LS2088ARDB - How to deploy TF-A binaries in NOR flash

Trusted Firmware for Cortex-A (TF-A) is an implementation of EL3 secure firmware. TF-A replaces PPA in secure firmware role.

Please note the steps listed in this topic can only be performed with LSDK 18.12 and newer releases.

To migrate to the TF-A boot flow from the previous boot flow (with PPA), you need to compile the TF-A binaries, bl2_<boot_mode>.pbl and fip.bin, and flash these binaries on the specific boot medium on the board.

For NOR boot, you need to compile the following TF-A binaries.

TF-A binary name	Components
bl2_nor.pbl	BL2 binary: Platform initialization binary RCW binary for NOR boot
fip.bin	BL31: Secure runtime firmware BL32: Trusted OS, for example, OPTEE (optional) BL33: U-Boot/UEFI image

Follow these steps to compile and deploy TF-A binaries (bl2_nor.pbl and fip.bin) on the NOR flash.

Compile RCW binary
Compile U-Boot binary
[Optional] Compile OPTEE binary
Compile TF-A binaries (bl2_nor.pbl and fip.bin) for NOR boot
Program TF-A binaries to the NOR flash

Step 1: Compile RCW binary

You need to compile the rcw_1800.bin binary to build the bl2_nor.pbl binary.

Clone the  rcw repository and compile the PBL binary.

$ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/rcw
$ cd rcw
$ git checkout -b <new branch name> <LSDK tag>. For example, $ git checkout -b LSDK-19.09 LSDK-19.09
$ cd ls2088ardb
If required, make changes to the rcw files.
$ make

The compiled PBL binary for NOR boot on LS2088ARDB, rcw_1800.bin, is available at rcw/ls2088ardb/FFFFFFFF_PP_HH_0x2a_0x41

See the rcw/ls2088ardb/README file for an explanation of the naming convention for the directories that contain the RCW source and binary files.

Step 2: Compile U-Boot binary

You need to compile the u-boot.bin binary to build the fip.bin binary.

Clone the u-boot repository and compile the U-Boot binary for TF-A.

$ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/u-boot.git
$ cd u-boot
$ git checkout -b <new branch name> LSDK-<LSDK version>. For example, $ git checkout -b LSDK-19.09 LSDK-19.09
$ export ARCH=arm64
$ export CROSS_COMPILE=aarch64-linux-gnu-
$ make distclean
$ make ls2088ardb_tfa_defconfig
$ make

If the make command shows the error "*** Your GCC is older than 6.0 and is not supported", ensure that you are using Ubuntu 18.04 64-bit version for building the LSDK 18.12 and onwards U-Boot binary.

The compiled U-Boot binary, u-boot.bin, is available at u-boot/.

Step 3: [Optional] Compile OPTEE binary

You need to compile the tee.bin binary to build fip.bin with OPTEE. However, OPTEE is optional, you can skip the procedure to compile OPTEE if you want to build the FIP binary without OPTEE.

Clone the optee_os repository and build the OPTEE binary.

$ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/optee_os
$ cd optee_os
$ git checkout -b <new branch name> LSDK-<LSDK version>. For example, $ git checkout -b LSDK-19.09 LSDK-19.09
$ export ARCH=arm
$ export CROSS_COMPILE=aarch64-linux-gnu-
$ make CFG_ARM64_core=y PLATFORM=ls-ls2088ardb
$ aarch64-linux-gnu-objcopy -v -O binary out/arm-plat-ls/core/tee.elf out/arm-plat-ls/core/tee.bin

The compiled OPTEE image, tee.bin, is available at optee_os/out/arm-plat-ls/core/.

Step 4: Compile TF-A binaries for NOR boot

Clone the atf repository and compile the TF-A binaries, bl2_nor.pbl and fip.bin.

$ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/atf
$ cd atf
$ git checkout -b <new branch name> LSDK-<LSDK version>. For example, $ git checkout -b LSDK-19.09 LSDK-19.09
$ export ARCH=arm64
$ export CROSS_COMPILE=aarch64-linux-gnu-
Build BL2 binary with OPTEE.
- $ make PLAT=ls2088ardb bl2 SPD=opteed BOOT_MODE=nor BL32=<path_to_optee_binary>/tee.bin pbl RCW=<path_to_rcw_binary>/rcw_1800.bin
  The compiled BL2 images, bl2.bin and bl2_nor.pbl are available at atf/build/ls2088ardb/release/.
  For any update in the BL2 source code or RCW binary, the bl2_nor.pbl binary needs to be recompiled.
```
To compile the BL2 binary without OPTEE:
$ make PLAT=ls2088ardb bl2 BOOT_MODE=nor pbl RCW=<path_to_rcw_binary>/rcw_1800.bin                    
       
```

Build FIP binary with OPTEE and without trusted board boot.

$ make PLAT=ls2088ardb fip BL33=<path_to_u-boot_binary>/u-boot.bin SPD=opteed BL32=<path_to_optee_binary>/tee.bin

The compiled BL31 and FIP binaries, bl31.bin, fip.bin, are available at atf/build/ls2088ardb/release/.

For any update in the BL31, BL32, or BL33 binaries, the fip.bin binary needs to be recompiled.

To compile the FIP binary without OPTEE and without trusted board boot:

$ make PLAT=ls2088ardb fip BOOT_MODE=nor BL33=<path_to_u-boot_binary>/u-boot.bin

To compile the FIP binary with trusted board boot, refer the read me at <atf repository>/plat/nxp/README.TRUSTED_BOOT

Step 5: Program TF-A binaries to NOR flash

Boot LS2088ARDB from NOR flash. Ensure that the switches and jumpers are set to boot the board from NOR bank 0.
- SW5[1:8] = 1111 1111
- SW3[1:8] = 0001 0010
- SW4[1:8] = 1111 1111
- SW6[1:8] = 1111 1111
- SW7[1:8] = 0100 0010
- SW9[1:8] = 0100 0000
- SW8[1:8] = 0111 1111
In addition to the above switch settings, make sure the following jumper settings are correct (for RDB Rev E and later)
- J14 = 1-2, for NOR boot
Boot from NOR bank 0: => qixis_reset
For LS2088ARDB, in boot log, you'll see:
Board: LS2088AE Rev1.1-RDB, Board Arch: V1, Board version: F, boot from vBank: 0

TF-A binaries can be loaded to LS2088ARDB from a TFTP server or from a mass storage device (SD, USB, or SATA).

Option 1: Load image from the TFTP server

Set up Ethernet connection

When board boots up, U-Boot prints a list of enabled Ethernet interfaces.

DPMAC1@xgmii, DPMAC2@xgmii, DPMAC3@xgmii, DPMAC4@xgmii, DPMAC5@xgmii, DPMAC6@xgmii, DPMAC7@xgmii, DPMAC8@xgmii

Set server IP address to the IP address of the host machine on which you have configured the TFTP server.
=> setenv serverip <ipaddress1>

Set ethact and ethprime as the Ethernet interface connected to the TFTP server.

See LS2088ARDB Ethernet port mapping for the mapping of Ethernet port names appearing on the chassis front panel with the port names in U-Boot and Linux.

=> setenv ethprime <name of interface connected to TFTP server>

For example:

=> setenv ethprime DPMAC1@xgmii

=> setenv ethact <name of interface connected to TFTP server>

For example:

=> setenv ethact DPMAC1@xgmii

Set IP address of the board. You can set a static IP address or, if the board can connect to a dhcp server, you can use the dhcp command.
Static IP address assignment:
=> setenv ipaddr <ipaddress2>
=> setenv netmask <subnet mask>
Dynamic IP address assignment:
=> dhcp
Save the settings. => saveenv
Check the connection between the board and the TFTP server.

=> ping $serverip

Using DPMAC1@xgmii device

host 192.168.1.1 is alive

Load TF-A binaries from the TFTP server

For details about the flash image layout for TF-A binaries, refer LSDK memory layout for TF-A boot flow.

Flash bl2_nor.pbl to NOR bank 4 (after booting from NOR bank 0).
- => tftp 82000000 bl2_nor.pbl
- => erase 0x584000000 +$filesize;cp.b 82000000 0x584000000 $filesize
Flash fip.bin to NOR bank 4 (after booting from NOR bank 0).
- => tftp 82000000 fip.bin
- => erase 0x584100000 +$filesize;cp.b 82000000 0x584100000 $filesize
Boot from NOR bank 4: => qixis_reset altbank
LS2088ARDB will boot with TF-A. In the boot log, you will see:
NOTICE: UDIMM 18ASF1G72AZ-2G3B1
NOTICE: 16 GB DDR4, 64-bit, CL=13, ECC on, 256B, CS0+CS1
NOTICE: UDIMM 18ASF1G72AZ-2G3B1
NOTICE: 4 GB DDR4, 32-bit, CL=11, ECC on, CS0+CS1
NOTICE: BL2: v1.5(release):LSDK-19.09
NOTICE: BL2: Built : 16:04:08, Nov 4 2019
NOTICE: BL31: v1.5(release):LSDK-19.09
NOTICE: BL31: Built : 16:40:39, Nov 4 2019
NOTICE: Welcome to LS2088 BL31 Phase

U-Boot 2019.04 (Nov 04 2019 - 15:57:49 +0530)
SoC: LS2088AE Rev1.1 (0x87090011)
Clock Configuration:
CPU0(A72):1800 MHz CPU1(A72):1800 MHz CPU2(A72):1800 MHz
CPU3(A72):1800 MHz CPU4(A72):1800 MHz CPU5(A72):1800 MHz
CPU6(A72):1800 MHz CPU7(A72):1800 MHz
Bus: 700 MHz DDR: 1866.667 MT/s DP-DDR: 1600 MT/s
Reset Configuration Word (RCW):
00000000: 483038b8 48480048 00000000 00000000
00000010: 00000000 00000000 00a00000 00000000
00000020: 01e01180 00002581 00000000 00000000
00000030: 00400c0b 00000000 00000000 00000000
00000040: 00000000 00000000 00000000 00000000
00000050: 00000000 00000000 00000000 00000000
00000060: 00000000 00000000 00027000 00000000
00000070: 412a0000 00040000
Model: Freescale Layerscape 2080a RDB Board
Board: LS2088AE Rev1.1-RDB, Board Arch: V1, Board version: F, boot from vBank: 4
.......

Option 2: Load image from partition on mass storage device (SD, USB, or SATA)

Select mass storage device to use.
```
=> mmc rescan
```
```
=> mmc info
```
Or
```
=> usb start
=> usb info
```
Or
=> scsi scan
=> scsi info

Optional – List files on storage device

=> ls mmc <device:partition>

For example:

=> ls mmc 0:2

=> ls usb <device:partition>

For example:

=> ls usb 0:1

=> ls scsi <device:partition>

For example:

=> ls scsi 0:2

If the ls command fails to run, check that U-Boot in NOR bank 0 supports the command by typing ls at the U-Boot prompt:
=> ls
ls - Lists files in a directory (default)
Usage:
ls <interface> [<dev[:part]> [directory]]
- Lists files in directory [directory] of partition [part] on device type [interface] and instance [dev].
If U-Boot does not support this command, then update the composite firmware image in NOR bank 0.
For steps to update composite firmware image in NOR bank, see Layerscape Software Development Kit User Guide .

Use the following command if the SD card is formatted/created using LSDK flex-installer command:
=> load <interface> [<dev[:part]> [<addr> [<filename> [bytes [pos]]]]]
For example:
=> load mmc 0:2 $load_addr bl2_nor.pbl
Use the following command if the SD card is formatted/created on a Windows PC:
=> fatload <interface> [<dev[:part]> [<addr> [<filename> [bytes [pos]]]]]
For example:
=> fatload mmc 0:2 $load_addr bl2_nor.pbl
Use the following command if the SD card is formatted/created on a Linux PC:
=> ext2load <interface> [<dev[:part]> [<addr> [<filename> [bytes [pos]]]]]
For example:
=>ext2load mmc 0:2 $load_addr bl2_nor.pbl
Also note that LSDK flex-installer command puts the images on the IInd partition, so 0:2 is used in the load command. If the SD card is formatted on Windows PC or Linux PC for single partition only, then 0 should be used instead of 0:2 in the fatload/ext2load command.

Load bl2_nor.pbl image from the storage device
=> load mmc 0:2 0xa0000000 <image name>
=> print filesize
For example:
=> load mmc 0:2 0xa0000000 bl2_nor.pbl
=> print filesize
filesize=14379
Or
=> load usb 0:2 0xa0000000 <image name>
=> print filesize
Or
=> load scsi 0:2 0xa0000000 <image name>
=> print filesize
Program bl2_nor.pbl to NOR bank 4 (after booting from NOR bank 0): => erase 0x584000000 +$filesize;cp.b 0xa0000000 0x584000000 $filesize
Load fip.bin image from the storage device
=> load mmc 0:2 0xa0000000 <image name>
=> print filesize
For example:
=> load mmc 0:2 0xa0000000 fip.bin
=> print filesize
filesize=131510
Or
=> load usb 0:2 0xa0000000 <image name>
=> print filesize
Or
=> load scsi 0:2 0xa0000000 <image name>
=> print filesize
Program fip.bin to NOR bank 4 (after booting from NOR bank 0): => erase 0x584100000 +$filesize;cp.b 0xa0000000 0x584100000 $filesize
Boot from NOR bank 4: => qixis_reset altbank
LS2088ARDB will boot with TF-A.

LS2088ARDB - How to deploy TF-A binaries in NOR flash

LS2088ARDB - How to deploy TF-A binaries in NOR flash