3.8. ARM Trusted Firmware-AΒΆ


Trusted Firmware-A (TF-A) provides a reference implementation of secure world software for Armv7-A and Armv8-A, including a Secure Monitor executing at Exception Level 3 (EL3).

ATF is used as the initial start code on ARMv8-A cores for all K3 platforms. After setting up the initial core state and applying any needed errata fixes it sets up itself as the EL3 monitor handler. After this is installs the secure world software (OP-TEE) and passes execution on to either the Linux kernel or U-Boot in the non-secure world.

Getting the ATF Source Code

$ git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git

Getting Security Dev Tool

$ git clone https://git.ti.com/git/security-development-tools/core-secdev-k3.git -b master
$ export TI_SECURE_DEV_PKG=`pwd`/core-secdev-k3

Building ATF

$ export TFA_DIR=<path-to-arm-trusted-firmware>
on GP
$ cd $TFA_DIR
$ make ARCH=aarch64 CROSS_COMPILE=aarch64-none-linux-gnu- PLAT=k3 TARGET_BOARD=lite SPD=opteed
on HS
$ cd $TFA_DIR
$ make ARCH=aarch64 CROSS_COMPILE=aarch64-none-linux-gnu- PLAT=k3 TARGET_BOARD=lite SPD=opteed

Sign the output binary (bl31.bin) located in: $TFA_DIR/build/k3/lite/release
$ {TI_SECURE_DEV_PKG}/scripts/secure-binary-image.sh $TFA_DIR/build/k3/lite/release/bl31.bin $TFA_DIR/build/k3/lite/release/bl31.bin.signed

Default load locations

ATF image 0x701c0000
OP-TEE image 0x9e800000
U-Boot/Linux kernel image 0x80080000
DTB 0x82000000

To change the default load address of these binaries, an adress has to be changed in several source trees. The following is an example for AM64x family devices. Other family devices might not at the moment have binman dtsi files associated with them but they could in the future.

Source ATF OPTEE A53 SPL A53 U-Boot DTB kernel Comments
<atf>/plat/ti/k3/board/lite/board.mk   BL32_BASE PRELOADED_BL33_BASE   K3_HW_CONFIG_BASE   Change K3_HW_CONFIG_BASE for u-boot a53 skip case
<optee>/core/arch/arm/plat-k3/conf.mk   CFG_TZDRAM_START          
<uboot>/configs/am64x_evm_r5_defconfig K3_ATF_LOAD_ADDR            
<uboot>/configs/am64x_evm_a53_defconfig     SPL_TEXT_BASE SYS_TEXT_BASE     SYS_TEXT_BASE can be set in defconfig, has default value in Kconfig
<uboot/linux>/arch/arm/dts/k3-am642*.dts files   reserved-memory nodes          
<uboot>/arch/arm/dts/k3-am642-evm-binman.dtsi file   tee nodes uboot nodes uboot nodes      
<uboot>/include/configs/ti_armv7_common.h         fdtaddr loadaddr If not defined here, u-boot will pick any adress
uEnv.txt         fdtaddr loadaddr Overwrite the u-boot environment variables