime256v1 curve is selected.

 AES_256_cbc algorithm is selected for private key encryption

 Generating Prime256v1 keys...

 Private key PEM file created

 Public key PEM file created

 public key hash file created

 Keys generated successfully.

 + public key:      /home/kaushendra/STM32MP_KeyGen/publicKey.pem

 + private key:     /home/kaushendra/STM32MP_KeyGen/privateKey.pem

 + public hash key: /home/kaushendra/STM32MP_KeyGen/publicKeyhash.bin

issue: publicKeyhash.bin generated is size zero

[15:02:33] kaushendra@AHMCPU2172:~/STM32MP_KeyGen$ ls -lrt

total 8

-r-------- 1 kaushendra kaushendra 379 Jul 29 13:13 privateKey.pem

-r--r--r-- 1 kaushendra kaushendra 178 Jul 29 13:13 publicKey.pem

-r--r--r-- 1 kaushendra kaushendra  0 Jul 29 13:13 publicKeyhash.bin

[15:21:16] kaushendra@AHMCPU2172:~/STM32MP_KeyGen$

your help will be appreciated.

Reg,

kaushendra

Thanks I'll test my scenario with new version and update on you.

Reg,

kaushendra

Hi @Community member​ 

with the upgrade to V2.5 i'm able to generate keys now.

/***************************************************/

[17:36:03] kaushendra@AHMCPU2172:~/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin$ ./STM32MP_KeyGen_CLI -ecc 1 -pubk /home/kaushendra/secure_keys/public.pem -prvk endra/secure_keys/private.pem -hash /home/kaushendra/secure_keys/pubKeyHash.bin -pwd seed

      -------------------------------------------------------------------

                      STM32MP Key Generator v1.0.0                             

      -------------------------------------------------------------------

 brainpoolP256t1 curve is selected.

 AES_256_cbc algorithm is selected for private key encryption

 Generating brainpoolP256t1 keys...

 Private key PEM file created

 Public key PEM file created

 public key hash file created

 Keys generated successfully.

 + public key:      /home/kaushendra/secure_keys/public.pem

 + private key:     /home/kaushendra/secure_keys/private.pem

 + public hash key: /home/kaushendra/secure_keys/pubKeyHash.bin

/*******************************************************************************/

I'll keep you posted if any issue for further steps for secure boot in avenger96

Thanks for support.

Reg,

kaushendra

Hi @Community member​ 

I have done Section 2.2 Key registration (https://wiki.st.com/stm32mpu/wiki/STM32MP15_secure_boot#Key_registration)

Now I'm working over Section 2.3 Image signing (https://wiki.st.com/stm32mpu/wiki/Signing_tool)

Query No .1: Need to know Which file to pass for Command line options

• --binary-image -bin
• --load-address -la
• --entry-point -ep

I would like to know whether Kernel Image ,u-boot or FSBL has to pe put there and what will be addresses

--files available to me in STM-yocto

tf-a-stm32mp157a-av96-trusted.stm32

tf-a-bl32-trusted.elf

tf-a-bl2-trusted.elf

u-boot-stm32mp157a-av96-trusted.stm32

Image--4.19-r0.14-stm32mp1-av96-20200430051417.bin

help will be appreciated as i'm doing this secure boot feature for the very first time

regards,

kaushendra

Hi @Community member​ 

I was able to resolve Image Signing issue with following:

FSBL:tf-a-stm32mp157a-av96-trusted.stm32

SSBL:u-boot-stm32mp157a-av96-trusted.stm32

Able to acheived 2.6.2 TF-A authentication

INFO: Loading image id=5 at address 0xc0100000
INFO: STM32 Image size : 807362
INFO: Check signature on Non-Full-Secured platform
INFO: Image id=5 loaded: 0xc0100000 - 0xc01c51c2
INFO: read version 0 current version 0
NOTICE: BL2: Booting BL32
INFO: Entry point address = 0x2fff000

Thanks for the support.

Regards,

kaushendra sah

HI @Community member​ 

As I'm Completed with enabling Secure Boot Support over Avenger96 Board as per mentioned thread above.

I'm now trying to enable Trusted boot support in u-boot with TPM

I have enabled the TPM support in u-boot

CONFIG_CMD_TPM_V2=y
CONFIG_CMD_TPM=y
CONFIG_TPM_V2=y
CONFIG_TPM2_TIS_SPI=y
CONFIG_TPM=y

I also added SPI Node w.r.t enable TPM driver

diff --git a/arch/arm/dts/stm32mp157a-av96.dts b/arch/arm/dts/stm32mp157a-av96.dts
index 4e26181..fc1c480 100644
--- a/arch/arm/dts/stm32mp157a-av96.dts
+++ b/arch/arm/dts/stm32mp157a-av96.dts
@@ -26,3 +26,17 @@
 	pinctrl-1 = <&rcc_sleep_pins_a>;
 	status = "okay";
 };
+
+&spi2 {
+ pinctrl-names = "default", "sleep";
+ pinctrl-0 = <&spi2_pins_a>;
+ pinctrl-1 = <&spi2_sleep_pins_a>;
+ status = "okay"; 
+
+ tpm_tis@0 {
+ compatible = "tis,tpm2-spi";
+ reg = <0>;
+ spi-max-frequency = <10000000>;
+ };
+};
diff --git a/arch/arm/dts/stm32mp157a-pinctrl.dtsi b/arch/arm/dts/stm32mp157a-pinctrl.dtsi
index af19839..6c1ada3 100644
--- a/arch/arm/dts/stm32mp157a-pinctrl.dtsi
+++ b/arch/arm/dts/stm32mp157a-pinctrl.dtsi
@@ -1337,6 +1337,29 @@
 				};
 			};
 
+			spi2_pins_a: spi2-0 {
+ pins1 {
+ pinmux = <STM32_PINMUX('B', 10, AF5)>, /* SPI2_SCK */
+ <STM32_PINMUX('I', 3, AF5)>; /* SPI2_MOSI */
+ bias-disable;
+ drive-push-pull;
+ slew-rate = <1>;
+ };
+
+ pins2 {
+ pinmux = <STM32_PINMUX('I', 2, AF5)>; /* SPI2_MISO */
+ bias-disable;
+ };
+ };
+			
+			spi2_sleep_pins_a: spi2-sleep-0 {
+				pins {
+					pinmux = <STM32_PINMUX('B', 10, ANALOG)>, /* SPI2_SCK */
+						 <STM32_PINMUX('I', 2, ANALOG)>, /* SPI2_MISO */
+ 			 <STM32_PINMUX('I', 3, ANALOG)>; /* SPI2_MOSI */
+ 			};
+			};
+

But I'm facing issue with driver probe at u-boot

Hit any key to stop autoboot: 0 
STM32MP> tpm
 tpm tpm2
STM32MP> tpm info
stm32mp1_clk_get_id: clk id 131 not found
Could not find TPM (ret=-22)
STM32MP> tpm2 info
stm32mp1_clk_get_id: clk id 131 not found
Could not find TPM (ret=-22)
STM32MP> 

If possible please help me understand whether i'm doing the correct steps of missing something.

help will be appreciated.

Regards,

kaushendra sah

Hi,

Im also facing same issue in spi2 - uboot to PISOSR shift register ..

Please help on this...