Registered User mNo edit summary |
Registered User mNo edit summary |
||
| (35 intermediate revisions by 7 users not shown) | |||
| Line 3: | Line 3: | ||
=== Linux start-up === | === Linux start-up === | ||
Starting Linux<sup>®</sup> on a processor is done in several steps that progressively initialize the platform peripherals and memories. These steps are | Starting Linux<sup>®</sup> on a processor is done in several steps that progressively initialize the platform peripherals and memories. These steps are | ||
explained in the following | explained in the following paragraphs and illustrated by the diagram on the right, which also gives typical memory sizes for each stage. | ||
[[File: Boot_chains_overview.png| | [[File: Boot_chains_overview.png|center|link=|Generic Linux boot chain]] | ||
==== ROM code ==== | ==== ROM code ==== | ||
The ROM code is a piece of software that takes its name from the read only memory (ROM) where it is stored. It fits in a few tens of Kbytes and maps its data in embedded RAM. It is the first code executed by the processor, and it embeds all the logic needed to select the boot device (serial link or Flash) from which the first-stage boot loader (FSBL) is loaded to the embedded RAM. | The ROM code is a piece of software that takes its name from the read only memory (ROM) where it is stored. It fits in a few tens of Kbytes and maps its data in embedded RAM. It is the first code executed by the processor, and it embeds all the logic needed to select the boot device (serial link or Flash) from which the first-stage boot loader (FSBL) is loaded to the embedded RAM.<br> | ||
Most products require to trust the application that is running on the device and the ROM code is the first link in the chain of trust that must be established across all started components: this trust is established by authenticating the FSBL before starting it. In turn, the FSBL and each following component will authenticate the next one, up to a level defined by the product manufacturer. | |||
==== First stage boot loader (FSBL) ==== | ==== First stage boot loader (FSBL) ==== | ||
| Line 24: | Line 25: | ||
=== Other services start-up === | === Other services start-up === | ||
[[File: STM32MP boot chain.png | [[File: STM32MP boot chain.png|right|link=|STM32MP boot chain]] | ||
In addition to <span style="color:#FFFFFF; background:{{STDarkBlue}};"> Linux </span> startup, the boot chain | In addition to <span style="color:#FFFFFF; background:{{STDarkBlue}};"> Linux </span> startup, the boot chain also installs the secure monitor and may support coprocessor firmware loading. | ||
<br /><br /> | <br /><br /> | ||
For instance, for the STM32MP15, the boot chain starts: | For instance, for the STM32MP15, the boot chain starts: | ||
* the <span style="color:#FFFFFF; background:{{STPink}};"> secure monitor </span>, supported by the Arm<sup>®</sup> Cortex<sup>®</sup>-A secure context (TrustZone). Examples of use of a secure monitor are: user authentication, key storage, and tampering management. | * the <span style="color:#FFFFFF; background:{{STPink}};"> secure monitor </span>, supported by the Arm<sup>®</sup> Cortex<sup>®</sup>-A secure context (TrustZone). Examples of use of a secure monitor are: user authentication, key storage, and tampering management. | ||
| Line 33: | Line 33: | ||
<br /> | <br /> | ||
The dotted lines in the diagram on the right mean that: | The dotted lines in the diagram on the right mean that: | ||
* the <span style="color:#FFFFFF; background:{{STLightBlue}};"> coprocessor </span> can be started by the '''second stage boot loader (SSBL)''', known as “'''early boot'''”, or '''Linux kernel''' | * the <span style="color:#FFFFFF; background:{{STLightBlue}};"> coprocessor </span> can be started by the '''second stage boot loader (SSBL)''', known as “'''early boot'''”, or '''Linux kernel''' | ||
<br clear=all> | <br clear=all> | ||
| Line 39: | Line 38: | ||
== STM32MP boot sequence == | == STM32MP boot sequence == | ||
=== Diagram frames and legend === | === Diagram frames and legend === | ||
[[File:Boot diagrams contexts.png | [[File:Boot diagrams contexts.png|right|link=|STM32MP hardware execution contexts]] | ||
The [[Getting_started_with_STM32_MPU_devices#Multiple-core_architecture_concepts|hardware execution contexts]] are shown with vertical frames in the boot diagrams: | The [[Getting_started_with_STM32_MPU_devices#Multiple-core_architecture_concepts|hardware execution contexts]] are shown with vertical frames in the boot diagrams: | ||
* the <span style="color:#FFFFFF; background:{{STPink}};"> Arm Cortex-A secure </span> context, in pink | * the <span style="color:#FFFFFF; background:{{STPink}};"> Arm Cortex-A secure </span> context, in pink | ||
| Line 48: | Line 47: | ||
* the top part shows the '''runtime''' services, that are installed by the '''boot chain''' | * the top part shows the '''runtime''' services, that are installed by the '''boot chain''' | ||
<br clear=all> | <br clear=all> | ||
[[File:Boot chains legend.png | [[File:Boot chains legend.png|right|link=|Boot chain diagrams legend]] | ||
