21. Raspberry Pi 4

The Raspberry Pi 4 is an inexpensive single-board computer that contains four Arm Cortex-A72 cores. Also in contrast to previous Raspberry Pi versions this model has a GICv2 interrupt controller.

This port is a minimal port to support loading non-secure EL2 payloads such as a 64-bit Linux kernel. Other payloads such as U-Boot or EDK-II should work as well, but have not been tested at this point.

IMPORTANT NOTE: This port isn’t secure. All of the memory used is DRAM, which is available from both the Non-secure and Secure worlds. The SoC does not seem to feature a secure memory controller of any kind, so portions of DRAM can’t be protected properly from the Non-secure world.

21.1. Build Instructions

There are no real configuration options at this point, so there is only one universal binary (bl31.bin), which can be built with:

CROSS_COMPILE=aarch64-linux-gnu- make PLAT=rpi4 DEBUG=1

Copy the generated build/rpi4/debug/bl31.bin to the SD card, either renaming it to armstub8.bin or adding an entry starting with armstub=, then followed by the respective file name to config.txt. You should have AArch64 code in the file loaded as the “kernel”, as BL31 will drop into AArch64/EL2 to the respective load address. arm64 Linux kernels are known to work this way.

Other options that should be set in config.txt to properly boot 64-bit kernels are:

enable_uart=1
arm_64bit=1
enable_gic=1

The BL31 code will patch the provided device tree blob in memory to advertise PSCI support, also will add a reserved-memory node to the DT to tell the non-secure payload to not touch the resident TF-A code.

If you connect a serial cable between the Mini UART and your computer, and connect to it (for example, with screen /dev/ttyUSB0 115200) you should see some text from BL31, followed by the output of the EL2 payload. The command line provided is read from the cmdline.txt file on the SD card.

21.2. TF-A port design

In contrast to the existing Raspberry Pi 3 port this one here is a BL31-only port, also it deviates quite a lot from the RPi3 port in many other ways. There is not so much difference between the two models, so eventually those two could be (more) unified in the future.

As with the previous models, the GPU and its firmware are the first entity to run after the SoC gets its power. The on-chip Boot ROM loads the next stage (bootcode.bin) from flash (EEPROM), which is again GPU code. This part knows how to access the MMC controller and how to parse a FAT filesystem, so it will load further compononents and configuration files from the first FAT partition on the SD card.

To accommodate this existing way of configuring and setting up the board, we use as much of this workflow as possible. If bootcode.bin finds a file called armstub8.bin on the SD card or it gets pointed to such code by finding a armstub= key in config.txt, it will load this file to the beginning of DRAM (address 0) and execute it in AArch64 EL3. But before doing that, it will also load a “kernel” and the device tree into memory. The load addresses have a default, but can also be changed by setting them in config.txt. If the GPU firmware finds a magic value in the armstub image file, it will put those two load addresses in memory locations near the beginning of memory, where TF-A code picks them up.

To keep things simple, we will just use the kernel load address as the BL33 entry point, also put the DTB address in the x0 register, as requested by the arm64 Linux kernel boot protocol. This does not necessarily mean that the EL2 payload needs to be a Linux kernel, a bootloader or any other kernel would work as well, as long as it can cope with having the DT address in register x0. If the payload has other means of finding the device tree, it could ignore this address as well.