blob: 1c642977812a0ad7aa8c33db496b59eda6381dab [file] [log] [blame]
Joel Hutton9e605632019-02-25 15:18:56 +00001Trusted Firmware images
2-----------------------
3
4This page contains the current name, abbreviated name and purpose of the various
5images referred to in the Trusted Firmware project.
6
7Some general notes:
8
9- Some of the names and abbreviated names have changed to accomodate new
10 requirements. The changed names are as backward compatible as possible to
11 minimize confusion. Where applicable, the previous names are indicated. Some
12 code, documentation and build artefacts may still refer to the previous names;
13 these will inevitably take time to catch up.
14
15- The main name change is to prefix each image with the processor it corresponds
16 to (for example ``AP_``, ``SCP_``, ...). In situations where there is no
17 ambiguity (for example, within AP specific code/documentation), it is
18 permitted to omit the processor prefix (for example, just BL1 instead of
19 ``AP_BL1``).
20
21- Previously, the format for 3rd level images had 2 forms; ``BL3`` was either
22 suffixed with a dash ("-") followed by a number (for example, ``BL3-1``) or a
23 subscript number, depending on whether rich text formatting was available.
24 This was confusing and often the dash gets omitted in practice. Therefore the
25 new form is to just omit the dash and not use subscript formatting.
26
27- The names no longer contain dash ("-") characters at all. In some places (for
28 example, function names) it's not possible to use this character. All dashes
29 are either removed or replaced by underscores ("_").
30
31- The abbreviation BL stands for BootLoader. This is a historical anomaly.
32 Clearly, many of these images are not BootLoaders, they are simply firmware
33 images. However, the BL abbreviation is now widely used and is retained for
34 backwards compatibility.
35
36- The image names are not case sensitive. For example, ``bl1`` is
37 interchangeable with ``BL1``, although mixed case should be avoided.
38
39AP Boot ROM: ``AP_BL1``
40~~~~~~~~~~~~~~~~~~~~~~~
41
42Typically, this is the first code to execute on the AP and cannot be modified.
43Its primary purpose is to perform the minimum intialization necessary to load
44and authenticate an updateable AP firmware image into an executable RAM
45location, then hand-off control to that image.
46
47AP RAM Firmware: ``AP_BL2``
48~~~~~~~~~~~~~~~~~~~~~~~~~~~
49
50This is the 2nd stage AP firmware. It is currently also known as the "Trusted
51Boot Firmware". Its primary purpose is to perform any additional initialization
52required to load and authenticate all 3rd level firmware images into their
53executable RAM locations, then hand-off control to the EL3 Runtime Firmware.
54
55EL3 Runtime Firmware: ``AP_BL31``
56~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
57
58Also known as "SoC AP firmware" or "EL3 monitor firmware". Its primary purpose
59is to handle transitions between the normal and secure world.
60
61Secure-EL1 Payload (SP): ``AP_BL32``
62~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
63
64Typically this is a TEE or Trusted OS, providing runtime secure services to the
65normal world. However, it may refer to a more abstract Secure-EL1 Payload (SP).
66Note that this abbreviation should only be used in systems where there is a
67single or primary image executing at Secure-EL1. In systems where there are
68potentially multiple SPs and there is no concept of a primary SP, this
69abbreviation should be avoided; use the recommended **Other AP 3rd level
70images** abbreviation instead.
71
72AP Normal World Firmware: ``AP_BL33``
73~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
74
75For example, UEFI or uboot. Its primary purpose is to boot a normal world OS.
76
77Other AP 3rd level images: ``AP_BL3_XXX``
78~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
79
80The abbreviated names of the existing 3rd level images imply a load/execution
81ordering (for example, ``AP_BL31 -> AP_BL32 -> AP_BL33``). Some systems may
82have additional images and/or a different load/execution ordering. The
83abbreviated names of the existing images are retained for backward compatibility
84but new 3rd level images should be suffixed with an underscore followed by text
85identifier, not a number.
86
87In systems where 3rd level images are provided by different vendors, the
88abbreviated name should identify the vendor as well as the image
89function. For example, ``AP_BL3_ARM_RAS``.
90
91SCP Boot ROM: ``SCP_BL1`` (previously ``BL0``)
92~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
93
94Typically, this is the first code to execute on the SCP and cannot be modified.
95Its primary purpose is to perform the minimum intialization necessary to load
96and authenticate an updateable SCP firmware image into an executable RAM
97location, then hand-off control to that image. This may be performed in
98conjunction with other processor firmware (for example, ``AP_BL1`` and
99``AP_BL2``).
100
101This image was previously abbreviated as ``BL0`` but in some systems, the SCP
102may directly load/authenticate its own firmware. In these systems, it doesn't
103make sense to interleave the image terminology for AP and SCP; both AP and SCP
104Boot ROMs are ``BL1`` from their own point of view.
105
106SCP RAM Firmware: ``SCP_BL2`` (previously ``BL3-0``)
107~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
108
109This is the 2nd stage SCP firmware. It is currently also known as the "SCP
110runtime firmware" but it could potentially be an intermediate firmware if the
111SCP needs to load/authenticate multiple 3rd level images in future.
112
113This image was previously abbreviated as BL3-0 but from the SCP's point of view,
114this has always been the 2nd stage firmware. The previous name is too
115AP-centric.
116
117Firmware update images
118----------------------
119
120The terminology for these images has not been widely adopted yet but they have
121to be considered in a production Trusted Board Boot solution.
122
123AP Firmware Update Boot ROM: ``AP_NS_BL1U``
124~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
125
126Typically, this is the first normal world code to execute on the AP during a
127firmware update operation, and cannot be modified. Its primary purpose is to
128load subequent firmware update images from an external interface and communicate
129with ``AP_BL1`` to authenticate those images.
130
131During firmware update, there are (potentially) multiple transitions between the
132secure and normal world. The "level" of the BL image is relative to the world
133it's in so it makes sense to encode "NS" in the normal world images. The absence
134of "NS" implies a secure world image.
135
136AP Firmware Update Config: ``AP_BL2U``
137~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
138
139This image does the minimum necessary AP secure world configuration required to
140complete the firmware update operation. It is potentially a subset of ``AP_BL2``
141functionality.
142
143SCP Firmware Update Config: ``SCP_BL2U`` (previously ``BL2-U0``)
144~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
145
146This image does the minimum necessary SCP secure world configuration required to
147complete the firmware update operation. It is potentially a subset of
148``SCP_BL2`` functionality.
149
150AP Firmware Updater: ``AP_NS_BL2U`` (previously ``BL3-U``)
151~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
152
153This is the 2nd stage AP normal world firmware updater. Its primary purpose is
154to load a new set of firmware images from an external interface and write them
155into non-volatile storage.
156
157Other processor firmware images
158-------------------------------
159
160Some systems may have additional processors to the AP and SCP. For example, a
161Management Control Processor (MCP). Images for these processors should follow
162the same terminology, with the processor abbreviation prefix, followed by
163underscore and the level of the firmware image.
164
165For example,
166
167MCP Boot ROM: ``MCP_BL1``
168~~~~~~~~~~~~~~~~~~~~~~~~~
169
170MCP RAM Firmware: ``MCP_BL2``
171~~~~~~~~~~~~~~~~~~~~~~~~~~~~~