Skip to content

GitLab

Unverified Commit fb45044b authored by davidcunado-arm's avatar davidcunado-arm Committed by GitHub
Browse files

Merge pull request #1312 from davidcunado-arm/dc/update_docs 

Docs: Update various for v1.5 release
parents c3e34a9e 855ac025
Hide whitespace changes
Inline Side-by-side
contributing.rst
View file @ fb45044b
Contributing to ARM Trusted Firmware
====================================
Contributing to Trusted Firmware-A
==================================
Getting Started
---------------
- Make sure you have a `GitHub account`_.
- Create an `issue`_ for your work if one does not already exist. This gives
everyone visibility of whether others are working on something similar. ARM
licensees may contact ARM directly via their partner managers instead if
everyone visibility of whether others are working on something similar. Arm
licensees may contact Arm directly via their partner managers instead if
they prefer.
- Note that the `issue`_ tracker for this project is in a separate
......@@ -27,8 +27,8 @@ Making Changes
- Make commits of logical units. See these general `Git guidelines`_ for
contributing to a project.
- Follow the `Linux coding style`_; this style is enforced for the ARM Trusted
Firmware project (style errors only, not warnings).
- Follow the `Linux coding style`_; this style is enforced for the TF-A
project (style errors only, not warnings).
- Use the checkpatch.pl script provided with the Linux source tree. A
Makefile target is provided for convenience (see section 2 in the
......@@ -57,7 +57,7 @@ Making Changes
::
Portions copyright (c) [XXXX-]YYYY, ARM Limited and Contributors. All rights reserved.
Portions copyright (c) [XXXX-]YYYY, Arm Limited and Contributors. All rights reserved.
where XXXX is the year of first contribution (if different to YYYY) and
YYYY is the year of most recent contribution.
......@@ -108,7 +108,7 @@ Submitting Changes
--------------
*Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2013-2018, Arm Limited and Contributors. All rights reserved.*
.. _GitHub account: https://github.com/signup/free
.. _issue: https://github.com/ARM-software/tf-issues/issues
......
docs/arm-sip-service.rst
View file @ fb45044b
ARM SiP Service
Arm SiP Service
===============
This document enumerates and describes the ARM SiP (Silicon Provider) services.
This document enumerates and describes the Arm SiP (Silicon Provider) services.
SiP services are non-standard, platform-specific services offered by the silicon
implementer or platform provider. They are accessed via. ``SMC`` ("SMC calls")
......@@ -13,20 +13,20 @@ services:
``0xc200ffff`` for 64-bit calls, and ``0x82000000`` - ``0x8200ffff`` for 32-bit
calls.
The ARM SiP implementation offers the following services:
The Arm SiP implementation offers the following services:
- Performance Measurement Framework (PMF)
- Execution State Switching service
Source definitions for ARM SiP service are located in the ``arm_sip_svc.h`` header
Source definitions for Arm SiP service are located in the ``arm_sip_svc.h`` header
file.
Performance Measurement Framework (PMF)
---------------------------------------
The `Performance Measurement Framework`_
allows callers to retrieve timestamps captured at various paths in ARM Trusted
Firmware execution. It's described in detail in `Firmware Design document`_.
allows callers to retrieve timestamps captured at various paths in TF-A
execution. It's described in detail in `Firmware Design document`_.
Execution State Switching service
---------------------------------
......@@ -35,8 +35,8 @@ Execution State Switching service provides a mechanism for a non-secure lower
Exception Level (either EL2, or NS EL1 if EL2 isn't implemented) to request to
switch its execution state (a.k.a. Register Width), either from AArch64 to
AArch32, or from AArch32 to AArch64, for the calling CPU. This service is only
available when ARM Trusted Firmware is built for AArch64 (i.e. when build option
``ARCH`` is set to ``aarch64``).
available when Trusted Firmware-A (TF-A) is built for AArch64 (i.e. when build
option ``ARCH`` is set to ``aarch64``).
``ARM_SIP_SVC_EXE_STATE_SWITCH``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -79,8 +79,8 @@ The service may return the following error codes:
- ``STATE_SW_E_PARAM``: If any of the parameters were deemed invalid for
a specific request.
- ``STATE_SW_E_DENIED``: If the call is not successful, or when ARM Trusted
Firmware is built for AArch32.
- ``STATE_SW_E_DENIED``: If the call is not successful, or when TF-A is
built for AArch32.
If the call is successful, the caller wouldn't observe the SMC returning.
Instead, execution starts at the supplied entry point, with the CPU registers 0
......@@ -89,7 +89,7 @@ respectively.
--------------
*Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2017-2018, Arm Limited and Contributors. All rights reserved.*
.. _SMC Calling Convention: http://infocenter.arm.com/help/topic/com.arm.doc.den0028a/index.html
.. _Performance Measurement Framework: ./firmware-design.rst#user-content-performance-measurement-framework
......
docs/auth-framework.rst
View file @ fb45044b
......@@ -7,8 +7,9 @@ Abstracting a Chain of Trust
.. contents::
The aim of this document is to describe the authentication framework implemented
in the Trusted Firmware. This framework fulfills the following requirements:
The aim of this document is to describe the authentication framework
implemented in Trusted Firmware-A (TF-A). This framework fulfills the
following requirements:
#. It should be possible for a platform port to specify the Chain of Trust in
terms of certificate hierarchy and the mechanisms used to verify a
......@@ -152,8 +153,8 @@ performed to verify it:
In Diagram 1, each component is responsible for one or more of these operations.
The responsibilities are briefly described below.
TF Generic code and IO framework (GEN/IO)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TF-A Generic code and IO framework (GEN/IO)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
These components are responsible for initiating the authentication process for a
particular image in BL1 or BL2. For each BL image that requires authentication,
......@@ -162,8 +163,8 @@ image until either an authenticated image or the ROT is reached. Then the
Generic code calls the IO framewotk to load the image and calls the
Authentication module to authenticate it, following the CoT from ROT to Image.
TF Platform Port (PP)
^^^^^^^^^^^^^^^^^^^^^
TF-A Platform Port (PP)
^^^^^^^^^^^^^^^^^^^^^^^
The platform is responsible for:
......@@ -374,8 +375,8 @@ single parsing method. There has to be one IPL for every method used by the
platform.
#. Raw format: This format is effectively a nop as an image using this method
is treated as being in raw binary format e.g. boot loader images used by ARM
TF. This method should only be used by data images.
is treated as being in raw binary format e.g. boot loader images used by
TF-A. This method should only be used by data images.
#. X509V3 method: This method uses industry standards like X.509 to represent
PKI certificates (authentication images). It is expected that open source
......@@ -631,8 +632,8 @@ array of image descriptors and it is registered in the framework using the macro
process to fail).
The number of images participating in the boot process depends on the CoT. There
is, however, a minimum set of images that are mandatory in the Trusted Firmware
and thus all CoTs must present:
is, however, a minimum set of images that are mandatory in TF-A and thus all
CoTs must present:
- ``BL2``
- ``SCP_BL2`` (platform specific)
......@@ -648,7 +649,7 @@ Following the `Platform Porting Guide`_, a platform must provide unique
identifiers for all the images and certificates that will be loaded during the
boot process. If a platform is using the TBBR as a reference for trusted boot,
these identifiers can be obtained from ``include/common/tbbr/tbbr_img_def.h``.
ARM platforms include this file in ``include/plat/arm/common/arm_def.h``. Other
Arm platforms include this file in ``include/plat/arm/common/arm_def.h``. Other
platforms may also include this file or provide their own identifiers.
**Important**: the authentication module uses these identifiers to index the
......@@ -880,7 +881,7 @@ extract the authentication parameters. The number and type of parser libraries
depend on the images used in the CoT. Raw images do not need a library, so
only an x509v3 library is required for the TBBR CoT.
ARM platforms will use an x509v3 library based on mbed TLS. This library may be
Arm platforms will use an x509v3 library based on mbed TLS. This library may be
found in ``drivers/auth/mbedtls/mbedtls_x509_parser.c``. It exports three
functions:
......@@ -898,14 +899,14 @@ an image of type ``IMG_CERT``, it will call the corresponding function exported
in this file.
The build system must be updated to include the corresponding library and
mbed TLS sources. ARM platforms use the ``arm_common.mk`` file to pull the
mbed TLS sources. Arm platforms use the ``arm_common.mk`` file to pull the
sources.
The cryptographic library
~~~~~~~~~~~~~~~~~~~~~~~~~
The cryptographic module relies on a library to perform the required operations,
i.e. verify a hash or a digital signature. ARM platforms will use a library
i.e. verify a hash or a digital signature. Arm platforms will use a library
based on mbed TLS, which can be found in
``drivers/auth/mbedtls/mbedtls_crypto.c``. This library is registered in the
authentication framework using the macro ``REGISTER_CRYPTO_LIB()`` and exports
......@@ -934,7 +935,7 @@ of SHA-256 with smaller memory footprint (~1.5 KB less) but slower (~30%).
--------------
*Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2017-2018, Arm Limited and Contributors. All rights reserved.*
.. _Trusted Board Boot: ./trusted-board-boot.rst
.. _Platform Porting Guide: ./porting-guide.rst
docs/change-log.rst
View file @ fb45044b
......@@ -4,8 +4,294 @@
.. contents::
ARM Trusted Firmware - version 1.4
==================================
Trusted Firmware-A - version 1.5
================================
New features
------------
- Added new firmware support to enable RAS (Reliability, Availability, and
Serviceability) functionality.
- Secure Partition Manager (SPM): A Secure Partition is a software execution
environment instantiated in S-EL0 that can be used to implement simple
management and security services. The SPM is the firmware component that
is responsible for managing a Secure Partition.
- SDEI dispatcher: Support for interrupt-based SDEI events and all
interfaces as defined by the SDEI specification v1.0, see
`SDEI Specification`_
- Exception Handling Framework (EHF): Framework that allows dispatching of
EL3 interrupts to their registered handlers which are registered based on
their priorities. Facilitates firmware-first error handling policy where
asynchronous exceptions may be routed to EL3.
Integrated the TSPD with EHF.
- Updated PSCI support:
- Implemented PSCI v1.1 optional features `MEM_PROTECT` and `SYSTEM_RESET2`.
The supported PSCI version was updated to v1.1.
- Improved PSCI STAT timestamp collection, including moving accounting for
retention states to be inside the locks and fixing handling of wrap-around
when calculating residency in AArch32 execution state.
- Added optional handler for early suspend that executes when suspending to
a power-down state and with data caches enabled.
This may provide a performance improvement on platforms where it is safe
to perform some or all of the platform actions from `pwr_domain_suspend`
with the data caches enabled.
- Enabled build option, BL2_AT_EL3, for BL2 to allow execution at EL3 without
any dependency on TF BL1.
This allows platforms which already have a non-TF Boot ROM to directly load
and execute BL2 and subsequent BL stages without need for BL1. This was not
previously possible because BL2 executes at S-EL1 and cannot jump straight to
EL3.
- Implemented support for SMCCC v1.1, including `SMCCC_VERSION` and
`SMCCC_ARCH_FEATURES`.
Additionally, added support for `SMCCC_VERSION` in PSCI features to enable
discovery of the SMCCC version via PSCI feature call.
- Added Dynamic Configuration framework which enables each of the boot loader
stages to be dynamically configured at runtime if required by the platform.
The boot loader stage may optionally specify a firmware configuration file
and/or hardware configuration file that can then be shared with the next boot
loader stage.
Introduced a new BL handover interface that essentially allows passing of 4
arguments between the different BL stages.
Updated cert_create and fip_tool to support the dynamic configuration files.
The COT also updated to support these new files.
- Code hygiene changes and alignment with MISRA guideline:
- Fix use of undefined macros.
- Achieved compliance with Mandatory MISRA coding rules.
- Achieved compliance for following Required MISRA rules for the default
build configurations on FVP and Juno platforms : 7.3, 8.3, 8.4, 8.5 and
8.8.
- Added support for Armv8.2-A architectural features:
- Updated translation table set-up to set the CnP (Common not Private) bit
for secure page tables so that multiple PEs in the same Inner Shareable
domain can use the same translation table entries for a given stage of
translation in a particular translation regime.
- Extended the supported values of ID_AA64MMFR0_EL1.PARange to include the
52-bit Physical Address range.
- Added support for the Scalable Vector Extension to allow Normal world
software to access SVE functionality but disable access to SVE, SIMD and
floating point functionality from the Secure world in order to prevent
corruption of the Z-registers.
- Added support for Armv8.4-A architectural feature Activity Monitor Unit (AMU)
extensions.
In addition to the v8.4 architectural extension, AMU support on Cortex-A75
was implemented.
- Enhanced OP-TEE support to enable use of pageable OP-TEE image. The Arm
standard platforms are updated to load up to 3 images for OP-TEE; header,
pager image and paged image.
The chain of trust is extended to support the additional images.
- Enhancements to the translation table library:
- Introduced APIs to get and set the memory attributes of a region.
- Added support to manage both priviledge levels in translation regimes that
describe translations for 2 Exception levels, specifically the EL1&0
translation regime, and extended the memory map region attributes to
include specifying Non-privileged access.
- Added support to specify the granularity of the mappings of each region,
for instance a 2MB region can be specified to be mapped with 4KB page
tables instead of a 2MB block.
- Disabled the higher VA range to avoid unpredictable behaviour if there is
an attempt to access addresses in the higher VA range.
- Added helpers for Device and Normal memory MAIR encodings that align with
the Arm Architecture Reference Manual for Armv8-A (Arm DDI0487B.b).
- Code hygiene including fixing type length and signedness of constants,
refactoring of function to enable the MMU, removing all instances where
the virtual address space is hardcoded and added comments that document
alignment needed between memory attributes and attributes specified in
TCR_ELx.
- Updated GIC support:
- Introduce new APIs for GICv2 and GICv3 that provide the capability to
specify interrupt properties rather than list of interrupt numbers alone.
The Arm platforms and other upstream platforms are migrated to use
interrupt properties.
- Added helpers to save / restore the GICv3 context, specifically the
Distributor and Redistributor contexts and architectural parts of the ITS
power management. The Distributor and Redistributor helpers also support
the implementation-defined part of GIC-500 and GIC-600.
Updated the Arm FVP platform to save / restore the GICv3 context on system
suspend / resume as an example of how to use the helpers.
Introduced a new TZC secured DDR carve-out for use by Arm platforms for
storing EL3 runtime data such as the GICv3 register context.
- Added support for Armv7-A architecture via build option ARM_ARCH_MAJOR=7.
This includes following features:
- Updates GICv2 driver to manage GICv1 with security extensions.
- Software implementation for 32bit division.
- Enabled use of generic timer for platforms that do not set
ARM_CORTEX_Ax=yes.
- Support for Armv7-A Virtualization extensions [DDI0406C_C].
- Support for both Armv7-A platforms that only have 32-bit addressing and
Armv7-A platforms that support large page addressing.
- Included support for following Armv7 CPUs: Cortex-A12, Cortex-A17,
Cortex-A7, Cortex-A5, Cortex-A9, Cortex-A15.
- Added support in QEMU for Armv7-A/Cortex-A15.
- Enhancements to Firmware Update feature:
- Updated the FWU documentation to describe the additional images needed for
Firmware update, and how they are used for both the Juno platform and the
Arm FVP platforms.
- Enhancements to Trusted Board Boot feature:
- Added support to cert_create tool for RSA PKCS1# v1.5 and SHA384, SHA512
and SHA256.
- For Arm platforms added support to use ECDSA keys.
- Enhanced the mbed TLS wrapper layer to include support for both RSA and
ECDSA to enable runtime selection between RSA and ECDSA keys.
- Added support for secure interrupt handling in AArch32 sp_min, hardcoded to
only handle FIQs.
- Added support to allow a platform to load images from multiple boot sources,
for example from a second flash drive.
- Added a logging framework that allows platforms to reduce the logging level
at runtime and additionally the prefix string can be defined by the platform.
- Further improvements to register initialisation:
- Control register PMCR_EL0 / PMCR is set to prohibit cycle counting in the
secure world. This register is added to the list of registers that are
saved and restored during world switch.
- When EL3 is running in AArch32 execution state, the Non-secure version of
SCTLR is explicitly initialised during the warmboot flow rather than
relying on the hardware to set the correct reset values.
- Enhanced support for Arm platforms:
- Introduced driver for Shared-Data-Structure (SDS) framework which is used
for communication between SCP and the AP CPU, replacing Boot-Over_MHU
(BOM) protocol.
The Juno platform is migrated to use SDS with the SCMI support added in
v1.3 and is set as default.
The driver can be found in the plat/arm/css/drivers folder.
- Improved memory usage by only mapping TSP memory region when the TSPD has
been included in the build. This reduces the memory footprint and avoids
unnecessary memory being mapped.
- Updated support for multi-threading CPUs for FVP platforms - always check
the MT field in MPDIR and access the bit fields accordingly.
- Support building for platforms that model DynamIQ configuration by
implementing all CPUs in a single cluster.
- Improved nor flash driver, for instance clearing status registers before
sending commands. Driver can be found plat/arm/board/common folder.
- Enhancements to QEMU platform:
- Added support for TBB.
- Added support for using OP-TEE pageable image.
- Added support for LOAD_IMAGE_V2.
- Migrated to use translation table library v2 by default.
- Added support for SEPARATE_CODE_AND_RODATA.
- Applied workarounds CVE-2017-5715 on Arm Cortex-A57, -A72, -A73 and -A75, and
for Armv7-A CPUs Cortex-A9, -A15 and -A17.
- Applied errata workaround for Arm Cortex-A57: 859972.
- Applied errata workaround for Arm Cortex-A72: 859971.
- Added support for Poplar 96Board platform.
- Added support for Raspberry Pi 3 platform.
- Added Call Frame Information (CFI) assembler directives to the vector entries
which enables debuggers to display the backtrace of functions that triggered
a synchronous abort.
- Added ability to build dtb.
- Added support for pre-tool (cert_create and fiptool) image processing
enabling compression of the image files before processing by cert_create and
fiptool.
This can reduce fip size and may also speed up loading of images. The image
verification will also get faster because certificates are generated based on
compressed images.
Imported zlib 1.2.11 to implement gunzip() for data compression.
- Enhancements to fiptool:
- Enabled the fiptool to be built using Visual Studio.
- Added padding bytes at the end of the last image in the fip to be
facilitate transfer by DMA.
Issues resolved since last release
----------------------------------
- TF-A can be built with optimisations disabled (-O0).
- Memory layout updated to enable Trusted Board Boot on Juno platform when
running TF-A in AArch32 execution mode (resolving `tf-issue#501`_).
Known Issues
------------
- DTB creation not supported when building on a windows host. This step in the
build process is skipped when running on a windows host.
Trusted Firmware-A - version 1.4
================================
New features
------------
......@@ -23,13 +309,13 @@ New features
- Added support for Cortex-A75 and Cortex-A55 processors.
Both Cortex-A75 and Cortex-A55 processors use the ARM DynamIQ Shared Unit
Both Cortex-A75 and Cortex-A55 processors use the Arm DynamIQ Shared Unit
(DSU). The power-down and power-up sequences are therefore mostly managed in
hardware, reducing complexity of the software operations.
- Introduced ARM GIC-600 driver.
- Introduced Arm GIC-600 driver.
ARM GIC-600 IP complies with ARM GICv3 architecture. For FVP platforms, the
Arm GIC-600 IP complies with Arm GICv3 architecture. For FVP platforms, the
GIC-600 driver is chosen when FVP_USE_GIC_DRIVER is set to FVP_GIC600.
- Updated GICv3 support:
......@@ -43,16 +329,16 @@ New features
- GIC driver data is flushed by the primary CPU so that secondary CPU do
not read stale GIC data.
- Added support for ARM System Control and Management Interface v1.0 (SCMI).
- Added support for Arm System Control and Management Interface v1.0 (SCMI).
The SCMI driver implements the power domain management and system power
management protocol of the SCMI specification (ARM DEN 0056ASCMI) for
management protocol of the SCMI specification (Arm DEN 0056ASCMI) for
communicating with any compliant power controller.
Support is added for the Juno platform. The driver can be found in the
plat/arm/css/drivers folder.
- Added support to enable pre-integration of TBB with the ARM TrustZone
- Added support to enable pre-integration of TBB with the Arm TrustZone
CryptoCell product, to take advantage of its hardware Root of Trust and
crypto acceleration services.
......@@ -84,12 +370,12 @@ New features
- Fixed integer overflow which addressed TFV-1: Malformed Firmware Update
SMC can result in copy of unexpectedly large data into secure memory.
- Introduced support for ARM Compiler 6 and LLVM (clang).
- Introduced support for Arm Compiler 6 and LLVM (clang).
ARM TF can now also be built with the ARM Compiler 6 or the clang compilers.
TF-A can now also be built with the Arm Compiler 6 or the clang compilers.
The assembler and linker must be provided by the GNU toolchain.
Tested with ARM CC 6.7 and clang 3.9.x and 4.0.x.
Tested with Arm CC 6.7 and clang 3.9.x and 4.0.x.
- Memory footprint improvements:
......@@ -103,30 +389,29 @@ New features
additional logging options are supported via an optional platform define
`PLAT_LOG_LEVEL_ASSERT`, which controls how verbose the assert output is.
- Enhancements to Trusted Firmware support when running in AArch32 execution
state:
- Enhancements to TF-A support when running in AArch32 execution state:
- Support booting SP_MIN and BL33 in AArch32 execution mode on Juno. Due to
hardware limitations, BL1 and BL2 boot in AArch64 state and there is
additional trampoline code to warm reset into SP_MIN in AArch32 execution
state.
- Added support for ARM Cortex-A53/57/72 MPCore processors including the
- Added support for Arm Cortex-A53/57/72 MPCore processors including the
errata workarounds that are already implemented for AArch64 execution
state.
- For FVP platforms, added AArch32 Trusted Board Boot support, including the
Firmware Update feature.
- Introduced ARM SiP service for use by ARM standard platforms.
- Introduced Arm SiP service for use by Arm standard platforms.
- Added new ARM SiP Service SMCs to enable the Non-secure world to read PMF
- Added new Arm SiP Service SMCs to enable the Non-secure world to read PMF
timestamps.
Added PMF instrumentation points in ARM TF in order to quantify the
Added PMF instrumentation points in TF-A in order to quantify the
overall time spent in the PSCI software implementation.
- Added new ARM SiP service SMC to switch execution state.
- Added new Arm SiP service SMC to switch execution state.
This allows the lower exception level to change its execution state from
AArch64 to AArch32, or vice verse, via a request to EL3.
......@@ -142,7 +427,7 @@ New features
- Added version 2 of translation table library that allows different
translation tables to be modified by using different 'contexts'. Version 1
of the transalation table library only allows the current EL's translation
of the translation table library only allows the current EL's translation
tables to be modified.
Version 2 of the translation table also added support for dynamic
......@@ -172,7 +457,7 @@ New features
detection. For increased effectiveness of protection platforms must provide
an implementation that returns a random value.
- Enhanced support for ARM platforms:
- Enhanced support for Arm platforms:
- Added support for multi-threading CPUs, indicated by `MT` field in MPDIR.
A new build flag `ARM_PLAT_MT` is added, and when enabled, the functions
......@@ -183,13 +468,13 @@ New features
enabled, returning the Processing Element count within the physical CPU
corresponding to `mpidr`.
- The ARM platforms migrated to use version 2 of the translation tables.
- The Arm platforms migrated to use version 2 of the translation tables.
- Introduced a new ARM platform layer API `plat_arm_psci_override_pm_ops`
which allows ARM platforms to modify `plat_arm_psci_pm_ops` and therefore
- Introduced a new Arm platform layer API `plat_arm_psci_override_pm_ops`
which allows Arm platforms to modify `plat_arm_psci_pm_ops` and therefore
dynamically define PSCI capability.
- The ARM platforms migrated to use IMAGE_LOAD_V2 by default.
- The Arm platforms migrated to use IMAGE_LOAD_V2 by default.
- Enhanced reporting of errata workaround status with the following policy:
......@@ -206,15 +491,15 @@ New features
missing.
- Added build options ARM_ARCH_MAJOR and ARM_ARM_MINOR to choose the
architecture version to target ARM TF.
architecture version to target TF-A.
- Updated the spin lock implementation to use the more efficient CAS (Compare
And Swap) instruction when available. This instruction was introduced in
ARMv8.1-A.
Armv8.1-A.
- Applied errata workaround for ARM Cortex-A53: 855873.
- Applied errata workaround for Arm Cortex-A53: 855873.
- Applied errata workaround for ARM-Cortex-A57: 813419.
- Applied errata workaround for Arm-Cortex-A57: 813419.
- Enabled all A53 and A57 errata workarounds for Juno, both in AArch64 and
AArch32 execution states.
......@@ -248,7 +533,7 @@ New features
- Essential control registers are fully initialised on EL3 start-up, when
initialising the non-secure and secure context structures and when
preparing to leave EL3 for a lower EL. This gives better alignement with
the ARM ARM which states that software must initialise RES0 and RES1
the Arm ARM which states that software must initialise RES0 and RES1
fields with 0 / 1.
- Enhanced PSCI support:
......@@ -268,12 +553,12 @@ New features
Issues resolved since last release
----------------------------------
- ARM TF can be built with the latest mbed TLS version (v2.4.2). The earlier
version 2.3.0 cannot be used due to build warnings that the ARM TF build
- TF-A can be built with the latest mbed TLS version (v2.4.2). The earlier
version 2.3.0 cannot be used due to build warnings that the TF-A build
system interprets as errors.
- TBBR, including the Firmware Update feature is now supported on FVP
platforms when running Trusted Firmware in AArch32 state.
platforms when running TF-A in AArch32 state.
- The version of the AEMv8 Base FVP used in this release has resolved the issue
of the model executing a reset instead of terminating in response to a
......@@ -282,11 +567,11 @@ Issues resolved since last release
Known Issues
------------
- Building TF with compiler optimisations disabled (-O0) fails.
- Building TF-A with compiler optimisations disabled (-O0) fails.
- Trusted Board Boot currently does not work on Juno when running Trusted
Firmware in AArch32 execution state due to error when loading the sp_min to
memory becasue of lack of free space available. See `tf-issue#501`_ for more
memory because of lack of free space available. See `tf-issue#501`_ for more
details.
- The errata workaround for A53 errata 843419 is only available from binutils
......@@ -294,14 +579,14 @@ Known Issues
platform, please use GCC compiler version of at least 5.0. See `PR#1002`_ for
more details.
ARM Trusted Firmware - version 1.3
==================================
Trusted Firmware-A - version 1.3
================================
New features
------------
- Added support for running Trusted Firmware in AArch32 execution state.
- Added support for running TF-A in AArch32 execution state.
The PSCI library has been refactored to allow integration with **EL3 Runtime
Software**. This is software that is executing at the highest secure
......@@ -315,11 +600,11 @@ New features
Booting to the BL1/BL2 images as well as booting straight to the Secure
Payload is supported.
- Improvements to the initialization framework for the PSCI service and ARM
- Improvements to the initialization framework for the PSCI service and Arm
Standard Services in general.
The PSCI service is now initialized as part of ARM Standard Service
initialization. This consolidates the initializations of any ARM Standard
The PSCI service is now initialized as part of Arm Standard Service
initialization. This consolidates the initializations of any Arm Standard
Service that may be added in the future.
A new function ``get_arm_std_svc_args()`` is introduced to get arguments
......@@ -337,7 +622,7 @@ New features
(BL31, BL32, etc). The new mechanism is data-driven by a list of image
descriptors provided by the platform code.
ARM platforms have been updated to support the new loading mechanism.
Arm platforms have been updated to support the new loading mechanism.
The new mechanism is enabled by a build flag (``LOAD_IMAGE_V2``) which is
currently off by default for the AArch64 build.
......@@ -345,7 +630,7 @@ New features
**Note** ``TRUSTED_BOARD_BOOT`` is currently not supported when
``LOAD_IMAGE_V2`` is enabled.
- Updated requirements for making contributions to ARM TF.
- Updated requirements for making contributions to TF-A.
Commits now must have a 'Signed-off-by:' field to certify that the
contribution has been made under the terms of the
......@@ -365,13 +650,13 @@ New features
- Updated PSCI support:
- Added support for PSCI NODE\_HW\_STATE API for ARM platforms.
- Added support for PSCI NODE\_HW\_STATE API for Arm platforms.
- New optional platform hook, ``pwr_domain_pwr_down_wfi()``, in
``plat_psci_ops`` to enable platforms to perform platform-specific actions
needed to enter powerdown, including the 'wfi' invocation.
- PSCI STAT residency and count functions have been added on ARM platforms
- PSCI STAT residency and count functions have been added on Arm platforms
by using PMF.
- Enhancements to the translation table library:
......@@ -420,13 +705,13 @@ New features
convention as specified by TBBR and already used in cert\_create tool.
- Refactored the TZC-400 driver to also support memory controllers that
integrate TZC functionality, for example ARM CoreLink DMC-500. Also added
integrate TZC functionality, for example Arm CoreLink DMC-500. Also added
DMC-500 specific support.
- Implemented generic delay timer based on the system generic counter and
migrated all platforms to use it.
- Enhanced support for ARM platforms:
- Enhanced support for Arm platforms:
- Updated image loading support to make SCP images (SCP\_BL2 and SCP\_BL2U)
optional.
......@@ -441,7 +726,7 @@ New features
the default secure SRAM.
- Added support to use a System Security Control (SSC) Registers Unit
enabling ARM TF to be compiled to support multiple ARM platforms and
enabling TF-A to be compiled to support multiple Arm platforms and
then select one at runtime.
- Restricted mapping of Trusted ROM in BL1 to what is actually needed by
......@@ -455,26 +740,26 @@ New features
- Added support for Mediatek MT6795 platform.
- Added support for QEMU virtualization ARMv8-A target.
- Added support for QEMU virtualization Armv8-A target.
- Added support for Rockchip RK3368 and RK3399 platforms.
- Added support for Xilinx Zynq UltraScale+ MPSoC platform.
- Added support for ARM Cortex-A73 MPCore Processor.
- Added support for Arm Cortex-A73 MPCore Processor.
- Added support for ARM Cortex-A72 processor.
- Added support for Arm Cortex-A72 processor.
- Added support for ARM Cortex-A35 processor.
- Added support for Arm Cortex-A35 processor.
- Added support for ARM Cortex-A32 MPCore Processor.
- Added support for Arm Cortex-A32 MPCore Processor.
- Enabled preloaded BL33 alternative boot flow, in which BL2 does not load
BL33 from non-volatile storage and BL31 hands execution over to a preloaded
BL33. The User Guide has been updated with an example of how to use this
option with a bootwrapped kernel.
- Added support to build ARM TF on a Windows-based host machine.
- Added support to build TF-A on a Windows-based host machine.
- Updated Trusted Board Boot prototype implementation:
......@@ -493,7 +778,7 @@ New features
- Enabled G1S or G0 interrupts to be configured independently.
- Changed FVP default interrupt driver to be the GICv3-only driver.
**Note** the default build of Trusted Firmware will not be able to boot
**Note** the default build of TF-A will not be able to boot
Linux kernel with GICv2 FDT blob.
- Enabled wake-up from CPU\_SUSPEND to stand-by by temporarily re-routing
......@@ -510,26 +795,25 @@ Known issues
the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
the model.
- Building TF with compiler optimisations disabled (``-O0``) fails.
- Building TF-A with compiler optimisations disabled (``-O0``) fails.
- ARM TF cannot be built with mbed TLS version v2.3.0 due to build warnings
that the ARM TF build system interprets as errors.
- TF-A cannot be built with mbed TLS version v2.3.0 due to build warnings
that the TF-A build system interprets as errors.
- TBBR is not currently supported when running Trusted Firmware in AArch32
state.
- TBBR is not currently supported when running TF-A in AArch32 state.
ARM Trusted Firmware - version 1.2
==================================
Trusted Firmware-A - version 1.2
================================
New features
------------
- The Trusted Board Boot implementation on ARM platforms now conforms to the
- The Trusted Board Boot implementation on Arm platforms now conforms to the
mandatory requirements of the TBBR specification.
In particular, the boot process is now guarded by a Trusted Watchdog, which
will reset the system in case of an authentication or loading error. On ARM
platforms, a secure instance of ARM SP805 is used as the Trusted Watchdog.
will reset the system in case of an authentication or loading error. On Arm
platforms, a secure instance of Arm SP805 is used as the Trusted Watchdog.
Also, a firmware update process has been implemented. It enables
authenticated firmware to update firmware images from external interfaces to
......@@ -563,44 +847,44 @@ New features
out, reducing the memory footprint of BL1 and BL2 by approximately
6 KB.
- On ARM development platforms, each BL stage now individually defines
- On Arm development platforms, each BL stage now individually defines
the number of regions that it needs to map in the MMU.
- Added the following new design documents:
- `Authentication framework`_
- `Firmware Update`_
- `TF Reset Design`_
- `TF-A Reset Design`_
- `Power Domain Topology Design`_
- Applied the new image terminology to the code base and documentation, as
described on the `TF wiki on GitHub`_.
described on the `TF-A wiki on GitHub`_.
- The build system has been reworked to improve readability and facilitate
adding future extensions.
- On ARM standard platforms, BL31 uses the boot console during cold boot
- On Arm standard platforms, BL31 uses the boot console during cold boot
but switches to the runtime console for any later logs at runtime. The TSP
uses the runtime console for all output.
- Implemented a basic NOR flash driver for ARM platforms. It programs the
- Implemented a basic NOR flash driver for Arm platforms. It programs the
device using CFI (Common Flash Interface) standard commands.
- Implemented support for booting EL3 payloads on ARM platforms, which
- Implemented support for booting EL3 payloads on Arm platforms, which
reduces the complexity of developing EL3 baremetal code by doing essential
baremetal initialization.
- Provided separate drivers for GICv3 and GICv2. These expect the entire
software stack to use either GICv2 or GICv3; hybrid GIC software systems
are no longer supported and the legacy ARM GIC driver has been deprecated.
are no longer supported and the legacy Arm GIC driver has been deprecated.
- Added support for Juno r1 and r2. A single set of Juno TF binaries can run
on Juno r0, r1 and r2 boards. Note that this TF version depends on a Linaro
- Added support for Juno r1 and r2. A single set of Juno TF-A binaries can run
on Juno r0, r1 and r2 boards. Note that this TF-A version depends on a Linaro
release that does *not* contain Juno r2 support.
- Added support for MediaTek mt8173 platform.
- Implemented a generic driver for ARM CCN IP.
- Implemented a generic driver for Arm CCN IP.
- Major rework of the PSCI implementation.
......@@ -612,7 +896,7 @@ New features
- Better alignment with version 1.0 of the PSCI specification.
- Added support for the SYSTEM\_SUSPEND PSCI API on ARM platforms. When invoked
- Added support for the SYSTEM\_SUSPEND PSCI API on Arm platforms. When invoked
on the last running core on a supported platform, this puts the system
into a low power mode with memory retention.
......@@ -625,17 +909,17 @@ New features
- Added support for NVidia Tegra T210 and T132 SoCs.
- Reorganised ARM platforms ports to greatly improve code shareability and
- Reorganised Arm platforms ports to greatly improve code shareability and
facilitate the reuse of some of this code by other platforms.
- Added support for ARM Cortex-A72 processor in the CPU specific framework.
- Added support for Arm Cortex-A72 processor in the CPU specific framework.
- Provided better error handling. Platform ports can now define their own
error handling, for example to perform platform specific bookkeeping or
post-error actions.
- Implemented a unified driver for ARM Cache Coherent Interconnects used for
both CCI-400 & CCI-500 IPs. ARM platforms ports have been migrated to this
- Implemented a unified driver for Arm Cache Coherent Interconnects used for
both CCI-400 & CCI-500 IPs. Arm platforms ports have been migrated to this
common driver. The standalone CCI-400 driver has been deprecated.
Issues resolved since last release
......@@ -668,10 +952,10 @@ Known issues
clarity and completeness. In particular, the design documentation is
incomplete for PSCI, the TSP(D) and the Juno platform.
- Building TF with compiler optimisations disabled (``-O0``) fails.
- Building TF-A with compiler optimisations disabled (``-O0``) fails.
ARM Trusted Firmware - version 1.1
==================================
Trusted Firmware-A - version 1.1
================================
New features
------------
......@@ -719,10 +1003,10 @@ New features
applicable). Also, during a PSCI ``MIGRATE`` call, the SPD hook to migrate
the Trusted OS is invoked.
- It is now possible to build Trusted Firmware without marking at least an
extra page of memory as coherent. The build flag ``USE_COHERENT_MEM`` can be
used to choose between the two implementations. This has been made possible
through these changes.
- It is now possible to build TF-A without marking at least an extra page of
memory as coherent. The build flag ``USE_COHERENT_MEM`` can be used to
choose between the two implementations. This has been made possible through
these changes.
- An implementation of Bakery locks, where the locks are not allocated in
coherent memory has been added.
......@@ -774,8 +1058,7 @@ New features
create mappings only for areas in the memory map that it needs.
- A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been
added. Details of using it with ARM Trusted Firmware can be found in
`OP-TEE Dispatcher`_
added. Details of using it with TF-A can be found in `OP-TEE Dispatcher`_
Issues resolved since last release
----------------------------------
......@@ -789,7 +1072,7 @@ Issues resolved since last release
- The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured
using the TZC-400 controller to be accessible only to the secure world.
- The ARM GIC driver is used to configure the GIC-400 instead of using a
- The Arm GIC driver is used to configure the GIC-400 instead of using a
GIC driver private to the Juno port.
- PSCI ``CPU_SUSPEND`` calls that target a standby state are now supported.
......@@ -823,7 +1106,7 @@ Known issues
the model.
- GICv3 support is experimental. There are known issues with GICv3
initialization in the ARM Trusted Firmware.
initialization in the TF-A.
- While this version greatly reduces the on-chip RAM requirements, there are
further RAM usage enhancements that could be made.
......@@ -833,8 +1116,8 @@ Known issues
- The Juno-specific firmware design documentation is incomplete.
ARM Trusted Firmware - version 1.0
==================================
Trusted Firmware-A - version 1.0
================================
New features
------------
......@@ -970,14 +1253,14 @@ Issues resolved since last release
- CPU idle now works on the publicized version of the Foundation FVP.
- All known issues relating to the compiler version used have now been
resolved. This TF version uses Linaro toolchain 14.07 (based on GCC 4.9).
resolved. This TF-A version uses Linaro toolchain 14.07 (based on GCC 4.9).
Known issues
------------
- GICv3 support is experimental. The Linux kernel patches to support this are
not widely available. There are known issues with GICv3 initialization in
the ARM Trusted Firmware.
the TF-A.
- While this version greatly reduces the on-chip RAM requirements, there are
further RAM usage enhancements that could be made.
......@@ -1013,8 +1296,8 @@ Known issues
A similar change can be made to the other Cortex-A57-A53 Base FVP variants.
ARM Trusted Firmware - version 0.4
==================================
Trusted Firmware-A - version 0.4
================================
New features
------------
......@@ -1110,41 +1393,41 @@ Issues resolved since last release
14.04) now correctly reports progress in the console.
- Improved the Makefile structure to make it easier to separate out parts of
the Trusted Firmware for re-use in platform ports. Also, improved target
dependency checking.
the TF-A for re-use in platform ports. Also, improved target dependency
checking.
Known issues
------------
- GICv3 support is experimental. The Linux kernel patches to support this are
not widely available. There are known issues with GICv3 initialization in
the ARM Trusted Firmware.
the TF-A.
- Dynamic image loading is not available yet. The current image loader
implementation (used to load BL2 and all subsequent images) has some
limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
to loading errors, even if the images should theoretically fit in memory.
- The ARM Trusted Firmware still uses too much on-chip Trusted SRAM. A number
of RAM usage enhancements have been identified to rectify this situation.
- TF-A still uses too much on-chip Trusted SRAM. A number of RAM usage
enhancements have been identified to rectify this situation.
- CPU idle does not work on the advertised version of the Foundation FVP.
Some FVP fixes are required that are not available externally at the time
of writing. This can be worked around by disabling CPU idle in the Linux
kernel.
- Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been
observed when using Linaro toolchain versions later than 13.11. Although
most of these have been fixed, some remain at the time of writing. These
mainly seem to relate to a subtle change in the way the compiler converts
between 64-bit and 32-bit values (e.g. during casting operations), which
reveals previously hidden bugs in client code.
- Various bugs in TF-A, UEFI and the Linux kernel have been observed when
using Linaro toolchain versions later than 13.11. Although most of these
have been fixed, some remain at the time of writing. These mainly seem to
relate to a subtle change in the way the compiler converts between 64-bit
and 32-bit values (e.g. during casting operations), which reveals
previously hidden bugs in client code.
- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.
ARM Trusted Firmware - version 0.3
==================================
Trusted Firmware-A - version 0.3
================================
New features
------------
......@@ -1170,9 +1453,9 @@ New features
- The PSCI AFFINITY\_INFO api has undergone limited testing on the Base FVPs to
allow experimental use.
- Required C library and runtime header files are now included locally in ARM
Trusted Firmware instead of depending on the toolchain standard include
paths. The local implementation has been cleaned up and reduced in scope.
- Required C library and runtime header files are now included locally in
TF-A instead of depending on the toolchain standard include paths. The
local implementation has been cleaned up and reduced in scope.
- Added I/O abstraction framework, primarily to allow generic code to load
images in a platform-independent way. The existing image loading code has
......@@ -1232,28 +1515,27 @@ Issues resolved since last release
- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` have now been tested (to
a limited extent).
- The ARM Trusted Firmware build artifacts are now placed in the ``./build``
directory and sub-directories instead of being placed in the root of the
project.
- The TF-A build artifacts are now placed in the ``./build`` directory and
sub-directories instead of being placed in the root of the project.
- The ARM Trusted Firmware is now free from build warnings. Build warnings
are now treated as errors.
- TF-A is now free from build warnings. Build warnings are now treated as
errors.
- The ARM Trusted Firmware now provides C library support locally within the
project to maintain compatibility between toolchains/systems.
- TF-A now provides C library support locally within the project to maintain
compatibility between toolchains/systems.
- The PSCI locking code has been reworked so it no longer takes locks in an
incorrect sequence.
- The RAM-disk method of loading a Linux file-system has been confirmed to
work with the ARM Trusted Firmware and Linux kernel version (based on
version 3.13) used in this release, for both Foundation and Base FVPs.
work with the TF-A and Linux kernel version (based on version 3.13) used
in this release, for both Foundation and Base FVPs.
Known issues
------------
The following is a list of issues which are expected to be fixed in the future
releases of the ARM Trusted Firmware.
releases of TF-A.
- The TrustZone Address Space Controller (TZC-400) is not being programmed
yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported.
......@@ -1262,28 +1544,28 @@ releases of the ARM Trusted Firmware.
- GICv3 support is experimental. The Linux kernel patches to support this are
not widely available. There are known issues with GICv3 initialization in
the ARM Trusted Firmware.
TF-A.
- Dynamic image loading is not available yet. The current image loader
implementation (used to load BL2 and all subsequent images) has some
limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
to loading errors, even if the images should theoretically fit in memory.
- The ARM Trusted Firmware uses too much on-chip Trusted SRAM. Currently the
Test Secure-EL1 Payload (BL3-2) executes in Trusted DRAM since there is not
enough SRAM. A number of RAM usage enhancements have been identified to
rectify this situation.
- TF-A uses too much on-chip Trusted SRAM. Currently the Test Secure-EL1
Payload (BL3-2) executes in Trusted DRAM since there is not enough SRAM.
A number of RAM usage enhancements have been identified to rectify this
situation.
- CPU idle does not work on the advertised version of the Foundation FVP.
Some FVP fixes are required that are not available externally at the time
of writing.
- Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been
observed when using Linaro toolchain versions later than 13.11. Although
most of these have been fixed, some remain at the time of writing. These
mainly seem to relate to a subtle change in the way the compiler converts
between 64-bit and 32-bit values (e.g. during casting operations), which
reveals previously hidden bugs in client code.
- Various bugs in TF-A, UEFI and the Linux kernel have been observed when
using Linaro toolchain versions later than 13.11. Although most of these
have been fixed, some remain at the time of writing. These mainly seem to
relate to a subtle change in the way the compiler converts between 64-bit
and 32-bit values (e.g. during casting operations), which reveals
previously hidden bugs in client code.
- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
14.01) does not report progress correctly in the console. It only seems to
......@@ -1292,15 +1574,14 @@ releases of the ARM Trusted Firmware.
exhibit the problem.
- The Makefile structure doesn't make it easy to separate out parts of the
Trusted Firmware for re-use in platform ports, for example if only BL3-1 is
required in a platform port. Also, dependency checking in the Makefile is
flawed.
TF-A for re-use in platform ports, for example if only BL3-1 is required in
a platform port. Also, dependency checking in the Makefile is flawed.
- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.
ARM Trusted Firmware - version 0.2
==================================
Trusted Firmware-A - version 0.2
================================
New features
------------
......@@ -1320,7 +1601,7 @@ Known issues
------------
The following is a list of issues which are expected to be fixed in the future
releases of the ARM Trusted Firmware.
releases of TF-A.
- The TrustZone Address Space Controller (TZC-400) is not being programmed
yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported.
......@@ -1330,7 +1611,7 @@ releases of the ARM Trusted Firmware.
- GICv3 support is experimental. The Linux kernel patches to support this are
not widely available. There are known issues with GICv3 initialization in
the ARM Trusted Firmware.
TF-A.
- Dynamic image loading is not available yet. The current image loader
implementation (used to load BL2 and all subsequent images) has some
......@@ -1340,42 +1621,41 @@ releases of the ARM Trusted Firmware.
- Although support for PSCI ``CPU_SUSPEND`` is present, it is not yet stable
and ready for use.
- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` are implemented but have not
been tested.
- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` are implemented but have
not been tested.
- The ARM Trusted Firmware make files result in all build artifacts being
placed in the root of the project. These should be placed in appropriate
sub-directories.
- The TF-A make files result in all build artifacts being placed in the root
of the project. These should be placed in appropriate sub-directories.
- The compilation of ARM Trusted Firmware is not free from compilation
warnings. Some of these warnings have not been investigated yet so they
could mask real bugs.
- The compilation of TF-A is not free from compilation warnings. Some of these
warnings have not been investigated yet so they could mask real bugs.
- The ARM Trusted Firmware currently uses toolchain/system include files like
stdio.h. It should provide versions of these within the project to maintain
compatibility between toolchains/systems.
- TF-A currently uses toolchain/system include files like stdio.h. It should
provide versions of these within the project to maintain compatibility
between toolchains/systems.
- The PSCI code takes some locks in an incorrect sequence. This may cause
problems with suspend and hotplug in certain conditions.
- The Linux kernel used in this release is based on version 3.12-rc4. Using
this kernel with the ARM Trusted Firmware fails to start the file-system as
a RAM-disk. It fails to execute user-space ``init`` from the RAM-disk. As an
alternative, the VirtioBlock mechanism can be used to provide a file-system
to the kernel.
this kernel with the TF-A fails to start the file-system as a RAM-disk. It
fails to execute user-space ``init`` from the RAM-disk. As an alternative,
the VirtioBlock mechanism can be used to provide a file-system to the
kernel.
--------------
*Copyright (c) 2013-2016, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2013-2018, Arm Limited and Contributors. All rights reserved.*
.. _SDEI Specification: http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf
.. _PSCI Integration Guide: psci-lib-integration-guide.rst
.. _Developer Certificate of Origin: ../dco.txt
.. _Contribution Guide: ../contributing.rst
.. _Authentication framework: auth-framework.rst
.. _Firmware Update: firmware-update.rst
.. _TF Reset Design: reset-design.rst
.. _TF-A Reset Design: reset-design.rst
.. _Power Domain Topology Design: psci-pd-tree.rst
.. _TF wiki on GitHub: https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Image-Terminology
.. _TF-A wiki on GitHub: https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Image-Terminology
.. _Authentication Framework: auth-framework.rst
.. _OP-TEE Dispatcher: optee-dispatcher.rst
.. _tf-issue#501: https://github.com/ARM-software/tf-issues/issues/501
......
docs/cpu-specific-build-macros.rst
View file @ fb45044b
ARM CPU Specific Build Macros
Arm CPU Specific Build Macros
=============================
......@@ -14,8 +14,8 @@ for a specific CPU on a platform.
Security Vulnerability Workarounds
----------------------------------
ARM Trusted Firmware exports a series of build flags which control which
security vulnerability workarounds should be applied at runtime.
TF-A exports a series of build flags which control which security
vulnerability workarounds should be applied at runtime.
- ``WORKAROUND_CVE_2017_5715``: Enables the security workaround for
`CVE-2017-5715`_. Defaults to 1.
......@@ -23,10 +23,9 @@ security vulnerability workarounds should be applied at runtime.
CPU Errata Workarounds
----------------------
ARM Trusted Firmware exports a series of build flags which control the
errata workarounds that are applied to each CPU by the reset handler. The
errata details can be found in the CPU specific errata documents published
by ARM:
TF-A exports a series of build flags which control the errata workarounds that
are applied to each CPU by the reset handler. The errata details can be found
in the CPU specific errata documents published by Arm:
- `Cortex-A53 MPCore Software Developers Errata Notice`_
- `Cortex-A57 MPCore Software Developers Errata Notice`_
......@@ -135,8 +134,8 @@ architecture that can be enabled by the platform as desired.
- ``A53_DISABLE_NON_TEMPORAL_HINT``: This flag disables the cache non-temporal
hint. The LDNP/STNP instructions as implemented on Cortex-A53 do not behave
in a way most programmers expect, and will most probably result in a
significant speed degradation to any code that employs them. The ARMv8-A
architecture (see ARM DDI 0487A.h, section D3.4.3) allows cores to ignore
significant speed degradation to any code that employs them. The Armv8-A
architecture (see Arm DDI 0487A.h, section D3.4.3) allows cores to ignore
the non-temporal hint and treat LDNP/STNP as LDP/STP instead. Enabling this
flag enforces this behaviour. This needs to be enabled only for revisions
<= r0p3 of the CPU and is enabled by default.
......@@ -149,7 +148,7 @@ architecture that can be enabled by the platform as desired.
--------------
*Copyright (c) 2014-2016, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2014-2018, Arm Limited and Contributors. All rights reserved.*
.. _CVE-2017-5715: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
.. _Cortex-A53 MPCore Software Developers Errata Notice: http://infocenter.arm.com/help/topic/com.arm.doc.epm048406/Cortex_A53_MPCore_Software_Developers_Errata_Notice.pdf
......
docs/firmware-design.rst
View file @ fb45044b
ARM Trusted Firmware Design
===========================
Trusted Firmware-A design
=========================
.. section-numbering::
......@@ -7,30 +7,27 @@ ARM Trusted Firmware Design
.. contents::
The ARM Trusted Firmware implements a subset of the Trusted Board Boot
Requirements (TBBR) Platform Design Document (PDD) [1]_ for ARM reference
Trusted Firmware-A (TF-A) implements a subset of the Trusted Board Boot
Requirements (TBBR) Platform Design Document (PDD) [1]_ for Arm reference
platforms. The TBB sequence starts when the platform is powered on and runs up
to the stage where it hands-off control to firmware running in the normal
world in DRAM. This is the cold boot path.
The ARM Trusted Firmware also implements the Power State Coordination Interface
PDD [2]_ as a runtime service. PSCI is the interface from normal world software
to firmware implementing power management use-cases (for example, secondary CPU
boot, hotplug and idle). Normal world software can access ARM Trusted Firmware
runtime services via the ARM SMC (Secure Monitor Call) instruction. The SMC
instruction must be used as mandated by the SMC Calling Convention [3]_.
TF-A also implements the Power State Coordination Interface PDD [2]_ as a
runtime service. PSCI is the interface from normal world software to firmware
implementing power management use-cases (for example, secondary CPU boot,
hotplug and idle). Normal world software can access TF-A runtime services via
the Arm SMC (Secure Monitor Call) instruction. The SMC instruction must be
used as mandated by the SMC Calling Convention [3]_.
The ARM Trusted Firmware implements a framework for configuring and managing
interrupts generated in either security state. The details of the interrupt
management framework and its design can be found in ARM Trusted Firmware
Interrupt Management Design guide [4]_.
TF-A implements a framework for configuring and managing interrupts generated
in either security state. The details of the interrupt management framework
and its design can be found in TF-A Interrupt Management Design guide [4]_.
The ARM Trusted Firmware also implements a library for setting up and managing
the translation tables. The details of this library can be found in
`Xlat_tables design`_.
TF-A also implements a library for setting up and managing the translation
tables. The details of this library can be found in `Xlat_tables design`_.
The ARM Trusted Firmware can be built to support either AArch64 or AArch32
execution state.
TF-A can be built to support either AArch64 or AArch32 execution state.
Cold boot
---------
......@@ -46,9 +43,8 @@ the primary CPU has performed enough initialization to boot them.
Refer to the `Reset Design`_ for more information on the effect of the
``COLD_BOOT_SINGLE_CPU`` platform build option.
The cold boot path in this implementation of the ARM Trusted Firmware,
depends on the execution state.
For AArch64, it is divided into five steps (in order of execution):
The cold boot path in this implementation of TF-A depends on the execution
state. For AArch64, it is divided into five steps (in order of execution):
- Boot Loader stage 1 (BL1) *AP Trusted ROM*
- Boot Loader stage 2 (BL2) *Trusted Boot Firmware*
......@@ -63,7 +59,7 @@ For AArch32, it is divided into four steps (in order of execution):
- Boot Loader stage 3-2 (BL32) *EL3 Runtime Software*
- Boot Loader stage 3-3 (BL33) *Non-trusted Firmware*
ARM development platforms (Fixed Virtual Platforms (FVPs) and Juno) implement a
Arm development platforms (Fixed Virtual Platforms (FVPs) and Juno) implement a
combination of the following types of memory regions. Each bootloader stage uses
one or more of these memory regions.
......@@ -135,7 +131,7 @@ This stage begins execution from the platform's reset vector at EL3. The reset
address is platform dependent but it is usually located in a Trusted ROM area.
The BL1 data section is copied to trusted SRAM at runtime.
On the ARM development platforms, BL1 code starts execution from the reset
On the Arm development platforms, BL1 code starts execution from the reset
vector defined by the constant ``BL1_RO_BASE``. The BL1 data section is copied
to the top of trusted SRAM as defined by the constant ``BL1_RW_BASE``.
......@@ -205,7 +201,7 @@ BL1 performs minimal architectural initialization as follows.
0x1b : Undefined mode
0x1f : System mode
The ``plat_report_exception()`` implementation on the ARM FVP port programs
The ``plat_report_exception()`` implementation on the Arm FVP port programs
the Versatile Express System LED register in the following format to
indicate the occurence of an unexpected exception:
......@@ -299,7 +295,7 @@ BL1 performs minimal architectural initialization as follows.
Platform initialization
^^^^^^^^^^^^^^^^^^^^^^^
On ARM platforms, BL1 performs the following platform initializations:
On Arm platforms, BL1 performs the following platform initializations:
- Enable the Trusted Watchdog.
- Initialize the console.
......@@ -368,18 +364,18 @@ Architectural initialization
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For AArch64, BL2 performs the minimal architectural initialization required
for subsequent stages of the ARM Trusted Firmware and normal world software.
EL1 and EL0 are given access to Floating Point and Advanced SIMD registers
by clearing the ``CPACR.FPEN`` bits.
for subsequent stages of TF-A and normal world software. EL1 and EL0 are given
access to Floating Point and Advanced SIMD registers by clearing the
``CPACR.FPEN`` bits.
For AArch32, the minimal architectural initialization required for subsequent
stages of the ARM Trusted Firmware and normal world software is taken care of
in BL1 as both BL1 and BL2 execute at PL1.
stages of TF-A and normal world software is taken care of in BL1 as both BL1
and BL2 execute at PL1.
Platform initialization
^^^^^^^^^^^^^^^^^^^^^^^
On ARM platforms, BL2 performs the following platform initializations:
On Arm platforms, BL2 performs the following platform initializations:
- Initialize the console.
- Configure any required platform storage to allow loading further bootloader
......@@ -416,7 +412,7 @@ SCP\_BL2 (System Control Processor Firmware) image load
Some systems have a separate System Control Processor (SCP) for power, clock,
reset and system control. BL2 loads the optional SCP\_BL2 image from platform
storage into a platform-specific region of secure memory. The subsequent
handling of SCP\_BL2 is platform specific. For example, on the Juno ARM
handling of SCP\_BL2 is platform specific. For example, on the Juno Arm
development platform port the image is transferred into SCP's internal memory
using the Boot Over MHU (BOM) protocol after being loaded in the trusted SRAM
memory. The SCP executes SCP\_BL2 and signals to the Application Processor (AP)
......@@ -475,11 +471,11 @@ BL2 execution continues as follows:
Running BL2 at EL3 execution level
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Some platforms have a non-TF Boot ROM that expects the next boot stage
to execute at EL3. On these platforms, TF BL1 is a waste of memory
as its only purpose is to ensure TF BL2 is entered at S-EL1. To avoid
Some platforms have a non-TF-A Boot ROM that expects the next boot stage
to execute at EL3. On these platforms, TF-A BL1 is a waste of memory
as its only purpose is to ensure TF-A BL2 is entered at S-EL1. To avoid
this waste, a special mode enables BL2 to execute at EL3, which allows
a non-TF Boot ROM to load and jump directly to BL2. This mode is selected
a non-TF-A Boot ROM to load and jump directly to BL2. This mode is selected
when the build flag BL2_AT_EL3 is enabled. The main differences in this
mode are:
......@@ -566,7 +562,7 @@ Platform initialization
BL31 performs detailed platform initialization, which enables normal world
software to function correctly.
On ARM platforms, this consists of the following:
On Arm platforms, this consists of the following:
- Initialize the console.
- Configure the Interconnect to enable hardware coherency.
......@@ -622,9 +618,9 @@ Using alternative Trusted Boot Firmware in place of BL1 & BL2 (AArch64 only)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Some platforms have existing implementations of Trusted Boot Firmware that
would like to use ARM Trusted Firmware BL31 for the EL3 Runtime Software. To
enable this firmware architecture it is important to provide a fully documented
and stable interface between the Trusted Boot Firmware and BL31.
would like to use TF-A BL31 for the EL3 Runtime Software. To enable this
firmware architecture it is important to provide a fully documented and stable
interface between the Trusted Boot Firmware and BL31.
Future changes to the BL31 interface will be done in a backwards compatible
way, and this enables these firmware components to be independently enhanced/
......@@ -650,7 +646,7 @@ platform code in BL31:
::
X0 : Reserved for common Trusted Firmware information
X0 : Reserved for common TF-A information
X1 : Platform specific information
BL31 zero-init sections (e.g. ``.bss``) should not contain valid data on entry,
......@@ -665,10 +661,10 @@ used by the common BL31 code.
The convention is that ``X0`` conveys information regarding the BL31, BL32 and
BL33 images from the Trusted Boot firmware and ``X1`` can be used for other
platform specific purpose. This convention allows platforms which use ARM
Trusted Firmware's BL1 and BL2 images to transfer additional platform specific
information from Secure Boot without conflicting with future evolution of the
Trusted Firmware using ``X0`` to pass a ``bl31_params`` structure.
platform specific purpose. This convention allows platforms which use TF-A's
BL1 and BL2 images to transfer additional platform specific information from
Secure Boot without conflicting with future evolution of TF-A using ``X0`` to
pass a ``bl31_params`` structure.
BL31 common and SPD initialization code depends on image and entrypoint
information about BL33 and BL32, which is provided via BL31 platform APIs.
......@@ -680,8 +676,8 @@ Cold boot Initialization parameters. This data may need to be cleaned out of
the CPU caches if it is provided by an earlier boot stage and then accessed by
BL31 platform code before the caches are enabled.
ARM Trusted Firmware's BL2 implementation passes a ``bl31_params`` structure in
``X0`` and the ARM development platforms interpret this in the BL31 platform
TF-A's BL2 implementation passes a ``bl31_params`` structure in
``X0`` and the Arm development platforms interpret this in the BL31 platform
code.
MMU, Data caches & Coherency
......@@ -722,12 +718,11 @@ to simplify this action.
Required CPU state for BL31 Warm boot initialization
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When requesting a CPU power-on, or suspending a running CPU, ARM Trusted
Firmware provides the platform power management code with a Warm boot
initialization entry-point, to be invoked by the CPU immediately after the
reset handler. On entry to the Warm boot initialization function the calling
CPU must be in AArch64 EL3, little-endian data access and all interrupt sources
masked:
When requesting a CPU power-on, or suspending a running CPU, TF-A provides
the platform power management code with a Warm boot initialization
entry-point, to be invoked by the CPU immediately after the reset handler.
On entry to the Warm boot initialization function the calling CPU must be in
AArch64 EL3, little-endian data access and all interrupt sources masked:
::
......@@ -769,7 +764,7 @@ platform code in AArch32 EL3 Runtime Software:
::
R0 : Reserved for common Trusted Firmware information
R0 : Reserved for common TF-A information
R1 : Platform specific information
Use of the R0 and R1 parameters
......@@ -778,10 +773,9 @@ Use of the R0 and R1 parameters
The parameters are platform specific and the convention is that ``R0`` conveys
information regarding the BL3x images from the Trusted Boot firmware and ``R1``
can be used for other platform specific purpose. This convention allows
platforms which use ARM Trusted Firmware's BL1 and BL2 images to transfer
additional platform specific information from Secure Boot without conflicting
with future evolution of the Trusted Firmware using ``R0`` to pass a ``bl_params``
structure.
platforms which use TF-A's BL1 and BL2 images to transfer additional platform
specific information from Secure Boot without conflicting with future
evolution of TF-A using ``R0`` to pass a ``bl_params`` structure.
The AArch32 EL3 Runtime Software is responsible for entry into BL33. This
information can be obtained in a platform defined manner, e.g. compiled into
......@@ -791,7 +785,7 @@ via the Cold boot Initialization parameters. This data may need to be cleaned
out of the CPU caches if it is provided by an earlier boot stage and then
accessed by AArch32 EL3 Runtime Software before the caches are enabled.
When using AArch32 EL3 Runtime Software, the ARM development platforms pass a
When using AArch32 EL3 Runtime Software, the Arm development platforms pass a
``bl_params`` structure in ``R0`` from BL2 to be interpreted by AArch32 EL3 Runtime
Software platform code.
......@@ -814,9 +808,9 @@ Required CPU state for warm boot initialization
When requesting a CPU power-on, or suspending a running CPU, AArch32 EL3
Runtime Software must ensure execution of a warm boot initialization entrypoint.
If ARM Trusted Firmware BL1 is used and the PROGRAMMABLE\_RESET\_ADDRESS build
flag is false, then AArch32 EL3 Runtime Software must ensure that BL1 branches
to the warm boot entrypoint by arranging for the BL1 platform function,
If TF-A BL1 is used and the PROGRAMMABLE\_RESET\_ADDRESS build flag is false,
then AArch32 EL3 Runtime Software must ensure that BL1 branches to the warm
boot entrypoint by arranging for the BL1 platform function,
plat\_get\_my\_entrypoint(), to return a non-zero value.
In this case, the warm boot entrypoint must be in AArch32 EL3, little-endian
......@@ -827,7 +821,7 @@ data access and all interrupt sources masked:
PSTATE.AIF = 0x7
SCTLR.EE = 0
The warm boot entrypoint may be implemented by using the ARM Trusted Firmware
The warm boot entrypoint may be implemented by using TF-A
``psci_warmboot_entrypoint()`` function. In that case, the platform must fulfil
the pre-requisites mentioned in the `PSCI Library integration guide`_.
......@@ -860,7 +854,7 @@ not all been instantiated in the current implementation.
This service is for management of the entire system. The Power State
Coordination Interface (`PSCI`_) is the first set of standard service calls
defined by ARM (see PSCI section later).
defined by Arm (see PSCI section later).
#. Secure-EL1 Payload Dispatcher service
......@@ -874,12 +868,12 @@ not all been instantiated in the current implementation.
The interface between the EL3 Runtime Software and the Secure-EL1 Payload is
not defined by the `SMCCC`_ or any other standard. As a result, each
Secure-EL1 Payload requires a specific Secure Monitor that runs as a runtime
service - within ARM Trusted Firmware this service is referred to as the
Secure-EL1 Payload Dispatcher (SPD).
service - within TF-A this service is referred to as the Secure-EL1 Payload
Dispatcher (SPD).
ARM Trusted Firmware provides a Test Secure-EL1 Payload (TSP) and its
associated Dispatcher (TSPD). Details of SPD design and TSP/TSPD operation
are described in the "Secure-EL1 Payloads and Dispatchers" section below.
TF-A provides a Test Secure-EL1 Payload (TSP) and its associated Dispatcher
(TSPD). Details of SPD design and TSP/TSPD operation are described in the
"Secure-EL1 Payloads and Dispatchers" section below.
#. CPU implementation service
......@@ -887,7 +881,7 @@ not all been instantiated in the current implementation.
services for a given platform e.g. access to processor errata workarounds.
This service is currently unimplemented.
Additional services for ARM Architecture, SiP and OEM calls can be implemented.
Additional services for Arm Architecture, SiP and OEM calls can be implemented.
Each implemented service handles a range of SMC function identifiers as
described in the `SMCCC`_.
......@@ -1060,10 +1054,10 @@ registered with the generic PSCI code to be supported.
\*\*Note : These PSCI APIs require appropriate Secure Payload Dispatcher
hooks to be registered with the generic PSCI code to be supported.
The PSCI implementation in ARM Trusted Firmware is a library which can be
integrated with AArch64 or AArch32 EL3 Runtime Software for ARMv8-A systems.
A guide to integrating PSCI library with AArch32 EL3 Runtime Software
can be found `here`_.
The PSCI implementation in TF-A is a library which can be integrated with
AArch64 or AArch32 EL3 Runtime Software for Armv8-A systems. A guide to
integrating PSCI library with AArch32 EL3 Runtime Software can be found
`here`_.
Secure-EL1 Payloads and Dispatchers
-----------------------------------
......@@ -1072,20 +1066,20 @@ On a production system that includes a Trusted OS running in Secure-EL1/EL0,
the Trusted OS is coupled with a companion runtime service in the BL31
firmware. This service is responsible for the initialisation of the Trusted
OS and all communications with it. The Trusted OS is the BL32 stage of the
boot flow in ARM Trusted Firmware. The firmware will attempt to locate, load
and execute a BL32 image.
boot flow in TF-A. The firmware will attempt to locate, load and execute a
BL32 image.
ARM Trusted Firmware uses a more general term for the BL32 software that runs
at Secure-EL1 - the *Secure-EL1 Payload* - as it is not always a Trusted OS.
TF-A uses a more general term for the BL32 software that runs at Secure-EL1 -
the *Secure-EL1 Payload* - as it is not always a Trusted OS.
The ARM Trusted Firmware provides a Test Secure-EL1 Payload (TSP) and a Test
Secure-EL1 Payload Dispatcher (TSPD) service as an example of how a Trusted OS
is supported on a production system using the Runtime Services Framework. On
such a system, the Test BL32 image and service are replaced by the Trusted OS
and its dispatcher service. The ARM Trusted Firmware build system expects that
the dispatcher will define the build flag ``NEED_BL32`` to enable it to include
the BL32 in the build either as a binary or to compile from source depending
on whether the ``BL32`` build option is specified or not.
TF-A provides a Test Secure-EL1 Payload (TSP) and a Test Secure-EL1 Payload
Dispatcher (TSPD) service as an example of how a Trusted OS is supported on a
production system using the Runtime Services Framework. On such a system, the
Test BL32 image and service are replaced by the Trusted OS and its dispatcher
service. The TF-A build system expects that the dispatcher will define the
build flag ``NEED_BL32`` to enable it to include the BL32 in the build either
as a binary or to compile from source depending on whether the ``BL32`` build
option is specified or not.
The TSP runs in Secure-EL1. It is designed to demonstrate synchronous
communication with the normal-world software running in EL1/EL2. Communication
......@@ -1133,8 +1127,8 @@ prototype:
and is registered using the ``bl31_register_bl32_init()`` function.
Trusted Firmware supports two approaches for the SPD to pass control to BL32
before returning through EL3 and running the non-trusted firmware (BL33):
TF-A supports two approaches for the SPD to pass control to BL32 before
returning through EL3 and running the non-trusted firmware (BL33):
#. In the BL32 setup function, use ``bl31_set_next_image_type()`` to
request that the exit from ``bl31_main()`` is to the BL32 entrypoint in
......@@ -1153,8 +1147,8 @@ before returning through EL3 and running the non-trusted firmware (BL33):
``bl31_register_bl32_init()`` which provides a SPD-defined mechanism to
invoke a 'world-switch synchronous call' to Secure-EL1 to run the BL32
entrypoint.
NOTE: The Test SPD service included with the Trusted Firmware provides one
implementation of such a mechanism.
NOTE: The Test SPD service included with TF-A provides one implementation
of such a mechanism.
On completion BL32 returns control to BL31 via a SMC, and on receipt the
SPD service handler invokes the synchronous call return mechanism to return
......@@ -1260,11 +1254,11 @@ The sample crash output is shown below.
Guidelines for Reset Handlers
-----------------------------
Trusted Firmware implements a framework that allows CPU and platform ports to
perform actions very early after a CPU is released from reset in both the cold
and warm boot paths. This is done by calling the ``reset_handler()`` function in
both the BL1 and BL31 images. It in turn calls the platform and CPU specific
reset handling functions.
TF-A implements a framework that allows CPU and platform ports to perform
actions very early after a CPU is released from reset in both the cold and warm
boot paths. This is done by calling the ``reset_handler()`` function in both
the BL1 and BL31 images. It in turn calls the platform and CPU specific reset
handling functions.
Details for implementing a CPU specific reset handler can be found in
Section 8. Details for implementing a platform specific reset handler can be
......@@ -1330,11 +1324,11 @@ There are two ways to specify secure interrupt configuration:
CPU specific operations framework
---------------------------------
Certain aspects of the ARMv8 architecture are implementation defined,
that is, certain behaviours are not architecturally defined, but must be defined
and documented by individual processor implementations. The ARM Trusted
Firmware implements a framework which categorises the common implementation
defined behaviours and allows a processor to export its implementation of that
Certain aspects of the Armv8-A architecture are implementation defined,
that is, certain behaviours are not architecturally defined, but must be
defined and documented by individual processor implementations. TF-A
implements a framework which categorises the common implementation defined
behaviours and allows a processor to export its implementation of that
behaviour. The categories are:
#. Processor specific reset sequence.
......@@ -1437,11 +1431,11 @@ expected by the crash reporting framework.
CPU errata status reporting
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Errata workarounds for CPUs supported in ARM Trusted Firmware are applied during
both cold and warm boots, shortly after reset. Individual Errata workarounds are
enabled as build options. Some errata workarounds have potential run-time
implications; therefore some are enabled by default, others not. Platform ports
shall override build options to enable or disable errata as appropriate. The CPU
Errata workarounds for CPUs supported in TF-A are applied during both cold and
warm boots, shortly after reset. Individual Errata workarounds are enabled as
build options. Some errata workarounds have potential run-time implications;
therefore some are enabled by default, others not. Platform ports shall
override build options to enable or disable errata as appropriate. The CPU
drivers take care of applying errata workarounds that are enabled and applicable
to a given CPU. Refer to the section titled *CPU Errata Workarounds* in `CPUBM`_
for more information.
......@@ -1475,9 +1469,9 @@ macro, the errata reporting function, if it exists, must be named
``cpux_errata_report``. This function will always be called with MMU enabled; it
must follow AAPCS and may use stack.
In a debug build of ARM Trusted Firmware, on a CPU that comes out of reset, both
BL1 and the run time firmware (BL31 in AArch64, and BL32 in AArch32) will invoke
errata status reporting function, if one exists, for that type of CPU.
In a debug build of TF-A, on a CPU that comes out of reset, both BL1 and the
runtime firmware (BL31 in AArch64, and BL32 in AArch32) will invoke errata
status reporting function, if one exists, for that type of CPU.
To report the status of each errata workaround, the function shall use the
assembler macro ``report_errata``, passing it:
......@@ -1493,9 +1487,9 @@ assembler macro ``report_errata``, passing it:
The errata status reporting function will be called once per CPU type/errata
combination during the software's active life time.
It's expected that whenever an errata workaround is submitted to ARM Trusted
Firmware, the errata reporting function is appropriately extended to report its
status as well.
It's expected that whenever an errata workaround is submitted to TF-A, the
errata reporting function is appropriately extended to report its status as
well.
Reporting the status of errata workaround is for informational purpose only; it
has no functional significance.
......@@ -1516,22 +1510,22 @@ Each bootloader image can be divided in 2 parts:
In the ELF terminology, they are called ``NOBITS`` sections.
All PROGBITS sections are grouped together at the beginning of the image,
followed by all NOBITS sections. This is true for all Trusted Firmware images
and it is governed by the linker scripts. This ensures that the raw binary
images are as small as possible. If a NOBITS section was inserted in between
PROGBITS sections then the resulting binary file would contain zero bytes in
place of this NOBITS section, making the image unnecessarily bigger. Smaller
images allow faster loading from the FIP to the main memory.
followed by all NOBITS sections. This is true for all TF-A images and it is
governed by the linker scripts. This ensures that the raw binary images are
as small as possible. If a NOBITS section was inserted in between PROGBITS
sections then the resulting binary file would contain zero bytes in place of
this NOBITS section, making the image unnecessarily bigger. Smaller images
allow faster loading from the FIP to the main memory.
Linker scripts and symbols
~~~~~~~~~~~~~~~~~~~~~~~~~~
Each bootloader stage image layout is described by its own linker script. The
linker scripts export some symbols into the program symbol table. Their values
correspond to particular addresses. The trusted firmware code can refer to these
symbols to figure out the image memory layout.
correspond to particular addresses. TF-A code can refer to these symbols to
figure out the image memory layout.
Linker symbols follow the following naming convention in the trusted firmware.
Linker symbols follow the following naming convention in TF-A.
- ``__<SECTION>_START__``
......@@ -1564,10 +1558,10 @@ Linker symbols follow the following naming convention in the trusted firmware.
rounding up due to some alignment constraint. In other words,
``__<SECTION>_UNALIGNED_SIZE__ = __<SECTION>_UNALIGNED_END__ - __<SECTION>_START__``.
Some of the linker symbols are mandatory as the trusted firmware code relies on
them to be defined. They are listed in the following subsections. Some of them
must be provided for each bootloader stage and some are specific to a given
bootloader stage.
Some of the linker symbols are mandatory as TF-A code relies on them to be
defined. They are listed in the following subsections. Some of them must be
provided for each bootloader stage and some are specific to a given bootloader
stage.
The linker scripts define some extra, optional symbols. They are not actually
used by any code but they help in understanding the bootloader images' memory
......@@ -1622,12 +1616,11 @@ The following additional linker symbols are defined for BL1:
How to choose the right base addresses for each bootloader stage image
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There is currently no support for dynamic image loading in the Trusted Firmware.
This means that all bootloader images need to be linked against their ultimate
runtime locations and the base addresses of each image must be chosen carefully
such that images don't overlap each other in an undesired way. As the code
grows, the base addresses might need adjustments to cope with the new memory
layout.
There is currently no support for dynamic image loading in TF-A. This means
that all bootloader images need to be linked against their ultimate runtime
locations and the base addresses of each image must be chosen carefully such
that images don't overlap each other in an undesired way. As the code grows,
the base addresses might need adjustments to cope with the new memory layout.
The memory layout is completely specific to the platform and so there is no
general recipe for choosing the right base addresses for each bootloader image.
......@@ -1655,13 +1648,13 @@ Additionally, if the platform memory layout implies some image overlaying like
on FVP, BL31 and TSP need to know the limit address that their PROGBITS
sections must not overstep. The platform code must provide those.
When LOAD\_IMAGE\_V2 is disabled, Trusted Firmware provides a mechanism to
verify at boot time that the memory to load a new image is free to prevent
overwriting a previously loaded image. For this mechanism to work, the platform
must specify the memory available in the system as regions, where each region
consists of base address, total size and the free area within it (as defined
in the ``meminfo_t`` structure). Trusted Firmware retrieves these memory regions
by calling the corresponding platform API:
When LOAD\_IMAGE\_V2 is disabled, TF-A provides a mechanism to verify at boot
time that the memory to load a new image is free to prevent overwriting a
previously loaded image. For this mechanism to work, the platform must specify
the memory available in the system as regions, where each region consists of
base address, total size and the free area within it (as defined in the
``meminfo_t`` structure). TF-A retrieves these memory regions by calling the
corresponding platform API:
- ``meminfo_t *bl1_plat_sec_mem_layout(void)``
- ``meminfo_t *bl2_plat_sec_mem_layout(void)``
......@@ -1685,7 +1678,7 @@ corresponding processor (e.g. the SCP BL2 image).
To reduce fragmentation and simplify the tracking of free memory, all the free
memory within a region is always located in one single buffer defined by its
base address and size. Trusted Firmware implements a top/bottom load approach:
base address and size. TF-A implements a top/bottom load approach:
after a new image is loaded, it checks how much memory remains free above and
below the image. The smallest area is marked as unavailable, while the larger
area becomes the new free memory buffer. Platforms should take this behaviour
......@@ -1725,10 +1718,10 @@ And the following diagram is an example of an image loaded in the top part:
| |
+----------+
When LOAD\_IMAGE\_V2 is enabled, Trusted Firmware does not provide any mechanism
to verify at boot time that the memory to load a new image is free to prevent
overwriting a previously loaded image. The platform must specify the memory
available in the system for all the relevant BL images to be loaded.
When LOAD\_IMAGE\_V2 is enabled, TF-A does not provide any mechanism to verify
at boot time that the memory to load a new image is free to prevent overwriting
a previously loaded image. The platform must specify the memory available in
the system for all the relevant BL images to be loaded.
For example, in the case of BL1 loading BL2, ``bl1_plat_sec_mem_layout()`` will
return the region defined by the platform where BL1 intends to load BL2. The
......@@ -1736,10 +1729,10 @@ return the region defined by the platform where BL1 intends to load BL2. The
base and maximum image size provided by the platforms. Platforms must take
this behaviour into account when defining the base/size for each of the images.
Memory layout on ARM development platforms
Memory layout on Arm development platforms
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The following list describes the memory layout on the ARM development platforms:
The following list describes the memory layout on the Arm development platforms:
- A 4KB page of shared memory is used for communication between Trusted
Firmware and the platform's power controller. This is located at the base of
......@@ -1799,14 +1792,13 @@ mechanism at boot time are defined as follows (shown per API):
This region is an exact copy of the region defined by
``bl2_plat_sec_mem_layout()``. Being a disconnected copy means that all the
changes made to this region by the Trusted Firmware will not be propagated.
This approach is valid because the SCP BL2 image is loaded temporarily
while it is being transferred to the SCP, so this memory is reused
afterwards.
changes made to this region by the TF-A will not be propagated. This
approach is valid because the SCP BL2 image is loaded temporarily while it
is being transferred to the SCP, so this memory is reused afterwards.
- ``void bl2_plat_get_bl32_meminfo(meminfo_t *bl32_meminfo)``
This region depends on the location of the BL32 image. Currently, ARM
This region depends on the location of the BL32 image. Currently, Arm
platforms support three different locations (detailed below): Trusted SRAM,
Trusted DRAM and the TZC-Secured DRAM.
......@@ -1980,11 +1972,11 @@ Firmware Image Package (FIP)
----------------------------
Using a Firmware Image Package (FIP) allows for packing bootloader images (and
potentially other payloads) into a single archive that can be loaded by the ARM
Trusted Firmware from non-volatile platform storage. A driver to load images
from a FIP has been added to the storage layer and allows a package to be read
from supported platform storage. A tool to create Firmware Image Packages is
also provided and described below.
potentially other payloads) into a single archive that can be loaded by TF-A
from non-volatile platform storage. A driver to load images from a FIP has
been added to the storage layer and allows a package to be read from supported
platform storage. A tool to create Firmware Image Packages is also provided
and described below.
Firmware Image Package layout
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -2019,7 +2011,7 @@ retrieved.
The ToC header and entry formats are described in the header file
``include/tools_share/firmware_image_package.h``. This file is used by both the
tool and the ARM Trusted firmware.
tool and TF-A.
The ToC header has the following fields:
......@@ -2049,10 +2041,10 @@ A ToC entry has the following fields:
Firmware Image Package creation tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The FIP creation tool can be used to pack specified images into a binary package
that can be loaded by the ARM Trusted Firmware from platform storage. The tool
currently only supports packing bootloader images. Additional image definitions
can be added to the tool as required.
The FIP creation tool can be used to pack specified images into a binary
package that can be loaded by TF-A from platform storage. The tool currently
only supports packing bootloader images. Additional image definitions can be
added to the tool as required.
The tool can be found in ``tools/fiptool``.
......@@ -2060,38 +2052,37 @@ Loading from a Firmware Image Package (FIP)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Firmware Image Package (FIP) driver can load images from a binary package on
non-volatile platform storage. For the ARM development platforms, this is
non-volatile platform storage. For the Arm development platforms, this is
currently NOR FLASH.
Bootloader images are loaded according to the platform policy as specified by
the function ``plat_get_image_source()``. For the ARM development platforms, this
the function ``plat_get_image_source()``. For the Arm development platforms, this
means the platform will attempt to load images from a Firmware Image Package
located at the start of NOR FLASH0.
The ARM development platforms' policy is to only allow loading of a known set of
The Arm development platforms' policy is to only allow loading of a known set of
images. The platform policy can be modified to allow additional images.
Use of coherent memory in Trusted Firmware
------------------------------------------
Use of coherent memory in TF-A
------------------------------
There might be loss of coherency when physical memory with mismatched
shareability, cacheability and memory attributes is accessed by multiple CPUs
(refer to section B2.9 of `ARM ARM`_ for more details). This possibility occurs
in Trusted Firmware during power up/down sequences when coherency, MMU and
caches are turned on/off incrementally.
(refer to section B2.9 of `Arm ARM`_ for more details). This possibility occurs
in TF-A during power up/down sequences when coherency, MMU and caches are
turned on/off incrementally.
Trusted Firmware defines coherent memory as a region of memory with Device
nGnRE attributes in the translation tables. The translation granule size in
Trusted Firmware is 4KB. This is the smallest possible size of the coherent
memory region.
TF-A defines coherent memory as a region of memory with Device nGnRE attributes
in the translation tables. The translation granule size in TF-A is 4KB. This
is the smallest possible size of the coherent memory region.
By default, all data structures which are susceptible to accesses with
mismatched attributes from various CPUs are allocated in a coherent memory
region (refer to section 2.1 of `Porting Guide`_). The coherent memory region
accesses are Outer Shareable, non-cacheable and they can be accessed
with the Device nGnRE attributes when the MMU is turned on. Hence, at the
expense of at least an extra page of memory, Trusted Firmware is able to work
around coherency issues due to mismatched memory attributes.
expense of at least an extra page of memory, TF-A is able to work around
coherency issues due to mismatched memory attributes.
The alternative to the above approach is to allocate the susceptible data
structures in Normal WriteBack WriteAllocate Inner shareable memory. This
......@@ -2099,12 +2090,12 @@ approach requires the data structures to be designed so that it is possible to
work around the issue of mismatched memory attributes by performing software
cache maintenance on them.
Disabling the use of coherent memory in Trusted Firmware
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disabling the use of coherent memory in TF-A
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It might be desirable to avoid the cost of allocating coherent memory on
platforms which are memory constrained. Trusted Firmware enables inclusion of
coherent memory in firmware images through the build flag ``USE_COHERENT_MEM``.
platforms which are memory constrained. TF-A enables inclusion of coherent
memory in firmware images through the build flag ``USE_COHERENT_MEM``.
This flag is enabled by default. It can be disabled to choose the second
approach described above.
......@@ -2116,9 +2107,8 @@ Coherent memory usage in PSCI implementation
The ``psci_non_cpu_pd_nodes`` data structure stores the platform's power domain
tree information for state management of power domains. By default, this data
structure is allocated in the coherent memory region in the Trusted Firmware
because it can be accessed by multple CPUs, either with caches enabled or
disabled.
structure is allocated in the coherent memory region in TF-A because it can be
accessed by multple CPUs, either with caches enabled or disabled.
.. code:: c
......@@ -2271,7 +2261,7 @@ operation on Lock\_N, the corresponding ``bakery_info_t`` in both CPU0 and CPU1
``bakery_lock`` section need to be fetched and appropriate cache operations need
to be performed for each access.
On ARM Platforms, bakery locks are used in psci (``psci_locks``) and power controller
On Arm Platforms, bakery locks are used in psci (``psci_locks``) and power controller
driver (``arm_lock``).
Non Functional Impact of removing coherent memory
......@@ -2292,7 +2282,7 @@ The implementation has been optimized to minimize this additional overhead.
Measurements indicate that when bakery locks are allocated in Normal memory, the
minimum latency of acquiring a lock is on an average 3-4 micro seconds whereas
in Device memory the same is 2 micro seconds. The measurements were done on the
Juno ARM development platform.
Juno Arm development platform.
As mentioned earlier, almost a page of memory can be saved by disabling
``USE_COHERENT_MEM``. Each platform needs to consider these trade-offs to decide
......@@ -2304,7 +2294,7 @@ optionally define macro ``PLAT_PERCPU_BAKERY_LOCK_SIZE`` (see the
Isolating code and read-only data on separate memory pages
----------------------------------------------------------
In the ARMv8 VMSA, translation table entries include fields that define the
In the Armv8-A VMSA, translation table entries include fields that define the
properties of the target memory region, such as its access permissions. The
smallest unit of memory that can be addressed by a translation table entry is
a memory page. Therefore, if software needs to set different permissions on two
......@@ -2379,7 +2369,7 @@ With this more condensed memory layout, the separation of read-only data will
add zero or one page to the memory footprint of each BL image. Each platform
should consider the trade-off between memory footprint and security.
This build flag is disabled by default, minimising memory footprint. On ARM
This build flag is disabled by default, minimising memory footprint. On Arm
platforms, it is enabled.
Publish and Subscribe Framework
......@@ -2433,11 +2423,10 @@ PE only; it won't cause handlers to execute on a different PE.
Note that publishing an event on a PE blocks until all the subscribed handlers
finish executing on the PE.
ARM Trusted Firmware generic code publishes and subscribes to some events
within. Platform ports are discouraged from subscribing to them. These events
may be withdrawn, renamed, or have their semantics altered in the future.
Platforms may however register, publish, and subscribe to platform-specific
events.
TF-A generic code publishes and subscribes to some events within. Platform
ports are discouraged from subscribing to them. These events may be withdrawn,
renamed, or have their semantics altered in the future. Platforms may however
register, publish, and subscribe to platform-specific events.
Publish and Subscribe Example
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -2473,9 +2462,9 @@ Performance Measurement Framework
---------------------------------
The Performance Measurement Framework (PMF) facilitates collection of
timestamps by registered services and provides interfaces to retrieve
them from within the ARM Trusted Firmware. A platform can choose to
expose appropriate SMCs to retrieve these collected timestamps.
timestamps by registered services and provides interfaces to retrieve them
from within TF-A. A platform can choose to expose appropriate SMCs to
retrieve these collected timestamps.
By default, the global physical counter is used for the timestamp
value and is read via ``CNTPCT_EL0``. The framework allows to retrieve
......@@ -2520,9 +2509,8 @@ timestamps in a PMF specific linker section at build time.
Additionally, it defines necessary functions to capture and
retrieve a particular timestamp for the given service at runtime.
The macro ``PMF_REGISTER_SERVICE()`` only enables capturing PMF
timestamps from within ARM Trusted Firmware. In order to retrieve
timestamps from outside of ARM Trusted Firmware, the
The macro ``PMF_REGISTER_SERVICE()`` only enables capturing PMF timestamps
from within TF-A. In order to retrieve timestamps from outside of TF-A, the
``PMF_REGISTER_SERVICE_SMC()`` macro must be used instead. This macro
accepts the same set of arguments as the ``PMF_REGISTER_SERVICE()``
macro but additionally supports retrieving timestamps using SMCs.
......@@ -2552,13 +2540,13 @@ and store it at the determined address for later retrieval.
Retrieving a timestamp
~~~~~~~~~~~~~~~~~~~~~~
From within ARM Trusted Firmware, timestamps for individual CPUs can
be retrieved using either ``PMF_GET_TIMESTAMP_BY_MPIDR()`` or
``PMF_GET_TIMESTAMP_BY_INDEX()`` macros. These macros accept the CPU's MPIDR
value, or its ordinal position, respectively.
From within TF-A, timestamps for individual CPUs can be retrieved using either
``PMF_GET_TIMESTAMP_BY_MPIDR()`` or ``PMF_GET_TIMESTAMP_BY_INDEX()`` macros.
These macros accept the CPU's MPIDR value, or its ordinal position
respectively.
From outside ARM Trusted Firmware, timestamps for individual CPUs can be
retrieved by calling into ``pmf_smc_handler()``.
From outside TF-A, timestamps for individual CPUs can be retrieved by calling
into ``pmf_smc_handler()``.
.. code:: c
......@@ -2600,32 +2588,31 @@ PMF code structure
#. ``pmf_helpers.h`` is an internal header used by ``pmf.h``.
ARMv8 Architecture Extensions
-----------------------------
Armv8-A Architecture Extensions
-------------------------------
ARM Trusted Firmware makes use of ARMv8 Architecture Extensions where
applicable. This section lists the usage of Architecture Extensions, and build
flags controlling them.
TF-A makes use of Armv8-A Architecture Extensions where applicable. This
section lists the usage of Architecture Extensions, and build flags
controlling them.
In general, and unless individually mentioned, the build options
``ARM_ARCH_MAJOR`` and ``ARM_ARCH_MINOR`` selects the Architecture Extension to
target when building ARM Trusted Firmware. Subsequent ARM Architecture
Extensions are backward compatible with previous versions.
target when building TF-A. Subsequent Arm Architecture Extensions are backward
compatible with previous versions.
The build system only requires that ``ARM_ARCH_MAJOR`` and ``ARM_ARCH_MINOR`` have a
valid numeric value. These build options only control whether or not
Architecture Extension-specific code is included in the build. Otherwise, ARM
Trusted Firmware targets the base ARMv8.0 architecture; i.e. as if
``ARM_ARCH_MAJOR`` == 8 and ``ARM_ARCH_MINOR`` == 0, which are also their respective
default values.
Architecture Extension-specific code is included in the build. Otherwise, TF-A
targets the base Armv8.0-A architecture; i.e. as if ``ARM_ARCH_MAJOR`` == 8
and ``ARM_ARCH_MINOR`` == 0, which are also their respective default values.
See also the *Summary of build options* in `User Guide`_.
For details on the Architecture Extension and available features, please refer
to the respective Architecture Extension Supplement.
ARMv8.1
~~~~~~~
Armv8.1-A
~~~~~~~~~
This Architecture Extension is targeted when ``ARM_ARCH_MAJOR`` >= 8, or when
``ARM_ARCH_MAJOR`` == 8 and ``ARM_ARCH_MINOR`` >= 1.
......@@ -2633,8 +2620,8 @@ This Architecture Extension is targeted when ``ARM_ARCH_MAJOR`` >= 8, or when
- The Compare and Swap instruction is used to implement spinlocks. Otherwise,
the load-/store-exclusive instruction pair is used.
ARMv8.2
~~~~~~~
Armv8.2-A
~~~~~~~~~
This Architecture Extension is targeted when ``ARM_ARCH_MAJOR`` == 8 and
``ARM_ARCH_MINOR`` >= 2.
......@@ -2644,23 +2631,22 @@ This Architecture Extension is targeted when ``ARM_ARCH_MAJOR`` == 8 and
translation table entries for a given stage of translation for a particular
translation regime.
ARMv7
~~~~~
Armv7-A
~~~~~~~
This Architecture Extension is targeted when ``ARM_ARCH_MAJOR`` == 7.
There are several ARMv7 extensions available. Obviously the TrustZone
extension is mandatory to support the ARM Trusted Firmware bootloader
and runtime services.
There are several Armv7-A extensions available. Obviously the TrustZone
extension is mandatory to support the TF-A bootloader and runtime services.
Platform implementing an ARMv7 system can to define from its target
Platform implementing an Armv7-A system can to define from its target
Cortex-A architecture through ``ARM_CORTEX_A<X> = yes`` in their
``plaform.mk`` script. For example ``ARM_CORTEX_A15=yes`` for a
Cortex-A15 target.
Platform can also set ``ARM_WITH_NEON=yes`` to enable neon support.
Note that using neon at runtime has constraints on non secure wolrd context.
The trusted firmware does not yet provide VFP context management.
TF-A does not yet provide VFP context management.
Directive ``ARM_CORTEX_A<x>`` and ``ARM_WITH_NEON`` are used to set
the toolchain target architecture directive.
......@@ -2676,9 +2662,9 @@ I.e:
Code Structure
--------------
Trusted Firmware code is logically divided between the three boot loader
stages mentioned in the previous sections. The code is also divided into the
following categories (present as directories in the source code):
TF-A code is logically divided between the three boot loader stages mentioned
in the previous sections. The code is also divided into the following
categories (present as directories in the source code):
- **Platform specific.** Choice of architecture specific code depends upon
the platform.
......@@ -2708,8 +2694,8 @@ categories. Based upon the above, the code layout looks like this:
The build system provides a non configurable build option IMAGE\_BLx for each
boot loader stage (where x = BL stage). e.g. for BL1 , IMAGE\_BL1 will be
defined by the build system. This enables the Trusted Firmware to compile
certain code only for specific boot loader stages
defined by the build system. This enables TF-A to compile certain code only
for specific boot loader stages
All assembler files have the ``.S`` extension. The linker source files for each
boot stage have the extension ``.ld.S``. These are processed by GCC to create the
......@@ -2721,15 +2707,15 @@ kernel at boot time. These can be found in the ``fdts`` directory.
References
----------
.. [#] Trusted Board Boot Requirements CLIENT PDD (ARM DEN0006C-1). Available
under NDA through your ARM account representative.
.. [#] Trusted Board Boot Requirements CLIENT PDD (Arm DEN0006C-1). Available
under NDA through your Arm account representative.
.. [#] `Power State Coordination Interface PDD`_
.. [#] `SMC Calling Convention PDD`_
.. [#] `ARM Trusted Firmware Interrupt Management Design guide`_.
.. [#] `TF-A Interrupt Management Design guide`_.
--------------
*Copyright (c) 2013-2018, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2013-2018, Arm Limited and Contributors. All rights reserved.*
.. _Reset Design: ./reset-design.rst
.. _Porting Guide: ./porting-guide.rst
......@@ -2743,10 +2729,10 @@ References
.. _here: ./psci-lib-integration-guide.rst
.. _cpu-specific-build-macros.rst: ./cpu-specific-build-macros.rst
.. _CPUBM: ./cpu-specific-build-macros.rst
.. _ARM ARM: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0487a.e/index.html
.. _Arm ARM: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0487a.e/index.html
.. _User Guide: ./user-guide.rst
.. _SMC Calling Convention PDD: http://infocenter.arm.com/help/topic/com.arm.doc.den0028b/ARM_DEN0028B_SMC_Calling_Convention.pdf
.. _ARM Trusted Firmware Interrupt Management Design guide: ./interrupt-framework-design.rst
.. _TF-A Interrupt Management Design guide: ./interrupt-framework-design.rst
.. _Xlat_tables design: xlat-tables-lib-v2-design.rst
.. |Image 1| image:: diagrams/rt-svc-descs-layout.png?raw=true
docs/firmware-update.rst
View file @ fb45044b
ARM Trusted Firmware - Firmware Update Design Guide
===================================================
Trusted Firmware-A - Firmware Update design guide
=================================================
.. section-numbering::
......@@ -21,9 +21,9 @@ is corrupt or missing; it therefore may be used as a recovery mode. It may also
be complemented by other, higher level firmware update software.
FWU implements a specific part of the Trusted Board Boot Requirements (TBBR)
specification, ARM DEN0006C-1. It should be used in conjunction with the
specification, Arm DEN0006C-1. It should be used in conjunction with the
`Trusted Board Boot`_ design document, which describes the image authentication
parts of the Trusted Firmware (TF) TBBR implementation.
parts of the Trusted Firmware-A (TF-A) TBBR implementation.
Scope
~~~~~
......@@ -63,11 +63,11 @@ The primary requirements of the FWU feature are:
it needs, and to enable platform specific FWU functionality. See the
`Porting Guide`_ for details of this interface.
TF uses abbreviated image terminology for FWU images like for other TF images.
An overview of this terminology can be found `here`_.
TF-A uses abbreviated image terminology for FWU images like for other TF-A
images. An overview of this terminology can be found `here`_.
The following diagram shows the FWU boot flow for ARM development platforms.
ARM CSS platforms like Juno have a System Control Processor (SCP), and these
The following diagram shows the FWU boot flow for Arm development platforms.
Arm CSS platforms like Juno have a System Control Processor (SCP), and these
use all defined FWU images. Other platforms may use a subset of these.
|Flow Diagram|
......@@ -193,8 +193,8 @@ BL1\_SMC\_RUN\_IMAGE
if (ep_info not EL3) synchronous exception
This SMC passes execution control to an EL3 image described by the provided
``entry_point_info_t`` structure. In the normal TF boot flow, BL2 invokes this SMC
for BL1 to pass execution control to BL31.
``entry_point_info_t`` structure. In the normal TF-A boot flow, BL2 invokes
this SMC for BL1 to pass execution control to BL31.
FWU\_SMC\_IMAGE\_COPY
~~~~~~~~~~~~~~~~~~~~~
......@@ -400,7 +400,7 @@ This is only allowed if the image is not being executed.
--------------
*Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2015-2018, Arm Limited and Contributors. All rights reserved.*
.. _Trusted Board Boot: ./trusted-board-boot.rst
.. _Porting Guide: ./porting-guide.rst
......
docs/interrupt-framework-design.rst
View file @ fb45044b
ARM Trusted Firmware Interrupt Management Design guide
======================================================
Trusted Firmware-A interrupt management design guide
====================================================
.. section-numbering::
......@@ -88,8 +88,8 @@ The framework considers certain routing models for each type of interrupt to be
incorrect as they conflict with the requirements mentioned in Section 1. The
following sub-sections describe all the possible routing models and specify
which ones are valid or invalid. EL3 interrupts are currently supported only
for GIC version 3.0 (ARM GICv3) and only the Secure-EL1 and Non-secure interrupt
types are supported for GIC version 2.0 (ARM GICv2) (See 1.2). The terminology
for GIC version 3.0 (Arm GICv3) and only the Secure-EL1 and Non-secure interrupt
types are supported for GIC version 2.0 (Arm GICv2) (See 1.2). The terminology
used in the following sub-sections is explained below.
#. **CSS**. Current Security State. ``0`` when secure and ``1`` when non-secure
......@@ -111,7 +111,7 @@ Secure-EL1 interrupts
#. **CSS=1, TEL3=0**. Interrupt is routed to the FEL when execution is in
non-secure state. This is an invalid routing model as a secure interrupt
is not visible to the secure software which violates the motivation behind
the ARM Security Extensions.
the Arm Security Extensions.
#. **CSS=1, TEL3=1**. Interrupt is routed to EL3 when execution is in
non-secure state. This is a valid routing model as secure software in EL3
......@@ -162,7 +162,7 @@ EL3 interrupts
#. **CSS=1, TEL3=0**. Interrupt is routed to the FEL when execution is in
non-secure state. This is an invalid routing model as a secure interrupt
is not visible to the secure software which violates the motivation behind
the ARM Security Extensions.
the Arm Security Extensions.
#. **CSS=1, TEL3=1**. Interrupt is routed to EL3 when execution is in
non-secure state. This is a valid routing model as secure software in EL3
......@@ -179,7 +179,7 @@ uses this information to determine whether the IRQ or the FIQ bit should be
programmed in ``SCR_EL3`` while applying the routing model for a type of
interrupt. The platform provides this information through the
``plat_interrupt_type_to_line()`` API (described in the
`Porting Guide`_). For example, on the FVP port when the platform uses an ARM GICv2
`Porting Guide`_). For example, on the FVP port when the platform uses an Arm GICv2
interrupt controller, Secure-EL1 interrupts are signaled through the FIQ signal
while Non-secure interrupts are signaled through the IRQ signal. This applies
when execution is in either security state.
......@@ -194,7 +194,7 @@ that security state. This means that all the other interrupt types using the
same interrupt signal will be forced to the same routing model. This should be
borne in mind when choosing the routing model for an interrupt type.
For example, in ARM GICv3, when the execution context is Secure-EL1/
For example, in Arm GICv3, when the execution context is Secure-EL1/
Secure-EL0, both the EL3 and the non secure interrupt types map to the FIQ
signal. So if either one of the interrupt type sets the routing model so
that **TEL3=1** when **CSS=0**, the FIQ bit in ``SCR_EL3`` will be programmed to
......@@ -208,8 +208,8 @@ The framework makes the following assumptions to simplify its implementation.
#. Although the framework has support for 2 types of secure interrupts (EL3
and Secure-EL1 interrupt), only interrupt controller architectures
like ARM GICv3 has architectural support for EL3 interrupts in the form of
Group 0 interrupts. In ARM GICv2, all secure interrupts are assumed to be
like Arm GICv3 has architectural support for EL3 interrupts in the form of
Group 0 interrupts. In Arm GICv2, all secure interrupts are assumed to be
handled in Secure-EL1. They can be delivered to Secure-EL1 via EL3 but they
cannot be handled in EL3.
......@@ -260,7 +260,7 @@ the non-secure interrupts and target them to the primary CPU. It should also
export the interface described in the `Porting Guide`_ to enable
handling of interrupts.
In the remainder of this document, for the sake of simplicity a ARM GICv2 system
In the remainder of this document, for the sake of simplicity a Arm GICv2 system
is considered and it is assumed that the FIQ signal is used to generate Secure-EL1
interrupts and the IRQ signal is used to generate non-secure interrupts in either
security state. EL3 interrupts are not considered.
......@@ -272,8 +272,7 @@ Roles and responsibilities for interrupt management are sub-divided between the
following components of software running in EL3 and Secure-EL1. Each component is
briefly described below.
#. EL3 Runtime Firmware. This component is common to all ports of the ARM
Trusted Firmware.
#. EL3 Runtime Firmware. This component is common to all ports of TF-A.
#. Secure Payload Dispatcher (SPD) service. This service interfaces with the
Secure Payload (SP) software which runs in Secure-EL1/Secure-EL0 and is
......@@ -282,20 +281,20 @@ briefly described below.
exported by the Context management library to implement this functionality.
Switching execution between the two security states is a requirement for
interrupt management as well. This results in a significant dependency on
the SPD service. ARM Trusted firmware implements an example Test Secure
Payload Dispatcher (TSPD) service.
the SPD service. TF-A implements an example Test Secure Payload Dispatcher
(TSPD) service.
An SPD service plugs into the EL3 runtime firmware and could be common to
some ports of the ARM Trusted Firmware.
some ports of TF-A.
#. Secure Payload (SP). On a production system, the Secure Payload corresponds
to a Secure OS which runs in Secure-EL1/Secure-EL0. It interfaces with the
SPD service to manage communication with non-secure software. ARM Trusted
Firmware implements an example secure payload called Test Secure Payload
(TSP) which runs only in Secure-EL1.
SPD service to manage communication with non-secure software. TF-A
implements an example secure payload called Test Secure Payload (TSP)
which runs only in Secure-EL1.
A Secure payload implementation could be common to some ports of the ARM
Trusted Firmware just like the SPD service.
A Secure payload implementation could be common to some ports of TF-A,
just like the SPD service.
Interrupt registration
----------------------
......@@ -515,7 +514,7 @@ the interrupt routing model is not known to the SPD service at compile time,
then the SP should pass this information to the SPD service at runtime during
its initialisation phase.
As mentioned earlier, a ARM GICv2 system is considered and it is assumed that
As mentioned earlier, an Arm GICv2 system is considered and it is assumed that
the FIQ signal is used to generate Secure-EL1 interrupts and the IRQ signal
is used to generate non-secure interrupts in either security state.
......@@ -595,7 +594,7 @@ exceptions taken at the same (Secure-EL1) exception level. This table is
referenced through the ``tsp_exceptions`` variable and programmed into the
VBAR\_EL1. It caters for the asynchronous handling model.
The TSP also programs the Secure Physical Timer in the ARM Generic Timer block
The TSP also programs the Secure Physical Timer in the Arm Generic Timer block
to raise a periodic interrupt (every half a second) for the purpose of testing
interrupt management across all the software components listed in 2.1
......@@ -999,7 +998,7 @@ TSP by returning ``SMC_UNK`` error.
--------------
*Copyright (c) 2014-2018, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2014-2018, Arm Limited and Contributors. All rights reserved.*
.. _Porting Guide: ./porting-guide.rst
.. _SMC calling convention: http://infocenter.arm.com/help/topic/com.arm.doc.den0028a/index.html
......
docs/plat/hikey.rst
View file @ fb45044b
......@@ -11,7 +11,7 @@ How to build
Code Locations
--------------
- ARM Trusted Firmware:
- Trusted Firmware-A:
`link <https://github.com/ARM-software/arm-trusted-firmware>`__
- OP-TEE
......@@ -76,13 +76,13 @@ Build Procedure
export UEFI_TOOLS_DIR=${BUILD_PATH}/uefi-tools
export EDK2_DIR=${BUILD_PATH}/edk2
EDK2_OUTPUT_DIR=${EDK2_DIR}/Build/HiKey/${BUILD_OPTION}_${AARCH64_TOOLCHAIN}
# Build fastboot for ARM Trust Firmware. It's used for recovery mode.
# Build fastboot for Trusted Firmware-A. It's used for recovery mode.
cd ${BUILD_PATH}/atf-fastboot
CROSS_COMPILE=aarch64-linux-gnu- make PLAT=hikey DEBUG=1
# Convert DEBUG/RELEASE to debug/release
FASTBOOT_BUILD_OPTION=$(echo ${BUILD_OPTION} | tr '[A-Z]' '[a-z]')
cd ${EDK2_DIR}
# Build UEFI & ARM Trust Firmware
# Build UEFI & Trusted Firmware-A
${UEFI_TOOLS_DIR}/uefi-build.sh -b ${BUILD_OPTION} -a ../arm-trusted-firmware -s ../optee_os hikey
- Generate l-loader.bin and partition table for aosp. The eMMC capacity is either 8GB or 4GB. Just change "aosp-8g" to "linux-8g" for debian.
......
docs/plat/hikey960.rst
View file @ fb45044b
......@@ -11,7 +11,7 @@ How to build
Code Locations
--------------
- ARM Trusted Firmware:
- Trusted Firmware-A:
`link <https://github.com/ARM-software/arm-trusted-firmware>`__
- OP-TEE:
......@@ -73,7 +73,7 @@ Build Procedure
export EDK2_DIR=${BUILD_PATH}/edk2
EDK2_OUTPUT_DIR=${EDK2_DIR}/Build/HiKey960/${BUILD_OPTION}_${AARCH64_TOOLCHAIN}
cd ${EDK2_DIR}
# Build UEFI & ARM Trust Firmware
# Build UEFI & Trusted Firmware-A
${UEFI_TOOLS_DIR}/uefi-build.sh -b ${BUILD_OPTION} -a ../arm-trusted-firmware -s ../optee_os hikey960
- Generate l-loader.bin and partition table.
......
docs/plat/nvidia-tegra.rst
View file @ fb45044b
......@@ -4,10 +4,10 @@ Tegra SoCs - Overview
- .. rubric:: T210
:name: t210
T210 has Quad ARM® Cortex®-A57 cores in a switched configuration with a
companion set of quad ARM Cortex-A53 cores. The Cortex-A57 and A53 cores
support ARMv8, executing both 64-bit Aarch64 code, and 32-bit Aarch32 code
including legacy ARMv7 applications. The Cortex-A57 processors each have
T210 has Quad Arm® Cortex®-A57 cores in a switched configuration with a
companion set of quad Arm Cortex-A53 cores. The Cortex-A57 and A53 cores
support Armv8-A, executing both 64-bit Aarch64 code, and 32-bit Aarch32 code
including legacy Armv7-A applications. The Cortex-A57 processors each have
48 KB Instruction and 32 KB Data Level 1 caches; and have a 2 MB shared
Level 2 unified cache. The Cortex-A53 processors each have 32 KB Instruction
and 32 KB Data Level 1 caches; and have a 512 KB shared Level 2 unified cache.
......@@ -16,7 +16,7 @@ and 32 KB Data Level 1 caches; and have a 512 KB shared Level 2 unified cache.
:name: t132
Denver is NVIDIA's own custom-designed, 64-bit, dual-core CPU which is
fully ARMv8 architecture compatible. Each of the two Denver cores
fully Armv8-A architecture compatible. Each of the two Denver cores
implements a 7-way superscalar microarchitecture (up to 7 concurrent
micro-ops can be executed per clock), and includes a 128KB 4-way L1
instruction cache, a 64KB 4-way L1 data cache, and a 2MB 16-way L2
......@@ -94,5 +94,5 @@ Tegra configs
=============
- 'tegra\_enable\_l2\_ecc\_parity\_prot': This flag enables the L2 ECC and Parity
Protection bit, for ARM Cortex-A57 CPUs, during CPU boot. This flag will
Protection bit, for Arm Cortex-A57 CPUs, during CPU boot. This flag will
be enabled by Tegrs SoCs during 'Cluster power up' or 'System Suspend' exit.
docs/plat/poplar.rst
View file @ fb45044b
......@@ -5,7 +5,7 @@ Poplar is the first development board compliant with the 96Boards Enterprise
Edition TV Platform specification.
The board features the Hi3798C V200 with an integrated quad-core 64-bit
ARM Cortex A53 processor and high performance Mali T720 GPU, making it capable
Arm Cortex A53 processor and high performance Mali T720 GPU, making it capable
of running any commercial set-top solution based on Linux or Android.
It supports a premium user experience with up to H.265 HEVC decoding of 4K
......@@ -14,7 +14,7 @@ video at 60 frames per second.
::
SOC Hisilicon Hi3798CV200
CPU Quad-core ARM Cortex-A53 64 bit
CPU Quad-core Arm Cortex-A53 64 bit
DRAM DDR3/3L/4 SDRAM interface, maximum 32-bit data width 2 GB
USB Two USB 2.0 ports One USB 3.0 ports
CONSOLE USB-micro port for console support
......@@ -28,11 +28,11 @@ video at 60 frames per second.
At the start of the boot sequence, the bootROM executes the so called l-loader
binary whose main role is to change the processor state to 64bit mode. This
must happen prior invoking the arm trusted firmware:
must happen prior to invoking Trusted Firmware-A:
::
l-loader --> arm_trusted_firmware --> u-boot
l-loader --> Trusted Firmware-A --> u-boot
How to build
============
......@@ -40,7 +40,7 @@ How to build
Code Locations
--------------
- ARM Trusted Firmware:
- Trusted Firmware-A:
`link <https://github.com/ARM-software/arm-trusted-firmware>`__
- l-loader:
......
docs/plat/qemu.rst
View file @ fb45044b
ARM Trusted Firmware for QEMU virt ARMv8-A
==========================================
Trusted Firmware-A for QEMU virt Armv8-A
========================================
ARM Trusted Firmware implements the EL3 firmware layer for QEMU virt
ARMv8-A. BL1 is used as the BootROM, supplied with the -bios argument.
Trusted Firmware-A (TF-A) implements the EL3 firmware layer for QEMU virt
Armv8-A. BL1 is used as the BootROM, supplied with the -bios argument.
When QEMU starts all CPUs are released simultaneously, BL1 selects a
primary CPU to handle the boot and the secondaries are placed in a polling
loop to be released by normal world via PSCI.
......@@ -10,7 +10,7 @@ loop to be released by normal world via PSCI.
BL2 edits the Flattened Device Tree, FDT, generated by QEMU at run-time to
add a node describing PSCI and also enable methods for the CPUs.
An ARM64 defonfig v4.5 Linux kernel is known to boot, FTD doesn't need to be
An ARM64 defconfig v4.5 Linux kernel is known to boot, FDT doesn't need to be
provided as it's generated by QEMU.
Current limitations:
......
docs/plat/rpi3.rst
View file @ fb45044b
Arm Trusted Firmware for Raspberry Pi 3
=======================================
Trusted Firmware-A for Raspberry Pi 3
=====================================
.. section-numbering::
:suffix: .
......@@ -7,16 +7,16 @@ Arm Trusted Firmware for Raspberry Pi 3
.. contents::
The `Raspberry Pi 3`_ is an inexpensive single-board computer that contains four
Cortex-A53 cores, which makes it possible to have a port of the Arm Trusted
Firmware.
Arm Cortex-A53 cores, which makes it possible to have a port of Trusted
Firmware-A (TF-A).
The following instructions explain how to use this port of the Trusted Firmware
with the default distribution of `Raspbian`_ because that's the distribution
officially supported by the Raspberry Pi Foundation. At the moment of writing
this, the officially supported kernel is a AArch32 kernel. This doesn't mean
that this port of the Trusted Firmware can't boot a AArch64 kernel. The `Linux
tree fork`_ maintained by the Foundation can be compiled for AArch64 by
following the steps in `AArch64 kernel build instructions`_.
The following instructions explain how to use this port of the TF-A with the
default distribution of `Raspbian`_ because that's the distribution officially
supported by the Raspberry Pi Foundation. At the moment of writing this, the
officially supported kernel is a AArch32 kernel. This doesn't mean that this
port of TF-A can't boot a AArch64 kernel. The `Linux tree fork`_ maintained by
the Foundation can be compiled for AArch64 by following the steps in
`AArch64 kernel build instructions`_.
**IMPORTANT NOTE**: This port isn't secure. All of the memory used is DRAM,
which is available from both the Non-secure and Secure worlds. This port
......@@ -46,15 +46,15 @@ The rules are simple:
the cores are powered on at the same time and start at address **0x0**.
This means that we can use the default AArch32 kernel provided in the official
`Raspbian`_ distribution by renaming it to ``kernel8.img``, while the Trusted
Firmware and anything else we need is in ``armstub8.bin``. This way we can
forget about the default bootstrap code. When using a AArch64 kernel, it is only
needed to make sure that the name on the SD card is ``kernel8.img``.
`Raspbian`_ distribution by renaming it to ``kernel8.img``, while TF-A and
anything else we need is in ``armstub8.bin``. This way we can forget about the
default bootstrap code. When using a AArch64 kernel, it is only needed to make
sure that the name on the SD card is ``kernel8.img``.
Ideally, we want to load the kernel and have all cores available, which means
that we need to make the secondary cores work in the way the kernel expects, as
explained in `Secondary cores`_. In practice, a small bootstrap is needed
between the Trusted Firmware and the kernel.
between TF-A and the kernel.
To get the most out of a AArch32 kernel, we want to boot it in Hypervisor mode
in AArch32. This means that BL33 can't be in EL2 in AArch64 mode. The
......@@ -66,7 +66,7 @@ Placement of images
The file ``armstub8.bin`` contains BL1 and the FIP. It is needed to add padding
between them so that the addresses they are loaded to match the ones specified
when compiling the Trusted Firmware.
when compiling TF-A.
The device tree block is loaded by the VideoCore loader from an appropriate
file, but we can specify the address it is loaded to in ``config.txt``.
......@@ -87,8 +87,8 @@ There are no similar restrictions for AArch64 kernels, as specified in the file
``Documentation/arm64/booting.txt``.
This means that we need to avoid the first 128 MiB of RAM when placing the
Trusted Firmware images (and specially the first 32 MiB, as they are directly
used to place the uncompressed AArch32 kernel image. This way, both AArch32 and
TF-A images (and specially the first 32 MiB, as they are directly used to
place the uncompressed AArch32 kernel image. This way, both AArch32 and
AArch64 kernels can be placed at the same address.
In the end, the images look like the following diagram when placed in memory.
......@@ -143,18 +143,17 @@ different mappings than the Arm cores in which the I/O addresses don't overlap
the DRAM. The memory reserved to be used by the VideoCore is always placed at
the end of the DRAM, so this space isn't wasted.
Considering the 128 MiB allocated to the GPU and the 16 MiB allocated for the
Trusted Firmware, there are 880 MiB available for Linux.
Considering the 128 MiB allocated to the GPU and the 16 MiB allocated for
TF-A, there are 880 MiB available for Linux.
Boot sequence
~~~~~~~~~~~~~
The boot sequence of the Trusted Firmware is the usual one except when booting
a AArch32 kernel. In that case, BL33 is booted in AArch32 Hypervisor mode so
that it can jump to the kernel in the same mode and let it take over that
privilege level. If BL33 was running in EL2 in AArch64 (as in the default
bootflow of the Trusted Firmware) it could only jump to the kernel in AArch32 in
Supervisor mode.
The boot sequence of TF-A is the usual one except when booting an AArch32
kernel. In that case, BL33 is booted in AArch32 Hypervisor mode so that it
can jump to the kernel in the same mode and let it take over that privilege
level. If BL33 was running in EL2 in AArch64 (as in the default bootflow of
TF-A) it could only jump to the kernel in AArch32 in Supervisor mode.
The `Linux kernel tree`_ has instructions on how to jump to the Linux kernel
in ``Documentation/arm/Booting`` and ``Documentation/arm64/booting.txt``. The
......@@ -168,9 +167,9 @@ use mailboxes to trap the secondary cores until they are ready to jump to the
kernel. This mailbox is located at a different address in the AArch32 default
kernel than in the AArch64 kernel.
Also, this port of the Trusted Firmware has another Trusted Mailbox in Shared BL
RAM. During cold boot, all secondary cores wait in a loop until they are given
given an address to jump to in this Mailbox (``bl31_warm_entrypoint``).
Also, this port of TF-A has another Trusted Mailbox in Shared BL RAM. During
cold boot, all secondary cores wait in a loop until they are given given an
address to jump to in this Mailbox (``bl31_warm_entrypoint``).
Once BL31 has finished and the primary core has jumped to the BL33 payload, it
has to call ``PSCI_CPU_ON`` to release the secondary CPUs from the wait loop.
......@@ -188,11 +187,10 @@ To boot a AArch32 kernel, both AArch64 and AArch32 toolchains are required. The
AArch32 toolchain is needed for the AArch32 bootstrap needed to load a 32-bit
kernel.
First, clone and compile `Raspberry Pi 3 Arm Trusted Firmware bootstrap`_.
Choose the one needed for the architecture of your kernel.
First, clone and compile `Raspberry Pi 3 TF-A bootstrap`_. Choose the one
needed for the architecture of your kernel.
Then compile the Arm Trusted Firmware. For a AArch32 kernel, use the following
command line:
Then compile TF-A. For a AArch32 kernel, use the following command line:
.. code:: shell
......@@ -219,8 +217,8 @@ by ``debug`` if you set the build option ``DEBUG=1``):
cat bl1.pad.bin build/rpi3/release/fip.bin > armstub8.bin
The resulting file, ``armstub8.bin``, contains BL1 and the FIP in the place they
need to be for the Trusted Firmware to boot correctly. Now, follow the
instructions in `Setup SD card`_.
need to be for TF-A to boot correctly. Now, follow the instructions in
`Setup SD card`_.
The following build options are supported:
......@@ -235,17 +233,17 @@ The following build options are supported:
is reserved by the command line passed to the kernel.
- ``RPI3_BL33_IN_AARCH32``: This port can load a AArch64 or AArch32 BL33 image.
By default this option is 0, which means that the Trusted Firmware will jump
to BL33 in EL2 in AArch64 mode. If set to 1, it will jump to BL33 in
Hypervisor in AArch32 mode.
By default this option is 0, which means that TF-A will jump to BL33 in EL2
in AArch64 mode. If set to 1, it will jump to BL33 in Hypervisor in AArch32
mode.
The following is not currently supported:
- AArch32 for the Trusted Firmware itself.
- AArch32 for TF-A itself.
- ``EL3_PAYLOAD_BASE``: The reason is that you can already load anything to any
address by changing the file ``armstub8.bin``, so there's no point in using
the Trusted Firmware in this case.
TF-A in this case.
- ``LOAD_IMAGE_V2=0``: Only version 2 is supported.
......@@ -307,16 +305,16 @@ untouched). They have been tested with the image available in 2017-09-07.
1. Insert the SD card and open the ``boot`` partition.
2. Rename ``kernel7.img`` to ``kernel8.img``. This tricks the VideoCore
bootloader into booting the Arm cores in AArch64 mode, like the Trusted
Firmware needs, even though the kernel is not compiled for AArch64.
bootloader into booting the Arm cores in AArch64 mode, like TF-A needs,
even though the kernel is not compiled for AArch64.
3. Copy ``armstub8.bin`` here. When ``kernel8.img`` is available, The VideoCore
bootloader will look for a file called ``armstub8.bin`` and load it at
address **0x0** instead of a predefined one.
4. Open ``cmdline.txt`` and add ``memmap=256M$16M`` to prevent the kernel from
using the memory needed by the Trusted Firmware. If you want to enable the
serial port "Mini UART", make sure that this file also contains
using the memory needed by TF-A. If you want to enable the serial port
"Mini UART", make sure that this file also contains
``console=serial0,115200 console=tty1``.
Note that the 16 MiB reserved this way won't be available for Linux, the same
......@@ -359,6 +357,6 @@ HDMI output won't show any text during boot.
.. _Linux kernel tree: https://github.com/torvalds/linux
.. _Linux tree fork: https://github.com/raspberrypi/linux
.. _Raspberry Pi 3: https://www.raspberrypi.org/products/raspberry-pi-3-model-b/
.. _Raspberry Pi 3 Arm Trusted Firmware bootstrap: https://github.com/AntonioND/rpi3-arm-tf-bootstrap
.. _Raspberry Pi 3 TF-A bootstrap: https://github.com/AntonioND/rpi3-arm-tf-bootstrap
.. _Raspberry Pi 3 documentation: https://www.raspberrypi.org/documentation/
.. _Raspbian: https://www.raspberrypi.org/downloads/raspbian/
docs/plat/socionext-uniphier.rst
View file @ fb45044b
ARM Trusted Firmware for Socionext UniPhier SoCs
================================================
Trusted Firmware-A for Socionext UniPhier SoCs
==============================================
Socionext UniPhier ARMv8-A SoCs use ARM Trusted Firmware as the secure world
firmware, supporting BL2 and BL31.
Socionext UniPhier Armv8-A SoCs use Trusted Firmware-A (TF-A) as the secure
world firmware, supporting BL2 and BL31.
UniPhier SoC family implements its internal boot ROM, which loads 64KB [1]_
image from a non-volatile storage to the on-chip SRAM, and jumps over to it.
ARM Trusted Firmware provides a special mode, BL2-AT-EL3, which enables BL2 to
execute at EL3. It is useful for platforms with non-TF boot ROM, like UniPhier.
Here, a problem is BL2 does not fit in the 64KB limit if `Trusted Board Boot`_
(TBB) is enabled. To solve this issue, Socionext provides a first stage loader
TF-A provides a special mode, BL2-AT-EL3, which enables BL2 to execute at EL3.
It is useful for platforms with non-TF-A boot ROM, like UniPhier. Here, a
problem is BL2 does not fit in the 64KB limit if `Trusted Board Boot`_ (TBB)
is enabled. To solve this issue, Socionext provides a first stage loader
called `UniPhier BL`_. This loader runs in the on-chip SRAM, initializes the
DRAM, expands BL2 there, and hands the control over to it. Therefore, all images
of ARM Trusted Firmware run in DRAM.
of TF-A run in DRAM.
The UniPhier platform works with/without TBB. See below for the build process
of each case. The image authentication for the UniPhier platform fully
......@@ -46,7 +46,7 @@ Boot Flow
This runs in the DRAM. It extracts more images such as BL31, BL33 (optionally
SCP_BL2, BL32 as well) from Firmware Image Package (FIP). If TBB is enabled,
they are all authenticated by the standard mechanism of ARM Trusted Firmware.
they are all authenticated by the standard mechanism of TF-A.
After loading all the images, it jumps to the BL31 entry.
4. BL31, BL32, and BL33
......
docs/plat/xilinx-zynqmp.rst
View file @ fb45044b
ARM Trusted Firmware for Xilinx Zynq UltraScale+ MPSoC
======================================================
Trusted Firmware-A for Xilinx Zynq UltraScale+ MPSoC
====================================================
ARM Trusted Firmware implements the EL3 firmware layer for Xilinx Zynq
Trusted Firmware-A (TF-A) implements the EL3 firmware layer for Xilinx Zynq
UltraScale + MPSoC.
The platform only uses the runtime part of ATF as ZynqMP already has a
The platform only uses the runtime part of TF-A as ZynqMP already has a
BootROM (BL1) and FSBL (BL2).
BL31 is ATF.
BL31 is TF-A.
BL32 is an optional Secure Payload.
BL33 is the non-secure world software (U-Boot, Linux etc).
......@@ -35,20 +35,20 @@ ZynqMP platform specific build options
- ``cadence``, ``cadence0``: Cadence UART 0
- ``cadence1`` : Cadence UART 1
FSBL->ATF Parameter Passing
FSBL->TF-A Parameter Passing
===========================
The FSBL populates a data structure with image information for the ATF. The ATF
uses that data to hand off to the loaded images. The address of the handoff data
The FSBL populates a data structure with image information for TF-A. TF-A uses
that data to hand off to the loaded images. The address of the handoff data
structure is passed in the ``PMU_GLOBAL.GLOBAL_GEN_STORAGE6`` register. The
register is free to be used by other software once the ATF is bringing up
register is free to be used by other software once TF-A has brought up
further firmware images.
