Currently the upper OTP (after 57) are shadowed in U-Boot proper,
when TFABOOT is not used.
This choice cause an issue when U-Boot is not executed after SPL,
so this BSEC initialization is moved in SPL and no more executed in U-Boot,
so it is still executed only one time.
After this patch this BSEC initialization is done in FSBL: SPL or TF-A.
To force this initialization in all the case, the probe of the BSEC
driver is forced in SPL in the arch st32mp function: spl_board_init().
Even if today BSEC driver is already probed in STM32MP15x clock driver
clk_stm32mp1.c because get_cpu_type() is called in
stm32mp1_get_max_opp_freq() function.
Reported-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
The stm32 gpio driver private data are not needed in arch include files,
they are not used by code except for stm32 gpio and pincontrol drivers,
using the same IP; the defines for this IP is moved in a new file
"stm32_gpio_priv.h" in driver/gpio.
This patch avoids to have duplicated file gpio.h for each SOC
in MPU directory mach-stm32mp and in each MCU directory arch-stm32*
and allows to remove CONFIG_GPIO_EXTRA_HEADER for all STM32.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use binman to add the stm32image header on SPL binary for basic boot
or on U-Boot binary when it is required, i.e. for TF-A boot without FIP
support, when CONFIG_STM32MP15x_STM32IMAGE is activated.
The "binman" tool is the recommended tool for specific image generation.
This patch allows to suppress the config.mk file and it is a preliminary
step to manage FIT generation with binman.
The init_r parsing of U-Boot device tree to search the binman
information is not required for STM32MP15, so the binman library
can be removed in U-Boot (CONFIG_BINMAN_FDT is deactivated).
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The missing trailing newline could confuse check-config.sh if the
definition of an option was on the first line of the next file that
find(1) happened to return.
Signed-off-by: William Grant <wgrant@ubuntu.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
OF_HOSTFILE is used on sandbox configs only. Although it's pretty
unique and not causing any confusions, we are better of having simpler
config options for the DTB.
So let's replace that with the existing OF_BOARD. U-Boot would then
have only three config options for the DTB origin.
- OF_SEPARATE, build separately from U-Boot
- OF_BOARD, board specific way of providing the DTB
- OF_EMBED embedded in the u-boot binary(should not be used in production
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add stub for tee_find_device function when CONFIG_TEE is not activated
to simplify the caller code.
This patch allows to remove the CONFIG_IS_ENABLED(OPTEE) tests
for stm32 platform.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Acked-by: Etienne Carriere <etienne.carriere@inaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
When booting in EFI, lib/efi_loader/efi_memory.c calls
board_get_usable_ram_top(0) which returns by default
gd->ram_base + gd->ram_size which is the top of DDR.
In case of OPTEE boot, the top of DDR is currently reserved by OPTEE,
board_get_usable_ram_top(0) must return an address outside OPTEE
reserved memory.
gd->ram_top matches this constraint as it has already been initialized
by substracting all DT reserved-memory (included OPTEE memory area).
Fixes: 92b611e8b0 ("stm32mp: correctly handle board_get_usable_ram_top(0)")
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
default n/no doesn't need to be specified. It is default option anyway.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
[trini: Rework FSP_USE_UPD portion]
Signed-off-by: Tom Rini <trini@konsulko.com>
The STM32MP ROM provides several service. One of them is the ability
to verify ecdsa256 signatures. Hook the ROM API into the ECDSA uclass.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
The function board_get_usable_ram_top can be called after relocation
with total_size = 0 to get the uppermost pointer that is valid to access
in U-Boot.
When total_size = 0, the reserved memory should be not take in account
with lmb library and 'gd->ram_base + gd->ram_size' can be used.
It is the case today in lib/efi_loader/efi_memory.c:efi_add_known_memory()
and this patch avoids that the reserved memory for OP-TEE is not part of
the EFI available memory regions.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The MTD tee partitions used to save the OP-TEE binary are needed when
TF-A doesn't use the FIP container to load binaries.
This patch puts under CONFIG_STM32MP15x_STM32IMAGE flag the associated
code in U-Boot binary and prepare the code cleanup when
CONFIG_STM32MP15x_STM32IMAGE support will be removed after TF-A migration
to FIP support.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
With FIP support in TF-A (when CONFIG_STM32MP15x_STM32IMAGE
is not activated), the DT nodes needed by OP-TEE are added by OP-TEE
firmware in U-Boot device tree, present in FIP.
