arm-trusted-firmware/docs/spm-user-guide.rst

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> </head>

ARM Trusted Firmware - SPM User Guide

This document briefly presents the Secure Partition Management (SPM) support in the Arm Trusted Firmware (TF), specifically focusing on how to build Arm TF with SPM support.

1.   Overview of the SPM software stack

SPM is supported on the Arm FVP exclusively at the moment.

It is not currently possible for BL31 to integrate SPM support and a Secure Payload Dispatcher (SPD) at the same time; they are mutually exclusive. In the SPM bootflow, a Secure Partition (SP) image executing at Secure-EL0 replaces the Secure Payload image executing at Secure-EL1 (e.g. a Trusted OS). Both are referred to as BL32.

A working prototype of a SP has been implemented by repurposing the EDK2 code and tools, leveraging the concept of the Standalone Management Mode (MM) in the UEFI specification (see the PI v1.6 Volume 4: Management Mode Core Interface). This will be referred to as the Standalone MM Secure Partition in the rest of this document.

2.   Building TF with SPM support

To enable SPM support in the TF, the source code must be compiled with the build flag ENABLE_SPM=1. On Arm platforms the build option ARM_BL31_IN_DRAM can be used to select the location of BL31; both SRAM and DRAM are supported.

2.1.   Using the Standalone MM SP

First, build the Standalone MM Secure Partition. To build it, refer to the instructions in the EDK2 repository.

Then build TF with SPM support and include the Standalone MM Secure Partition image in the FIP:

    BL32=path/to/standalone/mm/sp BL33=path/to/bl33.bin \
    make PLAT=fvp ENABLE_SPM=1 fip all
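
A pre-flight check for the build step above, as an added example that is not part of the TF documentation or source. It assumes TF's SPD build option (default "none") is how a dispatcher would be selected; the helper name spm_build_cmd is hypothetical, and it prints the make command instead of running it.

```shell
#!/bin/sh
# Added example: validate the inputs of the SPM build before invoking make.
# spm_build_cmd is a hypothetical helper, not part of TF.
#
# Inputs (shell/environment variables, named after the TF build options):
#   BL32              path to the Standalone MM Secure Partition image
#   BL33              path to the non-secure payload
#   SPD               Secure Payload Dispatcher selection (assumed default: none)
#   ARM_BL31_IN_DRAM  optional, 0 or 1
spm_build_cmd() {
    # SPM and an SPD cannot both be integrated into BL31.
    if [ "${SPD:-none}" != "none" ]; then
        echo "error: SPD=${SPD} is set; SPM and SPD are mutually exclusive" >&2
        return 2
    fi
    # Both images are packed into the FIP, so each must exist and be non-empty.
    for var in BL32 BL33; do
        eval "path=\${$var:-}"
        if [ -z "$path" ] || [ ! -s "$path" ]; then
            echo "error: $var image missing or empty: '$path'" >&2
            return 3
        fi
    done
    # BL31 placement is a boolean build option.
    case "${ARM_BL31_IN_DRAM:-}" in
        ""|0|1) ;;
        *) echo "error: ARM_BL31_IN_DRAM must be 0 or 1" >&2
           return 4 ;;
    esac
    # Emit the command line in the same form as the guide.
    printf 'BL32=%s BL33=%s make PLAT=fvp ENABLE_SPM=1' "$BL32" "$BL33"
    if [ -n "${ARM_BL31_IN_DRAM:-}" ]; then
        printf ' ARM_BL31_IN_DRAM=%s' "$ARM_BL31_IN_DRAM"
    fi
    printf ' fip all\n'
}
```
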

Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.

</html>