docs/spm-user-guide.rst

ARM Trusted Firmware - SPM User Guide
=====================================

.. section-numbering::
    :suffix: .

.. contents::


This document briefly presents the Secure Partition Management (SPM) support in
the Arm Trusted Firmware (TF), specifically focusing on how to build Arm TF with
SPM support.

Overview of the SPM software stack
----------------------------------

SPM is supported on the Arm FVP exclusively at the moment.

It is not currently possible for BL31 to integrate SPM support and a Secure
Payload Dispatcher (SPD) at the same time; they are mutually exclusive. In the
SPM bootflow, a Secure Partition (SP) image executing at Secure-EL0 replaces the
Secure Payload image executing at Secure-EL1 (e.g. a Trusted OS). Both are
referred to as BL32.

A working prototype of a SP has been implemented by repurposing the EDK2 code
and tools, leveraging the concept of the *Standalone Management Mode (MM)* in
the UEFI specification (see the PI v1.6 Volume 4: Management Mode Core
Interface). This will be referred to as the *Standalone MM Secure Partition* in
the rest of this document.


Building TF with SPM support
----------------------------

To enable SPM support in the TF, the source code must be compiled with the build
flag ``ENABLE_SPM=1``. On Arm platforms the build option ``ARM_BL31_IN_DRAM``
can be used to select the location of BL31, both SRAM and DRAM are supported.


Using the Standalone MM SP
~~~~~~~~~~~~~~~~~~~~~~~~~~

First, build the Standalone MM Secure Partition. To build it, refer to the
`instructions in the EDK2 repository`_.

Then build TF with SPM support and include the Standalone MM Secure Partition
image in the FIP:

::

    BL32=path/to/standalone/mm/sp BL33=path/to/bl33.bin \
    make PLAT=fvp ENABLE_SPM=1 fip all


--------------

*Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.*

.. _instructions in the EDK2 repository: https://github.com/tianocore/edk2-staging/blob/AArch64StandaloneMm/HowtoBuild.MD