Difference between revisions of "Boot chain overview"

[quality revision] [quality revision]
m
m
 
Applicable for STM32MP13x lines, STM32MP15x lines

1 Generic boot sequence[edit]

1.1 Linux start-up[edit]

Starting Linux® on a processor is done in several steps that progressively initialize the platform peripherals and memories. These steps are explained in the following parapraphs paragraphs and illustrated by the diagram on the right, which also gives typical memory sizes for each stage.

Generic Linux boot chain
Generic Linux boot chain

1.1.1 ROM code[edit]

The ROM code is a piece of software that takes its name from the read only memory (ROM) where it is stored. It fits in a few tens of Kbytes and maps its data in embedded RAM. It is the first code executed by the processor, and it embeds all the logic needed to select the boot device (serial link or Flashflash) from which the first-stage boot loader bootloader (FSBL) is loaded to the embedded RAM.
Most products require to trust the application that is running on the device and the ROM code is the first link in the chain of trust that must be established across all started components: this trust is established by authenticating the FSBL before starting it. In turn, the FSBL and each following component authenticates the next one, up to a level defined by the product manufacturer.

1.1.2 First stage boot loader bootloader (FSBL)[edit]

Among other things, the first stage boot loader bootloader (FSBL) initializes (part of) the clock tree and the external RAM controller. Finally, the FSBL loads the second-stage boot loader bootloader (SSBL) into the external RAM and jumps to it.

The Trusted Firmware-A (TF-A) and U-Boot secondary program loader (U-Boot SPL) are two possible FSBLs.

1.1.3 Second-stage boot loader bootloader (SSBL)[edit]

The second-stage boot loader bootloader (SSBL) runs in a wide RAM so it can implement complex features (such as, USB, Ethernet, display, and so on), that are very useful to make Linux kernel loading more flexible (from a Flash device, storage device on USB or on a network, and so on), and user-friendly (by showing a splash screen to the user). U-Boot is commonly used as a Linux bootloader in embedded systems.

1.1.4 Linux kernel space[edit]

The Linux kernel is started in the external memory and it initializes all the peripheral drivers that are needed on the platform.

1.1.5 Linux user space[edit]

Finally, the Linux kernel hands control to the user space starting the init process that runs all initialization actions described in the root file system (rootfs), including the application framework that exposes the user interface (UI) to the user.

1.2 Other services start-up[edit]

STM32MP boot chain
STM32MP boot chain

In addition to  Linux  startup, the boot chain can also handle the start-up of other servicesinstalls the secure monitor and may support coprocessor firmware loading.

For instance, for the STM32MP15, the boot chain starts:

  • the The  secure monitor , supported by the Arm® Cortex®-A secure context (TrustZone). Examples of use of a secure monitor are: user authentication, key storage, and tampering management.
  • the The  coprocessor  firmware, running on the Arm Cortex-M core. This can be used to offload real-time or low-power services.


The dotted lines in the diagram on the right mean that:

  • the  secure monitor  can be started by the first stage boot loader (FSBL) or the second stage boot loader (SSBL)
  • the The  coprocessor  can be started by the second stage boot loader bootloader (SSBL), known as “early boot”, or Linux kernel (by default).


2 STM32MP boot sequence[edit]

2.1 Diagram frames and legend[edit]

STM32MP hardware execution contexts
STM32MP hardware execution contexts

The hardware execution contexts are shown with vertical frames in the boot diagrams:

  • the  Arm Cortex-A secure  context, in pink
  • the  Arm Cortex-A non-secure  context, in dark blue
  • the  Arm Cortex-M  context, in light blue, for STM32MP15x lines More info.png only

The horizontal frame in:

  • the bottom part shows the boot chain
  • the top part shows the runtime services, that are installed by the boot chain


Boot chain diagrams legend
Boot chain diagrams legend

The legend on the right shows illustrates how the information about the various components shown in the frames , and which are involved in the boot process, is highlighted. These are highlighted as follows:

  • The box color shows the component source code origin
  • The arrows show the loading and calling actions between the components
  • The Cube logo is used on the top right corner of components that can be configured via STM32CubeMX
  • The lock show the components that can be authenticated during the boot process


2.2 STM32MP STM32MP13 boot chainschain[edit]

2.2.1 Overview[edit]

Zoom out to STM32MPU Embedded Software

Two different boot chain flavors are supported on STM32MP processors with STM32MPU Embedded Software:

The trusted boot chain

STM32MP13 boot chain uses Trusted Firmware-A (TF-A) as the FSBL

, so it should

in order to fulfill all the requirements for security-sensitive customers, and it uses U-Boot as the SSBL. Note that

the authentication is optional with

this boot chain

, so it

can run on any

STM32MP

STM32MP13 device

.

security variant (that is, with or without the

Secure
  • The basic boot chain is also available to generate both the FSBL (U-Boot SPL) and SSBL (U-Boot) from a unique piece of source code, U-Boot. It is only upstreamed with a limited number of features, and the U-Boot community is able to extend this.
  • Warning white.png Warning
    The basic boot chain is not supported/promoted by STMicroelectronics to make products, it is only provided to support the DDR Tuning Tool and the U-Boot developments.

    2.2.2 STM32MP15 case[edit]

    2.2.2.1 Overview[edit]

    The diagrams below illustrate the two boot chain flavors availble on the STM32MP15: the trusted boot chain and the basic boot chain.

    Trusted boot chain
    File:Basic boot chain.png
    Basic boot chain
    Notes:
  • The second-stage boot loader (SSBL) can run in ARM Secure/Trustzone mode (basic boot chain) or Non-Secure mode (trusted boot chain).
  • The STM32MP

    secure boot).

    The trusted boot chain is the default solution delivered by STMicroelectronics, with a complete feature set (for example, all Flash devices are supported).


