Trusted Firmware for Cortex-A (TF-A) is an implementation of EL3 secure firmware. TF-A replaces PPA in secure firmware role.

Please note the steps listed in this topic can only be performed with LSDK 18.12 and newer releases. 
Also the TF-A boot flow is applicable only for LS1088ARDB-PB. LS1088ARDB is not supported LSDK 18.12 release onwards.
              

To migrate to the TF-A boot flow from the previous boot flow (with PPA), you need to compile the TF-A binaries, bl2_<boot_mode>.pbl and fip.bin, and flash these binaries on the specific boot medium on the board.

For QSPI NOR flash boot, you need to compile the following TF-A binaries.

Follow these steps to compile and deploy TF-A  binaries (bl2_qspi.pbl and fip.bin) in QSPI NOR flash.

1. Compile PBL binary from RCW source file
2. Compile U-Boot binary
3. [Optional] Compile OPTEE binary 
4. Compile TF-A binaries (bl2_qspi.pbl and fip.bin) for QSPI NOR flash
5. Program TF-A binaries to QSPI NOR flash

Step 1: Compile PBL binary from RCW source file

 You need to compile the rcw_1600_qspi.bin binary to build the bl2_qspi.pbl binary.

Clone the  rcw repository and compile the PBL binary. 

1. $ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/rcw
2. $ cd rcw
3. $ git checkout -b <new branch name> <LSDK tag>. For example, $ git checkout -b LSDK-18.12 LSDK-18.12 
4. $ cd ls1088ardb
5. If required, make changes to the rcw files.
6. $ make

The compiled PBL binary for QSPI NOR flash on LS1088ARDB-PB, rcw_1600_qspi.bin, is available at rcw/ls1088ardb/FCQQQQQQQQ_PPP_H_0x1d_0x0d/.  

See the rcw/ls1088ardb/README file for an explanation of the naming convention for the directories that contain the RCW source and binary files.

Step 2: Compile U-Boot binary

You need to compile the u-boot.bin binary to build the fip.bin binary.

Clone the u-boot repository and compile the U-Boot binary for TF-A.

1. $ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/u-boot.git
2. $ cd u-boot
3. $ git checkout -b <new branch name> LSDK-<LSDK version>. For example, $ git checkout -b LSDK-18.12 LSDK-18.12 
4. $ export ARCH=arm
5. $ export CROSS_COMPILE=aarch64-linux-gnu-
6. $ make distclean
7. $ make ls1088ardb_tfa_defconfig
8. $ make

If the make command shows the error "*** Your GCC is older than 6.0 and is not supported", ensure that you are using Ubuntu 18.04 64-bit version for building LSDK 18.12 U-Boot binary. 
                           

The compiled U-Boot image, u-boot.bin, is available at u-boot/.

Step 3: [Optional] Compile OP-TEE binary

You need to compile the tee.bin binary to build fip.bin with OPTEE. However, OPTEE is optional, you can skip the procedure to compile OPTEE if you want to build the FIP binary without OPTEE.

Clone the optee_os repository and build the OPTEE binary. 

1. $ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/optee_os
2. $ cd optee_os
3. $ git checkout -b <new branch name> LSDK-<LSDK version>. For example, $ git checkout -b LSDK-18.12 LSDK-18.12
4. $ export ARCH=arm
5. $ export CROSS_COMPILE=aarch64-linux-gnu-
6. $ make CFG_ARM64_core=y PLATFORM=ls-ls1088ardb
7. $ aarch64-linux-gnu-objcopy -v -O binary out/arm-plat-ls/core/tee.elf out/arm-plat-ls/core/tee.bin

The compiled OPTEE image, tee.bin, is available at optee_os/out/arm-plat-ls/core/.

Step 4: Compile TF-A binaries for QSPI NOR flash

Clone the atf repository and compile the TF-A binaries, bl2_qspi.pbl and fip.bin.

1. $ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/atf
2. $ cd atf
3. $  git checkout -b <new branch name> LSDK-<LSDK version>. For example, $ git checkout -b LSDK-18.12 LSDK-18.12
4. $ export ARCH=arm
5. $ export CROSS_COMPILE=aarch64-linux-gnu-
6. Build BL2 binary with OPTEE.
   • $ make PLAT=ls1088ardb bl2 SPD=opteed BOOT_MODE=qspi pbl RCW=<path_to_rcw_binary>/rcw_1600_qspi.bin

     The compiled BL2 binaries, bl2.bin and bl2_qspi.pbl are available at atf/build/ls1088ardb/release/.

     For any update in the BL2 source code or RCW binary, the bl2_qspi.pbl binary needs to be recompiled.

     To compile the BL2 binary without OPTEE:
     make PLAT=ls1088ardb bl2 BOOT_MODE=qspi pbl RCW=<path_to_rcw_binary>/rcw_1600_qspi.bin
         

7. Build FIP binary with OPTEE and without trusted board boot.
   • $ make PLAT=ls1088ardb fip BL33=<path_to_u-boot_binary>/u-boot.bin SPD=opteed BL32=<path_to_optee_binary>/tee.bin
     

     The compiled BL31 and FIP binaries, bl31.bin, fip.bin, are available at atf/build/ls1088ardb/release/.

     For any update in the BL31, BL32, or BL33 binaries, the fip.bin binary needs to be recompiled.

     To compile the FIP binary without OPTEE and without trusted board boot:
     make PLAT=ls1088ardb fip BOOT_MODE=sd BL33=<path_to_u-boot_binary>/u-boot.bin
     To compile the FIP binary with trusted board boot, refer the read me at <atf repository>/plat/nxp/README.TRUSTED_BOOT
               

Step 5: Program TF-A binaries to QSPI NOR flash

1. Boot LS1088ARDB-PB from QSPI. Ensure that the switches are set to boot the board from QSPI. For booting from QSPI , SW1[1:8] + SW2[1] = 0011_0001_X
2. Boot from QSPI NOR flash0: => qixis_reset

   For LS1088ARDB-PB, in boot log, you'll see:

   Board: LS1088ARDB-PB, Board Arch: V1, Board version: A, boot from QSPI:0

Please ensure that you are using LS1088ARDB-PB to flash the TF-A binaries, as LS1088ARDB is not supported LSDK 18.12 release onwards.

Set up Ethernet connection

When board boots up, U-Boot prints a list of enabled Ethernet interfaces.

DPMAC1@xgmii, DPMAC2@xgmii, DPMAC3@qsgmii, DPMAC4@qsgmii, DPMAC5@qsgmii, DPMAC6@qsgmii, DPMAC7@qsgmii, DPMAC8@qsgmii, DPMAC9@qsgmii, DPMAC10@qsgmii

1. Set server IP address to the IP address of the host machine on which you have configured the TFTP server. 

   => setenv serverip <ipaddress1>

2. Set ethact and ethprime as the ethernet interface connected to the TFTP server.

   See LS1088ARDB/LS1088RDB-PB Ethernet port mapping for the mapping of Ethernet port names appearing on the chassis front panel with the port names in U-Boot and Linux.
                           

   => setenv ethprime <name of interface connected to TFTP server>

   For example:

   => setenv ethprime DPMAC3@qsgmii

   => setenv ethact <name of interface connected to TFTP server>

   For example:

   => setenv ethact DPMAC3@qsgmii

3. Set IP address of the board. You can set a static IP address or, if the board can connect to a dhcp server, you can use the dhcp command. 

   Static IP address assignment:
   => setenv ipaddr <ipaddress2>
   => setenv netmask <subnet mask>

   Dynamic IP address assignment:
   => dhcp

4. Save the settings. => saveenv
5. Check the connection between the board and the TFTP server.

=> ping $serverip

Using DPMAC3@qsgmii device

host 192.168.1.1 is alive

Load TF-A binaries from the TFTP server

For details about the flash image layout for TF-A binaries, refer LSDK memory layout for TF-A boot flow.
        

1. Program QSPI NOR flash1: => sf probe 0:1

2. Flash bl2_qspi.pbl:

   • => tftp 0xa0000000 bl2_qspi.pbl

   • => sf erase 0x0 +$filesize && sf write 0xa0000000 0x0 $filesize 

3. Flash fip.bin:
   • => tftp 0xa0000000 fip.bin
   • => sf erase 0x100000 +$filesize && sf write 0xa0000000 0x100000 $filesize
4. Boot from QSPI NOR flash1: => qixis_reset altbank

   LS1088ARDB-PB will boot with TF-A. In the boot log, you will see:

   => NOTICE: UDIMM 18ASF1G72AZ-2G6B1

   NOTICE: 8 GB DDR4, 64-bit, CL=15, ECC on, CS0+CS1
   NOTICE: BL2: v1.5(release):LSDK-18.12
   NOTICE: BL2: Built : 16:23:18, Feb 8 2019
   NOTICE: BL31: v1.5(release):LSDK-18.12
   NOTICE: BL31: Built : 16:25:08, Feb 8 2019
   NOTICE: Welcome to LS1088 BL31 Phase

For steps to deploy TF-A binaries on SD card, see LS1088ARDB-PB - How to deploy TF-A binaries on SD card