The launch of OpenSTLinux 6.1 is a significant milestone because it broadens the impact that microprocessors have on systems run by microprocessors, thanks in part to the new M33-TD support. Instead of using the Cortex-A35, it’s possible to use a microcontroller to run secure boot operations, resulting in significant gains in performance, security, and power consumption. This new version of our Linux distribution also adds support for the STM32MP21 series and updates the kernel, and many other software components, such as the Trusted Firmware-A and -M, to name only two. This release also builds up the feature set available on the STM32MP2 family of devices by adding new power modes.
As microprocessors increasingly become the secret weapons of many integrators, an intuitive and powerful Embedded Linux distribution is like a superpower. Too often, decision-makers overlook the critical role the operating system plays in a project’s success. However, developers know all too well how a spotty kernel, poorly written middleware, and unstable builds can slow efforts to a crawl. That’s why we’ve been expanding OpenSTLinux since its launch in 2019, both in scope and capability. At first glance, there are more packages, new distributions, and myriads of expansions. Let us, therefore, explore the OpenSTLinux ecosystem and why it has been such a strong supporting cast in the STM32 MPU story.
What’s new in OpenSTLinux 6.1?
M33-TD support
OpenSTLinux 6.1 introduces support for M33-TD, which, as the name suggests, enables the use of a Cortex-M33 core as a Trusted Domain boot processor. As a result, developers can outsource some of the first boot processes to the microcontroller, thus significantly saving time and resources. For instance, in an STM32MP2, a system could start the first security checks to establish a root of trust without waking the Cortex-A, thus significantly improving efficiency. Then, when it’s time to access the user space and turn on the Cortex-A35, the fact that some of the earlier checks are already completed means that the system boots faster.
Isolating the Trusted Domain from the processor means that if the OS running on the Cortex-A35 needs to restart, it won’t affect what’s happening on the Cortex-M33. Reboot is thus faster, which can help when updating some of the operating system’s components. It also means that developers can better isolate the secure boot applications on the Cortex-M33, therefore providing another layer of security. If hackers compromise what’s running on the Cortex-A35, even by gaining physical access to it, the fact that the secure boot is on an entirely different core provides a significantly higher level of protection.
To help developers experiment with the new feature, we are adding M33-TD support to the STM32MP257F-EV1, with more coming. Indeed, any MPU with a Cortex-M33 supports a dual-boot mode that utilizes either the serial NOR memory of the Cortex-M33 or the eMMC flash of the Cortex-A35. It’s the quickest way to test performance gain, boot time, and efficiency. We are also enabling the independent reboot of the Cortex-A35 and various low-power modes that leverage this new setup. We are even showcasing a low-resolution splash screen generated by the Cortex-M33 on an I2C panel to indicate when the microcontroller initiates secure boot.
What makes a great BSP?
A secure foundation

At the heart of OpenSTLinux is its Board Support Package (BSP), which has significantly matured since its initial release. To ensure the integrity and security of the system, the ST BSP uses a boot chain based on Trusted Firmware for Cortex-A and U-Boot. It ensures that OpenSTLinux takes advantage of the protection mechanisms available in Cortex-A cores to guarantee the system’s integrity at its lowest level. OpenSTLinux BSP also includes an open portable trusted execution environment (OP-TEE), which isolates secure code from the rest of the system. As a result, developers immediately benefit from extensive protections that guard the system configuration, resource management, and other critical services.
Avid readers of the ST Blog know that we have multiplied our security initiatives, from STM32Trust, which provides documentation and code to help with various security implementations, to updating STM32CubeProgrammer to make secret provisioning more accessible on all our microprocessors. The new STM32MP2 even targets SESIP Level 3 certification to help makers provide concrete security guarantees to users. The OpenSTLinux BSP’s focus on ensuring the system’s integrity is thus a natural manifestation of our efforts to make security more accessible and ubiquitous. It’s also why we continue to mainline all our drivers to the Linux kernel. We want the open-source community to audit our work so we can respond rapidly to their feedback.
A close partnership with the open-source community
Indeed, since the launch of OpenSTLinux, ST has adopted the philosophy that upstreaming is in everyone’s best interest, and we continue to make it a priority by setting upstreaming objectives for our teams. There are security benefits and long-term support opportunities for companies looking to maintain systems over decades. It can also help developers standardize APIs to promote interoperability. Hence, OpenSTLinux is more than an OS for ST MPUs; it is a desire to lower the barrier to entry to embedded systems by facilitating secure and long-term development. Put simply, we aim to leverage the extensive capabilities of Linux while ensuring compatibility and support for our hardware, enabling developers to release their products to market more quickly.
It’s also why ST has added support for Buildroot. Initially, we focused our efforts on Yocto, and we still do. It’s often the de facto way to create a Linux-based system for industrial or niche applications. However, over the years, we heard from many in our communities who came from different backgrounds. Hence, we collaborated with Bootlin, a member of the ST Partner Program, to come up with an OpenSTLinux BSP based on OpenWRT. It’s also why we developed new OpenSTLinux-based distributions, such as OpenSTDroid and others based on OpenWRT. Put simply, as more communities adopt OpenSTLinux and STM32 MPUs, we try to meet developers where they are.
What makes a great ecosystem?
Specific packages for all stages of development

The best introduction to OpenSTLinux is with an evaluation board and a Starter Package. It’s a pre-built image with all the drivers and modules necessary to run the OS from an SD card or the embedded flash. It ensures developers can run the OS on their development board in minutes. Users don’t even need an IDE. They just boot up and start testing the operating system, run scripts, connect to the Internet, and more. Our STM32 MPU Wiki even provides a step-by-step guide to run the Starter Package on an STM32MP25 or an STM32MP15 board.
OpenSTLinux also comes in two other packages: Developer and Distribution. As the name suggests, the Developer Package targets ongoing projects. Programmers can use it to start writing and testing their applications. It, therefore, comes with an SDK, the source code for the MPU’s firmware, and more. It sits on top of the Starter Package and will help hasten development. Afterwards, when teams approach production, they can download the Distribution Package. It’s the most barebones version of the three and is meant to be the most optimized OpenSTLinux version the system will run in the field. It is also possible to customize the Distribution Package to create a unique Developer or Starter kit specific to a project or company.
Moreover, the OpenSTLinux BSP comes with all the services and modules enabling developers to work with STM32Cube Packages meant to run on the Cortex-M co-processor of the STM32MP15 or STM32MP2. Indeed, being able to isolate certain applications or benefit from a real-time operating system alongside the embedded Linux distribution on the Cortex-A means that developers can transition more easily from their MCU to their MPU, reuse code, and tailor their system to take advantage of both worlds. By integrating STM32Cube Packages into the OpenSTLinux BSP, we ensure developers have the tools they need to optimize their workflow, especially if they are already familiar with our ecosystem on our STM32 MCUs.
Numerous expansion packages to facilitate developments
Finally, ST continues to release new OpenSTLinux expansion packages to accelerate developments further. From X-LINUX-AI, which helps with machine learning applications, to X-LINUX-RT to approximate real-time execution, X-LINUX-PRDMNT for predictive maintenance, X-LINUX-GNSS1 for cellular connections, X-LINUX-AWS to connect to Amazon Web Services, and X-LINUX-NFC6 for contactless systems, there’s a package for a wide range of development needs. And the ecosystem keeps growing. While some competing ecosystems struggle to provide a reliable Linux distribution for their Arm microprocessor, OpenSTLinux is so dependable and extensive that we are now focusing on helping developers with their features outside the OS.