1FF-A manifests binding to device tree 2===================================== 3 4This document defines the nodes and properties used to define a partition, 5according to the FF-A specification, and the SPMC manifest. 6 7FF-A Partition Manifest Properties 8---------------------------------- 9 10The FF-A partition manifest is consumed by the SPMC to configure the state 11associated with the related Secure Partition. 12 13- compatible [mandatory] 14 - value type: <string> 15 - Must be the string "arm,ffa-manifest-X.Y" which specifies the major and 16 minor versions of the device tree binding for the FFA manifest represented 17 by this node. The minor number is incremented if the binding changes in a 18 backwards compatible manner. 19 20 - X is an integer representing the major version number of this document. 21 - Y is an integer representing the minor version number of this document. 22 23- ffa-version [mandatory] 24 - value type: <u32> 25 - Must be two 16 bits values (X, Y), concatenated as 31:16 -> X, 26 15:0 -> Y, where: 27 28 - X is the major version of FF-A expected by the partition at the FFA 29 instance it will execute. 30 - Y is the minor version of FF-A expected by the partition at the FFA 31 instance it will execute. 32 33- id 34 - value type: <u32> 35 - Pre-allocated partition ID. 36 37- auxiliary-id 38 - value type: <u32> 39 - Pre-allocated ID that could be used in memory management transactions. 40 41- description 42 - value type: <string> 43 - Name of the partition e.g. for debugging purposes. 44 45- execution-ctx-count [mandatory] 46 - value type: <u32> 47 - Number of vCPUs that a VM or SP wants to instantiate. 48 49 - In the absence of virtualization, this is the number of execution 50 contexts that a partition implements. 51 - If value of this field = 1 and number of PEs > 1 then the partition is 52 treated as UP & migrate capable. 53 - If the value of this field > 1 then the partition is treated as a MP 54 capable partition irrespective of the number of PEs. 55 56- exception-level [mandatory] 57 - value type: <u32> 58 - The target exception level for the partition: 59 60 - 0x0: EL1 61 - 0x1: S_EL0 62 - 0x2: S_EL1 63 64- execution-state [mandatory] 65 - value type: <u32> 66 - The target execution state of the partition: 67 68 - 0: AArch64 69 - 1: AArch32 70 71- load-address 72 - value type: <u64> 73 - Physical base address of the partition in memory. Absence of this field 74 indicates that the partition is position independent and can be loaded at 75 any address chosen at boot time. 76 77- entrypoint-offset 78 - value type: <u64> 79 - Offset from the base of the partition's binary image to the entry point of 80 the partition. Absence of this field indicates that the entry point is at 81 offset 0x0 from the base of the partition's binary. 82 83- xlat-granule 84 - value type: <u32> 85 - Translation granule used with the partition: 86 87 - 0x0: 4k 88 - 0x1: 16k 89 - 0x2: 64k 90 91- boot-order 92 - value type: <u32> 93 - A unique number amongst all partitions that specifies if this partition 94 must be booted before others. The partition with the smaller number will be 95 booted first. Highest vlue allowed for this field is 0xFFFF. 96 97- rx-tx-buffer 98 - value type: "memory-regions" node 99 - Specific "memory-regions" nodes that describe the RX/TX buffers expected 100 by the partition. 101 The "compatible" must be the string "arm,ffa-manifest-rx_tx-buffer". 102 103- managed-exit 104 - value type: <empty> 105 - Specifies if managed exit is supported. 106 - This field is deprecated in favor of ns-interrupts-action field in the FF-A 107 v1.1 EAC0 spec. 108 109- managed-exit-virq 110 - value type: <empty> 111 - Indicates if the partition needs managed exit, if supported, to be signaled 112 through vIRQ signal. 113 114- ns-interrupts-action [mandatory] 115 - value type: <u32> 116 - Specifies the action that the SPMC must take in response to a Non-secure 117 physical interrupt. 118 119 - 0x0: Non-secure interrupt is queued 120 - 0x1: Non-secure interrupt is signaled after a managed exit 121 - 0x2: Non-secure interrupt is signaled 122 123 - This field supersedes the managed-exit field in the FF-A v1.0 spec. 124 125- other-s-interrupts-action 126 - value type: <u32> 127 - Specifies the action that the SPMC must take in response to a Other-Secure 128 physical interrupt. 