The legend on the right shows how information about the various components shown in the frames, and which are involved in the boot process, is highlighted: | The legend on the right shows how information about the various components shown in the frames, and which are involved in the boot process, is highlighted: | ||
* The box '''color''' shows the component source code origin | * The box '''color''' shows the component source code origin | ||
| Line 56: | Line 55: | ||
<br clear=all> | <br clear=all> | ||
=== | === STM32MP15 boot chain === | ||
==== Overview ==== | ==== Overview ==== | ||
[[File: STM32MPU Embedded Software architecture overview.png|link=STM32MPU Embedded Software architecture overview|thumb|Zoom out to STM32MPU Embedded Software]] | [[File: STM32MPU Embedded Software architecture overview.png|link=STM32MPU Embedded Software architecture overview|thumb|Zoom out to STM32MPU Embedded Software]] | ||
STM32MP15 boot chain uses [[TF-A overview|Trusted Firmware-A (TF-A)]] as the FSBL in order to fulfill all the requirements for security-sensitive customers, and it uses [[U-Boot overview|U-Boot]] as the SSBL. Note that the authentication is optional with this boot chain, so it can run on any STM32MP15 device [[STM32MP15_microprocessor#Part_number_codification|security]] variant (that is, with or without the Secure boot).<br> | |||
Refer to the [[Security overview|security overview]] for an introduction of the secure features available on STM32MP15, from the secure boot up to trusted applications execution. | |||
[[File:Trusted boot chain.png|center|link=|STM32MP15 boot chain]] | |||
<br clear=all> | <br clear=all> | ||
Note: | |||
* The STM32MP15 coprocessor can be started at the SSBL level by the [[U-Boot overview|U-Boot early boot]] feature or, later, by the [[Linux remoteproc framework overview|Linux remoteproc framework]], depending on the application startup time-targets. | |||
==== ROM code ==== | |||
The [[STM32MP15 ROM code overview|ROM code]] starts the processor in secure mode. It supports the FSBL authentication and offers authentication services to the FSBL. | The [[STM32MP15 ROM code overview|ROM code]] starts the processor in secure mode. It supports the FSBL authentication and offers authentication services to the FSBL. | ||
==== First stage boot loader (FSBL) ==== | |||
The FSBL is executed from the [[SYSRAM_internal_memory|SYSRAM]].<br /> | The FSBL is executed from the [[SYSRAM_internal_memory|SYSRAM]].<br /> | ||
Among other things, this boot loader initializes (part of) the clock tree and the [[DDRCTRL and DDRPHYC internal peripherals|DDR controller]]. Finally, the FSBL loads the second-stage boot loader (SSBL) into the DDR external RAM and jumps to it.<br | Among other things, this boot loader initializes (part of) the clock tree and the [[DDRCTRL and DDRPHYC internal peripherals|DDR controller]]. Finally, the FSBL loads the second-stage boot loader (SSBL) into the DDR external RAM and jumps to it.<br> | ||
The [[TF-A overview|Trusted Firmware-A (TF-A)]] | The boot loader stage 2, so called TF-A BL2, is the [[TF-A overview|Trusted Firmware-A (TF-A)]] binary used as FSBL on STM32MP15.<br> | ||
==== Second stage boot loader (SSBL) ==== | |||
[[U-Boot overview|U-Boot]] is commonly used as a bootloader in embedded software and it is the one used on STM32MP15. | |||
[[U-Boot overview|U-Boot]] is commonly used as a bootloader in embedded software. | |||
==== Linux ==== | |||
Linux<sup>®</sup> | Linux<sup>®</sup> OS is loaded in DDR by U-Boot and executed in the non-secure context. | ||
==== Secure OS / Secure Monitor ==== | |||
The Cortex-A7 secure world can implement a minimal secure monitor (from [[TF-A_overview#BL32|TF-A]] or [[U-Boot overview|U-Boot]]) or a real secure OS, such as [[OP-TEE overview|OP-TEE]]. | The Cortex-A7 secure world can implement a minimal secure monitor (from [[TF-A_overview#BL32|TF-A SP-MIN]] or [[U-Boot overview|U-Boot]]) or a real secure OS, such as [[OP-TEE overview|OP-TEE]]. | ||
==== Coprocessor firmware ==== | |||
The coprocessor [[STM32CubeMP1 architecture|STM32Cube]] firmware can be started at the SSBL level by [[U-Boot overview|U-Boot]] with the remoteproc feature (rproc command) or, later, by [[Linux remoteproc framework overview|Linux remoteproc framework]], depending on the application startup time-targets. | The coprocessor [[STM32CubeMP1 architecture|STM32Cube]] firmware can be started at the SSBL level by [[U-Boot overview|U-Boot]] with the remoteproc feature (rproc command) or, later, by [[Linux remoteproc framework overview|Linux remoteproc framework]], depending on the application startup time-targets. | ||
<noinclude> | <noinclude> | ||
Latest revision as of 13:15, 12 March 2021
1. Generic boot sequence[edit source]
1.1. Linux start-up[edit source]
Starting Linux® on a processor is done in several steps that progressively initialize the platform peripherals and memories. These steps are explained in the following paragraphs and illustrated by the diagram on the right, which also gives typical memory sizes for each stage.
