TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / trusted-firmware-m / f7990c83a81b16b86f3f24535e5bfb8993c25d9a / . / docs / design_documents / tfm_its_512_flash.rst
blob: aa58c2b036aab3f548eaeb7b84d452a02409468a [file] [log] [blame]
Galanakis, Minosdc6694b2020-01-06 13:54:56 +0000[diff] [blame]1###############################################################
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]2Add support for block-aligned flash in Internal Trusted Storage
Galanakis, Minosdc6694b2020-01-06 13:54:56 +0000[diff] [blame]3###############################################################
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]4
5:Author: Minos Galanakis
6:Organization: Arm Limited
7:Contact: Minos Galanakis <minos.galanakis@arm.com>
8:Status: Accepted
9
10Abstract
11========
12
13The proposal is describing a mechanism to enable the use of larger flash
14devices, imposing a requirement for word-aligned full-block program operations,
Edison Aif7990c82020-07-16 18:31:48 +0800[diff] [blame^]15in Trusted Firmware-M.
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]16
17
18Requirements
19============
20
21- Allow page-aligned writes for up to 512 Bytes per page.
22- Guarantee data integrity and power-failure reliability.
23- Do not alter existing supported platform behaviour.
24
25Current implementation
26======================
27
28In the current ITS filesystem design, each filesystem create or write operation
29requires two flash blocks to be updated: first the data block and then the
30metadata block. Buffering is avoided as much as possible to reduce
31RAM requirements.
32
33However, if the ITS_FLASH_PROGRAM_UNIT is 512 Bytes then the data will have to
34stored in a temporary memory location in order to be able to write
35that much data in one-shot.
36
37Proposed implementation overview
38================================
39
401. A new block-sized static buffer should be added to its_flash.c when
Galanakis, Minosdc6694b2020-01-06 13:54:56 +0000[diff] [blame]41 ``ITS_FLASH_PROGRAM_UNIT`` is larger than currently supported.
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]422. Methods calling the flash API such as ``its_flash_write()`` or
Galanakis, Minosdc6694b2020-01-06 13:54:56 +0000[diff] [blame]43 ``its_flash_block_to_block_move()`` will populate the buffer instead of
44 directly programming the flash.
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]453. A new method ``its_flash_flush()``, should be provided in order to flush
Galanakis, Minosdc6694b2020-01-06 13:54:56 +0000[diff] [blame]46 the block buffer to the device.
474. ``its_flash_flush()`` should be called twice: Once after a data block
48 update and once more after the metadata block update is completed.
495. The proposed design should require that the data block update is always
50 completed before the metadata block update starts
516. Writes to the block buffer should be atomic, and guarded against corruption
52 by data from different blocks.
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]53
54Considerations
55==============
56
57- The proposed implementation will increase the RAM usage of ITS by the size
Galanakis, Minosdc6694b2020-01-06 13:54:56 +0000[diff] [blame]58 of a block, only for platforms which require block-aligned writes.
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]59- Currently power-failure is detected by software by incrementing an 8-bit
Galanakis, Minosdc6694b2020-01-06 13:54:56 +0000[diff] [blame]60 metadata header field (``swap_count``), as the last written byte. When the
61 proposed block-buffer is used, the block is programmed in one-shot and the
62 order the bytes are written on the physical device, is hardware dependent.
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]63- A set of guarantees are required by the supported flash ECC devices.
Galanakis, Minosdc6694b2020-01-06 13:54:56 +0000[diff] [blame]64 The device's flash APIs should provide a mechanism to capture and raise
65 incomplete program operations, as well as write bytes in a sequential order.
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]66
67For example, if a board powers down through a 512 page program operation, the
68next read operation should return an error rather than read invalid data.
69
70Functional flow diagram
71=======================
72
73The logic of the proposal is described in the following diagram
74
Galanakis, Minosdc6694b2020-01-06 13:54:56 +0000[diff] [blame]75.. code-block::
76
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]77 |----------------------|
78 | data write() |
79 |----------------------|
80 | | |------------------------------|
81 |-> | its_flash_write | ---> | data[] -> its_block_buffer[] |
82 | | | |------------------------------|
83 | |----------------------|
84 | | | |------------------------------------|
85 | | its_flash_flush | ---> | its_block_buffer[] -> flash dev IO |
86 | | | |------------------------------------|
87 | |----------------------|
88 | |
89 | ------------------------------------
90 | |
91 | V
92 | |----------------------| |--------------------------|
93 | | data write() complete| | metadata write() complete|
94 | |----------------------| |--------------------------|
95 | <-| Metadata write() | |
96 |----------------------| |
97 V
98 |--------------------------|
99 | Operation Complete |
100 |--------------------------|
101
Galanakis, Minosf7657902019-10-25 16:47:23 +0100[diff] [blame]102--------------
103
Galanakis, Minosdc6694b2020-01-06 13:54:56 +0000[diff] [blame]104*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*