Difference between revisions of "Kernel Loader"

From Vita Development Wiki
(Redirected page to Kernel Boot Loader)
Tag: New redirect
The Kernel Boot Loader is (likely) the third stage bootloader for the system. It is <code>kernel_boot_loader.self</code> in the [[Boot Sequence#Boot Partition|Boot Partition]]. It initializes the ARM [[TrustZone]] (ARM Secure Kernel) and non-secure kernel.
#REDIRECT [[Kernel Boot Loader]]
== ARM Kernel BootLoader ==
It is speculated that the first stage of the secure boot process is the [[Boot ROM]] in F00D, which decrypts <code>kernel_boot_loader.self</code> into DRAM and resets ARM. By this point that stage would have set up DRAM and the eMMC driver. There is no VMA yet. A couple of things are loaded into memory: <code>kprx_auth_sm.self</code> from the [[SLB2]] eMMC partition is located at <code>0x40000500</code> (as-is, still encrypted), and <code>prog_rvk.srvk</code> is located at <code>0x40008B00</code>. The VBAR is likely set to <code>0x40000000</code>, where most handlers point to unhandled-exception error code. The secure kernel bootloader segments are loaded to <code>0x40020000</code> (where the reset vector points) and come in three main parts. The first part is the secure kernel bootloader code, which includes stripped-down versions of [[SceSysmem]] and [[SceKernelModulemgr]] plus initialization code (the reset vector points into this range). The second part is the [[Secure Kernel]], stored as a series of either plaintext ELFs or [[ARZL]]-compressed ELFs. On FW 1.69, only <code>SceSysmem</code> is ARZL compressed; the other Secure Kernel modules are plaintext ELFs. Additionally, some initialization data is passed at <code>0x4005A000</code>, <code>0x0</code>, and <code>0x100</code>.
== Secure Kernel BootLoader - reset ==
The reset function cleans the cache and resets many CP15 registers. Next it does some more device initialization and prints the debug string <code>Starting PSP2 Kernel Boot Loader</code>. Core 0 then builds some initialization data from parameters passed in from the previous stage as well as hard-coded parameters. This includes the VMAs for the VBAR, MVBAR, TTBR0, TTBR1, and other configuration. It then turns on virtual memory and maps the regions for everything defined above. The other cores wait for this to complete and then simply use the initialization data created by core 0. The L2 cache is also set up at this point. After this, the low-level system is finished initializing.
== Secure Kernel BootLoader - TrustZone loading ==
Next, the ARM Secure Kernel is loaded by the stripped-down module manager inside the bootloader. First [[SceSysmem]], which on newer FWs is [[ARZL]] compressed, is decompressed to scratch space at <code>0x1C000000</code>. The ELF loader then loads it and the memory manager's initialization function is called, which sets up the memory system in secure world. This also sets up [[KBL Param]] in secure world. Data from physical address <code>0x100</code> is copied to the buffer allocated at offset 0x6C0 of the [[KBL Param]] buffer (on FW 1.69 this is 0x46C0 in secure world). The other ELFs are not compressed and are handed to the ELF loader as-is. [[SceExcpmgr]] is loaded next, and its initialization function replaces the vectors pointed to by VBAR and MVBAR. The MVBAR determines how <code>SMC</code> calls are handled and is the entry point to secure world. Other modules' initialization functions invoke [[SceExcpmgr]] functions to register SMC handlers. When [[SceSblSmsched]] is initialized, it initializes the security processor with <code>kprx_auth_sm.self</code> and <code>prog_rvk.srvk</code> found in memory; this is likely the point after which signature revocation takes effect. The [[Libraries#Secure Kernel|other modules]] are loaded, then the [[TrustZone]] DRAM region (0x40000000-0x40300000 on FW 1.69; the region ends at 0x40200000 on later versions) is set up in hardware, and after that the secure world is completely done loading.
== Non-Secure Kernel BootLoader ==
The [[NSKBL]] is stored as an [[ARZL]]-compressed binary at physical address <code>0x50000000</code>. It is decompressed to <code>0x51000000</code>, which is also where the NSKBL reset vector is found. The initialization data originally at <code>0x100</code> is copied to <code>0x40200100</code> (<code>0x40300100</code> before FW 3.52), i.e. just past the end of the TrustZone DRAM region, so that the non-secure world can access it. The Secure Kernel Bootloader then switches to non-secure world by writing the NS bit in the SCR and doing a return-from-exception to the non-secure reset vector. The NSKBL has to set up everything (including the VMA) again in the non-secure world. The initialization of the non-secure KBL is almost exactly the same as the secure version.
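As an added illustration (not code from the wiki or from the bootloader itself), the following Python script models the physical addresses named in the sections above and checks, per firmware version, which buffers fall inside the TrustZone DRAM window and which remain readable from the non-secure world. It assumes the window's end moves from 0x40300000 to 0x40200000 at FW 3.52 (the page gives 1.69 and "before 3.52" as its data points), and firmware versions are passed as (major, minor) tuples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int  # exclusive

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def trustzone_dram(fw: tuple) -> Region:
    # DRAM window reserved for secure world: 0x40000000-0x40300000 on FW 1.69.
    # Assumption: it shrinks to end at 0x40200000 from FW 3.52 on, matching the
    # firmware at which the non-secure init-data copy moved to 0x40200100.
    end = 0x40300000 if fw < (3, 52) else 0x40200000
    return Region("TrustZone DRAM", 0x40000000, end)


def nonsecure_init_copy(fw: tuple) -> int:
    # Physical address to which the secure bootloader copies the init data
    # from 0x100 so the non-secure world can read it (page: 0x40300100 before 3.52).
    return 0x40300100 if fw < (3, 52) else 0x40200100


def boot_images(fw: tuple) -> dict:
    # Physical load addresses taken from the page; only the last entry varies by FW.
    return {
        "kprx_auth_sm.self (encrypted)": 0x40000500,
        "prog_rvk.srvk": 0x40008B00,
        "secure KBL segments / reset vector": 0x40020000,
        "init data from previous stage": 0x4005A000,
        "NSKBL (ARZL compressed)": 0x50000000,
        "NSKBL decompressed / NS reset vector": 0x51000000,
        "init data copy for non-secure world": nonsecure_init_copy(fw),
    }


def classify(fw: tuple) -> dict:
    """Map each image to True if it lies inside the TrustZone DRAM window."""
    tz = trustzone_dram(fw)
    return {name: tz.contains(addr) for name, addr in boot_images(fw).items()}


def nonsecure_readable(fw: tuple) -> list:
    """Images outside the TZ window, i.e. reachable once SCR.NS is set."""
    return sorted(n for n, inside in classify(fw).items() if not inside)


if __name__ == "__main__":
    for fw in ((1, 69), (3, 60)):  # sample versions, constructed for the demo
        print(fw, nonsecure_readable(fw))
```

The check makes the point of the copy explicit: on both firmware layouts the secure images (revocation list, secure KBL, passed-in init data) stay inside the window while the copied init data lands just outside it.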
== Non-secure Kernel ==
TODO: Talk about <code>os0:psp2bootconfig.skprx</code> loading and stuff.

Latest revision as of 11:36, 14 January 2022
