[J-u-boot.git] / doc / arch / arm64.ffa.rst

.. SPDX-License-Identifier: GPL-2.0+

Arm FF-A Support
================

Summary
-------

FF-A stands for Firmware Framework for Arm A-profile processors.

FF-A specifies interfaces that enable a pair of software execution environments aka partitions to
communicate with each other. A partition could be a VM in the Normal or Secure world, an
application in S-EL0, or a Trusted OS in S-EL1.

The U-Boot FF-A support (the bus) implements the interfaces to communicate
with partitions in the Secure world aka Secure partitions (SPs).

The FF-A support specifically focuses on communicating with SPs that
isolate portions of EFI runtime services that must run in a protected
environment which is inaccessible by the Host OS or Hypervisor.
Examples of such services are set/get variables.

The FF-A support uses the SMC ABIs defined by the FF-A specification to:

- Discover the presence of SPs of interest
- Access an SP's service through communication protocols
  e.g. EFI MM communication protocol

At this stage of development only EFI boot-time services are supported.
Runtime support will be added in future developments.

The U-Boot FF-A support provides the following parts:

- A Uclass driver providing generic FF-A methods.
- An Arm FF-A device driver providing Arm-specific methods and reusing the Uclass methods.
- A sandbox emulator for Arm FF-A, emulates the FF-A side of the Secure World and provides
  FF-A ABIs inspection methods.
- An FF-A sandbox device driver for FF-A communication with the emulated Secure World.
  The driver leverages the FF-A Uclass to establish FF-A communication.
- Sandbox FF-A test cases.

FF-A and SMC specifications
---------------------------

The current implementation of the U-Boot FF-A support relies on
`FF-A v1.0 specification`_ and uses SMC32 calling convention which
means using the first 32-bit data of the Xn registers.

At this stage we only need the FF-A v1.0 features.

The FF-A support has been tested with OP-TEE which supports SMC32 calling
convention.

Hypervisors are supported if they are configured to trap SMC calls.

The FF-A support uses 64-bit registers as per `SMC Calling Convention v1.2 specification`_.

Supported hardware
------------------

Aarch64 plaforms

Configuration
-------------

CONFIG_ARM_FFA_TRANSPORT
    Enables the FF-A support. Turn this on if you want to use FF-A
    communication.
    When using an Arm 64-bit platform, the Arm FF-A driver will be used.
    When using sandbox, the sandbox FF-A emulator and FF-A sandbox driver will be used.

FF-A ABIs under the hood
------------------------

Invoking an FF-A ABI involves providing to the secure world/hypervisor the
expected arguments from the ABI.

On an Arm 64-bit platform, the ABI arguments are stored in x0 to x7 registers.
Then, an SMC instruction is executed.

At the secure side level or hypervisor the ABI is handled at a higher exception
level and the arguments are read and processed.

The response is put back through x0 to x7 registers and control is given back
to the U-Boot Arm FF-A driver (non-secure world).

The driver reads the response and processes it accordingly.

This methodology applies to all the FF-A ABIs.

FF-A bus discovery on Arm 64-bit platforms
------------------------------------------

When CONFIG_ARM_FFA_TRANSPORT is enabled, the FF-A bus is considered as
an architecture feature and discovered using ARM_SMCCC_FEATURES mechanism.
This discovery mechanism is performed by the PSCI driver.

The PSCI driver comes with a PSCI device tree node which is the root node for all
architecture features including FF-A bus.

::

   => dm tree

    Class     Index  Probed  Driver                Name
   -----------------------------------------------------------
    firmware      0  [ + ]   psci                      |-- psci
    ffa                   0  [   ]   arm_ffa               |   `-- arm_ffa

The PSCI driver is bound to the PSCI device and when probed it tries to discover
the architecture features by calling a callback the features drivers provide.

In case of FF-A, the callback is arm_ffa_is_supported() which tries to discover the
FF-A framework by querying the FF-A framework version from secure world using
FFA_VERSION ABI. When discovery is successful, the ARM_SMCCC_FEATURES
mechanism creates a U-Boot device for the FF-A bus and binds the Arm FF-A driver
with the device using device_bind_driver().

At this stage the FF-A bus is registered with the DM and can be interacted with using
the DM APIs.