    Refer to the security overview for an introduction of the secure features available on STM32MP13, from the secure boot up to trusted applications execution.

    STM32MP13 boot chain

    2.2.2 ROM code[edit]

    The ROM code starts the processor in secure mode. It supports the FSBL authentication and decryption.

    2.2.3 First stage bootloader (FSBL)[edit]

    The FSBL is executed from the SYSRAM.
    Among other things, this bootloader initializes (part of) the clock tree and the DDR controller. Finally, the FSBL loads the second-stage bootloader (SSBL) into the DDR external RAM and jumps to it.
    The bootloader stage 2, so called TF-A BL2, is the Trusted Firmware-A (TF-A) binary used as FSBL on STM32MP13.

    2.2.4 Second stage bootloader (SSBL)[edit]

    U-Boot is commonly used as a bootloader in embedded software and it is the one used on STM32MP13.

    2.2.5 Linux[edit]

    Linux® OS is loaded in DDR by U-Boot and executed in the non-secure context.

    2.2.6 Secure OS / Secure monitor[edit]

    The Cortex-A7 secure world supports OP-TEE secure OS.

    2.3 STM32MP15 boot chain[edit]

    2.3.1 Overview[edit]

    STM32MP15 boot chain uses Trusted Firmware-A (TF-A) as the FSBL in order to fulfill all the requirements for security-sensitive customers, and it uses U-Boot as the SSBL. Note that the authentication is optional with this boot chain, so it can run on any STM32MP15 device security variant (that is, with or without the Secure boot).
    Refer to the security overview for an introduction of the secure features available on STM32MP15, from the secure boot up to trusted applications execution.

    STM32MP15 boot chain

    Note:

    2.

    2

    3.2

    .2

    ROM code[edit]

    The ROM code starts the processor in secure mode. It supports the FSBL authentication and offers authentication services to the FSBL.

    2.

    2

    3.

    2.

    3 First stage

    boot loader

    bootloader (FSBL)[edit]

    The FSBL is executed from the SYSRAM.
    Among other things, this boot loader bootloader initializes (part of) the clock tree and the DDR controller. Finally, the FSBL loads the second-stage boot loader bootloader (SSBL) into the DDR external RAM and jumps to it.
    The bootloader stage 2, so called TF-A BL2, is the Trusted Firmware-A (TF-A) and U-Boot secondary program loader (U-Boot SPL) are the two possible FSBLs on the STM32MP15, for the trusted boot chain and the basic boot chain, respectively binary used as FSBL on STM32MP15.

    2.

    2

    3.

    2.

    4 Second stage

    boot loader

    bootloader (SSBL)[edit]

    The second-stage boot loader (SSBL) runs in a wide RAM so it can implement complex features (USB, Ethernet, display, and so on), that are very useful to make Linux kernel loading (from a Flash device, a network, and so on) more flexible, and user-friendly (by showing a splash screen to the user).
    U-Boot is commonly used as a bootloader in embedded software and it is the one used on STM32MP15.

    2.

    2

    3.

    2.

    5 Linux[edit]

    Linux® is OS is loaded in DDR by U-Boot and executed in the non-secure context.

    2.

    2

    3.

    2.

    6 Secure OS / Secure

    Monitor

    monitor[edit]

    The Cortex-A7 secure world can implement a minimal secure monitor (from TF-A SP-MIN or U-Boot) or a real secure OS, such as OP-TEE.

    2.

    2

    3.

    2.

    7 Coprocessor firmware[edit]

    The coprocessor STM32Cube firmware can be started at the SSBL level by U-Boot with the remoteproc feature (rproc command) or, later, by Linux remoteproc framework, depending on the application startup time-targets.

    2.2.3 Boot chains features set[edit]

    As previously mentionned, the Basic boot chain has a limited features set versus the Trusted boot chain (which is the default solution delivered by STMicroelectronics). Here is the list of supported features for the Trusted and Basic boot chains:

    Features Trusted boot chain Basic boot chain Boot device support eMMC Supported Supported SDCard Supported Supported NOR Supported Supported NAND Supported Not supported Flash programming via UART Supported Not supported Flash programming via USB Supported Not supported Device control DDR initialization Supported Supported PMIC management Supported Supported System shutdown Supported Not supported SMP CPU boot and reset Supported supported Low power management Supported Not supported Security features Authentication ECDSA Based Supported Not supported Secure boot TZEN=1 - SMC Firewalling Supported Not supported Cortex-M4 isolation control Supported Not supported Non secure boot - Unlimited access to RCC and PWR Supported Supported HSI/CSI Calibration Supported Not supported Security Tamper Supported Not supported Security OTP Supported Not supported Security IWDG1 Supported Not supported


    {{ApplicableFor
    |MPUs list=STM32MP13x, STM32MP15x
    |MPUs checklist=STM32MP13x, STM32MP15x
    }}__FORCETOC__
    == Generic boot sequence ==
    === Linux start-up ===
    Starting Linux<sup>&reg;</sup> on a processor is done in several steps that progressively initialize the platform peripherals and memories. These steps are 
    explained in the following parapraphsparagraphs and illustrated by the diagram on the right, which also gives typical memory sizes for each stage.
    [[File: Boot_chains_overview.png|thumb|upright=4|right|center|link=|Generic Linux boot chain]]
    
    ==== ROM code ====
    The ROM code is a piece of software that takes its name from the read only memory (ROM) where it is stored. It fits in a few tens of Kbytes and maps its data in embedded RAM. It is the first code executed by the processor, and it embeds all the logic needed to select the boot device (serial link or Flashflash) from which the first-stage boot loader bootloader (FSBL) is loaded to the embedded RAM.
    
    
    ==== First stage boot loader <br>
    
    Most products require to trust the application that is running on the device and the ROM code is the first link in the chain of trust that must be established across all started components: this trust is established by authenticating the FSBL before starting it. In turn, the FSBL and each following component authenticates the next one, up to a level defined by the product manufacturer.
    
    ==== First stage bootloader (FSBL) ====
    Among other things, the first stage boot loader bootloader (FSBL) initializes (part of) the clock tree and the external RAM controller. Finally, the FSBL loads the second-stage boot loader bootloader (SSBL) into the external RAM and jumps to it.<br />
    
    
    The [[TF-A overview|Trusted Firmware-A (TF-A)]] and [[U-Boot overview|U-Boot]] secondary program loader (U-Boot SPL) are two possible FSBLs.
    
    ==== Second-stage boot loader bootloader (SSBL) ====
    The second-stage boot loader bootloader (SSBL) runs in a wide RAM so it can implement complex features (such as, USB, Ethernet, display, and so on), that are very useful to make Linux kernel loading more flexible (from a Flashstorage device, a network, and so on on USB or on a network), and user-friendly (by showing a splash screen to the user). [[U-Boot overview|U-Boot]] is commonly used as a Linux bootloader in embedded systems.
    
    ==== Linux kernel space ====
    The Linux kernel is started in the external memory and it initializes all the peripheral drivers that are needed on the platform.
    
    ==== Linux user space ====
    Finally, the Linux kernel hands control to the user space starting the init process that runs all initialization actions described in the root file system (rootfs), including the application framework that exposes the user interface (UI) to the user.<br />
    
    
    === Other services start-up ===
    [[File: STM32MP boot chain.png|thumb|upright=2|right|link=|STM32MP boot chain]]
    In addition to <span style="color:#FFFFFF; background:{{STDarkBlue}};">&nbsp;Linux&nbsp;</span> startup, the boot chain can also handleinstalls the start-up of other services.<br /><br />
    
    secure monitor and may support coprocessor firmware loading.<br /><br />
    For instance, for the STM32MP15, the boot chain starts:
    * theThe <span style="color:#FFFFFF; background:{{STPink}};">&nbsp;secure monitor&nbsp;</span>, supported by the Arm<sup>&reg;</sup> Cortex<sup>&reg;</sup>-A secure context (TrustZone). Examples of use of a secure monitor are: user authentication, key storage, and tampering management.
    * theThe <span style="color:#FFFFFF; background:{{STLightBlue}};">&nbsp;coprocessor&nbsp;</span> firmware, running on the Arm Cortex-M core. This can be used to offload real-time or low-power services.<br />
    
    The dotted lines in the diagram on the right mean that:
    * theThe <span style="color:#FFFFFF; background:{{STPinkSTLightBlue}};">&nbsp;secure monitor&nbsp;</span> can be started by the '''first stage boot loader (FSBL)''' or the '''second stage boot loader (SSBL)'''
    * the <span style="color:#FFFFFF; background:{{STLightBlue}};">&nbsp;coprocessor&nbsp;</span> can be started by the '''second stage boot loader bootloader (SSBL)''', known as “'''early boot'''”, or '''Linux kernel''' (by default).<br clear=all>
    
    
    == STM32MP boot sequence ==
    === Diagram frames and legend ===
    [[File:Boot diagrams contexts.png|thumb|upright=2|right|link=|STM32MP hardware execution contexts]]
    The [[Getting_started_with_STM32_MPU_devices#Multiple-core_architecture_concepts|hardware execution contexts]] are shown with vertical frames in the boot diagrams:
    * the <span style="color:#FFFFFF; background:{{STPink}};">&nbsp;Arm Cortex-A secure&nbsp;</span> context, in pink
    * the <span style="color:#FFFFFF; background:{{STDarkBlue}};">&nbsp;Arm Cortex-A non-secure&nbsp;</span> context, in dark blue
    * the <span style="color:#FFFFFF; background:{{STLightBlue}};">&nbsp;Arm Cortex-M&nbsp;</span> context, in light blue
    , for {{MicroprocessorDevice | device=15}} only
    The horizontal frame in:
    * the bottom part shows the '''boot chain'''
    * the top part shows the '''runtime''' services, that are installed by the '''boot chain'''<br clear=all>
    
    [[File:Boot chains legend.png|thumb|upright=2|right|link=|Boot chain diagrams legend]]
    The legend on the right showsillustrates how the information about the various components shown in the frames, and which  are involved in the boot process, is highlighted. These are highlighted as follows:
    * The box '''color''' shows the component source code origin
    * The '''arrows''' show the loading and calling actions between the components
    * The '''Cube''' logo is used on the top right corner of components that can be configured via [[STM32CubeMX]] 
    * The '''lock''' show the components that can be authenticated during the boot process<br clear=all>
    
    
    === STM32MPSTM32MP13 boot chainschain ===
    ==== Overview ====[[File: STM32MPU Embedded Software architecture overview.png|link=STM32MPU Embedded Software architecture overview|thumb|Zoom out to STM32MPU Embedded Software]]
    Two different boot chain flavors are supported on STM32MP processors with [[STM32MPU Embedded Software architecture overview|STM32MPU Embedded Software]]:
    * The '''trusted boot chain''' STM32MP13 boot chain uses [[TF-A overview|Trusted Firmware-A (TF-A)]] as the FSBL, so it should in order to fulfill all the requirements for security-sensitive customers, and it uses [[U-Boot overview|U-Boot]] as the SSBL. Note that the authentication is optional with this boot chain, so it  can run on any STM32MPSTM32MP13 device. [[STM32MP15 [[STM32MP13_microprocessor#Part_number_codification|security]] variant (that is,  with or without the Securesecure boot). '''The trusted boot chain is the default solution delivered by STMicroelectronics''', with a complete feature set (for example, all Flash devices are supported).
    * The '''basic boot chain''' is also available to generate both the FSBL (U-Boot SPL) and SSBL (U-Boot) from a unique piece of source code, [[U-Boot overview|U-Boot]].  It is only upstreamed with a [[#Boot_chains_features_set|limited number of features]], and the U-Boot community is able to extend this.<br clear=all>
    
    {{Warning | The basic boot chain is not supported/promoted by STMicroelectronics to make products, it is only provided to support the DDR Tuning Tool and the U-Boot developments.}}
    
    ==== STM32MP15 case ====
    ===== Overview =====
    The diagrams below illustrate the two boot chain flavors availble on the STM32MP15: the '''trusted boot chain''' and the '''basic boot chain'''.
    [[File:Trusted boot chain.png|center|link=|frame|Trusted boot chain]]<br>
    
    [[File:Basic boot chain.png|center|link=|frame|Basic boot chain]]<br clear=all>
    
    Notes:
    * The second-stage boot loader (SSBL) can run in ARM Secure/Trustzone mode (basic boot chain) or Non-Secure mode (trusted boot chain).
    * The STM32MP<br>
    
    Refer to the [[Security overview|security overview]] for an introduction of the secure features available on STM32MP13, from the secure boot up to trusted applications execution.
    [[File:STM32MP13 boot chain.png|center|link=|STM32MP13 boot chain]]
    
    ==== ROM code ====
    The [[STM32 MPU ROM code overview|ROM code]] starts the processor in secure mode. It supports the FSBL authentication and decryption.
    
    ==== First stage bootloader (FSBL) ====
    The FSBL is executed from the [[SYSRAM_internal_memory|SYSRAM]].<br />
    
    Among other things, this bootloader initializes (part of) the clock tree and the [[DDRCTRL and DDRPHYC internal peripherals|DDR controller]]. Finally, the FSBL loads the second-stage bootloader (SSBL) into the DDR external RAM and jumps to it.<br>
    
    The bootloader stage 2, so called TF-A BL2, is the [[TF-A overview|Trusted Firmware-A (TF-A)]] binary used as FSBL on STM32MP13.<br>
    
    
    ==== Second stage bootloader (SSBL) ====
    [[U-Boot overview|U-Boot]] is commonly used as a bootloader in embedded software and it is the one used on STM32MP13.
    
    ==== Linux ====
    Linux<sup>&reg;</sup> OS is loaded in DDR by U-Boot and executed in the non-secure context.
    
    ==== Secure OS / Secure monitor ====
    The Cortex-A7 secure world supports [[OP-TEE overview|OP-TEE]] secure OS.
    
    === STM32MP15 boot chain ===
    ==== Overview ====
    STM32MP15 boot chain uses [[TF-A overview|Trusted Firmware-A (TF-A)]] as the FSBL in order to fulfill all the requirements for security-sensitive customers, and it uses [[U-Boot overview|U-Boot]] as the SSBL. Note that the authentication is optional with this boot chain, so it can run on any STM32MP15 device [[STM32MP15_microprocessor#Part_number_codification|security]] variant (that is,  with or without the Secure boot).<br>
    
    Refer to the [[Security overview|security overview]] for an introduction of the secure features available on STM32MP15, from the secure boot up to trusted applications execution.
    [[File:Trusted boot chain.png|center|link=|STM32MP15 boot chain]]
    Note:
    * The STM32MP15 coprocessor can be started at the SSBL level by the [[U-Boot overview|U-Boot early boot]] feature or, later, by the [[Linux remoteproc framework overview|Linux remoteproc framework]], depending on the application startup time-targets.
    
    ===== ROM code =====
    
    The [[STM32MP15 STM32 MPU ROM code overview|ROM code]] starts the processor in secure mode. It supports the FSBL authentication and offers authentication services to the FSBL.
    
    ===== First stage boot loader bootloader (FSBL) =====
    
    The FSBL is executed from the [[SYSRAM_internal_memory|SYSRAM]].<br />
    
    Among other things, this boot loader bootloader initializes (part of) the clock tree and the [[DDRCTRL and DDRPHYC internal peripherals|DDR controller]]. Finally, the FSBL loads the second-stage boot loader bootloader (SSBL) into the DDR external RAM and jumps to it.<br />
    
    The bootloader stage 2, so called TF-A BL2, is the [[TF-A overview|Trusted Firmware-A (TF-A)]] and [[U-Boot overview|U-Boot]] secondary program loader (U-Boot SPL) are the two possible FSBLs on the STM32MP15, for the '''trusted boot chain''' and the '''basic boot chain''', respectively.
    
    ===== Second stage boot loader (SSBL) =====
    The second-stage boot loader (SSBL) runs in a wide RAM so it can implement complex features (USB, Ethernet, display, and so on), that are very useful to make Linux kernel loading (from a Flash device, a network, and so on) more flexible, and user-friendly (by showing a splash screen to the user).<br />
    binary used as FSBL on STM32MP15.<br>
    
    
    ==== Second stage bootloader (SSBL) ====[[U-Boot overview|U-Boot]] is commonly used as a bootloader in embedded software.
    
    ===== Linux ===== and it is the one used on STM32MP15.
    
    ==== Linux ====
    
    Linux<sup>&reg;</sup> is OS is loaded in DDR by U-Boot and executed in the non-secure context.
    
    ===== Secure OS / Secure Monitor =====monitor ====
    
    The Cortex-A7 secure world can implement a minimal secure monitor (from [[TF-A_overview#BL32|TF-A SP-MIN]] or [[U-Boot overview|U-Boot]]) or a real secure OS, such as [[OP-TEE overview|OP-TEE]].
    