129 130 - 0x0: Other-Secure interrupt is queued 131 - 0x1: Other-Secure interrupt is signaled 132 133- sri-interrupts-policy 134 135 - value type: <u32> 136 - Specifies how secure interrupts are handled when the SP is in a waiting 137 state and is targeted by a secure interrupt, or when the SP attempts to 138 return to a waiting state with pending secure interrupts. The value is a 139 bitfield. 140 141 - 0x0: Proactively inject the VI and resume SP when handling a secure 142 interrupt and SP in the waiting state. 143 - 0x1: Only when a secure interrupt is fired while target SP in the 144 waiting state, pend SRI to the NWd and rely on the scheduler to 145 explicitly donate CPU cycles to the SP. 146 - 0x2: Only when the SP attempts to go back to the waiting state while 147 having pending secure interrupts, trigger the SRI to the NWd and rely 148 on the scheduler to explicitly donate CPU cycles to the SP. 149 - 0x3: Enable both actions for values 0x1 and 0x2. 150 151- has-primary-scheduler 152 - value type: <empty> 153 - Presence of this field indicates that the partition implements the primary 154 scheduler. If so, run-time EL must be EL1. 155 156- time-slice-mem 157 - value type: <empty> 158 - Presence of this field indicates that the partition doesn't expect the 159 partition manager to time slice long running memory management functions. 160 161- gp-register-num 162 - value type: <u32> 163 - The field specifies the general purpose register number but not its width. 164 The width is derived from the partition's execution state, as specified in 165 the partition properties. For example, if the number value is 1 then the 166 general-purpose register used will be x1 in AArch64 state and w1 in AArch32 167 state. 168 Presence of this field indicates that the partition expects the address of 169 the FF-A boot information blob to be passed in the specified general purpose 170 register. 171 172- power-management-messages 173 - value type: <u32> 174 - Specifies which power management messages a partition subscribes to. 175 A set bit means the partition should be informed of the power event, clear 176 bit - should not be informed of event: 177 178 - Bit[0]: CPU_OFF 179 - Bit[1]: CPU_SUSPEND 180 - Bit[2]: CPU_SUSPEND_RESUME 181 182- vm-availability-messages 183 - value type: <u32> 184 - Specifies which VM availability messages a partition subscribes to. A set 185 bit means the partition should be informed of the event, clear bit - should 186 not be informed of event: 187 188 - Bit[0]: VM created 189 - Bit[1]: VM destroyed 190 191- lifecycle-support 192 - value type: <empty> 193 - Presence of this field indicates support for all partition lifecycle states 194 defined in the FF-A v1.3 ALP2 spec. 195 196- abort-action 197 - value type: <u32> 198 - Specifies the action that the SPMC takes when a partition encounters a fatal 199 error. 200 201 - 0x0: STOP 202 - 0x1: DESTROY 203 - 0x2: RESTART 204 - 0x3: PROPAGATE 205 206 - All other values are unsupported. If a partition does not specify this 207 field in the manifest, the SPMC takes implementation defined action. 208 209.. _services: 210 211Services 212~~~~~~~~ 213 214- A service pairs a protocol UUID with supported messaging methods that clients 215 use to reach the SP. 216- For the compatible value at the root set to "arm,ffa-manifest-1.0", the UUIDs 217 and messaging methods are specified in two separate lists at the root node as 218 below: 219 220 - uuid [mandatory] 221 - value type: <prop-encoded-array> 222 - An array of comma separated tuples each consisting of 4 <u32> values, 223 identifying the protocol UUIDs of the services implemented by this 224 partition. The UUID format is described in RFC 4122. 225 - These 4 <u32> values are packed similar to the UUID register mapping 226 specified in section '5.3 Unique Identification format', 227 SMC Calling Convention, DEN0028, v1.6 G BET0 228 (https://developer.arm.com/documentation/den0028/latest/). 229 - messaging-method [mandatory] 230 - value type: <prop-encoded-array> 231 - An array of <u32> values which specify which messaging methods are 232 supported for each service. If one value is specified all services 233 support those messaging methods. If multiple values are specified, there 234 must be the same number as UUIDs specified, and the messaging method at 235 each index is paired with the UUID at the matching index of the uuid 236 array. Set bit means the feature is supported, clear bit - not supported: 237 238 - Bit[0]: partition can receive direct requests via 239 FFA_MSG_SEND_DIRECT_REQ ABI if set 240 - Bit[1]: partition can send direct requests via 241 FFA_MSG_SEND_DIRECT_REQ ABI if set 242 - Bit[2]: partition can send and receive indirect messages 243 - Bit[9]: partition can receive direct requests via 244 FFA_MSG_SEND_DIRECT_REQ2 ABI if set 245 - Bit[10]: partition can send direct requests via 246 FFA_MSG_SEND_DIRECT_REQ2 ABI if set 247 - A request targeting a specific protocol UUID requires that service to 248 have the corresponding bit set. Requests that do not target a specific 249 protocol UUID (for example, a NULL UUID or FFA_MSG_SEND_DIRECT_REQ) are 250 allowed if any service exposes the required messaging method. 251 252- For compatible value "arm,ffa-manifest-X.Y" with X.Y > 1.0, specify services 253 under a parent "services" node like so: 254 255 - services [mandatory] 256 - compatible [mandatory] 257 - value type: <string> 258 - Must be the string "arm,ffa-manifest-services". 259 - Child service nodes [mandatory] 260 - uuid [mandatory] 261 - value type: <string> 262 - A protocol UUID specified in the canonical string format as 263 described in RFC 9562. 264 (https://www.rfc-editor.org/rfc/rfc9562.html#name-uuid-format) 265 - messaging-method [mandatory] 266 - value type: <u32> 267 - Specifies which messaging methods are supported by this service, 268 set bit means the feature is supported, clear bit - not supported: 269 270 - Bit[0]: partition can receive direct requests via 271 FFA_MSG_SEND_DIRECT_REQ ABI if set 272 - Bit[1]: partition can send direct requests via 273 FFA_MSG_SEND_DIRECT_REQ ABI if set 274 - Bit[2]: partition can send and receive indirect messages 275 - Bit[9]: partition can receive direct requests via 276 FFA_MSG_SEND_DIRECT_REQ2 ABI if set 277 - Bit[10]: partition can send direct requests via 278 FFA_MSG_SEND_DIRECT_REQ2 ABI if set 279 - Each child under "services" pairs a protocol UUID with a messaging 280 method. At least one child must be specified. 281 - A request targeting a specific protocol UUID requires that service to 282 have the corresponding bit set. Requests that do not target a specific 283 protocol UUID (for example, a NULL UUID or FFA_MSG_SEND_DIRECT_REQ) are 284 allowed if any service exposes the required messaging method. 285 286.. _memory_region_node: 287 288Memory Regions 289~~~~~~~~~~~~~~ 290 291- compatible [mandatory] 292 - value type: <string> 293 - Must be the string "arm,ffa-manifest-memory-regions". 294 295- description 296 - value type: <string> 297 - Name of the memory region e.g. for debugging purposes. 298 299- pages-count [mandatory] 300 - value type: <u32> 301 - Count of pages of memory region as a multiple of the translation granule 302 size 303 304- attributes [mandatory] 305 - value type: <u32> 306 - Mapping modes: ORed to get required permission 307 308 - 0x1: Read 309 - 0x2: Write 310 - 0x4: Execute 311 - 0x8: Security state 312 313- base-address 314 - value type: <u64> 315 - Base address of the region. The address must be aligned to the translation 316 granule size. 317 The address given may be a Physical Address (PA), Virtual Address (VA), or 318 Intermediate Physical Address (IPA). Refer to the FF-A specification for 319 more information on the restrictions around the address type. 320 If the base address is omitted then the partition manager must map a memory 321 region of the specified size into the partition's translation regime and 322 then communicate the region properties (including the base address chosen 323 by the partition manager) to the partition. 324 325- load-address-relative-offset 326 - value type: <u64> 327 - Offset relative to the load address of the partition. 328 When this is provided in the partition manifest, it should be added to the 329 load address to get the base address of the region. The secure partition 330 manifest can have either "base-address" or "load-address-relative-offset". 331 It cannot have both. 332 333- stream-ids 334 - value type: <prop-encoded-array> 335 - List of IDs belonging to a DMA capable peripheral device that has access to 336 the memory region represented by current node. 337 - Each ID must have been declared in exactly one device region node. 338 339- smmu-id 340 - value type: <u32> 341 - Identifies the SMMU IP that enforces the access control for the DMA device 342 that owns the above stream-ids. 343 344- stream-ids-access-permissions 345 - value type: <prop-encoded-array> 346 - List of attributes representing the instruction and data access permissions 347 used by the DMA device streams to access the memory region represented by 348 current node. 349 350.. _device_region_node: 351 352Device Regions 353~~~~~~~~~~~~~~ 354 355- compatible [mandatory] 356 - value type: <string> 357 - Must be the string "arm,ffa-manifest-device-regions". 358 359- description 360 - value type: <string> 361 - Name of the device region e.g. for debugging purposes. 362 363- pages-count [mandatory] 364 - value type: <u32> 365 - Count of pages of memory region as a multiple of the translation granule 366 size 367 368- attributes [mandatory] 369 - value type: <u32> 370 - Mapping modes: ORed to get required permission 371 372 - 0x1: Read 373 - 0x2: Write 374 - 0x4: Execute 375 - 0x8: Security state 376 377- base-address [mandatory] 378 - value type: <u64> 379 - Base address of the region. The address must be aligned to the translation 380 granule size. 381 The address given may be a Physical Address (PA), Virtual Address (VA), or 382 Intermediate Physical Address (IPA). Refer to the FF-A specification for 383 more information on the restrictions around the address type. 384 385- smmu-id 386 - value type: <u32> 387 - On systems with multiple System Memory Management Units (SMMUs) this 388 identifier is used to inform the partition manager which SMMU the device is 389 upstream of. If the field is omitted then it is assumed that the device is 390 not upstream of any SMMU. 391 392- stream-ids 393 - value type: <prop-encoded-array> 394 - List of IDs where an ID is a unique <u32> value amongst all devices assigned 395 to the partition. 396 397- interrupts 398 - value type: <prop-encoded-array> 399 - A list of (id, attributes) pair describing the device interrupts, where: 400 401 - id: The <u32> interrupt IDs. 402 - attributes: A <u32> value, containing attributes for each interrupt ID: 403 404 +----------------------+----------+ 405 |Field | Bit(s) | 406 +----------------------+----------+ 407 | Priority | 7:0 | 408 +----------------------+----------+ 409 | Security state | 8 | 410 +----------------------+----------+ 411 | Config(Edge/Level) | 9 | 412 +----------------------+----------+ 413 | Type(SPI/PPI/SGI) | 11:10 | 414 +----------------------+----------+ 415 416 Security state: 417 - Secure: 1 418 - Non-secure: 0 419 420 Configuration: 421 - Edge triggered: 0 422 - Level triggered: 1 423 424 Type: 425 - SPI: 0b10 426 - PPI: 0b01 427 - SGI: 0b00 428 429- interrupts-target 430 - value type: <prop-encoded-array> 431 - A list of (id, mpdir upper bits, mpidr lower bits) tuples describing which 432 mpidr the interrupt is routed to, where: 433 434 - id: The <u32> interrupt ID. Must be one of those specified in the 435 "interrupts" field. 436 - mpidr upper bits: The <u32> describing the upper bits of the 64 bits 437 mpidr 438 - mpidr lower bits: The <u32> describing the lower bits of the 64 bits 439 mpidr 440 441- exclusive-access 442 - value type: <empty> 443 - Presence of this field implies that this endpoint must be granted exclusive 444 access and ownership of this device's MMIO region. 445 446SPMC Manifest Properties 447------------------------ 448 449This manifest contains the SPMC *attribute* node consumed by the SPMD at 450boot time. 451 452attribute 453~~~~~~~~~ 454 455- spmc_id 456 - value type: <u32> 457 - Defines the endpoint ID value that SPMC can query through ``FFA_ID_GET``. 458- maj_ver 459 - value type: <u32> 460 - Major of the FF-A version implemented by the SPMC. SPMD checks against its own 461 version. 462- min_ver 463 - value type>: <u32> 464 - Minor of the FF-A version implemented by the SPMC. SPMD checks against its own 465 version. 466- exec_state 467 - value type: <u32> 468 - Defines the SPMC execution state (AArch64 or AArch32). 469- load_address 470 - value type: <u64> 471 - Base physical address in which the SPMC binary is placed. Should be page aligned. 472- entrypoint: 473 - value type: <u64> 474 - Defines the physical address for the cold boot primary core entrypoint used by the SPMD 475 (currently matches ``BL32_BASE``) to enter the SPMC. 476- binary_size 477 - value type: <u32> 478 - Defines the maximum size of the SPMC binary. It is used with load_address to sanitize the 479 specified entrypoint. 480 481-------------- 482 483*Copyright (c) 2019-2026, Arm Limited and Contributors. All rights reserved.* 484