
Procedure for adding Verified Boot and Trusted Firmware-A support for Raspberry Pi 3B+ #3066

Closed
vvramya opened this issue Jun 4, 2019 · 3 comments

vvramya commented Jun 4, 2019

Introduction:

These are the instructions we followed to build U-Boot and OP-TEE OS for Raspberry Pi 3 B+ using the FIT image format.

Building OPTEE-OS:

  1. Install the prerequisite packages:

sudo apt-get install android-tools-adb android-tools-fastboot autoconf
automake bc bison build-essential cscope curl device-tree-compiler
expect flex ftp-upload gdisk iasl libattr1-dev libcap-dev
libfdt-dev libftdi-dev libglib2.0-dev libhidapi-dev libncurses5-dev
libpixman-1-dev libssl-dev libtool make
mtools netcat python-crypto python-serial python-wand unzip uuid-dev
xdg-utils xterm xz-utils zlib1g-dev git

  2. Repo Setup:

$ mkdir ~/bin
$ PATH=~/bin:$PATH
$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo
$ git config --global user.name "Your Name"
$ git config --global user.email "Your email"

  3. Build OP-TEE OS and toolchains:

(we’re using the latest version of OPTEE)

$ mkdir optee
$ cd optee
$ repo init -u https://github.com/johnphilby/manifest -b add-support-rpi3-bplus -m rpi3-bplus.xml
$ repo sync
$ cd build

Once the repo manifest sync is done, we can build using the following commands:

$ make -j2 toolchains
$ make -j$(nproc)

  4. Verified boot on the Raspberry Pi 3 B+:

4.1) Create a signed image:

4.1.1) Create a folder called fit outside the optee folder:

$ mkdir fit
$ cd fit

4.1.2) Create a file image.its (the image source file):

/dts-v1/;
/ {
	description = "RPi FIT Image";
	#address-cells = <2>;
	images {
		kernel-1 {
			description = "default kernel";
			data = /incbin/("Image");
			type = "kernel";
			arch = "arm64";
			os = "linux";
			compression = "none";
			load =  <0x00080000>;
			entry = <0x00080000>;
			hash-1 {
				algo = "sha1";
			};
		};
		tee-1 {
			description = "atf";
			data = /incbin/("armstub8.bin");
			type = "standalone";
			arch = "arm64";
			compression = "none";
			load =  <0x08400000>;
			entry = <0x08400000>;
			hash-1 {
				algo = "sha1";
			};
		};
		fdt-1 {
			description = "device tree";
			data = /incbin/("bcm2710-rpi-3-b-plus.dtb");
			type = "flat_dt";
			arch = "arm64";
			compression = "none";
			load = <0x01000000>;
			entry = <0x01000000>;
			hash-1 {
				algo = "sha1";
			};
		};
	};
	configurations {
		default = "config-1";
		config-1 {
			description = "default configuration";
			kernel = "kernel-1";
			loadables = "tee-1";
			fdt = "fdt-1";
			signature-1 {
				algo = "sha1,rsa2048";
				key-name-hint = "dev";
				sign-images = "fdt", "kernel", "loadables";
			};
		};
	};
};

4.1.3) Copy the image and DTB files to the fit folder:

$ ln -s ../optee/linux/arch/arm64/boot/dts/broadcom/bcm2710-rpi-3-b-plus.dtb
$ ln -s ../optee/linux/arch/arm64/boot/Image
$ ln -s ../optee/arm-trusted-firmware/build/rpi3/debug/armstub8.bin
$ cp ../optee/linux/arch/arm64/boot/dts/broadcom/bcm2710-rpi-3-b-plus.dtb bcm2710-rpi-3-b-plus-pubkey.dtb

4.1.4) Generate a new RSA key pair:

$ mkdir keys
$ openssl genrsa -F4 -out keys/dev.key 2048
$ openssl req -batch -new -x509 -key keys/dev.key -out keys/dev.crt

4.1.5) Generate a signed FIT image:

../optee/u-boot/tools/mkimage -f image.its -K bcm2710-rpi-3-b-plus-pubkey.dtb -k keys -r image.fit

  5. Build U-Boot with FIT image:

5.1) Replace the following lines in the optee/build/rpi3/firmware/uboot.env.txt file:

boot_fit=bootm ${fit_addr}
fdt_addr_r=0x01000000
fit_addr=0x02000000
fdtfile=bcm2710-rpi-3-b-plus.dtb
load_fit=fatload mmc 0:1 ${fit_addr} image.fit
mmcboot=run load_fit; run set_bootargs_tty set_bootargs_mmc set_common_args; run boot_fit

Build the U-Boot env file:

$ cd ../optee/build
$ make EXT_DTB=../../fit/bcm2710-rpi-3-b-plus-pubkey.dtb arm-tf u-boot-env

5.2) Configure FIT image support:

Add the following to the optee/u-boot/configs/rpi_3_defconfig file:

CONFIG_DEFAULT_DEVICE_TREE="bcm2837-rpi-3-b-plus"
CONFIG_OF_CONTROL=y
CONFIG_FIT=y
CONFIG_FIT_SIGNATURE=y
CONFIG_RSA=y

Add the following to the optee/u-boot/include/configs/rpi.h file to support the larger FIT image:

#define CONFIG_SYS_BOOTM_LEN (16 << 20)

5.3) Build U-Boot with the FIT image:

$ cd optee/build/
$ make u-boot-clean arm-tf-clean u-boot-env-clean
$ make EXT_DTB=../../fit/bcm2710-rpi-3-b-plus-pubkey.dtb arm-tf u-boot-env u-boot

  6. Install the image:

6.1) Prepare the SD card as follows:

$ cd optee/build
$ make img-help

fdisk /dev/sdx # where sdx is the name of your sd-card

p # prints partition table
d # repeat until all partitions are deleted
n # create a new partition
p # create primary
1 # make it the first partition
# use the default sector
+70M # create a boot partition with 70MB of space
n # create rootfs partition
p
2

# fill the remaining disk, adjust size to fit your needs
t # change partition type
1 # select first partition
e # use type 'e' (FAT16)
a # make partition bootable
1 # select first partition
p # double check everything looks right
w # write partition table to disk

Run the following as root:
$ mkfs.vfat -F16 -n BOOT /dev/sdx1
$ mkdir -p /media/boot
$ mount /dev/sdx1 /media/boot
$ cd /media
$ gunzip -cd /home/ramya/optee_latest/optee/build/../out-br/images/rootfs.cpio.gz | sudo cpio -idmv "boot/*"
$ umount boot

Run the following as root:
$ mkfs.ext4 -L rootfs /dev/sdx2
$ mkdir -p /media/rootfs
$ mount /dev/sdx2 /media/rootfs
$ cd rootfs
$ gunzip -cd /home/ramya/optee_latest/optee/build/../out-br/images/rootfs.cpio.gz | sudo cpio -idmv
$ rm -rf /media/rootfs/boot/*
$ cd .. && umount rootfs

$ mount /dev/sdx1 /media/boot
$ cd /media/boot/
$ cp /home/ramya/optee_latest/optee/out/uboot.env .
$ cp /home/ramya/optee_latest/fit/image.fit .
$ cd .. && umount /dev/sdx1

  7. Test verified boot on the Raspberry Pi 3B+:

Insert the SD card into the RPi 3B+ board and check from the U-Boot output that verified boot is configured correctly:

Power up the board.

You should see output like the one below:

NOTICE: Booting Trusted Firmware

NOTICE: BL1: v2.0(debug):v2.0-580-g023bc01
NOTICE: BL1: Built : 18:13:54, Apr 9 2019
INFO: BL1: RAM 0x100ee000 - 0x100f7000
INFO: BL1: cortex_a53: CPU workaround for 843419 was applied
INFO: BL1: cortex_a53: CPU workaround for 855873 was applied
NOTICE: rpi3: Detected: Raspberry Pi 3 Model B+ (1GB, Sony, UK) [0x00a020d3]
INFO: BL1: Loading BL2
INFO: Loading image id=1 at address 0x100b4000
INFO: Image id=1 loaded: 0x100b4000 - 0x100b9410
NOTICE: BL1: Booting BL2
INFO: Image id=5 loaded: 0x11000000 - 0x1107fff8
NOTICE: BL1: Booting BL31
INFO: Entry point address = 0x100e0000
INFO: SPSR = 0x3cd
NOTICE: BL31: v2.0(debug):v2.0-580-g023bc01
NOTICE: BL31: Built : 18:14:00, Apr 9 2019
INFO: rpi3: Checking DTB...
INFO: BL31: Initializing runtime services
INFO: BL31: cortex_a53: CPU workaround for 843419 was applied
INFO: BL31: cortex_a53: CPU workaround for 855873 was applied
INFO: BL31: Initializing BL32

U-Boot 2019.01-00093-gaac0c29-dirty (Apr 10 2019 - 11:05:51 +0530)

DRAM: 128 MiB
RPI 3 Model B+ (0xa020d3)
MMC: mmc@7e202000: 0, sdhci@7e300000: 1
Loading Environment from FAT... OK
In: serial
Out: serial
Err: serial
Net: No ethernet found.
starting USB...
USB0: scanning bus 0 for devices... 4 USB Device(s) found
scanning usb for storage devices... 0 Storage Device(s) found
Hit any key to stop autoboot: 0
16105600 bytes read in 671 ms (22.9 MiB/s)

Loading kernel from FIT Image at 02000000 ...

Using 'config-1' configuration
Verifying Hash Integrity ... OK
Trying 'kernel-1' kernel subimage
Description: default kernel
Type: Kernel Image
Compression: uncompressed
Data Start: 0x020000c0
Data Size: 15071744 Bytes = 14.4 MiB
Architecture: AArch64
OS: Linux
Load Address: 0x00080000
Entry Point: 0x00080000
Hash algo: sha1
Hash value: 60c0bd58ae20a73eabf8d89b647bd3c19a137bc5
Verifying Hash Integrity ... sha1+ OK

Loading fdt from FIT Image at 02000000 ...

Using 'config-1' configuration
Verifying Hash Integrity ... OK
Trying 'fdt-1' fdt subimage
Description: device tree
Type: Flat Device Tree
Compression: uncompressed
Data Start: 0x02f5569c
Data Size: 25621 Bytes = 25 KiB
Architecture: AArch64
Load Address: 0x01000000
Hash algo: sha1
Hash value: d37f8aed170466dbf71dbf671f7487859c0dfcf0
Verifying Hash Integrity ... sha1+ OK
Loading fdt from 0x02f5569c to 0x01000000
Booting using the fdt blob at 0x1000000

Loading loadables from FIT Image at 02000000 ...

Trying 'tee-1' loadables subimage
Description: atf
Type: Standalone Program
Compression: uncompressed
Data Start: 0x02e5fba0
Data Size: 1006116 Bytes = 982.5 KiB
Architecture: AArch64
Load Address: 0x08400000
Entry Point: 0x08400000
Hash algo: sha1
Hash value: 4dc5a9130a711ae9414cdb6378ad6294f31d97d1
Verifying Hash Integrity ... sha1+ OK
Loading loadables from 0x02e5fba0 to 0x08400000
Loading Kernel Image ... OK
reserving fdt memory region: addr=0 size=1000
Loading Device Tree to 0000000007b36000, end 0000000007b3f414 ... OK

Starting kernel ...
...........
.........
Starting logging: OK
Initializing random number generator... done.
Set permissions on /dev/tee*: OK
Create/set permissions on /data/tee: OK
Starting tee-supplicant: OK
Starting network: OK

Welcome to Buildroot, type root or test to login
buildroot login:
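A check for the control DTB produced in step 4.1.5 (the `-K ... -r` output that `EXT_DTB` builds into U-Boot), added here as an example and not part of the original post: it walks the flattened device tree with no dependencies and confirms that `/signature/key-dev` carries `required = "conf"`, which is what makes the FIT signature mandatory rather than optional. `build_pubkey_dtb` and the two sample blobs are constructed fixtures, not dtc or mkimage output.

```python
import struct
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9            # FDT struct-block tokens
pad4 = lambda b: b + b"\0" * (-len(b) % 4)                      # names and values are 32-bit aligned

def parse_fdt(blob):
    """Minimal flattened-device-tree walker: returns {node_path: {prop_name: raw_bytes}}."""
    magic, _, off_struct, off_strings = struct.unpack(">4I", blob[:16])
    if magic != 0xD00DFEED: raise ValueError("not a DTB")
    cstr = lambda off: blob[off:blob.index(b"\0", off)].decode()
    nodes, path, pos = {}, [], off_struct
    cur = lambda: "/" + "/".join(filter(None, path))
    while True:
        tok = struct.unpack(">I", blob[pos:pos + 4])[0]; pos += 4
        if tok == BEGIN_NODE:
            name = cstr(pos); pos += len(pad4(name.encode() + b"\0"))
            path.append(name); nodes[cur()] = {}
        elif tok == END_NODE:
            path.pop()
        elif tok == PROP:
            length, nameoff = struct.unpack(">II", blob[pos:pos + 8]); pos += 8
            nodes[cur()][cstr(off_strings + nameoff)] = blob[pos:pos + length]
            pos += len(pad4(blob[pos:pos + length]))
        elif tok == END:
            return nodes
        elif tok != NOP:
            raise ValueError(f"bad FDT token {tok} at offset {pos - 4}")

def check_signing_key(blob, key_hint="dev"):
    """Return (required_for_conf, algo) for /signature/key-<hint>, the node `mkimage -K` writes.
    Without required = "conf" (the -r flag) U-Boot treats the signature as optional and boots anyway."""
    key = parse_fdt(blob).get(f"/signature/key-{key_hint}")
    if key is None:
        return False, None
    text = lambda p: key.get(p, b"").rstrip(b"\0").decode()
    return text("required") == "conf", text("algo")

def build_pubkey_dtb(key_props, hint="dev"):
    """Constructed fixture (not dtc or mkimage output): root -> signature -> key-<hint> with key_props."""
    st, strs = bytearray(), bytearray()
    for n in ("", "signature", f"key-{hint}"):
        st += struct.pack(">I", BEGIN_NODE) + pad4(n.encode() + b"\0")
    for k, v in key_props.items():
        st += struct.pack(">III", PROP, len(v), len(strs)) + pad4(v); strs += k.encode() + b"\0"
    st += struct.pack(">I", END_NODE) * 3 + struct.pack(">I", END)
    hdr = struct.pack(">10I", 0xD00DFEED, 56 + len(st) + len(strs), 56, 56 + len(st), 40, 17, 16, 0, len(strs), len(st))
    return hdr + b"\0" * 16 + bytes(st) + bytes(strs)

KEY = {"algo": b"sha1,rsa2048\0", "key-name-hint": b"dev\0"}   # constructed, shaped like mkimage's key-dev node
GOOD = build_pubkey_dtb(dict(KEY, required=b"conf\0"))          # what `mkimage -K ... -r` leaves behind
WEAK = build_pubkey_dtb(KEY)                                    # the same node when -r was forgotten
```

Pass the bytes of the real bcm2710-rpi-3-b-plus-pubkey.dtb to `check_signing_key`; a `(False, ...)` result means U-Boot was built with a key that does not enforce the signature, and step 4.1.5 should be repeated with `-r` before rebuilding U-Boot.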

@jbech-linaro
Contributor

@vvramya, thanks for sharing, it'd be good to have this in the official documentation https://optee.readthedocs.io ... maybe here https://optee.readthedocs.io/building/devices/rpi3.html#.

We should also proceed with OP-TEE/manifest#134 and OP-TEE/build#358 that you and @johnphilby created. I.e., getting things into the official trees. We don't want to rely on external instructions / trees etc, since we cannot vouch for things outside of our control.

@msa2 this is probably of interest to you.

@johnphilby

@jbech-linaro We would like to closely work with you in improving OPTEE. The management has allocated two resources for the same - Ramya and Varsha. Would like to discuss this in a separate mail on the tasks they can work on. They have been tinkering with optee to get the hang of it and it seems they are comfortable taking additional tasks. If there is a ToDo list of the tasks and if you can point them in the right direction, it would help.

I couldn’t find the time for pushing those changes OP-TEE/build#358 since I do not work full time on OPTEE. Will definitely try to push it this weekend.

@github-actions

This issue has been marked as a stale issue because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this issue will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.
