1 ARM Trusted Firmware Porting Guide 2 ================================== 3 4 5 .. section-numbering:: 6 :suffix: . 7 8 .. contents:: 9 10 -------------- 11 12 Introduction 13 ------------ 14 15 Please note that this document has been updated for the new platform API 16 as required by the PSCI v1.0 implementation. Please refer to the 17 `Migration Guide`_ for the previous platform API. 18 19 Porting the ARM Trusted Firmware to a new platform involves making some 20 mandatory and optional modifications for both the cold and warm boot paths. 21 Modifications consist of: 22 23 - Implementing a platform-specific function or variable, 24 - Setting up the execution context in a certain way, or 25 - Defining certain constants (for example #defines). 26 27 The platform-specific functions and variables are declared in 28 `include/plat/common/platform.h`_. The firmware provides a default implementation 29 of variables and functions to fulfill the optional requirements. These 30 implementations are all weakly defined; they are provided to ease the porting 31 effort. Each platform port can override them with its own implementation if the 32 default implementation is inadequate. 33 34 Platform ports that want to be aligned with standard ARM platforms (for example 35 FVP and Juno) may also use `include/plat/arm/common/plat\_arm.h`_ and the 36 corresponding source files in ``plat/arm/common/``. These provide standard 37 implementations for some of the required platform porting functions. However, 38 using these functions requires the platform port to implement additional 39 ARM standard platform porting functions. These additional functions are not 40 documented here. 41 42 Some modifications are common to all Boot Loader (BL) stages. Section 2 43 discusses these in detail. The subsequent sections discuss the remaining 44 modifications for each BL stage in detail. 45 46 This document should be read in conjunction with the ARM Trusted Firmware 47 `User Guide`_. 48 49 Common modifications 50 -------------------- 51 52 This section covers the modifications that should be made by the platform for 53 each BL stage to correctly port the firmware stack. They are categorized as 54 either mandatory or optional. 55 56 Common mandatory modifications 57 ------------------------------ 58 59 A platform port must enable the Memory Management Unit (MMU) as well as the 60 instruction and data caches for each BL stage. Setting up the translation 61 tables is the responsibility of the platform port because memory maps differ 62 across platforms. A memory translation library (see ``lib/xlat_tables/``) is 63 provided to help in this setup. 64 65 Note that although this library supports non-identity mappings, this is intended 66 only for re-mapping peripheral physical addresses and allows platforms with high 67 I/O addresses to reduce their virtual address space. All other addresses 68 corresponding to code and data must currently use an identity mapping. 69 70 Also, the only translation granule size supported in Trusted Firmware is 4KB, as 71 various parts of the code assume that is the case. It is not possible to switch 72 to 16 KB or 64 KB granule sizes at the moment. 73 74 In ARM standard platforms, each BL stage configures the MMU in the 75 platform-specific architecture setup function, ``blX_plat_arch_setup()``, and uses 76 an identity mapping for all addresses. 77 78 If the build option ``USE_COHERENT_MEM`` is enabled, each platform can allocate a 79 block of identity mapped secure memory with Device-nGnRE attributes aligned to 80 page boundary (4K) for each BL stage. All sections which allocate coherent 81 memory are grouped under ``coherent_ram``. For ex: Bakery locks are placed in a 82 section identified by name ``bakery_lock`` inside ``coherent_ram`` so that its 83 possible for the firmware to place variables in it using the following C code 84 directive: 85 86 :: 87 88 __section("bakery_lock") 89 90 Or alternatively the following assembler code directive: 91 92 :: 93 94 .section bakery_lock 95 96 The ``coherent_ram`` section is a sum of all sections like ``bakery_lock`` which are 97 used to allocate any data structures that are accessed both when a CPU is 98 executing with its MMU and caches enabled, and when it's running with its MMU 99 and caches disabled. Examples are given below. 100 101 The following variables, functions and constants must be defined by the platform 102 for the firmware to work correctly. 103 104 File : platform\_def.h [mandatory] 105 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 106 107 Each platform must ensure that a header file of this name is in the system 108 include path with the following constants defined. This may require updating the 109 list of ``PLAT_INCLUDES`` in the ``platform.mk`` file. In the ARM development 110 platforms, this file is found in ``plat/arm/board/<plat_name>/include/``. 111 112 Platform ports may optionally use the file `include/plat/common/common\_def.h`_, 113 which provides typical values for some of the constants below. These values are 114 likely to be suitable for all platform ports. 115 116 Platform ports that want to be aligned with standard ARM platforms (for example 117 FVP and Juno) may also use `include/plat/arm/common/arm\_def.h`_, which provides 118 standard values for some of the constants below. However, this requires the 119 platform port to define additional platform porting constants in 120 ``platform_def.h``. These additional constants are not documented here. 121 122 - **#define : PLATFORM\_LINKER\_FORMAT** 123 124 Defines the linker format used by the platform, for example 125 ``elf64-littleaarch64``. 126 127 - **#define : PLATFORM\_LINKER\_ARCH** 128 129 Defines the processor architecture for the linker by the platform, for 130 example ``aarch64``. 131 132 - **#define : PLATFORM\_STACK\_SIZE** 133 134 Defines the normal stack memory available to each CPU. This constant is used 135 by `plat/common/aarch64/platform\_mp\_stack.S`_ and 136 `plat/common/aarch64/platform\_up\_stack.S`_. 137 138 - **define : CACHE\_WRITEBACK\_GRANULE** 139 140 Defines the size in bits of the largest cache line across all the cache 141 levels in the platform. 142 143 - **#define : FIRMWARE\_WELCOME\_STR** 144 145 Defines the character string printed by BL1 upon entry into the ``bl1_main()`` 146 function. 147 148 - **#define : PLATFORM\_CORE\_COUNT** 149 150 Defines the total number of CPUs implemented by the platform across all 151 clusters in the system. 152 153 - **#define : PLAT\_NUM\_PWR\_DOMAINS** 154 155 Defines the total number of nodes in the power domain topology 156 tree at all the power domain levels used by the platform. 157 This macro is used by the PSCI implementation to allocate 158 data structures to represent power domain topology. 159 160 - **#define : PLAT\_MAX\_PWR\_LVL** 161 162 Defines the maximum power domain level that the power management operations 163 should apply to. More often, but not always, the power domain level 164 corresponds to affinity level. This macro allows the PSCI implementation 165 to know the highest power domain level that it should consider for power 166 management operations in the system that the platform implements. For 167 example, the Base AEM FVP implements two clusters with a configurable 168 number of CPUs and it reports the maximum power domain level as 1. 169 170 - **#define : PLAT\_MAX\_OFF\_STATE** 171 172 Defines the local power state corresponding to the deepest power down 173 possible at every power domain level in the platform. The local power 174 states for each level may be sparsely allocated between 0 and this value 175 with 0 being reserved for the RUN state. The PSCI implementation uses this 176 value to initialize the local power states of the power domain nodes and 177 to specify the requested power state for a PSCI\_CPU\_OFF call. 178 179 - **#define : PLAT\_MAX\_RET\_STATE** 180 181 Defines the local power state corresponding to the deepest retention state 182 possible at every power domain level in the platform. This macro should be 183 a value less than PLAT\_MAX\_OFF\_STATE and greater than 0. It is used by the 184 PSCI implementation to distinguish between retention and power down local 185 power states within PSCI\_CPU\_SUSPEND call. 186 187 - **#define : PLAT\_MAX\_PWR\_LVL\_STATES** 188 189 Defines the maximum number of local power states per power domain level 190 that the platform supports. The default value of this macro is 2 since 191 most platforms just support a maximum of two local power states at each 192 power domain level (power-down and retention). If the platform needs to 193 account for more local power states, then it must redefine this macro. 194 195 Currently, this macro is used by the Generic PSCI implementation to size 196 the array used for PSCI\_STAT\_COUNT/RESIDENCY accounting. 197 198 - **#define : BL1\_RO\_BASE** 199 200 Defines the base address in secure ROM where BL1 originally lives. Must be 201 aligned on a page-size boundary. 202 203 - **#define : BL1\_RO\_LIMIT** 204 205 Defines the maximum address in secure ROM that BL1's actual content (i.e. 206 excluding any data section allocated at runtime) can occupy. 207 208 - **#define : BL1\_RW\_BASE** 209 210 Defines the base address in secure RAM where BL1's read-write data will live 211 at runtime. Must be aligned on a page-size boundary. 212 213 - **#define : BL1\_RW\_LIMIT** 214 215 Defines the maximum address in secure RAM that BL1's read-write data can 216 occupy at runtime. 217 218 - **#define : BL2\_BASE** 219 220 Defines the base address in secure RAM where BL1 loads the BL2 binary image. 221 Must be aligned on a page-size boundary. 222 223 - **#define : BL2\_LIMIT** 224 225 Defines the maximum address in secure RAM that the BL2 image can occupy. 226 227 - **#define : BL31\_BASE** 228 229 Defines the base address in secure RAM where BL2 loads the BL31 binary 230 image. Must be aligned on a page-size boundary. 231 232 - **#define : BL31\_LIMIT** 233 234 Defines the maximum address in secure RAM that the BL31 image can occupy. 235 236 For every image, the platform must define individual identifiers that will be 237 used by BL1 or BL2 to load the corresponding image into memory from non-volatile 238 storage. For the sake of performance, integer numbers will be used as 239 identifiers. The platform will use those identifiers to return the relevant 240 information about the image to be loaded (file handler, load address, 241 authentication information, etc.). The following image identifiers are 242 mandatory: 243 244 - **#define : BL2\_IMAGE\_ID** 245 246 BL2 image identifier, used by BL1 to load BL2. 247 248 - **#define : BL31\_IMAGE\_ID** 249 250 BL31 image identifier, used by BL2 to load BL31. 251 252 - **#define : BL33\_IMAGE\_ID** 253 254 BL33 image identifier, used by BL2 to load BL33. 255 256 If Trusted Board Boot is enabled, the following certificate identifiers must 257 also be defined: 258 259 - **#define : TRUSTED\_BOOT\_FW\_CERT\_ID** 260 261 BL2 content certificate identifier, used by BL1 to load the BL2 content 262 certificate. 263 264 - **#define : TRUSTED\_KEY\_CERT\_ID** 265 266 Trusted key certificate identifier, used by BL2 to load the trusted key 267 certificate. 268 269 - **#define : SOC\_FW\_KEY\_CERT\_ID** 270 271 BL31 key certificate identifier, used by BL2 to load the BL31 key 272 certificate. 273 274 - **#define : SOC\_FW\_CONTENT\_CERT\_ID** 275 276 BL31 content certificate identifier, used by BL2 to load the BL31 content 277 certificate. 278 279 - **#define : NON\_TRUSTED\_FW\_KEY\_CERT\_ID** 280 281 BL33 key certificate identifier, used by BL2 to load the BL33 key 282 certificate. 283 284 - **#define : NON\_TRUSTED\_FW\_CONTENT\_CERT\_ID** 285 286 BL33 content certificate identifier, used by BL2 to load the BL33 content 287 certificate. 288 289 - **#define : FWU\_CERT\_ID** 290 291 Firmware Update (FWU) certificate identifier, used by NS\_BL1U to load the 292 FWU content certificate. 293 294 - **#define : PLAT\_CRYPTOCELL\_BASE** 295 296 This defines the base address of ARM TrustZone CryptoCell and must be 297 defined if CryptoCell crypto driver is used for Trusted Board Boot. For 298 capable ARM platforms, this driver is used if ``ARM_CRYPTOCELL_INTEG`` is 299 set. 300 301 If the AP Firmware Updater Configuration image, BL2U is used, the following 302 must also be defined: 303 304 - **#define : BL2U\_BASE** 305 306 Defines the base address in secure memory where BL1 copies the BL2U binary 307 image. Must be aligned on a page-size boundary. 308 309 - **#define : BL2U\_LIMIT** 310 311 Defines the maximum address in secure memory that the BL2U image can occupy. 312 313 - **#define : BL2U\_IMAGE\_ID** 314 315 BL2U image identifier, used by BL1 to fetch an image descriptor 316 corresponding to BL2U. 317 318 If the SCP Firmware Update Configuration Image, SCP\_BL2U is used, the following 319 must also be defined: 320 321 - **#define : SCP\_BL2U\_IMAGE\_ID** 322 323 SCP\_BL2U image identifier, used by BL1 to fetch an image descriptor 324 corresponding to SCP\_BL2U. 325 NOTE: TF does not provide source code for this image. 326 327 If the Non-Secure Firmware Updater ROM, NS\_BL1U is used, the following must 328 also be defined: 329 330 - **#define : NS\_BL1U\_BASE** 331 332 Defines the base address in non-secure ROM where NS\_BL1U executes. 333 Must be aligned on a page-size boundary. 334 NOTE: TF does not provide source code for this image. 335 336 - **#define : NS\_BL1U\_IMAGE\_ID** 337 338 NS\_BL1U image identifier, used by BL1 to fetch an image descriptor 339 corresponding to NS\_BL1U. 340 341 If the Non-Secure Firmware Updater, NS\_BL2U is used, the following must also 342 be defined: 343 344 - **#define : NS\_BL2U\_BASE** 345 346 Defines the base address in non-secure memory where NS\_BL2U executes. 347 Must be aligned on a page-size boundary. 348 NOTE: TF does not provide source code for this image. 349 350 - **#define : NS\_BL2U\_IMAGE\_ID** 351 352 NS\_BL2U image identifier, used by BL1 to fetch an image descriptor 353 corresponding to NS\_BL2U. 354 355 For the the Firmware update capability of TRUSTED BOARD BOOT, the following 356 macros may also be defined: 357 358 - **#define : PLAT\_FWU\_MAX\_SIMULTANEOUS\_IMAGES** 359 360 Total number of images that can be loaded simultaneously. If the platform 361 doesn't specify any value, it defaults to 10. 362 363 If a SCP\_BL2 image is supported by the platform, the following constants must 364 also be defined: 365 366 - **#define : SCP\_BL2\_IMAGE\_ID** 367 368 SCP\_BL2 image identifier, used by BL2 to load SCP\_BL2 into secure memory 369 from platform storage before being transfered to the SCP. 370 371 - **#define : SCP\_FW\_KEY\_CERT\_ID** 372 373 SCP\_BL2 key certificate identifier, used by BL2 to load the SCP\_BL2 key 374 certificate (mandatory when Trusted Board Boot is enabled). 375 376 - **#define : SCP\_FW\_CONTENT\_CERT\_ID** 377 378 SCP\_BL2 content certificate identifier, used by BL2 to load the SCP\_BL2 379 content certificate (mandatory when Trusted Board Boot is enabled). 380 381 If a BL32 image is supported by the platform, the following constants must 382 also be defined: 383 384 - **#define : BL32\_IMAGE\_ID** 385 386 BL32 image identifier, used by BL2 to load BL32. 387 388 - **#define : TRUSTED\_OS\_FW\_KEY\_CERT\_ID** 389 390 BL32 key certificate identifier, used by BL2 to load the BL32 key 391 certificate (mandatory when Trusted Board Boot is enabled). 392 393 - **#define : TRUSTED\_OS\_FW\_CONTENT\_CERT\_ID** 394 395 BL32 content certificate identifier, used by BL2 to load the BL32 content 396 certificate (mandatory when Trusted Board Boot is enabled). 397 398 - **#define : BL32\_BASE** 399 400 Defines the base address in secure memory where BL2 loads the BL32 binary 401 image. Must be aligned on a page-size boundary. 402 403 - **#define : BL32\_LIMIT** 404 405 Defines the maximum address that the BL32 image can occupy. 406 407 If the Test Secure-EL1 Payload (TSP) instantiation of BL32 is supported by the 408 platform, the following constants must also be defined: 409 410 - **#define : TSP\_SEC\_MEM\_BASE** 411 412 Defines the base address of the secure memory used by the TSP image on the 413 platform. This must be at the same address or below ``BL32_BASE``. 414 415 - **#define : TSP\_SEC\_MEM\_SIZE** 416 417 Defines the size of the secure memory used by the BL32 image on the 418 platform. ``TSP_SEC_MEM_BASE`` and ``TSP_SEC_MEM_SIZE`` must fully accomodate 419 the memory required by the BL32 image, defined by ``BL32_BASE`` and 420 ``BL32_LIMIT``. 421 422 - **#define : TSP\_IRQ\_SEC\_PHY\_TIMER** 423 424 Defines the ID of the secure physical generic timer interrupt used by the 425 TSP's interrupt handling code. 426 427 If the platform port uses the translation table library code, the following 428 constants must also be defined: 429 430 - **#define : PLAT\_XLAT\_TABLES\_DYNAMIC** 431 432 Optional flag that can be set per-image to enable the dynamic allocation of 433 regions even when the MMU is enabled. If not defined, only static 434 functionality will be available, if defined and set to 1 it will also 435 include the dynamic functionality. 436 437 - **#define : MAX\_XLAT\_TABLES** 438 439 Defines the maximum number of translation tables that are allocated by the 440 translation table library code. To minimize the amount of runtime memory 441 used, choose the smallest value needed to map the required virtual addresses 442 for each BL stage. If ``PLAT_XLAT_TABLES_DYNAMIC`` flag is enabled for a BL 443 image, ``MAX_XLAT_TABLES`` must be defined to accommodate the dynamic regions 444 as well. 445 446 - **#define : MAX\_MMAP\_REGIONS** 447 448 Defines the maximum number of regions that are allocated by the translation 449 table library code. A region consists of physical base address, virtual base 450 address, size and attributes (Device/Memory, RO/RW, Secure/Non-Secure), as 451 defined in the ``mmap_region_t`` structure. The platform defines the regions 452 that should be mapped. Then, the translation table library will create the 453 corresponding tables and descriptors at runtime. To minimize the amount of 454 runtime memory used, choose the smallest value needed to register the 455 required regions for each BL stage. If ``PLAT_XLAT_TABLES_DYNAMIC`` flag is 456 enabled for a BL image, ``MAX_MMAP_REGIONS`` must be defined to accommodate 457 the dynamic regions as well. 458 459 - **#define : ADDR\_SPACE\_SIZE** 460 461 Defines the total size of the address space in bytes. For example, for a 32 462 bit address space, this value should be ``(1ull << 32)``. This definition is 463 now deprecated, platforms should use ``PLAT_PHY_ADDR_SPACE_SIZE`` and 464 ``PLAT_VIRT_ADDR_SPACE_SIZE`` instead. 465 466 - **#define : PLAT\_VIRT\_ADDR\_SPACE\_SIZE** 467 468 Defines the total size of the virtual address space in bytes. For example, 469 for a 32 bit virtual address space, this value should be ``(1ull << 32)``. 470 471 - **#define : PLAT\_PHY\_ADDR\_SPACE\_SIZE** 472 473 Defines the total size of the physical address space in bytes. For example, 474 for a 32 bit physical address space, this value should be ``(1ull << 32)``. 475 476 If the platform port uses the IO storage framework, the following constants 477 must also be defined: 478 479 - **#define : MAX\_IO\_DEVICES** 480 481 Defines the maximum number of registered IO devices. Attempting to register 482 more devices than this value using ``io_register_device()`` will fail with 483 -ENOMEM. 484 485 - **#define : MAX\_IO\_HANDLES** 486 487 Defines the maximum number of open IO handles. Attempting to open more IO 488 entities than this value using ``io_open()`` will fail with -ENOMEM. 489 490 - **#define : MAX\_IO\_BLOCK\_DEVICES** 491 492 Defines the maximum number of registered IO block devices. Attempting to 493 register more devices this value using ``io_dev_open()`` will fail 494 with -ENOMEM. MAX\_IO\_BLOCK\_DEVICES should be less than MAX\_IO\_DEVICES. 495 With this macro, multiple block devices could be supported at the same 496 time. 497 498 If the platform needs to allocate data within the per-cpu data framework in 499 BL31, it should define the following macro. Currently this is only required if 500 the platform decides not to use the coherent memory section by undefining the 501 ``USE_COHERENT_MEM`` build flag. In this case, the framework allocates the 502 required memory within the the per-cpu data to minimize wastage. 503 504 - **#define : PLAT\_PCPU\_DATA\_SIZE** 505 506 Defines the memory (in bytes) to be reserved within the per-cpu data 507 structure for use by the platform layer. 508 509 The following constants are optional. They should be defined when the platform 510 memory layout implies some image overlaying like in ARM standard platforms. 511 512 - **#define : BL31\_PROGBITS\_LIMIT** 513 514 Defines the maximum address in secure RAM that the BL31's progbits sections 515 can occupy. 516 517 - **#define : TSP\_PROGBITS\_LIMIT** 518 519 Defines the maximum address that the TSP's progbits sections can occupy. 520 521 If the platform port uses the PL061 GPIO driver, the following constant may 522 optionally be defined: 523 524 - **PLAT\_PL061\_MAX\_GPIOS** 525 Maximum number of GPIOs required by the platform. This allows control how 526 much memory is allocated for PL061 GPIO controllers. The default value is 527 528 #. $(eval $(call add\_define,PLAT\_PL061\_MAX\_GPIOS)) 529 530 If the platform port uses the partition driver, the following constant may 531 optionally be defined: 532 533 - **PLAT\_PARTITION\_MAX\_ENTRIES** 534 Maximum number of partition entries required by the platform. This allows 535 control how much memory is allocated for partition entries. The default 536 value is 128. 537 `For example, define the build flag in platform.mk`_: 538 PLAT\_PARTITION\_MAX\_ENTRIES := 12 539 $(eval $(call add\_define,PLAT\_PARTITION\_MAX\_ENTRIES)) 540 541 The following constant is optional. It should be defined to override the default 542 behaviour of the ``assert()`` function (for example, to save memory). 543 544 - **PLAT\_LOG\_LEVEL\_ASSERT** 545 If ``PLAT_LOG_LEVEL_ASSERT`` is higher or equal than ``LOG_LEVEL_VERBOSE``, 546 ``assert()`` prints the name of the file, the line number and the asserted 547 expression. Else if it is higher than ``LOG_LEVEL_INFO``, it prints the file 548 name and the line number. Else if it is lower than ``LOG_LEVEL_INFO``, it 549 doesn't print anything to the console. If ``PLAT_LOG_LEVEL_ASSERT`` isn't 550 defined, it defaults to ``LOG_LEVEL``. 551 552 File : plat\_macros.S [mandatory] 553 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 554 555 Each platform must ensure a file of this name is in the system include path with 556 the following macro defined. In the ARM development platforms, this file is 557 found in ``plat/arm/board/<plat_name>/include/plat_macros.S``. 558 559 - **Macro : plat\_crash\_print\_regs** 560 561 This macro allows the crash reporting routine to print relevant platform 562 registers in case of an unhandled exception in BL31. This aids in debugging 563 and this macro can be defined to be empty in case register reporting is not 564 desired. 565 566 For instance, GIC or interconnect registers may be helpful for 567 troubleshooting. 568 569 Handling Reset 570 -------------- 571 572 BL1 by default implements the reset vector where execution starts from a cold 573 or warm boot. BL31 can be optionally set as a reset vector using the 574 ``RESET_TO_BL31`` make variable. 575 576 For each CPU, the reset vector code is responsible for the following tasks: 577 578 #. Distinguishing between a cold boot and a warm boot. 579 580 #. In the case of a cold boot and the CPU being a secondary CPU, ensuring that 581 the CPU is placed in a platform-specific state until the primary CPU 582 performs the necessary steps to remove it from this state. 583 584 #. In the case of a warm boot, ensuring that the CPU jumps to a platform- 585 specific address in the BL31 image in the same processor mode as it was 586 when released from reset. 587 588 The following functions need to be implemented by the platform port to enable 589 reset vector code to perform the above tasks. 590 591 Function : plat\_get\_my\_entrypoint() [mandatory when PROGRAMMABLE\_RESET\_ADDRESS == 0] 592 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 593 594 :: 595 596 Argument : void 597 Return : uintptr_t 598 599 This function is called with the MMU and caches disabled 600 (``SCTLR_EL3.M`` = 0 and ``SCTLR_EL3.C`` = 0). The function is responsible for 601 distinguishing between a warm and cold reset for the current CPU using 602 platform-specific means. If it's a warm reset, then it returns the warm 603 reset entrypoint point provided to ``plat_setup_psci_ops()`` during 604 BL31 initialization. If it's a cold reset then this function must return zero. 605 606 This function does not follow the Procedure Call Standard used by the 607 Application Binary Interface for the ARM 64-bit architecture. The caller should 608 not assume that callee saved registers are preserved across a call to this 609 function. 610 611 This function fulfills requirement 1 and 3 listed above. 612 613 Note that for platforms that support programming the reset address, it is 614 expected that a CPU will start executing code directly at the right address, 615 both on a cold and warm reset. In this case, there is no need to identify the 616 type of reset nor to query the warm reset entrypoint. Therefore, implementing 617 this function is not required on such platforms. 618 619 Function : plat\_secondary\_cold\_boot\_setup() [mandatory when COLD\_BOOT\_SINGLE\_CPU == 0] 620 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 621 622 :: 623 624 Argument : void 625 626 This function is called with the MMU and data caches disabled. It is responsible 627 for placing the executing secondary CPU in a platform-specific state until the 628 primary CPU performs the necessary actions to bring it out of that state and 629 allow entry into the OS. This function must not return. 630 631 In the ARM FVP port, when using the normal boot flow, each secondary CPU powers 632 itself off. The primary CPU is responsible for powering up the secondary CPUs 633 when normal world software requires them. When booting an EL3 payload instead, 634 they stay powered on and are put in a holding pen until their mailbox gets 635 populated. 636 637 This function fulfills requirement 2 above. 638 639 Note that for platforms that can't release secondary CPUs out of reset, only the 640 primary CPU will execute the cold boot code. Therefore, implementing this 641 function is not required on such platforms. 642 643 Function : plat\_is\_my\_cpu\_primary() [mandatory when COLD\_BOOT\_SINGLE\_CPU == 0] 644 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 645 646 :: 647 648 Argument : void 649 Return : unsigned int 650 651 This function identifies whether the current CPU is the primary CPU or a 652 secondary CPU. A return value of zero indicates that the CPU is not the 653 primary CPU, while a non-zero return value indicates that the CPU is the 654 primary CPU. 655 656 Note that for platforms that can't release secondary CPUs out of reset, only the 657 primary CPU will execute the cold boot code. Therefore, there is no need to 658 distinguish between primary and secondary CPUs and implementing this function is 659 not required. 660 661 Function : platform\_mem\_init() [mandatory] 662 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 663 664 :: 665 666 Argument : void 667 Return : void 668 669 This function is called before any access to data is made by the firmware, in 670 order to carry out any essential memory initialization. 671 672 Function: plat\_get\_rotpk\_info() 673 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 674 675 :: 676 677 Argument : void *, void **, unsigned int *, unsigned int * 678 Return : int 679 680 This function is mandatory when Trusted Board Boot is enabled. It returns a 681 pointer to the ROTPK stored in the platform (or a hash of it) and its length. 682 The ROTPK must be encoded in DER format according to the following ASN.1 683 structure: 684 685 :: 686 687 AlgorithmIdentifier ::= SEQUENCE { 688 algorithm OBJECT IDENTIFIER, 689 parameters ANY DEFINED BY algorithm OPTIONAL 690 } 691 692 SubjectPublicKeyInfo ::= SEQUENCE { 693 algorithm AlgorithmIdentifier, 694 subjectPublicKey BIT STRING 695 } 696 697 In case the function returns a hash of the key: 698 699 :: 700 701 DigestInfo ::= SEQUENCE { 702 digestAlgorithm AlgorithmIdentifier, 703 digest OCTET STRING 704 } 705 706 The function returns 0 on success. Any other value is treated as error by the 707 Trusted Board Boot. The function also reports extra information related 708 to the ROTPK in the flags parameter: 709 710 :: 711 712 ROTPK_IS_HASH : Indicates that the ROTPK returned by the platform is a 713 hash. 714 ROTPK_NOT_DEPLOYED : This allows the platform to skip certificate ROTPK 715 verification while the platform ROTPK is not deployed. 716 When this flag is set, the function does not need to 717 return a platform ROTPK, and the authentication 718 framework uses the ROTPK in the certificate without 719 verifying it against the platform value. This flag 720 must not be used in a deployed production environment. 721 722 Function: plat\_get\_nv\_ctr() 723 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 724 725 :: 726 727 Argument : void *, unsigned int * 728 Return : int 729 730 This function is mandatory when Trusted Board Boot is enabled. It returns the 731 non-volatile counter value stored in the platform in the second argument. The 732 cookie in the first argument may be used to select the counter in case the 733 platform provides more than one (for example, on platforms that use the default 734 TBBR CoT, the cookie will correspond to the OID values defined in 735 TRUSTED\_FW\_NVCOUNTER\_OID or NON\_TRUSTED\_FW\_NVCOUNTER\_OID). 736 737 The function returns 0 on success. Any other value means the counter value could 738 not be retrieved from the platform. 739 740 Function: plat\_set\_nv\_ctr() 741 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 742 743 :: 744 745 Argument : void *, unsigned int 746 Return : int 747 748 This function is mandatory when Trusted Board Boot is enabled. It sets a new 749 counter value in the platform. The cookie in the first argument may be used to 750 select the counter (as explained in plat\_get\_nv\_ctr()). The second argument is 751 the updated counter value to be written to the NV counter. 752 753 The function returns 0 on success. Any other value means the counter value could 754 not be updated. 755 756 Function: plat\_set\_nv\_ctr2() 757 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 758 759 :: 760 761 Argument : void *, const auth_img_desc_t *, unsigned int 762 Return : int 763 764 This function is optional when Trusted Board Boot is enabled. If this 765 interface is defined, then ``plat_set_nv_ctr()`` need not be defined. The 766 first argument passed is a cookie and is typically used to 767 differentiate between a Non Trusted NV Counter and a Trusted NV 768 Counter. The second argument is a pointer to an authentication image 769 descriptor and may be used to decide if the counter is allowed to be 770 updated or not. The third argument is the updated counter value to 771 be written to the NV counter. 772 773 The function returns 0 on success. Any other value means the counter value 774 either could not be updated or the authentication image descriptor indicates 775 that it is not allowed to be updated. 776 777 Common mandatory function modifications 778 --------------------------------------- 779 780 The following functions are mandatory functions which need to be implemented 781 by the platform port. 782 783 Function : plat\_my\_core\_pos() 784 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 785 786 :: 787 788 Argument : void 789 Return : unsigned int 790 791 This funtion returns the index of the calling CPU which is used as a 792 CPU-specific linear index into blocks of memory (for example while allocating 793 per-CPU stacks). This function will be invoked very early in the 794 initialization sequence which mandates that this function should be 795 implemented in assembly and should not rely on the avalability of a C 796 runtime environment. This function can clobber x0 - x8 and must preserve 797 x9 - x29. 798 799 This function plays a crucial role in the power domain topology framework in 800 PSCI and details of this can be found in `Power Domain Topology Design`_. 801 802 Function : plat\_core\_pos\_by\_mpidr() 803 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 804 805 :: 806 807 Argument : u_register_t 808 Return : int 809 810 This function validates the ``MPIDR`` of a CPU and converts it to an index, 811 which can be used as a CPU-specific linear index into blocks of memory. In 812 case the ``MPIDR`` is invalid, this function returns -1. This function will only 813 be invoked by BL31 after the power domain topology is initialized and can 814 utilize the C runtime environment. For further details about how ARM Trusted 815 Firmware represents the power domain topology and how this relates to the 816 linear CPU index, please refer `Power Domain Topology Design`_. 817 818 Common optional modifications 819 ----------------------------- 820 821 The following are helper functions implemented by the firmware that perform 822 common platform-specific tasks. A platform may choose to override these 823 definitions. 824 825 Function : plat\_set\_my\_stack() 826 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 827 828 :: 829 830 Argument : void 831 Return : void 832 833 This function sets the current stack pointer to the normal memory stack that 834 has been allocated for the current CPU. For BL images that only require a 835 stack for the primary CPU, the UP version of the function is used. The size 836 of the stack allocated to each CPU is specified by the platform defined 837 constant ``PLATFORM_STACK_SIZE``. 838 839 Common implementations of this function for the UP and MP BL images are 840 provided in `plat/common/aarch64/platform\_up\_stack.S`_ and 841 `plat/common/aarch64/platform\_mp\_stack.S`_ 842 843 Function : plat\_get\_my\_stack() 844 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 845 846 :: 847 848 Argument : void 849 Return : uintptr_t 850 851 This function returns the base address of the normal memory stack that 852 has been allocated for the current CPU. For BL images that only require a 853 stack for the primary CPU, the UP version of the function is used. The size 854 of the stack allocated to each CPU is specified by the platform defined 855 constant ``PLATFORM_STACK_SIZE``. 856 857 Common implementations of this function for the UP and MP BL images are 858 provided in `plat/common/aarch64/platform\_up\_stack.S`_ and 859 `plat/common/aarch64/platform\_mp\_stack.S`_ 860 861 Function : plat\_report\_exception() 862 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 863 864 :: 865 866 Argument : unsigned int 867 Return : void 868 869 A platform may need to report various information about its status when an 870 exception is taken, for example the current exception level, the CPU security 871 state (secure/non-secure), the exception type, and so on. This function is 872 called in the following circumstances: 873 874 - In BL1, whenever an exception is taken. 875 - In BL2, whenever an exception is taken. 876 877 The default implementation doesn't do anything, to avoid making assumptions 878 about the way the platform displays its status information. 879 880 For AArch64, this function receives the exception type as its argument. 881 Possible values for exceptions types are listed in the 882 `include/common/bl\_common.h`_ header file. Note that these constants are not 883 related to any architectural exception code; they are just an ARM Trusted 884 Firmware convention. 885 886 For AArch32, this function receives the exception mode as its argument. 887 Possible values for exception modes are listed in the 888 `include/lib/aarch32/arch.h`_ header file. 889 890 Function : plat\_reset\_handler() 891 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 892 893 :: 894 895 Argument : void 896 Return : void 897 898 A platform may need to do additional initialization after reset. This function 899 allows the platform to do the platform specific intializations. Platform 900 specific errata workarounds could also be implemented here. The api should 901 preserve the values of callee saved registers x19 to x29. 902 903 The default implementation doesn't do anything. If a platform needs to override 904 the default implementation, refer to the `Firmware Design`_ for general 905 guidelines. 906 907 Function : plat\_disable\_acp() 908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 909 910 :: 911 912 Argument : void 913 Return : void 914 915 This api allows a platform to disable the Accelerator Coherency Port (if 916 present) during a cluster power down sequence. The default weak implementation 917 doesn't do anything. Since this api is called during the power down sequence, 918 it has restrictions for stack usage and it can use the registers x0 - x17 as 919 scratch registers. It should preserve the value in x18 register as it is used 920 by the caller to store the return address. 921 922 Function : plat\_error\_handler() 923 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 924 925 :: 926 927 Argument : int 928 Return : void 929 930 This API is called when the generic code encounters an error situation from 931 which it cannot continue. It allows the platform to perform error reporting or 932 recovery actions (for example, reset the system). This function must not return. 933 934 The parameter indicates the type of error using standard codes from ``errno.h``. 935 Possible errors reported by the generic code are: 936 937 - ``-EAUTH``: a certificate or image could not be authenticated (when Trusted 938 Board Boot is enabled) 939 - ``-ENOENT``: the requested image or certificate could not be found or an IO 940 error was detected 941 - ``-ENOMEM``: resources exhausted. Trusted Firmware does not use dynamic 942 memory, so this error is usually an indication of an incorrect array size 943 944 The default implementation simply spins. 945 946 Function : plat\_panic\_handler() 947 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 948 949 :: 950 951 Argument : void 952 Return : void 953 954 This API is called when the generic code encounters an unexpected error 955 situation from which it cannot recover. This function must not return, 956 and must be implemented in assembly because it may be called before the C 957 environment is initialized. 958 959 Note: The address from where it was called is stored in x30 (Link Register). 960 The default implementation simply spins. 961 962 Function : plat\_get\_bl\_image\_load\_info() 963 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 964 965 :: 966 967 Argument : void 968 Return : bl_load_info_t * 969 970 This function returns pointer to the list of images that the platform has 971 populated to load. This function is currently invoked in BL2 to load the 972 BL3xx images, when LOAD\_IMAGE\_V2 is enabled. 973 974 Function : plat\_get\_next\_bl\_params() 975 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 976 977 :: 978 979 Argument : void 980 Return : bl_params_t * 981 982 This function returns a pointer to the shared memory that the platform has 983 kept aside to pass trusted firmware related information that next BL image 984 needs. This function is currently invoked in BL2 to pass this information to 985 the next BL image, when LOAD\_IMAGE\_V2 is enabled. 986 987 Function : plat\_get\_stack\_protector\_canary() 988 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 989 990 :: 991 992 Argument : void 993 Return : u_register_t 994 995 This function returns a random value that is used to initialize the canary used 996 when the stack protector is enabled with ENABLE\_STACK\_PROTECTOR. A predictable 997 value will weaken the protection as the attacker could easily write the right 998 value as part of the attack most of the time. Therefore, it should return a 999 true random number. 1000 1001 Note: For the protection to be effective, the global data need to be placed at 1002 a lower address than the stack bases. Failure to do so would allow an attacker 1003 to overwrite the canary as part of the stack buffer overflow attack. 1004 1005 Function : plat\_flush\_next\_bl\_params() 1006 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1007 1008 :: 1009 1010 Argument : void 1011 Return : void 1012 1013 This function flushes to main memory all the image params that are passed to 1014 next image. This function is currently invoked in BL2 to flush this information 1015 to the next BL image, when LOAD\_IMAGE\_V2 is enabled. 1016 1017 Function : plat\_log\_get\_prefix() 1018 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1019 1020 :: 1021 1022 Argument : unsigned int 1023 Return : const char * 1024 1025 This function defines the prefix string corresponding to the `log_level` to be 1026 prepended to all the log output from ARM Trusted Firmware. The `log_level` 1027 (argument) will correspond to one of the standard log levels defined in 1028 debug.h. The platform can override the common implementation to define a 1029 different prefix string for the log output. The implementation should be 1030 robust to future changes that increase the number of log levels. 1031 1032 Modifications specific to a Boot Loader stage 1033 --------------------------------------------- 1034 1035 Boot Loader Stage 1 (BL1) 1036 ------------------------- 1037 1038 BL1 implements the reset vector where execution starts from after a cold or 1039 warm boot. For each CPU, BL1 is responsible for the following tasks: 1040 1041 #. Handling the reset as described in section 2.2 1042 1043 #. In the case of a cold boot and the CPU being the primary CPU, ensuring that 1044 only this CPU executes the remaining BL1 code, including loading and passing 1045 control to the BL2 stage. 1046 1047 #. Identifying and starting the Firmware Update process (if required). 1048 1049 #. Loading the BL2 image from non-volatile storage into secure memory at the 1050 address specified by the platform defined constant ``BL2_BASE``. 1051 1052 #. Populating a ``meminfo`` structure with the following information in memory, 1053 accessible by BL2 immediately upon entry. 1054 1055 :: 1056 1057 meminfo.total_base = Base address of secure RAM visible to BL2 1058 meminfo.total_size = Size of secure RAM visible to BL2 1059 meminfo.free_base = Base address of secure RAM available for 1060 allocation to BL2 1061 meminfo.free_size = Size of secure RAM available for allocation to BL2 1062 1063 BL1 places this ``meminfo`` structure at the beginning of the free memory 1064 available for its use. Since BL1 cannot allocate memory dynamically at the 1065 moment, its free memory will be available for BL2's use as-is. However, this 1066 means that BL2 must read the ``meminfo`` structure before it starts using its 1067 free memory (this is discussed in Section 3.2). 1068 1069 In future releases of the ARM Trusted Firmware it will be possible for 1070 the platform to decide where it wants to place the ``meminfo`` structure for 1071 BL2. 1072 1073 BL1 implements the ``bl1_init_bl2_mem_layout()`` function to populate the 1074 BL2 ``meminfo`` structure. The platform may override this implementation, for 1075 example if the platform wants to restrict the amount of memory visible to 1076 BL2. Details of how to do this are given below. 1077 1078 The following functions need to be implemented by the platform port to enable 1079 BL1 to perform the above tasks. 1080 1081 Function : bl1\_early\_platform\_setup() [mandatory] 1082 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1083 1084 :: 1085 1086 Argument : void 1087 Return : void 1088 1089 This function executes with the MMU and data caches disabled. It is only called 1090 by the primary CPU. 1091 1092 On ARM standard platforms, this function: 1093 1094 - Enables a secure instance of SP805 to act as the Trusted Watchdog. 1095 1096 - Initializes a UART (PL011 console), which enables access to the ``printf`` 1097 family of functions in BL1. 1098 1099 - Enables issuing of snoop and DVM (Distributed Virtual Memory) requests to 1100 the CCI slave interface corresponding to the cluster that includes the 1101 primary CPU. 1102 1103 Function : bl1\_plat\_arch\_setup() [mandatory] 1104 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1105 1106 :: 1107 1108 Argument : void 1109 Return : void 1110 1111 This function performs any platform-specific and architectural setup that the 1112 platform requires. Platform-specific setup might include configuration of 1113 memory controllers and the interconnect. 1114 1115 In ARM standard platforms, this function enables the MMU. 1116 1117 This function helps fulfill requirement 2 above. 1118 1119 Function : bl1\_platform\_setup() [mandatory] 1120 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1121 1122 :: 1123 1124 Argument : void 1125 Return : void 1126 1127 This function executes with the MMU and data caches enabled. It is responsible 1128 for performing any remaining platform-specific setup that can occur after the 1129 MMU and data cache have been enabled. 1130 1131 In ARM standard platforms, this function initializes the storage abstraction 1132 layer used to load the next bootloader image. 1133 1134 This function helps fulfill requirement 4 above. 1135 1136 Function : bl1\_plat\_sec\_mem\_layout() [mandatory] 1137 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1138 1139 :: 1140 1141 Argument : void 1142 Return : meminfo * 1143 1144 This function should only be called on the cold boot path. It executes with the 1145 MMU and data caches enabled. The pointer returned by this function must point to 1146 a ``meminfo`` structure containing the extents and availability of secure RAM for 1147 the BL1 stage. 1148 1149 :: 1150 1151 meminfo.total_base = Base address of secure RAM visible to BL1 1152 meminfo.total_size = Size of secure RAM visible to BL1 1153 meminfo.free_base = Base address of secure RAM available for allocation 1154 to BL1 1155 meminfo.free_size = Size of secure RAM available for allocation to BL1 1156 1157 This information is used by BL1 to load the BL2 image in secure RAM. BL1 also 1158 populates a similar structure to tell BL2 the extents of memory available for 1159 its own use. 1160 1161 This function helps fulfill requirements 4 and 5 above. 1162 1163 Function : bl1\_init\_bl2\_mem\_layout() [optional] 1164 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1165 1166 :: 1167 1168 Argument : meminfo *, meminfo * 1169 Return : void 1170 1171 BL1 needs to tell the next stage the amount of secure RAM available 1172 for it to use. This information is populated in a ``meminfo`` 1173 structure. 1174 1175 Depending upon where BL2 has been loaded in secure RAM (determined by 1176 ``BL2_BASE``), BL1 calculates the amount of free memory available for BL2 to use. 1177 BL1 also ensures that its data sections resident in secure RAM are not visible 1178 to BL2. An illustration of how this is done in ARM standard platforms is given 1179 in the **Memory layout on ARM development platforms** section in the 1180 `Firmware Design`_. 1181 1182 Function : bl1\_plat\_prepare\_exit() [optional] 1183 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1184 1185 :: 1186 1187 Argument : entry_point_info_t * 1188 Return : void 1189 1190 This function is called prior to exiting BL1 in response to the 1191 ``BL1_SMC_RUN_IMAGE`` SMC request raised by BL2. It should be used to perform 1192 platform specific clean up or bookkeeping operations before transferring 1193 control to the next image. It receives the address of the ``entry_point_info_t`` 1194 structure passed from BL2. This function runs with MMU disabled. 1195 1196 Function : bl1\_plat\_set\_ep\_info() [optional] 1197 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1198 1199 :: 1200 1201 Argument : unsigned int image_id, entry_point_info_t *ep_info 1202 Return : void 1203 1204 This function allows platforms to override ``ep_info`` for the given ``image_id``. 1205 1206 The default implementation just returns. 1207 1208 Function : bl1\_plat\_get\_next\_image\_id() [optional] 1209 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1210 1211 :: 1212 1213 Argument : void 1214 Return : unsigned int 1215 1216 This and the following function must be overridden to enable the FWU feature. 1217 1218 BL1 calls this function after platform setup to identify the next image to be 1219 loaded and executed. If the platform returns ``BL2_IMAGE_ID`` then BL1 proceeds 1220 with the normal boot sequence, which loads and executes BL2. If the platform 1221 returns a different image id, BL1 assumes that Firmware Update is required. 1222 1223 The default implementation always returns ``BL2_IMAGE_ID``. The ARM development 1224 platforms override this function to detect if firmware update is required, and 1225 if so, return the first image in the firmware update process. 1226 1227 Function : bl1\_plat\_get\_image\_desc() [optional] 1228 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1229 1230 :: 1231 1232 Argument : unsigned int image_id 1233 Return : image_desc_t * 1234 1235 BL1 calls this function to get the image descriptor information ``image_desc_t`` 1236 for the provided ``image_id`` from the platform. 1237 1238 The default implementation always returns a common BL2 image descriptor. ARM 1239 standard platforms return an image descriptor corresponding to BL2 or one of 1240 the firmware update images defined in the Trusted Board Boot Requirements 1241 specification. 1242 1243 Function : bl1\_plat\_fwu\_done() [optional] 1244 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1245 1246 :: 1247 1248 Argument : unsigned int image_id, uintptr_t image_src, 1249 unsigned int image_size 1250 Return : void 1251 1252 BL1 calls this function when the FWU process is complete. It must not return. 1253 The platform may override this function to take platform specific action, for 1254 example to initiate the normal boot flow. 1255 1256 The default implementation spins forever. 1257 1258 Function : bl1\_plat\_mem\_check() [mandatory] 1259 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1260 1261 :: 1262 1263 Argument : uintptr_t mem_base, unsigned int mem_size, 1264 unsigned int flags 1265 Return : int 1266 1267 BL1 calls this function while handling FWU related SMCs, more specifically when 1268 copying or authenticating an image. Its responsibility is to ensure that the 1269 region of memory identified by ``mem_base`` and ``mem_size`` is mapped in BL1, and 1270 that this memory corresponds to either a secure or non-secure memory region as 1271 indicated by the security state of the ``flags`` argument. 1272 1273 This function can safely assume that the value resulting from the addition of 1274 ``mem_base`` and ``mem_size`` fits into a ``uintptr_t`` type variable and does not 1275 overflow. 1276 1277 This function must return 0 on success, a non-null error code otherwise. 1278 1279 The default implementation of this function asserts therefore platforms must 1280 override it when using the FWU feature. 1281 1282 Boot Loader Stage 2 (BL2) 1283 ------------------------- 1284 1285 The BL2 stage is executed only by the primary CPU, which is determined in BL1 1286 using the ``platform_is_primary_cpu()`` function. BL1 passed control to BL2 at 1287 ``BL2_BASE``. BL2 executes in Secure EL1 and is responsible for: 1288 1289 #. (Optional) Loading the SCP\_BL2 binary image (if present) from platform 1290 provided non-volatile storage. To load the SCP\_BL2 image, BL2 makes use of 1291 the ``meminfo`` returned by the ``bl2_plat_get_scp_bl2_meminfo()`` function. 1292 The platform also defines the address in memory where SCP\_BL2 is loaded 1293 through the optional constant ``SCP_BL2_BASE``. BL2 uses this information 1294 to determine if there is enough memory to load the SCP\_BL2 image. 1295 Subsequent handling of the SCP\_BL2 image is platform-specific and is 1296 implemented in the ``bl2_plat_handle_scp_bl2()`` function. 1297 If ``SCP_BL2_BASE`` is not defined then this step is not performed. 1298 1299 #. Loading the BL31 binary image into secure RAM from non-volatile storage. To 1300 load the BL31 image, BL2 makes use of the ``meminfo`` structure passed to it 1301 by BL1. This structure allows BL2 to calculate how much secure RAM is 1302 available for its use. The platform also defines the address in secure RAM 1303 where BL31 is loaded through the constant ``BL31_BASE``. BL2 uses this 1304 information to determine if there is enough memory to load the BL31 image. 1305 1306 #. (Optional) Loading the BL32 binary image (if present) from platform 1307 provided non-volatile storage. To load the BL32 image, BL2 makes use of 1308 the ``meminfo`` returned by the ``bl2_plat_get_bl32_meminfo()`` function. 1309 The platform also defines the address in memory where BL32 is loaded 1310 through the optional constant ``BL32_BASE``. BL2 uses this information 1311 to determine if there is enough memory to load the BL32 image. 1312 If ``BL32_BASE`` is not defined then this and the next step is not performed. 1313 1314 #. (Optional) Arranging to pass control to the BL32 image (if present) that 1315 has been pre-loaded at ``BL32_BASE``. BL2 populates an ``entry_point_info`` 1316 structure in memory provided by the platform with information about how 1317 BL31 should pass control to the BL32 image. 1318 1319 #. (Optional) Loading the normal world BL33 binary image (if not loaded by 1320 other means) into non-secure DRAM from platform storage and arranging for 1321 BL31 to pass control to this image. This address is determined using the 1322 ``plat_get_ns_image_entrypoint()`` function described below. 1323 1324 #. BL2 populates an ``entry_point_info`` structure in memory provided by the 1325 platform with information about how BL31 should pass control to the 1326 other BL images. 1327 1328 The following functions must be implemented by the platform port to enable BL2 1329 to perform the above tasks. 1330 1331 Function : bl2\_early\_platform\_setup() [mandatory] 1332 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1333 1334 :: 1335 1336 Argument : meminfo * 1337 Return : void 1338 1339 This function executes with the MMU and data caches disabled. It is only called 1340 by the primary CPU. The arguments to this function is the address of the 1341 ``meminfo`` structure populated by BL1. 1342 1343 The platform may copy the contents of the ``meminfo`` structure into a private 1344 variable as the original memory may be subsequently overwritten by BL2. The 1345 copied structure is made available to all BL2 code through the 1346 ``bl2_plat_sec_mem_layout()`` function. 1347 1348 On ARM standard platforms, this function also: 1349 1350 - Initializes a UART (PL011 console), which enables access to the ``printf`` 1351 family of functions in BL2. 1352 1353 - Initializes the storage abstraction layer used to load further bootloader 1354 images. It is necessary to do this early on platforms with a SCP\_BL2 image, 1355 since the later ``bl2_platform_setup`` must be done after SCP\_BL2 is loaded. 1356 1357 Function : bl2\_plat\_arch\_setup() [mandatory] 1358 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1359 1360 :: 1361 1362 Argument : void 1363 Return : void 1364 1365 This function executes with the MMU and data caches disabled. It is only called 1366 by the primary CPU. 1367 1368 The purpose of this function is to perform any architectural initialization 1369 that varies across platforms. 1370 1371 On ARM standard platforms, this function enables the MMU. 1372 1373 Function : bl2\_platform\_setup() [mandatory] 1374 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1375 1376 :: 1377 1378 Argument : void 1379 Return : void 1380 1381 This function may execute with the MMU and data caches enabled if the platform 1382 port does the necessary initialization in ``bl2_plat_arch_setup()``. It is only 1383 called by the primary CPU. 1384 1385 The purpose of this function is to perform any platform initialization 1386 specific to BL2. 1387 1388 In ARM standard platforms, this function performs security setup, including 1389 configuration of the TrustZone controller to allow non-secure masters access 1390 to most of DRAM. Part of DRAM is reserved for secure world use. 1391 1392 Function : bl2\_plat\_sec\_mem\_layout() [mandatory] 1393 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1394 1395 :: 1396 1397 Argument : void 1398 Return : meminfo * 1399 1400 This function should only be called on the cold boot path. It may execute with 1401 the MMU and data caches enabled if the platform port does the necessary 1402 initialization in ``bl2_plat_arch_setup()``. It is only called by the primary CPU. 1403 1404 The purpose of this function is to return a pointer to a ``meminfo`` structure 1405 populated with the extents of secure RAM available for BL2 to use. See 1406 ``bl2_early_platform_setup()`` above. 1407 1408 Following function is required only when LOAD\_IMAGE\_V2 is enabled. 1409 1410 Function : bl2\_plat\_handle\_post\_image\_load() [mandatory] 1411 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1412 1413 :: 1414 1415 Argument : unsigned int 1416 Return : int 1417 1418 This function can be used by the platforms to update/use image information 1419 for given ``image_id``. This function is currently invoked in BL2 to handle 1420 BL image specific information based on the ``image_id`` passed, when 1421 LOAD\_IMAGE\_V2 is enabled. 1422 1423 Following functions are required only when LOAD\_IMAGE\_V2 is disabled. 1424 1425 Function : bl2\_plat\_get\_scp\_bl2\_meminfo() [mandatory] 1426 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1427 1428 :: 1429 1430 Argument : meminfo * 1431 Return : void 1432 1433 This function is used to get the memory limits where BL2 can load the 1434 SCP\_BL2 image. The meminfo provided by this is used by load\_image() to 1435 validate whether the SCP\_BL2 image can be loaded within the given 1436 memory from the given base. 1437 1438 Function : bl2\_plat\_handle\_scp\_bl2() [mandatory] 1439 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1440 1441 :: 1442 1443 Argument : image_info * 1444 Return : int 1445 1446 This function is called after loading SCP\_BL2 image and it is used to perform 1447 any platform-specific actions required to handle the SCP firmware. Typically it 1448 transfers the image into SCP memory using a platform-specific protocol and waits 1449 until SCP executes it and signals to the Application Processor (AP) for BL2 1450 execution to continue. 1451 1452 This function returns 0 on success, a negative error code otherwise. 1453 1454 Function : bl2\_plat\_get\_bl31\_params() [mandatory] 1455 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1456 1457 :: 1458 1459 Argument : void 1460 Return : bl31_params * 1461 1462 BL2 platform code needs to return a pointer to a ``bl31_params`` structure it 1463 will use for passing information to BL31. The ``bl31_params`` structure carries 1464 the following information. 1465 - Header describing the version information for interpreting the bl31\_param 1466 structure 1467 - Information about executing the BL33 image in the ``bl33_ep_info`` field 1468 - Information about executing the BL32 image in the ``bl32_ep_info`` field 1469 - Information about the type and extents of BL31 image in the 1470 ``bl31_image_info`` field 1471 - Information about the type and extents of BL32 image in the 1472 ``bl32_image_info`` field 1473 - Information about the type and extents of BL33 image in the 1474 ``bl33_image_info`` field 1475 1476 The memory pointed by this structure and its sub-structures should be 1477 accessible from BL31 initialisation code. BL31 might choose to copy the 1478 necessary content, or maintain the structures until BL33 is initialised. 1479 1480 Funtion : bl2\_plat\_get\_bl31\_ep\_info() [mandatory] 1481 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1482 1483 :: 1484 1485 Argument : void 1486 Return : entry_point_info * 1487 1488 BL2 platform code returns a pointer which is used to populate the entry point 1489 information for BL31 entry point. The location pointed by it should be 1490 accessible from BL1 while processing the synchronous exception to run to BL31. 1491 1492 In ARM standard platforms this is allocated inside a bl2\_to\_bl31\_params\_mem 1493 structure in BL2 memory. 1494 1495 Function : bl2\_plat\_set\_bl31\_ep\_info() [mandatory] 1496 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1497 1498 :: 1499 1500 Argument : image_info *, entry_point_info * 1501 Return : void 1502 1503 In the normal boot flow, this function is called after loading BL31 image and 1504 it can be used to overwrite the entry point set by loader and also set the 1505 security state and SPSR which represents the entry point system state for BL31. 1506 1507 When booting an EL3 payload instead, this function is called after populating 1508 its entry point address and can be used for the same purpose for the payload 1509 image. It receives a null pointer as its first argument in this case. 1510 1511 Function : bl2\_plat\_set\_bl32\_ep\_info() [mandatory] 1512 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1513 1514 :: 1515 1516 Argument : image_info *, entry_point_info * 1517 Return : void 1518 1519 This function is called after loading BL32 image and it can be used to 1520 overwrite the entry point set by loader and also set the security state 1521 and SPSR which represents the entry point system state for BL32. 1522 1523 Function : bl2\_plat\_set\_bl33\_ep\_info() [mandatory] 1524 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1525 1526 :: 1527 1528 Argument : image_info *, entry_point_info * 1529 Return : void 1530 1531 This function is called after loading BL33 image and it can be used to 1532 overwrite the entry point set by loader and also set the security state 1533 and SPSR which represents the entry point system state for BL33. 1534 1535 In the preloaded BL33 alternative boot flow, this function is called after 1536 populating its entry point address. It is passed a null pointer as its first 1537 argument in this case. 1538 1539 Function : bl2\_plat\_get\_bl32\_meminfo() [mandatory] 1540 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1541 1542 :: 1543 1544 Argument : meminfo * 1545 Return : void 1546 1547 This function is used to get the memory limits where BL2 can load the 1548 BL32 image. The meminfo provided by this is used by load\_image() to 1549 validate whether the BL32 image can be loaded with in the given 1550 memory from the given base. 1551 1552 Function : bl2\_plat\_get\_bl33\_meminfo() [mandatory] 1553 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1554 1555 :: 1556 1557 Argument : meminfo * 1558 Return : void 1559 1560 This function is used to get the memory limits where BL2 can load the 1561 BL33 image. The meminfo provided by this is used by load\_image() to 1562 validate whether the BL33 image can be loaded with in the given 1563 memory from the given base. 1564 1565 This function isn't needed if either ``PRELOADED_BL33_BASE`` or ``EL3_PAYLOAD_BASE`` 1566 build options are used. 1567 1568 Function : bl2\_plat\_flush\_bl31\_params() [mandatory] 1569 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1570 1571 :: 1572 1573 Argument : void 1574 Return : void 1575 1576 Once BL2 has populated all the structures that needs to be read by BL1 1577 and BL31 including the bl31\_params structures and its sub-structures, 1578 the bl31\_ep\_info structure and any platform specific data. It flushes 1579 all these data to the main memory so that it is available when we jump to 1580 later Bootloader stages with MMU off 1581 1582 Function : plat\_get\_ns\_image\_entrypoint() [mandatory] 1583 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1584 1585 :: 1586 1587 Argument : void 1588 Return : uintptr_t 1589 1590 As previously described, BL2 is responsible for arranging for control to be 1591 passed to a normal world BL image through BL31. This function returns the 1592 entrypoint of that image, which BL31 uses to jump to it. 1593 1594 BL2 is responsible for loading the normal world BL33 image (e.g. UEFI). 1595 1596 This function isn't needed if either ``PRELOADED_BL33_BASE`` or ``EL3_PAYLOAD_BASE`` 1597 build options are used. 1598 1599 Function : bl2\_plat\_preload\_setup [optional] 1600 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1601 1602 :: 1603 Argument : void 1604 Return : void 1605 1606 This optional function performs any BL2 platform initialization 1607 required before image loading, that is not done later in 1608 bl2\_platform\_setup(). Specifically, if support for multiple 1609 boot sources is required, it initializes the boot sequence used by 1610 plat\_try\_next\_boot\_source(). 1611 1612 Function : plat\_try\_next\_boot\_source() [optional] 1613 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1614 1615 :: 1616 Argument : void 1617 Return : int 1618 1619 This optional function passes to the next boot source in the redundancy 1620 sequence. 1621 1622 This function moves the current boot redundancy source to the next 1623 element in the boot sequence. If there are no more boot sources then it 1624 must return 0, otherwise it must return 1. The default implementation 1625 of this always returns 0. 1626 1627 FWU Boot Loader Stage 2 (BL2U) 1628 ------------------------------ 1629 1630 The AP Firmware Updater Configuration, BL2U, is an optional part of the FWU 1631 process and is executed only by the primary CPU. BL1 passes control to BL2U at 1632 ``BL2U_BASE``. BL2U executes in Secure-EL1 and is responsible for: 1633 1634 #. (Optional) Transfering the optional SCP\_BL2U binary image from AP secure 1635 memory to SCP RAM. BL2U uses the SCP\_BL2U ``image_info`` passed by BL1. 1636 ``SCP_BL2U_BASE`` defines the address in AP secure memory where SCP\_BL2U 1637 should be copied from. Subsequent handling of the SCP\_BL2U image is 1638 implemented by the platform specific ``bl2u_plat_handle_scp_bl2u()`` function. 1639 If ``SCP_BL2U_BASE`` is not defined then this step is not performed. 1640 1641 #. Any platform specific setup required to perform the FWU process. For 1642 example, ARM standard platforms initialize the TZC controller so that the 1643 normal world can access DDR memory. 1644 1645 The following functions must be implemented by the platform port to enable 1646 BL2U to perform the tasks mentioned above. 1647 1648 Function : bl2u\_early\_platform\_setup() [mandatory] 1649 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1650 1651 :: 1652 1653 Argument : meminfo *mem_info, void *plat_info 1654 Return : void 1655 1656 This function executes with the MMU and data caches disabled. It is only 1657 called by the primary CPU. The arguments to this function is the address 1658 of the ``meminfo`` structure and platform specific info provided by BL1. 1659 1660 The platform may copy the contents of the ``mem_info`` and ``plat_info`` into 1661 private storage as the original memory may be subsequently overwritten by BL2U. 1662 1663 On ARM CSS platforms ``plat_info`` is interpreted as an ``image_info_t`` structure, 1664 to extract SCP\_BL2U image information, which is then copied into a private 1665 variable. 1666 1667 Function : bl2u\_plat\_arch\_setup() [mandatory] 1668 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1669 1670 :: 1671 1672 Argument : void 1673 Return : void 1674 1675 This function executes with the MMU and data caches disabled. It is only 1676 called by the primary CPU. 1677 1678 The purpose of this function is to perform any architectural initialization 1679 that varies across platforms, for example enabling the MMU (since the memory 1680 map differs across platforms). 1681 1682 Function : bl2u\_platform\_setup() [mandatory] 1683 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1684 1685 :: 1686 1687 Argument : void 1688 Return : void 1689 1690 This function may execute with the MMU and data caches enabled if the platform 1691 port does the necessary initialization in ``bl2u_plat_arch_setup()``. It is only 1692 called by the primary CPU. 1693 1694 The purpose of this function is to perform any platform initialization 1695 specific to BL2U. 1696 1697 In ARM standard platforms, this function performs security setup, including 1698 configuration of the TrustZone controller to allow non-secure masters access 1699 to most of DRAM. Part of DRAM is reserved for secure world use. 1700 1701 Function : bl2u\_plat\_handle\_scp\_bl2u() [optional] 1702 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1703 1704 :: 1705 1706 Argument : void 1707 Return : int 1708 1709 This function is used to perform any platform-specific actions required to 1710 handle the SCP firmware. Typically it transfers the image into SCP memory using 1711 a platform-specific protocol and waits until SCP executes it and signals to the 1712 Application Processor (AP) for BL2U execution to continue. 1713 1714 This function returns 0 on success, a negative error code otherwise. 1715 This function is included if SCP\_BL2U\_BASE is defined. 1716 1717 Boot Loader Stage 3-1 (BL31) 1718 ---------------------------- 1719 1720 During cold boot, the BL31 stage is executed only by the primary CPU. This is 1721 determined in BL1 using the ``platform_is_primary_cpu()`` function. BL1 passes 1722 control to BL31 at ``BL31_BASE``. During warm boot, BL31 is executed by all 1723 CPUs. BL31 executes at EL3 and is responsible for: 1724 1725 #. Re-initializing all architectural and platform state. Although BL1 performs 1726 some of this initialization, BL31 remains resident in EL3 and must ensure 1727 that EL3 architectural and platform state is completely initialized. It 1728 should make no assumptions about the system state when it receives control. 1729 1730 #. Passing control to a normal world BL image, pre-loaded at a platform- 1731 specific address by BL2. BL31 uses the ``entry_point_info`` structure that BL2 1732 populated in memory to do this. 1733 1734 #. Providing runtime firmware services. Currently, BL31 only implements a 1735 subset of the Power State Coordination Interface (PSCI) API as a runtime 1736 service. See Section 3.3 below for details of porting the PSCI 1737 implementation. 1738 1739 #. Optionally passing control to the BL32 image, pre-loaded at a platform- 1740 specific address by BL2. BL31 exports a set of apis that allow runtime 1741 services to specify the security state in which the next image should be 1742 executed and run the corresponding image. BL31 uses the ``entry_point_info`` 1743 structure populated by BL2 to do this. 1744 1745 If BL31 is a reset vector, It also needs to handle the reset as specified in 1746 section 2.2 before the tasks described above. 1747 1748 The following functions must be implemented by the platform port to enable BL31 1749 to perform the above tasks. 1750 1751 Function : bl31\_early\_platform\_setup() [mandatory] 1752 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1753 1754 :: 1755 1756 Argument : bl31_params *, void * 1757 Return : void 1758 1759 This function executes with the MMU and data caches disabled. It is only called 1760 by the primary CPU. The arguments to this function are: 1761 1762 - The address of the ``bl31_params`` structure populated by BL2. 1763 - An opaque pointer that the platform may use as needed. 1764 1765 The platform can copy the contents of the ``bl31_params`` structure and its 1766 sub-structures into private variables if the original memory may be 1767 subsequently overwritten by BL31 and similarly the ``void *`` pointing 1768 to the platform data also needs to be saved. 1769 1770 In ARM standard platforms, BL2 passes a pointer to a ``bl31_params`` structure 1771 in BL2 memory. BL31 copies the information in this pointer to internal data 1772 structures. It also performs the following: 1773 1774 - Initialize a UART (PL011 console), which enables access to the ``printf`` 1775 family of functions in BL31. 1776 1777 - Enable issuing of snoop and DVM (Distributed Virtual Memory) requests to the 1778 CCI slave interface corresponding to the cluster that includes the primary 1779 CPU. 1780 1781 Function : bl31\_plat\_arch\_setup() [mandatory] 1782 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1783 1784 :: 1785 1786 Argument : void 1787 Return : void 1788 1789 This function executes with the MMU and data caches disabled. It is only called 1790 by the primary CPU. 1791 1792 The purpose of this function is to perform any architectural initialization 1793 that varies across platforms. 1794 1795 On ARM standard platforms, this function enables the MMU. 1796 1797 Function : bl31\_platform\_setup() [mandatory] 1798 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1799 1800 :: 1801 1802 Argument : void 1803 Return : void 1804 1805 This function may execute with the MMU and data caches enabled if the platform 1806 port does the necessary initialization in ``bl31_plat_arch_setup()``. It is only 1807 called by the primary CPU. 1808 1809 The purpose of this function is to complete platform initialization so that both 1810 BL31 runtime services and normal world software can function correctly. 1811 1812 On ARM standard platforms, this function does the following: 1813 1814 - Initialize the generic interrupt controller. 1815 1816 Depending on the GIC driver selected by the platform, the appropriate GICv2 1817 or GICv3 initialization will be done, which mainly consists of: 1818 1819 - Enable secure interrupts in the GIC CPU interface. 1820 - Disable the legacy interrupt bypass mechanism. 1821 - Configure the priority mask register to allow interrupts of all priorities 1822 to be signaled to the CPU interface. 1823 - Mark SGIs 8-15 and the other secure interrupts on the platform as secure. 1824 - Target all secure SPIs to CPU0. 1825 - Enable these secure interrupts in the GIC distributor. 1826 - Configure all other interrupts as non-secure. 1827 - Enable signaling of secure interrupts in the GIC distributor. 1828 1829 - Enable system-level implementation of the generic timer counter through the 1830 memory mapped interface. 1831 1832 - Grant access to the system counter timer module 1833 1834 - Initialize the power controller device. 1835 1836 In particular, initialise the locks that prevent concurrent accesses to the 1837 power controller device. 1838 1839 Function : bl31\_plat\_runtime\_setup() [optional] 1840 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1841 1842 :: 1843 1844 Argument : void 1845 Return : void 1846 1847 The purpose of this function is allow the platform to perform any BL31 runtime 1848 setup just prior to BL31 exit during cold boot. The default weak 1849 implementation of this function will invoke ``console_uninit()`` which will 1850 suppress any BL31 runtime logs. 1851 1852 In ARM Standard platforms, this function will initialize the BL31 runtime 1853 console which will cause all further BL31 logs to be output to the 1854 runtime console. 1855 1856 Function : bl31\_get\_next\_image\_info() [mandatory] 1857 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1858 1859 :: 1860 1861 Argument : unsigned int 1862 Return : entry_point_info * 1863 1864 This function may execute with the MMU and data caches enabled if the platform 1865 port does the necessary initializations in ``bl31_plat_arch_setup()``. 1866 1867 This function is called by ``bl31_main()`` to retrieve information provided by 1868 BL2 for the next image in the security state specified by the argument. BL31 1869 uses this information to pass control to that image in the specified security 1870 state. This function must return a pointer to the ``entry_point_info`` structure 1871 (that was copied during ``bl31_early_platform_setup()``) if the image exists. It 1872 should return NULL otherwise. 1873 1874 Function : plat\_get\_syscnt\_freq2() [mandatory] 1875 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1876 1877 :: 1878 1879 Argument : void 1880 Return : unsigned int 1881 1882 This function is used by the architecture setup code to retrieve the counter 1883 frequency for the CPU's generic timer. This value will be programmed into the 1884 ``CNTFRQ_EL0`` register. In ARM standard platforms, it returns the base frequency 1885 of the system counter, which is retrieved from the first entry in the frequency 1886 modes table. 1887 1888 #define : PLAT\_PERCPU\_BAKERY\_LOCK\_SIZE [optional] 1889 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1890 1891 When ``USE_COHERENT_MEM = 0``, this constant defines the total memory (in 1892 bytes) aligned to the cache line boundary that should be allocated per-cpu to 1893 accommodate all the bakery locks. 1894 1895 If this constant is not defined when ``USE_COHERENT_MEM = 0``, the linker 1896 calculates the size of the ``bakery_lock`` input section, aligns it to the 1897 nearest ``CACHE_WRITEBACK_GRANULE``, multiplies it with ``PLATFORM_CORE_COUNT`` 1898 and stores the result in a linker symbol. This constant prevents a platform 1899 from relying on the linker and provide a more efficient mechanism for 1900 accessing per-cpu bakery lock information. 1901 1902 If this constant is defined and its value is not equal to the value 1903 calculated by the linker then a link time assertion is raised. A compile time 1904 assertion is raised if the value of the constant is not aligned to the cache 1905 line boundary. 1906 1907 Power State Coordination Interface (in BL31) 1908 -------------------------------------------- 1909 1910 The ARM Trusted Firmware's implementation of the PSCI API is based around the 1911 concept of a *power domain*. A *power domain* is a CPU or a logical group of 1912 CPUs which share some state on which power management operations can be 1913 performed as specified by `PSCI`_. Each CPU in the system is assigned a cpu 1914 index which is a unique number between ``0`` and ``PLATFORM_CORE_COUNT - 1``. 1915 The *power domains* are arranged in a hierarchical tree structure and 1916 each *power domain* can be identified in a system by the cpu index of any CPU 1917 that is part of that domain and a *power domain level*. A processing element 1918 (for example, a CPU) is at level 0. If the *power domain* node above a CPU is 1919 a logical grouping of CPUs that share some state, then level 1 is that group 1920 of CPUs (for example, a cluster), and level 2 is a group of clusters 1921 (for example, the system). More details on the power domain topology and its 1922 organization can be found in `Power Domain Topology Design`_. 1923 1924 BL31's platform initialization code exports a pointer to the platform-specific 1925 power management operations required for the PSCI implementation to function 1926 correctly. This information is populated in the ``plat_psci_ops`` structure. The 1927 PSCI implementation calls members of the ``plat_psci_ops`` structure for performing 1928 power management operations on the power domains. For example, the target 1929 CPU is specified by its ``MPIDR`` in a PSCI ``CPU_ON`` call. The ``pwr_domain_on()`` 1930 handler (if present) is called for the CPU power domain. 1931 1932 The ``power-state`` parameter of a PSCI ``CPU_SUSPEND`` call can be used to 1933 describe composite power states specific to a platform. The PSCI implementation 1934 defines a generic representation of the power-state parameter viz which is an 1935 array of local power states where each index corresponds to a power domain 1936 level. Each entry contains the local power state the power domain at that power 1937 level could enter. It depends on the ``validate_power_state()`` handler to 1938 convert the power-state parameter (possibly encoding a composite power state) 1939 passed in a PSCI ``CPU_SUSPEND`` call to this representation. 1940 1941 The following functions form part of platform port of PSCI functionality. 1942 1943 Function : plat\_psci\_stat\_accounting\_start() [optional] 1944 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1945 1946 :: 1947 1948 Argument : const psci_power_state_t * 1949 Return : void 1950 1951 This is an optional hook that platforms can implement for residency statistics 1952 accounting before entering a low power state. The ``pwr_domain_state`` field of 1953 ``state_info`` (first argument) can be inspected if stat accounting is done 1954 differently at CPU level versus higher levels. As an example, if the element at 1955 index 0 (CPU power level) in the ``pwr_domain_state`` array indicates a power down 1956 state, special hardware logic may be programmed in order to keep track of the 1957 residency statistics. For higher levels (array indices > 0), the residency 1958 statistics could be tracked in software using PMF. If ``ENABLE_PMF`` is set, the 1959 default implementation will use PMF to capture timestamps. 1960 1961 Function : plat\_psci\_stat\_accounting\_stop() [optional] 1962 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1963 1964 :: 1965 1966 Argument : const psci_power_state_t * 1967 Return : void 1968 1969 This is an optional hook that platforms can implement for residency statistics 1970 accounting after exiting from a low power state. The ``pwr_domain_state`` field 1971 of ``state_info`` (first argument) can be inspected if stat accounting is done 1972 differently at CPU level versus higher levels. As an example, if the element at 1973 index 0 (CPU power level) in the ``pwr_domain_state`` array indicates a power down 1974 state, special hardware logic may be programmed in order to keep track of the 1975 residency statistics. For higher levels (array indices > 0), the residency 1976 statistics could be tracked in software using PMF. If ``ENABLE_PMF`` is set, the 1977 default implementation will use PMF to capture timestamps. 1978 1979 Function : plat\_psci\_stat\_get\_residency() [optional] 1980 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1981 1982 :: 1983 1984 Argument : unsigned int, const psci_power_state_t *, int 1985 Return : u_register_t 1986 1987 This is an optional interface that is is invoked after resuming from a low power 1988 state and provides the time spent resident in that low power state by the power 1989 domain at a particular power domain level. When a CPU wakes up from suspend, 1990 all its parent power domain levels are also woken up. The generic PSCI code 1991 invokes this function for each parent power domain that is resumed and it 1992 identified by the ``lvl`` (first argument) parameter. The ``state_info`` (second 1993 argument) describes the low power state that the power domain has resumed from. 1994 The current CPU is the first CPU in the power domain to resume from the low 1995 power state and the ``last_cpu_idx`` (third parameter) is the index of the last 1996 CPU in the power domain to suspend and may be needed to calculate the residency 1997 for that power domain. 1998 1999 Function : plat\_get\_target\_pwr\_state() [optional] 2000 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2001 2002 :: 2003 2004 Argument : unsigned int, const plat_local_state_t *, unsigned int 2005 Return : plat_local_state_t 2006 2007 The PSCI generic code uses this function to let the platform participate in 2008 state coordination during a power management operation. The function is passed 2009 a pointer to an array of platform specific local power state ``states`` (second 2010 argument) which contains the requested power state for each CPU at a particular 2011 power domain level ``lvl`` (first argument) within the power domain. The function 2012 is expected to traverse this array of upto ``ncpus`` (third argument) and return 2013 a coordinated target power state by the comparing all the requested power 2014 states. The target power state should not be deeper than any of the requested 2015 power states. 2016 2017 A weak definition of this API is provided by default wherein it assumes 2018 that the platform assigns a local state value in order of increasing depth 2019 of the power state i.e. for two power states X & Y, if X < Y 2020 then X represents a shallower power state than Y. As a result, the 2021 coordinated target local power state for a power domain will be the minimum 2022 of the requested local power state values. 2023 2024 Function : plat\_get\_power\_domain\_tree\_desc() [mandatory] 2025 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2026 2027 :: 2028 2029 Argument : void 2030 Return : const unsigned char * 2031 2032 This function returns a pointer to the byte array containing the power domain 2033 topology tree description. The format and method to construct this array are 2034 described in `Power Domain Topology Design`_. The BL31 PSCI initilization code 2035 requires this array to be described by the platform, either statically or 2036 dynamically, to initialize the power domain topology tree. In case the array 2037 is populated dynamically, then plat\_core\_pos\_by\_mpidr() and 2038 plat\_my\_core\_pos() should also be implemented suitably so that the topology 2039 tree description matches the CPU indices returned by these APIs. These APIs 2040 together form the platform interface for the PSCI topology framework. 2041 2042 Function : plat\_setup\_psci\_ops() [mandatory] 2043 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2044 2045 :: 2046 2047 Argument : uintptr_t, const plat_psci_ops ** 2048 Return : int 2049 2050 This function may execute with the MMU and data caches enabled if the platform 2051 port does the necessary initializations in ``bl31_plat_arch_setup()``. It is only 2052 called by the primary CPU. 2053 2054 This function is called by PSCI initialization code. Its purpose is to let 2055 the platform layer know about the warm boot entrypoint through the 2056 ``sec_entrypoint`` (first argument) and to export handler routines for 2057 platform-specific psci power management actions by populating the passed 2058 pointer with a pointer to BL31's private ``plat_psci_ops`` structure. 2059 2060 A description of each member of this structure is given below. Please refer to 2061 the ARM FVP specific implementation of these handlers in 2062 `plat/arm/board/fvp/fvp\_pm.c`_ as an example. For each PSCI function that the 2063 platform wants to support, the associated operation or operations in this 2064 structure must be provided and implemented (Refer section 4 of 2065 `Firmware Design`_ for the PSCI API supported in Trusted Firmware). To disable 2066 a PSCI function in a platform port, the operation should be removed from this 2067 structure instead of providing an empty implementation. 2068 2069 plat\_psci\_ops.cpu\_standby() 2070 .............................. 2071 2072 Perform the platform-specific actions to enter the standby state for a cpu 2073 indicated by the passed argument. This provides a fast path for CPU standby 2074 wherein overheads of PSCI state management and lock acquistion is avoided. 2075 For this handler to be invoked by the PSCI ``CPU_SUSPEND`` API implementation, 2076 the suspend state type specified in the ``power-state`` parameter should be 2077 STANDBY and the target power domain level specified should be the CPU. The 2078 handler should put the CPU into a low power retention state (usually by 2079 issuing a wfi instruction) and ensure that it can be woken up from that 2080 state by a normal interrupt. The generic code expects the handler to succeed. 2081 2082 plat\_psci\_ops.pwr\_domain\_on() 2083 ................................. 2084 2085 Perform the platform specific actions to power on a CPU, specified 2086 by the ``MPIDR`` (first argument). The generic code expects the platform to 2087 return PSCI\_E\_SUCCESS on success or PSCI\_E\_INTERN\_FAIL for any failure. 2088 2089 plat\_psci\_ops.pwr\_domain\_off() 2090 .................................. 2091 2092 Perform the platform specific actions to prepare to power off the calling CPU 2093 and its higher parent power domain levels as indicated by the ``target_state`` 2094 (first argument). It is called by the PSCI ``CPU_OFF`` API implementation. 2095 2096 The ``target_state`` encodes the platform coordinated target local power states 2097 for the CPU power domain and its parent power domain levels. The handler 2098 needs to perform power management operation corresponding to the local state 2099 at each power level. 2100 2101 For this handler, the local power state for the CPU power domain will be a 2102 power down state where as it could be either power down, retention or run state 2103 for the higher power domain levels depending on the result of state 2104 coordination. The generic code expects the handler to succeed. 2105 2106 plat\_psci\_ops.pwr\_domain\_suspend\_pwrdown\_early() [optional] 2107 ................................................................. 2108 2109 This optional function may be used as a performance optimization to replace 2110 or complement pwr_domain_suspend() on some platforms. Its calling semantics 2111 are identical to pwr_domain_suspend(), except the PSCI implementation only 2112 calls this function when suspending to a power down state, and it guarantees 2113 that data caches are enabled. 2114 2115 When HW_ASSISTED_COHERENCY = 0, the PSCI implementation disables data caches 2116 before calling pwr_domain_suspend(). If the target_state corresponds to a 2117 power down state and it is safe to perform some or all of the platform 2118 specific actions in that function with data caches enabled, it may be more 2119 efficient to move those actions to this function. When HW_ASSISTED_COHERENCY 2120 = 1, data caches remain enabled throughout, and so there is no advantage to 2121 moving platform specific actions to this function. 2122 2123 plat\_psci\_ops.pwr\_domain\_suspend() 2124 ...................................... 2125 2126 Perform the platform specific actions to prepare to suspend the calling 2127 CPU and its higher parent power domain levels as indicated by the 2128 ``target_state`` (first argument). It is called by the PSCI ``CPU_SUSPEND`` 2129 API implementation. 2130 2131 The ``target_state`` has a similar meaning as described in 2132 the ``pwr_domain_off()`` operation. It encodes the platform coordinated 2133 target local power states for the CPU power domain and its parent 2134 power domain levels. The handler needs to perform power management operation 2135 corresponding to the local state at each power level. The generic code 2136 expects the handler to succeed. 2137 2138 The difference between turning a power domain off versus suspending it is that 2139 in the former case, the power domain is expected to re-initialize its state 2140 when it is next powered on (see ``pwr_domain_on_finish()``). In the latter 2141 case, the power domain is expected to save enough state so that it can resume 2142 execution by restoring this state when its powered on (see 2143 ``pwr_domain_suspend_finish()``). 