- boot-architecture - lists.linaro.org

DeviceTree Evolution call for Monday May 17

by Bill Mills

All, Frank Rowand has put together a page: https://elinux.org/New_FDT_format On the call tomorrow we will begin discussion on this topic. I suspect the above will take the full hour. However... Heinrich has sent out a proposal to embedded the signature data directly into the main DT node list. This is an alternative to adding a new section for meta data as was discussed a couple of months ago. Discussion of the alternatives for signatures is on the Todo list. Zoom meeting: Time: 3PM UTC / 4PM UK / 11 AM US East Meeting ID: 961 7042 8801 Passcode: 8250 Thanks, Bill -- Bill Mills Principal Technical Consultant, Linaro +1-240-643-0836 TZ: US Eastern Work Schedule: Tues/Wed/Thur

4 years, 2 months

3
2
0 0

Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages

by Joanna Farley

Apologies I failed with the recording. Manish/Madhu will reply early next week with the slides and some notes to help with a follow up session which we hope to hold this Thursday. Invite and agenda will also be sent out early next week. Thanks Joanna On 14/05/2021, 13:30, "TF-A on behalf of Okash Khawaja via TF-A" <tf-a-bounces(a)lists.trustedfirmware.org on behalf of tf-a(a)lists.trustedfirmware.org> wrote: Hi, Do we have slides and video from last week's discussion? Thanks, Okash On Wed, May 5, 2021 at 11:52 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: > > Hi Harb, > > Thanks for the idea. I am still not completely sure what benefit UUID provides to an open project. I'd like to propose something different, more in the spirit of open collaboration. I also worry that the word 'standard' seems to be a synonym for UUIDs, UEFI, etc., i.e. enabling/preferring closed-source firmware and the continued decline of open-source projects. It really should not be. > > So I suggest: Use simple integer IDs and reserve some area for 'private' use. If you want to collaborate across projects outside your company, you either need to allocate a 'public' ID or agree privately between the parties which private ID to use. > > This means that the default and easiest option is for collaboration and a public ID, with private ones (whose purpose may be secret) reserved just for private use. > > Regards, > Simon > > On Wed, 5 May 2021 at 11:42, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote: >> >> Hey Folks, >> >> We wanted to put out a middle-ground proposal to help guide the discussion on the call tomorrow. >> >> >> >> A proposal that we have been discussing offline involves reserving a single tag ID for the purpose of construction UEFI PI HOB List structure, and that tag would be used to identify a HOB-specific structure that does leverage UUID based identifier. This will eliminate the burden of having to support UUID as the tag, and this enables projects that require UUID based identifiers for the broad range of HOB structures that need to be produced during the booting of the platform. Once we have a tag for a HOB list, this will enable various HOB producers that can add/extend the HOB list in TF-A code (or even pre-TF-A code), with a HOB consumer for that UUID/GUID on the other side (i.e. whatever the BL33 image is booting on that platform). >> >> >> >> Essentially, the idea is if someone would like to support HOB structures in a standard way using TF-A, they would wrap it up in a BL_AUX_PARAM/BLOB structure (whatever the group decides) and the way we identify the structure as a HOB list is with this new reserved tag. >> >> >> >> Hopefully that makes sense and less contentious. Look forward to discuss this further on the call. >> >> >> >> Thanks, >> >> --Harb >> >> >> >> From: Manish Pandey2 <Manish.Pandey2(a)arm.com> >> Sent: Friday, April 30, 2021 8:14 AM >> To: François Ozog <francois.ozog(a)linaro.org> >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> Hi All, >> >> >> >> Please find invite for next TF-A Tech Forum session to continue our discussions on HOB implementation, feel free to forward it to others. >> >> >> >> The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST). >> >> >> >> Agenda: >> >> Discussion Session: Static and Dynamic Information Handling in TF-A >> >> Lead by Manish Pandey and Madhukar Pappireddy >> >> · There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages. >> >> The requirement is two-fold: >> >> 1. Passing static information(config files) >> >> 2. Passing dynamic information (Hob list) >> >> In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects. >> >> >> >> The two specific item which we would like to discuss are: >> >> 1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both? >> >> 2. Standardization on Physical register use to pass base of HoB data structure. >> >> References: >> >> [1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html >> >> [2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q% >> >> >> >> Thanks >> >> >> >> Joanna >> >> >> >> You have been invited to the following event. >> >> TF-A Tech Forum >> >> When >> >> Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time >> >> Calendar >> >> tf-a(a)lists.trustedfirmware.org >> >> Who >> >> • >> >> Bill Fletcher- creator >> >> • >> >> tf-a(a)lists.trustedfirmware.org >> >> more details » >> >> >> >> We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC. >> >> >> >> Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/ >> >> >> >> Trusted Firmware is inviting you to a scheduled Zoom meeting. >> >> >> >> Join Zoom Meeting >> >> https://zoom.us/j/9159704974 >> >> >> >> Meeting ID: 915 970 4974 >> >> >> >> One tap mobile >> >> +16465588656,,9159704974# US (New York) >> >> +16699009128,,9159704974# US (San Jose) >> >> >> >> Dial by your location >> >> +1 646 558 8656 US (New York) >> >> +1 669 900 9128 US (San Jose) >> >> 877 853 5247 US Toll-free >> >> 888 788 0099 US Toll-free >> >> Meeting ID: 915 970 4974 >> >> Find your local number: https://zoom.us/u/ad27hc6t7h >> >> >> >> ________________________________ >> >> From: François Ozog <francois.ozog(a)linaro.org> >> Sent: 08 April 2021 16:50 >> To: Manish Pandey2 <Manish.Pandey2(a)arm.com> >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> Hi >> >> >> >> here is the meeting recording: >> >> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%z >> >> >> >> I am really sorry about the confusion related to the meeting time. I have now understood: the Collaborate portal uses a specific calendar which is tied to US/Chicago timezone while the actual Google Calendar is tied to Central Europe timezone. I am going to drop the Collaborate portal and use a shared Google calendar (it should be visible on the trusted-substrate.org page). >> >> >> >> I'll try to summarize what I learnt and highlight my view on what can be next steps in a future mail. >> >> >> >> Cheers >> >> >> >> FF >> >> >> >> On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: >> >> Hi, >> >> >> >> From TF-A project point of view, we prefer to use existing mechanism to pass parameters across boot stages using linked list of tagged elements (as suggested by Julius). It has support for both generic and SiP-specific tags. Having said that, it does not stop partners to introduce new mechanisms suitable for their usecase in platform port initially and later move to generic code if its suitable for other platforms. >> >> >> >> To start with, Ampere can introduce a platform specific implementation of memory tag(speed/NUMA topology etc) which can be evaluated and discussed for generalization in future. The tag will be populated in BL2 stage and can be forwarded to further stages(and to BL33) by passing the head of list pointer in one of the registers. Initially any register can be used but going forward a standardization will be needed. >> >> >> >> The U-boot bloblist mentioned by Simon is conceptually similar to what TF-A is using, if there is consensus of using bloblist/taglist then TF-A tag list may be enhanced to take best of both the implementations. >> >> >> >> One of the potential problems of having structure used in different projects is maintainability, this can be avoided by having a single copy of these structures in TF-A (kept inside "include/export" which intended to be used by other projects.) >> >> >> >> Regarding usage of either UUID or tag, I echo the sentiments of Simon and Julius to keep it simple and use tag values. >> >> >> >> Looking forward to having further discussions on zoom call today. >> >> >> >> Thanks >> >> Manish P >> >> >> >> ________________________________ >> >> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org> >> Sent: 25 March 2021 02:43 >> To: Simon Glass <sjg(a)chromium.org> >> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> Just want to point out that TF-A currently already supports a (very simple) mechanism like this: >> >> >> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… >> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… >> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… >> >> >> >> It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31. >> >> >> >> I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once. >> >> >> >> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: >> >> Hi Harb, >> >> >> >> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote: >> >> Hello Folks, >> >> Appreciate the feedback and replies on this. Glad to see that there is interest in this topic. >> >> >> >> I try to address the comments/feedback from Francois and Simon below…. >> >> >> >> @François Ozog – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT. >> >> >> >> Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases. >> >> >> >> The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM). >> >> >> >> Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model: >> >> “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances >> “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances. >> >> >> >> Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code. >> >> >> >> To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software. >> >> >> >> I understand the versatility of DT, but I see two major problems with DT: >> >> DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained. >> DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob) >> >> >> >> I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs). >> >> >> >> Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls. >> >> >> >> Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call. >> >> >> >> @Simon Glass - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for. >> >> >> >> That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about. >> >> >> >> The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use. >> >> >> >> I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors. >> >> >> >> True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code: >> >> >> >> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \ >> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \ >> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55) >> >> (etc.) >> >> >> >> static struct guid_name { >> efi_guid_t guid; >> const char *name; >> } guid_name[] = { >> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" }, >> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" }, >> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" }, >> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" }, >> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" }, >> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" }, >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" }, >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" }, >> >> (never figured out what those two are) >> >> >> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" }, >> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" }, >> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" }, >> { {}, "zero-guid" }, >> {} >> }; >> >> static const char *guid_to_name(const efi_guid_t *guid) >> { >> struct guid_name *entry; >> >> for (entry = guid_name; entry->name; entry++) { >> if (!guidcmp(guid, &entry->guid)) >> return entry->name; >> } >> >> return NULL; >> } >> >> >> >> Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory. >> >> >> >> >> >> We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB. >> >> >> >> Indeed. There is certainly value in both approaches. >> >> >> >> Regards, >> >> Simon >> >> >> >> >> >> Thanks, >> >> --Harb >> >> >> >> From: François Ozog <francois.ozog(a)linaro.org> >> Sent: Tuesday, March 23, 2021 10:00 AM >> To: François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org> >> Cc: Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> +Ron Minnich +Paul Isaac's >> >> >> >> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts. >> >> >> >> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: >> >> Hi, >> >> >> >> I propose we cover the topic at the next Trusted Substrate zoom call on April 8th 4pm CET. >> >> >> >> The agenda: >> >> ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions. >> >> runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing. >> >> >> >> For additional background on existing metadata: UEFI Platform Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB >> >> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY. >> >> This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains. >> >> HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested). >> >> >> >> There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2. >> >> I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls). >> >> >> >> Requirements (to be validated): >> >> - ACPI and DT hardware descriptions. >> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2) >> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot) >> >> - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages) >> >> - support secure world device assignment >> >> >> >> Cheers >> >> >> >> FF >> >> >> >> >> >> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote: >> >> Hi, >> >> Can I suggest using bloblist for this instead? It is lightweight, >> easier to parse, doesn't have GUIDs and is already used within U-Boot >> for passing info between SPL/U-Boot, etc. >> >> Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist >> Header file describes the format: >> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h >> >> Full set of unit tests: >> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c >> >> Regards, >> Simon >> >> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> wrote: >> > >> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org> >> > >> > standardization is very much welcomed here and need to accommodate a very >> > diverse set of situations. >> > For example, TEE OS may need to pass memory reservations to BL33 or >> > "capture" a device for the secure world. >> > >> > I have observed a number of architectures: >> > 1) pass information from BLx to BLy in the form of a specific object >> > 2) BLx called by BLy by a platform specific SMC to get information >> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree >> > fixups >> > >> > I also imagined a standardized "broadcast" FF-A call so that any firmware >> > element can either provide information or "do something". >> > >> > My understanding of your proposal is about standardizing on architecture 1) >> > with the HOB format. >> > >> > The advantage of the HOB is simplicity but it may be difficult to implement >> > schemes such as pruning a DT because device assignment in the secure world. >> > >> > In any case, it looks feasible to have TF-A and OP-TEE complement the list >> > of HOBs to pass information downstream (the bootflow). >> > >> > It would be good to start with building the comprehensive list of >> > information that need to be conveyed between firmware elements: >> > >> > information. | authoritative entity | reporting entity | information >> > exchanged: >> > dram | TFA | TFA | >> > <format to be detailed, NUMA topology to build the SRAT table or DT >> > equivalent?> >> > PSCI | SCP | TFA? | >> > SCMI | SCP or TEE-OS | TFA? TEE-OS?| >> > secure SRAM | TFA. | TFA. | >> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? | >> > other? | | >> > | >> > >> > Cheers >> > >> > FF >> > >> > >> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A < >> > tf-a(a)lists.trustedfirmware.org> wrote: >> > >> > > Hello Folks, >> > > >> > > >> > > >> > > I'm emailing to start an open discussion about the adoption of a concept >> > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware >> > > Framework Architecture (FFA). This is something that is a pretty major >> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s >> > > designed to enable a broad range of highly configurable datacenter >> > > platforms. >> > > >> > > >> > > >> > > >> > > >> > > What is a HOB (Background)? >> > > >> > > --------------------------- >> > > >> > > UEFI PI spec describes a particular definition for how HOB may be used for >> > > transitioning between the PEI and DXE boot phases, which is a good >> > > reference point for this discussion, but not necessarily the exact solution >> > > appropriate for TF-A. >> > > >> > > >> > > >> > > A HOB is simply a dynamically generated data structure passed in between >> > > two boot phases. This is information that was obtained through discovery >> > > and needs to be passed forward to the next boot phase *once*, with no API >> > > needed to call back (e.g. no call back into previous firmware phase is >> > > needed to fetch this information at run-time - it is simply passed one time >> > > during boot). >> > > >> > > >> > > >> > > There may be one or more HOBs passed in between boot phases. If there are >> > > more than one HOB that needs to be passed, this can be in a form of a "HOB >> > > table", which (for example) could be a UUID indexed array of pointers to >> > > HOB structures, used to locate a HOB of interest (based on UUID). In such >> > > cases, instead of passing a single HOB, the boot phases may rely on passing >> > > the pointer to the HOB table. >> > > >> > > >> > > >> > > This has been extremely useful concept to employ on highly configurable >> > > systems that must rely on flexible discovery mechanisms to initialize and >> > > boot the system. This is especially helpful when you have multiple >> > > >> > > >> > > >> > > >> > > >> > > Why do we need HOBs in TF-A?: >> > > >> > > ----------------------------- >> > > >> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in >> > > a way that is SoC specific *but* platform agnostic. This means that a >> > > single ARM SoC that a SiP may deliver to customers may provide a single >> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad >> > > range of platform designs and configurations in order to boot a platform >> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to >> > > achieve this, the platform configuration must be *discovered* instead of >> > > statically compiled as it is today in TF-A via device tree based >> > > enumeration. The mechanisms of discovery may differ broadly depending on >> > > the relevant industry standard, or in some cases may have rely on SiP >> > > specific discovery flows. >> > > >> > > >> > > >> > > For example: On server systems that support a broad range DIMM memory >> > > population/topologies, all the necessary information required to boot is >> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an >> > > I2C bus. Leveraging the SPD bus, may platform variants could be supported >> > > with a single TF-A binary. Not only is this information required to >> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot >> > > phases will also need this SPD info to construct a system physical address >> > > map and properly initialize the MMU based on the memory present, and where >> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may >> > > need to generate standard firmware tables to the operating systems, such as >> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT, >> > > SRAT, even NFIT if NVDIMM's are present). >> > > >> > > >> > > >> > > In short, it all starts with a standardized or vendor specific discovery >> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of >> > > information to the next boot stages (e.g. BL31/BL32/BL33). >> > > >> > > >> > > >> > > Today, every HOB may be a vendor specific structure, but in the future >> > > there may be benefit of defining standard HOBs. This may be useful for >> > > memory discovery, passing the system physical address map, enabling TPM >> > > measured boot, and potentially many other common HOB use-cases. >> > > >> > > >> > > >> > > It would be extremely beneficial to the datacenter market segment if the >> > > TF-A community would adopt this concept of information passing between all >> > > boot phases as opposed to rely solely on device tree enumeration. This is >> > > not intended to replace device tree, rather intended as an alternative way >> > > to describe the info that must be discovered and dynamically generated. >> > > >> > > >> > > >> > > >> > > >> > > Conclusion: >> > > >> > > ----------- >> > > >> > > We are proposing that the TF-A community begin pursuing the adoption of >> > > HOBs as a mechanism used for information exchange between each boot stage >> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we >> > > want to explore standardizing some HOB structures for the BL33 phase (e.g. >> > > UEFI HOB structures), but initially would like to agree on this being a >> > > useful mechanism used to pass information between each boot stage. >> > > >> > > >> > > >> > > Thanks, >> > > >> > > --Harb >> > > >> > > >> > > >> > > >> > > >> > > >> > > -- >> > > TF-A mailing list >> > > TF-A(a)lists.trustedfirmware.org >> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> > > >> > >> > >> > -- >> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* >> > T: +33.67221.6485 >> > francois.ozog(a)linaro.org | Skype: ffozog >> > _______________________________________________ >> > boot-architecture mailing list >> > boot-architecture(a)lists.linaro.org >> > https://lists.linaro.org/mailman/listinfo/boot-architecture >> >> >> >> >> -- >> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> >> >> -- >> TF-A mailing list >> TF-A(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> >> >> >> >> -- >> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> >> >> -- >> TF-A mailing list >> TF-A(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> >> -- >> TF-A mailing list >> TF-A(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> >> >> >> >> -- >> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 2 months

1
0
0 0

Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages

by Okash Khawaja

Hi, Do we have slides and video from last week's discussion? Thanks, Okash On Wed, May 5, 2021 at 11:52 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: > > Hi Harb, > > Thanks for the idea. I am still not completely sure what benefit UUID provides to an open project. I'd like to propose something different, more in the spirit of open collaboration. I also worry that the word 'standard' seems to be a synonym for UUIDs, UEFI, etc., i.e. enabling/preferring closed-source firmware and the continued decline of open-source projects. It really should not be. > > So I suggest: Use simple integer IDs and reserve some area for 'private' use. If you want to collaborate across projects outside your company, you either need to allocate a 'public' ID or agree privately between the parties which private ID to use. > > This means that the default and easiest option is for collaboration and a public ID, with private ones (whose purpose may be secret) reserved just for private use. > > Regards, > Simon > > On Wed, 5 May 2021 at 11:42, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote: >> >> Hey Folks, >> >> We wanted to put out a middle-ground proposal to help guide the discussion on the call tomorrow. >> >> >> >> A proposal that we have been discussing offline involves reserving a single tag ID for the purpose of construction UEFI PI HOB List structure, and that tag would be used to identify a HOB-specific structure that does leverage UUID based identifier. This will eliminate the burden of having to support UUID as the tag, and this enables projects that require UUID based identifiers for the broad range of HOB structures that need to be produced during the booting of the platform. Once we have a tag for a HOB list, this will enable various HOB producers that can add/extend the HOB list in TF-A code (or even pre-TF-A code), with a HOB consumer for that UUID/GUID on the other side (i.e. whatever the BL33 image is booting on that platform). >> >> >> >> Essentially, the idea is if someone would like to support HOB structures in a standard way using TF-A, they would wrap it up in a BL_AUX_PARAM/BLOB structure (whatever the group decides) and the way we identify the structure as a HOB list is with this new reserved tag. >> >> >> >> Hopefully that makes sense and less contentious. Look forward to discuss this further on the call. >> >> >> >> Thanks, >> >> --Harb >> >> >> >> From: Manish Pandey2 <Manish.Pandey2(a)arm.com> >> Sent: Friday, April 30, 2021 8:14 AM >> To: François Ozog <francois.ozog(a)linaro.org> >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> Hi All, >> >> >> >> Please find invite for next TF-A Tech Forum session to continue our discussions on HOB implementation, feel free to forward it to others. >> >> >> >> The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST). >> >> >> >> Agenda: >> >> Discussion Session: Static and Dynamic Information Handling in TF-A >> >> Lead by Manish Pandey and Madhukar Pappireddy >> >> · There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages. >> >> The requirement is two-fold: >> >> 1. Passing static information(config files) >> >> 2. Passing dynamic information (Hob list) >> >> In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects. >> >> >> >> The two specific item which we would like to discuss are: >> >> 1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both? >> >> 2. Standardization on Physical register use to pass base of HoB data structure. >> >> References: >> >> [1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html >> >> [2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q% >> >> >> >> Thanks >> >> >> >> Joanna >> >> >> >> You have been invited to the following event. >> >> TF-A Tech Forum >> >> When >> >> Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time >> >> Calendar >> >> tf-a(a)lists.trustedfirmware.org >> >> Who >> >> • >> >> Bill Fletcher- creator >> >> • >> >> tf-a(a)lists.trustedfirmware.org >> >> more details » >> >> >> >> We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC. >> >> >> >> Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/ >> >> >> >> Trusted Firmware is inviting you to a scheduled Zoom meeting. >> >> >> >> Join Zoom Meeting >> >> https://zoom.us/j/9159704974 >> >> >> >> Meeting ID: 915 970 4974 >> >> >> >> One tap mobile >> >> +16465588656,,9159704974# US (New York) >> >> +16699009128,,9159704974# US (San Jose) >> >> >> >> Dial by your location >> >> +1 646 558 8656 US (New York) >> >> +1 669 900 9128 US (San Jose) >> >> 877 853 5247 US Toll-free >> >> 888 788 0099 US Toll-free >> >> Meeting ID: 915 970 4974 >> >> Find your local number: https://zoom.us/u/ad27hc6t7h >> >> >> >> ________________________________ >> >> From: François Ozog <francois.ozog(a)linaro.org> >> Sent: 08 April 2021 16:50 >> To: Manish Pandey2 <Manish.Pandey2(a)arm.com> >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> Hi >> >> >> >> here is the meeting recording: >> >> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%z >> >> >> >> I am really sorry about the confusion related to the meeting time. I have now understood: the Collaborate portal uses a specific calendar which is tied to US/Chicago timezone while the actual Google Calendar is tied to Central Europe timezone. I am going to drop the Collaborate portal and use a shared Google calendar (it should be visible on the trusted-substrate.org page). >> >> >> >> I'll try to summarize what I learnt and highlight my view on what can be next steps in a future mail. >> >> >> >> Cheers >> >> >> >> FF >> >> >> >> On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: >> >> Hi, >> >> >> >> From TF-A project point of view, we prefer to use existing mechanism to pass parameters across boot stages using linked list of tagged elements (as suggested by Julius). It has support for both generic and SiP-specific tags. Having said that, it does not stop partners to introduce new mechanisms suitable for their usecase in platform port initially and later move to generic code if its suitable for other platforms. >> >> >> >> To start with, Ampere can introduce a platform specific implementation of memory tag(speed/NUMA topology etc) which can be evaluated and discussed for generalization in future. The tag will be populated in BL2 stage and can be forwarded to further stages(and to BL33) by passing the head of list pointer in one of the registers. Initially any register can be used but going forward a standardization will be needed. >> >> >> >> The U-boot bloblist mentioned by Simon is conceptually similar to what TF-A is using, if there is consensus of using bloblist/taglist then TF-A tag list may be enhanced to take best of both the implementations. >> >> >> >> One of the potential problems of having structure used in different projects is maintainability, this can be avoided by having a single copy of these structures in TF-A (kept inside "include/export" which intended to be used by other projects.) >> >> >> >> Regarding usage of either UUID or tag, I echo the sentiments of Simon and Julius to keep it simple and use tag values. >> >> >> >> Looking forward to having further discussions on zoom call today. >> >> >> >> Thanks >> >> Manish P >> >> >> >> ________________________________ >> >> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org> >> Sent: 25 March 2021 02:43 >> To: Simon Glass <sjg(a)chromium.org> >> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> Just want to point out that TF-A currently already supports a (very simple) mechanism like this: >> >> >> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… >> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… >> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… >> >> >> >> It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31. >> >> >> >> I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once. >> >> >> >> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: >> >> Hi Harb, >> >> >> >> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote: >> >> Hello Folks, >> >> Appreciate the feedback and replies on this. Glad to see that there is interest in this topic. >> >> >> >> I try to address the comments/feedback from Francois and Simon below…. >> >> >> >> @François Ozog – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT. >> >> >> >> Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases. >> >> >> >> The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM). >> >> >> >> Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model: >> >> “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances >> “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances. >> >> >> >> Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code. >> >> >> >> To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software. >> >> >> >> I understand the versatility of DT, but I see two major problems with DT: >> >> DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained. >> DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob) >> >> >> >> I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs). >> >> >> >> Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls. >> >> >> >> Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call. >> >> >> >> @Simon Glass - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for. >> >> >> >> That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about. >> >> >> >> The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use. >> >> >> >> I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors. >> >> >> >> True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code: >> >> >> >> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \ >> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \ >> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55) >> >> (etc.) >> >> >> >> static struct guid_name { >> efi_guid_t guid; >> const char *name; >> } guid_name[] = { >> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" }, >> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" }, >> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" }, >> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" }, >> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" }, >> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" }, >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" }, >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" }, >> >> (never figured out what those two are) >> >> >> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" }, >> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" }, >> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" }, >> { {}, "zero-guid" }, >> {} >> }; >> >> static const char *guid_to_name(const efi_guid_t *guid) >> { >> struct guid_name *entry; >> >> for (entry = guid_name; entry->name; entry++) { >> if (!guidcmp(guid, &entry->guid)) >> return entry->name; >> } >> >> return NULL; >> } >> >> >> >> Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory. >> >> >> >> >> >> We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB. >> >> >> >> Indeed. There is certainly value in both approaches. >> >> >> >> Regards, >> >> Simon >> >> >> >> >> >> Thanks, >> >> --Harb >> >> >> >> From: François Ozog <francois.ozog(a)linaro.org> >> Sent: Tuesday, March 23, 2021 10:00 AM >> To: François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org> >> Cc: Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages >> >> >> >> +Ron Minnich +Paul Isaac's >> >> >> >> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts. >> >> >> >> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org> wrote: >> >> Hi, >> >> >> >> I propose we cover the topic at the next Trusted Substrate zoom call on April 8th 4pm CET. >> >> >> >> The agenda: >> >> ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions. >> >> runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing. >> >> >> >> For additional background on existing metadata: UEFI Platform Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB >> >> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY. >> >> This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains. >> >> HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested). >> >> >> >> There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2. >> >> I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls). >> >> >> >> Requirements (to be validated): >> >> - ACPI and DT hardware descriptions. >> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2) >> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot) >> >> - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages) >> >> - support secure world device assignment >> >> >> >> Cheers >> >> >> >> FF >> >> >> >> >> >> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote: >> >> Hi, >> >> Can I suggest using bloblist for this instead? It is lightweight, >> easier to parse, doesn't have GUIDs and is already used within U-Boot >> for passing info between SPL/U-Boot, etc. >> >> Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist >> Header file describes the format: >> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h >> >> Full set of unit tests: >> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c >> >> Regards, >> Simon >> >> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> wrote: >> > >> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org> >> > >> > standardization is very much welcomed here and need to accommodate a very >> > diverse set of situations. >> > For example, TEE OS may need to pass memory reservations to BL33 or >> > "capture" a device for the secure world. >> > >> > I have observed a number of architectures: >> > 1) pass information from BLx to BLy in the form of a specific object >> > 2) BLx called by BLy by a platform specific SMC to get information >> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree >> > fixups >> > >> > I also imagined a standardized "broadcast" FF-A call so that any firmware >> > element can either provide information or "do something". >> > >> > My understanding of your proposal is about standardizing on architecture 1) >> > with the HOB format. >> > >> > The advantage of the HOB is simplicity but it may be difficult to implement >> > schemes such as pruning a DT because device assignment in the secure world. >> > >> > In any case, it looks feasible to have TF-A and OP-TEE complement the list >> > of HOBs to pass information downstream (the bootflow). >> > >> > It would be good to start with building the comprehensive list of >> > information that need to be conveyed between firmware elements: >> > >> > information. | authoritative entity | reporting entity | information >> > exchanged: >> > dram | TFA | TFA | >> > <format to be detailed, NUMA topology to build the SRAT table or DT >> > equivalent?> >> > PSCI | SCP | TFA? | >> > SCMI | SCP or TEE-OS | TFA? TEE-OS?| >> > secure SRAM | TFA. | TFA. | >> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? | >> > other? | | >> > | >> > >> > Cheers >> > >> > FF >> > >> > >> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A < >> > tf-a(a)lists.trustedfirmware.org> wrote: >> > >> > > Hello Folks, >> > > >> > > >> > > >> > > I'm emailing to start an open discussion about the adoption of a concept >> > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware >> > > Framework Architecture (FFA). This is something that is a pretty major >> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s >> > > designed to enable a broad range of highly configurable datacenter >> > > platforms. >> > > >> > > >> > > >> > > >> > > >> > > What is a HOB (Background)? >> > > >> > > --------------------------- >> > > >> > > UEFI PI spec describes a particular definition for how HOB may be used for >> > > transitioning between the PEI and DXE boot phases, which is a good >> > > reference point for this discussion, but not necessarily the exact solution >> > > appropriate for TF-A. >> > > >> > > >> > > >> > > A HOB is simply a dynamically generated data structure passed in between >> > > two boot phases. This is information that was obtained through discovery >> > > and needs to be passed forward to the next boot phase *once*, with no API >> > > needed to call back (e.g. no call back into previous firmware phase is >> > > needed to fetch this information at run-time - it is simply passed one time >> > > during boot). >> > > >> > > >> > > >> > > There may be one or more HOBs passed in between boot phases. If there are >> > > more than one HOB that needs to be passed, this can be in a form of a "HOB >> > > table", which (for example) could be a UUID indexed array of pointers to >> > > HOB structures, used to locate a HOB of interest (based on UUID). In such >> > > cases, instead of passing a single HOB, the boot phases may rely on passing >> > > the pointer to the HOB table. >> > > >> > > >> > > >> > > This has been extremely useful concept to employ on highly configurable >> > > systems that must rely on flexible discovery mechanisms to initialize and >> > > boot the system. This is especially helpful when you have multiple >> > > >> > > >> > > >> > > >> > > >> > > Why do we need HOBs in TF-A?: >> > > >> > > ----------------------------- >> > > >> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in >> > > a way that is SoC specific *but* platform agnostic. This means that a >> > > single ARM SoC that a SiP may deliver to customers may provide a single >> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad >> > > range of platform designs and configurations in order to boot a platform >> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to >> > > achieve this, the platform configuration must be *discovered* instead of >> > > statically compiled as it is today in TF-A via device tree based >> > > enumeration. The mechanisms of discovery may differ broadly depending on >> > > the relevant industry standard, or in some cases may have rely on SiP >> > > specific discovery flows. >> > > >> > > >> > > >> > > For example: On server systems that support a broad range DIMM memory >> > > population/topologies, all the necessary information required to boot is >> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an >> > > I2C bus. Leveraging the SPD bus, may platform variants could be supported >> > > with a single TF-A binary. Not only is this information required to >> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot >> > > phases will also need this SPD info to construct a system physical address >> > > map and properly initialize the MMU based on the memory present, and where >> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may >> > > need to generate standard firmware tables to the operating systems, such as >> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT, >> > > SRAT, even NFIT if NVDIMM's are present). >> > > >> > > >> > > >> > > In short, it all starts with a standardized or vendor specific discovery >> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of >> > > information to the next boot stages (e.g. BL31/BL32/BL33). >> > > >> > > >> > > >> > > Today, every HOB may be a vendor specific structure, but in the future >> > > there may be benefit of defining standard HOBs. This may be useful for >> > > memory discovery, passing the system physical address map, enabling TPM >> > > measured boot, and potentially many other common HOB use-cases. >> > > >> > > >> > > >> > > It would be extremely beneficial to the datacenter market segment if the >> > > TF-A community would adopt this concept of information passing between all >> > > boot phases as opposed to rely solely on device tree enumeration. This is >> > > not intended to replace device tree, rather intended as an alternative way >> > > to describe the info that must be discovered and dynamically generated. >> > > >> > > >> > > >> > > >> > > >> > > Conclusion: >> > > >> > > ----------- >> > > >> > > We are proposing that the TF-A community begin pursuing the adoption of >> > > HOBs as a mechanism used for information exchange between each boot stage >> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we >> > > want to explore standardizing some HOB structures for the BL33 phase (e.g. >> > > UEFI HOB structures), but initially would like to agree on this being a >> > > useful mechanism used to pass information between each boot stage. >> > > >> > > >> > > >> > > Thanks, >> > > >> > > --Harb >> > > >> > > >> > > >> > > >> > > >> > > >> > > -- >> > > TF-A mailing list >> > > TF-A(a)lists.trustedfirmware.org >> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> > > >> > >> > >> > -- >> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* >> > T: +33.67221.6485 >> > francois.ozog(a)linaro.org | Skype: ffozog >> > _______________________________________________ >> > boot-architecture mailing list >> > boot-architecture(a)lists.linaro.org >> > https://lists.linaro.org/mailman/listinfo/boot-architecture >> >> >> >> >> -- >> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> >> >> -- >> TF-A mailing list >> TF-A(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> >> >> >> >> -- >> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> >> >> -- >> TF-A mailing list >> TF-A(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> >> -- >> TF-A mailing list >> TF-A(a)lists.trustedfirmware.org >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a >> >> >> >> >> -- >> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group >> >> T: +33.67221.6485 >> francois.ozog(a)linaro.org | Skype: ffozog >> >> > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 2 months

