@archshift
Last active September 18, 2022 02:30
Keystone and the Polarfire SOC Icicle Kit

Running Keystone on the Icicle Kit

Boot process: FSBL (hart-software-services) -> OpenSBI + Keystone security manager -> U-Boot -> Linux

To start off, clone the repositories from all of the above links (and switch to the linked branch).

Building FSBL that loads from SPI flash

# DEPENDENCIES:
# pip install kconfiglib
# riscv64-unknown-linux-gnu-gcc

git clone https://github.com/archshift/hart-software-services
cd hart-software-services
git checkout spi-flash-boot
cp boards/mpfs-icicle-kit-es/def_config .config

# Enable booting from SPI Flash
echo "CONFIG_SERVICE_BOOT_SPI_FLASH=0x400" >> .config

make BOARD=mpfs-icicle-kit-es CROSS_COMPILE=riscv64-unknown-linux-gnu-
# Output file: $PWD/boards/mpfs-icicle-kit-es/payload.hex

You need to flash this bootloader file with Libero. The process is described in detail in this post, under the section "Installing firmware".

Building U-Boot

# DEPENDENCIES:
# Tested with riscv64-unknown-linux-gnu-gcc == 10.2.0. Did NOT work with version 7.2.0.

git clone https://github.com/u-boot/u-boot
cd u-boot
git checkout v2021.04

# Create .config
make ARCH=riscv CROSS_COMPILE=riscv64-unknown-linux-gnu- -j12 microchip_mpfs_icicle_defconfig
# Build U-Boot
make ARCH=riscv CROSS_COMPILE=riscv64-unknown-linux-gnu-
# Output file: $PWD/u-boot.bin

Building OpenSBI + Keystone

git clone https://github.com/keystone-enclave/sm
cd sm
git checkout mpfs

Note: before building the SM, you need to change this line from PMP_NO_PERM to PMP_ALL_PERM. This works around an unresolved bug where U-Boot freezes on start, but it breaks Keystone's security model, so you SHOULD NOT use the resulting build in a secure system.
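
Why this workaround matters, as an added example (not code from Keystone or from this gist): a simplified C model of the RISC-V PMP check for S/U-mode accesses. The region layout, the addresses and the `os_can_access` helper are constructed, and the two macro values are assumed to be 0 and R|W|X; which region the changed line covers is not stated here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* pmpcfg permission bits (RISC-V privileged spec). */
#define PMP_R 0x01
#define PMP_W 0x02
#define PMP_X 0x04
/* Assumed to mirror the SM's macros: no bits set vs. R|W|X. */
#define PMP_NO_PERM  0
#define PMP_ALL_PERM (PMP_R | PMP_W | PMP_X)
/* Simplified PMP entry: inclusive byte range plus permission bits. */
struct pmp_entry { uint64_t first, last; uint8_t perm; };

/* S/U-mode check: the lowest-numbered entry touching the access decides.
 * Partial overlap fails; no match is denied. M-mode and lock bit not modelled. */
bool pmp_allows(const struct pmp_entry *e, size_t n,
                uint64_t addr, uint64_t len, uint8_t want)
{
    uint64_t end = addr + len - 1;              /* len >= 1, no wraparound */
    for (size_t i = 0; i < n; i++) {
        if (addr > e[i].last || end < e[i].first)
            continue;                           /* no overlap with entry i */
        if (addr < e[i].first || end > e[i].last)
            return false;                       /* straddles the boundary */
        return (e[i].perm & want) == want;
    }
    return false;
}

/* Constructed layout: entry 0 guards a protected region, entry 1 is a
 * lower-priority catch-all that opens the rest of memory to the OS. */
#define PROT_BASE 0x80000000ULL
#define PROT_SIZE 0x00200000ULL
bool os_can_access(uint8_t region_perm, uint64_t addr, uint8_t want)
{
    const struct pmp_entry table[] = {
        { PROT_BASE, PROT_BASE + PROT_SIZE - 1, region_perm },
        { 0, UINT64_MAX, PMP_ALL_PERM },
    };
    return pmp_allows(table, 2, addr, 8, want);  /* 8-byte access */
}

int main(void)
{
    printf("NO_PERM:  OS write %d\n", os_can_access(PMP_NO_PERM, PROT_BASE, PMP_W));
    printf("ALL_PERM: OS write %d\n", os_can_access(PMP_ALL_PERM, PROT_BASE, PMP_W));
    return 0;
}
```

With the guarding entry set to PMP_ALL_PERM, the highest-priority match grants the access, so nothing later in the table can deny it.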

# Change this as needed
UBOOT_DIR=$PWD/../u-boot

# Build SM
make -C opensbi O=$PWD/build PLATFORM_DIR=$PWD/plat/mpfs \
  FW_PAYLOAD_PATH=$UBOOT_DIR/u-boot.bin FW_PAYLOAD=y \
  FW_FDT_PATH=$UBOOT_DIR/arch/riscv/dts/microchip-mpfs-icicle-kit.dtb \
  PLATFORM_RISCV_ABI=lp64d CROSS_COMPILE=riscv64-unknown-elf-
# Output file: $PWD/build/platform/mpfs/firmware/fw_payload.elf

Flashing OpenSBI + Keystone

git clone https://github.com/archshift/polarfire-soc-flash-tools
cd polarfire-soc-flash-tools

# Change this as needed
export LIBERO_DIR=/usr/local/microsemi/Libero_SoC_v12.6/
# Change this as needed
SM_DIR=$PWD/..

cp $SM_DIR/build/platform/mpfs/firmware/fw_payload.elf .
./gen-design.sh
# Output file: spi-design.bin
# Flash spi-design.bin by opening MPFS_DESIGN.pro from the current directory
./flashpro.sh

Building Linux

NOTE: Under this patchset, the Icicle Kit's PCIe port is disabled. This is because Microchip's Linux patches are not up to date, but we need a more recent version of Linux to ensure all 4 CPUs are powered on.

Aside from Microchip's changes to allow Linux to boot, the provided patchset contains one additional change that maps the board's memory for Keystone to use.

git clone https://github.com/gregkh/linux
cd linux
git checkout v5.10.19

# Clone linux setup tools
git clone https://github.com/archshift/polarfire-linux buildsh
pushd buildsh
git checkout v5.10.19
popd

# Patch the kernel for PolarFire SoC
./buildsh/patch.sh
# Configure the kernel. You can leave the settings as they are and activate "Save".
./buildsh/menuconfig.sh
# Build images
./buildsh/mk-images.sh
# Output files: boot.scr.uimg fitImage

Copy both output files to the board's /boot directory. If you boot Linux from the Icicle Kit's eMMC flash, you can connect the board to your computer over microUSB and mount the eMMC using the bootloader:

# Access the boot monitor
sudo screen /dev/ttyUSB0 115200

# Reboot the board, then press any key to stop booting.
# Make the NAND available as a USB device.
> usbdmsc

Other notes

Debugging PolarFire SoC using JTAG

Insert a microUSB cable into the port next to the on-off switch and barrel jack connector. This connects to the embedded FlashPro6 controller, which provides the JTAG functionality.

Download SoftConsole from Microchip's website. It is needed because it provides their custom build of OpenOCD that supports the FlashPro6 controller.

Navigate to the SoftConsole installation directory. From there execute the following command to start OpenOCD:

openocd/bin/openocd -c "set DEVICE MPFS" -f board/microsemi-riscv.cfg

If you'd like access to the OpenOCD console, use the following command in another window:

telnet localhost 4444

To debug a binary, use the following command in another window:

riscv64-unknown-elf-gdb <path/to/binary> -ex 'target remote localhost:3333'
@plaublin
Hi

Thank you for this tutorial. Unfortunately I am unable to build the KeyStone Security Manager because the mpfs branch does not exist.

If I try anyway to compile it in the master branch, I get a bunch of errors:

riscv64-unknown-linux-gnu/bin/ld: /keystone_icicle_kit/sm/build/platform/mpfs/lib/libplatsbi.a(sm.o): in function `sm_copy_key':
/home/pl/Documents/keystone_icicle_kit/sm/plat//mpfs/../../src/sm.c:85: undefined reference to `sanctum_sm_hash'
riscv64-unknown-linux-gnu/bin/ld: /keystone_icicle_kit/sm/plat//mpfs/../../src/sm.c:86: undefined reference to `sanctum_sm_signature'
riscv64-unknown-linux-gnu/bin/ld: /keystone_icicle_kit/sm/plat//mpfs/../../src/sm.c:86: undefined reference to `sanctum_sm_public_key'
riscv64-unknown-linux-gnu/bin/ld: /keystone_icicle_kit/sm/plat//mpfs/../../src/sm.c:87: undefined reference to `sanctum_sm_secret_key'
riscv64-unknown-linux-gnu/bin/ld: /keystone_icicle_kit/sm/plat//mpfs/../../src/sm.c:88: undefined reference to `sanctum_dev_public_key'

May I ask you how to fix this problem?
