.. SPDX-License-Identifier: GPL-2.0+

.. sectionauthor:: Jan Kiszka <jan.kiszka@siemens.com>

SIMATIC IOT2050 BASIC and ADVANCED
==================================

The SIMATIC IOT2050 is an open industrial IoT gateway based on the TI
AM6528 GP (Basic variant) or the AM6548 HS (Advanced variant). The Advanced
variant is prepared for secure boot; the Basic variant is not.

The IOT2050 starts only from OSPI. It loads a Siemens-provided bootloader
called SE-Boot for the MCU domain (R5F cores), then hands over to ATF and
OP-TEE, before booting U-Boot on the A53 cores. This document describes how to
build all open artifacts into a flashable image for the OSPI flash. The flash
image will work on both variants.

Dependencies
------------

- ATF: Upstream release 2.4 or newer
- OP-TEE: Upstream release 3.10.0 or newer

Binary dependencies can be found in
https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/u-boot/files/prebuild.
The following binaries from that source need to be present in the build folder:

- seboot_pg1.bin
- seboot_pg2.bin

For building an image containing the OTP key provisioning data, the following
binary additionally needs to be present in the build folder:

- otpcmd.bin

For how to generate otpcmd.bin, refer to:
https://github.com/siemens/meta-iot2050/tree/master/recipes-bsp/secure-boot-otp-provisioning/files/make-otpcmd.sh

Note that OTP provisioning is one-time programming and cannot be undone. Only
flash an image that contains otpcmd.bin on a device that is meant to be bound
to the keys in that file.

Building
--------

Make sure that CROSS_COMPILE is set appropriately:

.. code-block:: text

    $ export CROSS_COMPILE=aarch64-linux-gnu-

ATF:

.. code-block:: text

    $ make PLAT=k3 SPD=opteed K3_USART=1

OP-TEE:

.. code-block:: text

    $ make PLATFORM=k3-am65x CFG_ARM64_core=y CFG_TEE_CORE_LOG_LEVEL=2 CFG_CONSOLE_UART=1 CFG_USER_TA_TARGETS="ta_arm64"

U-Boot:

.. code-block:: text

    $ export ATF=/path/to/bl31.bin
    $ export TEE=/path/to/tee-pager_v2.bin

    # configure for PG1
    $ make iot2050_pg1_defconfig

    # or configure for PG2
    $ make iot2050_pg2_defconfig

    $ make

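The dependency checks and the three build invocations above, wrapped into a
POSIX shell script that refuses to start the U-Boot build when a required input
is missing. This is an added example and not part of U-Boot or meta-iot2050.
``ATF_SRC``, ``OPTEE_SRC`` and ``UBOOT_SRC`` are hypothetical variables naming
the three source trees; the ``bl31.bin`` and ``tee-pager_v2.bin`` locations are
the default output paths of the respective build systems and are an assumption
you should adjust if you build with other options.

```shell
#!/bin/sh
# Added example, not part of the U-Boot or meta-iot2050 sources.
# Pre-flight checks and a driver for the IOT2050 build sequence.
# Assumed (hypothetical) variables: ATF_SRC, OPTEE_SRC, UBOOT_SRC.

# Return 0 if every input the U-Boot build needs is present, 1 otherwise.
# $1: U-Boot build folder, which must hold the Siemens prebuilt binaries.
iot2050_preflight() {
    dir=$1
    rc=0
    if [ -z "$CROSS_COMPILE" ]; then
        echo "preflight: CROSS_COMPILE is not set" >&2
        rc=1
    fi
    # Both SE-Boot binaries are required: one flash image serves PG1 and PG2.
    for f in seboot_pg1.bin seboot_pg2.bin; do
        if [ ! -s "$dir/$f" ]; then
            echo "preflight: missing $dir/$f" >&2
            rc=1
        fi
    done
    # otpcmd.bin is optional; warn because its presence makes the image
    # carry OTP key provisioning data.
    if [ -s "$dir/otpcmd.bin" ]; then
        echo "preflight: otpcmd.bin present, image will provision OTP keys" >&2
    fi
    # The U-Boot build consumes ATF and OP-TEE through these two variables.
    for v in ATF TEE; do
        eval "p=\"\${$v}\""
        if [ -z "$p" ] || [ ! -s "$p" ]; then
            echo "preflight: $v must point to an existing file (got '$p')" >&2
            rc=1
        fi
    done
    return $rc
}

# Map the product generation (pg1/pg2) to the documented defconfig name.
iot2050_defconfig() {
    case $1 in
        pg1) echo iot2050_pg1_defconfig ;;
        pg2) echo iot2050_pg2_defconfig ;;
        *) echo "unknown product generation: $1" >&2; return 1 ;;
    esac
}

# Run the documented build sequence for one product generation.
iot2050_build() {
    cfg=$(iot2050_defconfig "$1") || return 1
    ( cd "$ATF_SRC" && make PLAT=k3 SPD=opteed K3_USART=1 ) || return 1
    ( cd "$OPTEE_SRC" && make PLATFORM=k3-am65x CFG_ARM64_core=y \
        CFG_TEE_CORE_LOG_LEVEL=2 CFG_CONSOLE_UART=1 \
        CFG_USER_TA_TARGETS="ta_arm64" ) || return 1
    # Default output locations of the two builds (assumption, adjust if needed).
    export ATF="$ATF_SRC/build/k3/generic/release/bl31.bin"
    export TEE="$OPTEE_SRC/out/arm-plat-k3/core/tee-pager_v2.bin"
    iot2050_preflight "$UBOOT_SRC" || return 1
    ( cd "$UBOOT_SRC" && make "$cfg" && make ) || return 1
}

# Only build when a product generation is given on the command line, so the
# file can also be sourced to use the functions individually.
case "${1:-}" in
    pg1|pg2) iot2050_build "$1" ;;
esac
```

Run it as ``sh build-iot2050.sh pg2`` with the three source-tree variables and
``CROSS_COMPILE`` exported, or source it and call ``iot2050_preflight`` on an
existing build folder before typing ``make`` by hand.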
Flashing
--------

Via U-Boot:

.. code-block:: text

    IOT2050> sf probe
    IOT2050> load mmc 0:1 $loadaddr /path/to/flash.bin
    IOT2050> sf update $loadaddr 0x0 $filesize

Via external programmer Dediprog SF100 or SF600:

.. code-block:: text

    $ dpcmd --vcc 2 -v -u flash.bin

Signing (optional)
------------------

To enable verified boot for the firmware artifacts after the Siemens-managed
first-stage loader (seboot_pg*.bin), the following steps need to be taken
before and after the build. Note that seboot_pg*.bin itself sits outside this
chain; whether it is authenticated depends on the device variant and its OTP
provisioning.

Generate dtsi holding the public key
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. code-block:: text

    tools/key2dtsi.py -c -s key.pem public-key.dtsi

This will be used to embed the public key into U-Boot SPL and main so that each
step can validate signatures of the succeeding one. Keep key.pem private:
anyone holding it can produce firmware that these stages accept.

Adjust U-Boot configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^

Enable at least the following options in U-Boot:

.. code-block:: text

    CONFIG_SPL_FIT_SIGNATURE=y
    CONFIG_DEVICE_TREE_INCLUDES="/path/to/public-key.dtsi"
    CONFIG_RSA=y

Note that more configuration changes are needed in order to lock down the
command line and the boot process of U-Boot for secure scenarios. These are
not in scope here.

Build U-Boot
^^^^^^^^^^^^

See the related section above.

Sign flash.bin
^^^^^^^^^^^^^^

In the build folder still containing the artifacts from the build step, invoke:

.. code-block:: text

    tools/iot2050-sign-fw.sh /path/to/key.pem

Flash signed flash.bin
^^^^^^^^^^^^^^^^^^^^^^

The signing happens in place in flash.bin, so flash it using the procedure
described above.
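A POSIX shell helper for the signing steps above: it audits the U-Boot
``.config`` for the three required options (and checks that the dtsi named in
``CONFIG_DEVICE_TREE_INCLUDES`` really exists, since an unset or dangling
include silently produces a build without the key), and after the build it
runs the documented signing script and confirms that ``flash.bin`` was changed
in place. This is an added example, not code from U-Boot or meta-iot2050. It
assumes ``sha256sum`` is available and that ``tools/iot2050-sign-fw.sh`` is
invoked exactly as the page documents.

```shell
#!/bin/sh
# Added example, not part of U-Boot or meta-iot2050.
# Audit the signing-related U-Boot configuration, then sign and check flash.bin.
# Assumption: sha256sum is available on the build host.

# Print the value of a CONFIG_ option from a .config file ("" if unset).
# $1: path to .config, $2: option name
config_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Verify the options the Signing section requires.
# $1: path to .config
# Returns 0 when all are in place, 1 otherwise, listing each problem on stderr.
audit_signing_config() {
    cfg=$1
    rc=0
    for opt in CONFIG_SPL_FIT_SIGNATURE CONFIG_RSA; do
        if [ "$(config_value "$cfg" "$opt")" != y ]; then
            echo "audit: $opt=y is required" >&2
            rc=1
        fi
    done
    # CONFIG_DEVICE_TREE_INCLUDES is a quoted, space-separated list of dtsi
    # files; strip the quotes and insist that every file exists.
    inc=$(config_value "$cfg" CONFIG_DEVICE_TREE_INCLUDES | sed 's/^"//; s/"$//')
    if [ -z "$inc" ]; then
        echo "audit: CONFIG_DEVICE_TREE_INCLUDES must name the public-key dtsi" >&2
        rc=1
    else
        for f in $inc; do
            if [ ! -s "$f" ]; then
                echo "audit: included dtsi $f does not exist" >&2
                rc=1
            fi
        done
    fi
    return $rc
}

# Sign flash.bin in the current build folder and prove that the image changed.
# $1: path to key.pem
sign_and_check() {
    before=$(sha256sum flash.bin | cut -d' ' -f1) || return 1
    tools/iot2050-sign-fw.sh "$1" || return 1
    after=$(sha256sum flash.bin | cut -d' ' -f1) || return 1
    if [ "$before" = "$after" ]; then
        echo "sign: flash.bin is unchanged, signing did not take effect" >&2
        return 1
    fi
    echo "sign: flash.bin $before -> $after"
}
```

Source the file in the U-Boot tree, run ``audit_signing_config .config``
between the defconfig step and ``make``, and ``sign_and_check /path/to/key.pem``
once the build has produced ``flash.bin``; the printed hash of the signed image
is what you should see again when you read the flash back after programming.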