You are currently reviewing an older revision of this page.
Total Compute (TC) software stack is a reference software stack for the Arm Total Compute Fixed Virtual Platform (FVP). The TC software consists of firmware, kernel and file system components that can run on the associated FVP.
Some of its main components are as follows:
Some developer user does not need the related secure component for the TC software stack usage, the related secure image component such as the BL32(Hafnium) and other Secure Partition images which is implemented as trusted service, when the user just need to boot up into the normal linux, we can disable them. In this document, we will take buildroot file system as example, other file system shoulbe similar.
NOTE: After the Secure Image is disabled, the related secure service will not available from non-secure world, for example, the U-Boot and Linux OS will not able to use the FF-A function call for the secure service.
For the default TC2 software stack, the image list is as below:
Trusted Boot Firmware BL2: offset=0x3F8, size=0x14ED1, cmdline="--tb-fw" SCP Firmware SCP_BL2: offset=0x152C9, size=0x11D24, cmdline="--scp-fw" EL3 Runtime Firmware BL31: offset=0x26FED, size=0x101D1, cmdline="--soc-fw" Secure Payload BL32 (Trusted OS): offset=0x371BE, size=0x2E2D0, cmdline="--tos-fw" Non-Trusted Firmware BL33: offset=0x6548E, size=0xB1F30, cmdline="--nt-fw" FW_CONFIG: offset=0x1173BE, size=0x18C, cmdline="--fw-config" HW_CONFIG: offset=0x11754A, size=0x297F, cmdline="--hw-config" TB_FW_CONFIG: offset=0x119EC9, size=0x296, cmdline="--tb-fw-config" TOS_FW_CONFIG: offset=0x11A15F, size=0x76F, cmdline="--tos-fw-config" Trusted key certificate: offset=0x11A8CE, size=0x616, cmdline="--trusted-key-cert" SCP Firmware key certificate: offset=0x11AEE4, size=0x4E2, cmdline="--scp-fw-key-cert" SoC Firmware key certificate: offset=0x11B3C6, size=0x4E2, cmdline="--soc-fw-key-cert" Trusted OS Firmware key certificate: offset=0x11B8A8, size=0x4F0, cmdline="--tos-fw-key-cert" Non-Trusted Firmware key certificate: offset=0x11BD98, size=0x4F3, cmdline="--nt-fw-key-cert" Trusted Boot Firmware BL2 certificate: offset=0x11C28B, size=0x4BE, cmdline="--tb-fw-cert" SCP Firmware content certificate: offset=0x11C749, size=0x3F1, cmdline="--scp-fw-cert" SoC Firmware content certificate: offset=0x11CB3A, size=0x438, cmdline="--soc-fw-cert" Trusted OS Firmware content certificate: offset=0x11CF72, size=0x4D6, cmdline="--tos-fw-cert" Non-Trusted Firmware content certificate: offset=0x11D448, size=0x449, cmdline="--nt-fw-cert" SiP owned Secure Partition content certificate: offset=0x11D891, size=0x600, cmdline="--sip-sp-cert" DC1EEF48-B17A-4CCF-AC8B-DFCFF7711B14: offset=0x11DE91, size=0x12346, cmdline="--blob" D9DF52D5-16A2-4BB2-9AA4-D26D3B84E8C0: offset=0x1301D7, size=0x97D5E, cmdline="--blob" 6823A838-1B06-470E-9774-0CCE8BFB53FD: offset=0x1C7F35, size=0xC350, cmdline="--blob" 486178E0-E7F8-11E3-BC5E-0002A5D5C51B: offset=0x1D4285, size=0x74038, cmdline="--blob"
For the default TC2 software stack, the BL31 has the support of the SPMD service which is used to support SPM(secure partition manager) of Hafnium, the change will include the TF-A. Another component is u-boot, u-boot will use the FF-A call to work with the secure firmware update service by default, it also needs to be disabled, otherwise it will boot failure into u-boot.
Remove the hafnium, optee, trusted service from the “$workspace/build-scripts/build-all.sh” as below:
diff --git a/build-all.sh b/build-all.sh index a6717fa..b513b1b 100755 --- a/build-all.sh +++ b/build-all.sh @@ -8,12 +8,8 @@ for_each_build_script() { # Scripts are ordered so that components that depends on others are built last local scripts=( "build-scp.sh" - "build-hafnium.sh" "build-linux.sh" - "build-optee-os.sh" - "build-optee-test.sh" "build-u-boot.sh" - "build-trusted-services.sh" ) if [ -d "$SRC_DIR/trusty" ]; then
We need to disable the SPMD and Secure EL2 related build options, the code path is “$workspace/build-scripts/configs/tc2.config”, the change is as below:
diff --git a/config/tc2.config b/config/tc2.config index 23b86f9..654e787 100644 --- a/config/tc2.config +++ b/config/tc2.config @@ -27,12 +27,12 @@ make_opts_tfa=( TARGET_PLATFORM=$TC_TARGET_FLAVOR ARCH=aarch64 BL33=$OUTPUT_DIR/tmp_build/u-boot/u-boot.bin - BL32=$OUTPUT_DIR/tmp_build/hafnium/secure_tc_clang/hafnium.bin +# BL32=$OUTPUT_DIR/tmp_build/hafnium/secure_tc_clang/hafnium.bin SCP_BL2="$SCP_OUTDIR/scp/bin/tc2-bl2.bin" MBEDTLS_DIR="$SRC_DIR/mbedtls" - SPD=spmd - SPMD_SPM_AT_SEL2=1 - CTX_INCLUDE_EL2_REGS=1 +# SPD=spmd +# SPMD_SPM_AT_SEL2=1 +# CTX_INCLUDE_EL2_REGS=1 LD_LIBRARY_PATH=$TFA_OPENSSL_DIR/lib:$LD_LIBRARY_PATH CROSS_COMPILE=$TFA_COMPILER- TRUSTED_BOARD_BOOT=1 @@ -55,11 +55,11 @@ make_opts_tfa=( # TF-A for OP-TEE make_opts_tfa_optee=( - ARM_SPMC_MANIFEST_DTS="$TFA_SRC/plat/arm/board/tc/fdts/tc_spmc_optee_sp_manifest.dts" - SP_LAYOUT_FILE="$TFA_SP_DIR/sp_layout.json" +# ARM_SPMC_MANIFEST_DTS="$TFA_SRC/plat/arm/board/tc/fdts/tc_spmc_optee_sp_manifest.dts" +# SP_LAYOUT_FILE="$TFA_SP_DIR/sp_layout.json" ARM_GPT_SUPPORT=$TC_FWU_SUPPORT PSA_FWU_SUPPORT=$TC_FWU_SUPPORT - TS_SP_FW_CONFIG=1 +# TS_SP_FW_CONFIG=1 BUILD_BASE="${TFA_OUTDIR}/build/" )
Since the U-boot include the PSA update feature with FF-A driver, the FF-A driver will call the SPMD which will be not available after we remove the secure component support. We need to disable them in U-boot, otherwise the system will boot failure into U-boot stage.
The change for the uboot is $workspace/src/u-boot/configs/total_compute_defconfig” as below:
diff --git a/configs/total_compute_defconfig b/configs/total_compute_defconfig index 55ec3397c1..5d3dc53fdd 100644 --- a/configs/total_compute_defconfig +++ b/configs/total_compute_defconfig @@ -60,8 +60,8 @@ CONFIG_SYS_FLASH_CFI=y CONFIG_SYS_MAX_FLASH_SECT=256 CONFIG_LIBAVB=y CONFIG_OF_LIBFDT_OVERLAY=y -CONFIG_ARM_FFA_TRANSPORT=y +# CONFIG_ARM_FFA_TRANSPORT=y CONFIG_CMD_EFIDEBUG=y -CONFIG_EFI_CAPSULE_FIRMWARE_ARM_PSA=y -CONFIG_EFI_CAPSULE_ON_DISK=y -CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y +#CONFIG_EFI_CAPSULE_FIRMWARE_ARM_PSA=y +#CONFIG_EFI_CAPSULE_ON_DISK=y +#CONFIG_EFI_RUNTIME_UPDATE_CAPSULE=y
If we already build out the default software stack, we can remove the original binary by below cmd first:
$rm $workspace/output -rf
Then build the new component image again as below:
./run_docker.sh ./build-all.sh build
After the build successfully, the FIP image list is as below, we can see the BL32 is removed