Clients are able to probe then use the FF-A bus by calling uclass_first_device().
Please refer to the armffa command implementation as an example of how to probe
and interact with the FF-A bus.

When calling uclass_first_device(), the FF-A driver is probed and ends up calling
ffa_do_probe() provided by the Uclass which does the following:

    - saving the FF-A framework version in uc_priv
    - querying from secure world the u-boot endpoint ID
    - querying from secure world the supported features of FFA_RXTX_MAP
    - mapping the RX/TX buffers
    - querying from secure world all the partitions information

When one of the above actions fails, probing fails and the driver stays not active
and can be probed again if needed.

Requirements for clients
------------------------

When using the FF-A bus with EFI, clients must query the SPs they are looking for
during EFI boot-time mode using the service UUID.

The RX/TX buffers are only available at EFI boot-time. Querying partitions is
done at boot time and data is cached for future use.

RX/TX buffers should be unmapped before EFI runtime mode starts.
The driver provides a bus operation for that called ffa_rxtx_unmap().

The user should call ffa_rxtx_unmap() to unmap the RX/TX buffers when required
(e.g: at efi_exit_boot_services()).

The Linux kernel allocates its own RX/TX buffers. To be able to register these kernel buffers
with secure world, the U-Boot's RX/TX buffers should be unmapped before EFI runtime starts.

When invoking FF-A direct messaging, clients should specify which ABI protocol
they want to use (32-bit vs 64-bit). Selecting the protocol means using
the 32-bit or 64-bit version of FFA_MSG_SEND_DIRECT_{REQ, RESP}.
The calling convention between U-Boot and the secure world stays the same: SMC32.

Requirements for user drivers
-----------------------------

Users who want to implement their custom FF-A device driver while reusing the FF-A Uclass can do so
by implementing their own invoke_ffa_fn() in the user driver.

The bus driver layer
--------------------

FF-A support comes on top of the SMCCC layer and is implemented by the FF-A Uclass drivers/firmware/arm-ffa/arm-ffa-uclass.c

The following features are provided:

- Support for the 32-bit version of the following ABIs:

    - FFA_VERSION
    - FFA_ID_GET
    - FFA_FEATURES
    - FFA_PARTITION_INFO_GET
    - FFA_RXTX_UNMAP
    - FFA_RX_RELEASE
    - FFA_RUN
    - FFA_ERROR
    - FFA_SUCCESS
    - FFA_INTERRUPT
    - FFA_MSG_SEND_DIRECT_REQ
    - FFA_MSG_SEND_DIRECT_RESP

- Support for the 64-bit version of the following ABIs:

    - FFA_RXTX_MAP
    - FFA_MSG_SEND_DIRECT_REQ
    - FFA_MSG_SEND_DIRECT_RESP

- Processing the received data from the secure world/hypervisor and caching it

- Hiding from upper layers the FF-A protocol and registers details. Upper
  layers focus on exchanged data, FF-A support takes care of how to transport
  that to the secure world/hypervisor using FF-A

- FF-A support provides driver operations to be used by upper layers:

    - ffa_partition_info_get
    - ffa_sync_send_receive
    - ffa_rxtx_unmap

- FF-A bus discovery makes sure FF-A framework is responsive and compatible
  with the driver

- FF-A bus can be compiled and used without EFI

Relationship between the sandbox emulator and the FF-A device
-------------------------------------------------------------

::

   => dm tree

    Class     Index  Probed  Driver                Name
   -----------------------------------------------------------
   ffa_emul      0  [ + ]   sandbox_ffa_emul      `-- arm-ffa-emul
    ffa                  0  [    ]   sandbox_arm_ffa               `-- sandbox-arm-ffa

The armffa command
------------------

armffa is a command showcasing how to use the FF-A bus and how to invoke the driver operations.

