boot: Multi-image boot for direct-xip and ram-load

Multiple image boot support is implemented for direct-xip and ram-load
strategies. Dependency checking is also added, and for ram-load more
executable ram regions can be set.
Wrapper functions are intoduced to all boot strategies.

Change-Id: I59b346277dcb2c17cef4800f1e556b4ea9144845
Signed-off-by: Mark Horvath <mark.horvath@arm.com>
diff --git a/docs/design.md b/docs/design.md
index d498926..a296a8f 100644
--- a/docs/design.md
+++ b/docs/design.md
@@ -272,13 +272,22 @@
 #define IMAGE_EXECUTABLE_RAM_SIZE     <area_size_in_bytes>
 ```
 
+For multiple image load if multiple ram regions are used platform must define
+the `MULTIPLE_EXECUTABLE_RAM_REGIONS` flag instead and implement the following
+function:
+
+```c
+int boot_get_image_exec_ram_info(uint32_t image_id,
+                                 uint32_t *exec_ram_start,
+                                 uint32_t *exec_ram_size)
+```
+
 When ram-load is enabled, the `--load-addr <addr>` option of the `imgtool`
 script must also be used when signing the images. This option set the `RAM_LOAD`
 flag in the image header which indicates that the image should be loaded to the
 RAM and also set the load address in the image header.
 
-The ram-load mode currently supports only the single image boot and the image
-encryption feature is not supported.
+The ram-load mode currently does not support the image encryption feature.
 
 ## [Boot Swap Types](#boot-swap-types)
 
@@ -692,6 +701,41 @@
 + Boot into image in the primary slot of the 0th image position\
   (other image in the boot chain is started by another image).
 
+### [Multiple Image Boot for RAM loading and direct-xip](#multiple-image-boot-for-ram-loading-and-direct-xip)
+
+The operation of the boot loader is different when the ram-load or the
+direct-xip strategy is chosen. The flash map is very similar to the swap
+strategy but there is no need for Scratch area.
+
++  Loop 1. Until all images are loaded and all dependencies are satisfied
+    1. Subloop 1. Iterate over all images
+        + Does any of the slots contain an image?
+            + Yes:
+                + Choose the newer image.
+                + Copy it to RAM in case of ram-load strategy.
+                + Validate the image (integrity and security check).
+                + If validation fails delete the image from flash and try the other
+                  slot. (Image must be deleted from RAM too in case of ram-load
+                  strategy.)
+            + No: Return with failure.
+
+    2. Subloop 2. Iterate over all images
+        + Does the current image depend on other image(s)?
+            + Yes: Are all the image dependencies satisfied?
+                + Yes: Skip to next image.
+                + No:
+                    + Delete the image from RAM in case of ram-load strategy, but
+                      do not delete it from flash.
+                    + Try to load the image from the other slot.
+                    + Restart dependency check from the first image.
+            + No: Skip to next image.
+
++  Loop 2. Iterate over all images
+    + Increase the security counter if needed.
+    + Do the measured boot and the data sharing if needed.
+
++ Boot the loaded slot of image 0.
+
 ## [Image Swapping](#image-swapping)
 
 The boot loader swaps the contents of the two image slots for two reasons: