boot: Multi-image boot for direct-xip and ram-load
Multiple image boot support is implemented for direct-xip and ram-load
strategies. Dependency checking is also added, and for ram-load more
executable ram regions can be set.
Wrapper functions are intoduced to all boot strategies.
Change-Id: I59b346277dcb2c17cef4800f1e556b4ea9144845
Signed-off-by: Mark Horvath <mark.horvath@arm.com>
diff --git a/docs/design.md b/docs/design.md
index d498926..a296a8f 100644
--- a/docs/design.md
+++ b/docs/design.md
@@ -272,13 +272,22 @@
#define IMAGE_EXECUTABLE_RAM_SIZE <area_size_in_bytes>
```
+For multiple image load if multiple ram regions are used platform must define
+the `MULTIPLE_EXECUTABLE_RAM_REGIONS` flag instead and implement the following
+function:
+
+```c
+int boot_get_image_exec_ram_info(uint32_t image_id,
+ uint32_t *exec_ram_start,
+ uint32_t *exec_ram_size)
+```
+
When ram-load is enabled, the `--load-addr <addr>` option of the `imgtool`
script must also be used when signing the images. This option set the `RAM_LOAD`
flag in the image header which indicates that the image should be loaded to the
RAM and also set the load address in the image header.
-The ram-load mode currently supports only the single image boot and the image
-encryption feature is not supported.
+The ram-load mode currently does not support the image encryption feature.
## [Boot Swap Types](#boot-swap-types)
@@ -692,6 +701,41 @@
+ Boot into image in the primary slot of the 0th image position\
(other image in the boot chain is started by another image).
+### [Multiple Image Boot for RAM loading and direct-xip](#multiple-image-boot-for-ram-loading-and-direct-xip)
+
+The operation of the boot loader is different when the ram-load or the
+direct-xip strategy is chosen. The flash map is very similar to the swap
+strategy but there is no need for Scratch area.
+
++ Loop 1. Until all images are loaded and all dependencies are satisfied
+ 1. Subloop 1. Iterate over all images
+ + Does any of the slots contain an image?
+ + Yes:
+ + Choose the newer image.
+ + Copy it to RAM in case of ram-load strategy.
+ + Validate the image (integrity and security check).
+ + If validation fails delete the image from flash and try the other
+ slot. (Image must be deleted from RAM too in case of ram-load
+ strategy.)
+ + No: Return with failure.
+
+ 2. Subloop 2. Iterate over all images
+ + Does the current image depend on other image(s)?
+ + Yes: Are all the image dependencies satisfied?
+ + Yes: Skip to next image.
+ + No:
+ + Delete the image from RAM in case of ram-load strategy, but
+ do not delete it from flash.
+ + Try to load the image from the other slot.
+ + Restart dependency check from the first image.
+ + No: Skip to next image.
+
++ Loop 2. Iterate over all images
+ + Increase the security counter if needed.
+ + Do the measured boot and the data sharing if needed.
+
++ Boot the loaded slot of image 0.
+
## [Image Swapping](#image-swapping)
The boot loader swaps the contents of the two image slots for two reasons: