Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-18 02:24:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
arm-trusted-firmware/docs/plat/warp7.rst
Bryan O'Donoghue 31e4c20de6 docs: warp7: Update WaRP7 description for TBB 
This patch updates the WaRP7 build descriptions for booting WaRP7 in
Trusted Board Boot mode. TBB is the only mode we really intend to support
for this board so rather than maintain documentation for the old way of
doing it, this patch updates the description for TBB mode only.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
2019-01-18 16:10:56 +00:00

204 lines
7.2 KiB
ReStructuredText
Raw Blame History

Trusted Firmware-A for i.MX7 WaRP7
==================================
The Trusted Firmware-A port for the i.MX7Solo WaRP7 implements BL2 at EL3.
The i.MX7S contains a BootROM with a High Assurance Boot (HAB) functionality.
This functionality provides a mechanism for establishing a root-of-trust from
the reset vector to the command-line in user-space.
Boot Flow
=========
BootROM --> TF-A BL2 --> BL32(OP-TEE) --> BL33(U-Boot) --> Linux
In the WaRP7 port we encapsulate OP-TEE, DTB and U-Boot into a FIP. This FIP is
expected and required
# Build Instructions
We need to use a file generated by u-boot in order to generate a .imx image the
BootROM will boot. It is therefore _required_ to build u-boot before TF-A and
furthermore it is _recommended_ to use the mkimage in the u-boot/tools directory
to generate the TF-A .imx image.
## U-Boot:
https://git.linaro.org/landing-teams/working/mbl/u-boot.git
.. code:: shell
git checkout -b rms-atf-optee-uboot linaro-mbl/rms-atf-optee-uboot
make warp7_bl33_defconfig;
make u-boot.imx arch=ARM CROSS_COMPILE=arm-linux-gnueabihf-
## OP-TEE:
https://github.com/OP-TEE/optee_os.git
.. code:: shell
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- PLATFORM=imx PLATFORM_FLAVOR=mx7swarp7 ARCH=arm CFG_PAGEABLE_ADDR=0 CFG_DT_ADDR=0x83000000 CFG_NS_ENTRY_ADDR=0x87800000
## TF-A:
https://github.com/ARM-software/arm-trusted-firmware.git
The following commands assume that a directory exits in the top-level TFA build
directory "fiptool_images". "fiptool_images" contains
- u-boot.bin
The binary output from the u-boot instructions above
- tee-header_v2.bin
- tee-pager_v2.bin
- tee-pageable_v2.bin
Binary outputs from the previous OPTEE build steps
It is also assumed copy of mbedtls is available on the path path ../mbedtls
https://github.com/ARMmbed/mbedtls.git
At the time of writing HEAD points to 0592ea772aee48ca1e6d9eb84eca8e143033d973
.. code:: shell
mkdir fiptool_images
cp /path/to/optee/out/arm-plat-imx/core/tee-header_v2.bin fiptool_images
cp /path/to/optee/out/arm-plat-imx/core/tee-pager_v2.bin fiptool_images
cp /path/to/optee/out/arm-plat-imx/core/tee-pageable_v2.bin fiptool_images
make CROSS_COMPILE=${CROSS_COMPILE} PLAT=warp7 ARCH=aarch32 ARM_ARCH_MAJOR=7 \
ARM_CORTEX_A7=yes AARCH32_SP=optee PLAT_WARP7_UART=1 GENERATE_COT=1 \
TRUSTED_BOARD_BOOT=1 USE_TBBR_DEFS=1 MBEDTLS_DIR=../mbedtls \
NEED_BL32=yes BL32=fiptool_images/tee-header_v2.bin \
BL32_EXTRA1=fiptool_images/tee-pager_v2.bin \
BL32_EXTRA2=fiptool_images/tee-pageable_v2.bin \
BL33=fiptool_images/u-boot.bin certificates all
/path/to/u-boot/tools/mkimage -n /path/to/u-boot/u-boot.cfgout -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx
## FIP:
.. code:: shell
cp /path/to/uboot/u-boot.bin fiptool_images
cp /path/to/linux/arch/boot/dts/imx7s-warp.dtb fiptool_images
tools/cert_create/cert_create -n --rot-key "build/warp7/debug/rot_key.pem" \
--tfw-nvctr 0 \
--ntfw-nvctr 0 \
--trusted-key-cert fiptool_images/trusted-key-cert.key-crt \
