The Role of Open Source Firmware in RISC-V

Atish Patra Alistair Francis Anup Patel

OSFC – 3rd of September 2019

•Introduction to RISC-V •Industry standard Open source bootloaders •Current RISC-V boot flow •OpenSBI Project •Upstream Status •Future work •Demo

•U-Boot – Lukas Auler – Bin Meng – Anup Patel •Coreboot – Ron Minnich – Patrick Rudolph – Shawn Chang •EDK2 – Abner Chang • And others

•Pronounced as risk-five •An open RISC Instruction Set Architecture (ISA) •The base ISA is incredibly small – The ISA can be extended • Integer (I) and Embedded (E) are part of the base ISA • Multiply/Divide (M), Atomic (A), Single Floating Point (F), Double Floating Point (D), Quad Floating Point (Q) and Compressed Instructions (C) are frozen already • Virtualisation (H), Vector (V), Bit Manipulation (B) are examples of draft extensions • The General Extension (G) is shorthand for M, A, F and D – Aimed at everything from small embedded systems to high end HPC •Multiple CPU implementations already available •SiFive, BOOM, Rocket64, Andes, QEMU, etc •Currently heavily backed by SiFive, Microsemi, NVIDIA, Western Digital and others © 2019 Western Digital Corporation or its affiliates. All rights reserved. 8/30/19 4 Why RISC-V?

•An open source ISA allows anyone to use and modify the ISA without any licensing cost – This is different to commercial companies which ship black boxes with strict NDAs •Customization for specific applications •Security audits to verify security in critical applications •Lower cost users (such as small companies or hobbyists) to use the ISA •Community driven development approach allows input from anybody – The RISC-V foundation still decides on the final specifications

• Runs from DDR Proprietary • Typically open-source • DDR initialization • Filesystem support Open • Loads RUNTIME and • Network booting Source BOOTLOADER • Boot configuration • Examples: • Examples: • BIOS/UEFI • U-Boot Loads • U-Boot SPL • GRUB • Coreboot ROM stage • LinuxBoot Jumps

ROM LOADER RUNTIME BOOTLOADER OS

• Runs from On-Chip • Runs from On-Chip SRAM or ROM DDR • Uses On-Chip SRAM • SOC security setup • SOC power-up and • Runtime services as-per clock setup specifications • Examples: • ATF • BIOS/UEFI © 2019 Western Digital Corporation or its affiliates. All rights reserved. 8/30/19 6 RISC-V Upstream Boot Flow

Follows commonly used multiple boot stages model Proprietary

Open Loads Source RISC-V Jumps specific

ZSBL FSBL OpenSBI U-Boot Linux (M-mode) (M-mode) (M-mode) (S-mode) (S-mode) (ROM) (LOADER) (RUNTIME) (BOOTLOADER) (OS)

• Follows a standard boot flow

• Uses U-Boot as the last stage boot loader

• U-Boot binary as the payload to OpenSBI

• FSBL is SiFive specific and will be replaced by Coreboot/U-Boot SPL

• OpenSBI is a RISC-V specific runtime service provider

•SBI is the RISC-V Supervisor Binary Interface – System call style calling convention between Supervisor (S-mode OS) and Supervisor Execution Environment (SEE) •SEE can be: App1 App2 – A M-mode RUNTIME firmware for OS/Hypervisor running in HS-mode ABI ABI – A HS-mode Hypervisor for Guest OS running in VS-mode OS (S-Mode) SBI •SBI calls help: SEE (M-Mode) – Reduce duplicate platform code across OSes (Linux, FreeBSD, etc) – Provide common drivers for an OS which can be shared by multiple platforms – Provide an interface for direct access to hardware resources (M-mode only resources) •Specifications being drafted by the Unix Platform Specification Working group – Maintain and evolve the SBI specifications – Currently, SBI v0.1 in-use and SBI v0.2 in draft stage

•OpenSBI is an open-source implementation of the RISC-V Supervisor Binary Interface (SBI) specifications – Licensed under the terms of the BSD-2 clause license – Helps to avoid SBI implementation fragmentation – Maintained by the community •Aimed at providing RUNTIME services in M-mode – Typically used in boot stage following ROM/LOADER •Provides support for reference platforms – Generic simple drivers included for M-mode to operate ▪ PLIC, CLINT, UART 8250 – Other platforms can reuse the common code and add needed drivers

•Layered structure to accommodate various use cases – Generic SBI library with platform abstraction • Typically used with external firmware and bootloader OpenSBI Layers – EDK2 (UEFI implementation), Secure boot working group – Platform specific library Platform Specific Reference Firmware • Similar to core library but including platform specific drivers – Platform specific reference firmware Platform Specific • Three different types of RUNTIME firmware Library

•Wide range of hardware features supported SBI Library – RV32 and RV64 – Misaligned load/store handling – Missing CSR emulation – Protects firmware using PMP support

•OpenSBI provides several types of reference firmware, all platform-specific – FW_PAYLOAD • Firmware with the next booting stage as a payload • Default firmware being used in Linux capable RISC-V hardware – FW_JUMP • Firmware with static jump address to the next booting stage • Default method for QEMU – FW_DYNAMIC • Firmware with dynamic information on the next booting stage • U-Boot SPL is using FW_DYNAMIC •SOC Vendors may choose: – Use one of OpenSBI reference firmwares as their M-mode RUNTIME firmware – Build M-mode RUNTIME firmware from scratch with OpenSBI as library – Extend existing M-mode firmwares (U-Boot_M_mode/EDK2) with OpenSBI as library

•SiFive HiFive Unleashed •Andes AE350 •Ariane FPGA SOC •Kendryte K210 •QEMU virt machines (32-bit/64-bit)

•OpenSBI •Grub – Actively developed and maintained – RISC-V support available upstream – Version 0.4 released •Linux Kernel – Default in Buildroot, Yocto/OpenEmbedded and – Upstream kernel boots in QEMU the QEMU “BIOS” – 5.3 kernel works with OpenSBI+U-Boot – Fedora/Debian provides images available with OpenSBI binary on HiFive Unleashed •U-Boot – U-Boot-2019.07 release has HiFive Unleashed S-mode support with SMP – Boot via network supported – MMC boot support coming in 2019.10 – EFI support for RISC-V available

•OpenSBI firmware with dynamic information about the next booting stage •Coreboot support available on both hardware & QEMU

•U-Boot SPL Only available for QEMU for now •HiFive Unleashed U-Boot SPL support not available yet Proprietary Open Loads Source Passed via ‘a2’ register RISC-V Jumps specific

ZSBL U-Boot SPL struct OpenSBI U-Boot Linux (M-mode) Coreboot fw_dynamic_info (M-mode) (S-mode) (S-mode) (ROM) (M-mode) (RUNTIME) (BOOTLOADER) (OS)

•Work in progress •Open Source EDK2 (UEFI implementation) OpenSBI integration – HPE leading this effort – Available in EDK2 mailing list for U540 on Xilinx VC707 FPGA – OpenSBI built with EDK2 build environment •OpenSBI used as library in Pre-EFI Initialization (PEI) Phase •Driver eXecution Environment (DXE) Phase in S-mode will use OpenSBI function wrappers to make ecalls (Not done yet)

© 2019 Western Digital Corporation or its affiliates. All rights reserved. 8/30/19 15 Future boot support Toward a stable and easy to use boot ecosystem •EFI stub support in Linux kernel for full UEFI support – Enterprise class boot environment •U-Boot SPL support for hardware •Booting from SDCARD in coreboot possible ? •EDK2 project upstreaming •LinuxBoot ? •Other bootloaders ?

•SBI specifications – SBI v0.2 specification – Power management extension in SBI •OpenSBI – SBI v0.2 support – Sequential cpu boot via CPU hotplug – Support other M-mode boot loader such as Coreboot/U-Boot SPL – Hypervisor support – More platforms support • Need hardware !

•OSTree can be thought of as git for operating system updates •It is used to mange Linux system operating system updates •Unlike git OSTree “checks out” files using hardlinks, so the rootFS is immutable to prevent corruption •OSTree started with Gnome Continuous (high performance continuous delivery/testing system for GNOME) •OSTree is used in meta-updater (an OE layer) and Fedora SilverBlue •Flatpak uses libostree

•Q&A ?

© 2019 Western Digital Corporation or its affiliates. All rights reserved. 8/30/19 21 © 2019 Western Digital Corporation or its affiliates. All rights reserved. 8/30/19 Constraints on using OpenSBI Library

•Same GCC target options (i.e. -march, -mabi, and -mcmodel) need to be used for the external firmware and OpenSBI sources •External firmware must create per-HART non-overlapping: 1. Program Stack 2. OpenSBI scratch space (i.e. struct sbi_scratch instance with extra space above) •Two constraints in calling any OpenSBI functions from external firmware: 1. MSCRATCH CSR of calling HART must be set to its own OpenSBI scratch space 2. SP register (i.e. the stack pointer) of calling HART must be set to its own stack •External firmware must also ensure that: – Interrupts are disabled in the MSTATUS and MIE CSRs when calling sbi_init() – sbi_init() is called for each HART that is powered-up at boot-time or in response to a CPU hotplug event – sbi_trap_handler() is called for M-mode interrupts and M-mode traps

•OpenSBI – https://github.com/riscv/opensbi •SBI – https://github.com/riscv/riscv-sbi-doc •EDK2 – https://edk2.groups.io/g/devel/message/46479?p=,,,20,0,0,0::Created,,riscv,20,2,0,33047245

•OpenSBI used as library

•Open Source EDK2 (UEFI implementation) OpenSBI integration Open Source – HPE leading this effort RISC-V – Available in EDK2 staging area for U540 on Xilinx VC707 FPGA specific – OpenSBI built with EDK2 build environment Loads Jumps Passed via ‘a2’ registerEDK2 BDS phase PEI phase DXE phase (M-Mode) ZSBL FSBL (M-Mode) (M-Mode) Bootloader Linux SEC (M-mode) (M-mode) (Grub/U-Bo (S-Mode) (ROM) (ROM) phase ot) OS OpenSBI library (M-Mode) EDK2 OpenSBI DXE Driver (S-Mode)

Loads Jumps FW_PAYLOAD

ROM LOADER RUNTIME BOOTLOADER OS (M-mode) (M-mode) (M-mode) (S-mode) (S-mode) (ZSBL) (FSBL) (OpenSBI) (U-Boot) (Linux)

•OpenSBI firmware with the next booting stage as a payload – Any S-mode BOOTLOADER/OS image as the payload to OpenSBI FW_PAYLOAD – Allows overriding device tree blob (i.e. DTB) – Very similar to BBL hence fits nicely in existing boot-flow of SiFive Unleashed board

•Down-side: – We have to re-create FW_PAYLOAD image whenever OpenSBI or the BOOTLOADER (U-Boot) changes – No mechanism to pass parameters from previous booting stage (i.e. LOADER) to FW_PAYLOAD

Loads Jumps

ROM LOADER RUNTIME BOOTLOADER OS (M-mode) (M-mode) (M-mode) (S-mode) (S-mode) (ZSBL) (U-Boot_SPL/Coreboot/QEMU) (FW_JUMP) (U-Boot) (Linux)

•OpenSBI firmware with a fixed jump address to the next booting stage – Next stage booting stage (i.e. BOOTLADER) and FW_JUMP are loaded by the previous booting stage (i.e. LOADER) – Very useful for QEMU because we can use pre-compiled FW_JUMP

•Down-side: – Previous booting stage (i.e. LOADER) has to load next booting stage (i.e. BOOTLADER) at a fixed location – No mechanism to pass parameters from pervious booting stage (i.e. LOADER) to FW_JUMP

Loads Jumps Passed via ‘a2’ register

ROM LOADER struct RUNTIME BOOTLOADER OS (M-mode) (M-mode) fw_dynamic_info (M-mode) (S-mode) (S-mode) (ZSBL) (U-Boot_SPL/Coreboot/QEMU) (FW_DYNAMIC) (U-Boot) (Linux)

•OpenSBI firmware with dynamic information about the next booting

stage struct fw_dynamic_info – The next stage booting stage (i.e. BOOTLADER) and FW_DYNAMIC are loaded by unsigned long magic the previous booting stage (i.e. LOADER) unsigned long version – The previous booting stage (i.e. LOADER) passes the location of struct unsigned long next_addr fw_dynamic_info to FW_DYNAMIC via ‘a2’ register unsigned long next_mode unsigned long options •Down-side: – Previous booting stage (i.e. LOADER) needs to be aware of struct fw_dynamic_info

•OpenSBI used as library

HiFive Unleashed QEMU • Instructions also available at •Instructions available at opensbi/docs/platform/qemu_virt.md opensbi/docs/platform/sifive_fu540.md •U-Boot image as a payload • U-Boot binary as payload – Building make PLATFORM=qemu/virt make PLAT=sifive/hifive_u540 \ FW_PAYLOAD_PATH=/u-boot.bin FW_PAYLOAD_PATH=~/workspace/u-boot-riscv/u-boot.bin

– Running qemu-system-riscv64 -M virt -m 256M -display none -serial stdio \ -kernel build/platform/qemu/virt/firmware/fw_payload.elf