Diffstat (limited to 'docs')
 docs/firmware-design.md | 21
 docs/firmware-update.md | 28
 docs/porting-guide.md   | 49
 docs/user-guide.md      |  2
4 files changed, 74 insertions, 26 deletions
diff --git a/docs/firmware-design.md b/docs/firmware-design.md index c37f9c5f..0acb1fa8 100644 --- a/docs/firmware-design.md +++ b/docs/firmware-design.md @@ -1127,7 +1127,8 @@ can be found in the [cpu-specific-build-macros.md][CPUBM] file. The CPU specific operations framework depends on the `cpu_ops` structure which needs to be exported for each type of CPU in the platform. It is defined in `include/lib/cpus/aarch64/cpu_macros.S` and has the following fields : `midr`, -`reset_func()`, `core_pwr_dwn()`, `cluster_pwr_dwn()` and `cpu_reg_dump()`. +`reset_func()`, `cpu_pwr_down_ops` (array of power down functions) and +`cpu_reg_dump()`. The CPU specific files in `lib/cpus` export a `cpu_ops` data structure with suitable handlers for that CPU. For example, `lib/cpus/aarch64/cortex_a53.S` 
@@ -1161,15 +1162,15 @@ During the BL31 initialization sequence, the pointer to the matching `cpu_ops` entry is stored in per-CPU data by `init_cpu_ops()` so that it can be quickly retrieved during power down sequences. -The PSCI service, upon receiving a power down request, determines the highest -power level at which to execute power down sequence for a particular CPU and -invokes the corresponding 'prepare' power down handler in the CPU specific -operations framework. For example, when a CPU executes a power down for power -level 0, the `prepare_core_pwr_dwn()` retrieves the `cpu_ops` pointer from the -per-CPU data and the corresponding `core_pwr_dwn()` is invoked. Similarly when -a CPU executes power down at power level 1, the `prepare_cluster_pwr_dwn()` -retrieves the `cpu_ops` pointer and the corresponding `cluster_pwr_dwn()` is -invoked. +Various CPU drivers register handlers to perform power down at certain power +levels for that specific CPU. The PSCI service, upon receiving a power down +request, determines the highest power level at which to execute power down +sequence for a particular CPU. It uses the `prepare_cpu_pwr_dwn()` function to +pick the right power down handler for the requested level. The function +retrieves `cpu_ops` pointer member of per-CPU data, and from that, further +retrieves `cpu_pwr_down_ops` array, and indexes into the required level. If the +requested power level is higher than what a CPU driver supports, the handler +registered for highest level is invoked. At runtime the platform hooks for power down are invoked by the PSCI service to perform platform specific operations during a power down sequence, for example diff --git a/docs/firmware-update.md b/docs/firmware-update.md index 97df8cf4..21872fd4 100644 --- a/docs/firmware-update.md +++ b/docs/firmware-update.md 
@@ -206,21 +206,31 @@ for BL1 to pass execution control to BL31. if (image_id is non-secure image) return -EPERM if (image_id state is not (RESET or COPYING)) return -EPERM if (secure world caller) return -EPERM + if (image_addr + block_size overflows) return -ENOMEM + if (image destination address + image_size overflows) return -ENOMEM if (source block is in secure memory) return -ENOMEM if (source block is not mapped into BL1) return -ENOMEM if (image_size > free secure memory) return -ENOMEM -This SMC copies the secure image indicated by `image_id` into secure memory. The -image may be copied in a single block or multiple blocks. In either case, the -total size of the image must be provided in `image_size` when invoking this SMC -the first time for each image. The `image_addr` and `block_size` specify the -source memory block to copy from. If `block_size` >= the size of the remaining -image to copy, then BL1 completes the copy operation and sets the image state -to COPIED. If there is still more to copy, BL1 sets the image state to COPYING. +This SMC copies the secure image indicated by `image_id` from non-secure memory +to secure memory for later authentication. The image may be copied in a single +block or multiple blocks. In either case, the total size of the image must be +provided in `image_size` when invoking this SMC for the first time for each +image; it is ignored in subsequent calls (if any) for the same image. + +The `image_addr` and `block_size` specify the source memory block to copy from. +The destination address is provided by the platform code. + +If `block_size` is greater than the amount of remaining bytes to copy for this +image then the former is truncated to the latter. The copy operation is then +considered as complete and the FWU state machine transitions to the "COPIED" +state. If there is still more to copy, the FWU state machine stays in or +transitions to the COPYING state (depending on the previous state). 
+ When using multiple blocks, the source blocks do not necessarily need to be in contiguous memory. -BL1 returns from exception to the normal world caller. +Once the SMC is handled, BL1 returns from exception to the normal world caller. ### FWU_SMC_IMAGE_AUTH @@ -347,7 +357,7 @@ a `void *`. The SMC does not return. - - - - - - - - - - - - - - - - - - - - - - - - - - -_Copyright (c) 2015, ARM Limited and Contributors. All rights reserved._ +_Copyright (c) 2015-2016, ARM Limited and Contributors. All rights reserved._ [Porting Guide]: ./porting-guide.md diff --git a/docs/porting-guide.md b/docs/porting-guide.md index 74a0a85f..e8486f12 100644 --- a/docs/porting-guide.md +++ b/docs/porting-guide.md @@ -443,7 +443,19 @@ constant must also be defined: * **#define : ADDR_SPACE_SIZE** Defines the total size of the address space in bytes. For example, for a 32 - bit address space, this value should be `(1ull << 32)`. + bit address space, this value should be `(1ull << 32)`. This definition is + now deprecated, platforms should use `PLAT_PHY_ADDR_SPACE_SIZE` and + `PLAT_VIRT_ADDR_SPACE_SIZE` instead. + +* **#define : PLAT_VIRT_ADDR_SPACE_SIZE** + + Defines the total size of the virtual address space in bytes. For example, + for a 32 bit virtual address space, this value should be `(1ull << 32)`. + +* **#define : PLAT_PHY_ADDR_SPACE_SIZE** + + Defines the total size of the physical address space in bytes. For example, + for a 32 bit physical address space, this value should be `(1ull << 32)`. If the platform port uses the IO storage framework, the following constants must also be defined: 
@@ -690,12 +702,32 @@ not be retrieved from the platform. This function is mandatory when Trusted Board Boot is enabled. It sets a new counter value in the platform. The cookie in the first argument may be used to -select the counter (as explained in plat_get_nv_ctr()). +select the counter (as explained in plat_get_nv_ctr()). The second argument is +the updated counter value to be written to the NV counter. The function returns 0 on success. Any other value means the counter value could not be updated. +### Function: plat_set_nv_ctr2() + + Argument : void *, const auth_img_desc_t *, unsigned int + Return : int + +This function is optional when Trusted Board Boot is enabled. If this +interface is defined, then `plat_set_nv_ctr()` need not be defined. The +first argument passed is a cookie and is typically used to +differentiate between a Non Trusted NV Counter and a Trusted NV +Counter. The second argument is a pointer to an authentication image +descriptor and may be used to decide if the counter is allowed to be +updated or not. The third argument is the updated counter value to +be written to the NV counter. + +The function returns 0 on success. Any other value means the counter value +either could not be updated or the authentication image descriptor indicates +that it is not allowed to be updated. + + 2.3 Common mandatory function modifications --------------------------------- 
@@ -1089,10 +1121,15 @@ The default implementation spins forever. unsigned int flags Return : int -BL1 calls this function while handling FWU copy and authenticate SMCs. The -platform must ensure that the provided `mem_base` and `mem_size` are mapped into -BL1, and that this memory corresponds to either a secure or non-secure memory -region as indicated by the security state of the `flags` argument. +BL1 calls this function while handling FWU related SMCs, more specifically when +copying or authenticating an image. Its responsibility is to ensure that the +region of memory identified by `mem_base` and `mem_size` is mapped in BL1, and +that this memory corresponds to either a secure or non-secure memory region as +indicated by the security state of the `flags` argument. + +This function can safely assume that the value resulting from the addition of +`mem_base` and `mem_size` fits into a `uintptr_t` type variable and does not +overflow. This function must return 0 on success, a non-null error code otherwise. diff --git a/docs/user-guide.md b/docs/user-guide.md index e910790c..056c4145 100644 --- a/docs/user-guide.md +++ b/docs/user-guide.md @@ -1102,7 +1102,7 @@ to load the ELF file over JTAG on Juno. The AArch64 build of this version of ARM Trusted Firmware has been tested on the following ARM FVPs (64-bit host machine only). -* `Foundation_Platform` (Version 10.1, Build 10.1.32) +* `Foundation_Platform` (Version 10.2, Build 10.2.20) * `FVP_Base_AEMv8A-AEMv8A` (Version 7.7, Build 0.8.7701) * `FVP_Base_Cortex-A57x4-A53x4` (Version 7.7, Build 0.8.7701) * `FVP_Base_Cortex-A57x1-A53x1` (Version 7.7, Build 0.8.7701) |
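Review bot: the new `cpu_ops` field list in the firmware-design.md hunk at line 1127 describes `cpu_pwr_down_ops` only as "array of power down functions" and says nothing about how the array is indexed or how many entries a CPU driver must supply, even though the next hunk of the same file relies on indexing it by power level. Suggest stating here that entry N holds the handler for power level N (level 0 first) and pointing at where in `include/lib/cpus/aarch64/cpu_macros.S` the array length is fixed, so driver authors filling in the structure do not have to guess. Minor: "has the following fields :" carries a stray space before the colon.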
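Review bot: in the firmware-design.md hunk at line 1161, the final sentence ("If the requested power level is higher than what a CPU driver supports, the handler registered for highest level is invoked") documents a silent fallback rather than an error; suggest saying explicitly that this is the intended behaviour, and whether a driver's highest-level handler is therefore expected to cover everything the lower levels would have done, so a reader does not take it for an unchecked condition. Wording: "retrieves `cpu_ops` pointer member of per-CPU data, and from that, further retrieves `cpu_pwr_down_ops` array, and indexes into the required level" reads better as "retrieves the `cpu_ops` pointer from the per-CPU data, takes the `cpu_pwr_down_ops` array from it, and indexes that array with the requested power level"; and "execute power down sequence" should be "execute the power down sequence".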
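Review bot: in the firmware-update.md hunk at line 206, the new check `if (image destination address + image_size overflows) return -ENOMEM` is written in terms of `image_size`, but the prose added a few lines below says `image_size` is ignored on subsequent calls for the same image; suggest stating whether this check runs only on the first call or is re-evaluated against the remaining byte count on every call. Likewise, since the new paragraph says `block_size` is truncated to the remaining bytes, say whether the `image_addr + block_size` overflow check is applied before or after that truncation, as the answer decides whether an oversized final block is rejected or clamped. Wording: "the amount of remaining bytes" should be "the number of remaining bytes".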
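Review bot: in the porting-guide.md hunk at line 443, the deprecation sentence "This definition is now deprecated, platforms should use `PLAT_PHY_ADDR_SPACE_SIZE` and `PLAT_VIRT_ADDR_SPACE_SIZE` instead" is a comma splice (use a semicolon) and leaves the migration path unstated; suggest adding what happens when a platform still defines only `ADDR_SPACE_SIZE` (whether it is taken as the value of both new constants, or the build fails), and whether any relationship between the two new sizes is required, since as written the two new entries differ only in the words "virtual" and "physical" and give no reason to choose different values.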
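Review bot: in the porting-guide.md hunk at line 690, the new `plat_set_nv_ctr2()` entry says `plat_set_nv_ctr()` "need not be defined" when it is present, but not which of the two is called when a platform defines both; suggest stating the precedence explicitly. The return description also folds two distinct outcomes into "Any other value" (the write failed versus the authentication image descriptor disallowing the update); if the Trusted Board Boot caller treats these differently, document it, and if it does not, say so, because the distinction matters to a platform deciding whether a refused update should stop the boot. Style: the hunk adds two consecutive blank lines before the "2.3 Common mandatory function modifications" heading; one is enough.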
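Review bot: in the porting-guide.md hunk at line 1089, the new paragraph "This function can safely assume that the value resulting from the addition of `mem_base` and `mem_size` fits into a `uintptr_t` type variable and does not overflow" states a guarantee without saying who provides it; suggest adding that it holds because the BL1 FWU SMC handlers reject an overflowing `image_addr + block_size` and destination range before calling this function (the firmware-update.md change in this same commit documents those checks), so platform code that calls this function by any other route does not inherit the assumption. Also, "a non-null error code otherwise" should read "a non-zero error code otherwise"; "null" is a pointer term.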