Boot process: FSBL (hart-software-services) -> OpenSBI + Keystone security manager -> U-boot -> Linux
To start off, clone the repositories from all of the above links (and switch to the linked branch).
# DEPENDENCIES:
# pip install kconfiglib
# riscv64-unknown-linux-gnu-gcc
git clone https://github.com/archshift/hart-software-services
cd hart-software-services
git checkout spi-flash-boot
cp boards/mpfs-icicle-kit-es/def_config .config
# Enable booting from SPI Flash
echo "CONFIG_SERVICE_BOOT_SPI_FLASH=0x400" >> .config
make BOARD=mpfs-icicle-kit-es CROSS_COMPILE=riscv64-unknown-linux-gnu-
# Output file: $PWD/boards/mpfs-icicle-kit-es/payload.hex
You need to flash this bootloader file with Libero. The process is described in detail in this post, under the section "Installing firmware".
# DEPENDENCIES:
# Tested with riscv64-unknown-linux-gnu-gcc == 10.2.0. Did NOT work with version 7.2.0.
git clone https://github.com/u-boot/u-boot
cd u-boot
git checkout v2021.04
# Create .config
make ARCH=riscv CROSS_COMPILE=riscv64-unknown-linux-gnu- -j12 microchip_mpfs_icicle_defconfig
# Build U-Boot
make ARCH=riscv CROSS_COMPILE=riscv64-unknown-linux-gnu-
# Output file: $PWD/u-boot.bin
git clone https://github.com/keystone-enclave/sm
cd sm
git checkout mpfs
Note: before building the SM, you need to change this line from PMP_NO_PERM
to PMP_ALL_PERM
. This works around an unresolved bug where U-Boot freezes on start, but unfortunately breaks Keystone's security model. So you SHOULD NOT try to use this in a secure system.
# Change this as needed
UBOOT_DIR=$PWD/../u-boot
# Build SM
make -C opensbi O=$PWD/build PLATFORM_DIR=$PWD/plat/mpfs \
FW_PAYLOAD_PATH=$UBOOT_DIR/u-boot.bin FW_PAYLOAD=y \
FW_FDT_PATH=$UBOOT_DIR/arch/riscv/dts/microchip-mpfs-icicle-kit.dtb \
PLATFORM_RISCV_ABI=lp64d CROSS_COMPILE=riscv64-unknown-elf-
# Output file: $PWD/build/platform/mpfs/firmware/fw_payload.elf
git clone https://github.com/archshift/polarfire-soc-flash-tools
cd polarfire-soc-flash-tools
# Change this as needed
export LIBERO_DIR=/usr/local/microsemi/Libero_SoC_v12.6/
# Change this as needed
SM_DIR=$PWD/..
cp $SM_DIR/build/platform/mpfs/firmware/fw_payload.elf .
./gen-design.sh
# Output file: spi-design.bin
# Flash spi-design.bin by opening MPFS_DESIGN.pro from the current directory
./flashpro.sh
NOTE: Under this patchset, the Icicle Kit's PCIE port is disabled. This is because Microchip's Linux patches are not up to date. But we need a more recent version of Linux to ensure all 4 CPUs are powered on.
Aside from Microchip's changes to allow Linux to boot, the provided patchset contains one additional change that maps the board's memory for Keystone to use.
git clone https://github.com/gregkh/linux
cd linux
git checkout v5.10.19
# Clone linux setup tools
git clone https://github.com/archshift/polarfire-linux buildsh
pushd buildsh
git checkout v5.10.19
popd
# Patch the kernel for PolarFire SoC
./buildsh/patch.sh
# Configure the kernel. You can leave the settings as they are and activate "Save".
./buildsh/menuconfig.sh
# Build images
./buildsh/mk-images.sh
# Output files: boot.scr.uimg fitImage
Copy both output files to the board's /boot
directory. Using the Icicle Kit's eMMC flash to boot Linux, you can plug it into your computer using microUSB and mount the eMMC using the bootloader:
# Access the boot monitor
sudo screen /dev/ttyUSB0 115200
# Reboot the board, then press any key to stop booting.
# Make the NAND available as a USB device.
> usbdmsc
Insert microUSB cable into the port next to the on-off switch and barrel jack connector. This will connect to the embedded FlashPro6 controller and will provide your JTAG functionality.
Download SoftConsole from Microchip's website. It's necessary to provide their custom build of OpenOCD that supports the FlashPro6 controller.
Navigate to the SoftConsole installation directory. From there execute the following command to start OpenOCD:
openocd/bin/openocd -c "set DEVICE MPFS" -f board/microsemi-riscv.cfg
If you'd like access to the OpenOCD console: use the following command in another window:
telnet localhost:4444
To debug a binary, use the following command in another window:
riscv64-unknown-elf-gdb <path/to/binary> -ex 'target remote localhost:3333'
Hi
Thank you for this tutorial. Unfortunately I am unable to build the KeyStone Security Manager because the mpfs branch does not exist.
If I try anyway to compile it in the master branch, I get a bunch of errors:
May I ask you how to fix this problem?