Re: [TF-A] Trusted Firmware version 2.5 is now available
by Chris Kay
Thanks, Gary, and to everybody who contributed to this release!
I’d like to quickly remind everybody that, as part of the v2.5 release, the Trusted Firmware-A project formally adopted the Conventional Commits v1.0.0<https://www.conventionalcommits.org/en/v1.0.0/> specification to enable us to radically reduce our time-to-release in the future. Thank you to everybody who took part in the discussions that allowed us to integrate this, and to those whose concerns I hope we have by now satisfied.
As part of this effort, we have introduced a commit verification check to the existing Gerrit-triggered CI job. Where before this applied only to Arm employees, this now includes everybody (even you, reader of this email). This will no doubt require some initial mental reorientation as it did for our Arm-based guinea pigs, but I hope that this it will become a non-issue in short time.
To aid in the transition, we are also now packaging additional tooling, namely Commitizen<https://commitizen-tools.github.io/commitizen/> and commitlint<https://commitlint.js.org/#/>, to make writing conformant commits easier, the installation instructions for which have been integrated into the v2.5 prerequisites page<https://trustedfirmware-a.readthedocs.io/en/latest/getting_started/prerequi…>. These tools are optional, but highly recommended if you do find your commits being rejected by the CI.
Please note that patches currently awaiting review on Gerrit will need to adhere to this specification before merging (this should only take a minute).
If you missed previous communications or are unfamiliar with Conventional Commits, here is a brief summary of the format that commit messages are now expected to take:
<type>[optional scope]: <description>
[optional body]
[optional footer(s)]
Where the <type> is one of:
* feat: A new feature
* fix: A bug fix
* docs: Documentation only changes
* style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
* refactor: A code change that neither fixes a bug nor adds a feature
* perf: A code change that improves performance
* test: Adding missing tests or correcting existing tests
* build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
* ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
* chore: Other changes that don't modify src or test files
* revert: Reverts a previous commit
And the [optional scope] consists of an optional parentheses-wrapped scope of your choosing, similarly to how many contributors prefixed their commits previously.
A real-world example:
docs(prerequisites): add `--no-save` to `npm install`
To avoid the mistake fixed by the previous commit, ensure users install
the Node.js dependencies without polluting the lock file by passing
`--no-save` to the `npm install` line.
Change-Id: I10b5cc17b9001fc2e26deee02bf99ce033a949c1
Signed-off-by: Chris Kay <chris.kay(a)arm.com>
If you have the time, please do read up on the specification for additional details – I promise it’s short.
So long, and happy committing. 😊
Regards,
Chris
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Gary Morrison via TF-A <tf-a(a)lists.trustedfirmware.org>
Date: Thursday, 20 May 2021 at 15:59
To: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>
Subject: [TF-A] Trusted Firmware version 2.5 is now available
Trusted Firmware version 2.5 is now available and can be found here:
https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tag/?h=v2.5
https://git.trustedfirmware.org/TF-A/tf-a-tests.git/tag/?h=v2.5
https://git.trustedfirmware.org/hafnium/hafnium.git/tag/?h=v2.5
https://git.trustedfirmware.org/ci/tf-a-ci-scripts.git/tag/?h=v2.5
Please refer to the read-the-docs and change log for further information.
Regards,
Gary Morrison -- Arm
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-a
5 years, 1 month
- 1
- 0
Trusted Firmware version 2.5 is now available
by Gary Morrison
Trusted Firmware version 2.5 is now available and can be found here:
https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tag/?h=v2.5
https://git.trustedfirmware.org/TF-A/tf-a-tests.git/tag/?h=v2.5
https://git.trustedfirmware.org/hafnium/hafnium.git/tag/?h=v2.5
https://git.trustedfirmware.org/ci/tf-a-ci-scripts.git/tag/?h=v2.5
Please refer to the read-the-docs and change log for further information.
Regards,
Gary Morrison -- Arm
5 years, 1 month
- 1
- 0
Re: [TF-A] [PATCH v1] imx8mp: silent uart
by Sandrine Bailleux
Hello Heiko,
Thanks for your patch!
TF-A project uses Gerrit as the review system for patches, would you
mind posting your patch there instead? More details about the patch
submission process can be found here:
https://trustedfirmware-a.readthedocs.io/en/latest/process/contributing.html
Regarding the patch itself, I agree with you that this feature would be
useful to other platforms as well. I wonder whether we need a new build
option for this, though. We already got LOG_LEVEL, which if set to 0,
will effectively silent any console output. However, it will still embed
the console driver code within the firmware, if I am not mistaken. So
perhaps we should change that, and make LOG_LEVEL=0 compile the console
driver code out, in addition to what it already does today.
How does that sound to you?
Regards,
Sandrine
On 5/18/21 4:01 PM, Heiko Schocher via TF-A wrote:
> when bootloaders and kernels console output is disabled,
> (called silent boot) no output on console is recommended.
>
> Add commandline option IMX_BOOT_SILENT to disable
> console registration at all.
>
> Default value is 0, so patch does not change current
> functionality.
>
> Signed-off-by: Heiko Schocher <hs(a)denx.de>
> ---
> I just added this to imx8mp, but may this option is
> useful on other platforms too?
>
> plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c | 4 ++++
> plat/imx/imx8m/imx8mp/platform.mk | 3 +++
> 2 files changed, 7 insertions(+)
>
> diff --git a/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c b/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c
> index 22fbd5e4b..d75143270 100644
> --- a/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c
> +++ b/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c
> @@ -95,7 +95,9 @@ static void bl31_tzc380_setup(void)
> void bl31_early_platform_setup2(u_register_t arg0, u_register_t arg1,
> u_register_t arg2, u_register_t arg3)
> {
> +#if (IMX_BOOT_SILENT == 0)
> static console_t console;
> +#endif
> unsigned int i;
>
> /* Enable CSU NS access permission */
> @@ -109,10 +111,12 @@ void bl31_early_platform_setup2(u_register_t arg0, u_register_t arg1,
>
> imx8m_caam_init();
>
> +#if (IMX_BOOT_SILENT == 0)
> console_imx_uart_register(IMX_BOOT_UART_BASE, IMX_BOOT_UART_CLK_IN_HZ,
> IMX_CONSOLE_BAUDRATE, &console);
> /* This console is only used for boot stage */
> console_set_scope(&console, CONSOLE_FLAG_BOOT);
> +#endif
>
> /*
> * tell BL3-1 where the non-secure software image is located
> diff --git a/plat/imx/imx8m/imx8mp/platform.mk b/plat/imx/imx8m/imx8mp/platform.mk
> index 1d11e3df4..471c96e70 100644
> --- a/plat/imx/imx8m/imx8mp/platform.mk
> +++ b/plat/imx/imx8m/imx8mp/platform.mk
> @@ -54,3 +54,6 @@ $(eval $(call add_define,BL32_SIZE))
>
> IMX_BOOT_UART_BASE ?= 0x30890000
> $(eval $(call add_define,IMX_BOOT_UART_BASE))
> +
> +IMX_BOOT_SILENT ?= 0
> +$(eval $(call add_define,IMX_BOOT_SILENT))
>
5 years, 1 month
- 2
- 1
Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
by François Ozog
Le mer. 19 mai 2021 à 03:58, Madhukar Pappireddy via TF-A <
tf-a(a)lists.trustedfirmware.org> a écrit :
> Hi,
>
> I tried to summarize the discussions in the previous TF-A tech forum
> regarding the proposal to adopt Hand-off Blocks (HOBs) for passing
> information along the boot chain. I am certain I could not capture all
> suggestions/concerns brought up during the call. I apologize if I missed
> and/or misinterpreted any comments and would appreciate it if everyone
> could share their thoughts in response to this email thread.
>
> The idea is to share information to other boot phases:
> > Dynamic information: Created during runtime. Shared in the form of a
> chain of blobs(built as a linked list of C structure objects i.e., HOB
> list).
> > Static information: Known at compile time. Historically, shared through
> the use of Device Tree/ACPI tables
>
> Both the above requirements are common in many ecosystems and need to
> co-exist.
>
> There are broadly 3 problems to solve:
> 1. Format of HOB structures: It looks like the consensus is that we could
> use existing mechanisms for this (BL_AUX_PARAM in TF-A or bloblist in
> u-boot).
> 2. Identification of HOB list entries: There is a debate about whether
> tags would suffice or if the HOB list producer and consumer would depend on
> UUID/GUIDs for identifying a specific HOB structure. Another suggestion was
> to use a hybrid approach. Reserve a single tag ID for
> identifying/constructing a HOB structure that further leverages UUID based
> identifier. This way, the generic HOB list doesn't need to support UUIDs
> and can work with tags.
> 3. The design contract for the static interface between two boot phases:
> The problem at hand is whether to pass a pointer to a HOB list or a device
> tree blob through the general-purpose registers for configuration hand-off
> between two boot phases. Some proposals that came up:
> > Proposal 1: Always pass a pointer to the device tree blob
> through the GP register and capture the pointer to the HOB list as a
> property of a node that is uniquely identifiable by the downstream boot
> phase. This needs to define a device tree binding such that producer and
> consumer agree on the information passed.
> > Proposal 2: Pass a pointer to a generic container through the GP
> register that can be interpreted appropriately by both boot loaders(i.e.,
> producer and consumer of the boot info). This container can either be a dtb
> or a HOB list which can be simply inferred by checking for a magic header
> that indicates if the buffer appears to be a flattened device tree.
> > One another concern that was brought up offline is to make sure
> we don't break current design contracts between various boot loader phases
> in TF-A. Many of the general-purpose registers have a designated purpose
> such as to share configurations between BL images( such as firmware config
> dtb, SoC config dtb, Non trusted firmware config dtb, memory layout, entry
> point info, etc.).
>
there should be another paragraph:
4. Requirements for data representation.
I’ll take two concrete examples related to DIMM slot population and
reporting.
6 years ago (can’t be sure) only DRAM modules could be fitted into DIMM
slots. And then came NVDIMM and flash as DIMM (invented by Diablo
technologies: 1TB of flash on a DIMM with a few MB as IO buffers and
control registers - those memory regions where the only addressable DRAM).
In both cases all firmware chain had to be changed to cope with them. If we
had used self descriptive information passing (CBOR, DT, AML) for DIMM slot
population and not C structure the journey would have been much simpler
with forward and backward compatibility as a major side effect.
So for data representation , I would concur with previous Ron Minnich
@googke comment that we should be using self descriptive information rather
than C structures.
>
> If I am not mistaken, a single design may not fit the needs of every
> segment(client, Infra, embedded) and the forum is open to solutions
> tailored for individual segments. Joanna will be sending a follow up email
> with more information about future TF-A tech forums that serves as a
> platform for further discussions.
>
> Thanks,
> Madhukar
>
> -----Original Message-----
> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Joanna
> Farley via TF-A
> Sent: Sunday, May 16, 2021 5:19 AM
> To: Okash Khawaja <okash.khawaja(a)gmail.com>; Simon Glass <sjg(a)chromium.org
> >
> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot
> Architecture Mailman List <boot-architecture(a)lists.linaro.org>;
> tf-a(a)lists.trustedfirmware.org; Ed Stuber <edstuber(a)amperecomputing.com>;
> Arjun Khare <akhare(a)amperecomputing.com>; U-Boot Mailing List <
> u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich
> <rminnich(a)google.com>; Moe Ammar <moe(a)amperecomputing.com>
> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for
> information passing between boot stages
>
> Apologies I failed with the recording. Manish/Madhu will reply early next
> week with the slides and some notes to help with a follow up session which
> we hope to hold this Thursday. Invite and agenda will also be sent out
> early next week.
>
> Thanks
>
> Joanna
>
> On 14/05/2021, 13:30, "TF-A on behalf of Okash Khawaja via TF-A" <
> tf-a-bounces(a)lists.trustedfirmware.org on behalf of
> tf-a(a)lists.trustedfirmware.org> wrote:
>
> Hi,
>
> Do we have slides and video from last week's discussion?
>
> Thanks,
> Okash
>
>
> On Wed, May 5, 2021 at 11:52 PM Simon Glass via TF-A
> <tf-a(a)lists.trustedfirmware.org> wrote:
> >
> > Hi Harb,
> >
> > Thanks for the idea. I am still not completely sure what benefit
> UUID provides to an open project. I'd like to propose something different,
> more in the spirit of open collaboration. I also worry that the word
> 'standard' seems to be a synonym for UUIDs, UEFI, etc., i.e.
> enabling/preferring closed-source firmware and the continued decline of
> open-source projects. It really should not be.
> >
> > So I suggest: Use simple integer IDs and reserve some area for
> 'private' use. If you want to collaborate across projects outside your
> company, you either need to allocate a 'public' ID or agree privately
> between the parties which private ID to use.
> >
> > This means that the default and easiest option is for collaboration
> and a public ID, with private ones (whose purpose may be secret) reserved
> just for private use.
> >
> > Regards,
> > Simon
> >
> > On Wed, 5 May 2021 at 11:42, Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com> wrote:
> >>
> >> Hey Folks,
> >>
> >> We wanted to put out a middle-ground proposal to help guide the
> discussion on the call tomorrow.
> >>
> >>
> >>
> >> A proposal that we have been discussing offline involves reserving
> a single tag ID for the purpose of construction UEFI PI HOB List structure,
> and that tag would be used to identify a HOB-specific structure that does
> leverage UUID based identifier. This will eliminate the burden of having
> to support UUID as the tag, and this enables projects that require UUID
> based identifiers for the broad range of HOB structures that need to be
> produced during the booting of the platform. Once we have a tag for a HOB
> list, this will enable various HOB producers that can add/extend the HOB
> list in TF-A code (or even pre-TF-A code), with a HOB consumer for that
> UUID/GUID on the other side (i.e. whatever the BL33 image is booting on
> that platform).
> >>
> >>
> >>
> >> Essentially, the idea is if someone would like to support HOB
> structures in a standard way using TF-A, they would wrap it up in a
> BL_AUX_PARAM/BLOB structure (whatever the group decides) and the way we
> identify the structure as a HOB list is with this new reserved tag.
> >>
> >>
> >>
> >> Hopefully that makes sense and less contentious. Look forward to
> discuss this further on the call.
> >>
> >>
> >>
> >> Thanks,
> >>
> >> --Harb
> >>
> >>
> >>
> >> From: Manish Pandey2 <Manish.Pandey2(a)arm.com>
> >> Sent: Friday, April 30, 2021 8:14 AM
> >> To: François Ozog <francois.ozog(a)linaro.org>
> >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <
> jwerner(a)chromium.org>; Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <
> boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org;
> U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <
> paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs)
> for information passing between boot stages
> >>
> >>
> >>
> >> Hi All,
> >>
> >>
> >>
> >> Please find invite for next TF-A Tech Forum session to continue our
> discussions on HOB implementation, feel free to forward it to others.
> >>
> >>
> >>
> >> The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 –
> 17:00 (BST).
> >>
> >>
> >>
> >> Agenda:
> >>
> >> Discussion Session: Static and Dynamic Information Handling in TF-A
> >>
> >> Lead by Manish Pandey and Madhukar Pappireddy
> >>
> >> · There is ongoing mailing lists discussion[1] related with
> adopting a mechanism to pass information through boot stages.
> >>
> >> The requirement is two-fold:
> >>
> >> 1. Passing static information(config files)
> >>
> >> 2. Passing dynamic information (Hob list)
> >>
> >> In the upcoming TF-A tech forum, we can start with a discussion on
> dynamic information passing and if time permits, we can cover static
> information passing. The purpose of the call is to have an open discussion
> and continue the discussion from the trusted-substrate call[2] done
> earlier. We would like to understand the various requirements and possible
> ways to implement it in TF-A in a generalized way so that it can work with
> other Firmware projects.
> >>
> >>
> >>
> >> The two specific item which we would like to discuss are:
> >>
> >> 1. HOB format: TF-A/u-boot both has an existing bloblist
> implementation, which uses tag values. Question, can this be enhanced to
> use hybrid values(Tag and UUID) both?
> >>
> >> 2. Standardization on Physical register use to pass base of
> HoB data structure.
> >>
> >> References:
> >>
> >> [1]
> https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html
> >>
> >> [2]
> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn…
> Passcode: IPn+5q%
> >>
> >>
> >>
> >> Thanks
> >>
> >>
> >>
> >> Joanna
> >>
> >>
> >>
> >> You have been invited to the following event.
> >>
> >> TF-A Tech Forum
> >>
> >> When
> >>
> >> Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time
> >>
> >> Calendar
> >>
> >> tf-a(a)lists.trustedfirmware.org
> >>
> >> Who
> >>
> >> •
> >>
> >> Bill Fletcher- creator
> >>
> >> •
> >>
> >> tf-a(a)lists.trustedfirmware.org
> >>
> >> more details »
> >>
> >>
> >>
> >> We run an open technical forum call for anyone to participate and
> it is not restricted to Trusted Firmware project members. It will operate
> under the guidance of the TF TSC.
> >>
> >>
> >>
> >> Feel free to forward this invite to colleagues. Invites are via the
> TF-A mailing list and also published on the Trusted Firmware website.
> Details are here:
> https://www.trustedfirmware.org/meetings/tf-a-technical-forum/
> >>
> >>
> >>
> >> Trusted Firmware is inviting you to a scheduled Zoom meeting.
> >>
> >>
> >>
> >> Join Zoom Meeting
> >>
> >> https://zoom.us/j/9159704974
> >>
> >>
> >>
> >> Meeting ID: 915 970 4974
> >>
> >>
> >>
> >> One tap mobile
> >>
> >> +16465588656,,9159704974# US (New York)
> >>
> >> +16699009128,,9159704974# US (San Jose)
> >>
> >>
> >>
> >> Dial by your location
> >>
> >> +1 646 558 8656 US (New York)
> >>
> >> +1 669 900 9128 US (San Jose)
> >>
> >> 877 853 5247 US Toll-free
> >>
> >> 888 788 0099 US Toll-free
> >>
> >> Meeting ID: 915 970 4974
> >>
> >> Find your local number: https://zoom.us/u/ad27hc6t7h
> >>
> >>
> >>
> >> ________________________________
> >>
> >> From: François Ozog <francois.ozog(a)linaro.org>
> >> Sent: 08 April 2021 16:50
> >> To: Manish Pandey2 <Manish.Pandey2(a)arm.com>
> >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <
> jwerner(a)chromium.org>; Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <
> boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <
> tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>;
> Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs)
> for information passing between boot stages
> >>
> >>
> >>
> >> Hi
> >>
> >>
> >>
> >> here is the meeting recording:
> >>
> >>
> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn…
> Passcode: IPn+5q%z
> >>
> >>
> >>
> >> I am really sorry about the confusion related to the meeting time.
> I have now understood: the Collaborate portal uses a specific calendar
> which is tied to US/Chicago timezone while the actual Google Calendar is
> tied to Central Europe timezone. I am going to drop the Collaborate portal
> and use a shared Google calendar (it should be visible on the
> trusted-substrate.org page).
> >>
> >>
> >>
> >> I'll try to summarize what I learnt and highlight my view on what
> can be next steps in a future mail.
> >>
> >>
> >>
> >> Cheers
> >>
> >>
> >>
> >> FF
> >>
> >>
> >>
> >> On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <
> tf-a(a)lists.trustedfirmware.org> wrote:
> >>
> >> Hi,
> >>
> >>
> >>
> >> From TF-A project point of view, we prefer to use existing
> mechanism to pass parameters across boot stages using linked list of tagged
> elements (as suggested by Julius). It has support for both generic and
> SiP-specific tags. Having said that, it does not stop partners to introduce
> new mechanisms suitable for their usecase in platform port initially and
> later move to generic code if its suitable for other platforms.
> >>
> >>
> >>
> >> To start with, Ampere can introduce a platform specific
> implementation of memory tag(speed/NUMA topology etc) which can be
> evaluated and discussed for generalization in future. The tag will be
> populated in BL2 stage and can be forwarded to further stages(and to BL33)
> by passing the head of list pointer in one of the registers. Initially any
> register can be used but going forward a standardization will be needed.
> >>
> >>
> >>
> >> The U-boot bloblist mentioned by Simon is conceptually similar to
> what TF-A is using, if there is consensus of using bloblist/taglist then
> TF-A tag list may be enhanced to take best of both the implementations.
> >>
> >>
> >>
> >> One of the potential problems of having structure used in different
> projects is maintainability, this can be avoided by having a single copy of
> these structures in TF-A (kept inside "include/export" which intended to be
> used by other projects.)
> >>
> >>
> >>
> >> Regarding usage of either UUID or tag, I echo the sentiments of
> Simon and Julius to keep it simple and use tag values.
> >>
> >>
> >>
> >> Looking forward to having further discussions on zoom call today.
> >>
> >>
> >>
> >> Thanks
> >>
> >> Manish P
> >>
> >>
> >>
> >> ________________________________
> >>
> >> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of
> Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org>
> >> Sent: 25 March 2021 02:43
> >> To: Simon Glass <sjg(a)chromium.org>
> >> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot
> Architecture Mailman List <boot-architecture(a)lists.linaro.org>;
> tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot
> Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>;
> Ron Minnich <rminnich(a)google.com>
> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs)
> for information passing between boot stages
> >>
> >>
> >>
> >> Just want to point out that TF-A currently already supports a (very
> simple) mechanism like this:
> >>
> >>
> >>
> >>
> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
> >>
> >>
> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
> >>
> >>
> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
> >>
> >>
> >>
> >> It's just a linked list of tagged elements. The tag space is split
> into TF-A-wide generic tags and SiP-specific tags (with plenty of room to
> spare if more areas need to be defined -- a 64-bit tag can fit a lot). This
> is currently being used by some platforms that run coreboot in place of
> BL1/BL2, to pass information from coreboot (BL2) to BL31.
> >>
> >>
> >>
> >> I would echo Simon's sentiment of keeping this as simple as
> possible and avoiding complicated and bloated data structures with UUIDs.
> You usually want to parse something like this as early as possible in the
> passed-to firmware stage, particularly if the structure encodes information
> about the debug console (like it does for the platforms I mentioned above).
> For example, in BL31 this basically means doing it right after moving from
> assembly to C in bl31_early_platform_setup2() to get the console up before
> running anything else. At that point in the BL31 initialization, the MMU
> and caches are disabled, so data accesses are pretty expensive and you
> don't want to spend a lot of parsing effort or calculate complicated
> checksums or the like. You just want something extremely simple where you
> ideally have to touch every data word only once.
> >>
> >>
> >>
> >> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <
> tf-a(a)lists.trustedfirmware.org> wrote:
> >>
> >> Hi Harb,
> >>
> >>
> >>
> >> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com> wrote:
> >>
> >> Hello Folks,
> >>
> >> Appreciate the feedback and replies on this. Glad to see that
> there is interest in this topic.
> >>
> >>
> >>
> >> I try to address the comments/feedback from Francois and Simon
> below….
> >>
> >>
> >>
> >> @François Ozog – happy to discuss this on a zoom call. I will make
> that time slot work, and will be available to attend April 8, 4pm CT.
> >>
> >>
> >>
> >> Note that I’m using the term “HOB” here more generically, as there
> are typically vendor specific structures beyond the resource descriptor
> HOB, which provides only a small subset of the information that needs to be
> passed between the boot phases.
> >>
> >>
> >>
> >> The whole point here is to provide mechanism to develop firmware
> that we can build ARM Server SoC’s that support *any* BL33 payload (e.g.
> EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at
> some point). In other-words, we are trying to come up with a TF-A that
> would be completely agnostic to the implementation of BL33 (i.e. BL33 is
> built completely independently by a separate entity – e.g. an ODM/OEM).
> >>
> >>
> >>
> >> Keep in mind, in the server/datacenter market segment we are not
> building vertically integrated systems with a single entity compiling
> firmware/software stacks like most folks in TF-A have become use to. There
> are two categories of higher level firmware code blobs in the
> server/datacenter model:
> >>
> >> “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2,
> BL31, and *possibly* one or more BL32 instances
> >> “Platform” or “board” firmware – in TF-A this may map to BL33 and
> *possibly* one or more BL32 instances.
> >>
> >>
> >>
> >> Even the platform firmware stack could be further fragmented by
> having multiple entities involved in delivering the entire firmware stack:
> IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code.
> >>
> >>
> >>
> >> To support a broad range of platform designs with a broad range of
> memory devices, we need a crisp and clear contract between the SoC firmware
> that initializes memory (e.g. BL2) and how that platform boot firmware
> (e.g. BL33) gathers information about what memory that was initialized, at
> what speeds, NUMA topology, and many other relevant information that needs
> to be known and comprehended by the platform firmware and eventually by the
> platform software.
> >>
> >>
> >>
> >> I understand the versatility of DT, but I see two major problems
> with DT:
> >>
> >> DT requires more complicated parsing to get properties, and even
> more complex to dynamically set properties – this HOB structures may need
> to be generated in boot phases where DDR is not available, and therefore we
> will be extremely memory constrained.
> >> DT is probably overkill for this purpose – We really just want a
> list of pointers to simple C structures that code cast (e.g. JEDEC SPD data
> blob)
> >>
> >>
> >>
> >> I think that we should not mix the efforts around DT/ACPI specs
> with what we are doing here, because those specs and concepts were
> developed for a completely different purpose (i.e. abstractions needed for
> OS / RTOS software, and not necessarily suitable for firmware-to-firmware
> hand-offs).
> >>
> >>
> >>
> >> Frankly, I would personally push back pretty hard on defining SMC’s
> for something that should be one way information passing. Every SMC we add
> is another attack vector to the secure world and an increased burden on the
> folks that have to do security auditing and threat analysis. I see no
> benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls.
> >>
> >>
> >>
> >> Please do let me know if you disagree and why. Look forward to
> discussing on this thread or on the call.
> >>
> >>
> >>
> >> @Simon Glass - Thanks for the pointer to bloblist. I briefly
> reviewed and it seems like a good baseline for what we may be looking for.
> >>
> >>
> >>
> >> That being said, I would say that there is some benefit in having
> some kind of unique identifiers (e.g. UUID or some unique signature) so
> that we can tie standardized data structures (based on some future TBD
> specs) to a particular ID. For example, if the TPM driver in BL33 is
> looking for the TPM structure in the HOB/BOB list, and may not care about
> the other data blobs. The driver needs a way to identify and locate the
> blob it cares about.
> >>
> >>
> >>
> >> The tag is intended to serve that purpose, although perhaps it
> should switch from an auto-allocating enum to one with explicit values for
> each entry and a range for 'local' use.
> >>
> >>
> >>
> >> I guess we can achieve this with the tag, but the problem with tag
> when you have eco-system with a lot of parties doing parallel development,
> you can end up with tag collisions and folks fighting about who has rights
> to what tag values. We would need some official process for folks to
> register tags for whatever new structures we define, or maybe some tag
> range for vendor specific structures. This comes with a lot of pain and
> bureaucracy. On the other hand, UUID has been a proven way to make it easy
> to just define your own blobs with *either* standard or vendor specific
> structures without worry of ID collisions between vendors.
> >>
> >>
> >>
> >> True. I think the pain is overstated, though. In this case I think
> we actually want something that can be shared between projects and orgs, so
> some amount of coordination could be considered a benefit. It could just be
> a github pull request. I find the UUID unfriendly and not just to code size
> and eyesight! Trying to discover what GUIDs mean or are valid is quite
> tricky. E.g. see this code:
> >>
> >>
> >>
> >> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \
> >> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \
> >> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55)
> >>
> >> (etc.)
> >>
> >>
> >>
> >> static struct guid_name {
> >> efi_guid_t guid;
> >> const char *name;
> >> } guid_name[] = {
> >> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" },
> >> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" },
> >> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" },
> >> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" },
> >> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" },
> >> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" },
> >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" },
> >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" },
> >>
> >> (never figured out what those two are)
> >>
> >>
> >> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" },
> >> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" },
> >> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" },
> >> { {}, "zero-guid" },
> >> {}
> >> };
> >>
> >> static const char *guid_to_name(const efi_guid_t *guid)
> >> {
> >> struct guid_name *entry;
> >>
> >> for (entry = guid_name; entry->name; entry++) {
> >> if (!guidcmp(guid, &entry->guid))
> >> return entry->name;
> >> }
> >>
> >> return NULL;
> >> }
> >>
> >>
> >>
> >> Believe it or not it took a fair bit of effort to find just that
> small list, with nearly every one in a separate doc, from memory.
> >>
> >>
> >>
> >>
> >>
> >> We can probably debate whether there is any value in GUID/UUID or
> not during the call… but again, boblist seems like a reasonable starting
> point as an alternative to HOB.
> >>
> >>
> >>
> >> Indeed. There is certainly value in both approaches.
> >>
> >>
> >>
> >> Regards,
> >>
> >> Simon
> >>
> >>
> >>
> >>
> >>
> >> Thanks,
> >>
> >> --Harb
> >>
> >>
> >>
> >> From: François Ozog <francois.ozog(a)linaro.org>
> >> Sent: Tuesday, March 23, 2021 10:00 AM
> >> To: François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <
> rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org>
> >> Cc: Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <
> boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org
> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs)
> for information passing between boot stages
> >>
> >>
> >>
> >> +Ron Minnich +Paul Isaac's
> >>
> >>
> >>
> >> Adding Ron and Paul because I think this interface should be also
> benefiting LinuxBoot efforts.
> >>
> >>
> >>
> >> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <
> tf-a(a)lists.trustedfirmware.org> wrote:
> >>
> >> Hi,
> >>
> >>
> >>
> >> I propose we cover the topic at the next Trusted Substrate zoom
> call on April 8th 4pm CET.
> >>
> >>
> >>
> >> The agenda:
> >>
> >> ABI between non-secure firmware and the rest of firmware (EL3,
> S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions.
> >>
> >> runtime conditions here relates to DRAM size and topology
> detection, secure DRAM memory carvings, PSCI and SCMI interface publishing.
> >>
> >>
> >>
> >> For additional background on existing metadata: UEFI Platform
> Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB
> >>
> >> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY.
> >>
> >> This HOB lacks memory NUMA attachment or something that could be
> related to fill SRAT table for ACPI or relevant DT proximity domains.
> >>
> >> HOB is not consistent accros platforms: some platforms (Arm) lists
> memory from the booting NUMA node, other platforms (x86) lists all memory
> from all NUMA nodes. (At least this is the case on the two platforms I
> tested).
> >>
> >>
> >>
> >> There are two proposals to use memory structures from SPL/BLx up to
> the handover function (as defined in the Device Tree technical report)
> which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or
> EDK2.
> >>
> >> I would propose we also discuss possibility of FF-A interface to
> actually query information or request actions to be done (this is a model
> actually used in some SoCs with proprietary SMC calls).
> >>
> >>
> >>
> >> Requirements (to be validated):
> >>
> >> - ACPI and DT hardware descriptions.
> >>
> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2)
> >>
> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2,
> TF-A/LinuxBoot)
> >>
> >> - at least allows complete DRAM description and "persistent" usage
> (reserved areas for secure world or other usages)
> >>
> >> - support secure world device assignment
> >>
> >>
> >>
> >> Cheers
> >>
> >>
> >>
> >> FF
> >>
> >>
> >>
> >>
> >>
> >> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote:
> >>
> >> Hi,
> >>
> >> Can I suggest using bloblist for this instead? It is lightweight,
> >> easier to parse, doesn't have GUIDs and is already used within
> U-Boot
> >> for passing info between SPL/U-Boot, etc.
> >>
> >> Docs here:
> https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist
> >> Header file describes the format:
> >> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h
> >>
> >> Full set of unit tests:
> >> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c
> >>
> >> Regards,
> >> Simon
> >>
> >> On Mon, 22 Mar 2021 at 23:58, François Ozog <
> francois.ozog(a)linaro.org> wrote:
> >> >
> >> > +Boot Architecture Mailman List <
> boot-architecture(a)lists.linaro.org>
> >> >
> >> > standardization is very much welcomed here and need to
> accommodate a very
> >> > diverse set of situations.
> >> > For example, TEE OS may need to pass memory reservations to BL33
> or
> >> > "capture" a device for the secure world.
> >> >
> >> > I have observed a number of architectures:
> >> > 1) pass information from BLx to BLy in the form of a specific
> object
> >> > 2) BLx called by BLy by a platform specific SMC to get information
> >> > 3) BLx called by BLy by a platform specific SMC to perform Device
> Tree
> >> > fixups
> >> >
> >> > I also imagined a standardized "broadcast" FF-A call so that any
> firmware
> >> > element can either provide information or "do something".
> >> >
> >> > My understanding of your proposal is about standardizing on
> architecture 1)
> >> > with the HOB format.
> >> >
> >> > The advantage of the HOB is simplicity but it may be difficult to
> implement
> >> > schemes such as pruning a DT because device assignment in the
> secure world.
> >> >
> >> > In any case, it looks feasible to have TF-A and OP-TEE complement
> the list
> >> > of HOBs to pass information downstream (the bootflow).
> >> >
> >> > It would be good to start with building the comprehensive list of
> >> > information that need to be conveyed between firmware elements:
> >> >
> >> > information. | authoritative entity | reporting entity |
> information
> >> > exchanged:
> >> > dram | TFA | TFA
> |
> >> > <format to be detailed, NUMA topology to build the SRAT table or
> DT
> >> > equivalent?>
> >> > PSCI | SCP | TFA?
> |
> >> > SCMI | SCP or TEE-OS | TFA? TEE-OS?|
> >> > secure SRAM | TFA. | TFA. |
> >> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? |
> >> > other? | |
> >> > |
> >> >
> >> > Cheers
> >> >
> >> > FF
> >> >
> >> >
> >> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A <
> >> > tf-a(a)lists.trustedfirmware.org> wrote:
> >> >
> >> > > Hello Folks,
> >> > >
> >> > >
> >> > >
> >> > > I'm emailing to start an open discussion about the adoption of
> a concept
> >> > > known as "hand-off blocks" or HOB to become a part of the TF-A
> Firmware
> >> > > Framework Architecture (FFA). This is something that is a
> pretty major
> >> > > pain point when it comes to the adoption of TF-A in ARM Server
> SoC’s
> >> > > designed to enable a broad range of highly configurable
> datacenter
> >> > > platforms.
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > What is a HOB (Background)?
> >> > >
> >> > > ---------------------------
> >> > >
> >> > > UEFI PI spec describes a particular definition for how HOB may
> be used for
> >> > > transitioning between the PEI and DXE boot phases, which is a
> good
> >> > > reference point for this discussion, but not necessarily the
> exact solution
> >> > > appropriate for TF-A.
> >> > >
> >> > >
> >> > >
> >> > > A HOB is simply a dynamically generated data structure passed
> in between
> >> > > two boot phases. This is information that was obtained through
> discovery
> >> > > and needs to be passed forward to the next boot phase *once*,
> with no API
> >> > > needed to call back (e.g. no call back into previous firmware
> phase is
> >> > > needed to fetch this information at run-time - it is simply
> passed one time
> >> > > during boot).
> >> > >
> >> > >
> >> > >
> >> > > There may be one or more HOBs passed in between boot phases.
> If there are
> >> > > more than one HOB that needs to be passed, this can be in a
> form of a "HOB
> >> > > table", which (for example) could be a UUID indexed array of
> pointers to
> >> > > HOB structures, used to locate a HOB of interest (based on
> UUID). In such
> >> > > cases, instead of passing a single HOB, the boot phases may
> rely on passing
> >> > > the pointer to the HOB table.
> >> > >
> >> > >
> >> > >
> >> > > This has been extremely useful concept to employ on highly
> configurable
> >> > > systems that must rely on flexible discovery mechanisms to
> initialize and
> >> > > boot the system. This is especially helpful when you have
> multiple
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > Why do we need HOBs in TF-A?:
> >> > >
> >> > > -----------------------------
> >> > >
> >> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM
> Server SoC in
> >> > > a way that is SoC specific *but* platform agnostic. This means
> that a
> >> > > single ARM SoC that a SiP may deliver to customers may provide
> a single
> >> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support
> a broad
> >> > > range of platform designs and configurations in order to boot a
> platform
> >> > > specific firmware (e.g. BL33 and possibly even BL32 code). In
> order to
> >> > > achieve this, the platform configuration must be *discovered*
> instead of
> >> > > statically compiled as it is today in TF-A via device tree based
> >> > > enumeration. The mechanisms of discovery may differ broadly
> depending on
> >> > > the relevant industry standard, or in some cases may have rely
> on SiP
> >> > > specific discovery flows.
> >> > >
> >> > >
> >> > >
> >> > > For example: On server systems that support a broad range DIMM
> memory
> >> > > population/topologies, all the necessary information required
> to boot is
> >> > > fully discovered via standard JEDEC Serial Presence Detect
> (SPD) over an
> >> > > I2C bus. Leveraging the SPD bus, may platform variants could
> be supported
> >> > > with a single TF-A binary. Not only is this information
> required to
> >> > > initialize memory in early boot phases (e.g. BL2), the
> subsequent boot
> >> > > phases will also need this SPD info to construct a system
> physical address
> >> > > map and properly initialize the MMU based on the memory
> present, and where
> >> > > the memory may be present. Subsequent boot phases (e.g. BL33 /
> UEFI) may
> >> > > need to generate standard firmware tables to the operating
> systems, such as
> >> > > SMBIOS tables describing DIMM topology and various ACPI tables
> (e.g. SLIT,
> >> > > SRAT, even NFIT if NVDIMM's are present).
> >> > >
> >> > >
> >> > >
> >> > > In short, it all starts with a standardized or vendor specific
> discovery
> >> > > flow in an early boot stage (e.g. BL1/BL2), followed by the
> passing of
> >> > > information to the next boot stages (e.g. BL31/BL32/BL33).
> >> > >
> >> > >
> >> > >
> >> > > Today, every HOB may be a vendor specific structure, but in the
> future
> >> > > there may be benefit of defining standard HOBs. This may be
> useful for
> >> > > memory discovery, passing the system physical address map,
> enabling TPM
> >> > > measured boot, and potentially many other common HOB use-cases.
> >> > >
> >> > >
> >> > >
> >> > > It would be extremely beneficial to the datacenter market
> segment if the
> >> > > TF-A community would adopt this concept of information passing
> between all
> >> > > boot phases as opposed to rely solely on device tree
> enumeration. This is
> >> > > not intended to replace device tree, rather intended as an
> alternative way
> >> > > to describe the info that must be discovered and dynamically
> generated.
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > Conclusion:
> >> > >
> >> > > -----------
> >> > >
> >> > > We are proposing that the TF-A community begin pursuing the
> adoption of
> >> > > HOBs as a mechanism used for information exchange between each
> boot stage
> >> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer
> term we
> >> > > want to explore standardizing some HOB structures for the BL33
> phase (e.g.
> >> > > UEFI HOB structures), but initially would like to agree on this
> being a
> >> > > useful mechanism used to pass information between each boot
> stage.
> >> > >
> >> > >
> >> > >
> >> > > Thanks,
> >> > >
> >> > > --Harb
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > --
> >> > > TF-A mailing list
> >> > > TF-A(a)lists.trustedfirmware.org
> >> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> >> > >
> >> >
> >> >
> >> > --
> >> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing
> Group*
> >> > T: +33.67221.6485
> >> > francois.ozog(a)linaro.org | Skype: ffozog
> >> > _______________________________________________
> >> > boot-architecture mailing list
> >> > boot-architecture(a)lists.linaro.org
> >> > https://lists.linaro.org/mailman/listinfo/boot-architecture
> >>
> >>
> >>
> >>
> >> --
> >>
> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
> >>
> >> T: +33.67221.6485
> >> francois.ozog(a)linaro.org | Skype: ffozog
> >>
> >>
> >>
> >> --
> >> TF-A mailing list
> >> TF-A(a)lists.trustedfirmware.org
> >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> >>
> >>
> >>
> >>
> >> --
> >>
> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
> >>
> >> T: +33.67221.6485
> >> francois.ozog(a)linaro.org | Skype: ffozog
> >>
> >>
> >>
> >> --
> >> TF-A mailing list
> >> TF-A(a)lists.trustedfirmware.org
> >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> >>
> >> --
> >> TF-A mailing list
> >> TF-A(a)lists.trustedfirmware.org
> >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> >>
> >>
> >>
> >>
> >> --
> >>
> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
> >>
> >> T: +33.67221.6485
> >> francois.ozog(a)linaro.org | Skype: ffozog
> >>
> >>
> >
> > --
> > TF-A mailing list
> > TF-A(a)lists.trustedfirmware.org
> > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
5 years, 1 month
- 1
- 0
Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
by François Ozog
Le mer. 19 mai 2021 à 23:51, Jeremy Linton via TF-A <
tf-a(a)lists.trustedfirmware.org> a écrit :
> On 5/18/21 8:59 PM, Madhukar Pappireddy via TF-A wrote:
> > Hi,
> >
> > I tried to summarize the discussions in the previous TF-A tech forum
> regarding the proposal to adopt Hand-off Blocks (HOBs) for passing
> information along the boot chain. I am certain I could not capture all
> suggestions/concerns brought up during the call. I apologize if I missed
> and/or misinterpreted any comments and would appreciate it if everyone
> could share their thoughts in response to this email thread.
> >
> > The idea is to share information to other boot phases:
> >> Dynamic information: Created during runtime. Shared in the form of a
> chain of blobs(built as a linked list of C structure objects i.e., HOB
> list).
> >> Static information: Known at compile time. Historically, shared through
> the use of Device Tree/ACPI tables
> >
> > Both the above requirements are common in many ecosystems and need to
> co-exist.
> >
> > There are broadly 3 problems to solve:
> > 1. Format of HOB structures: It looks like the consensus is that we
> could use existing mechanisms for this (BL_AUX_PARAM in TF-A or bloblist in
> u-boot).
> > 2. Identification of HOB list entries: There is a debate about whether
> tags would suffice or if the HOB list producer and consumer would depend on
> UUID/GUIDs for identifying a specific HOB structure. Another suggestion was
> to use a hybrid approach. Reserve a single tag ID for
> identifying/constructing a HOB structure that further leverages UUID based
> identifier. This way, the generic HOB list doesn't need to support UUIDs
> and can work with tags.
> > 3. The design contract for the static interface between two boot phases:
> The problem at hand is whether to pass a pointer to a HOB list or a device
> tree blob through the general-purpose registers for configuration hand-off
> between two boot phases. Some proposals that came up:
> > > Proposal 1: Always pass a pointer to the device tree blob
> through the GP register and capture the pointer to the HOB list as a
> property of a node that is uniquely identifiable by the downstream boot
> phase. This needs to define a device tree binding such that producer and
> consumer agree on the information passed.
>
>
> Using DT to pass platform info at this level is sort of crazy on an ACPI
> machine which won't have native DTs. Meaning there is an additional
> level of unnecessary indirection that needs to be converted back into a
> format which can be utilized by AML and other parts of the ACPI stack.
I would love the BL33 becomes a product maker (using a board vendor
product) decision: using EDK2, U-Boot, LinuxBoot or even Xen directly as
BL33.
If this is a goal , then there will be a need for a translation layer
between the firmware framework (tfa, core boot, uboot SPL) formats and the
non secure firmware format.
If this is not a goal then I agree that passing a DT in an ACPI system is
suboptimal. That said there is a UEFI PI HOB that is a DT container and
used in existing systems. And conversely, in systems with complex MDIO or
other hardware without ACPI representation (serdes), it does not make sense
to bring ACPI stuff.
The easiest path is to not give a choice of BL33 and have a format for each
“realm”: DT or ACPI.
>
> Its also helpful to look at what has become of the rpi4 uefi port, where
> the DT is actually dynamic (or provided by the user, complete with HAT
> overlays) and fed into the lower level firmware and propagated up
> through the system. The result has frequently been subtle bugs or boot
> failures because the DT provided by the rpi foundation as part of their
> low level firwmare+kernel stack is modified by their low level firwmare,
> and it differs from the DT in mainline linux. So more than once we have
> discovered that there isn't a single DT that can be boot both the
> current firmware and a current mainline linux. In the past there was
> even an option to use one DT for the firmware and an entirely seperate
> one for linux, but that was removed when it bacame apparent you couldn't
> have the lower level firmwaer say modifying MMIO windows for the PCIe
> subsystem and not propogate that into the other user supplied DT.
>
ACPI shows that firmware provided hardware description makes life easier.
That’s why Arm SystemReady-IR states that it should be the case for DT too.
RPI4 and beaglebone have had different strategies and each with good and
bad things. The Linaro Device Tree Evolution open project is tackling
diverse aspects of DT including proper handling hats, and other runtime
adaptations.
>
> At this point the uefi firmware on the rpi will provide a DT if asked,
> but it doesn't parse it nor does anything in the AML. Instead everything
> is done directly against the hardware, even when the HW registers aren't
> well documented.That is in large parts because the AML requirements are
> a lot different than what is provided in the DT.
>
>
>
> > > Proposal 2: Pass a pointer to a generic container through the GP
> register that can be interpreted appropriately by both boot loaders(i.e.,
> producer and consumer of the boot info). This container can either be a dtb
> or a HOB list which can be simply inferred by checking for a magic header
> that indicates if the buffer appears to be a flattened device tree.
> > > One another concern that was brought up offline is to make sure
> we don't break current design contracts between various boot loader phases
> in TF-A. Many of the general-purpose registers have a designated purpose
> such as to share configurations between BL images( such as firmware config
> dtb, SoC config dtb, Non trusted firmware config dtb, memory layout, entry
> point info, etc.).
> >
> > If I am not mistaken, a single design may not fit the needs of every
> segment(client, Infra, embedded) and the forum is open to solutions
> tailored for individual segments. Joanna will be sending a follow up email
> with more information about future TF-A tech forums that serves as a
> platform for further discussions.
> >
> > Thanks,
> > Madhukar
> >
> > -----Original Message-----
> > From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Joanna
> Farley via TF-A
> > Sent: Sunday, May 16, 2021 5:19 AM
> > To: Okash Khawaja <okash.khawaja(a)gmail.com>; Simon Glass <
> sjg(a)chromium.org>
> > Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot
> Architecture Mailman List <boot-architecture(a)lists.linaro.org>;
> tf-a(a)lists.trustedfirmware.org; Ed Stuber <edstuber(a)amperecomputing.com>;
> Arjun Khare <akhare(a)amperecomputing.com>; U-Boot Mailing List <
> u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich
> <rminnich(a)google.com>; Moe Ammar <moe(a)amperecomputing.com>
> > Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for
> information passing between boot stages
> >
> > Apologies I failed with the recording. Manish/Madhu will reply early
> next week with the slides and some notes to help with a follow up session
> which we hope to hold this Thursday. Invite and agenda will also be sent
> out early next week.
> >
> > Thanks
> >
> > Joanna
> >
> > On 14/05/2021, 13:30, "TF-A on behalf of Okash Khawaja via TF-A" <
> tf-a-bounces(a)lists.trustedfirmware.org on behalf of
> tf-a(a)lists.trustedfirmware.org> wrote:
> >
> > Hi,
> >
> > Do we have slides and video from last week's discussion?
> >
> > Thanks,
> > Okash
> >
> >
> > On Wed, May 5, 2021 at 11:52 PM Simon Glass via TF-A
> > <tf-a(a)lists.trustedfirmware.org> wrote:
> > >
> > > Hi Harb,
> > >
> > > Thanks for the idea. I am still not completely sure what benefit
> UUID provides to an open project. I'd like to propose something different,
> more in the spirit of open collaboration. I also worry that the word
> 'standard' seems to be a synonym for UUIDs, UEFI, etc., i.e.
> enabling/preferring closed-source firmware and the continued decline of
> open-source projects. It really should not be.
> > >
> > > So I suggest: Use simple integer IDs and reserve some area for
> 'private' use. If you want to collaborate across projects outside your
> company, you either need to allocate a 'public' ID or agree privately
> between the parties which private ID to use.
> > >
> > > This means that the default and easiest option is for
> collaboration and a public ID, with private ones (whose purpose may be
> secret) reserved just for private use.
> > >
> > > Regards,
> > > Simon
> > >
> > > On Wed, 5 May 2021 at 11:42, Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com> wrote:
> > >>
> > >> Hey Folks,
> > >>
> > >> We wanted to put out a middle-ground proposal to help guide the
> discussion on the call tomorrow.
> > >>
> > >>
> > >>
> > >> A proposal that we have been discussing offline involves
> reserving a single tag ID for the purpose of construction UEFI PI HOB List
> structure, and that tag would be used to identify a HOB-specific structure
> that does leverage UUID based identifier. This will eliminate the burden
> of having to support UUID as the tag, and this enables projects that
> require UUID based identifiers for the broad range of HOB structures that
> need to be produced during the booting of the platform. Once we have a tag
> for a HOB list, this will enable various HOB producers that can add/extend
> the HOB list in TF-A code (or even pre-TF-A code), with a HOB consumer for
> that UUID/GUID on the other side (i.e. whatever the BL33 image is booting
> on that platform).
> > >>
> > >>
> > >>
> > >> Essentially, the idea is if someone would like to support HOB
> structures in a standard way using TF-A, they would wrap it up in a
> BL_AUX_PARAM/BLOB structure (whatever the group decides) and the way we
> identify the structure as a HOB list is with this new reserved tag.
> > >>
> > >>
> > >>
> > >> Hopefully that makes sense and less contentious. Look forward
> to discuss this further on the call.
> > >>
> > >>
> > >>
> > >> Thanks,
> > >>
> > >> --Harb
> > >>
> > >>
> > >>
> > >> From: Manish Pandey2 <Manish.Pandey2(a)arm.com>
> > >> Sent: Friday, April 30, 2021 8:14 AM
> > >> To: François Ozog <francois.ozog(a)linaro.org>
> > >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <
> jwerner(a)chromium.org>; Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <
> boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org;
> U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <
> paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
> > >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks
> (HOBs) for information passing between boot stages
> > >>
> > >>
> > >>
> > >> Hi All,
> > >>
> > >>
> > >>
> > >> Please find invite for next TF-A Tech Forum session to continue
> our discussions on HOB implementation, feel free to forward it to others.
> > >>
> > >>
> > >>
> > >> The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00
> – 17:00 (BST).
> > >>
> > >>
> > >>
> > >> Agenda:
> > >>
> > >> Discussion Session: Static and Dynamic Information Handling in
> TF-A
> > >>
> > >> Lead by Manish Pandey and Madhukar Pappireddy
> > >>
> > >> · There is ongoing mailing lists discussion[1] related
> with adopting a mechanism to pass information through boot stages.
> > >>
> > >> The requirement is two-fold:
> > >>
> > >> 1. Passing static information(config files)
> > >>
> > >> 2. Passing dynamic information (Hob list)
> > >>
> > >> In the upcoming TF-A tech forum, we can start with a discussion
> on dynamic information passing and if time permits, we can cover static
> information passing. The purpose of the call is to have an open discussion
> and continue the discussion from the trusted-substrate call[2] done
> earlier. We would like to understand the various requirements and possible
> ways to implement it in TF-A in a generalized way so that it can work with
> other Firmware projects.
> > >>
> > >>
> > >>
> > >> The two specific item which we would like to discuss are:
> > >>
> > >> 1. HOB format: TF-A/u-boot both has an existing bloblist
> implementation, which uses tag values. Question, can this be enhanced to
> use hybrid values(Tag and UUID) both?
> > >>
> > >> 2. Standardization on Physical register use to pass base of
> HoB data structure.
> > >>
> > >> References:
> > >>
> > >> [1]
> https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html
> > >>
> > >> [2]
> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn…
> Passcode: IPn+5q%
> > >>
> > >>
> > >>
> > >> Thanks
> > >>
> > >>
> > >>
> > >> Joanna
> > >>
> > >>
> > >>
> > >> You have been invited to the following event.
> > >>
> > >> TF-A Tech Forum
> > >>
> > >> When
> > >>
> > >> Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time
> > >>
> > >> Calendar
> > >>
> > >> tf-a(a)lists.trustedfirmware.org
> > >>
> > >> Who
> > >>
> > >> •
> > >>
> > >> Bill Fletcher- creator
> > >>
> > >> •
> > >>
> > >> tf-a(a)lists.trustedfirmware.org
> > >>
> > >> more details »
> > >>
> > >>
> > >>
> > >> We run an open technical forum call for anyone to participate
> and it is not restricted to Trusted Firmware project members. It will
> operate under the guidance of the TF TSC.
> > >>
> > >>
> > >>
> > >> Feel free to forward this invite to colleagues. Invites are via
> the TF-A mailing list and also published on the Trusted Firmware website.
> Details are here:
> https://www.trustedfirmware.org/meetings/tf-a-technical-forum/
> > >>
> > >>
> > >>
> > >> Trusted Firmware is inviting you to a scheduled Zoom meeting.
> > >>
> > >>
> > >>
> > >> Join Zoom Meeting
> > >>
> > >> https://zoom.us/j/9159704974
> > >>
> > >>
> > >>
> > >> Meeting ID: 915 970 4974
> > >>
> > >>
> > >>
> > >> One tap mobile
> > >>
> > >> +16465588656,,9159704974# US (New York)
> > >>
> > >> +16699009128,,9159704974# US (San Jose)
> > >>
> > >>
> > >>
> > >> Dial by your location
> > >>
> > >> +1 646 558 8656 US (New York)
> > >>
> > >> +1 669 900 9128 US (San Jose)
> > >>
> > >> 877 853 5247 US Toll-free
> > >>
> > >> 888 788 0099 US Toll-free
> > >>
> > >> Meeting ID: 915 970 4974
> > >>
> > >> Find your local number: https://zoom.us/u/ad27hc6t7h
> > >>
> > >>
> > >>
> > >> ________________________________
> > >>
> > >> From: François Ozog <francois.ozog(a)linaro.org>
> > >> Sent: 08 April 2021 16:50
> > >> To: Manish Pandey2 <Manish.Pandey2(a)arm.com>
> > >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <
> jwerner(a)chromium.org>; Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <
> boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <
> tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>;
> Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
> > >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks
> (HOBs) for information passing between boot stages
> > >>
> > >>
> > >>
> > >> Hi
> > >>
> > >>
> > >>
> > >> here is the meeting recording:
> > >>
> > >>
> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn…
> Passcode: IPn+5q%z
> > >>
> > >>
> > >>
> > >> I am really sorry about the confusion related to the meeting
> time. I have now understood: the Collaborate portal uses a specific
> calendar which is tied to US/Chicago timezone while the actual Google
> Calendar is tied to Central Europe timezone. I am going to drop the
> Collaborate portal and use a shared Google calendar (it should be visible
> on the trusted-substrate.org page).
> > >>
> > >>
> > >>
> > >> I'll try to summarize what I learnt and highlight my view on
> what can be next steps in a future mail.
> > >>
> > >>
> > >>
> > >> Cheers
> > >>
> > >>
> > >>
> > >> FF
> > >>
> > >>
> > >>
> > >> On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <
> tf-a(a)lists.trustedfirmware.org> wrote:
> > >>
> > >> Hi,
> > >>
> > >>
> > >>
> > >> From TF-A project point of view, we prefer to use existing
> mechanism to pass parameters across boot stages using linked list of tagged
> elements (as suggested by Julius). It has support for both generic and
> SiP-specific tags. Having said that, it does not stop partners to introduce
> new mechanisms suitable for their usecase in platform port initially and
> later move to generic code if its suitable for other platforms.
> > >>
> > >>
> > >>
> > >> To start with, Ampere can introduce a platform specific
> implementation of memory tag(speed/NUMA topology etc) which can be
> evaluated and discussed for generalization in future. The tag will be
> populated in BL2 stage and can be forwarded to further stages(and to BL33)
> by passing the head of list pointer in one of the registers. Initially any
> register can be used but going forward a standardization will be needed.
> > >>
> > >>
> > >>
> > >> The U-boot bloblist mentioned by Simon is conceptually similar
> to what TF-A is using, if there is consensus of using bloblist/taglist
> then TF-A tag list may be enhanced to take best of both the implementations.
> > >>
> > >>
> > >>
> > >> One of the potential problems of having structure used in
> different projects is maintainability, this can be avoided by having a
> single copy of these structures in TF-A (kept inside "include/export" which
> intended to be used by other projects.)
> > >>
> > >>
> > >>
> > >> Regarding usage of either UUID or tag, I echo the sentiments of
> Simon and Julius to keep it simple and use tag values.
> > >>
> > >>
> > >>
> > >> Looking forward to having further discussions on zoom call today.
> > >>
> > >>
> > >>
> > >> Thanks
> > >>
> > >> Manish P
> > >>
> > >>
> > >>
> > >> ________________________________
> > >>
> > >> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf
> of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org>
> > >> Sent: 25 March 2021 02:43
> > >> To: Simon Glass <sjg(a)chromium.org>
> > >> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>;
> Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>;
> tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot
> Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>;
> Ron Minnich <rminnich(a)google.com>
> > >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks
> (HOBs) for information passing between boot stages
> > >>
> > >>
> > >>
> > >> Just want to point out that TF-A currently already supports a
> (very simple) mechanism like this:
> > >>
> > >>
> > >>
> > >>
> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
> > >>
> > >>
> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
> > >>
> > >>
> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
> > >>
> > >>
> > >>
> > >> It's just a linked list of tagged elements. The tag space is
> split into TF-A-wide generic tags and SiP-specific tags (with plenty of
> room to spare if more areas need to be defined -- a 64-bit tag can fit a
> lot). This is currently being used by some platforms that run coreboot in
> place of BL1/BL2, to pass information from coreboot (BL2) to BL31.
> > >>
> > >>
> > >>
> > >> I would echo Simon's sentiment of keeping this as simple as
> possible and avoiding complicated and bloated data structures with UUIDs.
> You usually want to parse something like this as early as possible in the
> passed-to firmware stage, particularly if the structure encodes information
> about the debug console (like it does for the platforms I mentioned above).
> For example, in BL31 this basically means doing it right after moving from
> assembly to C in bl31_early_platform_setup2() to get the console up before
> running anything else. At that point in the BL31 initialization, the MMU
> and caches are disabled, so data accesses are pretty expensive and you
> don't want to spend a lot of parsing effort or calculate complicated
> checksums or the like. You just want something extremely simple where you
> ideally have to touch every data word only once.
> > >>
> > >>
> > >>
> > >> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <
> tf-a(a)lists.trustedfirmware.org> wrote:
> > >>
> > >> Hi Harb,
> > >>
> > >>
> > >>
> > >> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com> wrote:
> > >>
> > >> Hello Folks,
> > >>
> > >> Appreciate the feedback and replies on this. Glad to see that
> there is interest in this topic.
> > >>
> > >>
> > >>
> > >> I try to address the comments/feedback from Francois and Simon
> below….
> > >>
> > >>
> > >>
> > >> @François Ozog – happy to discuss this on a zoom call. I will
> make that time slot work, and will be available to attend April 8, 4pm CT.
> > >>
> > >>
> > >>
> > >> Note that I’m using the term “HOB” here more generically, as
> there are typically vendor specific structures beyond the resource
> descriptor HOB, which provides only a small subset of the information that
> needs to be passed between the boot phases.
> > >>
> > >>
> > >>
> > >> The whole point here is to provide mechanism to develop firmware
> that we can build ARM Server SoC’s that support *any* BL33 payload (e.g.
> EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at
> some point). In other-words, we are trying to come up with a TF-A that
> would be completely agnostic to the implementation of BL33 (i.e. BL33 is
> built completely independently by a separate entity – e.g. an ODM/OEM).
