Joel Hutton | 9e60563 | 2019-02-25 15:18:56 +0000 | [diff] [blame^] | 1 | Trusted Firmware images |
| 2 | ----------------------- |
| 3 | |
| 4 | This page contains the current name, abbreviated name and purpose of the various |
| 5 | images referred to in the Trusted Firmware project. |
| 6 | |
| 7 | Some general notes: |
| 8 | |
| 9 | - Some of the names and abbreviated names have changed to accomodate new |
| 10 | requirements. The changed names are as backward compatible as possible to |
| 11 | minimize confusion. Where applicable, the previous names are indicated. Some |
| 12 | code, documentation and build artefacts may still refer to the previous names; |
| 13 | these will inevitably take time to catch up. |
| 14 | |
| 15 | - The main name change is to prefix each image with the processor it corresponds |
| 16 | to (for example ``AP_``, ``SCP_``, ...). In situations where there is no |
| 17 | ambiguity (for example, within AP specific code/documentation), it is |
| 18 | permitted to omit the processor prefix (for example, just BL1 instead of |
| 19 | ``AP_BL1``). |
| 20 | |
| 21 | - Previously, the format for 3rd level images had 2 forms; ``BL3`` was either |
| 22 | suffixed with a dash ("-") followed by a number (for example, ``BL3-1``) or a |
| 23 | subscript number, depending on whether rich text formatting was available. |
| 24 | This was confusing and often the dash gets omitted in practice. Therefore the |
| 25 | new form is to just omit the dash and not use subscript formatting. |
| 26 | |
| 27 | - The names no longer contain dash ("-") characters at all. In some places (for |
| 28 | example, function names) it's not possible to use this character. All dashes |
| 29 | are either removed or replaced by underscores ("_"). |
| 30 | |
| 31 | - The abbreviation BL stands for BootLoader. This is a historical anomaly. |
| 32 | Clearly, many of these images are not BootLoaders, they are simply firmware |
| 33 | images. However, the BL abbreviation is now widely used and is retained for |
| 34 | backwards compatibility. |
| 35 | |
| 36 | - The image names are not case sensitive. For example, ``bl1`` is |
| 37 | interchangeable with ``BL1``, although mixed case should be avoided. |
| 38 | |
| 39 | AP Boot ROM: ``AP_BL1`` |
| 40 | ~~~~~~~~~~~~~~~~~~~~~~~ |
| 41 | |
| 42 | Typically, this is the first code to execute on the AP and cannot be modified. |
| 43 | Its primary purpose is to perform the minimum intialization necessary to load |
| 44 | and authenticate an updateable AP firmware image into an executable RAM |
| 45 | location, then hand-off control to that image. |
| 46 | |
| 47 | AP RAM Firmware: ``AP_BL2`` |
| 48 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 49 | |
| 50 | This is the 2nd stage AP firmware. It is currently also known as the "Trusted |
| 51 | Boot Firmware". Its primary purpose is to perform any additional initialization |
| 52 | required to load and authenticate all 3rd level firmware images into their |
| 53 | executable RAM locations, then hand-off control to the EL3 Runtime Firmware. |
| 54 | |
| 55 | EL3 Runtime Firmware: ``AP_BL31`` |
| 56 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 57 | |
| 58 | Also known as "SoC AP firmware" or "EL3 monitor firmware". Its primary purpose |
| 59 | is to handle transitions between the normal and secure world. |
| 60 | |
| 61 | Secure-EL1 Payload (SP): ``AP_BL32`` |
| 62 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 63 | |
| 64 | Typically this is a TEE or Trusted OS, providing runtime secure services to the |
| 65 | normal world. However, it may refer to a more abstract Secure-EL1 Payload (SP). |
| 66 | Note that this abbreviation should only be used in systems where there is a |
| 67 | single or primary image executing at Secure-EL1. In systems where there are |
| 68 | potentially multiple SPs and there is no concept of a primary SP, this |
| 69 | abbreviation should be avoided; use the recommended **Other AP 3rd level |
| 70 | images** abbreviation instead. |
| 71 | |
| 72 | AP Normal World Firmware: ``AP_BL33`` |
| 73 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 74 | |
| 75 | For example, UEFI or uboot. Its primary purpose is to boot a normal world OS. |
| 76 | |
| 77 | Other AP 3rd level images: ``AP_BL3_XXX`` |
| 78 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 79 | |
| 80 | The abbreviated names of the existing 3rd level images imply a load/execution |
| 81 | ordering (for example, ``AP_BL31 -> AP_BL32 -> AP_BL33``). Some systems may |
| 82 | have additional images and/or a different load/execution ordering. The |
| 83 | abbreviated names of the existing images are retained for backward compatibility |
| 84 | but new 3rd level images should be suffixed with an underscore followed by text |
| 85 | identifier, not a number. |
| 86 | |
| 87 | In systems where 3rd level images are provided by different vendors, the |
| 88 | abbreviated name should identify the vendor as well as the image |
| 89 | function. For example, ``AP_BL3_ARM_RAS``. |
| 90 | |
| 91 | SCP Boot ROM: ``SCP_BL1`` (previously ``BL0``) |
| 92 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 93 | |
| 94 | Typically, this is the first code to execute on the SCP and cannot be modified. |
| 95 | Its primary purpose is to perform the minimum intialization necessary to load |
| 96 | and authenticate an updateable SCP firmware image into an executable RAM |
| 97 | location, then hand-off control to that image. This may be performed in |
| 98 | conjunction with other processor firmware (for example, ``AP_BL1`` and |
| 99 | ``AP_BL2``). |
| 100 | |
| 101 | This image was previously abbreviated as ``BL0`` but in some systems, the SCP |
| 102 | may directly load/authenticate its own firmware. In these systems, it doesn't |
| 103 | make sense to interleave the image terminology for AP and SCP; both AP and SCP |
| 104 | Boot ROMs are ``BL1`` from their own point of view. |
| 105 | |
| 106 | SCP RAM Firmware: ``SCP_BL2`` (previously ``BL3-0``) |
| 107 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 108 | |
| 109 | This is the 2nd stage SCP firmware. It is currently also known as the "SCP |
| 110 | runtime firmware" but it could potentially be an intermediate firmware if the |
| 111 | SCP needs to load/authenticate multiple 3rd level images in future. |
| 112 | |
| 113 | This image was previously abbreviated as BL3-0 but from the SCP's point of view, |
| 114 | this has always been the 2nd stage firmware. The previous name is too |
| 115 | AP-centric. |
| 116 | |
| 117 | Firmware update images |
| 118 | ---------------------- |
| 119 | |
| 120 | The terminology for these images has not been widely adopted yet but they have |
| 121 | to be considered in a production Trusted Board Boot solution. |
| 122 | |
| 123 | AP Firmware Update Boot ROM: ``AP_NS_BL1U`` |
| 124 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 125 | |
| 126 | Typically, this is the first normal world code to execute on the AP during a |
| 127 | firmware update operation, and cannot be modified. Its primary purpose is to |
| 128 | load subequent firmware update images from an external interface and communicate |
| 129 | with ``AP_BL1`` to authenticate those images. |
| 130 | |
| 131 | During firmware update, there are (potentially) multiple transitions between the |
| 132 | secure and normal world. The "level" of the BL image is relative to the world |
| 133 | it's in so it makes sense to encode "NS" in the normal world images. The absence |
| 134 | of "NS" implies a secure world image. |
| 135 | |
| 136 | AP Firmware Update Config: ``AP_BL2U`` |
| 137 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 138 | |
| 139 | This image does the minimum necessary AP secure world configuration required to |
| 140 | complete the firmware update operation. It is potentially a subset of ``AP_BL2`` |
| 141 | functionality. |
| 142 | |
| 143 | SCP Firmware Update Config: ``SCP_BL2U`` (previously ``BL2-U0``) |
| 144 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 145 | |
| 146 | This image does the minimum necessary SCP secure world configuration required to |
| 147 | complete the firmware update operation. It is potentially a subset of |
| 148 | ``SCP_BL2`` functionality. |
| 149 | |
| 150 | AP Firmware Updater: ``AP_NS_BL2U`` (previously ``BL3-U``) |
| 151 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 152 | |
| 153 | This is the 2nd stage AP normal world firmware updater. Its primary purpose is |
| 154 | to load a new set of firmware images from an external interface and write them |
| 155 | into non-volatile storage. |
| 156 | |
| 157 | Other processor firmware images |
| 158 | ------------------------------- |
| 159 | |
| 160 | Some systems may have additional processors to the AP and SCP. For example, a |
| 161 | Management Control Processor (MCP). Images for these processors should follow |
| 162 | the same terminology, with the processor abbreviation prefix, followed by |
| 163 | underscore and the level of the firmware image. |
| 164 | |
| 165 | For example, |
| 166 | |
| 167 | MCP Boot ROM: ``MCP_BL1`` |
| 168 | ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 169 | |
| 170 | MCP RAM Firmware: ``MCP_BL2`` |
| 171 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |