Trusty is Google's implementation of a Trusted Execution Environment (TEE) OS that runs alongside Android. This is the specification for devices using Arm Trustzone technology to provide a TEE. If your ARM devices use Trusty as the secure OS solution, implement the bootloader as described in the following sections.
Initializing TOS
To load and initialize the Trusty OS (TOS), a bootloader should:
- Set up and configure all available RAM.
- Initialize at least one serial port.
- Verify signature of TOS image.
- Load TOS into RAM (execution from flash or TCM isn't supported).
- Jump to the first instruction in the TOS image after setting up the state and registers as described below.
Calling into the TOS image
Configure the following state at entry:
- MMU turned off
- Data cache flushed and turned off (instruction cache can be on or off)
- All interrupts (IRQs and FIQs) disabled
- CPU in SVC mode on ARMv7 and EL3 on ARMv8
- Registers in the following state:
r0/x0
: Size of memory allocated to TOS.r1/x1
: Physical address of a contiguous block of memory that contains platform-specific boot parameters. The layout of this block is platform-specific.r2/x2
: Size of the above block of memory.r14/x30
: Return address to jump to (in nonsecure mode) after TOS initializes.
On a 64-bit platform:
- Only
w0-w2
are used for parameters, sox0-x2
should contain only 32-bit values. x30
can contain a 64-bit value.- The value in
x0
when added to the base address of TOS entry-point should result in a 32-bit value. The same applies to the size in register x2 when added to the address of boot parameter block inx1
.
Returning from TOS
After TOS completes initialization, it returns to the bootloader in nonsecure
mode (SCR.NS set to 1
) so that the bootloader can continue loading the primary
operating system (that is, Android).