Hi Marex,

> -----Original Message-----
> From: Marek Vasut <marek.va...@mailbox.org>
> Sent: 13 January 2025 12:40
> Subject: Re: [PATCH 2/3] image: Add support for starting TFA BL31 as fitImage
> loadables
>
> On 1/13/25 1:15 PM, Biju Das wrote:
> > Hi Marex,
> >
> > Thanks for the patch
> >
> >> -----Original Message-----
> >> From: U-Boot <u-boot-boun...@lists.denx.de> On Behalf Of Marek Vasut
> >> Sent: 12 January 2025 22:37
> >> Subject: [PATCH 2/3] image: Add support for starting TFA BL31 as
> >> fitImage loadables
> >>
> >> Add support for starting TFA from U-Boot running in EL3 as part of
> >> fitImage boot, so the user can start U-Boot in the highest privilege
> >> level on the platform, bundle TFA, Linux, DT into a single fitImage and
> >> boot such a bundle as a whole.
> >>
> >> There are two main benefits of this approach. First is the ability to
> >> run U-Boot in EL3, where it has unrestricted access to the entire
> >> system and can act as a useful debug tool, as it was always intended
> >> to be used. Second is the ability to easily and safely update of any
> >> component in the fitImage, be it TFA, Linux or DT.
> >
> > In this case, who will do switching from secure world to normal world,
> > u-boot?
> > Do you have any link to the u-boot patch from secure to normal world
> > switching with kernel entry point passed to BL31?
> >
> > Otherwise, kernel, also will be executing in secure world mode.
>
> See 3/3 , U-Boot runs in EL3 , before starting kernel it jumps into TFA
> BL31 , TFA BL31 does its setup and switches from EL3 to EL2 , TFA BL31
> returns to U-Boot armv8_switch_to_el2 which checks if this code is
> running in EL2 (it is) and does the last few steps before starting
> kernel, and then finally jumps to the kernel .

Thanks for the explanation. I missed the details in 3/3.

BL2(Secure)->U-boot(Secure)->BL31(Secure)-->U-boot(Normal)->Linux Kernel(Normal)

Cheers,
Biju