Power Domain Tree
=================
The following power domain tree represents the power domain model used by the
ATF for ZynqMP:
The following power domain tree represents the power domain model used by TF-A
for ZynqMP:
::
......
docs/platform-interrupt-controller-API.rst
View file @ fb45044b
......@@ -24,7 +24,7 @@ This API should return the priority of the interrupt the PE is currently
servicing. This must be be called only after an interrupt has already been
acknowledged via. ``plat_ic_acknowledge_interrupt``.
In the case of ARM standard platforms using GIC, the *Running Priority Register*
In the case of Arm standard platforms using GIC, the *Running Priority Register*
is read to determine the priority of the interrupt.
Function: int plat_ic_is_spi(unsigned int id); [optional]
......@@ -77,7 +77,7 @@ Function: unsigned int plat_ic_get_interrupt_active(unsigned int id); [optional]
This API should return the *active* status of the interrupt ID specified by the
first parameter, ``id``.
In case of ARM standard platforms using GIC, the implementation of the API reads
In case of Arm standard platforms using GIC, the implementation of the API reads
the GIC *Set Active Register* to read and return the active status of the
interrupt.
......@@ -92,7 +92,7 @@ Function: void plat_ic_enable_interrupt(unsigned int id); [optional]
This API should enable the interrupt ID specified by the first parameter,
``id``. PEs in the system are expected to receive only enabled interrupts.
In case of ARM standard platforms using GIC, the implementation of the API
In case of Arm standard platforms using GIC, the implementation of the API
inserts barrier to make memory updates visible before enabling interrupt, and
then writes to GIC *Set Enable Register* to enable the interrupt.
......@@ -107,7 +107,7 @@ Function: void plat_ic_disable_interrupt(unsigned int id); [optional]
This API should disable the interrupt ID specified by the first parameter,
``id``. PEs in the system are not expected to receive disabled interrupts.
In case of ARM standard platforms using GIC, the implementation of the API
In case of Arm standard platforms using GIC, the implementation of the API
writes to GIC *Clear Enable Register* to disable the interrupt, and inserts
barrier to make memory updates visible afterwards.
......@@ -123,7 +123,7 @@ Function: void plat_ic_set_interrupt_priority(unsigned int id, unsigned int prio
This API should set the priority of the interrupt specified by first parameter
``id`` to the value set by the second parameter ``priority``.
In case of ARM standard platforms using GIC, the implementation of the API
In case of Arm standard platforms using GIC, the implementation of the API
writes to GIC *Priority Register* set interrupt priority.
Function: int plat_ic_has_interrupt_type(unsigned int type); [optional]
......@@ -138,10 +138,10 @@ This API should return whether the platform supports a given interrupt type. The
parameter ``type`` shall be one of ``INTR_TYPE_EL3``, ``INTR_TYPE_S_EL1``, or
``INTR_TYPE_NS``.
In case of ARM standard platforms using GICv3, the implementation of the API
In case of Arm standard platforms using GICv3, the implementation of the API
returns ``1`` for all interrupt types.
In case of ARM standard platforms using GICv2, the API always return ``1`` for
In case of Arm standard platforms using GICv2, the API always return ``1`` for
``INTR_TYPE_NS``. Return value for other types depends on the value of build
option ``GICV2_G0_FOR_EL3``:
......@@ -180,7 +180,7 @@ one of:
- ``INTR_TYPE_EL3``: interrupt is meant to be consumed by EL3.
In case of ARM standard platforms using GIC, the implementation of the API
In case of Arm standard platforms using GIC, the implementation of the API
writes to the GIC *Group Register* and *Group Modifier Register* (only GICv3) to
assign the interrupt to the right group.
......@@ -213,7 +213,7 @@ This API should raise an EL3 SGI. The first parameter, ``sgi_num``, specifies
the ID of the SGI. The second parameter, ``target``, must be the MPIDR of the
target PE.
In case of ARM standard platforms using GIC, the implementation of the API
In case of Arm standard platforms using GIC, the implementation of the API
inserts barrier to make memory updates visible before raising SGI, then writes
to appropriate *SGI Register* in order to raise the EL3 SGI.
......@@ -239,7 +239,7 @@ The ``routing_mode`` parameter can be one of:
- ``INTR_ROUTING_MODE_PE`` means the interrupt is routed to the PE whose MPIDR
value is specified by the parameter ``mpidr``.
In case of ARM standard platforms using GIC, the implementation of the API
In case of Arm standard platforms using GIC, the implementation of the API
writes to the GIC *Target Register* (GICv2) or *Route Register* (GICv3) to set
the routing.
......@@ -254,7 +254,7 @@ Function: void plat_ic_set_interrupt_pending(unsigned int id); [optional]
This API should set the interrupt specified by first parameter ``id`` to
*Pending*.
In case of ARM standard platforms using GIC, the implementation of the API
In case of Arm standard platforms using GIC, the implementation of the API
inserts barrier to make memory updates visible before setting interrupt pending,
and writes to the GIC *Set Pending Register* to set the interrupt pending
status.
......@@ -270,7 +270,7 @@ Function: void plat_ic_clear_interrupt_pending(unsigned int id); [optional]
This API should clear the *Pending* status of the interrupt specified by first
parameter ``id``.
In case of ARM standard platforms using GIC, the implementation of the API
In case of Arm standard platforms using GIC, the implementation of the API
writes to the GIC *Clear Pending Register* to clear the interrupt pending
status, and inserts barrier to make memory updates visible afterwards.
......@@ -287,7 +287,7 @@ controller such that only interrupts of higher priority than the supplied one
may be signalled to the PE. The API should return the current priority value
that it's overwriting.
In case of ARM standard platforms using GIC, the implementation of the API
In case of Arm standard platforms using GIC, the implementation of the API
inserts to order memory updates before updating mask, then writes to the GIC
*Priority Mask Register*, and make sure memory updates are visible before
potential trigger due to mask update.
......@@ -305,9 +305,9 @@ obtained by the acknowledging the interrupt (read using
``plat_ic_acknowledge_interrupt()``). If the interrupt ID is invalid, this API
should return ``INTR_ID_UNAVAILABLE``.
In case of ARM standard platforms using GIC, the implementation of the API
In case of Arm standard platforms using GIC, the implementation of the API
masks out the interrupt ID field from the acknowledged value from GIC.
----
*Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2017-2018, Arm Limited and Contributors. All rights reserved.*
docs/platform-migration-guide.rst
View file @ fb45044b
......@@ -12,8 +12,8 @@ Guide to migrate to new Platform porting interface
Introduction
------------
The PSCI implementation in Trusted Firmware has undergone a redesign because of
three requirements that the PSCI 1.0 specification introduced :
The PSCI implementation in TF-A has undergone a redesign because of three
requirements that the PSCI 1.0 specification introduced :
- Removing the framework assumption about the structure of the MPIDR, and
its relation to the power topology enables support for deeper and more
......@@ -217,7 +217,7 @@ layer and the platform layer.
Refer `plat/arm/board/fvp/fvp\_pm.c`_ for the implementation details of
these handlers for the FVP. The commit `38dce70f51fb83b27958ba3e2ad15f5635cb1061`_
demonstrates the migration of ARM reference platforms to the new platform API.
demonstrates the migration of Arm reference platforms to the new platform API.
Miscellaneous modifications
---------------------------
......@@ -271,7 +271,7 @@ within its domain. It does so by storing the core index of first core
within it and number of core indexes following it. This means that core
indices returned by ``platform_get_core_pos()`` for cores within a particular
power domain must be consecutive. We expect that this is the case for most
platform ports including ARM reference platforms.
platform ports including Arm reference platforms.
The old PSCI helpers like ``psci_get_suspend_powerstate()``,
``psci_get_suspend_stateid()``, ``psci_get_suspend_stateid_by_mpidr()``,
......@@ -298,7 +298,7 @@ The mandatory macros to be defined by the platform port in ``platform_def.h``
- **#define : PLATFORM\_MAX\_AFFLVL**
Defines the maximum affinity level that the power management operations
should apply to. ARMv8-A has support for four affinity levels. It is likely
should apply to. Armv8-A has support for four affinity levels. It is likely
that hardware will implement fewer affinity levels. This macro allows the
PSCI implementation to consider only those affinity levels in the system
that the platform implements. For example, the Base AEM FVP implements two
......@@ -329,7 +329,7 @@ to handle the condition where the core has been warm reset but there is no
entrypoint to jump to.
This function does not follow the Procedure Call Standard used by the
Application Binary Interface for the ARM 64-bit architecture. The caller should
Application Binary Interface for the Arm 64-bit architecture. The caller should
not assume that callee saved registers are preserved across a call to this
function.
......@@ -410,7 +410,7 @@ Modifications for Power State Coordination Interface (in BL31)
--------------------------------------------------------------
The following functions must be implemented to initialize PSCI functionality in
the ARM Trusted Firmware.
TF-A.
Function : plat\_get\_aff\_count() [mandatory]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -595,7 +595,7 @@ PSCI specification for the CPU\_SUSPEND API.
--------------
*Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2015-2018, Arm Limited and Contributors. All rights reserved.*
.. _PSCI: http://infocenter.arm.com/help/topic/com.arm.doc.den0022c/DEN0022C_Power_State_Coordination_Interface.pdf
.. _Porting Guide: porting-guide.rst#user-content-function--plat_my_core_pos
......
docs/porting-guide.rst
View file @ fb45044b
ARM Trusted Firmware Porting Guide
==================================
Trusted Firmware-A Porting Guide
================================
.. section-numbering::
......@@ -16,7 +16,7 @@ Please note that this document has been updated for the new platform API
as required by the PSCI v1.0 implementation. Please refer to the
`Migration Guide`_ for the previous platform API.
Porting the ARM Trusted Firmware to a new platform involves making some
Porting Trusted Firmware-A (TF-A) to a new platform involves making some
mandatory and optional modifications for both the cold and warm boot paths.
Modifications consist of:
......@@ -31,20 +31,19 @@ implementations are all weakly defined; they are provided to ease the porting
effort. Each platform port can override them with its own implementation if the
default implementation is inadequate.
Platform ports that want to be aligned with standard ARM platforms (for example
Platform ports that want to be aligned with standard Arm platforms (for example
FVP and Juno) may also use `include/plat/arm/common/plat\_arm.h`_ and the
corresponding source files in ``plat/arm/common/``. These provide standard
implementations for some of the required platform porting functions. However,
using these functions requires the platform port to implement additional
ARM standard platform porting functions. These additional functions are not
Arm standard platform porting functions. These additional functions are not
documented here.
Some modifications are common to all Boot Loader (BL) stages. Section 2
discusses these in detail. The subsequent sections discuss the remaining
modifications for each BL stage in detail.
This document should be read in conjunction with the ARM Trusted Firmware
`User Guide`_.
This document should be read in conjunction with the TF-A `User Guide`_.
Common modifications
--------------------
......@@ -67,11 +66,11 @@ only for re-mapping peripheral physical addresses and allows platforms with high
I/O addresses to reduce their virtual address space. All other addresses
corresponding to code and data must currently use an identity mapping.
Also, the only translation granule size supported in Trusted Firmware is 4KB, as
various parts of the code assume that is the case. It is not possible to switch
to 16 KB or 64 KB granule sizes at the moment.
Also, the only translation granule size supported in TF-A is 4KB, as various
parts of the code assume that is the case. It is not possible to switch to
16 KB or 64 KB granule sizes at the moment.
In ARM standard platforms, each BL stage configures the MMU in the
In Arm standard platforms, each BL stage configures the MMU in the
platform-specific architecture setup function, ``blX_plat_arch_setup()``, and uses
an identity mapping for all addresses.
......@@ -106,14 +105,14 @@ File : platform\_def.h [mandatory]
Each platform must ensure that a header file of this name is in the system
include path with the following constants defined. This may require updating the
list of ``PLAT_INCLUDES`` in the ``platform.mk`` file. In the ARM development
list of ``PLAT_INCLUDES`` in the ``platform.mk`` file. In the Arm development
platforms, this file is found in ``plat/arm/board/<plat_name>/include/``.
Platform ports may optionally use the file `include/plat/common/common\_def.h`_,
which provides typical values for some of the constants below. These values are
likely to be suitable for all platform ports.
Platform ports that want to be aligned with standard ARM platforms (for example
Platform ports that want to be aligned with standard Arm platforms (for example
FVP and Juno) may also use `include/plat/arm/common/arm\_def.h`_, which provides
standard values for some of the constants below. However, this requires the
platform port to define additional platform porting constants in
......@@ -293,9 +292,9 @@ also be defined:
- **#define : PLAT\_CRYPTOCELL\_BASE**
This defines the base address of ARM® TrustZone® CryptoCell and must be
This defines the base address of Arm® TrustZone® CryptoCell and must be
defined if CryptoCell crypto driver is used for Trusted Board Boot. For
capable ARM platforms, this driver is used if ``ARM_CRYPTOCELL_INTEG`` is
capable Arm platforms, this driver is used if ``ARM_CRYPTOCELL_INTEG`` is
set.
If the AP Firmware Updater Configuration image, BL2U is used, the following
......@@ -322,7 +321,7 @@ must also be defined:
SCP\_BL2U image identifier, used by BL1 to fetch an image descriptor
corresponding to SCP\_BL2U.
NOTE: TF does not provide source code for this image.
NOTE: TF-A does not provide source code for this image.
If the Non-Secure Firmware Updater ROM, NS\_BL1U is used, the following must
also be defined:
......@@ -331,7 +330,7 @@ also be defined:
Defines the base address in non-secure ROM where NS\_BL1U executes.
Must be aligned on a page-size boundary.
NOTE: TF does not provide source code for this image.
NOTE: TF-A does not provide source code for this image.
- **#define : NS\_BL1U\_IMAGE\_ID**
......@@ -345,7 +344,7 @@ be defined:
Defines the base address in non-secure memory where NS\_BL2U executes.
Must be aligned on a page-size boundary.
NOTE: TF does not provide source code for this image.
NOTE: TF-A does not provide source code for this image.
- **#define : NS\_BL2U\_IMAGE\_ID**
......@@ -507,7 +506,7 @@ required memory within the the per-cpu data to minimize wastage.
structure for use by the platform layer.
The following constants are optional. They should be defined when the platform
memory layout implies some image overlaying like in ARM standard platforms.
memory layout implies some image overlaying like in Arm standard platforms.
- **#define : BL31\_PROGBITS\_LIMIT**
......@@ -569,7 +568,7 @@ File : plat\_macros.S [mandatory]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Each platform must ensure a file of this name is in the system include path with
the following macro defined. In the ARM development platforms, this file is
the following macro defined. In the Arm development platforms, this file is
found in ``plat/arm/board/<plat_name>/include/plat_macros.S``.
- **Macro : plat\_crash\_print\_regs**
......@@ -620,7 +619,7 @@ reset entrypoint point provided to ``plat_setup_psci_ops()`` during
BL31 initialization. If it's a cold reset then this function must return zero.
This function does not follow the Procedure Call Standard used by the
Application Binary Interface for the ARM 64-bit architecture. The caller should
Application Binary Interface for the Arm 64-bit architecture. The caller should
not assume that callee saved registers are preserved across a call to this
function.
......@@ -644,7 +643,7 @@ for placing the executing secondary CPU in a platform-specific state until the
primary CPU performs the necessary actions to bring it out of that state and
allow entry into the OS. This function must not return.
In the ARM FVP port, when using the normal boot flow, each secondary CPU powers
In the Arm FVP port, when using the normal boot flow, each secondary CPU powers
itself off. The primary CPU is responsible for powering up the secondary CPUs
when normal world software requires them. When booting an EL3 payload instead,
they stay powered on and are put in a holding pen until their mailbox gets
......@@ -827,9 +826,9 @@ This function validates the ``MPIDR`` of a CPU and converts it to an index,
which can be used as a CPU-specific linear index into blocks of memory. In
case the ``MPIDR`` is invalid, this function returns -1. This function will only
be invoked by BL31 after the power domain topology is initialized and can
utilize the C runtime environment. For further details about how ARM Trusted
Firmware represents the power domain topology and how this relates to the
linear CPU index, please refer `Power Domain Topology Design`_.
utilize the C runtime environment. For further details about how TF-A
represents the power domain topology and how this relates to the linear CPU
index, please refer `Power Domain Topology Design`_.
Common optional modifications
-----------------------------
......@@ -896,8 +895,7 @@ about the way the platform displays its status information.
For AArch64, this function receives the exception type as its argument.
Possible values for exceptions types are listed in the
`include/common/bl\_common.h`_ header file. Note that these constants are not
related to any architectural exception code; they are just an ARM Trusted
Firmware convention.
related to any architectural exception code; they are just a TF-A convention.
For AArch32, this function receives the exception mode as its argument.
Possible values for exception modes are listed in the
......@@ -954,8 +952,8 @@ Possible errors reported by the generic code are:
Board Boot is enabled)
- ``-ENOENT``: the requested image or certificate could not be found or an IO
error was detected
- ``-ENOMEM``: resources exhausted. Trusted Firmware does not use dynamic
memory, so this error is usually an indication of an incorrect array size
- ``-ENOMEM``: resources exhausted. TF-A does not use dynamic memory, so this
error is usually an indication of an incorrect array size
The default implementation simply spins.
......@@ -996,9 +994,9 @@ Function : plat\_get\_next\_bl\_params()
Return : bl_params_t *
This function returns a pointer to the shared memory that the platform has
kept aside to pass trusted firmware related information that next BL image
needs. This function is currently invoked in BL2 to pass this information to
the next BL image, when LOAD\_IMAGE\_V2 is enabled.
kept aside to pass TF-A related information that next BL image needs. This
function is currently invoked in BL2 to pass this information to the next BL
image, when LOAD\_IMAGE\_V2 is enabled.
Function : plat\_get\_stack\_protector\_canary()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -1039,11 +1037,11 @@ Function : plat\_log\_get\_prefix()
Return : const char *
This function defines the prefix string corresponding to the `log_level` to be
prepended to all the log output from ARM Trusted Firmware. The `log_level`
(argument) will correspond to one of the standard log levels defined in
debug.h. The platform can override the common implementation to define a
different prefix string for the log output. The implementation should be
robust to future changes that increase the number of log levels.
prepended to all the log output from TF-A. The `log_level` (argument) will
correspond to one of the standard log levels defined in debug.h. The platform
can override the common implementation to define a different prefix string for
the log output. The implementation should be robust to future changes that
increase the number of log levels.
Modifications specific to a Boot Loader stage
---------------------------------------------
......@@ -1101,7 +1099,7 @@ Function : bl1\_early\_platform\_setup() [mandatory]
This function executes with the MMU and data caches disabled. It is only called
by the primary CPU.
On ARM standard platforms, this function:
On Arm standard platforms, this function:
- Enables a secure instance of SP805 to act as the Trusted Watchdog.
......@@ -1124,7 +1122,7 @@ This function performs any platform-specific and architectural setup that the
platform requires. Platform-specific setup might include configuration of
memory controllers and the interconnect.
In ARM standard platforms, this function enables the MMU.
In Arm standard platforms, this function enables the MMU.
This function helps fulfill requirement 2 above.
......@@ -1143,7 +1141,7 @@ MMU and data cache have been enabled.
if support for multiple boot sources is required, it initializes the boot
sequence used by plat\_try\_next\_boot\_source().
In ARM standard platforms, this function initializes the storage abstraction
In Arm standard platforms, this function initializes the storage abstraction
layer used to load the next bootloader image.
This function helps fulfill requirement 4 above.
......@@ -1216,7 +1214,7 @@ loaded and executed. If the platform returns ``BL2_IMAGE_ID`` then BL1 proceeds
with the normal boot sequence, which loads and executes BL2. If the platform
returns a different image id, BL1 assumes that Firmware Update is required.
The default implementation always returns ``BL2_IMAGE_ID``. The ARM development
The default implementation always returns ``BL2_IMAGE_ID``. The Arm development
platforms override this function to detect if firmware update is required, and
if so, return the first image in the firmware update process.
......@@ -1231,7 +1229,7 @@ Function : bl1\_plat\_get\_image\_desc() [optional]
BL1 calls this function to get the image descriptor information ``image_desc_t``
for the provided ``image_id`` from the platform.
The default implementation always returns a common BL2 image descriptor. ARM
The default implementation always returns a common BL2 image descriptor. Arm
standard platforms return an image descriptor corresponding to BL2 or one of
the firmware update images defined in the Trusted Board Boot Requirements
specification.
......@@ -1371,7 +1369,7 @@ variable as the original memory may be subsequently overwritten by BL2. The
copied structure is made available to all BL2 code through the
``bl2_plat_sec_mem_layout()`` function.
On ARM standard platforms, this function also:
On Arm standard platforms, this function also:
- Initializes a UART (PL011 console), which enables access to the ``printf``
family of functions in BL2.
......@@ -1394,7 +1392,7 @@ by the primary CPU.
The purpose of this function is to perform any architectural initialization
that varies across platforms.
On ARM standard platforms, this function enables the MMU.
On Arm standard platforms, this function enables the MMU.
Function : bl2\_platform\_setup() [mandatory]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -1411,7 +1409,7 @@ called by the primary CPU.
The purpose of this function is to perform any platform initialization
specific to BL2.
In ARM standard platforms, this function performs security setup, including
In Arm standard platforms, this function performs security setup, including
configuration of the TrustZone controller to allow non-secure masters access
to most of DRAM. Part of DRAM is reserved for secure world use.
......@@ -1526,7 +1524,7 @@ BL2 platform code returns a pointer which is used to populate the entry point
information for BL31 entry point. The location pointed by it should be
accessible from BL1 while processing the synchronous exception to run to BL31.
In ARM standard platforms this is allocated inside a bl2\_to\_bl31\_params\_mem
In Arm standard platforms this is allocated inside a bl2\_to\_bl31\_params\_mem
structure in BL2 memory.
Function : bl2\_plat\_set\_bl31\_ep\_info() [mandatory]
......@@ -1664,8 +1662,8 @@ of this always returns 0.
Boot Loader Stage 2 (BL2) at EL3
--------------------------------
When the platform has a non-TF Boot ROM it is desirable to jump
directly to BL2 instead of TF BL1. In this case BL2 is expected to
When the platform has a non-TF-A Boot ROM it is desirable to jump
directly to BL2 instead of TF-A BL1. In this case BL2 is expected to
execute at EL3 instead of executing at EL1. Refer to the `Firmware
Design`_ for more information.
......@@ -1687,7 +1685,7 @@ This function executes with the MMU and data caches disabled. It is only called
by the primary CPU. This function receives four parameters which can be used
by the platform to pass any needed information from the Boot ROM to BL2.
On ARM standard platforms, this function does the following:
On Arm standard platforms, this function does the following:
- Initializes a UART (PL011 console), which enables access to the ``printf``
family of functions in BL2.
......@@ -1711,7 +1709,7 @@ by the primary CPU.
The purpose of this function is to perform any architectural initialization
that varies across platforms.
On ARM standard platforms, this function enables the MMU.
On Arm standard platforms, this function enables the MMU.
Function : bl2\_el3\_plat\_prepare\_exit() [optional]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -1740,7 +1738,7 @@ process and is executed only by the primary CPU. BL1 passes control to BL2U at
If ``SCP_BL2U_BASE`` is not defined then this step is not performed.
#. Any platform specific setup required to perform the FWU process. For
example, ARM standard platforms initialize the TZC controller so that the
example, Arm standard platforms initialize the TZC controller so that the
normal world can access DDR memory.
The following functions must be implemented by the platform port to enable
......@@ -1761,7 +1759,7 @@ of the ``meminfo`` structure and platform specific info provided by BL1.
The platform may copy the contents of the ``mem_info`` and ``plat_info`` into
private storage as the original memory may be subsequently overwritten by BL2U.
On ARM CSS platforms ``plat_info`` is interpreted as an ``image_info_t`` structure,
On Arm CSS platforms ``plat_info`` is interpreted as an ``image_info_t`` structure,
to extract SCP\_BL2U image information, which is then copied into a private
variable.
......@@ -1795,7 +1793,7 @@ called by the primary CPU.
The purpose of this function is to perform any platform initialization
specific to BL2U.
In ARM standard platforms, this function performs security setup, including
In Arm standard platforms, this function performs security setup, including
configuration of the TrustZone controller to allow non-secure masters access
to most of DRAM. Part of DRAM is reserved for secure world use.
......@@ -1868,7 +1866,7 @@ sub-structures into private variables if the original memory may be
subsequently overwritten by BL31 and similarly the ``void *`` pointing
to the platform data also needs to be saved.
In ARM standard platforms, BL2 passes a pointer to a ``bl31_params`` structure
In Arm standard platforms, BL2 passes a pointer to a ``bl31_params`` structure
in BL2 memory. BL31 copies the information in this pointer to internal data
structures. It also performs the following:
......@@ -1893,7 +1891,7 @@ by the primary CPU.
The purpose of this function is to perform any architectural initialization
that varies across platforms.
On ARM standard platforms, this function enables the MMU.
On Arm standard platforms, this function enables the MMU.
Function : bl31\_platform\_setup() [mandatory]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -1910,7 +1908,7 @@ called by the primary CPU.
The purpose of this function is to complete platform initialization so that both
BL31 runtime services and normal world software can function correctly.
On ARM standard platforms, this function does the following:
On Arm standard platforms, this function does the following:
- Initialize the generic interrupt controller.
......@@ -1978,7 +1976,7 @@ Function : plat\_get\_syscnt\_freq2() [mandatory]
This function is used by the architecture setup code to retrieve the counter
frequency for the CPU's generic timer. This value will be programmed into the
``CNTFRQ_EL0`` register. In ARM standard platforms, it returns the base frequency
``CNTFRQ_EL0`` register. In Arm standard platforms, it returns the base frequency
of the system counter, which is retrieved from the first entry in the frequency
modes table.
......@@ -2045,7 +2043,7 @@ argument, which is the address of the handler the SDEI client requested to
register. The function must return ``0`` for successful validation, or ``-1``
upon failure.
The default implementation always returns ``0``. On ARM platforms, this function
The default implementation always returns ``0``. On Arm platforms, this function
is implemented to translate the entry point to physical address, and further to
ensure that the address is located in Non-secure DRAM.
......@@ -2072,18 +2070,18 @@ The default implementation only prints out a warning message.
Power State Coordination Interface (in BL31)
--------------------------------------------
The ARM Trusted Firmware's implementation of the PSCI API is based around the
concept of a *power domain*. A *power domain* is a CPU or a logical group of
CPUs which share some state on which power management operations can be
performed as specified by `PSCI`_. Each CPU in the system is assigned a cpu
index which is a unique number between ``0`` and ``PLATFORM_CORE_COUNT - 1``.
The *power domains* are arranged in a hierarchical tree structure and
each *power domain* can be identified in a system by the cpu index of any CPU
that is part of that domain and a *power domain level*. A processing element
(for example, a CPU) is at level 0. If the *power domain* node above a CPU is
a logical grouping of CPUs that share some state, then level 1 is that group
of CPUs (for example, a cluster), and level 2 is a group of clusters
(for example, the system). More details on the power domain topology and its
The TF-A implementation of the PSCI API is based around the concept of a
*power domain*. A *power domain* is a CPU or a logical group of CPUs which
share some state on which power management operations can be performed as
specified by `PSCI`_. Each CPU in the system is assigned a cpu index which is
a unique number between ``0`` and ``PLATFORM_CORE_COUNT - 1``. The
*power domains* are arranged in a hierarchical tree structure and each
*power domain* can be identified in a system by the cpu index of any CPU that
is part of that domain and a *power domain level*. A processing element (for
example, a CPU) is at level 0. If the *power domain* node above a CPU is a
logical grouping of CPUs that share some state, then level 1 is that group of
CPUs (for example, a cluster), and level 2 is a group of clusters (for
example, the system). More details on the power domain topology and its
organization can be found in `Power Domain Topology Design`_.
BL31's platform initialization code exports a pointer to the platform-specific
......@@ -2223,12 +2221,12 @@ platform-specific psci power management actions by populating the passed
pointer with a pointer to BL31's private ``plat_psci_ops`` structure.
A description of each member of this structure is given below. Please refer to
the ARM FVP specific implementation of these handlers in
the Arm FVP specific implementation of these handlers in
`plat/arm/board/fvp/fvp\_pm.c`_ as an example. For each PSCI function that the
platform wants to support, the associated operation or operations in this
structure must be provided and implemented (Refer section 4 of
`Firmware Design`_ for the PSCI API supported in Trusted Firmware). To disable
a PSCI function in a platform port, the operation should be removed from this
`Firmware Design`_ for the PSCI API supported in TF-A). To disable a PSCI
function in a platform port, the operation should be removed from this
structure instead of providing an empty implementation.
plat\_psci\_ops.cpu\_standby()
......@@ -2511,14 +2509,14 @@ state or EL3/S-EL1 in the secure state. The design of this framework is
described in the `IMF Design Guide`_
A platform should export the following APIs to support the IMF. The following
text briefly describes each api and its implementation in ARM standard
text briefly describes each api and its implementation in Arm standard
platforms. The API implementation depends upon the type of interrupt controller
present in the platform. ARM standard platform layer supports both
`ARM Generic Interrupt Controller version 2.0 (GICv2)`_
and `3.0 (GICv3)`_. Juno builds the ARM
Standard layer to use GICv2 and the FVP can be configured to use either GICv2 or
GICv3 depending on the build flag ``FVP_USE_GIC_DRIVER`` (See FVP platform
specific build options in `User Guide`_ for more details).
present in the platform. Arm standard platform layer supports both
`Arm Generic Interrupt Controller version 2.0 (GICv2)`_
and `3.0 (GICv3)`_. Juno builds the Arm platform layer to use GICv2 and the
FVP can be configured to use either GICv2 or GICv3 depending on the build flag
``FVP_USE_GIC_DRIVER`` (See FVP platform specific build options in
`User Guide`_ for more details).
See also: `Interrupt Controller Abstraction APIs`__.
......@@ -2532,7 +2530,7 @@ Function : plat\_interrupt\_type\_to\_line() [mandatory]
Argument : uint32_t, uint32_t
Return : uint32_t
The ARM processor signals an interrupt exception either through the IRQ or FIQ
The Arm processor signals an interrupt exception either through the IRQ or FIQ
interrupt line. The specific line that is signaled depends on how the interrupt
controller (IC) reports different interrupt types from an execution context in
either security state. The IMF uses this API to determine which interrupt line
......@@ -2545,11 +2543,11 @@ security state of the originating execution context. The return result is the
bit position in the ``SCR_EL3`` register of the respective interrupt trap: IRQ=1,
FIQ=2.
In the case of ARM standard platforms using GICv2, S-EL1 interrupts are
In the case of Arm standard platforms using GICv2, S-EL1 interrupts are
configured as FIQs and Non-secure interrupts as IRQs from either security
state.
In the case of ARM standard platforms using GICv3, the interrupt line to be
In the case of Arm standard platforms using GICv3, the interrupt line to be
configured depends on the security state of the execution context when the
interrupt is signalled and are as follows:
......@@ -2574,7 +2572,7 @@ handler function. ``INTR_TYPE_INVAL`` is returned when there is no interrupt
pending. The valid interrupt types that can be returned are ``INTR_TYPE_EL3``,
``INTR_TYPE_S_EL1`` and ``INTR_TYPE_NS``. This API must be invoked at EL3.
In the case of ARM standard platforms using GICv2, the *Highest Priority
In the case of Arm standard platforms using GICv2, the *Highest Priority
Pending Interrupt Register* (``GICC_HPPIR``) is read to determine the id of
the pending interrupt. The type of interrupt depends upon the id value as
follows.
......@@ -2583,7 +2581,7 @@ follows.
#. id = 1022 is reported as a Non-secure interrupt.
#. id = 1023 is reported as an invalid interrupt type.
In the case of ARM standard platforms using GICv3, the system register
In the case of Arm standard platforms using GICv3, the system register
``ICC_HPPIR0_EL1``, *Highest Priority Pending group 0 Interrupt Register*,
is read to determine the id of the pending interrupt. The type of interrupt
depends upon the id value as follows.
......@@ -2605,7 +2603,7 @@ This API returns the id of the highest priority pending interrupt at the
platform IC. ``INTR_ID_UNAVAILABLE`` is returned when there is no interrupt
pending.
In the case of ARM standard platforms using GICv2, the *Highest Priority
In the case of Arm standard platforms using GICv2, the *Highest Priority
Pending Interrupt Register* (``GICC_HPPIR``) is read to determine the id of the
pending interrupt. The id that is returned by API depends upon the value of
the id read from the interrupt controller as follows.
......@@ -2616,7 +2614,7 @@ the id read from the interrupt controller as follows.
This id is returned by the API.
#. id = 1023. ``INTR_ID_UNAVAILABLE`` is returned.
In the case of ARM standard platforms using GICv3, if the API is invoked from
In the case of Arm standard platforms using GICv3, if the API is invoked from
EL3, the system register ``ICC_HPPIR0_EL1``, *Highest Priority Pending Interrupt
group 0 Register*, is read to determine the id of the pending interrupt. The id
that is returned by API depends upon the value of the id read from the
......@@ -2651,12 +2649,12 @@ The actual interrupt number shall be extracted from this raw value using the API
.. __: platform-interrupt-controller-API.rst#function-unsigned-int-plat-ic-get-interrupt-id-unsigned-int-raw-optional
This function in ARM standard platforms using GICv2, reads the *Interrupt
This function in Arm standard platforms using GICv2, reads the *Interrupt
Acknowledge Register* (``GICC_IAR``). This changes the state of the highest
priority pending interrupt from pending to active in the interrupt controller.
It returns the value read from the ``GICC_IAR``, unmodified.
In the case of ARM standard platforms using GICv3, if the API is invoked
In the case of Arm standard platforms using GICv3, if the API is invoked
from EL3, the function reads the system register ``ICC_IAR0_EL1``, *Interrupt
Acknowledge Register group 0*. If the API is invoked from S-EL1, the function
reads the system register ``ICC_IAR1_EL1``, *Interrupt Acknowledge Register
......@@ -2680,7 +2678,7 @@ the interrupt corresponding to the id (passed as the parameter) has
finished. The id should be the same as the id returned by the
``plat_ic_acknowledge_interrupt()`` API.
ARM standard platforms write the id to the *End of Interrupt Register*
Arm standard platforms write the id to the *End of Interrupt Register*
(``GICC_EOIR``) in case of GICv2, and to ``ICC_EOIR0_EL1`` or ``ICC_EOIR1_EL1``
system register in case of GICv3 depending on where the API is invoked from,
EL3 or S-EL1. This deactivates the corresponding interrupt in the interrupt
......@@ -2703,12 +2701,12 @@ interrupt type (one of ``INTR_TYPE_EL3``, ``INTR_TYPE_S_EL1`` and ``INTR_TYPE_NS
returned depending upon how the interrupt has been configured by the platform
IC. This API must be invoked at EL3.
ARM standard platforms using GICv2 configures S-EL1 interrupts as Group0 interrupts
Arm standard platforms using GICv2 configures S-EL1 interrupts as Group0 interrupts
and Non-secure interrupts as Group1 interrupts. It reads the group value
corresponding to the interrupt id from the relevant *Interrupt Group Register*
(``GICD_IGROUPRn``). It uses the group value to determine the type of interrupt.
In the case of ARM standard platforms using GICv3, both the *Interrupt Group
In the case of Arm standard platforms using GICv3, both the *Interrupt Group
Register* (``GICD_IGROUPRn``) and *Interrupt Group Modifier Register*
(``GICD_IGRPMODRn``) is read to figure out whether the interrupt is configured
as Group 0 secure interrupt, Group 1 secure interrupt or Group 1 NS interrupt.
......@@ -2829,10 +2827,10 @@ C Library
To avoid subtle toolchain behavioral dependencies, the header files provided
by the compiler are not used. The software is built with the ``-nostdinc`` flag
to ensure no headers are included from the toolchain inadvertently. Instead the
required headers are included in the ARM Trusted Firmware source tree. The
library only contains those C library definitions required by the local
implementation. If more functionality is required, the needed library functions
will need to be added to the local implementation.
required headers are included in the TF-A source tree. The library only
contains those C library definitions required by the local implementation. If
more functionality is required, the needed library functions will need to be
added to the local implementation.
Versions of `FreeBSD`_ headers can be found in ``include/lib/stdlib``. Some of
these headers have been cut down in order to simplify the implementation. In
......@@ -2873,7 +2871,7 @@ required in their respective ``blx_platform_setup()`` functions. Currently
storage access is only required by BL1 and BL2 phases. The ``load_image()``
function uses the storage layer to access non-volatile platform storage.
It is mandatory to implement at least one storage driver. For the ARM
It is mandatory to implement at least one storage driver. For the Arm
development platforms the Firmware Image Package (FIP) driver is provided as
the default means to load data from storage (see the "Firmware Image Package"
section in the `User Guide`_). The storage layer is described in the header file
......@@ -2913,7 +2911,7 @@ amount of open resources per driver.
--------------
*Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2013-2018, Arm Limited and Contributors. All rights reserved.*
.. _Migration Guide: platform-migration-guide.rst
.. _include/plat/common/platform.h: ../include/plat/common/platform.h
......@@ -2931,6 +2929,6 @@ amount of open resources per driver.
.. _PSCI: http://infocenter.arm.com/help/topic/com.arm.doc.den0022c/DEN0022C_Power_State_Coordination_Interface.pdf
.. _plat/arm/board/fvp/fvp\_pm.c: ../plat/arm/board/fvp/fvp_pm.c
.. _IMF Design Guide: interrupt-framework-design.rst
.. _ARM Generic Interrupt Controller version 2.0 (GICv2): http://infocenter.arm.com/help/topic/com.arm.doc.ihi0048b/index.html
.. _Arm Generic Interrupt Controller version 2.0 (GICv2): http://infocenter.arm.com/help/topic/com.arm.doc.ihi0048b/index.html
.. _3.0 (GICv3): http://infocenter.arm.com/help/topic/com.arm.doc.ihi0069b/index.html
.. _FreeBSD: http://www.freebsd.org
docs/psci-lib-integration-guide.rst
View file @ fb45044b
PSCI Library Integration guide for ARMv8-A AArch32 systems
PSCI Library Integration guide for Armv8-A AArch32 systems
==========================================================
......@@ -8,7 +8,7 @@ PSCI Library Integration guide for ARMv8-A AArch32 systems
.. contents::
This document describes the PSCI library interface with a focus on how to
integrate with a suitable Trusted OS for an ARMv8-A AArch32 system. The PSCI
integrate with a suitable Trusted OS for an Armv8-A AArch32 system. The PSCI
Library implements the PSCI Standard as described in `PSCI spec`_ and is meant
to be integrated with EL3 Runtime Software which invokes the PSCI Library
interface appropriately. **EL3 Runtime Software** refers to software executing
......@@ -17,9 +17,10 @@ Monitor mode in AArch32, and provides runtime services to the non-secure world.
The runtime service request is made via SMC (Secure Monitor Call) and the call
must adhere to `SMCCC`_. In AArch32, EL3 Runtime Software may additionally
include Trusted OS functionality. A minimal AArch32 Secure Payload, SP-MIN, is
provided in ARM Trusted Firmware to illustrate the usage and integration of the
PSCI library. The description of PSCI library interface and its integration
with EL3 Runtime Software in this document is targeted towards AArch32 systems.
provided in Trusted Firmware-A (TF-A) to illustrate the usage and integration
of the PSCI library. The description of PSCI library interface and its
integration with EL3 Runtime Software in this document is targeted towards
AArch32 systems.
Generic call sequence for PSCI Library interface (AArch32)
----------------------------------------------------------
......@@ -315,7 +316,7 @@ Software must provide an SMC handling framework capable of MP adhering to
The EL3 Runtime Software must also export cache maintenance primitives
and some helper utilities for assert, print and memory operations as listed
below. The ARM Trusted Firmware source tree provides implementations for all
below. The TF-A source tree provides implementations for all
these functions but the EL3 Runtime Software may use its own implementation.
**Functions : assert(), memcpy(), memset**
......@@ -355,10 +356,10 @@ failure that cannot be recovered from. This function **must not** return.
**Function : tf\_printf()**
This is printf-compatible function, but unlike printf, it does not return any
value. The ARM Trusted Firmware source tree provides an implementation which
value. The TF-A source tree provides an implementation which
is optimized for stack usage and supports only a subset of format specifiers.
The details of the format specifiers supported can be found in the
``tf_printf.c`` file in ARM Trusted Firmware source tree.
``tf_printf.c`` file in the TF-A source tree.
CPU Context management API
~~~~~~~~~~~~~~~~~~~~~~~~~~
......@@ -537,7 +538,8 @@ CPU operations
~~~~~~~~~~~~~~
The CPU operations (cpu\_ops) framework implement power down sequence specific
to the CPU and the details of which can be found in the ``CPU specific operations framework`` section of `Firmware Design`_. The ARM Trusted Firmware
to the CPU and the details of which can be found in the
``CPU specific operations framework`` section of `Firmware Design`_. The TF-A
tree implements the ``cpu_ops`` for various supported CPUs and the EL3 Runtime
Software needs to include the required ``cpu_ops`` in its build. The start and
end of the ``cpu_ops`` descriptors must be exported by the EL3 Runtime Software
......@@ -550,7 +552,7 @@ workarounds.
--------------
*Copyright (c) 2016, ARM Limited and Contributors. All rights reserved.*
*Copyright (c) 2016-2018, Arm Limited and Contributors. All rights reserved.*
.. _PSCI spec: http://infocenter.arm.com/help/topic/com.arm.doc.den0022c/DEN0022C_Power_State_Coordination_Interface.pdf
.. _SMCCC: https://silver.arm.com/download/ARM_and_AMBA_Architecture/AR570-DA-80002-r0p0-00rel0/ARM_DEN0028A_SMC_Calling_Convention.pdf
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment