Trusted Firmware for Cortex-A (TF-A) is an implementation of EL3 secure firmware. TF-A replaces PPA in secure firmware role. Please note the steps listed in this topic can only be performed with LSDK 18.12 and newer releases. Also the TF-A boot flow is applicable only for LS1088ARDB-PB. LS1088ARDB is not supported LSDK 18.12 release onwards. To migrate to the TF-A boot flow from the previous boot flow (with PPA), you need to compile the TF-A binaries, bl2_<boot_mode>.pbl and fip.bin, and flash these binaries on the specific boot medium on the board. For SD boot, you need to compile the following TF-A binaries. TF-A binary name Components bl2_sd.pbl BL2 binary: Platform initialization binary RCW binary for SD boot fip.bin BL31: Secure runtime firmware BL32: Trusted OS, for example, OPTEE (optional) BL33: U-Boot/UEFI image Follow these steps to compile and deploy TF-A binaries (bl2_sd.pbl and fip.bin) on the SD card. Compile PBL binary from RCW source file Compile U-Boot binary [Optional] Compile OPTEE binary Compile TF-A binaries (bl2_sd.pbl and fip.bin) for SD boot Program TF-A binaries to the SD card Step 1: Compile PBL binary from RCW source file You need to compile the rcw_1600_sd.bin binary to build the bl2_sd.pbl binary. Clone the rcw repository and compile the PBL binary. $ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/rcw $ cd rcw $ git checkout -b <new branch name> <LSDK tag>. For example, $ git checkout -b LSDK-18.12 LSDK-18.12 $ cd ls1088ardb If required, make changes to the rcw files. $ make The compiled PBL binary for SD boot on LS1088ARDB-PB, rcw_1600_sd.bin, is available at rcw/ls1088ardb/FCQQQQQQQQ_PPP_H_0x1d_0x0d/. See the rcw/ls1088ardb/README file for an explanation of the naming convention for the directories that contain the RCW source and binary files. Step 2: Compile U-Boot binary You need to compile the u-boot.bin binary to build the fip.bin binary. Clone the u-boot repository and compile the U-Boot binary for TF-A. $ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/u-boot.git $ cd u-boot $ git checkout -b <new branch name> LSDK-<LSDK version>. For example, $ git checkout -b LSDK-18.12 LSDK-18.12 $ export ARCH=arm $ export CROSS_COMPILE=aarch64-linux-gnu- $ make distclean $ make ls1088ardb_tfa_defconfig $ make If the make command shows the error "*** Your GCC is older than 6.0 and is not supported", ensure that you are using Ubuntu 18.04 64-bit version for building the LSDK 18.12 U-Boot binary. The compiled U-Boot binary, u-boot.bin, is available at u-boot/. Step 3: [Optional] Compile OPTEE binary You need to compile the tee.bin binary to build fip.bin with OPTEE. However, OPTEE is optional, you can skip the procedure to compile OPTEE if you want to build the FIP binary without OPTEE. Clone the optee_os repository and build the OPTEE binary. $ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/optee_os $ cd optee_os $ git checkout -b <new branch name> LSDK-<LSDK version>. For example, $ git checkout -b LSDK-18.12 LSDK-18.12 $ export ARCH=arm $ export CROSS_COMPILE=aarch64-linux-gnu- $ make CFG_ARM64_core=y PLATFORM=ls-ls1088ardb $ aarch64-linux-gnu-objcopy -v -O binary out/arm-plat-ls/core/tee.elf out/arm-plat-ls/core/tee.bin The compiled OPTEE image, tee.bin, is available at optee_os/out/arm-plat-ls/core/. Step 4: Compile TF-A binaries for SD boot Clone the atf repository and compile the TF-A binaries, bl2_sd.pbl and fip.bin. $ git clone https://source.codeaurora.org/external/qoriq/qoriq-components/atf $ cd atf $ git checkout -b <new branch name> LSDK-<LSDK version>. For example, $ git checkout -b LSDK-18.12 LSDK-18.12 $ export ARCH=arm $ export CROSS_COMPILE=aarch64-linux-gnu- Build BL2 binary with OPTEE. $ make PLAT=ls1088ardb bl2 SPD=opteed BOOT_MODE=sd pbl RCW=<path_to_rcw_binary>/rcw_1600_sd.bin The compiled BL2 images, bl2.bin and bl2_sd.pbl are available at atf/build/ls1088ardb/release/. For any update in the BL2 source code or RCW binary, the bl2_sd.pbl binary needs to be recompiled. To compile the BL2 binary without OPTEE: $ make PLAT=ls1088ardb bl2 BOOT_MODE=sd pbl RCW=<path_to_rcw_binary>/rcw_1600_sd.bin Build FIP binary with OPTEE and without trusted board boot. $ make PLAT=ls1088ardb fip BL33=<path_to_u-boot_binary>/u-boot.bin SPD=opteed BL32=<path_to_optee_binary>/tee.bin The compiled BL31 and FIP binaries, bl31.bin, fip.bin, are available at atf/build/ls1088ardb/release/. For any update in the BL31, BL32, or BL33 binaries, the fip.bin binary needs to be recompiled. To compile the FIP binary without OPTEE and without trusted board boot:
$ make PLAT=ls1088ardb fip BOOT_MODE=sd BL33=<path_to_u-boot_binary>/u-boot.bin To compile the FIP binary with trusted board boot, refer the read me at <atf repository>/plat/nxp/README.TRUSTED_BOOT Step 5: Program TF-A binaries to SD card Boot LS1088ARDB-PB from QSPI. Ensure that the switches are set to boot the board from QSPI. For booting from QSPI , SW1[1:8] + SW2[1] = 0011_0001_X Boot from QSPI NOR flash0: => qixis_reset For LS1088ARDB-PB, in boot log, you'll see: Board: LS1088ARDB-PB, Board Arch: V1, Board version: A, boot from QSPI:0 Please ensure that you are using LS1088ARDB-PB to flash the TF-A binaries, as LS1088ARDB is not supported LSDK 18.12 release onwards. Set up Ethernet connection When board boots up, U-Boot prints a list of enabled Ethernet interfaces. DPMAC1@xgmii, DPMAC2@xgmii, DPMAC3@qsgmii, DPMAC4@qsgmii, DPMAC5@qsgmii, DPMAC6@qsgmii, DPMAC7@qsgmii, DPMAC8@qsgmii, DPMAC9@qsgmii, DPMAC10@qsgmii Set server IP address to the IP address of the host machine on which you have configured the TFTP server. => setenv serverip <ipaddress1> Set ethact and ethprime as the Ethernet interface connected to the TFTP server. See LS1088ARDB/LS1088RDB-PB Ethernet port mapping for the mapping of Ethernet port names appearing on the chassis front panel with the port names in U-Boot and Linux. => setenv ethprime <name of interface connected to TFTP server> For example: => setenv ethprime DPMAC3@qsgmii => setenv ethact <name of interface connected to TFTP server> For example: => setenv ethact DPMAC3@qsgmii Set IP address of the board. You can set a static IP address or, if the board can connect to a dhcp server, you can use the dhcp command. Static IP address assignment: => setenv ipaddr <ipaddress2> => setenv netmask <subnet mask> Dynamic IP address assignment: => dhcp Save the settings. => saveenv Check the connection between the board and the TFTP server. => ping $serverip Using DPMAC3@qsgmii device host 192.168.1.1 is alive Load TF-A binaries from the TFTP server For details about the flash image layout for TF-A binaries, refer LSDK memory layout for TF-A boot flow. Flash bl2_sd.pbl: => tftp 82000000 bl2_sd.pbl => mmc write 82000000 8 <blk_cnt> Here, blk_cnt refers to number of blocks in SD card that need to be written as per the file size. For example, when you load bl2_sd.pbl from the TFTP server, if the bytes transferred is 82809 (14379 hex), then blk_cnt is calculated as 82809/512 = 161 (A1 hex). For this example, mmc write command will be: => mmc write 82000000 8 A1 Flash fip.bin: => tftp 82000000 fip.bin => mmc write 82000000 800 <blk_cnt> Here, blk_cnt refers to number of blocks in SD card that need to be written as per the file size. For example, when you load fip.bin from the TFTP server, if the bytes transferred is 1077157 (106fa5 hex), then blk_cnt is calculated as 1077157/512 = 2103 (837 hex). For this example, mmc write command will be: => mmc write 82000000 800 837 Boot from SD card: => qixis_reset sd LS1088ARDB-PB will boot with TF-A. In the boot log, you will see: NOTICE: UDIMM 18ASF1G72AZ-2G6B1 NOTICE: 8 GB DDR4, 64-bit, CL=15, ECC on, CS0+CS1 NOTICE: BL2: v1.5(release):LSDK-18.12 NOTICE: BL2: Built : 11:57:03, Dec 23 2018 NOTICE: BL31: v1.5(release):LSDK-18.12 NOTICE: BL31: Built : 15:21:44, Feb 11 2019 NOTICE: Welcome to LS1088 BL31 Phase For steps to deploy TF-A binaries in QSPI NOR flash, see LS1088ARDB-PB - How to deploy TF-A binaries in QSPI NOR flash
View full article