1
0
0 0

Re: [System-dt] System Device Tree call - May 2021

by Stefano Stabellini

Hi all, On Monday, Christopher and Daniel will talk about their Device Tree bindings for HyperLaunch, which has very close similarities to System Device Tree domains. We'll also discuss the topic of hierarchical domains and Bruce will present the latest Lopper updates. On Thu, 6 May 2021, Nathalie Chan King Choy via System-dt wrote: > Hi all, > > > > Calling for agenda items for next week’s System Device Tree call. > > > > Best regards, > > Nathalie > > > > -----Original Appointment----- > From: Nathalie Chan King Choy > Sent: Monday, April 26, 2021 1:52 PM > To: Nathalie Chan King Choy; 'system-dt(a)lists.openampproject.org' > Cc: boot-architecture(a)lists.linaro.org; Tony McDowell; Joakim Bech; Tomas Evensen; Loic PALLARDY; Sudeep Holla; Kepa, Krzysztof (GE > Research, US); Bruce Ashfield; marti.bolivar(a)nordicsemi.no; etoillon(a)kalrayinc.com; Raghuraman, Arvind; Stefano Stabellini; Ed T. Mooring > Subject: System Device Tree call - May 2021 > When: Monday, May 10, 2021 9:00 AM-10:00 AM (UTC-08:00) Pacific Time (US & Canada). > Where: webex > > > > Hi all, > > > > Notes & link to the recording from the last System DT call can be found at > https://github.com/OpenAMP/open-amp/wiki/System-Device-Tree-Meeting-Notes-2… > > > > If you missed the LVC21 Device Tree State of the Union: https://connect.linaro.org/resources/lvc21/lvc21-108/ > > Or the LVC21 Device Tree BOF: https://connect.linaro.org/resources/lvc21/lvc21-112 > > > > Action items from last call: > > * Loic: Check HW lock bindings > * Stefano: Will try to combine the 2 properties into 1 & come up with some examples. > > > > Call scheduled based on overlapping availability of the speakers. Will record for those who can’t make it. > > > > Thanks & regards, > > Nathalie > > >

4 years, 2 months

2
2
0 0

Re: [v5.4 stable] arm: stm32: Regression observed on "no-map" reserved memory region

by Rob Herring

On Tue, Apr 20, 2021 at 10:12 AM Alexandre TORGUE <alexandre.torgue(a)foss.st.com> wrote: > > > > On 4/20/21 4:45 PM, Rob Herring wrote: > > On Tue, Apr 20, 2021 at 9:03 AM Alexandre TORGUE > > <alexandre.torgue(a)foss.st.com> wrote: > >> > >> Hi, > > > > Greg or Sasha won't know what to do with this. Not sure who follows > > the stable list either. Quentin sent the patch, but is not the author. > > Given the patch in question is about consistency between EFI memory > > map boot and DT memory map boot, copying EFI knowledgeable folks would > > help (Ard B for starters). > > Ok thanks for the tips. I add Ard in the loop. Sigh. If it was only Ard I was suggesting I would have done that myself. Now everyone on the patch in question and relevant lists are Cc'ed. > > Ard, let me know if other people have to be directly added or if I have > to resend to another mailing list. > > thanks > alex > > > > >> > >> Since v5.4.102 I observe a regression on stm32mp1 platform: "no-map" > >> reserved-memory regions are no more "reserved" and make part of the > >> kernel System RAM. This causes allocation failure for devices which try > >> to take a reserved-memory region. > >> > >> It has been introduced by the following path: > >> > >> "fdt: Properly handle "no-map" field in the memory region > >> [ Upstream commit 86588296acbfb1591e92ba60221e95677ecadb43 ]" > >> which replace memblock_remove by memblock_mark_nomap in no-map case. > >> > >> Reverting this patch it's fine. > >> > >> I add part of my DT (something is maybe wrong inside): > >> > >> memory@c0000000 { > >> reg = <0xc0000000 0x20000000>; > >> }; > >> > >> reserved-memory { > >> #address-cells = <1>; > >> #size-cells = <1>; > >> ranges; > >> > >> gpu_reserved: gpu@d4000000 { > >> reg = <0xd4000000 0x4000000>; > >> no-map; > >> }; > >> }; > >> > >> Sorry if this issue has already been raised and discussed. > >> > >> Thanks > >> alex

4 years, 2 months

5
14
0 0

EBBR biweekly for 10 May 2021

by Grant Likely

Hi everyone, Here is the agenda for today's EBBR meeting. I've tentatively got on the schedule a discussion of UEFI compliance testing status, but I hadn't confirmed the topic with Vincent and Heinrich ahead of time, so we might not be ready to discuss that and it will be a short meeting today. The other topics I have are an update from Ilias on LoadFile and feedback on Jose's A/B update protocol presentation from last week. Dial in details are below g. Agenda: - News and updates - Feedback on firmware update protocol - UEFI SCT Failure scrub --- Join Zoom Meeting https://armltd.zoom.us/j/92081365511?pwd=SFZpRitXUEp3Zy9GM0h3UUZ1b1pnUT09 Topic: EBBR Biweekly Time: 10 May 2021, 16:00-17:00 GMT Meeting ID: 920 8136 5511 Passcode: 490324 One tap mobile +14086380968,,92081365511#,,,,*490324# US (San Jose) +16465189805,,92081365511#,,,,*490324# US (New York) Dial by your location +1 408 638 0968 US (San Jose) +1 646 518 9805 US (New York) +1 346 248 7799 US (Houston) Meeting ID: 920 8136 5511 Passcode: 490324 Find your local number: https://armltd.zoom.us/u/abf0Umg7EM Join by SIP 92081365511(a)zoomcrc.com Join by H.323 162.255.37.11 (US West) 162.255.36.11 (US East) 115.114.131.7 (India Mumbai) 115.114.115.7 (India Hyderabad) 213.19.144.110 (Amsterdam Netherlands) 213.244.140.110 (Germany) 103.122.166.55 (Australia Sydney) 103.122.167.55 (Australia Melbourne) 209.9.211.110 (Hong Kong SAR) 149.137.40.110 (Singapore) 64.211.144.160 (Brazil) 69.174.57.160 (Canada Toronto) 65.39.152.160 (Canada Vancouver) 207.226.132.110 (Japan Tokyo) 149.137.24.110 (Japan Osaka) Meeting ID: 920 8136 5511 Passcode: 490324 IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

4 years, 2 months

1
0
0 0

RE: System Device Tree call - May 2021

by Nathalie Chan King Choy

Hi all, Calling for agenda items for next week's System Device Tree call. Best regards, Nathalie -----Original Appointment----- From: Nathalie Chan King Choy Sent: Monday, April 26, 2021 1:52 PM To: Nathalie Chan King Choy; 'system-dt(a)lists.openampproject.org' Cc: boot-architecture(a)lists.linaro.org; Tony McDowell; Joakim Bech; Tomas Evensen; Loic PALLARDY; Sudeep Holla; Kepa, Krzysztof (GE Research, US); Bruce Ashfield; marti.bolivar(a)nordicsemi.no; etoillon(a)kalrayinc.com; Raghuraman, Arvind; Stefano Stabellini; Ed T. Mooring Subject: System Device Tree call - May 2021 When: Monday, May 10, 2021 9:00 AM-10:00 AM (UTC-08:00) Pacific Time (US & Canada). Where: webex Hi all, Notes & link to the recording from the last System DT call can be found at https://github.com/OpenAMP/open-amp/wiki/System-Device-Tree-Meeting-Notes-2… If you missed the LVC21 Device Tree State of the Union: https://connect.linaro.org/resources/lvc21/lvc21-108/ Or the LVC21 Device Tree BOF: https://connect.linaro.org/resources/lvc21/lvc21-112 Action items from last call: * Loic: Check HW lock bindings * Stefano: Will try to combine the 2 properties into 1 & come up with some examples. Call scheduled based on overlapping availability of the speakers. Will record for those who can't make it. Thanks & regards, Nathalie

4 years, 2 months

1
0
0 0

[PATCH v3] Add RISC-V support content to the EBBR specification

by Atish Patra

This patch adds all the required content to make RISC-V EBBR compatible. The additional content is not a lot given that we just need to update the architecture specific sections for RISC-V. Rest of the document is ISA agnostic anyways. Signed-off-by: Atish Patra <atish.patra(a)wdc.com> --- source/chapter1-about.rst | 83 ++++++++++++++++++++++++++------- source/chapter2-uefi.rst | 14 +++--- source/chapter3-secureworld.rst | 12 +++++ source/index.rst | 3 ++ source/references.rst | 4 ++ 5 files changed, 92 insertions(+), 24 deletions(-) diff --git a/source/chapter1-about.rst b/source/chapter1-about.rst index 52e61e80b7f9..feb3e7b59431 100644 --- a/source/chapter1-about.rst +++ b/source/chapter1-about.rst @@ -158,6 +158,8 @@ easily meet the stricter BBR requirements. By definition, all BBR compliant systems are also EBBR compliant, but the converse is not true. +This specification is also referenced by RISC-V platform specification [RVPLTSPEC]_. + Conventions Used in this Document ================================= @@ -181,14 +183,12 @@ This document uses the following terms and abbreviations. .. glossary:: +AARCH64 +------- A64 The 64-bit Arm instruction set used in AArch64 state. All A64 instructions are 32 bits. - AArch32 - Arm 32-bit architectures. AArch32 is a roll up term referring to all - 32-bit versions of the Arm architecture starting at ARMv4. - AArch64 state The Arm 64-bit Execution state that uses 64-bit general purpose registers, and a 64-bit program counter (PC), Stack Pointer (SP), and @@ -197,10 +197,6 @@ This document uses the following terms and abbreviations. AArch64 Execution state provides a single instruction set, A64. - EFI Loaded Image - An executable image to be run under the UEFI environment, - and which uses boot time services. - EL0 The lowest Exception level on AArch64. The Exception level that is used to execute user applications, in Non-secure state. @@ -218,17 +214,56 @@ This document uses the following terms and abbreviations. execute Secure Monitor code, which handles the transitions between Non-secure and Secure states. EL3 is always in Secure state. - Logical Unit (LU) - A logical unit (LU) is an externally addressable, independent entity - within a device. In the context of storage, a single device may use - logical units to provide multiple independent storage areas. +ARM +--- + AArch32 + Arm 32-bit architectures. AArch32 is a roll up term referring to all + 32-bit versions of the Arm architecture starting at ARMv4. - OEM - Original Equipment Manufacturer. In this document, the final device - manufacturer. +RISC-V +------ + HART + Hardware thread in RISC-V. This is the hardware execution context that contains + all the state mandated by the ISA. - SiP - Silicon Partner. In this document, the silicon manufacturer. + HSM + Hart State Management (HSM) is an SBI extension that enables the supervisor + mode software to implement ordered booting. + + HS Mode + Hypervisor-extended-supervisor mode which virtualizes the supervisor mode. + + M Mode + Machine mode is the most secure and privileged mode in RISC-V. + + RISC-V + An open standard Instruction Set Architecture (ISA) based on + Reduced Instruction Set Architecture (RISC). + + RV32 + 32 bit execution mode in RISC-V. + + RV64 + 64 bit execution mode in RISC-V. + + RISC-V Supervisor Binary Interface (SBI) + Supervisor Binary Interface. This is an interface between SEE and supervisor + mode in RISC-V. + + SEE + Supervisor Execution Environment in RISC-V. This can be M mode or HS mode. + + S Mode + Supervisor mode is the next privilege mode after M mode where virtual memory is enabled. + + U Mode + User mode is the least privilege mode where user-space application is expected to run. + +UEFI +---- + EFI Loaded Image + An executable image to be run under the UEFI environment, + and which uses boot time services. UEFI Unified Extensible Firmware Interface. @@ -240,3 +275,17 @@ This document uses the following terms and abbreviations. UEFI Runtime Services Functionality that is provided to an Operating System after the ExitBootServices() call. + +Miscellaneous +------------- + Logical Unit (LU) + A logical unit (LU) is an externally addressable, independent entity + within a device. In the context of storage, a single device may use + logical units to provide multiple independent storage areas. + + OEM + Original Equipment Manufacturer. In this document, the final device + manufacturer. + + SiP + Silicon Partner. In this document, the silicon manufacturer. diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst index 53c962ab5c25..4810096a7fd5 100644 --- a/source/chapter2-uefi.rst +++ b/source/chapter2-uefi.rst @@ -209,24 +209,24 @@ Resident UEFI firmware might target a specific privilege level. In contrast, UEFI Loaded Images, such as third-party drivers and boot applications, must not contain any built-in assumptions that they are to be loaded at a given privilege level during boot time since they can, for example, -legitimately be loaded into either EL1 or EL2 on AArch64. +legitimately be loaded into either EL1 or EL2 on AArch64 and HS or S mode on RISC-V. -AArch64 Exception Levels +Exception Levels ------------------------ -On AArch64 UEFI shall execute as 64-bit code at either EL1 or EL2, +UEFI shall execute as 64-bit code at either EL1 or EL2 (on AArch64) and at HS mode or S mode (on RISC-V), depending on whether or not virtualization is available at OS load time. -UEFI Boot at EL2 +UEFI Boot at EL2/HS mode ^^^^^^^^^^^^^^^^ -Most systems are expected to boot UEFI at EL2, to allow for the installation of +Most systems are expected to boot UEFI at EL2/HS mode, to allow for the installation of a hypervisor or a virtualization aware Operating System. -UEFI Boot at EL1 +UEFI Boot at EL1/S Mode ^^^^^^^^^^^^^^^^ -Booting of UEFI at EL1 is most likely employed within a hypervisor hosted Guest +Booting of UEFI at EL1/S mode is most likely employed within a hypervisor hosted Guest Operating System environment, to allow the subsequent booting of a UEFI-compliant Operating System. In this instance, the UEFI boot-time environment can be provided, as a diff --git a/source/chapter3-secureworld.rst b/source/chapter3-secureworld.rst index 9c51bca24f33..d6bfbd322837 100644 --- a/source/chapter3-secureworld.rst +++ b/source/chapter3-secureworld.rst @@ -27,3 +27,15 @@ Platforms without EL3 must implement one of: However, the spin table protocol is strongly discouraged. Future versions of this specification will only allow PSCI, and PSCI should be implemented in all new designs. + +RISC-V Multiprocessor Startup Protocol +====================================== +The resident firmware in M mode or hypervisor running in HS mode must implement +and conform to at least SBI [RVSBISPEC]_ v0.2 with HART +State Management(HSM) extension for both RV32 and RV64. In addition to that, the +firmware must ensure the following condition before jumping to the UEFI +application. + +The device tree must contain a property named **boot-hartid** under the */chosen* +node. This property must indicate the id of the booting hart. The corresponding entry +in the ACPI tables has not been defined yet as ACPI support in RISC-V is under progress. diff --git a/source/index.rst b/source/index.rst index 48318757f717..acd214d25323 100644 --- a/source/index.rst +++ b/source/index.rst @@ -1,5 +1,6 @@ .. EBBR Source Document Copyright Arm Limited, 2017-2019 + Copyright Western Digital Corporation or its affiliates, 2021 SPDX-License-Identifier: CC-BY-SA-4.0 #################################################### @@ -8,6 +9,8 @@ Embedded Base Boot Requirements (EBBR) Specification Copyright © 2017-2019 Arm Limited and Contributors. +Copyright © 2021 Western Digital Corporation or its affiliates. + This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to diff --git a/source/references.rst b/source/references.rst index 6d09d3c0aaa7..6d35d909c8fe 100644 --- a/source/references.rst +++ b/source/references.rst @@ -29,3 +29,7 @@ .. [UEFI] `Unified Extensable Firmware Interface Specification v2.8 Errata A <https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf>`_, February 2020, `UEFI Forum <http://www.uefi.org>`_ + +.. [RVPLTSPEC] `RISC-V Platform specification <https://github.com/riscv/riscv-platform-specs>`_ + +.. [RVSBISPEC] `RISC-V Supervisor Binary Interface specification <https://github.com/riscv/riscv-sbi-doc>`_ -- 2.30.1

4 years, 2 months

3
3
0 0

Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages

by François Ozog

Hi here is the meeting recording: https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%z I am really sorry about the confusion related to the meeting time. I have now understood: the Collaborate portal uses a specific calendar which is tied to US/Chicago timezone while the actual Google Calendar is tied to Central Europe timezone. I am going to drop the Collaborate portal and use a shared Google calendar (it should be visible on the trusted-substrate.org page). I'll try to summarize what I learnt and highlight my view on what can be next steps in a future mail. Cheers FF On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A < tf-a(a)lists.trustedfirmware.org> wrote: > Hi, > > From TF-A project point of view, we prefer to use existing mechanism to > pass parameters across boot stages using linked list of tagged elements (as > suggested by Julius). It has support for both generic and SiP-specific > tags. Having said that, it does not stop partners to introduce new > mechanisms suitable for their usecase in platform port initially and later > move to generic code if its suitable for other platforms. > > To start with, Ampere can introduce a platform specific implementation of > memory tag(speed/NUMA topology etc) which can be evaluated and discussed > for generalization in future. The tag will be populated in BL2 stage and > can be forwarded to further stages(and to BL33) by passing the head of list > pointer in one of the registers. Initially any register can be used but > going forward a standardization will be needed. > > The U-boot bloblist mentioned by Simon is conceptually similar to what > TF-A is using, if there is consensus of using bloblist/taglist then TF-A > tag list may be enhanced to take best of both the implementations. > > One of the potential problems of having structure used in different > projects is maintainability, this can be avoided by having a single copy of > these structures in TF-A (kept inside "include/export" which intended to be > used by other projects.) > > Regarding usage of either UUID or tag, I echo the sentiments of Simon and > Julius to keep it simple and use tag values. > > Looking forward to having further discussions on zoom call today. > > Thanks > Manish P > > ------------------------------ > *From:* TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius > Werner via TF-A <tf-a(a)lists.trustedfirmware.org> > *Sent:* 25 March 2021 02:43 > *To:* Simon Glass <sjg(a)chromium.org> > *Cc:* Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot > Architecture Mailman List <boot-architecture(a)lists.linaro.org>; > tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot > Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; > Ron Minnich <rminnich(a)google.com> > *Subject:* Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for > information passing between boot stages > > Just want to point out that TF-A currently already supports a (very > simple) mechanism like this: > > > https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… > > https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… > > https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… > > It's just a linked list of tagged elements. The tag space is split into > TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare > if more areas need to be defined -- a 64-bit tag can fit a lot). This is > currently being used by some platforms that run coreboot in place of > BL1/BL2, to pass information from coreboot (BL2) to BL31. > > I would echo Simon's sentiment of keeping this as simple as possible and > avoiding complicated and bloated data structures with UUIDs. You usually > want to parse something like this as early as possible in the passed-to > firmware stage, particularly if the structure encodes information about the > debug console (like it does for the platforms I mentioned above). For > example, in BL31 this basically means doing it right after moving from > assembly to C in bl31_early_platform_setup2() to get the console up before > running anything else. At that point in the BL31 initialization, the MMU > and caches are disabled, so data accesses are pretty expensive and you > don't want to spend a lot of parsing effort or calculate complicated > checksums or the like. You just want something extremely simple where you > ideally have to touch every data word only once. > > On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A < > tf-a(a)lists.trustedfirmware.org> wrote: > > Hi Harb, > > On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS < > abdulhamid(a)os.amperecomputing.com> wrote: > > Hello Folks, > > Appreciate the feedback and replies on this. Glad to see that there is > interest in this topic. 😊 > > > > I try to address the comments/feedback from Francois and Simon below…. > > > > @François Ozog <francois.ozog(a)linaro.org> – happy to discuss this on a > zoom call. I will make that time slot work, and will be available to > attend April 8, 4pm CT. > > > > Note that I’m using the term “HOB” here more generically, as there are > typically vendor specific structures beyond the resource descriptor HOB, > which provides only a small subset of the information that needs to be > passed between the boot phases. > > > > The whole point here is to provide mechanism to develop firmware that we > can build ARM Server SoC’s that support **any** BL33 payload (e.g. EDK2, > AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some > point). In other-words, we are trying to come up with a TF-A that would > be completely agnostic to the implementation of BL33 (i.e. BL33 is built > completely independently by a separate entity – e.g. an ODM/OEM). > > > > Keep in mind, in the server/datacenter market segment we are not building > vertically integrated systems with a single entity compiling > firmware/software stacks like most folks in TF-A have become use to. There > are two categories of higher level firmware code blobs in the > server/datacenter model: > > 1. “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, > BL31, and **possibly** one or more BL32 instances > 2. “Platform” or “board” firmware – in TF-A this may map to BL33 and * > *possibly** one or more BL32 instances. > > > > Even the platform firmware stack could be further fragmented by having > multiple entities involved in delivering the entire firmware stack: IBVs, > ODMs, OEMs, CSPs, and possibly even device vendor code. > > > > To support a broad range of platform designs with a broad range of memory > devices, we need a crisp and clear contract between the SoC firmware that > initializes memory (e.g. BL2) and how that platform boot firmware (e.g. > BL33) gathers information about what memory that was initialized, at what > speeds, NUMA topology, and many other relevant information that needs to be > known and comprehended by the platform firmware and eventually by the > platform software. > > > > I understand the versatility of DT, but I see two major problems with DT: > > - DT requires more complicated parsing to get properties, and even > more complex to dynamically set properties – this HOB structures may need > to be generated in boot phases where DDR is not available, and therefore we > will be extremely memory constrained. > - DT is probably overkill for this purpose – We really just want a > list of pointers to simple C structures that code cast (e.g. JEDEC SPD data > blob) > > > > I think that we should not mix the efforts around DT/ACPI specs with what > we are doing here, because those specs and concepts were developed for a > completely different purpose (i.e. abstractions needed for OS / RTOS > software, and not necessarily suitable for firmware-to-firmware hand-offs). > > > > Frankly, I would personally push back pretty hard on defining SMC’s for > something that should be one way information passing. Every SMC we add is > another attack vector to the secure world and an increased burden on the > folks that have to do security auditing and threat analysis. I see no > benefit in exposing these boot/HOB/BOB structures at run-time via SMC > calls. > > > > Please do let me know if you disagree and why. Look forward to discussing > on this thread or on the call. > > > > @Simon Glass <sjg(a)chromium.org> - Thanks for the pointer to bloblist. > I briefly reviewed and it seems like a good baseline for what we may be > looking for. > > > > That being said, I would say that there is some benefit in having some > kind of unique identifiers (e.g. UUID or some unique signature) so that we > can tie standardized data structures (based on some future TBD specs) to a > particular ID. For example, if the TPM driver in BL33 is looking for the > TPM structure in the HOB/BOB list, and may not care about the other data > blobs. The driver needs a way to identify and locate the blob it cares > about. > > > The tag is intended to serve that purpose, although perhaps it should > switch from an auto-allocating enum to one with explicit values for each > entry and a range for 'local' use. > > > > I guess we can achieve this with the tag, but the problem with tag when > you have eco-system with a lot of parties doing parallel development, you > can end up with tag collisions and folks fighting about who has rights to > what tag values. We would need some official process for folks to register > tags for whatever new structures we define, or maybe some tag range for > vendor specific structures. This comes with a lot of pain and > bureaucracy. On the other hand, UUID has been a proven way to make it easy > to just define your own blobs with **either** standard or vendor specific > structures without worry of ID collisions between vendors. > > > True. I think the pain is overstated, though. In this case I think we > actually want something that can be shared between projects and orgs, so > some amount of coordination could be considered a benefit. It could just be > a github pull request. I find the UUID unfriendly and not just to code size > and eyesight! Trying to discover what GUIDs mean or are valid is quite > tricky. E.g. see this code: > > #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \ > EFI_GUID(0xd038747c, 0xd00c, 0x4980, \ > 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55) > (etc.) > > static struct guid_name { > efi_guid_t guid; > const char *name; > } guid_name[] = { > { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" }, > { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" }, > { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" }, > { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" }, > { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" }, > { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" }, > { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" }, > { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" }, > (never figured out what those two are) > > { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" }, > { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" }, > { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" }, > { {}, "zero-guid" }, > {} > }; > > static const char *guid_to_name(const efi_guid_t *guid) > { > struct guid_name *entry; > > for (entry = guid_name; entry->name; entry++) { > if (!guidcmp(guid, &entry->guid)) > return entry->name; > } > > return NULL; > } > > Believe it or not it took a fair bit of effort to find just that small > list, with nearly every one in a separate doc, from memory. > > > > We can probably debate whether there is any value in GUID/UUID or not > during the call… but again, boblist seems like a reasonable starting point > as an alternative to HOB. > > > Indeed. There is certainly value in both approaches. > > Regards, > Simon > > > > > Thanks, > > --Harb > > > > *From:* François Ozog <francois.ozog(a)linaro.org> > *Sent:* Tuesday, March 23, 2021 10:00 AM > *To:* François Ozog <francois.ozog(a)linaro.org>; Ron Minnich < > rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org> > *Cc:* Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS < > abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List < > boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org > *Subject:* Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for > information passing between boot stages > > > > +Ron Minnich <rminnich(a)google.com> +Paul Isaac's <paul.isaacs(a)linaro.org> > > > > Adding Ron and Paul because I think this interface should be also > benefiting LinuxBoot efforts. > > > > On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A < > tf-a(a)lists.trustedfirmware.org> wrote: > > Hi, > > > > I propose we cover the topic at the next Trusted Substrate > <https://collaborate.linaro.org/display/TS/Trusted+Substrate+Home> zoom > call <https://linaro-org.zoom.us/j/94563644892> on April 8th 4pm CET. > > > > The agenda: > > ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, > S-EL2, SCP) to adapt hardware description to some runtime conditions. > > runtime conditions here relates to DRAM size and topology detection, > secure DRAM memory carvings, PSCI and SCMI interface publishing. > > > > For additional background on existing metadata: UEFI Platform > Initialization Specification Version 1.7 > <https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.p…> > , 5.5 Resource Descriptor HOB > > Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY. > > This HOB lacks memory NUMA attachment or something that could be related > to fill SRAT table for ACPI or relevant DT proximity domains. > > HOB is not consistent accros platforms: some platforms (Arm) lists memory > from the booting NUMA node, other platforms (x86) lists all memory from all > NUMA nodes. (At least this is the case on the two platforms I tested). > > > > There are two proposals to use memory structures from SPL/BLx up to the > handover function (as defined in the Device Tree technical report > <https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…>) > which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or > EDK2. > > I would propose we also discuss possibility of FF-A interface to actually > query information or request actions to be done (this is a model actually > used in some SoCs with proprietary SMC calls). > > > > Requirements (to be validated): > > - ACPI and DT hardware descriptions. > > - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2) > > - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, > TF-A/LinuxBoot) > > - at least allows complete DRAM description and "persistent" usage > (reserved areas for secure world or other usages) > > - support secure world device assignment > > > > Cheers > > > > FF > > > > > > On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote: > > Hi, > > Can I suggest using bloblist for this instead? It is lightweight, > easier to parse, doesn't have GUIDs and is already used within U-Boot > for passing info between SPL/U-Boot, etc. > > Docs here: > https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist > Header file describes the format: > https://github.com/u-boot/u-boot/blob/master/include/bloblist.h > > Full set of unit tests: > https://github.com/u-boot/u-boot/blob/master/test/bloblist.c > > Regards, > Simon > > On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> > wrote: > > > > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org> > > > > standardization is very much welcomed here and need to accommodate a very > > diverse set of situations. > > For example, TEE OS may need to pass memory reservations to BL33 or > > "capture" a device for the secure world. > > > > I have observed a number of architectures: > > 1) pass information from BLx to BLy in the form of a specific object > > 2) BLx called by BLy by a platform specific SMC to get information > > 3) BLx called by BLy by a platform specific SMC to perform Device Tree > > fixups > > > > I also imagined a standardized "broadcast" FF-A call so that any firmware > > element can either provide information or "do something". > > > > My understanding of your proposal is about standardizing on architecture > 1) > > with the HOB format. > > > > The advantage of the HOB is simplicity but it may be difficult to > implement > > schemes such as pruning a DT because device assignment in the secure > world. > > > > In any case, it looks feasible to have TF-A and OP-TEE complement the > list > > of HOBs to pass information downstream (the bootflow). > > > > It would be good to start with building the comprehensive list of > > information that need to be conveyed between firmware elements: > > > > information. | authoritative entity | reporting entity | information > > exchanged: > > dram | TFA | TFA | > > <format to be detailed, NUMA topology to build the SRAT table or DT > > equivalent?> > > PSCI | SCP | TFA? | > > SCMI | SCP or TEE-OS | TFA? TEE-OS?| > > secure SRAM | TFA. | TFA. | > > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? | > > other? | | > > | > > > > Cheers > > > > FF > > > > > > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A < > > tf-a(a)lists.trustedfirmware.org> wrote: > > > > > Hello Folks, > > > > > > > > > > > > I'm emailing to start an open discussion about the adoption of a > concept > > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware > > > Framework Architecture (FFA). This is something that is a pretty major > > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s > > > designed to enable a broad range of highly configurable datacenter > > > platforms. > > > > > > > > > > > > > > > > > > What is a HOB (Background)? > > > > > > --------------------------- > > > > > > UEFI PI spec describes a particular definition for how HOB may be used > for > > > transitioning between the PEI and DXE boot phases, which is a good > > > reference point for this discussion, but not necessarily the exact > solution > > > appropriate for TF-A. > > > > > > > > > > > > A HOB is simply a dynamically generated data structure passed in > between > > > two boot phases. This is information that was obtained through > discovery > > > and needs to be passed forward to the next boot phase *once*, with no > API > > > needed to call back (e.g. no call back into previous firmware phase is > > > needed to fetch this information at run-time - it is simply passed one > time > > > during boot). > > > > > > > > > > > > There may be one or more HOBs passed in between boot phases. If there > are > > > more than one HOB that needs to be passed, this can be in a form of a > "HOB > > > table", which (for example) could be a UUID indexed array of pointers > to > > > HOB structures, used to locate a HOB of interest (based on UUID). In > such > > > cases, instead of passing a single HOB, the boot phases may rely on > passing > > > the pointer to the HOB table. > > > > > > > > > > > > This has been extremely useful concept to employ on highly configurable > > > systems that must rely on flexible discovery mechanisms to initialize > and > > > boot the system. This is especially helpful when you have multiple > > > > > > > > > > > > > > > > > > Why do we need HOBs in TF-A?: > > > > > > ----------------------------- > > > > > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC > in > > > a way that is SoC specific *but* platform agnostic. This means that a > > > single ARM SoC that a SiP may deliver to customers may provide a single > > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad > > > range of platform designs and configurations in order to boot a > platform > > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to > > > achieve this, the platform configuration must be *discovered* instead > of > > > statically compiled as it is today in TF-A via device tree based > > > enumeration. The mechanisms of discovery may differ broadly depending > on > > > the relevant industry standard, or in some cases may have rely on SiP > > > specific discovery flows. > > > > > > > > > > > > For example: On server systems that support a broad range DIMM memory > > > population/topologies, all the necessary information required to boot > is > > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over > an > > > I2C bus. Leveraging the SPD bus, may platform variants could be > supported > > > with a single TF-A binary. Not only is this information required to > > > initialize memory in early boot phases (e.g. BL2), the subsequent boot > > > phases will also need this SPD info to construct a system physical > address > > > map and properly initialize the MMU based on the memory present, and > where > > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) > may > > > need to generate standard firmware tables to the operating systems, > such as > > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. > SLIT, > > > SRAT, even NFIT if NVDIMM's are present). > > > > > > > > > > > > In short, it all starts with a standardized or vendor specific > discovery > > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of > > > information to the next boot stages (e.g. BL31/BL32/BL33). > > > > > > > > > > > > Today, every HOB may be a vendor specific structure, but in the future > > > there may be benefit of defining standard HOBs. This may be useful for > > > memory discovery, passing the system physical address map, enabling TPM > > > measured boot, and potentially many other common HOB use-cases. > > > > > > > > > > > > It would be extremely beneficial to the datacenter market segment if > the > > > TF-A community would adopt this concept of information passing between > all > > > boot phases as opposed to rely solely on device tree enumeration. > This is > > > not intended to replace device tree, rather intended as an alternative > way > > > to describe the info that must be discovered and dynamically generated. > > > > > > > > > > > > > > > > > > Conclusion: > > > > > > ----------- > > > > > > We are proposing that the TF-A community begin pursuing the adoption of > > > HOBs as a mechanism used for information exchange between each boot > stage > > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we > > > want to explore standardizing some HOB structures for the BL33 phase > (e.g. > > > UEFI HOB structures), but initially would like to agree on this being a > > > useful mechanism used to pass information between each boot stage. > > > > > > > > > > > > Thanks, > > > > > > --Harb > > > > > > > > > > > > > > > > > > > > > -- > > > TF-A mailing list > > > TF-A(a)lists.trustedfirmware.org > > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > > > > > > > > -- > > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > > T: +33.67221.6485 > > francois.ozog(a)linaro.org | Skype: ffozog > > _______________________________________________ > > boot-architecture mailing list > > boot-architecture(a)lists.linaro.org > > https://lists.linaro.org/mailman/listinfo/boot-architecture > > > > > -- > > *François-Frédéric Ozog* | *Director Linaro Edge & Fog Computing Group* > > T: +33.67221.6485 > francois.ozog(a)linaro.org | Skype: ffozog > > > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > > > > -- > > *François-Frédéric Ozog* | *Director Linaro Edge & Fog Computing Group* > > T: +33.67221.6485 > francois.ozog(a)linaro.org | Skype: ffozog > > > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > -- > TF-A mailing list > TF-A(a)lists.trustedfirmware.org > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 2 months

4
3
0 0

How to add metadata to device-trees

by Heinrich Schuchardt

Dear all, in the DTE meetings we have been discussing how we should add signatures to device-trees. Due to the way how libfdt adds properties the sanest place to add metadata is before the memory reservation block. I have tested this with the U-Boot->GRUB->Linux boot sequence. See my slides at https://github.com/xypron/dte/blob/master/DTE%20-%20Adding%20Metadata.pdf and the test program I used https://github.com/xypron/dte/blob/master/src/add_metadata_area.c In the next DTE meetings we could discuss drafting a specification change for this. Best regards Heinrich

4 years, 2 months

2
2
0 0

Canceling meeting for Monday May 3

by Bill Mills

All, Sorry for the late notice but I am canceling the meeting for tomorrow, Monday May 3. Something came up for me that I must attend to. Also, Monday is a holiday in the UK. Grant will not be attending and pehaps others would not as well. Frank has been working to prepare for the discussion of the next DTB format so we will start that discussion next time. Thanks and sorry again, Bill -- Bill Mills Principal Technical Consultant, Linaro +1-240-643-0836 TZ: US Eastern Work Schedule: Tues/Wed/Thur

4 years, 2 months

1
0
0 0

System Device Tree call - May 2021

by Nathalie Chan King Choy

Hi all, Notes & link to the recording from the last System DT call can be found at https://github.com/OpenAMP/open-amp/wiki/System-Device-Tree-Meeting-Notes-2… If you missed the LVC21 Device Tree State of the Union: https://connect.linaro.org/resources/lvc21/lvc21-108/ Or the LVC21 Device Tree BOF: https://connect.linaro.org/resources/lvc21/lvc21-112 Action items from last call: * Loic: Check HW lock bindings * Stefano: Will try to combine the 2 properties into 1 & come up with some examples. Call scheduled based on overlapping availability of the speakers. Will record for those who can't make it. Thanks & regards, Nathalie Monday, May 10, 2021 9:00 AM | (UTC-07:00) Pacific Time (US & Canada) | 1 hr Join meeting<https://xilinx.webex.com/xilinx/j.php?MTID=mbc32e3c3ef70524171c8a6bb1b463ff2> More ways to join: Join from the meeting link https://xilinx.webex.com/xilinx/j.php?MTID=mbc32e3c3ef70524171c8a6bb1b463ff2 Join by meeting number Meeting number (access code): 145 453 6735 Meeting password: MQim27cd2K@ Join by phone +1-415-655-0001 US Toll 1-844-621-3956 United States Toll Free Global call-in numbers<https://xilinx.webex.com/xilinx/globalcallin.php?MTID=m5365d8b15eb1f587e081…> | Toll-free calling restrictions<https://www.webex.com/pdf/tollfree_restrictions.pdf> Need help? Go to https://help.webex.com

4 years, 2 months

1
0
0 0

EBBR v2.0.0 released

by Grant Likely

Hi all, I've just tagged v2.0.0 of EBBR. Please go have a read and please report any issues either here or on github: https://github.com/ARM-software/ebbr/releases/tag/v2.0.0 https://github.com/ARM-software/ebbr/issues Cheers, g.

4 years, 2 months

1
0
0 0

Reminder: EBBR Biweekly for 26 April 2021

by Grant Likely

Hi all, Next EBBR meeting is ON for Monday, 26 April 2021 at 16:00 GMT. Dial in details are below. As discussed at last meeting, the EBBR biweekly series will be dedicated to tech topics around boot standardization until such time as another EBBR release needs to be considered. This Monday, Jose Marinho will be presenting the proposed firmware update protocol https://lists.linaro.org/pipermail/boot-architecture/2021-April/001799.html Email me if you'd like to propose a tech topic for an upcoming EBBR meeting. g. --- Grant Likely is inviting you to a scheduled Zoom meeting. Topic: EBBR Biweekly Time: 18 Jan 2021, 16:00-17:00 GMT Join Zoom Meeting https://armltd.zoom.us/j/92081365511?pwd=SFZpRitXUEp3Zy9GM0h3UUZ1b1pnUT09 Meeting ID: 920 8136 5511 Passcode: 490324 One tap mobile +14086380968,,92081365511#,,,,*490324# US (San Jose) +16465189805,,92081365511#,,,,*490324# US (New York) Dial by your location +1 408 638 0968 US (San Jose) +1 646 518 9805 US (New York) +1 346 248 7799 US (Houston) Meeting ID: 920 8136 5511 Passcode: 490324 Find your local number: https://armltd.zoom.us/u/aelJgr9ZAW

4 years, 2 months

1
0
0 0

FW update on A-class Arm devices

by Jose Marinho

Good afternoon, Linaro and Arm have been standardizing the FW update mechanism for A-class devices. The intention behind the standardization is to enable generic implementations of the UEFI UpdateCapsule where: 1) the FW store resides in Secure World controlled flash; 2) there is FW bank duplication (A/B model). Arm published a specification, at Alpha quality, that defines the FW update model and a set of tools catering for 1) and 2) : https://developer.arm.com/-/media/Files/pdf/FWU-PSA-A_DEN0118_1.0ALP3.pdf Arm welcomes feedback on the specification. Please direct feedback to either myself or Grant Likely The FW update work will be discussed at the EBBR biweekly call this Monday (26th April). Regards, Jose IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

4 years, 2 months

3
2
0 0

DTE call today

by Bill Mills

Hello, We have the DTE call today. If Frank is ready to talk about DTB format evolution we will do that. If not we need agenda items. 4PM UK, 11AM US Eastern Zoom Meeting ID: 961 7042 8801 Passcode: 8250 Thanks, Bill -- Bill Mills Principal Technical Consultant, Linaro +1-240-643-0836 TZ: US Eastern Work Schedule: Tues/Wed/Thur

4 years, 2 months

3
4
0 0

Fwd: [TF-A] [RFC] TF-A threat model

by François Ozog

Interesting topic. ---------- Forwarded message --------- From: Zelalem Aweke via TF-A <tf-a(a)lists.trustedfirmware.org> Date: Fri, 16 Apr 2021 at 17:14 Subject: [TF-A] [RFC] TF-A threat model To: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org> Hi All, We are releasing the first TF-A threat model document. This release provides the baseline for future updates to be applied as required by developments to the TF-A code base. Please review the document provide comments here: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/9627. Thanks, Zelalem -- TF-A mailing list TF-A(a)lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 2 months

1
0
0 0

Next week's reach out Council

by François Ozog

Hi, next week agenda is: - Industrial Internet Consortium patterns update - Civil Infrastructure Project liaison update - Open System Firmware <https://www.opencompute.org/projects/open-system-firmware> presentation and discussion On this last topic, I'm glad to welcome Ron Minnich who will present Open System Firmware initiatives from Open Compute Project. (Ron has a long history in firmware with creation of CoreBoot and more recently LinuxBoot). SystemReady standards define technical requirements to ensure decoupling between firmware and operating systems. I see OSF efforts complementing the technical standards with firmware business lifecycle to guarantee openness and freedom of use. A checklist <https://www.opencompute.org/wiki/Open_System_Firmware/Checklist> helps qualify systems per those openness and freedom of use criteria. I'd like us to be able to have an informed discussion on the checklist (meaning need to read before the call ;-) to see how much it may apply to Trusted Substrate <http://trusted-substrate.org>, and wether it would make sense (if technically feasible) to setup a liaison between our two groups. Cordially, FF PS: I will be sending additional invites for new attendees -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 3 months

1
0
0 0

Firmware: Sustainability vs planned obsolescence

by François Ozog

Hi even though I am not an "ecology activist", sustainability is a topic dear to me. And it can translate into firmware world... So I am targeting this message to the audience of the two firmware communities I know and hope it is okay to do so. March 2021 was a big date for Open Source Firmware <https://www.opencompute.org/projects/open-system-firmware>: that was the deadline to get " Owners must be able to change firmware and share it -- including any binary components -- with other owners. Starting in March, 2021, OCP badging for servers will require that systems support OSF. " That's a big step towards sustainability in the OCP world. More generally, we should have the capacity to characterize firmware sustainability for post official firmware End Of Life. What about the following : level 0: system cannot evolve or be updated. level 1: the system can be updated to a bootable minimal functionality with open community effort.It may lack some features. For instance, you can still look at your TV but lose Netflix 4K because the owners (in OCP sense) cannot get a signed Netflix TA (either updated or not). level 2: the TAs and other binaries can be made available (signed) to the ones maintaining open source firmware projects (TF-A, OP-TEE, U-Boot...). For instance, owners (in the OCP sense) can get the updated Netflix TA binary (updated or not) and sign it for inclusion. level 3: all firmware components are open source and can thus be community maintained. I think : Level 2 is the right balance between business value and "ecological" goal of sustainability. Level 3 is not mandatory and not the ultimate goal. Is this a good way to characterize sustainability? How to make at least level 2 happen ? Cheers FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 3 months

7
22
0 0

Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages

by Manish Pandey2

Hi, From TF-A project point of view, we prefer to use existing mechanism to pass parameters across boot stages using linked list of tagged elements (as suggested by Julius). It has support for both generic and SiP-specific tags. Having said that, it does not stop partners to introduce new mechanisms suitable for their usecase in platform port initially and later move to generic code if its suitable for other platforms. To start with, Ampere can introduce a platform specific implementation of memory tag(speed/NUMA topology etc) which can be evaluated and discussed for generalization in future. The tag will be populated in BL2 stage and can be forwarded to further stages(and to BL33) by passing the head of list pointer in one of the registers. Initially any register can be used but going forward a standardization will be needed. The U-boot bloblist mentioned by Simon is conceptually similar to what TF-A is using, if there is consensus of using bloblist/taglist then TF-A tag list may be enhanced to take best of both the implementations. One of the potential problems of having structure used in different projects is maintainability, this can be avoided by having a single copy of these structures in TF-A (kept inside "include/export" which intended to be used by other projects.) Regarding usage of either UUID or tag, I echo the sentiments of Simon and Julius to keep it simple and use tag values. Looking forward to having further discussions on zoom call today. Thanks Manish P ________________________________ From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org> Sent: 25 March 2021 02:43 To: Simon Glass <sjg(a)chromium.org> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages Just want to point out that TF-A currently already supports a (very simple) mechanism like this: https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31. I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once. On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> wrote: Hi Harb, On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com<mailto:abdulhamid@os.amperecomputing.com>> wrote: Hello Folks, Appreciate the feedback and replies on this. Glad to see that there is interest in this topic. 😊 I try to address the comments/feedback from Francois and Simon below…. @François Ozog<mailto:francois.ozog@linaro.org> – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT. Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases. The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM). Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model: 1. “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances 2. “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances. Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code. To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software. I understand the versatility of DT, but I see two major problems with DT: * DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained. * DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob) I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs). Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls. Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call. @Simon Glass<mailto:sjg@chromium.org> - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for. That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about. The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use. I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors. True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code: #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \ EFI_GUID(0xd038747c, 0xd00c, 0x4980, \ 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55) (etc.) static struct guid_name { efi_guid_t guid; const char *name; } guid_name[] = { { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" }, { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" }, { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" }, { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" }, { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" }, { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" }, { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" }, { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" }, (never figured out what those two are) { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" }, { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" }, { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" }, { {}, "zero-guid" }, {} }; static const char *guid_to_name(const efi_guid_t *guid) { struct guid_name *entry; for (entry = guid_name; entry->name; entry++) { if (!guidcmp(guid, &entry->guid)) return entry->name; } return NULL; } Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory. We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB. Indeed. There is certainly value in both approaches. Regards, Simon Thanks, --Harb From: François Ozog <francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org>> Sent: Tuesday, March 23, 2021 10:00 AM To: François Ozog <francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org>>; Ron Minnich <rminnich(a)google.com<mailto:rminnich@google.com>>; Paul Isaac's <paul.isaacs(a)linaro.org<mailto:paul.isaacs@linaro.org>> Cc: Simon Glass <sjg(a)chromium.org<mailto:sjg@chromium.org>>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com<mailto:abdulhamid@os.amperecomputing.com>>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org<mailto:boot-architecture@lists.linaro.org>>; tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages +Ron Minnich<mailto:rminnich@google.com> +Paul Isaac's<mailto:paul.isaacs@linaro.org> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts. On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> wrote: Hi, I propose we cover the topic at the next Trusted Substrate<https://collaborate.linaro.org/display/TS/Trusted+Substrate+Home> zoom call<https://linaro-org.zoom.us/j/94563644892> on April 8th 4pm CET. The agenda: ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions. runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing. For additional background on existing metadata: UEFI Platform Initialization Specification Version 1.7<https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.p…>, 5.5 Resource Descriptor HOB Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY. This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains. HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested). There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report<https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…>) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2. I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls). Requirements (to be validated): - ACPI and DT hardware descriptions. - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2) - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot) - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages) - support secure world device assignment Cheers FF On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org<mailto:sjg@chromium.org>> wrote: Hi, Can I suggest using bloblist for this instead? It is lightweight, easier to parse, doesn't have GUIDs and is already used within U-Boot for passing info between SPL/U-Boot, etc. Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist Header file describes the format: https://github.com/u-boot/u-boot/blob/master/include/bloblist.h Full set of unit tests: https://github.com/u-boot/u-boot/blob/master/test/bloblist.c Regards, Simon On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org>> wrote: > > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org<mailto:boot-architecture@lists.linaro.org>> > > standardization is very much welcomed here and need to accommodate a very > diverse set of situations. > For example, TEE OS may need to pass memory reservations to BL33 or > "capture" a device for the secure world. > > I have observed a number of architectures: > 1) pass information from BLx to BLy in the form of a specific object > 2) BLx called by BLy by a platform specific SMC to get information > 3) BLx called by BLy by a platform specific SMC to perform Device Tree > fixups > > I also imagined a standardized "broadcast" FF-A call so that any firmware > element can either provide information or "do something". > > My understanding of your proposal is about standardizing on architecture 1) > with the HOB format. > > The advantage of the HOB is simplicity but it may be difficult to implement > schemes such as pruning a DT because device assignment in the secure world. > > In any case, it looks feasible to have TF-A and OP-TEE complement the list > of HOBs to pass information downstream (the bootflow). > > It would be good to start with building the comprehensive list of > information that need to be conveyed between firmware elements: > > information. | authoritative entity | reporting entity | information > exchanged: > dram | TFA | TFA | > <format to be detailed, NUMA topology to build the SRAT table or DT > equivalent?> > PSCI | SCP | TFA? | > SCMI | SCP or TEE-OS | TFA? TEE-OS?| > secure SRAM | TFA. | TFA. | > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? | > other? | | > | > > Cheers > > FF > > > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A < > tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> wrote: > > > Hello Folks, > > > > > > > > I'm emailing to start an open discussion about the adoption of a concept > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware > > Framework Architecture (FFA). This is something that is a pretty major > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s > > designed to enable a broad range of highly configurable datacenter > > platforms. > > > > > > > > > > > > What is a HOB (Background)? > > > > --------------------------- > > > > UEFI PI spec describes a particular definition for how HOB may be used for > > transitioning between the PEI and DXE boot phases, which is a good > > reference point for this discussion, but not necessarily the exact solution > > appropriate for TF-A. > > > > > > > > A HOB is simply a dynamically generated data structure passed in between > > two boot phases. This is information that was obtained through discovery > > and needs to be passed forward to the next boot phase *once*, with no API > > needed to call back (e.g. no call back into previous firmware phase is > > needed to fetch this information at run-time - it is simply passed one time > > during boot). > > > > > > > > There may be one or more HOBs passed in between boot phases. If there are > > more than one HOB that needs to be passed, this can be in a form of a "HOB > > table", which (for example) could be a UUID indexed array of pointers to > > HOB structures, used to locate a HOB of interest (based on UUID). In such > > cases, instead of passing a single HOB, the boot phases may rely on passing > > the pointer to the HOB table. > > > > > > > > This has been extremely useful concept to employ on highly configurable > > systems that must rely on flexible discovery mechanisms to initialize and > > boot the system. This is especially helpful when you have multiple > > > > > > > > > > > > Why do we need HOBs in TF-A?: > > > > ----------------------------- > > > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in > > a way that is SoC specific *but* platform agnostic. This means that a > > single ARM SoC that a SiP may deliver to customers may provide a single > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad > > range of platform designs and configurations in order to boot a platform > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to > > achieve this, the platform configuration must be *discovered* instead of > > statically compiled as it is today in TF-A via device tree based > > enumeration. The mechanisms of discovery may differ broadly depending on > > the relevant industry standard, or in some cases may have rely on SiP > > specific discovery flows. > > > > > > > > For example: On server systems that support a broad range DIMM memory > > population/topologies, all the necessary information required to boot is > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an > > I2C bus. Leveraging the SPD bus, may platform variants could be supported > > with a single TF-A binary. Not only is this information required to > > initialize memory in early boot phases (e.g. BL2), the subsequent boot > > phases will also need this SPD info to construct a system physical address > > map and properly initialize the MMU based on the memory present, and where > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may > > need to generate standard firmware tables to the operating systems, such as > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT, > > SRAT, even NFIT if NVDIMM's are present). > > > > > > > > In short, it all starts with a standardized or vendor specific discovery > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of > > information to the next boot stages (e.g. BL31/BL32/BL33). > > > > > > > > Today, every HOB may be a vendor specific structure, but in the future > > there may be benefit of defining standard HOBs. This may be useful for > > memory discovery, passing the system physical address map, enabling TPM > > measured boot, and potentially many other common HOB use-cases. > > > > > > > > It would be extremely beneficial to the datacenter market segment if the > > TF-A community would adopt this concept of information passing between all > > boot phases as opposed to rely solely on device tree enumeration. This is > > not intended to replace device tree, rather intended as an alternative way > > to describe the info that must be discovered and dynamically generated. > > > > > > > > > > > > Conclusion: > > > > ----------- > > > > We are proposing that the TF-A community begin pursuing the adoption of > > HOBs as a mechanism used for information exchange between each boot stage > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we > > want to explore standardizing some HOB structures for the BL33 phase (e.g. > > UEFI HOB structures), but initially would like to agree on this being a > > useful mechanism used to pass information between each boot stage. > > > > > > > > Thanks, > > > > --Harb > > > > > > > > > > > > > > -- > > TF-A mailing list > > TF-A(a)lists.trustedfirmware.org<mailto:TF-A@lists.trustedfirmware.org> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > > > > -- > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > T: +33.67221.6485 > francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org> | Skype: ffozog > _______________________________________________ > boot-architecture mailing list > boot-architecture(a)lists.linaro.org<mailto:boot-architecture@lists.linaro.org> > https://lists.linaro.org/mailman/listinfo/boot-architecture -- [https://drive.google.com/a/linaro.org/uc?id=0BxTAygkus3RgQVhuNHMwUi1mYWc&ex…] François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group T: +33.67221.6485 francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org> | Skype: ffozog -- TF-A mailing list TF-A(a)lists.trustedfirmware.org<mailto:TF-A@lists.trustedfirmware.org> https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- [https://drive.google.com/a/linaro.org/uc?id=0BxTAygkus3RgQVhuNHMwUi1mYWc&ex…] François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group T: +33.67221.6485 francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org> | Skype: ffozog -- TF-A mailing list TF-A(a)lists.trustedfirmware.org<mailto:TF-A@lists.trustedfirmware.org> https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 3 months

6
5
0 0

EBBR Biweekly cancelled for today

by Grant Likely

I'm cancelling today's EBBR biweekly as I don't have an agenda for today. From discussion at the last EBBR meeting, with EBBR v2 about to be released and not a lot of new content to discuss, future EBBR meetings will be more of a tech forum format. Please email me if there is a tech topic you want to discuss in the biweekly EBBR forum and I'll add it to the schedule which will start in 2 weeks time. g. IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

4 years, 3 months

1
0
0 0

Hand over blocks in SynQuacer SoC

by Masami Hiramatsu

Hello, Last week's meeting about HOBs for the DRAM information, I would like to give an example of the Socionext SynQuacer case. SynQuacer SoC is a bit unique SoC, it consists of 24xCA53(AP) + CM3(SCP), and it uses DIMM cards like PCs. Thus, when initializing the memory, it has to detect the DIMM and initialize it and notify the configuration to BL3X. The SynQuacer boots from SCP and runs SCP firmware on it. The SCP firmware initializes DDR memory and secure memory area. Since the SynQuacer has a GPIO (DIP switch) to enable or disable secure memory, secure memory is dynamically configurable. So, it has a vendor extension of SCMI call to pass that information. https://github.com/ARM-software/SCP-firmware/blob/master/product/synquacer/… When the TF-A is booted by SCP on AP, TF-A calls the SCMI and gets the DDR information, from which the secure memory area is removed. TF-A saved the information on an address, and EDK2 and U-Boot uses it (of course BL33 can issue the SCMI to get the information) [SCP fw] <-(SCMI)-> [TF-A] <-(memory*)-> [U-Boot/EDK2] * it will be updated to use SMC. - The SynQuacer doesn't use Devicetree to pass this information because EDK2 uses ACPI by default. - Secure memory information is not shared. that size and address are fixed in SCP-firmware, TF-A and OP-TEE. Thank you, -- Masami Hiramatsu

4 years, 3 months

1
0
0 0

Trusted Substrate architecture call: HandOverBlocks discussion

by François Ozog

Hi following a mail discussion on trusted-firmware A we will have a discussion on HOBs during this week's Trusted Substrate <http://trusted-substrate.org>architecture council call <https://linaro-org.zoom.us/j/94563644892>. In addition to mail thread, here is a deck <https://docs.google.com/presentation/d/1KyqkyqoGXHUynZSI2hRFBoO_P7sFwgUJWhj…> I'll use to start things up. Cheers FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 3 months

2
2
0 0

RE: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages

by raghu.ncstate＠icloud.com

Julius, Simon, It appears there are opinions you carry around UUID being complicated, bloated, code being an eyesore, parsing these lists early with MMU/Caches disabled, calculating checksums etc. While there is certainly a LOT of truth to those statements, these concerns need to be put into context and may not necessarily apply to all platforms running TF-A. Standardization and interoperability may be valued more on some platforms and some of the bloat and performance issues may be worth those tradeoffs. Some of these concerns may not even apply on powerful CPU’s and SoC’s with lots of memory. Also a quick grep for “uuid” in the TF-A repository shows that there is significant use of UUID’s for FIP, some SMC’s, secure partitions etc so use of UUID is not something new to TF-A. While there are many ways to solve the same problem, there are also potential dis-advantages to something like the mechanism pointed out below. For example, this is yet another solution to an already solved problem. If we use UEFI hob’s, the code and problem has been solved for decades and there is code re-use possible and that *potentially*(opinions may vary) is better for security as there have been eyes on it for long and is more stable.(I’m very aware UEFI is not the gold standard for security, but again, it is a blanket statement to say all UEFI code is bad). Does the method mentioned below allow you to create a dynamic list of arbitrary lengths and NOT lists of lengths decided at compile time? It appears that it is mainly being used on lists fixed at compile time. What about interoperability with UEFI? Coreboot is great for platforms/companies that use it but what about platforms that *must* use UEFI for various reasons? Do we need a conversion from the method below to a UEFI HOB if BL33 is UEFI? Clearly the solution below was tailored to coreboot. We can support multiple ways in the same code base through build and run time options and a platform should be free to make calls on whether the problems you mentioned below really apply or not. What is a pain to do(having co-ordination with multiple companies vs vendor defined tags/UUID’s) is also subjective and whether or not it is overstated is matter of opinion/context. I think it may be best to discuss this in the call and understand the requirements fully. It may turn out that what you have proposed below works anyway 😊 Thanks Raghu From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Julius Werner via TF-A Sent: Wednesday, March 24, 2021 7:44 PM To: Simon Glass <sjg(a)chromium.org> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages Just want to point out that TF-A currently already supports a (very simple) mechanism like this: https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/… It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31. I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once. On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org <mailto:tf-a@lists.trustedfirmware.org> > wrote: Hi Harb, On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com <mailto:abdulhamid@os.amperecomputing.com> > wrote: Hello Folks, Appreciate the feedback and replies on this. Glad to see that there is interest in this topic. 😊 I try to address the comments/feedback from Francois and Simon below…. <mailto:francois.ozog@linaro.org> @François Ozog – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT. Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases. The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM). Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model: 1. “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances 2. “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances. Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code. To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software. I understand the versatility of DT, but I see two major problems with DT: * DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained. * DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob) I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs). Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls. Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call. <mailto:sjg@chromium.org> @Simon Glass - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for. That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about. The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use. I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors. True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code: #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \ EFI_GUID(0xd038747c, 0xd00c, 0x4980, \ 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55) (etc.) static struct guid_name { efi_guid_t guid; const char *name; } guid_name[] = { { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" }, { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" }, { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" }, { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" }, { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" }, { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" }, { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" }, { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" }, (never figured out what those two are) { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" }, { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" }, { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" }, { {}, "zero-guid" }, {} }; static const char *guid_to_name(const efi_guid_t *guid) { struct guid_name *entry; for (entry = guid_name; entry->name; entry++) { if (!guidcmp(guid, &entry->guid)) return entry->name; } return NULL; } Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory. We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB. Indeed. There is certainly value in both approaches. Regards, Simon Thanks, --Harb From: François Ozog <francois.ozog(a)linaro.org <mailto:francois.ozog@linaro.org> > Sent: Tuesday, March 23, 2021 10:00 AM To: François Ozog <francois.ozog(a)linaro.org <mailto:francois.ozog@linaro.org> >; Ron Minnich <rminnich(a)google.com <mailto:rminnich@google.com> >; Paul Isaac's <paul.isaacs(a)linaro.org <mailto:paul.isaacs@linaro.org> > Cc: Simon Glass <sjg(a)chromium.org <mailto:sjg@chromium.org> >; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com <mailto:abdulhamid@os.amperecomputing.com> >; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org <mailto:boot-architecture@lists.linaro.org> >; tf-a(a)lists.trustedfirmware.org <mailto:tf-a@lists.trustedfirmware.org> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages +Ron Minnich <mailto:rminnich@google.com> +Paul Isaac's <mailto:paul.isaacs@linaro.org> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts. On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org <mailto:tf-a@lists.trustedfirmware.org> > wrote: Hi, I propose we cover the topic at the next Trusted Substrate <https://collaborate.linaro.org/display/TS/Trusted+Substrate+Home> zoom call <https://linaro-org.zoom.us/j/94563644892> on April 8th 4pm CET. The agenda: ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions. runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing. For additional background on existing metadata: <https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.p…> UEFI Platform Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY. This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains. HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested). There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report <https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…> ) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2. I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls). Requirements (to be validated): - ACPI and DT hardware descriptions. - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2) - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot) - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages) - support secure world device assignment Cheers FF On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org <mailto:sjg@chromium.org> > wrote: Hi, Can I suggest using bloblist for this instead? It is lightweight, easier to parse, doesn't have GUIDs and is already used within U-Boot for passing info between SPL/U-Boot, etc. Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist Header file describes the format: https://github.com/u-boot/u-boot/blob/master/include/bloblist.h Full set of unit tests: https://github.com/u-boot/u-boot/blob/master/test/bloblist.c Regards, Simon On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org <mailto:francois.ozog@linaro.org> > wrote: > > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org <mailto:boot-architecture@lists.linaro.org> > > > standardization is very much welcomed here and need to accommodate a very > diverse set of situations. > For example, TEE OS may need to pass memory reservations to BL33 or > "capture" a device for the secure world. > > I have observed a number of architectures: > 1) pass information from BLx to BLy in the form of a specific object > 2) BLx called by BLy by a platform specific SMC to get information > 3) BLx called by BLy by a platform specific SMC to perform Device Tree > fixups > > I also imagined a standardized "broadcast" FF-A call so that any firmware > element can either provide information or "do something". > > My understanding of your proposal is about standardizing on architecture 1) > with the HOB format. > > The advantage of the HOB is simplicity but it may be difficult to implement > schemes such as pruning a DT because device assignment in the secure world. > > In any case, it looks feasible to have TF-A and OP-TEE complement the list > of HOBs to pass information downstream (the bootflow). > > It would be good to start with building the comprehensive list of > information that need to be conveyed between firmware elements: > > information. | authoritative entity | reporting entity | information > exchanged: > dram | TFA | TFA | > <format to be detailed, NUMA topology to build the SRAT table or DT > equivalent?> > PSCI | SCP | TFA? | > SCMI | SCP or TEE-OS | TFA? TEE-OS?| > secure SRAM | TFA. | TFA. | > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? | > other? | | > | > > Cheers > > FF > > > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A < > tf-a(a)lists.trustedfirmware.org <mailto:tf-a@lists.trustedfirmware.org> > wrote: > > > Hello Folks, > > > > > > > > I'm emailing to start an open discussion about the adoption of a concept > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware > > Framework Architecture (FFA). This is something that is a pretty major > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s > > designed to enable a broad range of highly configurable datacenter > > platforms. > > > > > > > > > > > > What is a HOB (Background)? > > > > --------------------------- > > > > UEFI PI spec describes a particular definition for how HOB may be used for > > transitioning between the PEI and DXE boot phases, which is a good > > reference point for this discussion, but not necessarily the exact solution > > appropriate for TF-A. > > > > > > > > A HOB is simply a dynamically generated data structure passed in between > > two boot phases. This is information that was obtained through discovery > > and needs to be passed forward to the next boot phase *once*, with no API > > needed to call back (e.g. no call back into previous firmware phase is > > needed to fetch this information at run-time - it is simply passed one time > > during boot). > > > > > > > > There may be one or more HOBs passed in between boot phases. If there are > > more than one HOB that needs to be passed, this can be in a form of a "HOB > > table", which (for example) could be a UUID indexed array of pointers to > > HOB structures, used to locate a HOB of interest (based on UUID). In such > > cases, instead of passing a single HOB, the boot phases may rely on passing > > the pointer to the HOB table. > > > > > > > > This has been extremely useful concept to employ on highly configurable > > systems that must rely on flexible discovery mechanisms to initialize and > > boot the system. This is especially helpful when you have multiple > > > > > > > > > > > > Why do we need HOBs in TF-A?: > > > > ----------------------------- > > > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in > > a way that is SoC specific *but* platform agnostic. This means that a > > single ARM SoC that a SiP may deliver to customers may provide a single > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad > > range of platform designs and configurations in order to boot a platform > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to > > achieve this, the platform configuration must be *discovered* instead of > > statically compiled as it is today in TF-A via device tree based > > enumeration. The mechanisms of discovery may differ broadly depending on > > the relevant industry standard, or in some cases may have rely on SiP > > specific discovery flows. > > > > > > > > For example: On server systems that support a broad range DIMM memory > > population/topologies, all the necessary information required to boot is > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an > > I2C bus. Leveraging the SPD bus, may platform variants could be supported > > with a single TF-A binary. Not only is this information required to > > initialize memory in early boot phases (e.g. BL2), the subsequent boot > > phases will also need this SPD info to construct a system physical address > > map and properly initialize the MMU based on the memory present, and where > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may > > need to generate standard firmware tables to the operating systems, such as > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT, > > SRAT, even NFIT if NVDIMM's are present). > > > > > > > > In short, it all starts with a standardized or vendor specific discovery > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of > > information to the next boot stages (e.g. BL31/BL32/BL33). > > > > > > > > Today, every HOB may be a vendor specific structure, but in the future > > there may be benefit of defining standard HOBs. This may be useful for > > memory discovery, passing the system physical address map, enabling TPM > > measured boot, and potentially many other common HOB use-cases. > > > > > > > > It would be extremely beneficial to the datacenter market segment if the > > TF-A community would adopt this concept of information passing between all > > boot phases as opposed to rely solely on device tree enumeration. This is > > not intended to replace device tree, rather intended as an alternative way > > to describe the info that must be discovered and dynamically generated. > > > > > > > > > > > > Conclusion: > > > > ----------- > > > > We are proposing that the TF-A community begin pursuing the adoption of > > HOBs as a mechanism used for information exchange between each boot stage > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we > > want to explore standardizing some HOB structures for the BL33 phase (e.g. > > UEFI HOB structures), but initially would like to agree on this being a > > useful mechanism used to pass information between each boot stage. > > > > > > > > Thanks, > > > > --Harb > > > > > > > > > > > > > > -- > > TF-A mailing list > > TF-A(a)lists.trustedfirmware.org <mailto:TF-A@lists.trustedfirmware.org> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a > > > > > -- > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* > T: +33.67221.6485 > francois.ozog(a)linaro.org <mailto:francois.ozog@linaro.org> | Skype: ffozog > _______________________________________________ > boot-architecture mailing list > boot-architecture(a)lists.linaro.org <mailto:boot-architecture@lists.linaro.org> > https://lists.linaro.org/mailman/listinfo/boot-architecture -- <https://drive.google.com/a/linaro.org/uc?id=0BxTAygkus3RgQVhuNHMwUi1mYWc&ex…> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group T: +33.67221.6485 <mailto:francois.ozog@linaro.org> francois.ozog(a)linaro.org | Skype: ffozog -- TF-A mailing list TF-A(a)lists.trustedfirmware.org <mailto:TF-A@lists.trustedfirmware.org> https://lists.trustedfirmware.org/mailman/listinfo/tf-a -- <https://drive.google.com/a/linaro.org/uc?id=0BxTAygkus3RgQVhuNHMwUi1mYWc&ex…> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group T: +33.67221.6485 <mailto:francois.ozog@linaro.org> francois.ozog(a)linaro.org | Skype: ffozog -- TF-A mailing list TF-A(a)lists.trustedfirmware.org <mailto:TF-A@lists.trustedfirmware.org> https://lists.trustedfirmware.org/mailman/listinfo/tf-a

4 years, 3 months

4
5
0 0

Glitching protection

by François Ozog

Hi Trusted Firmware M recently introduced protection against glitching at key decision points: https://github.com/mcu-tools/mcuboot/pull/776 To me this is a key mitigation element for companies that target PSA level 3 compliance which means hardware attacks resilience. I believe similar techniques need to be used in different projects involved in Linux secure booting (TF-A, OP-TEE, U-Boot, Linux kernel). Are there any efforts planned around this ? Is it feasible to have a "library" that could be integrated in different projects? Cheers FF

4 years, 3 months

4
8
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

boot-architecture