From patchwork Tue Jun 30 12:47:00 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Harsimran Singh Tungal X-Patchwork-Id: 91401 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E011BC44502 for ; Tue, 30 Jun 2026 12:47:19 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.20452.1782823632854058936 for ; Tue, 30 Jun 2026 05:47:13 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=jcTOeCuv; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: harsimransingh.tungal@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id F39352C46; Tue, 30 Jun 2026 05:47:07 -0700 (PDT) Received: from e132995.cambridge.arm.com (e132995.arm.com [10.1.29.35]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id BE4073F905; Tue, 30 Jun 2026 05:47:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1782823632; bh=tlSKGWTgxk4jBdI6xJvpoSploB/gmPQidloC35IlbFc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jcTOeCuv1EjO48L/8URSWOab0tGbs5XqLqQ0MFbOE3mVx/llhNFBifLdh/OkJhxVt J7K3Jqt0dN7hpSuYk7uBm/p6K7b4Y01xjWdtSzD5S6YbyjAJkY2u5yFWy9wSt4Ezpu Hg8vZt9MDCCxWYxIS9VTEo6r8MkioVn8tEEUDEpg= From: Harsimran Singh Tungal To: meta-arm@lists.yoctoproject.org Cc: Harsimran Singh Tungal Subject: [PATCH wrynose 1/5] arm-bsp/documentation: corstone1000: update 2026.05 wrynose release documentation Date: Tue, 30 Jun 2026 13:47:00 +0100 Message-Id: <20260630124704.301310-2-harsimransingh.tungal@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260630124704.301310-1-harsimransingh.tungal@arm.com> References: <20260630124704.301310-1-harsimransingh.tungal@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Jun 2026 12:47:19 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7100 Update the Corstone-1000 changelog, release notes and user guide for the 2026.05 wrynose release. Add the new 2026.05 changelog entry and capture the main release work, including the component upgrades, TF-M GPT and PSA FWU changes, and the updated SSH-enabled build flow. Refresh the component version tables and Yocto distribution component versions in changelog for the new release. Update the user guide to align with the 2026.05 release branch and documentation state, including the Yocto release name, recipe version references, release tag references, and related asset and report links. Signed-off-by: Harsimran Singh Tungal --- .../documentation/corstone1000/change-log.rst | 65 +++++++ .../corstone1000/release-notes.rst | 6 + .../documentation/corstone1000/user-guide.rst | 180 ++++++++++-------- 3 files changed, 176 insertions(+), 75 deletions(-) diff --git a/meta-arm-bsp/documentation/corstone1000/change-log.rst b/meta-arm-bsp/documentation/corstone1000/change-log.rst index 7bab9e21..0c79ad1b 100644 --- a/meta-arm-bsp/documentation/corstone1000/change-log.rst +++ b/meta-arm-bsp/documentation/corstone1000/change-log.rst @@ -10,6 +10,71 @@ Change Log This document contains a summary of the new features, changes and fixes in each release of Corstone-1000 software stack. +*************** +Version 2026.05 +*************** + +Changes +======= + +- Upgraded key Corstone-1000 components to U-Boot 2025.10, TF-A 2.14.1, TF-M 2.2.2, OP-TEE 4.9.0, Trusted Services 1.3.0, and Linux 6.19. +- Added GPT support in TF-M and updated MCUboot to use the GPT library for firmware-update partitions. +- Extended the TF-M firmware update flow with GPT fixes, partition create/remove/duplicate operations, metadata-only handling, flash erase protection, stale partition cleanup, and better handling of older images during PSA FWU. +- Added SSH-enabled build overlay for FVP mass-storage images. +- Removed GRUB from the initramfs boot package set. + +Corstone-1000 components versions +================================= + ++-------------------------------------------+-------------------+ +| linux-yocto | 6.19 | ++-------------------------------------------+-------------------+ +| u-boot | 2025.10 | ++-------------------------------------------+-------------------+ +| external-system | 0.1.0 | ++-------------------------------------------+-------------------+ +| optee-client | 4.9.0 | ++-------------------------------------------+-------------------+ +| optee-os | 4.9.0 | ++-------------------------------------------+-------------------+ +| trusted-firmware-a | 2.14.1 | ++-------------------------------------------+-------------------+ +| trusted-firmware-m | 2.2.2 | ++-------------------------------------------+-------------------+ +| libts | v1.3.0 | ++-------------------------------------------+-------------------+ +| ts-sp-{se-proxy, smm-gateway} | v1.3.0 | ++-------------------------------------------+-------------------+ +| ts-psa-{crypto, iat, its. ps}-api-test | 74dc6646ff | ++-------------------------------------------+-------------------+ + +Yocto distribution components versions +====================================== + ++-------------------------------------------+----------------+ +| meta-arm | wrynose | ++-------------------------------------------+----------------+ +| bitbake | 22021758e6 | ++-------------------------------------------+----------------+ +| meta-openembedded | 9af4488d46 | ++-------------------------------------------+----------------+ +| openembedded-core | 06dd66e622 | ++-------------------------------------------+----------------+ +| meta-yocto | 8251bdad5f | ++-------------------------------------------+----------------+ +| meta-secure-core | 07a99ae241 | ++-------------------------------------------+----------------+ +| busybox | 1.37.0 | ++-------------------------------------------+----------------+ +| musl | 1.2.6 | ++-------------------------------------------+----------------+ +| gcc-arm-none-eabi | 15.2.rel1 | ++-------------------------------------------+----------------+ +| gcc-cross-aarch64 | 15.2.0 | ++-------------------------------------------+----------------+ +| openssl | 3.5.6 | ++-------------------------------------------+----------------+ + *************** Version 2025.12 *************** diff --git a/meta-arm-bsp/documentation/corstone1000/release-notes.rst b/meta-arm-bsp/documentation/corstone1000/release-notes.rst index 1a7e312a..7757e749 100644 --- a/meta-arm-bsp/documentation/corstone1000/release-notes.rst +++ b/meta-arm-bsp/documentation/corstone1000/release-notes.rst @@ -19,6 +19,12 @@ intended for safety-critical applications. Should Your Software or Your Hardware prove defective, you assume the entire cost of all necessary servicing, repair or correction. +*********************** +Release notes - 2026.05 +*********************** + +The same notes as the 2025.05 release still apply. + *********************** Release notes - 2025.12 *********************** diff --git a/meta-arm-bsp/documentation/corstone1000/user-guide.rst b/meta-arm-bsp/documentation/corstone1000/user-guide.rst index a33ed066..0e72659c 100644 --- a/meta-arm-bsp/documentation/corstone1000/user-guide.rst +++ b/meta-arm-bsp/documentation/corstone1000/user-guide.rst @@ -50,7 +50,7 @@ The Corstone-1000 software stack can be run on: Yocto Stable Branch ------------------- -Corstone-1000 software stack is built on top of Yocto Project's `Whinlatter release `__. +Corstone-1000 software stack is built on top of Yocto Project's `Wrynose release `__. Software Components ------------------- @@ -91,7 +91,7 @@ Host Processor Components +----------+-------------------------------------------------------------------------------------------------------+ | bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend`` | +----------+-------------------------------------------------------------------------------------------------------+ -| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.14.0.bb`` | +| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.14.1.bb`` | +----------+-------------------------------------------------------------------------------------------------------+ `Trusted Services `__ @@ -131,7 +131,7 @@ Host Processor Components ================================================================ +----------+------------------------------------------------------------------------------------------+ -| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend`` | +| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_%.bbappend`` | +----------+------------------------------------------------------------------------------------------+ | Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/optee/optee-os_4.9.0.bb`` | +----------+------------------------------------------------------------------------------------------+ @@ -144,7 +144,7 @@ Host Processor Components +----------+----------------------------------------------------------------------------------+ | bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend`` | +----------+----------------------------------------------------------------------------------+ -| Recipe | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_2025.04.bb`` | +| Recipe | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_2025.10.bb`` | +----------+----------------------------------------------------------------------------------+ Linux @@ -172,7 +172,7 @@ Secure Enclave Components +----------+-------------------------------------------------------------------------------------------------------+ | bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend`` | +----------+-------------------------------------------------------------------------------------------------------+ -| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.2.1.bb`` | +| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.2.2.bb`` | +----------+-------------------------------------------------------------------------------------------------------+ ************************************ @@ -223,7 +223,7 @@ Build .. code-block:: console cd ${WORKSPACE} - git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2025.12 + git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2026.05 #. Build a Corstone-1000 image: @@ -272,20 +272,26 @@ Build with SSH The ``meta-arm/kas/corstone1000-${TARGET}.yml`` build produces an image for booting from flash. -To build a bootable mass storage OS image with Dropbear SSH enabled, run: +.. important:: + + The SSH-enabled mass storage image is supported only for the FVP target. + It is not supported for the MPS3 target, because it relies on pre-generated + SSH host keys intended for virtual platforms. + +To build a bootable mass storage OS image with Dropbear SSH enabled for FVP, +run: .. code-block:: console - kas build meta-arm/ci/corstone1000-${TARGET}.yml:meta-arm/kas/corstone1000-ssh.yml + kas build meta-arm/ci/corstone1000-fvp.yml:meta-arm/kas/corstone1000-ssh.yml -The mass storage OS image can be found at ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/core-image-minimal-corstone1000-${TARGET}.wic`` +The mass storage OS image can be found at +``${WORKSPACE}/build/tmp/deploy/images/corstone1000-fvp/core-image-minimal-corstone1000-fvp.wic`` .. note:: - For the FVP, the generated ``core-image-minimal-corstone1000-fvp.fvpconf`` - configures the mass storage OS image using ``board.msd_mmc.p_mmc_file``. - - For the MPS3 platform, write the ``*.wic`` image directly to the mass storage device. + The generated ``core-image-minimal-corstone1000-fvp.fvpconf`` configures + the mass storage OS image using ``board.msd_mmc.p_mmc_file``. .. _flashing-firmware-images: @@ -379,8 +385,8 @@ Flash #. Copy ``bl1.bin`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3/trusted-firmware-m/`` to the ``SOFTWARE`` directory of the FPGA bundle. -#. Copy ``es_flashfw.bin`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle - and rename the binary to ``es0.bin``. +#. Remove ``ES0.bin`` from the ``SOFTWARE`` directory of the FPGA bundle. Copy ``es_flashfw.bin`` from + ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle and rename the binary to ``es0.bin``. #. Copy ``corstone1000-flash-firmware-image-corstone1000-mps3.wic`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle and rename the wic image to ``cs1000.bin``. @@ -524,8 +530,8 @@ Tests Reports ------- -Reports for the tests conducted on the `Corstone-1000 software (CORSTONE1000-2025.12) `__ -release are available for reference `here `__. +Reports for the tests conducted on the `Corstone-1000 software (CORSTONE1000-2026.05) `__ +release are available for reference `here `__. .. _clean-secure-flash: @@ -544,7 +550,7 @@ Clean Secure Flash .. code-block:: console cd ${WORKSPACE} - git clone https://git.gitlab.arm.com/arm-reference-solutions/iot-platform-assets.git -b CORSTONE1000-2025.12 + git clone https://git.gitlab.arm.com/arm-reference-solutions/iot-platform-assets.git -b CORSTONE1000-2026.05 #. Copy the secure flash cleaning Git patch file to your copy of `meta-arm`. @@ -782,7 +788,12 @@ MPS3 cd ${WORKSPACE}/arm-systemready/IR/prebuilt_images/v23.09_2.1.0 sudo dd if=ir-acs-live-image-generic-arm64.wic of=/dev/sdc iflag=direct oflag=direct bs=1M status=progress; sync -#. Plug the USB drive to the MPS3. At this point you should have both the USB drive with the ESP and the USB drive with the ACS image plugged to the MPS3. +#. Unplug the ESP USB drive from the MPS3, if connected. + +#. Plug only the ACS image USB drive to the MPS3. + + The ESP USB drive must remain unplugged while the ACS image is booting, + otherwise GRUB might fail to find the bootable partition on the ACS image USB drive. #. Reboot the MPS3. @@ -790,12 +801,10 @@ The MPS3 will reset multiple times during the test, and it might take approximat .. important:: - Unplug the ESP USB drive from the MPS3 if it is preventing GRUB - from finding the bootable partition. Leave only the ACS image USB drive - plugged in to run the ACS tests. - - The ESP USB drive can be plugged in again after - selecting the `Linux Boot` option in the GRUB menu at the end of the ACS tests. + Keep the ESP USB drive unplugged until the GRUB menu is displayed during + the Linux boot timeout workaround described below. Plug the ESP USB drive + back in just before selecting the `Linux Boot` option, so it is available + for the remaining ACS tests. .. warning:: @@ -806,6 +815,7 @@ The MPS3 will reset multiple times during the test, and it might take approximat #. Press Enter at the Linux prompt. #. Open the file `/etc/systemd/system.conf` and set `DefaultDeviceTimeoutSec=infinity`. #. Reboot the platform using the `reboot` command. + #. When the GRUB menu appears, plug the ESP USB drive back into the MPS3. #. Select the `Linux Boot` option from the GRUB menu. #. Allow Linux to boot and run the remaining ACS tests until completion. @@ -850,7 +860,7 @@ If GRUB is not interrupted, the tests are executed automatically in the followin - UEFI BSA - FWTS -The results can be fetched from the `acs_results` folder in the ``BOOT`` partition of the USB drive (for MPS3) or SD Card (for FVP). +The results can be fetched from the `acs_results` folder in the ``BOOT`` partition of the ACS image USB drive (for MPS3) or SD Card (for FVP). .. note:: @@ -921,6 +931,11 @@ Generate Capsules for the host machine during the firmware image building process. The tool can be found at ``${WORKSPACE}/build/tmp/sysroots-components/aarch64/edk2-basetools-native/usr/bin/edk2-BaseTools/BinWrappers/PosixLike/GenerateCapsule``. +.. note:: + + The ``aarch64`` part of this path depends on the build host architecture + and can be different on another host. + A JSON file containing metadata about the capsule payloads needs to be created using the script found at ``${WORKSPACE}/meta-arm/meta-arm/scripts/generate_capsule_json_multiple.py``. This JSON file is required by EDK II's ``GenerateCapsule`` tool to generate the capsule. @@ -1069,7 +1084,7 @@ MPS3 #. Prepare a USB drive as explained in `this `_ section. -#. Copy the capsule file to the root directory of the ``BOOT`` partition in the USB drive. +#. Copy the capsule files to the root directory of the ``BOOT`` partition in the USB drive. .. code-block:: console @@ -1153,7 +1168,7 @@ This will be followed by using the invalid capsule to run the rollback protectio Positive Full Capsule Update Test ================================= -#. Run Corstone-1000 with the ACS image containing the two capsule files: +#. Run Corstone-1000 with the ACS image containing the capsule files: - MPS3: @@ -1216,42 +1231,40 @@ Positive Full Capsule Update Test The software stack copies the capsule content to the external flash, which is shared between the Secure Enclave and the Host Processor - before rebooting the system. - - After the first reboot, TrustedFirmware-M should apply the valid capsule and display the following log on the Secure Enclave terminal (``ttyUSB1`` for MPS3) - before rebooting the system a second time: + before rebooting the system, and the following logs should be displayed on the Secure Enclave terminal (``ttyUSB1`` for MPS3): .. code-block:: console ... - SysTick_Handler: counted = 10, expiring on = 360 - SysTick_Handler: counted = 20, expiring on = 360 - SysTick_Handler: counted = 30, expiring on = 360 - ... + fwu_bootloader_install_image: enter + metadata_read: success: active = 0, previous = 1 + fwu_update_metadata: enter metadata_write: success: active = 1, previous = 0 - flash_full_capsule: exit - corstone1000_fwu_flash_image: exit: ret = 0 + fwu_update_metadata: exit: ret = 0 + fwu_bootloader_install_image: exit: ret = 0 ... - The above log snippet indicates that the new capsule image is successfully applied, and the board is booting with the external flash's Bank-1. + The above log snippet indicates that the new capsule image is successfully applied. + + After the first reboot, - After a second reboot, the following log should be displayed on on the Secure Enclave terminal (``ttyUSB1``): +#. Interrupt the U-Boot shell. .. code-block:: console - ... - fmp_set_image_info:133 Enter - FMP image update: image id = 0 - FMP image update: status = 0version=6 last_attempt_version=6. - fmp_set_image_info:157 Exit. - corstone1000_fwu_host_ack: exit: ret = 0 - ... - -#. Interrupt the U-Boot shell. + Hit any key to stop autoboot: + + After the first reboot, TrustedFirmware-M should display the following log on the Secure Enclave terminal (``ttyUSB1`` for MPS3): .. code-block:: console - Hit any key to stop autoboot: + ... + [INF] Starting TF-M BL1_1 + metadata_read: success: active = 1, previous = 0 + get_fwu_agent_state: exit: FWU Agent PSA_FWU_TRIAL (index mismatch) + bl1_get_active_bl2_image: booting from trial bank: 1 + bl1_get_active_bl2_image: exit: booting from bank = 1, offset = 0x1002000 + ... #. Run the following commands in order to run the Corstone-1000 Linux kernel. @@ -1264,6 +1277,18 @@ Positive Full Capsule Update Test $ loadm 0x90000000 $kernel_addr_r $filesize $ bootefi $kernel_addr_r $fdtcontroladdr + After executing above set of commands, the following log should be displayed on the Secure Enclave terminal (``ttyUSB1``): + + .. code-block:: console + + ... + fwu_accept_image: success: fwu state is changed to regular + update_nv_counters: success + disable_host_ack_timer: timer to reset is disabled + FMP image update: status = 0version=6 last_attempt_version=6. + fwu_bootloader_mark_image_accepted: exit: ret = 0 + ... + #. The first boot after a capsule update is considered the trial stage, during which the FWU image is accepted. However, to view the updated contents of the EFI System Resource Table (ESRT), an additional reboot is required. @@ -1357,21 +1382,20 @@ Rollback Protection Capsule Update Test .. code-block:: console ... - uefi_capsule_retrieve_images: image 0 at 0xa0000070, size=15654928 - uefi_capsule_retrieve_images: exit - flash_full_capsule: enter: image = 0x0xa0000070, size = 7764541, version = 5 - ERROR: flash_full_capsule: version error - private_metadata_write: enter: boot_index = 1 - private_metadata_write: success - fmp_set_image_info:133 Enter - FMP image update: image id = 0 - FMP image update: status = 1version=6 last_attempt_version=5. - fmp_set_image_info:157 Exit. - corstone1000_fwu_flash_image: exit: ret = -1 - fmp_get_image_info:232 Enter - pack_image_info:207 ImageInfo size = 105, ImageName size = 34, ImageVersionName - size = 36 - fmp_get_image_info:236 Exit + fwu_bootloader_load_image: enter: block_offset = 0 + FMP version: 0x5, metadata version : 0x7 + private_metadata_write: enter: boot_index = 0 + private_metadata_write: success + fmp_set_image_info:160 Enter + FMP image update: image id = 0 + FMP image update: status = 1version=7 last_attempt_version=5. + fmp_set_image_info:184 Exit. + ERROR: fwu_bootloader_load_image: version error + remove_all_stale_partitions: Removed GPT partition 'bl2_secondary' + remove_all_stale_partitions: Removed GPT partition 'tfm_secondary' + remove_all_stale_partitions: Removed GPT partition 'FIP_B' + remove_all_stale_partitions: Removed GPT partition 'kernel_secondary' + fwu_bootloader_load_image: exit: ret = -248 ... The Secure Enclave tries to load the new image a predetermined number of times @@ -1634,7 +1658,7 @@ Corstone-1000 on-board non-volatile storage size is insufficient for installing dd if=/dev/zero of=${WORKSPACE}/fvp_distro_system_drive.img \ bs=1 count=0 seek=10G; sync; \ - parted -s fvp_distro_system_drive.img mklabel gpt + parted -s ${WORKSPACE}/fvp_distro_system_drive.img mklabel gpt #. This MMC image will be used as the primary drive to boot the distribution. @@ -1688,6 +1712,10 @@ FVP -C board.msd_mmc.p_mmc_file=${WORKSPACE}/fvp_distro_system_drive.img \ -C board.msd_mmc_2.p_mmc_file=${DISTRO_INSTALLER_ISO_PATH}" + .. note:: + + The FVP distribution installation process can take 6-8 hours to complete. + The Linux distribution will be installed on ``fvp_distro_system_drive.img``. @@ -1696,7 +1724,7 @@ Debian Installation Extra Steps Debian installation may need some extra steps, that are indicated below: -#. Answer ``Yes`` to the question ``Force grub installation to the EFI removable media path?``. +#. Answer ``Yes`` to the question ``Install the GRUB boot loader``. If the GRUB installation fails, these are the steps to follow on the subsequent popups: @@ -1855,8 +1883,7 @@ Generate Keys, Signed Image and Unsigned Image cd ${WORKSPACE} git clone https://gitlab.arm.com/arm-reference-solutions/iot-platform-assets \ - - -b CORSTONE1000-2025.12 + -b CORSTONE1000-2026.05 #. Set the current working directory to build directory's subdirectory containing the software stack build images. @@ -1868,7 +1895,7 @@ Generate Keys, Signed Image and Unsigned Image .. code-block:: console - ./${WORKSPACE}/iot-platform-assets/corstone1000/secureboot/create_keys_and_sign.sh \ + ${WORKSPACE}/iot-platform-assets/corstone1000/secureboot/create_keys_and_sign.sh \ -d ${TARGET} \ -v ${CERTIFICATE_VALIDITY_DURATION_IN_DAYS} @@ -1902,7 +1929,7 @@ MPS3 #. Perform a cold boot of the MPS3. -#. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Press any key to stop``. +#. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Hit any key to stop autoboot``. .. warning:: @@ -1975,7 +2002,7 @@ FVP #. Run the software stack as described `here `__. -#. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Press any key to stop``. +#. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Hit any key to stop autoboot``. .. warning:: @@ -2076,9 +2103,12 @@ As a result, U-Boot reads these variables and verifies the Linux kernel image be In a typical boot scenario, the Linux kernel image is not signed, which will prevent the system from booting due to failed image authentication. To resolve this, the Platform Key (one of the UEFI authenticated variables for secure boot) needs to be deleted. -#. Perform a cold boot of the MPS3. +#. For MPS3, perform a cold boot. + +#. For FVP, continue in the same boot cycle in which the UEFI secure boot keys were enrolled. + Do not cold boot FVP before deleting the Platform Key, because the secure flash contents are not preserved across an FVP cold boot. -#. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Press any key to stop``. +#. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message ``Hit any key to stop autoboot``. #. On the U-Boot console, delete the Platform Key (PK). @@ -2279,7 +2309,7 @@ and `Arm Development Studio `__ versions 2022.2, 2022.c, or 202 .. _arm-developer-fvp: https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps .. _secure-debug-manager-repo-readme: https://github.com/ARM-software/secure-debug-manager/tree/master?tab=readme-ov-file#secure-debug-manager-psa-adac--sdc-600 .. _secure-debug-manager-armds-integration: https://github.com/ARM-software/secure-debug-manager?tab=readme-ov-file#arm-development-studio-integration -.. _meta-arm-repository-release-branch: https://docs.yoctoproject.org/next/migration-guides/migration-5.3.html +.. _meta-arm-repository-release-branch: https://docs.yoctoproject.org/next/migration-guides/migration-6.0.html .. _arm-ulink-pro-website: https://www.arm.com/products/development-tools/debug-probes/ulink-pro .. _arm-ds-website: https://www.arm.com/products/development-tools/embedded-and-software/arm-development-studio .. _edk2-repository: https://github.com/tianocore/edk2 From patchwork Tue Jun 30 12:47:01 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Harsimran Singh Tungal X-Patchwork-Id: 91400 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82256C44501 for ; Tue, 30 Jun 2026 12:47:19 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.20453.1782823633958868289 for ; Tue, 30 Jun 2026 05:47:14 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=cymqZ2N5; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: harsimransingh.tungal@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id EE6341D15; Tue, 30 Jun 2026 05:47:08 -0700 (PDT) Received: from e132995.cambridge.arm.com (e132995.arm.com [10.1.29.35]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id BA13B3F905; Tue, 30 Jun 2026 05:47:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1782823633; bh=g3SHgyzizQJgNIMUuSfBos2bYY5F/mvFwU/dYchQNdI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=cymqZ2N59uqJ5Swqjm8nYJL9YLeN/1KvzGs/b6q4G8vTKEqmHsXfnjXKSDs0pVmQ7 yRZTuWPEA2j8KK1r/OTHgVnf7K1UBqcR1ib6M+hEO8lB51gEjGYbxol587Xromi9ER VHvsn9gwCxybRVTA3RxLGtqTlqZJqFv21LJocAhQ= From: Harsimran Singh Tungal To: meta-arm@lists.yoctoproject.org Cc: Harsimran Singh Tungal Subject: [PATCH wrynose 2/5] arm-bsp/documentation: corstone1000-a320: update 2026.05 wrynose release documentation Date: Tue, 30 Jun 2026 13:47:01 +0100 Message-Id: <20260630124704.301310-3-harsimransingh.tungal@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260630124704.301310-1-harsimransingh.tungal@arm.com> References: <20260630124704.301310-1-harsimransingh.tungal@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Jun 2026 12:47:19 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7101 Update the Corstone-1000 with Cortex-A320 changelog, release notes, user guide, tests documentation and metadata for the 2026.05 release. Add the new 2026.05 changelog entry for the Corstone-1000 with Cortex-A320 specific updates and align the component version tables and Yocto distribution component versions with the current release content. Refresh the user guide and tests documentation to align with the 2026.05 release state, including release tag references, recipe version references, report links Signed-off-by: Harsimran Singh Tungal --- .../corstone-a320_metadata.yaml | 4 +- .../corstone1000-a320/topics/change-log.md | 70 +++++ .../corstone1000-a320/topics/release-notes.md | 12 + .../corstone1000-a320/topics/tests.md | 267 ++++++++++-------- .../corstone1000-a320/topics/user-guide.md | 38 +-- 5 files changed, 253 insertions(+), 138 deletions(-) diff --git a/meta-arm-bsp/documentation/corstone1000-a320/corstone-a320_metadata.yaml b/meta-arm-bsp/documentation/corstone1000-a320/corstone-a320_metadata.yaml index 718232f7..11f31235 100644 --- a/meta-arm-bsp/documentation/corstone1000-a320/corstone-a320_metadata.yaml +++ b/meta-arm-bsp/documentation/corstone1000-a320/corstone-a320_metadata.yaml @@ -1,5 +1,5 @@ --- -title: Corstone-1000 Armv9-A Edge-AI +title: Corstone-1000 with Cortex-A320 subtitle: "" abstract: Arm Corstone-1000 with Cortex-A320 is a reference solution for IoT devices. It is part of Total Solution for IoT which consists of hardware and software reference implementation. author: Arm @@ -97,7 +97,7 @@ variables: - name: secure_debug_manager_armds_integration value: 'https://github.com/ARM-software/secure-debug-manager?tab=readme-ov-file#arm-development-studio-integration' - name: meta_arm_repository_release_branch - value: 'https://docs.yoctoproject.org/next/migration-guides/migration-5.3.html' + value: 'https://docs.yoctoproject.org/next/migration-guides/migration-6.0.html' - name: arm_ulink_pro_website value: 'https://www.arm.com/products/development-tools/debug-probes/ulink-pro' - name: arm_ds_website diff --git a/meta-arm-bsp/documentation/corstone1000-a320/topics/change-log.md b/meta-arm-bsp/documentation/corstone1000-a320/topics/change-log.md index e891fd5c..02f9629e 100644 --- a/meta-arm-bsp/documentation/corstone1000-a320/topics/change-log.md +++ b/meta-arm-bsp/documentation/corstone1000-a320/topics/change-log.md @@ -2,6 +2,76 @@ This document contains a summary of the new features, changes and fixes in each release of the Corstone-1000 with Cortex-A320 software stack. +## Version 2026.05 {.reference} + +The following changes are present in this release: + +- Continued Corstone-1000 with Cortex-A320 enablement across U-Boot, TF-A, TF-M, OP-TEE, and Linux with the split A320 device tree, GIC-700 support, Ethos-U85 DT alignment, and NPU reset via the external-system controller. +- Enabled and documented FVP SMP builds and platform-agnostic multicore support, including the errata override fixes for Corstone-1000 with Cortex-A320 and removal of the reboot workaround note. +- Split Corstone-1000 with Cortex-A320 FVP support into a dedicated machine configuration and standalone documentation. + +### Corstone-1000 with Cortex-A320 components versions {.reference} + +The following component versions are available: + +Table: Corstone-1000 with Cortex-A320 component versions + ++----------------------------------------+-----------------------------------+ +| Component | Version | ++========================================+===================================+ +| linux-yocto | 6.19 | ++----------------------------------------+-----------------------------------+ +| u-boot | 2025.10 | ++----------------------------------------+-----------------------------------+ +| external-system | 0.1.0 | ++----------------------------------------+-----------------------------------+ +| optee-client | 4.9.0 | ++----------------------------------------+-----------------------------------+ +| optee-os | 4.9.0 | ++----------------------------------------+-----------------------------------+ +| trusted-firmware-a | 2.14.1 | ++----------------------------------------+-----------------------------------+ +| trusted-firmware-m | 2.2.2 | ++----------------------------------------+-----------------------------------+ +| libts | v1.3.0 | ++----------------------------------------+-----------------------------------+ +| ts-sp-{se-proxy, smm-gateway} | v1.3.0 | ++----------------------------------------+-----------------------------------+ +| ts-psa-{crypto, iat, its. ps}-api-test | 74dc6646ff | ++----------------------------------------+-----------------------------------+ + +### Yocto distribution components versions {.reference} + +The following Yocto distribution components versions are available: + +Table: Yocto distribution component versions + ++-------------------+------------+ +| Component | Version | ++===================+============+ +| meta-arm | wrynose | ++-------------------+------------+ +| bitbake | 22021758e6 | ++-------------------+------------+ +| meta-openembedded | 9af4488d46 | ++-------------------+------------+ +| openembedded-core | 06dd66e622 | ++-------------------+------------+ +| meta-yocto | 8251bdad5f | ++-------------------+------------+ +| meta-secure-core | 07a99ae241 | ++-------------------+------------+ +| busybox | 1.37.0 | ++-------------------+------------+ +| musl | 1.2.6 | ++-------------------+------------+ +| gcc-arm-none-eabi | 15.2.rel1 | ++-------------------+------------+ +| gcc-cross-aarch64 | 15.2.0 | ++-------------------+------------+ +| openssl | 3.5.6 | ++-------------------+------------+ + ## Version 2025.12 {.reference} The following changes are present in this release: diff --git a/meta-arm-bsp/documentation/corstone1000-a320/topics/release-notes.md b/meta-arm-bsp/documentation/corstone1000-a320/topics/release-notes.md index 7eadc1b2..5c95fae0 100644 --- a/meta-arm-bsp/documentation/corstone1000-a320/topics/release-notes.md +++ b/meta-arm-bsp/documentation/corstone1000-a320/topics/release-notes.md @@ -7,6 +7,18 @@ intended for safety-critical applications. Should your software or hardware prove defective, you assume the entire cost of all necessary servicing, repair or correction. +## Release notes - 2026.05 {.reference} + +The following knowns issues and limitations are present in this release: + +- Crypto isolation is not supported in the Secure world of Corstone-1000. Additionally, clients in + the Normal world are not isolated from one another. Therefore, if an end user wants to add a new + Secure Partition (SP) (such as a software TPM) that accesses the Crypto service via the SE-Proxy, + they are responsible for implementing their own isolation mechanisms to ensure proper security boundaries. +- DSTREAM debug probe may experience unreliable USB connectivity when used with Arm DS for secure debug. + This issue is under active investigation, and we are working to identify and resolve compatibility issues in a future update. + As a more stable alternative, the ULINKpro debug probe is recommended for use with Corstone-1000 in secure debug scenarios. + ## Release notes - 2025.12 {.reference} The following knowns issues and limitations are present in this release: diff --git a/meta-arm-bsp/documentation/corstone1000-a320/topics/tests.md b/meta-arm-bsp/documentation/corstone1000-a320/topics/tests.md index b86d87ca..90cd87c5 100644 --- a/meta-arm-bsp/documentation/corstone1000-a320/topics/tests.md +++ b/meta-arm-bsp/documentation/corstone1000-a320/topics/tests.md @@ -4,7 +4,7 @@ All the tests in this chapter assume you have already built the software stack a ## Reports {.reference} -Reports for the tests conducted on the [Corstone-1000 software (CORSTONE1000-2025.12)](https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2025.12) release are available for reference in the [GitLab repo](https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/CORSTONE1000-2025.12/embedded-a/corstone1000/CORSTONE1000-2025.12?ref_type=tags). +Reports for the tests conducted on the [Corstone-1000 software (CORSTONE1000-2026.05)](https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2026.05) release are available for reference in the [GitLab repo](https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/CORSTONE1000-2026.05/embedded-a/corstone1000/CORSTONE1000-2026.05?ref_type=tags). ## SystemReady IR {.reference} @@ -21,11 +21,11 @@ A storage with EFI System Partition (ESP) must exist in the system for the UEFI- 1. Build an ESP partition for your target ``` - kas build meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-a320.yml --target corstone1000-esp-image + kas build meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml --target corstone1000-esp-image ``` -2. Locate the `corstone1000-esp-image-corstone1000-fvp.wic` build artefact - in `${WORKSPACE}/build/tmp/deploy/images/corstone1000-fvp/` +2. Locate the `corstone1000-esp-image-corstone1000-a320-fvp.wic` build artefact + in `${WORKSPACE}/build/tmp/deploy/images/corstone1000-a320-fvp/` ### Use the EFI system partition {.reference} @@ -121,7 +121,7 @@ To build and run ACS tests on Corstone-1000: ``` ./meta-arm/scripts/runfvp \ --terminals=tmux \ - ./build/tmp/deploy/images/corstone1000-fvp/corstone1000-flash-firmware-image-corstone1000-fvp.fvpconf \ + ./build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000-flash-firmware-image-corstone1000-a320-fvp.fvpconf \ -- -C board.msd_mmc.p_mmc_file=${WORKSPACE}/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic ``` @@ -196,6 +196,11 @@ The following payloads can be individually updated: for the host machine during the firmware image building process. The tool can be found at `${WORKSPACE}/build/tmp/sysroots-components/aarch64/edk2-basetools-native/usr/bin/edk2-BaseTools/BinWrappers/PosixLike/GenerateCapsule`. +:::note +The `aarch64` part of this path depends on the build host architecture +and can be different on another host. +::: + A JSON file containing metadata about the capsule payloads needs to be created using the script found at `${WORKSPACE}/meta-arm/meta-arm/scripts/generate_capsule_json_multiple.py`. This JSON file is required by EDK II's `GenerateCapsule` tool to generate the capsule. @@ -205,7 +210,7 @@ and `${WORKSPACE}/meta-arm/kas/corstone1000-image-configuration.yml` files. #### Valid full capsule {.reference} -An automatically generated capsule can be found at `${WORKSPACE}/build/tmp/deploy/images/corstone1000-fvp/corstone1000-fvp-v6.uefi.capsule` after running a firmware build. +An automatically generated capsule can be found at `${WORKSPACE}/build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000-a320-fvp-v6.uefi.capsule` after running a firmware build. The default metadata values are assumed to be correct to generate a valid capsule. @@ -234,27 +239,27 @@ b57e432b-a250-5c73-93e3-90205e64baba \ --lowest_supported_versions 5 5 5 5 5 5 \ --monotonic_counts 1 1 1 1 1 1 \ --payloads \ -build/tmp/work/corstone1000_fvp-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \ -build/tmp/deploy/images/corstone1000-fvp/trusted-firmware-m/bl2_signed.bin \ -build/tmp/deploy/images/corstone1000-fvp/trusted-firmware-m/tfm_s_signed.bin \ -build/tmp/deploy/images/corstone1000-fvp/signed_fip.bin \ -build/tmp/deploy/images/corstone1000-fvp/Image.gz-initramfs-corstone1000-fvp.bin \ -build/tmp/work/corstone1000_fvp-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \ +build/tmp/work/corstone1000_a320_fvp-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \ +build/tmp/deploy/images/corstone1000-a320-fvp/trusted-firmware-m/bl2_signed.bin \ +build/tmp/deploy/images/corstone1000-a320-fvp/trusted-firmware-m/tfm_s_signed.bin \ +build/tmp/deploy/images/corstone1000-a320-fvp/signed_fip.bin \ +build/tmp/deploy/images/corstone1000-a320-fvp/Image.gz-initramfs-corstone1000-a320-fvp.bin \ +build/tmp/work/corstone1000_a320_fvp-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \ --update_image_indexes 5 1 2 3 4 6 \ --private_keys \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ --certificates \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ --output capsule_config.json ``` @@ -265,7 +270,7 @@ Run the command below to generate the partial capsule: -e \ -j capsule_config.json \ --capflag PersistAcrossReset \ --o corstone1000-fvp-partial-v7.uefi.capsule +-o corstone1000-a320-fvp-partial-v7.uefi.capsule ``` The partial capsule will be located in the `${WORKSPACE}` directory. @@ -292,27 +297,27 @@ b57e432b-a250-5c73-93e3-90205e64baba \ --lowest_supported_versions 5 5 5 5 5 5 \ --monotonic_counts 1 1 1 1 1 1 \ --payloads \ -build/tmp/work/corstone1000_fvp-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \ -build/tmp/deploy/images/corstone1000-fvp/trusted-firmware-m/bl2_signed.bin \ -build/tmp/deploy/images/corstone1000-fvp/trusted-firmware-m/tfm_s_signed.bin \ -build/tmp/deploy/images/corstone1000-fvp/signed_fip.bin \ -build/tmp/deploy/images/corstone1000-fvp/Image.gz-initramfs-corstone1000-fvp.bin \ -build/tmp/work/corstone1000_fvp-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \ +build/tmp/work/corstone1000_a320_fvp-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \ +build/tmp/deploy/images/corstone1000-a320-fvp/trusted-firmware-m/bl2_signed.bin \ +build/tmp/deploy/images/corstone1000-a320-fvp/trusted-firmware-m/tfm_s_signed.bin \ +build/tmp/deploy/images/corstone1000-a320-fvp/signed_fip.bin \ +build/tmp/deploy/images/corstone1000-a320-fvp/Image.gz-initramfs-corstone1000-a320-fvp.bin \ +build/tmp/work/corstone1000_a320_fvp-poky-linux-musl/corstone1000-flash-firmware-image/1.0/sources/corstone1000-flash-firmware-image-1.0/dummy.bin \ --update_image_indexes 5 1 2 3 4 6 \ --private_keys \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_key.key \ --certificates \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ -build/tmp/deploy/images/corstone1000-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ +build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000_capsule_cert.crt \ --output capsule_config.json ``` @@ -323,7 +328,7 @@ Run the command below to generate the invalid capsule: -e \ -j capsule_config.json \ --capflag PersistAcrossReset \ --o corstone1000-fvp-v5.uefi.capsule +-o corstone1000-a320-fvp-v5.uefi.capsule ``` The invalid capsule will be located in the `${WORKSPACE}` directory. @@ -363,9 +368,9 @@ as opposed to the on-disk method (delivery of capsules using a file on a mass st 4. Copy the capsules: ``` - sudo cp ${WORKSPACE}/build/tmp/deploy/images/corstone1000-fvp/corstone1000-fvp-v6.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/ - sudo cp ${WORKSPACE}/corstone1000-fvp-v5.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/ - sudo cp ${WORKSPACE}/corstone1000-fvp-partial-v7.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/ + sudo cp ${WORKSPACE}/build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000-a320-fvp-v6.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/ + sudo cp ${WORKSPACE}/corstone1000-a320-fvp-v5.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/ + sudo cp ${WORKSPACE}/corstone1000-a320-fvp-partial-v7.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/ sync ``` @@ -388,7 +393,7 @@ This sequence order must be respected as the invalid capsule has a firmware vers To run the test: -1. Run Corstone-1000 with the ACS image containing the two capsule files: +1. Run Corstone-1000 with the ACS image containing the capsule files: 1. Run `tmux`: @@ -399,7 +404,7 @@ To run the test: 2. Run the FVP within `tmux` with the IR prebuilt image which now also contains the two capsules: ``` - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-a320.yml \ + kas shell meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml \ -c "../meta-arm/scripts/runfvp --terminals=tmux \ -- -C board.msd_mmc.p_mmc_file=${ACS_IMAGE_PATH}/ir-acs-live-image-generic-arm64.wic" ``` @@ -419,50 +424,56 @@ To run the test: 4. Run the `CapsuleApp` application with the valid capsule file: ``` - EFI/BOOT/app/CapsuleApp.efi corstone1000-fvp-v6.uefi.capsule + EFI/BOOT/app/CapsuleApp.efi corstone1000-a320-fvp-v6.uefi.capsule ``` - The capsule update will be started. The capsule update takes about 15-30 minutes to complete on FVP. The Corstone-1000 will reset after successfully applying the capsule. + The capsule update will be started. - The software stack copies the capsule content to the external flash, which is shared between the Secure Enclave and the Host Processor - before rebooting the system. + :::note + The capsule update takes about 15-30 minutes to complete on FVP. - After the first reboot, TrustedFirmware-M should apply the valid capsule and display the following log on the Secure Enclave terminal - before rebooting the system a second time: + The platform will reset after successfully applying the capsule. + ::: + + The software stack copies the capsule content to the external flash, which is shared between the Secure Enclave and the Host Processor + before rebooting the system, and the following logs should be displayed on the Secure Enclave terminal: ``` ... - SysTick_Handler: counted = 10, expiring on = 360 - SysTick_Handler: counted = 20, expiring on = 360 - SysTick_Handler: counted = 30, expiring on = 360 - ... + fwu_bootloader_install_image: enter + metadata_read: success: active = 0, previous = 1 + fwu_update_metadata: enter metadata_write: success: active = 1, previous = 0 - flash_full_capsule: exit - corstone1000_fwu_flash_image: exit: ret = 0 + fwu_update_metadata: exit: ret = 0 + fwu_bootloader_install_image: exit: ret = 0 ... ``` - The above log snippet indicates that the new capsule image is successfully applied, and the board is booting with the external flash's Bank-1. + The above log snippet indicates that the new capsule image is successfully applied. - After a second reboot, the following log should be displayed on on the Secure Enclave terminal (`ttyUSB1`): +5. Interrupt the U-Boot shell. ``` - ... - fmp_set_image_info:133 Enter - FMP image update: image id = 0 - FMP image update: status = 0version=6 last_attempt_version=6. - fmp_set_image_info:157 Exit. - corstone1000_fwu_host_ack: exit: ret = 0 - ... + Hit any key to stop autoboot: ``` -5. Interrupt the U-Boot shell. + After the first reboot, TrustedFirmware-M should display the following logs on the Secure Enclave terminal: ``` - Hit any key to stop autoboot: + ... + [INF] Starting TF-M BL1_1 + metadata_read: success: active = 1, previous = 0 + get_fwu_agent_state: exit: FWU Agent PSA_FWU_TRIAL (index mismatch) + bl1_get_active_bl2_image: booting from trial bank: 1 + bl1_get_active_bl2_image: exit: booting from bank = 1, offset = 0x1002000 + ... ``` -6. Run the following commands in order to run the Corstone-1000 Linux kernel, otherwise, the execution ends up in the ACS live image: +6. Run the following commands in order to run the Corstone-1000 Linux kernel. + + :::note + Otherwise, the execution ends up in the ACS live image. + ::: ``` $ unzip $kernel_addr 0x90000000 @@ -470,6 +481,18 @@ To run the test: $ bootefi $kernel_addr_r $fdtcontroladdr ``` + After executing the above set of commands, the following logs should be displayed on the Secure Enclave terminal: + + ``` + ... + fwu_accept_image: success: fwu state is changed to regular + update_nv_counters: success + disable_host_ack_timer: timer to reset is disabled + FMP image update: status = 0version=6 last_attempt_version=6. + fwu_bootloader_mark_image_accepted: exit: ret = 0 + ... + ``` + 7. The first boot after a capsule update is considered the trial stage, during which the FWU image is accepted. However, to view the updated contents of the EFI System Resource Table (ESRT), an additional reboot is required. @@ -495,11 +518,15 @@ To run the test: $ bootefi $kernel_addr_r $fdtcontroladdr ``` -10. Once the system has fully booted again, read [Verifying firmware versions with ESRT] to confirm that the firmware version reflects the updated capsule. Do not terminate FVP between the positive full capsule update and partial capsule update tests. +10. Once the system has fully booted again, read [Verifying firmware versions with ESRT] to confirm that the firmware version reflects the updated capsule. + +:::note +Do not terminate FVP between the positive full capsule update and partial capsule update tests. +::: #### Positive partial capsule update {.reference} -Follow the steps for the [Positive full capsule update test], ensuring you use `corstone1000-fvp-partial-v7.uefi.capsule` instead of `corstone1000-fvp-v6.uefi.capsule`. +Follow the steps for the [Positive full capsule update test], ensuring you use `corstone1000-a320-fvp-partial-v7.uefi.capsule` instead of `corstone1000-a320-fvp-v6.uefi.capsule`. Once the system has fully booted again, read [Verifying firmware versions with ESRT] to confirm that the firmware version reflects the updated capsule. @@ -534,28 +561,27 @@ To run the rollback protection capsule update test: 4. Run the `CapsuleApp` application with the invalid capsule file: ``` - EFI/BOOT/app/CapsuleApp.efi corstone1000-fvp-v5.uefi.capsule + EFI/BOOT/app/CapsuleApp.efi corstone1000-a320-fvp-v5.uefi.capsule ``` 5. TrustedFirmware-M should reject the capsule due to having a lower firmware version and display the following log on the Secure Enclave terminal: ``` ... - uefi_capsule_retrieve_images: image 0 at 0xa0000070, size=15654928 - uefi_capsule_retrieve_images: exit - flash_full_capsule: enter: image = 0x0xa0000070, size = 7764541, version = 5 - ERROR: flash_full_capsule: version error - private_metadata_write: enter: boot_index = 1 - private_metadata_write: success - fmp_set_image_info:133 Enter - FMP image update: image id = 0 - FMP image update: status = 1version=6 last_attempt_version=5. - fmp_set_image_info:157 Exit. - corstone1000_fwu_flash_image: exit: ret = -1 - fmp_get_image_info:232 Enter - pack_image_info:207 ImageInfo size = 105, ImageName size = 34, ImageVersionName - size = 36 - fmp_get_image_info:236 Exit + fwu_bootloader_load_image: enter: block_offset = 0 + FMP version: 0x5, metadata version : 0x7 + private_metadata_write: enter: boot_index = 0 + private_metadata_write: success + fmp_set_image_info:160 Enter + FMP image update: image id = 0 + FMP image update: status = 1version=7 last_attempt_version=5. + fmp_set_image_info:184 Exit. + ERROR: fwu_bootloader_load_image: version error + remove_all_stale_partitions: Removed GPT partition 'bl2_secondary' + remove_all_stale_partitions: Removed GPT partition 'tfm_secondary' + remove_all_stale_partitions: Removed GPT partition 'FIP_B' + remove_all_stale_partitions: Removed GPT partition 'kernel_secondary' + fwu_bootloader_load_image: exit: ret = -248 ... ``` @@ -816,7 +842,7 @@ Corstone-1000 on-board non-volatile storage size is insufficient for installing ``` dd if=/dev/zero of=${WORKSPACE}/fvp_distro_system_drive.img \ bs=1 count=0 seek=10G; sync; \ - parted -s fvp_distro_system_drive.img mklabel gpt + parted -s ${WORKSPACE}/fvp_distro_system_drive.img mklabel gpt ``` 2. This MMC image will be used as the primary drive to boot the distribution. @@ -834,19 +860,23 @@ To install: 2. Start the FVP within `tmux` with the system drive as the primary drive and the distro ISO file as the secondary drive: ``` - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-a320.yml \ + kas shell meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml \ -c "../meta-arm/scripts/runfvp --terminals=tmux -- \ -C board.msd_mmc.p_mmc_file=${WORKSPACE}/fvp_distro_system_drive.img \ -C board.msd_mmc_2.p_mmc_file=${DISTRO_INSTALLER_ISO_PATH}" ``` + :::note + The FVP distribution installation process can take 6-8 hours to complete. + ::: + The Linux distribution will be installed on `fvp_distro_system_drive.img`. #### Debian installation extra steps {.reference} The Debian installation may need the following extra steps: -1. Answer `Yes` to the question `Force grub installation to the EFI removable media path?`. +1. Answer `Yes` to the section `Install the GRUB boot loader`. If the GRUB installation fails, these are the steps to follow on the subsequent popups: @@ -890,7 +920,7 @@ cd ${WORKSPACE} && tmux Run the command below to simulate a cold boot: ``` -kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-a320.yml \ +kas shell meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml \ -c "../meta-arm/scripts/runfvp --terminals=tmux -- \ -C board.msd_mmc.p_mmc_file=${WORKSPACE}/fvp_distro_system_drive.img" ``` @@ -970,19 +1000,19 @@ To generate keys: cd ${WORKSPACE} git clone https://gitlab.arm.com/arm-reference-solutions/iot-platform-assets \ - -b CORSTONE1000-2025.12 + -b CORSTONE1000-2026.05 ``` 3. Set the current working directory to build directory's subdirectory containing the software stack build images. ``` - cd ${WORKSPACE}/build/tmp/deploy/images/corstone1000-fvp/ + cd ${WORKSPACE}/build/tmp/deploy/images/corstone1000-a320-fvp/ ``` 4. Run the image signing script (without changing the current working directory). ``` - ./${WORKSPACE}/iot-platform-assets/corstone1000/secureboot/create_keys_and_sign.sh \ + ${WORKSPACE}/iot-platform-assets/corstone1000/secureboot/create_keys_and_sign.sh \ -d fvp \ -v ${CERTIFICATE_VALIDITY_DURATION_IN_DAYS} ``` @@ -991,7 +1021,7 @@ To generate keys: The [efitools](https://github.com/vathpela/efitools/) package is required to execute the script. `${CERTIFICATE_VALIDITY_DURATION_IN_DAYS}` is an integer that specifies the certificate's validity period in days. Consult the image signing script help message (`-h`) for more information about other optional arguments. The script is interactive and contains commands that require `sudo` level permissions. ::: - The keys, signed kernel image, and unsigned kernel image will be copied to the exisiting ESP image. The modified ESP image can be found at `${WORKSPACE}/build/tmp/deploy/images/corstone1000-fvp/corstone1000-esp-image-corstone1000-fvp.wic`. + The keys, signed kernel image, and unsigned kernel image will be copied to the exisiting ESP image. The modified ESP image can be found at `${WORKSPACE}/build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000-esp-image-corstone1000-a320-fvp.wic`. ### Run unsigned image boot test {.reference} @@ -1001,7 +1031,7 @@ To run an unsigned image boot test: 2. Run the software stack as described in the Running the FVP model section of the Build, Flash and Run chapter. -3. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message `Press any key to stop`. +3. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message `Hit any key to stop autoboot`. :::note There is a timeout of 3 seconds to stop the execution at the U-Boot prompt. The U-Boot prompt looks as follows: @@ -1024,19 +1054,19 @@ To run an unsigned image boot test: ``` corstone1000# \ - load mmc 1:1 \$loadaddr corstone1000_secureboot_keys/PK.auth && setenv -e -nv -bs -rt -at -i \$loadaddr:\$filesize PK; \ - load mmc 1:1 \$loadaddr corstone1000_secureboot_keys/KEK.auth && setenv -e -nv -bs -rt -at -i \$loadaddr:\$filesize KEK; \ - load mmc 1:1 \$loadaddr corstone1000_secureboot_keys/db.auth && setenv -e -nv -bs -rt -at -i \$loadaddr:\$filesize db; \ - load mmc 1:1 \$loadaddr corstone1000_secureboot_keys/dbx.auth && setenv -e -nv -bs -rt -at -i \$loadaddr:\$filesize dbx + load mmc 1:1 $loadaddr corstone1000_secureboot_keys/PK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \ + load mmc 1:1 $loadaddr corstone1000_secureboot_keys/KEK.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize KEK; \ + load mmc 1:1 $loadaddr corstone1000_secureboot_keys/db.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize db; \ + load mmc 1:1 $loadaddr corstone1000_secureboot_keys/dbx.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize dbx ``` 6. Attempt to Load the unsigned kernel image. ``` corstone1000# \ - load mmc 1:1 \$loadaddr corstone1000_secureboot_fvp_images/Image_fvp; \ - loadm \$loadaddr \$kernel_addr_r \$filesize; \ - bootefi \$kernel_addr_r \$fdtcontroladdr + load mmc 1:1 $loadaddr corstone1000_secureboot_fvp_images/Image_fvp; \ + loadm $loadaddr $kernel_addr_r $filesize; \ + bootefi $kernel_addr_r $fdtcontroladdr Booting /MemoryMapped(0x0,0x88200000,0x236aa00) Image not authenticated @@ -1053,9 +1083,9 @@ Load the signed kernel image. ``` corstone1000# \ -load mmc 1:1 \$loadaddr corstone1000_secureboot_fvp_images/Image_fvp.signed; \ -loadm \$loadaddr \$kernel_addr_r $filesize; \ -bootefi \$kernel_addr_r \$fdtcontroladdr +load mmc 1:1 $loadaddr corstone1000_secureboot_fvp_images/Image_fvp.signed; \ +loadm $loadaddr $kernel_addr_r $filesize; \ +bootefi $kernel_addr_r $fdtcontroladdr ``` The signed Linux kernel image should be booted successfully. @@ -1068,14 +1098,17 @@ As a result, U-Boot reads these variables and verifies the Linux kernel image be In a typical boot scenario, the Linux kernel image is not signed, which will prevent the system from booting due to failed image authentication. To resolve this, the Platform Key (one of the UEFI authenticated variables for secure boot) needs to be deleted. -1. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message `Press any key to stop`. +For FVP, continue in the same boot cycle in which the UEFI secure boot keys were enrolled. +Do not cold boot FVP before deleting the Platform Key, because the secure flash contents are not preserved across an FVP cold boot. + +1. On the Host Processor terminal host side, stop the execution of U-Boot when prompted to do so with the message `Hit any key to stop autoboot`. 2. On the U-Boot , delete the Platform Key (PK). ``` corstone1000# \ mmc dev 1; \ - load mmc 1:1 \$loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i \$loadaddr:\$filesize PK; \ + load mmc 1:1 $loadaddr corstone1000_secureboot_keys/PK_delete.auth && setenv -e -nv -bs -rt -at -i $loadaddr:$filesize PK; \ boot ``` @@ -1107,14 +1140,14 @@ Symmetric multiprocessing (SMP) mode is supported on the Corstone-1000 with Cort 1. Build the software stack with SMP mode enabled. ``` - kas build meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-a320.yml:\ + kas build meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml:\ meta-arm/kas/corstone1000-multicore.yml ``` 2. Run the Corstone-1000 FVP. ``` - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-a320.yml:\ + kas shell meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml:\ meta-arm/kas/corstone1000-multicore.yml \ -c "../meta-arm/scripts/runfvp" ``` @@ -1135,7 +1168,7 @@ To build on Ethos-U85 NPU: ``` cd ${WORKSPACE} git clone https://git.gitlab.arm.com/arm-reference-solutions/iot-platform-assets.git \ - -b CORSTONE1000-2025.12 + -b CORSTONE1000-2026.05 ``` 2. Copy the additional kas configuration file to: @@ -1163,14 +1196,14 @@ To build on Ethos-U85 NPU: 5. Re-build the Corstone-1000 FVP software stack as follows: ``` - kas build meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-a320.yml:\ + kas build meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml:\ meta-arm/kas/ethos-u85-test.yml ``` 6. Run the Corstone-1000 FVP: ``` - kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-a320.yml:\ + kas shell meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml:\ meta-arm/kas/ethos-u85-test.yml \ -c "../meta-arm/scripts/runfvp" ``` diff --git a/meta-arm-bsp/documentation/corstone1000-a320/topics/user-guide.md b/meta-arm-bsp/documentation/corstone1000-a320/topics/user-guide.md index c0b1e6bc..61387909 100644 --- a/meta-arm-bsp/documentation/corstone1000-a320/topics/user-guide.md +++ b/meta-arm-bsp/documentation/corstone1000-a320/topics/user-guide.md @@ -1,8 +1,8 @@ # Build, flash and run {.chapter permissions=non-confidential} -The Arm Corstone-1000 software stack uses the Yocto Project to build a tiny Linux distribution suitable for the Arm Corstone-1000 platform (kernel and initramfs filesystem less than 6 MB on the flash). +The Arm Corstone-1000 with Cortex-A320 software stack uses the Yocto Project to build a tiny Linux distribution suitable for the Arm Corstone-1000 with Cortex-A320 platform (kernel and initramfs filesystem less than 6 MB on the flash). -The Corstone-1000 software stack can be run on [Arm Corstone-1000 Ecosystem FVP (Fixed Virtual Platform)](https://developer.arm.com/downloads/-/arm-ecosystem-fvps) and is built on top of Yocto Project's [Whinlatter release]($meta_arm_repository_release_branch). +The Corstone-1000 with Cortex-A320 software stack can be run on [Arm Corstone-1000 with Cortex-A320 FVP (Fixed Virtual Platform)](https://developer.arm.com/downloads/-/arm-ecosystem-fvps) and is built on top of Yocto Project's [Wrynose release]($meta_arm_repository_release_branch). The Yocto Project relies on the [BitBake](https://docs.yoctoproject.org/bitbake.html#bitbake-documentation) tool as its build tool. Please see the [Yocto Project documentation](https://docs.yoctoproject.org/) for more information. @@ -27,9 +27,9 @@ Please follow the steps described in the Yocto mega manual: ## Software components {.reference} -Within the Yocto Project, each component included in the Corstone-1000 software stack is specified as +Within the Yocto Project, each component included in the Corstone-1000 with Cortex-A320 software stack is specified as a [BitBake recipe](https://docs.yoctoproject.org/bitbake/2.2/bitbake-user-manual/bitbake-user-manual-intro.html#recipes). -The recipes specific to the Corstone-1000 BSP are located at: +The recipes specific to the Corstone-1000 with Cortex-A320 BSP are located at: `${WORKSPACE}/meta-arm/meta-arm-bsp/`. `${WORKSPACE}` refers to the absolute path to your workspace where the `meta-arm` repository will be cloned. Consider exporting it (e.g., `export WORKSPACE=$(realpath .)`) if you're already in the workspace directory, @@ -57,7 +57,7 @@ Table: Trusted Firmware-A components | Type | Path | | --------- | ---------------------------------------------------------------------------------------------------------------- | | bbappend | `${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend` | -| Recipe | `${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.14.0.bb` | +| Recipe | `${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.14.1.bb` | #### Trusted Services {.reference} @@ -90,7 +90,7 @@ Table: OP-TEE components | Type | Path | | --------- | ---------------------------------------------------------------------------------------------------------------- | -| bbappend | `${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend` | +| bbappend | `${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_%.bbappend` | | Recipe | `${WORKSPACE}/meta-arm/meta-arm/recipes-security/optee/optee-os_4.9.0.bb` | #### U-Boot {.reference} @@ -103,7 +103,7 @@ Table: U-Boot components | --------- | ---------------------------------------------------------------------------------------------------------------- | | bbappend | `${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend` | | bbappend | `${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend` | -| Recipe | `${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_2025.04.bb` | +| Recipe | `${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_2025.10.bb` | #### Linux {.reference} @@ -135,7 +135,7 @@ Table: Trusted Firmware-M secure enclave components | Type | Path | | --------- | ---------------------------------------------------------------------------------------------------------------- | | bbappend | `${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend` | -| Recipe | `${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.2.1.bb` | +| Recipe | `${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.2.2.bb` | ## Build {.reference} @@ -164,19 +164,19 @@ Building binaries natively on Windows and AArch64 Linux is not supported. Use an ``` cd ${WORKSPACE} - git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2025.12 + git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2026.05 ``` -4. Build a Corstone-1000 image: +4. Accept the EULA on the [Arm Developer](https://developer.arm.com/downloads/-/arm-ecosystem-fvps/eula) site to build a Corstone-1000 with Cortex-A320 image for FVP as follows: ``` - kas build meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml + export ARM_FVP_EULA_ACCEPT="True" ``` -5. Accept the EULA on the [Arm Developer](https://developer.arm.com/downloads/-/arm-ecosystem-fvps/eula) site to build a Corstone-1000 image for FVP as follows: +5. Build a Corstone-1000 with Cortex-A320 image: ``` - export ARM_FVP_EULA_ACCEPT="True" + kas build meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml ``` A clean build takes a significant amount of time given that all of the development machine utilities are also @@ -188,7 +188,7 @@ Once the build succeeds, all output binaries will be placed in `${WORKSPACE}/bui Everything apart from the Secure Enclave ROM firmware is bundled into a single binary, the `corstone1000-flash-firmware-image-corstone1000-a320-fvp.wic` file. -The output binaries run in the Corstone-1000 platform are the following: +The output binaries run in the Corstone-1000 with Cortex-A320 platform are the following: - The Secure Enclave ROM firmware: `${WORKSPACE}/build/tmp/deploy/images/corstone1000-a320-fvp/trusted-firmware-m/bl1.bin` - The internal firmware flash image: `${WORKSPACE}/build/tmp/deploy/images/corstone1000-a320-fvp/corstone1000-flash-firmware-image-corstone1000-a320-fvp.wic` @@ -218,21 +218,21 @@ on memories and peripherals before bringing the Host Processor out of reset. The Host Processor will boot TrustedFirmware-A, OP-TEE, U-Boot and then Linux before presenting a login prompt. -A Fixed Virtual Platform (FVP) model of the Corstone-1000 platform must be available to run the -Corstone-1000 FVP software image. +A Fixed Virtual Platform (FVP) model of the Corstone-1000 with Cortex-A320 platform must be available to run the +Corstone-1000 with Cortex-A320 FVP software image. A Yocto recipe is provided to download the latest supported FVP version. The recipe is located at `${WORKSPACE}/meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000-a320.bb`. -The latest FVP version is `11.30.27` for Corstone-1000, and the model is automatically downloaded and installed when using the `runfvp` command as follows: +The latest FVP version is `11.31.cs1000_a320_2` for Corstone-1000 with Cortex-A320, and the model is automatically downloaded and installed when using the `runfvp` command as follows: ``` kas shell meta-arm/kas/corstone1000-a320-fvp.yml:meta-arm/ci/debug.yml \ -c "../meta-arm/scripts/runfvp -- --version" ``` -The FVP can also be manually downloaded from [Arm Developer](https://developer.arm.com/downloads/-/arm-ecosystem-fvps) to download the Corstone-1000 platform FVP installer. +The FVP can also be manually downloaded from [Arm Developer](https://developer.arm.com/downloads/-/arm-ecosystem-fvps) to download the Corstone-1000 with Cortex-A320 FVP package. To set up the FVP: @@ -262,4 +262,4 @@ To set up the FVP: ## Security issue reporting {.reference} -To report any security issues identified with Corstone-1000, please send an email to [psirt@arm.com](mailto:psirt@arm.com). +To report any security issues identified with Corstone-1000 with Cortex-A320, please send an email to [psirt@arm.com](mailto:psirt@arm.com). From patchwork Tue Jun 30 12:47:02 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Harsimran Singh Tungal X-Patchwork-Id: 91397 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 685D3C44500 for ; Tue, 30 Jun 2026 12:47:19 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20064.1782823634646457568 for ; Tue, 30 Jun 2026 05:47:14 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=lYf3HJTP; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: harsimransingh.tungal@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id CA8042C46; Tue, 30 Jun 2026 05:47:09 -0700 (PDT) Received: from e132995.cambridge.arm.com (e132995.arm.com [10.1.29.35]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id B1D803F905; Tue, 30 Jun 2026 05:47:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1782823634; bh=bybrBVhkSbnuMk2wPfhh70xPbiu0DURAuS7DzljzT/g=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lYf3HJTPtovz8sPX8EhC7enrXAXWd/IwL1y2KbGDFbDHk7IOCX3xzmEm50sXApFzO AytrAIjq0jriAkiAHDmGgtQokrdITG9KqhCYxkLu70qmq6eMqqpzD5LNs+A9+Hw3xz 9hNS5c9cgMB2Y8cZfkfNHtl55NmlmoM4zGATcoFE= From: Harsimran Singh Tungal To: meta-arm@lists.yoctoproject.org Cc: Harsimran Singh Tungal Subject: [PATCH wrynose 3/5] corstone1000: Pin layers SHA for wrynose release Date: Tue, 30 Jun 2026 13:47:02 +0100 Message-Id: <20260630124704.301310-4-harsimransingh.tungal@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260630124704.301310-1-harsimransingh.tungal@arm.com> References: <20260630124704.301310-1-harsimransingh.tungal@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Jun 2026 12:47:19 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7102 Pinned layers in corstone1000-base.yml Signed-off-by: Harsimran Singh Tungal --- kas/corstone1000-base.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/kas/corstone1000-base.yml b/kas/corstone1000-base.yml index 4438bcb8..4eecde4f 100644 --- a/kas/corstone1000-base.yml +++ b/kas/corstone1000-base.yml @@ -5,21 +5,25 @@ distro: poky defaults: repos: - branch: master + branch: wrynose repos: bitbake: url: https://git.openembedded.org/bitbake + branch: "2.18" + commit: 22021758e66737bcf68dfd2b74adc6a0cb1d42d9 layers: bitbake: disabled core: url: https://git.openembedded.org/openembedded-core + commit: 06dd66e6220e5ce4ed4b9af4d8231ae5f0a8ce80 layers: meta: meta-yocto: url: https://git.yoctoproject.org/meta-yocto + commit: 8251bdad5fda780a000fb41e6eda82eadf0fa39e layers: meta-poky: @@ -31,7 +35,7 @@ repos: meta-openembedded: url: https://git.openembedded.org/meta-openembedded - # commit: 461d85a1831318747af5abe86da193bcde3fd9b4 + commit: 9af4488d46cb4fd4c0d2d64820c86225ebd6ac71 layers: meta-oe: meta-python: @@ -39,7 +43,7 @@ repos: meta-secure-core: url: https://github.com/wind-river/meta-secure-core.git - # commit: 59d7e90542947c342098863b9998693ac79352b0 + commit: 07a99ae241acd488a2feda1ededf87dc70dfde80 layers: meta-secure-core-common: meta-signing-key: From patchwork Tue Jun 30 12:47:03 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Harsimran Singh Tungal X-Patchwork-Id: 91398 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58461C43327 for ; Tue, 30 Jun 2026 12:47:19 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.20454.1782823635700021639 for ; Tue, 30 Jun 2026 05:47:15 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=vXu3yujd; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: harsimransingh.tungal@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id ACF2C2ED2; Tue, 30 Jun 2026 05:47:10 -0700 (PDT) Received: from e132995.cambridge.arm.com (e132995.arm.com [10.1.29.35]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 9B5373F905; Tue, 30 Jun 2026 05:47:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1782823635; bh=xeWM46I/E73LjxLodYhO44u27LqzS++hl305DrCAIOk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vXu3yujdImOldmcKPFzU2n4qTW8QjSsuGS9Lghf0u0Re2L7NOxhdh2+nv95Ta/3do WA0XC6PNmzwaAXb+6iweYQM+HIYsyL4b4k8ySuaqQSjyk5qSHcj50X2N7IOC4nDsLg RHdwFb8HgUN6CXyXQzUYjU4e9pzyTB4UvLW5P7vM= From: Harsimran Singh Tungal To: meta-arm@lists.yoctoproject.org Cc: Harsimran Singh Tungal Subject: [PATCH wrynose 4/5] fvp:corstone1000-a320: update Corstone-1000 A320 FVP to 11.31 Date: Tue, 30 Jun 2026 13:47:03 +0100 Message-Id: <20260630124704.301310-5-harsimransingh.tungal@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260630124704.301310-1-harsimransingh.tungal@arm.com> References: <20260630124704.301310-1-harsimransingh.tungal@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Jun 2026 12:47:19 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7103 Update the Corstone-1000 with Cortex-A320 FVP recipe to use the 11.31.cs1000_a320_2 release from Arm Developer. Switch the source URL to the new package layout, add the architecture-specific download tokens, and update the x86_64 and aarch64 SHA256 checksums. The new package extracts directly into the FVP install directory, so update the install step and license paths accordingly. Signed-off-by: Harsimran Singh Tungal --- .../fvp/fvp-corstone1000-a320.bb | 37 ++++++++++++++----- 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/meta-arm/recipes-devtools/fvp/fvp-corstone1000-a320.bb b/meta-arm/recipes-devtools/fvp/fvp-corstone1000-a320.bb index c266abc4..1c2e4933 100644 --- a/meta-arm/recipes-devtools/fvp/fvp-corstone1000-a320.bb +++ b/meta-arm/recipes-devtools/fvp/fvp-corstone1000-a320.bb @@ -2,12 +2,19 @@ require fvp-ecosystem.inc MODEL = "Corstone-1000-with-Cortex-A320" MODEL_CODE = "FVP_Corstone_1000-A320" -PV = "11.30.27" +PV = "11.31.cs1000_a320_2" +FVP_INSTALL_DIR = "${MODEL_CODE}_${PV}" -FVP_AARCH64_SHA256SUM = "a45898fead5549779153263c3544fa1032c285d532275eb678f58cae3317b01f" -FVP_X86_64_SHA256SUM = "d57b248a1c1bc5a6040605d50af94a5151adc4da26ec9acc456ec86b819ffb76" +FVP_AARCH64_SHA256SUM = "37b67836ff09089c292c1c78fa23d60f8613a95cf4a768b70f5b4f037ad476ef" +FVP_X86_64_SHA256SUM = "f84b973efa6a65c76ae7038a281b592836081fea1920eb90fa9ca983f177a1f2" -SRC_URI = "https://developer.arm.com/-/cdn-downloads/permalink/FVPs-Corstone-IoT/${MODEL}/${MODEL_CODE}_${PV_URL}_${FVP_ARCH}.tgz;subdir=${BP};name=fvp-${HOST_ARCH}" +FVP_ARCH:aarch64 = "Linux_armv8" +FVP_ARCH:x86-64 = "Linux_x86" + +FVP_URL_TOKEN:aarch64 = "st=1782487701~exp=2097847701~hmac=f31b5bcea56a5f3ac8cdb3d3bfe7611e5d394987752444c07c82365dc8936338" +FVP_URL_TOKEN:x86-64 = "st=1782487742~exp=2097847742~hmac=b2e12e26a2481d2c280e93c671f0b941fe9ebce5125a4c85f7d4bc7467f3e8f5" + +SRC_URI = "https://developer.arm.com/-/cdn-downloads/FVPs-Corstone-IoT/${MODEL}/${MODEL_CODE}_${PV}_${FVP_ARCH}.tar.gz?__token__=${FVP_URL_TOKEN};subdir=${BP};name=fvp-${HOST_ARCH}" SRC_URI[fvp-aarch64.sha256sum] = "${FVP_AARCH64_SHA256SUM}" SRC_URI[fvp-x86_64.sha256sum] = "${FVP_X86_64_SHA256SUM}" @@ -15,14 +22,24 @@ SRC_URI[fvp-x86_64.sha256sum] = "${FVP_X86_64_SHA256SUM}" UPSTREAM_VERSION_UNKNOWN = "1" LIC_FILES_CHKSUM = "\ - file://license_terms/license_agreement.txt;md5=1a33828e132ba71861c11688dbb0bd16 \ - file://license_terms/third_party_licenses/third_party_licenses.txt;md5=a5ce56e117d0ab63791fbb7c35ec2211 \ + file://${FVP_INSTALL_DIR}/license_terms/license_agreement.txt;md5=7fde2369510c8bcafaf4cbf42f7aa23a \ + file://${FVP_INSTALL_DIR}/license_terms/third_party_licenses/third_party_licenses.txt;md5=da95c9d79488fe4b6115bb7f9900b505 \ " -do_install:append() { - # This FVP embeds a Python runtime, so clean up RPATHs and remove pointless static libraries - chrpath --delete ${D}${FVPDIR}/python/lib/python*/lib-dynload/*.so - find ${D}${FVPDIR}/python/ -name *.a -delete +do_install() { + mkdir --parents ${D}${FVPDIR}/models/${FVP_ARCH_DIR} ${D}${bindir} + + cp --archive --no-preserve=ownership ${S}/${FVP_INSTALL_DIR} ${D}${FVPDIR}/models/${FVP_ARCH_DIR}/ + + FVP_DIR="${D}${FVPDIR}/models/${FVP_ARCH_DIR}/${FVP_INSTALL_DIR}" + + stat $FVP_DIR/bin/FVP_* >/dev/null 2>&1 || bbfatal Cannot find FVP binaries in $FVP_DIR/bin + + for FVP in $FVP_DIR/bin/FVP_*; do + ln -rs "$FVP" "${D}${bindir}/$(basename "$FVP")" + done } COMPATIBLE_HOST = "(aarch64|x86_64).*-linux" + +INSANE_SKIP:${PN} += "dev-so" From patchwork Tue Jun 30 12:47:04 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Harsimran Singh Tungal X-Patchwork-Id: 91399 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D7571C44503 for ; Tue, 30 Jun 2026 12:47:19 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.20067.1782823636605554109 for ; Tue, 30 Jun 2026 05:47:16 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@arm.com header.s=foss header.b=sCm5SZ0F; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: harsimransingh.tungal@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 94C7F1D15; Tue, 30 Jun 2026 05:47:11 -0700 (PDT) Received: from e132995.cambridge.arm.com (e132995.arm.com [10.1.29.35]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 7C2293F905; Tue, 30 Jun 2026 05:47:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=arm.com; s=foss; t=1782823636; bh=m+Hv5cjZGTnJVcLy/mBAX9etgVspxhGHgi/o44e3Th8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sCm5SZ0FgVol6zxvgIX+yS4VZ+46vex80+p5XpkEkMd2ltIVZ2J+GMUy7hYKmxCMm NI51SlNZ32m7bEr+8pePx+gckHsPOph3hW9ehu7yZAr46CFOZ8RyPJVkJbFZXyk+j+ 07+n9on/PvPPnPxmSgIqhdOgAYVUPYCOPRhfQCjg= From: Harsimran Singh Tungal To: meta-arm@lists.yoctoproject.org Cc: Harsimran Singh Tungal Subject: [PATCH wrynose 5/5] ci: enable testimage coverage for Corstone-1000 A320 FVP Date: Tue, 30 Jun 2026 13:47:04 +0100 Message-Id: <20260630124704.301310-6-harsimransingh.tungal@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20260630124704.301310-1-harsimransingh.tungal@arm.com> References: <20260630124704.301310-1-harsimransingh.tungal@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 30 Jun 2026 12:47:19 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/7104 Update the Corstone-1000 A320 FVP CI matrix to run testimage jobs. This enables testimage coverage for both the firmware-only and no-firmware entries. Signed-off-by: Harsimran Singh Tungal --- .gitlab-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9c56a5c4..b770e45a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -161,9 +161,9 @@ corstone1000-a320-fvp: parallel: matrix: - FIRMWARE: corstone1000-firmware-only - TESTING: [none, tftf] + TESTING: [testimage, tftf] - FIRMWARE: none - TESTING: none + TESTING: testimage documentation: extends: .setup