2.9 System Startup and Control
2.9.1 Boot Process
The SESS performs the role of a system supervisor. After reset, the SESS is the only core that starts execution. The SESS initializes the device, sets up the security policies and performs a secure boot for the other subsystems. