[Invitation going out to both the sytem-dt list and the boot-architecture list, based on recommendation from Francois]
Hi all,
It has been a while since our last call, because work was happening on the 4th action item below. Now, there are some updates to present.
The notes from the previous call can be found on the OpenAMP wiki at this link:
https://github.com/OpenAMP/open-amp/wiki/System-DT-Meeting-Notes-2020
Action items from the previous call:
* Nathalie sync up w/ Francois about who should be invited to System DT call (some individuals at DTE call didn't get this invitation)
* Stefano to go back & discuss w/ Xilinx XMPU expert.
* Stefano: Revisit wording of IDs
* Stefano & Tomas to sync-up with Loic & Benjamin. Target for next System DT call to discuss how the 2 proposals combine. Include description of the use cases you're giving solution for.
For info about the system-dt list, link to the archives, to unsubscribe yourself, or
for someone to subscribe themselves, visit:
https://lists.openampproject.org/mailman/listinfo/system-dt
For information about the System Device Trees effort, including a link to
the intro presentation from Linaro Connect SAN19:
https://github.com/OpenAMP/open-amp/wiki/System-Device-Trees
Best regards,
Nathalie C. Chan King Choy
Program Manager focused on Open Source and Community
===================
Nathalie Chan King Choy is inviting you to a scheduled Zoom meeting.
Topic: System DT call - July
Time: Jul 20, 2020 08:00 AM Pacific Time (US and Canada)
Join Zoom Meeting
https://us02web.zoom.us/j/89143577824
Meeting ID: 891 4357 7824
One tap mobile
+13126266799,,89143577824# US (Chicago)
+13462487799,,89143577824# US (Houston)
Dial by your location
+1 312 626 6799 US (Chicago)
+1 346 248 7799 US (Houston)
+1 646 558 8656 US (New York)
+1 669 900 9128 US (San Jose)
+1 253 215 8782 US (Tacoma)
+1 301 715 8592 US (Germantown)
+1 587 328 1099 Canada
+1 647 374 4685 Canada
+1 647 558 0588 Canada
+1 778 907 2071 Canada
+1 204 272 7920 Canada
+1 438 809 7799 Canada
+44 203 051 2874 United Kingdom
+44 203 481 5237 United Kingdom
+44 203 481 5240 United Kingdom
+44 203 901 7895 United Kingdom
+44 131 460 1196 United Kingdom
+33 1 7037 9729 France
+33 1 7095 0103 France
+33 1 7095 0350 France
+33 1 8699 5831 France
+33 1 7037 2246 France
+46 8 5050 0828 Sweden
+46 8 5050 0829 Sweden
+46 8 5052 0017 Sweden
+46 850 539 728 Sweden
+46 8 4468 2488 Sweden
+46 8 5016 3827 Sweden
Meeting ID: 891 4357 7824
Find your local number: https://us02web.zoom.us/u/k6bFgrs5K
Hi,
Here are the notes from our last meeting.
(For next calls, it would be nice people take some notes in the shared
scratch document so that we increase quality of them)
Attendees
Tom Rini
Joakim Bech (Linaro)
François-Frédéric Ozog (Linaro)
Ilias Apalodimas (Linaro)
Mark Brown (Arm)
Heinrich Schuchardt
Priyanka Jain (NXP)
Jens Wiklander (Linaro)
Arnd Bergmann
CVS
Atish Patra (Western Digital)
Grant Likely (Arm)
Etienne Carriere (ST)
====================================
I - RISC-V
Atish from Western Digital has a 4 developer team on. Focus on
standardized boot flows:
- U-Boot SPL + U-Boot.
- coreBoot + EDK2
====================================
II - Technical report github
Atul volunteered
FF: What format to use ? RST? MD? Other?
Heinrich: RST and MD are rendered by github.
====================================
III - Technical report outline and content updates
A proposal to be made so that a minimal UEFI set of requirements is
defined with DT support.
Frank: Should not put DT spec in the UEFI forum
FF: this is not the goal, the goal is to get references to DT in UEFI
Need to ensure we have terminology that can be applied to all
architectures (for instance Arm+TFA+U-Boot and RISC-V+U-Boot
SPL+U-Boot).
Please make proposals for content including new sections for the use cases.
====================================
IV- Overlays presentation
Franks Presentation notes:
https://elinux.org/Frank%27s_Evolving_Overlay_Thoughtshttps://elinux.org/images/0/03/Elce_2018_dt_bof.pdfhttps://elinux.org/Device_Tree_Reference -> OverLays
Overlay made simple with DTC extensions: use a reference to define the
place in the tree where the update is to be made:
&{/path/to/node} { <overlay definition> }
Use cases:
Hot swap
Expansion slots (beaglebone)
FPGAs (load from kernel to FPGA; led by Altera/Xilinx)
Not too dynamic, in particular because there are still memory leaks
Use of “apply overlay by the bootload” helps reducing the number of
DTS/DTB files to deal with.
plugable CPU: overlay is a solution
few terms to define/standardise/clarify by frank:
Cold-swap = ? < describe the actual use-case in simple terms >
Hot-swap = ? < describe the actual use-case in simple terms >
Real hot-swap will be difficult to support.
Another use case for “hot-swap” is a developer helper to change
parameter “dynamically” to avoid a full reboot.
FF: DT event may be a wrong way to deal with dynamism: using bus
events to trigger changes seem more natural
Grant: event code is fragile, prefer pre-boot control
Hi,
I have updated the document to reflect what I heard from the remainder
of the last call. Please have a look and comment.
https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…
If you volunteer to edit content, please ask me and I'll give you edit
rights on the document.
Shall we make a github backed document? If so, any volunteer to make it happen?
Agenda for June 24th:
- DT Overlay status presentation by Frank Rowand.
- Document review and trying to close all comments.
Cordially
--
FF
Hi,
Trusted OSes such as OP-TEE or QSEE are using SMC yielding function
numbers in the 0x32000000-0x3200006F range. The SMC calling
conventions are specified in DEN0028 which has currently three
versions (see below).
To the best of my understanding, the use of this range is:
- compliant with version a
- acceptable with version b
- somewhat contradicting with version c
version a analysis:
table 6.1 states that the trusted OS standard calls should be in the
range "0x02000000-0x7FFFFFFF", so the selected range is good. Section
2.1 that defines a bit structure for function numbers for both
yielding and fast calls and the range is compatible. The range covered
by table 6.1 for Trusted OS calls is however much bigger that the bit
structure definition. As a result a 0x02000000 call is a yielding
Trusted OS call as per table 6.1 but a Yielding SiP call as per
section 2.1.
version b analysis:
table 6.2 states that the trusted OS yielding calls should be in the
range "0x02000000-0x1FFFFFFF" and that the range
"0x20000000-0x7FFFFFFF" is "reserved for future expansion of Trusted
OS Yielding Calls". So the range is acceptable but poorly selected.
There is the same inconsistency as version a when it comes to
qualifying a 0x02000000 call: table 6.2 says it is a Trusted OS
yielding call, section 2.5 says it is a yielding SiP call.
version c analysis:
section 2.5.1 now clearly states that the bit structure is only for
Fast calls. and both section 2.52 and table 6.2 state that Trusted OS
calls should be in the range "0x02000000-0x1FFFFFFF". both section
2.5.2 and 6 qualify the 0x02000000 call as a Trusted OS yielding
call.
I think that version a and b have inconsistent between chapter 2 and
6. Version c brings internal consistency but seems to be not in
alignment with best practices.
I guess there is a need to both address internal document
inconsistency and better reflect existing products.
Any thoughts?
-FF
version a:
https://drive.google.com/file/d/1OclQZk0o28n5ZUIYeTuFICbLiGWzOvxH/view?usp=…
version b: https://static.docs.arm.com/den0028/b/ARM_DEN0028B_SMC_Calling_Convention.p…
version c:
https://static.docs.arm.com/den0028/c/Q1-ARM-DEN-0028_SMC_Calling_Conventio…
Hello Francois,
in our last meeting you suggested to investigate deeper what meaning
modularization in device trees could mean.
One example I have seen is the definition of memory mappings for PCIe.
If for you example you look in the device tree of the Raspberry Pi 4 you
can find that there is an entry:
pcie@7d500000 {
ranges = <
0x2000000 0x00 0xf8000000 0x06 0x00 0x00 0x4000000>;
};
The ranges property defines the mapping
MEM 0x600000000..0x603ffffff -> 0xf8000000
and thereby the address and size of the memory windows used for
communication.
On some boards e.g. the MacchitoBin you have multiple platform devices
each with its own ranges definitions. Here are the values in May 2019:
pcie@f2600000 {
ranges = <
0x81000000 0x0 0xf9000000 0x0 0xf9000000 0x0 0x10000
0x82000000 0x0 0xf6000000 0x0 0xf6000000 0x0 0xf00000>;
}
pcie@f2620000 {
ranges = <
0x81000000 0x0 0xf9010000 0x0 0xf9010000 0x0 0x10000
0x82000000 0x0 0xf7000000 0x0 0xf7000000 0x0 0xf00000>;
}
pcie@f2640000 {
ranges = <
0x81000000 0x0 0xf9020000 0x0 0xf9020000 0x0 0x10000
0x82000000 0x0 0xf8000000 0x0 0xf8000000 0x0 0xf00000>;
}
On my MacchitoBin the GPU card was not usable because the memory window
was too small to create the required BARs. Changing the window size and
location solved the problem, commit d3446b266a8c ("arm64: dts: marvell:
mcbin: enlarge PCI memory window").
