The Total Compute (TC) software stack is a reference software stack for the Arm Total Compute Fixed Virtual Platform (FVP). It consists of firmware, kernel and file system components that can run on the associated FVP.
Some of its main components are as follows:
Some developers do not need the secure components of the TC software stack. When the goal is only to boot into normal-world Linux, the secure images, such as BL32 (Hafnium) and the Secure Partition images that implement the Trusted Services, can be disabled.
Note: After the secure images are disabled, the related secure services are not available from the non-secure world. For example, U-Boot and the Linux OS will not be able to use FF-A function calls to reach the secure services.
In the default TC2 software stack, BL31 includes the SPMD service, which supports the SPM (Secure Partition Manager) role of Hafnium, so the change includes TF-A. The other component is U-Boot: it uses FF-A calls to work with the secure firmware update service, so that needs to be disabled too.
Remove the Hafnium, OP-TEE and Trusted Services build scripts from "$workspace/build-scripts/build-all.sh":
diff --git a/build-all.sh b/build-all.sh index a6717fa..b513b1b 100755 --- a/build-all.sh +++ b/build-all.sh @@ -8,12 +8,8 @@ for_each_build_script() { # Scripts are ordered so that components that depends on others are built last local scripts=( "build-scp.sh" - "build-hafnium.sh" "build-linux.sh" - "build-optee-os.sh" - "build-optee-test.sh" "build-u-boot.sh" - "build-trusted-services.sh" ) if [ -d "$SRC_DIR/trusty" ]; then
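Review bot: The context line if [ -d "$SRC_DIR/trusty" ]; then directly after the scripts array is left untouched, so whatever that branch adds to the build is not covered by this change; please confirm it cannot reintroduce a secure payload when a trusty checkout is present in the workspace. Deleting the four entries outright also makes the normal-world-only build a permanent fork of build-all.sh. A single switch variable that guards the Hafnium, OP-TEE and Trusted Services entries would keep both variants in one script and make the choice visible in the build log.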
We need to disable the SPMD and Secure EL2 related build options:
diff --git a/config/tc2.config b/config/tc2.config index 23b86f9..654e787 100644 --- a/config/tc2.config +++ b/config/tc2.config @@ -27,12 +27,12 @@ make_opts_tfa=( TARGET_PLATFORM=$TC_TARGET_FLAVOR ARCH=aarch64 BL33=$OUTPUT_DIR/tmp_build/u-boot/u-boot.bin - BL32=$OUTPUT_DIR/tmp_build/hafnium/secure_tc_clang/hafnium.bin +# BL32=$OUTPUT_DIR/tmp_build/hafnium/secure_tc_clang/hafnium.bin SCP_BL2="$SCP_OUTDIR/scp/bin/tc2-bl2.bin" MBEDTLS_DIR="$SRC_DIR/mbedtls" - SPD=spmd - SPMD_SPM_AT_SEL2=1 - CTX_INCLUDE_EL2_REGS=1 +# SPD=spmd +# SPMD_SPM_AT_SEL2=1 +# CTX_INCLUDE_EL2_REGS=1 LD_LIBRARY_PATH=$TFA_OPENSSL_DIR/lib:$LD_LIBRARY_PATH CROSS_COMPILE=$TFA_COMPILER- TRUSTED_BOARD_BOOT=1 @@ -55,11 +55,11 @@ make_opts_tfa=( # TF-A for OP-TEE make_opts_tfa_optee=( - ARM_SPMC_MANIFEST_DTS="$TFA_SRC/plat/arm/board/tc/fdts/tc_spmc_optee_sp_manifest.dts" - SP_LAYOUT_FILE="$TFA_SP_DIR/sp_layout.json" +# ARM_SPMC_MANIFEST_DTS="$TFA_SRC/plat/arm/board/tc/fdts/tc_spmc_optee_sp_manifest.dts" +# SP_LAYOUT_FILE="$TFA_SP_DIR/sp_layout.json" ARM_GPT_SUPPORT=$TC_FWU_SUPPORT PSA_FWU_SUPPORT=$TC_FWU_SUPPORT - TS_SP_FW_CONFIG=1 +# TS_SP_FW_CONFIG=1 BUILD_BASE="${TFA_OUTDIR}/build/" )
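Review bot: In make_opts_tfa_optee, ARM_GPT_SUPPORT=$TC_FWU_SUPPORT and PSA_FWU_SUPPORT=$TC_FWU_SUPPORT are kept while TS_SP_FW_CONFIG, the SPMC manifest and the SP layout are commented out, so TF-A can still be built with PSA firmware update support even though the secure partitions that provide the update service are gone. Either set both options to 0 for this variant or state which value of TC_FWU_SUPPORT the change expects. TRUSTED_BOARD_BOOT=1 is correctly left in place in make_opts_tfa; a short comment next to the disabled SPD=spmd line saying that only the secure payload is dropped and image authentication is unchanged would help the next reader. The options would also be cleaner removed or gated on a variable than left as commented-out lines inside the arrays.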
U-Boot includes the PSA update feature together with the FF-A driver, and the FF-A driver calls the SPMD, which is no longer available once the secure component support is removed. These options must therefore be disabled in U-Boot, otherwise the system will fail to boot at the U-Boot stage.
diff --git a/configs/total_compute_defconfig b/configs/total_compute_defconfig index 55ec3397c1..5d3dc53fdd 100644 --- a/configs/total_compute_defconfig +++ b/configs/total_compute_defconfig @@ -60,8 +60,8 @@ CONFIG_SYS_FLASH_CFI=y CONFIG_SYS_MAX_FLASH_SECT=256 CONFIG_LIBAVB=y CONFIG_OF_LIBFDT_OVERLAY=y -CONFIG_ARM_FFA_TRANSPORT=y +# CONFIG_ARM_FFA_TRANSPORT=y CONFIG_CMD_EFIDEBUG=y -CONFIG_EFI_CAPSULE_FIRMWARE_ARM_PSA=y -CONFIG_EFI_CAPSULE_ON_DISK=y -CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y +#CONFIG_EFI_CAPSULE_FIRMWARE_ARM_PSA=y +#CONFIG_EFI_CAPSULE_ON_DISK=y +#CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
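Review bot: The disabled options are written as commented-out assignments, in two different styles (# CONFIG_ARM_FFA_TRANSPORT=y with a space, #CONFIG_EFI_CAPSULE_ON_DISK=y without), which is not the Kconfig form for a disabled symbol. In a defconfig, either delete the lines or use the "# CONFIG_ARM_FFA_TRANSPORT is not set" form, so the file survives a savedefconfig round trip and the intent is unambiguous. It is also worth stating in the commit text that turning off the three CONFIG_EFI_CAPSULE_* options removes capsule-based firmware update from this build, since that is a functional loss beyond dropping the FF-A transport.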
If the default software stack has already been built, first remove the original binaries with the command below:
$ rm -rf $workspace/output
Then build the new component images again as below:
./run_docker.sh ./build-all.sh build
After the build succeeds, the FIP image contents are as listed below. BL32 is no longer present:
Trusted Boot Firmware BL2: offset=0x290, size=0x13A99, cmdline="--tb-fw"
SCP Firmware SCP_BL2: offset=0x13D29, size=0x11D24, cmdline="--scp-fw"
EL3 Runtime Firmware BL31: offset=0x25A4D, size=0xE1C1, cmdline="--soc-fw"
Non-Trusted Firmware BL33: offset=0x33C0E, size=0xACF58, cmdline="--nt-fw"
FW_CONFIG: offset=0xE0B66, size=0x18C, cmdline="--fw-config"
HW_CONFIG: offset=0xE0CF2, size=0x292B, cmdline="--hw-config"
TB_FW_CONFIG: offset=0xE361D, size=0x2D0, cmdline="--tb-fw-config"
Trusted key certificate: offset=0xE38ED, size=0x616, cmdline="--trusted-key-cert"
SCP Firmware key certificate: offset=0xE3F03, size=0x4E2, cmdline="--scp-fw-key-cert"
SoC Firmware key certificate: offset=0xE43E5, size=0x4E2, cmdline="--soc-fw-key-cert"
Non-Trusted Firmware key certificate: offset=0xE48C7, size=0x4F3, cmdline="--nt-fw-key-cert"
Trusted Boot Firmware BL2 certificate: offset=0xE4DBA, size=0x4BE, cmdline="--tb-fw-cert"
SCP Firmware content certificate: offset=0xE5278, size=0x3F1, cmdline="--scp-fw-cert"
SoC Firmware content certificate: offset=0xE5669, size=0x438, cmdline="--soc-fw-cert"
Non-Trusted Firmware content certificate: offset=0xE5AA1, size=0x449, cmdline="--nt-fw-cert"
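The listing above can be checked mechanically instead of by eye. The following is an added example, not part of the TC build scripts: it parses the listing format shown above and reports a leftover secure payload, a firmware image without its content certificate, or overlapping entries. The function names are hypothetical, the `--tos-fw` prefix for BL32 is the option name used by TF-A's fiptool and does not appear on this page, and the pairing of `--X-fw` with `--X-fw-cert` is read off the listing.

```python
import re

# One line of the FIP listing: 'Name: offset=0x.., size=0x.., cmdline="--opt"'
ENTRY = re.compile(
    r'^(?P<name>.+): offset=0x(?P<off>[0-9A-Fa-f]+), '
    r'size=0x(?P<size>[0-9A-Fa-f]+), cmdline="(?P<opt>--[a-z0-9-]+)"$')

# Constructed sample: eight lines copied from the listing above.
SAMPLE = """\
Trusted Boot Firmware BL2: offset=0x290, size=0x13A99, cmdline="--tb-fw"
SCP Firmware SCP_BL2: offset=0x13D29, size=0x11D24, cmdline="--scp-fw"
EL3 Runtime Firmware BL31: offset=0x25A4D, size=0xE1C1, cmdline="--soc-fw"
Non-Trusted Firmware BL33: offset=0x33C0E, size=0xACF58, cmdline="--nt-fw"
Trusted Boot Firmware BL2 certificate: offset=0xE4DBA, size=0x4BE, cmdline="--tb-fw-cert"
SCP Firmware content certificate: offset=0xE5278, size=0x3F1, cmdline="--scp-fw-cert"
SoC Firmware content certificate: offset=0xE5669, size=0x438, cmdline="--soc-fw-cert"
Non-Trusted Firmware content certificate: offset=0xE5AA1, size=0x449, cmdline="--nt-fw-cert"
"""

def parse_listing(text):
    """Return {option: (name, offset, size)}; reject lines that do not parse."""
    entries = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"unrecognised FIP listing line: {line!r}")
        entries[m["opt"]] = (m["name"], int(m["off"], 16), int(m["size"], 16))
    return entries

def audit_listing(text):
    """Return a list of findings; an empty list means the FIP matches the intent."""
    entries = parse_listing(text)
    findings = []
    # Assumption: BL32 and its certificates use options starting with --tos-fw.
    for opt in sorted(o for o in entries if o.startswith("--tos-fw")):
        findings.append(f"secure payload still packaged: {opt} ({entries[opt][0]})")
    # TRUSTED_BOARD_BOOT=1 is kept, so every firmware image needs its certificate.
    for opt in sorted(o for o in entries if o.endswith("-fw")):
        if opt + "-cert" not in entries:
            findings.append(f"{opt} has no content certificate ({opt}-cert)")
    # Entries must not overlap inside the package.
    spans = sorted((off, off + size, opt) for opt, (_, off, size) in entries.items())
    for (_, end, a), (start, _, b) in zip(spans, spans[1:]):
        if start < end:
            findings.append(f"{a} overlaps {b}")
    return findings

if __name__ == "__main__":
    print(audit_listing(SAMPLE) or "no findings")
```

Running the audit on the listing saved from each build turns a reappearing BL32 entry, for example after the commented-out TF-A options are restored, into a failed check rather than something noticed at boot.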
As described in the user guide, we can run the software stack again with the command:
TF-A and U-Boot run as shown below: