ARM Trusted Firmware Boot Failure on QEMU Cortex-A57: Missing Firmware Headers and Image Loading Errors

ARM Trusted Firmware Boot Process and Cortex-A57 Workarounds

The issue revolves around the failure to boot ARM Trusted Firmware (ATF) on a QEMU virtual machine emulating a Cortex-A57 processor. The user is attempting to run bare-metal firmware at Exception Level 2 (EL2) using ATF to manage multi-core bootstrapping via the Power State Coordination Interface (PSCI). The boot process begins at EL3, where the primary core executes the BL1 (Boot Loader Stage 1) component of ATF. BL1 is responsible for initializing the platform, loading BL2 (Boot Loader Stage 2), and transitioning execution to BL2. However, the boot process fails during the loading of BL2 and subsequent firmware images, with errors indicating missing firmware headers and invalid image sizes.

The Cortex-A57 processor has several known errata, and ATF applies specific workarounds during the boot process. The log output shows that some workarounds are successfully applied (e.g., for CVE-2017-5715 and disable_ldnp_overread), while others are missing (e.g., for errata 813419, 826974, 826977, 828024, 829520, 833471, and 859972). These missing workarounds are not directly causing the boot failure but indicate that the firmware is not fully optimized for the Cortex-A57. The primary issue lies in the firmware image loading process, where the Firmware Image Package (FIP) header checks fail, and the size of the image cannot be determined.

Missing Firmware Headers and Invalid Image Sizes

The root cause of the boot failure is the absence of required headers in the firmware images and the inability of the bootloader to determine the size of the images. ATF expects firmware images to be packaged in a specific format, with headers that provide metadata such as the image type, load address, and size. The log output shows multiple warnings about failed FIP header checks, indicating that the images being loaded do not conform to the expected format. Additionally, the error message "Failed to determine the size of the image id=5 (-2)" suggests that the bootloader cannot parse the image metadata, leading to a failure in loading the image.

The FIP format is critical for ATF to manage multiple firmware components, including BL2, BL31 (EL3 runtime firmware), and BL33 (non-secure payload, such as a Linux kernel or bare-metal application). Each image must have a valid header that specifies its properties. Without these headers, the bootloader cannot correctly identify, validate, or load the images, resulting in the observed errors.

Implementing Firmware Headers and Validating Image Formats

To resolve the boot failure, the firmware images must be properly formatted with the required headers. The following steps outline the process for creating and validating FIP-compliant images:

1. Generate Firmware Images with Valid Headers: Use the fiptool utility provided by ATF to create FIP-compliant images. The fiptool utility packages individual firmware components into a single FIP binary, adding the necessary headers and metadata. For example, to create a FIP binary containing BL2, BL31, and BL33, use the following command:

   fiptool create --tb-fw bl2.bin --soc-fw bl31.bin --nt-fw bl33.bin fip.bin
   

   This command generates a fip.bin file that includes the specified firmware images with the appropriate headers.

2. Verify Image Metadata: Before loading the images, ensure that the metadata in the FIP headers is correct. The fiptool utility can also be used to inspect the contents of a FIP binary:

   fiptool info fip.bin
   

   This command displays the properties of each image in the FIP binary, including the type, load address, and size. Verify that these properties match the expected values for your platform.

3. Update QEMU Command Line: Modify the QEMU command line to load the FIP binary instead of individual firmware images. Replace the -kernel and -bios options with a single -bios option pointing to the FIP binary:

   qemu-system-aarch64 -nographic -machine virt,secure=on -cpu cortex-a57 -bios fip.bin -append console=ttyAMA0,38400 -smp 2 -m 1024 -d unimp -semihosting-config enable,target=native
   

   This ensures that QEMU loads the FIP binary, which contains all the necessary firmware components with valid headers.

4. Debugging and Logging: Enable additional logging and debugging options in ATF to gather more information about the boot process. Set the LOG_LEVEL build option to a higher value (e.g., LOG_LEVEL=50) to enable verbose logging:

   make PLAT=qemu DEBUG=1 LOG_LEVEL=50
   

   This provides detailed output that can help identify any remaining issues with the firmware images or boot process.

5. Apply Cortex-A57 Workarounds: Although the missing workarounds for Cortex-A57 errata are not directly causing the boot failure, it is good practice to ensure that all known errata are addressed. Review the ATF source code and build configuration to confirm that the necessary workarounds are enabled. For example, the ENABLE_CPU_WORKAROUNDS build option should be set to 1 to apply all available CPU workarounds.

By following these steps, the firmware images will be correctly formatted with the required headers, allowing ATF to successfully load and execute them. This resolves the boot failure and enables the Cortex-A57 to run bare-metal firmware at EL2 with multi-core support via PSCI.

Summary of Key Actions and Expected Outcomes

This comprehensive approach ensures that the firmware images are correctly formatted, validated, and loaded, enabling a successful boot process on the Cortex-A57 with ARM Trusted Firmware.