These nodes are only required in trusted boot, when TF-A load the file
u-boot.stm32, including the U-Boot device tree with STM32IMAGE header,
in this case OP-TEE can't update the U-Boot device tree.
Moreover in trusted boot mode with FIP, as the OP-TEE nodes are present
in U-Boot device tree only when needed the function
stm32_fdt_disable_optee can be removed.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
By default for trusted boot with TF-A, U-Boot (u-boot-nodtb)
is located in FIP container with its device tree and with
the secure monitor (provided by TF-A or OP-TEE).
The FIP file is loaded by TF-A BL2 and each components is
extracted at the final location.
This patch add CONFIG_STM32MP15x_STM32IMAGE to request the
STM32 image generation for SOC STM32MP15x
when FIP container is not used (u-boot.stm32 is loaded by TF-A
as done previously to keep the backward compatibility).
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
It is a pain to have to specify the value 10 in each call. Add a new
dectoul() function and update the code to use it.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is a pain to have to specify the value 16 in each call. Add a new
hextoul() function and update the code to use it.
Add a proper comment to simple_strtoul() while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
OP-TEE is very particular about how the TZC should be configured.
When booting an OP-TEE payload, an incorrect TZC configuration will
result in a panic.
Most information can be derived from the SPL devicetree. The only
information we don't have is the split between TZDRAM and shared
memory. This has to be hardcoded. The rest of the configuration is
fairly easy, and only requires 3 TZC regions. Configure them.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
The purpose of this change is to allow configuring TrustZone (TZC)
memory permissions. For example, OP-TEE expects TZC regions to be
configured in a very particular way. The API presented here is
intended to allow exactly that.
UCLASS support is not implemented, because it would not be too useful.
Changing TZC permissions needs to be done with care, so as not to cut
off access to memory we are currently using. One place where we can
use this is at the end of SPL, right before jumping to OP-TEE.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
When the TAMP register 20 have an invalid value (0x0 for example after
TAMPER error) the "boot_device" U-Boot env variable have no value and
no error is displayed in U-Boot log.
The STM32MP boot command bootcmd_stm32mp failed with strange trace:
"Boot over !"
and the next command in bootcmd_stm32mp failed with few indication:
if test ${boot_device} = serial || test ${boot_device} = usb;
then stm32prog ${boot_device} ${boot_instance};
As it is difficult to investigate, the current patch avoids this issue:
- change the debug message to error: "unexpected boot mode" is displayed
- display trace "Boot over invalid!" in bootcmd_stm32mp
- execute "run distro_bootcmd" to try all the possible target
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use the device sequence number in boot_instance variable
and no more the SDMMC instance provided by ROM code/TF-A.
After this patch we don't need to define the mmc alias in
device tree, for example:
mmc0 = &sdmmc1;
mmc1 = &sdmmc2;
mmc2 = &sdmmc3;
to have a correct mapping between the ROM code boot device =
"${boot_device}${boot_instance}" and the MMC device in U-Boot.
With this patch the 'mmc0' device (used in mmc commands) is
always used when only one instance sdmmc is activated in device
tree, even if it is only the sdmmc2 or sdmmc3.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use the existing defines PMIC_SIZE and OTP_SIZE and a new define
CMD_SIZE for virtual partition size.
This patch corrects the size for OTP partition in alternate name
(1024 instead of 512) and avoids other alignment issues.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Enable the clocks during syscon probe when they are present in device tree.
This patch avoids a freeze when the SYSCFG clock is not enabled by
TF-A / OP-TEE.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The expected sequence to close the device
1/ Load key in DDR with any supported load command
2/ Update OTP with key: STM32MP> stm32key read <addr>
At this point the device is able to perform image authentication but
non-authenticated images can still be used and executed.
So it is the last moment to test boot with signed binary and
check that the ROM code accepts them.
3/ Close the device: only signed binary will be accepted !!
STM32MP> stm32key close
Warning: Programming these OTP is an irreversible operation!
This may brick your system if the HASH of key is invalid
This command should be deactivated by default in real product.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Allow to read the OTP value and lock status with the command
$> stm32key read.
This patch also protects the stm32key fuse command.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add a helper function to access to BSEC misc driver.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Lock the OTP value of key's hash after the command
$> stm32key fuse <address>
This operation forbids a second update of these OTP as they are
ECC protected in BSEC: any update of these OTP with a different value
causes a BSEC disturb error and the closed chip will be bricked.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Simplify parsing the command argument by using
the macro U_BOOT_CMD_WITH_SUBCMDS.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This command is used to evaluate the secure boot on stm32mp SOC,
it is deactivated by default in real products.
We activate this command only in STMicroelectronics defconfig
used with the evaluation boards.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reduce the content of short help message for stm32prog command and
removed the carriage return to fix the display of 'help' command when
this command is activated.
Fixes: 954bd1a923 ("stm32mp: add the command stm32prog")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Move the message "Invalid or missing layout file."
to debug level as it is a normal behavior and not an error
and add the missing '\n'.
This patch avoids the strange trace :
Boot over usb0!
Invalid or missing layout file.DFU alt info setting: done
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use get_cpu_dev() in uart getID command and remove the defines
DEVICE_ID_BYTE1 and 2 defines.
This patch prepare the support for new SOC family.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Correctly handle number of alternate when DM_PMIC is not activated.
This patch remove the last UNKNOWN partition in this case.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Acked-by: Jaehoon Chung <jh80.chung@samsung.com>
Handle the second USB enumeration only when the flashlayout is received
and when phase is PHASE_FLASHLAYOUT. This patch removes the call of
stm32prog_next_phase as it is already done in stm32prog_dfu_init().
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
When CONFIG_FIT_SIGNATURE is activated, CONFIG_LEGACY_IMAGE_FORMAT
is deactivated and the define IMAGE_FORMAT_LEGACY don't exist with
include/image.h:
#if defined(CONFIG_LEGACY_IMAGE_FORMAT)
#define IMAGE_FORMAT_LEGACY 0x01 /* legacy image_header based format */
#endif
This patch adds the needed check on compilation flag
CONFIG_LEGACY_IMAGE_FORMAT to avoid the compilation error
for command stm32prog:
cmd_stm32prog.c:81:8: error: ‘IMAGE_FORMAT_LEGACY’ undeclared
(first use in this function); did you mean ‘IMAGE_FORMAT_FIT’?
81 | if (IMAGE_FORMAT_LEGACY ==
| ^~~~~~~~~~~~~~~~~~~
| IMAGE_FORMAT_FIT
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add the support in command stm32prog of kernel load and start
with initrd file, identify by the partition Type "Binary" in
the flashlayout.tsv, for example:
- 0x01 fsbl Binary none 0x0 tfa.stm32
- 0x03 fip Binary none 0x0 fip.bin
P 0x10 kernel System ram0 0xC2000000 uImage.bin
P 0x11 dtb FileSystem ram0 0xC4000000 board.dtb
P 0x12 initrd Binary ram0 0xC4400000 <initrd>
The <initrd> file can be a legacy image "uInitrd", generated
with mkimage, or a RAW initrd image "initrd.gz".
After a DFU detach the bootm command with be executed
with the associated address, for example:
$> bootm 0xC2000000 0xC4400000:<size> 0xC4000000
When the "Binary" partition type is absent, the 'bootm'
command starts the kernel without ramdisk, for example:
$> bootm 0xC2000000 - 0xC4000000
With this paths, it is no more mandatory to generate FIT
including the kernel, DT and initrd:
- 0x01 fsbl Binary none 0x0 tfa.stm32
- 0x03 fip Binary none 0x0 fip.bin
P 0x10 fit System ram0 0xC2000000 fit.bin
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Handle timeout in stm32prog_serial_get_buffer to sent NACK
to STM32CubeProgrammer when the buffer is not fully received.
This patch avoids to reach the STM32CubeProgrammer timeout and
the associated unrecoverable error.
Timeout error occurred while waiting for acknowledgment.
Error: Write Operation fails at packet number 4165 at address 0x1044FF
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This patch removes the header check for UART download;
the check of checksum is not mandatory with even parity and chuck
checksum for each 256 received bytes and it is only done for
STM32 image (FSBL = TF-A BL2), not for FIT image.
This patch solve issue of duplicated 0x100 byte written with FIP header.
Fixes: 4fb7b3e108 ("stm32mp: stm32prog: add FIP header support")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
No more map the reserved region with "no-map" property by marking
the corresponding TLB entries with invalid entry (=0) to avoid
speculative access.
The device tree parsing done in lmb_init_and_reserve() takes a
long time when it is executed without data cache, so it is called in
enable_caches() before to disable it.
This patch fixes an issue where predictive read access on secure DDR
OP-TEE reserved area are caught by firewall.
Series-cc: marex
Series-cc: pch
Series-cc: marek.bykowski@gmail.com
Series-cc: Ard Biesheuvel <ardb@kernel.org>
Series-cc: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Add 8M for the U-Boot reserved memory (display, fdt, gd, ...)
mapped cacheable before relocation.
Without this patch the device tree, located before the MALLOC area
is not tagged cacheable just after relocation, before mmu reconfiguration.
This patch reduces the duration for device tree parsing in
lmb_init_and_reserve.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Add Engicam i.Core STM32MP1 SoM
Add FIP header support for STM32programmer
Update uart number when no serial device found for STM32MP1
Remove board_check_usb_power function when ADC flag is not set
Update SPL size limitation for STM32MP1
Set soc_type, soc_pkg, soc_rev env variables for STM32MP1
-----BEGIN PGP SIGNATURE-----
iQJQBAABCgA6FiEEXyrViUccKBz9c35Jysd4L3sz/6YFAmBwTr0cHHBhdHJpY2Uu
Y2hvdGFyZEBmb3NzLnN0LmNvbQAKCRDKx3gvezP/plSwD/9SAhxTYqAblFZqZmJj
Lu+F5fwuXXd8S5LwqNeIKULv+UhJngClkE4HdjSl6T0yR10v6YkPNRDVj4+1gzBd
wZizmCsnqqDW0QGsTO5AVo+oTwhX4RHkvxEF7BjOqtVuoMZGiozE53+29QORHTnZ
+j8CYAeORf9wvGAi5y+Wr8ICqP6HwPJPNlta4S8iYC867BM38R9evBqynlaZaWPE
8FhaXwbAj9ZR9ifCiO+7ObgfXGDT63ejCecjE+539m3FWlBrn+/AWLsg4zF037Dw
DcV324pnVFP4AIOVsuc9hF7luAYctoXQcNHt1QbD3gmWqPQAgpH8Llfq5cMyudza
/m/112Y7fuLxO3F14DzZSj5l3ims0XG56Yg7zBwN6exDPr3iWA4UwTSH9lRJDnBq
aJyvLfAFAvz+X15oePjrQrVp7c+6MigeY2nmhVCWV53Yrl+/TnnekQXlHJ3TsHED
bPW5/LarLge18uACTZvLzYruIvDSU3INPP1W0vUu7YMDwuEp21K1GSspN7yA0yDK
nrWXxmYJGVWanAEvW//zuuqUhxtNjAb/qIQl0UgjFN9cDT5vJZ7oY3nWOwP+0V2a
o+qrRxBTWSVliOShYpfjyHRsASRna2QLLUNQaBeoUqZBKNnFvuw4LZzmqNvV+Idj
+XWRCiSDJnf1zRrMwFLvZZ+UTQ==
=4VxR
-----END PGP SIGNATURE-----
Merge tag 'u-boot-stm32-20210409' of https://source.denx.de/u-boot/custodians/u-boot-stm
Add rt-thread art-pi board support based on STM32H750 SoC
Add Engicam i.Core STM32MP1 SoM
Add FIP header support for STM32programmer
Update uart number when no serial device found for STM32MP1
Remove board_check_usb_power function when ADC flag is not set
Update SPL size limitation for STM32MP1
Set soc_type, soc_pkg, soc_rev env variables for STM32MP1
Split up get_soc_name(), clean the decoding up a bit, and set up
environment variables which contain the SoC type, package, revision.
This is useful on SoMs, where multiple SoC options are populated.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Patrick Delaunay <patrick.delaunay@st.com>
Cc: Patrice Chotard <patrice.chotard@st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Replace the remaining printf in setup_boot_mode() by log macro
to handle filtering for log features.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Align the uart number in the trace of setup_boot_mode() with the name of
the uart/usart device (start at 1) and not with the instance value
(start at 0), i.e. the serial device sequence number and the index in
serial_addr[].
Fixes: f49eb16c17 ("stm32mp: stm32prog: replace alias by serial
device sequence number")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>