4.7.1.1.Introduction

ThePSA FW update specification defines the concepts ofFirmwareUpdateClient andFirmwareUpdateAgent.The new firmware images are provided by theClient to theUpdateAgentto flash them in non-volatile storage.

A common system design will place theUpdateAgent in the Secure-worldwhile theClient executes in the Normal-world.ThePSA FW update specification provides ABIs meant for a Normal-worldentity akaClient to transmit the firmware images to theUpdateAgent.

4.7.1.2.Scope

The design of theClient andUpdateAgent is out of scope of thisdocument.This document mainly coversPlatformBoot details i.e. the role ofthe second stage Bootloader after FWU has been done byClient andUpdateAgent.

4.7.1.3.Overview

There are active and update banks in the non-volatile storage identifiedby theactive_index and theupdate_index respectively.An active bank stores running firmware, whereas an update bank containsfirmware updates.

Once Firmwares are updated in the update bank of the non-volatilestorage, thenUpdateAgent marks the update bank as the active bank,and write updated FWU metadata in non-volatile storage.On subsequent reboot, the second stage Bootloader (BL2) performs thefollowing actions:

• Read FWU metadata in memory

• Retrieve the image specification (offset and length) of updated imagespresent in non-volatile storage with the help of FWU metadata

• Set these image specification in the corresponding I/O policies of theupdated images using the FWU platform functionsplat_fwu_set_images_source() andplat_fwu_set_metadata_image_source(),please referPorting Guide

• Use these I/O policies to read the images from this address into the memory

By default, the platform uses the active bank of non-volatile storage to bootthe images intrialstate. If images pass through the authentication checkand also if the system successfully booted the Normal-world image thenUpdateAgent marks this update as accepted after further sanitisationchecking at Normal-world.

The second stage Bootloader (BL2) avoids upgrading the platform NV-counter untilit’s been confirmed that given update is accepted.

The following sequence diagram shows platform-boot flow:

If the platform fails to boot from active bank due to any reasons suchas authentication failure or non-fuctionality of Normal-world software then thewatchdog will reset to give a chance to the platform to fix the issue. Thisboot failure & reset sequence might be repeated up totrialstate times.After that, the platform can decide to boot from theprevious_active_indexbank.

If the images still does not boot successfully from theprevious_active_indexbank (e.g. due to ageing effect of non-volatile storage) then the platform canchoose firmware recovery mechanismTBBR Firmware Update (TBBR FWU) to bring systemback to life.

4.7.2.1.Introduction

This technique enables authenticated firmware to update firmware images fromexternal interfaces such as USB, UART, SD-eMMC, NAND, NOR or Ethernet to SoCNon-Volatile memories such as NAND Flash, LPDDR2-NVM or any memory determinedby the platform.This feature functions even when the current firmware in the system is corruptor missing; it therefore may be used as a recovery mode. It may also becomplemented by other, higher level firmware update software.

FWU implements a specific part of the Trusted Board Boot Requirements (TBBR)specification, Arm DEN0006C-1. It should be used in conjunction with theTrusted Board Boot design document, which describes the imageauthentication parts of the Trusted Firmware-A (TF-A) TBBR implementation.

It can be used as a last resort when all firmware updates that are carried outas part of thePSA Firmware Update (PSA FWU) procedure have failed to function.

4.7.2.2.Scope

This document describes the secure world FWU design. It is beyond its scope todescribe how normal world FWU images should operate. To implement normal worldFWU images, please refer to the “Non-Trusted Firmware Updater” requirements inthe TBBR.

4.7.2.3.Overview

The FWU boot flow is primarily mediated by BL1. Since BL1 executes in ROM, andit is usually desirable to minimize the amount of ROM code, the design allowssome parts of FWU to be implemented in other secure and normal world images.Platform code may choose which parts are implemented in which images but thegeneral expectation is:

• BL1 handles:

  • Detection and initiation of the FWU boot flow.

  • Copying images from non-secure to secure memory

  • FWU image authentication

  • Context switching between the normal and secure world during the FWUprocess.

• Other secure world FWU images handle platform initialization required bythe FWU process.

• Normal world FWU images handle loading of firmware images from externalinterfaces to non-secure memory.

The primary requirements of the FWU feature are:

1. Export a BL1 SMC interface to interoperate with other FWU images executingat other Exception Levels.

2. Export a platform interface to provide FWU common code with the informationit needs, and to enable platform specific FWU functionality. See thePorting Guide for details of this interface.

TF-A uses abbreviated image terminology for FWU images like for other TF-Aimages. See theImage Terminology document for an explanation of theseterms.

The following diagram shows the FWU boot flow for Arm development platforms.Arm CSS platforms like Juno have a System Control Processor (SCP), and theseuse all defined FWU images. Other platforms may use a subset of these.

4.7.2.4.Image Identification

Each FWU image and certificate is identified by a unique ID, defined by theplatform, which BL1 uses to fetch an image descriptor (image_desc_t) via acall tobl1_plat_get_image_desc(). The same ID is also used to prepare theChain of Trust (Refer to theAuthentication Framework & Chain of Trustdocument for more information).

The image descriptor includes the following information:

• Executable or non-executable image. This indicates whether the normal worldis permitted to request execution of a secure world FWU image (afterauthentication). Secure world certificates and non-AP images are examplesof non-executable images.

• Secure or non-secure image. This indicates whether the image isauthenticated/executed in secure or non-secure memory.

• Image base address and size.

• Image entry point configuration (anentry_point_info_t).

• FWU image state.

BL1 uses the FWU image descriptors to:

• Validate the arguments of FWU SMCs

• Manage the state of the FWU process

• Initialize the execution state of the next FWU image.

4.7.2.5.FWU State Machine

BL1 maintains state for each FWU image during FWU execution. FWU images at lowerException Levels raise SMCs to invoke FWU functionality in BL1, which causesBL1 to update its FWU image state. The BL1 image states and valid statetransitions are shown in the diagram below. Note that secure images have a morecomplex state machine than non-secure images.

The following is a brief description of the supported states:

• RESET: This is the initial state of every image at the start of FWU.Authentication failure also leads to this state. A secureimage may yield to this state if it has completed execution.It can also be reached by usingFWU_SMC_IMAGE_RESET.

• COPYING: This is the state of a secure image while BL1 is copying itin blocks from non-secure to secure memory.

• COPIED: This is the state of a secure image when BL1 has completedcopying it to secure memory.

• AUTHENTICATED: This is the state of an image when BL1 has successfullyauthenticated it.

• EXECUTED: This is the state of a secure, executable image when BL1 haspassed execution control to it.

• INTERRUPTED: This is the state of a secure, executable image after it hasrequested BL1 to resume normal world execution.

4.7.2.6.BL1 SMC Interface

Arguments:uint32_tfunctionID:0x0Return:uint32_t

Arguments:uint32_tfunctionID:0x1Return:UUID:32bitsineachofw0-w3(orr0-r3forAArch32callers)

Argument:uint32_tfunctionID:0x3Return:uint32_t:Bits[31:16]MajorVersionBits[15:0]MinorVersion

Arguments:uint32_tfunctionID:0x4entry_point_info_t*ep_infoReturn:voidPre-conditions:if(normalworldcaller)synchronousexceptionif(ep_infonotEL3)synchronousexception

Arguments:uint32_tfunctionID:0x10unsignedintimage_iduintptr_timage_addrunsignedintblock_sizeunsignedintimage_sizeReturn:int:0(Success):-ENOMEM:-EPERMPre-conditions:if(image_idisinvalid)return-EPERMif(image_idisnon-secureimage)return-EPERMif(image_idstateisnot(RESETorCOPYING))return-EPERMif(secureworldcaller)return-EPERMif(image_addr+block_sizeoverflows)return-ENOMEMif(imagedestinationaddress+image_sizeoverflows)return-ENOMEMif(sourceblockisinsecurememory)return-ENOMEMif(sourceblockisnotmappedintoBL1)return-ENOMEMif(image_size>freesecurememory)return-ENOMEMif(imageoverlapsanotherimage)return-EPERM

Arguments:uint32_tfunctionID:0x11unsignedintimage_iduintptr_timage_addrunsignedintimage_sizeReturn:int:0(Success):-ENOMEM:-EPERM:-EAUTHPre-conditions:if(image_idisinvalid)return-EPERMif(secureworldcaller)if(image_idstateisnotRESET)return-EPERMif(image_addr/image_sizeisnotmappedintoBL1)return-ENOMEMelse//normalworldcallerif(image_idissecureimage)if(image_idstateisnotCOPIED)return-EPERMelse//image_idisnon-secureimageif(image_idstateisnotRESET)return-EPERMif(image_addr/image_sizeisinsecurememory)return-ENOMEMif(image_addr/image_sizenotmappedintoBL1)return-ENOMEM

Arguments:uint32_tfunctionID:0x12unsignedintimage_idReturn:int:0(Success):-EPERMPre-conditions:if(image_idisinvalid)return-EPERMif(secureworldcaller)return-EPERMif(image_idisnon-secureimage)return-EPERMif(image_idisnon-executableimage)return-EPERMif(image_idstateisnotAUTHENTICATED)return-EPERM

Arguments:uint32_tfunctionID:0x13register_timage_paramReturn:register_t:image_param(Success):-EPERMPre-conditions:if(normalworldcallerandnoINTERRUPTEDsecureimage)return-EPERM

Arguments:uint32_tfunctionID:0x14Return:int:0(Success):-EPERMPre-conditions:if(normalworldcaller)return-EPERM

Arguments:uint32_tfunctionID:0x15register_tclient_cookieReturn:N/A

Arguments:uint32_tfunctionID:0x16unsignedintimage_idReturn:int:0(Success):-EPERMPre-conditions:if(secureworldcaller)return-EPERMif(imageinEXECUTED)return-EPERM