Trusty is Google's implementation of a Trusted Execution Environment (TEE) OS that runs alongside Android. This is the specification for devices using Arm Trustzone technology to provide a TEE. If your ARM devices use Trusty as the secure OS solution, implement the bootloader as described in the following sections.
To load and initialize the Trusty OS (TOS), a bootloader should:
- Set up and configure all available RAM.
- Initialize at least one serial port.
- Verify signature of TOS image.
- Load TOS into RAM (execution from flash or TCM isn't supported).
- Jump to the first instruction in the TOS image after setting up the state and registers as described below.
Calling into the TOS image
Configure the following state at entry:
- MMU turned off
- Data cache flushed and turned off (instruction cache can be on or off)
- All interrupts (IRQs and FIQs) disabled
- CPU in SVC mode on ARMv7 and EL3 on ARMv8
- Registers in the following state:
r0/x0: Size of memory allocated to TOS.
r1/x1: Physical address of a contiguous block of memory that contains platform-specific boot parameters. The layout of this block is platform-specific.
r2/x2: Size of the above block of memory.
r14/x30: Return address to jump to (in nonsecure mode) after TOS initializes.
On a 64-bit platform:
w0-w2are used for parameters, so
x0-x2should contain only 32-bit values.
x30can contain a 64-bit value.
- The value in
x0when added to the base address of TOS entry-point should result in a 32-bit value. The same applies to the size in register x2 when added to the address of boot parameter block in
Returning from TOS
After TOS completes initialization, it returns to the bootloader in nonsecure
mode (SCR.NS set to
1) so that the bootloader can continue loading the primary
operating system (that is, Android).