The STM32MP ROM provides several service. One of them is the ability
to verify ecdsa256 signatures. Hook the ROM API into the ECDSA uclass.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
The function board_get_usable_ram_top can be called after relocation
with total_size = 0 to get the uppermost pointer that is valid to access
in U-Boot.
When total_size = 0, the reserved memory should be not take in account
with lmb library and 'gd->ram_base + gd->ram_size' can be used.
It is the case today in lib/efi_loader/efi_memory.c:efi_add_known_memory()
and this patch avoids that the reserved memory for OP-TEE is not part of
the EFI available memory regions.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The MTD tee partitions used to save the OP-TEE binary are needed when
TF-A doesn't use the FIP container to load binaries.
This patch puts under CONFIG_STM32MP15x_STM32IMAGE flag the associated
code in U-Boot binary and prepare the code cleanup when
CONFIG_STM32MP15x_STM32IMAGE support will be removed after TF-A migration
to FIP support.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
With FIP support in TF-A (when CONFIG_STM32MP15x_STM32IMAGE
is not activated), the DT nodes needed by OP-TEE are added by OP-TEE
firmware in U-Boot device tree, present in FIP.
These nodes are only required in trusted boot, when TF-A load the file
u-boot.stm32, including the U-Boot device tree with STM32IMAGE header,
in this case OP-TEE can't update the U-Boot device tree.
Moreover in trusted boot mode with FIP, as the OP-TEE nodes are present
in U-Boot device tree only when needed the function
stm32_fdt_disable_optee can be removed.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
By default for trusted boot with TF-A, U-Boot (u-boot-nodtb)
is located in FIP container with its device tree and with
the secure monitor (provided by TF-A or OP-TEE).
The FIP file is loaded by TF-A BL2 and each components is
extracted at the final location.
This patch add CONFIG_STM32MP15x_STM32IMAGE to request the
STM32 image generation for SOC STM32MP15x
when FIP container is not used (u-boot.stm32 is loaded by TF-A
as done previously to keep the backward compatibility).
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
It is a pain to have to specify the value 10 in each call. Add a new
dectoul() function and update the code to use it.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is a pain to have to specify the value 16 in each call. Add a new
hextoul() function and update the code to use it.
Add a proper comment to simple_strtoul() while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
OP-TEE is very particular about how the TZC should be configured.
When booting an OP-TEE payload, an incorrect TZC configuration will
result in a panic.
Most information can be derived from the SPL devicetree. The only
information we don't have is the split between TZDRAM and shared
memory. This has to be hardcoded. The rest of the configuration is
fairly easy, and only requires 3 TZC regions. Configure them.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The purpose of this change is to allow configuring TrustZone (TZC)
memory permissions. For example, OP-TEE expects TZC regions to be
configured in a very particular way. The API presented here is
intended to allow exactly that.
UCLASS support is not implemented, because it would not be too useful.
Changing TZC permissions needs to be done with care, so as not to cut
off access to memory we are currently using. One place where we can
use this is at the end of SPL, right before jumping to OP-TEE.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
When the TAMP register 20 have an invalid value (0x0 for example after
TAMPER error) the "boot_device" U-Boot env variable have no value and
no error is displayed in U-Boot log.
The STM32MP boot command bootcmd_stm32mp failed with strange trace:
"Boot over !"
and the next command in bootcmd_stm32mp failed with few indication:
if test ${boot_device} = serial || test ${boot_device} = usb;
then stm32prog ${boot_device} ${boot_instance};
As it is difficult to investigate, the current patch avoids this issue:
- change the debug message to error: "unexpected boot mode" is displayed
- display trace "Boot over invalid!" in bootcmd_stm32mp
- execute "run distro_bootcmd" to try all the possible target
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use the device sequence number in boot_instance variable
and no more the SDMMC instance provided by ROM code/TF-A.
After this patch we don't need to define the mmc alias in
device tree, for example:
mmc0 = &sdmmc1;
mmc1 = &sdmmc2;
mmc2 = &sdmmc3;
to have a correct mapping between the ROM code boot device =
"${boot_device}${boot_instance}" and the MMC device in U-Boot.
With this patch the 'mmc0' device (used in mmc commands) is
always used when only one instance sdmmc is activated in device
tree, even if it is only the sdmmc2 or sdmmc3.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use the existing defines PMIC_SIZE and OTP_SIZE and a new define
CMD_SIZE for virtual partition size.
This patch corrects the size for OTP partition in alternate name
(1024 instead of 512) and avoids other alignment issues.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Enable the clocks during syscon probe when they are present in device tree.
This patch avoids a freeze when the SYSCFG clock is not enabled by
TF-A / OP-TEE.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The expected sequence to close the device
1/ Load key in DDR with any supported load command
2/ Update OTP with key: STM32MP> stm32key read <addr>
At this point the device is able to perform image authentication but
non-authenticated images can still be used and executed.
So it is the last moment to test boot with signed binary and
check that the ROM code accepts them.
3/ Close the device: only signed binary will be accepted !!
STM32MP> stm32key close
Warning: Programming these OTP is an irreversible operation!
This may brick your system if the HASH of key is invalid
This command should be deactivated by default in real product.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Allow to read the OTP value and lock status with the command
$> stm32key read.
This patch also protects the stm32key fuse command.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add a helper function to access to BSEC misc driver.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Lock the OTP value of key's hash after the command
$> stm32key fuse <address>
This operation forbids a second update of these OTP as they are
ECC protected in BSEC: any update of these OTP with a different value
causes a BSEC disturb error and the closed chip will be bricked.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Simplify parsing the command argument by using
the macro U_BOOT_CMD_WITH_SUBCMDS.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This command is used to evaluate the secure boot on stm32mp SOC,
it is deactivated by default in real products.
We activate this command only in STMicroelectronics defconfig
used with the evaluation boards.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reduce the content of short help message for stm32prog command and
removed the carriage return to fix the display of 'help' command when
this command is activated.
Fixes: 954bd1a923 ("stm32mp: add the command stm32prog")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Move the message "Invalid or missing layout file."
to debug level as it is a normal behavior and not an error
and add the missing '\n'.
This patch avoids the strange trace :
Boot over usb0!
Invalid or missing layout file.DFU alt info setting: done
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use get_cpu_dev() in uart getID command and remove the defines
DEVICE_ID_BYTE1 and 2 defines.
This patch prepare the support for new SOC family.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Correctly handle number of alternate when DM_PMIC is not activated.
This patch remove the last UNKNOWN partition in this case.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Acked-by: Jaehoon Chung <jh80.chung@samsung.com>
Handle the second USB enumeration only when the flashlayout is received
and when phase is PHASE_FLASHLAYOUT. This patch removes the call of
stm32prog_next_phase as it is already done in stm32prog_dfu_init().
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
When CONFIG_FIT_SIGNATURE is activated, CONFIG_LEGACY_IMAGE_FORMAT
is deactivated and the define IMAGE_FORMAT_LEGACY don't exist with
include/image.h:
#if defined(CONFIG_LEGACY_IMAGE_FORMAT)
#define IMAGE_FORMAT_LEGACY 0x01 /* legacy image_header based format */
#endif
This patch adds the needed check on compilation flag
CONFIG_LEGACY_IMAGE_FORMAT to avoid the compilation error
for command stm32prog:
cmd_stm32prog.c:81:8: error: ‘IMAGE_FORMAT_LEGACY’ undeclared
(first use in this function); did you mean ‘IMAGE_FORMAT_FIT’?
81 | if (IMAGE_FORMAT_LEGACY ==
| ^~~~~~~~~~~~~~~~~~~
| IMAGE_FORMAT_FIT
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add the support in command stm32prog of kernel load and start
with initrd file, identify by the partition Type "Binary" in
the flashlayout.tsv, for example:
- 0x01 fsbl Binary none 0x0 tfa.stm32
- 0x03 fip Binary none 0x0 fip.bin
P 0x10 kernel System ram0 0xC2000000 uImage.bin
P 0x11 dtb FileSystem ram0 0xC4000000 board.dtb
P 0x12 initrd Binary ram0 0xC4400000 <initrd>
The <initrd> file can be a legacy image "uInitrd", generated
with mkimage, or a RAW initrd image "initrd.gz".
After a DFU detach the bootm command with be executed
with the associated address, for example:
$> bootm 0xC2000000 0xC4400000:<size> 0xC4000000
When the "Binary" partition type is absent, the 'bootm'
command starts the kernel without ramdisk, for example:
$> bootm 0xC2000000 - 0xC4000000
With this paths, it is no more mandatory to generate FIT
including the kernel, DT and initrd:
- 0x01 fsbl Binary none 0x0 tfa.stm32
- 0x03 fip Binary none 0x0 fip.bin
P 0x10 fit System ram0 0xC2000000 fit.bin
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Handle timeout in stm32prog_serial_get_buffer to sent NACK
to STM32CubeProgrammer when the buffer is not fully received.
This patch avoids to reach the STM32CubeProgrammer timeout and
the associated unrecoverable error.
Timeout error occurred while waiting for acknowledgment.
Error: Write Operation fails at packet number 4165 at address 0x1044FF
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This patch removes the header check for UART download;
the check of checksum is not mandatory with even parity and chuck
checksum for each 256 received bytes and it is only done for
STM32 image (FSBL = TF-A BL2), not for FIT image.
