ARM Trusted Firmware分析——启动、PSCI、OP-TEE接口 - ArnoldLu

时间:2024-03-12 11:13:38

ARM Trusted Firmware分析——启动、PSCI、OP-TEE接口

 关键词:等等。

 下图划分成不同EL,分别描述BL1、BL2、BL31、BL32、BL33启动流程,以及PSCI、SP处理流程。

1. 冷启动(Cold boot)流程及阶段划分

ATF冷启动实现分为5个步骤:

  • BL1 - AP Trusted ROM,一般为BootRom。
  • BL2 - Trusted Boot Firmware,一般为Trusted Bootloader。
  • BL31 - EL3 Runtime Firmware,一般为SML,管理SMC执行处理和中断,运行在secure monitor中。
  • BL32 - Secure-EL1 Payload,一般为TEE OS Image。
  • BL33 - Non-Trusted Firmware,一般为uboot、linux kernel。

ATF输出BL1、BL2、BL31,提供BL32和BL33接口。

启动流程如下:

1.1 BL1

BL1位于ROM中,在EL3下从reset vector处开始运行。

BL1做的工作主要有:

  • 决定启动路径:冷启动还是热启动。
  • 架构初始化:异常向量、CPU复位处理函数配置、控制寄存器设置(SCRLR_EL3/SCR_EL3/CPTR_EL3/DAIF)
  • 平台初始化:使能Trusted Watchdog、初始化控制台、配置硬件一致性互联、配置MMU、初始化相关存储设备。
  • 固件更新处理
  • BL2镜像加载和执行:
    • BL1输出“Booting Trusted Firmware"。
    • BL1加载BL2到SRAM;如果SRAM不够或者BL2镜像错误,输出“Failed to load BL2 firmware.”。
    • BL1切换到Secure EL1并将执行权交给BL2.

1.2 BL2

BL2位于SRAM中,运行在Secure EL1主要工作有:

  • 架构初始化:EL1/EL0使能浮点单元和ASMID。
  • 平台初始化:控制台初始化、相关存储设备初始化、MMU、相关设备安全配置、
  • SCP_BL2:系统控制核镜像加载,单独核处理系统功耗、时钟、复位等控制。
  • 加载BL31镜像:BL2将控制权交给BL1;BL1关闭MMU并关cache;BL1将控制权交给BL31。
  • 加载BL32镜像:BL32运行在安全世界,BL2依赖BL31将控制权交给BL32。SPSR通过Secure-EL1 Payload Dispatcher进行初始化。
  • 加载BL33镜像:BL2依赖BL31将控制权交给BL33。

1.3 BL31

BL31位于SRAM中,EL3模式。除了做架构初始化和平台初始化外,还做了如下工作:

  • PSCI服务初始化,后续提供CPU功耗管理操作。
  • BL32镜像运行初始化,处于Secure EL1模式。
  • 初始化非安全EL2或EL1,跳转到BL33执行。
  • 负责安全非安全世界切换。
  • 进行安全服务请求的分发。

2 BL1

BL1镜像的异常向量表初始化了两个:一个是入口bl1_entrypoint,EL1镜像正常执行流程;另一个是SMC调用接口,EL2执行结束会通过SMC返回执行BL31。

vector_base bl1_vector_table
    b    bl1_entrypoint
    b    report_exception    /* Undef */
    b    bl1_aarch32_smc_handler    /* SMC call */
    b    report_exception    /* Prefetch abort */
    b    report_exception    /* Data abort */
    b    report_exception    /* Reserved */
    b    report_exception    /* IRQ */
    b    report_exception    /* FIQ */

func bl1_aarch32_smc_handler
    /* ------------------------------------------------
     * SMC in BL1 is handled assuming that the MMU is
     * turned off by BL2.
     * ------------------------------------------------
     */

    /* ----------------------------------------------
     * Only RUN_IMAGE SMC is supported.
     * ----------------------------------------------
     */
    mov    r8, #BL1_SMC_RUN_IMAGE--------------------------仅支持BL1_SMC_RUN_IMAGE SMC调用;其他调用触发report_exception。
    cmp    r8, r0
    blne    report_exception

    /* ------------------------------------------------
     * Make sure only Secure world reaches here.
     * ------------------------------------------------
     */
    ldcopr  r8, SCR
    tst    r8, #SCR_NS_BIT---------------------------------如果处于非安全状态,则触发report_exception。
    blne    report_exception

    /* ---------------------------------------------------------------------
     * Pass control to next secure image.
     * Here it expects r1 to contain the address of a entry_point_info_t
     * structure describing the BL entrypoint.
     * ---------------------------------------------------------------------
     */
    mov    r8, r1------------------------------------------第一个参数r0是功能id,即BL1_SMC_RUN_IMAGE_SMC。第二个参数是entry_point_info_t变量。
    mov    r0, r1
    bl    bl1_print_next_bl_ep_info

#if SPIN_ON_BL1_EXIT
    bl    print_debug_loop_message
debug_loop:
    b    debug_loop
#endif

    mov    r0, r8
    bl    bl1_plat_prepare_exit

    stcopr    r0, TLBIALL
    dsb    sy
    isb

    /*
     * Extract PC and SPSR based on struct `entry_point_info_t`
     * and load it in LR and SPSR registers respectively.
     */
    ldr    lr, [r8, #ENTRY_POINT_INFO_PC_OFFSET]
    ldr    r1, [r8, #(ENTRY_POINT_INFO_PC_OFFSET + 4)]
    msr    spsr, r1

    add    r8, r8, #ENTRY_POINT_INFO_ARGS_OFFSET
    ldm    r8, {r0, r1, r2, r3}----------------------------执行跳转到BL31。
    eret
endfunc bl1_aarch32_smc_handler

bl1_entrypoint()进行EL3执行环境初始化,设定向量表,加载bl2镜像并跳转到BL2执行。

func bl1_entrypoint
    /* ---------------------------------------------------------------------
     * If the reset address is programmable then bl1_entrypoint() is
     * executed only on the cold boot path. Therefore, we can skip the warm
     * boot mailbox mechanism.
     * ---------------------------------------------------------------------
     */
    el3_entrypoint_common                    \
        _set_endian=1                    \----------------------是否设定大小端。
        _warm_boot_mailbox=!PROGRAMMABLE_RESET_ADDRESS    \-----是否检查当前属于冷启动还是热启动。
        _secondary_cold_boot=!COLD_BOOT_SINGLE_CPU    \---------确定当前CPU是主CPU还是从CPU。
        _init_memory=1                    \---------------------是否初始化memory。
        _init_c_runtime=1                \----------------------是否初始化C语言执行环境。
        _exception_vectors=bl1_exceptions-----------------------异常向量表。

    /* ---------------------------------------------
     * Architectural init. can be generic e.g.
     * enabling stack alignment and platform spec-
     * ific e.g. MMU & page table setup as per the
     * platform memory map. Perform the latter here
     * and the former in bl1_main.
     * ---------------------------------------------
     */
    bl    bl1_early_platform_setup-------------------初始化memory、page table,所需外围设备初始化等。
    bl    bl1_plat_arch_setup

    /* --------------------------------------------------
     * Initialize platform and jump to our c-entry point
     * for this type of reset.
     * --------------------------------------------------
     */
    bl    bl1_main--------------------------------------------进行必要初始化,加载BL2镜像然后为退出EL3进入S.EL1做好准备。
/* -------------------------------------------------- * Do the transition to next boot image. * -------------------------------------------------- */ b el3_exit endfunc bl1_entrypoint

el3_entrypoint_common()主要完成进入EL3基本设置和向量表注册。

    .macro el3_entrypoint_common                    \
        _set_endian, _warm_boot_mailbox, _secondary_cold_boot,    \
        _init_memory, _init_c_runtime, _exception_vectors

    .if \_set_endian-------------------------------------------------------在进行内存读写之前,设置好系统的大小端。
        /* -------------------------------------------------------------
         * Set the CPU endianness before doing anything that might
         * involve memory reads or writes.
         * -------------------------------------------------------------
         */
        mrs    x0, sctlr_el3
        bic    x0, x0, #SCTLR_EE_BIT
        msr    sctlr_el3, x0
        isb
    .endif /* _set_endian */

    .if \_warm_boot_mailbox------------------------------------------------根据当前平台的entrypoint判断是冷启动还是热启动。
        /* -------------------------------------------------------------
         * This code will be executed for both warm and cold resets.
         * Now is the time to distinguish between the two.
         * Query the platform entrypoint address and if it is not zero
         * then it means it is a warm boot so jump to this address.
         * -------------------------------------------------------------
         */
        bl    plat_get_my_entrypoint
        cbz    x0, do_cold_boot--------------------------------------------如果为0说明是冷启动,执行do_cold_boot();非0则跳转到entrypoint执行。
        br    x0

    do_cold_boot:
    .endif /* _warm_boot_mailbox */

    /* ---------------------------------------------------------------------
     * It is a cold boot.
     * Perform any processor specific actions upon reset e.g. cache, TLB
     * invalidations etc.
     * ---------------------------------------------------------------------
     */
    bl    reset_handler---------------------------------------------------执行reset_handler()。

    el3_arch_init_common \_exception_vectors------------------------------初始化异常向量。

    .if \_secondary_cold_boot---------------------------------------------判断当前CPU是主CPU还是从CPU。
        /* -------------------------------------------------------------
         * Check if this is a primary or secondary CPU cold boot.
         * The primary CPU will set up the platform while the
         * secondaries are placed in a platform-specific state until the
         * primary CPU performs the necessary actions to bring them out
         * of that state and allows entry into the OS.
         * -------------------------------------------------------------
         */
        bl    plat_is_my_cpu_primary
        cbnz    w0, do_primary_cold_boot

        /* This is a cold boot on a secondary CPU */
        bl    plat_secondary_cold_boot_setup
        /* plat_secondary_cold_boot_setup() is not supposed to return */
        bl    el3_panic

    do_primary_cold_boot:
    .endif /* _secondary_cold_boot */

    /* ---------------------------------------------------------------------
     * Initialize memory now. Secondary CPU initialization won\'t get to this
     * point.
     * ---------------------------------------------------------------------
     */

    .if \_init_memory----------------------------------------------------初始化内存。
        bl    platform_mem_init
    .endif /* _init_memory */

    /* ---------------------------------------------------------------------
     * Init C runtime environment:
     *   - Zero-initialise the NOBITS sections. There are 2 of them:
     *       - the .bss section;
     *       - the coherent memory section (if any).
     *   - Relocate the data section from ROM to RAM, if required.
     * ---------------------------------------------------------------------
     */
    .if \_init_c_runtime-------------------------------------------------初始化C执行环境。
#if IMAGE_BL31
        /* -------------------------------------------------------------
         * Invalidate the RW memory used by the BL31 image. This
         * includes the data and NOBITS sections. This is done to
         * safeguard against possible corruption of this memory by
         * dirty cache lines in a system cache as a result of use by
         * an earlier boot loader stage.
         * -------------------------------------------------------------
         */
        adr    x0, __RW_START__
        adr    x1, __RW_END__
        sub    x1, x1, x0
        bl    inv_dcache_range
#endif /* IMAGE_BL31 */

        ldr    x0, =__BSS_START__
        ldr    x1, =__BSS_SIZE__
        bl    zeromem16

#if USE_COHERENT_MEM
        ldr    x0, =__COHERENT_RAM_START__
        ldr    x1, =__COHERENT_RAM_UNALIGNED_SIZE__
        bl    zeromem16
#endif

#if IMAGE_BL1
        ldr    x0, =__DATA_RAM_START__
        ldr    x1, =__DATA_ROM_START__
        ldr    x2, =__DATA_SIZE__
        bl    memcpy16
#endif
    .endif /* _init_c_runtime */

    /* ---------------------------------------------------------------------
     * Use SP_EL0 for the C runtime stack.
     * ---------------------------------------------------------------------
     */
    msr    spsel, #0

    /* ---------------------------------------------------------------------
     * Allocate a stack whose memory will be marked as Normal-IS-WBWA when
     * the MMU is enabled. There is no risk of reading stale stack memory
     * after enabling the MMU as only the primary CPU is running at the
     * moment.
     * ---------------------------------------------------------------------
     */
    bl    plat_set_my_stack
    .endm

bl1_main()完成架构和平台特有初始化操作,然后加载BL2镜像并跳转执行。

/*******************************************************************************
 * Function to perform late architectural and platform specific initialization.
 * It also queries the platform to load and run next BL image. Only called
 * by the primary cpu after a cold boot.
 ******************************************************************************/
void bl1_main(void)
{
    unsigned int image_id;

    /* Announce our arrival */
    NOTICE(FIRMWARE_WELCOME_STR);
    NOTICE("BL1: %s\n", version_string);
    NOTICE("BL1: %s\n", build_message);

    INFO("BL1: RAM %p - %p\n", (void *)BL1_RAM_BASE,
                    (void *)BL1_RAM_LIMIT);
...
    /* Perform remaining generic architectural setup from EL3 */
    bl1_arch_setup();

#if TRUSTED_BOARD_BOOT
    /* Initialize authentication module */
    auth_mod_init();----------------------------------------------初始化安全模块和镜像解析模块。
#endif /* TRUSTED_BOARD_BOOT */

    /* Perform platform setup in BL1. */
    bl1_platform_setup();

    /* Get the image id of next image to load and run. */
    image_id = bl1_plat_get_next_image_id();----------------------获取下一级启动镜像的ID。

    /*
     * We currently interpret any image id other than
     * BL2_IMAGE_ID as the start of firmware update.
     */
    if (image_id == BL2_IMAGE_ID)
        bl1_load_bl2();------------------------------------------将BL2镜像加载到TSRAM中。
    else
        NOTICE("BL1-FWU: *******FWU Process Started*******\n");

    bl1_prepare_next_image(image_id);----------------------------获取image_id对应镜像描述信息,并为进入下一级镜像执行准备好上下文。
}

/*******************************************************************************
 * This function locates and loads the BL2 raw binary image in the trusted SRAM.
 * Called by the primary cpu after a cold boot.
 * TODO: Add support for alternative image load mechanism e.g using virtio/elf
 * loader etc.
 ******************************************************************************/
void bl1_load_bl2(void)
{
    image_desc_t *image_desc;
    image_info_t *image_info;
    entry_point_info_t *ep_info;
    meminfo_t *bl1_tzram_layout;
    meminfo_t *bl2_tzram_layout;
    int err;

    /* Get the image descriptor */
    image_desc = bl1_plat_get_image_desc(BL2_IMAGE_ID);
    assert(image_desc);

    /* Get the image info */
    image_info = &image_desc->image_info;

    /* Get the entry point info */
    ep_info = &image_desc->ep_info;

    /* Find out how much free trusted ram remains after BL1 load */
    bl1_tzram_layout = bl1_plat_sec_mem_layout();

    INFO("BL1: Loading BL2\n");

#if LOAD_IMAGE_V2
    err = load_auth_image(BL2_IMAGE_ID, image_info);
#else
    /* Load the BL2 image */
    err = load_auth_image(bl1_tzram_layout,
             BL2_IMAGE_ID,
             image_info->image_base,
             image_info,
             ep_info);

#endif /* LOAD_IMAGE_V2 */

    if (err) {
        ERROR("Failed to load BL2 firmware.\n");
        plat_error_handler(err);
    }

    /*
     * Create a new layout of memory for BL2 as seen by BL1 i.e.
     * tell it the amount of total and free memory available.
     * This layout is created at the first free address visible
     * to BL2. BL2 will read the memory layout before using its
     * memory for other purposes.
     */
#if LOAD_IMAGE_V2
    bl2_tzram_layout = (meminfo_t *) bl1_tzram_layout->total_base;
#else
    bl2_tzram_layout = (meminfo_t *) bl1_tzram_layout->free_base;
#endif /* LOAD_IMAGE_V2 */

    bl1_init_bl2_mem_layout(bl1_tzram_layout, bl2_tzram_layout);

    ep_info->args.arg1 = (uintptr_t)bl2_tzram_layout;
    NOTICE("BL1: Booting BL2\n");
    VERBOSE("BL1: BL2 memory layout address = %p\n",
        (void *) bl2_tzram_layout);
}

/*******************************************************************************
 * This function prepares the context for Secure/Normal world images.
 * Normal world images are transitioned to EL2(if supported) else EL1.
 ******************************************************************************/
void bl1_prepare_next_image(unsigned int image_id)
{
    unsigned int security_state;
    image_desc_t *image_desc;
    entry_point_info_t *next_bl_ep;

#if CTX_INCLUDE_AARCH32_REGS
    /*
     * Ensure that the build flag to save AArch32 system registers in CPU
     * context is not set for AArch64-only platforms.
     */
    if (((read_id_aa64pfr0_el1() >> ID_AA64PFR0_EL1_SHIFT)
            & ID_AA64PFR0_ELX_MASK) == 0x1) {
        ERROR("EL1 supports AArch64-only. Please set build flag "
                "CTX_INCLUDE_AARCH32_REGS = 0");
        panic();
    }
#endif

    /* Get the image descriptor. */
    image_desc = bl1_plat_get_image_desc(image_id);---------------获取镜像描述信息,包括入口地址、名字等等。
    assert(image_desc);

    /* Get the entry point info. */
    next_bl_ep = &image_desc->ep_info;

    /* Get the image security state. */
    security_state = GET_SECURITY_STATE(next_bl_ep->h.attr);------镜像是属于安全还是非安全镜像。

    /* Setup the Secure/Non-Secure context if not done already. */
    if (!cm_get_context(security_state))
        cm_set_context(&bl1_cpu_context[security_state], security_state);

    /* Prepare the SPSR for the next BL image. */
    if (security_state == SECURE) {-------------------------------设置镜像运行的SPSR数据。
        next_bl_ep->spsr = SPSR_64(MODE_EL1, MODE_SP_ELX,
                   DISABLE_ALL_EXCEPTIONS);
    } else {
        /* Use EL2 if supported else use EL1. */
        if (read_id_aa64pfr0_el1() &
            (ID_AA64PFR0_ELX_MASK << ID_AA64PFR0_EL2_SHIFT)) {
            next_bl_ep->spsr = SPSR_64(MODE_EL2, MODE_SP_ELX,
                DISABLE_ALL_EXCEPTIONS);
        } else {
            next_bl_ep->spsr = SPSR_64(MODE_EL1, MODE_SP_ELX,
               DISABLE_ALL_EXCEPTIONS);
        }
    }

    /* Allow platform to make change */
    bl1_plat_set_ep_info(image_id, next_bl_ep);

    /* Prepare the context for the next BL image. */
    cm_init_my_context(next_bl_ep);
    cm_prepare_el3_exit(security_state);--------------------------为运行下一个镜像,EL3做好准备。

    /* Indicate that image is in execution state. */
    image_desc->state = IMAGE_STATE_EXECUTED;

    print_entry_point_info(next_bl_ep);---------------------------打印下一级进行相关信息。下面即将el3_exit,退出EL3进入新的进项运行。
}

3 BL2

BL2的主要工作就是加载BL3x系列镜像,然后通过SMC进入BL1进而跳转到BL31运行。

bl2_entrypoint()是BL2的入口,前半部分主要进行一系列初始化工作,然后通过bl2_main()加载BL3x镜像到RAM中,最后通过SMC调用执行BL1中指定的smc handler将CPU执行权交给BL31。

func bl2_entrypoint
    /*---------------------------------------------
     * Save from x1 the extents of the tzram
     * available to BL2 for future use.
     * x0 is not currently used.
     * ---------------------------------------------
     */
    mov    x20, x1

    /* ---------------------------------------------
     * Set the exception vector to something sane.
     * ---------------------------------------------
     */
    adr    x0, early_exceptions
    msr    vbar_el1, x0-------------------------------------设定异常向量。
    isb

    /* ---------------------------------------------
     * Enable the SError interrupt now that the
     * exception vectors have been setup.
     * ---------------------------------------------
     */
    msr    daifclr, #DAIF_ABT_BIT

    /* ---------------------------------------------
     * Enable the instruction cache, stack pointer
     * and data access alignment checks
     * ---------------------------------------------
     */
    mov    x1, #(SCTLR_I_BIT | SCTLR_A_BIT | SCTLR_SA_BIT)
    mrs    x0, sctlr_el1
    orr    x0, x0, x1
    msr    sctlr_el1, x0----------------------------------配置cache、内存对齐等属性。
    isb

    /* ---------------------------------------------
     * Invalidate the RW memory used by the BL2
     * image. This includes the data and NOBITS
     * sections. This is done to safeguard against
     * possible corruption of this memory by dirty
     * cache lines in a system cache as a result of
     * use by an earlier boot loader stage.
     * ---------------------------------------------
     */
    adr    x0, __RW_START__
    adr    x1, __RW_END__
    sub    x1, x1, x0
    bl    inv_dcache_range-------------------------------将BL2的__RW_START__和__RW_END__之间的内存刷回DDR中。

    /* ---------------------------------------------
     * Zero out NOBITS sections. There are 2 of them:
     *   - the .bss section;
     *   - the coherent memory section.
     * ---------------------------------------------
     */
    ldr    x0, =__BSS_START__
    ldr    x1, =__BSS_SIZE__
    bl    zeromem16--------------------------------------初始化__BSS_START__开始,大小为__BSS_SIZE__内存为0。

#if USE_COHERENT_MEM
    ldr    x0, =__COHERENT_RAM_START__
    ldr    x1, =__COHERENT_RAM_UNALIGNED_SIZE__
    bl    zeromem16
#endif

    /* --------------------------------------------
     * Allocate a stack whose memory will be marked
     * as Normal-IS-WBWA when the MMU is enabled.
     * There is no risk of reading stale stack
     * memory after enabling the MMU as only the
     * primary cpu is running at the moment.
     * --------------------------------------------
     */
    bl    plat_set_my_stack

    /* ---------------------------------------------
     * Perform early platform setup & platform
     * specific early arch. setup e.g. mmu setup
     * ---------------------------------------------
     */
    mov    x0, x20
    bl    bl2_early_platform_setup
    bl    bl2_plat_arch_setup

    /* ---------------------------------------------
     * Jump to main function.
     * ---------------------------------------------
     */
    bl    bl2_main------------------------------------跳转到BL2主函数执行,该函数加载BL3x镜像,并通过SMC调用BL1指定SMC函数将CPU执行权交给BL31。

    /* ---------------------------------------------
     * Should never reach this point.
     * ---------------------------------------------
     */
    no_ret    plat_panic_handler

endfunc bl2_entrypoint

bl2_main()主要加载BL3x镜像并验证,然后获取下一个要运行的镜像信息,通过SMC调用让BL1去启动。

/*******************************************************************************
 * The only thing to do in BL2 is to load further images and pass control to
 * next BL. The memory occupied by BL2 will be reclaimed by BL3x stages. BL2
 * runs entirely in S-EL1.
 ******************************************************************************/
void bl2_main(void)
{
    entry_point_info_t *next_bl_ep_info;

    NOTICE("BL2: %s\n", version_string);
    NOTICE("BL2: %s\n", build_message);

    /* Perform remaining generic architectural setup in S-EL1 */
    bl2_arch_setup();

#if TRUSTED_BOARD_BOOT
    /* Initialize authentication module */
    auth_mod_init();
#endif /* TRUSTED_BOARD_BOOT */

    /* Load the subsequent bootloader images. */
    next_bl_ep_info = bl2_load_images();

#ifdef AARCH32
    /*
     * For AArch32 state BL1 and BL2 share the MMU setup.
     * Given that BL2 does not map BL1 regions, MMU needs
     * to be disabled in order to go back to BL1.
     */
    disable_mmu_icache_secure();
#endif /* AARCH32 */

    /*
     * Run next BL image via an SMC to BL1. Information on how to pass
     * control to the BL32 (if present) and BL33 software images will
     * be passed to next BL image as an argument.
     */
    smc(BL1_SMC_RUN_IMAGE, (unsigned long)next_bl_ep_info, 0, 0, 0, 0, 0, 0);----------发起SMC异常启动BL31镜像,交给BL1 bl1_aarch32_smc_handler处理。
}

bl2_mem_params_descs定义了BL2需要加载镜像的信息,通过REGISTER_BL_IMAGE_DESCS()将其和bl_mem_params_desc_ptr关联,并获取需要加载镜像数目bl_mem_params_desc_num。

#define REGISTER_BL_IMAGE_DESCS(_img_desc)                \
    bl_mem_params_node_t *bl_mem_params_desc_ptr = &_img_desc[0];    \
    unsigned int bl_mem_params_desc_num = ARRAY_SIZE(_img_desc);

static bl_mem_params_node_t bl2_mem_params_descs[] = {
...
#ifdef EL3_PAYLOAD_BASE
...
#else /* EL3_PAYLOAD_BASE */

    /* Fill BL31 related information */
    {
        .image_id = BL31_IMAGE_ID,

        SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP,
            VERSION_2, entry_point_info_t,
            SECURE | EXECUTABLE | EP_FIRST_EXE),
        .ep_info.pc = BL31_BASE,
        .ep_info.spsr = SPSR_64(MODE_EL3, MODE_SP_ELX,
            DISABLE_ALL_EXCEPTIONS),
#if DEBUG
        .ep_info.args.arg1 = ARM_BL31_PLAT_PARAM_VAL,
#endif

        SET_STATIC_PARAM_HEAD(image_info, PARAM_EP,
            VERSION_2, image_info_t, IMAGE_ATTRIB_PLAT_SETUP),
        .image_info.image_base = BL31_BASE,
        .image_info.image_max_size = BL31_LIMIT - BL31_BASE,

# ifdef BL32_BASE
        .next_handoff_image_id = BL32_IMAGE_ID,
# else
        .next_handoff_image_id = BL33_IMAGE_ID,
# endif
    },

# ifdef BL32_BASE
    /* Fill BL32 related information */
    {
        .image_id = BL32_IMAGE_ID,

        SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP,
            VERSION_2, entry_point_info_t, SECURE | EXECUTABLE),
        .ep_info.pc = BL32_BASE,

        SET_STATIC_PARAM_HEAD(image_info, PARAM_EP,
            VERSION_2, image_info_t, 0),
        .image_info.image_base = BL32_BASE,
        .image_info.image_max_size = BL32_LIMIT - BL32_BASE,

        .next_handoff_image_id = BL33_IMAGE_ID,
    },
# endif /* BL32_BASE */

    /* Fill BL33 related information */
    {
        .image_id = BL33_IMAGE_ID,
        SET_STATIC_PARAM_HEAD(ep_info, PARAM_EP,
            VERSION_2, entry_point_info_t, NON_SECURE | EXECUTABLE),
# ifdef PRELOADED_BL33_BASE
        .ep_info.pc = PRELOADED_BL33_BASE,

        SET_STATIC_PARAM_HEAD(image_info, PARAM_EP,
            VERSION_2, image_info_t, IMAGE_ATTRIB_SKIP_LOADING),
# else
        .ep_info.pc = PLAT_ARM_NS_IMAGE_OFFSET,

        SET_STATIC_PARAM_HEAD(image_info, PARAM_EP,
            VERSION_2, image_info_t, 0),
        .image_info.image_base = PLAT_ARM_NS_IMAGE_OFFSET,
        .image_info.image_max_size = ARM_DRAM1_SIZE,
# endif /* PRELOADED_BL33_BASE */

        .next_handoff_image_id = INVALID_IMAGE_ID,
    }
#endif /* EL3_PAYLOAD_BASE */
};

REGISTER_BL_IMAGE_DESCS(bl2_mem_params_descs)


/*******************************************************************************
 * This function loads SCP_BL2/BL3x images and returns the ep_info for
 * the next executable image.
 ******************************************************************************/
entry_point_info_t *bl2_load_images(void)
{
    bl_params_t *bl2_to_next_bl_params;
    bl_load_info_t *bl2_load_info;
    const bl_load_info_node_t *bl2_node_info;
    int plat_setup_done = 0;
    int err;

    /*
     * Get information about the images to load.
     */
    bl2_load_info = plat_get_bl_image_load_info();-----------------获取待加载镜像BL3x或SCP_EL2信息,然后遍历处理。
    assert(bl2_load_info);
    assert(bl2_load_info->head);
    assert(bl2_load_info->h.type == PARAM_BL_LOAD_INFO);
    assert(bl2_load_info->h.version >= VERSION_2);
    bl2_node_info = bl2_load_info->head;---------------------------bl2_node_info指向镜像第一个对象。

    while (bl2_node_info) {----------------------------------------循环遍历bl2_mem_params_descs成员并加载处理。
        /*
         * Perform platform setup before loading the image,
         * if indicated in the image attributes AND if NOT
         * already done before.
         */
        if (bl2_node_info->image_info->h.attr & IMAGE_ATTRIB_PLAT_SETUP) {----确定加载前是否需要进行特定平台初始化。
            if (plat_setup_done) {
                WARN("BL2: Platform setup already done!!\n");
            } else {
                INFO("BL2: Doing platform setup\n");
                bl2_platform_setup();
                plat_setup_done = 1;
            }
        }

        if (!(bl2_node_info->image_info->h.attr & IMAGE_ATTRIB_SKIP_LOADING)) {----确定是否需要跳过加载到RAM步骤;如否,则进行验证并加载。
            INFO("BL2: Loading image id %d\n", bl2_node_info->image_id);
            err = load_auth_image(bl2_node_info->image_id,
                bl2_node_info->image_info);----------------------------------------将镜像加载到RAM,然后进行验证。
            if (err) {
                ERROR("BL2: Failed to load image (%i)\n", err);
                plat_error_handler(err);
            }
        } else {
            INFO("BL2: Skip loading image id %d\n", bl2_node_info->image_id);
        }

        /* Allow platform to handle image information. */
        err = bl2_plat_handle_post_image_load(bl2_node_info->image_id);-------------修改特定镜像的加载信息。
        if (err) {
            ERROR("BL2: Failure in post image load handling (%i)\n", err);
            plat_error_handler(err);
        }

        /* Go to next image */
        bl2_node_info = bl2_node_info->next_load_info;------------------------------循环加载下一个镜像。
    }

    /*
     * Get information to pass to the next image.
     */
    bl2_to_next_bl_params = plat_get_next_bl_params();------------------------------获取下一个执行镜像入口信息,属性为EXECUTABLE和EP_FIRST_EXE,也即BL31。
    assert(bl2_to_next_bl_params);
    assert(bl2_to_next_bl_params->head);
    assert(bl2_to_next_bl_params->h.type == PARAM_BL_PARAMS);
    assert(bl2_to_next_bl_params->h.version >= VERSION_2);

    /* Flush the parameters to be passed to next image */
    plat_flush_next_bl_params();----------------------------------------------------将bl_mem_params_desc_ptr数据刷到DDR中,后面即将通过SMC跳转到BL1启动BL31,保持数据一致性。

    return bl2_to_next_bl_params->head->ep_info;
}

4. BL31(EL3 Firmware)

参考文档:《SMC CALLING CONVENTION System Software on ARM® Platforms

SMCCC定义了每个SMC请求功能的ID以及入参和返回值。

下面逐一介绍运行在EL3固件的运行服务框架的注册、初始化和使用。

SMCCC定义了每个运行服务框架的SMC功能ID、OEN(Owning Entity Numbers)、Fast和Standard调用、SMC32和SMC64调用转换。

需要优先实现的功能有:

  • Standard服务调用:
  • Secure-EL1 Payload Dispatcher service:如果存在TOS或者S.EL1 Payload,则需要EL3 Secure Monitor负责切换NS.EL1/2和S.EL1。Secure Monitor和S.EL1 Payload之间接口被称为SPD(S.EL1 Payload Dispatcher)。ATF还提供了TSP(Test S.EL1 Payload)和TSPD。
  • CPU特有服务:提供CPU特有的的功能服务。

4.1 运行服务注册

DECLARE_RT_SVC()用于注册一个运行服务,指定服务名称、OEN范围、服务类型(SMC_TYPE_FAST/SMC_TYPE_STD)、初始化和调用函数。

通过DECLARE_RT_SVC()注册的每个服务都会在ELF的rt_svc_descs段中存在,__RT_SVC_DESCS_START__和__RT_SVC_DESCS_END__是此段的起始结束地址,并可以通过地址范围计算服务数量RT_SVC_DECS_NUM。

/*
 * Convenience macro to declare a service descriptor
 */
#define DECLARE_RT_SVC(_name, _start, _end, _type, _setup, _smch) \
    static const rt_svc_desc_t __svc_desc_ ## _name \
        __section("rt_svc_descs") __used = { \
            .start_oen = _start, \
            .end_oen = _end, \
            .call_type = _type, \
            .name = #_name, \
            .init = _setup, \
            .handle = _smch }

typedef struct rt_svc_desc {
    uint8_t start_oen;-------------------service内部启动oen
    uint8_t end_oen;---------------------service内部末尾oen
    uint8_t call_type;-------------------smc类型,是fast call还是standard call
    const char *name;--------------------service名称
    rt_svc_init_t init;------------------service初始化函数
    rt_svc_handle_t handle;--------------对应function id的调用函数
} rt_svc_desc_t;

SMC功能ID范围定义如下:

/*******************************************************************************
 * Owning entity number definitions inside the function id as per the SMC
 * calling convention
 ******************************************************************************/
#define OEN_ARM_START            0
#define OEN_ARM_END            0
#define OEN_CPU_START            1
#define OEN_CPU_END            1
#define OEN_SIP_START            2
#define OEN_SIP_END            2
#define OEN_OEM_START            3
#define OEN_OEM_END            3
#define OEN_STD_START            4    /* Standard Calls */
#define OEN_STD_END            4
#define OEN_TAP_START            48    /* Trusted Applications */
#define OEN_TAP_END            49
#define OEN_TOS_START            50    /* Trusted OS */
#define OEN_TOS_END            63
#define OEN_LIMIT            64

上面的定义根据如下规格:

MAX_RT_SVCS为128,是因为OEN有64个SMC类型有Standard和Fast两种类型,所以一共有128种。rt_svc_descs_indices[]一共有128个

4.2 ATF初始化

bl31_entrypoint()是冷启动的入口,只会被cpu0执行。

func bl31_entrypoint
#if !RESET_TO_BL31
    /* ---------------------------------------------------------------
     * Preceding bootloader has populated x0 with a pointer to a
     * \'bl31_params\' structure & x1 with a pointer to platform
     * specific structure
     * ---------------------------------------------------------------
     */
#if HISILICON
    /* hisilicon use args from uboot,
     * load_fip.c has set value in address 8 and 16
     */
    mov    x0, 8
    mov    x1, 16
    ldr    x20, [x0]
    ldr    x21, [x1]
#else
    mov    x20, x0
    mov    x21, x1
#endif
    /* ---------------------------------------------------------------------
     * For !RESET_TO_BL31 systems, only the primary CPU ever reaches
     * bl31_entrypoint() during the cold boot flow, so the cold/warm boot
     * and primary/secondary CPU logic should not be executed in this case.
     *
     * Also, assume that the previous bootloader has already set up the CPU
     * endianness and has initialised the memory.
     * ---------------------------------------------------------------------
     */
    el3_entrypoint_common                    \
        _set_endian=0                    \
        _warm_boot_mailbox=0                \
        _secondary_cold_boot=0                \
        _init_memory=0                    \
        _init_c_runtime=1                \
        _exception_vectors=runtime_exceptions----------------------------runtime_exceptions是ATF的异常向量表。

    /* ---------------------------------------------------------------------
     * Relay the previous bootloader\'s arguments to the platform layer
     * ---------------------------------------------------------------------
     */
    mov    x0, x20
    mov    x1, x21
#else
    /* ---------------------------------------------------------------------
     * For RESET_TO_BL31 systems which have a programmable reset address,
     * bl31_entrypoint() is executed only on the cold boot path so we can
     * skip the warm boot mailbox mechanism.
     * ---------------------------------------------------------------------
     */
    el3_entrypoint_common                    \
        _set_endian=1                    \
        _warm_boot_mailbox=!PROGRAMMABLE_RESET_ADDRESS    \
        _secondary_cold_boot=!COLD_BOOT_SINGLE_CPU    \
        _init_memory=1                    \
        _init_c_runtime=1                \
        _exception_vectors=runtime_exceptions

    /* ---------------------------------------------------------------------
     * For RESET_TO_BL31 systems, BL31 is the first bootloader to run so
     * there\'s no argument to relay from a previous bootloader. Zero the
     * arguments passed to the platform layer to reflect that.
     * ---------------------------------------------------------------------
     */
    mov    x0, 0
    mov    x1, 0
#endif /* RESET_TO_BL31 */

    /* ---------------------------------------------
     * Perform platform specific early arch. setup
     * ---------------------------------------------
     */
    bl    bl31_early_platform_setup-------------------------------------初始化UART,以及获取BL32、BL33的entrypoint。
    bl    bl31_plat_arch_setup------------------------------------------MMU内存初始化。

