RD-Aspen (Zena CSS) Platform
============================

The RD-Aspen platform, as referenced in TF-A, includes the following features:

* Primary Compute with four processor clusters, each containing:

  * Four Cortex-A720AE cores (Armv9.2-A application processor, 64-bit mode)
  * A DynamIQ Shared Unit (DSU-120AE)

* A GIC-720AE, which is GICv4-compatible and supports GICv3 mode as well.

Further information on RD-Aspen is available at `Zena CSS`_

Boot Sequence
-------------

The boot process begins with the Runtime Security Engine (RSE), which loads the
Application Processor (AP) BL2 image into the Trusted SRAM at a fixed address.
Once loaded, the RSE signals the System Control Processor firmware (SCP-firmware)
running on Safety Island Cluster 0 (SI CL0) to initiate the AP power-up sequence.

The SCP-firmware then sets the reset vector base address (RVBAR) for the AP, ensuring
it starts executing BL2 from the designated address. Following this, the SCP-firmware
powers on AP Cluster 0, allowing the AP to run AP BL2.

The following tasks are executed for each AP BL stage:

1. AP BL2:

   * Performs the actions described in the `Trusted Board Boot (TBB)`_ document.
   * (Optional step) Finds the FIP image in a GPT partition, in case the FIP lies
     within a GPT image.
   * Copies the FW_CONFIG from Secure Flash to Trusted SRAM.
   * Completes its dynamic configuration from the FW_CONFIG loaded.
     This includes:

     * Parsing the configuration data.
     * Setting up the required system parameters.

   * Reads and loads AP BL31 image into the Trusted SRAM.
   * (If present) Reads and loads AP BL32 (Secure Payload) image into Secure DRAM.
   * (If present) Reads and loads the SPMC manifest (for S-EL2 firmware configuration)
     into Trusted SRAM and passes its location to BL31.
   * Copies AP BL33 and Device tree blob from Secure Flash to Normal DRAM.
   * Transfers the execution to AP BL31.

2. AP BL31:

   * Initializes Trusted Firmware-A Services.
   * Transfers the execution to AP BL32 and then transfers the execution to AP BL33.

3. AP BL32:

   * Initializes Trusted OS (OP-TEE) environment.
   * Initializes Secure Partitions.
   * Transfers the execution back to AP BL31.
   * During runtime, it facilitates secure communication between the
     normal world environment (e.g. Linux) and the Trusted Execution Environment.
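
The GPT that AP BL2 walks in its optional step is plain data on flash, not an image authenticated by Trusted Board Boot, so every offset taken from it needs a bounds check before it is used. The host-side checker below is an added example, not TF-A code: it locates a FIP partition in a flash image and confirms it opens with a FIP table-of-contents header. The partition name ``FIP_A``, the 512-byte sector size and all function names are assumptions, and the sample image is constructed.

```python
import struct
import zlib

SECTOR = 512                # assumed logical block size
FIP_TOC_MAGIC = 0xAA640001  # "name" word that opens a FIP table of contents

def find_fip_in_gpt(img, part_name="FIP_A"):  # partition name is an assumption
    """Return (byte_offset, byte_size) of the FIP partition; raise ValueError otherwise."""
    if len(img) < 2 * SECTOR or img[SECTOR:SECTOR + 8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    hdr_size, crc = struct.unpack_from("<II", img, SECTOR + 12)
    if not 92 <= hdr_size <= SECTOR:
        raise ValueError("implausible GPT header size")
    hdr = bytearray(img[SECTOR:SECTOR + hdr_size])
    hdr[16:20] = bytes(4)  # the CRC is computed with its own field zeroed
    if zlib.crc32(hdr) != crc:
        raise ValueError("GPT header CRC mismatch")
    ent_lba, n_ent, ent_size = struct.unpack_from("<QII", hdr, 72)
    if ent_size < 128 or n_ent > 128:
        raise ValueError("implausible partition entry geometry")
    for i in range(n_ent):
        off = ent_lba * SECTOR + i * ent_size
        ent = img[off:off + 128]
        if len(ent) < 128:
            raise ValueError("partition array runs past the end of the image")
        first, last = struct.unpack_from("<QQ", ent, 32)
        name = ent[56:128].decode("utf-16-le").split("\x00")[0]
        if ent[:16] == bytes(16) or name != part_name:
            continue  # unused entry or a different partition
        start, size = first * SECTOR, (last - first + 1) * SECTOR
        if last < first or start + size > len(img):
            raise ValueError("partition lies outside the image")
        if struct.unpack_from("<I", img, start)[0] != FIP_TOC_MAGIC:
            raise ValueError("partition does not start with a FIP ToC header")
        return start, size
    raise ValueError(f"partition {part_name!r} not found")

def build_sample_image(name="FIP_A", magic=FIP_TOC_MAGIC):
    """Constructed input: 40 sectors, one entry at LBA 2, partition at LBA 34-37."""
    img, ent = bytearray(40 * SECTOR), bytearray(128)
    ent[:16] = bytes(range(1, 17))  # constructed, non-zero type GUID
    struct.pack_into("<QQ", ent, 32, 34, 37)
    ent[56:56 + 2 * len(name)] = name.encode("utf-16-le")
    hdr = bytearray(struct.pack("<8sII56xQII4x", b"EFI PART", 0x00010000, 92, 2, 1, 128))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))
    img[SECTOR:SECTOR + 92], img[2 * SECTOR:2 * SECTOR + 128] = hdr, ent
    struct.pack_into("<IIQ", img, 34 * SECTOR, magic, 0x12345678, 0)
    return bytes(img)
```

A passing result only shows that the container is where the partition table says it is; the images inside the FIP are still authenticated by the Trusted Board Boot flow.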

Build Procedure (TF-A only)
---------------------------

- Ensure all `Prerequisites`_ are met, and the ``CROSS_COMPILE`` environment
  variable is properly set.

- Build TF-A:

  .. code:: shell

     make \
     PLAT=rdaspen \
     MBEDTLS_DIR=<mbedtls_dir> \
     CREATE_KEYS=1 \
     GENERATE_COT=1 \
     TRUSTED_BOARD_BOOT=1 \
     COT=tbbr \
     ARM_ROTPK_LOCATION=devel_rsa \
     ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
     BL32=<path to optee binary> \
     ARM_GPT_SUPPORT=1 \
     BL33=<PATH-TO-BL33-BINARY>

.. note::

   The ``BL32`` flag is optional and should be set only if a Trusted OS is required.
   If it is not set, then ``BL33`` will be loaded directly after ``BL31``.

   The ``ARM_GPT_SUPPORT`` flag is also optional. It must be enabled when the
   FIP image resides inside a GPT partition on Secure Flash.

--------------

*Copyright (c) 2025, Arm Limited. All rights reserved.*

.. _Prerequisites: https://trustedfirmware-a.readthedocs.io/en/latest/getting_started/prerequisites.html
.. _Trusted Board Boot (TBB): https://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html
.. _Zena CSS: https://www.arm.com/products/automotive/compute-subsystems/zena
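
The build command in the Build Procedure section selects ``ARM_ROTPK_LOCATION=devel_rsa`` and signs with ``arm_rotprivk_rsa.pem``, the development root-of-trust key that ships in the public TF-A source tree, so a chain of trust built this way can be re-signed by anyone with the repository. The release gate below is an added example, not part of TF-A: it parses a make invocation and reports those settings. The function names and the rule set are assumptions; the sample input is the page's command with the optional ``BL32`` left out.

```python
import shlex

DEV_KEY_DIR = "plat/arm/board/common/rotpk/"  # key directory named in the page's command

# The page's build command as sample input (placeholders left as-is, BL32 omitted).
PAGE_COMMAND = """make \\
PLAT=rdaspen \\
MBEDTLS_DIR=<mbedtls_dir> \\
CREATE_KEYS=1 \\
GENERATE_COT=1 \\
TRUSTED_BOARD_BOOT=1 \\
COT=tbbr \\
ARM_ROTPK_LOCATION=devel_rsa \\
ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \\
ARM_GPT_SUPPORT=1 \\
BL33=<PATH-TO-BL33-BINARY>
"""

def make_vars(cmdline):
    """Parse NAME=value arguments out of a (possibly multi-line) make command."""
    # Join continuation lines and drop a dangling trailing backslash before tokenizing.
    flat = cmdline.replace("\\\n", " ").rstrip("\\ \n")
    return dict(tok.split("=", 1) for tok in shlex.split(flat) if "=" in tok)

def release_findings(cmdline):
    """Return reasons this TF-A build must not ship; an empty list means none found."""
    v, out = make_vars(cmdline), []
    if v.get("TRUSTED_BOARD_BOOT") != "1":
        out.append("TRUSTED_BOARD_BOOT is not enabled")
    if v.get("ARM_ROTPK_LOCATION", "").startswith("devel_"):
        out.append("ARM_ROTPK_LOCATION selects a development ROTPK")
    if DEV_KEY_DIR in v.get("ROT_KEY", ""):
        out.append("ROT_KEY is the development private key from the source tree")
    return out
```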