The problem with the current way in qhich PCI devices are declared is
that they do not indicate requirements and capabilities and let the
software figure out a good mapping. But instead fixed mappings are
hard-coded into the device-tree.
So for me this would be one element of DT modularization:
The description of a device should provide capabilities and requirements
and avoid fixed software settings.
Best regards
Heinrich
Address comments from Heinrich Schuchardt:
- Typo fixes
- Be specific to say "Devicetree Blob"
- Add comment on rationale for choosing EfiACPIReclaimMemory for DTB
Cc: Heinrich Schuchardt <xypron.glpk(a)gmx.de>
Signed-off-by: Grant Likely <grant.likely(a)arm.com>
---
source/chapter2-uefi.rst | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst
index c9c0101..066fefb 100644
--- a/source/chapter2-uefi.rst
+++ b/source/chapter2-uefi.rst
@@ -81,9 +81,9 @@ A UEFI system that complies with this specification may provide the additional
tables via the EFI Configuration Table.
Compliant systems are required to provide one, but not both, of the following
-tables.
+tables:
-- An Advanced Configuration and Power Interface [ACPI]_ table, or
+- an Advanced Configuration and Power Interface [ACPI]_ table, or
- a Devicetree [DTSPEC]_ system description
EBBR systems must not provide both ACPI and Devicetree
@@ -96,11 +96,13 @@ Devicetree
^^^^^^^^^^
If firmware provides a Devicetree system description then it must be provided
-in Flattened Devicetree (DTB) format version 17 or higher as described in
+in Flattened Devicetree Blob (DTB) format version 17 or higher as described in
[DTSPEC]_ § 5.1.
The following GUID must be used in the EFI system table ([UEFI]_ § 4)
to identify the DTB.
The DTB must be contained in memory of type EfiACPIReclaimMemory.
+EfiACPIReclaimMemory was chosen to match the recommendation for ACPI
+tables which fulfill the same task as the DTB.
.. code-block:: c
--
2.20.1
I'd like to do a point release of EBBR in the near future. There is an
important change to how RuntimeServicesSupported is described in the
UEFI spec that needs to be adjusted in EBBR, and the DTB UUID was
missing. The rest of the changes are minor editorial and typo fixes.
I've tagged v1.0.1-rc1 in github for review. Full diff is below. Please
review and comment.
Thanks,
g.
---
.travis.yml | 82 +++++++++++++++++------------------------
CONTRIBUTING.rst | 23 +-----------
source/chapter2-uefi.rst | 40 +++++++++++++++++---
source/chapter3-secureworld.rst | 6 +--
source/index.rst | 3 ++
source/references.rst | 10 ++---
6 files changed, 81 insertions(+), 83 deletions(-)
---
diff --git a/.travis.yml b/.travis.yml
index 3688a67..4a63cb0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,63 +1,49 @@
sudo: false
dist: trusty
-
cache:
apt: true
-
env:
global:
- - SPHINXBUILD=~/.local/bin/sphinx-build
- - DIFF_COMMIT=v0.5
-
+ - SPHINXBUILD=~/.local/bin/sphinx-build
+ - secure: Nn985mEk01BbYLY7IQToa51+jpVp8/f72Q+SY6GVe1cf41gRG4CWrrLFLo4Zrdd+e5a9tMKJ2o6WqT4m0i1AziVnoFx62QtC0dmJVsp4eVzQdhWkaRTcLdoKp18om0To6cVmBzYFzsIUROyOwwJfprpzwylQGFqNFoNG20UmnzTy5c/bg36Ohh/vcpt3HXO6emKDTychu1fBC8tuiy7k5BCfPekKAg6sKTqjsgKM+pEZuv9zTzrBY0HVqCoSLhWUraADko51baOtbBOzLtH4L4EO1rmiFs7/HpN/MzF6REurCAbBM5q82aS/z5KUoMGENt+OwWbeT9BcqUty1wYAFwuK7UwkDO2+YauqGhZ75GKOt213Fdn70Wx1xMkOerdEb8oSdH8Av/FWxwbfI6qxsAhjimYTZ5OCCZu06AVMBugxBnZeYxF89+83qVUxCHNGyGnql1PHJnlIiOzmCmcgjFo90u9fv24497m9O9QlEic/PnN0VLogPOftgcRUdoLjsYh9P6+BvXrWQ0omu41UwnzNJERaeUXuXV+iJsj6kBuj1j6EJ7OK4RyS/Td8mC7sGFBdwOX+HLaPqBTD2rm7z0wtST0jyFJjPfmvCU94+ovpCuYeMxgeudnUXT8T26v6v73nk7QLIIYm1Idg2ibSBfQy5IT220sH6291IryoY2c=
git:
depth: false
-
addons:
apt:
packages:
- - python-pip
- - latexmk
- - libalgorithm-diff-perl
- - texlive
- - texlive-latex-extra
- - texlive-humanities
- - texlive-generic-recommended
- - graphviz
- - texlive-generic-extra
-
+ - python-pip
+ - latexmk
+ - libalgorithm-diff-perl
+ - texlive
+ - texlive-latex-extra
+ - texlive-humanities
+ - texlive-generic-recommended
+ - graphviz
+ - texlive-generic-extra
install:
- - pip install --user mako
- - pip install --user Sphinx
-
-before_script:
- - wget https://github.com/ftilmann/latexdiff/releases/download/1.2.1/latexdiff-1.2…
- - tar xvf latexdiff-1.2.1.tar.gz
- - export PATH=$PWD/latexdiff-1.2.1/:$PATH
-
+- pip install --user mako
+- pip install --user Sphinx
script:
- - make latexpdf
- - make html
- - make singlehtml
-
+- make latexpdf
+- make html
+- make singlehtml
before_deploy:
- - cp build/latex/ebbr.pdf build/ebbr-$TRAVIS_TAG.pdf
-
+- cp build/latex/ebbr.pdf build/ebbr-$TRAVIS_TAG.pdf
deploy:
- - provider: releases
- prerelease: true
- api_key:
- secure: QAzEatdHC5w1uC06y6ceeRwL6dXhTz8DmkvIirXbv9paEKC7OHpsNm2NtCvLQDLnT98CFBj64y13P29DTYV0ExHNExnixP+R0b9G5kvCG/mGf+k6teXJmtsDRezTCmqAWwxLp70rewcHM+gQ1SdRy+HlHuVC5D70p99vv/f5hK/6f/PodxB0ftrvmb2S+B733+O7kiEKvBZUq/gaX5MTe8x+N09W+4SUTC4Xy5e0KlADfMWiLRhlJvU0PgtQ0IhRaeHnD+gmz/HUaUE/bsdXzIwv9Vb3p9eVmXLj1nE+p1toM5MJwmpKClXgph55PsD2X9xBSwxBhHZ3JOCl6QCOYaqkNvcE0U3e3QzC1b92EHoHN5vMrZenkALe0y1z1u1G+cZybjUEQ2lTmNq1HmO/QLdVHBCShR9xkpjm+8m//NXON8TDgP5z+hIU/g2NLfcSLdinogRLz2vnSmR6SjWzhH8q29d+wg3f5//eMgTCQF1dSRvNt8SjYUQDrW9z1k4dV64Jcn5AWjWmcaErG2D8jWJQGzzrts84Hcv3N7fRUwvMxdQOQDvoMaIxNxg35rBsuGa1tJkLyurOW31uwbOzrLlRSEcypPimpFQWysBwnX+aNTudhY0Dv4HKSIO12iZdIz9pbsMrJCBMCQdAydIDj35Fu5tJ5Ns4/JRaw5IoBQU=
- file_glob: true
- file:
- - "build/ebbr-*.pdf"
- skip_cleanup: true
- on:
- tags: true
- branch: master
- - provider: pages
- github_token: $GITHUB_TOKEN
- local_dir: "build/singlehtml"
- skip_cleanup: true
- on:
- branch: master
-
+- provider: releases
+ prerelease: true
+ api_key:
+ secure: QAzEatdHC5w1uC06y6ceeRwL6dXhTz8DmkvIirXbv9paEKC7OHpsNm2NtCvLQDLnT98CFBj64y13P29DTYV0ExHNExnixP+R0b9G5kvCG/mGf+k6teXJmtsDRezTCmqAWwxLp70rewcHM+gQ1SdRy+HlHuVC5D70p99vv/f5hK/6f/PodxB0ftrvmb2S+B733+O7kiEKvBZUq/gaX5MTe8x+N09W+4SUTC4Xy5e0KlADfMWiLRhlJvU0PgtQ0IhRaeHnD+gmz/HUaUE/bsdXzIwv9Vb3p9eVmXLj1nE+p1toM5MJwmpKClXgph55PsD2X9xBSwxBhHZ3JOCl6QCOYaqkNvcE0U3e3QzC1b92EHoHN5vMrZenkALe0y1z1u1G+cZybjUEQ2lTmNq1HmO/QLdVHBCShR9xkpjm+8m//NXON8TDgP5z+hIU/g2NLfcSLdinogRLz2vnSmR6SjWzhH8q29d+wg3f5//eMgTCQF1dSRvNt8SjYUQDrW9z1k4dV64Jcn5AWjWmcaErG2D8jWJQGzzrts84Hcv3N7fRUwvMxdQOQDvoMaIxNxg35rBsuGa1tJkLyurOW31uwbOzrLlRSEcypPimpFQWysBwnX+aNTudhY0Dv4HKSIO12iZdIz9pbsMrJCBMCQdAydIDj35Fu5tJ5Ns4/JRaw5IoBQU=
+ file_glob: true
+ file:
+ - build/ebbr-*.pdf
+ skip_cleanup: true
+ on:
+ tags: true
+ branch: master
+- provider: pages
+ github_token: "$GITHUB_TOKEN"
+ local_dir: build/singlehtml
+ skip_cleanup: true
+ on:
+ branch: master
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index a5643a3..7021f0f 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -8,35 +8,14 @@ Anyone may contribute to the EBBR project.
Contributions are licensed under CC-BY-SA-4.0_ and must be made with a
Developer Certificate of Origin (DCO_) attestation as described below.
-EBBR discussion uses the boot-architecture_ and arm.ebbr-discuss mailing lists.
-The 'official' list is arm.ebbr-discuss, but the list archives are not
-yet public, so boot-architecture_ is being used to keep everything in
-the open.
+EBBR discussion uses the boot-architecture_ mailing list.
* boot-architecture(a)lists.linaro.org
-* arm.ebbr-discuss(a)arm.com
Past discussions can be found in the boot-architecture-archive_.
We use the IRC channel `#ebbr`_ on OFTC_.
-There is a bi-weekly conference call to discuss EBBR topics on the 2nd
-and 4th Tuesday of the month at 15:00 UTC/BST, 7:00 PST/PDT, 23:00/22:00 CST
-(following UTC/BST daylight savings time shifts).
-Anyone is welcome to join.
-
-- Online meeting: https://arm-onsite.webex.com/meet/gralik01
-- Phone
-
- - 1-408-792-6300 Call-in toll number (US/Canada)
- - 1-877-668-4490 Call-in toll-free number (US/Canada)
- - 44-203-478-5285 Call-in toll number (UK)
- - 08-002061177 Call-in toll-free (UK)
- - More access numbers: webex-global-numbers_
-- Access code: 809 053 990
-
-.. _webex-global-numbers: https://arm-onsite.webex.com/cmp3300/webcomponents/widget/globalcallin/glob…
-
DCO Attestation
---------------
diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst
index f6a5802..c9c0101 100644
--- a/source/chapter2-uefi.rst
+++ b/source/chapter2-uefi.rst
@@ -9,7 +9,7 @@ platforms.
UEFI Version
============
-This document uses version 2.7 of the UEFI specification [UEFI]_.
+This document uses version 2.8 Errata A of the UEFI specification [UEFI]_.
UEFI Compliance
===============
@@ -86,12 +86,41 @@ tables.
- An Advanced Configuration and Power Interface [ACPI]_ table, or
- a Devicetree [DTSPEC]_ system description
-As stated above, EBBR systems must not provide both ACPI and Devicetree
+EBBR systems must not provide both ACPI and Devicetree
tables at the same time.
Systems that support both interfaces must provide a configuration
mechanism to select either ACPI or Devicetree,
and must ensure only the selected interface is provided to the OS loader.
+Devicetree
+^^^^^^^^^^
+
+If firmware provides a Devicetree system description then it must be provided
+in Flattened Devicetree (DTB) format version 17 or higher as described in
+[DTSPEC]_ § 5.1.
+The following GUID must be used in the EFI system table ([UEFI]_ § 4)
+to identify the DTB.
+The DTB must be contained in memory of type EfiACPIReclaimMemory.
+
+.. code-block:: c
+
+ #define EFI_DTB_GUID \
+ EFI_GUID(0xb1b621d5, 0xf19c, 0x41a5, \
+ 0x83, 0x0b, 0xd9, 0x15, 0x2c, 0x69, 0xaa, 0xe0)
+
+Firmware must have the DTB resident in memory and installed in the EFI system table
+before executing any UEFI applications or drivers that are not part of the system
+firmware image.
+Once the DTB is installed as a configuration table,
+the system firmware must not make any modification to it or reference any data
+contained within the DTB.
+
+UEFI applications are permitted to modify or replace the loaded DTB.
+System firmware must not depend on any data contained within the DTB.
+If system firmware makes use of a DTB for its own configuration,
+it should use a separate private copy that is not installed in the
+EFI System Table or otherwise be exposed to EFI applications.
+
UEFI Secure Boot (Optional)
---------------------------
@@ -111,7 +140,7 @@ during both boot services and runtime services.
However, it isn't always practical for all EFI_RUNTIME_SERVICES functions
to be callable during runtime services due to hardware limitations.
If any EFI_RUNTIME_SERVICES functions are only available during boot services
-then firmware shall provide the global `RuntimeServicesSupported` variable to
+then firmware shall provide the `EFI_RT_PROPERTIES_TABLE` to
indicate which functions are available during runtime services.
Functions that are not available during runtime services shall return
EFI_UNSUPPORTED.
@@ -148,7 +177,7 @@ Firmware shall not create runtime mappings, or perform any runtime IO that will
conflict with device access by the OS.
Normally this means a device may be controlled by firmware, or controlled by
the OS, but not both.
-e.g. If firmware attempts to access an eMMC device at runtime then it will
+E.g. if firmware attempts to access an eMMC device at runtime then it will
conflict with transactions being performed by the OS.
Devices that are provided to the OS (i.e., via PCIe discovery or ACPI/DT
@@ -202,7 +231,8 @@ If a platform does not implement modifying non-volatile variables with
SetVariable() after ExitBootServices(),
then firmware shall return EFI_UNSUPPORTED for any call to SetVariable(),
and must advertise that SetVariable() isn't available during runtime services
-via the `RuntimeServicesSupported` variable as defined in UEFI version 2.8.
+via the `RuntimeServicesSupported` value in the `EFI_RT_PROPERTIES_TABLE`
+as defined in [UEFI]_ § 4.6.
EFI applications can read `RuntimeServicesSupported` to determine if calls
to SetVariable() need to be performed before calling ExitBootServices().
diff --git a/source/chapter3-secureworld.rst b/source/chapter3-secureworld.rst
index 4e9fa61..9c51bca 100644
--- a/source/chapter3-secureworld.rst
+++ b/source/chapter3-secureworld.rst
@@ -1,8 +1,8 @@
.. SPDX-License-Identifier: CC-BY-SA-4.0
-******************************
-Priviledged or Secure Firmware
-******************************
+*****************************
+Privileged or Secure Firmware
+*****************************
AArch32 Multiprocessor Startup Protocol
=======================================
diff --git a/source/index.rst b/source/index.rst
index 9bc4a09..7a5ded9 100644
--- a/source/index.rst
+++ b/source/index.rst
@@ -45,6 +45,9 @@ Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
31 March 2019 1.0 - Remove unnecessary UEFI requirements
appendix
- Allow for ACPI vendor id in firmware path
+ 1 June 2020 1.0.1-rc1 - Update to UEFI 2.8 Errata A
+ - Specify UUID for passing DTB
+ - Typo and editorial fixes
================= ========= =============================================
.. toctree::
diff --git a/source/references.rst b/source/references.rst
index a12c1a2..1eb0509 100644
--- a/source/references.rst
+++ b/source/references.rst
@@ -8,8 +8,8 @@
<https://github.com/devicetree-org/devicetree-specification/releases/tag/v0.2>`_,
`Devicetree.org <https://devicetree.org>`_
-.. [LINUXA64BOOT] `Linux Documentation/arm64/booting.txt
- <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/tre…>`_,
+.. [LINUXA64BOOT] `Linux Documentation/arm64/booting.rst
+ <https://www.kernel.org/doc/html/latest/arm64/booting.html>`_,
Linux kernel
.. [PSCI] `Power State Coordination Interface Issue C (PSCI v1.0)
@@ -20,6 +20,6 @@
<https://static.docs.arm.com/den0044/b/DEN0044B_Server_Base_Boot_Requirement…>`_
8 March 2016, `Arm Limited <http://arm.com>`_
-.. [UEFI] `Unified Extensable Firmware Interface Specification v2.7A
- <http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_7_A%20Sep…>`_,
- August 2017, `UEFI Forum <http://www.uefi.org>`_
+.. [UEFI] `Unified Extensable Firmware Interface Specification v2.8 Errata A
+ <https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_A_Feb14.pdf>`_,
+ February 2020, `UEFI Forum <http://www.uefi.org>`_
On Wed, Mar 11, 2020 at 01:42:36PM +0100, Francois Ozog wrote:
> On Wed, 11 Mar 2020 at 12:45, Daniel Thompson <daniel.thompson(a)linaro.org>
> wrote:
>
> > On Wed, Mar 11, 2020 at 11:20:17AM +0100, Francois Ozog wrote:
> > > On Wed, 11 Mar 2020 at 07:48, Heinrich Schuchardt <xypron.glpk(a)gmx.de>
> > wrote:
> > > > On 3/11/20 12:04 AM, Heinrich Schuchardt wrote:
> > > > In the expert mode of gdisk there is command 'j' for moving the GPT
> > > > Partition Entry Array to an arbitrary sector. This will protect the
> > area
> > > > between the GPT header and the GPT Partition Entry Array from being
> > used
> > > > for a partition. The same can be done with parameter -j of sgdisk.
> > > >
> > > > Furthermore gdisk supports creating a hybrid MBR. This allow to have
> > > > GUID partition table and a MBR partion table at the same time where the
> > > > MBR partition table mirrors up to three GPT partitions and the fourth
> > > > MBR partition is used to protect the GUID partition table.
> > > >
> > > > So requiring GPT and having boards only supporting booting from an MBR
> > > > partition (like the Raspberry) seems not to be exclusive.
> > > >
> > >
> > > That sounds like a great solution!
> >
> > The last time we discussed this there was *very* strong opposition
> > during meetings to hybrid partitioning and IIRC language was added to
> > the spec to prohibit it.
> >
> > Hybrid partitioning is a problem because it imposes to difficult to meet
> > constraints on partitioning tools provided by the operating system.
> >
> > In other words if we permit hybrid partitioning in order that boot code
> > can find the firmware then the operating system would inherit a duty to
> > not to screw up the firmware loading when it modifies the partition
> > tables. It is hard to express how the OS should go about that.
> >
> > Hence the current approach where we accept that MBR partitioning
> > offers an inferior feature set to GPT.
> >
> >
> We have the following cases:
>
> - FW compatible with GPT (I mean firmware can be searched based on
> GUID partition)
> Ok
>
> - FW that uses offsets and can be positioned at LBA >= 33
> Ok
> Need to define a protective partition
>
> - FW that uses offsets and can be positioned such that space between LBA-2
> and LBA-33 is used.
> Ok in theory as the header states where the partition entries location is
> specified in a GPT_HEADER "Starting LBA of array of partition entries".
> Linux kernel properly loads the partition entries if we push them after
> 16MB.
>
> read_lba <https://elixir.bootlin.com/linux/latest/ident/read_lba>(state,
> le64_to_cpu <https://elixir.bootlin.com/linux/latest/ident/le64_to_cpu>(gpt->partition_entry_lba)
>
> But I bet 2 is hardcoded in many tools...
Agree... but that's "just bugs" and I suspect we could get >90% test
coverage for Linux systems just by checking util-linux (and the kernel
itself). Maybe for extra style points also check on of the BSDs.
> - FW that supposes LBA-1 (macchiatobin the firmware blob that contain TF-A
> must be here)
> In theory OK as Linux will detect bad signature and use the alternate GPT
In the current spec this case isn't materially different to firmware
whose boot ROM parses the MBR to load extra code (which wasn't listed
above). In both cases the system would be expected to adopt MBR and
create protective partitions for the firmware (and accept that the
protective partition is vulnerable to damage by auto-partitioning
installers).
Having said is this really relevant for MacchiatoBin? Why put EBBR
firmware onto shared media? I thought MacchiatoBin could boot from the
4MB SPI NOR.
Daniel.
Hi,
I have observed a spike in DT presentations at events in 2018 and a
relative smaller set in 2019.
Many discussions raise a lot of good points, there are lists of things
to solve or proposals in various sites but there is no clear path to a
widely acceptable solution.
It feels like the traditional model of "contribute code first" reaches
its limits here: Device Tree is not just a device tree. It is a
pivotal piece of information manipulated by too many components from
Trusted Firmware A to Mac OSX and U-boot. And there are many
legitimate "owners" of pieces of the DT...
We need to find a way to build consensus across projects. Mail
discussions are good but I feel this does not fully help getting
closer to having up streamed code and specs into projects such as (and
not limited to):
- Trusted Firmware
- OP-TEE
- Hafnium
- U-Boot
- Linux
- Android
- FreeBSD
- DeviceTree
- EBBR
- Firmware Framework A
- Parsec
To that end, what about collectively building a Technical Report with
a number of editors in charge of different sections?
An example outline could be:
- the problems we try to solve (and what is outside of scope)
. board diversity handling (build/boot/runtime)
. cape/hat/FPGA handling (build/boot/runtime)
. product value chain handling (soc vendor/product vendor/sw vendor...)
. trust of DT
. device assignment to application or VM
- DT evolution
. actors (UML meaning)
. responsibility boundaries (signatures...)
. DTB format evolution
. DTBo
. DT at build time for many upstream projects
- cross project incremental roadmap highlights
. introduce DT signature
Of course the Technical Report shall be supported by different PoCs on
many topics such as DTB format so that the architecture is future
proof and we can start small.
What are your views?
Cheers
FF
Hi,
Following implementation (or work towards) of EBBR 1.0 + UEFI Secure
boot + UEFI update capsule we learnt a lot.
Here are some topics that may need some clarification on the EBBR
specs and It looks timely to start working on EBBR evolution.
0.1 - EBBR goal
May be a reassessment on the "for what" the specification is built.
Following all the discussions with prominent industry players, I start
to think that limiting the constraints to be EBBR compliant may become
counter productive. There will be both EBBR non compliant and EBBR
compliant systems. This is inevitable. But EBBR exist for a number of
use cases in a number of markets. The value of EBBR is consistent
behavior across those.
Maximising number of EBBR compliant systems without stating use case
parameters ( "why" and "for what") may not be the best goal.
Out of things to be more explicit are supported secure boot flows
(with/without shim+grub or direct). Some vendors require shim+grub
while industry players want the exact opposite: nothing but UEFI. This
drivers a number of requirements in terms of UEFI protocols needed
0.2 - normative text
The normative section shall be stated clearly: is " 1.2. Guiding
Principles" normative?
IETF and ETSI have different language conventions to express
absolutely mandated and various levels of optionality. This spec may
be red by Telecom people or Linux people. Their interpretation may be
erroneous on words such as "shall" (ETSI "SHALL" = "IETF "MUST"). The
language need to be explicit.
I - protective offsets
EBBR 1.0 states in "4.1. Partitioning of Shared Storage" that
"Automatic partitioning tools (e.g. an OS installer) must not create
partitions within the first 1MiB of storage, or delete, move, or
modify protective partition entries."
StandaloneMM is 2.5MB by itself with U-Boot being over 1MB without the
variable rework done and update capsules. 4MB seems the minimum. 8MB
to get margin and 16MB for A/B scheme.
EBBR same paragraph also states:
"Automatic partitioning tools (e.g. an OS installer) must not create
partitions within the first 1MiB of storage, or delete, move, or
modify protective partition entries. Manual partitioning tools should
provide warnings when modifying protective partitions or creating
partitions within the first 1MiB."
is it expected that Linaro upstreams changes in installation tools,
partition tools to conform to this (with updated to be agreed
minimum)?
II - identifying partitions
Having two EFI partitions defined with EFI_GUID need a precise
behaviour defined: boot with first or boot with second.
Shall we have a EFI_GUID_ALT defined for A/B partition schemes?
If not, the BootXXX variables should be used as selector?
We lean towards BootXXX variables and not defining a new GUID. But
this would mean explicit behavior to be stated in case of lack of
BootXXX.
I think GPT volume mirroring should be used in conjunction with A/B:
A/B to recover version failures with current hardware, surrounding
software; mirroring to protect against storage failures.
Is there any recommendation on mirrored EFI volumes handling ?
III - 32 bits
are there any 32 bits specific considerations to be added?
IV - UEFI_RNG_PROTOCOL
Following my view in 0) I think this shall be made mandatory
Linaro has upstreamed this in U-Boot and started to implement
additional hardware drivers.
KASLR is thus functional in 64 bits and will be in 32bits.
V - UEFI SecureBoot
Following my view in 0) I think this shall be made mandatory
UEFI SecureBoot is not mentioned in section 2.6 so we need to clarify
what needs to be implemented.
In particular, we need to implement EFI_LOAD_FILE2_PROTOCOL for initrd
signature checking.
VI - UEFI update capsules
Following my view in 0) I think this shall be made mandatory
Section 2.6 of UEFI spec 2.7 mentions
At some point in time we will need to propose UEFI specification update for:
- anti-bricking anti rollback expected behavior
- abstract capsules for "start transaction", "commit", "rollback" when
we will be dealing with system wide transactional updates.
There is probably a lot to state here but I am just starting the discussion.
VII - UEFI watchdog
Following my view in 0) I think this shall be made mandatory
In addition to its definition, it should also integrate consistent
parameters to define total duration covered as well as number of
failed consecutive updates to be triggered as well as how it is
delivered (powercycle, NMI, secureIRQ...)
Cheers
--
François-Frédéric
