OP-TEE is an open source trusted OS, in armv7, its loading and
running are like this:
loading:
- SPL load both OP-TEE and U-Boot
running:
- SPL run into OP-TEE in secure mode;
- OP-TEE run into U-Boot in non-secure mode;
To make code simple, it would be fine to use IH_OS_TEE for the
os tyle in TPL(just like IH_OS_LINUX is using both in SPL and U-Boot).
Here is the diagram for SPL loading OP-TEE,
IH_OS_TEE:(make u-boot.itb for SPL)
Non-Secure Secure
BootROM
|
v
SPL
|
v
--------- OP-TEE
|
v
U-Boot
|
V
Linux
For other two king of OP-TEE loading/booting, see commit message:
45b55712d4 image: Add IH_OS_TEE for TEE chain-load boot
More detail:
https://github.com/OP-TEE/optee_os
and search for 'boot arguments' for detail entry parameter in:
core/arch/arm/kernel/generic_entry_a32.S
Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
The SPL loaders assume that the CONFIG_SYS_TEXT_BASE memory location
is available and can be corrupted by loading ie. uImage or fitImage
headers there. Sometimes it could be beneficial to load the headers
elsewhere, ie. if CONFIG_SYS_TEXT_BASE is not yet writable while we
still want to parse the image headers in some local onchip memory to
ie. extract firmware from that image.
Add the possibility to override the location where the headers get
loaded by introducing new function, spl_get_load_buffer() which takes
two arguments -- offset from the CONFIG_SYS_TEXT_BASE and size of the
data that are to be loaded there -- and returns a valid buffer address
or hangs the system. The default behavior is the same as before, add
the offset to CONFIG_SYS_TEXT_BASE and return that address. User can
override the weak spl_get_load_buffer() function though.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
spl_common_init() debug-prints "spl_early_init()\n" but it is
called both from spl_early_init() and spl_init().
Fix this by moving the debug() statement to the calling functions
which now print their name.
Signed-off-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
At present each entry has an offset within its parent section. This is
useful for figuring out how entries relate to one another. However it
is sometimes necessary to locate an entry within an image, regardless
of which sections it is nested inside.
Add a new 'image-pos' property to provide this information. Also add
some documentation for the -u option binman provides, which updates the
device tree with final entry information.
Since the image position is a better symbol to use for the position of
U-Boot as obtained by SPL, update the SPL symbols to use this instead of
offset, which might be incorrect if hierarchical sections are used.
Signed-off-by: Simon Glass <sjg@chromium.org>
After some thought, I believe there is an unfortunate naming flaw in
binman. Entries have a position and size, but now that we support
hierarchical sections it is unclear whether a position should be an
absolute position within the image, or a relative position within its
parent section.
At present 'position' actually means the relative position. This indicates
a need for an 'image position' for code that wants to find the location of
an entry without having to do calculations back through parents to
discover this image position.
A better name for the current 'position' or 'pos' is 'offset'. It is not
always an absolute position, but it is always an offset from its parent
offset.
It is unfortunate to rename this concept now, 18 months after binman was
introduced. However I believe it is the right thing to do. The impact is
mostly limited to binman itself and a few changes to in-tree users to
binman:
tegra
sunxi
x86
The change makes old binman definitions (e.g. downstream or out-of-tree)
incompatible if they use the 'pos = <...>' property. Later work will
adjust binman to generate an error when it is used.
Signed-off-by: Simon Glass <sjg@chromium.org>
On some boards, we want to give the board/architecture-specific code a
chance to look at where the next image has been loaded from and
perform fixups before starting the next image. This is of particular
importance, when we probe multiple devices for bootable payloads and
boot the first one found.
This change adds the following:
- we record the boot_device used into the spl_image structure
- we provide an extension-point for boards/architectures that can
perform late fixups depending on a fully populated spl_image
structure (i.e. we'll know the final boot_device and have info
on the image type and operating system to be booted).
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Tested-by: Klaus Goger <klaus.goger@theobroma-systems.com>
Add support for loading U-Boot and optionally FDT from a fitImage
in SPL by using the full fitImage support from U-Boot. While we do
have limited SPL loading support in SPL with a small footprint, it
is missing a lot of important features, like checking signatures.
This support has all the fitImage features, while the footprint is
obviously larger.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
This patch adds support for incrementation of the bootcount in SPL.
Such feature is necessary when we do want to use this feature with
'falcon' boot mode (which loads OS directly in SPL).
Signed-off-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
If CONFIG_SPL_SERIAL_SUPPORT is disabled then the build fails because
serial_init is undefined. Guard preloader_console_init() appropriately
to fix this.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
A previous commit introduced the use of binman in the SPL.
After the binman_sym call over the 'pos' symbol, the output value is
checked against BINMAN_SYM_MISSING (-1UL). According to the
documentation (tools/binman/README), when it comes to the 'pos'
attribute:
pos:
This sets the position of an entry within the image. The first
byte of the image is normally at position 0. If 'pos' is not
provided, binman sets it to the end of the previous region, or
the start of the image's entry area (normally 0) if there is no
previous region.
So instead of checking if the return value is BINMAN_SYM_MISSING, we
should also check if the value is not null.
The failure happens when using both the SPL file and the U-Boot file
independently instead of the concatenated file (SPL + padding + U-Boot).
This is because the U-Boot binary file alone does not have the U-Boot
header while it is present in the concatenation file. Not having the
header forces the SPL to discover where it should load U-Boot. The
binman_sym call is supposed to do that but fails. Because of the wrong
check, the destination address was set to 0 while it should have been
somewhere in RAM. This, obviously, stalls the board.
Fixes: 8bee2d251a ("binman: Add binman symbol support to SPL")
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com>
Include the timezone in the SPL banner so the timestamp matches with
that from u-boot proper.
Signed-off-by: Klaus Goger <klaus.goger@theobroma-systems.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Selecting this option will reduce SPL boot time by approx. 6 ms
(e. g. with 70 bytes long banner string at 115200 baud).
Signed-off-by: Anatolij Gustschin <agust@denx.de>
Tested-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
SPL and TPL may not always need spl_board_init() at the same time.
Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Allow SPL to access binman symbols and use this to get the address of
U-Boot. This falls back to CONFIG_SYS_TEXT_BASE if the binman symbol
is not available.
Signed-off-by: Simon Glass <sjg@chromium.org>
This adds a new interface spl_invoke_atf() that takes a spl_image_info
argument and then derives the necessary parameters for the ATF entry.
Based on the additional information recorded (into /fit-images) from
the FIT loadables, we can now easily locate the next boot stage.
We now pass a pointer to a FDT as the platform-specific parameter
pointer to ATF (so we don't run into the future headache of every
board/platform defining their own proprietary tag-structure), as
FDT access is already available in ATF.
With the necessary infrastructure in place, we can now update the
support for the ARM Trusted Firmware to dispatch into the
spl_invoke_atf function only if a IH_OS_ARM_TRUSTED_FIRMWARE image is
loaded.
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The maximum length of the name of the image is
obviously not sizeof(), which is just the
length of a pointer, but IH_NMLEN.
fixes: 62cf11c092
("SPL: Limit image name print length")
Signed-off-by: André Draszik <adraszik@tycoint.com>
Acked-by: Simon Glass <sjg@chromium.org>
Commit 15eb1d43bf ("spl: reorder the assignment of board info to
global data") intended to move assignment of board info earlier,
into board_init_r(). However, function preload_console_init() is
called either from spl_board_init() or from board_init_f(). For the
latter case, the board info assignment is much earlier than proposed
board_init_r(). Create a new function to fill gd->bd and call this
function when needed.
Signed-off-by: York Sun <york.sun@nxp.com>
CC: Lokesh Vutla <lokeshvutla@ti.com>
CC: Ravi Babu <ravibabu@ti.com>
CC: Lukasz Majewski <lukma@denx.de>
CC: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Since we may jump to next stage like ATF/OP-TEE instead of U-Boot,
we need to stash the bootstage info before it.
Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
With debug enabled, SPL output following these debug prints is on the
same line and it is hard to read. Fix it.
Signed-off-by: Anatolij Gustschin <agust@denx.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
The GPT timer was already initialised in board_init_f() as
it is needed in dram init. Do not repeat timer init in
board_init_r().
Signed-off-by: Anatolij Gustschin <agust@denx.de>
Acked-by: Stefano Babic <sbabic@denx.de>
Even though there's now a TPL_DM configuration option, the spl logic
still checks for SPL_DM and thus does not pick up the proper config
option.
This introduces the use of CONFIG_IS_ENABLED(DM) in spl.c to always
pick up the desired configuration option instead of having a
hard-coded check for the SPL variant.
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
The (upstream) changes to break up SYS_MALLOC_F_LEN for the full
U-Boot and the SPL stage, break TPL (if simple malloc is enabled in
TPL).
This adds support for a TPL-variant of SYS_MALLOC_F_LEN:
- adds TPL_SYS_MALLOC_F_LEN
- rewrites a test for CONFIG_SPL_SYS_MALLOC_F_LEN to access
CONFIG_VAL(SYS_MALLOC_F_LEN)
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Some platforms have very limited SRAM to run SPL code, so there may
not be the same amount space for a malloc pool before relocation in
the SPL stage as the normal U-Boot stage.
Make SPL and (the full) U-Boot stage use independent SYS_MALLOC_F_LEN,
so the size of pre-relocation malloc pool can be configured memory
space independently.
Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Acked-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
[fixed up commit-message:]
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
On ARM v7M, the processor will return to ARM mode when executing blx
instruction with bit 0 of the address == 0. Always set it to 1 to stay in thumb
mode.
At present, it is applied only for raw U-Boot. This patch moves it to just
before booting next image. This way armv7m will be in thumb mode for any image
like raw or image with header like zImage or standard U-Boot.
Signed-off-by: Vikas Manocha <vikas.manocha@st.com>
At present bootstage only supports U-Boot proper. But SPL can also consume
boot time so it is useful to have the record start there.
Add bootstage support to SPL. Also support stashing the timing information
when SPL finishes so that it can be picked up and reported by U-Boot
proper. This provides a full boot time record, excluding only the time
taken by the boot ROM.
Signed-off-by: Simon Glass <sjg@chromium.org>
ATF(ARM Trusted Firmware) is used by ARM arch64 SoCs, find more infomation
about ATF at: https://github.com/ARM-software/arm-trusted-firmware
SPL is considered as BL2 in ATF terminology, it needs to load other parts
of ATF binary like BL31, BL32, SCP-BL30, and BL33(U-Boot). And needs to
prepare the parameter for BL31 which including entry and image information
for all other images. Then the SPL handle PC to BL31 with the parameter,
the BL31 will do the rest of work and at last get into U-Boot(BL33).
This patch needs work with patches from Andre for SPL support multi
binary in FIT.
The entry point of bl31 and bl33 are still using hard code because we
still can not get them from the FIT image information.
Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Acked-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
In single stage bootmode or falcon boot mode, the SPL shall update the
device tree that we load with the normal fixups done via
arch_fixup_fdt(), when possible (ie we have enough information in this
restricted environment to be able to do that still). This will include
for example updating them memory nodes.
Signed-off-by: Ravi Babu <ravibabu@ti.com>
[trini: Reword commit message]
Move the assignment of board info to global data a bit early which is
safe,
so that ram details can be used to enable caches.
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Signed-off-by: Ravi Babu <ravibabu@ti.com>
Reviewed-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
At present fdt blob or argument address being passed to kernel is fixed at
compile time using macro CONFIG_SYS_SPL_ARGS_ADDR. FDT blob from
different media like nand, nor flash are copied to the address pointed
by the macro.
The problem is, it makes args/fdt blob compulsory to copy which is not required
in cases like for NOR Flash. This patch removes this limitation.
Signed-off-by: Vikas Manocha <vikas.manocha@st.com>
On ARM v7M, the processor will return to ARM mode when executing blx
instruction with bit 0 of the address == 0. Always set it to 1 to stay
in thumb mode.
Similar commit:
f99993c108
Author: Matt Porter <mporter@konsulko.com>
Date: Tue May 5 15:00:23 2015 -0400
common/cmd_boot: keep ARM v7M in thumb mode during do_go_exec()
Signed-off-by: Vikas Manocha <vikas.manocha@st.com>
Calls to IS_ENABLED() on a non-y/n option will always be false, even
when set. We can correct this by adding a new bool value that is set
based on the conditions required for SPL_STACK_R_MALLOC_SIMPLE_LEN to be
set instead.
Fixes: 340f418acd ("spl: Add spl_early_init()")
Reported-by: Lokesh Vutla <lokeshvutla@ti.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
---
Changes in v2:
- Fix thinko pointed out by Lokesh
Add a Kconfig option that enables Legacy image support, this allows
boards to explicitly disable this, for instance when needed for
security reasons.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
[trini: Move to common/spl/Kconfig]
Signed-off-by: Tom Rini <trini@konsulko.com>
CONFIG_SPL_ABORT_ON_RAW_IMAGE causes SPL to abort and move on when it
encounters RAW images, express this same functionality as a positive
option enabling support for RAW images: CONFIG_SPL_RAW_IMAGE_SUPPORT
Also move uses of this to defconfigs.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
[trini: Rework Kconfig logic a little, move to common/spl/Kconfig]
Signed-off-by: Tom Rini <trini@konsulko.com>
At present malloc_base/_limit/_ptr are not initialised in spl_init() when
we call spl_init() in board_init_f(). This is due to a recent change aimed
at avoiding overwriting the malloc area set up on some boards by
spl_relocate_stack_gd().
However if CONFIG_SPL_STACK_R_MALLOC_SIMPLE_LEN is not defined, we now
skip setting up the memory area in spl_init() which is obviously wrong.
To fix this, add a new function spl_early_init() which can be called in
board_init_f().
Fixes: b3d2861e (spl: Remove overwrite of relocated malloc limit)
Signed-off-by: Eddie Cai <eddie.cai.linux@gmail.com>
Rewrote spl_{,early_}init() to avoid duplicate code:
Rewrite/expand commit message:
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Eddie Cai <eddie.cai.linux@gmail.com>
This reverts commit 8c36e99f21.
There is misunderstanding in commit 8c36e99f21 ("armv8: release
slave cores from CPU_RELEASE_ADDR"). How to bring the slave cores
into U-Boot proper is platform-specific. So, it should be cared
in SoC/board files instead of common/spl/spl.c. As you see SPL
is the acronym of Secondary Program Loader, there is generally
something that runs before SPL (the First one is usually Boot ROM).
How to wake up slave cores from the Boot ROM is really SoC specific.
So, the intention for the spin table support is to bring the slave
cores into U-Boot proper in an SoC specific manner. (this must be
done after relocation. see below.)
If you bring the slaves into SPL, it is SoC own code responsibility
to transfer them to U-Boot proper. The Spin Table defines the
interface between a boot-loader and Linux kernel. It is unrelated
to the interface between SPL and U-Boot proper.
One more thing is missing in the commit; spl_image->entry_point
points to the entry address of U-Boot *before* relocation. U-Boot
relocates itself between board_init_f() and board_init_r(). This
means the master CPU sees the different copy of the spin code than
the slave CPUs enter. The spin_table_update_dt() protects the code
*after* relocation. As a result, the slave CPUs spin in unprotected
code, which leads to unstable behavior.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
spl_init on some boards is called after stack and heap relocation, on
some platforms spl_relocate_stack_gd is called to handle setting the
limit to its value CONFIG_SPL_STACK_R_MALLOC_SIMPLE_LEN when simple
SPL malloc is enabled during relocation. spl_init should then not
re-assign the old pre-relocation limit when this is defined.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
When using ARMv8 with ARMV8_SPIN_TABLE=y, we want the slave cores to
wait on spin_table_cpu_release_addr, until the Linux kernel will "wake" them
by writing to that location. The address of spin_table_cpu_release_addr is
transferred to the kernel using the device tree that is updated by
spin_table_update_dt().
However, if we also use SPL, then the slave cores are stuck at
CPU_RELEASE_ADDR instead and as a result, never wake up.
This patch releases the slave cores by writing spl_image->entry_point to
CPU_RELEASE_ADDR location before the end of the SPL code
(at jump_to_image_no_args()).
That way, the slave cores will start to execute the u-boot and will get to
the spin-table code and wait on the correct address
(spin_table_cpu_release_addr).
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add a new top-level config option so support booting an image stored
in RAM. This allows to move the RAM boot support into a sparate file
and having a single condition to compile that file.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
There is no CONFIG_OF_PLATDATA, only CONFIG_SPL_OF_PLATDATA, so rename
the two references to CONFIG_OF_PLATDATA to CONFIG_SPL_OF_PLATDATA.
Signed-off-by: Tom Rini <trini@konsulko.com>
Since entry_point and load_addr are addresses, they should be
represented as longs to cover the whole address space and to avoid
warning when compiling the SPL in 64-bit.
Also adjust debug prints to add the 'l' specifier, where needed.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Reviewed-by: Jagan Teki <jagan@openedev.com>
Create a boot_from_devices() function to handle trying each device. This
helps to reduce the size of the already-large board_init_r() function.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is useful to name each method so that we can print out this name when
using the method. Currently this happens using a separate function. In
preparation for unifying this, add a name to each method.
The name is only available if we have libcommon support (i.e can use
printf()).
Signed-off-by: Simon Glass <sjg@chromium.org>
When CONFIG_SPL_STACK_R is enabled, and spl_init() is called before
board_init_r(), spl_relocate_stack_gd() will move global_data to a new
place in memory. This affects driver model since it uses a list for the
uclasses. Unless this is updated the list will become invalid. When
looking for a non-existent uclass, such as when adding a new one, the loop
in uclass_find() may continue forever, thus causing a hang.
Add a function to correct this rather obscure bug.
Signed-off-by: Simon Glass <sjg@chromium.org>
Some devices (e.g. dra7xx) support loading to RAM using DFU without
having direct boot from RAM support. Make sure the linker list
does not contain BOOT_DEVICE_RAM if CONFIG_SPL_RAM_DEVICE is not
enabled.
Fixes: 98136b2f26 ("spl: Convert spl_ram_load_image() to use linker list")
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Lukasz Majewski <l.majewski@samsung.com>
There is no need for this to be in the BSS region. By moving it we can delay
use of BSS in SPL. This is useful for machines where the BSS region is not
in writeable space. On 64-bit x86, SPL runs from SPI flash and it is easier
to eliminate BSS use than link SPL to run with BSS at a particular
cache-as-RAM (CAR) address.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>