--tb-fw=build/warp7/debug/bl2.bin \
--tb-fw-cert fiptool_images/trusted-boot-fw.key-crt\
--tos-fw fiptool_images/tee-header_v2.bin \
--tos-fw-cert fiptool_images/tee-header_v2.bin.crt \
--tos-fw-key-cert fiptool_images/tee-header_v2.bin.key-crt \
--tos-fw-extra1 fiptool_images/tee-pager_v2.bin \
--tos-fw-extra2 fiptool_images/tee-pageable_v2.bin \
--nt-fw fiptool_images/u-boot.bin \
--nt-fw-cert fiptool_images/u-boot.bin.crt \
--nt-fw-key-cert fiptool_images/u-boot.bin.key-crt \
--hw-config fiptool_images/imx7s-warp.dtb
tools/fiptool/fiptool create --tos-fw fiptool_images/tee-header_v2.bin \
--tos-fw-extra1 fiptool_images/tee-pager_v2.bin \
--tos-fw-extra2 fiptool_images/tee-pageable_v2.bin \
--nt-fw fiptool_images/u-boot.bin \
--hw-config fiptool_images/imx7s-warp.dtb \
--tos-fw-cert fiptool_images/tee-header_v2.bin.crt \
--tos-fw-key-cert fiptool_images/tee-header_v2.bin.key-crt \
--nt-fw-cert fiptool_images/u-boot.bin.crt \
--nt-fw-key-cert fiptool_images/u-boot.bin.key-crt \
--trusted-key-cert fiptool_images/trusted-key-cert.key-crt \
--tb-fw-cert fiptool_images/trusted-boot-fw.key-crt warp7.fip
# Deploy Images
First place the WaRP7 into UMS mode in u-boot this should produce an entry in
/dev like /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0
.. code:: shell
=> ums 0 mmc 0
Next flash bl2.imx and warp7.fip
bl2.imx is flashed @ 1024 bytes
warp7.fip is flash @ 1048576 bytes
.. code:: shell
sudo dd if=bl2.bin.imx of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2 conv=notrunc
# Offset is 1MB 1048576 => 1048576 / 512 = 2048
sudo dd if=./warp7.fip of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2048 conv=notrunc
Remember to umount the USB device pefore proceeding
.. code:: shell
sudo umount /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0*
# Signing BL2
A further step is to sign BL2.
The image_sign.sh and bl2_sign.csf files alluded to blow are available here.
https://github.com/bryanodonoghue/atf-code-signing
It is suggested you use this script plus the example CSF file in order to avoid
hard-coding data into your CSF files.
Download both "image_sign.sh" and "bl2_sign.csf" to your
arm-trusted-firmware top-level directory.
.. code:: shell
#!/bin/bash
SIGN=image_sign.sh
TEMP=`pwd`/temp
BL2_CSF=bl2_sign.csf
BL2_IMX=bl2.bin.imx
CST_PATH=/path/to/cst-2.3.2
CST_BIN=${CST_PATH}/linux64/cst
#Remove temp
rm -rf ${TEMP}
mkdir ${TEMP}
# Generate IMX header
/path/to/u-boot/tools/mkimage -n u-boot.cfgout.warp7 -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx > ${TEMP}/${BL2_IMX}.log
# Copy required items to $TEMP
cp build/warp7/debug/bl2.bin.imx ${TEMP}
cp ${CST_PATH}/keys/* ${TEMP}
cp ${CST_PATH}/crts/* ${TEMP}
cp ${BL2_CSF} ${TEMP}
# Generate signed BL2 image
./${SIGN} image_sign_mbl_binary ${TEMP} ${BL2_CSF} ${BL2_IMX} ${CST_BIN}
# Copy signed BL2 to top-level directory
cp ${TEMP}/${BL2_IMX}-signed .
cp ${BL2_RECOVER_CSF} ${TEMP}
The resulting bl2.bin.imx-signed can replace bl2.bin.imx in the Deploy
Images section above, once done.
Suggested flow for verifying.
1. Followed all previous steps above and verify a non-secure ATF boot
2. Down the NXP Code Singing Tool
3. Generate keys
4. Program the fuses on your board
5. Replace bl2.bin.imx with bl2.bin.imx-signed
6. Verify inside u-boot that "hab_status" shows no events
7. Subsequently close your board.
If you have HAB events @ step 6 - do not lock your board.
To get a good over-view of generating keys and programming the fuses on the
board read "High Assurance Boot for Dummies" by Boundary Devices.
https://boundarydevices.com/high-assurance-boot-hab-dummies/
Reference in a new issue View git blame Copy permalink