xref: /rk3399_ARM-atf/docs/components/ffa-manifest-binding.rst (revision b48ba400af031a0115459c8c2f46593dafed7d04) 
1FF-A manifests binding to device tree
2=====================================
3
4This document defines the nodes and properties used to define a partition,
5according to the FF-A specification, and the SPMC manifest.
6
7FF-A Partition Manifest Properties
8----------------------------------
9
10The FF-A partition manifest is consumed by the SPMC to configure the state
11associated with the related Secure Partition.
12
13- compatible [mandatory]
14   - value type: <string>
15   - Must be the string "arm,ffa-manifest-X.Y" which specifies the major and
16     minor versions of the device tree binding for the FFA manifest represented
17     by this node. The minor number is incremented if the binding changes in a
18     backwards compatible manner.
19
20      - X is an integer representing the major version number of this document.
21      - Y is an integer representing the minor version number of this document.
22
23- ffa-version [mandatory]
24   - value type: <u32>
25   - Must be two 16 bits values (X, Y), concatenated as 31:16 -> X,
26     15:0 -> Y, where:
27
28      - X is the major version of FF-A expected by the partition at the FFA
29        instance it will execute.
30      - Y is the minor version of FF-A expected by the partition at the FFA
31        instance it will execute.
32
33- uuid [mandatory]
34   - value type: <prop-encoded-array>
35   - An array of comma separated tuples each consisting of 4 <u32> values,
36     identifying the UUID of the services implemented by this partition.
37     The UUID format is described in RFC 4122.
38   - These 4 <u32> values are packed similar to the UUID register mapping
39     specified in section '5.3 Unique Identification format', SMC Calling
40     Convention, DEN0028, v1.6 G BET0
41     (https://developer.arm.com/documentation/den0028/latest/).
42
43- id
44   - value type: <u32>
45   - Pre-allocated partition ID.
46
47- auxiliary-id
48   - value type: <u32>
49   - Pre-allocated ID that could be used in memory management transactions.
50
51- description
52   - value type: <string>
53   - Name of the partition e.g. for debugging purposes.
54
55- execution-ctx-count [mandatory]
56   - value type: <u32>
57   - Number of vCPUs that a VM or SP wants to instantiate.
58
59      - In the absence of virtualization, this is the number of execution
60        contexts that a partition implements.
61      - If value of this field = 1 and number of PEs > 1 then the partition is
62        treated as UP & migrate capable.
63      - If the value of this field > 1 then the partition is treated as a MP
64        capable partition irrespective of the number of PEs.
65
66- exception-level [mandatory]
67   - value type: <u32>
68   - The target exception level for the partition:
69
70      - 0x0: EL1
71      - 0x1: S_EL0
72      - 0x2: S_EL1
73
74- execution-state [mandatory]
75   - value type: <u32>
76   - The target execution state of the partition:
77
78      - 0: AArch64
79      - 1: AArch32
80
81- load-address
82   - value type: <u64>
83   - Physical base address of the partition in memory. Absence of this field
84     indicates that the partition is position independent and can be loaded at
85     any address chosen at boot time.
86
87- entrypoint-offset
88   - value type: <u64>
89   - Offset from the base of the partition's binary image to the entry point of
90     the partition. Absence of this field indicates that the entry point is at
91     offset 0x0 from the base of the partition's binary.
92
93- xlat-granule
94   - value type: <u32>
95   - Translation granule used with the partition:
96
97      - 0x0: 4k
98      - 0x1: 16k
99      - 0x2: 64k
100
101- boot-order
102   - value type: <u32>
103   - A unique number amongst all partitions that specifies if this partition
104     must be booted before others. The partition with the smaller number will be
105     booted first. Highest vlue allowed for this field is 0xFFFF.
106
107- rx-tx-buffer
108   - value type: "memory-regions" node
109   - Specific "memory-regions" nodes that describe the RX/TX buffers expected
110     by the partition.
111     The "compatible" must be the string "arm,ffa-manifest-rx_tx-buffer".
112
113- messaging-method [mandatory]
114   - value type: <u32>
115   - Specifies which messaging methods are supported by the partition, set bit
116     means the feature is supported, clear bit - not supported:
117
118      - Bit[0]: partition can receive direct requests via FFA_MSG_SEND_DIRECT_REQ ABI if set
119      - Bit[1]: partition can send direct requests via FFA_MSG_SEND_DIRECT_REQ ABI if set
120      - Bit[2]: partition can send and receive indirect messages
121      - Bit[9]: partition can receive direct requests via FFA_MSG_SEND_DIRECT_REQ2 ABI if set
122      - Bit[10]: partition can send direct requests via FFA_MSG_SEND_DIRECT_REQ2 ABI if set
123
124- managed-exit
125   - value type: <empty>
126   - Specifies if managed exit is supported.
127   - This field is deprecated in favor of ns-interrupts-action field in the FF-A
128     v1.1 EAC0 spec.
129
130- managed-exit-virq
131   - value type: <empty>
132   - Indicates if the partition needs managed exit, if supported, to be signaled
133     through vIRQ signal.
134
135- ns-interrupts-action [mandatory]
136   - value type: <u32>
137   - Specifies the action that the SPMC must take in response to a Non-secure
138     physical interrupt.
139
140      - 0x0: Non-secure interrupt is queued
141      - 0x1: Non-secure interrupt is signaled after a managed exit
142      - 0x2: Non-secure interrupt is signaled
143
144   - This field supersedes the managed-exit field in the FF-A v1.0 spec.
145
146- other-s-interrupts-action
147   - value type: <u32>
148   - Specifies the action that the SPMC must take in response to a Other-Secure
149     physical interrupt.
150
151      - 0x0: Other-Secure interrupt is queued
152      - 0x1: Other-Secure interrupt is signaled
153
154- sri-interrupts-policy
155
156  - value type: <u32>
157  - Specifies how secure interrupts are handled when the SP is in a waiting
158    state and is targeted by a secure interrupt, or when the SP attempts to
159    return to a waiting state with pending secure interrupts. The value is a
160    bitfield.
161
162      - 0x0: Proactively inject the VI and resume SP when handling a secure
163        interrupt and SP in the waiting state.
164      - 0x1: Only when a secure interrupt is fired while target SP in the
165        waiting state, pend SRI to the NWd and rely on the scheduler to
166        explicitly donate CPU cycles to the SP.
167      - 0x2: Only when the SP attempts to go back to the waiting state while
168        having pending secure interrupts, trigger the SRI to the NWd and rely
169        on the scheduler to explicitly donate CPU cycles to the SP.
170      - 0x3: Enable both actions for values 0x1 and 0x2.
171
172- has-primary-scheduler
173   - value type: <empty>
174   - Presence of this field indicates that the partition implements the primary
175     scheduler. If so, run-time EL must be EL1.
176
177- time-slice-mem
178   - value type: <empty>
179   - Presence of this field indicates that the partition doesn't expect the
180     partition manager to time slice long running memory management functions.
181
182- gp-register-num
183   - value type: <u32>
184   - The field specifies the general purpose register number but not its width.
185     The width is derived from the partition's execution state, as specified in
186     the partition properties. For example, if the number value is 1 then the
187     general-purpose register used will be x1 in AArch64 state and w1 in AArch32
188     state.
189     Presence of this field indicates that the partition expects the address of
190     the FF-A boot information blob to be passed in the specified general purpose
191     register.
192
193- power-management-messages
194   - value type: <u32>
195   - Specifies which power management messages a partition subscribes to.
196     A set bit means the partition should be informed of the power event, clear
197     bit - should not be informed of event:
198
199      - Bit[0]: CPU_OFF
200      - Bit[1]: CPU_SUSPEND
201      - Bit[2]: CPU_SUSPEND_RESUME
202
203- vm-availability-messages
204   - value type: <u32>
205   - Specifies which VM availability messages a partition subscribes to. A set
206     bit means the partition should be informed of the event, clear bit - should
207     not be informed of event:
208
209      - Bit[0]: VM created
210      - Bit[1]: VM destroyed
211
212- lifecycle-support
213   - value type: <empty>
214   - Presence of this field indicates support for all partition lifecycle states
215     defined in the FF-A v1.3 ALP2 spec.
216
217- abort-action
218   - value type: <u32>
219   - Specifies the action that the SPMC takes when a partition encounters a fatal
220     error.
221
222      - 0x0: STOP
223      - 0x1: DESTROY
224      - 0x2: RESTART
225      - 0x3: PROPAGATE
226
227   - All other values are unsupported. If a partition does not specify this
228     field in the manifest, the SPMC takes implementation defined action.
229
230.. _memory_region_node:
231
232Memory Regions
233~~~~~~~~~~~~~~
234
235- compatible [mandatory]
236   - value type: <string>
237   - Must be the string "arm,ffa-manifest-memory-regions".
238
239- description
240   - value type: <string>
241   - Name of the memory region e.g. for debugging purposes.
242
243- pages-count [mandatory]
244   - value type: <u32>
245   - Count of pages of memory region as a multiple of the translation granule
246     size
247
248- attributes [mandatory]
249   - value type: <u32>
250   - Mapping modes: ORed to get required permission
251
252      - 0x1: Read
253      - 0x2: Write
254      - 0x4: Execute
255      - 0x8: Security state
256
257- base-address
258   - value type: <u64>
259   - Base address of the region. The address must be aligned to the translation
260     granule size.
261     The address given may be a Physical Address (PA), Virtual Address (VA), or
262     Intermediate Physical Address (IPA). Refer to the FF-A specification for
263     more information on the restrictions around the address type.
264     If the base address is omitted then the partition manager must map a memory
265     region of the specified size into the partition's translation regime and
266     then communicate the region properties (including the base address chosen
267     by the partition manager) to the partition.
268
269- load-address-relative-offset
270   - value type: <u64>
271   - Offset relative to the load address of the partition.
272     When this is provided in the partition manifest, it should be added to the
273     load address to get the base address of the region. The secure partition
274     manifest can have either "base-address" or "load-address-relative-offset".
275     It cannot have both.
276
277- stream-ids
278   - value type: <prop-encoded-array>
279   - List of IDs belonging to a DMA capable peripheral device that has access to
280     the memory region represented by current node.
281   - Each ID must have been declared in exactly one device region node.
282
283- smmu-id
284   - value type: <u32>
285   - Identifies the SMMU IP that enforces the access control for the DMA device
286     that owns the above stream-ids.
287
288- stream-ids-access-permissions
289   - value type: <prop-encoded-array>
290   - List of attributes representing the instruction and data access permissions
291     used by the DMA device streams to access the memory region represented by
292     current node.
293
294.. _device_region_node:
295
296Device Regions
297~~~~~~~~~~~~~~
298
299- compatible [mandatory]
300   - value type: <string>
301   - Must be the string "arm,ffa-manifest-device-regions".
302
303- description
304   - value type: <string>
305   - Name of the device region e.g. for debugging purposes.
306
307- pages-count [mandatory]
308   - value type: <u32>
309   - Count of pages of memory region as a multiple of the translation granule
310     size
311
312- attributes [mandatory]
313   - value type: <u32>
314   - Mapping modes: ORed to get required permission
315
316     - 0x1: Read
317     - 0x2: Write
318     - 0x4: Execute
319     - 0x8: Security state
320
321- base-address [mandatory]
322   - value type: <u64>
323   - Base address of the region. The address must be aligned to the translation
324     granule size.
325     The address given may be a Physical Address (PA), Virtual Address (VA), or
326     Intermediate Physical Address (IPA). Refer to the FF-A specification for
327     more information on the restrictions around the address type.
328
329- smmu-id
330   - value type: <u32>
331   - On systems with multiple System Memory Management Units (SMMUs) this
332     identifier is used to inform the partition manager which SMMU the device is
333     upstream of. If the field is omitted then it is assumed that the device is
334     not upstream of any SMMU.
335
336- stream-ids
337   - value type: <prop-encoded-array>
338   - List of IDs where an ID is a unique <u32> value amongst all devices assigned
339     to the partition.
340
341- interrupts
342   - value type: <prop-encoded-array>
343   - A list of (id, attributes) pair describing the device interrupts, where:
344
345      - id: The <u32> interrupt IDs.
346      - attributes: A <u32> value, containing attributes for each interrupt ID:
347
348        +----------------------+----------+
349        |Field                 | Bit(s)   |
350        +----------------------+----------+
351        | Priority	       | 7:0      |
352        +----------------------+----------+
353        | Security state       | 8        |
354        +----------------------+----------+
355        | Config(Edge/Level)   | 9        |
356        +----------------------+----------+
357        | Type(SPI/PPI/SGI)    | 11:10    |
358        +----------------------+----------+
359
360        Security state:
361          - Secure:       1
362          - Non-secure:   0
363
364        Configuration:
365          - Edge triggered:       0
366          - Level triggered:      1
367
368        Type:
369          - SPI:  0b10
370          - PPI:  0b01
371          - SGI:  0b00
372
373- interrupts-target
374   - value type: <prop-encoded-array>
375   - A list of (id, mpdir upper bits, mpidr lower bits) tuples describing which
376     mpidr the interrupt is routed to, where:
377
378      - id: The <u32> interrupt ID. Must be one of those specified in the
379            "interrupts" field.
380      - mpidr upper bits: The <u32> describing the upper bits of the 64 bits
381                          mpidr
382      - mpidr lower bits: The <u32> describing the lower bits of the 64 bits
383                          mpidr
384
385- exclusive-access
386   - value type: <empty>
387   - Presence of this field implies that this endpoint must be granted exclusive
388     access and ownership of this device's MMIO region.
389
390SPMC Manifest Properties
391------------------------
392
393This manifest contains the SPMC *attribute* node consumed by the SPMD at
394boot time.
395
396attribute
397~~~~~~~~~
398
399- spmc_id
400   - value type: <u32>
401   - Defines the endpoint ID value that SPMC can query through ``FFA_ID_GET``.
402- maj_ver
403   - value type: <u32>
404   - Major of the FF-A version implemented by the SPMC. SPMD checks against its own
405     version.
406- min_ver
407   - value type>: <u32>
408   - Minor of the FF-A version implemented by the SPMC. SPMD checks against its own
409     version.
410- exec_state
411   - value type: <u32>
412   - Defines the SPMC execution state (AArch64 or AArch32).
413- load_address
414   - value type: <u64>
415   - Base physical address in which the SPMC binary is placed. Should be page aligned.
416- entrypoint:
417   - value type: <u64>
418   - Defines the physical address for the cold boot primary core entrypoint used by the SPMD
419     (currently matches ``BL32_BASE``) to enter the SPMC.
420- binary_size
421   - value type: <u32>
422   - Defines the maximum size of the SPMC binary. It is used with load_address to sanitize the
423     specified entrypoint.
424
425--------------
426
427*Copyright (c) 2019-2025, Arm Limited and Contributors. All rights reserved.*
428