Please refer the command documentation at :doc:`../usage/cmd/armffa`

Example of boot logs with FF-A enabled
--------------------------------------

For example, when using FF-A with Corstone-1000, debug logs enabled, the output is as follows:

::

   U-Boot 2023.01 (May 10 2023 - 11:08:07 +0000) corstone1000 aarch64

   DRAM:  2 GiB
   Arm FF-A framework discovery
   FF-A driver 1.0
   FF-A framework 1.0
   FF-A versions are compatible
   ...
   FF-A driver 1.0
   FF-A framework 1.0
   FF-A versions are compatible
   EFI: MM partition ID 0x8003
   ...
   EFI stub: Booting Linux Kernel...
   ...
   Linux version 6.1.9-yocto-standard (oe-user@oe-host) (aarch64-poky-linux-musl-gcc (GCC) 12.2.0, GNU ld (GNU Binutils) 2.40.202301193
   Machine model: ARM Corstone1000 FPGA MPS3 board

Contributors
------------
   * Abdellatif El Khlifi <[email protected]>

.. _`FF-A v1.0 specification`: https://documentation-service.arm.com/static/5fb7e8a6ca04df4095c1d65e
.. _`SMC Calling Convention v1.2 specification`: https://documentation-service.arm.com/static/5f8edaeff86e16515cdbe4c6
Commit	Line	Data
39d383bd AEK	1	.. SPDX-License-Identifier: GPL-2.0+
	2
	3	Arm FF-A Support
	4	================
	5
	6	Summary
	7	-------
	8
	9	FF-A stands for Firmware Framework for Arm A-profile processors.
	10
	11	FF-A specifies interfaces that enable a pair of software execution environments aka partitions to
	12	communicate with each other. A partition could be a VM in the Normal or Secure world, an
	13	application in S-EL0, or a Trusted OS in S-EL1.
	14
	15	The U-Boot FF-A support (the bus) implements the interfaces to communicate
	16	with partitions in the Secure world aka Secure partitions (SPs).
	17
	18	The FF-A support specifically focuses on communicating with SPs that
	19	isolate portions of EFI runtime services that must run in a protected
	20	environment which is inaccessible by the Host OS or Hypervisor.
	21	Examples of such services are set/get variables.
	22
	23	The FF-A support uses the SMC ABIs defined by the FF-A specification to:
	24
	25	- Discover the presence of SPs of interest
	26	- Access an SP's service through communication protocols
	27	e.g. EFI MM communication protocol
	28
	29	At this stage of development only EFI boot-time services are supported.
	30	Runtime support will be added in future developments.
	31
	32	The U-Boot FF-A support provides the following parts:
	33
	34	- A Uclass driver providing generic FF-A methods.
	35	- An Arm FF-A device driver providing Arm-specific methods and reusing the Uclass methods.
a09852d8 AEK	36	- A sandbox emulator for Arm FF-A, emulates the FF-A side of the Secure World and provides
	37	FF-A ABIs inspection methods.
	38	- An FF-A sandbox device driver for FF-A communication with the emulated Secure World.
	39	The driver leverages the FF-A Uclass to establish FF-A communication.
a2f5c91c	40	- Sandbox FF-A test cases.
39d383bd AEK	41
39d383bd AEK	42	FF-A and SMC specifications
b214e880	43	---------------------------
39d383bd AEK	44
	45	The current implementation of the U-Boot FF-A support relies on
	46	`FF-A v1.0 specification`_ and uses SMC32 calling convention which
	47	means using the first 32-bit data of the Xn registers.
	48
	49	At this stage we only need the FF-A v1.0 features.
	50
	51	The FF-A support has been tested with OP-TEE which supports SMC32 calling
	52	convention.
	53
	54	Hypervisors are supported if they are configured to trap SMC calls.
	55
	56	The FF-A support uses 64-bit registers as per `SMC Calling Convention v1.2 specification`_.
	57
	58	Supported hardware
b214e880	59	------------------
39d383bd AEK	60
	61	Aarch64 plaforms
	62
	63	Configuration
b214e880	64	-------------
39d383bd AEK	65
	66	CONFIG_ARM_FFA_TRANSPORT
	67	Enables the FF-A support. Turn this on if you want to use FF-A
	68	communication.
	69	When using an Arm 64-bit platform, the Arm FF-A driver will be used.
a09852d8	70	When using sandbox, the sandbox FF-A emulator and FF-A sandbox driver will be used.
39d383bd AEK	71
39d383bd AEK	72	FF-A ABIs under the hood
b214e880	73	------------------------
39d383bd AEK	74
	75	Invoking an FF-A ABI involves providing to the secure world/hypervisor the
	76	expected arguments from the ABI.
	77
	78	On an Arm 64-bit platform, the ABI arguments are stored in x0 to x7 registers.
	79	Then, an SMC instruction is executed.
	80
	81	At the secure side level or hypervisor the ABI is handled at a higher exception
	82	level and the arguments are read and processed.
	83
	84	The response is put back through x0 to x7 registers and control is given back
	85	to the U-Boot Arm FF-A driver (non-secure world).
	86
	87	The driver reads the response and processes it accordingly.
	88
	89	This methodology applies to all the FF-A ABIs.
	90
	91	FF-A bus discovery on Arm 64-bit platforms
b214e880	92	------------------------------------------
39d383bd AEK	93
	94	When CONFIG_ARM_FFA_TRANSPORT is enabled, the FF-A bus is considered as
	95	an architecture feature and discovered using ARM_SMCCC_FEATURES mechanism.
	96	This discovery mechanism is performed by the PSCI driver.
	97
	98	The PSCI driver comes with a PSCI device tree node which is the root node for all
	99	architecture features including FF-A bus.
	100
	101	::
	102
	103	=> dm tree
	104
	105	Class Index Probed Driver Name
	106	-----------------------------------------------------------
39d383bd AEK	107	firmware 0 [ + ] psci \|-- psci
39d383bd AEK	108	ffa 0 [ ] arm_ffa \| `-- arm_ffa
39d383bd AEK	109
	110	The PSCI driver is bound to the PSCI device and when probed it tries to discover
	111	the architecture features by calling a callback the features drivers provide.
	112
	113	In case of FF-A, the callback is arm_ffa_is_supported() which tries to discover the
	114	FF-A framework by querying the FF-A framework version from secure world using
	115	FFA_VERSION ABI. When discovery is successful, the ARM_SMCCC_FEATURES
	116	mechanism creates a U-Boot device for the FF-A bus and binds the Arm FF-A driver
	117	with the device using device_bind_driver().
	118
	119	At this stage the FF-A bus is registered with the DM and can be interacted with using
	120	the DM APIs.
	121
	122	Clients are able to probe then use the FF-A bus by calling uclass_first_device().
f16a48fe AEK	123	Please refer to the armffa command implementation as an example of how to probe
f16a48fe AEK	124	and interact with the FF-A bus.
39d383bd AEK	125
	126	When calling uclass_first_device(), the FF-A driver is probed and ends up calling
	127	ffa_do_probe() provided by the Uclass which does the following:
	128
	129	- saving the FF-A framework version in uc_priv
	130	- querying from secure world the u-boot endpoint ID
	131	- querying from secure world the supported features of FFA_RXTX_MAP
	132	- mapping the RX/TX buffers
	133	- querying from secure world all the partitions information
	134
	135	When one of the above actions fails, probing fails and the driver stays not active
	136	and can be probed again if needed.
	137
	138	Requirements for clients
b214e880	139	------------------------
39d383bd AEK	140
	141	When using the FF-A bus with EFI, clients must query the SPs they are looking for
	142	during EFI boot-time mode using the service UUID.
	143
	144	The RX/TX buffers are only available at EFI boot-time. Querying partitions is
	145	done at boot time and data is cached for future use.
	146
	147	RX/TX buffers should be unmapped before EFI runtime mode starts.
	148	The driver provides a bus operation for that called ffa_rxtx_unmap().
	149
	150	The user should call ffa_rxtx_unmap() to unmap the RX/TX buffers when required
	151	(e.g: at efi_exit_boot_services()).
	152
	153	The Linux kernel allocates its own RX/TX buffers. To be able to register these kernel buffers
	154	with secure world, the U-Boot's RX/TX buffers should be unmapped before EFI runtime starts.
	155
	156	When invoking FF-A direct messaging, clients should specify which ABI protocol
	157	they want to use (32-bit vs 64-bit). Selecting the protocol means using
	158	the 32-bit or 64-bit version of FFA_MSG_SEND_DIRECT_{REQ, RESP}.
	159	The calling convention between U-Boot and the secure world stays the same: SMC32.
	160
	161	Requirements for user drivers
b214e880	162	-----------------------------
39d383bd AEK	163
	164	Users who want to implement their custom FF-A device driver while reusing the FF-A Uclass can do so
	165	by implementing their own invoke_ffa_fn() in the user driver.
	166
	167	The bus driver layer
b214e880	168	--------------------
39d383bd AEK	169
	170	FF-A support comes on top of the SMCCC layer and is implemented by the FF-A Uclass drivers/firmware/arm-ffa/arm-ffa-uclass.c
	171
	172	The following features are provided:
	173
	174	- Support for the 32-bit version of the following ABIs:
	175
	176	- FFA_VERSION
	177	- FFA_ID_GET
	178	- FFA_FEATURES
	179	- FFA_PARTITION_INFO_GET
	180	- FFA_RXTX_UNMAP
	181	- FFA_RX_RELEASE
	182	- FFA_RUN
	183	- FFA_ERROR
	184	- FFA_SUCCESS
	185	- FFA_INTERRUPT
	186	- FFA_MSG_SEND_DIRECT_REQ
	187	- FFA_MSG_SEND_DIRECT_RESP
	188
	189	- Support for the 64-bit version of the following ABIs:
	190
	191	- FFA_RXTX_MAP
	192	- FFA_MSG_SEND_DIRECT_REQ
	193	- FFA_MSG_SEND_DIRECT_RESP
	194
	195	- Processing the received data from the secure world/hypervisor and caching it
	196
	197	- Hiding from upper layers the FF-A protocol and registers details. Upper
	198	layers focus on exchanged data, FF-A support takes care of how to transport
	199	that to the secure world/hypervisor using FF-A
	200
	201	- FF-A support provides driver operations to be used by upper layers:
	202
	203	- ffa_partition_info_get
	204	- ffa_sync_send_receive
	205	- ffa_rxtx_unmap
	206
	207	- FF-A bus discovery makes sure FF-A framework is responsive and compatible
	208	with the driver
	209
	210	- FF-A bus can be compiled and used without EFI
	211
a09852d8	212	Relationship between the sandbox emulator and the FF-A device
b214e880	213	-------------------------------------------------------------
a09852d8 AEK	214
	215	::
	216
	217	=> dm tree
	218
	219	Class Index Probed Driver Name
	220	-----------------------------------------------------------
	221	ffa_emul 0 [ + ] sandbox_ffa_emul `-- arm-ffa-emul
	222	ffa 0 [ ] sandbox_arm_ffa `-- sandbox-arm-ffa
	223
f16a48fe	224	The armffa command
b214e880	225	------------------
f16a48fe AEK	226
	227	armffa is a command showcasing how to use the FF-A bus and how to invoke the driver operations.
	228
	229	Please refer the command documentation at :doc:`../usage/cmd/armffa`
	230
39d383bd AEK	231	Example of boot logs with FF-A enabled
	232	--------------------------------------
	233
67969516	234	For example, when using FF-A with Corstone-1000, debug logs enabled, the output is as follows:
39d383bd AEK	235
	236	::
	237
	238	U-Boot 2023.01 (May 10 2023 - 11:08:07 +0000) corstone1000 aarch64
	239
	240	DRAM: 2 GiB
	241	Arm FF-A framework discovery
	242	FF-A driver 1.0
	243	FF-A framework 1.0
	244	FF-A versions are compatible
	245	...
	246	FF-A driver 1.0
	247	FF-A framework 1.0
	248	FF-A versions are compatible
	249	EFI: MM partition ID 0x8003
	250	...
	251	EFI stub: Booting Linux Kernel...
	252	...
	253	Linux version 6.1.9-yocto-standard (oe-user@oe-host) (aarch64-poky-linux-musl-gcc (GCC) 12.2.0, GNU ld (GNU Binutils) 2.40.202301193
	254	Machine model: ARM Corstone1000 FPGA MPS3 board
	255
	256	Contributors
	257	------------
	258	* Abdellatif El Khlifi <[email protected]>
	259
	260	.. _`FF-A v1.0 specification`: https://documentation-service.arm.com/static/5fb7e8a6ca04df4095c1d65e
	261	.. _`SMC Calling Convention v1.2 specification`: https://documentation-service.arm.com/static/5f8edaeff86e16515cdbe4c6