This patch solve issue of duplicated 0x100 byte written with FIP header.
Fixes: 4fb7b3e108 ("stm32mp: stm32prog: add FIP header support")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
No more map the reserved region with "no-map" property by marking
the corresponding TLB entries with invalid entry (=0) to avoid
speculative access.
The device tree parsing done in lmb_init_and_reserve() takes a
long time when it is executed without data cache, so it is called in
enable_caches() before to disable it.
This patch fixes an issue where predictive read access on secure DDR
OP-TEE reserved area are caught by firewall.
Series-cc: marex
Series-cc: pch
Series-cc: marek.bykowski@gmail.com
Series-cc: Ard Biesheuvel <ardb@kernel.org>
Series-cc: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Add 8M for the U-Boot reserved memory (display, fdt, gd, ...)
mapped cacheable before relocation.
Without this patch the device tree, located before the MALLOC area
is not tagged cacheable just after relocation, before mmu reconfiguration.
This patch reduces the duration for device tree parsing in
lmb_init_and_reserve.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Add Engicam i.Core STM32MP1 SoM
Add FIP header support for STM32programmer
Update uart number when no serial device found for STM32MP1
Remove board_check_usb_power function when ADC flag is not set
Update SPL size limitation for STM32MP1
Set soc_type, soc_pkg, soc_rev env variables for STM32MP1
-----BEGIN PGP SIGNATURE-----
iQJQBAABCgA6FiEEXyrViUccKBz9c35Jysd4L3sz/6YFAmBwTr0cHHBhdHJpY2Uu
Y2hvdGFyZEBmb3NzLnN0LmNvbQAKCRDKx3gvezP/plSwD/9SAhxTYqAblFZqZmJj
Lu+F5fwuXXd8S5LwqNeIKULv+UhJngClkE4HdjSl6T0yR10v6YkPNRDVj4+1gzBd
wZizmCsnqqDW0QGsTO5AVo+oTwhX4RHkvxEF7BjOqtVuoMZGiozE53+29QORHTnZ
+j8CYAeORf9wvGAi5y+Wr8ICqP6HwPJPNlta4S8iYC867BM38R9evBqynlaZaWPE
8FhaXwbAj9ZR9ifCiO+7ObgfXGDT63ejCecjE+539m3FWlBrn+/AWLsg4zF037Dw
DcV324pnVFP4AIOVsuc9hF7luAYctoXQcNHt1QbD3gmWqPQAgpH8Llfq5cMyudza
/m/112Y7fuLxO3F14DzZSj5l3ims0XG56Yg7zBwN6exDPr3iWA4UwTSH9lRJDnBq
aJyvLfAFAvz+X15oePjrQrVp7c+6MigeY2nmhVCWV53Yrl+/TnnekQXlHJ3TsHED
bPW5/LarLge18uACTZvLzYruIvDSU3INPP1W0vUu7YMDwuEp21K1GSspN7yA0yDK
nrWXxmYJGVWanAEvW//zuuqUhxtNjAb/qIQl0UgjFN9cDT5vJZ7oY3nWOwP+0V2a
o+qrRxBTWSVliOShYpfjyHRsASRna2QLLUNQaBeoUqZBKNnFvuw4LZzmqNvV+Idj
+XWRCiSDJnf1zRrMwFLvZZ+UTQ==
=4VxR
-----END PGP SIGNATURE-----
Merge tag 'u-boot-stm32-20210409' of https://source.denx.de/u-boot/custodians/u-boot-stm
Add rt-thread art-pi board support based on STM32H750 SoC
Add Engicam i.Core STM32MP1 SoM
Add FIP header support for STM32programmer
Update uart number when no serial device found for STM32MP1
Remove board_check_usb_power function when ADC flag is not set
Update SPL size limitation for STM32MP1
Set soc_type, soc_pkg, soc_rev env variables for STM32MP1
Split up get_soc_name(), clean the decoding up a bit, and set up
environment variables which contain the SoC type, package, revision.
This is useful on SoMs, where multiple SoC options are populated.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Patrick Delaunay <patrick.delaunay@st.com>
Cc: Patrice Chotard <patrice.chotard@st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Replace the remaining printf in setup_boot_mode() by log macro
to handle filtering for log features.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Align the uart number in the trace of setup_boot_mode() with the name of
the uart/usart device (start at 1) and not with the instance value
(start at 0), i.e. the serial device sequence number and the index in
serial_addr[].
Fixes: f49eb16c17 ("stm32mp: stm32prog: replace alias by serial
device sequence number")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add support of TF-A FIP header in command stm32prog for all the boot
partition and not only the STM32IMAGE.
This patch is a preliminary patch to support FIP as second boot stage
after TF-A BL2 when CONFIG_TFABOOT is activated for trusted boot chain.
The FIP is archive binary loaded by TF-A BL2, which contains the secure OS
= OP-TEE and the non secure firmware and device tree = U-Boot.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
7" OF is a capacitive touch 7" Open Frame panel solutions with
- 7" AUO B101AW03 LVDS panel
- EDT, FT5526 Touch
MicroGEA STM32MP1 is a STM32MP157A based Micro SoM.
MicroDev 2.0 is a general purpose miniature carrier board with CAN,
LTE and LVDS panel interfaces.
MicroGEA STM32MP1 needs to mount on top of MicroDev 2.0 board with
pluged 7" OF for creating complete MicroGEA STM32MP1 MicroDev 2.0
7" Open Frame Solution board.
Linux dts commit details:
commit <1d278204cbaa> ("ARM: dts: stm32: Add Engicam MicroGEA STM32MP1
MicroDev 2.0 7" OF")
Add support for it.
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
MicroDev 2.0 is a general purpose miniature carrier board with CAN,
LTE and LVDS panel interfaces.
Genaral features:
- Ethernet 10/100
- USB Type A
- Audio Out
- microSD
- LVDS panel connector
- Wifi/BT (option)
- UMTS LTE with sim connector (option)
MicroGEA STM32MP1 is a STM32MP157A based Micro SoM.
MicroGEA STM32MP1 needs to mount on top of this MicroDev 2.0 board
for creating complete MicroGEA STM32MP1 MicroDev 2.0 Carrier board.
Linux dts commit details:
commit <f838dae7afd0> ("ARM: dts: stm32: Add Engicam MicroGEA STM32MP1
MicroDev 2.0 board")
Add support for it.
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Engicam C.TOUCH 2.0 is an EDIMM compliant general purpose Carrier
board.
Genaral features:
- Ethernet 10/100
- Wifi/BT
- USB Type A/OTG
- Audio Out
- CAN
- LVDS panel connector
i.Core STM32MP1 is an EDIMM SoM based on STM32MP157A from Engicam.
i.Core STM32MP1 needs to mount on top of this Carrier board for
creating complete i.Core STM32MP1 C.TOUCH 2.0 board.
Linux dts commit details:
commit <6ca2898df59f> ("ARM: dts: stm32: Add Engicam i.Core STM32MP1
C.TOUCH 2.0")
Add support for it.
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Engicam EDIMM2.2 Starter Kit is an EDIMM 2.2 Form Factor Capacitive
Evaluation Board.
Genaral features:
- LCD 7" C.Touch
- microSD slot
- Ethernet 1Gb
- Wifi/BT
- 2x LVDS Full HD interfaces
- 3x USB 2.0
- 1x USB 3.0
- HDMI Out
- Mini PCIe
- MIPI CSI
- 2x CAN
- Audio Out
i.Core STM32MP1 is an EDIMM SoM based on STM32MP157A from Engicam.
i.Core STM32MP1 needs to mount on top of this Evaluation board for
creating complete i.Core STM32MP1 EDIMM2.2 Starter Kit.
Linux dts commit details:
commit <adc0496104b6> ("ARM: dts: stm32: Add Engicam i.Core STM32MP1
EDIMM2.2 Starter Kit")
Add support for it.
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
SPI Load isn't mandatory for STM32 builds.
Let's imply instead of select it to get rid of build
issues for non-SPI defconfigs.
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Fix following compilation issue when SYS_DCACHE_OFF and/or SYS_DCACHE_SYS
are enabled :
arch/arm/mach-stm32mp/cpu.c: In function ‘early_enable_caches’:
arch/arm/mach-stm32mp/cpu.c:223:10: error: ‘volatile struct arch_global_data’ has no member named ‘tlb_size’
223 | gd->arch.tlb_size = PGTABLE_SIZE;
| ^
arch/arm/mach-stm32mp/cpu.c:224:10: error: ‘volatile struct arch_global_data’ has no member named ‘tlb_addr’
224 | gd->arch.tlb_addr = (unsigned long)&early_tlb;
| ^
Signed-off-by: Patrice Chotard <patrice.chotard@st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Enable the clocks during bsec probe when they are present in device tree.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The command "stm32prog serial <dev>" can directly use the device sequence
number of serial uclass as this sequence number is egual to alias when it
exist; this assumption simplify the code and avoid access to gd->fdt_blob
and the device tree parsing.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
When serial instance is not found in device tree, the console
should be enabled and the error should be indicated.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>