    ===== Coprocessor firmware =====
    
    The coprocessor [[STM32CubeMP1 architecture|STM32Cube]] firmware can be started at the SSBL level by [[U-Boot overview|U-Boot]] with the remoteproc feature (rproc command) or, later, by [[Linux remoteproc framework overview|Linux remoteproc framework]], depending on the application startup time-targets.
    ==== Boot chains features set ====
    As previously mentionned, the Basic boot chain has a limited features set versus the Trusted boot chain (which is the default solution delivered by STMicroelectronics). Here is the list of supported features for the Trusted and Basic boot chains:
    
    {|
    ! Features !! Trusted boot chain !! Basic boot chain
    |-
    ! Boot device support !! !!
    |-
    | eMMC || Supported || Supported
    |-
    | SDCard || Supported || Supported
    |-
    | NOR || Supported || Supported
    |-
    | NAND || Supported || Not supported
    |-
    | Flash programming via UART || Supported || Not supported
    |-
    | Flash programming via USB || Supported || Not supported
    |-
    ! Device control !! !!
    |-
    | DDR initialization || Supported || Supported
    |-
    | PMIC management || Supported || Supported
    |-
    | System shutdown || Supported || Not supported
    |-
    | SMP CPU boot and reset || Supported || supported
    |-
    | Low power management || Supported || Not supported
    |-
    ! Security features !! !!
    |-
    | Authentication ECDSA Based || Supported || Not supported
    |-
    | Secure boot TZEN=1 - SMC Firewalling || Supported || Not supported
    |-
    | Cortex-M4 isolation control || Supported || Not supported
    |-
    | Non secure boot - Unlimited access to RCC and PWR || Supported || Supported
    |-
    | HSI/CSI Calibration || Supported || Not supported
    |-
    | Security Tamper || Supported || Not supported
    |-
    | Security OTP || Supported || Not supported
    |-
    | Security IWDG1 || Supported || Not supported
    |-
    |}
    <noinclude>
    
    [[Category:Platform boot|0]]
    {{PublicationRequestId | 13223 |<noinclude>
    
    [[Category:Platform boot|0]]
    {{PublicationRequestId |22726  | 2022-03-03| previous : 13223  - 2019-09-11}}</noinclude>
    (51 intermediate revisions by 7 users not shown)
    Line 1: Line 1:
      +
    {{ApplicableFor
      +
    |MPUs list=STM32MP13x, STM32MP15x
      +
    |MPUs checklist=STM32MP13x, STM32MP15x
      +
    }}
     
    __FORCETOC__
     
    __FORCETOC__
     
    == Generic boot sequence ==
     
    == Generic boot sequence ==
     
    === Linux start-up ===
     
    === Linux start-up ===
     
    Starting Linux<sup>&reg;</sup> on a processor is done in several steps that progressively initialize the platform peripherals and memories. These steps are  
     
    Starting Linux<sup>&reg;</sup> on a processor is done in several steps that progressively initialize the platform peripherals and memories. These steps are  
    explained in the following parapraphs and illustrated by the diagram on the right, which also gives typical memory sizes for each stage.
    +
    explained in the following paragraphs and illustrated by the diagram on the right, which also gives typical memory sizes for each stage.
    [[File: Boot_chains_overview.png|thumb|upright=4|right|link=|Generic Linux boot chain]]
    +
    [[File: Boot_chains_overview.png|center|link=|Generic Linux boot chain]]
       
     
    ==== ROM code ====
     
    ==== ROM code ====
    The ROM code is a piece of software that takes its name from the read only memory (ROM) where it is stored. It fits in a few tens of Kbytes and maps its data in embedded RAM. It is the first code executed by the processor, and it embeds all the logic needed to select the boot device (serial link or Flash) from which the first-stage boot loader (FSBL) is loaded to the embedded RAM.
    +
    The ROM code is a piece of software that takes its name from the read only memory (ROM) where it is stored. It fits in a few tens of Kbytes and maps its data in embedded RAM. It is the first code executed by the processor, and it embeds all the logic needed to select the boot device (serial link or flash) from which the first-stage bootloader (FSBL) is loaded to the embedded RAM.<br>
      +
    Most products require to trust the application that is running on the device and the ROM code is the first link in the chain of trust that must be established across all started components: this trust is established by authenticating the FSBL before starting it. In turn, the FSBL and each following component authenticates the next one, up to a level defined by the product manufacturer.
       
    ==== First stage boot loader (FSBL) ====
    +
    ==== First stage bootloader (FSBL) ====
    Among other things, the first stage boot loader (FSBL) initializes (part of) the clock tree and the external RAM controller. Finally, the FSBL loads the second-stage boot loader (SSBL) into the external RAM and jumps to it.<br />
    +
    Among other things, the first stage bootloader (FSBL) initializes (part of) the clock tree and the external RAM controller. Finally, the FSBL loads the second-stage bootloader (SSBL) into the external RAM and jumps to it.<br />
       
     
    The [[TF-A overview|Trusted Firmware-A (TF-A)]] and [[U-Boot overview|U-Boot]] secondary program loader (U-Boot SPL) are two possible FSBLs.
     
    The [[TF-A overview|Trusted Firmware-A (TF-A)]] and [[U-Boot overview|U-Boot]] secondary program loader (U-Boot SPL) are two possible FSBLs.
       
    ==== Second-stage boot loader (SSBL) ====
    +
    ==== Second-stage bootloader (SSBL) ====
    The second-stage boot loader (SSBL) runs in a wide RAM so it can implement complex features (USB, Ethernet, display, and so on), that are very useful to make Linux kernel loading more flexible (from a Flash device, a network, and so on), and user-friendly (by showing a splash screen to the user). [[U-Boot overview|U-Boot]] is commonly used as a Linux bootloader in embedded systems.
    +
    The second-stage bootloader (SSBL) runs in a wide RAM so it can implement complex features (such as, USB, Ethernet, display), that are very useful to make Linux kernel loading more flexible (from a storage device on USB or on a network), and user-friendly (by showing a splash screen to the user). [[U-Boot overview|U-Boot]] is commonly used as a Linux bootloader in embedded systems.
       
     
    ==== Linux kernel space ====
     
    ==== Linux kernel space ====
    Line 24: Line 29:
       
     
    === Other services start-up ===
     
    === Other services start-up ===
    [[File: STM32MP boot chain.png|thumb|upright=2|right|link=|STM32MP boot chain]]
    +
    [[File: STM32MP boot chain.png|right|link=|STM32MP boot chain]]
    In addition to <span style="color:#FFFFFF; background:{{STDarkBlue}};">&nbsp;Linux&nbsp;</span> startup, the boot chain can also handle the start-up of other services.
    +
    In addition to <span style="color:#FFFFFF; background:{{STDarkBlue}};">&nbsp;Linux&nbsp;</span> startup, the boot chain also installs the secure monitor and may support coprocessor firmware loading.
     
    <br /><br />
     
    <br /><br />
     
     
    For instance, for the STM32MP15, the boot chain starts:
     
    For instance, for the STM32MP15, the boot chain starts:
    * the <span style="color:#FFFFFF; background:{{STPink}};">&nbsp;secure monitor&nbsp;</span>, supported by the Arm<sup>&reg;</sup> Cortex<sup>&reg;</sup>-A secure context (TrustZone). Examples of use of a secure monitor are: user authentication, key storage, and tampering management.
    +
    * The <span style="color:#FFFFFF; background:{{STPink}};">&nbsp;secure monitor&nbsp;</span>, supported by the Arm<sup>&reg;</sup> Cortex<sup>&reg;</sup>-A secure context (TrustZone). Examples of use of a secure monitor are: user authentication, key storage, and tampering management.
    * the <span style="color:#FFFFFF; background:{{STLightBlue}};">&nbsp;coprocessor&nbsp;</span> firmware, running on the Arm Cortex-M core. This can be used to offload real-time or low-power services.
    +
    * The <span style="color:#FFFFFF; background:{{STLightBlue}};">&nbsp;coprocessor&nbsp;</span> firmware, running on the Arm Cortex-M core. This can be used to offload real-time or low-power services.
     
    <br />
     
    <br />
     
    The dotted lines in the diagram on the right mean that:
     
    The dotted lines in the diagram on the right mean that:
    * the <span style="color:#FFFFFF; background:{{STPink}};">&nbsp;secure monitor&nbsp;</span> can be started by the '''first stage boot loader (FSBL)''' or the '''second stage boot loader (SSBL)'''
    +
    * The <span style="color:#FFFFFF; background:{{STLightBlue}};">&nbsp;coprocessor&nbsp;</span> can be started by the '''second stage bootloader (SSBL)''', known as “'''early boot'''”, or '''Linux kernel''' (by default).
    * the <span style="color:#FFFFFF; background:{{STLightBlue}};">&nbsp;coprocessor&nbsp;</span> can be started by the '''second stage boot loader (SSBL)''', known as “'''early boot'''”, or '''Linux kernel'''
     
     
    <br clear=all>
     
    <br clear=all>
       
     
    == STM32MP boot sequence ==
     
    == STM32MP boot sequence ==
     
    === Diagram frames and legend ===
     
    === Diagram frames and legend ===
    [[File:Boot diagrams contexts.png|thumb|upright=2|right|link=|STM32MP hardware execution contexts]]
    +
    [[File:Boot diagrams contexts.png|right|link=|STM32MP hardware execution contexts]]
     
    The [[Getting_started_with_STM32_MPU_devices#Multiple-core_architecture_concepts|hardware execution contexts]] are shown with vertical frames in the boot diagrams:
     
    The [[Getting_started_with_STM32_MPU_devices#Multiple-core_architecture_concepts|hardware execution contexts]] are shown with vertical frames in the boot diagrams:
     
    * the <span style="color:#FFFFFF; background:{{STPink}};">&nbsp;Arm Cortex-A secure&nbsp;</span> context, in pink
     
    * the <span style="color:#FFFFFF; background:{{STPink}};">&nbsp;Arm Cortex-A secure&nbsp;</span> context, in pink
     
    * the <span style="color:#FFFFFF; background:{{STDarkBlue}};">&nbsp;Arm Cortex-A non-secure&nbsp;</span> context, in dark blue
     
    * the <span style="color:#FFFFFF; background:{{STDarkBlue}};">&nbsp;Arm Cortex-A non-secure&nbsp;</span> context, in dark blue
    * the <span style="color:#FFFFFF; background:{{STLightBlue}};">&nbsp;Arm Cortex-M&nbsp;</span> context, in light blue
    +
    * the <span style="color:#FFFFFF; background:{{STLightBlue}};">&nbsp;Arm Cortex-M&nbsp;</span> context, in light blue, for {{MicroprocessorDevice | device=15}} only
      +
     
     
    The horizontal frame in:
     
    The horizontal frame in:
     
    * the bottom part shows the '''boot chain'''
     
    * the bottom part shows the '''boot chain'''
     
    * the top part shows the '''runtime''' services, that are installed by the '''boot chain'''
     
    * the top part shows the '''runtime''' services, that are installed by the '''boot chain'''
     
    <br clear=all>
     
    <br clear=all>
    [[File:Boot chains legend.png|thumb|upright=2|right|link=|Boot chain diagrams legend]]
    +
    [[File:Boot chains legend.png|right|link=|Boot chain diagrams legend]]
    The legend on the right shows how information about the various components shown in the frames, and which are involved in the boot process, is highlighted:
    +
    The legend on the right illustrates how the information about the various components shown in the frames are involved in the boot process. These are highlighted as follows:
     
    * The box '''color''' shows the component source code origin
     
    * The box '''color''' shows the component source code origin
     
    * The '''arrows''' show the loading and calling actions between the components
     
    * The '''arrows''' show the loading and calling actions between the components
    Line 56: Line 60:
     
    <br clear=all>
     
    <br clear=all>
       
    === STM32MP boot chains ===
    +
    === STM32MP13 boot chain ===
     
    ==== Overview ====
     
    ==== Overview ====
    [[File: STM32MPU Embedded Software architecture overview.png|link=STM32MPU Embedded Software architecture overview|thumb|Zoom out to STM32MPU Embedded Software]]
    +
    STM32MP13 boot chain uses [[TF-A overview|Trusted Firmware-A (TF-A)]] as the FSBL in order to fulfill all the requirements for security-sensitive customers, and it uses [[U-Boot overview|U-Boot]] as the SSBL. Note that this boot chain can run on any STM32MP13 device [[STM32MP13_microprocessor#Part_number_codification|security]] variant (that is,  with or without the secure boot).<br>
    Two different boot chain flavors are supported on STM32MP processors with [[STM32MPU Embedded Software architecture overview|STM32MPU Embedded Software]]:
    +
    Refer to the [[Security overview|security overview]] for an introduction of the secure features available on STM32MP13, from the secure boot up to trusted applications execution.
    * The '''trusted boot chain''' uses [[TF-A overview|Trusted Firmware-A (TF-A)]] as the FSBL, so it should fulfill all the requirements for security-sensitive customers, and it uses [[U-Boot overview|U-Boot]] as the SSBL. Note that the authentication is optional with this boot chain, so it can run on any STM32MP device. [[STM32MP15_microprocessor#Part_number_codification|security]] variant (that is,  with or without the Secure boot). '''The trusted boot chain is the default solution delivered by STMicroelectronics''', with a complete feature set (for example, all Flash devices are supported).
    +
    [[File:STM32MP13 boot chain.png|center|link=|STM32MP13 boot chain]]
    * The '''basic boot chain''' is also available to generate both the FSBL (U-Boot SPL) and SSBL (U-Boot) from a unique piece of source code, [[U-Boot overview|U-Boot]].  It is only upstreamed with a [[#Boot_chains_features_set|limited number of features]], and the U-Boot community is able to extend this.
    +
     
    <br clear=all>
    +
    ==== ROM code ====
    {{Warning | The basic boot chain is not supported/promoted by STMicroelectronics to make products, it is only provided to support the DDR Tuning Tool and the U-Boot developments.}}
    +
    The [[STM32 MPU ROM code overview|ROM code]] starts the processor in secure mode. It supports the FSBL authentication and decryption.
      +
     
      +
    ==== First stage bootloader (FSBL) ====
      +
    The FSBL is executed from the [[SYSRAM_internal_memory|SYSRAM]].<br />
      +
    Among other things, this bootloader initializes (part of) the clock tree and the [[DDRCTRL and DDRPHYC internal peripherals|DDR controller]]. Finally, the FSBL loads the second-stage bootloader (SSBL) into the DDR external RAM and jumps to it.<br>
      +
    The bootloader stage 2, so called TF-A BL2, is the [[TF-A overview|Trusted Firmware-A (TF-A)]] binary used as FSBL on STM32MP13.<br>
      +
     
      +
    ==== Second stage bootloader (SSBL) ====
      +
    [[U-Boot overview|U-Boot]] is commonly used as a bootloader in embedded software and it is the one used on STM32MP13.
      +
     
      +
    ==== Linux ====
      +
    Linux<sup>&reg;</sup> OS is loaded in DDR by U-Boot and executed in the non-secure context.
       
    ==== STM32MP15 case ====
    +
    ==== Secure OS / Secure monitor ====
    ===== Overview =====
    +
    The Cortex-A7 secure world supports [[OP-TEE overview|OP-TEE]] secure OS.
    The diagrams below illustrate the two boot chain flavors availble on the STM32MP15: the '''trusted boot chain''' and the '''basic boot chain'''.
     
    [[File:Trusted boot chain.png|center|link=|frame|Trusted boot chain]]
     
    <br>
     
    [[File:Basic boot chain.png|center|link=|frame|Basic boot chain]]
     
    <br clear=all>
     
    Notes:
     
    * The second-stage boot loader (SSBL) can run in ARM Secure/Trustzone mode (basic boot chain) or Non-Secure mode (trusted boot chain).
     
    * The STM32MP coprocessor can be started at the SSBL level by the [[U-Boot overview|U-Boot early boot]] feature or, later, by the [[Linux remoteproc framework overview|Linux remoteproc framework]], depending on the application startup time-targets.
     
       
    ===== ROM code =====
    +
    === STM32MP15 boot chain ===
    The [[STM32MP15 ROM code overview|ROM code]] starts the processor in secure mode. It supports the FSBL authentication and offers authentication services to the FSBL.
    +
    ==== Overview ====
      +
    STM32MP15 boot chain uses [[TF-A overview|Trusted Firmware-A (TF-A)]] as the FSBL in order to fulfill all the requirements for security-sensitive customers, and it uses [[U-Boot overview|U-Boot]] as the SSBL. Note that the authentication is optional with this boot chain, so it can run on any STM32MP15 device [[STM32MP15_microprocessor#Part_number_codification|security]] variant (that is,  with or without the Secure boot).<br>
      +
    Refer to the [[Security overview|security overview]] for an introduction of the secure features available on STM32MP15, from the secure boot up to trusted applications execution.
      +
    [[File:Trusted boot chain.png|center|link=|STM32MP15 boot chain]]
      +
    Note:
      +
    * The STM32MP15 coprocessor can be started at the SSBL level by the [[U-Boot overview|U-Boot early boot]] feature or, later, by the [[Linux remoteproc framework overview|Linux remoteproc framework]], depending on the application startup time-targets.
       
    ===== First stage boot loader (FSBL) =====
    +
    ==== ROM code ====
      +
    The [[STM32 MPU ROM code overview|ROM code]] starts the processor in secure mode. It supports the FSBL authentication and offers authentication services to the FSBL.
      +
     
      +
    ==== First stage bootloader (FSBL) ====
     
    The FSBL is executed from the [[SYSRAM_internal_memory|SYSRAM]].<br />
     
    The FSBL is executed from the [[SYSRAM_internal_memory|SYSRAM]].<br />
    Among other things, this boot loader initializes (part of) the clock tree and the [[DDRCTRL and DDRPHYC internal peripherals|DDR controller]]. Finally, the FSBL loads the second-stage boot loader (SSBL) into the DDR external RAM and jumps to it.<br />
    +
    Among other things, this bootloader initializes (part of) the clock tree and the [[DDRCTRL and DDRPHYC internal peripherals|DDR controller]]. Finally, the FSBL loads the second-stage bootloader (SSBL) into the DDR external RAM and jumps to it.<br>
    The [[TF-A overview|Trusted Firmware-A (TF-A)]] and [[U-Boot overview|U-Boot]] secondary program loader (U-Boot SPL) are the two possible FSBLs on the STM32MP15, for the '''trusted boot chain''' and the '''basic boot chain''', respectively.
    +
    The bootloader stage 2, so called TF-A BL2, is the [[TF-A overview|Trusted Firmware-A (TF-A)]] binary used as FSBL on STM32MP15.<br>
       
    ===== Second stage boot loader (SSBL) =====
    +
    ==== Second stage bootloader (SSBL) ====
    The second-stage boot loader (SSBL) runs in a wide RAM so it can implement complex features (USB, Ethernet, display, and so on), that are very useful to make Linux kernel loading (from a Flash device, a network, and so on) more flexible, and user-friendly (by showing a splash screen to the user).<br />
    +
    [[U-Boot overview|U-Boot]] is commonly used as a bootloader in embedded software and it is the one used on STM32MP15.
    [[U-Boot overview|U-Boot]] is commonly used as a bootloader in embedded software.
     
       
    ===== Linux =====
    +
    ==== Linux ====
    Linux<sup>&reg;</sup> is OS is loaded in DDR by U-Boot and executed in the non-secure context.
    +
    Linux<sup>&reg;</sup> OS is loaded in DDR by U-Boot and executed in the non-secure context.
       
    ===== Secure OS / Secure Monitor =====
    +
    ==== Secure OS / Secure monitor ====
    The Cortex-A7 secure world can implement a minimal secure monitor (from [[TF-A_overview#BL32|TF-A]] or [[U-Boot overview|U-Boot]]) or a real secure OS, such as [[OP-TEE overview|OP-TEE]].
    +
    The Cortex-A7 secure world can implement a minimal secure monitor (from [[TF-A_overview#BL32|TF-A SP-MIN]] or [[U-Boot overview|U-Boot]]) or a real secure OS, such as [[OP-TEE overview|OP-TEE]].
       
    ===== Coprocessor firmware =====
    +
    ==== Coprocessor firmware ====
     
    The coprocessor [[STM32CubeMP1 architecture|STM32Cube]] firmware can be started at the SSBL level by [[U-Boot overview|U-Boot]] with the remoteproc feature (rproc command) or, later, by [[Linux remoteproc framework overview|Linux remoteproc framework]], depending on the application startup time-targets.
     
    The coprocessor [[STM32CubeMP1 architecture|STM32Cube]] firmware can be started at the SSBL level by [[U-Boot overview|U-Boot]] with the remoteproc feature (rproc command) or, later, by [[Linux remoteproc framework overview|Linux remoteproc framework]], depending on the application startup time-targets.
     
    ==== Boot chains features set ====
     
    As previously mentionned, the Basic boot chain has a limited features set versus the Trusted boot chain (which is the default solution delivered by STMicroelectronics). Here is the list of supported features for the Trusted and Basic boot chains:
     
     
    {|
     
    ! Features !! Trusted boot chain !! Basic boot chain
     
    |-
     
    ! Boot device support !! !!
     
    |-
     
    | eMMC || Supported || Supported
     
    |-
     
    | SDCard || Supported || Supported
     
    |-
     
    | NOR || Supported || Supported
     
    |-
     
    | NAND || Supported || Not supported
     
    |-
     
    | Flash programming via UART || Supported || Not supported
     
    |-
     
    | Flash programming via USB || Supported || Not supported
     
    |-
     
    ! Device control !! !!
     
    |-
     
    | DDR initialization || Supported || Supported
     
    |-
     
    | PMIC management || Supported || Supported
     
    |-
     
    | System shutdown || Supported || Not supported
     
    |-
     
    | SMP CPU boot and reset || Supported || supported
     
    |-
     
    | Low power management || Supported || Not supported
     
    |-
     
    ! Security features !! !!
     
    |-
     
    | Authentication ECDSA Based || Supported || Not supported
     
    |-
     
    | Secure boot TZEN=1 - SMC Firewalling || Supported || Not supported
     
    |-
     
    | Cortex-M4 isolation control || Supported || Not supported
     
    |-
     
    | Non secure boot - Unlimited access to RCC and PWR || Supported || Supported
     
    |-
     
    | HSI/CSI Calibration || Supported || Not supported
     
    |-
     
    | Security Tamper || Supported || Not supported
     
    |-
     
    | Security OTP || Supported || Not supported
     
    |-
     
    | Security IWDG1 || Supported || Not supported
     
    |-
     
    |}
     
       
     
    <noinclude>
     
    <noinclude>
     
    [[Category:Platform boot|0]]
     
    [[Category:Platform boot|0]]
    {{PublicationRequestId | 13223 |2019-09-11}}
    +
    {{PublicationRequestId |22726  | 2022-03-03| previous : 13223 - 2019-09-11}}
     
    </noinclude>
     
    </noinclude>