關鍵詞:等等。
下圖划分成不同EL,分別描述BL1、BL2、BL31、BL32、BL33啟動流程,以及PSCI、SP處理流程。
1. 冷啟動(Cold boot)流程及階段划分
ATF冷啟動實現分為5個步驟:
- BL1 - AP Trusted ROM,一般為BootRom。
- BL2 - Trusted Boot Firmware,一般為Trusted Bootloader。
- BL31 - EL3 Runtime Firmware,一般為SML,管理SMC執行處理和中斷,運行在secure monitor中。
- BL32 - Secure-EL1 Payload,一般為TEE OS Image。
- BL33 - Non-Trusted Firmware,一般為uboot、linux kernel。
ATF輸出BL1、BL2、BL31,提供BL32和BL33接口。
啟動流程如下:
1.1 BL1
BL1位於ROM中,在EL3下從reset vector處開始運行。
BL1做的工作主要有:
- 決定啟動路徑:冷啟動還是熱啟動。
- 架構初始化:異常向量、CPU復位處理函數配置、控制寄存器設置(SCRLR_EL3/SCR_EL3/CPTR_EL3/DAIF)
- 平台初始化:使能Trusted Watchdog、初始化控制台、配置硬件一致性互聯、配置MMU、初始化相關存儲設備。
- 固件更新處理
- BL2鏡像加載和執行:
- BL1輸出“Booting Trusted Firmware"。
- BL1加載BL2到SRAM;如果SRAM不夠或者BL2鏡像錯誤,輸出“Failed to load BL2 firmware.”。
- BL1切換到Secure EL1並將執行權交給BL2.
1.2 BL2
BL2位於SRAM中,運行在Secure EL1主要工作有:
- 架構初始化:EL1/EL0使能浮點單元和ASMID。
- 平台初始化:控制台初始化、相關存儲設備初始化、MMU、相關設備安全配置、
- SCP_BL2:系統控制核鏡像加載,單獨核處理系統功耗、時鍾、復位等控制。
- 加載BL31鏡像:BL2將控制權交給BL1;BL1關閉MMU並關cache;BL1將控制權交給BL31。
- 加載BL32鏡像:BL32運行在安全世界,BL2依賴BL31將控制權交給BL32。SPSR通過Secure-EL1 Payload Dispatcher進行初始化。
- 加載BL33鏡像:BL2依賴BL31將控制權交給BL33。
1.3 BL31
BL31位於SRAM中,EL3模式。除了做架構初始化和平台初始化外,還做了如下工作:
- PSCI服務初始化,后續提供CPU功耗管理操作。
- BL32鏡像運行初始化,處於Secure EL1模式。
- 初始化非安全EL2或EL1,跳轉到BL33執行。
- 負責安全非安全世界切換。
- 進行安全服務請求的分發。
2 BL1
BL1鏡像的異常向量表初始化了兩個:一個是入口bl1_entrypoint,EL1鏡像正常執行流程;另一個是SMC調用接口,EL2執行結束會通過SMC返回執行BL31。
vector_base bl1_vector_table
b bl1_entrypoint
b report_exception /* Undef */ b bl1_aarch32_smc_handler /* SMC call */ b report_exception /* Prefetch abort */ b report_exception /* Data abort */ b report_exception /* Reserved */ b report_exception /* IRQ */ b report_exception /* FIQ */ func bl1_aarch32_smc_handler /* ------------------------------------------------ * SMC in BL1 is handled assuming that the MMU is * turned off by BL2. * ------------------------------------------------ */ /* ---------------------------------------------- * Only RUN_IMAGE SMC is supported. * ---------------------------------------------- */ mov r8, #BL1_SMC_RUN_IMAGE--------------------------僅支持BL1_SMC_RUN_IMAGE SMC調用;其他調用觸發report_exception。 cmp r8, r0 blne report_exception /* ------------------------------------------------ * Make sure only Secure world reaches here. * ------------------------------------------------ */ ldcopr r8, SCR tst r8, #SCR_NS_BIT---------------------------------如果處於非安全狀態,則觸發report_exception。 blne report_exception /* --------------------------------------------------------------------- * Pass control to next secure image. * Here it expects r1 to contain the address of a entry_point_info_t * structure describing the BL entrypoint. * --------------------------------------------------------------------- */ mov r8, r1------------------------------------------第一個參數r0是功能id,即BL1_SMC_RUN_IMAGE_SMC。第二個參數是entry_point_info_t變量。 mov r0, r1 bl bl1_print_next_bl_ep_info #if SPIN_ON_BL1_EXIT bl print_debug_loop_message debug_loop: b debug_loop #endif mov r0, r8 bl bl1_plat_prepare_exit stcopr r0, TLBIALL dsb sy isb /* * Extract PC and SPSR based on struct `entry_point_info_t` * and load it in LR and SPSR registers respectively. */ ldr lr, [r8, #ENTRY_POINT_INFO_PC_OFFSET] ldr r1, [r8, #(ENTRY_POINT_INFO_PC_OFFSET + 4)] msr spsr, r1 add r8, r8, #ENTRY_POINT_INFO_ARGS_OFFSET ldm r8, {r0, r1, r2, r3}----------------------------執行跳轉到BL31。 eret endfunc bl1_aarch32_smc_handler
bl1_entrypoint()進行EL3執行環境初始化,設定向量表,加載bl2鏡像並跳轉到BL2執行。
func bl1_entrypoint
/* ---------------------------------------------------------------------
* If the reset address is programmable then bl1_entrypoint() is
* executed only on the cold boot path. Therefore, we can skip the warm
* boot mailbox mechanism.
* ---------------------------------------------------------------------
*/ el3_entrypoint_common \ _set_endian=1 \----------------------是否設定大小端。 _warm_boot_mailbox=!PROGRAMMABLE_RESET_ADDRESS \-----是否檢查當前屬於冷啟動還是熱啟動。 _secondary_cold_boot=!COLD_BOOT_SINGLE_CPU \---------確定當前CPU是主CPU還是從CPU。 _init_memory=1 \---------------------是否初始化memory。 _init_c_runtime=1 \----------------------是否初始化C語言執行環境。 _exception_vectors=bl1_exceptions-----------------------異常向量表。 /* --------------------------------------------- * Architectural init. can be generic e.g. * enabling stack alignment and platform spec- * ific e.g. MMU & page table setup as per the * platform memory map. Perform the latter here * and the former in bl1_main. * --------------------------------------------- */ bl bl1_early_platform_setup-------------------初始化memory、page table,所需外圍設備初始化等。 bl bl1_plat_arch_setup /* -------------------------------------------------- * Initialize platform and jump to our c-entry point * for this type of reset. * -------------------------------------------------- */ bl bl1_main--------------------------------------------進行必要初始化,加載BL2鏡像然后為退出EL3進入S.EL1做好准備。
/* -------------------------------------------------- * Do the transition to next boot image. * -------------------------------------------------- */ b el3_exit endfunc bl1_entrypoint
el3_entrypoint_common()主要完成進入EL3基本設置和向量表注冊。
.macro el3_entrypoint_common \
_set_endian, _warm_boot_mailbox, _secondary_cold_boot, \
_init_memory, _init_c_runtime, _exception_vectors
.if \_set_endian-------------------------------------------------------在進行內存讀寫之前,設置好系統的大小端。 /* ------------------------------------------------------------- * Set the CPU endianness before doing anything that might * involve memory reads or writes. * ------------------------------------------------------------- */ mrs x0, sctlr_el3 bic x0, x0, #SCTLR_EE_BIT msr sctlr_el3, x0 isb .endif /* _set_endian */ .if \_warm_boot_mailbox------------------------------------------------根據當前平台的entrypoint判斷是冷啟動還是熱啟動。 /* ------------------------------------------------------------- * This code will be executed for both warm and cold resets. * Now is the time to distinguish between the two. * Query the platform entrypoint address and if it is not zero * then it means it is a warm boot so jump to this address. * ------------------------------------------------------------- */ bl plat_get_my_entrypoint cbz x0, do_cold_boot--------------------------------------------如果為0說明是冷啟動,執行do_cold_boot();非0則跳轉到entrypoint執行。 br x0 do_cold_boot: .endif /* _warm_boot_mailbox */ /* --------------------------------------------------------------------- * It is a cold boot. * Perform any processor specific actions upon reset e.g. cache, TLB * invalidations etc. * --------------------------------------------------------------------- */ bl reset_handler---------------------------------------------------執行reset_handler()。 el3_arch_init_common \_exception_vectors------------------------------初始化異常向量。 .if \_secondary_cold_boot---------------------------------------------判斷當前CPU是主CPU還是從CPU。 /* ------------------------------------------------------------- * Check if this is a primary or secondary CPU cold boot. * The primary CPU will set up the platform while the * secondaries are placed in a platform-specific state until the * primary CPU performs the necessary actions to bring them out * of that state and allows entry into the OS. * ------------------------------------------------------------- */ bl plat_is_my_cpu_primary cbnz w0, do_primary_cold_boot /* This is a cold boot on a secondary CPU */ bl plat_secondary_cold_boot_setup /* plat_secondary_cold_boot_setup() is not supposed to return */ bl el3_panic do_primary_cold_boot: .endif /* _secondary_cold_boot */ /* --------------------------------------------------------------------- * Initialize memory now. Secondary CPU initialization won't get to this * point. * --------------------------------------------------------------------- */ .if \_init_memory----------------------------------------------------初始化內存。 bl platform_mem_init .endif /* _init_memory */ /* --------------------------------------------------------------------- * Init C runtime environment: * - Zero-initialise the NOBITS sections. There are 2 of them: * - the .bss section; * - the coherent memory section (if any). * - Relocate the data section from ROM to RAM, if required. * --------------------------------------------------------------------- */ .if \_init_c_runtime-------------------------------------------------初始化C執行環境。 #if IMAGE_BL31 /* ------------------------------------------------------------- * Invalidate the RW memory used by the BL31 image. This * includes the data and NOBITS sections. This is done to * safeguard against possible corruption of this memory by * dirty cache lines in a system cache as a result of use by * an earlier boot loader stage. * ------------------------------------------------------------- */ adr x0, __RW_START__ adr x1, __RW_END__ sub x1, x1, x0 bl inv_dcache_range #endif /* IMAGE_BL31 */ ldr x0, =__BSS_START__ ldr x1, =__BSS_SIZE__ bl zeromem16 #if USE_COHERENT_MEM ldr x0, =__COHERENT_RAM_START__ ldr x1, =__COHERENT_RAM_UNALIGNED_SIZE__ bl zeromem16 #endif #if IMAGE_BL1 ldr x0, =__DATA_RAM_START__ ldr x1, =__DATA_ROM_START__ ldr x2, =__DATA_SIZE__ bl memcpy16 #endif .endif /* _init_c_runtime */ /* --------------------------------------------------------------------- * Use SP_EL0 for the C runtime stack. * --------------------------------------------------------------------- */ msr spsel, #0 /* --------------------------------------------------------------------- * Allocate a stack whose memory will be marked as Normal-IS-WBWA when * the MMU is enabled. There is no risk of reading stale stack memory * after enabling the MMU as only the primary CPU is running at the * moment. * --------------------------------------------------------------------- */ bl plat_set_my_stack .endm
bl1_main()完成架構和平台特有初始化操作,然后加載BL2鏡像並跳轉執行。
/******************************************************************************* * Function to perform late architectural and platform specific initialization. * It also queries the platform to load and run next BL image. Only called * by the primary cpu after a cold boot. ******************************************************************************/ void bl1_main(void) { unsigned int image_id; /* Announce our arrival */ NOTICE(FIRMWARE_WELCOME_STR); NOTICE("BL1: %s\n", version_string); NOTICE("BL1: %s\n", build_message); INFO("BL1: RAM %p - %p\n", (void *)BL1_RAM_BASE, (void *)BL1_RAM_LIMIT); ... /* Perform remaining generic architectural setup from EL3 */ bl1_arch_setup(); #if TRUSTED_BOARD_BOOT /* Initialize authentication module */ auth_mod_init();----------------------------------------------初始化安全模塊和鏡像解析模塊。 #endif /* TRUSTED_BOARD_BOOT */ /* Perform platform setup in BL1. */ bl1_platform_setup(); /* Get the image id of next image to load and run. */ image_id = bl1_plat_get_next_image_id();----------------------獲取下一級啟動鏡像的ID。 /* * We currently interpret any image id other than * BL2_IMAGE_ID as the start of firmware update. */ if (image_id == BL2_IMAGE_ID) bl1_load_bl2();------------------------------------------將BL2鏡像加載到TSRAM中。 else NOTICE("BL1-FWU: *******FWU Process Started*******\n"); bl1_prepare_next_image(image_id);----------------------------獲取image_id對應鏡像描述信息,並為進入下一級鏡像執行准備好上下文。 } /******************************************************************************* * This function locates and loads the BL2 raw binary image in the trusted SRAM. * Called by the primary cpu after a cold boot. * TODO: Add support for alternative image load mechanism e.g using virtio/elf * loader etc. ******************************************************************************/ void bl1_load_bl2(void) { image_desc_t *image_desc; image_info_t *image_info; entry_point_info_t *ep_info; meminfo_t *bl1_tzram_layout; meminfo_t *bl2_tzram_layout; int err; /* Get the image descriptor */ image_desc = bl1_plat_get_image_desc(BL2_IMAGE_ID); assert(image_desc); /* Get the image info */ image_info = &image_desc->image_info; /* Get the entry point info */ ep_info = &image_desc->ep_info; /* Find out how much free trusted ram remains after BL1 load */ bl1_tzram_layout = bl1_plat_sec_mem_layout(); INFO("BL1: Loading BL2\n"); #if LOAD_IMAGE_V2 err = load_auth_image(BL2_IMAGE_ID, image_info); #else /* Load the BL2 image */ err = load_auth_image(bl1_tzram_layout, BL2_IMAGE_ID, image_info->image_base, image_info, ep_info); #endif /* LOAD_IMAGE_V2 */ if (err) { ERROR("Failed to load BL2 firmware.\n"); plat_error_handler(err); } /* * Create a new layout of memory for BL2 as seen by BL1 i.e. * tell it the amount of total and free memory available. * This layout is created at the first free address visible * to BL2. BL2 will read the memory layout before using its * memory for other purposes. */ #if LOAD_IMAGE_V2 bl2_tzram_layout = (meminfo_t *) bl1_tzram_layout->total_base; #else bl2_tzram_layout = (meminfo_t *) bl1_tzram_layout->free_base; #endif /* LOAD_IMAGE_V2 */ bl1_init_bl2_mem_layout(bl1_tzram_layout, bl2_tzram_layout); ep_info->args.arg1 = (uintptr_t)bl2_tzram_layout; NOTICE("BL1: Booting BL2\n"); VERBOSE("BL1: BL2 memory layout address = %p\n", (void *) bl2_tzram_layout); } /******************************************************************************* * This function prepares the context for Secure/Normal world images. * Normal world images are transitioned to EL2(if supported) else EL1. ******************************************************************************/ void bl1_prepare_next_image(unsigned int image_id) { unsigned int security_state; image_desc_t *image_desc; entry_point_info_t *next_bl_ep; #if CTX_INCLUDE_AARCH32_REGS /* * Ensure that the build flag to save AArch32 system registers in CPU * context is not set for AArch64-only platforms. */ if (((read_id_aa64pfr0_el1() >> ID_AA64PFR0_EL1_SHIFT) & ID_AA64PFR0_ELX_MASK) == 0x1) { ERROR("EL1 supports AArch64-only. Please set build flag " "CTX_INCLUDE_AARCH32_REGS = 0"); panic(); } #endif /* Get the image descriptor. */ image_desc = bl1_plat_get_image_desc(image_id);---------------獲取鏡像描述信息,包括入口地址、名字等等。 assert(image_desc); /* Get the entry point info. */ next_bl_ep = &image_desc->ep_info; /* Get the image security state. */ security_state = GET_SECURITY_STATE(next_bl_ep->h.attr);------鏡像是屬於安全還是非安全鏡像。 /* Setup the Secure/Non-Secure context if not done already. */ if (!cm_get_context(security_state)) cm_set_context(&bl1_cpu_context[security_state], security_state); /* Prepare the SPSR for the next BL image. */ if (security_state == SECURE) {-------------------------------設置鏡像運行的SPSR數據。 next_bl_ep->spsr = SPSR_64(MODE_EL1, MODE_SP_ELX, DISABLE_ALL_EXCEPTIONS); } else { /* Use EL2 if supported else use EL1. */ if (read_id_aa64pfr0_el1() & (ID_AA64PFR0_ELX_MASK << ID_AA64PFR0_EL2_SHIFT)) { next_bl_ep->spsr = SPSR_64(MODE_EL2, MODE_SP_ELX, DISABLE_ALL_EXCEPTIONS); } else { next_bl_ep->spsr = SPSR_64(MODE_EL1, MODE_SP_ELX, DISABLE_ALL_EXCEPTIONS); } } /* Allow platform to make change */ bl1_plat_set_ep_info(image_id, next_bl_ep); /* Prepare the context for the next BL image. */ cm_init_my_context(next_bl_ep); cm_prepare_el3_exit(security_state);--------------------------為運行下一個鏡像,EL3做好准備。 /* Indicate that image is in execution state. */ image_desc->state = IMAGE_STATE_EXECUTED; print_entry_point_info(next_bl_ep);---------------------------打印下一級進行相關信息。下面即將el3_exit,退出EL3進入新的進項運行。 }
3 BL2
BL2的主要工作就是加載BL3x系列鏡像,然后通過SMC進入BL1進而跳轉到BL31運行。
bl2_entrypoint()是BL2的入口,前半部分主要進行一系列初始化工作,然后通過bl2_main()加載BL3x鏡像到RAM中,最后通過SMC調用執行BL1中指定的smc handler將CPU執行權交給BL31。
func bl2_entrypoint
/*---------------------------------------------
* Save from x1 the extents of the tzram
* available to BL2 for future use.
* x0 is not currently used.
* ---------------------------------------------
*/ mov x20, x1 /* --------------------------------------------- * Set the exception vector to something sane. * --------------------------------------------- */ adr x0, early_exceptions msr vbar_el1, x0-------------------------------------設定異常向量。 isb /* --------------------------------------------- * Enable the SError interrupt now that the * exception vectors have been setup. * --------------------------------------------- */ msr daifclr, #DAIF_ABT_BIT /* --------------------------------------------- * Enable the instruction cache, stack pointer * and data access alignment checks * --------------------------------------------- */ mov x1, #(SCTLR_I_BIT | SCTLR_A_BIT | SCTLR_SA_BIT) mrs x0, sctlr_el1 orr x0, x0, x1 msr sctlr_el1, x0----------------------------------配置cache、內存對齊等屬性。 isb /* --------------------------------------------- * Invalidate the RW memory used by the BL2 * image. This includes the data and NOBITS * sections. This is done to safeguard against * possible corruption of this memory by dirty * cache lines in a system cache as a result of * use by an earlier boot loader stage. * --------------------------------------------- */ adr x0, __RW_START__ adr x1, __RW_END__ sub x1, x1, x0 bl inv_dcache_range-------------------------------將BL2的__RW_START__和__RW_END__之間的內存刷回DDR中。 /* --------------------------------------------- * Zero out NOBITS sections. There are 2 of them: * - the .bss section; * - the coherent memory section. * --------------------------------------------- */ ldr x0, =__BSS_START__ ldr x1, =__BSS_SIZE__ bl zeromem16--------------------------------------初始化__BSS_START__開始,大小為__BSS_SIZE__內存為0。 #if USE_COHERENT_MEM ldr x0, =__COHERENT_RAM_START__ ldr x1, =__COHERENT_RAM_UNALIGNED_SIZE__ bl zeromem16 #endif /* -------------------------------------------- * Allocate a stack whose memory will be marked * as Normal-IS-WBWA when the MMU is enabled. * There is no risk of reading stale stack * memory after enabling the MMU as only the * primary cpu is running at the moment. * -------------------------------------------- */ bl plat_set_my_stack /* --------------------------------------------- * Perform early platform setup & platform * specific early arch. setup e.g. mmu setup * --------------------------------------------- */ mov x0, x20 bl bl2_early_platform_setup bl bl2_plat_arch_setup /* --------------------------------------------- * Jump to main function. * --------------------------------------------- */ bl bl2_main------------------------------------跳轉到BL2主函數執行,該函數加載BL3x鏡像,並通過SMC調用BL1指定SMC函數將CPU執行權交給BL31。 /* --------------------------------------------- * Should never reach this point. * --------------------------------------------- */ no_ret plat_panic_handler endfunc bl2_entrypoint
bl2_main()主要加載BL3x鏡像並驗證,然后獲取下一個要運行的鏡像信息,通過SMC調用讓BL1去啟動。
/******************************************************************************* * The only thing to do in BL2 is to load further images and pass control to * next BL. The memory occupied by BL2 will be reclaimed by BL3x stages. BL2 * runs entirely in S-EL1. ******************************************************************************/ void bl2_main(void) { entry_point_info_t *next_bl_ep_info; NOTICE("BL2: %s\n", version_string); NOTICE("BL2: %s\n", build_message); /* Perform remaining generic architectural setup in S-EL1 */ bl2_arch_setup(); #if TRUSTED_BOARD_BOOT /* Initialize authentication module */ auth_mod_init(); #endif /* TRUSTED_BOARD_BOOT */ /* Load the subsequent bootloader images. */ next_bl_ep_info = bl2_load_images(); #ifdef AARCH32 /* * For AArch32 state BL1 and BL2 share the MMU setup. * Given that BL2 does not map BL1 regions, MMU needs * to be disabled in order to go back to BL1. */ disable_mmu_icache_secure(); #endif /* AARCH32 */ /* * Run next BL image via an SMC to BL1. Information on how to pass * control to the BL32 (if present) and BL33 software images will * be passed to next BL image as an argument. */ smc(BL1_SMC_RUN_IMAGE, (unsigned long)next_bl_ep_info, 0, 0, 0, 0, 0, 0);----------發起SMC異常啟動BL31鏡像,交給BL1 bl1_aarch32_smc_handler處理。 }
bl2_mem_params_descs定義了BL2需要加載鏡像的信息,通過REGISTER_BL_IMAGE_DESCS()將其和bl_mem_params_desc_ptr關聯,並獲取需要加載鏡像數目bl_mem_params_desc_num。
#define REGISTER_BL_IMAGE_DESCS(_img_desc) \ bl_mem_params_node_t *bl_mem_params_desc_ptr = &_img_desc[0]; \ unsigned int bl_mem_params_desc_num = ARRAY_SIZE(_img_desc); static bl_mem_params_node_t bl2_mem_params_descs[] = { ... #ifdef EL3_PAYLOAD_BASE ... #else /* EL3_PAYLOAD_BASE */ /* Fill BL31 related information */ { .image_id = BL31_IMAGE_ID, SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP, VERSION_2, entry_point_info_t, SECURE | EXECUTABLE | EP_FIRST_EXE), .ep_info.pc = BL31_BASE, .ep_info.spsr = SPSR_64(MODE_EL3, MODE_SP_ELX, DISABLE_ALL_EXCEPTIONS), #if DEBUG .ep_info.args.arg1 = ARM_BL31_PLAT_PARAM_VAL, #endif SET_STATIC_PARAM_HEAD(image_info, PARAM_EP, VERSION_2, image_info_t, IMAGE_ATTRIB_PLAT_SETUP), .image_info.image_base = BL31_BASE, .image_info.image_max_size = BL31_LIMIT - BL31_BASE, # ifdef BL32_BASE .next_handoff_image_id = BL32_IMAGE_ID, # else .next_handoff_image_id = BL33_IMAGE_ID, # endif }, # ifdef BL32_BASE /* Fill BL32 related information */ { .image_id = BL32_IMAGE_ID, SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP, VERSION_2, entry_point_info_t, SECURE | EXECUTABLE), .ep_info.pc = BL32_BASE, SET_STATIC_PARAM_HEAD(image_info, PARAM_EP, VERSION_2, image_info_t, 0), .image_info.image_base = BL32_BASE, .image_info.image_max_size = BL32_LIMIT - BL32_BASE, .next_handoff_image_id = BL33_IMAGE_ID, }, # endif /* BL32_BASE */ /* Fill BL33 related information */ { .image_id = BL33_IMAGE_ID, SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP, VERSION_2, entry_point_info_t, NON_SECURE | EXECUTABLE), # ifdef PRELOADED_BL33_BASE .ep_info.pc = PRELOADED_BL33_BASE, SET_STATIC_PARAM_HEAD(image_info, PARAM_EP, VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING), # else .ep_info.pc = PLAT_ARM_NS_IMAGE_OFFSET, SET_STATIC_PARAM_HEAD(image_info, PARAM_EP, VERSION_2, image_info_t, 0), .image_info.image_base = PLAT_ARM_NS_IMAGE_OFFSET, .image_info.image_max_size = ARM_DRAM1_SIZE, # endif /* PRELOADED_BL33_BASE */ .next_handoff_image_id = INVALID_IMAGE_ID, } #endif /* EL3_PAYLOAD_BASE */ }; REGISTER_BL_IMAGE_DESCS(bl2_mem_params_descs) /******************************************************************************* * This function loads SCP_BL2/BL3x images and returns the ep_info for * the next executable image. ******************************************************************************/ entry_point_info_t *bl2_load_images(void) { bl_params_t *bl2_to_next_bl_params; bl_load_info_t *bl2_load_info; const bl_load_info_node_t *bl2_node_info; int plat_setup_done = 0; int err; /* * Get information about the images to load. */ bl2_load_info = plat_get_bl_image_load_info();-----------------獲取待加載鏡像BL3x或SCP_EL2信息,然后遍歷處理。 assert(bl2_load_info); assert(bl2_load_info->head); assert(bl2_load_info->h.type == PARAM_BL_LOAD_INFO); assert(bl2_load_info->h.version >= VERSION_2); bl2_node_info = bl2_load_info->head;---------------------------bl2_node_info指向鏡像第一個對象。 while (bl2_node_info) {----------------------------------------循環遍歷bl2_mem_params_descs成員並加載處理。 /* * Perform platform setup before loading the image, * if indicated in the image attributes AND if NOT * already done before. */ if (bl2_node_info->image_info->h.attr & IMAGE_ATTRIB_PLAT_SETUP) {----確定加載前是否需要進行特定平台初始化。 if (plat_setup_done) { WARN("BL2: Platform setup already done!!\n"); } else { INFO("BL2: Doing platform setup\n"); bl2_platform_setup(); plat_setup_done = 1; } } if (!(bl2_node_info->image_info->h.attr & IMAGE_ATTRIB_SKIP_LOADING)) {----確定是否需要跳過加載到RAM步驟;如否,則進行驗證並加載。 INFO("BL2: Loading image id %d\n", bl2_node_info->image_id); err = load_auth_image(bl2_node_info->image_id, bl2_node_info->image_info);----------------------------------------將鏡像加載到RAM,然后進行驗證。 if (err) { ERROR("BL2: Failed to load image (%i)\n", err); plat_error_handler(err); } } else { INFO("BL2: Skip loading image id %d\n", bl2_node_info->image_id); } /* Allow platform to handle image information. */ err = bl2_plat_handle_post_image_load(bl2_node_info->image_id);-------------修改特定鏡像的加載信息。 if (err) { ERROR("BL2: Failure in post image load handling (%i)\n", err); plat_error_handler(err); } /* Go to next image */ bl2_node_info = bl2_node_info->next_load_info;------------------------------循環加載下一個鏡像。 } /* * Get information to pass to the next image. */ bl2_to_next_bl_params = plat_get_next_bl_params();------------------------------獲取下一個執行鏡像入口信息,屬性為EXECUTABLE和EP_FIRST_EXE,也即BL31。 assert(bl2_to_next_bl_params); assert(bl2_to_next_bl_params->head); assert(bl2_to_next_bl_params->h.type == PARAM_BL_PARAMS); assert(bl2_to_next_bl_params->h.version >= VERSION_2); /* Flush the parameters to be passed to next image */ plat_flush_next_bl_params();----------------------------------------------------將bl_mem_params_desc_ptr數據刷到DDR中,后面即將通過SMC跳轉到BL1啟動BL31,保持數據一致性。 return bl2_to_next_bl_params->head->ep_info; }
4. BL31(EL3 Firmware)
參考文檔:《SMC CALLING CONVENTION System Software on ARM® Platforms》
SMCCC定義了每個SMC請求功能的ID以及入參和返回值。
下面逐一介紹運行在EL3固件的運行服務框架的注冊、初始化和使用。
SMCCC定義了每個運行服務框架的SMC功能ID、OEN(Owning Entity Numbers)、Fast和Standard調用、SMC32和SMC64調用轉換。
需要優先實現的功能有:
- Standard服務調用:
- Secure-EL1 Payload Dispatcher service:如果存在TOS或者S.EL1 Payload,則需要EL3 Secure Monitor負責切換NS.EL1/2和S.EL1。Secure Monitor和S.EL1 Payload之間接口被稱為SPD(S.EL1 Payload Dispatcher)。ATF還提供了TSP(Test S.EL1 Payload)和TSPD。
- CPU特有服務:提供CPU特有的的功能服務。
4.1 運行服務注冊
DECLARE_RT_SVC()用於注冊一個運行服務,指定服務名稱、OEN范圍、服務類型(SMC_TYPE_FAST/SMC_TYPE_STD)、初始化和調用函數。
通過DECLARE_RT_SVC()注冊的每個服務都會在ELF的rt_svc_descs段中存在,__RT_SVC_DESCS_START__和__RT_SVC_DESCS_END__是此段的起始結束地址,並可以通過地址范圍計算服務數量RT_SVC_DECS_NUM。
/* * Convenience macro to declare a service descriptor */ #define DECLARE_RT_SVC(_name, _start, _end, _type, _setup, _smch) \ static const rt_svc_desc_t __svc_desc_ ## _name \ __section("rt_svc_descs") __used = { \ .start_oen = _start, \ .end_oen = _end, \ .call_type = _type, \ .name = #_name, \ .init = _setup, \ .handle = _smch } typedef struct rt_svc_desc { uint8_t start_oen;-------------------service內部啟動oen uint8_t end_oen;---------------------service內部末尾oen uint8_t call_type;-------------------smc類型,是fast call還是standard call const char *name;--------------------service名稱 rt_svc_init_t init;------------------service初始化函數 rt_svc_handle_t handle;--------------對應function id的調用函數 } rt_svc_desc_t;
SMC功能ID范圍定義如下:
/******************************************************************************* * Owning entity number definitions inside the function id as per the SMC * calling convention ******************************************************************************/ #define OEN_ARM_START 0 #define OEN_ARM_END 0 #define OEN_CPU_START 1 #define OEN_CPU_END 1 #define OEN_SIP_START 2 #define OEN_SIP_END 2 #define OEN_OEM_START 3 #define OEN_OEM_END 3 #define OEN_STD_START 4 /* Standard Calls */ #define OEN_STD_END 4 #define OEN_TAP_START 48 /* Trusted Applications */ #define OEN_TAP_END 49 #define OEN_TOS_START 50 /* Trusted OS */ #define OEN_TOS_END 63 #define OEN_LIMIT 64
上面的定義根據如下規格:
MAX_RT_SVCS為128,是因為OEN有64個,SMC類型有Standard和Fast兩種類型,所以一共有128種。rt_svc_descs_indices[]一共有128個。
4.2 ATF初始化
bl31_entrypoint()是冷啟動的入口,只會被cpu0執行。
func bl31_entrypoint #if !RESET_TO_BL31 /* --------------------------------------------------------------- * Preceding bootloader has populated x0 with a pointer to a * 'bl31_params' structure & x1 with a pointer to platform * specific structure * --------------------------------------------------------------- */ #if HISILICON /* hisilicon use args from uboot, * load_fip.c has set value in address 8 and 16 */ mov x0, 8 mov x1, 16 ldr x20, [x0] ldr x21, [x1] #else mov x20, x0 mov x21, x1 #endif /* --------------------------------------------------------------------- * For !RESET_TO_BL31 systems, only the primary CPU ever reaches * bl31_entrypoint() during the cold boot flow, so the cold/warm boot * and primary/secondary CPU logic should not be executed in this case. * * Also, assume that the previous bootloader has already set up the CPU * endianness and has initialised the memory. * --------------------------------------------------------------------- */ el3_entrypoint_common \ _set_endian=0 \ _warm_boot_mailbox=0 \ _secondary_cold_boot=0 \ _init_memory=0 \ _init_c_runtime=1 \ _exception_vectors=runtime_exceptions----------------------------runtime_exceptions是ATF的異常向量表。 /* --------------------------------------------------------------------- * Relay the previous bootloader's arguments to the platform layer * --------------------------------------------------------------------- */ mov x0, x20 mov x1, x21 #else /* --------------------------------------------------------------------- * For RESET_TO_BL31 systems which have a programmable reset address, * bl31_entrypoint() is executed only on the cold boot path so we can * skip the warm boot mailbox mechanism. * --------------------------------------------------------------------- */ el3_entrypoint_common \ _set_endian=1 \ _warm_boot_mailbox=!PROGRAMMABLE_RESET_ADDRESS \ _secondary_cold_boot=!COLD_BOOT_SINGLE_CPU \ _init_memory=1 \ _init_c_runtime=1 \ _exception_vectors=runtime_exceptions /* --------------------------------------------------------------------- * For RESET_TO_BL31 systems, BL31 is the first bootloader to run so * there's no argument to relay from a previous bootloader. Zero the * arguments passed to the platform layer to reflect that. * --------------------------------------------------------------------- */ mov x0, 0 mov x1, 0 #endif /* RESET_TO_BL31 */ /* --------------------------------------------- * Perform platform specific early arch. setup * --------------------------------------------- */ bl bl31_early_platform_setup-------------------------------------初始化UART,以及獲取BL32、BL33的entrypoint。 bl bl31_plat_arch_setup------------------------------------------MMU內存初始化。 /* --------------------------------------------- * Jump to main function. * --------------------------------------------- */ bl bl31_main /* ------------------------------------------------------------- * Clean the .data & .bss sections to main memory. This ensures * that any global data which was initialised by the primary CPU * is visible to secondary CPUs before they enable their data * caches and participate in coherency. * ------------------------------------------------------------- */ adr x0, __DATA_START__ adr x1, __DATA_END__ sub x1, x1, x0 bl clean_dcache_range adr x0, __BSS_START__ adr x1, __BSS_END__ sub x1, x1, x0 bl clean_dcache_range--------------------------------------------刷data和bss段到內存中。 b el3_exit endfunc bl31_entrypoint
BL3異常向量表runtime_exceptions
el3_exit()退出當前ATF執行下一階段的鏡像。
/* ----------------------------------------------------- * This routine assumes that the SP_EL3 is pointing to * a valid context structure from where the gp regs and * other special registers can be retrieved. * ----------------------------------------------------- */ func el3_exit /* ----------------------------------------------------- * Save the current SP_EL0 i.e. the EL3 runtime stack * which will be used for handling the next SMC. Then * switch to SP_EL3 * ----------------------------------------------------- */ mov x17, sp msr spsel, #1 str x17, [sp, #CTX_EL3STATE_OFFSET + CTX_RUNTIME_SP] /* ----------------------------------------------------- * Restore SPSR_EL3, ELR_EL3 and SCR_EL3 prior to ERET * ----------------------------------------------------- */ ldr x18, [sp, #CTX_EL3STATE_OFFSET + CTX_SCR_EL3] ldp x16, x17, [sp, #CTX_EL3STATE_OFFSET + CTX_SPSR_EL3] msr scr_el3, x18 msr spsr_el3, x16 msr elr_el3, x17 /* Restore saved general purpose registers and return */ b restore_gp_registers_eret endfunc el3_exit
bl31_main()是ATF主體,初始化好ATF服務、啟動optee os,至此可以提供psci、TOS等服務。然后再為進入BL33做好准備工作。
/******************************************************************************* * BL31 is responsible for setting up the runtime services for the primary cpu * before passing control to the bootloader or an Operating System. This * function calls runtime_svc_init() which initializes all registered runtime * services. The run time services would setup enough context for the core to * swtich to the next exception level. When this function returns, the core will * switch to the programmed exception level via. an ERET. ******************************************************************************/ void bl31_main(void) { NOTICE("BL31: %s\n", version_string); NOTICE("BL31: %s\n", build_message); /* Perform platform setup in BL31 */ bl31_platform_setup();---------------------------------------------------初始化GIC、Timer、Power等工作。 /* Initialise helper libraries */ bl31_lib_init();---------------------------------------------------------初始化BL31中相關全局變量。 /* Initialize the runtime services e.g. psci. */ INFO("BL31: Initializing runtime services\n"); runtime_svc_init();------------------------------------------------------初始化EL3 ATF中注冊的服務,編譯時放在rt_svc_decs特定段中。 /* * All the cold boot actions on the primary cpu are done. We now need to * decide which is the next image (BL32 or BL33) and how to execute it. * If the SPD runtime service is present, it would want to pass control * to BL32 first in S-EL1. In that case, SPD would have registered a * function to intialize bl32 where it takes responsibility of entering * S-EL1 and returning control back to bl31_main. Once this is done we * can prepare entry into BL33 as normal. */ /* * If SPD had registerd an init hook, invoke it. */ if (bl32_init) { INFO("BL31: Initializing BL32\n"); (*bl32_init)();------------------------------------------------------如果注冊了TOS支持,調用對應的init函數初始化TOS。對於optee就是opteed_init()。 } /* * We are ready to enter the next EL. Prepare entry into the image * corresponding to the desired security state after the next ERET. */ bl31_prepare_next_image_entry();-----------------------------------------准備跳轉到BL33, /* * Perform any platform specific runtime setup prior to cold boot exit * from BL31 */ bl31_plat_runtime_setup();-----------------------------------------------BL31退出前准備工作。 }
runtime_svc_init()作為BL31初始化一部分,初始化了運行在主CPU上的運行服務框架。這必須在TOS和普通世界軟件啟動之前執行,因為安全和非安全軟件可能需要使用這部分內容。
runtime_svc_init()主要對注冊的服務進行有限性驗證,調用各自服務的初始化函數init(),以及將不同SMC OEN轉換到注冊服務ID。
在實際使用中,注冊一個服務可能對應一系列SMC調用。
void runtime_svc_init(void) { int rc = 0, index, start_idx, end_idx; /* Assert the number of descriptors detected are less than maximum indices */ assert((RT_SVC_DESCS_END >= RT_SVC_DESCS_START) && (RT_SVC_DECS_NUM < MAX_RT_SVCS)); /* If no runtime services are implemented then simply bail out */ if (RT_SVC_DECS_NUM == 0)-----------------------------------------------對注冊到ATF的SMC服務數量進行檢查。 return; /* Initialise internal variables to invalid state */ memset(rt_svc_descs_indices, -1, sizeof(rt_svc_descs_indices)); rt_svc_descs = (rt_svc_desc_t *) RT_SVC_DESCS_START; for (index = 0; index < RT_SVC_DECS_NUM; index++) {----------------------遍歷rt_svc_descs段, rt_svc_desc_t *service = &rt_svc_descs[index]; rc = validate_rt_svc_desc(service); if (rc) { ERROR("Invalid runtime service descriptor %p\n", (void *) service); panic(); } if (service->init) { rc = service->init();--------------------------------------------執行當前service的init函數。 if (rc) { ERROR("Error initializing runtime service %s\n", service->name); continue; } } start_idx = get_unique_oen(rt_svc_descs[index].start_oen, service->call_type); assert(start_idx < MAX_RT_SVCS); end_idx = get_unique_oen(rt_svc_descs[index].end_oen, service->call_type); assert(end_idx < MAX_RT_SVCS); for (; start_idx <= end_idx; start_idx++)----------------------------根據call_type和oen范圍,確定rt_svc_descs_indices對應下標,達到SMC function id到注冊service id的轉換。 rt_svc_descs_indices[start_idx] = index; } }
4.3 處理SMC
當EL3 Firmware接收到一個SMC時,SMC功能ID通過W0傳遞到EL3 Firmware。這是根據寄存位寬和W0進行檢查,如果兩者不匹配則返回錯誤。
其中Bit[31]和bits[29:24]共7bit組成一個0~127范圍數值,在rt_svc_descs_indices[]所對應具體的軟件服務rt_svc_descs[]索引。
進而調用具體軟件服務的handle()函數:
uintptr_t handle_runtime_svc(uint32_t smc_fid, void *cookie, void *handle, unsigned int flags) { u_register_t x1, x2, x3, x4; int index, idx; const rt_svc_desc_t *rt_svc_descs; assert(handle); idx = get_unique_oen_from_smc_fid(smc_fid); assert(idx >= 0 && idx < MAX_RT_SVCS); index = rt_svc_descs_indices[idx];---------------------將從x0寄存器中讀取的Standard/Fast和OWN組合的idx,找到Runtime Service的index。 if (index < 0 || index >= RT_SVC_DECS_NUM) SMC_RET1(handle, SMC_UNK); rt_svc_descs = (rt_svc_desc_t *) RT_SVC_DESCS_START;---Runtime Service起始地址。 get_smc_params_from_ctx(handle, x1, x2, x3, x4);-------獲取x1/x2/x3/x4寄存器。 return rt_svc_descs[index].handle(smc_fid, x1, x2, x3, x4, cookie, handle, flags);--------------------調用具體Runtime Service的handle()函數。 }
5. BL31 PSCI
參考文檔:《POWER STATE COORDINATION INTERFACE (PSCI) System Software on ARM® Systems》
PSCI功能作為Standard service一部分,由std_svc_smc_handler()處理。
DECLARE_RT_SVC( std_svc, OEN_STD_START, OEN_STD_END, SMC_TYPE_FAST, std_svc_setup, std_svc_smc_handler-----------------------------對於Fast類型Standard服務調用,主要是進行PSCI處理。 ); uintptr_t std_svc_smc_handler(uint32_t smc_fid, u_register_t x1, u_register_t x2, u_register_t x3, u_register_t x4, void *cookie, void *handle, u_register_t flags) { /* * Dispatch PSCI calls to PSCI SMC handler and return its return * value */ if (is_psci_fid(smc_fid)) { uint64_t ret; ... ret = psci_smc_handler(smc_fid, x1, x2, x3, x4, cookie, handle, flags);---------------------首先判斷是否是Fast類型,然后交給psci_smc_handler()進行處理。 ... SMC_RET1(handle, ret); } ... } u_register_t psci_smc_handler(uint32_t smc_fid, u_register_t x1, u_register_t x2, u_register_t x3, u_register_t x4, void *cookie, void *handle, u_register_t flags) { if (is_caller_secure(flags)) return SMC_UNK; /* Check the fid against the capabilities */ if (!(psci_caps & define_psci_cap(smc_fid))) return SMC_UNK; if (((smc_fid >> FUNCID_CC_SHIFT) & FUNCID_CC_MASK) == SMC_32) { ... } else {---------------------------------------------這里以64系統為例。 /* 64-bit PSCI function */ switch (smc_fid) { case PSCI_CPU_SUSPEND_AARCH64: return psci_cpu_suspend(x1, x2, x3); case PSCI_CPU_ON_AARCH64:-----------------------PSCI_CPU_ON_AARCH64為0xc4000003,bit[31]=1:Fast Call、bit[30]=1:SMC64、bits[29:24]=000100:Starndard service、bits[15:0]=0000 0011:內部定義序號。 return psci_cpu_on(x1, x2, x3);
case PSCI_AFFINITY_INFO_AARCH64:
return psci_affinity_info(x1, x2);
case PSCI_MIG_AARCH64:
return psci_migrate(x1);
case PSCI_MIG_INFO_UP_CPU_AARCH64:
return psci_migrate_info_up_cpu();
case PSCI_NODE_HW_STATE_AARCH64:
return psci_node_hw_state(x1, x2);
case PSCI_SYSTEM_SUSPEND_AARCH64:
return psci_system_suspend(x1, x2);
#if ENABLE_PSCI_STAT
case PSCI_STAT_RESIDENCY_AARCH64:
return psci_stat_residency(x1, x2);
case PSCI_STAT_COUNT_AARCH64:
return psci_stat_count(x1, x2);
#endif
default: break; } } WARN("Unimplemented PSCI Call: 0x%x \n", smc_fid); return SMC_UNK; }
5.1 PSCI_VERSION
unsigned int psci_version(void) { return PSCI_MAJOR_VER | PSCI_MINOR_VER; } #define PSCI_MAJOR_VER (1 << 16) #define PSCI_MINOR_VER 0x0
5.2 PSCI_CPU_SUSPEND
int psci_cpu_suspend(unsigned int power_state, uintptr_t entrypoint, u_register_t context_id) { int rc; unsigned int target_pwrlvl, is_power_down_state; entry_point_info_t ep; psci_power_state_t state_info = { {PSCI_LOCAL_STATE_RUN} }; plat_local_state_t cpu_pd_state; /* Validate the power_state parameter */ rc = psci_validate_power_state(power_state, &state_info); if (rc != PSCI_E_SUCCESS) { assert(rc == PSCI_E_INVALID_PARAMS); return rc; } /* * Get the value of the state type bit from the power state parameter. */ is_power_down_state = psci_get_pstate_type(power_state); /* Sanity check the requested suspend levels */ assert(psci_validate_suspend_req(&state_info, is_power_down_state) == PSCI_E_SUCCESS); target_pwrlvl = psci_find_target_suspend_lvl(&state_info); if (target_pwrlvl == PSCI_INVALID_PWR_LVL) { ERROR("Invalid target power level for suspend operation\n"); panic(); } /* Fast path for CPU standby.*/ if (is_cpu_standby_req(is_power_down_state, target_pwrlvl)) { if (!psci_plat_pm_ops->cpu_standby) return PSCI_E_INVALID_PARAMS; /* * Set the state of the CPU power domain to the platform * specific retention state and enter the standby state. */ cpu_pd_state = state_info.pwr_domain_state[PSCI_CPU_PWR_LVL]; psci_set_cpu_local_state(cpu_pd_state); #if ENABLE_PSCI_STAT /* * Capture time-stamp before CPU standby * No cache maintenance is needed as caches * are ON through out the CPU standby operation. */ PMF_CAPTURE_TIMESTAMP(psci_svc, PSCI_STAT_ID_ENTER_LOW_PWR, PMF_NO_CACHE_MAINT); #endif #if ENABLE_RUNTIME_INSTRUMENTATION PMF_CAPTURE_TIMESTAMP(rt_instr_svc, RT_INSTR_ENTER_HW_LOW_PWR, PMF_NO_CACHE_MAINT); #endif psci_plat_pm_ops->cpu_standby(cpu_pd_state); /* Upon exit from standby, set the state back to RUN. */ psci_set_cpu_local_state(PSCI_LOCAL_STATE_RUN); #if ENABLE_RUNTIME_INSTRUMENTATION PMF_CAPTURE_TIMESTAMP(rt_instr_svc, RT_INSTR_EXIT_HW_LOW_PWR, PMF_NO_CACHE_MAINT); #endif #if ENABLE_PSCI_STAT /* Capture time-stamp after CPU standby */ PMF_CAPTURE_TIMESTAMP(psci_svc, PSCI_STAT_ID_EXIT_LOW_PWR, PMF_NO_CACHE_MAINT); /* Update PSCI stats */ psci_stats_update_pwr_up(PSCI_CPU_PWR_LVL, &state_info, PMF_NO_CACHE_MAINT); #endif return PSCI_E_SUCCESS; } /* * If a power down state has been requested, we need to verify entry * point and program entry information. */ if (is_power_down_state) { rc = psci_validate_entry_point(&ep, entrypoint, context_id); if (rc != PSCI_E_SUCCESS) return rc; } /* * Do what is needed to enter the power down state. Upon success, * enter the final wfi which will power down this CPU. This function * might return if the power down was abandoned for any reason, e.g. * arrival of an interrupt */ psci_cpu_suspend_start(&ep, target_pwrlvl, &state_info, is_power_down_state); return PSCI_E_SUCCESS; }
5.3 PSCI_CPU_OFF
int psci_cpu_off(void) { int rc; unsigned int target_pwrlvl = PLAT_MAX_PWR_LVL; /* * Do what is needed to power off this CPU and possible higher power * levels if it able to do so. Upon success, enter the final wfi * which will power down this CPU. */ rc = psci_do_cpu_off(target_pwrlvl); /* * The only error cpu_off can return is E_DENIED. So check if that's * indeed the case. */ assert(rc == PSCI_E_DENIED); return rc; }
5.4 PSCI_CPU_ON
/******************************************************************************* * PSCI frontend api for servicing SMCs. Described in the PSCI spec. ******************************************************************************/ int psci_cpu_on(u_register_t target_cpu, uintptr_t entrypoint, u_register_t context_id) { int rc; entry_point_info_t ep; /* Determine if the cpu exists of not */ rc = psci_validate_mpidr(target_cpu); if (rc != PSCI_E_SUCCESS) return PSCI_E_INVALID_PARAMS; /* Validate the entry point and get the entry_point_info */ rc = psci_validate_entry_point(&ep, entrypoint, context_id); if (rc != PSCI_E_SUCCESS) return rc; /* * To turn this cpu on, specify which power * levels need to be turned on */ return psci_cpu_on_start(target_cpu, &ep); }
5.5 PSCI_AFFINITY_INFO
int psci_affinity_info(u_register_t target_affinity, unsigned int lowest_affinity_level) { unsigned int target_idx; /* We dont support level higher than PSCI_CPU_PWR_LVL */ if (lowest_affinity_level > PSCI_CPU_PWR_LVL) return PSCI_E_INVALID_PARAMS; /* Calculate the cpu index of the target */ target_idx = plat_core_pos_by_mpidr(target_affinity); if (target_idx == -1) return PSCI_E_INVALID_PARAMS; return psci_get_aff_info_state_by_idx(target_idx); }
5.6 PSCI_MIG
int psci_migrate(u_register_t target_cpu) { int rc; u_register_t resident_cpu_mpidr; rc = psci_spd_migrate_info(&resident_cpu_mpidr); if (rc != PSCI_TOS_UP_MIG_CAP) return (rc == PSCI_TOS_NOT_UP_MIG_CAP) ? PSCI_E_DENIED : PSCI_E_NOT_SUPPORTED; /* * Migrate should only be invoked on the CPU where * the Secure OS is resident. */ if (resident_cpu_mpidr != read_mpidr_el1()) return PSCI_E_NOT_PRESENT; /* Check the validity of the specified target cpu */ rc = psci_validate_mpidr(target_cpu); if (rc != PSCI_E_SUCCESS) return PSCI_E_INVALID_PARAMS; assert(psci_spd_pm && psci_spd_pm->svc_migrate); rc = psci_spd_pm->svc_migrate(read_mpidr_el1(), target_cpu); assert(rc == PSCI_E_SUCCESS || rc == PSCI_E_INTERN_FAIL); return rc; }
5.7 PSCI_MIG_INFO_TYPE
int psci_migrate_info_type(void) { u_register_t resident_cpu_mpidr; return psci_spd_migrate_info(&resident_cpu_mpidr); } /******************************************************************************* * This function invokes the migrate info hook in the spd_pm_ops. It performs * the necessary return value validation. If the Secure Payload is UP and * migrate capable, it returns the mpidr of the CPU on which the Secure payload * is resident through the mpidr parameter. Else the value of the parameter on * return is undefined. ******************************************************************************/ int psci_spd_migrate_info(u_register_t *mpidr) { int rc; if (!psci_spd_pm || !psci_spd_pm->svc_migrate_info) return PSCI_E_NOT_SUPPORTED; rc = psci_spd_pm->svc_migrate_info(mpidr); assert(rc == PSCI_TOS_UP_MIG_CAP || rc == PSCI_TOS_NOT_UP_MIG_CAP \ || rc == PSCI_TOS_NOT_PRESENT_MP || rc == PSCI_E_NOT_SUPPORTED); return rc; }
5.8 PSCI_MIG_INFO_UP_CPU
long psci_migrate_info_up_cpu(void) { u_register_t resident_cpu_mpidr; int rc; /* * Return value of this depends upon what * psci_spd_migrate_info() returns. */ rc = psci_spd_migrate_info(&resident_cpu_mpidr); if (rc != PSCI_TOS_NOT_UP_MIG_CAP && rc != PSCI_TOS_UP_MIG_CAP) return PSCI_E_INVALID_PARAMS; return resident_cpu_mpidr; }
5.9 PSCI_SYSTEM_OFF
void psci_system_off(void) { psci_print_power_domain_map(); assert(psci_plat_pm_ops->system_off); /* Notify the Secure Payload Dispatcher */ if (psci_spd_pm && psci_spd_pm->svc_system_off) { psci_spd_pm->svc_system_off(); } /* Call the platform specific hook */ psci_plat_pm_ops->system_off(); /* This function does not return. We should never get here */ }
5.10 PSCI_SYSTEM_RESET
void psci_system_reset(void) { psci_print_power_domain_map(); assert(psci_plat_pm_ops->system_reset); /* Notify the Secure Payload Dispatcher */ if (psci_spd_pm && psci_spd_pm->svc_system_reset) { psci_spd_pm->svc_system_reset(); } /* Call the platform specific hook */ psci_plat_pm_ops->system_reset(); /* This function does not return. We should never get here */ }
5.11 PSCI_FEATURES
int psci_features(unsigned int psci_fid) { unsigned int local_caps = psci_caps; /* Check if it is a 64 bit function */ if (((psci_fid >> FUNCID_CC_SHIFT) & FUNCID_CC_MASK) == SMC_64) local_caps &= PSCI_CAP_64BIT_MASK; /* Check for invalid fid */ if (!(is_std_svc_call(psci_fid) && is_valid_fast_smc(psci_fid) && is_psci_fid(psci_fid))) return PSCI_E_NOT_SUPPORTED; /* Check if the psci fid is supported or not */ if (!(local_caps & define_psci_cap(psci_fid))) return PSCI_E_NOT_SUPPORTED; /* Format the feature flags */ if (psci_fid == PSCI_CPU_SUSPEND_AARCH32 || psci_fid == PSCI_CPU_SUSPEND_AARCH64) { /* * The trusted firmware does not support OS Initiated Mode. */ return (FF_PSTATE << FF_PSTATE_SHIFT) | ((!FF_SUPPORTS_OS_INIT_MODE) << FF_MODE_SUPPORT_SHIFT); } /* Return 0 for all other fid's */ return PSCI_E_SUCCESS; }
5.12 PSCI_SYSTEM_SUSPEND
int psci_system_suspend(uintptr_t entrypoint, u_register_t context_id) { int rc; psci_power_state_t state_info; entry_point_info_t ep; /* Check if the current CPU is the last ON CPU in the system */ if (!psci_is_last_on_cpu()) return PSCI_E_DENIED; /* Validate the entry point and get the entry_point_info */ rc = psci_validate_entry_point(&ep, entrypoint, context_id); if (rc != PSCI_E_SUCCESS) return rc; /* Query the psci_power_state for system suspend */ psci_query_sys_suspend_pwrstate(&state_info); /* Ensure that the psci_power_state makes sense */ assert(psci_find_target_suspend_lvl(&state_info) == PLAT_MAX_PWR_LVL); assert(psci_validate_suspend_req(&state_info, PSTATE_TYPE_POWERDOWN) == PSCI_E_SUCCESS); assert(is_local_state_off(state_info.pwr_domain_state[PLAT_MAX_PWR_LVL])); /* * Do what is needed to enter the system suspend state. This function * might return if the power down was abandoned for any reason, e.g. * arrival of an interrupt */ psci_cpu_suspend_start(&ep, PLAT_MAX_PWR_LVL, &state_info, PSTATE_TYPE_POWERDOWN); return PSCI_E_SUCCESS; }
6. BL31 OPTEE接口
optee注冊了Fast和Standard兩種調用類型,Fast類型需要使用opteed_setup()進行初始化。兩種類型共用opteed_smc_handler()進行smc處理。
/* Define an OPTEED runtime service descriptor for fast SMC calls */ DECLARE_RT_SVC( opteed_fast, OEN_TOS_START, OEN_TOS_END, SMC_TYPE_FAST, opteed_setup, opteed_smc_handler ); /* Define an OPTEED runtime service descriptor for standard SMC calls */ DECLARE_RT_SVC( opteed_std, OEN_TOS_START, OEN_TOS_END, SMC_TYPE_STD, NULL, opteed_smc_handler );
6.1 optee啟動
在ATF BL31啟動過程中,runtime_svc_init()會調用opteed_setup()來完成optee的啟動。
/******************************************************************************* * OPTEE Dispatcher setup. The OPTEED finds out the OPTEE entrypoint and type * (aarch32/aarch64) if not already known and initialises the context for entry * into OPTEE for its initialization. ******************************************************************************/ int32_t opteed_setup(void) { entry_point_info_t *optee_ep_info; uint32_t linear_id; linear_id = plat_my_core_pos(); optee_ep_info = bl31_plat_get_next_image_ep_info(SECURE);-----------------獲取BL32即optee os鏡像信息。 if (!optee_ep_info) { WARN("No OPTEE provided by BL2 boot loader, Booting device" " without OPTEE initialization. SMC`s destined for OPTEE" " will return SMC_UNK\n"); return 1; } if (!optee_ep_info->pc) return 1; /* * We could inspect the SP image and determine it's execution * state i.e whether AArch32 or AArch64. Assuming it's AArch32 * for the time being. */ opteed_rw = OPTEE_AARCH64; opteed_init_optee_ep_state(optee_ep_info, opteed_rw, optee_ep_info->pc, &opteed_sp_context[linear_id]);------------------------------初始化安全CPU的smc上下文,存放於opteed_sp_context[]中。 /* * All OPTEED initialization done. Now register our init function with * BL31 for deferred invocation */ bl31_register_bl32_init(&opteed_init);-----------------------------------bl32_init指向opteed_init(),在bl31_main()中被調用。 return 0; }
opteed_init()從鏡像中獲取optee os的入口點,並初始化好ATF和optee切換的上下文,然后進入optee並等待返回結果。
/******************************************************************************* * This function passes control to the OPTEE image (BL32) for the first time * on the primary cpu after a cold boot. It assumes that a valid secure * context has already been created by opteed_setup() which can be directly * used. It also assumes that a valid non-secure context has been * initialised by PSCI so it does not need to save and restore any * non-secure state. This function performs a synchronous entry into * OPTEE. OPTEE passes control back to this routine through a SMC. ******************************************************************************/ static int32_t opteed_init(void) { uint32_t linear_id = plat_my_core_pos(); optee_context_t *optee_ctx = &opteed_sp_context[linear_id]; entry_point_info_t *optee_entry_point; uint64_t rc; /* * Get information about the OPTEE (BL32) image. Its * absence is a critical failure. */ optee_entry_point = bl31_plat_get_next_image_ep_info(SECURE);-----------------------------獲取optee os鏡像信息。 assert(optee_entry_point); cm_init_my_context(optee_entry_point);----------------------------------------------------設置當前CPU進入安全狀態的上下文。 /* * Arrange for an entry into OPTEE. It will be returned via * OPTEE_ENTRY_DONE case */ rc = opteed_synchronous_sp_entry(optee_ctx);----------------------------------------------啟動optee os,並等待OPTEE_ENTRY_DONE返回結果。 assert(rc != 0); return rc; } /******************************************************************************* * This function takes an OPTEE context pointer and: * 1. Applies the S-EL1 system register context from optee_ctx->cpu_ctx. * 2. Saves the current C runtime state (callee saved registers) on the stack * frame and saves a reference to this state. * 3. Calls el3_exit() so that the EL3 system and general purpose registers * from the optee_ctx->cpu_ctx are used to enter the OPTEE image. ******************************************************************************/ uint64_t opteed_synchronous_sp_entry(optee_context_t *optee_ctx) { uint64_t rc; assert(optee_ctx != NULL); assert(optee_ctx->c_rt_ctx == 0); /* Apply the Secure EL1 system register context and switch to it */ assert(cm_get_context(SECURE) == &optee_ctx->cpu_ctx); cm_el1_sysregs_context_restore(SECURE);---------------從optee_ctx->cpu_ctx中恢復S.EL1相關寄存器。 cm_set_next_eret_context(SECURE);---------------------保存從S.EL1返回需要的上下文。 rc = opteed_enter_sp(&optee_ctx->c_rt_ctx);-----------將安全CPU保存的狀態恢復到optee_ctx->c_rt_ctx中,並跳轉到opteed os執行。 #if DEBUG optee_ctx->c_rt_ctx = 0; #endif return rc; }
func opteed_enter_sp /* Make space for the registers that we're going to save */ mov x3, sp str x3, [x0, #0] sub sp, sp, #OPTEED_C_RT_CTX_SIZE /* Save callee-saved registers on to the stack */ stp x19, x20, [sp, #OPTEED_C_RT_CTX_X19] stp x21, x22, [sp, #OPTEED_C_RT_CTX_X21] stp x23, x24, [sp, #OPTEED_C_RT_CTX_X23] stp x25, x26, [sp, #OPTEED_C_RT_CTX_X25] stp x27, x28, [sp, #OPTEED_C_RT_CTX_X27] stp x29, x30, [sp, #OPTEED_C_RT_CTX_X29] /* --------------------------------------------- * Everything is setup now. el3_exit() will * use the secure context to restore to the * general purpose and EL3 system registers to * ERET into OPTEE. * --------------------------------------------- */ b el3_exit--------------------------------------------------使用配置好的安全上下文,退出EL3進入OPTEE。 endfunc opteed_enter_sp
6.2 optee的SPD
BL31中處理OP-TEE安全請求分發入口函數是opteed_smc_handler()。
uint64_t opteed_smc_handler(uint32_t smc_fid, uint64_t x1, uint64_t x2, uint64_t x3, uint64_t x4, void *cookie, void *handle, uint64_t flags) { cpu_context_t *ns_cpu_context; uint32_t linear_id = plat_my_core_pos(); optee_context_t *optee_ctx = &opteed_sp_context[linear_id];---------------獲取當前CPU保存的optee上下文。 uint64_t rc; /* * Determine which security state this SMC originated from */ if (is_caller_non_secure(flags)) { /* * This is a fresh request from the non-secure client. * The parameters are in x1 and x2. Figure out which * registers need to be preserved, save the non-secure * state and send the request to the secure payload. */ assert(handle == cm_get_context(NON_SECURE)); cm_el1_sysregs_context_save(NON_SECURE); /* * We are done stashing the non-secure context. Ask the * OPTEE to do the work now. */ /* * Verify if there is a valid context to use, copy the * operation type and parameters to the secure context * and jump to the fast smc entry point in the secure * payload. Entry into S-EL1 will take place upon exit * from this function. */ assert(&optee_ctx->cpu_ctx == cm_get_context(SECURE)); /* Set appropriate entry for SMC. * We expect OPTEE to manage the PSTATE.I and PSTATE.F * flags as appropriate. */ if (GET_SMC_TYPE(smc_fid) == SMC_TYPE_FAST) { cm_set_elr_el3(SECURE, (uint64_t) &optee_vectors->fast_smc_entry); } else { cm_set_elr_el3(SECURE, (uint64_t) &optee_vectors->std_smc_entry); } cm_el1_sysregs_context_restore(SECURE); cm_set_next_eret_context(SECURE); write_ctx_reg(get_gpregs_ctx(&optee_ctx->cpu_ctx), CTX_GPREG_X4, read_ctx_reg(get_gpregs_ctx(handle), CTX_GPREG_X4)); write_ctx_reg(get_gpregs_ctx(&optee_ctx->cpu_ctx), CTX_GPREG_X5, read_ctx_reg(get_gpregs_ctx(handle), CTX_GPREG_X5)); write_ctx_reg(get_gpregs_ctx(&optee_ctx->cpu_ctx), CTX_GPREG_X6, read_ctx_reg(get_gpregs_ctx(handle), CTX_GPREG_X6)); /* Propagate hypervisor client ID */ write_ctx_reg(get_gpregs_ctx(&optee_ctx->cpu_ctx), CTX_GPREG_X7, read_ctx_reg(get_gpregs_ctx(handle), CTX_GPREG_X7)); SMC_RET4(&optee_ctx->cpu_ctx, smc_fid, x1, x2, x3); } /* * Returning from OPTEE */ switch (smc_fid) { case TEESMC_OPTEED_RETURN_ENTRY_DONE:-------------------------------------optee冷啟動初始化完成后返回。 assert(optee_vectors == NULL); optee_vectors = (optee_vectors_t *) x1; if (optee_vectors) { set_optee_pstate(optee_ctx->state, OPTEE_PSTATE_ON); psci_register_spd_pm_hook(&opteed_pm); flags = 0; set_interrupt_rm_flag(flags, NON_SECURE); rc = register_interrupt_type_handler(INTR_TYPE_S_EL1, opteed_sel1_interrupt_handler, flags); if (rc) panic(); } opteed_synchronous_sp_exit(optee_ctx, x1);-----------------------------從optee中返回。 case TEESMC_OPTEED_RETURN_ON_DONE:-----------------------------------------表示optee由cpu_on導致的啟動完成,0標識成功,其他失敗。 case TEESMC_OPTEED_RETURN_RESUME_DONE:-------------------------------------表示optee從cpu_suspend導致的休眠中喚醒完成;0表示成功,其他失敗。 case TEESMC_OPTEED_RETURN_OFF_DONE:----------------------------------------下面分表表示optee對cpu_off/cpu_suspend/system_off/system_reset的響應結果;0表示成功,其他表示失敗。其中system_off和system_reset無返回參數。 case TEESMC_OPTEED_RETURN_SUSPEND_DONE: case TEESMC_OPTEED_RETURN_SYSTEM_OFF_DONE: case TEESMC_OPTEED_RETURN_SYSTEM_RESET_DONE: opteed_synchronous_sp_exit(optee_ctx, x1); case TEESMC_OPTEED_RETURN_CALL_DONE:---------------------------------------optee處理完smc之后,需要返回普通世界,x1-x4返回參數。 assert(handle == cm_get_context(SECURE)); cm_el1_sysregs_context_save(SECURE); /* Get a reference to the non-secure context */ ns_cpu_context = cm_get_context(NON_SECURE); assert(ns_cpu_context); /* Restore non-secure state */ cm_el1_sysregs_context_restore(NON_SECURE); cm_set_next_eret_context(NON_SECURE); SMC_RET4(ns_cpu_context, x1, x2, x3, x4); case TEESMC_OPTEED_RETURN_FIQ_DONE:-----------------------------------------optee處理完fiq中斷后,需要返回普通世界。 ns_cpu_context = cm_get_context(NON_SECURE); assert(ns_cpu_context); cm_el1_sysregs_context_restore(NON_SECURE); cm_set_next_eret_context(NON_SECURE); SMC_RET0((uint64_t) ns_cpu_context); default: panic(); } } void opteed_synchronous_sp_exit(optee_context_t *optee_ctx, uint64_t ret) { assert(optee_ctx != NULL); /* Save the Secure EL1 system register context */ assert(cm_get_context(SECURE) == &optee_ctx->cpu_ctx); cm_el1_sysregs_context_save(SECURE);------------------------保存S.EL1下optee系統寄存器保存到cpu_context[SECURE]中。 assert(optee_ctx->c_rt_ctx != 0); opteed_exit_sp(optee_ctx->c_rt_ctx, ret);-------------------恢復optee_enter_sp()保存的C運行環境上下文。 /* Should never reach here */ assert(0); }
參考文檔
- 《ARM Trusted Firmware Design》:介紹了ATF關鍵設計思想Cold boot、EL3運行時服務、PSCI、Secure-EL1系統和服務、BL鏡像內存划分、FIP、Trusted Firmware內存一致性等等。
- 《學習整理:arm-trusted-firmware》:基本上是對《ARM Trusted Firmware Design》的翻譯。
- 《ATF(ARM Trusted firmware)》專題:介紹了ATF啟動流程以及各個階段內容。