Closed athoelke closed 10 years ago
Hi Andrew,
Sorry delayed reply – but thanks for doing this. It looks good and extensible. So as long as we get the processor into the right state the main change to run from our BL2 will be moving from:
(*BL31_image_entry)(RUN_IMAGE, NULL, NULL, &(struct bl31_args from bl_common.h), NULL);
to
(*BL31_image_entry)(&(struct bl31_param_v1), &(optional plat specific struct));
and of course filling in the different args struct…
All fine, Thanks, James
(trying to email back – may go in GitHub – if not added you to cc)
From: Andrew Thoelke [mailto:notifications@github.com] Sent: 09 April 2014 23:36 To: ARM-software/tf-issues Subject: [tf-issues] RFC: Proposed requirements and specification for BL3-1 initialization (#133)
I know this is a long entry - but I wanted to capture most of the related requirements, some proposed specification and some commentary on what happens on the FVP. Please provide some feedback if this does not meet your needs or if you have suggestions for implementation as we plan to start implementing this proposal piece by piece over the coming few weeks. We will probably break bits out of the long text into separate/sub issues.
Entrypoint definitions
A function residing at the CPU reset vector RVBAR_EL3. The function must be capable of determining the cold/warm boot and primary/secondary status of the CPU, and invoking the appropriate follow on function:
A function which must be called exactly once by the primary CPU before any other code in the image is run, excepting a possible Reset Handler described above.
A function (or functions) that initialize a CPU following a software programmed or interrupt triggered warm power-on. It is assumed that the cold boot initialization is complete.
BL3-1 interface requirements
· The BL3-1 base address entrypoint should default to being the BL3-1 Cold boot Initialization function.
· It must be possible for a platform to configure the BL3-1 base address entrypoint to be a Reset Handler.
This is only called by the primary CPU, if this is called by any other CPU the firmware will abort.
Required CPU state
On entry to the cold boot initialization function the calling primary CPU must be AArch64 EL3, little-endian data access, and all interrupt sources masked:
PSTATE.EL = 3
PSTATE.RW = 1
PSTATE.DAIF = 0xf
CTLR_EL3.EE = 0
X0 and X1 can be used to pass information from the Trusted Boot Firmware to the platform code in BL3-1:
X0 : Reserved for common Trusted Firmware information
X1 : Platform specific information
BL3-1 zero-init sections (e.g. .bss) must not contain valid data on entry, these will be zero filled prior to invoking platform setup code.
Use of the X0 and X1 parameters
The parameters are platform specific and passed from the Cold boot Initialization function to bl31_early_platform_setup().
The convention is that X0 conveys information regarding the BL3-1, BL3-2 and BL3-3 images from the Secure Boot software and X1 can be used for other platform specific purpose. This convention allows platforms which use Trusted Firmware's BL1 and BL2 images to transfer additional platform specific information from Secure Boot without conflicting with future evolution of the Trusted Firmware use of X0.
More details on the use of these parameters and proposed specification for X0 follows below.
Platform specific functionality required during initialization
BL3-1 common initialization code depends on platform specific CPU, MMU and core SoC initialization, which must be provided via bl31 platform APIs.
Platform specific data required during initialization
BL3-1 common and SPD initialization code depends on image, entrypoint and memory information about BL3-3 and BL3-2, which is provided via bl31 platform APIs. This information is required until the start of execution of BL3-3.
This information can be provided in a platform defined manner, e.g. compiled into the platform code in BL3-1, or provided in a platform defined memory location by the Trusted Boot firmware, or passed from the Trusted Boot Firmware via the Cold boot Initialization parameters. This data is not referenced by common or SPD code prior to caches being enabled, however if platform code uses this data with caches disabled, the platform must ensure that the data is flushed into main memory before initializing BL3-1.
MMU & Caches
The common code does not depend on caches and MMU being enabled or disabled on entry to this function. If disabled on entry, these should be enabled during bl31_plat_arch_setup().
Coherency
The coherency status of the CPU and SoC interconnect is platform specific on entry. If not coherent on entry, coherency should be enabled prior to MMU and caches being enabled during bl31_plat_arch_setup().
When requesting a CPU power-on, or suspending a running CPU, Trusted Firmware provides the platform power management code with a Warm boot Initialization entry-point, to be invoked by the CPU immediately after the Reset Handler. On entry to the Warm boot Initialization function the calling CPU must be in AArch64 EL3, little-endian data access and all interrupt sources masked:
PSTATE.EL = 3
PSTATE.RW = 1
PSTATE.DAIF = 0xf
SCTLR_EL3.EE = 0
The PSCI implementation will initialize the processor state and ensure that the platform power management code is then invoked as required to initialize all necessary system, cluster and CPU resources.
Future changes to the BL3-1 interface must be done in a backwards compatible way. This ensures that adoption of updated Trusted Firmware code will not break systems that use alternative Trusted Boot Firmware (e.g. not BL2 from Trusted Firmware), and should allow such Boot firmware to be enhanced/updated to exploit the new functionality independently.
Related Requirements and commentary Specification: Common data structures
Initialization of BL3-1, and the setup for execution of BL3-2 and BL3-3 requires that information about these images and their entrypoint context (address, mode, parameters, etc) is provided to the common BL3-1 software or to any SPD built into BL3-1. If Trusted Firmware BL2 is being used, this will transfer this information in a structured way to the BL3-1 Cold boot Initialization function in parameter X0.
In order to best support the use of independent Trusted Boot Firmware, but enable each of these data structures to evolve independently in future we should avoid making these structures rigid, and avoid hard-wiring the precise type of the structure into the BL3-1 code.
For example, the initial image information, based on the current .bin images, would just contain a base address and image size. A future extension to that structure to support .elf images could additionally provide the extent of the RAM required or offsets and extents of the important image sections (read-only, read-write, coherent). The BL3-1 code for using this structure should be able to recognize and interpret either the basic .bin info or make use of the extended .elf info.
The proposal is to make these structures typed, versioned and sized - providing flexibility in how these are constructed and then passed between boot loader stages.
/***
without demanding immediate changes in ports of the firmware.
**/
typedef struct {
uint16_t type_ver; /* type[15:8]/version[7:0] of this structure */
uint16_t size; /* size of this structure in bytes */
uint32_t attr; /* attributes: unused bits SBZ */
} param_header;
/***
argument parameters (X0-X3), and security state for an image entrypoint.
*
The security state is indicated using bit 0 of the header attributes.
**/
typedef struct {
param_header h;
uintptr_t pc; /* entrypoint address */
uint32_t spsr; /* entrypoint processor state */
unsigned long X[4]; /* register value arguments */
} entrypoint_v1;
/***
optimization or greater flexibility in the common firmware code
**/
typedef struct {
param_header h;
uintptr_t image_base; /* physical address of base of image */
uint32_t image_size; /* bytes read from image file */
} image_info_binary;
/***
BL3-1's cold-boot entrypoint.
*
about BL3-2 and BL3-3 to the common and SPD code.
*
indicated by the respective image_info pointers being 0
.
**/
typedef struct {
param_header h;
image_info_binary* bl31_image;
image_info_binary* bl32_image;
entrypoint_v1* bl32_ep;
image_info_binary* bl33_image;
entrypoint_v1* bl33_ep;
} bl31_param_v1;
Requirement: BL3-2 and BL3-3 entrypoint setup
The common BL2 code must ensure that platform specific code in BL2 is able to set or update the BL3-3 and BL3-2 entrypoint information after these images have been loaded.
The common BL3-1 code must ensure that the SPD code (if present) is able to set or update the BL3-2 entrypoint information before this is used to execute the image.
It must be possible for all aspects of the entrypoint to be specified: register width, exception level, processing mode, ISA, PC and initial parameters (X0-X3)
Detailed specification of these APIs will be provided later during implementation and added to the porting guide.
Specification: Control transfer from BL2 to BL3-1 via BL1
[This is incompatible with the current SMC convention, which uses registers for the entrypoint context. However, unlike the BL2/BL3-1 interface it is expected that users of BL1 will also be using a matching version of BL2 so this break should have no impact]
If BL1 is being used to transfer control to BL3-1, this implements an SMC call for use by BL2 (or any replacement) which has the following parameters: Register
Usage
X0
RUN_IMAGE = 0xC0000000 : SMC function number used for the BL2 -> BL1 -> BL3-1 transition
X1
physical address of an entrypoint_v1 structure for BL3-1. This will include the PC, SPSR, X0 and X1 values for the BL3-1 initialization function.
— Reply to this email directly or view it on GitHubhttps://github.com/ARM-software/tf-issues/issues/133.
I know this is a long entry - but I wanted to capture most of the related requirements, some proposed specification and some commentary on what happens on the FVP. Please provide some feedback if this does not meet your needs or if you have suggestions for implementation as we plan to start implementing this proposal piece by piece over the coming few weeks. We will probably break bits out of the long text into separate/sub issues.
Entrypoint definitions
1. Reset Handler
A function residing at the CPU reset vector
RVBAR_EL3
. The function must be capable of determining the cold/warm boot and primary/secondary status of the CPU, and invoking the appropriate follow on function:2. Cold boot Initialization
A function which must be called exactly once by the primary CPU before any other code in the image is run, excepting a possible Reset Handler described above.
3. Warm boot Initalization
A function (or functions) that initialize a CPU following a software programmed or interrupt triggered warm power-on. It is assumed that the cold boot initialization is complete.
BL3-1 interface requirements
1. BL3-1 base address entrypoint
2. BL3-1 Cold boot Initialization
This is only called by the primary CPU, if this is called by any other CPU the firmware will abort.
Required CPU state
On entry to the cold boot initialization function the calling primary CPU must be AArch64 EL3, little-endian data access, and all interrupt sources masked:
X0 and X1 can be used to pass information from the Trusted Boot Firmware to the platform code in BL3-1:
BL3-1 zero-init sections (e.g.
