Question About U-Boot (trust_merger)


1 1

Recommended Posts



I have been studying Armbian's build script, and I have managed to extrapolate a standalone u-boot build process for my NanoPC-T4 by cherry-picking the relevant commands / patches from the builder repo:


This works well, and it opens the door for additional flexibility for those who need it regarding making the most of their hardware. That said, it raises a few questions.


1) My NanoPC-T4 will not boot without the Armbian patches. The vanilla u-boot does not work out of the box. I reported this issue here, but I'm wondering if the Armbian folks ever try to get patches back into upstream?


2) After many attempts, I cannot get a working u-boot (even with the patches) if I try to go the route of linking bl31.elf using the $BL31 environment variable. The only way I can get the loader to work is by building a separate trust.bin using the trust_merger binary. In looking at the Armbian build script, I see that a custom ini file is included with this section related to the BL31:




I'm wondering if that ADDR line is the reason that building a trust.bin works, but trying to link against bl31.elf does not. Is there a way to build u-boot without using trust.bin to achieve an identical result? My exact build steps are as follows:


$ docker run -ti ubuntu:focal
# apt-get update

# apt-get -y install build-essential flex bison gcc-aarch64-linux-gnu git \
  device-tree-compiler python3 gcc-arm-none-eabi bc

# cd /root

# git clone

# cd u-boot-nanopct4

# make CROSS_COMPILE=aarch64-linux-gnu- nanopc-t4-rk3399_defconfig
# make u-boot-dtb.bin CROSS_COMPILE=aarch64-linux-gnu-

# tools/mkimage -n rk3399 -T rksd -d vendor/rkbin/blobs/rk3399_ddr_800MHz_v1.24.bin idbloader.bin
# cat vendor/rkbin/blobs/rk3399_miniloader_v1.19.bin >> idbloader.bin

# export PATH=$PATH:`pwd`/vendor/rkbin/bin
# trust_merger --replace bl31.elf vendor/rkbin/blobs/rk3399_bl31_v1.30.elf trust.ini
# loaderimage --pack --uboot ./u-boot-dtb.bin uboot.img

# dd if=idbloader.bin of=/dev/mmcblk2 seek=64 conv=notrunc
# dd if=uboot.img of=/dev/mmcblk2 seek=16384 conv=notrunc
# dd if=trust.bin of=/dev/mmcblk2 seek=24576 conv=notrunc
# sync


Lastly, I want to give a quick thanks to the Armbian project for doing such amazing work. Looking through all of the builder code has really given me an appreciation as to the level of detail and knowledge embedded in this work, and it's super impressive how well everything works out of the box. Thanks!

Link to post
Share on other sites

Armbian is a community driven open source project. Do you like to contribute your code?

Negative. It behaves in the same way as the issue I reported to the u-boot mailing list. You can see my post here:


And my boot log here (via UART):


The only way I've been able to get the NanoPC-T4 to work is via building a standalone trust.bin and using the Armbian patches.

Link to post
Share on other sites

Sure, I will test this. The whole set up right now is a "throwaway".  I'm basically using the nano to learn more about SoC, u-boot, aarch64, etc. I've been testing with the kernel that ships with Nix, but I've also done some testing with kernel that ships with Armbian. I'll report back.

Link to post
Share on other sites

I could not get the aforementioned kernel to work, but I have managed to build a u-boot that works with the NanoPC-T4 without using trust_merger (only using the ATF).


$ docker run -ti ubuntu:focal

# apt-get update

# apt-get -y install build-essential flex bison gcc-aarch64-linux-gnu git device-tree-compiler python3 gcc-arm-none-eabi bc

# cd /root

# git clone 
# git clone

# cd arm-trusted-firmware/
# make realclean
# make CROSS_COMPILE=aarch64-linux-gnu- PLAT=rk3399 bl31
# cp /root/arm-trusted-firmware/build/rk3399/release/bl31/bl31.elf ../u-boot/
# cd ../u-boot
# make CROSS_COMPILE=aarch64-linux-gnu- nanopc-t4-rk3399_defconfig
# make CROSS_COMPILE=aarch64-linux-gnu-

# git clone rkbin

# rkbin=./rkbin

# ./tools/mkimage -n rk3399 -T rksd -d ${rkbin}/rk33/rk3399_ddr_800MHz_v1.24.bin idbloader.img
# cat ${rkbin}/rk33/rk3399_miniloader_v1.19.bin >> idbloader.img


Copy files to target machine...


# dd if=idbloader.img of=/dev/mmcblk2 conv=fsync,notrunc bs=512 seek=64
# dd if=u-boot.itb of=/dev/mmcblk2 conv=fsync,notrunc bs=512 seek=16384


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


1 1