Procedure for adding Verified Boot and Trusted Firmware-A support for Rasberry Pi 3B+

[vvramya]

Introduction:

These are the instructions we followed to build U-Boot and OP-TEE OS for Raspberry Pi 3 B+ using the FIT image format.

Building OPTEE-OS:

1) Install the prerequisite packages:

sudo apt-get install android-tools-adb android-tools-fastboot autoconf
automake bc bison build-essential cscope curl device-tree-compiler
expect flex ftp-upload gdisk iasl libattr1-dev libcap-dev
libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev
libpixman-1-dev libssl-dev libtool make
mtools netcat python-crypto python-serial python-wand unzip uuid-dev
xdg-utils xterm xz-utils zlib1g-dev git

2) Repo Setup:

$ mkdir ~/bin $ PATH=~/bin:$PATH $ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo $ chmod a+x ~/bin/repo $ git config --global user.name "Your Name" $ git config --global user.email "Your email"

3) Build OP-TEE OS and toolchains:

(we’re using the latest version of OPTEE)

$ mkdir optee $ cd optee $ repo init -u https://github.com/johnphilby/manifest/tree/add-support-rpi3-bplus -m rpi3-bplus.xml $ repo sync $ cd build

once repo mainfest is done, Then we can build using the following command $ make -j2 toolchains

$ make -j nproc

4) Verified boot on the Raspberry Pi 3 B+:

4.1) Create a Signed image:

4.1.1) create a folder called fit, outside optee folder

$ mkdir fit
$ cd fit

4.1.2)create a file image.its(image source file)
/dts-v1/;
/ {
    description = "RPi FIT Image";
    #address-cells = <2>;
    images {
        kernel-1 {
            description = "default kernel";
            data = /incbin/("Image");
            type = "kernel";
            arch = "arm64";
            os = "linux";
            compression = "none";
            load =  <0x00080000>;
            entry = <0x00080000>;
            hash-1 {
                algo = "sha1";
            };
        };
        tee-1 {
            description = "atf";
            data = /incbin/("armstub8.bin");
            type = "standalone";
            arch = "arm64";
            compression = "none";
            load =  <0x08400000>;
            entry = <0x08400000>;
            hash-1 {
                algo = "sha1";
            };
        };
        fdt-1 {
            description = "device tree";
            data = /incbin/("bcm2710-rpi-3-b-plus.dtb");
            type = "flat_dt";
            arch = "arm64";
            compression = "none";
            load = <0x01000000>;
            entry = <0x01000000>;
            hash-1 {
                algo = "sha1";
            };
        };
    };
    configurations {
        default = "config-1";
        config-1 {
            description = "default configuration";
            kernel = "kernel-1";
            loadables = "tee-1";
            fdt = "fdt-1";
            signature-1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
                sign-images = "fdt", "kernel", "loadables";
            };
        };
    };
};

4.1.3) Copy image and DTB files to fit folder:

$ ln -s ../optee/linux/arch/arm64/boot/dts/broadcom/bcm2710-rpi-3-b-plus.dtb $ ln -s ../optee/linux/arch/arm64/boot/Image $ ln -s ../optee/arm-trusted-firmware/build/rpi3/debug/armstub8.bin $ cp ../optee/linux/arch/arm64/boot/dts/broadcom/bcm2710-rpi-3-b-plus.dtb bcm2710-rpi-3-b-plus-pubkey.dtb

4.1.4) Generate a new RSA key pair:

$ mkdir keys $ openssl genrsa -F4 -out keys/dev.key 2048 $ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt

4.1.5) Generate a signed FIT image:

../optee/u-boot/tools/mkimage -f image.its -K bcm2710-rpi-3-b-plus-pubkey.dtb -k keys -r image.fit

5) Build U-Boot with FIT image:

5.1)Replace the following lines in optee/build/rpi3/firmware/uboot.env.txt file:

boot_fit=bootm ${fit_addr}
fdt_addr_r=0x01000000
fit_addr=0x02000000
fdtfile=bcm2710-rpi-3-b-plus.dtb
load_fit=fatload mmc 0:1 ${fit_addr} image.fit
mmcboot=run load_fit; run set_bootargs_tty set_bootargs_mmc set_common_args; run boot_fit

Build U-Boot env file:

$ cd ../optee/build $ make EXT_DTB=../../fit/bcm2710-rpi-3-b-plus-pubkey.dtb arm-tf u-boot-env

5.2) Configure FIT image support:

Add the following in optee/u-boot/configs/rpi_3_defconfig file

CONFIG_DEFAULT_DEVICE_TREE="bcm2837-rpi-3-b-plus" CONFIG_OF_CONTROL=y CONFIG_FIT=y CONFIG_FIT_SIGNATURE=y CONFIG_RSA=y

Add the following in optee/u-boot/include/configs/rpi.h file to support the larger FIT image:

define CONFIG_SYS_BOOTM_LEN (16 << 20)

5.3) Build the U-Boot with FIT Image

$ cd optee/build/ $ make u-boot-clean arm-tf-clean u-boot-env-clean $ make EXT_DTB=../../fit/bcm2710-rpi-3-b-plus-pubkey.dtb arm-tf u-boot-env u-boot

6) Install the image:

6.1) Prepare the SD card using following:

$ cd optee/build $ make img-help

fdisk /dev/sdx # where sdx is the name of your sd-card

p # prints partition table d # repeat until all partitions are deleted n # create a new partition p # create primary 1 # make it the first partition

# use the default sector +70M # create a boot partition with 32MB of space n # create rootfs partition p 2 # fill the remaining disk, adjust size to fit your needs t # change partition type 1 # select first partition e # use type 'e' (FAT16) a # make partition bootable 1 # select first partition p # double check everything looks right w # write partition table to disk

run the following as root $ mkfs.vfat -F16 -n BOOT /dev/sdx1 $ mkdir -p /media/boot $ mount /dev/sdx1 /media/boot $ cd /media $ gunzip -cd /home/ramya/optee_latest/optee/build/../out-br/images/rootfs.cpio.gz | sudo cpio -idmv "boot/*" $ umount boot

run the following as root $ mkfs.ext4 -L rootfs /dev/sdx2 $ mkdir -p /media/rootfs $ mount /dev/sdx2 /media/rootfs $ cd rootfs $ gunzip -cd /home/ramya/optee_latest/optee/build/../out-br/images/rootfs.cpio.gz | sudo cpio -idmv $ rm -rf /media/rootfs/boot/* $ cd .. && umount rootfs

mount /dev/sdX1 /media/boot cd /media/boot/ cp /home/ramya/optee_latest/optee/out/uboot.env . cp /home/ramya/optee_latest/fit/image.fit . cd .. && umount /dev/sdX1

7) Test Verified boot in Raspberry Pi 3b+:

Insert SD card into rpi3b+ board and verified boot configured correctly from U-Boot output:

Power up the board

You can see like below:

NOTICE: Booting Trusted Firmware

NOTICE: BL1: v2.0(debug):v2.0-580-g023bc01 NOTICE: BL1: Built : 18:13:54, Apr 9 2019 INFO: BL1: RAM 0x100ee000 - 0x100f7000 INFO: BL1: cortex_a53: CPU workaround for 843419 was applied INFO: BL1: cortex_a53: CPU workaround for 855873 was applied NOTICE: rpi3: Detected: Raspberry Pi 3 Model B+ (1GB, Sony, UK) [0x00a020d3] INFO: BL1: Loading BL2 INFO: Loading image id=1 at address 0x100b4000 INFO: Image id=1 loaded: 0x100b4000 - 0x100b9410 NOTICE: BL1: Booting BL2 INFO: Image id=5 loaded: 0x11000000 - 0x1107fff8 NOTICE: BL1: Booting BL31 INFO: Entry point address = 0x100e0000 INFO: SPSR = 0x3cd NOTICE: BL31: v2.0(debug):v2.0-580-g023bc01 NOTICE: BL31: Built : 18:14:00, Apr 9 2019 INFO: rpi3: Checking DTB... INFO: BL31: Initializing runtime services INFO: BL31: cortex_a53: CPU workaround for 843419 was applied INFO: BL31: cortex_a53: CPU workaround for 855873 was applied INFO: BL31: Initializing BL32

U-Boot 2019.01-00093-gaac0c29-dirty (Apr 10 2019 - 11:05:51 +0530)

DRAM: 128 MiB RPI 3 Model B+ (0xa020d3) MMC: mmc@7e202000: 0, sdhci@7e300000: 1 Loading Environment from FAT... OK In: serial Out: serial Err: serial Net: No ethernet found. starting USB... USB0: scanning bus 0 for devices... 4 USB Device(s) found scanning usb for storage devices... 0 Storage Device(s) found Hit any key to stop autoboot: 0 16105600 bytes read in 671 ms (22.9 MiB/s)

Loading kernel from FIT Image at 02000000 ...

Using 'config-1' configuration Verifying Hash Integrity ... OK Trying 'kernel-1' kernel subimage Description: default kernel Type: Kernel Image Compression: uncompressed Data Start: 0x020000c0 Data Size: 15071744 Bytes = 14.4 MiB Architecture: AArch64 OS: Linux Load Address: 0x00080000 Entry Point: 0x00080000 Hash algo: sha1 Hash value: 60c0bd58ae20a73eabf8d89b647bd3c19a137bc5 Verifying Hash Integrity ... sha1+ OK

Loading fdt from FIT Image at 02000000 ...

Using 'config-1' configuration Verifying Hash Integrity ... OK Trying 'fdt-1' fdt subimage Description: device tree Type: Flat Device Tree Compression: uncompressed Data Start: 0x02f5569c Data Size: 25621 Bytes = 25 KiB Architecture: AArch64 Load Address: 0x01000000 Hash algo: sha1 Hash value: d37f8aed170466dbf71dbf671f7487859c0dfcf0 Verifying Hash Integrity ... sha1+ OK Loading fdt from 0x02f5569c to 0x01000000 Booting using the fdt blob at 0x1000000

Loading loadables from FIT Image at 02000000 ...

Trying 'tee-1' loadables subimage Description: atf Type: Standalone Program Compression: uncompressed Data Start: 0x02e5fba0 Data Size: 1006116 Bytes = 982.5 KiB Architecture: AArch64 Load Address: 0x08400000 Entry Point: 0x08400000 Hash algo: sha1 Hash value: 4dc5a9130a711ae9414cdb6378ad6294f31d97d1 Verifying Hash Integrity ... sha1+ OK Loading loadables from 0x02e5fba0 to 0x08400000 Loading Kernel Image ... OK reserving fdt memory region: addr=0 size=1000 Loading Device Tree to 0000000007b36000, end 0000000007b3f414 ... OK

Starting kernel ... ........... ......... Starting logging: OK Initializing random number generator... done. Set permissions on /dev/tee*: OK Create/set permissions on /data/tee: OK Starting tee-supplicant: OK Starting network: OK

Welcome to Buildroot, type root or test to login buildroot login:

[jbech-linaro]

@vvramya , thanks for sharing, it'd be good to have this in the official documentation https://optee.readthedocs.io ... maybe here https://optee.readthedocs.io/building/devices/rpi3.html#.

We should also proceed with https://github.com/OP-TEE/manifest/pull/134 and https://github.com/OP-TEE/build/pull/358 that you and @johnphilby created. I.e., getting things into the official trees. We don't want to rely on external instructions / trees etc, since we cannot vouch for things outside of our control.

@msa2 this is probably of interest to you.

[johnphilby]

@jbech-linaro We would like to closely work with you in improving OPTEE. The management has allocated two resources for the same - Ramya and Varsha. Would like to discuss this in a separate mail on the tasks they can work on. They have been tinkering with optee to get a hang of it and it seems they are comfortable taking additional tasks. If there is a ToDo list of the tasks and if you can point them in the right direction, it would help.

I couldn’t find the time for pushing those changes OP-TEE/build#358 since I do not work full time on OPTEE. Will definitely try to push it this weekend.

[github-actions[bot]]

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.