> > >>
> > >>
> > >>
> > >> Keep in mind, in the server/datacenter market segment we are not
> building vertically integrated systems with a single entity compiling
> firmware/software stacks like most folks in TF-A have become use to. There
> are two categories of higher level firmware code blobs in the
> server/datacenter model:
> > >>
> > >> “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2,
> BL31, and *possibly* one or more BL32 instances
> > >> “Platform” or “board” firmware – in TF-A this may map to BL33
> and *possibly* one or more BL32 instances.
> > >>
> > >>
> > >>
> > >> Even the platform firmware stack could be further fragmented by
> having multiple entities involved in delivering the entire firmware stack:
> IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code.
> > >>
> > >>
> > >>
> > >> To support a broad range of platform designs with a broad range
> of memory devices, we need a crisp and clear contract between the SoC
> firmware that initializes memory (e.g. BL2) and how that platform boot
> firmware (e.g. BL33) gathers information about what memory that was
> initialized, at what speeds, NUMA topology, and many other relevant
> information that needs to be known and comprehended by the platform
> firmware and eventually by the platform software.
> > >>
> > >>
> > >>
> > >> I understand the versatility of DT, but I see two major problems
> with DT:
> > >>
> > >> DT requires more complicated parsing to get properties, and even
> more complex to dynamically set properties – this HOB structures may need
> to be generated in boot phases where DDR is not available, and therefore we
> will be extremely memory constrained.
> > >> DT is probably overkill for this purpose – We really just want a
> list of pointers to simple C structures that code cast (e.g. JEDEC SPD data
> blob)
> > >>
> > >>
> > >>
> > >> I think that we should not mix the efforts around DT/ACPI specs
> with what we are doing here, because those specs and concepts were
> developed for a completely different purpose (i.e. abstractions needed for
> OS / RTOS software, and not necessarily suitable for firmware-to-firmware
> hand-offs).
> > >>
> > >>
> > >>
> > >> Frankly, I would personally push back pretty hard on defining
> SMC’s for something that should be one way information passing. Every SMC
> we add is another attack vector to the secure world and an increased burden
> on the folks that have to do security auditing and threat analysis. I see
> no benefit in exposing these boot/HOB/BOB structures at run-time via SMC
> calls.
> > >>
> > >>
> > >>
> > >> Please do let me know if you disagree and why. Look forward to
> discussing on this thread or on the call.
> > >>
> > >>
> > >>
> > >> @Simon Glass - Thanks for the pointer to bloblist. I briefly
> reviewed and it seems like a good baseline for what we may be looking for.
> > >>
> > >>
> > >>
> > >> That being said, I would say that there is some benefit in
> having some kind of unique identifiers (e.g. UUID or some unique signature)
> so that we can tie standardized data structures (based on some future TBD
> specs) to a particular ID. For example, if the TPM driver in BL33 is
> looking for the TPM structure in the HOB/BOB list, and may not care about
> the other data blobs. The driver needs a way to identify and locate the
> blob it cares about.
> > >>
> > >>
> > >>
> > >> The tag is intended to serve that purpose, although perhaps it
> should switch from an auto-allocating enum to one with explicit values for
> each entry and a range for 'local' use.
> > >>
> > >>
> > >>
> > >> I guess we can achieve this with the tag, but the problem with
> tag when you have eco-system with a lot of parties doing parallel
> development, you can end up with tag collisions and folks fighting about
> who has rights to what tag values. We would need some official process for
> folks to register tags for whatever new structures we define, or maybe some
> tag range for vendor specific structures. This comes with a lot of pain
> and bureaucracy. On the other hand, UUID has been a proven way to make it
> easy to just define your own blobs with *either* standard or vendor
> specific structures without worry of ID collisions between vendors.
> > >>
> > >>
> > >>
> > >> True. I think the pain is overstated, though. In this case I
> think we actually want something that can be shared between projects and
> orgs, so some amount of coordination could be considered a benefit. It
> could just be a github pull request. I find the UUID unfriendly and not
> just to code size and eyesight! Trying to discover what GUIDs mean or are
> valid is quite tricky. E.g. see this code:
> > >>
> > >>
> > >>
> > >> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \
> > >> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \
> > >> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55)
> > >>
> > >> (etc.)
> > >>
> > >>
> > >>
> > >> static struct guid_name {
> > >> efi_guid_t guid;
> > >> const char *name;
> > >> } guid_name[] = {
> > >> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" },
> > >> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" },
> > >> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM"
> },
> > >> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" },
> > >> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" },
> > >> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" },
> > >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database
> ea" },
> > >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database
> 9b" },
> > >>
> > >> (never figured out what those two are)
> > >>
> > >>
> > >> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" },
> > >> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" },
> > >> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory"
> },
> > >> { {}, "zero-guid" },
> > >> {}
> > >> };
> > >>
> > >> static const char *guid_to_name(const efi_guid_t *guid)
> > >> {
> > >> struct guid_name *entry;
> > >>
> > >> for (entry = guid_name; entry->name; entry++) {
> > >> if (!guidcmp(guid, &entry->guid))
> > >> return entry->name;
> > >> }
> > >>
> > >> return NULL;
> > >> }
> > >>
> > >>
> > >>
> > >> Believe it or not it took a fair bit of effort to find just that
> small list, with nearly every one in a separate doc, from memory.
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> We can probably debate whether there is any value in GUID/UUID
> or not during the call… but again, boblist seems like a reasonable starting
> point as an alternative to HOB.
> > >>
> > >>
> > >>
> > >> Indeed. There is certainly value in both approaches.
> > >>
> > >>
> > >>
> > >> Regards,
> > >>
> > >> Simon
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> Thanks,
> > >>
> > >> --Harb
> > >>
> > >>
> > >>
> > >> From: François Ozog <francois.ozog(a)linaro.org>
> > >> Sent: Tuesday, March 23, 2021 10:00 AM
> > >> To: François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <
> rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org>
> > >> Cc: Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <
> boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org
> > >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks
> (HOBs) for information passing between boot stages
> > >>
> > >>
> > >>
> > >> +Ron Minnich +Paul Isaac's
> > >>
> > >>
> > >>
> > >> Adding Ron and Paul because I think this interface should be
> also benefiting LinuxBoot efforts.
> > >>
> > >>
> > >>
> > >> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <
> tf-a(a)lists.trustedfirmware.org> wrote:
> > >>
> > >> Hi,
> > >>
> > >>
> > >>
> > >> I propose we cover the topic at the next Trusted Substrate
> zoom call on April 8th 4pm CET.
> > >>
> > >>
> > >>
> > >> The agenda:
> > >>
> > >> ABI between non-secure firmware and the rest of firmware (EL3,
> S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions.
> > >>
> > >> runtime conditions here relates to DRAM size and topology
> detection, secure DRAM memory carvings, PSCI and SCMI interface publishing.
> > >>
> > >>
> > >>
> > >> For additional background on existing metadata: UEFI Platform
> Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB
> > >>
> > >> Out of the ResourceType we care about is
> EFI_RESOURCE_SYSTEM_MEMORY.
> > >>
> > >> This HOB lacks memory NUMA attachment or something that could be
> related to fill SRAT table for ACPI or relevant DT proximity domains.
> > >>
> > >> HOB is not consistent accros platforms: some platforms (Arm)
> lists memory from the booting NUMA node, other platforms (x86) lists all
> memory from all NUMA nodes. (At least this is the case on the two platforms
> I tested).
> > >>
> > >>
> > >>
> > >> There are two proposals to use memory structures from SPL/BLx up
> to the handover function (as defined in the Device Tree technical report)
> which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or
> EDK2.
> > >>
> > >> I would propose we also discuss possibility of FF-A interface to
> actually query information or request actions to be done (this is a model
> actually used in some SoCs with proprietary SMC calls).
> > >>
> > >>
> > >>
> > >> Requirements (to be validated):
> > >>
> > >> - ACPI and DT hardware descriptions.
> > >>
> > >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2)
> > >>
> > >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot,
> TF-A/EDK2, TF-A/LinuxBoot)
> > >>
> > >> - at least allows complete DRAM description and "persistent"
> usage (reserved areas for secure world or other usages)
> > >>
> > >> - support secure world device assignment
> > >>
> > >>
> > >>
> > >> Cheers
> > >>
> > >>
> > >>
> > >> FF
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org>
> wrote:
> > >>
> > >> Hi,
> > >>
> > >> Can I suggest using bloblist for this instead? It is lightweight,
> > >> easier to parse, doesn't have GUIDs and is already used within
> U-Boot
> > >> for passing info between SPL/U-Boot, etc.
> > >>
> > >> Docs here:
> https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist
> > >> Header file describes the format:
> > >> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h
> > >>
> > >> Full set of unit tests:
> > >> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c
> > >>
> > >> Regards,
> > >> Simon
> > >>
> > >> On Mon, 22 Mar 2021 at 23:58, François Ozog <
> francois.ozog(a)linaro.org> wrote:
> > >> >
> > >> > +Boot Architecture Mailman List <
> boot-architecture(a)lists.linaro.org>
> > >> >
> > >> > standardization is very much welcomed here and need to
> accommodate a very
> > >> > diverse set of situations.
> > >> > For example, TEE OS may need to pass memory reservations to
> BL33 or
> > >> > "capture" a device for the secure world.
> > >> >
> > >> > I have observed a number of architectures:
> > >> > 1) pass information from BLx to BLy in the form of a specific
> object
> > >> > 2) BLx called by BLy by a platform specific SMC to get
> information
> > >> > 3) BLx called by BLy by a platform specific SMC to perform
> Device Tree
> > >> > fixups
> > >> >
> > >> > I also imagined a standardized "broadcast" FF-A call so that
> any firmware
> > >> > element can either provide information or "do something".
> > >> >
> > >> > My understanding of your proposal is about standardizing on
> architecture 1)
> > >> > with the HOB format.
> > >> >
> > >> > The advantage of the HOB is simplicity but it may be difficult
> to implement
> > >> > schemes such as pruning a DT because device assignment in the
> secure world.
> > >> >
> > >> > In any case, it looks feasible to have TF-A and OP-TEE
> complement the list
> > >> > of HOBs to pass information downstream (the bootflow).
> > >> >
> > >> > It would be good to start with building the comprehensive list
> of
> > >> > information that need to be conveyed between firmware elements:
> > >> >
> > >> > information. | authoritative entity | reporting entity |
> information
> > >> > exchanged:
> > >> > dram | TFA | TFA
> |
> > >> > <format to be detailed, NUMA topology to build the SRAT table
> or DT
> > >> > equivalent?>
> > >> > PSCI | SCP | TFA?
> |
> > >> > SCMI | SCP or TEE-OS | TFA? TEE-OS?|
> > >> > secure SRAM | TFA. | TFA.
> |
> > >> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? |
> > >> > other? | |
> > >> > |
> > >> >
> > >> > Cheers
> > >> >
> > >> > FF
> > >> >
> > >> >
> > >> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A <
> > >> > tf-a(a)lists.trustedfirmware.org> wrote:
> > >> >
> > >> > > Hello Folks,
> > >> > >
> > >> > >
> > >> > >
> > >> > > I'm emailing to start an open discussion about the adoption
> of a concept
> > >> > > known as "hand-off blocks" or HOB to become a part of the
> TF-A Firmware
> > >> > > Framework Architecture (FFA). This is something that is a
> pretty major
> > >> > > pain point when it comes to the adoption of TF-A in ARM
> Server SoC’s
> > >> > > designed to enable a broad range of highly configurable
> datacenter
> > >> > > platforms.
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > > What is a HOB (Background)?
> > >> > >
> > >> > > ---------------------------
> > >> > >
> > >> > > UEFI PI spec describes a particular definition for how HOB
> may be used for
> > >> > > transitioning between the PEI and DXE boot phases, which is
> a good
> > >> > > reference point for this discussion, but not necessarily the
> exact solution
> > >> > > appropriate for TF-A.
> > >> > >
> > >> > >
> > >> > >
> > >> > > A HOB is simply a dynamically generated data structure
> passed in between
> > >> > > two boot phases. This is information that was obtained
> through discovery
> > >> > > and needs to be passed forward to the next boot phase
> *once*, with no API
> > >> > > needed to call back (e.g. no call back into previous
> firmware phase is
> > >> > > needed to fetch this information at run-time - it is simply
> passed one time
> > >> > > during boot).
> > >> > >
> > >> > >
> > >> > >
> > >> > > There may be one or more HOBs passed in between boot
> phases. If there are
> > >> > > more than one HOB that needs to be passed, this can be in a
> form of a "HOB
> > >> > > table", which (for example) could be a UUID indexed array of
> pointers to
> > >> > > HOB structures, used to locate a HOB of interest (based on
> UUID). In such
> > >> > > cases, instead of passing a single HOB, the boot phases may
> rely on passing
> > >> > > the pointer to the HOB table.
> > >> > >
> > >> > >
> > >> > >
> > >> > > This has been extremely useful concept to employ on highly
> configurable
> > >> > > systems that must rely on flexible discovery mechanisms to
> initialize and
> > >> > > boot the system. This is especially helpful when you have
> multiple
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > > Why do we need HOBs in TF-A?:
> > >> > >
> > >> > > -----------------------------
> > >> > >
> > >> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM
> Server SoC in
> > >> > > a way that is SoC specific *but* platform agnostic. This
> means that a
> > >> > > single ARM SoC that a SiP may deliver to customers may
> provide a single
> > >> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to
> support a broad
> > >> > > range of platform designs and configurations in order to
> boot a platform
> > >> > > specific firmware (e.g. BL33 and possibly even BL32 code).
> In order to
> > >> > > achieve this, the platform configuration must be
> *discovered* instead of
> > >> > > statically compiled as it is today in TF-A via device tree
> based
> > >> > > enumeration. The mechanisms of discovery may differ broadly
> depending on
> > >> > > the relevant industry standard, or in some cases may have
> rely on SiP
> > >> > > specific discovery flows.
> > >> > >
> > >> > >
> > >> > >
> > >> > > For example: On server systems that support a broad range
> DIMM memory
> > >> > > population/topologies, all the necessary information
> required to boot is
> > >> > > fully discovered via standard JEDEC Serial Presence Detect
> (SPD) over an
> > >> > > I2C bus. Leveraging the SPD bus, may platform variants
> could be supported
> > >> > > with a single TF-A binary. Not only is this information
> required to
> > >> > > initialize memory in early boot phases (e.g. BL2), the
> subsequent boot
> > >> > > phases will also need this SPD info to construct a system
> physical address
> > >> > > map and properly initialize the MMU based on the memory
> present, and where
> > >> > > the memory may be present. Subsequent boot phases (e.g.
> BL33 / UEFI) may
> > >> > > need to generate standard firmware tables to the operating
> systems, such as
> > >> > > SMBIOS tables describing DIMM topology and various ACPI
> tables (e.g. SLIT,
> > >> > > SRAT, even NFIT if NVDIMM's are present).
> > >> > >
> > >> > >
> > >> > >
> > >> > > In short, it all starts with a standardized or vendor
> specific discovery
> > >> > > flow in an early boot stage (e.g. BL1/BL2), followed by the
> passing of
> > >> > > information to the next boot stages (e.g. BL31/BL32/BL33).
> > >> > >
> > >> > >
> > >> > >
> > >> > > Today, every HOB may be a vendor specific structure, but in
> the future
> > >> > > there may be benefit of defining standard HOBs. This may be
> useful for
> > >> > > memory discovery, passing the system physical address map,
> enabling TPM
> > >> > > measured boot, and potentially many other common HOB
> use-cases.
> > >> > >
> > >> > >
> > >> > >
> > >> > > It would be extremely beneficial to the datacenter market
> segment if the
> > >> > > TF-A community would adopt this concept of information
> passing between all
> > >> > > boot phases as opposed to rely solely on device tree
> enumeration. This is
> > >> > > not intended to replace device tree, rather intended as an
> alternative way
> > >> > > to describe the info that must be discovered and dynamically
> generated.
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > > Conclusion:
> > >> > >
> > >> > > -----------
> > >> > >
> > >> > > We are proposing that the TF-A community begin pursuing the
> adoption of
> > >> > > HOBs as a mechanism used for information exchange between
> each boot stage
> > >> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)?
> Longer term we
> > >> > > want to explore standardizing some HOB structures for the
> BL33 phase (e.g.
> > >> > > UEFI HOB structures), but initially would like to agree on
> this being a
> > >> > > useful mechanism used to pass information between each boot
> stage.
> > >> > >
> > >> > >
> > >> > >
> > >> > > Thanks,
> > >> > >
> > >> > > --Harb
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > > --
> > >> > > TF-A mailing list
> > >> > > TF-A(a)lists.trustedfirmware.org
> > >> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> > >> > >
> > >> >
> > >> >
> > >> > --
> > >> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing
> Group*
> > >> > T: +33.67221.6485
> > >> > francois.ozog(a)linaro.org | Skype: ffozog
> > >> > _______________________________________________
> > >> > boot-architecture mailing list
> > >> > boot-architecture(a)lists.linaro.org
> > >> > https://lists.linaro.org/mailman/listinfo/boot-architecture
> > >>
> > >>
> > >>
> > >>
> > >> --
> > >>
> > >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing
> Group
> > >>
> > >> T: +33.67221.6485
> > >> francois.ozog(a)linaro.org | Skype: ffozog
> > >>
> > >>
> > >>
> > >> --
> > >> TF-A mailing list
> > >> TF-A(a)lists.trustedfirmware.org
> > >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> > >>
> > >>
> > >>
> > >>
> > >> --
> > >>
> > >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing
> Group
> > >>
> > >> T: +33.67221.6485
> > >> francois.ozog(a)linaro.org | Skype: ffozog
> > >>
> > >>
> > >>
> > >> --
> > >> TF-A mailing list
> > >> TF-A(a)lists.trustedfirmware.org
> > >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> > >>
> > >> --
> > >> TF-A mailing list
> > >> TF-A(a)lists.trustedfirmware.org
> > >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> > >>
> > >>
> > >>
> > >>
> > >> --
> > >>
> > >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing
> Group
> > >>
> > >> T: +33.67221.6485
> > >> francois.ozog(a)linaro.org | Skype: ffozog
> > >>
> > >>
> > >
> > > --
> > > TF-A mailing list
> > > TF-A(a)lists.trustedfirmware.org
> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> > --
> > TF-A mailing list
> > TF-A(a)lists.trustedfirmware.org
> > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> >
>
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
5 years, 1 month
- 1
- 0
Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
by Jeremy Linton
On 5/18/21 8:59 PM, Madhukar Pappireddy via TF-A wrote:
> Hi,
>
> I tried to summarize the discussions in the previous TF-A tech forum regarding the proposal to adopt Hand-off Blocks (HOBs) for passing information along the boot chain. I am certain I could not capture all suggestions/concerns brought up during the call. I apologize if I missed and/or misinterpreted any comments and would appreciate it if everyone could share their thoughts in response to this email thread.
>
> The idea is to share information to other boot phases:
>> Dynamic information: Created during runtime. Shared in the form of a chain of blobs(built as a linked list of C structure objects i.e., HOB list).
>> Static information: Known at compile time. Historically, shared through the use of Device Tree/ACPI tables
>
> Both the above requirements are common in many ecosystems and need to co-exist.
>
> There are broadly 3 problems to solve:
> 1. Format of HOB structures: It looks like the consensus is that we could use existing mechanisms for this (BL_AUX_PARAM in TF-A or bloblist in u-boot).
> 2. Identification of HOB list entries: There is a debate about whether tags would suffice or if the HOB list producer and consumer would depend on UUID/GUIDs for identifying a specific HOB structure. Another suggestion was to use a hybrid approach. Reserve a single tag ID for identifying/constructing a HOB structure that further leverages UUID based identifier. This way, the generic HOB list doesn't need to support UUIDs and can work with tags.
> 3. The design contract for the static interface between two boot phases: The problem at hand is whether to pass a pointer to a HOB list or a device tree blob through the general-purpose registers for configuration hand-off between two boot phases. Some proposals that came up:
> > Proposal 1: Always pass a pointer to the device tree blob through the GP register and capture the pointer to the HOB list as a property of a node that is uniquely identifiable by the downstream boot phase. This needs to define a device tree binding such that producer and consumer agree on the information passed.
Using DT to pass platform info at this level is sort of crazy on an ACPI
machine which won't have native DTs. Meaning there is an additional
level of unnecessary indirection that needs to be converted back into a
format which can be utilized by AML and other parts of the ACPI stack.
Its also helpful to look at what has become of the rpi4 uefi port, where
the DT is actually dynamic (or provided by the user, complete with HAT
overlays) and fed into the lower level firmware and propagated up
through the system. The result has frequently been subtle bugs or boot
failures because the DT provided by the rpi foundation as part of their
low level firwmare+kernel stack is modified by their low level firwmare,
and it differs from the DT in mainline linux. So more than once we have
discovered that there isn't a single DT that can be boot both the
current firmware and a current mainline linux. In the past there was
even an option to use one DT for the firmware and an entirely seperate
one for linux, but that was removed when it bacame apparent you couldn't
have the lower level firmwaer say modifying MMIO windows for the PCIe
subsystem and not propogate that into the other user supplied DT.
At this point the uefi firmware on the rpi will provide a DT if asked,
but it doesn't parse it nor does anything in the AML. Instead everything
is done directly against the hardware, even when the HW registers aren't
well documented.That is in large parts because the AML requirements are
a lot different than what is provided in the DT.
> > Proposal 2: Pass a pointer to a generic container through the GP register that can be interpreted appropriately by both boot loaders(i.e., producer and consumer of the boot info). This container can either be a dtb or a HOB list which can be simply inferred by checking for a magic header that indicates if the buffer appears to be a flattened device tree.
> > One another concern that was brought up offline is to make sure we don't break current design contracts between various boot loader phases in TF-A. Many of the general-purpose registers have a designated purpose such as to share configurations between BL images( such as firmware config dtb, SoC config dtb, Non trusted firmware config dtb, memory layout, entry point info, etc.).
>
> If I am not mistaken, a single design may not fit the needs of every segment(client, Infra, embedded) and the forum is open to solutions tailored for individual segments. Joanna will be sending a follow up email with more information about future TF-A tech forums that serves as a platform for further discussions.
>
> Thanks,
> Madhukar
>
> -----Original Message-----
> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Joanna Farley via TF-A
> Sent: Sunday, May 16, 2021 5:19 AM
> To: Okash Khawaja <okash.khawaja(a)gmail.com>; Simon Glass <sjg(a)chromium.org>
> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; Ed Stuber <edstuber(a)amperecomputing.com>; Arjun Khare <akhare(a)amperecomputing.com>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Moe Ammar <moe(a)amperecomputing.com>
> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>
> Apologies I failed with the recording. Manish/Madhu will reply early next week with the slides and some notes to help with a follow up session which we hope to hold this Thursday. Invite and agenda will also be sent out early next week.
>
> Thanks
>
> Joanna
>
> On 14/05/2021, 13:30, "TF-A on behalf of Okash Khawaja via TF-A" <tf-a-bounces(a)lists.trustedfirmware.org on behalf of tf-a(a)lists.trustedfirmware.org> wrote:
>
> Hi,
>
> Do we have slides and video from last week's discussion?
>
> Thanks,
> Okash
>
>
> On Wed, May 5, 2021 at 11:52 PM Simon Glass via TF-A
> <tf-a(a)lists.trustedfirmware.org> wrote:
> >
> > Hi Harb,
> >
> > Thanks for the idea. I am still not completely sure what benefit UUID provides to an open project. I'd like to propose something different, more in the spirit of open collaboration. I also worry that the word 'standard' seems to be a synonym for UUIDs, UEFI, etc., i.e. enabling/preferring closed-source firmware and the continued decline of open-source projects. It really should not be.
> >
> > So I suggest: Use simple integer IDs and reserve some area for 'private' use. If you want to collaborate across projects outside your company, you either need to allocate a 'public' ID or agree privately between the parties which private ID to use.
> >
> > This means that the default and easiest option is for collaboration and a public ID, with private ones (whose purpose may be secret) reserved just for private use.
> >
> > Regards,
> > Simon
> >
> > On Wed, 5 May 2021 at 11:42, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote:
> >>
> >> Hey Folks,
> >>
> >> We wanted to put out a middle-ground proposal to help guide the discussion on the call tomorrow.
> >>
> >>
> >>
> >> A proposal that we have been discussing offline involves reserving a single tag ID for the purpose of construction UEFI PI HOB List structure, and that tag would be used to identify a HOB-specific structure that does leverage UUID based identifier. This will eliminate the burden of having to support UUID as the tag, and this enables projects that require UUID based identifiers for the broad range of HOB structures that need to be produced during the booting of the platform. Once we have a tag for a HOB list, this will enable various HOB producers that can add/extend the HOB list in TF-A code (or even pre-TF-A code), with a HOB consumer for that UUID/GUID on the other side (i.e. whatever the BL33 image is booting on that platform).
> >>
> >>
> >>
> >> Essentially, the idea is if someone would like to support HOB structures in a standard way using TF-A, they would wrap it up in a BL_AUX_PARAM/BLOB structure (whatever the group decides) and the way we identify the structure as a HOB list is with this new reserved tag.
> >>
> >>
> >>
> >> Hopefully that makes sense and less contentious. Look forward to discuss this further on the call.
> >>
> >>
> >>
> >> Thanks,
> >>
> >> --Harb
> >>
> >>
> >>
> >> From: Manish Pandey2 <Manish.Pandey2(a)arm.com>
> >> Sent: Friday, April 30, 2021 8:14 AM
> >> To: François Ozog <francois.ozog(a)linaro.org>
> >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
> >>
> >>
> >>
> >> Hi All,
> >>
> >>
> >>
> >> Please find invite for next TF-A Tech Forum session to continue our discussions on HOB implementation, feel free to forward it to others.
> >>
> >>
> >>
> >> The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST).
> >>
> >>
> >>
> >> Agenda:
> >>
> >> Discussion Session: Static and Dynamic Information Handling in TF-A
> >>
> >> Lead by Manish Pandey and Madhukar Pappireddy
> >>
> >> · There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages.
> >>
> >> The requirement is two-fold:
> >>
> >> 1. Passing static information(config files)
> >>
> >> 2. Passing dynamic information (Hob list)
> >>
> >> In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects.
> >>
> >>
> >>
> >> The two specific item which we would like to discuss are:
> >>
> >> 1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both?
> >>
> >> 2. Standardization on Physical register use to pass base of HoB data structure.
> >>
> >> References:
> >>
> >> [1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html
> >>
> >> [2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%
> >>
> >>
> >>
> >> Thanks
> >>
> >>
> >>
> >> Joanna
> >>
> >>
> >>
> >> You have been invited to the following event.
> >>
> >> TF-A Tech Forum
> >>
> >> When
> >>
> >> Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time
> >>
> >> Calendar
> >>
> >> tf-a(a)lists.trustedfirmware.org
> >>
> >> Who
> >>
> >> •
> >>
> >> Bill Fletcher- creator
> >>
> >> •
> >>
> >> tf-a(a)lists.trustedfirmware.org
> >>
> >> more details »
> >>
> >>
> >>
> >> We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC.
> >>
> >>
> >>
> >> Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/
> >>
> >>
> >>
> >> Trusted Firmware is inviting you to a scheduled Zoom meeting.
> >>
> >>
> >>
> >> Join Zoom Meeting
> >>
> >> https://zoom.us/j/9159704974
> >>
> >>
> >>
> >> Meeting ID: 915 970 4974
> >>
> >>
> >>
> >> One tap mobile
> >>
> >> +16465588656,,9159704974# US (New York)
> >>
> >> +16699009128,,9159704974# US (San Jose)
> >>
> >>
> >>
> >> Dial by your location
> >>
> >> +1 646 558 8656 US (New York)
> >>
> >> +1 669 900 9128 US (San Jose)
> >>
> >> 877 853 5247 US Toll-free
> >>
> >> 888 788 0099 US Toll-free
> >>
> >> Meeting ID: 915 970 4974
> >>
> >> Find your local number: https://zoom.us/u/ad27hc6t7h
> >>
> >>
> >>
> >> ________________________________
> >>
> >> From: François Ozog <francois.ozog(a)linaro.org>
> >> Sent: 08 April 2021 16:50
> >> To: Manish Pandey2 <Manish.Pandey2(a)arm.com>
> >> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
> >>
> >>
> >>
> >> Hi
> >>
> >>
> >>
> >> here is the meeting recording:
> >>
> >> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%z
> >>
> >>
> >>
> >> I am really sorry about the confusion related to the meeting time. I have now understood: the Collaborate portal uses a specific calendar which is tied to US/Chicago timezone while the actual Google Calendar is tied to Central Europe timezone. I am going to drop the Collaborate portal and use a shared Google calendar (it should be visible on the trusted-substrate.org page).
> >>
> >>
> >>
> >> I'll try to summarize what I learnt and highlight my view on what can be next steps in a future mail.
> >>
> >>
> >>
> >> Cheers
> >>
> >>
> >>
> >> FF
> >>
> >>
> >>
> >> On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
> >>
> >> Hi,
> >>
> >>
> >>
> >> From TF-A project point of view, we prefer to use existing mechanism to pass parameters across boot stages using linked list of tagged elements (as suggested by Julius). It has support for both generic and SiP-specific tags. Having said that, it does not stop partners to introduce new mechanisms suitable for their usecase in platform port initially and later move to generic code if its suitable for other platforms.
> >>
> >>
> >>
> >> To start with, Ampere can introduce a platform specific implementation of memory tag(speed/NUMA topology etc) which can be evaluated and discussed for generalization in future. The tag will be populated in BL2 stage and can be forwarded to further stages(and to BL33) by passing the head of list pointer in one of the registers. Initially any register can be used but going forward a standardization will be needed.
> >>
> >>
> >>
> >> The U-boot bloblist mentioned by Simon is conceptually similar to what TF-A is using, if there is consensus of using bloblist/taglist then TF-A tag list may be enhanced to take best of both the implementations.
> >>
> >>
> >>
> >> One of the potential problems of having structure used in different projects is maintainability, this can be avoided by having a single copy of these structures in TF-A (kept inside "include/export" which intended to be used by other projects.)
> >>
> >>
> >>
> >> Regarding usage of either UUID or tag, I echo the sentiments of Simon and Julius to keep it simple and use tag values.
> >>
> >>
> >>
> >> Looking forward to having further discussions on zoom call today.
> >>
> >>
> >>
> >> Thanks
> >>
> >> Manish P
> >>
> >>
> >>
> >> ________________________________
> >>
> >> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org>
> >> Sent: 25 March 2021 02:43
> >> To: Simon Glass <sjg(a)chromium.org>
> >> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
> >>
> >>
> >>
> >> Just want to point out that TF-A currently already supports a (very simple) mechanism like this:
> >>
> >>
> >>
> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
> >>
> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
> >>
> >> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
> >>
> >>
> >>
> >> It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31.
> >>
> >>
> >>
> >> I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once.
> >>
> >>
> >>
> >> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
> >>
> >> Hi Harb,
> >>
> >>
> >>
> >> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote:
> >>
> >> Hello Folks,
> >>
> >> Appreciate the feedback and replies on this. Glad to see that there is interest in this topic.
> >>
> >>
> >>
> >> I try to address the comments/feedback from Francois and Simon below….
> >>
> >>
> >>
> >> @François Ozog – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT.
> >>
> >>
> >>
> >> Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases.
> >>
> >>
> >>
> >> The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM).
> >>
> >>
> >>
> >> Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model:
> >>
> >> “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances
> >> “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances.
> >>
> >>
> >>
> >> Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code.
> >>
> >>
> >>
> >> To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software.
> >>
> >>
> >>
> >> I understand the versatility of DT, but I see two major problems with DT:
> >>
> >> DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained.
> >> DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob)
> >>
> >>
> >>
> >> I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs).
> >>
> >>
> >>
> >> Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls.
> >>
> >>
> >>
> >> Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call.
> >>
> >>
> >>
> >> @Simon Glass - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for.
> >>
> >>
> >>
> >> That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about.
> >>
> >>
> >>
> >> The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use.
> >>
> >>
> >>
> >> I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors.
> >>
> >>
> >>
> >> True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code:
> >>
> >>
> >>
> >> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \
> >> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \
> >> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55)
> >>
> >> (etc.)
> >>
> >>
> >>
> >> static struct guid_name {
> >> efi_guid_t guid;
> >> const char *name;
> >> } guid_name[] = {
> >> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" },
> >> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" },
> >> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" },
> >> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" },
> >> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" },
> >> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" },
> >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" },
> >> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" },
> >>
> >> (never figured out what those two are)
> >>
> >>
> >> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" },
> >> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" },
> >> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" },
> >> { {}, "zero-guid" },
> >> {}
> >> };
> >>
> >> static const char *guid_to_name(const efi_guid_t *guid)
> >> {
> >> struct guid_name *entry;
> >>
> >> for (entry = guid_name; entry->name; entry++) {
> >> if (!guidcmp(guid, &entry->guid))
> >> return entry->name;
> >> }
> >>
> >> return NULL;
> >> }
> >>
> >>
> >>
> >> Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory.
> >>
> >>
> >>
> >>
> >>
> >> We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB.
> >>
> >>
> >>
> >> Indeed. There is certainly value in both approaches.
> >>
> >>
> >>
> >> Regards,
> >>
> >> Simon
> >>
> >>
> >>
> >>
> >>
> >> Thanks,
> >>
> >> --Harb
> >>
> >>
> >>
> >> From: François Ozog <francois.ozog(a)linaro.org>
> >> Sent: Tuesday, March 23, 2021 10:00 AM
> >> To: François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org>
> >> Cc: Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org
> >> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
> >>
> >>
> >>
> >> +Ron Minnich +Paul Isaac's
> >>
> >>
> >>
> >> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts.
> >>
> >>
> >>
> >> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
> >>
> >> Hi,
> >>
> >>
> >>
> >> I propose we cover the topic at the next Trusted Substrate zoom call on April 8th 4pm CET.
> >>
> >>
> >>
> >> The agenda:
> >>
> >> ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions.
> >>
> >> runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing.
> >>
> >>
> >>
> >> For additional background on existing metadata: UEFI Platform Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB
> >>
> >> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY.
> >>
> >> This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains.
> >>
> >> HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested).
> >>
> >>
> >>
> >> There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2.
> >>
> >> I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls).
> >>
> >>
> >>
> >> Requirements (to be validated):
> >>
> >> - ACPI and DT hardware descriptions.
> >>
> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2)
> >>
> >> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot)
> >>
> >> - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages)
> >>
> >> - support secure world device assignment
> >>
> >>
> >>
> >> Cheers
> >>
> >>
> >>
> >> FF
> >>
> >>
> >>
> >>
> >>
> >> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote:
> >>
> >> Hi,
> >>
> >> Can I suggest using bloblist for this instead? It is lightweight,
> >> easier to parse, doesn't have GUIDs and is already used within U-Boot
> >> for passing info between SPL/U-Boot, etc.
> >>
> >> Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist
> >> Header file describes the format:
> >> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h
> >>
> >> Full set of unit tests:
> >> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c
> >>
> >> Regards,
> >> Simon
> >>
> >> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> wrote:
> >> >
> >> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>
> >> >
> >> > standardization is very much welcomed here and need to accommodate a very
> >> > diverse set of situations.
> >> > For example, TEE OS may need to pass memory reservations to BL33 or
> >> > "capture" a device for the secure world.
> >> >
> >> > I have observed a number of architectures:
> >> > 1) pass information from BLx to BLy in the form of a specific object
> >> > 2) BLx called by BLy by a platform specific SMC to get information
> >> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree
> >> > fixups
> >> >
> >> > I also imagined a standardized "broadcast" FF-A call so that any firmware
> >> > element can either provide information or "do something".
> >> >
> >> > My understanding of your proposal is about standardizing on architecture 1)
> >> > with the HOB format.
> >> >
> >> > The advantage of the HOB is simplicity but it may be difficult to implement
> >> > schemes such as pruning a DT because device assignment in the secure world.
> >> >
> >> > In any case, it looks feasible to have TF-A and OP-TEE complement the list
> >> > of HOBs to pass information downstream (the bootflow).
> >> >
> >> > It would be good to start with building the comprehensive list of
> >> > information that need to be conveyed between firmware elements:
> >> >
> >> > information. | authoritative entity | reporting entity | information
> >> > exchanged:
> >> > dram | TFA | TFA |
> >> > <format to be detailed, NUMA topology to build the SRAT table or DT
> >> > equivalent?>
> >> > PSCI | SCP | TFA? |
> >> > SCMI | SCP or TEE-OS | TFA? TEE-OS?|
> >> > secure SRAM | TFA. | TFA. |
> >> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? |
> >> > other? | |
> >> > |
> >> >
> >> > Cheers
> >> >
> >> > FF
> >> >
> >> >
> >> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A <
> >> > tf-a(a)lists.trustedfirmware.org> wrote:
> >> >
> >> > > Hello Folks,
> >> > >
> >> > >
> >> > >
> >> > > I'm emailing to start an open discussion about the adoption of a concept
> >> > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware
> >> > > Framework Architecture (FFA). This is something that is a pretty major
> >> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s
> >> > > designed to enable a broad range of highly configurable datacenter
> >> > > platforms.
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > What is a HOB (Background)?
> >> > >
> >> > > ---------------------------
> >> > >
> >> > > UEFI PI spec describes a particular definition for how HOB may be used for
> >> > > transitioning between the PEI and DXE boot phases, which is a good
> >> > > reference point for this discussion, but not necessarily the exact solution
> >> > > appropriate for TF-A.
> >> > >
> >> > >
> >> > >
> >> > > A HOB is simply a dynamically generated data structure passed in between
> >> > > two boot phases. This is information that was obtained through discovery
> >> > > and needs to be passed forward to the next boot phase *once*, with no API
> >> > > needed to call back (e.g. no call back into previous firmware phase is
> >> > > needed to fetch this information at run-time - it is simply passed one time
> >> > > during boot).
> >> > >
> >> > >
> >> > >
> >> > > There may be one or more HOBs passed in between boot phases. If there are
> >> > > more than one HOB that needs to be passed, this can be in a form of a "HOB
> >> > > table", which (for example) could be a UUID indexed array of pointers to
> >> > > HOB structures, used to locate a HOB of interest (based on UUID). In such
> >> > > cases, instead of passing a single HOB, the boot phases may rely on passing
> >> > > the pointer to the HOB table.
> >> > >
> >> > >
> >> > >
> >> > > This has been extremely useful concept to employ on highly configurable
> >> > > systems that must rely on flexible discovery mechanisms to initialize and
> >> > > boot the system. This is especially helpful when you have multiple
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > Why do we need HOBs in TF-A?:
> >> > >
> >> > > -----------------------------
> >> > >
> >> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in
> >> > > a way that is SoC specific *but* platform agnostic. This means that a
> >> > > single ARM SoC that a SiP may deliver to customers may provide a single
> >> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad
> >> > > range of platform designs and configurations in order to boot a platform
> >> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to
> >> > > achieve this, the platform configuration must be *discovered* instead of
> >> > > statically compiled as it is today in TF-A via device tree based
> >> > > enumeration. The mechanisms of discovery may differ broadly depending on
> >> > > the relevant industry standard, or in some cases may have rely on SiP
> >> > > specific discovery flows.
> >> > >
> >> > >
> >> > >
> >> > > For example: On server systems that support a broad range DIMM memory
> >> > > population/topologies, all the necessary information required to boot is
> >> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an
> >> > > I2C bus. Leveraging the SPD bus, may platform variants could be supported
> >> > > with a single TF-A binary. Not only is this information required to
> >> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot
> >> > > phases will also need this SPD info to construct a system physical address
> >> > > map and properly initialize the MMU based on the memory present, and where
> >> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may
> >> > > need to generate standard firmware tables to the operating systems, such as
> >> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT,
> >> > > SRAT, even NFIT if NVDIMM's are present).
> >> > >
> >> > >
> >> > >
> >> > > In short, it all starts with a standardized or vendor specific discovery
> >> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of
> >> > > information to the next boot stages (e.g. BL31/BL32/BL33).
> >> > >
> >> > >
> >> > >
> >> > > Today, every HOB may be a vendor specific structure, but in the future
> >> > > there may be benefit of defining standard HOBs. This may be useful for
> >> > > memory discovery, passing the system physical address map, enabling TPM
> >> > > measured boot, and potentially many other common HOB use-cases.
> >> > >
> >> > >
> >> > >
> >> > > It would be extremely beneficial to the datacenter market segment if the
> >> > > TF-A community would adopt this concept of information passing between all
> >> > > boot phases as opposed to rely solely on device tree enumeration. This is
> >> > > not intended to replace device tree, rather intended as an alternative way
> >> > > to describe the info that must be discovered and dynamically generated.
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > Conclusion:
> >> > >
> >> > > -----------
> >> > >
> >> > > We are proposing that the TF-A community begin pursuing the adoption of
> >> > > HOBs as a mechanism used for information exchange between each boot stage
> >> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we
> >> > > want to explore standardizing some HOB structures for the BL33 phase (e.g.
> >> > > UEFI HOB structures), but initially would like to agree on this being a
> >> > > useful mechanism used to pass information between each boot stage.
> >> > >
> >> > >
> >> > >
> >> > > Thanks,
> >> > >
> >> > > --Harb
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > --
> >> > > TF-A mailing list
> >> > > TF-A(a)lists.trustedfirmware.org
> >> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> >> > >
> >> >
> >> >
> >> > --
> >> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
> >> > T: +33.67221.6485
> >> > francois.ozog(a)linaro.org | Skype: ffozog
> >> > _______________________________________________
> >> > boot-architecture mailing list
> >> > boot-architecture(a)lists.linaro.org
> >> > https://lists.linaro.org/mailman/listinfo/boot-architecture
> >>
> >>
> >>
> >>
> >> --
> >>
> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
> >>
> >> T: +33.67221.6485
> >> francois.ozog(a)linaro.org | Skype: ffozog
> >>
> >>
> >>
> >> --
> >> TF-A mailing list
> >> TF-A(a)lists.trustedfirmware.org
> >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> >>
> >>
> >>
> >>
> >> --
> >>
> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
> >>
> >> T: +33.67221.6485
> >> francois.ozog(a)linaro.org | Skype: ffozog
> >>
> >>
> >>
> >> --
> >> TF-A mailing list
> >> TF-A(a)lists.trustedfirmware.org
> >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> >>
> >> --
> >> TF-A mailing list
> >> TF-A(a)lists.trustedfirmware.org
> >> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> >>
> >>
> >>
> >>
> >> --
> >>
> >> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
> >>
> >> T: +33.67221.6485
> >> francois.ozog(a)linaro.org | Skype: ffozog
> >>
> >>
> >
> > --
> > TF-A mailing list
> > TF-A(a)lists.trustedfirmware.org
> > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>
5 years, 1 month
- 1
- 0
CANCELLED TF-A Tech Forum Agenda @ Thr 20th May 2021 16:00-1700 BST CANCELLED
by Joanna Farley
Hi Everyone,
I am cancelling this week’s TF-A Tech Forum as I don’t have any areas to present/discuss.
I expect the session on 3rd June to be a follow on session of that held below from 2 weeks ago. A write up was posted yesterday to the mailing list.
Thanks
Joanna
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Joanna Farley via TF-A <tf-a(a)lists.trustedfirmware.org>
Reply to: Joanna Farley <Joanna.Farley(a)arm.com>
Date: Thursday, 29 April 2021 at 17:59
To: "tf-a(a)lists.trustedfirmware.org" <tf-a(a)lists.trustedfirmware.org>
Subject: [TF-A] TF-A Tech Forum Agenda @ Thr 6th May 2021 16:00-1700 BST
Hi All,
The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST).
Agenda:
* Discussion Session: Static and Dynamic Information Handling in TF-A
* Lead by Manish Pandy and Madhukar Pappireddy
· There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages.
The requirement is two-fold:
1. Passing static information(config files)
2. Passing dynamic information (Hob list)
In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects.
The two specific item which we would like to discuss are:
1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both?
2. Standardization on Physical register use to pass base of HoB data structure.
References:
[1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html
[2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%
Thanks
Joanna
You have been invited to the following event.
TF-A Tech Forum
When
Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time
Calendar
tf-a(a)lists.trustedfirmware.org
Who
•
Bill Fletcher- creator
•
tf-a(a)lists.trustedfirmware.org
more details »<https://www.google.com/calendar/event?action=VIEW&eid=NWlub3Ewdm1tMmk1cTJrM…>
We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC.
Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/<https://www.google.com/url?q=https%3A%2F%2Fwww.trustedfirmware.org%2Fmeetin…>
Trusted Firmware is inviting you to a scheduled Zoom meeting.
Join Zoom Meeting
https://zoom.us/j/9159704974<https://www.google.com/url?q=https%3A%2F%2Fzoom.us%2Fj%2F9159704974&sa=D&us…>
Meeting ID: 915 970 4974
One tap mobile
+16465588656,,9159704974# US (New York)
+16699009128,,9159704974# US (San Jose)
Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 9128 US (San Jose)
877 853 5247 US Toll-free
888 788 0099 US Toll-free
Meeting ID: 915 970 4974
Find your local number: https://zoom.us/u/ad27hc6t7h<https://www.google.com/url?q=https%3A%2F%2Fzoom.us%2Fu%2Fad27hc6t7h&sa=D&us…>
Going (tf-a(a)lists.trustedfirmware.org)? All events in this series: Yes<https://www.google.com/calendar/event?action=RESPOND&eid=NWlub3Ewdm1tMmk1cT…> - Maybe<https://www.google.com/calendar/event?action=RESPOND&eid=NWlub3Ewdm1tMmk1cT…> - No<https://www.google.com/calendar/event?action=RESPOND&eid=NWlub3Ewdm1tMmk1cT…> more options »<https://www.google.com/calendar/event?action=VIEW&eid=NWlub3Ewdm1tMmk1cTJrM…>
Invitation from Google Calendar<https://www.google.com/calendar/>
You are receiving this courtesy email at the account tf-a(a)lists.trustedfirmware.org because you are an attendee of this event.
To stop receiving future updates for this event, decline this event. Alternatively, you can sign up for a Google Account at https://www.google.com/calendar/ and control your notification settings for your entire calendar.
Forwarding this invitation could allow any recipient to send a response to the organiser and be added to the guest list, invite others regardless of their own invitation status or to modify your RSVP. Learn more<https://support.google.com/calendar/answer/37135#forwarding>.
5 years, 1 month
- 1
- 0
Canceled event with note: TF-A Tech Forum @ Thu May 20, 2021 4pm - 5pm (BST) (tf-a@lists.trustedfirmware.org)
by joanna.farley@arm.com
This event has been canceled with this note:
"Cancelling the TF-A Tech Forum session this week. We expect the session on
3rd of June to be a follow up of the Discussion Session: Static and Dynamic
Information Handling in TF-A held 2 weeks ago."
Title: TF-A Tech Forum
We run an open technical forum call for anyone to participate and it is not
restricted to Trusted Firmware project members. It will operate under the
guidance of the TF TSC. Feel free to forward this invite to
colleagues. Invites are via the TF-A mailing list and also published on the
Trusted Firmware website. Details are
here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/Tr…
Firmware is inviting you to a scheduled Zoom meeting.Join Zoom
Meetinghttps://zoom.us/j/9159704974Meeting ID: 915 970 4974One tap
mobile+16465588656,,9159704974# US (New York)+16699009128,,9159704974# US
(San Jose)Dial by your location +1 646 558
8656 US (New York) +1 669 900
9128 US (San Jose) 877 853 5247 US
Toll-free 888 788 0099 US Toll-freeMeeting ID:
915 970 4974Find your local
number: https://zoom.us/u/ad27hc6t7h
When: Thu May 20, 2021 4pm – 5pm United Kingdom Time
Calendar: tf-a(a)lists.trustedfirmware.org
Who:
* Bill Fletcher - creator
* marek.bykowski(a)gmail.com
* okash.khawaja(a)gmail.com
* tf-a(a)lists.trustedfirmware.org
Invitation from Google Calendar: https://calendar.google.com/calendar/
You are receiving this courtesy email at the account
tf-a(a)lists.trustedfirmware.org because you are an attendee of this event.
To stop receiving future updates for this event, decline this event.
Alternatively you can sign up for a Google account at
https://calendar.google.com/calendar/ and control your notification
settings for your entire calendar.
Forwarding this invitation could allow any recipient to send a response to
the organizer and be added to the guest list, or invite others regardless
of their own invitation status, or to modify your RSVP. Learn more at
https://support.google.com/calendar/answer/37135#forwarding
5 years, 1 month
- 1
- 0
Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
by Joanna Farley
Looks tf-a(a)lists.trustedfirmware.org got dropped. Adding that back in.
Joanna
On 19/05/2021, 15:33, "Joanna Farley" <Joanna.Farley(a)arm.com> wrote:
It’s a bit short notice to host another TF-A Tech-forum call on this tomorrow for a live debate as well as Manish who led the call last time is not available this week. So I propose our next TF-A Techforum session on Thursday 3rd June at 4pm BST and between now and then email discussions can possibly be pursued.
From a TF-A perspective we want to help facilitate a number of segments/use-cases we heard about as Madhu mentions below. As such any enablement we can provide in TF-A common code would be good to identify that contributors to other segments/use-cases can build upon in shared platform code in TF-A or elsewhere outside the TF-A repository of that works better for those segments/use-cases.
Thanks
Joanna
On 19/05/2021, 03:50, "Madhukar Pappireddy" <Madhukar.Pappireddy(a)arm.com> wrote:
Attached slides presented by Manish in the TF-A tech forum.
-----Original Message-----
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Madhukar Pappireddy via TF-A
Sent: Tuesday, May 18, 2021 8:59 PM
To: Joanna Farley <Joanna.Farley(a)arm.com>; Okash Khawaja <okash.khawaja(a)gmail.com>; Simon Glass <sjg(a)chromium.org>
Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; Ed Stuber <edstuber(a)amperecomputing.com>; Arjun Khare <akhare(a)amperecomputing.com>; U-Boot Mailing List <u-boot(a)lists.denx.de>; tf-a(a)lists.trustedfirmware.org; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Moe Ammar <moe(a)amperecomputing.com>
Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
Hi,
I tried to summarize the discussions in the previous TF-A tech forum regarding the proposal to adopt Hand-off Blocks (HOBs) for passing information along the boot chain. I am certain I could not capture all suggestions/concerns brought up during the call. I apologize if I missed and/or misinterpreted any comments and would appreciate it if everyone could share their thoughts in response to this email thread.
The idea is to share information to other boot phases:
> Dynamic information: Created during runtime. Shared in the form of a chain of blobs(built as a linked list of C structure objects i.e., HOB list).
> Static information: Known at compile time. Historically, shared through the use of Device Tree/ACPI tables
Both the above requirements are common in many ecosystems and need to co-exist.
There are broadly 3 problems to solve:
1. Format of HOB structures: It looks like the consensus is that we could use existing mechanisms for this (BL_AUX_PARAM in TF-A or bloblist in u-boot).
2. Identification of HOB list entries: There is a debate about whether tags would suffice or if the HOB list producer and consumer would depend on UUID/GUIDs for identifying a specific HOB structure. Another suggestion was to use a hybrid approach. Reserve a single tag ID for identifying/constructing a HOB structure that further leverages UUID based identifier. This way, the generic HOB list doesn't need to support UUIDs and can work with tags.
3. The design contract for the static interface between two boot phases: The problem at hand is whether to pass a pointer to a HOB list or a device tree blob through the general-purpose registers for configuration hand-off between two boot phases. Some proposals that came up:
> Proposal 1: Always pass a pointer to the device tree blob through the GP register and capture the pointer to the HOB list as a property of a node that is uniquely identifiable by the downstream boot phase. This needs to define a device tree binding such that producer and consumer agree on the information passed.
> Proposal 2: Pass a pointer to a generic container through the GP register that can be interpreted appropriately by both boot loaders(i.e., producer and consumer of the boot info). This container can either be a dtb or a HOB list which can be simply inferred by checking for a magic header that indicates if the buffer appears to be a flattened device tree.
> One another concern that was brought up offline is to make sure we don't break current design contracts between various boot loader phases in TF-A. Many of the general-purpose registers have a designated purpose such as to share configurations between BL images( such as firmware config dtb, SoC config dtb, Non trusted firmware config dtb, memory layout, entry point info, etc.).
If I am not mistaken, a single design may not fit the needs of every segment(client, Infra, embedded) and the forum is open to solutions tailored for individual segments. Joanna will be sending a follow up email with more information about future TF-A tech forums that serves as a platform for further discussions.
Thanks,
Madhukar
-----Original Message-----
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Joanna Farley via TF-A
Sent: Sunday, May 16, 2021 5:19 AM
To: Okash Khawaja <okash.khawaja(a)gmail.com>; Simon Glass <sjg(a)chromium.org>
Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; Ed Stuber <edstuber(a)amperecomputing.com>; Arjun Khare <akhare(a)amperecomputing.com>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Moe Ammar <moe(a)amperecomputing.com>
Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
Apologies I failed with the recording. Manish/Madhu will reply early next week with the slides and some notes to help with a follow up session which we hope to hold this Thursday. Invite and agenda will also be sent out early next week.
Thanks
Joanna
On 14/05/2021, 13:30, "TF-A on behalf of Okash Khawaja via TF-A" <tf-a-bounces(a)lists.trustedfirmware.org on behalf of tf-a(a)lists.trustedfirmware.org> wrote:
Hi,
Do we have slides and video from last week's discussion?
Thanks,
Okash
On Wed, May 5, 2021 at 11:52 PM Simon Glass via TF-A
<tf-a(a)lists.trustedfirmware.org> wrote:
>
> Hi Harb,
>
> Thanks for the idea. I am still not completely sure what benefit UUID provides to an open project. I'd like to propose something different, more in the spirit of open collaboration. I also worry that the word 'standard' seems to be a synonym for UUIDs, UEFI, etc., i.e. enabling/preferring closed-source firmware and the continued decline of open-source projects. It really should not be.
>
> So I suggest: Use simple integer IDs and reserve some area for 'private' use. If you want to collaborate across projects outside your company, you either need to allocate a 'public' ID or agree privately between the parties which private ID to use.
>
> This means that the default and easiest option is for collaboration and a public ID, with private ones (whose purpose may be secret) reserved just for private use.
>
> Regards,
> Simon
>
> On Wed, 5 May 2021 at 11:42, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote:
>>
>> Hey Folks,
>>
>> We wanted to put out a middle-ground proposal to help guide the discussion on the call tomorrow.
>>
>>
>>
>> A proposal that we have been discussing offline involves reserving a single tag ID for the purpose of construction UEFI PI HOB List structure, and that tag would be used to identify a HOB-specific structure that does leverage UUID based identifier. This will eliminate the burden of having to support UUID as the tag, and this enables projects that require UUID based identifiers for the broad range of HOB structures that need to be produced during the booting of the platform. Once we have a tag for a HOB list, this will enable various HOB producers that can add/extend the HOB list in TF-A code (or even pre-TF-A code), with a HOB consumer for that UUID/GUID on the other side (i.e. whatever the BL33 image is booting on that platform).
>>
>>
>>
>> Essentially, the idea is if someone would like to support HOB structures in a standard way using TF-A, they would wrap it up in a BL_AUX_PARAM/BLOB structure (whatever the group decides) and the way we identify the structure as a HOB list is with this new reserved tag.
>>
>>
>>
>> Hopefully that makes sense and less contentious. Look forward to discuss this further on the call.
>>
>>
>>
>> Thanks,
>>
>> --Harb
>>
>>
>>
>> From: Manish Pandey2 <Manish.Pandey2(a)arm.com>
>> Sent: Friday, April 30, 2021 8:14 AM
>> To: François Ozog <francois.ozog(a)linaro.org>
>> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Hi All,
>>
>>
>>
>> Please find invite for next TF-A Tech Forum session to continue our discussions on HOB implementation, feel free to forward it to others.
>>
>>
>>
>> The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST).
>>
>>
>>
>> Agenda:
>>
>> Discussion Session: Static and Dynamic Information Handling in TF-A
>>
>> Lead by Manish Pandey and Madhukar Pappireddy
>>
>> · There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages.
>>
>> The requirement is two-fold:
>>
>> 1. Passing static information(config files)
>>
>> 2. Passing dynamic information (Hob list)
>>
>> In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects.
>>
>>
>>
>> The two specific item which we would like to discuss are:
>>
>> 1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both?
>>
>> 2. Standardization on Physical register use to pass base of HoB data structure.
>>
>> References:
>>
>> [1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html
>>
>> [2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%
>>
>>
>>
>> Thanks
>>
>>
>>
>> Joanna
>>
>>
>>
>> You have been invited to the following event.
>>
>> TF-A Tech Forum
>>
>> When
>>
>> Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time
>>
>> Calendar
>>
>> tf-a(a)lists.trustedfirmware.org
>>
>> Who
>>
>> •
>>
>> Bill Fletcher- creator
>>
>> •
>>
>> tf-a(a)lists.trustedfirmware.org
>>
>> more details »
>>
>>
>>
>> We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC.
>>
>>
>>
>> Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/
>>
>>
>>
>> Trusted Firmware is inviting you to a scheduled Zoom meeting.
>>
>>
>>
>> Join Zoom Meeting
>>
>> https://zoom.us/j/9159704974
>>
>>
>>
>> Meeting ID: 915 970 4974
>>
>>
>>
>> One tap mobile
>>
>> +16465588656,,9159704974# US (New York)
>>
>> +16699009128,,9159704974# US (San Jose)
>>
>>
>>
>> Dial by your location
>>
>> +1 646 558 8656 US (New York)
>>
>> +1 669 900 9128 US (San Jose)
>>
>> 877 853 5247 US Toll-free
>>
>> 888 788 0099 US Toll-free
>>
>> Meeting ID: 915 970 4974
>>
>> Find your local number: https://zoom.us/u/ad27hc6t7h
>>
>>
>>
>> ________________________________
>>
>> From: François Ozog <francois.ozog(a)linaro.org>
>> Sent: 08 April 2021 16:50
>> To: Manish Pandey2 <Manish.Pandey2(a)arm.com>
>> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Hi
>>
>>
>>
>> here is the meeting recording:
>>
>> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%z
>>
>>
>>
>> I am really sorry about the confusion related to the meeting time. I have now understood: the Collaborate portal uses a specific calendar which is tied to US/Chicago timezone while the actual Google Calendar is tied to Central Europe timezone. I am going to drop the Collaborate portal and use a shared Google calendar (it should be visible on the trusted-substrate.org page).
>>
>>
>>
>> I'll try to summarize what I learnt and highlight my view on what can be next steps in a future mail.
>>
>>
>>
>> Cheers
>>
>>
>>
>> FF
>>
>>
>>
>> On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi,
>>
>>
>>
>> From TF-A project point of view, we prefer to use existing mechanism to pass parameters across boot stages using linked list of tagged elements (as suggested by Julius). It has support for both generic and SiP-specific tags. Having said that, it does not stop partners to introduce new mechanisms suitable for their usecase in platform port initially and later move to generic code if its suitable for other platforms.
>>
>>
>>
>> To start with, Ampere can introduce a platform specific implementation of memory tag(speed/NUMA topology etc) which can be evaluated and discussed for generalization in future. The tag will be populated in BL2 stage and can be forwarded to further stages(and to BL33) by passing the head of list pointer in one of the registers. Initially any register can be used but going forward a standardization will be needed.
>>
>>
>>
>> The U-boot bloblist mentioned by Simon is conceptually similar to what TF-A is using, if there is consensus of using bloblist/taglist then TF-A tag list may be enhanced to take best of both the implementations.
