18aa05055SPaul BeesleyCPU Reset 28aa05055SPaul Beesley========= 340d553cfSPaul Beesley 440d553cfSPaul BeesleyThis document describes the high-level design of the framework to handle CPU 540d553cfSPaul Beesleyresets in Trusted Firmware-A (TF-A). It also describes how the platform 640d553cfSPaul Beesleyintegrator can tailor this code to the system configuration to some extent, 740d553cfSPaul Beesleyresulting in a simplified and more optimised boot flow. 840d553cfSPaul Beesley 934760951SPaul BeesleyThis document should be used in conjunction with the :ref:`Firmware Design` 1034760951SPaul Beesleydocument which provides greater implementation details around the reset code, 1134760951SPaul Beesleyspecifically for the cold boot path. 1240d553cfSPaul Beesley 1340d553cfSPaul BeesleyGeneral reset code flow 1440d553cfSPaul Beesley----------------------- 1540d553cfSPaul Beesley 1640d553cfSPaul BeesleyThe TF-A reset code is implemented in BL1 by default. The following high-level 1740d553cfSPaul Beesleydiagram illustrates this: 1840d553cfSPaul Beesley 1940d553cfSPaul Beesley|Default reset code flow| 2040d553cfSPaul Beesley 2140d553cfSPaul BeesleyThis diagram shows the default, unoptimised reset flow. Depending on the system 2240d553cfSPaul Beesleyconfiguration, some of these steps might be unnecessary. The following sections 2340d553cfSPaul Beesleyguide the platform integrator by indicating which build options exclude which 2440d553cfSPaul Beesleysteps, depending on the capability of the platform. 2540d553cfSPaul Beesley 26e1c5026aSPaul Beesley.. note:: 27e1c5026aSPaul Beesley If BL31 is used as the TF-A entry point instead of BL1, the diagram 2840d553cfSPaul Beesley above is still relevant, as all these operations will occur in BL31 in 2940d553cfSPaul Beesley this case. Please refer to section 6 "Using BL31 entrypoint as the reset 3040d553cfSPaul Beesley address" for more information. 3140d553cfSPaul Beesley 3240d553cfSPaul BeesleyProgrammable CPU reset address 3340d553cfSPaul Beesley------------------------------ 3440d553cfSPaul Beesley 3540d553cfSPaul BeesleyBy default, TF-A assumes that the CPU reset address is not programmable. 3640d553cfSPaul BeesleyTherefore, all CPUs start at the same address (typically address 0) whenever 3740d553cfSPaul Beesleythey reset. Further logic is then required to identify whether it is a cold or 3840d553cfSPaul Beesleywarm boot to direct CPUs to the right execution path. 3940d553cfSPaul Beesley 4040d553cfSPaul BeesleyIf the reset vector address (reflected in the reset vector base address register 4140d553cfSPaul Beesley``RVBAR_EL3``) is programmable then it is possible to make each CPU start directly 4240d553cfSPaul Beesleyat the right address, both on a cold and warm reset. Therefore, the boot type 4340d553cfSPaul Beesleydetection can be skipped, resulting in the following boot flow: 4440d553cfSPaul Beesley 4540d553cfSPaul Beesley|Reset code flow with programmable reset address| 4640d553cfSPaul Beesley 4740d553cfSPaul BeesleyTo enable this boot flow, compile TF-A with ``PROGRAMMABLE_RESET_ADDRESS=1``. 4840d553cfSPaul BeesleyThis option only affects the TF-A reset image, which is BL1 by default or BL31 if 4940d553cfSPaul Beesley``RESET_TO_BL31=1``. 5040d553cfSPaul Beesley 5140d553cfSPaul BeesleyOn both the FVP and Juno platforms, the reset vector address is not programmable 5240d553cfSPaul Beesleyso both ports use ``PROGRAMMABLE_RESET_ADDRESS=0``. 5340d553cfSPaul Beesley 5440d553cfSPaul BeesleyCold boot on a single CPU 5540d553cfSPaul Beesley------------------------- 5640d553cfSPaul Beesley 5740d553cfSPaul BeesleyBy default, TF-A assumes that several CPUs may be released out of reset. 5840d553cfSPaul BeesleyTherefore, the cold boot code has to arbitrate access to hardware resources 5940d553cfSPaul Beesleyshared amongst CPUs. This is done by nominating one of the CPUs as the primary, 6040d553cfSPaul Beesleywhich is responsible for initialising shared hardware and coordinating the boot 6140d553cfSPaul Beesleyflow with the other CPUs. 6240d553cfSPaul Beesley 6340d553cfSPaul BeesleyIf the platform guarantees that only a single CPU will ever be brought up then 6440d553cfSPaul Beesleyno arbitration is required. The notion of primary/secondary CPU itself no longer 6540d553cfSPaul Beesleyapplies. This results in the following boot flow: 6640d553cfSPaul Beesley 6740d553cfSPaul Beesley|Reset code flow with single CPU released out of reset| 6840d553cfSPaul Beesley 6940d553cfSPaul BeesleyTo enable this boot flow, compile TF-A with ``COLD_BOOT_SINGLE_CPU=1``. This 7040d553cfSPaul Beesleyoption only affects the TF-A reset image, which is BL1 by default or BL31 if 7140d553cfSPaul Beesley``RESET_TO_BL31=1``. 7240d553cfSPaul Beesley 7340d553cfSPaul BeesleyOn both the FVP and Juno platforms, although only one core is powered up by 7440d553cfSPaul Beesleydefault, there are platform-specific ways to release any number of cores out of 7540d553cfSPaul Beesleyreset. Therefore, both platform ports use ``COLD_BOOT_SINGLE_CPU=0``. 7640d553cfSPaul Beesley 7740d553cfSPaul BeesleyProgrammable CPU reset address, Cold boot on a single CPU 7840d553cfSPaul Beesley--------------------------------------------------------- 7940d553cfSPaul Beesley 8040d553cfSPaul BeesleyIt is obviously possible to combine both optimisations on platforms that have 8140d553cfSPaul Beesleya programmable CPU reset address and which release a single CPU out of reset. 8240d553cfSPaul BeesleyThis results in the following boot flow: 8340d553cfSPaul Beesley 8440d553cfSPaul Beesley 8540d553cfSPaul Beesley|Reset code flow with programmable reset address and single CPU released out of reset| 8640d553cfSPaul Beesley 8740d553cfSPaul BeesleyTo enable this boot flow, compile TF-A with both ``COLD_BOOT_SINGLE_CPU=1`` 8840d553cfSPaul Beesleyand ``PROGRAMMABLE_RESET_ADDRESS=1``. These options only affect the TF-A reset 8940d553cfSPaul Beesleyimage, which is BL1 by default or BL31 if ``RESET_TO_BL31=1``. 9040d553cfSPaul Beesley 9140d553cfSPaul BeesleyUsing BL31 entrypoint as the reset address 9240d553cfSPaul Beesley------------------------------------------ 9340d553cfSPaul Beesley 9440d553cfSPaul BeesleyOn some platforms the runtime firmware (BL3x images) for the application 9540d553cfSPaul Beesleyprocessors are loaded by some firmware running on a secure system processor 9640d553cfSPaul Beesleyon the SoC, rather than by BL1 and BL2 running on the primary application 9740d553cfSPaul Beesleyprocessor. For this type of SoC it is desirable for the application processor 9840d553cfSPaul Beesleyto always reset to BL31 which eliminates the need for BL1 and BL2. 9940d553cfSPaul Beesley 10040d553cfSPaul BeesleyTF-A provides a build-time option ``RESET_TO_BL31`` that includes some additional 10140d553cfSPaul Beesleylogic in the BL31 entry point to support this use case. 10240d553cfSPaul Beesley 10340d553cfSPaul BeesleyIn this configuration, the platform's Trusted Boot Firmware must ensure that 10440d553cfSPaul BeesleyBL31 is loaded to its runtime address, which must match the CPU's ``RVBAR_EL3`` 10540d553cfSPaul Beesleyreset vector base address, before the application processor is powered on. 10640d553cfSPaul BeesleyAdditionally, platform software is responsible for loading the other BL3x images 10740d553cfSPaul Beesleyrequired and providing entry point information for them to BL31. Loading these 10840d553cfSPaul Beesleyimages might be done by the Trusted Boot Firmware or by platform code in BL31. 10940d553cfSPaul Beesley 11040d553cfSPaul BeesleyAlthough the Arm FVP platform does not support programming the reset base 11140d553cfSPaul Beesleyaddress dynamically at run-time, it is possible to set the initial value of the 11234760951SPaul Beesley``RVBAR_EL3`` register at start-up. This feature is provided on the Base FVP 11334760951SPaul Beesleyonly. 11434760951SPaul Beesley 11540d553cfSPaul BeesleyIt allows the Arm FVP port to support the ``RESET_TO_BL31`` configuration, in 11640d553cfSPaul Beesleywhich case the ``bl31.bin`` image must be loaded to its run address in Trusted 11740d553cfSPaul BeesleySRAM and all CPU reset vectors be changed from the default ``0x0`` to this run 11843f35ef5SPaul Beesleyaddress. See the :ref:`Arm Fixed Virtual Platforms (FVP)` for details of running 11943f35ef5SPaul Beesleythe FVP models in this way. 12040d553cfSPaul Beesley 12140d553cfSPaul BeesleyAlthough technically it would be possible to program the reset base address with 12240d553cfSPaul Beesleythe right support in the SCP firmware, this is currently not implemented so the 12340d553cfSPaul BeesleyJuno port doesn't support the ``RESET_TO_BL31`` configuration. 12440d553cfSPaul Beesley 12540d553cfSPaul BeesleyThe ``RESET_TO_BL31`` configuration requires some additions and changes in the 12640d553cfSPaul BeesleyBL31 functionality: 12740d553cfSPaul Beesley 12840d553cfSPaul BeesleyDetermination of boot path 12940d553cfSPaul Beesley~~~~~~~~~~~~~~~~~~~~~~~~~~ 13040d553cfSPaul Beesley 13140d553cfSPaul BeesleyIn this configuration, BL31 uses the same reset framework and code as the one 13240d553cfSPaul Beesleydescribed for BL1 above. Therefore, it is affected by the 13340d553cfSPaul Beesley``PROGRAMMABLE_RESET_ADDRESS`` and ``COLD_BOOT_SINGLE_CPU`` build options in the 13440d553cfSPaul Beesleysame way. 13540d553cfSPaul Beesley 13640d553cfSPaul BeesleyIn the default, unoptimised BL31 reset flow, on a warm boot a CPU is directed 13740d553cfSPaul Beesleyto the PSCI implementation via a platform defined mechanism. On a cold boot, 13840d553cfSPaul Beesleythe platform must place any secondary CPUs into a safe state while the primary 13940d553cfSPaul BeesleyCPU executes a modified BL31 initialization, as described below. 14040d553cfSPaul Beesley 14140d553cfSPaul BeesleyPlatform initialization 14240d553cfSPaul Beesley~~~~~~~~~~~~~~~~~~~~~~~ 14340d553cfSPaul Beesley 144*d2baffbcSManish V BadarkheIn this configuration, since the CPU resets to BL31, no parameters are expected 145*d2baffbcSManish V Badarkheto be passed to BL31 (see notes below for clarification). 146*d2baffbcSManish V BadarkheInstead, the platform code in BL31 needs to know, or be able to determine, the 147*d2baffbcSManish V Badarkhelocation of the BL32 (if required) and BL33 images and provide this information 148*d2baffbcSManish V Badarkhein response to the ``bl31_plat_get_next_image_ep_info()`` function. 14940d553cfSPaul Beesley 15040d553cfSPaul BeesleyAdditionally, platform software is responsible for carrying out any security 15140d553cfSPaul Beesleyinitialisation, for example programming a TrustZone address space controller. 15240d553cfSPaul BeesleyThis might be done by the Trusted Boot Firmware or by platform code in BL31. 15340d553cfSPaul Beesley 154*d2baffbcSManish V Badarkhe.. note:: 155*d2baffbcSManish V Badarkhe Even though RESET_TO_BL31 is designed such that BL31 is the reset BL image, 156*d2baffbcSManish V Badarkhe some platforms may wish to pass some arguments to BL31 as per the defined 157*d2baffbcSManish V Badarkhe contract between BL31 and previous bootloaders. Previous bootloaders can 158*d2baffbcSManish V Badarkhe pass arguments through registers x0 through x3. BL31 will preserve them and 159*d2baffbcSManish V Badarkhe propagate them to platform code, which will handle these arguments in an 160*d2baffbcSManish V Badarkhe IMPDEF manner. 161*d2baffbcSManish V Badarkhe 16240d553cfSPaul Beesley-------------- 16340d553cfSPaul Beesley 164*d2baffbcSManish V Badarkhe*Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.* 16540d553cfSPaul Beesley 166a2c320a8SPaul Beesley.. |Default reset code flow| image:: ../resources/diagrams/default_reset_code.png 167a2c320a8SPaul Beesley.. |Reset code flow with programmable reset address| image:: ../resources/diagrams/reset_code_no_boot_type_check.png 168a2c320a8SPaul Beesley.. |Reset code flow with single CPU released out of reset| image:: ../resources/diagrams/reset_code_no_cpu_check.png 169a2c320a8SPaul Beesley.. |Reset code flow with programmable reset address and single CPU released out of reset| image:: ../resources/diagrams/reset_code_no_checks.png 170
