mirrors/meta-arm
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-arm synced 2026-06-01 01:00:15 +00:00
Code Issues Projects Releases Wiki Activity

docs:corstone1000: Update user guide

Browse Source 
- Replace openSUSE Tumbleweed with openSUSE Leap.
- Ensure correct component versions are listed.
- Update changelog and release notes for C25Q4 release.
- Add Positive partial capsule update test.
- Improve user guide for consistency and clarity.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
This commit is contained in:
Hugues KAMBA MPIANA
2026-01-08 19:57:13 +00:00
committed by Jon Mason
parent e8ffad9ef3
commit 9d3e85c7d8
3 changed files with 390 additions and 176 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-arm-bsp/documentation/corstone1000/change-log.rst
+72 -1
View File
@@ -1,5 +1,5 @@
.. ..
# Copyright (c) 2022-2025, Arm Limited. # Copyright (c) 2022-2026, Arm Limited.
# #
# SPDX-License-Identifier: MIT # SPDX-License-Identifier: MIT
@@ -10,6 +10,77 @@ Change Log
This document contains a summary of the new features, changes and This document contains a summary of the new features, changes and
fixes in each release of Corstone-1000 software stack. fixes in each release of Corstone-1000 software stack.
***************
Version 2025.12
***************
Changes
=======
- Delivered end-to-end Cortex-A320 enablement across U-Boot, TF-A, TF-M, OP-TEE, Yocto machine layers, and documentation, including device-tree updates, MPIDR handling, and FVP model renaming.
- Rolled out the PSA Firmware Update (DEN0118) pipeline: U-Boot capsule parsing, Bootloader Abstraction Layer in TF-M, ESRT exposure, and Trusted Services IPC bridges replacing legacy capsule code.
- Hardened the new firmware update flow with EFI self-tests, metadata restructuring for partial and multi-image acceptance, and RSE-COMMS gating refinements.
- Upgraded key firmware components (TF-A 2.13.0, TF-M 2.2.1, Trusted Services 1.2.0, OP-TEE OS 4.7.0) and introduced targeted test skips plus integer-only build modes to keep validation green.
- Cleaned and renumbered downstream patch series across Trusted Services and TF-M while removing obsolete integrations to align with upstream baselines.
- Refreshed release material and architecture guides to describe the A320 profile, PSA FWU behavior, and updated software stack.
- Added KAS profiles, machine includes, and automated FVP selection logic to streamline developer workflows for the refreshed platform configuration.
Corstone-1000 components versions
=================================
+-------------------------------------------+-------------------+
| linux-yocto | 6.12.60 |
+-------------------------------------------+-------------------+
| u-boot | 2025.04 |
+-------------------------------------------+-------------------+
| external-system | 0.1.0 |
+-------------------------------------------+-------------------+
| optee-client | 4.7.0 |
+-------------------------------------------+-------------------+
| optee-os | 4.7.0 |
+-------------------------------------------+-------------------+
| trusted-firmware-a | 2.13.0 |
+-------------------------------------------+-------------------+
| trusted-firmware-m | 2.2.1 |
+-------------------------------------------+-------------------+
| libts | v1.2.0 |
+-------------------------------------------+-------------------+
| ts-sp-{se-proxy, smm-gateway} | v1.2.0 |
+-------------------------------------------+-------------------+
| ts-psa-{crypto, iat, its. ps}-api-test | 74dc6646ff |
+-------------------------------------------+-------------------+
Yocto distribution components versions
======================================
+-------------------------------------------+----------------+
| meta-arm | whinlatter |
+-------------------------------------------+----------------+
| bitbake | 0dde1a3ff8 |
+-------------------------------------------+----------------+
| meta-openembedded | fc0152e434 |
+-------------------------------------------+----------------+
| openembedded-core | 4bd920ad7d |
+-------------------------------------------+----------------+
| meta-yocto | b3b6592635 |
+-------------------------------------------+----------------+
| meta-secure-core | 63209fb150 |
+-------------------------------------------+----------------+
| meta-ethos | aa2504a32f |
+-------------------------------------------+----------------+
| meta-sca | e68f1a9d17 |
+-------------------------------------------+----------------+
| busybox | 1.37.0 |
+-------------------------------------------+----------------+
| musl | 1.2.5 |
+-------------------------------------------+----------------+
| gcc-arm-none-eabi | 13.3.rel1 |
+-------------------------------------------+----------------+
| gcc-cross-aarch64 | 15.2.0 |
+-------------------------------------------+----------------+
| openssl | 3.5.4 |
+-------------------------------------------+----------------+
*************** ***************
Version 2025.05 Version 2025.05
*************** ***************
meta-arm-bsp/documentation/corstone1000/release-notes.rst
+13 -1
View File
@@ -1,5 +1,5 @@
.. ..
# Copyright (c) 2022-2025, Arm Limited. # Copyright (c) 2022-2026, Arm Limited.
# #
# SPDX-License-Identifier: MIT # SPDX-License-Identifier: MIT
@@ -19,6 +19,18 @@ intended for safety-critical applications. Should Your Software or Your Hardware
prove defective, you assume the entire cost of all necessary servicing, repair prove defective, you assume the entire cost of all necessary servicing, repair
or correction. or correction.
***********************
Release notes - 2025.12
***********************
The same notes as the 2025.05 release still apply.
Known Issues or Limitations
---------------------------
- Corstone-1000 with Cortex-A320 FVP does not currently support Symmetric Multiprocessing
- Corstone-1000 with Cortex-A320 FVP becomes unresponsive when the Linux kernel driver for the Ethos-U85 NPU loads automatically after a software reboot.
*********************** ***********************
Release notes - 2025.05 Release notes - 2025.05
*********************** ***********************
meta-arm-bsp/documentation/corstone1000/user-guide.rst
+303 -172
View File
@@ -1,5 +1,5 @@
.. ..
# Copyright (c) 2022-2025, Arm Limited. # Copyright (c) 2022-2026, Arm Limited.
# #
# SPDX-License-Identifier: MIT # SPDX-License-Identifier: MIT
@@ -133,7 +133,7 @@ Host Processor Components
+----------+------------------------------------------------------------------------------------------+ +----------+------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend`` | | bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend`` |
+----------+------------------------------------------------------------------------------------------+ +----------+------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/optee/optee-os_4.4.0.bb`` | | Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/optee/optee-os_4.7.0.bb`` |
+----------+------------------------------------------------------------------------------------------+ +----------+------------------------------------------------------------------------------------------+
`U-Boot <https://github.com/u-boot/u-boot.git>`__ `U-Boot <https://github.com/u-boot/u-boot.git>`__
@@ -144,7 +144,7 @@ Host Processor Components
+----------+----------------------------------------------------------------------------------+ +----------+----------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend`` | | bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend`` |
+----------+----------------------------------------------------------------------------------+ +----------+----------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_2023.07.02.bb`` | | Recipe | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_2025.04.bb`` |
+----------+----------------------------------------------------------------------------------+ +----------+----------------------------------------------------------------------------------+
Linux Linux
@@ -157,7 +157,7 @@ The provided distribution is based on `BusyBox <https://www.busybox.net/>`__ and
+-----------+------------------------------------------------------------------------------------------------+ +-----------+------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto_%.bbappend`` | | bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto_%.bbappend`` |
+-----------+------------------------------------------------------------------------------------------------+ +-----------+------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/poky/meta/recipes-kernel/linux/linux-yocto_6.12.bb`` | | Recipe | ``${WORKSPACE}/core/meta/recipes-kernel/linux/linux-yocto_6.12.bb`` |
+-----------+------------------------------------------------------------------------------------------------+ +-----------+------------------------------------------------------------------------------------------------+
| defconfig | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/defconfig`` | | defconfig | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/defconfig`` |
+-----------+------------------------------------------------------------------------------------------------+ +-----------+------------------------------------------------------------------------------------------------+
@@ -172,7 +172,7 @@ Secure Enclave Components
+----------+-------------------------------------------------------------------------------------------------------+ +----------+-------------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend`` | | bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend`` |
+----------+-------------------------------------------------------------------------------------------------------+ +----------+-------------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.1.1.bb`` | | Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.2.1.bb`` |
+----------+-------------------------------------------------------------------------------------------------------+ +----------+-------------------------------------------------------------------------------------------------------+
************************************ ************************************
@@ -245,7 +245,7 @@ Build
**The External System Processor is not available on the Corstone-1000 with Cortex-A320 FVP.** **The External System Processor is not available on the Corstone-1000 with Cortex-A320 FVP.**
Access to the External System Processor is disabled by default. Access to the External System Processor is disabled by default on **Corstone-1000 with Cortex-A35**.
To build the Corstone-1000 image with External System Processor enabled, run: To build the Corstone-1000 image with External System Processor enabled, run:
@@ -276,7 +276,7 @@ Everything apart from the Secure Enclave ROM firmware and External System firmwa
``corstone1000-flash-firmware-image-corstone1000-${TARGET}.wic`` file. ``corstone1000-flash-firmware-image-corstone1000-${TARGET}.wic`` file.
The output binaries run in the Corstone-1000 platform are the following: The output binaries run in the Corstone-1000 platform are the following:
- The Secure Enclave ROM firmware: ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/bl1.bin`` - The Secure Enclave ROM firmware: ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/trusted-firmware-m/bl1.bin``
- The External System Processor firmware: ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/es_flashfw.bin`` - The External System Processor firmware: ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/es_flashfw.bin``
- The internal firmware flash image: ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000-flash-firmware-image-corstone1000-${TARGET}.wic`` - The internal firmware flash image: ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000-flash-firmware-image-corstone1000-${TARGET}.wic``
@@ -370,7 +370,7 @@ Flash
IMAGE2FILE: \SOFTWARE\es0.bin IMAGE2FILE: \SOFTWARE\es0.bin
#. Copy ``bl1.bin`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle. #. Copy ``bl1.bin`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3/trusted-firmware-m/`` to the ``SOFTWARE`` directory of the FPGA bundle.
#. Copy ``es_flashfw.bin`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle #. Copy ``es_flashfw.bin`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle
and rename the binary to ``es0.bin``. and rename the binary to ``es0.bin``.
#. Copy ``corstone1000-flash-firmware-image-corstone1000-mps3.wic`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` #. Copy ``corstone1000-flash-firmware-image-corstone1000-mps3.wic`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE``
@@ -477,11 +477,16 @@ The FVP can also be manually downloaded from `Arm Developer <arm-developer-fvp_>
the Corstone-1000 platform FVP installer. the Corstone-1000 platform FVP installer.
Follow the instructions of the installer to setup the FVP. Follow the instructions of the installer to setup the FVP.
