Step 1: Set up SBL
Some of the following instructions are taken from different documents mentioned in Download the SBL Source Code and the Slim Bootloader Document and assembled here to give a better user experience.
In this step, you will configure Intel® TCC Tools during the SBL setup on your host system. You will need to enable the following options in SBL:
Intel® Time Coordinated Computing Mode (Intel® TCC Mode)
The Intel® TCC Mode option configures many individual settings in a single location. These settings are considered the out-of-box configuration for real-time applications and the starting point for exploring Intel® TCC Tools.
Software SRAM
The Software SRAM option enables or disables software static random-access memory (software SRAM). Software SRAM enables you to allocate low-latency memory buffers for your real-time applications. Software SRAM is a software construct that uses hardware capabilities to allocate a portion of the physical address space into the cache so the addresses are less likely to be evicted by the same or other processes. For details about the Software SRAM option, see the Developer Guide (Public Document).
Data Streams Optimizer
The Data Streams Optimizer option enables or disables the data streams optimizer tool. The tool enables you to improve data movement between processor subsystems, for example, when data packets need to be transferred between an Ethernet card connected to a PCIe* port and system memory. The tool tunes the various control points between these entities by instructing the SBL to write values to registers. For details about the Data Streams Optimizer option, see the Data Streams Optimizer Setting (Public Document).
TCC Error Log
The Intel® TCC error log feature allows you to see errors that happened during the BIOS boot process.
Based on your use case, you may decide later to use a different SBL configuration.
Supported Hardware
See the supported hardware list for the supported processors.
Intel® TCC Tools currently supports the following processors:
Intel Atom® x6000E Series Processors (code name: Elkhart Lake Processors)
11th Generation Intel® Core™ Processors (code name: Tiger Lake UP3 Processors)
Intel® Xeon® W-11000E Series Processors (code name: Tiger Lake H Processors)
SBL Prerequisites
You will need the DediProg* device, DediProg software (engineering version), and a Windows* Host.
Download the SBL Source Code
Download the SBL source code for your supported hardware:
SBL Source Code Supported Hardware
SBL Firmware Release Notes Document Number
Intel Atom® x6000E Series Processors (Code Name: Elkhart Lake Processors)
11th Generation Intel® Core™ Processors (Code Name: Tiger Lake UP3 Processors)
Intel® Xeon® W-11000E Series Processors (Code Name: Tiger Lake H Processors)
Extract the compressed file. You will see three files: Readme_Extract.txt, ReleaseNotes.txt, and the *.se file.
Create a <work_directory> in the Linux* machine: mkdir sbl-test
Copy the *.se file into your <work_directory>.
Make the *.se file executable by running the following command:
chmod +x <filename>.se
Extract the *.se file using the following command:
./<filename>.se
Page through the license using the space bar. At the end, enter ‘y’ and press ENTER to accept the license.
Extract the contents of the *.se file into a directory with the same name as the *.se file (without the .se extension).
Extract the SblPlatform.zip file.
The following table lists the contents in the extracted *.se file:
File List
File | Description |
---|---|
SblPlatform.zip | SBL source code |
UefiPldPlatform.zip (not required if using SBL) | UEFI payload source code |
CfgData | SBL configuration data |
Documents/TGL_UP3_IoT_Features.pdf | Document on how to enable Intel® TCC, TSN, IBECC, FuSa |
Documents/TGL_UP3_FirmwareUpdate.pdf | Document on how to update firmware |
Documents/SBL_TGL_Security_addendum.pdf | Tiger Lake security feature |
Documentation/license.txt | License |
Licenses/License Notices.pdf | License notices |
Licenses/Slim Bootloader_C2A_Commercial Use License -limited use binary Final Clean 3.7.19.pdf | Commercial Use License |
Enable Intel® TCC in SBL
To enable the Intel® TCC subregion setting in SBL, go to the following directory:
<work_directory>/SblPlatform/SblOpen/Platform/<PlatformBoardPkg>/
For Tiger Lake UP3 Processors or Tiger Lake H Processors, go to the following directory:
<work_directory>/sbl-tgl-up3-mr5-rel/SblPlatform/SblOpen/Platform/<PlatformBoardPkg>/
NOTE: Replace <PlatformBoardPkg> with:
“ElkhartlakeBoardPkg” for Elkhart Lake Processors
“TigerlakeBoardPkg” for Tiger Lake UP3 Processors
“TigerlakehBoardPkg” for Tiger Lake H Processors
Open the “BoardConfig.py” configuration file and set “self.ENABLE_TCC = 1” and “self.ENABLE_TSN = 1”.
Save the configuration file.
Download the Cache Reservation Library (CRL) Binary:
The Cache Reservation Library (CRL) binary, formerly known as the Platform Tuning Configuration Manager (PTCM) binary, is a module that implements the logic to create software SRAM buffers within the cache hierarchy on Intel Atom® x6000E Series Processors, 11th Gen Intel® Core™ Processors, and Intel® Xeon® W-11000E Series Processors.
Intel’s Integrated Firmware Image (IFWI) binary enables CRL by default to create software SRAM regions within the physical address space accessible through Intel® TCC Tools. To enable Intel® TCC Tools, integrate the specific CRL version for your Intel® platform into the UEFI BIOS or Slim Bootloader.
Go to the following directory:
NOTE: Replace <PlatformBoardPkg> with:
“ElkhartlakeBoardPkg” for Elkhart Lake Processors
“TigerlakeBoardPkg” for Tiger Lake UP3 Processors
“TigerlakehBoardPkg” for Tiger Lake H Processors
<work_directory>/SblPlatform/SblOpen/Platform/<PlatformBoardPkg>/
Create the “Binaries” folder in the path.
Find your Intel® platform, look for the latest release, then click the CRL version link provided in the following table. Download and extract the .zip file:
CRL Versions for Different Platforms
Platform | Release | IFWI Kit Version | CRL Version | Intel® TCC Tools Version |
---|---|---|---|---|
Intel Atom® x6000E Series Processors (Codename: Elkhart Lake Processors) | MR3 | v4122.00 |  | 2022.1 |
Intel Atom® x6000E Series Processors (Codename: Elkhart Lake Processors) | MR2 | v3471.01 |  | 2021.3, 2022.1 |
Intel Atom® x6000E Series Processors (Codename: Elkhart Lake Processors) | MR1 | v3312.01 |  | 2021.2, 2021.3 |
Intel Atom® x6000E Series Processors (Codename: Elkhart Lake Processors) | PR1 | v3165.02 |  | 2021.1, 2021.2 |
Intel Atom® x6000E Series Processors (Codename: Elkhart Lake Processors) | PV | v3097.01a |  | 2021.1, 2021.2 |
11th Gen Intel® Core™ Processors (Codename: Tiger Lake UP3 Processors) | MR5 | v5035_01 |  | 2022.1 |
11th Gen Intel® Core™ Processors (Codename: Tiger Lake UP3 Processors) | MR4 | v4415_01 |  | 2021.3, 2022.1 |
11th Gen Intel® Core™ Processors (Codename: Tiger Lake UP3 Processors) | MR3 | v4315_01 |  | 2021.2, 2021.3 |
11th Gen Intel® Core™ Processors (Codename: Tiger Lake UP3 Processors) | MR2 | v4225_01 |  | 2021.2 |
11th Gen Intel® Core™ Processors (Codename: Tiger Lake UP3 Processors) | MR1 | v4045_01 | v2.0 (no longer supported) | 2021.1 |
Intel® Xeon® W-11000E Series Processors (Codename: Tiger Lake H Processors) | MR3 | v5055_01 |  | 2022.1 |
Intel® Xeon® W-11000E Series Processors (Codename: Tiger Lake H Processors) | MR2 | v4425_01 |  | 2021.3, 2022.1 |
Intel® Xeon® W-11000E Series Processors (Codename: Tiger Lake H Processors) | MR1 | v4345_01 |  | 2021.3 |
Intel® Xeon® W-11000E Series Processors (Codename: Tiger Lake H Processors) | PV | v4285_02 |  | 2021.2, 2021.3 |
Copy the CRL binary (crl.bin) into the “Binaries” folder.
Set up the Build Environment
NOTE: The Linux* host system (Ubuntu 20.04 LTS 64-bit) is also supported for code development and compilation, but with limited validation coverage.
Instructions in this section show how to install the following software, to set up the build environment on the Linux* OS:
GCC 7.3 or above
Python* release 3.6 or above
NASM 2.12.02 or above
iASL 20200326
OpenSSL* toolkit version 1.1.1 or above
Git* version control system
Install the required packages on the Ubuntu* OS using the following command:
sudo apt-get install -y build-essential iasl python uuid-dev nasm openssl gcc-multilib qemu git
To check that iASL version 2020 or above is installed successfully:
iasl -v
To install iASL version 2020 or above, run the following commands in any folder:
wget https://acpica.org/sites/acpica/files/acpica-unix-20200326.tar.gz
tar xzf acpica-unix-20200326.tar.gz
cd acpica-unix-20200326
make
sudo make install
See iASL user guide for more details on iASL.
Get the OpenSSL toolkit path using the following command:
whereis -b openssl
Export the OpenSSL toolkit path using the following command:
export OPENSSL_PATH=<OpenSSL_Toolkit_Path>
E.g. export OPENSSL_PATH=/usr/local/bin/openssl
Generate Keys
Before building the Slim Bootloader, you need to generate a set of cryptographic keys. These keys have the .pem extension, and may be referred to as the PEM keys in other documents. Several keys are required for signing and verifying SBL components, and you need to put them in a location with a specified name.
Go to the SblPlatform directory using the following command:
cd <work_directory>/SblPlatform
Create the SblKeys folder using the following command:
mkdir SblKeys
SBL also provides a tool (SblOpen/BootloaderCorePkg/Tools/GenerateKeys.py) to generate all the keys in the SBL source code. Generate the keys in the SblKeys folder using the following command:
python3 SblOpen/BootloaderCorePkg/Tools/GenerateKeys.py -k SblKeys
When using the SBL OsLoader payload, use the following to verify the OS image:
OS1_TestKey_Pub_RSA2048.pem or
OS1_TestKey_Pub_RSA3072.pem
Replace them with the respective public keys used when signing the OS Image.
For OS images with the Yocto* container images, refer to the Yocto Project* BKC Release Notes. Get the private key used in signing the Yocto Project SBL container image during the Yocto Project image build. Refer to Step 2: Build Yocto Project*-Based Image. Then, extract the public keys and replace them with the following:
OS1_TestKey_Pub_RSA2048.pem or
OS1_TestKey_Pub_RSA3072.pem
NOTE: The key generation process is a one-time process. Use the same set of keys for signing and verification operations when generating the firmware capsule update image, configuration data, container image, and others. Verification operations will fail (security violations) if different keys are used. Also use the same keys in the sbl_os and sbl_rtcm for the Yocto Project* build image, and for the Data Streams Optimizer tool and the Cache Configurator tool.
For more information, refer to the key generation procedure in the Keys Generation section of the Slim Bootloader Project Documentation.
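One way to check, before building, that the public key placed in SblKeys is the public half of the private key that signs the OS image (an added example, not part of the original page or of the SBL tooling). The function name and the key file passed as the first argument are hypothetical, and the private key is assumed to be unencrypted.

```shell
#!/usr/bin/env bash
# Added example (not SBL tooling): confirm that the OS verification public key
# placed in SblKeys is the public half of the private key that signs the OS image.
# The function name and the argument file names are hypothetical.

# Usage: check_os_verify_key <signing_private_key.pem> <SblKeys/OS1_TestKey_Pub_RSA*.pem>
# Prints one status line; returns 0 on a match, 1 otherwise.
check_os_verify_key() {
    local priv_pem="$1" pub_pem="$2" from_priv from_pub bits want

    # Re-encode both sides as a normalized public key PEM so they compare byte for byte.
    from_priv=$(openssl pkey -in "$priv_pem" -pubout 2>/dev/null) || {
        echo "ERROR: cannot read private key $priv_pem"; return 1; }
    from_pub=$(openssl pkey -pubin -in "$pub_pem" -pubout 2>/dev/null) || {
        echo "ERROR: cannot read public key $pub_pem"; return 1; }

    if [ "$from_priv" != "$from_pub" ]; then
        echo "MISMATCH: $pub_pem is not the public half of $priv_pem"
        return 1
    fi

    # The file name states the key size (RSA2048 or RSA3072); check the key agrees.
    bits=$(openssl pkey -pubin -in "$pub_pem" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1)
    want=$(basename "$pub_pem" | sed -n 's/.*RSA\([0-9]*\)\.pem$/\1/p')
    if [ -n "$want" ] && [ "$bits" != "$want" ]; then
        echo "SIZE: $pub_pem holds a ${bits}-bit key, file name says $want"
        return 1
    fi

    echo "OK: $pub_pem (${bits}-bit) matches $priv_pem"
}
```

A MISMATCH or SIZE result here corresponds to the verification failure described in the note above, caught before the image is built and flashed.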
Configure the SBL (Optional)
Refer to the Slim Bootloader Configuration for more information on configuring the board or platform specific settings (for example, GPIO, features, memory, and boot options) using the SBL configuration data feature.
Build the SBL
Change the file permissions on the wrappers with these commands:
cd SblPlatform/SblOpen/BaseTools/BinWrappers/PosixLike/
chmod +x *
Go to your platform board package directory to open the .dlt file (the file depends on whether you are using LPDDR4 or DDR4), example given as follows:
vi SblPlatform/SblOpen/Platform/<platform_board_package>/CfgData/CfgData_Int_Tglu_Ddr4.dlt
Comment out the payload setting as follows to use the OsLoader payload:
#GEN_CFG_DATA.PayloadId | 'AUTO'
Build the SBL with OsLoader Payload:
python3 SblPlatform/SblOpen/BuildLoader.py build tgl -r
NOTE: -r is for release build. Default is the debug build.
NOTE: If you get an error, clean using the following command:
python3 BuildLoader.py clean
NOTE: After the SBL is built, you can see “Done [tgl]!”. Confirm that the image is located in the Outputs/<platform_name> folder.
The SBL supports two different payloads:
- OsLoader, which is the built-in payload built when building the SBL.
- UEFI Payload, which needs to be built separately.
To build a UEFI payload into the Slim Bootloader, you need to copy UEFIPAYLOAD.FD to SblOpen/Platform/TigerlakeBoardPkg/Binaries/UefiPld.fd before building the SBL.
The SBL can be built with the OsLoader and UEFI payload in a single SBL image. If both are built in, you can use J9J5 header on the Tiger Lake RVP to select the payload to boot with.
- When pin 3-4 are connected, select the UEFI payload.
- Otherwise, select the OsLoader payload to boot.
If you always want to boot to the UEFI payload without using the GPIO pin selection, you can update the config file to specify which payload to boot as follows before the build:
In SblOpen/Platform/TigerlakeBoardPkg/CfgData/CfgData_Int_Tglu_Ddr*.dlt, for example,
change: GEN_CFG_DATA.PayloadId | 'AUTO' to GEN_CFG_DATA.PayloadId | 'UEFI'
To build the SBL with OsLoader and UEFI payload (if you are using the UEFI binaries):
python3 SblBuild.py build tgl -p "OsLoader.efi:LLDR:Lz4;UefiPld.fd:UEFI:Lzma"
The Slimbootloader.bin image will be generated in the following folder:
Outputs/<platform_name>
NOTE: This binary needs to be stitched before writing to flash.
Stitch the SBL
Go to your work directory using the following command:
cd <work_directory>
Create the Components folder at your work directory using the following command:
mkdir Components
Go to the Components folder using the following command:
cd Components
Download each “Package” in the table and store all packages in the Components folder.
Extract the packages using the following command, for example: unzip 'IntelCSME_TGL-U_15.0.35.1951 V6.1_Consumer.zip':
unzip <filename_and_extension>
Go back to your work directory using the following command:
cd ..
Create the Stitching folder at your work directory using the following command:
mkdir Stitching
Go to the Stitching folder:
cd Stitching
Create each folder listed in the “Destination File” column using the following command, e.g. mkdir Fit
mkdir <destination_folder>
Copy all files listed under the “Source File” column to the “Destination File” locations, using the following command. If you see *.*, you will need to copy all files. For example, cp -r ~/<work_directory>/Components/IntelCSME_TGL-U_15.0.35.1951\ V6.1_Consumer/Tools/System_Tools/FIT/Linux64/* Fit/
cp -r <source_file_path> <destination_file_path>
If a different name is given as the “Destination File”, rename the file according to the name given in “Destination File” (e.g. rename “ME_FW_Consumer_15.0.35.1951_prod.bin” to “MeRegionFile.bin”):
NOTE: Contact an Intel representative for the latest Best Known Configuration (BKC) information to obtain the needed stitching components if any of the following links are not available.
Downloading Ingredients
To generate an IFWI for booting, the Slim Bootloader needs to stitch with other ingredients. You can download the following stitch ingredients from the Intel website or from the Slim Bootloader website.
Intel® Management Engine Firmware (Intel® ME FW) that is tied to an essential platform functionality. The Intel® ME FW contains code and configuration data for Intel® ME functions.
Gigabit Ethernet (GbE), a component embedded in the Multi-Chip Package (MCP). The GbE region of the flash contains bits that define the configuration of the GbE hardware.
Bootloader Image, required for the stitching process and is generated in a previous section.
To facilitate the Slim Bootloader stitching process, some stitch scripts are provided with this release kit to create an IFWI.
The following table shows the firmware ingredients that are validated to be used in this release. The “Package” column lists the download locations of the package. The “Source File” column lists the default firmware location after the package is extracted. The “Destination File” column lists the final location and filename. The following steps will guide you on copying the files from the location in the “Source File” column to the location in the “Destination File” column, and renaming the files if needed.
Stitching Ingredients
Package | Source File | Destination File |
---|---|---|
BPMGEN2 (RDC:573188) | *.* | BpmGen2/*.* |
CSME 15.0.35.1951v6.1_consumer (RDC:681974) | Tools/System_Tools/FIT/Linux64/*.* | Fit/*.* |
CSME 15.0.35.1951v6.1_consumer (RDC:681974) | Tools/System_Tools/FIT/ Windows32/*.* | Fit/*.* |
CSME 15.0.35.1951v6.1_consumer (RDC:681974) | Tools/System_Tools/MEU/Linux64/* | Meu/*.* |
CSME 15.0.35.1951v6.1_consumer (RDC:681974) | Tools/System_Tools/MEU/ Windows32/*.* | Meu/*.* |
CSME 15.0.35.1951v6.1_consumer (RDC:681974) | Image Components/CSME/Silicon/LP/ME_FW/ _Consumer_15.0.35.1951_prod.bin | Input/MeRegionFile.bin |
IOM 11.0016.0.0 (RDC: 681974) | Image Components/TCSS/IOM/ iomp_11.0016.0.0_prod.bin | Input/IomBinaryFile.bin |
PCHC 15.0.0.1021 (RDC: 681974) | Image Components/PCHC/ pchc_tgl_15.0.0.1021_prod.bin | Input/PchcSubPartitionData.bin |
Dekel PHY 11.225.256.2041 (RDC: 681974) | Image Components/TCSS/DEKEL_PHY/ PHY_B0_11.225.256.2041_prod.bin | Input/PhyBinaryFile.bin |
PMC 150.01.20.1039 (RDC: 681974) | Image Components/PMC/TGPLP_B0_PMC_FW/ _150.01.20.1039_prod.bin | Input/PmcBinary.bin |
TBT TBT_TGL_B0_REV43 (RDC: 681974) | Image Components/TCSS/TBT/ TBT_TGLREV_43_prod.bin | Input/TbtBinaryFile.bin |
ACM 1.14.25 (RDC: 642089) | BIOSACM/TigerLake_biosac/ _TGL_BIOSAC_REL_NT_O1.PW/ _signed_256K.bin | Input/acm0.bin |
ChipsetInit TgpLpB0_V8 (RDC: 636588) | TgpLpPchChipsetInitB0V8.bin | Input/ChipInitBinary.bin |
Diagnostic ACM 200812 (RDC: 630368) | TGL-UP3 Diagnostic ACM PV/b0/tgl-up3_diagnostic_acm_b0_200812.bin | Input/DiagnosticAcm.bin |
EC 1.39 (RDC: 644753) | TGL_EC-01.39_06_17_2021/TGL_EC01.39.bin | Input/EcRegion.bin |
EC 1.39 (RDC: 644753) | TGL_EC-01.39_06_17_2021/Results/ EcRegionPointer.bin | Input/EcRegionPointer.bin |
GbE 0.8 (RDC: 614233) | Nahum9_tgl_lp_v0.8/ n9_tgl_lp_v_non_lan_sw_v0.8/ n9_tgl_lp_v_non_la n_sw_v0.8.bin | Input/GbeRegion.bin |
ISH 5.4.1.4476v3 (RDC: 653591) | ISH_Kit_5.4.1.4476v3/ISH_FW/Image Components/FW/Production_ish/ C_5.4.1.4476.bin | Input/IshImage.bin |
ISH 5.4.1.4476v3 (RDC: 653591) | ISH_Kit_5.4.1.4476v3/ISH_FW/Image Components/PDT CONFIG FILES/INTC_pdt_TGL_MOSAIC/ _BOM 1_SENSORS | Input/PdtBinary.bin |
SblCode | Parameters set generated by BpmGen2GUI.exe. See the next section for details. | BpmGen2/bpmgen2.params |
NOTE: If you don’t see bpmgen2.params, you need to create it by referring to the next section.
Generate the BpmGen2 Params
Generate the bpmgen2.params file manually using the BpmGen2GUI tool by following these steps:
NOTE: Skip the following steps if the bpmgen2.params file has been generated.
In Windows* OS, run the BpmGen2GUI tool.
NOTE: If the BpmGen2GUI tool execution is prevented by Microsoft Defender SmartScreen, click “More Info” to run the tool.
NOTE: bpmgen2.params is a default file. As part of the stitching process, the required parameters would be overwritten with get_bpmgen2_params_change_list defined in StitchIfwiConfig*py. This is as per the SBL configuration.
Select a working directory (BpmGen2/).
Click [Create Boot Policy Manifest (BPM) Def].
NOTE: Do not click the highlighted option, [Create Key Manifest (KM)].
Navigate to the BPM Screen 3, as shown in the following figure:
Click [Save BPM Definition File].
Save as bpmgen2.params without changing any default configuration.
Copy bpmgen2.params to the BpmGen2 folder in the Linux* OS.
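A pre-stitch check for the layout built above, as an added example that is not part of the original page or of the SBL scripts: it reports every “Destination File” from the Stitching Ingredients table that is missing or empty under the Stitching folder, and confirms that BoardConfig.py still sets ENABLE_TCC and ENABLE_TSN to 1. The function and variable names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not SBL tooling). The file names below are the "Destination File"
# column of the Stitching Ingredients table; function names are hypothetical.

STITCH_INPUT_FILES="MeRegionFile.bin IomBinaryFile.bin PchcSubPartitionData.bin
PhyBinaryFile.bin PmcBinary.bin TbtBinaryFile.bin acm0.bin ChipInitBinary.bin
DiagnosticAcm.bin EcRegion.bin EcRegionPointer.bin GbeRegion.bin IshImage.bin
PdtBinary.bin"
STITCH_TOOL_DIRS="BpmGen2 Fit Meu"

# Usage: check_stitch_inputs <work_directory>/Stitching
# Prints one line per problem (all of them, not just the first); returns 1 if any.
check_stitch_inputs() {
    local dir="$1" name problems=0
    for name in $STITCH_TOOL_DIRS; do
        # A tool folder that exists but holds no files was created and never filled.
        if [ -z "$(find "$dir/$name" -type f 2>/dev/null | head -n 1)" ]; then
            echo "missing or empty tool folder: $name/"
            problems=$((problems + 1))
        fi
    done
    for name in $STITCH_INPUT_FILES; do
        if [ ! -e "$dir/Input/$name" ]; then
            echo "missing: Input/$name"
            problems=$((problems + 1))
        elif [ ! -s "$dir/Input/$name" ]; then
            # Present but zero bytes, for example after an interrupted copy.
            echo "zero-length: Input/$name"
            problems=$((problems + 1))
        fi
    done
    if [ ! -s "$dir/BpmGen2/bpmgen2.params" ]; then
        echo "missing: BpmGen2/bpmgen2.params"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Usage: board_flag_enabled <BoardConfig.py> <ENABLE_TCC|ENABLE_TSN>
# Returns 0 only if the last uncommented assignment of self.<flag> sets it to 1.
board_flag_enabled() {
    local cfg="$1" flag="$2" value
    value=$(sed -n "s/^[[:space:]]*self\.$flag[[:space:]]*=[[:space:]]*\([0-9A-Za-z_]*\).*/\1/p" \
        "$cfg" 2>/dev/null | tail -n 1)
    [ "$value" = "1" ]
}
```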
Stitching Steps
Ensure all the stitch components are ready in the <work_directory>/Stitching folder, and the SBL binary in the Outputs/<platform_name> folder. If you need to build the SBL, refer to the Build the SBL section.
Run the following command in the command line console to see the help message about the stitch script:
python3 SblOpen/Platform/TigerlakeBoardPkg/Script/StitchIfwi.py -h
usage: StitchIfwi.py [-h] [-p PLATFORM] [-w WORK_DIR] -c CONFIG_FILE [-s SBL_FILE] [-b {legacy,vm,fve,fvme}] [-d PLAT_DATA] [-r] [-t {ptt,dtpm,none}] [-o OPTION] [-op OUTPATH]
sudo apt-get install libxcb-xinerama.so.0
Argument | Description |
---|---|
-h, --help | show this help message and exit |
-p PLATFORM | specify platform SKU to stitch |
-w WORK_DIR | specify stitch workspace directory, Intel® Converged Security and Management Engine (Intel® CSME) tools and ingredients should be here |
-c CONFIG_FILE | specify the platform specific stitch config file |
-s SBL_FILE | specify slim bootloader file or generate zip file |
-b {legacy,vm,fve,fvme} | specify Boot Guard profile type |
-d PLAT_DATA | Specify a platform specific data (HEX, DWORD) for customization |
-r | delete temporary files after stitch |
-t {ptt,dtpm,none} | specify TPM type |
-o OPTION | Platform-specific stitch option. Format: ‘-o option1; option2; …’ For each option, the format is ‘parameter:data’. Try -o help for more information. |
-op OUTPATH | Specify path to write output IFWI and signed bin files. |
For -o parameter, type -o to obtain the details below:
‘sata’ – Enable SATA direct port, by default disabled.
‘tsn7’ – Enable TSN Port 7, by default TSN port is disabled.
‘lp4’ – Stitch for DDRLP4 board, by default for DDR4 board.
‘32MB’ – Stitch image set to 32MB, by default use 16MB.
‘spi’ – Set SPI frequency to be 25MHz, 33MHz, 50MHz, 100MHz.
For example, to stitch an IFWI image with the verified boot and measured boot enabled for Tiger Lake-U platform Bx silicon, run the following command:
python3 SblOpen/Platform/TigerlakeBoardPkg/Script/StitchIfwi.py -b legacy -s SblOpen/Outputs/tgl/Stitch_Components.zip -c SblOpen/Platform/TigerlakeBoardPkg/Script/StitchIfwiConfig_tglu.py -w /home/athirah/dx-sbl/Stitching/ -p tglu_b0
If stitching is successful, the following message is displayed. sbl_ifwi_tglu_b0.bin file is generated in the current folder:
IFWI Stitching completed successfully!
Boot Guard Profile: LEGACY
IFWI image: sbl_ifwi_tglu_b0.bin
NOTE: The stitch command only helps you to generate an IFWI quickly with the default settings. You can also change soft straps as needed by using the Intel® Flash Image Tool (Intel® FIT) based on the generated IFWI image. Refer to TGL-LP Consumer Bring Up Guide.pdf in the Intel® CSME package described in Downloading Ingredients.
NOTE: If you received a “permission denied” error while trying to build the SBL, use the following command to edit the permission so that everyone can access the folder:
chmod +x <folder_name/binary_name>
Flash the SBL onto the board.
NOTE: This activity is applicable on the Intel Reference Validation Platform or Customer Reference Board (RVP/CRB). If you are using an Original Equipment Manufacturer or Original Device Manufacturer (OEM/ODM) board, please work with your BIOS vendor or contact Intel representatives.
For more information on flashing the bootloader using a DediProg device, refer to the Intel Atom® x6000E Series, and Intel® Pentium® and Celeron® N and J Series Processors for IoT Applications (Elkhart Lake) - CRB User Guide.