path: root/docs/plat/warp7.rst
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-21 17:43:51 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-21 17:43:51 +0000
commit: be58c81aff4cd4c0ccf43dbd7998da4a6a08c03b (patch)
tree: 779c248fb61c83f65d1f0dc867f2053d76b4e03a /docs/plat/warp7.rst
parent: Initial commit.
Adding upstream version 2.10.0+dfsg.upstream/2.10.0+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--  docs/plat/warp7.rst  210
1 files changed, 210 insertions, 0 deletions
diff --git a/docs/plat/warp7.rst b/docs/plat/warp7.rst
new file mode 100644
index 0000000..f98a76f
--- /dev/null
+++ b/docs/plat/warp7.rst
@@ -0,0 +1,210 @@
+NXP i.MX7 WaRP7
+===============
+
+The Trusted Firmware-A port for the i.MX7Solo WaRP7 implements BL2 at EL3.
+The i.MX7S contains a BootROM with a High Assurance Boot (HAB) functionality.
+This functionality provides a mechanism for establishing a root-of-trust from
+the reset vector to the command-line in user-space.
+
+Boot Flow
+---------
+
+BootROM --> TF-A BL2 --> BL32(OP-TEE) --> BL33(U-Boot) --> Linux
+
+In the WaRP7 port we encapsulate OP-TEE, DTB and U-Boot into a FIP. This FIP is
+expected and required
+
+Build Instructions
+------------------
+
+We need to use a file generated by u-boot in order to generate a .imx image the
+BootROM will boot. It is therefore _required_ to build u-boot before TF-A and
+furthermore it is _recommended_ to use the mkimage in the u-boot/tools directory
+to generate the TF-A .imx image.
+
+U-Boot
+~~~~~~
+
+https://git.linaro.org/landing-teams/working/mbl/u-boot.git
+
+.. code:: shell
+
+ git checkout -b rms-atf-optee-uboot linaro-mbl/rms-atf-optee-uboot
+ make warp7_bl33_defconfig;
+ make u-boot.imx arch=ARM CROSS_COMPILE=arm-linux-gnueabihf-
+
+OP-TEE
+~~~~~~
+
+https://github.com/OP-TEE/optee_os.git
+
+.. code:: shell
+
+ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- PLATFORM=imx PLATFORM_FLAVOR=mx7swarp7 ARCH=arm CFG_PAGEABLE_ADDR=0 CFG_DT_ADDR=0x83000000 CFG_NS_ENTRY_ADDR=0x87800000
+
+TF-A
+~~~~
+
+https://github.com/ARM-software/arm-trusted-firmware.git
+
+The following commands assume that a directory exits in the top-level TFA build
+directory "fiptool_images". "fiptool_images" contains
+
+- u-boot.bin
+ The binary output from the u-boot instructions above
+
+- tee-header_v2.bin
+- tee-pager_v2.bin
+- tee-pageable_v2.bin
+ Binary outputs from the previous OPTEE build steps
+
+It is also assumed copy of mbedtls is available on the path path ../mbedtls
+ https://github.com/ARMmbed/mbedtls.git
+ At the time of writing HEAD points to 0592ea772aee48ca1e6d9eb84eca8e143033d973
+
+.. code:: shell
+
+ mkdir fiptool_images
+ cp /path/to/optee/out/arm-plat-imx/core/tee-header_v2.bin fiptool_images
+ cp /path/to/optee/out/arm-plat-imx/core/tee-pager_v2.bin fiptool_images
+ cp /path/to/optee/out/arm-plat-imx/core/tee-pageable_v2.bin fiptool_images
+
+ make CROSS_COMPILE=${CROSS_COMPILE} PLAT=warp7 ARCH=aarch32 ARM_ARCH_MAJOR=7 \
+ ARM_CORTEX_A7=yes AARCH32_SP=optee PLAT_WARP7_UART=1 GENERATE_COT=1 \
+ TRUSTED_BOARD_BOOT=1 USE_TBBR_DEFS=1 MBEDTLS_DIR=../mbedtls \
+ NEED_BL32=yes BL32=fiptool_images/tee-header_v2.bin \
+ BL32_EXTRA1=fiptool_images/tee-pager_v2.bin \
+ BL32_EXTRA2=fiptool_images/tee-pageable_v2.bin \
+ BL33=fiptool_images/u-boot.bin certificates all
+
+ /path/to/u-boot/tools/mkimage -n /path/to/u-boot/u-boot.cfgout -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx
+
+FIP
+~~~
+
+.. code:: shell
+
+ cp /path/to/uboot/u-boot.bin fiptool_images
+ cp /path/to/linux/arch/boot/dts/imx7s-warp.dtb fiptool_images
+
+ tools/cert_create/cert_create -n --rot-key "build/warp7/debug/rot_key.pem" \
+ --tfw-nvctr 0 \
+ --ntfw-nvctr 0 \
+ --trusted-key-cert fiptool_images/trusted-key-cert.key-crt \
+ --tb-fw=build/warp7/debug/bl2.bin \
+ --tb-fw-cert fiptool_images/trusted-boot-fw.key-crt\
+ --tos-fw fiptool_images/tee-header_v2.bin \
+ --tos-fw-cert fiptool_images/tee-header_v2.bin.crt \
+ --tos-fw-key-cert fiptool_images/tee-header_v2.bin.key-crt \
+ --tos-fw-extra1 fiptool_images/tee-pager_v2.bin \
+ --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin \
+ --nt-fw fiptool_images/u-boot.bin \
+ --nt-fw-cert fiptool_images/u-boot.bin.crt \
+ --nt-fw-key-cert fiptool_images/u-boot.bin.key-crt \
+ --hw-config fiptool_images/imx7s-warp.dtb
+
+ tools/fiptool/fiptool create --tos-fw fiptool_images/tee-header_v2.bin \
+ --tos-fw-extra1 fiptool_images/tee-pager_v2.bin \
+ --tos-fw-extra2 fiptool_images/tee-pageable_v2.bin \
+ --nt-fw fiptool_images/u-boot.bin \
+ --hw-config fiptool_images/imx7s-warp.dtb \
+ --tos-fw-cert fiptool_images/tee-header_v2.bin.crt \
+ --tos-fw-key-cert fiptool_images/tee-header_v2.bin.key-crt \
+ --nt-fw-cert fiptool_images/u-boot.bin.crt \
+ --nt-fw-key-cert fiptool_images/u-boot.bin.key-crt \
+ --trusted-key-cert fiptool_images/trusted-key-cert.key-crt \
+ --tb-fw-cert fiptool_images/trusted-boot-fw.key-crt warp7.fip
+
+Deploy Images
+-------------
+
+First place the WaRP7 into UMS mode in u-boot this should produce an entry in
+/dev like /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0
+
+.. code:: shell
+
+ => ums 0 mmc 0
+
+Next flash bl2.imx and warp7.fip
+
+bl2.imx is flashed @ 1024 bytes
+warp7.fip is flash @ 1048576 bytes
+
+.. code:: shell
+
+ sudo dd if=bl2.bin.imx of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2 conv=notrunc
+ # Offset is 1MB 1048576 => 1048576 / 512 = 2048
+ sudo dd if=./warp7.fip of=/dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0 bs=512 seek=2048 conv=notrunc
+
+Remember to umount the USB device pefore proceeding
+
+.. code:: shell
+
+ sudo umount /dev/disk/by-id/usb-Linux_UMS_disk_0_WaRP7-0xf42400d3000001d4-0\:0*
+
+
+Signing BL2
+-----------
+
+A further step is to sign BL2.
+
+The image_sign.sh and bl2_sign.csf files alluded to blow are available here.
+
+https://github.com/bryanodonoghue/atf-code-signing
+
+It is suggested you use this script plus the example CSF file in order to avoid
+hard-coding data into your CSF files.
+
+Download both "image_sign.sh" and "bl2_sign.csf" to your
+arm-trusted-firmware top-level directory.
+
+.. code:: shell
+
+ #!/bin/bash
+ SIGN=image_sign.sh
+ TEMP=`pwd`/temp
+ BL2_CSF=bl2_sign.csf
+ BL2_IMX=bl2.bin.imx
+ CST_PATH=/path/to/cst-2.3.2
+ CST_BIN=${CST_PATH}/linux64/cst
+
+ #Remove temp
+ rm -rf ${TEMP}
+ mkdir ${TEMP}
+
+ # Generate IMX header
+ /path/to/u-boot/tools/mkimage -n u-boot.cfgout.warp7 -T imximage -e 0x9df00000 -d ./build/warp7/debug/bl2.bin ./build/warp7/debug/bl2.bin.imx > ${TEMP}/${BL2_IMX}.log
+
+ # Copy required items to $TEMP
+ cp build/warp7/debug/bl2.bin.imx ${TEMP}
+ cp ${CST_PATH}/keys/* ${TEMP}
+ cp ${CST_PATH}/crts/* ${TEMP}
+ cp ${BL2_CSF} ${TEMP}
+
+ # Generate signed BL2 image
+ ./${SIGN} image_sign_mbl_binary ${TEMP} ${BL2_CSF} ${BL2_IMX} ${CST_BIN}
+
+ # Copy signed BL2 to top-level directory
+ cp ${TEMP}/${BL2_IMX}-signed .
+ cp ${BL2_RECOVER_CSF} ${TEMP}
+
+
+The resulting bl2.bin.imx-signed can replace bl2.bin.imx in the Deploy
+Images section above, once done.
+
+Suggested flow for verifying.
+
+1. Followed all previous steps above and verify a non-secure ATF boot
+2. Down the NXP Code Singing Tool
+3. Generate keys
+4. Program the fuses on your board
+5. Replace bl2.bin.imx with bl2.bin.imx-signed
+6. Verify inside u-boot that "hab_status" shows no events
+7. Subsequently close your board.
+
+If you have HAB events @ step 6 - do not lock your board.
+
+To get a good over-view of generating keys and programming the fuses on the
+board read "High Assurance Boot for Dummies" by Boundary Devices.
+
+https://boundarydevices.com/high-assurance-boot-hab-dummies/
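Review bot: the last line of the "Signing BL2" script, `cp ${BL2_RECOVER_CSF} ${TEMP}`, copies from a variable the script never defines, and it runs after the signed image has already been copied out, so it either errors or copies nothing; drop the line or define `BL2_RECOVER_CSF` next to `BL2_CSF` and move it before the signing call. The "Boot Flow" paragraph ends mid-sentence at `This FIP is expected and required`; either finish the sentence (what the FIP is required by) or cut the fragment. In the OP-TEE make line `ARCH=arm` is passed twice; drop the duplicate. The cert_create invocation passes `-n` together with `--rot-key "build/warp7/debug/rot_key.pem"`, i.e. it uses a freshly generated key sitting in the debug build tree; since that key anchors the BL32/BL33 chain of trust, the doc should say that for anything beyond development the key must be supplied from, and kept in, a location outside the build tree. Wording to fix: `exits` -> `exists` and `TFA` -> `TF-A` in the fiptool_images paragraph, `path path` in the mbedtls note, `warp7.fip is flash @` -> `warp7.fip is flashed at`, `pefore` -> `before`, `blow` -> `below`, and step 2 of the verification flow `Down the NXP Code Singing Tool` -> `Download the NXP Code Signing Tool`.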