.bss
) must not contain valid data on entry, these will be zero filled prior to invoking platform setup code.Use of the X0 and X1 parameters
The parameters are platform specific and passed from the Cold boot Initialization function to
bl31_early_platform_setup()
.The convention is that
X0
conveys information regarding the BL3-1, BL3-2 and BL3-3 images from the Secure Boot software andX1
can be used for other platform specific purpose. This convention allows platforms which use Trusted Firmware's BL1 and BL2 images to transfer additional platform specific information from Secure Boot without conflicting with future evolution of the Trusted Firmware use ofX0
.More details on the use of these parameters and proposed specification for
X0
follows below.Platform specific functionality required during initialization
BL3-1 common initialization code depends on platform specific CPU, MMU and core SoC initialization, which must be provided via bl31 platform APIs.
Platform specific data required during initialization
BL3-1 common and SPD initialization code depends on image, entrypoint and memory information about BL3-3 and BL3-2, which is provided via bl31 platform APIs. This information is required until the start of execution of BL3-3.
This information can be provided in a platform defined manner, e.g. compiled into the platform code in BL3-1, or provided in a platform defined memory location by the Trusted Boot firmware, or passed from the Trusted Boot Firmware via the Cold boot Initialization parameters. This data is not referenced by common or SPD code prior to caches being enabled, however if platform code uses this data with caches disabled, the platform must ensure that the data is flushed into main memory before initializing BL3-1.
MMU & Caches
The common code does not depend on caches and MMU being enabled or disabled on entry to this function. If disabled on entry, these should be enabled during
bl31_plat_arch_setup()
.Coherency
The coherency status of the CPU and SoC interconnect is platform specific on entry. If not coherent on entry, coherency should be enabled prior to MMU and caches being enabled during
bl31_plat_arch_setup()
.3. BL3-1 Warm boot Initialization
When requesting a CPU power-on, or suspending a running CPU, Trusted Firmware provides the platform power management code with a Warm boot Initialization entry-point, to be invoked by the CPU immediately after the Reset Handler. On entry to the Warm boot Initialization function the calling CPU must be in AArch64 EL3, little-endian data access and all interrupt sources masked:
The PSCI implementation will initialize the processor state and ensure that the platform power management code is then invoked as required to initialize all necessary system, cluster and CPU resources.
4. BL3-1 compatibility with independent Trusted Boot Firmware
Future changes to the BL3-1 interface must be done in a backwards compatible way. This ensures that adoption of updated Trusted Firmware code will not break systems that use alternative Trusted Boot Firmware (e.g. not BL2 from Trusted Firmware), and should allow such Boot firmware to be enhanced/updated to exploit the new functionality independently.
Related Requirements and commentary
Specification: Common data structures
Initialization of BL3-1, and the setup for execution of BL3-2 and BL3-3 requires that information about these images and their entrypoint context (address, mode, parameters, etc) is provided to the common BL3-1 software or to any SPD built into BL3-1. If Trusted Firmware BL2 is being used, this will transfer this information in a structured way to the BL3-1 Cold boot Initialization function in parameter X0.
In order to best support the use of independent Trusted Boot Firmware, but enable each of these data structures to evolve independently in future we should avoid making these structures rigid, and avoid hard-wiring the precise type of the structure into the BL3-1 code.
For example, the initial image information, based on the current
.bin
images, would just contain a base address and image size. A future extension to that structure to support.elf
images could additionally provide the extent of the RAM required or offsets and extents of the important image sections (read-only, read-write, coherent). The BL3-1 code for using this structure should be able to recognize and interpret either the basic.bin
info or make use of the extended.elf
info.The proposal is to make these structures typed, versioned and sized - providing flexibility in how these are constructed and then passed between boot loader stages.
Requirement: BL3-2 and BL3-3 entrypoint setup
The common BL2 code must ensure that platform specific code in BL2 is able to set or update the BL3-3 and BL3-2 entrypoint information after these images have been loaded.
The common BL3-1 code must ensure that the SPD code (if present) is able to set or update the BL3-2 entrypoint information before this is used to execute the image.
It must be possible for all aspects of the entrypoint to be specified: register width, exception level, processing mode, ISA, PC and initial parameters (X0-X3)
Detailed specification of these APIs will be provided later during implementation and added to the porting guide.
Specification: Control transfer from BL2 to BL3-1 via BL1
[This is incompatible with the current SMC convention, which uses registers for the entrypoint context. However, unlike the BL2/BL3-1 interface it is expected that users of BL1 will also be using a matching version of BL2 so this break should have no impact]
If BL1 is being used to transfer control to BL3-1, this implements an SMC call for use by BL2 (or any replacement) which has the following parameters:
X0
RUN_IMAGE = 0xC0000000
: SMC function number used for the BL2 -> BL1 -> BL3-1 transitionX1
entrypoint_v1
structure for BL3-1. This will include thePC
,SPSR
,X0
andX1
values for the BL3-1 initialization function.