1.1.1. ROM code[edit source]
The ROM code is a piece of software that takes its name from the read only memory (ROM) where it is stored. It fits in a few tens of Kbytes and maps its data in embedded RAM. It is the first code executed by the processor, and it embeds all the logic needed to select the boot device (serial link or Flash) from which the first-stage boot loader (FSBL) is loaded to the embedded RAM.
Most products require to trust the application that is running on the device and the ROM code is the first link in the chain of trust that must be established across all started components: this trust is established by authenticating the FSBL before starting it. In turn, the FSBL and each following component will authenticate the next one, up to a level defined by the product manufacturer.
1.1.2. First stage boot loader (FSBL)[edit source]
Among other things, the first stage boot loader (FSBL) initializes (part of) the clock tree and the external RAM controller. Finally, the FSBL loads the second-stage boot loader (SSBL) into the external RAM and jumps to it.
The Trusted Firmware-A (TF-A) and U-Boot secondary program loader (U-Boot SPL) are two possible FSBLs.
1.1.3. Second-stage boot loader (SSBL)[edit source]
The second-stage boot loader (SSBL) runs in a wide RAM so it can implement complex features (USB, Ethernet, display, and so on), that are very useful to make Linux kernel loading more flexible (from a Flash device, a network, and so on), and user-friendly (by showing a splash screen to the user). U-Boot is commonly used as a Linux bootloader in embedded systems.
1.1.4. Linux kernel space[edit source]
The Linux kernel is started in the external memory and it initializes all the peripheral drivers that are needed on the platform.
1.1.5. Linux user space[edit source]
Finally, the Linux kernel hands control to the user space starting the init process that runs all initialization actions described in the root file system (rootfs), including the application framework that exposes the user interface (UI) to the user.
1.2. Other services start-up[edit source]
In addition to Linux startup, the boot chain also installs the secure monitor and may support coprocessor firmware loading.
For instance, for the STM32MP15, the boot chain starts:
- the secure monitor , supported by the Arm® Cortex®-A secure context (TrustZone). Examples of use of a secure monitor are: user authentication, key storage, and tampering management.
- the coprocessor firmware, running on the Arm Cortex-M core. This can be used to offload real-time or low-power services.
The dotted lines in the diagram on the right mean that:
- the coprocessor can be started by the second stage boot loader (SSBL), known as “early boot”, or Linux kernel
2. STM32MP boot sequence[edit source]
2.1. Diagram frames and legend[edit source]
The hardware execution contexts are shown with vertical frames in the boot diagrams:
- the Arm Cortex-A secure context, in pink
- the Arm Cortex-A non-secure context, in dark blue
- the Arm Cortex-M context, in light blue
The horizontal frame in:
- the bottom part shows the boot chain
- the top part shows the runtime services, that are installed by the boot chain
The legend on the right shows how information about the various components shown in the frames, and which are involved in the boot process, is highlighted:
- The box color shows the component source code origin
- The arrows show the loading and calling actions between the components
- The Cube logo is used on the top right corner of components that can be configured via STM32CubeMX
- The lock show the components that can be authenticated during the boot process
2.2. STM32MP15 boot chain[edit source]
2.2.1. Overview[edit source]
STM32MP15 boot chain uses Trusted Firmware-A (TF-A) as the FSBL in order to fulfill all the requirements for security-sensitive customers, and it uses U-Boot as the SSBL. Note that the authentication is optional with this boot chain, so it can run on any STM32MP15 device security variant (that is, with or without the Secure boot).
Refer to the security overview for an introduction of the secure features available on STM32MP15, from the secure boot up to trusted applications execution.
Note:
- The STM32MP15 coprocessor can be started at the SSBL level by the U-Boot early boot feature or, later, by the Linux remoteproc framework, depending on the application startup time-targets.
2.2.2. ROM code[edit source]
The ROM code starts the processor in secure mode. It supports the FSBL authentication and offers authentication services to the FSBL.
2.2.3. First stage boot loader (FSBL)[edit source]
The FSBL is executed from the SYSRAM.
Among other things, this boot loader initializes (part of) the clock tree and the DDR controller. Finally, the FSBL loads the second-stage boot loader (SSBL) into the DDR external RAM and jumps to it.
The boot loader stage 2, so called TF-A BL2, is the Trusted Firmware-A (TF-A) binary used as FSBL on STM32MP15.
2.2.4. Second stage boot loader (SSBL)[edit source]
U-Boot is commonly used as a bootloader in embedded software and it is the one used on STM32MP15.
2.2.5. Linux[edit source]
Linux® OS is loaded in DDR by U-Boot and executed in the non-secure context.
2.2.6. Secure OS / Secure Monitor[edit source]
The Cortex-A7 secure world can implement a minimal secure monitor (from TF-A SP-MIN or U-Boot) or a real secure OS, such as OP-TEE.
2.2.7. Coprocessor firmware[edit source]
The coprocessor STM32Cube firmware can be started at the SSBL level by U-Boot with the remoteproc feature (rproc command) or, later, by Linux remoteproc framework, depending on the application startup time-targets.
Arm® is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere. 