Trusty OS (TOS) Partitions

Trusty is Google's implementation of a Trusted Execution Environment (TEE) OS that runs alongside Android. This is the specification for devices using Arm Trustzone technology to provide a TEE. If your ARM devices use Trusty as the secure OS solution, implement the bootloader as described in the following sections.

Initializing TOS

To load and initialize the Trusty OS (TOS), a bootloader should:

  • Set up and configure all available RAM.
  • Initialize at least one serial port.
  • Verify signature of TOS image.
  • Load TOS into RAM (execution from flash or TCM isn't supported).
  • Jump to the first instruction in the TOS image after setting up the state and registers as described below.

Calling into the TOS image

Configure the following state at entry:

  • MMU turned off
  • Data cache flushed and turned off (instruction cache can be on or off)
  • All interrupts (IRQs and FIQs) disabled
  • CPU in SVC mode on ARMv7 and EL3 on ARMv8
  • Registers in the following state:
    • r0/x0: Size of memory allocated to TOS.
    • r1/x1: Physical address of a contiguous block of memory that contains platform-specific boot parameters. The layout of this block is platform-specific.
    • r2/x2: Size of the above block of memory.
    • r14/x30: Return address to jump to (in nonsecure mode) after TOS initializes.

On a 64-bit platform:

  • Only w0-w2 are used for parameters, so x0-x2 should contain only 32-bit values.
  • x30 can contain a 64-bit value.
  • The value in x0 when added to the base address of TOS entry-point should result in a 32-bit value. The same applies to the size in register x2 when added to the address of boot parameter block in x1.

Returning from TOS

After TOS completes initialization, it returns to the bootloader in nonsecure mode (SCR.NS set to 1) so that the bootloader can continue loading the primary operating system (that is, Android).