#. Run the FVP #. Run ``tmux``:
.. code-block:: console
cd ${WORKSPACE} && tmux
#. Run the FVP within ``tmux``:
.. code-block:: console .. code-block:: console
tmux
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \ kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=tmux" -c "../meta-arm/scripts/runfvp --terminals=tmux"
@@ -560,7 +565,7 @@ Clean Secure Flash
bitbake -c cleansstate trusted-firmware-m corstone1000-flash-firmware-image bitbake -c cleansstate trusted-firmware-m corstone1000-flash-firmware-image
bitbake -c build corstone1000-flash-firmware-image bitbake -c build corstone1000-flash-firmware-image
#. Replace the ``bl1.bin`` file on the SD card with ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3/bl1.bin``. #. Replace the ``bl1.bin`` file on the SD card with ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3/trusted-firmware-m/bl1.bin``.
#. Reboot the board to completely erase the secure flash. #. Reboot the board to completely erase the secure flash.
@@ -741,9 +746,7 @@ This sections below describe how to build and run ACS tests on Corstone-1000.
.. note:: .. note::
This prebuilt ACS image includes v5.13 kernel, which does not provide This prebuilt ACS image includes v5.13 kernel, which does not provide
USB driver support for Corstone-1000. The ACS image with a newer kernel version USB driver support for Corstone-1000.
and full USB support for Corstone-1000 will be available in the repository with the next
SystemReady release.
#. Decompress the pre-built ACS live image. #. Decompress the pre-built ACS live image.
@@ -809,16 +812,20 @@ FVP
=== ===
Run the commands below to run the ACS test on FVP using the built firmware image and the pre-built ACS image identified above: #. Run ``tmux``:
.. code-block:: console .. code-block:: console
cd ${WORKSPACE} cd ${WORKSPACE} && tmux
tmux
./meta-arm/scripts/runfvp \ #. Run the commands below within ``tmux`` to run the ACS test on FVP using the built firmware image and the pre-built ACS image identified above:
--terminals=tmux \
./build/tmp/deploy/images/corstone1000-fvp/corstone1000-flash-firmware-image-corstone1000-fvp.fvpconf \ .. code-block:: console
-- -C board.msd_mmc.p_mmc_file=${WORKSPACE}/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic
./meta-arm/scripts/runfvp \
--terminals=tmux \
./build/tmp/deploy/images/corstone1000-fvp/corstone1000-flash-firmware-image-corstone1000-fvp.fvpconf \
-- -C board.msd_mmc.p_mmc_file=${WORKSPACE}/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic
.. note:: .. note::
@@ -884,20 +891,42 @@ Capsule Update
systemready-patch/embedded-a/corstone1000/disable_module_autoloading/disable_module_autoloading.yml systemready-patch/embedded-a/corstone1000/disable_module_autoloading/disable_module_autoloading.yml
.. important::
Payload GUIDs (``${BL2_GUID}``, ``${TFM_S_GUID}``, ``${FIP_GUID}``, and ``${INITRAMFS_GUID}``)
are different depending on whether the capsule is built for the ``fvp`` or ``mps3`` ``${TARGET}``.
+------------+----------------------------------------+----------------------------------------+
| Payloads | FVP | MPS3 |
+============+========================================+========================================+
| BL2 | f1d883f9-dfeb-5363-98d8-686ee3b69f4f | fbfbefaa-0a56-50d5-b651-74091d3d62cf |
+------------+----------------------------------------+----------------------------------------+
| TFM_S | 7fad470e-5ec5-5c03-a2c1-4756b495de61 | af4cc7ad-ee2e-5a39-aad5-fac8a1e6173c |
+------------+----------------------------------------+----------------------------------------+
| FIP | f1933675-5a8c-5b6d-9ef4-846739e89bc8 | 55302f96-c4f0-5cf9-8624-e7cc388f2b68 |
+------------+----------------------------------------+----------------------------------------+
| INITRAMFS | f771aff9-c7e9-5f99-9eda-2369dd694f61 | 3e8ac972-c33c-5cc9-90a0-cdd3159683ea |
+------------+----------------------------------------+----------------------------------------+
The following section describes the steps to update the firmware using Capsule Update The following section describes the steps to update the firmware using Capsule Update
as the Corstone-1000 supports UEFI. as the Corstone-1000 supports UEFI.
The firmware update process is tested with an invalid capsule (rollback protection capsule update test) The firmware update process is tested with an invalid capsule and with valid capsules to validate the robustness and
and with a valid capsule (positive capsule update test) to validate the robustness and
error-handling capabilities of the firmware update mechanism. error-handling capabilities of the firmware update mechanism.
During the positive capsule update test, the Corstone-1000 is given a valid capsule, which it successfully applies, boots up and then reaches the Linux command prompt. **Positive full capsule update test:**
The Corstone-1000 is provided with a valid full capsule, which it applies successfully.
The system then boots normally and reaches the Linux command prompt.
During the rollback protection capsule update test, the Corstone-1000 is given an outdated capsule with a lower version number for all payloads, **Positive partial capsule update test:**
which is expected to be rejected due to its outdated status, thereby retaining the previous firmware. The Corstone-1000 is provided with a valid partial capsule that specifies an update for a single component only.
The capsule is applied successfully, after which the system boots normally and reaches the Linux command prompt.
Two different capsules (one for each test) are therefore needed to perform the tests. **Rollback protection capsule update test:**
The Corstone-1000 is provided with an outdated capsule containing lower version numbers for all payloads.
The capsule is correctly rejected due to rollback protection, and the previously installed firmware is retained.
Three different capsules are therefore needed to perform the tests.
The following payloads can be individually updated: The following payloads can be individually updated:
@@ -922,20 +951,21 @@ This JSON file is required by EDK II's ``GenerateCapsule`` tool to generate the
The capsule's default metadata passed can be found in the ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb`` The capsule's default metadata passed can be found in the ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb``
and ``${WORKSPACE}/meta-arm/kas/corstone1000-image-configuration.yml`` files. and ``${WORKSPACE}/meta-arm/kas/corstone1000-image-configuration.yml`` files.
Valid Capsule Valid Full Capsule
============= ==================
An automatically generated capsule can be found at ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}-v6.uefi.capsule`` after running a firmware build. An automatically generated capsule can be found at ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000-${TARGET}-v6.uefi.capsule`` after running a firmware build.
The default metadata values are assumed to be correct to generate a valid capsule. The default metadata values are assumed to be correct to generate a valid capsule.
This capsule will be used for the positive capsule update test. This capsule will be used for the positive capsule update test.
Invalid Capsule Valid Partial Capsule
=============== =====================
Generate a capsule with firmware version metadata for all payloads set lower than that of a valid capsule. To generate a capsule that updates only a single component, explicitly set the firmware version for that component and mark it as the only payload to be updated.
The valid capsule has a default firmware version of 6 for all payloads, while the simulated invalid capsule has the firmware version set to 5 for all payloads.
The **partial capsule** is also valid, but sets the firmware version to **7** **only** for the **BL2** component, indicating that no other components should be updated.
Use the following commands to generate the `capsule_config.json` file, which is required by the EDK2 tool for capsule creation: Use the following commands to generate the `capsule_config.json` file, which is required by the EDK2 tool for capsule creation:
@@ -943,10 +973,10 @@ Use the following commands to generate the `capsule_config.json` file, which is
cd ${WORKSPACE} cd ${WORKSPACE}
python3 meta-arm/scripts/generate_capsule_json_multiple.py \ python3 meta-arm/meta-arm/scripts/generate_capsule_json_multiple.py \
--selected_components DUMMY_START BL2 TFM_S FIP INITRAMFS DUMMY_END \ --selected_components DUMMY_START BL2 DUMMY_END \
--components DUMMY_START BL2 TFM_S FIP INITRAMFS DUMMY_END \ --components DUMMY_START BL2 TFM_S FIP INITRAMFS DUMMY_END \
--fw_versions 5 5 5 5 5 5 \ --fw_versions 0 7 0 0 0 0 \
--guids \ --guids \
6f784cbf-7938-5c23-8d6e-24d2f1410fa9 \ 6f784cbf-7938-5c23-8d6e-24d2f1410fa9 \
${BL2_GUID} ${TFM_S_GUID} ${FIP_GUID} ${INITRAMFS_GUID} \ ${BL2_GUID} ${TFM_S_GUID} ${FIP_GUID} ${INITRAMFS_GUID} \
@@ -955,12 +985,12 @@ Use the following commands to generate the `capsule_config.json` file, which is
--lowest_supported_versions 5 5 5 5 5 5 \ --lowest_supported_versions 5 5 5 5 5 5 \
--monotonic_counts 1 1 1 1 1 1 \ --monotonic_counts 1 1 1 1 1 1 \
--payloads \ --payloads \
build/tmp/deploy/images/corstone1000-${TARGET}/dummy.bin \ build/tmp/work/corstone1000_${TARGET}-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \
build/tmp/deploy/images/corstone1000-${TARGET}/bl2_signed.bin \ build/tmp/deploy/images/corstone1000-${TARGET}/trusted-firmware-m/bl2_signed.bin \
build/tmp/deploy/images/corstone1000-${TARGET}/tfm_s_signed.bin \ build/tmp/deploy/images/corstone1000-${TARGET}/trusted-firmware-m/tfm_s_signed.bin \
build/tmp/deploy/images/corstone1000-${TARGET}/signed_fip-corstone1000.bin \ build/tmp/deploy/images/corstone1000-${TARGET}/signed_fip-corstone1000.bin \
build/tmp/deploy/images/corstone1000-${TARGET}/Image.gz-initramfs-corstone1000-${TARGET}.bin \ build/tmp/deploy/images/corstone1000-${TARGET}/Image.gz-initramfs-corstone1000-${TARGET}.bin \
build/tmp/deploy/images/corstone1000-${TARGET}/dummy.bin \ build/tmp/work/corstone1000_${TARGET}-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \
--update_image_indexes 5 1 2 3 4 6 \ --update_image_indexes 5 1 2 3 4 6 \
--private_keys \ --private_keys \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_key.key \ build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_key.key \
@@ -978,23 +1008,65 @@ Use the following commands to generate the `capsule_config.json` file, which is
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_cert.crt \ build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_cert.crt \
--output capsule_config.json --output capsule_config.json
Run the command below to generate the partial capsule:
.. important:: .. code-block:: console
Payload GUIDs (``${BL2_GUID}``, ``${TFM_S_GUID}``, ``${FIP_GUID}``, and ``${INITRAMFS_GUID}``) ./build/tmp/sysroots-components/aarch64/edk2-basetools-native/usr/bin/edk2-BaseTools/BinWrappers/PosixLike/GenerateCapsule \
are different depending on whether the capsule is built for the ``fvp`` or ``mps3`` ``${TARGET}``. -e \
-j capsule_config.json \
--capflag PersistAcrossReset \
-o corstone1000-${TARGET}-partial-v7.uefi.capsule
The partial capsule will be located in the ``${WORKSPACE}`` directory.
Invalid Capsule
===============
Generate a capsule with firmware version metadata for all payloads set lower than that of a valid capsule.
The valid capsule has a default firmware version of 6 for all payloads, while the simulated invalid capsule has the firmware version set to 5 for all payloads.
