Hi,

Has anybody tried to activate/implement the Trusted Board Boot (TBB) feature of ARM Trusted Firmware (ATF) on Hikey or any other 96Board yet?

The minimal requirement to run TBB is GENERATE_COT, but it should be possible to only generate these Certificates of Trust (CoT) and add them to your Firmware Image Package (FIP). I've already tested TBB (incl. CoT) with the Juno DevBoard and it worked fine. The 96Boards repository does not mention TBB anywhere. But in the Hikey branch it is also possible to set the GENERATE_COT flag, and the *.crt files get generated.

BUT trying to flash fip.bin including the certificates always freezes while flashing with fastboot.

My workflow looks like this:

* compile 96boards-arm-trusted-firmware using uefi-tools from Linaro (works)

* generate new l-loader.bin and ptable-linux.img with the l-loader tool from 96boards

* generate boot-fat.uefi.img with a script following the instructions from 96boards

* flash l-loader.bin, ptable, fip, nvme and boot ...

The same works great with Makefile targets in the DS-5 IDE, but after setting the GENERATE_COT flag the flashing process stops while downloading fip.bin. The command-line output of fastboot freezes, and these are the last lines of the UART output:

INFO: Hisilicon HiKey platform is initialized
NOTICE: Enter fastboot mode...
INFO: enter usb_config
INFO: USB: DMA mode.
INFO: USB ULPI PHY
INFO: enter reset_endpoints.
INFO: Enter downloading mode. Please run fastboot command on Host.
INFO: enter reset_endpoints.
INFO: enter reset_endpoints.
INFO: enter reset_endpoints.
INFO: enter reset_endpoints.
INFO: usb: online (highspeed)
INFO: cmd :getvar:partition-type:ptable
INFO: cmd :getvar:max-download-size
INFO: cmd :download:00004600
INFO: cmd :flash:ptable
INFO: recog updatefile
INFO: cmd :getvar:partition-type:fastboot
INFO: cmd :getvar:max-download-size
INFO: cmd :download:0014605e

Does anybody know this issue or can give me a hint where to search for a solution? Creating the fip.bin (without CoT) in DEBUG mode does result in a bigger file and is still flashable, so size doesn't matter.

The output without the CoT option looks like:

INFO: usb: online (highspeed)
INFO: cmd :getvar:partition-type:ptable
INFO: cmd :getvar:max-download-size
INFO: cmd :download:00004600
INFO: cmd :flash:ptable
INFO: recog updatefile
INFO: cmd :getvar:partition-type:fastboot
INFO: cmd :getvar:max-download-size
INFO: cmd :download:00128f08
INFO: cmd :flash:fastboot
INFO: recog updatefile
INFO: cmd :getvar:partition-type:nvme
INFO: cmd :getvar:max-download-size
INFO: cmd :download:00020000
INFO: cmd :flash:nvme
INFO: recog updatefile
INFO: cmd :getvar:partition-type:boot
INFO: cmd :getvar:max-download-size
INFO: cmd :download:04000000
INFO: cmd :flash:boot
INFO: recog updatefile


Could it be a bug in l-loader? I've also tested it with the current state of https://github.com/96boards/arm-trusted-firmware but without any impact. Which components are affected by adding the certificates, without using TBB?

Adding some TBB code from Juno and compiling for Hikey made my BL1 now ask for a BL2 certificate, but without flashing fip ... :-(

NOTICE: TRUSTED_BOARD_BOOT - auth_init()
INFO: Using authentication module 'PolarSSL'
INFO: Using FIP
WARNING: Failed to access image 'bl2.crt' (-1)
ERROR: Failed to load BL2 certificate.
PANIC at PC : 0x00000000f9807b54


Kind Regards,

Michael
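
To pin down which phase of which transfer hangs, the UART lines quoted in the post can be paired up mechanically. The following is an added example, not part of the original post or of the 96boards tooling: the function names are hypothetical, and treating `recog updatefile` as the completion marker is an assumption based on it following every successful flash in the post's second log.

```python
import re

# Last UART lines from the post's GENERATE_COT run (fastboot hangs after these).
UART_LOG = """\
INFO: cmd :getvar:partition-type:ptable
INFO: cmd :getvar:max-download-size
INFO: cmd :download:00004600
INFO: cmd :flash:ptable
INFO: recog updatefile
INFO: cmd :getvar:partition-type:fastboot
INFO: cmd :getvar:max-download-size
INFO: cmd :download:0014605e
"""

CMD = re.compile(r"cmd\s*:(getvar:partition-type|download|flash):(\S+)")

def transfers(log):
    """Return one dict per download: partition, size in bytes, and state."""
    out, part = [], None
    for line in log.splitlines():
        m = CMD.search(line)
        if m:
            kind, arg = m.groups()
            if kind == "getvar:partition-type":
                part = arg  # host announces the target partition first
            elif kind == "download":
                # the size argument is hexadecimal
                out.append({"partition": part, "bytes": int(arg, 16),
                            "state": "downloading"})
            elif out and out[-1]["state"] == "downloading":
                out[-1].update(partition=arg, state="flashing")
        elif "recog updatefile" in line and out and out[-1]["state"] == "flashing":
            out[-1]["state"] = "done"  # assumed completion marker
    return out

def stalled(log):
    """Transfers that never reached the completion marker."""
    return [t for t in transfers(log) if t["state"] != "done"]

if __name__ == "__main__":
    for t in transfers(UART_LOG):
        print(f"{t['partition']:<10}{t['bytes']:>10} bytes  {t['state']}")
```

On the quoted log this reports the `fastboot` partition transfer of 1335390 bytes stuck in the download phase, so the device never received the matching `flash:fastboot` command.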