Trusted Boot Firmware BL2: offset=0x290, size=0x13A99, cmdline="--tb-fw" SCP Firmware SCP_BL2: offset=0x13D29, size=0x11D24, cmdline="--scp-fw" EL3 Runtime Firmware BL31: offset=0x25A4D, size=0xE1C1, cmdline="--soc-fw" Non-Trusted Firmware BL33: offset=0x33C0E, size=0xACF58, cmdline="--nt-fw" FW_CONFIG: offset=0xE0B66, size=0x18C, cmdline="--fw-config" HW_CONFIG: offset=0xE0CF2, size=0x292B, cmdline="--hw-config" TB_FW_CONFIG: offset=0xE361D, size=0x2D0, cmdline="--tb-fw-config" Trusted key certificate: offset=0xE38ED, size=0x616, cmdline="--trusted-key-cert" SCP Firmware key certificate: offset=0xE3F03, size=0x4E2, cmdline="--scp-fw-key-cert" SoC Firmware key certificate: offset=0xE43E5, size=0x4E2, cmdline="--soc-fw-key-cert" Non-Trusted Firmware key certificate: offset=0xE48C7, size=0x4F3, cmdline="--nt-fw-key-cert" Trusted Boot Firmware BL2 certificate: offset=0xE4DBA, size=0x4BE, cmdline="--tb-fw-cert" SCP Firmware content certificate: offset=0xE5278, size=0x3F1, cmdline="--scp-fw-cert" SoC Firmware content certificate: offset=0xE5669, size=0x438, cmdline="--soc-fw-cert" Non-Trusted Firmware content certificate: offset=0xE5AA1, size=0x449, cmdline="--nt-fw-cert"
The removed image list comparted to the default image list is as below:
Secure Payload BL32 (Trusted OS): offset=0x371BE, size=0x2E2D0, cmdline="--tos-fw" TOS_FW_CONFIG: offset=0x11A15F, size=0x76F, cmdline="--tos-fw-config" Trusted OS Firmware key certificate: offset=0x11B8A8, size=0x4F0, cmdline="--tos-fw-key-cert" Trusted OS Firmware content certificate: offset=0x11CF72, size=0x4D6, cmdline="--tos-fw-cert" SiP owned Secure Partition content certificate: offset=0x11D891, size=0x600, cmdline="--sip-sp-cert" DC1EEF48-B17A-4CCF-AC8B-DFCFF7711B14: offset=0x11DE91, size=0x12346, cmdline="--blob" D9DF52D5-16A2-4BB2-9AA4-D26D3B84E8C0: offset=0x1301D7, size=0x97D5E, cmdline="--blob" 6823A838-1B06-470E-9774-0CCE8BFB53FD: offset=0x1C7F35, size=0xC350, cmdline="--blob" 486178E0-E7F8-11E3-BC5E-0002A5D5C51B: offset=0x1D4285, size=0x74038, cmdline="--blob"
As described into the TC2 user guide running-buildroot, we can run the software stack again by cmd:
./run-scripts/tc2/run_model.sh -m <model binary path> -d buildroot
The TF-A and U-boot is running as below:
The Linux kernel is boot as normally, for example the log as below:
Starting kernel ... [ 0.000000][ T0] Booting Linux on physical CPU 0x0000000000 [0x410fd801] [ 0.000000][ T0] Linux version 5.15.41-g7385306ee901 (jett@jett-sw-P520) (aarch64-none-linux-gnu-gcc (Arm GNU Toolchain 12.2.Rel1 (Build arm-12.24)) 12.2.1 20221205, GNU ld (Arm GNU Toolchain 12.2.Rel1 (Build arm-12.24)) 2.39.0.20221210) #1 SMP PREEMPT Fri Feb 2 03:28:14 UTC 2024 [ 0.000000][ T0] Machine model: arm,tc [ 0.000000][ T0] Stack Depot is disabled [ 0.000000][ T0] earlycon: pl11 at MMIO 0x000000002a400000 (options '') [ 0.000000][ T0] printk: bootconsole [pl11] enabled [ 0.000000][ T0] efi: UEFI not found. [ 0.000000][ T0] Reserved memory: created CMA memory pool at 0x00000081f8000000, size 128 MiB [ 0.000000][ T0] OF: reserved mem: initialized node linux,cma, compatible id shared-dma-pool [ 0.000000][ T0] software IO TLB: Reserved memory: created restricted DMA pool at 0x00000000f8e00000, size 2 MiB [ 0.000000][ T0] OF: reserved mem: initialized node optee@0xf8e00000, compatible id restricted-dma-pool [ 0.000000][ T0] kvm [0]: Reserved 46 MiB at 0x81f4200000 [ 0.000000][ T0] Zone ranges: ................................... Starting network: ip: RTNETLINK answers: File exists [ 3.031771][ T227] ip (227) used greatest stack depth: 12672 bytes left FAIL [ 3.076275][ T220] random: crng init done ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 Starting sshd: OK ^M Welcome to Buildroot ^Mbuildroot login: root # cat /proc^M# cat /proc/^[[Jcm^M# cat /proc/cmdline ^[[J stack_depot_disable=on kasan.stacktrace=off kvm-arm.mode=protected cgroup_disable=pressure console=ttyAMA0 debug user_debug=31 earlycon=pl011,0x2A400000 loglevel=9 androidboot.hardware=total_compute androidboot.boot_devices=1c050000.mmci ip=dhcp androidboot.selinux=permissive allow_mismatched_32bit_el0 systemd.log_level=info