Starting March 27, 2025, we recommend using android-latest-release instead of aosp-main to build and contribute to AOSP. For more information, see Changes to AOSP.
Stay organized with collections
Save and categorize content based on your preferences.
Trusty is Google's implementation of a Trusted
Execution Environment (TEE) OS that runs alongside Android. This is the
specification for devices using Arm Trustzone technology to provide a TEE. If
your ARM devices use Trusty as the secure OS solution, implement the bootloader
as described in the following sections.
Initialize TOS
To load and initialize the Trusty OS (TOS), a bootloader should:
Set up and configure all available RAM.
Initialize at least one serial port.
Verify signature of TOS image.
Load TOS into RAM (execution from flash or TCM isn't supported).
Jump to the first instruction in the TOS image after setting up the state and
registers as described below.
Call in to the TOS image
Configure the following state at entry:
MMU turned off
Data cache flushed and turned off (instruction cache can be on or off)
All interrupts (IRQs and FIQs) disabled
CPU in SVC mode on ARMv7 and EL3 on ARMv8
Registers in the following state:
r0/x0: Size of memory allocated to TOS.
r1/x1: Physical address of a contiguous block of memory that contains
platform-specific boot parameters. The layout of this block is
platform-specific.
r2/x2: Size of the above block of memory.
r14/x30: Return address to jump to (in nonsecure mode) after TOS
initializes.
On a 64-bit platform:
Only w0-w2 are used for parameters, so x0-x2 should contain only 32-bit
values.
x30 can contain a 64-bit value.
The value in x0 when added to the base address of TOS entry-point should
result in a 32-bit value. The same applies to the size in register x2 when
added to the address of boot parameter block in x1.
Return from TOS
After TOS completes initialization, it returns to the bootloader in nonsecure
mode (SCR.NS set to 1) so that the bootloader can continue loading the primary
operating system (that is, Android).
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2025-08-29 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Missing the information I need","missingTheInformationINeed","thumb-down"],["Too complicated / too many steps","tooComplicatedTooManySteps","thumb-down"],["Out of date","outOfDate","thumb-down"],["Samples / code issue","samplesCodeIssue","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Trusty OS (TOS) partitions\n\n[Trusty](/docs/security/features/trusty) is Google's implementation of a Trusted\nExecution Environment (TEE) OS that runs alongside Android. This is the\nspecification for devices using Arm Trustzone technology to provide a TEE. If\nyour ARM devices use Trusty as the secure OS solution, implement the bootloader\nas described in the following sections.\n\nInitialize TOS\n--------------\n\nTo load and initialize the Trusty OS (TOS), a bootloader should:\n\n- Set up and configure all available RAM.\n- Initialize at least one serial port.\n- Verify signature of TOS image.\n- Load TOS into RAM (execution from flash or TCM isn't supported).\n- Jump to the first instruction in the TOS image after setting up the state and registers as described below.\n\nCall in to the TOS image\n------------------------\n\nConfigure the following state at entry:\n\n- MMU turned off\n- Data cache flushed and turned off (instruction cache can be on or off)\n- All interrupts (IRQs and FIQs) disabled\n- CPU in SVC mode on ARMv7 and EL3 on ARMv8\n- Registers in the following state:\n - `r0/x0`: Size of memory allocated to TOS.\n - `r1/x1`: Physical address of a contiguous block of memory that contains platform-specific boot parameters. The layout of this block is platform-specific.\n - `r2/x2`: Size of the above block of memory.\n - `r14/x30`: Return address to jump to (in nonsecure mode) after TOS initializes.\n\n| **Note:** `r0-r3/x0-x3` also serve as scratch registers to TOS. Don't expect their values to be preserved upon return.\n\nOn a 64-bit platform:\n\n- Only `w0-w2` are used for parameters, so `x0-x2` should contain only 32-bit values.\n- `x30` can contain a 64-bit value.\n- The value in `x0` when added to the base address of TOS entry-point should result in a 32-bit value. The same applies to the size in register x2 when added to the address of boot parameter block in `x1`.\n\nReturn from TOS\n---------------\n\nAfter TOS completes initialization, it returns to the bootloader in nonsecure\nmode (SCR.NS set to `1`) so that the bootloader can continue loading the primary\noperating system (that is, Android)."]]