2144 2145 When suspending a core, the platform can also choose to power off the GICv3 2146 Redistributor and ITS through an implementation-defined sequence. To achieve 2147 this safely, the ITS context must be saved first. The architectural part is 2148 implemented by the ``gicv3_its_save_disable()`` helper, but most of the needed 2149 sequence is implementation defined and it is therefore the responsibility of 2150 the platform code to implement the necessary sequence. Then the GIC 2151 Redistributor context can be saved using the ``gicv3_rdistif_save()`` helper. 2152 Powering off the Redistributor requires the implementation to support it and it 2153 is the responsibility of the platform code to execute the right implementation 2154 defined sequence. 2155 2156 When a system suspend is requested, the platform can also make use of the 2157 ``gicv3_distif_save()`` helper to save the context of the GIC Distributor after 2158 it has saved the context of the Redistributors and ITS of all the cores in the 2159 system. The context of the Distributor can be large and may require it to be 2160 allocated in a special area if it cannot fit in the platform's global static 2161 data, for example in DRAM. The Distributor can then be powered down using an 2162 implementation-defined sequence. 2163 2164 plat\_psci\_ops.pwr\_domain\_pwr\_down\_wfi() 2165 ............................................. 2166 2167 This is an optional function and, if implemented, is expected to perform 2168 platform specific actions including the ``wfi`` invocation which allows the 2169 CPU to powerdown. Since this function is invoked outside the PSCI locks, 2170 the actions performed in this hook must be local to the CPU or the platform 2171 must ensure that races between multiple CPUs cannot occur. 2172 2173 The ``target_state`` has a similar meaning as described in the ``pwr_domain_off()`` 2174 operation and it encodes the platform coordinated target local power states for 2175 the CPU power domain and its parent power domain levels. This function must 2176 not return back to the caller. 2177 2178 If this function is not implemented by the platform, PSCI generic 2179 implementation invokes ``psci_power_down_wfi()`` for power down. 2180 2181 plat\_psci\_ops.pwr\_domain\_on\_finish() 2182 ......................................... 2183 2184 This function is called by the PSCI implementation after the calling CPU is 2185 powered on and released from reset in response to an earlier PSCI ``CPU_ON`` call. 2186 It performs the platform-specific setup required to initialize enough state for 2187 this CPU to enter the normal world and also provide secure runtime firmware 2188 services. 2189 2190 The ``target_state`` (first argument) is the prior state of the power domains 2191 immediately before the CPU was turned on. It indicates which power domains 2192 above the CPU might require initialization due to having previously been in 2193 low power states. The generic code expects the handler to succeed. 2194 2195 plat\_psci\_ops.pwr\_domain\_suspend\_finish() 2196 .............................................. 2197 2198 This function is called by the PSCI implementation after the calling CPU is 2199 powered on and released from reset in response to an asynchronous wakeup 2200 event, for example a timer interrupt that was programmed by the CPU during the 2201 ``CPU_SUSPEND`` call or ``SYSTEM_SUSPEND`` call. It performs the platform-specific 2202 setup required to restore the saved state for this CPU to resume execution 2203 in the normal world and also provide secure runtime firmware services. 2204 2205 The ``target_state`` (first argument) has a similar meaning as described in 2206 the ``pwr_domain_on_finish()`` operation. The generic code expects the platform 2207 to succeed. 2208 2209 If the Distributor, Redistributors or ITS have been powered off as part of a 2210 suspend, their context must be restored in this function in the reverse order 2211 to how they were saved during suspend sequence. 2212 2213 plat\_psci\_ops.system\_off() 2214 ............................. 2215 2216 This function is called by PSCI implementation in response to a ``SYSTEM_OFF`` 2217 call. It performs the platform-specific system poweroff sequence after 2218 notifying the Secure Payload Dispatcher. 2219 2220 plat\_psci\_ops.system\_reset() 2221 ............................... 2222 2223 This function is called by PSCI implementation in response to a ``SYSTEM_RESET`` 2224 call. It performs the platform-specific system reset sequence after 2225 notifying the Secure Payload Dispatcher. 2226 2227 plat\_psci\_ops.validate\_power\_state() 2228 ........................................ 2229 2230 This function is called by the PSCI implementation during the ``CPU_SUSPEND`` 2231 call to validate the ``power_state`` parameter of the PSCI API and if valid, 2232 populate it in ``req_state`` (second argument) array as power domain level 2233 specific local states. If the ``power_state`` is invalid, the platform must 2234 return PSCI\_E\_INVALID\_PARAMS as error, which is propagated back to the 2235 normal world PSCI client. 2236 2237 plat\_psci\_ops.validate\_ns\_entrypoint() 2238 .......................................... 2239 2240 This function is called by the PSCI implementation during the ``CPU_SUSPEND``, 2241 ``SYSTEM_SUSPEND`` and ``CPU_ON`` calls to validate the non-secure ``entry_point`` 2242 parameter passed by the normal world. If the ``entry_point`` is invalid, 2243 the platform must return PSCI\_E\_INVALID\_ADDRESS as error, which is 2244 propagated back to the normal world PSCI client. 2245 2246 plat\_psci\_ops.get\_sys\_suspend\_power\_state() 2247 ................................................. 2248 2249 This function is called by the PSCI implementation during the ``SYSTEM_SUSPEND`` 2250 call to get the ``req_state`` parameter from platform which encodes the power 2251 domain level specific local states to suspend to system affinity level. The 2252 ``req_state`` will be utilized to do the PSCI state coordination and 2253 ``pwr_domain_suspend()`` will be invoked with the coordinated target state to 2254 enter system suspend. 2255 2256 plat\_psci\_ops.get\_pwr\_lvl\_state\_idx() 2257 ........................................... 2258 2259 This is an optional function and, if implemented, is invoked by the PSCI 2260 implementation to convert the ``local_state`` (first argument) at a specified 2261 ``pwr_lvl`` (second argument) to an index between 0 and 2262 ``PLAT_MAX_PWR_LVL_STATES`` - 1. This function is only needed if the platform 2263 supports more than two local power states at each power domain level, that is 2264 ``PLAT_MAX_PWR_LVL_STATES`` is greater than 2, and needs to account for these 2265 local power states. 2266 2267 plat\_psci\_ops.translate\_power\_state\_by\_mpidr() 2268 .................................................... 2269 2270 This is an optional function and, if implemented, verifies the ``power_state`` 2271 (second argument) parameter of the PSCI API corresponding to a target power 2272 domain. The target power domain is identified by using both ``MPIDR`` (first 2273 argument) and the power domain level encoded in ``power_state``. The power domain 2274 level specific local states are to be extracted from ``power_state`` and be 2275 populated in the ``output_state`` (third argument) array. The functionality 2276 is similar to the ``validate_power_state`` function described above and is 2277 envisaged to be used in case the validity of ``power_state`` depend on the 2278 targeted power domain. If the ``power_state`` is invalid for the targeted power 2279 domain, the platform must return PSCI\_E\_INVALID\_PARAMS as error. If this 2280 function is not implemented, then the generic implementation relies on 2281 ``validate_power_state`` function to translate the ``power_state``. 2282 2283 This function can also be used in case the platform wants to support local 2284 power state encoding for ``power_state`` parameter of PSCI\_STAT\_COUNT/RESIDENCY 2285 APIs as described in Section 5.18 of `PSCI`_. 2286 2287 plat\_psci\_ops.get\_node\_hw\_state() 2288 ...................................... 2289 2290 This is an optional function. If implemented this function is intended to return 2291 the power state of a node (identified by the first parameter, the ``MPIDR``) in 2292 the power domain topology (identified by the second parameter, ``power_level``), 2293 as retrieved from a power controller or equivalent component on the platform. 2294 Upon successful completion, the implementation must map and return the final 2295 status among ``HW_ON``, ``HW_OFF`` or ``HW_STANDBY``. Upon encountering failures, it 2296 must return either ``PSCI_E_INVALID_PARAMS`` or ``PSCI_E_NOT_SUPPORTED`` as 2297 appropriate. 2298 2299 Implementations are not expected to handle ``power_levels`` greater than 2300 ``PLAT_MAX_PWR_LVL``. 2301 2302 plat\_psci\_ops.system\_reset2() 2303 ................................ 2304 2305 This is an optional function. If implemented this function is 2306 called during the ``SYSTEM_RESET2`` call to perform a reset 2307 based on the first parameter ``reset_type`` as specified in 2308 `PSCI`_. The parameter ``cookie`` can be used to pass additional 2309 reset information. If the ``reset_type`` is not supported, the 2310 function must return ``PSCI_E_NOT_SUPPORTED``. For architectural 2311 resets, all failures must return ``PSCI_E_INVALID_PARAMETERS`` 2312 and vendor reset can return other PSCI error codes as defined 2313 in `PSCI`_. On success this function will not return. 2314 2315 plat\_psci\_ops.write\_mem\_protect() 2316 .................................... 2317 2318 This is an optional function. If implemented it enables or disables the 2319 ``MEM_PROTECT`` functionality based on the value of ``val``. 2320 A non-zero value enables ``MEM_PROTECT`` and a value of zero 2321 disables it. Upon encountering failures it must return a negative value 2322 and on success it must return 0. 2323 2324 plat\_psci\_ops.read\_mem\_protect() 2325 ..................................... 2326 2327 This is an optional function. If implemented it returns the current 2328 state of ``MEM_PROTECT`` via the ``val`` parameter. Upon encountering 2329 failures it must return a negative value and on success it must 2330 return 0. 2331 2332 plat\_psci\_ops.mem\_protect\_chk() 2333 ................................... 2334 2335 This is an optional function. If implemented it checks if a memory 2336 region defined by a base address ``base`` and with a size of ``length`` 2337 bytes is protected by ``MEM_PROTECT``. If the region is protected 2338 then it must return 0, otherwise it must return a negative number. 2339 2340 Interrupt Management framework (in BL31) 2341 ---------------------------------------- 2342 2343 BL31 implements an Interrupt Management Framework (IMF) to manage interrupts 2344 generated in either security state and targeted to EL1 or EL2 in the non-secure 2345 state or EL3/S-EL1 in the secure state. The design of this framework is 2346 described in the `IMF Design Guide`_ 2347 2348 A platform should export the following APIs to support the IMF. The following 2349 text briefly describes each api and its implementation in ARM standard 2350 platforms. The API implementation depends upon the type of interrupt controller 2351 present in the platform. ARM standard platform layer supports both 2352 `ARM Generic Interrupt Controller version 2.0 (GICv2)`_ 2353 and `3.0 (GICv3)`_. Juno builds the ARM 2354 Standard layer to use GICv2 and the FVP can be configured to use either GICv2 or 2355 GICv3 depending on the build flag ``FVP_USE_GIC_DRIVER`` (See FVP platform 2356 specific build options in `User Guide`_ for more details). 2357 2358 See also: `Interrupt Controller Abstraction APIs`__. 2359 2360 .. __: platform-interrupt-controller-API.rst 2361 2362 Function : plat\_interrupt\_type\_to\_line() [mandatory] 2363 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2364 2365 :: 2366 2367 Argument : uint32_t, uint32_t 2368 Return : uint32_t 2369 2370 The ARM processor signals an interrupt exception either through the IRQ or FIQ 2371 interrupt line. The specific line that is signaled depends on how the interrupt 2372 controller (IC) reports different interrupt types from an execution context in 2373 either security state. The IMF uses this API to determine which interrupt line 2374 the platform IC uses to signal each type of interrupt supported by the framework 2375 from a given security state. This API must be invoked at EL3. 2376 2377 The first parameter will be one of the ``INTR_TYPE_*`` values (see 2378 `IMF Design Guide`_) indicating the target type of the interrupt, the second parameter is the 2379 security state of the originating execution context. The return result is the 2380 bit position in the ``SCR_EL3`` register of the respective interrupt trap: IRQ=1, 2381 FIQ=2. 2382 2383 In the case of ARM standard platforms using GICv2, S-EL1 interrupts are 2384 configured as FIQs and Non-secure interrupts as IRQs from either security 2385 state. 2386 2387 In the case of ARM standard platforms using GICv3, the interrupt line to be 2388 configured depends on the security state of the execution context when the 2389 interrupt is signalled and are as follows: 2390 2391 - The S-EL1 interrupts are signaled as IRQ in S-EL0/1 context and as FIQ in 2392 NS-EL0/1/2 context. 2393 - The Non secure interrupts are signaled as FIQ in S-EL0/1 context and as IRQ 2394 in the NS-EL0/1/2 context. 2395 - The EL3 interrupts are signaled as FIQ in both S-EL0/1 and NS-EL0/1/2 2396 context. 2397 2398 Function : plat\_ic\_get\_pending\_interrupt\_type() [mandatory] 2399 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2400 2401 :: 2402 2403 Argument : void 2404 Return : uint32_t 2405 2406 This API returns the type of the highest priority pending interrupt at the 2407 platform IC. The IMF uses the interrupt type to retrieve the corresponding 2408 handler function. ``INTR_TYPE_INVAL`` is returned when there is no interrupt 2409 pending. The valid interrupt types that can be returned are ``INTR_TYPE_EL3``, 2410 ``INTR_TYPE_S_EL1`` and ``INTR_TYPE_NS``. This API must be invoked at EL3. 2411 2412 In the case of ARM standard platforms using GICv2, the *Highest Priority 2413 Pending Interrupt Register* (``GICC_HPPIR``) is read to determine the id of 2414 the pending interrupt. The type of interrupt depends upon the id value as 2415 follows. 2416 2417 #. id < 1022 is reported as a S-EL1 interrupt 2418 #. id = 1022 is reported as a Non-secure interrupt. 2419 #. id = 1023 is reported as an invalid interrupt type. 2420 2421 In the case of ARM standard platforms using GICv3, the system register 2422 ``ICC_HPPIR0_EL1``, *Highest Priority Pending group 0 Interrupt Register*, 2423 is read to determine the id of the pending interrupt. The type of interrupt 2424 depends upon the id value as follows. 2425 2426 #. id = ``PENDING_G1S_INTID`` (1020) is reported as a S-EL1 interrupt 2427 #. id = ``PENDING_G1NS_INTID`` (1021) is reported as a Non-secure interrupt. 2428 #. id = ``GIC_SPURIOUS_INTERRUPT`` (1023) is reported as an invalid interrupt type. 2429 #. All other interrupt id's are reported as EL3 interrupt. 2430 2431 Function : plat\_ic\_get\_pending\_interrupt\_id() [mandatory] 2432 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2433 2434 :: 2435 2436 Argument : void 2437 Return : uint32_t 2438 2439 This API returns the id of the highest priority pending interrupt at the 2440 platform IC. ``INTR_ID_UNAVAILABLE`` is returned when there is no interrupt 2441 pending. 2442 2443 In the case of ARM standard platforms using GICv2, the *Highest Priority 2444 Pending Interrupt Register* (``GICC_HPPIR``) is read to determine the id of the 2445 pending interrupt. The id that is returned by API depends upon the value of 2446 the id read from the interrupt controller as follows. 2447 2448 #. id < 1022. id is returned as is. 2449 #. id = 1022. The *Aliased Highest Priority Pending Interrupt Register* 2450 (``GICC_AHPPIR``) is read to determine the id of the non-secure interrupt. 2451 This id is returned by the API. 2452 #. id = 1023. ``INTR_ID_UNAVAILABLE`` is returned. 2453 2454 In the case of ARM standard platforms using GICv3, if the API is invoked from 2455 EL3, the system register ``ICC_HPPIR0_EL1``, *Highest Priority Pending Interrupt 2456 group 0 Register*, is read to determine the id of the pending interrupt. The id 2457 that is returned by API depends upon the value of the id read from the 2458 interrupt controller as follows. 2459 2460 #. id < ``PENDING_G1S_INTID`` (1020). id is returned as is. 2461 #. id = ``PENDING_G1S_INTID`` (1020) or ``PENDING_G1NS_INTID`` (1021). The system 2462 register ``ICC_HPPIR1_EL1``, *Highest Priority Pending Interrupt group 1 2463 Register* is read to determine the id of the group 1 interrupt. This id 2464 is returned by the API as long as it is a valid interrupt id 2465 #. If the id is any of the special interrupt identifiers, 2466 ``INTR_ID_UNAVAILABLE`` is returned. 2467 2468 When the API invoked from S-EL1 for GICv3 systems, the id read from system 2469 register ``ICC_HPPIR1_EL1``, *Highest Priority Pending group 1 Interrupt 2470 Register*, is returned if is not equal to GIC\_SPURIOUS\_INTERRUPT (1023) else 2471 ``INTR_ID_UNAVAILABLE`` is returned. 2472 2473 Function : plat\_ic\_acknowledge\_interrupt() [mandatory] 2474 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2475 2476 :: 2477 2478 Argument : void 2479 Return : uint32_t 2480 2481 This API is used by the CPU to indicate to the platform IC that processing of 2482 the highest pending interrupt has begun. It should return the id of the 2483 interrupt which is being processed. 2484 2485 This function in ARM standard platforms using GICv2, reads the *Interrupt 2486 Acknowledge Register* (``GICC_IAR``). This changes the state of the highest 2487 priority pending interrupt from pending to active in the interrupt controller. 2488 It returns the value read from the ``GICC_IAR``. This value is the id of the 2489 interrupt whose state has been changed. 2490 2491 In the case of ARM standard platforms using GICv3, if the API is invoked 2492 from EL3, the function reads the system register ``ICC_IAR0_EL1``, *Interrupt 2493 Acknowledge Register group 0*. If the API is invoked from S-EL1, the function 2494 reads the system register ``ICC_IAR1_EL1``, *Interrupt Acknowledge Register 2495 group 1*. The read changes the state of the highest pending interrupt from 2496 pending to active in the interrupt controller. The value read is returned 2497 and is the id of the interrupt whose state has been changed. 2498 2499 The TSP uses this API to start processing of the secure physical timer 2500 interrupt. 2501 2502 Function : plat\_ic\_end\_of\_interrupt() [mandatory] 2503 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2504 2505 :: 2506 2507 Argument : uint32_t 2508 Return : void 2509 2510 This API is used by the CPU to indicate to the platform IC that processing of 2511 the interrupt corresponding to the id (passed as the parameter) has 2512 finished. The id should be the same as the id returned by the 2513 ``plat_ic_acknowledge_interrupt()`` API. 2514 2515 ARM standard platforms write the id to the *End of Interrupt Register* 2516 (``GICC_EOIR``) in case of GICv2, and to ``ICC_EOIR0_EL1`` or ``ICC_EOIR1_EL1`` 2517 system register in case of GICv3 depending on where the API is invoked from, 2518 EL3 or S-EL1. This deactivates the corresponding interrupt in the interrupt 2519 controller. 2520 2521 The TSP uses this API to finish processing of the secure physical timer 2522 interrupt. 2523 2524 Function : plat\_ic\_get\_interrupt\_type() [mandatory] 2525 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2526 2527 :: 2528 2529 Argument : uint32_t 2530 Return : uint32_t 2531 2532 This API returns the type of the interrupt id passed as the parameter. 2533 ``INTR_TYPE_INVAL`` is returned if the id is invalid. If the id is valid, a valid 2534 interrupt type (one of ``INTR_TYPE_EL3``, ``INTR_TYPE_S_EL1`` and ``INTR_TYPE_NS``) is 2535 returned depending upon how the interrupt has been configured by the platform 2536 IC. This API must be invoked at EL3. 2537 2538 ARM standard platforms using GICv2 configures S-EL1 interrupts as Group0 interrupts 2539 and Non-secure interrupts as Group1 interrupts. It reads the group value 2540 corresponding to the interrupt id from the relevant *Interrupt Group Register* 2541 (``GICD_IGROUPRn``). It uses the group value to determine the type of interrupt. 2542 2543 In the case of ARM standard platforms using GICv3, both the *Interrupt Group 2544 Register* (``GICD_IGROUPRn``) and *Interrupt Group Modifier Register* 2545 (``GICD_IGRPMODRn``) is read to figure out whether the interrupt is configured 2546 as Group 0 secure interrupt, Group 1 secure interrupt or Group 1 NS interrupt. 2547 2548 Crash Reporting mechanism (in BL31) 2549 ----------------------------------- 2550 2551 BL31 implements a crash reporting mechanism which prints the various registers 2552 of the CPU to enable quick crash analysis and debugging. It requires that a 2553 console is designated as the crash console by the platform which will be used to 2554 print the register dump. 2555 2556 The following functions must be implemented by the platform if it wants crash 2557 reporting mechanism in BL31. The functions are implemented in assembly so that 2558 they can be invoked without a C Runtime stack. 2559 2560 Function : plat\_crash\_console\_init 2561 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2562 2563 :: 2564 2565 Argument : void 2566 Return : int 2567 2568 This API is used by the crash reporting mechanism to initialize the crash 2569 console. It must only use the general purpose registers x0 to x4 to do the 2570 initialization and returns 1 on success. 2571 2572 Function : plat\_crash\_console\_putc 2573 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2574 2575 :: 2576 2577 Argument : int 2578 Return : int 2579 2580 This API is used by the crash reporting mechanism to print a character on the 2581 designated crash console. It must only use general purpose registers x1 and 2582 x2 to do its work. The parameter and the return value are in general purpose 2583 register x0. 2584 2585 Function : plat\_crash\_console\_flush 2586 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2587 2588 :: 2589 2590 Argument : void 2591 Return : int 2592 2593 This API is used by the crash reporting mechanism to force write of all buffered 2594 data on the designated crash console. It should only use general purpose 2595 registers x0 and x1 to do its work. The return value is 0 on successful 2596 completion; otherwise the return value is -1. 2597 2598 Build flags 2599 ----------- 2600 2601 - **ENABLE\_PLAT\_COMPAT** 2602 All the platforms ports conforming to this API specification should define 2603 the build flag ``ENABLE_PLAT_COMPAT`` to 0 as the compatibility layer should 2604 be disabled. For more details on compatibility layer, refer 2605 `Migration Guide`_. 2606 2607 There are some build flags which can be defined by the platform to control 2608 inclusion or exclusion of certain BL stages from the FIP image. These flags 2609 need to be defined in the platform makefile which will get included by the 2610 build system. 2611 2612 - **NEED\_BL33** 2613 By default, this flag is defined ``yes`` by the build system and ``BL33`` 2614 build option should be supplied as a build option. The platform has the 2615 option of excluding the BL33 image in the ``fip`` image by defining this flag 2616 to ``no``. If any of the options ``EL3_PAYLOAD_BASE`` or ``PRELOADED_BL33_BASE`` 2617 are used, this flag will be set to ``no`` automatically. 2618 2619 C Library 2620 --------- 2621 2622 To avoid subtle toolchain behavioral dependencies, the header files provided 2623 by the compiler are not used. The software is built with the ``-nostdinc`` flag 2624 to ensure no headers are included from the toolchain inadvertently. Instead the 2625 required headers are included in the ARM Trusted Firmware source tree. The 2626 library only contains those C library definitions required by the local 2627 implementation. If more functionality is required, the needed library functions 2628 will need to be added to the local implementation. 2629 2630 Versions of `FreeBSD`_ headers can be found in ``include/lib/stdlib``. Some of 2631 these headers have been cut down in order to simplify the implementation. In 2632 order to minimize changes to the header files, the `FreeBSD`_ layout has been 2633 maintained. The generic C library definitions can be found in 2634 ``include/lib/stdlib`` with more system and machine specific declarations in 2635 ``include/lib/stdlib/sys`` and ``include/lib/stdlib/machine``. 2636 2637 The local C library implementations can be found in ``lib/stdlib``. In order to 2638 extend the C library these files may need to be modified. It is recommended to 2639 use a release version of `FreeBSD`_ as a starting point. 2640 2641 The C library header files in the `FreeBSD`_ source tree are located in the 2642 ``include`` and ``sys/sys`` directories. `FreeBSD`_ machine specific definitions 2643 can be found in the ``sys/<machine-type>`` directories. These files define things 2644 like 'the size of a pointer' and 'the range of an integer'. Since an AArch64 2645 port for `FreeBSD`_ does not yet exist, the machine specific definitions are 2646 based on existing machine types with similar properties (for example SPARC64). 2647 2648 Where possible, C library function implementations were taken from `FreeBSD`_ 2649 as found in the ``lib/libc`` directory. 2650 2651 A copy of the `FreeBSD`_ sources can be downloaded with ``git``. 2652 2653 :: 2654 2655 git clone git://github.com/freebsd/freebsd.git -b origin/release/9.2.0 2656 2657 Storage abstraction layer 2658 ------------------------- 2659 2660 In order to improve platform independence and portability an storage abstraction 2661 layer is used to load data from non-volatile platform storage. 2662 2663 Each platform should register devices and their drivers via the Storage layer. 2664 These drivers then need to be initialized by bootloader phases as 2665 required in their respective ``blx_platform_setup()`` functions. Currently 2666 storage access is only required by BL1 and BL2 phases. The ``load_image()`` 2667 function uses the storage layer to access non-volatile platform storage. 2668 2669 It is mandatory to implement at least one storage driver. For the ARM 2670 development platforms the Firmware Image Package (FIP) driver is provided as 2671 the default means to load data from storage (see the "Firmware Image Package" 2672 section in the `User Guide`_). The storage layer is described in the header file 2673 ``include/drivers/io/io_storage.h``. The implementation of the common library 2674 is in ``drivers/io/io_storage.c`` and the driver files are located in 2675 ``drivers/io/``. 2676 2677 Each IO driver must provide ``io_dev_*`` structures, as described in 2678 ``drivers/io/io_driver.h``. These are returned via a mandatory registration 2679 function that is called on platform initialization. The semi-hosting driver 2680 implementation in ``io_semihosting.c`` can be used as an example. 2681 2682 The Storage layer provides mechanisms to initialize storage devices before 2683 IO operations are called. The basic operations supported by the layer 2684 include ``open()``, ``close()``, ``read()``, ``write()``, ``size()`` and ``seek()``. 2685 Drivers do not have to implement all operations, but each platform must 2686 provide at least one driver for a device capable of supporting generic 2687 operations such as loading a bootloader image. 2688 2689 The current implementation only allows for known images to be loaded by the 2690 firmware. These images are specified by using their identifiers, as defined in 2691 [include/plat/common/platform\_def.h] (or a separate header file included from 2692 there). The platform layer (``plat_get_image_source()``) then returns a reference 2693 to a device and a driver-specific ``spec`` which will be understood by the driver 2694 to allow access to the image data. 2695 2696 The layer is designed in such a way that is it possible to chain drivers with 2697 other drivers. For example, file-system drivers may be implemented on top of 2698 physical block devices, both represented by IO devices with corresponding 2699 drivers. In such a case, the file-system "binding" with the block device may 2700 be deferred until the file-system device is initialised. 2701 2702 The abstraction currently depends on structures being statically allocated 2703 by the drivers and callers, as the system does not yet provide a means of 2704 dynamically allocating memory. This may also have the affect of limiting the 2705 amount of open resources per driver. 2706 2707 -------------- 2708 2709 *Copyright (c) 2013-2017, ARM Limited and Contributors. All rights reserved.* 2710 2711 .. _Migration Guide: platform-migration-guide.rst 2712 .. _include/plat/common/platform.h: ../include/plat/common/platform.h 2713 .. _include/plat/arm/common/plat\_arm.h: ../include/plat/arm/common/plat_arm.h%5D 2714 .. _User Guide: user-guide.rst 2715 .. _include/plat/common/common\_def.h: ../include/plat/common/common_def.h 2716 .. _include/plat/arm/common/arm\_def.h: ../include/plat/arm/common/arm_def.h 2717 .. _plat/common/aarch64/platform\_mp\_stack.S: ../plat/common/aarch64/platform_mp_stack.S 2718 .. _plat/common/aarch64/platform\_up\_stack.S: ../plat/common/aarch64/platform_up_stack.S 2719 .. _For example, define the build flag in platform.mk: PLAT_PL061_MAX_GPIOS%20:=%20160 2720 .. _Power Domain Topology Design: psci-pd-tree.rst 2721 .. _include/common/bl\_common.h: ../include/common/bl_common.h 2722 .. _include/lib/aarch32/arch.h: ../include/lib/aarch32/arch.h 2723 .. _Firmware Design: firmware-design.rst 2724 .. _PSCI: http://infocenter.arm.com/help/topic/com.arm.doc.den0022c/DEN0022C_Power_State_Coordination_Interface.pdf 2725 .. _plat/arm/board/fvp/fvp\_pm.c: ../plat/arm/board/fvp/fvp_pm.c 2726 .. _IMF Design Guide: interrupt-framework-design.rst 2727 .. _ARM Generic Interrupt Controller version 2.0 (GICv2): http://infocenter.arm.com/help/topic/com.arm.doc.ihi0048b/index.html 2728 .. _3.0 (GICv3): http://infocenter.arm.com/help/topic/com.arm.doc.ihi0069b/index.html 2729 .. _FreeBSD: http://www.freebsd.org 2730