>>
>>
>>
>> One of the potential problems of having structure used in different projects is maintainability, this can be avoided by having a single copy of these structures in TF-A (kept inside "include/export" which intended to be used by other projects.)
>>
>>
>>
>> Regarding usage of either UUID or tag, I echo the sentiments of Simon and Julius to keep it simple and use tag values.
>>
>>
>>
>> Looking forward to having further discussions on zoom call today.
>>
>>
>>
>> Thanks
>>
>> Manish P
>>
>>
>>
>> ________________________________
>>
>> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org>
>> Sent: 25 March 2021 02:43
>> To: Simon Glass <sjg(a)chromium.org>
>> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Just want to point out that TF-A currently already supports a (very simple) mechanism like this:
>>
>>
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>>
>>
>> It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31.
>>
>>
>>
>> I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once.
>>
>>
>>
>> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi Harb,
>>
>>
>>
>> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote:
>>
>> Hello Folks,
>>
>> Appreciate the feedback and replies on this. Glad to see that there is interest in this topic.
>>
>>
>>
>> I try to address the comments/feedback from Francois and Simon below….
>>
>>
>>
>> @François Ozog – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT.
>>
>>
>>
>> Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases.
>>
>>
>>
>> The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM).
>>
>>
>>
>> Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model:
>>
>> “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances
>> “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances.
>>
>>
>>
>> Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code.
>>
>>
>>
>> To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software.
>>
>>
>>
>> I understand the versatility of DT, but I see two major problems with DT:
>>
>> DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained.
>> DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob)
>>
>>
>>
>> I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs).
>>
>>
>>
>> Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls.
>>
>>
>>
>> Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call.
>>
>>
>>
>> @Simon Glass - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for.
>>
>>
>>
>> That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about.
>>
>>
>>
>> The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use.
>>
>>
>>
>> I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors.
>>
>>
>>
>> True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code:
>>
>>
>>
>> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \
>> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \
>> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55)
>>
>> (etc.)
>>
>>
>>
>> static struct guid_name {
>> efi_guid_t guid;
>> const char *name;
>> } guid_name[] = {
>> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" },
>> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" },
>> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" },
>> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" },
>> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" },
>> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" },
>> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" },
>> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" },
>>
>> (never figured out what those two are)
>>
>>
>> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" },
>> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" },
>> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" },
>> { {}, "zero-guid" },
>> {}
>> };
>>
>> static const char *guid_to_name(const efi_guid_t *guid)
>> {
>> struct guid_name *entry;
>>
>> for (entry = guid_name; entry->name; entry++) {
>> if (!guidcmp(guid, &entry->guid))
>> return entry->name;
>> }
>>
>> return NULL;
>> }
>>
>>
>>
>> Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory.
>>
>>
>>
>>
>>
>> We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB.
>>
>>
>>
>> Indeed. There is certainly value in both approaches.
>>
>>
>>
>> Regards,
>>
>> Simon
>>
>>
>>
>>
>>
>> Thanks,
>>
>> --Harb
>>
>>
>>
>> From: François Ozog <francois.ozog(a)linaro.org>
>> Sent: Tuesday, March 23, 2021 10:00 AM
>> To: François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org>
>> Cc: Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> +Ron Minnich +Paul Isaac's
>>
>>
>>
>> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts.
>>
>>
>>
>> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi,
>>
>>
>>
>> I propose we cover the topic at the next Trusted Substrate zoom call on April 8th 4pm CET.
>>
>>
>>
>> The agenda:
>>
>> ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions.
>>
>> runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing.
>>
>>
>>
>> For additional background on existing metadata: UEFI Platform Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB
>>
>> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY.
>>
>> This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains.
>>
>> HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested).
>>
>>
>>
>> There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2.
>>
>> I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls).
>>
>>
>>
>> Requirements (to be validated):
>>
>> - ACPI and DT hardware descriptions.
>>
>> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2)
>>
>> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot)
>>
>> - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages)
>>
>> - support secure world device assignment
>>
>>
>>
>> Cheers
>>
>>
>>
>> FF
>>
>>
>>
>>
>>
>> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote:
>>
>> Hi,
>>
>> Can I suggest using bloblist for this instead? It is lightweight,
>> easier to parse, doesn't have GUIDs and is already used within U-Boot
>> for passing info between SPL/U-Boot, etc.
>>
>> Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist
>> Header file describes the format:
>> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h
>>
>> Full set of unit tests:
>> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c
>>
>> Regards,
>> Simon
>>
>> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> wrote:
>> >
>> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>
>> >
>> > standardization is very much welcomed here and need to accommodate a very
>> > diverse set of situations.
>> > For example, TEE OS may need to pass memory reservations to BL33 or
>> > "capture" a device for the secure world.
>> >
>> > I have observed a number of architectures:
>> > 1) pass information from BLx to BLy in the form of a specific object
>> > 2) BLx called by BLy by a platform specific SMC to get information
>> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree
>> > fixups
>> >
>> > I also imagined a standardized "broadcast" FF-A call so that any firmware
>> > element can either provide information or "do something".
>> >
>> > My understanding of your proposal is about standardizing on architecture 1)
>> > with the HOB format.
>> >
>> > The advantage of the HOB is simplicity but it may be difficult to implement
>> > schemes such as pruning a DT because device assignment in the secure world.
>> >
>> > In any case, it looks feasible to have TF-A and OP-TEE complement the list
>> > of HOBs to pass information downstream (the bootflow).
>> >
>> > It would be good to start with building the comprehensive list of
>> > information that need to be conveyed between firmware elements:
>> >
>> > information. | authoritative entity | reporting entity | information
>> > exchanged:
>> > dram | TFA | TFA |
>> > <format to be detailed, NUMA topology to build the SRAT table or DT
>> > equivalent?>
>> > PSCI | SCP | TFA? |
>> > SCMI | SCP or TEE-OS | TFA? TEE-OS?|
>> > secure SRAM | TFA. | TFA. |
>> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? |
>> > other? | |
>> > |
>> >
>> > Cheers
>> >
>> > FF
>> >
>> >
>> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A <
>> > tf-a(a)lists.trustedfirmware.org> wrote:
>> >
>> > > Hello Folks,
>> > >
>> > >
>> > >
>> > > I'm emailing to start an open discussion about the adoption of a concept
>> > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware
>> > > Framework Architecture (FFA). This is something that is a pretty major
>> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s
>> > > designed to enable a broad range of highly configurable datacenter
>> > > platforms.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > What is a HOB (Background)?
>> > >
>> > > ---------------------------
>> > >
>> > > UEFI PI spec describes a particular definition for how HOB may be used for
>> > > transitioning between the PEI and DXE boot phases, which is a good
>> > > reference point for this discussion, but not necessarily the exact solution
>> > > appropriate for TF-A.
>> > >
>> > >
>> > >
>> > > A HOB is simply a dynamically generated data structure passed in between
>> > > two boot phases. This is information that was obtained through discovery
>> > > and needs to be passed forward to the next boot phase *once*, with no API
>> > > needed to call back (e.g. no call back into previous firmware phase is
>> > > needed to fetch this information at run-time - it is simply passed one time
>> > > during boot).
>> > >
>> > >
>> > >
>> > > There may be one or more HOBs passed in between boot phases. If there are
>> > > more than one HOB that needs to be passed, this can be in a form of a "HOB
>> > > table", which (for example) could be a UUID indexed array of pointers to
>> > > HOB structures, used to locate a HOB of interest (based on UUID). In such
>> > > cases, instead of passing a single HOB, the boot phases may rely on passing
>> > > the pointer to the HOB table.
>> > >
>> > >
>> > >
>> > > This has been extremely useful concept to employ on highly configurable
>> > > systems that must rely on flexible discovery mechanisms to initialize and
>> > > boot the system. This is especially helpful when you have multiple
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > Why do we need HOBs in TF-A?:
>> > >
>> > > -----------------------------
>> > >
>> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in
>> > > a way that is SoC specific *but* platform agnostic. This means that a
>> > > single ARM SoC that a SiP may deliver to customers may provide a single
>> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad
>> > > range of platform designs and configurations in order to boot a platform
>> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to
>> > > achieve this, the platform configuration must be *discovered* instead of
>> > > statically compiled as it is today in TF-A via device tree based
>> > > enumeration. The mechanisms of discovery may differ broadly depending on
>> > > the relevant industry standard, or in some cases may have rely on SiP
>> > > specific discovery flows.
>> > >
>> > >
>> > >
>> > > For example: On server systems that support a broad range DIMM memory
>> > > population/topologies, all the necessary information required to boot is
>> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an
>> > > I2C bus. Leveraging the SPD bus, may platform variants could be supported
>> > > with a single TF-A binary. Not only is this information required to
>> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot
>> > > phases will also need this SPD info to construct a system physical address
>> > > map and properly initialize the MMU based on the memory present, and where
>> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may
>> > > need to generate standard firmware tables to the operating systems, such as
>> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT,
>> > > SRAT, even NFIT if NVDIMM's are present).
>> > >
>> > >
>> > >
>> > > In short, it all starts with a standardized or vendor specific discovery
>> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of
>> > > information to the next boot stages (e.g. BL31/BL32/BL33).
>> > >
>> > >
>> > >
>> > > Today, every HOB may be a vendor specific structure, but in the future
>> > > there may be benefit of defining standard HOBs. This may be useful for
>> > > memory discovery, passing the system physical address map, enabling TPM
>> > > measured boot, and potentially many other common HOB use-cases.
>> > >
>> > >
>> > >
>> > > It would be extremely beneficial to the datacenter market segment if the
>> > > TF-A community would adopt this concept of information passing between all
>> > > boot phases as opposed to rely solely on device tree enumeration. This is
>> > > not intended to replace device tree, rather intended as an alternative way
>> > > to describe the info that must be discovered and dynamically generated.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > Conclusion:
>> > >
>> > > -----------
>> > >
>> > > We are proposing that the TF-A community begin pursuing the adoption of
>> > > HOBs as a mechanism used for information exchange between each boot stage
>> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we
>> > > want to explore standardizing some HOB structures for the BL33 phase (e.g.
>> > > UEFI HOB structures), but initially would like to agree on this being a
>> > > useful mechanism used to pass information between each boot stage.
>> > >
>> > >
>> > >
>> > > Thanks,
>> > >
>> > > --Harb
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > --
>> > > TF-A mailing list
>> > > TF-A(a)lists.trustedfirmware.org
>> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>> > >
>> >
>> >
>> > --
>> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
>> > T: +33.67221.6485
>> > francois.ozog(a)linaro.org | Skype: ffozog
>> > _______________________________________________
>> > boot-architecture mailing list
>> > boot-architecture(a)lists.linaro.org
>> > https://lists.linaro.org/mailman/listinfo/boot-architecture
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-a
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-a
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-a
5 years, 1 month
- 1
- 0
Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
by Madhukar Pappireddy
Hi,
I tried to summarize the discussions in the previous TF-A tech forum regarding the proposal to adopt Hand-off Blocks (HOBs) for passing information along the boot chain. I am certain I could not capture all suggestions/concerns brought up during the call. I apologize if I missed and/or misinterpreted any comments and would appreciate it if everyone could share their thoughts in response to this email thread.
The idea is to share information to other boot phases:
> Dynamic information: Created during runtime. Shared in the form of a chain of blobs(built as a linked list of C structure objects i.e., HOB list).
> Static information: Known at compile time. Historically, shared through the use of Device Tree/ACPI tables
Both the above requirements are common in many ecosystems and need to co-exist.
There are broadly 3 problems to solve:
1. Format of HOB structures: It looks like the consensus is that we could use existing mechanisms for this (BL_AUX_PARAM in TF-A or bloblist in u-boot).
2. Identification of HOB list entries: There is a debate about whether tags would suffice or if the HOB list producer and consumer would depend on UUID/GUIDs for identifying a specific HOB structure. Another suggestion was to use a hybrid approach. Reserve a single tag ID for identifying/constructing a HOB structure that further leverages UUID based identifier. This way, the generic HOB list doesn't need to support UUIDs and can work with tags.
3. The design contract for the static interface between two boot phases: The problem at hand is whether to pass a pointer to a HOB list or a device tree blob through the general-purpose registers for configuration hand-off between two boot phases. Some proposals that came up:
> Proposal 1: Always pass a pointer to the device tree blob through the GP register and capture the pointer to the HOB list as a property of a node that is uniquely identifiable by the downstream boot phase. This needs to define a device tree binding such that producer and consumer agree on the information passed.
> Proposal 2: Pass a pointer to a generic container through the GP register that can be interpreted appropriately by both boot loaders(i.e., producer and consumer of the boot info). This container can either be a dtb or a HOB list which can be simply inferred by checking for a magic header that indicates if the buffer appears to be a flattened device tree.
> One another concern that was brought up offline is to make sure we don't break current design contracts between various boot loader phases in TF-A. Many of the general-purpose registers have a designated purpose such as to share configurations between BL images( such as firmware config dtb, SoC config dtb, Non trusted firmware config dtb, memory layout, entry point info, etc.).
If I am not mistaken, a single design may not fit the needs of every segment(client, Infra, embedded) and the forum is open to solutions tailored for individual segments. Joanna will be sending a follow up email with more information about future TF-A tech forums that serves as a platform for further discussions.
Thanks,
Madhukar
-----Original Message-----
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Joanna Farley via TF-A
Sent: Sunday, May 16, 2021 5:19 AM
To: Okash Khawaja <okash.khawaja(a)gmail.com>; Simon Glass <sjg(a)chromium.org>
Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; Ed Stuber <edstuber(a)amperecomputing.com>; Arjun Khare <akhare(a)amperecomputing.com>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Moe Ammar <moe(a)amperecomputing.com>
Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
Apologies I failed with the recording. Manish/Madhu will reply early next week with the slides and some notes to help with a follow up session which we hope to hold this Thursday. Invite and agenda will also be sent out early next week.
Thanks
Joanna
On 14/05/2021, 13:30, "TF-A on behalf of Okash Khawaja via TF-A" <tf-a-bounces(a)lists.trustedfirmware.org on behalf of tf-a(a)lists.trustedfirmware.org> wrote:
Hi,
Do we have slides and video from last week's discussion?
Thanks,
Okash
On Wed, May 5, 2021 at 11:52 PM Simon Glass via TF-A
<tf-a(a)lists.trustedfirmware.org> wrote:
>
> Hi Harb,
>
> Thanks for the idea. I am still not completely sure what benefit UUID provides to an open project. I'd like to propose something different, more in the spirit of open collaboration. I also worry that the word 'standard' seems to be a synonym for UUIDs, UEFI, etc., i.e. enabling/preferring closed-source firmware and the continued decline of open-source projects. It really should not be.
>
> So I suggest: Use simple integer IDs and reserve some area for 'private' use. If you want to collaborate across projects outside your company, you either need to allocate a 'public' ID or agree privately between the parties which private ID to use.
>
> This means that the default and easiest option is for collaboration and a public ID, with private ones (whose purpose may be secret) reserved just for private use.
>
> Regards,
> Simon
>
> On Wed, 5 May 2021 at 11:42, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote:
>>
>> Hey Folks,
>>
>> We wanted to put out a middle-ground proposal to help guide the discussion on the call tomorrow.
>>
>>
>>
>> A proposal that we have been discussing offline involves reserving a single tag ID for the purpose of construction UEFI PI HOB List structure, and that tag would be used to identify a HOB-specific structure that does leverage UUID based identifier. This will eliminate the burden of having to support UUID as the tag, and this enables projects that require UUID based identifiers for the broad range of HOB structures that need to be produced during the booting of the platform. Once we have a tag for a HOB list, this will enable various HOB producers that can add/extend the HOB list in TF-A code (or even pre-TF-A code), with a HOB consumer for that UUID/GUID on the other side (i.e. whatever the BL33 image is booting on that platform).
>>
>>
>>
>> Essentially, the idea is if someone would like to support HOB structures in a standard way using TF-A, they would wrap it up in a BL_AUX_PARAM/BLOB structure (whatever the group decides) and the way we identify the structure as a HOB list is with this new reserved tag.
>>
>>
>>
>> Hopefully that makes sense and less contentious. Look forward to discuss this further on the call.
>>
>>
>>
>> Thanks,
>>
>> --Harb
>>
>>
>>
>> From: Manish Pandey2 <Manish.Pandey2(a)arm.com>
>> Sent: Friday, April 30, 2021 8:14 AM
>> To: François Ozog <francois.ozog(a)linaro.org>
>> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Hi All,
>>
>>
>>
>> Please find invite for next TF-A Tech Forum session to continue our discussions on HOB implementation, feel free to forward it to others.
>>
>>
>>
>> The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST).
>>
>>
>>
>> Agenda:
>>
>> Discussion Session: Static and Dynamic Information Handling in TF-A
>>
>> Lead by Manish Pandey and Madhukar Pappireddy
>>
>> · There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages.
>>
>> The requirement is two-fold:
>>
>> 1. Passing static information(config files)
>>
>> 2. Passing dynamic information (Hob list)
>>
>> In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects.
>>
>>
>>
>> The two specific item which we would like to discuss are:
>>
>> 1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both?
>>
>> 2. Standardization on Physical register use to pass base of HoB data structure.
>>
>> References:
>>
>> [1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html
>>
>> [2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%
>>
>>
>>
>> Thanks
>>
>>
>>
>> Joanna
>>
>>
>>
>> You have been invited to the following event.
>>
>> TF-A Tech Forum
>>
>> When
>>
>> Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time
>>
>> Calendar
>>
>> tf-a(a)lists.trustedfirmware.org
>>
>> Who
>>
>> •
>>
>> Bill Fletcher- creator
>>
>> •
>>
>> tf-a(a)lists.trustedfirmware.org
>>
>> more details »
>>
>>
>>
>> We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC.
>>
>>
>>
>> Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/
>>
>>
>>
>> Trusted Firmware is inviting you to a scheduled Zoom meeting.
>>
>>
>>
>> Join Zoom Meeting
>>
>> https://zoom.us/j/9159704974
>>
>>
>>
>> Meeting ID: 915 970 4974
>>
>>
>>
>> One tap mobile
>>
>> +16465588656,,9159704974# US (New York)
>>
>> +16699009128,,9159704974# US (San Jose)
>>
>>
>>
>> Dial by your location
>>
>> +1 646 558 8656 US (New York)
>>
>> +1 669 900 9128 US (San Jose)
>>
>> 877 853 5247 US Toll-free
>>
>> 888 788 0099 US Toll-free
>>
>> Meeting ID: 915 970 4974
>>
>> Find your local number: https://zoom.us/u/ad27hc6t7h
>>
>>
>>
>> ________________________________
>>
>> From: François Ozog <francois.ozog(a)linaro.org>
>> Sent: 08 April 2021 16:50
>> To: Manish Pandey2 <Manish.Pandey2(a)arm.com>
>> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Hi
>>
>>
>>
>> here is the meeting recording:
>>
>> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%z
>>
>>
>>
>> I am really sorry about the confusion related to the meeting time. I have now understood: the Collaborate portal uses a specific calendar which is tied to US/Chicago timezone while the actual Google Calendar is tied to Central Europe timezone. I am going to drop the Collaborate portal and use a shared Google calendar (it should be visible on the trusted-substrate.org page).
>>
>>
>>
>> I'll try to summarize what I learnt and highlight my view on what can be next steps in a future mail.
>>
>>
>>
>> Cheers
>>
>>
>>
>> FF
>>
>>
>>
>> On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi,
>>
>>
>>
>> From TF-A project point of view, we prefer to use existing mechanism to pass parameters across boot stages using linked list of tagged elements (as suggested by Julius). It has support for both generic and SiP-specific tags. Having said that, it does not stop partners to introduce new mechanisms suitable for their usecase in platform port initially and later move to generic code if its suitable for other platforms.
>>
>>
>>
>> To start with, Ampere can introduce a platform specific implementation of memory tag(speed/NUMA topology etc) which can be evaluated and discussed for generalization in future. The tag will be populated in BL2 stage and can be forwarded to further stages(and to BL33) by passing the head of list pointer in one of the registers. Initially any register can be used but going forward a standardization will be needed.
>>
>>
>>
>> The U-boot bloblist mentioned by Simon is conceptually similar to what TF-A is using, if there is consensus of using bloblist/taglist then TF-A tag list may be enhanced to take best of both the implementations.
>>
>>
>>
>> One of the potential problems of having structure used in different projects is maintainability, this can be avoided by having a single copy of these structures in TF-A (kept inside "include/export" which intended to be used by other projects.)
>>
>>
>>
>> Regarding usage of either UUID or tag, I echo the sentiments of Simon and Julius to keep it simple and use tag values.
>>
>>
>>
>> Looking forward to having further discussions on zoom call today.
>>
>>
>>
>> Thanks
>>
>> Manish P
>>
>>
>>
>> ________________________________
>>
>> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org>
>> Sent: 25 March 2021 02:43
>> To: Simon Glass <sjg(a)chromium.org>
>> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Just want to point out that TF-A currently already supports a (very simple) mechanism like this:
>>
>>
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>>
>>
>> It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31.
>>
>>
>>
>> I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once.
>>
>>
>>
>> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi Harb,
>>
>>
>>
>> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote:
>>
>> Hello Folks,
>>
>> Appreciate the feedback and replies on this. Glad to see that there is interest in this topic.
>>
>>
>>
>> I try to address the comments/feedback from Francois and Simon below….
>>
>>
>>
>> @François Ozog – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT.
>>
>>
>>
>> Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases.
>>
>>
>>
>> The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM).
>>
>>
>>
>> Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model:
>>
>> “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances
>> “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances.
>>
>>
>>
>> Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code.
>>
>>
>>
>> To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software.
>>
>>
>>
>> I understand the versatility of DT, but I see two major problems with DT:
>>
>> DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained.
>> DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob)
>>
>>
>>
>> I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs).
>>
>>
>>
>> Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls.
>>
>>
>>
>> Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call.
>>
>>
>>
>> @Simon Glass - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for.
>>
>>
>>
>> That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about.
>>
>>
>>
>> The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use.
>>
>>
>>
>> I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors.
>>
>>
>>
>> True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code:
>>
>>
>>
>> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \
>> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \
>> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55)
>>
>> (etc.)
>>
>>
>>
>> static struct guid_name {
>> efi_guid_t guid;
>> const char *name;
>> } guid_name[] = {
>> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" },
>> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" },
>> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" },
>> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" },
>> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" },
>> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" },
>> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" },
>> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" },
>>
>> (never figured out what those two are)
>>
>>
>> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" },
>> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" },
>> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" },
>> { {}, "zero-guid" },
>> {}
>> };
>>
>> static const char *guid_to_name(const efi_guid_t *guid)
>> {
>> struct guid_name *entry;
>>
>> for (entry = guid_name; entry->name; entry++) {
>> if (!guidcmp(guid, &entry->guid))
>> return entry->name;
>> }
>>
>> return NULL;
>> }
>>
>>
>>
>> Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory.
>>
>>
>>
>>
>>
>> We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB.
>>
>>
>>
>> Indeed. There is certainly value in both approaches.
>>
>>
>>
>> Regards,
>>
>> Simon
>>
>>
>>
>>
>>
>> Thanks,
>>
>> --Harb
>>
>>
>>
>> From: François Ozog <francois.ozog(a)linaro.org>
>> Sent: Tuesday, March 23, 2021 10:00 AM
>> To: François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org>
>> Cc: Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> +Ron Minnich +Paul Isaac's
>>
>>
>>
>> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts.
>>
>>
>>
>> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi,
>>
>>
>>
>> I propose we cover the topic at the next Trusted Substrate zoom call on April 8th 4pm CET.
>>
>>
>>
>> The agenda:
>>
>> ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions.
>>
>> runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing.
>>
>>
>>
>> For additional background on existing metadata: UEFI Platform Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB
>>
>> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY.
>>
>> This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains.
>>
>> HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested).
>>
>>
>>
>> There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2.
>>
>> I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls).
>>
>>
>>
>> Requirements (to be validated):
>>
>> - ACPI and DT hardware descriptions.
>>
>> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2)
>>
>> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot)
>>
>> - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages)
>>
>> - support secure world device assignment
>>
>>
>>
>> Cheers
>>
>>
>>
>> FF
>>
>>
>>
>>
>>
>> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote:
>>
>> Hi,
>>
>> Can I suggest using bloblist for this instead? It is lightweight,
>> easier to parse, doesn't have GUIDs and is already used within U-Boot
>> for passing info between SPL/U-Boot, etc.
>>
>> Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist
>> Header file describes the format:
>> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h
>>
>> Full set of unit tests:
>> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c
>>
>> Regards,
>> Simon
>>
>> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> wrote:
>> >
>> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>
>> >
>> > standardization is very much welcomed here and need to accommodate a very
>> > diverse set of situations.
>> > For example, TEE OS may need to pass memory reservations to BL33 or
>> > "capture" a device for the secure world.
>> >
>> > I have observed a number of architectures:
>> > 1) pass information from BLx to BLy in the form of a specific object
>> > 2) BLx called by BLy by a platform specific SMC to get information
>> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree
>> > fixups
>> >
>> > I also imagined a standardized "broadcast" FF-A call so that any firmware
>> > element can either provide information or "do something".
>> >
>> > My understanding of your proposal is about standardizing on architecture 1)
>> > with the HOB format.
>> >
>> > The advantage of the HOB is simplicity but it may be difficult to implement
>> > schemes such as pruning a DT because device assignment in the secure world.
>> >
>> > In any case, it looks feasible to have TF-A and OP-TEE complement the list
>> > of HOBs to pass information downstream (the bootflow).
>> >
>> > It would be good to start with building the comprehensive list of
>> > information that need to be conveyed between firmware elements:
>> >
>> > information. | authoritative entity | reporting entity | information
>> > exchanged:
>> > dram | TFA | TFA |
>> > <format to be detailed, NUMA topology to build the SRAT table or DT
>> > equivalent?>
>> > PSCI | SCP | TFA? |
>> > SCMI | SCP or TEE-OS | TFA? TEE-OS?|
>> > secure SRAM | TFA. | TFA. |
>> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? |
>> > other? | |
>> > |
>> >
>> > Cheers
>> >
>> > FF
>> >
>> >
>> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A <
>> > tf-a(a)lists.trustedfirmware.org> wrote:
>> >
>> > > Hello Folks,
>> > >
>> > >
>> > >
>> > > I'm emailing to start an open discussion about the adoption of a concept
>> > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware
>> > > Framework Architecture (FFA). This is something that is a pretty major
>> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s
>> > > designed to enable a broad range of highly configurable datacenter
>> > > platforms.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > What is a HOB (Background)?
>> > >
>> > > ---------------------------
>> > >
>> > > UEFI PI spec describes a particular definition for how HOB may be used for
>> > > transitioning between the PEI and DXE boot phases, which is a good
>> > > reference point for this discussion, but not necessarily the exact solution
>> > > appropriate for TF-A.
>> > >
>> > >
>> > >
>> > > A HOB is simply a dynamically generated data structure passed in between
>> > > two boot phases. This is information that was obtained through discovery
>> > > and needs to be passed forward to the next boot phase *once*, with no API
>> > > needed to call back (e.g. no call back into previous firmware phase is
>> > > needed to fetch this information at run-time - it is simply passed one time
>> > > during boot).
>> > >
>> > >
>> > >
>> > > There may be one or more HOBs passed in between boot phases. If there are
>> > > more than one HOB that needs to be passed, this can be in a form of a "HOB
>> > > table", which (for example) could be a UUID indexed array of pointers to
>> > > HOB structures, used to locate a HOB of interest (based on UUID). In such
>> > > cases, instead of passing a single HOB, the boot phases may rely on passing
>> > > the pointer to the HOB table.
>> > >
>> > >
>> > >
>> > > This has been extremely useful concept to employ on highly configurable
>> > > systems that must rely on flexible discovery mechanisms to initialize and
>> > > boot the system. This is especially helpful when you have multiple
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > Why do we need HOBs in TF-A?:
>> > >
>> > > -----------------------------
>> > >
>> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in
>> > > a way that is SoC specific *but* platform agnostic. This means that a
>> > > single ARM SoC that a SiP may deliver to customers may provide a single
>> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad
>> > > range of platform designs and configurations in order to boot a platform
>> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to
>> > > achieve this, the platform configuration must be *discovered* instead of
>> > > statically compiled as it is today in TF-A via device tree based
>> > > enumeration. The mechanisms of discovery may differ broadly depending on
>> > > the relevant industry standard, or in some cases may have rely on SiP
>> > > specific discovery flows.
>> > >
>> > >
>> > >
>> > > For example: On server systems that support a broad range DIMM memory
>> > > population/topologies, all the necessary information required to boot is
>> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an
>> > > I2C bus. Leveraging the SPD bus, may platform variants could be supported
>> > > with a single TF-A binary. Not only is this information required to
>> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot
>> > > phases will also need this SPD info to construct a system physical address
>> > > map and properly initialize the MMU based on the memory present, and where
>> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may
>> > > need to generate standard firmware tables to the operating systems, such as
>> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT,
>> > > SRAT, even NFIT if NVDIMM's are present).
>> > >
>> > >
>> > >
>> > > In short, it all starts with a standardized or vendor specific discovery
>> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of
>> > > information to the next boot stages (e.g. BL31/BL32/BL33).
>> > >
>> > >
>> > >
>> > > Today, every HOB may be a vendor specific structure, but in the future
>> > > there may be benefit of defining standard HOBs. This may be useful for
>> > > memory discovery, passing the system physical address map, enabling TPM
>> > > measured boot, and potentially many other common HOB use-cases.
>> > >
>> > >
>> > >
>> > > It would be extremely beneficial to the datacenter market segment if the
>> > > TF-A community would adopt this concept of information passing between all
>> > > boot phases as opposed to rely solely on device tree enumeration. This is
>> > > not intended to replace device tree, rather intended as an alternative way
>> > > to describe the info that must be discovered and dynamically generated.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > Conclusion:
>> > >
>> > > -----------
>> > >
>> > > We are proposing that the TF-A community begin pursuing the adoption of
>> > > HOBs as a mechanism used for information exchange between each boot stage
>> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we
>> > > want to explore standardizing some HOB structures for the BL33 phase (e.g.
>> > > UEFI HOB structures), but initially would like to agree on this being a
>> > > useful mechanism used to pass information between each boot stage.
>> > >
>> > >
>> > >
>> > > Thanks,
>> > >
>> > > --Harb
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > --
>> > > TF-A mailing list
>> > > TF-A(a)lists.trustedfirmware.org
>> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>> > >
>> >
>> >
>> > --
>> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
>> > T: +33.67221.6485
>> > francois.ozog(a)linaro.org | Skype: ffozog
>> > _______________________________________________
>> > boot-architecture mailing list
>> > boot-architecture(a)lists.linaro.org
>> > https://lists.linaro.org/mailman/listinfo/boot-architecture
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-a
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-a
5 years, 1 month
- 1
- 0
[PATCH v1] imx8mp: silent uart
by Heiko Schocher
when bootloaders and kernels console output is disabled,
(called silent boot) no output on console is recommended.
Add commandline option IMX_BOOT_SILENT to disable
console registration at all.
Default value is 0, so patch does not change current
functionality.
Signed-off-by: Heiko Schocher <hs(a)denx.de>
---
I just added this to imx8mp, but may this option is
useful on other platforms too?
plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c | 4 ++++
plat/imx/imx8m/imx8mp/platform.mk | 3 +++
2 files changed, 7 insertions(+)
diff --git a/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c b/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c
index 22fbd5e4b..d75143270 100644
--- a/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c
+++ b/plat/imx/imx8m/imx8mp/imx8mp_bl31_setup.c
@@ -95,7 +95,9 @@ static void bl31_tzc380_setup(void)
void bl31_early_platform_setup2(u_register_t arg0, u_register_t arg1,
u_register_t arg2, u_register_t arg3)
{
+#if (IMX_BOOT_SILENT == 0)
static console_t console;
+#endif
unsigned int i;
/* Enable CSU NS access permission */
@@ -109,10 +111,12 @@ void bl31_early_platform_setup2(u_register_t arg0, u_register_t arg1,
imx8m_caam_init();
+#if (IMX_BOOT_SILENT == 0)
console_imx_uart_register(IMX_BOOT_UART_BASE, IMX_BOOT_UART_CLK_IN_HZ,
IMX_CONSOLE_BAUDRATE, &console);
/* This console is only used for boot stage */
console_set_scope(&console, CONSOLE_FLAG_BOOT);
+#endif
/*
* tell BL3-1 where the non-secure software image is located
diff --git a/plat/imx/imx8m/imx8mp/platform.mk b/plat/imx/imx8m/imx8mp/platform.mk
index 1d11e3df4..471c96e70 100644
--- a/plat/imx/imx8m/imx8mp/platform.mk
+++ b/plat/imx/imx8m/imx8mp/platform.mk
@@ -54,3 +54,6 @@ $(eval $(call add_define,BL32_SIZE))
IMX_BOOT_UART_BASE ?= 0x30890000
$(eval $(call add_define,IMX_BOOT_UART_BASE))
+
+IMX_BOOT_SILENT ?= 0
+$(eval $(call add_define,IMX_BOOT_SILENT))
--
2.30.2
5 years, 1 month
- 1
- 0
Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
by Joanna Farley
Apologies I failed with the recording. Manish/Madhu will reply early next week with the slides and some notes to help with a follow up session which we hope to hold this Thursday. Invite and agenda will also be sent out early next week.
Thanks
Joanna
On 14/05/2021, 13:30, "TF-A on behalf of Okash Khawaja via TF-A" <tf-a-bounces(a)lists.trustedfirmware.org on behalf of tf-a(a)lists.trustedfirmware.org> wrote:
Hi,
Do we have slides and video from last week's discussion?
Thanks,
Okash
On Wed, May 5, 2021 at 11:52 PM Simon Glass via TF-A
<tf-a(a)lists.trustedfirmware.org> wrote:
>
> Hi Harb,
>
> Thanks for the idea. I am still not completely sure what benefit UUID provides to an open project. I'd like to propose something different, more in the spirit of open collaboration. I also worry that the word 'standard' seems to be a synonym for UUIDs, UEFI, etc., i.e. enabling/preferring closed-source firmware and the continued decline of open-source projects. It really should not be.
>
> So I suggest: Use simple integer IDs and reserve some area for 'private' use. If you want to collaborate across projects outside your company, you either need to allocate a 'public' ID or agree privately between the parties which private ID to use.
>
> This means that the default and easiest option is for collaboration and a public ID, with private ones (whose purpose may be secret) reserved just for private use.
>
> Regards,
> Simon
>
> On Wed, 5 May 2021 at 11:42, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote:
>>
>> Hey Folks,
>>
>> We wanted to put out a middle-ground proposal to help guide the discussion on the call tomorrow.
>>
>>
>>
>> A proposal that we have been discussing offline involves reserving a single tag ID for the purpose of construction UEFI PI HOB List structure, and that tag would be used to identify a HOB-specific structure that does leverage UUID based identifier. This will eliminate the burden of having to support UUID as the tag, and this enables projects that require UUID based identifiers for the broad range of HOB structures that need to be produced during the booting of the platform. Once we have a tag for a HOB list, this will enable various HOB producers that can add/extend the HOB list in TF-A code (or even pre-TF-A code), with a HOB consumer for that UUID/GUID on the other side (i.e. whatever the BL33 image is booting on that platform).
>>
>>
>>
>> Essentially, the idea is if someone would like to support HOB structures in a standard way using TF-A, they would wrap it up in a BL_AUX_PARAM/BLOB structure (whatever the group decides) and the way we identify the structure as a HOB list is with this new reserved tag.
>>
>>
>>
>> Hopefully that makes sense and less contentious. Look forward to discuss this further on the call.
>>
>>
>>
>> Thanks,
>>
>> --Harb
>>
>>
>>
>> From: Manish Pandey2 <Manish.Pandey2(a)arm.com>
>> Sent: Friday, April 30, 2021 8:14 AM
>> To: François Ozog <francois.ozog(a)linaro.org>
>> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Hi All,
>>
>>
>>
>> Please find invite for next TF-A Tech Forum session to continue our discussions on HOB implementation, feel free to forward it to others.
>>
>>
>>
>> The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST).
>>
>>
>>
>> Agenda:
>>
>> Discussion Session: Static and Dynamic Information Handling in TF-A
>>
>> Lead by Manish Pandey and Madhukar Pappireddy
>>
>> · There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages.
>>
>> The requirement is two-fold:
>>
>> 1. Passing static information(config files)
>>
>> 2. Passing dynamic information (Hob list)
>>
>> In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects.
>>
>>
>>
>> The two specific item which we would like to discuss are:
>>
>> 1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both?
>>
>> 2. Standardization on Physical register use to pass base of HoB data structure.
>>
>> References:
>>
>> [1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html
>>
>> [2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%
>>
>>
>>
>> Thanks
>>
>>
>>
>> Joanna
>>
>>
>>
>> You have been invited to the following event.
>>
>> TF-A Tech Forum
>>
>> When
>>
>> Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time
>>
>> Calendar
>>
>> tf-a(a)lists.trustedfirmware.org
>>
>> Who
>>
>> •
>>
>> Bill Fletcher- creator
>>
>> •
>>
>> tf-a(a)lists.trustedfirmware.org
>>
>> more details »
>>
>>
>>
>> We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC.
>>
>>
>>
>> Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/
>>
>>
>>
>> Trusted Firmware is inviting you to a scheduled Zoom meeting.
>>
>>
>>
>> Join Zoom Meeting
>>
>> https://zoom.us/j/9159704974
>>
>>
>>
>> Meeting ID: 915 970 4974
>>
>>
>>
>> One tap mobile
>>
>> +16465588656,,9159704974# US (New York)
>>
>> +16699009128,,9159704974# US (San Jose)
>>
>>
>>
>> Dial by your location
>>
>> +1 646 558 8656 US (New York)
>>
>> +1 669 900 9128 US (San Jose)
>>
>> 877 853 5247 US Toll-free
>>
>> 888 788 0099 US Toll-free
>>
>> Meeting ID: 915 970 4974
>>
>> Find your local number: https://zoom.us/u/ad27hc6t7h
>>
>>
>>
>> ________________________________
>>
>> From: François Ozog <francois.ozog(a)linaro.org>
>> Sent: 08 April 2021 16:50
>> To: Manish Pandey2 <Manish.Pandey2(a)arm.com>
>> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Hi
>>
>>
>>
>> here is the meeting recording:
>>
>> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%z
>>
>>
>>
>> I am really sorry about the confusion related to the meeting time. I have now understood: the Collaborate portal uses a specific calendar which is tied to US/Chicago timezone while the actual Google Calendar is tied to Central Europe timezone. I am going to drop the Collaborate portal and use a shared Google calendar (it should be visible on the trusted-substrate.org page).
>>
>>
>>
>> I'll try to summarize what I learnt and highlight my view on what can be next steps in a future mail.
>>
>>
>>
>> Cheers
>>
>>
>>
>> FF
>>
>>
>>
>> On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi,
>>
>>
>>
>> From TF-A project point of view, we prefer to use existing mechanism to pass parameters across boot stages using linked list of tagged elements (as suggested by Julius). It has support for both generic and SiP-specific tags. Having said that, it does not stop partners to introduce new mechanisms suitable for their usecase in platform port initially and later move to generic code if its suitable for other platforms.
>>
>>
>>
>> To start with, Ampere can introduce a platform specific implementation of memory tag(speed/NUMA topology etc) which can be evaluated and discussed for generalization in future. The tag will be populated in BL2 stage and can be forwarded to further stages(and to BL33) by passing the head of list pointer in one of the registers. Initially any register can be used but going forward a standardization will be needed.
>>
>>
>>
>> The U-boot bloblist mentioned by Simon is conceptually similar to what TF-A is using, if there is consensus of using bloblist/taglist then TF-A tag list may be enhanced to take best of both the implementations.
>>
>>
>>
>> One of the potential problems of having structure used in different projects is maintainability, this can be avoided by having a single copy of these structures in TF-A (kept inside "include/export" which intended to be used by other projects.)
>>
>>
>>
>> Regarding usage of either UUID or tag, I echo the sentiments of Simon and Julius to keep it simple and use tag values.
>>
>>
>>
>> Looking forward to having further discussions on zoom call today.
>>
>>
>>
>> Thanks
>>
>> Manish P
>>
>>
>>
>> ________________________________
>>
>> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org>
>> Sent: 25 March 2021 02:43
>> To: Simon Glass <sjg(a)chromium.org>
>> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Just want to point out that TF-A currently already supports a (very simple) mechanism like this:
>>
>>
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>>
>>
>> It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31.
>>
>>
>>
>> I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once.
>>
>>
>>
>> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi Harb,
>>
>>
>>
>> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote:
>>
>> Hello Folks,
>>
>> Appreciate the feedback and replies on this. Glad to see that there is interest in this topic.
>>
>>
>>
>> I try to address the comments/feedback from Francois and Simon below….
>>
>>
>>
>> @François Ozog – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT.
>>
>>
>>
>> Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases.
>>
>>
>>
>> The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM).
>>
>>
>>
>> Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model:
>>
>> “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances
>> “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances.
>>
>>
>>
>> Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code.
>>
>>
>>
>> To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software.
>>
>>
>>
>> I understand the versatility of DT, but I see two major problems with DT:
>>
>> DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained.
>> DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob)
>>
>>
>>
>> I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs).
>>
>>
>>
>> Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls.
>>
>>
>>
>> Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call.
>>
>>
>>
>> @Simon Glass - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for.
>>
>>
>>
>> That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about.
>>
>>
>>
>> The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use.
>>
>>
>>
>> I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors.
>>
>>
>>
>> True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code:
>>
>>
>>
>> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \
>> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \
>> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55)
>>
>> (etc.)
>>
>>
>>
>> static struct guid_name {
>> efi_guid_t guid;
>> const char *name;
>> } guid_name[] = {
>> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" },
>> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" },
>> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" },
>> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" },
>> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" },
>> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" },
>> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" },
>> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" },
>>
>> (never figured out what those two are)
>>
>>
>> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" },
>> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" },
>> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" },
>> { {}, "zero-guid" },
>> {}
>> };
>>
>> static const char *guid_to_name(const efi_guid_t *guid)
>> {
>> struct guid_name *entry;
>>
>> for (entry = guid_name; entry->name; entry++) {
>> if (!guidcmp(guid, &entry->guid))
>> return entry->name;
>> }
>>
>> return NULL;
>> }
>>
>>
>>
>> Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory.
>>
>>
>>
>>
>>
>> We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB.
>>
>>
>>
>> Indeed. There is certainly value in both approaches.
>>
>>
>>
>> Regards,
>>
>> Simon
>>
>>
>>
>>
>>
>> Thanks,
>>
>> --Harb
>>
>>
>>
>> From: François Ozog <francois.ozog(a)linaro.org>
>> Sent: Tuesday, March 23, 2021 10:00 AM
>> To: François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org>
>> Cc: Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> +Ron Minnich +Paul Isaac's
>>
>>
>>
>> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts.
>>
>>
>>
>> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi,
>>
>>
>>
>> I propose we cover the topic at the next Trusted Substrate zoom call on April 8th 4pm CET.
>>
>>
>>
>> The agenda:
>>
>> ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions.
>>
>> runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing.
>>
>>
>>
>> For additional background on existing metadata: UEFI Platform Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB
>>
>> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY.
>>
>> This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains.
>>
>> HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested).
>>
>>
>>
>> There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2.
>>
>> I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls).
>>
>>
>>
>> Requirements (to be validated):
>>
>> - ACPI and DT hardware descriptions.
>>
>> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2)
>>
>> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot)
>>
>> - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages)
>>
>> - support secure world device assignment
>>
>>
>>
>> Cheers
>>
>>
>>
>> FF
>>
>>
>>
>>
>>
>> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote:
>>
>> Hi,
>>
>> Can I suggest using bloblist for this instead? It is lightweight,
>> easier to parse, doesn't have GUIDs and is already used within U-Boot
>> for passing info between SPL/U-Boot, etc.
>>
>> Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist
>> Header file describes the format:
>> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h
>>
>> Full set of unit tests:
>> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c
>>
>> Regards,
>> Simon
>>
>> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> wrote:
>> >
>> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>
>> >
>> > standardization is very much welcomed here and need to accommodate a very
>> > diverse set of situations.
>> > For example, TEE OS may need to pass memory reservations to BL33 or
>> > "capture" a device for the secure world.
>> >
>> > I have observed a number of architectures:
>> > 1) pass information from BLx to BLy in the form of a specific object
>> > 2) BLx called by BLy by a platform specific SMC to get information
>> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree
>> > fixups
>> >
>> > I also imagined a standardized "broadcast" FF-A call so that any firmware
>> > element can either provide information or "do something".
>> >
>> > My understanding of your proposal is about standardizing on architecture 1)
>> > with the HOB format.
>> >
>> > The advantage of the HOB is simplicity but it may be difficult to implement
>> > schemes such as pruning a DT because device assignment in the secure world.
>> >
>> > In any case, it looks feasible to have TF-A and OP-TEE complement the list
>> > of HOBs to pass information downstream (the bootflow).
>> >
>> > It would be good to start with building the comprehensive list of
>> > information that need to be conveyed between firmware elements:
>> >
>> > information. | authoritative entity | reporting entity | information
>> > exchanged:
>> > dram | TFA | TFA |
>> > <format to be detailed, NUMA topology to build the SRAT table or DT
>> > equivalent?>
>> > PSCI | SCP | TFA? |
>> > SCMI | SCP or TEE-OS | TFA? TEE-OS?|
>> > secure SRAM | TFA. | TFA. |
>> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? |
>> > other? | |
>> > |
>> >
>> > Cheers
>> >
>> > FF
>> >
>> >
>> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A <
>> > tf-a(a)lists.trustedfirmware.org> wrote:
>> >
>> > > Hello Folks,
>> > >
>> > >
>> > >
>> > > I'm emailing to start an open discussion about the adoption of a concept
>> > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware
>> > > Framework Architecture (FFA). This is something that is a pretty major
>> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s
>> > > designed to enable a broad range of highly configurable datacenter
>> > > platforms.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > What is a HOB (Background)?
>> > >
>> > > ---------------------------
>> > >
>> > > UEFI PI spec describes a particular definition for how HOB may be used for
>> > > transitioning between the PEI and DXE boot phases, which is a good
>> > > reference point for this discussion, but not necessarily the exact solution
>> > > appropriate for TF-A.
>> > >
>> > >
>> > >
>> > > A HOB is simply a dynamically generated data structure passed in between
>> > > two boot phases. This is information that was obtained through discovery
>> > > and needs to be passed forward to the next boot phase *once*, with no API
>> > > needed to call back (e.g. no call back into previous firmware phase is
>> > > needed to fetch this information at run-time - it is simply passed one time
>> > > during boot).
>> > >
>> > >
>> > >
>> > > There may be one or more HOBs passed in between boot phases. If there are
>> > > more than one HOB that needs to be passed, this can be in a form of a "HOB
>> > > table", which (for example) could be a UUID indexed array of pointers to
>> > > HOB structures, used to locate a HOB of interest (based on UUID). In such
>> > > cases, instead of passing a single HOB, the boot phases may rely on passing
>> > > the pointer to the HOB table.
>> > >
>> > >
>> > >
>> > > This has been extremely useful concept to employ on highly configurable
>> > > systems that must rely on flexible discovery mechanisms to initialize and
>> > > boot the system. This is especially helpful when you have multiple
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > Why do we need HOBs in TF-A?:
>> > >
>> > > -----------------------------
>> > >
>> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in
>> > > a way that is SoC specific *but* platform agnostic. This means that a
>> > > single ARM SoC that a SiP may deliver to customers may provide a single
>> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad
>> > > range of platform designs and configurations in order to boot a platform
>> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to
>> > > achieve this, the platform configuration must be *discovered* instead of
>> > > statically compiled as it is today in TF-A via device tree based
>> > > enumeration. The mechanisms of discovery may differ broadly depending on
>> > > the relevant industry standard, or in some cases may have rely on SiP
>> > > specific discovery flows.
>> > >
>> > >
>> > >
>> > > For example: On server systems that support a broad range DIMM memory
>> > > population/topologies, all the necessary information required to boot is
>> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an
>> > > I2C bus. Leveraging the SPD bus, may platform variants could be supported
>> > > with a single TF-A binary. Not only is this information required to
>> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot
>> > > phases will also need this SPD info to construct a system physical address
>> > > map and properly initialize the MMU based on the memory present, and where
>> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may
>> > > need to generate standard firmware tables to the operating systems, such as
>> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT,
>> > > SRAT, even NFIT if NVDIMM's are present).
>> > >
>> > >
>> > >
>> > > In short, it all starts with a standardized or vendor specific discovery
>> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of
>> > > information to the next boot stages (e.g. BL31/BL32/BL33).
>> > >
>> > >
>> > >
>> > > Today, every HOB may be a vendor specific structure, but in the future
>> > > there may be benefit of defining standard HOBs. This may be useful for
>> > > memory discovery, passing the system physical address map, enabling TPM
>> > > measured boot, and potentially many other common HOB use-cases.
>> > >
>> > >
>> > >
>> > > It would be extremely beneficial to the datacenter market segment if the
>> > > TF-A community would adopt this concept of information passing between all
>> > > boot phases as opposed to rely solely on device tree enumeration. This is
>> > > not intended to replace device tree, rather intended as an alternative way
>> > > to describe the info that must be discovered and dynamically generated.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > Conclusion:
>> > >
>> > > -----------
>> > >
>> > > We are proposing that the TF-A community begin pursuing the adoption of
>> > > HOBs as a mechanism used for information exchange between each boot stage
>> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we
>> > > want to explore standardizing some HOB structures for the BL33 phase (e.g.
>> > > UEFI HOB structures), but initially would like to agree on this being a
>> > > useful mechanism used to pass information between each boot stage.
>> > >
>> > >
>> > >
>> > > Thanks,
>> > >
>> > > --Harb
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > --
>> > > TF-A mailing list
>> > > TF-A(a)lists.trustedfirmware.org
>> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>> > >
>> >
>> >
>> > --
>> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
>> > T: +33.67221.6485
>> > francois.ozog(a)linaro.org | Skype: ffozog
>> > _______________________________________________
>> > boot-architecture mailing list
>> > boot-architecture(a)lists.linaro.org
>> > https://lists.linaro.org/mailman/listinfo/boot-architecture
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-a
5 years, 1 month
- 1
- 0
Re: [TF-A] MEM_PROTECT for secure world?
by Varun Wadekar
Hi Okash,
My understanding is that the NS world must call PSCI_MEM_PROTECT_CHECK_RANGE and PSCI_MEM_PROTECT before passing the buffer to the S world. So, I believe the check in the code is correct.
The spec guarantees that the memory range passed with this SMC will be cleared before executing a system reset.
This statement from the spec is confusing - " When MEM_PROTECT is called, the implementation must ensure that all volatile memory that is accessible by the caller is overwritten on the following boot". How can the implementation know the memory accessible by the caller in the first place? I feel this creates an unwanted dependency - EL3 needs to understand memory requirements for all NS clients.
I would like to believe that the implementation is only aware of a memory range registered by a caller via the MEM_PROTECT SMC call and so clears only this range before a system reset.
-Varun
-----Original Message-----
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Okash Khawaja via TF-A
Sent: Wednesday, May 5, 2021 5:10 PM
To: tf-a(a)lists.trustedfirmware.org
Subject: [TF-A] MEM_PROTECT for secure world?
External email: Use caution opening links or attachments
Hi,
As a PSCI call, MEM_PROTECT which is used to protect against cold reboot attack, can't be called from TZ-secure. In a situation where at run time, HLOS in NS-EL1 transfers some buffer that it owns, to a secure partition then secure partition can't call MEM_PROTECT because psci_smc_handler will return SMC_UNK if the caller is secure.
Should MEM_PROTECT be available to TZ-secure as well?
Thanks,
Okash
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org
https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.tru…
5 years, 1 month
- 2
- 3
Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
by Okash Khawaja
Hi,
Do we have slides and video from last week's discussion?
Thanks,
Okash
On Wed, May 5, 2021 at 11:52 PM Simon Glass via TF-A
<tf-a(a)lists.trustedfirmware.org> wrote:
>
> Hi Harb,
>
> Thanks for the idea. I am still not completely sure what benefit UUID provides to an open project. I'd like to propose something different, more in the spirit of open collaboration. I also worry that the word 'standard' seems to be a synonym for UUIDs, UEFI, etc., i.e. enabling/preferring closed-source firmware and the continued decline of open-source projects. It really should not be.
>
> So I suggest: Use simple integer IDs and reserve some area for 'private' use. If you want to collaborate across projects outside your company, you either need to allocate a 'public' ID or agree privately between the parties which private ID to use.
>
> This means that the default and easiest option is for collaboration and a public ID, with private ones (whose purpose may be secret) reserved just for private use.
>
> Regards,
> Simon
>
> On Wed, 5 May 2021 at 11:42, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote:
>>
>> Hey Folks,
>>
>> We wanted to put out a middle-ground proposal to help guide the discussion on the call tomorrow.
>>
>>
>>
>> A proposal that we have been discussing offline involves reserving a single tag ID for the purpose of construction UEFI PI HOB List structure, and that tag would be used to identify a HOB-specific structure that does leverage UUID based identifier. This will eliminate the burden of having to support UUID as the tag, and this enables projects that require UUID based identifiers for the broad range of HOB structures that need to be produced during the booting of the platform. Once we have a tag for a HOB list, this will enable various HOB producers that can add/extend the HOB list in TF-A code (or even pre-TF-A code), with a HOB consumer for that UUID/GUID on the other side (i.e. whatever the BL33 image is booting on that platform).
>>
>>
>>
>> Essentially, the idea is if someone would like to support HOB structures in a standard way using TF-A, they would wrap it up in a BL_AUX_PARAM/BLOB structure (whatever the group decides) and the way we identify the structure as a HOB list is with this new reserved tag.
>>
>>
>>
>> Hopefully that makes sense and less contentious. Look forward to discuss this further on the call.
>>
>>
>>
>> Thanks,
>>
>> --Harb
>>
>>
>>
>> From: Manish Pandey2 <Manish.Pandey2(a)arm.com>
>> Sent: Friday, April 30, 2021 8:14 AM
>> To: François Ozog <francois.ozog(a)linaro.org>
>> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Hi All,
>>
>>
>>
>> Please find invite for next TF-A Tech Forum session to continue our discussions on HOB implementation, feel free to forward it to others.
>>
>>
>>
>> The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST).
>>
>>
>>
>> Agenda:
>>
>> Discussion Session: Static and Dynamic Information Handling in TF-A
>>
>> Lead by Manish Pandey and Madhukar Pappireddy
>>
>> · There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages.
>>
>> The requirement is two-fold:
>>
>> 1. Passing static information(config files)
>>
>> 2. Passing dynamic information (Hob list)
>>
>> In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects.
>>
>>
>>
>> The two specific item which we would like to discuss are:
>>
>> 1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both?
>>
>> 2. Standardization on Physical register use to pass base of HoB data structure.
>>
>> References:
>>
>> [1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html
>>
>> [2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%
>>
>>
>>
>> Thanks
>>
>>
>>
>> Joanna
>>
>>
>>
>> You have been invited to the following event.
>>
>> TF-A Tech Forum
>>
>> When
>>
>> Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time
>>
>> Calendar
>>
>> tf-a(a)lists.trustedfirmware.org
>>
>> Who
>>
>> •
>>
>> Bill Fletcher- creator
>>
>> •
>>
>> tf-a(a)lists.trustedfirmware.org
>>
>> more details »
>>
>>
>>
>> We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC.
>>
>>
>>
>> Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/
>>
>>
>>
>> Trusted Firmware is inviting you to a scheduled Zoom meeting.
>>
>>
>>
>> Join Zoom Meeting
>>
>> https://zoom.us/j/9159704974
>>
>>
>>
>> Meeting ID: 915 970 4974
>>
>>
>>
>> One tap mobile
>>
>> +16465588656,,9159704974# US (New York)
>>
>> +16699009128,,9159704974# US (San Jose)
>>
>>
>>
>> Dial by your location
>>
>> +1 646 558 8656 US (New York)
>>
>> +1 669 900 9128 US (San Jose)
>>
>> 877 853 5247 US Toll-free
>>
>> 888 788 0099 US Toll-free
>>
>> Meeting ID: 915 970 4974
>>
>> Find your local number: https://zoom.us/u/ad27hc6t7h
>>
>>
>>
>> ________________________________
>>
>> From: François Ozog <francois.ozog(a)linaro.org>
>> Sent: 08 April 2021 16:50
>> To: Manish Pandey2 <Manish.Pandey2(a)arm.com>
>> Cc: Simon Glass <sjg(a)chromium.org>; Julius Werner <jwerner(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Hi
>>
>>
>>
>> here is the meeting recording:
>>
>> https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%z
>>
>>
>>
>> I am really sorry about the confusion related to the meeting time. I have now understood: the Collaborate portal uses a specific calendar which is tied to US/Chicago timezone while the actual Google Calendar is tied to Central Europe timezone. I am going to drop the Collaborate portal and use a shared Google calendar (it should be visible on the trusted-substrate.org page).
>>
>>
>>
>> I'll try to summarize what I learnt and highlight my view on what can be next steps in a future mail.
>>
>>
>>
>> Cheers
>>
>>
>>
>> FF
>>
>>
>>
>> On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi,
>>
>>
>>
>> From TF-A project point of view, we prefer to use existing mechanism to pass parameters across boot stages using linked list of tagged elements (as suggested by Julius). It has support for both generic and SiP-specific tags. Having said that, it does not stop partners to introduce new mechanisms suitable for their usecase in platform port initially and later move to generic code if its suitable for other platforms.
>>
>>
>>
>> To start with, Ampere can introduce a platform specific implementation of memory tag(speed/NUMA topology etc) which can be evaluated and discussed for generalization in future. The tag will be populated in BL2 stage and can be forwarded to further stages(and to BL33) by passing the head of list pointer in one of the registers. Initially any register can be used but going forward a standardization will be needed.
>>
>>
>>
>> The U-boot bloblist mentioned by Simon is conceptually similar to what TF-A is using, if there is consensus of using bloblist/taglist then TF-A tag list may be enhanced to take best of both the implementations.
>>
>>
>>
>> One of the potential problems of having structure used in different projects is maintainability, this can be avoided by having a single copy of these structures in TF-A (kept inside "include/export" which intended to be used by other projects.)
>>
>>
>>
>> Regarding usage of either UUID or tag, I echo the sentiments of Simon and Julius to keep it simple and use tag values.
>>
>>
>>
>> Looking forward to having further discussions on zoom call today.
>>
>>
>>
>> Thanks
>>
>> Manish P
>>
>>
>>
>> ________________________________
>>
>> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius Werner via TF-A <tf-a(a)lists.trustedfirmware.org>
>> Sent: 25 March 2021 02:43
>> To: Simon Glass <sjg(a)chromium.org>
>> Cc: Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>; Ron Minnich <rminnich(a)google.com>
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> Just want to point out that TF-A currently already supports a (very simple) mechanism like this:
>>
>>
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>>
>>
>>
>> It's just a linked list of tagged elements. The tag space is split into TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare if more areas need to be defined -- a 64-bit tag can fit a lot). This is currently being used by some platforms that run coreboot in place of BL1/BL2, to pass information from coreboot (BL2) to BL31.
>>
>>
>>
>> I would echo Simon's sentiment of keeping this as simple as possible and avoiding complicated and bloated data structures with UUIDs. You usually want to parse something like this as early as possible in the passed-to firmware stage, particularly if the structure encodes information about the debug console (like it does for the platforms I mentioned above). For example, in BL31 this basically means doing it right after moving from assembly to C in bl31_early_platform_setup2() to get the console up before running anything else. At that point in the BL31 initialization, the MMU and caches are disabled, so data accesses are pretty expensive and you don't want to spend a lot of parsing effort or calculate complicated checksums or the like. You just want something extremely simple where you ideally have to touch every data word only once.
>>
>>
>>
>> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi Harb,
>>
>>
>>
>> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com> wrote:
>>
>> Hello Folks,
>>
>> Appreciate the feedback and replies on this. Glad to see that there is interest in this topic.
>>
>>
>>
>> I try to address the comments/feedback from Francois and Simon below….
>>
>>
>>
>> @François Ozog – happy to discuss this on a zoom call. I will make that time slot work, and will be available to attend April 8, 4pm CT.
>>
>>
>>
>> Note that I’m using the term “HOB” here more generically, as there are typically vendor specific structures beyond the resource descriptor HOB, which provides only a small subset of the information that needs to be passed between the boot phases.
>>
>>
>>
>> The whole point here is to provide mechanism to develop firmware that we can build ARM Server SoC’s that support *any* BL33 payload (e.g. EDK2, AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some point). In other-words, we are trying to come up with a TF-A that would be completely agnostic to the implementation of BL33 (i.e. BL33 is built completely independently by a separate entity – e.g. an ODM/OEM).
>>
>>
>>
>> Keep in mind, in the server/datacenter market segment we are not building vertically integrated systems with a single entity compiling firmware/software stacks like most folks in TF-A have become use to. There are two categories of higher level firmware code blobs in the server/datacenter model:
>>
>> “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2, BL31, and *possibly* one or more BL32 instances
>> “Platform” or “board” firmware – in TF-A this may map to BL33 and *possibly* one or more BL32 instances.
>>
>>
>>
>> Even the platform firmware stack could be further fragmented by having multiple entities involved in delivering the entire firmware stack: IBVs, ODMs, OEMs, CSPs, and possibly even device vendor code.
>>
>>
>>
>> To support a broad range of platform designs with a broad range of memory devices, we need a crisp and clear contract between the SoC firmware that initializes memory (e.g. BL2) and how that platform boot firmware (e.g. BL33) gathers information about what memory that was initialized, at what speeds, NUMA topology, and many other relevant information that needs to be known and comprehended by the platform firmware and eventually by the platform software.
>>
>>
>>
>> I understand the versatility of DT, but I see two major problems with DT:
>>
>> DT requires more complicated parsing to get properties, and even more complex to dynamically set properties – this HOB structures may need to be generated in boot phases where DDR is not available, and therefore we will be extremely memory constrained.
>> DT is probably overkill for this purpose – We really just want a list of pointers to simple C structures that code cast (e.g. JEDEC SPD data blob)
>>
>>
>>
>> I think that we should not mix the efforts around DT/ACPI specs with what we are doing here, because those specs and concepts were developed for a completely different purpose (i.e. abstractions needed for OS / RTOS software, and not necessarily suitable for firmware-to-firmware hand-offs).
>>
>>
>>
>> Frankly, I would personally push back pretty hard on defining SMC’s for something that should be one way information passing. Every SMC we add is another attack vector to the secure world and an increased burden on the folks that have to do security auditing and threat analysis. I see no benefit in exposing these boot/HOB/BOB structures at run-time via SMC calls.
>>
>>
>>
>> Please do let me know if you disagree and why. Look forward to discussing on this thread or on the call.
>>
>>
>>
>> @Simon Glass - Thanks for the pointer to bloblist. I briefly reviewed and it seems like a good baseline for what we may be looking for.
>>
>>
>>
>> That being said, I would say that there is some benefit in having some kind of unique identifiers (e.g. UUID or some unique signature) so that we can tie standardized data structures (based on some future TBD specs) to a particular ID. For example, if the TPM driver in BL33 is looking for the TPM structure in the HOB/BOB list, and may not care about the other data blobs. The driver needs a way to identify and locate the blob it cares about.
>>
>>
>>
>> The tag is intended to serve that purpose, although perhaps it should switch from an auto-allocating enum to one with explicit values for each entry and a range for 'local' use.
>>
>>
>>
>> I guess we can achieve this with the tag, but the problem with tag when you have eco-system with a lot of parties doing parallel development, you can end up with tag collisions and folks fighting about who has rights to what tag values. We would need some official process for folks to register tags for whatever new structures we define, or maybe some tag range for vendor specific structures. This comes with a lot of pain and bureaucracy. On the other hand, UUID has been a proven way to make it easy to just define your own blobs with *either* standard or vendor specific structures without worry of ID collisions between vendors.
>>
>>
>>
>> True. I think the pain is overstated, though. In this case I think we actually want something that can be shared between projects and orgs, so some amount of coordination could be considered a benefit. It could just be a github pull request. I find the UUID unfriendly and not just to code size and eyesight! Trying to discover what GUIDs mean or are valid is quite tricky. E.g. see this code:
>>
>>
>>
>> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \
>> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \
>> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55)
>>
>> (etc.)
>>
>>
>>
>> static struct guid_name {
>> efi_guid_t guid;
>> const char *name;
>> } guid_name[] = {
>> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" },
>> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" },
>> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" },
>> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" },
>> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" },
>> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" },
>> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" },
>> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" },
>>
>> (never figured out what those two are)
>>
>>
>> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" },
>> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" },
>> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" },
>> { {}, "zero-guid" },
>> {}
>> };
>>
>> static const char *guid_to_name(const efi_guid_t *guid)
>> {
>> struct guid_name *entry;
>>
>> for (entry = guid_name; entry->name; entry++) {
>> if (!guidcmp(guid, &entry->guid))
>> return entry->name;
>> }
>>
>> return NULL;
>> }
>>
>>
>>
>> Believe it or not it took a fair bit of effort to find just that small list, with nearly every one in a separate doc, from memory.
>>
>>
>>
>>
>>
>> We can probably debate whether there is any value in GUID/UUID or not during the call… but again, boblist seems like a reasonable starting point as an alternative to HOB.
>>
>>
>>
>> Indeed. There is certainly value in both approaches.
>>
>>
>>
>> Regards,
>>
>> Simon
>>
>>
>>
>>
>>
>> Thanks,
>>
>> --Harb
>>
>>
>>
>> From: François Ozog <francois.ozog(a)linaro.org>
>> Sent: Tuesday, March 23, 2021 10:00 AM
>> To: François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org>
>> Cc: Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org
>> Subject: Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
>>
>>
>>
>> +Ron Minnich +Paul Isaac's
>>
>>
>>
>> Adding Ron and Paul because I think this interface should be also benefiting LinuxBoot efforts.
>>
>>
>>
>> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org> wrote:
>>
>> Hi,
>>
>>
>>
>> I propose we cover the topic at the next Trusted Substrate zoom call on April 8th 4pm CET.
>>
>>
>>
>> The agenda:
>>
>> ABI between non-secure firmware and the rest of firmware (EL3, S-EL1, S-EL2, SCP) to adapt hardware description to some runtime conditions.
>>
>> runtime conditions here relates to DRAM size and topology detection, secure DRAM memory carvings, PSCI and SCMI interface publishing.
>>
>>
>>
>> For additional background on existing metadata: UEFI Platform Initialization Specification Version 1.7, 5.5 Resource Descriptor HOB
>>
>> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY.
>>
>> This HOB lacks memory NUMA attachment or something that could be related to fill SRAT table for ACPI or relevant DT proximity domains.
>>
>> HOB is not consistent accros platforms: some platforms (Arm) lists memory from the booting NUMA node, other platforms (x86) lists all memory from all NUMA nodes. (At least this is the case on the two platforms I tested).
>>
>>
>>
>> There are two proposals to use memory structures from SPL/BLx up to the handover function (as defined in the Device Tree technical report) which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or EDK2.
>>
>> I would propose we also discuss possibility of FF-A interface to actually query information or request actions to be done (this is a model actually used in some SoCs with proprietary SMC calls).
>>
>>
>>
>> Requirements (to be validated):
>>
>> - ACPI and DT hardware descriptions.
>>
>> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2)
>>
>> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2, TF-A/LinuxBoot)
>>
>> - at least allows complete DRAM description and "persistent" usage (reserved areas for secure world or other usages)
>>
>> - support secure world device assignment
>>
>>
>>
>> Cheers
>>
>>
>>
>> FF
>>
>>
>>
>>
>>
>> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote:
>>
>> Hi,
>>
>> Can I suggest using bloblist for this instead? It is lightweight,
>> easier to parse, doesn't have GUIDs and is already used within U-Boot
>> for passing info between SPL/U-Boot, etc.
>>
>> Docs here: https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist
>> Header file describes the format:
>> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h
>>
>> Full set of unit tests:
>> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c
>>
>> Regards,
>> Simon
>>
>> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org> wrote:
>> >
>> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>
>> >
>> > standardization is very much welcomed here and need to accommodate a very
>> > diverse set of situations.
>> > For example, TEE OS may need to pass memory reservations to BL33 or
>> > "capture" a device for the secure world.
>> >
>> > I have observed a number of architectures:
>> > 1) pass information from BLx to BLy in the form of a specific object
>> > 2) BLx called by BLy by a platform specific SMC to get information
>> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree
>> > fixups
>> >
>> > I also imagined a standardized "broadcast" FF-A call so that any firmware
>> > element can either provide information or "do something".
>> >
>> > My understanding of your proposal is about standardizing on architecture 1)
>> > with the HOB format.
>> >
>> > The advantage of the HOB is simplicity but it may be difficult to implement
>> > schemes such as pruning a DT because device assignment in the secure world.
>> >
>> > In any case, it looks feasible to have TF-A and OP-TEE complement the list
>> > of HOBs to pass information downstream (the bootflow).
>> >
>> > It would be good to start with building the comprehensive list of
>> > information that need to be conveyed between firmware elements:
>> >
>> > information. | authoritative entity | reporting entity | information
>> > exchanged:
>> > dram | TFA | TFA |
>> > <format to be detailed, NUMA topology to build the SRAT table or DT
>> > equivalent?>
>> > PSCI | SCP | TFA? |
>> > SCMI | SCP or TEE-OS | TFA? TEE-OS?|
>> > secure SRAM | TFA. | TFA. |
>> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? |
>> > other? | |
>> > |
>> >
>> > Cheers
>> >
>> > FF
>> >
>> >
>> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A <
>> > tf-a(a)lists.trustedfirmware.org> wrote:
>> >
>> > > Hello Folks,
>> > >
>> > >
>> > >
>> > > I'm emailing to start an open discussion about the adoption of a concept
>> > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware
>> > > Framework Architecture (FFA). This is something that is a pretty major
>> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s
>> > > designed to enable a broad range of highly configurable datacenter
>> > > platforms.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > What is a HOB (Background)?
>> > >
>> > > ---------------------------
>> > >
>> > > UEFI PI spec describes a particular definition for how HOB may be used for
>> > > transitioning between the PEI and DXE boot phases, which is a good
>> > > reference point for this discussion, but not necessarily the exact solution
>> > > appropriate for TF-A.
>> > >
>> > >
>> > >
>> > > A HOB is simply a dynamically generated data structure passed in between
>> > > two boot phases. This is information that was obtained through discovery
>> > > and needs to be passed forward to the next boot phase *once*, with no API
>> > > needed to call back (e.g. no call back into previous firmware phase is
>> > > needed to fetch this information at run-time - it is simply passed one time
>> > > during boot).
>> > >
>> > >
>> > >
>> > > There may be one or more HOBs passed in between boot phases. If there are
>> > > more than one HOB that needs to be passed, this can be in a form of a "HOB
>> > > table", which (for example) could be a UUID indexed array of pointers to
>> > > HOB structures, used to locate a HOB of interest (based on UUID). In such
>> > > cases, instead of passing a single HOB, the boot phases may rely on passing
>> > > the pointer to the HOB table.
>> > >
>> > >
>> > >
>> > > This has been extremely useful concept to employ on highly configurable
>> > > systems that must rely on flexible discovery mechanisms to initialize and
>> > > boot the system. This is especially helpful when you have multiple
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > Why do we need HOBs in TF-A?:
>> > >
>> > > -----------------------------
>> > >
>> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC in
>> > > a way that is SoC specific *but* platform agnostic. This means that a
>> > > single ARM SoC that a SiP may deliver to customers may provide a single
>> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad
>> > > range of platform designs and configurations in order to boot a platform
>> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to
>> > > achieve this, the platform configuration must be *discovered* instead of
>> > > statically compiled as it is today in TF-A via device tree based
>> > > enumeration. The mechanisms of discovery may differ broadly depending on
>> > > the relevant industry standard, or in some cases may have rely on SiP
>> > > specific discovery flows.
>> > >
>> > >
>> > >
>> > > For example: On server systems that support a broad range DIMM memory
>> > > population/topologies, all the necessary information required to boot is
>> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over an
>> > > I2C bus. Leveraging the SPD bus, may platform variants could be supported
>> > > with a single TF-A binary. Not only is this information required to
>> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot
>> > > phases will also need this SPD info to construct a system physical address
>> > > map and properly initialize the MMU based on the memory present, and where
>> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI) may
>> > > need to generate standard firmware tables to the operating systems, such as
>> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g. SLIT,
>> > > SRAT, even NFIT if NVDIMM's are present).
>> > >
>> > >
>> > >
>> > > In short, it all starts with a standardized or vendor specific discovery
>> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of
>> > > information to the next boot stages (e.g. BL31/BL32/BL33).
>> > >
>> > >
>> > >
>> > > Today, every HOB may be a vendor specific structure, but in the future
>> > > there may be benefit of defining standard HOBs. This may be useful for
>> > > memory discovery, passing the system physical address map, enabling TPM
>> > > measured boot, and potentially many other common HOB use-cases.
>> > >
>> > >
>> > >
>> > > It would be extremely beneficial to the datacenter market segment if the
>> > > TF-A community would adopt this concept of information passing between all
>> > > boot phases as opposed to rely solely on device tree enumeration. This is
>> > > not intended to replace device tree, rather intended as an alternative way
>> > > to describe the info that must be discovered and dynamically generated.
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > Conclusion:
>> > >
>> > > -----------
>> > >
>> > > We are proposing that the TF-A community begin pursuing the adoption of
>> > > HOBs as a mechanism used for information exchange between each boot stage
>> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we
>> > > want to explore standardizing some HOB structures for the BL33 phase (e.g.
>> > > UEFI HOB structures), but initially would like to agree on this being a
>> > > useful mechanism used to pass information between each boot stage.
>> > >
>> > >
>> > >
>> > > Thanks,
>> > >
>> > > --Harb
>> > >
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > --
>> > > TF-A mailing list
>> > > TF-A(a)lists.trustedfirmware.org
>> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>> > >
>> >
>> >
>> > --
>> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
>> > T: +33.67221.6485
>> > francois.ozog(a)linaro.org | Skype: ffozog
>> > _______________________________________________
>> > boot-architecture mailing list
>> > boot-architecture(a)lists.linaro.org
>> > https://lists.linaro.org/mailman/listinfo/boot-architecture
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>> --
>> TF-A mailing list
>> TF-A(a)lists.trustedfirmware.org
>> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>>
>>
>>
>>
>> --
>>
>> François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
>>
>> T: +33.67221.6485
>> francois.ozog(a)linaro.org | Skype: ffozog
>>
>>
>
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
5 years, 1 month
- 1
- 0
Re: [TF-A] MEM_PROTECT for secure world?
by raghu.ncstate@icloud.com
If I understand the cold boot attack correctly for the normal world, it is that we boot a NWd OS once, make it decrypt all its secrets into DRAM, pull the power and quickly boot to another OS and read contents of DRAM before the data decays, to extract secrets of the old OS using the new OS. While this can apply to secure world, It might be a safe assumption that we cannot boot arbitrary, unsigned TZ code and trusted OS's on an ARM system in the last few years due to use of CoT, Rollback protection etc.
As a general rule of thumb, early boot code should probably be scrubbing secure DRAM anyway, I think, to prevent this attack, in which case the way to do the cold boot attack would be through a run time attack on TZ code.
Thanks
Raghu
-----Original Message-----
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Okash Khawaja via TF-A
Sent: Wednesday, May 5, 2021 9:10 AM
To: tf-a(a)lists.trustedfirmware.org
Subject: [TF-A] MEM_PROTECT for secure world?
Hi,
As a PSCI call, MEM_PROTECT which is used to protect against cold reboot attack, can't be called from TZ-secure. In a situation where at run time, HLOS in NS-EL1 transfers some buffer that it owns, to a secure partition then secure partition can't call MEM_PROTECT because psci_smc_handler will return SMC_UNK if the caller is secure.
Should MEM_PROTECT be available to TZ-secure as well?
Thanks,
Okash
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-a
5 years, 1 month
- 2
- 5
Re: [TF-A] Stack Protector for platforms not implementing plat_get_stack_protector_canary
by raghu.ncstate@icloud.com
Adding tf-a list again.
-----Original Message-----
From: raghu.ncstate(a)icloud.com <raghu.ncstate(a)icloud.com>
Sent: Thursday, May 13, 2021 9:33 AM
To: 'Heiko Thiery' <heiko.thiery(a)gmail.com>; 'tf-a-bounces(a)lists.trustedfirmware.org' <tf-a-bounces(a)lists.trustedfirmware.org>
Subject: RE: [TF-A] Stack Protector for platforms not implementing plat_get_stack_protector_canary
Right. The point I was trying to make is the same as the comment in the C file says "this is better than nothing but not necessarily really secure". I'm just saying SSP without truly random stack canary in an open source project is as good as not having SSP 😊
>From an TF-A point of view, I think we want to encourage folks to include TRNG's on their platform and we should not provide an insecure default implementation, since people may assume security properties about it if they don’t look closely enough.
Thanks
Raghu
-----Original Message-----
From: Heiko Thiery <heiko.thiery(a)gmail.com>
Sent: Thursday, May 13, 2021 8:57 AM
To: raghu.ncstate(a)icloud.com; tf-a-bounces(a)lists.trustedfirmware.org
Subject: Re: [TF-A] Stack Protector for platforms not implementing plat_get_stack_protector_canary
Hi,
Am Do., 13. Mai 2021 um 17:13 Uhr schrieb <raghu.ncstate(a)icloud.com>:
>
> Without a RNG, implementing a generic function as you have mentioned below would mean returning a constant value or random numbers that are not cryptographically secure for the stack canary. Neither of those options will really provide any security benefit. In absence of a TRNG or secret seed that can be used to generate secure random numbers, I think turning off SSP is not that much worse than returning bad values.
But as you can read in the comments of some implementations, it is better to return a pseudo value than none at all. Or am I wrong there?
And assuming that this is true, it would be good to have an implementation for all those who don't use TRNG like the ones at
https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/rockc….
>
> A quick google search tells me that imx8m may have a random number generator so the platform code may need to hook up tf-a platform port to the random number.
>
> -----Original Message-----
> From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> On Behalf Of Heiko
> Thiery via TF-A
> Sent: Thursday, May 13, 2021 12:34 AM
> To: tf-a(a)lists.trustedfirmware.org
> Subject: [TF-A] Stack Protector for platforms not implementing
> plat_get_stack_protector_canary
>
> Hi all,
>
> I recently encountered a build issue with the imx8m platform.
> Buildroot will set the SSP (Stack Smashing Protection) option to on by
> default in the next release. This option also turns on the
> ENABLE_STACK_PROTECTOR in the ATF. But since the
> plat_get_stack_protector_canary() function is not implemented for the
> imx8m for example, the build fails for this platform. My question now
> is: could you implement a generic function like it is implemented for some platforms that don't have a real RNG? Or is there a concern here?
>
> I must admit that I have no experience with ATF other than building and deploying it.
>
> Thanks
> --
> Heiko
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>
Thanks
--
Heiko
5 years, 1 month
- 2
- 3
Re: [TF-A] Lost gerrit email notifications
by Joanna Farley
Hi Raghu,
That’s should have been corrected as there was a fault on trustedfirmware.org servers which was fixed overnight as I was also missing notifications but they have started to come through now.
Joanna
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Raghu Krishnamurthy via TF-A <tf-a(a)lists.trustedfirmware.org>
Reply to: "raghu.ncstate(a)icloud.com" <raghu.ncstate(a)icloud.com>
Date: Thursday, 13 May 2021 at 15:47
To: "tf-a(a)lists.trustedfirmware.org" <tf-a(a)lists.trustedfirmware.org>
Subject: [TF-A] Lost gerrit email notifications
Hi All,
I seem to have lost email notification of comments on gerrit reviews. I’ve checked my gerrit settings and reset the settings to enable notifications but I cant seem to get notifications from gerrit. Is this something others are seeing as well?
Thanks
Raghu
5 years, 1 month
- 2
- 1
Lost gerrit email notifications
by raghu.ncstate@icloud.com
Hi All,
I seem to have lost email notification of comments on gerrit reviews. I've
checked my gerrit settings and reset the settings to enable notifications
but I cant seem to get notifications from gerrit. Is this something others
are seeing as well?
Thanks
Raghu
5 years, 1 month
- 1
- 0
Stack Protector for platforms not implementing plat_get_stack_protector_canary
by Heiko Thiery
Hi all,
I recently encountered a build issue with the imx8m platform.
Buildroot will set the SSP (Stack Smashing Protection) option to on by
default in the next release. This option also turns on the
ENABLE_STACK_PROTECTOR in the ATF. But since the
plat_get_stack_protector_canary() function is not implemented for the
imx8m for example, the build fails for this platform. My question now
is: could you implement a generic function like it is implemented for
some platforms that don't have a real RNG? Or is there a concern here?
I must admit that I have no experience with ATF other than building
and deploying it.
Thanks
--
Heiko
5 years, 1 month
- 1
- 0
Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for information passing between boot stages
by François Ozog
Hi
here is the meeting recording:
https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn…
Passcode: IPn+5q%z
I am really sorry about the confusion related to the meeting time. I have
now understood: the Collaborate portal uses a specific calendar which is
tied to US/Chicago timezone while the actual Google Calendar is tied to
Central Europe timezone. I am going to drop the Collaborate portal and use
a shared Google calendar (it should be visible on the trusted-substrate.org
page).
I'll try to summarize what I learnt and highlight my view on what can be
next steps in a future mail.
Cheers
FF
On Thu, 8 Apr 2021 at 13:56, Manish Pandey2 via TF-A <
tf-a(a)lists.trustedfirmware.org> wrote:
> Hi,
>
> From TF-A project point of view, we prefer to use existing mechanism to
> pass parameters across boot stages using linked list of tagged elements (as
> suggested by Julius). It has support for both generic and SiP-specific
> tags. Having said that, it does not stop partners to introduce new
> mechanisms suitable for their usecase in platform port initially and later
> move to generic code if its suitable for other platforms.
>
> To start with, Ampere can introduce a platform specific implementation of
> memory tag(speed/NUMA topology etc) which can be evaluated and discussed
> for generalization in future. The tag will be populated in BL2 stage and
> can be forwarded to further stages(and to BL33) by passing the head of list
> pointer in one of the registers. Initially any register can be used but
> going forward a standardization will be needed.
>
> The U-boot bloblist mentioned by Simon is conceptually similar to what
> TF-A is using, if there is consensus of using bloblist/taglist then TF-A
> tag list may be enhanced to take best of both the implementations.
>
> One of the potential problems of having structure used in different
> projects is maintainability, this can be avoided by having a single copy of
> these structures in TF-A (kept inside "include/export" which intended to be
> used by other projects.)
>
> Regarding usage of either UUID or tag, I echo the sentiments of Simon and
> Julius to keep it simple and use tag values.
>
> Looking forward to having further discussions on zoom call today.
>
> Thanks
> Manish P
>
> ------------------------------
> *From:* TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Julius
> Werner via TF-A <tf-a(a)lists.trustedfirmware.org>
> *Sent:* 25 March 2021 02:43
> *To:* Simon Glass <sjg(a)chromium.org>
> *Cc:* Harb Abdulhamid OS <abdulhamid(a)os.amperecomputing.com>; Boot
> Architecture Mailman List <boot-architecture(a)lists.linaro.org>;
> tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; U-Boot
> Mailing List <u-boot(a)lists.denx.de>; Paul Isaac's <paul.isaacs(a)linaro.org>;
> Ron Minnich <rminnich(a)google.com>
> *Subject:* Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for
> information passing between boot stages
>
> Just want to point out that TF-A currently already supports a (very
> simple) mechanism like this:
>
>
> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>
> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>
> https://review.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/…
>
> It's just a linked list of tagged elements. The tag space is split into
> TF-A-wide generic tags and SiP-specific tags (with plenty of room to spare
> if more areas need to be defined -- a 64-bit tag can fit a lot). This is
> currently being used by some platforms that run coreboot in place of
> BL1/BL2, to pass information from coreboot (BL2) to BL31.
>
> I would echo Simon's sentiment of keeping this as simple as possible and
> avoiding complicated and bloated data structures with UUIDs. You usually
> want to parse something like this as early as possible in the passed-to
> firmware stage, particularly if the structure encodes information about the
> debug console (like it does for the platforms I mentioned above). For
> example, in BL31 this basically means doing it right after moving from
> assembly to C in bl31_early_platform_setup2() to get the console up before
> running anything else. At that point in the BL31 initialization, the MMU
> and caches are disabled, so data accesses are pretty expensive and you
> don't want to spend a lot of parsing effort or calculate complicated
> checksums or the like. You just want something extremely simple where you
> ideally have to touch every data word only once.
>
> On Wed, Mar 24, 2021 at 5:06 PM Simon Glass via TF-A <
> tf-a(a)lists.trustedfirmware.org> wrote:
>
> Hi Harb,
>
> On Wed, 24 Mar 2021 at 11:39, Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com> wrote:
>
> Hello Folks,
>
> Appreciate the feedback and replies on this. Glad to see that there is
> interest in this topic. 😊
>
>
>
> I try to address the comments/feedback from Francois and Simon below….
>
>
>
> @François Ozog <francois.ozog(a)linaro.org> – happy to discuss this on a
> zoom call. I will make that time slot work, and will be available to
> attend April 8, 4pm CT.
>
>
>
> Note that I’m using the term “HOB” here more generically, as there are
> typically vendor specific structures beyond the resource descriptor HOB,
> which provides only a small subset of the information that needs to be
> passed between the boot phases.
>
>
>
> The whole point here is to provide mechanism to develop firmware that we
> can build ARM Server SoC’s that support **any** BL33 payload (e.g. EDK2,
> AptioV, CoreBoot, and maybe even directly boot strapping LinuxBoot at some
> point). In other-words, we are trying to come up with a TF-A that would
> be completely agnostic to the implementation of BL33 (i.e. BL33 is built
> completely independently by a separate entity – e.g. an ODM/OEM).
>
>
>
> Keep in mind, in the server/datacenter market segment we are not building
> vertically integrated systems with a single entity compiling
> firmware/software stacks like most folks in TF-A have become use to. There
> are two categories of higher level firmware code blobs in the
> server/datacenter model:
>
> 1. “SoC” or “silicon” firmware – in TF-A this may map to BL1, BL2,
> BL31, and **possibly** one or more BL32 instances
> 2. “Platform” or “board” firmware – in TF-A this may map to BL33 and *
> *possibly** one or more BL32 instances.
>
>
>
> Even the platform firmware stack could be further fragmented by having
> multiple entities involved in delivering the entire firmware stack: IBVs,
> ODMs, OEMs, CSPs, and possibly even device vendor code.
>
>
>
> To support a broad range of platform designs with a broad range of memory
> devices, we need a crisp and clear contract between the SoC firmware that
> initializes memory (e.g. BL2) and how that platform boot firmware (e.g.
> BL33) gathers information about what memory that was initialized, at what
> speeds, NUMA topology, and many other relevant information that needs to be
> known and comprehended by the platform firmware and eventually by the
> platform software.
>
>
>
> I understand the versatility of DT, but I see two major problems with DT:
>
> - DT requires more complicated parsing to get properties, and even
> more complex to dynamically set properties – this HOB structures may need
> to be generated in boot phases where DDR is not available, and therefore we
> will be extremely memory constrained.
> - DT is probably overkill for this purpose – We really just want a
> list of pointers to simple C structures that code cast (e.g. JEDEC SPD data
> blob)
>
>
>
> I think that we should not mix the efforts around DT/ACPI specs with what
> we are doing here, because those specs and concepts were developed for a
> completely different purpose (i.e. abstractions needed for OS / RTOS
> software, and not necessarily suitable for firmware-to-firmware hand-offs).
>
>
>
> Frankly, I would personally push back pretty hard on defining SMC’s for
> something that should be one way information passing. Every SMC we add is
> another attack vector to the secure world and an increased burden on the
> folks that have to do security auditing and threat analysis. I see no
> benefit in exposing these boot/HOB/BOB structures at run-time via SMC
> calls.
>
>
>
> Please do let me know if you disagree and why. Look forward to discussing
> on this thread or on the call.
>
>
>
> @Simon Glass <sjg(a)chromium.org> - Thanks for the pointer to bloblist.
> I briefly reviewed and it seems like a good baseline for what we may be
> looking for.
>
>
>
> That being said, I would say that there is some benefit in having some
> kind of unique identifiers (e.g. UUID or some unique signature) so that we
> can tie standardized data structures (based on some future TBD specs) to a
> particular ID. For example, if the TPM driver in BL33 is looking for the
> TPM structure in the HOB/BOB list, and may not care about the other data
> blobs. The driver needs a way to identify and locate the blob it cares
> about.
>
>
> The tag is intended to serve that purpose, although perhaps it should
> switch from an auto-allocating enum to one with explicit values for each
> entry and a range for 'local' use.
>
>
>
> I guess we can achieve this with the tag, but the problem with tag when
> you have eco-system with a lot of parties doing parallel development, you
> can end up with tag collisions and folks fighting about who has rights to
> what tag values. We would need some official process for folks to register
> tags for whatever new structures we define, or maybe some tag range for
> vendor specific structures. This comes with a lot of pain and
> bureaucracy. On the other hand, UUID has been a proven way to make it easy
> to just define your own blobs with **either** standard or vendor specific
> structures without worry of ID collisions between vendors.
>
>
> True. I think the pain is overstated, though. In this case I think we
> actually want something that can be shared between projects and orgs, so
> some amount of coordination could be considered a benefit. It could just be
> a github pull request. I find the UUID unfriendly and not just to code size
> and eyesight! Trying to discover what GUIDs mean or are valid is quite
> tricky. E.g. see this code:
>
> #define FSP_HOB_RESOURCE_OWNER_TSEG_GUID \
> EFI_GUID(0xd038747c, 0xd00c, 0x4980, \
> 0xb3, 0x19, 0x49, 0x01, 0x99, 0xa4, 0x7d, 0x55)
> (etc.)
>
> static struct guid_name {
> efi_guid_t guid;
> const char *name;
> } guid_name[] = {
> { FSP_HOB_RESOURCE_OWNER_TSEG_GUID, "TSEG" },
> { FSP_HOB_RESOURCE_OWNER_FSP_GUID, "FSP" },
> { FSP_HOB_RESOURCE_OWNER_SMM_PEI_SMRAM_GUID, "SMM PEI SMRAM" },
> { FSP_NON_VOLATILE_STORAGE_HOB_GUID, "NVS" },
> { FSP_VARIABLE_NV_DATA_HOB_GUID, "Variable NVS" },
> { FSP_GRAPHICS_INFO_HOB_GUID, "Graphics info" },
> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID1, "PCD database ea" },
> { FSP_HOB_RESOURCE_OWNER_PCD_DATABASE_GUID2, "PCD database 9b" },
> (never figured out what those two are)
>
> { FSP_HOB_RESOURCE_OWNER_PEIM_DXE_GUID, "PEIM Init DXE" },
> { FSP_HOB_RESOURCE_OWNER_ALLOC_STACK_GUID, "Alloc stack" },
> { FSP_HOB_RESOURCE_OWNER_SMBIOS_MEMORY_GUID, "SMBIOS memory" },
> { {}, "zero-guid" },
> {}
> };
>
> static const char *guid_to_name(const efi_guid_t *guid)
> {
> struct guid_name *entry;
>
> for (entry = guid_name; entry->name; entry++) {
> if (!guidcmp(guid, &entry->guid))
> return entry->name;
> }
>
> return NULL;
> }
>
> Believe it or not it took a fair bit of effort to find just that small
> list, with nearly every one in a separate doc, from memory.
>
>
>
> We can probably debate whether there is any value in GUID/UUID or not
> during the call… but again, boblist seems like a reasonable starting point
> as an alternative to HOB.
>
>
> Indeed. There is certainly value in both approaches.
>
> Regards,
> Simon
>
>
>
>
> Thanks,
>
> --Harb
>
>
>
> *From:* François Ozog <francois.ozog(a)linaro.org>
> *Sent:* Tuesday, March 23, 2021 10:00 AM
> *To:* François Ozog <francois.ozog(a)linaro.org>; Ron Minnich <
> rminnich(a)google.com>; Paul Isaac's <paul.isaacs(a)linaro.org>
> *Cc:* Simon Glass <sjg(a)chromium.org>; Harb Abdulhamid OS <
> abdulhamid(a)os.amperecomputing.com>; Boot Architecture Mailman List <
> boot-architecture(a)lists.linaro.org>; tf-a(a)lists.trustedfirmware.org
> *Subject:* Re: [TF-A] Proposal: TF-A to adopt hand-off blocks (HOBs) for
> information passing between boot stages
>
>
>
> +Ron Minnich <rminnich(a)google.com> +Paul Isaac's <paul.isaacs(a)linaro.org>
>
>
>
> Adding Ron and Paul because I think this interface should be also
> benefiting LinuxBoot efforts.
>
>
>
> On Tue, 23 Mar 2021 at 11:17, François Ozog via TF-A <
> tf-a(a)lists.trustedfirmware.org> wrote:
>
> Hi,
>
>
>
> I propose we cover the topic at the next Trusted Substrate
> <https://collaborate.linaro.org/display/TS/Trusted+Substrate+Home> zoom
> call <https://linaro-org.zoom.us/j/94563644892> on April 8th 4pm CET.
>
>
>
> The agenda:
>
> ABI between non-secure firmware and the rest of firmware (EL3, S-EL1,
> S-EL2, SCP) to adapt hardware description to some runtime conditions.
>
> runtime conditions here relates to DRAM size and topology detection,
> secure DRAM memory carvings, PSCI and SCMI interface publishing.
>
>
>
> For additional background on existing metadata: UEFI Platform
> Initialization Specification Version 1.7
> <https://uefi.org/sites/default/files/resources/PI_Spec_1_7_final_Jan_2019.p…>
> , 5.5 Resource Descriptor HOB
>
> Out of the ResourceType we care about is EFI_RESOURCE_SYSTEM_MEMORY.
>
> This HOB lacks memory NUMA attachment or something that could be related
> to fill SRAT table for ACPI or relevant DT proximity domains.
>
> HOB is not consistent accros platforms: some platforms (Arm) lists memory
> from the booting NUMA node, other platforms (x86) lists all memory from all
> NUMA nodes. (At least this is the case on the two platforms I tested).
>
>
>
> There are two proposals to use memory structures from SPL/BLx up to the
> handover function (as defined in the Device Tree technical report
> <https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…>)
> which can be U-boot (BL33 or just U-Boot in case of SPL/U-Boot scheme) or
> EDK2.
>
> I would propose we also discuss possibility of FF-A interface to actually
> query information or request actions to be done (this is a model actually
> used in some SoCs with proprietary SMC calls).
>
>
>
> Requirements (to be validated):
>
> - ACPI and DT hardware descriptions.
>
> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2)
>
> - agnostic to boot framework (SPL/U-Boot, TF-A/U-Boot, TF-A/EDK2,
> TF-A/LinuxBoot)
>
> - at least allows complete DRAM description and "persistent" usage
> (reserved areas for secure world or other usages)
>
> - support secure world device assignment
>
>
>
> Cheers
>
>
>
> FF
>
>
>
>
>
> On Mon, 22 Mar 2021 at 19:56, Simon Glass <sjg(a)chromium.org> wrote:
>
> Hi,
>
> Can I suggest using bloblist for this instead? It is lightweight,
> easier to parse, doesn't have GUIDs and is already used within U-Boot
> for passing info between SPL/U-Boot, etc.
>
> Docs here:
> https://github.com/u-boot/u-boot/blob/master/doc/README.bloblist
> Header file describes the format:
> https://github.com/u-boot/u-boot/blob/master/include/bloblist.h
>
> Full set of unit tests:
> https://github.com/u-boot/u-boot/blob/master/test/bloblist.c
>
> Regards,
> Simon
>
> On Mon, 22 Mar 2021 at 23:58, François Ozog <francois.ozog(a)linaro.org>
> wrote:
> >
> > +Boot Architecture Mailman List <boot-architecture(a)lists.linaro.org>
> >
> > standardization is very much welcomed here and need to accommodate a very
> > diverse set of situations.
> > For example, TEE OS may need to pass memory reservations to BL33 or
> > "capture" a device for the secure world.
> >
> > I have observed a number of architectures:
> > 1) pass information from BLx to BLy in the form of a specific object
> > 2) BLx called by BLy by a platform specific SMC to get information
> > 3) BLx called by BLy by a platform specific SMC to perform Device Tree
> > fixups
> >
> > I also imagined a standardized "broadcast" FF-A call so that any firmware
> > element can either provide information or "do something".
> >
> > My understanding of your proposal is about standardizing on architecture
> 1)
> > with the HOB format.
> >
> > The advantage of the HOB is simplicity but it may be difficult to
> implement
> > schemes such as pruning a DT because device assignment in the secure
> world.
> >
> > In any case, it looks feasible to have TF-A and OP-TEE complement the
> list
> > of HOBs to pass information downstream (the bootflow).
> >
> > It would be good to start with building the comprehensive list of
> > information that need to be conveyed between firmware elements:
> >
> > information. | authoritative entity | reporting entity | information
> > exchanged:
> > dram | TFA | TFA |
> > <format to be detailed, NUMA topology to build the SRAT table or DT
> > equivalent?>
> > PSCI | SCP | TFA? |
> > SCMI | SCP or TEE-OS | TFA? TEE-OS?|
> > secure SRAM | TFA. | TFA. |
> > secure DRAM | TFA? TEE-OS? | TFA? TEE-OS? |
> > other? | |
> > |
> >
> > Cheers
> >
> > FF
> >
> >
> > On Mon, 22 Mar 2021 at 09:34, Harb Abdulhamid OS via TF-A <
> > tf-a(a)lists.trustedfirmware.org> wrote:
> >
> > > Hello Folks,
> > >
> > >
> > >
> > > I'm emailing to start an open discussion about the adoption of a
> concept
> > > known as "hand-off blocks" or HOB to become a part of the TF-A Firmware
> > > Framework Architecture (FFA). This is something that is a pretty major
> > > pain point when it comes to the adoption of TF-A in ARM Server SoC’s
> > > designed to enable a broad range of highly configurable datacenter
> > > platforms.
> > >
> > >
> > >
> > >
> > >
> > > What is a HOB (Background)?
> > >
> > > ---------------------------
> > >
> > > UEFI PI spec describes a particular definition for how HOB may be used
> for
> > > transitioning between the PEI and DXE boot phases, which is a good
> > > reference point for this discussion, but not necessarily the exact
> solution
> > > appropriate for TF-A.
> > >
> > >
> > >
> > > A HOB is simply a dynamically generated data structure passed in
> between
> > > two boot phases. This is information that was obtained through
> discovery
> > > and needs to be passed forward to the next boot phase *once*, with no
> API
> > > needed to call back (e.g. no call back into previous firmware phase is
> > > needed to fetch this information at run-time - it is simply passed one
> time
> > > during boot).
> > >
> > >
> > >
> > > There may be one or more HOBs passed in between boot phases. If there
> are
> > > more than one HOB that needs to be passed, this can be in a form of a
> "HOB
> > > table", which (for example) could be a UUID indexed array of pointers
> to
> > > HOB structures, used to locate a HOB of interest (based on UUID). In
> such
> > > cases, instead of passing a single HOB, the boot phases may rely on
> passing
> > > the pointer to the HOB table.
> > >
> > >
> > >
> > > This has been extremely useful concept to employ on highly configurable
> > > systems that must rely on flexible discovery mechanisms to initialize
> and
> > > boot the system. This is especially helpful when you have multiple
> > >
> > >
> > >
> > >
> > >
> > > Why do we need HOBs in TF-A?:
> > >
> > > -----------------------------
> > >
> > > It is desirable that EL3 firmware (e.g. TF-A) built for ARM Server SoC
> in
> > > a way that is SoC specific *but* platform agnostic. This means that a
> > > single ARM SoC that a SiP may deliver to customers may provide a single
> > > TF-A binary (e.g. BL1, BL2, BL31) that could be used to support a broad
> > > range of platform designs and configurations in order to boot a
> platform
> > > specific firmware (e.g. BL33 and possibly even BL32 code). In order to
> > > achieve this, the platform configuration must be *discovered* instead
> of
> > > statically compiled as it is today in TF-A via device tree based
> > > enumeration. The mechanisms of discovery may differ broadly depending
> on
> > > the relevant industry standard, or in some cases may have rely on SiP
> > > specific discovery flows.
> > >
> > >
> > >
> > > For example: On server systems that support a broad range DIMM memory
> > > population/topologies, all the necessary information required to boot
> is
> > > fully discovered via standard JEDEC Serial Presence Detect (SPD) over
> an
> > > I2C bus. Leveraging the SPD bus, may platform variants could be
> supported
> > > with a single TF-A binary. Not only is this information required to
> > > initialize memory in early boot phases (e.g. BL2), the subsequent boot
> > > phases will also need this SPD info to construct a system physical
> address
> > > map and properly initialize the MMU based on the memory present, and
> where
> > > the memory may be present. Subsequent boot phases (e.g. BL33 / UEFI)
> may
> > > need to generate standard firmware tables to the operating systems,
> such as
> > > SMBIOS tables describing DIMM topology and various ACPI tables (e.g.
> SLIT,
> > > SRAT, even NFIT if NVDIMM's are present).
> > >
> > >
> > >
> > > In short, it all starts with a standardized or vendor specific
> discovery
> > > flow in an early boot stage (e.g. BL1/BL2), followed by the passing of
> > > information to the next boot stages (e.g. BL31/BL32/BL33).
> > >
> > >
> > >
> > > Today, every HOB may be a vendor specific structure, but in the future
> > > there may be benefit of defining standard HOBs. This may be useful for
> > > memory discovery, passing the system physical address map, enabling TPM
> > > measured boot, and potentially many other common HOB use-cases.
> > >
> > >
> > >
> > > It would be extremely beneficial to the datacenter market segment if
> the
> > > TF-A community would adopt this concept of information passing between
> all
> > > boot phases as opposed to rely solely on device tree enumeration.
> This is
> > > not intended to replace device tree, rather intended as an alternative
> way
> > > to describe the info that must be discovered and dynamically generated.
> > >
> > >
> > >
> > >
> > >
> > > Conclusion:
> > >
> > > -----------
> > >
> > > We are proposing that the TF-A community begin pursuing the adoption of
> > > HOBs as a mechanism used for information exchange between each boot
> stage
> > > (e.g. BL1->BL2, BL2->BL31, BL31->BL32, and BL31->BL33)? Longer term we
> > > want to explore standardizing some HOB structures for the BL33 phase
> (e.g.
> > > UEFI HOB structures), but initially would like to agree on this being a
> > > useful mechanism used to pass information between each boot stage.
> > >
> > >
> > >
> > > Thanks,
> > >
> > > --Harb
> > >
> > >
> > >
> > >
> > >
> > >
> > > --
> > > TF-A mailing list
> > > TF-A(a)lists.trustedfirmware.org
> > > https://lists.trustedfirmware.org/mailman/listinfo/tf-a
> > >
> >
> >
> > --
> > François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
> > T: +33.67221.6485
> > francois.ozog(a)linaro.org | Skype: ffozog
> > _______________________________________________
> > boot-architecture mailing list
> > boot-architecture(a)lists.linaro.org
> > https://lists.linaro.org/mailman/listinfo/boot-architecture
>
>
>
>
> --
>
> *François-Frédéric Ozog* | *Director Linaro Edge & Fog Computing Group*
>
> T: +33.67221.6485
> francois.ozog(a)linaro.org | Skype: ffozog
>
>
>
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>
>
>
>
> --
>
> *François-Frédéric Ozog* | *Director Linaro Edge & Fog Computing Group*
>
> T: +33.67221.6485
> francois.ozog(a)linaro.org | Skype: ffozog
>
>
>
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
5 years, 1 month
- 4
- 3
Rockchip rk3399 build broken with gcc11
by Olivier Deprez
Hi Rockchip platform maintainers,
There's a build issue spotted with GCC11 on rk3399 platform reported here using tip of master: https://developer.trustedfirmware.org/T925
The issue is not breaking the build with earlier gcc versions, but we think the error is legitimate and caused by a mistake in the platform code. Details in the ticket.
Any chance for you to have a look?
Thanks, Olivier.
5 years, 1 month
- 1
- 0
MEM_PROTECT for secure world?
by Okash Khawaja
Hi,
As a PSCI call, MEM_PROTECT which is used to protect against cold
reboot attack, can't be called from TZ-secure. In a situation where at
run time, HLOS in NS-EL1 transfers some buffer that it owns, to a
secure partition then secure partition can't call MEM_PROTECT because
psci_smc_handler will return SMC_UNK if the caller is secure.
Should MEM_PROTECT be available to TZ-secure as well?
Thanks,
Okash
5 years, 1 month
- 1
- 0
TF-A Tech Forum Agenda @ Thr 6th May 2021 16:00-1700 BST
by Joanna Farley
Hi All,
The next TF-A Tech Forum is scheduled for Thu 6th May 2021 16:00 – 17:00 (BST).
Agenda:
* Discussion Session: Static and Dynamic Information Handling in TF-A
* Lead by Manish Pandy and Madhukar Pappireddy
· There is ongoing mailing lists discussion[1] related with adopting a mechanism to pass information through boot stages.
The requirement is two-fold:
1. Passing static information(config files)
2. Passing dynamic information (Hob list)
In the upcoming TF-A tech forum, we can start with a discussion on dynamic information passing and if time permits, we can cover static information passing. The purpose of the call is to have an open discussion and continue the discussion from the trusted-substrate call[2] done earlier. We would like to understand the various requirements and possible ways to implement it in TF-A in a generalized way so that it can work with other Firmware projects.
The two specific item which we would like to discuss are:
1. HOB format: TF-A/u-boot both has an existing bloblist implementation, which uses tag values. Question, can this be enhanced to use hybrid values(Tag and UUID) both?
2. Standardization on Physical register use to pass base of HoB data structure.
References:
[1] https://lists.trustedfirmware.org/pipermail/tf-a/2021-April/001069.html
[2] https://linaro-org.zoom.us/rec/share/zjfHeMIumkJhirLCVQYTHR6ftaqyWvF_0klgQn… Passcode: IPn+5q%
Thanks
Joanna
You have been invited to the following event.
TF-A Tech Forum
When
Every 2 weeks from 16:00 to 17:00 on Thursday United Kingdom Time
Calendar
tf-a(a)lists.trustedfirmware.org
Who
•
Bill Fletcher- creator
•
tf-a(a)lists.trustedfirmware.org
more details »<https://www.google.com/calendar/event?action=VIEW&eid=NWlub3Ewdm1tMmk1cTJrM…>
We run an open technical forum call for anyone to participate and it is not restricted to Trusted Firmware project members. It will operate under the guidance of the TF TSC.
Feel free to forward this invite to colleagues. Invites are via the TF-A mailing list and also published on the Trusted Firmware website. Details are here: https://www.trustedfirmware.org/meetings/tf-a-technical-forum/<https://www.google.com/url?q=https%3A%2F%2Fwww.trustedfirmware.org%2Fmeetin…>
Trusted Firmware is inviting you to a scheduled Zoom meeting.
Join Zoom Meeting
https://zoom.us/j/9159704974<https://www.google.com/url?q=https%3A%2F%2Fzoom.us%2Fj%2F9159704974&sa=D&us…>
Meeting ID: 915 970 4974
One tap mobile
+16465588656,,9159704974# US (New York)
+16699009128,,9159704974# US (San Jose)
Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 9128 US (San Jose)
877 853 5247 US Toll-free
888 788 0099 US Toll-free
Meeting ID: 915 970 4974
Find your local number: https://zoom.us/u/ad27hc6t7h<https://www.google.com/url?q=https%3A%2F%2Fzoom.us%2Fu%2Fad27hc6t7h&sa=D&us…>
Going (tf-a(a)lists.trustedfirmware.org)? All events in this series: Yes<https://www.google.com/calendar/event?action=RESPOND&eid=NWlub3Ewdm1tMmk1cT…> - Maybe<https://www.google.com/calendar/event?action=RESPOND&eid=NWlub3Ewdm1tMmk1cT…> - No<https://www.google.com/calendar/event?action=RESPOND&eid=NWlub3Ewdm1tMmk1cT…> more options »<https://www.google.com/calendar/event?action=VIEW&eid=NWlub3Ewdm1tMmk1cTJrM…>
Invitation from Google Calendar<https://www.google.com/calendar/>
You are receiving this courtesy email at the account tf-a(a)lists.trustedfirmware.org because you are an attendee of this event.
To stop receiving future updates for this event, decline this event. Alternatively, you can sign up for a Google Account at https://www.google.com/calendar/ and control your notification settings for your entire calendar.
Forwarding this invitation could allow any recipient to send a response to the organiser and be added to the guest list, invite others regardless of their own invitation status or to modify your RSVP. Learn more<https://support.google.com/calendar/answer/37135#forwarding>.
5 years, 2 months
- 1
- 0
Re: [TF-A] Run BL33 (u-boot) in EL3
by François Ozog
Le mar. 27 avr. 2021 à 11:04, Loh, Tien Hock via TF-A <
tf-a(a)lists.trustedfirmware.org> a écrit :
> Achin,
>
> Yes that’s what I have suspected in the first place, but no harm asking :)
>
>
>
> Tien Fong,
>
> As per discussed, we could probably expose the a compile time option in
> BL31 that expose a command that read/write to the secure domain.
>
> That case, u-boot shell will be able to access secure domain and not need
> to run in EL3.
>
Would you allow an OS to access underlying hypervisor ?
In essence this is what you are asking:
there are architectural services such as kicking off a new cpu that are
supposed to be routed to the right service handler (PSCI) or secure
firmware updates with anti-bricking support....
Could you be more specific on what you want to do and why ?
That may help us advise on achieving your goals while still being
architecturally correct.
>
>
> Thanks
>
>
>
> *From:* Chee, Tien Fong <tien.fong.chee(a)intel.com>
> *Sent:* Tuesday, April 27, 2021 5:01 PM
> *To:* Achin Gupta <Achin.Gupta(a)arm.com>; tf-a(a)lists.trustedfirmware.org;
> Loh, Tien Hock <tien.hock.loh(a)intel.com>
> *Cc:* See, Chin Liang <chin.liang.see(a)intel.com>; Hea, Kok Kiang <
> kok.kiang.hea(a)intel.com>
> *Subject:* RE: Run BL33 (u-boot) in EL3
>
>
>
> Hi Achin,
>
>
>
> Thanks for the feedback.
>
>
>
> This is use case when user doing development, testing and bring up the
> board, they can use this option to run their script on U-Boot shell to
> access these secure region. Once they have finished the development, and
> testing, then user can switch U-Boot into EL2. This flexibility would
> definitely giving some degree of convenience for development and testing.
>
>
>
> Thanks.
>
>
>
> *From:* Achin Gupta <Achin.Gupta(a)arm.com>
> *Sent:* Tuesday, 27 April, 2021 4:38 PM
> *To:* tf-a(a)lists.trustedfirmware.org; Loh, Tien Hock <
> tien.hock.loh(a)intel.com>
> *Cc:* Chee, Tien Fong <tien.fong.chee(a)intel.com>; See, Chin Liang <
> chin.liang.see(a)intel.com>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com>
> *Subject:* Re: Run BL33 (u-boot) in EL3
>
>
>
> Hi Tien Hock,
>
>
>
> The maintainers will have more thoughts on this but my $0.02 fwiw.
>
>
>
> I cannot see why the Trusted Firmware project should carry any option that
> enables use of EL3 by users who do not care about security. EL3 is not
> meant to run u-boot with a shell that can be used to fiddle with secure
> memory. This flies against the basic security principles that the project
> is built upon.
>
>
>
> cheers,
> Achin
>
>
> ------------------------------
>
> *From:* TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of Loh,
> Tien Hock via TF-A <tf-a(a)lists.trustedfirmware.org>
> *Sent:* 27 April 2021 09:02
> *To:* tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>
> *Cc:* Chee, Tien Fong <tien.fong.chee(a)intel.com>; See, Chin Liang <
> chin.liang.see(a)intel.com>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com>
> *Subject:* [TF-A] Run BL33 (u-boot) in EL3
>
>
>
> Hi,
>
>
>
> I’m maintaining TF-A for Intel SoCFPGA platform.
>
> Would it be possible if we should have the option to run BL33 (u-boot in
> our case) in EL3?
>
>
>
> The Intel SoCFPGA platform u-boot used to handle all SMC calls:
>
> SPL u-boot (EL3) -> u-boot (EL3)
>
> And we have since move to use TF-A’s BL31, thus boot became
> SPL u-boot (EL3) -> TF-A BL31 (EL3) -> u-boot (EL2)
>
>
>
> Main reason is that some users would like to keep u-boot at EL3 as they do
> not care about security, and some users wanted to run some debugging
> read/write to secure region in u-boot shell.
>
>
>
> Thanks
>
> Tien Hock
>
>
> --
> TF-A mailing list
> TF-A(a)lists.trustedfirmware.org
> https://lists.trustedfirmware.org/mailman/listinfo/tf-a
>
--
François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group*
T: +33.67221.6485
francois.ozog(a)linaro.org | Skype: ffozog
5 years, 2 months
- 2
- 3
Re: [TF-A] Run BL33 (u-boot) in EL3
by Manish Pandey2
Hi Tien Hock,
Did you explored EL3_PAYLOAD_BASE build option. This option enables booting an EL3 payload, if it suits you then u-boot as EL3 payload.
thanks
Manish
________________________________
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org> on behalf of François Ozog via TF-A <tf-a(a)lists.trustedfirmware.org>
Sent: 27 April 2021 20:16
To: Loh, Tien Hock <tien.hock.loh(a)intel.com>
Cc: tf-a(a)lists.trustedfirmware.org <tf-a(a)lists.trustedfirmware.org>; See, Chin Liang <chin.liang.see(a)intel.com>; Chee, Tien Fong <tien.fong.chee(a)intel.com>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com>
Subject: Re: [TF-A] Run BL33 (u-boot) in EL3
Le mar. 27 avr. 2021 à 11:04, Loh, Tien Hock via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>> a écrit :
Achin,
Yes that’s what I have suspected in the first place, but no harm asking :)
Tien Fong,
As per discussed, we could probably expose the a compile time option in BL31 that expose a command that read/write to the secure domain.
That case, u-boot shell will be able to access secure domain and not need to run in EL3.
Would you allow an OS to access underlying hypervisor ?
In essence this is what you are asking:
there are architectural services such as kicking off a new cpu that are supposed to be routed to the right service handler (PSCI) or secure firmware updates with anti-bricking support....
Could you be more specific on what you want to do and why ?
That may help us advise on achieving your goals while still being architecturally correct.
Thanks
From: Chee, Tien Fong <tien.fong.chee(a)intel.com<mailto:tien.fong.chee@intel.com>>
Sent: Tuesday, April 27, 2021 5:01 PM
To: Achin Gupta <Achin.Gupta(a)arm.com<mailto:Achin.Gupta@arm.com>>; tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>; Loh, Tien Hock <tien.hock.loh(a)intel.com<mailto:tien.hock.loh@intel.com>>
Cc: See, Chin Liang <chin.liang.see(a)intel.com<mailto:chin.liang.see@intel.com>>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com<mailto:kok.kiang.hea@intel.com>>
Subject: RE: Run BL33 (u-boot) in EL3
Hi Achin,
Thanks for the feedback.
This is use case when user doing development, testing and bring up the board, they can use this option to run their script on U-Boot shell to access these secure region. Once they have finished the development, and testing, then user can switch U-Boot into EL2. This flexibility would definitely giving some degree of convenience for development and testing.
Thanks.
From: Achin Gupta <Achin.Gupta(a)arm.com<mailto:Achin.Gupta@arm.com>>
Sent: Tuesday, 27 April, 2021 4:38 PM
To: tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>; Loh, Tien Hock <tien.hock.loh(a)intel.com<mailto:tien.hock.loh@intel.com>>
Cc: Chee, Tien Fong <tien.fong.chee(a)intel.com<mailto:tien.fong.chee@intel.com>>; See, Chin Liang <chin.liang.see(a)intel.com<mailto:chin.liang.see@intel.com>>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com<mailto:kok.kiang.hea@intel.com>>
Subject: Re: Run BL33 (u-boot) in EL3
Hi Tien Hock,
The maintainers will have more thoughts on this but my $0.02 fwiw.
I cannot see why the Trusted Firmware project should carry any option that enables use of EL3 by users who do not care about security. EL3 is not meant to run u-boot with a shell that can be used to fiddle with secure memory. This flies against the basic security principles that the project is built upon.
cheers,
Achin
________________________________
From: TF-A <tf-a-bounces(a)lists.trustedfirmware.org<mailto:tf-a-bounces@lists.trustedfirmware.org>> on behalf of Loh, Tien Hock via TF-A <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>>
Sent: 27 April 2021 09:02
To: tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org> <tf-a(a)lists.trustedfirmware.org<mailto:tf-a@lists.trustedfirmware.org>>
Cc: Chee, Tien Fong <tien.fong.chee(a)intel.com<mailto:tien.fong.chee@intel.com>>; See, Chin Liang <chin.liang.see(a)intel.com<mailto:chin.liang.see@intel.com>>; Hea, Kok Kiang <kok.kiang.hea(a)intel.com<mailto:kok.kiang.hea@intel.com>>
Subject: [TF-A] Run BL33 (u-boot) in EL3
Hi,
I’m maintaining TF-A for Intel SoCFPGA platform.
Would it be possible if we should have the option to run BL33 (u-boot in our case) in EL3?
The Intel SoCFPGA platform u-boot used to handle all SMC calls:
SPL u-boot (EL3) -> u-boot (EL3)
And we have since move to use TF-A’s BL31, thus boot became
SPL u-boot (EL3) -> TF-A BL31 (EL3) -> u-boot (EL2)
Main reason is that some users would like to keep u-boot at EL3 as they do not care about security, and some users wanted to run some debugging read/write to secure region in u-boot shell.
Thanks
Tien Hock
--
TF-A mailing list
TF-A(a)lists.trustedfirmware.org<mailto:TF-A@lists.trustedfirmware.org>
https://lists.trustedfirmware.org/mailman/listinfo/tf-a
--
[https://drive.google.com/a/linaro.org/uc?id=0BxTAygkus3RgQVhuNHMwUi1mYWc&ex…]
François-Frédéric Ozog | Director Linaro Edge & Fog Computing Group
T: +33.67221.6485
francois.ozog(a)linaro.org<mailto:francois.ozog@linaro.org> | Skype: ffozog
5 years, 2 months
- 2
- 1