| Abdellatif El Khlifi | 2f403d1 | 2023-08-04 14:33:40 +0100 | [diff] [blame] | 1 | .. SPDX-License-Identifier: GPL-2.0+ |
| 2 | |
| 3 | Arm FF-A Support |
| 4 | ================ |
| 5 | |
| 6 | Summary |
| 7 | ------- |
| 8 | |
| 9 | FF-A stands for Firmware Framework for Arm A-profile processors. |
| 10 | |
| 11 | FF-A specifies interfaces that enable a pair of software execution environments aka partitions to |
| 12 | communicate with each other. A partition could be a VM in the Normal or Secure world, an |
| 13 | application in S-EL0, or a Trusted OS in S-EL1. |
| 14 | |
| 15 | The U-Boot FF-A support (the bus) implements the interfaces to communicate |
| 16 | with partitions in the Secure world aka Secure partitions (SPs). |
| 17 | |
| 18 | The FF-A support specifically focuses on communicating with SPs that |
| 19 | isolate portions of EFI runtime services that must run in a protected |
| 20 | environment which is inaccessible by the Host OS or Hypervisor. |
| 21 | Examples of such services are set/get variables. |
| 22 | |
| 23 | The FF-A support uses the SMC ABIs defined by the FF-A specification to: |
| 24 | |
| 25 | - Discover the presence of SPs of interest |
| 26 | - Access an SP's service through communication protocols |
| 27 | e.g. EFI MM communication protocol |
| 28 | |
| 29 | At this stage of development only EFI boot-time services are supported. |
| 30 | Runtime support will be added in future developments. |
| 31 | |
| 32 | The U-Boot FF-A support provides the following parts: |
| 33 | |
| 34 | - A Uclass driver providing generic FF-A methods. |
| 35 | - An Arm FF-A device driver providing Arm-specific methods and reusing the Uclass methods. |
| Abdellatif El Khlifi | 4970d5b | 2023-08-04 14:33:41 +0100 | [diff] [blame^] | 36 | - A sandbox emulator for Arm FF-A, emulates the FF-A side of the Secure World and provides |
| 37 | FF-A ABIs inspection methods. |
| 38 | - An FF-A sandbox device driver for FF-A communication with the emulated Secure World. |
| 39 | The driver leverages the FF-A Uclass to establish FF-A communication. |
| Abdellatif El Khlifi | 2f403d1 | 2023-08-04 14:33:40 +0100 | [diff] [blame] | 40 | |
| 41 | FF-A and SMC specifications |
| 42 | ------------------------------------------- |
| 43 | |
| 44 | The current implementation of the U-Boot FF-A support relies on |
| 45 | `FF-A v1.0 specification`_ and uses SMC32 calling convention which |
| 46 | means using the first 32-bit data of the Xn registers. |
| 47 | |
| 48 | At this stage we only need the FF-A v1.0 features. |
| 49 | |
| 50 | The FF-A support has been tested with OP-TEE which supports SMC32 calling |
| 51 | convention. |
| 52 | |
| 53 | Hypervisors are supported if they are configured to trap SMC calls. |
| 54 | |
| 55 | The FF-A support uses 64-bit registers as per `SMC Calling Convention v1.2 specification`_. |
| 56 | |
| 57 | Supported hardware |
| 58 | -------------------------------- |
| 59 | |
| 60 | Aarch64 plaforms |
| 61 | |
| 62 | Configuration |
| 63 | ---------------------- |
| 64 | |
| 65 | CONFIG_ARM_FFA_TRANSPORT |
| 66 | Enables the FF-A support. Turn this on if you want to use FF-A |
| 67 | communication. |
| 68 | When using an Arm 64-bit platform, the Arm FF-A driver will be used. |
| Abdellatif El Khlifi | 4970d5b | 2023-08-04 14:33:41 +0100 | [diff] [blame^] | 69 | When using sandbox, the sandbox FF-A emulator and FF-A sandbox driver will be used. |
| Abdellatif El Khlifi | 2f403d1 | 2023-08-04 14:33:40 +0100 | [diff] [blame] | 70 | |
| 71 | FF-A ABIs under the hood |
| 72 | --------------------------------------- |
| 73 | |
| 74 | Invoking an FF-A ABI involves providing to the secure world/hypervisor the |
| 75 | expected arguments from the ABI. |
| 76 | |
| 77 | On an Arm 64-bit platform, the ABI arguments are stored in x0 to x7 registers. |
| 78 | Then, an SMC instruction is executed. |
| 79 | |
| 80 | At the secure side level or hypervisor the ABI is handled at a higher exception |
| 81 | level and the arguments are read and processed. |
| 82 | |
| 83 | The response is put back through x0 to x7 registers and control is given back |
| 84 | to the U-Boot Arm FF-A driver (non-secure world). |
| 85 | |
| 86 | The driver reads the response and processes it accordingly. |
| 87 | |
| 88 | This methodology applies to all the FF-A ABIs. |
| 89 | |
| 90 | FF-A bus discovery on Arm 64-bit platforms |
| 91 | --------------------------------------------- |
| 92 | |
| 93 | When CONFIG_ARM_FFA_TRANSPORT is enabled, the FF-A bus is considered as |
| 94 | an architecture feature and discovered using ARM_SMCCC_FEATURES mechanism. |
| 95 | This discovery mechanism is performed by the PSCI driver. |
| 96 | |
| 97 | The PSCI driver comes with a PSCI device tree node which is the root node for all |
| 98 | architecture features including FF-A bus. |
| 99 | |
| 100 | :: |
| 101 | |
| 102 | => dm tree |
| 103 | |
| 104 | Class Index Probed Driver Name |
| 105 | ----------------------------------------------------------- |
| Abdellatif El Khlifi | 2f403d1 | 2023-08-04 14:33:40 +0100 | [diff] [blame] | 106 | firmware 0 [ + ] psci |-- psci |
| 107 | ffa 0 [ ] arm_ffa | `-- arm_ffa |
| Abdellatif El Khlifi | 2f403d1 | 2023-08-04 14:33:40 +0100 | [diff] [blame] | 108 | |
| 109 | The PSCI driver is bound to the PSCI device and when probed it tries to discover |
| 110 | the architecture features by calling a callback the features drivers provide. |
| 111 | |
| 112 | In case of FF-A, the callback is arm_ffa_is_supported() which tries to discover the |
| 113 | FF-A framework by querying the FF-A framework version from secure world using |
| 114 | FFA_VERSION ABI. When discovery is successful, the ARM_SMCCC_FEATURES |
| 115 | mechanism creates a U-Boot device for the FF-A bus and binds the Arm FF-A driver |
| 116 | with the device using device_bind_driver(). |
| 117 | |
| 118 | At this stage the FF-A bus is registered with the DM and can be interacted with using |
| 119 | the DM APIs. |
| 120 | |
| 121 | Clients are able to probe then use the FF-A bus by calling uclass_first_device(). |
| 122 | |
| 123 | When calling uclass_first_device(), the FF-A driver is probed and ends up calling |
| 124 | ffa_do_probe() provided by the Uclass which does the following: |
| 125 | |
| 126 | - saving the FF-A framework version in uc_priv |
| 127 | - querying from secure world the u-boot endpoint ID |
| 128 | - querying from secure world the supported features of FFA_RXTX_MAP |
| 129 | - mapping the RX/TX buffers |
| 130 | - querying from secure world all the partitions information |
| 131 | |
| 132 | When one of the above actions fails, probing fails and the driver stays not active |
| 133 | and can be probed again if needed. |
| 134 | |
| 135 | Requirements for clients |
| 136 | ------------------------------------- |
| 137 | |
| 138 | When using the FF-A bus with EFI, clients must query the SPs they are looking for |
| 139 | during EFI boot-time mode using the service UUID. |
| 140 | |
| 141 | The RX/TX buffers are only available at EFI boot-time. Querying partitions is |
| 142 | done at boot time and data is cached for future use. |
| 143 | |
| 144 | RX/TX buffers should be unmapped before EFI runtime mode starts. |
| 145 | The driver provides a bus operation for that called ffa_rxtx_unmap(). |
| 146 | |
| 147 | The user should call ffa_rxtx_unmap() to unmap the RX/TX buffers when required |
| 148 | (e.g: at efi_exit_boot_services()). |
| 149 | |
| 150 | The Linux kernel allocates its own RX/TX buffers. To be able to register these kernel buffers |
| 151 | with secure world, the U-Boot's RX/TX buffers should be unmapped before EFI runtime starts. |
| 152 | |
| 153 | When invoking FF-A direct messaging, clients should specify which ABI protocol |
| 154 | they want to use (32-bit vs 64-bit). Selecting the protocol means using |
| 155 | the 32-bit or 64-bit version of FFA_MSG_SEND_DIRECT_{REQ, RESP}. |
| 156 | The calling convention between U-Boot and the secure world stays the same: SMC32. |
| 157 | |
| 158 | Requirements for user drivers |
| 159 | ------------------------------------- |
| 160 | |
| 161 | Users who want to implement their custom FF-A device driver while reusing the FF-A Uclass can do so |
| 162 | by implementing their own invoke_ffa_fn() in the user driver. |
| 163 | |
| 164 | The bus driver layer |
| 165 | ------------------------------ |
| 166 | |
| 167 | FF-A support comes on top of the SMCCC layer and is implemented by the FF-A Uclass drivers/firmware/arm-ffa/arm-ffa-uclass.c |
| 168 | |
| 169 | The following features are provided: |
| 170 | |
| 171 | - Support for the 32-bit version of the following ABIs: |
| 172 | |
| 173 | - FFA_VERSION |
| 174 | - FFA_ID_GET |
| 175 | - FFA_FEATURES |
| 176 | - FFA_PARTITION_INFO_GET |
| 177 | - FFA_RXTX_UNMAP |
| 178 | - FFA_RX_RELEASE |
| 179 | - FFA_RUN |
| 180 | - FFA_ERROR |
| 181 | - FFA_SUCCESS |
| 182 | - FFA_INTERRUPT |
| 183 | - FFA_MSG_SEND_DIRECT_REQ |
| 184 | - FFA_MSG_SEND_DIRECT_RESP |
| 185 | |
| 186 | - Support for the 64-bit version of the following ABIs: |
| 187 | |
| 188 | - FFA_RXTX_MAP |
| 189 | - FFA_MSG_SEND_DIRECT_REQ |
| 190 | - FFA_MSG_SEND_DIRECT_RESP |
| 191 | |
| 192 | - Processing the received data from the secure world/hypervisor and caching it |
| 193 | |
| 194 | - Hiding from upper layers the FF-A protocol and registers details. Upper |
| 195 | layers focus on exchanged data, FF-A support takes care of how to transport |
| 196 | that to the secure world/hypervisor using FF-A |
| 197 | |
| 198 | - FF-A support provides driver operations to be used by upper layers: |
| 199 | |
| 200 | - ffa_partition_info_get |
| 201 | - ffa_sync_send_receive |
| 202 | - ffa_rxtx_unmap |
| 203 | |
| 204 | - FF-A bus discovery makes sure FF-A framework is responsive and compatible |
| 205 | with the driver |
| 206 | |
| 207 | - FF-A bus can be compiled and used without EFI |
| 208 | |
| Abdellatif El Khlifi | 4970d5b | 2023-08-04 14:33:41 +0100 | [diff] [blame^] | 209 | Relationship between the sandbox emulator and the FF-A device |
| 210 | --------------------------------------------------------------- |
| 211 | |
| 212 | :: |
| 213 | |
| 214 | => dm tree |
| 215 | |
| 216 | Class Index Probed Driver Name |
| 217 | ----------------------------------------------------------- |
| 218 | ffa_emul 0 [ + ] sandbox_ffa_emul `-- arm-ffa-emul |
| 219 | ffa 0 [ ] sandbox_arm_ffa `-- sandbox-arm-ffa |
| 220 | |
| Abdellatif El Khlifi | 2f403d1 | 2023-08-04 14:33:40 +0100 | [diff] [blame] | 221 | Example of boot logs with FF-A enabled |
| 222 | -------------------------------------- |
| 223 | |
| 224 | For example, when using FF-A with Corstone-1000 the logs are as follows: |
| 225 | |
| 226 | :: |
| 227 | |
| 228 | U-Boot 2023.01 (May 10 2023 - 11:08:07 +0000) corstone1000 aarch64 |
| 229 | |
| 230 | DRAM: 2 GiB |
| 231 | Arm FF-A framework discovery |
| 232 | FF-A driver 1.0 |
| 233 | FF-A framework 1.0 |
| 234 | FF-A versions are compatible |
| 235 | ... |
| 236 | FF-A driver 1.0 |
| 237 | FF-A framework 1.0 |
| 238 | FF-A versions are compatible |
| 239 | EFI: MM partition ID 0x8003 |
| 240 | ... |
| 241 | EFI stub: Booting Linux Kernel... |
| 242 | ... |
| 243 | Linux version 6.1.9-yocto-standard (oe-user@oe-host) (aarch64-poky-linux-musl-gcc (GCC) 12.2.0, GNU ld (GNU Binutils) 2.40.202301193 |
| 244 | Machine model: ARM Corstone1000 FPGA MPS3 board |
| 245 | |
| 246 | Contributors |
| 247 | ------------ |
| 248 | * Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com> |
| 249 | |
| 250 | .. _`FF-A v1.0 specification`: https://documentation-service.arm.com/static/5fb7e8a6ca04df4095c1d65e |
| 251 | .. _`SMC Calling Convention v1.2 specification`: https://documentation-service.arm.com/static/5f8edaeff86e16515cdbe4c6 |