Overview
TrustZone supports dumping of the L0/L1 i-cache and d-cache starting from 8960 TZ1.3. Both 8960 1.0 and 1.5 have this feature.
Cache dumping can be requested by HLOS. Two different dumping styles are supported:
1. Watchdog bark: The HLOS request to dump caches is handled similarly to a watchdog bark. An SGI is sent to the other CPUs, CPU contexts are dumped, all CPUs dump their L0/L1 caches, and the device is reset.
2. Just L1 dump: The HLOS request to dump caches returns back to HLOS. Only the cache of the requesting CPU is dumped.
Cache dumping is also done in watchdog bark handling.
TrustZone no longer cleans the d-cache in the watchdog bark handler.
Structure of Dump Buffer
The dump structure is as follows:
typedef struct tzbsp_l1_dump_buf_s
{
  uint32 magic;       /**< Dump magic number, set to \c TZBSP_L1_DUMP_MAGIC. */
  uint32 version;     /**< Dump version number, set to \c TZBSP_L1_DUMP_VERSION. */
  /** If context was WDT bark, bit [0]=1, if L1 dump was requested by HLOS, bit
   * [1]=1 */
  uint32 flags;
  uint32 cpu_count;   /**< The number of CPUs in the system. */
  uint32 i_tag_size;  /**< Size of i-cache line tag in bytes. */
  /** Size of i-cache line in bytes. L0/L1 i-cache line size is double the
   * architectural size as both ICRDR0 and ICRDR1 are read for each i-cache
   * word. */
  uint32 i_line_size;
  uint32 i_num_sets;  /**< Number of i-cache sets. */
  uint32 i_num_ways;  /**< Number of ways in each i-cache set. */
  uint32 d_tag_size;  /**< Size of d-cache tag in bytes. */
  uint32 d_line_size; /**< Size of d-cache line in bytes. */
  uint32 d_num_sets;  /**< Number of d-cache sets. */
  uint32 d_num_ways;  /**< Number of ways in each d-cache set. */
  uint32 saw2_spm_ctl[TZBSP_CPU_COUNT]; /**< SAW2_SPM_CTL for each CPU. */
  uint32 spare[32 - TZBSP_CPU_COUNT];   /**< Spare fields for future use. */
  /**
   * L0/L1 dumps start from \c lines. Full CPU0 cache dump is the first, then
   * CPU1, and so forth. The layout of the cache dump for each CPU is as
   * follows:
   *  - L0 i-cache dump.
   *  - L1 i-cache dump.
   *  - L0 d-cache dump.
   *  - L1 d-cache dump.
   *
   * Both L0 i-cache and d-cache are 1/4th of the size of corresponding L1
   * caches.
   *
   * Formulas to calculate each dump size based on the fields in this
   * structure, the arithmetic is in bytes:
   *
   * The size of L0 i-cache dump per CPU:
   *   i0_dump_size = (i_tag_size + i_line_size) * i_num_sets
   *
   * The size of L1 i-cache dump per CPU:
   *   i1_dump_size = (i_tag_size + i_line_size) * i_num_sets * i_num_ways
   *
   * The size of L0 d-cache dump per CPU:
   *   d0_dump_size = (d_tag_size + d_line_size) * d_num_sets
   *
   * The size of d-cache dump per CPU:
   *   d1_dump_size = (d_tag_size + d_line_size) * d_num_sets * d_num_ways
   */
  uint8 lines[];
} tzbsp_l1_dump_buf_t;
Dump buffer version numbers start from 1. The following bits are defined for the flags field:
enum
{
  /** L1 dump was done in WDT bark context. */
  TZBSP_L1_DUMP_FLAGS_WDT_BIT = 0x01,
  /** L1 dump was done by HLOS/non-secure request. */
  TZBSP_L1_DUMP_FLAGS_NS_BIT = 0x02,
};
Flag bit TZBSP_L1_DUMP_FLAGS_WDT_BIT is set when cache dumping is done in watchdog bark context. Flag bit TZBSP_L1_DUMP_FLAGS_NS_BIT is set when HLOS requests cache dumping that results in a reset. Bit TZBSP_L1_DUMP_FLAGS_NS_BIT is not set when HLOS requests cache dumping that returns back to HLOS.
The dump magic number is as follows:
#define TZBSP_L1_DUMP_MAGIC 0x314C4151
The magic number as bytes reads ['Q', 'A', 'L', '1'], short for Qualcomm Apps Level 1.
Discovery of Dump Buffer in Memory Dump
TZ will write the address of the dump buffer to shared IMEM at this location:
#define TZBSP_IMEM_L1_BUFFER_ADDR (SHARED_IMEM_TZ_BASE + 4)
On 8960 the base address for TZ shared IMEM is as follows:
#define SHARED_IMEM_TZ_BASE 0x2a03f720
During cold boot TZ will write zero to the shared IMEM location. The dump buffer address is written to the shared IMEM location only if cache dumping is done. If the IMEM location contains zero in the memory dumps, then cache dumping didn't happen.
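The discovery step and the size formulas from the struct comment can be combined into a small RAM-dump helper. This is an added example, not code from the original page or from TZ; `read_phys`, `locate_l1_dump` and `make_sample_memory` are hypothetical names, the sample cache geometry is constructed, and the `cpu_count` bound assumes the field mirrors `TZBSP_CPU_COUNT`.

```python
import struct

TZBSP_L1_DUMP_MAGIC = 0x314C4151             # bytes 'Q','A','L','1' (little-endian)
TZBSP_IMEM_L1_BUFFER_ADDR = 0x2A03F720 + 4   # SHARED_IMEM_TZ_BASE + 4 on 8960
# 12 scalar words, then saw2_spm_ctl[] + spare[], which always total 32 words,
# so lines[] starts at the same offset whatever TZBSP_CPU_COUNT is.
HEADER_SIZE = (12 + 32) * 4
FIELDS = ("magic version flags cpu_count i_tag_size i_line_size i_num_sets "
          "i_num_ways d_tag_size d_line_size d_num_sets d_num_ways").split()

def locate_l1_dump(read_phys):
    """Return (header, regions), or None if no cache dump was taken.
    read_phys(addr, size) -> bytes is a hypothetical RAM-dump accessor."""
    (addr,) = struct.unpack("<I", read_phys(TZBSP_IMEM_L1_BUFFER_ADDR, 4))
    if addr == 0:                      # still the cold-boot zero: no dump
        return None
    hdr = dict(zip(FIELDS, struct.unpack("<12I", read_phys(addr, 48))))
    if hdr["magic"] != TZBSP_L1_DUMP_MAGIC:
        raise ValueError("bad magic 0x%08x at 0x%08x" % (hdr["magic"], addr))
    # Assumption: cpu_count mirrors TZBSP_CPU_COUNT, which spare[] caps at 32.
    if not 0 < hdr["cpu_count"] <= 32:
        raise ValueError("implausible cpu_count %d" % hdr["cpu_count"])
    hdr["wdt"] = bool(hdr["flags"] & 0x01)   # TZBSP_L1_DUMP_FLAGS_WDT_BIT
    hdr["ns"] = bool(hdr["flags"] & 0x02)    # TZBSP_L1_DUMP_FLAGS_NS_BIT
    # Per-CPU sizes in bytes, from the formulas in the struct comment.
    i_entry = hdr["i_tag_size"] + hdr["i_line_size"]
    d_entry = hdr["d_tag_size"] + hdr["d_line_size"]
    sizes = [("l0_icache", i_entry * hdr["i_num_sets"]),
             ("l1_icache", i_entry * hdr["i_num_sets"] * hdr["i_num_ways"]),
             ("l0_dcache", d_entry * hdr["d_num_sets"]),
             ("l1_dcache", d_entry * hdr["d_num_sets"] * hdr["d_num_ways"])]
    regions, cursor = [], addr + HEADER_SIZE
    for cpu in range(hdr["cpu_count"]):      # CPU0 first, then CPU1, ...
        for name, size in sizes:
            regions.append((cpu, name, cursor, size))
            cursor += size
    return hdr, regions

def make_sample_memory(buf_addr=0x80000000, flags=0x01):
    """Constructed sample: two CPUs with made-up cache geometry."""
    hdr = struct.pack("<12I", TZBSP_L1_DUMP_MAGIC, 1, flags, 2,
                      4, 64, 8, 4, 4, 32, 8, 4)
    mem = {TZBSP_IMEM_L1_BUFFER_ADDR: struct.pack("<I", buf_addr), buf_addr: hdr}
    return lambda addr, size: mem[addr][:size]

if __name__ == "__main__":
    for cpu, name, start, size in locate_l1_dump(make_sample_memory())[1]:
        print("cpu%d %-9s 0x%08x %5d bytes" % (cpu, name, start, size))
```

Each region tuple is (cpu, cache name, physical start address, size in bytes), so the tag and line data for a given CPU can be sliced straight out of the memory dump.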