[PATCH 02/12] arm-ffa: add FF-A bus runtime support
Harsimran Singh Tungal
harsimransingh.tungal at arm.com
Mon May 4 22:25:03 CEST 2026
On 2026-04-28 12:10 -0600, Simon Glass wrote:
> Hi Harsimran,
>
> On 2026-04-24T17:31:50, Harsimran Singh Tungal
> <harsimransingh.tungal at arm.com> wrote:
> > arm-ffa: add FF-A bus runtime support
> >
> > Enable FF-A runtime transport for EFI services
> >
> > This patch introduces the FF-A runtime infrastructure that enables
> > U-Boot to use the Arm Firmware Framework for Arm A-profile (FF-A)
> > transport layer after ExitBootServices().
> > The runtime transport provides persistent, runtime-safe
> > implementations of key FF-A functions used by EFI runtime services.
> >
> > Summary of key changes:
> > -----------------------
> > - Add drivers/firmware/arm-ffa/arm-ffa-runtime.c implementing FF-A
> > runtime operations.
> > - Introduce include/arm_ffa_runtime.h exporting FF-A runtime
> > functions and data structures.
> > - Move FF-A error mapping into runtime context.
> > - Introduce invoke_ffa_fn_runtime() as runtime safe SMC wrapper.
> > - Add runtime SMC wrapper for sandbox emulation.
> > - Add ARM_FFA_RT_MODE Kconfig to enable runtime support.
> > [...]
> >
> > drivers/firmware/arm-ffa/Kconfig | 11 ++
> > drivers/firmware/arm-ffa/Makefile | 4 +-
> > drivers/firmware/arm-ffa/arm-ffa-runtime.c | 287 +++++++++++++++++++++++++++++
> > drivers/firmware/arm-ffa/arm-ffa-uclass.c | 111 ++---------
> > drivers/firmware/arm-ffa/arm-ffa.c | 16 +-
> > drivers/firmware/arm-ffa/ffa-emul-uclass.c | 12 ++
> > include/arm_ffa.h | 16 +-
> > include/arm_ffa_priv.h | 24 ++-
> > include/arm_ffa_runtime.h | 183 ++++++++++++++++++
> > test/dm/ffa.c | 6 +-
> > 10 files changed, 551 insertions(+), 119 deletions(-)
>
> > diff --git a/drivers/firmware/arm-ffa/arm-ffa-runtime.c b/drivers/firmware/arm-ffa/arm-ffa-runtime.c
> > @@ -0,0 +1,287 @@
> > + if (priv)
> > + ffa_copy_runtime_priv(&priv->rt);
> > + else
> > + log_err("FF-A: Entering RT mode without FF-A runtime data information\n");
> > +
> > + ffa_enable_runtime_context();
>
> This enables the runtime context unconditionally, even after logging
> the priv data is missing. The runtime then comes up with id == 0 and
> fwk_version == 0 and any later FF-A call silently uses bogus values.
> Please return after the log_err() so ffa_get_status_runtime_context()
> keeps returning false on the failure path.
>
Thanks for pointing this out.
I will fix this in patchset v2.
Regards
Harsimran Singh Tungal
> > diff --git a/drivers/firmware/arm-ffa/arm-ffa-runtime.c b/drivers/firmware/arm-ffa/arm-ffa-runtime.c
> > @@ -0,0 +1,287 @@
> > +#include <arm_ffa_runtime.h>
> > +#include <arm_ffa_priv.h>
> > +#include <log.h>
> > +#include <asm/global_data.h>
> > +#include <linux/errno.h>
> > +#include <linux/types.h>
> > +
> > +DECLARE_GLOBAL_DATA_PTR;
>
> gd doesn't seem to be referenced in this file?
>
No. gd is not being referenced.
gd declaration will be removed in patchset v2.
Regards
Harsimran Singh Tungal
> > diff --git a/drivers/firmware/arm-ffa/arm-ffa-runtime.c b/drivers/firmware/arm-ffa/arm-ffa-runtime.c
> > @@ -0,0 +1,287 @@
> > + * after the FF-A bus device has successfully probed and U-Boot’s FF-A
>
> This (and the same line in arm_ffa_runtime.h) should use a normal '
> instead of the UTF-8 right single quotation mark.
>
Sure.
I will fix this in v2.
Regards
Harsimran Singh Tungal
> > diff --git a/drivers/firmware/arm-ffa/arm-ffa-runtime.c b/drivers/firmware/arm-ffa/arm-ffa-runtime.c
> > @@ -0,0 +1,287 @@
> > +#if CONFIG_IS_ENABLED(ARM_FFA_RT_MODE)
> > +static void EFIAPI ffa_rt_exit_boot_services_notify(struct efi_event *event,
> > + void *context)
>
> CONFIG_IS_ENABLED() is only meaningful for symbols with an SPL twin.
> ARM_FFA_RT_MODE has none, and the uclass side already uses
> IS_ENABLED(CONFIG_ARM_FFA_RT_MODE) - please use IS_ENABLED() here and
> in arm_ffa_runtime.h.
>
Sure. I will be making suggested change in patchset v2.
Regards
Harsimran Singh Tungal
> > diff --git a/drivers/firmware/arm-ffa/arm-ffa-runtime.c b/drivers/firmware/arm-ffa/arm-ffa-runtime.c
> > @@ -0,0 +1,287 @@
> > + if (is_smc64) {
> > + req_mode = FFA_SMC_64(FFA_MSG_SEND_DIRECT_REQ);
> > + } else {
> > + req_mode = FFA_SMC_32(FFA_MSG_SEND_DIRECT_REQ);
> > + }
>
> Single-statement bodies should not be braced. Please run patman or
> checkpatch.pl on your patches. Also, the two efi_memset_runtime()
> calls below clear fresh stack variables. Please initialise them at
> declaration ('ffa_value_t ffa_args_rt = {}') and drop the explicit
> memset()s; the compiler's zero-init is just as runtime-safe and is
> what the boot path already does.
>
> Also could you run checkpatch / patman over your patches for v2?
>
I will keep the brace cleanup in v2, but I can't keep the `= {}`
initialization for the two local `ffa_value_t` variables.
I tested that variant and it triggers a Linux boot-time runtime warning
for this EFI runtime path, because the generated code is no longer
runtime-safe and initializing the way you are suggesting is not allowing
to map those variable in runtime memory. So, I suggest to restore the
explicit efi_memset_runtime() calls for those fresh stack variables.
Regards
Harsimran Singh Tungal
> > diff --git a/drivers/firmware/arm-ffa/arm-ffa-uclass.c b/drivers/firmware/arm-ffa/arm-ffa-uclass.c
> > @@ -1047,6 +961,11 @@ static int ffa_do_probe(struct udevice *dev)
> > + if (IS_ENABLED(CONFIG_ARM_FFA_RT_MODE)) {
> > + ret = ffa_setup_efi_exit_boot_services_event(uc_priv);
> > + if (ret)
> > + return ret;
> > + }
>
> If event creation fails here, the RX/TX buffers mapped above and the
> partition cache are leaked, i,e. the existing failure path for
> ffa_cache_partitions_info() at least calls
> ffa_unmap_rxtx_buffers_hdlr(). Please follow the same pattern, or move
> event registration before resource allocation.
>
Thanks for noticing this. This will be fixed in v2.
I will move ffa_setup_efi_exit_boot_services_event() to immediately after
ffa_get_endpoint_id() in ffa_do_probe(), so event-creation failure
happens before the later FF-A resource allocation steps.
Regards
Harsimran Singh Tungal
> > diff --git a/drivers/firmware/arm-ffa/Kconfig b/drivers/firmware/arm-ffa/Kconfig
> > @@ -41,3 +44,11 @@ config ARM_FFA_TRANSPORT
> > +config ARM_FFA_RT_MODE
> > + bool "Enable FF-A runtime support"
> > + depends on ARM_FFA_TRANSPORT && EFI_LOADER
> > + default y
>
> Just to check, does every existing FF-A user want this on? 'default y'
> silently enables a new transport path (and the ExitBootServices
> callback) for everyone with ARM_FFA_TRANSPORT && EFI_LOADER. I'd
> suggest defaulting, or at minimum 'default y if CORSTONE1000' or
> similar, until other boards have opted in.
>
The intention is for this to be a generic FF-A + EFI capability, not a
Corstone1000-specific opt-in.
`ARM_FFA_TRANSPORT` already has multiple in-tree users, so I would
prefer not to tie `ARM_FFA_RT_MODE` to a single board. Under
`ARM_FFA_TRANSPORT && EFI_LOADER`, this just enables the FF-A runtime
path and registers the ExitBootServices callback; the runtime transport
is only used by EFI runtime clients.
So I would prefer to keep `default y`.
Regards
Harsimran Singh Tungal
> > diff --git a/include/arm_ffa_priv.h b/include/arm_ffa_priv.h
> > @@ -212,9 +227,8 @@ struct ffa_partitions {
> > - u32 fwk_version;
> > + struct ffa_priv_runtime rt;
> > struct udevice *emul;
> > - u16 id;
>
> Just to clarify the model: 'struct ffa_priv' now embeds 'struct
> ffa_priv_runtime rt' at boot, and at ExitBootServices we copy the
> whole sub-struct (including 'use_ffa_runtime', always false here) into
> the resident 'ffa_priv_rt', then immediately overwrite use_ffa_runtime
> via ffa_enable_runtime_context(). Layering would be clearer if
> 'use_ffa_runtime' lived only on the resident copy and ffa_priv_runtime
> carried just the data shipped across the boundary (fwk_version, id).
>
> Regards,
> Simon
Agreed.
For v2, I split the runtime-enabled state out of `struct ffa_priv_runtime`.
The copied sub-struct now carries only the boot-time FF-A data that needs
to cross the `ExitBootServices()` boundary (`fwk_version` and `id`), while
the resident runtime-ready flag lives separately in the runtime copy and
is only set by `ffa_enable_runtime_context()`.
This keeps the boundary data limited to what is actually transported into runtime.
This will be fixed in patchset v2.
Regards
Harsimran Singh Tungal
>
More information about the U-Boot
mailing list