0001 * ARM Secure world bindings
0002
0003 ARM CPUs with TrustZone support have two distinct address spaces,
0004 "Normal" and "Secure". Most devicetree consumers (including the Linux
0005 kernel) are not TrustZone aware and run entirely in either the Normal
0006 world or the Secure world. However some devicetree consumers are
0007 TrustZone aware and need to be able to determine whether devices are
0008 visible only in the Secure address space, only in the Normal address
0009 space, or visible in both. (One example of that situation would be a
0010 virtual machine which boots Secure firmware and wants to tell the
0011 firmware about the layout of the machine via devicetree.)
0012
0013 The general principle of the naming scheme for Secure world bindings
0014 is that any property that needs a different value in the Secure world
0015 can be supported by prefixing the property name with "secure-". So for
0016 instance "secure-foo" would override "foo". For property names with
0017 a vendor prefix, the Secure variant of "vendor,foo" would be
0018 "vendor,secure-foo". If there is no "secure-" property then the Secure
0019 world value is the same as specified for the Normal world by the
0020 non-prefixed property. However, only the properties listed below may
0021 validly have "secure-" versions; this list will be enlarged on a
0022 case-by-case basis.
0023
0024 Defining the bindings in this way means that a device tree which has
0025 been annotated to indicate the presence of Secure-only devices can
0026 still be processed unmodified by existing Non-secure software (and in
0027 particular by the kernel).
0028
0029 Note that it is still valid for bindings intended for purely Secure
0030 world consumers (like kernels that run entirely in Secure) to simply
0031 describe the view of Secure world using the standard bindings. These
0032 secure- bindings only need to be used where both the Secure and Normal
0033 world views need to be described in a single device tree.
0034
0035 Valid Secure world properties
0036 -----------------------------
0037
0038 - secure-status : specifies whether the device is present and usable
0039 in the secure world. The combination of this with "status" allows
0040 the various possible combinations of device visibility to be
0041 specified. If "secure-status" is not specified it defaults to the
0042 same value as "status"; if "status" is not specified either then
0043 both default to "okay". This means the following combinations are
0044 possible:
0045
0046 /* Neither specified: default to visible in both S and NS */
0047 secure-status = "okay"; /* visible in both */
0048 status = "okay"; /* visible in both */
0049 status = "okay"; secure-status = "okay"; /* visible in both */
0050 secure-status = "disabled"; /* NS-only */
0051 status = "okay"; secure-status = "disabled"; /* NS-only */
0052 status = "disabled"; secure-status = "okay"; /* S-only */
0053 status = "disabled"; /* disabled in both */
0054 status = "disabled"; secure-status = "disabled"; /* disabled in both */
0055
0056 The secure-chosen node
0057 ----------------------
0058
0059 Similar to the /chosen node which serves as a place for passing data
0060 between firmware and the operating system, the /secure-chosen node may
0061 be used to pass data to the Secure OS. Only the properties defined
0062 below may appear in the /secure-chosen node.
0063
0064 - stdout-path : specifies the device to be used by the Secure OS for
0065 its console output. The syntax is the same as for /chosen/stdout-path.
0066 If the /secure-chosen node exists but the stdout-path property is not
0067 present, the Secure OS should not perform any console output. If
0068 /secure-chosen does not exist, the Secure OS should use the value of
0069 /chosen/stdout-path instead (that is, use the same device as the
0070 Normal world OS).