    /* ---------------------------------------------
     * Jump to main function.
     * ---------------------------------------------
     */
    bl    bl31_main
    /* -------------------------------------------------------------
     * Clean the .data & .bss sections to main memory. This ensures
     * that any global data which was initialised by the primary CPU
     * is visible to secondary CPUs before they enable their data
     * caches and participate in coherency.
     * -------------------------------------------------------------
     */
    adr    x0, __DATA_START__
    adr    x1, __DATA_END__
    sub    x1, x1, x0
    bl    clean_dcache_range

    adr    x0, __BSS_START__
    adr    x1, __BSS_END__
    sub    x1, x1, x0
    bl    clean_dcache_range--------------------------------------------刷data和bss段到内存中。

    b    el3_exit
endfunc bl31_entrypoint

BL3异常向量表runtime_exceptions

 el3_exit()退出当前ATF执行下一阶段的镜像。

    /* -----------------------------------------------------
     * This routine assumes that the SP_EL3 is pointing to
     * a valid context structure from where the gp regs and
     * other special registers can be retrieved.
     * -----------------------------------------------------
     */
func el3_exit
    /* -----------------------------------------------------
     * Save the current SP_EL0 i.e. the EL3 runtime stack
     * which will be used for handling the next SMC. Then
     * switch to SP_EL3
     * -----------------------------------------------------
     */
    mov    x17, sp
    msr    spsel, #1
    str    x17, [sp, #CTX_EL3STATE_OFFSET + CTX_RUNTIME_SP]

    /* -----------------------------------------------------
     * Restore SPSR_EL3, ELR_EL3 and SCR_EL3 prior to ERET
     * -----------------------------------------------------
     */
    ldr    x18, [sp, #CTX_EL3STATE_OFFSET + CTX_SCR_EL3]
    ldp    x16, x17, [sp, #CTX_EL3STATE_OFFSET + CTX_SPSR_EL3]
    msr    scr_el3, x18
    msr    spsr_el3, x16
    msr    elr_el3, x17

    /* Restore saved general purpose registers and return */
    b    restore_gp_registers_eret
endfunc el3_exit

 bl31_main()是ATF主体,初始化好ATF服务、启动optee os,至此可以提供psci、TOS等服务。然后再为进入BL33做好准备工作。

/*******************************************************************************
 * BL31 is responsible for setting up the runtime services for the primary cpu
 * before passing control to the bootloader or an Operating System. This
 * function calls runtime_svc_init() which initializes all registered runtime
 * services. The run time services would setup enough context for the core to
 * swtich to the next exception level. When this function returns, the core will
 * switch to the programmed exception level via. an ERET.
 ******************************************************************************/
void bl31_main(void)
{
    NOTICE("BL31: %s\n", version_string);
    NOTICE("BL31: %s\n", build_message);

    /* Perform platform setup in BL31 */
    bl31_platform_setup();---------------------------------------------------初始化GIC、Timer、Power等工作。

    /* Initialise helper libraries */
    bl31_lib_init();---------------------------------------------------------初始化BL31中相关全局变量。

    /* Initialize the runtime services e.g. psci. */
    INFO("BL31: Initializing runtime services\n");
    runtime_svc_init();------------------------------------------------------初始化EL3 ATF中注册的服务,编译时放在rt_svc_decs特定段中。

    /*
     * All the cold boot actions on the primary cpu are done. We now need to
     * decide which is the next image (BL32 or BL33) and how to execute it.
     * If the SPD runtime service is present, it would want to pass control
     * to BL32 first in S-EL1. In that case, SPD would have registered a
     * function to intialize bl32 where it takes responsibility of entering
     * S-EL1 and returning control back to bl31_main. Once this is done we
     * can prepare entry into BL33 as normal.
     */

    /*
     * If SPD had registerd an init hook, invoke it.
     */
    if (bl32_init) {
        INFO("BL31: Initializing BL32\n");
        (*bl32_init)();------------------------------------------------------如果注册了TOS支持,调用对应的init函数初始化TOS。对于optee就是opteed_init()。
    }
    /*
     * We are ready to enter the next EL. Prepare entry into the image
     * corresponding to the desired security state after the next ERET.
     */
    bl31_prepare_next_image_entry();-----------------------------------------准备跳转到BL33,

    /*
     * Perform any platform specific runtime setup prior to cold boot exit
     * from BL31
     */
    bl31_plat_runtime_setup();-----------------------------------------------BL31退出前准备工作。
}

runtime_svc_init()作为BL31初始化一部分,初始化了运行在主CPU上的运行服务框架。这必须在TOS和普通世界软件启动之前执行,因为安全和非安全软件可能需要使用这部分内容。

runtime_svc_init()主要对注册的服务进行有限性验证,调用各自服务的初始化函数init(),以及将不同SMC OEN转换到注册服务ID。

在实际使用中,注册一个服务可能对应一系列SMC调用。

void runtime_svc_init(void)
{
    int rc = 0, index, start_idx, end_idx;

    /* Assert the number of descriptors detected are less than maximum indices */
    assert((RT_SVC_DESCS_END >= RT_SVC_DESCS_START) &&
            (RT_SVC_DECS_NUM < MAX_RT_SVCS));

    /* If no runtime services are implemented then simply bail out */
    if (RT_SVC_DECS_NUM == 0)-----------------------------------------------对注册到ATF的SMC服务数量进行检查。
        return;

    /* Initialise internal variables to invalid state */
    memset(rt_svc_descs_indices, -1, sizeof(rt_svc_descs_indices));

    rt_svc_descs = (rt_svc_desc_t *) RT_SVC_DESCS_START;
    for (index = 0; index < RT_SVC_DECS_NUM; index++) {----------------------遍历rt_svc_descs段,
        rt_svc_desc_t *service = &rt_svc_descs[index];

        rc = validate_rt_svc_desc(service);
        if (rc) {
            ERROR("Invalid runtime service descriptor %p\n",
                (void *) service);
            panic();
        }

        if (service->init) {
            rc = service->init();--------------------------------------------执行当前service的init函数。
            if (rc) {
                ERROR("Error initializing runtime service %s\n",
                        service->name);
                continue;
            }
        }

        start_idx = get_unique_oen(rt_svc_descs[index].start_oen,
                service->call_type);
        assert(start_idx < MAX_RT_SVCS);
        end_idx = get_unique_oen(rt_svc_descs[index].end_oen,
                service->call_type);
        assert(end_idx < MAX_RT_SVCS);
        for (; start_idx <= end_idx; start_idx++)----------------------------根据call_type和oen范围,确定rt_svc_descs_indices对应下标,达到SMC function id到注册service id的转换。
            rt_svc_descs_indices[start_idx] = index;
    }
}

4.3 处理SMC

当EL3 Firmware接收到一个SMC时,SMC功能ID通过W0传递到EL3 Firmware。这是根据寄存位宽和W0进行检查,如果两者不匹配则返回错误。

其中Bit[31]和bits[29:24]共7bit组成一个0~127范围数值,在rt_svc_descs_indices[]所对应具体的软件服务rt_svc_descs[]索引。

进而调用具体软件服务的handle()函数:

uintptr_t handle_runtime_svc(uint32_t smc_fid,
                 void *cookie,
                 void *handle,
                 unsigned int flags)
{
    u_register_t x1, x2, x3, x4;
    int index, idx;
    const rt_svc_desc_t *rt_svc_descs;

    assert(handle);
    idx = get_unique_oen_from_smc_fid(smc_fid);
    assert(idx >= 0 && idx < MAX_RT_SVCS);

    index = rt_svc_descs_indices[idx];---------------------将从x0寄存器中读取的Standard/Fast和OWN组合的idx,找到Runtime Service的index。
    if (index < 0 || index >= RT_SVC_DECS_NUM)
        SMC_RET1(handle, SMC_UNK);

    rt_svc_descs = (rt_svc_desc_t *) RT_SVC_DESCS_START;---Runtime Service起始地址。

    get_smc_params_from_ctx(handle, x1, x2, x3, x4);-------获取x1/x2/x3/x4寄存器。

    return rt_svc_descs[index].handle(smc_fid, x1, x2, x3, x4, cookie,
                        handle, flags);--------------------调用具体Runtime Service的handle()函数。
}

5. BL31 PSCI

参考文档:《POWER STATE COORDINATION INTERFACE (PSCI) System Software on ARM® Systems

PSCI功能作为Standard service一部分,由std_svc_smc_handler()处理。

DECLARE_RT_SVC(
        std_svc,

        OEN_STD_START,
        OEN_STD_END,
        SMC_TYPE_FAST,
        std_svc_setup,
        std_svc_smc_handler-----------------------------对于Fast类型Standard服务调用,主要是进行PSCI处理。
);

uintptr_t std_svc_smc_handler(uint32_t smc_fid,
                 u_register_t x1,
                 u_register_t x2,
                 u_register_t x3,
                 u_register_t x4,
                 void *cookie,
                 void *handle,
                 u_register_t flags)
{
    /*
     * Dispatch PSCI calls to PSCI SMC handler and return its return
     * value
     */
    if (is_psci_fid(smc_fid)) {
        uint64_t ret;
...

        ret = psci_smc_handler(smc_fid, x1, x2, x3, x4,
            cookie, handle, flags);---------------------首先判断是否是Fast类型,然后交给psci_smc_handler()进行处理。
...
        SMC_RET1(handle, ret);
    }
...
}

u_register_t psci_smc_handler(uint32_t smc_fid,
              u_register_t x1,
              u_register_t x2,
              u_register_t x3,
              u_register_t x4,
              void *cookie,
              void *handle,
              u_register_t flags)
{
    if (is_caller_secure(flags))
        return SMC_UNK;

    /* Check the fid against the capabilities */
    if (!(psci_caps & define_psci_cap(smc_fid)))
        return SMC_UNK;

    if (((smc_fid >> FUNCID_CC_SHIFT) & FUNCID_CC_MASK) == SMC_32) {
...
    } else {---------------------------------------------这里以64系统为例。
        /* 64-bit PSCI function */

        switch (smc_fid) {
        case PSCI_CPU_SUSPEND_AARCH64:
            return psci_cpu_suspend(x1, x2, x3);

        case PSCI_CPU_ON_AARCH64:-----------------------PSCI_CPU_ON_AARCH64为0xc4000003,bit[31]=1:Fast Call、bit[30]=1:SMC64、bits[29:24]=000100:Starndard service、bits[15:0]=0000 0011:内部定义序号。
            return psci_cpu_on(x1, x2, x3);

          case PSCI_AFFINITY_INFO_AARCH64:
              return psci_affinity_info(x1, x2);

          case PSCI_MIG_AARCH64:
          return psci_migrate(x1);

          case PSCI_MIG_INFO_UP_CPU_AARCH64:
              return psci_migrate_info_up_cpu();

          case PSCI_NODE_HW_STATE_AARCH64:
              return psci_node_hw_state(x1, x2);

          case PSCI_SYSTEM_SUSPEND_AARCH64:
              return psci_system_suspend(x1, x2);

  #if ENABLE_PSCI_STAT
          case PSCI_STAT_RESIDENCY_AARCH64:
              return psci_stat_residency(x1, x2);

          case PSCI_STAT_COUNT_AARCH64:
              return psci_stat_count(x1, x2);
  #endif

        default:
            break;
        }
    }

    WARN("Unimplemented PSCI Call: 0x%x \n", smc_fid);
    return SMC_UNK;
}

5.1 PSCI_VERSION

unsigned int psci_version(void)
{
    return PSCI_MAJOR_VER | PSCI_MINOR_VER;
}

#define PSCI_MAJOR_VER        (1 << 16)
#define PSCI_MINOR_VER        0x0

5.2 PSCI_CPU_SUSPEND

int psci_cpu_suspend(unsigned int power_state,
             uintptr_t entrypoint,
             u_register_t context_id)
{
    int rc;
    unsigned int target_pwrlvl, is_power_down_state;
    entry_point_info_t ep;
    psci_power_state_t state_info = { {PSCI_LOCAL_STATE_RUN} };
    plat_local_state_t cpu_pd_state;

    /* Validate the power_state parameter */
    rc = psci_validate_power_state(power_state, &state_info);
    if (rc != PSCI_E_SUCCESS) {
        assert(rc == PSCI_E_INVALID_PARAMS);
        return rc;
    }

    /*
     * Get the value of the state type bit from the power state parameter.
     */
    is_power_down_state = psci_get_pstate_type(power_state);

    /* Sanity check the requested suspend levels */
    assert(psci_validate_suspend_req(&state_info, is_power_down_state)
            == PSCI_E_SUCCESS);

    target_pwrlvl = psci_find_target_suspend_lvl(&state_info);
    if (target_pwrlvl == PSCI_INVALID_PWR_LVL) {
        ERROR("Invalid target power level for suspend operation\n");
        panic();
    }

    /* Fast path for CPU standby.*/
    if (is_cpu_standby_req(is_power_down_state, target_pwrlvl)) {
        if  (!psci_plat_pm_ops->cpu_standby)
            return PSCI_E_INVALID_PARAMS;

        /*
         * Set the state of the CPU power domain to the platform
         * specific retention state and enter the standby state.
         */
        cpu_pd_state = state_info.pwr_domain_state[PSCI_CPU_PWR_LVL];
        psci_set_cpu_local_state(cpu_pd_state);

#if ENABLE_PSCI_STAT
        /*
         * Capture time-stamp before CPU standby
         * No cache maintenance is needed as caches
         * are ON through out the CPU standby operation.
         */
        PMF_CAPTURE_TIMESTAMP(psci_svc, PSCI_STAT_ID_ENTER_LOW_PWR,
            PMF_NO_CACHE_MAINT);
#endif

#if ENABLE_RUNTIME_INSTRUMENTATION
        PMF_CAPTURE_TIMESTAMP(rt_instr_svc,
            RT_INSTR_ENTER_HW_LOW_PWR,
            PMF_NO_CACHE_MAINT);
#endif

        psci_plat_pm_ops->cpu_standby(cpu_pd_state);

        /* Upon exit from standby, set the state back to RUN. */
        psci_set_cpu_local_state(PSCI_LOCAL_STATE_RUN);

#if ENABLE_RUNTIME_INSTRUMENTATION
        PMF_CAPTURE_TIMESTAMP(rt_instr_svc,
            RT_INSTR_EXIT_HW_LOW_PWR,
            PMF_NO_CACHE_MAINT);
#endif

#if ENABLE_PSCI_STAT
        /* Capture time-stamp after CPU standby */
        PMF_CAPTURE_TIMESTAMP(psci_svc, PSCI_STAT_ID_EXIT_LOW_PWR,
            PMF_NO_CACHE_MAINT);

        /* Update PSCI stats */
        psci_stats_update_pwr_up(PSCI_CPU_PWR_LVL, &state_info,
            PMF_NO_CACHE_MAINT);
#endif

        return PSCI_E_SUCCESS;
    }

    /*
     * If a power down state has been requested, we need to verify entry
     * point and program entry information.
     */
    if (is_power_down_state) {
        rc = psci_validate_entry_point(&ep, entrypoint, context_id);
        if (rc != PSCI_E_SUCCESS)
            return rc;
    }

    /*
     * Do what is needed to enter the power down state. Upon success,
     * enter the final wfi which will power down this CPU. This function
     * might return if the power down was abandoned for any reason, e.g.
     * arrival of an interrupt
     */
    psci_cpu_suspend_start(&ep,
                target_pwrlvl,
                &state_info,
                is_power_down_state);

    return PSCI_E_SUCCESS;
}

5.3 PSCI_CPU_OFF

int psci_cpu_off(void)
{
    int rc;
    unsigned int target_pwrlvl = PLAT_MAX_PWR_LVL;

    /*
     * Do what is needed to power off this CPU and possible higher power
     * levels if it able to do so. Upon success, enter the final wfi
     * which will power down this CPU.
     */
    rc = psci_do_cpu_off(target_pwrlvl);

    /*
     * The only error cpu_off can return is E_DENIED. So check if that\'s
     * indeed the case.
     */
    assert(rc == PSCI_E_DENIED);

    return rc;
}

5.4 PSCI_CPU_ON

/*******************************************************************************
 * PSCI frontend api for servicing SMCs. Described in the PSCI spec.
 ******************************************************************************/
int psci_cpu_on(u_register_t target_cpu,
        uintptr_t entrypoint,
        u_register_t context_id)

{
    int rc;
    entry_point_info_t ep;

    /* Determine if the cpu exists of not */
    rc = psci_validate_mpidr(target_cpu);
    if (rc != PSCI_E_SUCCESS)
        return PSCI_E_INVALID_PARAMS;

    /* Validate the entry point and get the entry_point_info */
    rc = psci_validate_entry_point(&ep, entrypoint, context_id);
    if (rc != PSCI_E_SUCCESS)
        return rc;

    /*
     * To turn this cpu on, specify which power
     * levels need to be turned on
     */
    return psci_cpu_on_start(target_cpu, &ep);
}

5.5 PSCI_AFFINITY_INFO

int psci_affinity_info(u_register_t target_affinity,
               unsigned int lowest_affinity_level)
{
    unsigned int target_idx;

    /* We dont support level higher than PSCI_CPU_PWR_LVL */
    if (lowest_affinity_level > PSCI_CPU_PWR_LVL)
        return PSCI_E_INVALID_PARAMS;

    /* Calculate the cpu index of the target */
    target_idx = plat_core_pos_by_mpidr(target_affinity);
    if (target_idx == -1)
        return PSCI_E_INVALID_PARAMS;

    return psci_get_aff_info_state_by_idx(target_idx);
}

5.6 PSCI_MIG

int psci_migrate(u_register_t target_cpu)
{
    int rc;
    u_register_t resident_cpu_mpidr;

    rc = psci_spd_migrate_info(&resident_cpu_mpidr);
    if (rc != PSCI_TOS_UP_MIG_CAP)
        return (rc == PSCI_TOS_NOT_UP_MIG_CAP) ?
              PSCI_E_DENIED : PSCI_E_NOT_SUPPORTED;

    /*
     * Migrate should only be invoked on the CPU where
     * the Secure OS is resident.
     */
    if (resident_cpu_mpidr != read_mpidr_el1())
        return PSCI_E_NOT_PRESENT;

    /* Check the validity of the specified target cpu */
    rc = psci_validate_mpidr(target_cpu);
    if (rc != PSCI_E_SUCCESS)
        return PSCI_E_INVALID_PARAMS;

    assert(psci_spd_pm && psci_spd_pm->svc_migrate);

    rc = psci_spd_pm->svc_migrate(read_mpidr_el1(), target_cpu);
    assert(rc == PSCI_E_SUCCESS || rc == PSCI_E_INTERN_FAIL);

    return rc;
}

5.7 PSCI_MIG_INFO_TYPE

int psci_migrate_info_type(void)
{
    u_register_t resident_cpu_mpidr;

    return psci_spd_migrate_info(&resident_cpu_mpidr);
}

/*******************************************************************************
 * This function invokes the migrate info hook in the spd_pm_ops. It performs
 * the necessary return value validation. If the Secure Payload is UP and
 * migrate capable, it returns the mpidr of the CPU on which the Secure payload
 * is resident through the mpidr parameter. Else the value of the parameter on
 * return is undefined.
 ******************************************************************************/
int psci_spd_migrate_info(u_register_t *mpidr)
{
    int rc;

    if (!psci_spd_pm || !psci_spd_pm->svc_migrate_info)
        return PSCI_E_NOT_SUPPORTED;

    rc = psci_spd_pm->svc_migrate_info(mpidr);

    assert(rc == PSCI_TOS_UP_MIG_CAP || rc == PSCI_TOS_NOT_UP_MIG_CAP \
        || rc == PSCI_TOS_NOT_PRESENT_MP || rc == PSCI_E_NOT_SUPPORTED);

    return rc;
}

5.8 PSCI_MIG_INFO_UP_CPU

long psci_migrate_info_up_cpu(void)
{
    u_register_t resident_cpu_mpidr;
    int rc;

    /*
     * Return value of this depends upon what
     * psci_spd_migrate_info() returns.
     */
    rc = psci_spd_migrate_info(&resident_cpu_mpidr);
    if (rc != PSCI_TOS_NOT_UP_MIG_CAP && rc != PSCI_TOS_UP_MIG_CAP)
        return PSCI_E_INVALID_PARAMS;

    return resident_cpu_mpidr;
}

5.9 PSCI_SYSTEM_OFF

void psci_system_off(void)
{
    psci_print_power_domain_map();

    assert(psci_plat_pm_ops->system_off);

    /* Notify the Secure Payload Dispatcher */
    if (psci_spd_pm && psci_spd_pm->svc_system_off) {
        psci_spd_pm->svc_system_off();
    }

    /* Call the platform specific hook */
    psci_plat_pm_ops->system_off();

    /* This function does not return. We should never get here */
}

5.10 PSCI_SYSTEM_RESET

void psci_system_reset(void)
{
    psci_print_power_domain_map();

    assert(psci_plat_pm_ops->system_reset);

    /* Notify the Secure Payload Dispatcher */
    if (psci_spd_pm && psci_spd_pm->svc_system_reset) {
        psci_spd_pm->svc_system_reset();
    }

    /* Call the platform specific hook */
    psci_plat_pm_ops->system_reset();

    /* This function does not return. We should never get here */
}

5.11 PSCI_FEATURES

int psci_features(unsigned int psci_fid)
{
    unsigned int local_caps = psci_caps;

    /* Check if it is a 64 bit function */
    if (((psci_fid >> FUNCID_CC_SHIFT) & FUNCID_CC_MASK) == SMC_64)
        local_caps &= PSCI_CAP_64BIT_MASK;

    /* Check for invalid fid */
    if (!(is_std_svc_call(psci_fid) && is_valid_fast_smc(psci_fid)
            && is_psci_fid(psci_fid)))
        return PSCI_E_NOT_SUPPORTED;


    /* Check if the psci fid is supported or not */
    if (!(local_caps & define_psci_cap(psci_fid)))
        return PSCI_E_NOT_SUPPORTED;

    /* Format the feature flags */
    if (psci_fid == PSCI_CPU_SUSPEND_AARCH32 ||
            psci_fid == PSCI_CPU_SUSPEND_AARCH64) {
        /*
         * The trusted firmware does not support OS Initiated Mode.
         */
        return (FF_PSTATE << FF_PSTATE_SHIFT) |
            ((!FF_SUPPORTS_OS_INIT_MODE) << FF_MODE_SUPPORT_SHIFT);
    }

    /* Return 0 for all other fid\'s */
    return PSCI_E_SUCCESS;
}

5.12 PSCI_SYSTEM_SUSPEND

int psci_system_suspend(uintptr_t entrypoint, u_register_t context_id)
{
    int rc;
    psci_power_state_t state_info;
    entry_point_info_t ep;

    /* Check if the current CPU is the last ON CPU in the system */
    if (!psci_is_last_on_cpu())
        return PSCI_E_DENIED;

    /* Validate the entry point and get the entry_point_info */
    rc = psci_validate_entry_point(&ep, entrypoint, context_id);
    if (rc != PSCI_E_SUCCESS)
        return rc;

    /* Query the psci_power_state for system suspend */
    psci_query_sys_suspend_pwrstate(&state_info);

    /* Ensure that the psci_power_state makes sense */
    assert(psci_find_target_suspend_lvl(&state_info) == PLAT_MAX_PWR_LVL);
    assert(psci_validate_suspend_req(&state_info, PSTATE_TYPE_POWERDOWN)
                        == PSCI_E_SUCCESS);
    assert(is_local_state_off(state_info.pwr_domain_state[PLAT_MAX_PWR_LVL]));

    /*
     * Do what is needed to enter the system suspend state. This function
     * might return if the power down was abandoned for any reason, e.g.
     * arrival of an interrupt
     */
    psci_cpu_suspend_start(&ep,
                PLAT_MAX_PWR_LVL,
                &state_info,
                PSTATE_TYPE_POWERDOWN);

    return PSCI_E_SUCCESS;
}

6. BL31 OPTEE接口

optee注册了Fast和Standard两种调用类型,Fast类型需要使用opteed_setup()进行初始化。两种类型共用opteed_smc_handler()进行smc处理。

/* Define an OPTEED runtime service descriptor for fast SMC calls */
DECLARE_RT_SVC(
    opteed_fast,

    OEN_TOS_START,
    OEN_TOS_END,
    SMC_TYPE_FAST,
    opteed_setup,
    opteed_smc_handler
);

/* Define an OPTEED runtime service descriptor for standard SMC calls */
DECLARE_RT_SVC(
    opteed_std,

    OEN_TOS_START,
    OEN_TOS_END,
    SMC_TYPE_STD,
    NULL,
    opteed_smc_handler
);

6.1 optee启动

在ATF BL31启动过程中,runtime_svc_init()会调用opteed_setup()来完成optee的启动。

/*******************************************************************************
 * OPTEE Dispatcher setup. The OPTEED finds out the OPTEE entrypoint and type
 * (aarch32/aarch64) if not already known and initialises the context for entry
 * into OPTEE for its initialization.
 ******************************************************************************/
int32_t opteed_setup(void)
{
    entry_point_info_t *optee_ep_info;
    uint32_t linear_id;

    linear_id = plat_my_core_pos();

    optee_ep_info = bl31_plat_get_next_image_ep_info(SECURE);-----------------获取BL32即optee os镜像信息。
    if (!optee_ep_info) {
        WARN("No OPTEE provided by BL2 boot loader, Booting device"
            " without OPTEE initialization. SMC`s destined for OPTEE"
            " will return SMC_UNK\n");
        return 1;
    }

    if (!optee_ep_info->pc)
        return 1;

    /*
     * We could inspect the SP image and determine it\'s execution
     * state i.e whether AArch32 or AArch64. Assuming it\'s AArch32
     * for the time being.
     */
    opteed_rw = OPTEE_AARCH64;
    opteed_init_optee_ep_state(optee_ep_info,
                opteed_rw,
                optee_ep_info->pc,
                &opteed_sp_context[linear_id]);------------------------------初始化安全CPU的smc上下文,存放于opteed_sp_context[]中。

    /*
     * All OPTEED initialization done. Now register our init function with
     * BL31 for deferred invocation
     */
    bl31_register_bl32_init(&opteed_init);-----------------------------------bl32_init指向opteed_init(),在bl31_main()中被调用。

    return 0;
}

opteed_init()从镜像中获取optee os的入口点,并初始化好ATF和optee切换的上下文,然后进入optee并等待返回结果。

/*******************************************************************************
 * This function passes control to the OPTEE image (BL32) for the first time
 * on the primary cpu after a cold boot. It assumes that a valid secure
 * context has already been created by opteed_setup() which can be directly
 * used.  It also assumes that a valid non-secure context has been
 * initialised by PSCI so it does not need to save and restore any
 * non-secure state. This function performs a synchronous entry into
 * OPTEE. OPTEE passes control back to this routine through a SMC.
 ******************************************************************************/
static int32_t opteed_init(void)
{
    uint32_t linear_id = plat_my_core_pos();
    optee_context_t *optee_ctx = &opteed_sp_context[linear_id];
    entry_point_info_t *optee_entry_point;
    uint64_t rc;

    /*
     * Get information about the OPTEE (BL32) image. Its
     * absence is a critical failure.
     */
    optee_entry_point = bl31_plat_get_next_image_ep_info(SECURE);-----------------------------获取optee os镜像信息。
    assert(optee_entry_point);

    cm_init_my_context(optee_entry_point);----------------------------------------------------设置当前CPU进入安全状态的上下文。

    /*
     * Arrange for an entry into OPTEE. It will be returned via
     * OPTEE_ENTRY_DONE case
     */
    rc = opteed_synchronous_sp_entry(optee_ctx);----------------------------------------------启动optee os,并等待OPTEE_ENTRY_DONE返回结果。
    assert(rc != 0);

    return rc;
}

/*******************************************************************************
 * This function takes an OPTEE context pointer and:
 * 1. Applies the S-EL1 system register context from optee_ctx->cpu_ctx.
 * 2. Saves the current C runtime state (callee saved registers) on the stack
 *    frame and saves a reference to this state.
 * 3. Calls el3_exit() so that the EL3 system and general purpose registers
 *    from the optee_ctx->cpu_ctx are used to enter the OPTEE image.
 ******************************************************************************/
uint64_t opteed_synchronous_sp_entry(optee_context_t *optee_ctx)
{
    uint64_t rc;

    assert(optee_ctx != NULL);
    assert(optee_ctx->c_rt_ctx == 0);

    /* Apply the Secure EL1 system register context and switch to it */
    assert(cm_get_context(SECURE) == &optee_ctx->cpu_ctx);
    cm_el1_sysregs_context_restore(SECURE);---------------从optee_ctx->cpu_ctx中恢复S.EL1相关寄存器。
    cm_set_next_eret_context(SECURE);---------------------保存从S.EL1返回需要的上下文。

    rc = opteed_enter_sp(&optee_ctx->c_rt_ctx);-----------将安全CPU保存的状态恢复到optee_ctx->c_rt_ctx中,并跳转到opteed os执行。
#if DEBUG
    optee_ctx->c_rt_ctx = 0;
#endif

    return rc;
}
func opteed_enter_sp
/* Make space for the registers that we\'re going to save */ mov x3, sp str x3, [x0, #0] sub sp, sp, #OPTEED_C_RT_CTX_SIZE /* Save callee-saved registers on to the stack */ stp x19, x20, [sp, #OPTEED_C_RT_CTX_X19] stp x21, x22, [sp, #OPTEED_C_RT_CTX_X21] stp x23, x24, [sp, #OPTEED_C_RT_CTX_X23] stp x25, x26, [sp, #OPTEED_C_RT_CTX_X25] stp x27, x28, [sp, #OPTEED_C_RT_CTX_X27] stp x29, x30, [sp, #OPTEED_C_RT_CTX_X29] /* --------------------------------------------- * Everything is setup now. el3_exit() will * use the secure context to restore to the * general purpose and EL3 system registers to * ERET into OPTEE. * --------------------------------------------- */ b el3_exit--------------------------------------------------使用配置好的安全上下文,退出EL3进入OPTEE。 endfunc opteed_enter_sp

6.2 optee的SPD

 BL31中处理OP-TEE安全请求分发入口函数是opteed_smc_handler()。

uint64_t opteed_smc_handler(uint32_t smc_fid,
             uint64_t x1,
             uint64_t x2,
             uint64_t x3,
             uint64_t x4,
             void *cookie,
             void *handle,
             uint64_t flags)
{
    cpu_context_t *ns_cpu_context;
    uint32_t linear_id = plat_my_core_pos();
    optee_context_t *optee_ctx = &opteed_sp_context[linear_id];---------------获取当前CPU保存的optee上下文。
    uint64_t rc;

    /*
     * Determine which security state this SMC originated from
     */

    if (is_caller_non_secure(flags)) {
        /*
         * This is a fresh request from the non-secure client.
         * The parameters are in x1 and x2. Figure out which
         * registers need to be preserved, save the non-secure
         * state and send the request to the secure payload.
         */
        assert(handle == cm_get_context(NON_SECURE));

        cm_el1_sysregs_context_save(NON_SECURE);

        /*
         * We are done stashing the non-secure context. Ask the
         * OPTEE to do the work now.
         */

        /*
         * Verify if there is a valid context to use, copy the
         * operation type and parameters to the secure context
         * and jump to the fast smc entry point in the secure
         * payload. Entry into S-EL1 will take place upon exit
         * from this function.
         */
        assert(&optee_ctx->cpu_ctx == cm_get_context(SECURE));

        /* Set appropriate entry for SMC.
         * We expect OPTEE to manage the PSTATE.I and PSTATE.F
         * flags as appropriate.
         */
        if (GET_SMC_TYPE(smc_fid) == SMC_TYPE_FAST) {
            cm_set_elr_el3(SECURE, (uint64_t)
                    &optee_vectors->fast_smc_entry);
        } else {
            cm_set_elr_el3(SECURE, (uint64_t)
                    &optee_vectors->std_smc_entry);
        }

        cm_el1_sysregs_context_restore(SECURE);
        cm_set_next_eret_context(SECURE);

        write_ctx_reg(get_gpregs_ctx(&optee_ctx->cpu_ctx),
                  CTX_GPREG_X4,
                  read_ctx_reg(get_gpregs_ctx(handle),
                       CTX_GPREG_X4));
        write_ctx_reg(get_gpregs_ctx(&optee_ctx->cpu_ctx),
                  CTX_GPREG_X5,
                  read_ctx_reg(get_gpregs_ctx(handle),
                       CTX_GPREG_X5));
        write_ctx_reg(get_gpregs_ctx(&optee_ctx->cpu_ctx),
                  CTX_GPREG_X6,
                  read_ctx_reg(get_gpregs_ctx(handle),
                       CTX_GPREG_X6));
        /* Propagate hypervisor client ID */
        write_ctx_reg(get_gpregs_ctx(&optee_ctx->cpu_ctx),
                  CTX_GPREG_X7,
                  read_ctx_reg(get_gpregs_ctx(handle),
                       CTX_GPREG_X7));

        SMC_RET4(&optee_ctx->cpu_ctx, smc_fid, x1, x2, x3);
    }

    /*
     * Returning from OPTEE
     */

    switch (smc_fid) {
    case TEESMC_OPTEED_RETURN_ENTRY_DONE:-------------------------------------optee冷启动初始化完成后返回。
        assert(optee_vectors == NULL);
        optee_vectors = (optee_vectors_t *) x1;

        if (optee_vectors) {
            set_optee_pstate(optee_ctx->state, OPTEE_PSTATE_ON);

            psci_register_spd_pm_hook(&opteed_pm);

            flags = 0;
            set_interrupt_rm_flag(flags, NON_SECURE);
            rc = register_interrupt_type_handler(INTR_TYPE_S_EL1,
                        opteed_sel1_interrupt_handler,
                        flags);
            if (rc)
                panic();
        }
        opteed_synchronous_sp_exit(optee_ctx, x1);-----------------------------从optee中返回。

    case TEESMC_OPTEED_RETURN_ON_DONE:-----------------------------------------表示optee由cpu_on导致的启动完成,0标识成功,其他失败。
    case TEESMC_OPTEED_RETURN_RESUME_DONE:-------------------------------------表示optee从cpu_suspend导致的休眠中唤醒完成;0表示成功,其他失败。
    case TEESMC_OPTEED_RETURN_OFF_DONE:----------------------------------------下面分表表示optee对cpu_off/cpu_suspend/system_off/system_reset的响应结果;0表示成功,其他表示失败。其中system_off和system_reset无返回参数。
    case TEESMC_OPTEED_RETURN_SUSPEND_DONE:
    case TEESMC_OPTEED_RETURN_SYSTEM_OFF_DONE:
    case TEESMC_OPTEED_RETURN_SYSTEM_RESET_DONE:
        opteed_synchronous_sp_exit(optee_ctx, x1);

    case TEESMC_OPTEED_RETURN_CALL_DONE:---------------------------------------optee处理完smc之后,需要返回普通世界,x1-x4返回参数。
        assert(handle == cm_get_context(SECURE));
        cm_el1_sysregs_context_save(SECURE);

        /* Get a reference to the non-secure context */
        ns_cpu_context = cm_get_context(NON_SECURE);
        assert(ns_cpu_context);

        /* Restore non-secure state */
        cm_el1_sysregs_context_restore(NON_SECURE);
        cm_set_next_eret_context(NON_SECURE);

        SMC_RET4(ns_cpu_context, x1, x2, x3, x4);

    case TEESMC_OPTEED_RETURN_FIQ_DONE:-----------------------------------------optee处理完fiq中断后,需要返回普通世界。
        ns_cpu_context = cm_get_context(NON_SECURE);
        assert(ns_cpu_context);

        cm_el1_sysregs_context_restore(NON_SECURE);
        cm_set_next_eret_context(NON_SECURE);

        SMC_RET0((uint64_t) ns_cpu_context);

    default:
        panic();
    }
}

void opteed_synchronous_sp_exit(optee_context_t *optee_ctx, uint64_t ret)
{
    assert(optee_ctx != NULL);
    /* Save the Secure EL1 system register context */
    assert(cm_get_context(SECURE) == &optee_ctx->cpu_ctx);
    cm_el1_sysregs_context_save(SECURE);------------------------保存S.EL1下optee系统寄存器保存到cpu_context[SECURE]中。

    assert(optee_ctx->c_rt_ctx != 0);
    opteed_exit_sp(optee_ctx->c_rt_ctx, ret);-------------------恢复optee_enter_sp()保存的C运行环境上下文。

    /* Should never reach here */
    assert(0);
}

参考文档