Use the following commands to generate the `capsule_config.json` file, which is required by the EDK2 tool for capsule creation:
.. code-block:: console
cd ${WORKSPACE}
python3 meta-arm/meta-arm/scripts/generate_capsule_json_multiple.py \
--selected_components DUMMY_START BL2 TFM_S FIP INITRAMFS DUMMY_END \
--components DUMMY_START BL2 TFM_S FIP INITRAMFS DUMMY_END \
--fw_versions 5 5 5 5 5 5 \
--guids \
6f784cbf-7938-5c23-8d6e-24d2f1410fa9 \
${BL2_GUID} ${TFM_S_GUID} ${FIP_GUID} ${INITRAMFS_GUID} \
b57e432b-a250-5c73-93e3-90205e64baba \
--hardware_instances 1 1 1 1 1 1 \
--lowest_supported_versions 5 5 5 5 5 5 \
--monotonic_counts 1 1 1 1 1 1 \
--payloads \
build/tmp/work/corstone1000_${TARGET}-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \
build/tmp/deploy/images/corstone1000-${TARGET}/trusted-firmware-m/bl2_signed.bin \
build/tmp/deploy/images/corstone1000-${TARGET}/trusted-firmware-m/tfm_s_signed.bin \
build/tmp/deploy/images/corstone1000-${TARGET}/signed_fip-corstone1000.bin \
build/tmp/deploy/images/corstone1000-${TARGET}/Image.gz-initramfs-corstone1000-${TARGET}.bin \
build/tmp/work/corstone1000_${TARGET}-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \
--update_image_indexes 5 1 2 3 4 6 \
--private_keys \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_key.key \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_key.key \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_key.key \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_key.key \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_key.key \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_key.key \
--certificates \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_cert.crt \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_cert.crt \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_cert.crt \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_cert.crt \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_cert.crt \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_cert.crt \
--output capsule_config.json
+------------+----------------------------------------+----------------------------------------+
| Payloads | FVP | MPS3 |
+============+========================================+========================================+
| BL2 | f1d883f9-dfeb-5363-98d8-686ee3b69f4f | fbfbefaa-0a56-50d5-b651-74091d3d62cf |
+------------+----------------------------------------+----------------------------------------+
| TFM_S | 7fad470e-5ec5-5c03-a2c1-4756b495de61 | af4cc7ad-ee2e-5a39-aad5-fac8a1e6173c |
+------------+----------------------------------------+----------------------------------------+
| FIP | f1933675-5a8c-5b6d-9ef4-846739e89bc8 | 55302f96-c4f0-5cf9-8624-e7cc388f2b68 |
+------------+----------------------------------------+----------------------------------------+
| INITRAMFS | f771aff9-c7e9-5f99-9eda-2369dd694f61 | 3e8ac972-c33c-5cc9-90a0-cdd3159683ea |
+------------+----------------------------------------+----------------------------------------+
Run the command below to generate the invalid capsule: Run the command below to generate the invalid capsule:
@@ -1026,6 +1098,7 @@ MPS3
cp ${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3/corstone1000-mps3-v6.uefi.capsule /dev/sdc/BOOT/ cp ${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3/corstone1000-mps3-v6.uefi.capsule /dev/sdc/BOOT/
cp ${WORKSPACE}/corstone1000-mps3-v5.uefi.capsule /dev/sdc/EFI/BOOT/ cp ${WORKSPACE}/corstone1000-mps3-v5.uefi.capsule /dev/sdc/EFI/BOOT/
cp ${WORKSPACE}/corstone1000-mps3-partial-v7.uefi.capsule /dev/sdc/EFI/BOOT/
sync sync
.. note:: .. note::
@@ -1076,6 +1149,7 @@ FVP
sudo cp ${WORKSPACE}/build/tmp/deploy/images/corstone1000-fvp/corstone1000-fvp-v6.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/ sudo cp ${WORKSPACE}/build/tmp/deploy/images/corstone1000-fvp/corstone1000-fvp-v6.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/
sudo cp ${WORKSPACE}/corstone1000-fvp-v5.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/ sudo cp ${WORKSPACE}/corstone1000-fvp-v5.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/
sudo cp ${WORKSPACE}/corstone1000-fvp-partial-v7.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/
sync sync
#. Unmount the IR image: #. Unmount the IR image:
@@ -1088,8 +1162,8 @@ FVP
Run Capsule Update Tests Run Capsule Update Tests
************************ ************************
The valid capsule (``corstone1000-${TARGET}-v6.uefi.capsule``) will be used first to run the positive capsule update test. The valid capsules will be used first to run the positive capsule update tests.
This will be followed by using the invalid capsule (``corstone1000-${TARGET}-v5.uefi.capsule``) to run the rollback protection capsule update test. This will be followed by using the invalid capsule to run the rollback protection capsule update test.
.. important:: .. important::
@@ -1097,10 +1171,10 @@ This will be followed by using the invalid capsule (``corstone1000-${TARGET}-v5.
The rollback protection capsule update test effectively tests that firmware rollback is not permitted. The rollback protection capsule update test effectively tests that firmware rollback is not permitted.
.. _positive-capsule-update-test: .. _positive-full-capsule-update-test:
Positive Capsule Update Test Positive Full Capsule Update Test
============================ =================================
#. Run Corstone-1000 with the ACS image containing the two capsule files: #. Run Corstone-1000 with the ACS image containing the two capsule files:
@@ -1111,11 +1185,16 @@ Positive Capsule Update Test
- FVP: - FVP:
#. Run the FVP with the IR prebuilt image which now also contains the two capsules: #. Run ``tmux``:
.. code-block:: console
cd ${WORKSPACE} && tmux
#. Run the FVP within ``tmux`` with the IR prebuilt image which now also contains the two capsules:
.. code-block:: console .. code-block:: console
tmux
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \ kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=tmux \ -c "../meta-arm/scripts/runfvp --terminals=tmux \
-- -C board.msd_mmc.p_mmc_file=${ACS_IMAGE_PATH}/ir-acs-live-image-generic-arm64.wic" -- -C board.msd_mmc.p_mmc_file=${ACS_IMAGE_PATH}/ir-acs-live-image-generic-arm64.wic"
@@ -1237,14 +1316,31 @@ Positive Capsule Update Test
.. warning:: .. warning::
Do not terminate FVP between the positive and rollback protection capsule update tests. Do not terminate FVP between the positive full capsule update and partial capsule update tests.
.. _positive-partial-capsule-update-test:
Positive Partial Capsule Update Test
====================================
Follow the steps for the `positive full capsule update test <positive-full-capsule-update-test_>`__ ensuring you use
``corstone1000-${TARGET}-partial-v7.uefi.capsule`` instead of ``corstone1000-${TARGET}-v6.uefi.capsule``.
Once the system has fully booted again, `read the ESRT <verifying-firmware-versions-via-esrt_>`__ to
confirm that the firmware version reflects the updated capsule.
.. warning::
Do not terminate FVP between the positive partial capsule update rollback protection capsule update tests.
Rollback Protection Capsule Update Test Rollback Protection Capsule Update Test
======================================= =======================================
.. important:: .. important::
The `positive capsule update test <positive-capsule-update-test_>`__ must be run before running the rollback protection capsule update test. The `positive partial capsule update test <positive-partial-capsule-update-test_>`__ must be run before running the rollback protection capsule update test.
#. After running the positive capsule update test, reboot the system by typing the following command on the Host Processor terminal (``ttyUSB2`` for MPS3): #. After running the positive capsule update test, reboot the system by typing the following command on the Host Processor terminal (``ttyUSB2`` for MPS3):
@@ -1431,8 +1527,8 @@ To check the version and status of BL2 (``entry0``), run:
cat /sys/firmware/efi/esrt/entries/entry0/last_attempt_status cat /sys/firmware/efi/esrt/entries/entry0/last_attempt_status
Positive Capsule Update Test ESRT Positive Full Capsule Update Test ESRT
================================= ======================================
The following table shows the details of the first four ESRT entries for the positive capsule update test: The following table shows the details of the first four ESRT entries for the positive capsule update test:
@@ -1448,6 +1544,23 @@ The following table shows the details of the first four ESRT entries for the pos
| 0 | ``${INITRAMFS_GUID}`` | 0 | 6 | 0 | 6 | 0 | | 0 | ``${INITRAMFS_GUID}`` | 0 | 6 | 0 | 6 | 0 |
+-------------------+-----------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+ +-------------------+-----------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+
Positive Partial Capsule Update Test ESRT
=========================================
The following table shows the details of the first four ESRT entries for the positive capsule update test:
+-------------------+-----------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+
| ``capsule_flags`` | ``fw_class`` | ``fw_type`` | ``fw_version`` | ``last_attempt_status`` | ``last_attempt_version`` | ``lowest_supported_fw_ver`` |
+===================+=======================+=============+================+=========================+==========================+=============================+
| 0 | ``${BL2_GUID}`` | 0 | 7 | 0 | 7 | 0 |
+-------------------+-----------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+
| 0 | ``${TFM_S_GUID}`` | 0 | 6 | 0 | 6 | 0 |
+-------------------+-----------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+
| 0 | ``${FIP_GUID}`` | 0 | 6 | 0 | 6 | 0 |
+-------------------+-----------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+
| 0 | ``${INITRAMFS_GUID}`` | 0 | 6 | 0 | 6 | 0 |
+-------------------+-----------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+
Rollback Protection Capsule Update Test ESRT Rollback Protection Capsule Update Test ESRT
============================================ ============================================
@@ -1456,7 +1569,7 @@ The following table shows the details of the first four ESRT entries for the rol
+-------------------+------------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+ +-------------------+------------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+
| ``capsule_flags`` | ``fw_class`` | ``fw_type`` | ``fw_version`` | ``last_attempt_status`` | ``last_attempt_version`` | ``lowest_supported_fw_ver`` | | ``capsule_flags`` | ``fw_class`` | ``fw_type`` | ``fw_version`` | ``last_attempt_status`` | ``last_attempt_version`` | ``lowest_supported_fw_ver`` |
+===================+========================+=============+================+=========================+==========================+=============================+ +===================+========================+=============+================+=========================+==========================+=============================+
| 0 | ``${BL2_GUID}`` | 0 | 6 | 1 | 5 | 0 | | 0 | ``${BL2_GUID}`` | 0 | 7 | 1 | 5 | 0 |
+-------------------+------------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+ +-------------------+------------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+
| 0 | ``${TFM_S_GUID}`` | 0 | 6 | 0 | 6 | 0 | | 0 | ``${TFM_S_GUID}`` | 0 | 6 | 0 | 6 | 0 |
+-------------------+------------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+ +-------------------+------------------------+-------------+----------------+-------------------------+--------------------------+-----------------------------+
@@ -1491,44 +1604,40 @@ Follow the instructions below to create the installation media.
#. Using your development machine, download one of following Linux distribution images: #. Using your development machine, download one of following Linux distribution images:
- `Debian installer image <https://cdimage.debian.org/mirror/cdimage/archive/12.7.0/arm64/iso-dvd/>`__ - `Debian installer image <https://cdimage.debian.org/mirror/cdimage/archive/12.7.0/arm64/iso-dvd/>`__
- `OpenSUSE Tumbleweed installer image <http://download.opensuse.org/ports/aarch64/tumbleweed/iso/>`__ - `openSUSE Leap installer image <https://download.opensuse.org/distribution/leap/15.6/iso/openSUSE-Leap-15.6-DVD-aarch64-Current.iso>`__
.. note:: .. note::
For openSUSE Tumbleweed, search for an ISO file with the format: ``openSUSE-Tumbleweed-DVD-aarch64-Snapshot$DATE-Media.iso``. The location of the ISO file on the development machine will be referred to as ``${DISTRO_INSTALLER_ISO_PATH}``.
``openSUSE-Tumbleweed-DVD-aarch64-Snapshot20250509-Media.iso`` was used during development.
The location of the ISO file on the development machine will be referred to as ``${DISTRO_INSTALLER_ISO_PATH}``.
#. Create the installation media which will contain the necessary files to install the operation system. #. Create the installation media which will contain the necessary files to install the operation system.
- MPS3: - **MPS3**:
#. Plug a blank USB drive formatted with FAT32, ensuring it has a minimum capacity of 4GB, to the development machine. #. Plug a blank USB drive formatted with FAT32, ensuring it has a minimum capacity of 4GB, to the development machine.
#. Run the following command to discover which device is your USB drive: #. Run the following command to discover which device is your USB drive:
.. code-block:: console .. code-block:: console
lsblk lsblk
The remaining steps assume the USB drive is ``/dev/sdb``. The remaining steps assume the USB drive is ``/dev/sdb``.
.. warning:: .. warning::
Do not mistake your development machine hard drive with the USB drive. Do not mistake your development machine hard drive with the USB drive.
#. Write one of the distribution installer ISO file to the USB drive. #. Write one of the distribution installer ISO file to the USB drive.
.. code-block:: console .. code-block:: console
sudo dd if=${DISTRO_INSTALLER_ISO_PATH} of=/dev/sdb iflag=direct oflag=direct status=progress bs=1M; sync; sudo dd if=${DISTRO_INSTALLER_ISO_PATH} of=/dev/sdb iflag=direct oflag=direct status=progress bs=1M; sync;
- FVP: - **FVP**:
The distribution installer ISO file does not need to be burnt to a USB drive. The distribution installer ISO file does not need to be burnt to a USB drive.
It will be used as is when starting the FVP install the distribution. It will be used as is when starting the FVP install the distribution.
******************** ********************
Prepare System Drive Prepare System Drive
@@ -1586,11 +1695,17 @@ MPS3
FVP FVP
=== ===
#. Start the FVP with the system drive as the primary drive and the distro ISO file as the secondary drive.
#. Run the ``tmux``:
.. code-block:: console
cd ${WORKSPACE} && tmux
#. Start the FVP within ``tmux`` with the system drive as the primary drive and the distro ISO file as the secondary drive:
.. code-block:: console .. code-block:: console
tmux
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \ kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=tmux -- \ -c "../meta-arm/scripts/runfvp --terminals=tmux -- \
-C board.msd_mmc.p_mmc_file=${WORKSPACE}/fvp_distro_system_drive.img \ -C board.msd_mmc.p_mmc_file=${WORKSPACE}/fvp_distro_system_drive.img \
@@ -1653,11 +1768,16 @@ Boot Distribution
The target should automatically boot into the installed operating system image. The target should automatically boot into the installed operating system image.
Stop the FVP and run the command below to simulate a cold boot: Stop the FVP with ``CTRL+C`` and run ``tmux``:
.. code-block:: console
cd ${WORKSPACE} && tmux
Run the command below to simulate a cold boot:
.. code-block:: console .. code-block:: console
tmux
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \ kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=tmux -- \ -c "../meta-arm/scripts/runfvp --terminals=tmux -- \
-C board.msd_mmc.p_mmc_file=${WORKSPACE}/fvp_distro_system_drive.img" -C board.msd_mmc.p_mmc_file=${WORKSPACE}/fvp_distro_system_drive.img"
@@ -1681,7 +1801,7 @@ Timeout Optimizations
.. important:: .. important::
Operating system timeouts are inconsistent across systems. Operating system timeouts are inconsistent across systems.
Skip this section if the system boots to Debian or OpenSUSE without any issue. Skip this section if the system boots to Debian or openSUSE without any issue.
Make the system modification below whilst in recovery mode to increase timeouts and boot to the installed distribution. Make the system modification below whilst in recovery mode to increase timeouts and boot to the installed distribution.
@@ -1796,63 +1916,6 @@ The modified ESP image can be found at ``${WORKSPACE}/build/tmp/deploy/images/co
Run Unsigned Image Boot Test Run Unsigned Image Boot Test
**************************** ****************************
.. _unsigned-image-boot-test-fvp:
FVP
===
#. Follow the instructions `here <use-efi-system-partition-fvp_>`__ to use the ESP.
#. Run the software stack as described `here <running-software-stack-fvp_>`__.
#. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Press any key to stop``.
.. warning::
There is a timeout of 3 seconds to stop the execution at the U-Boot prompt.
The U-Boot console prompt looks as follows:
.. code-block:: console
corstone1000#
.. important::
The rest of the instructions below will be executed on the U-Boot terminal.
#. On the U-Boot console, set the current MMC device.
.. code-block:: console
corstone1000# mmc dev 1
#. Enroll the four UEFI secure boot authenticated variables.
.. code-block:: console
corstone1000# \
load mmc 1:1 $loadaddr corstone1000_secureboot_keys/PK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \
load mmc 1:1 $loadaddr corstone1000_secureboot_keys/KEK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize KEK; \
load mmc 1:1 $loadaddr corstone1000_secureboot_keys/db.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize db; \
load mmc 1:1 $loadaddr corstone1000_secureboot_keys/dbx.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize dbx
#. Attempt to Load the unsigned kernel image.
.. code-block:: console
corstone1000# \
load mmc 1:1 $loadaddr corstone1000_secureboot_fvp_images/Image_fvp; \
loadm $loadaddr $kernel_addr_r $filesize; \
bootefi $kernel_addr_r $fdtcontroladdr
Booting /MemoryMapped(0x0,0x88200000,0x236aa00)
Image not authenticated
Loading image failed
The unsigned Linux kernel image should not be loaded.
.. _unsigned-image-boot-test-mps3: .. _unsigned-image-boot-test-mps3:
MPS3 MPS3
@@ -1925,27 +1988,68 @@ MPS3
The unsigned Linux kernel image should not be loaded. The unsigned Linux kernel image should not be loaded.
**************************
Run Signed Image Boot Test .. _unsigned-image-boot-test-fvp:
**************************
FVP FVP
=== ===
.. important:: #. Follow the instructions `here <use-efi-system-partition-fvp_>`__ to use the ESP.
You must first perform the `Unsigned Image Boot Test <unsigned-image-boot-test-fvp_>`__. #. Run the software stack as described `here <running-software-stack-fvp_>`__.
Load the signed kernel image. #. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Press any key to stop``.
.. code-block:: console .. warning::
corstone1000# \ There is a timeout of 3 seconds to stop the execution at the U-Boot prompt.
load mmc 1:1 $loadaddr corstone1000_secureboot_fvp_images/Image_fvp.signed; \
loadm $loadaddr $kernel_addr_r $filesize; \
bootefi $kernel_addr_r $fdtcontroladdr
The signed Linux kernel image should be booted successfully. The U-Boot console prompt looks as follows:
.. code-block:: console
corstone1000#
.. important::
The rest of the instructions below will be executed on the U-Boot terminal.
#. On the U-Boot console, set the current MMC device.
.. code-block:: console
corstone1000# mmc dev 1
#. Enroll the four UEFI secure boot authenticated variables.
.. code-block:: console
corstone1000# \
load mmc 1:1 $loadaddr corstone1000_secureboot_keys/PK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \
load mmc 1:1 $loadaddr corstone1000_secureboot_keys/KEK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize KEK; \
load mmc 1:1 $loadaddr corstone1000_secureboot_keys/db.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize db; \
load mmc 1:1 $loadaddr corstone1000_secureboot_keys/dbx.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize dbx
#. Attempt to Load the unsigned kernel image.
.. code-block:: console
corstone1000# \
load mmc 1:1 $loadaddr corstone1000_secureboot_fvp_images/Image_fvp; \
loadm $loadaddr $kernel_addr_r $filesize; \
bootefi $kernel_addr_r $fdtcontroladdr
Booting /MemoryMapped(0x0,0x88200000,0x236aa00)
Image not authenticated
Loading image failed
The unsigned Linux kernel image should not be loaded.
**************************
Run Signed Image Boot Test
**************************
MPS3 MPS3
==== ====
@@ -1966,6 +2070,25 @@ Load the signed kernel image.
The signed Linux kernel image should be booted successfully. The signed Linux kernel image should be booted successfully.
FVP
===
.. important::
You must first perform the `Unsigned Image Boot Test <unsigned-image-boot-test-fvp_>`__.
Load the signed kernel image.
.. code-block:: console
corstone1000# \
load mmc 1:1 $loadaddr corstone1000_secureboot_fvp_images/Image_fvp.signed; \
loadm $loadaddr $kernel_addr_r $filesize; \
bootefi $kernel_addr_r $fdtcontroladdr
The signed Linux kernel image should be booted successfully.
******************* *******************
Disable Secure Boot Disable Secure Boot
******************* *******************
@@ -1982,15 +2105,6 @@ To resolve this, the Platform Key (one of the UEFI authenticated variables for s
#. On the U-Boot console, delete the Platform Key (PK). #. On the U-Boot console, delete the Platform Key (PK).
- FVP
.. code-block:: console
corstone1000# \
mmc dev 1; \
load mmc 1:1 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \
boot
- MPS3 - MPS3
.. code-block:: console .. code-block:: console
@@ -2001,6 +2115,16 @@ To resolve this, the Platform Key (one of the UEFI authenticated variables for s
load usb 0 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \ load usb 0 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \
boot boot
- FVP
.. code-block:: console
corstone1000# \
mmc dev 1; \
load mmc 1:1 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \
boot
PSA API PSA API
------- -------
@@ -2098,12 +2222,19 @@ Ethos-U85 NPU
git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git \ git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git \
-b CORSTONE1000-2025.12 -b CORSTONE1000-2025.12
#. Copy the additional kas configuration file to:
.. code-block:: console
cp ${WORKSPACE}/systemready-patch/embedded-a/corstone1000/ethos-u85_test/ethos-u85_test.yml \
${WORKSPACE}/meta-arm/kas/
#. Re-Build the Corstone-1000 with Cortex-A320 FVP software stack as follows: #. Re-Build the Corstone-1000 with Cortex-A320 FVP software stack as follows:
.. code-block:: console .. code-block:: console
kas build meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-a320.yml:\ kas build meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-a320.yml:\
systemready-patch/embedded-a/corstone1000/ethos-u85_test/ethos-u85_test.yml meta-arm/kas/ethos-u85_test.yml
#. Run the Corstone-1000 with Cortex-320 FVP: #. Run the Corstone-1000 with Cortex-320 FVP: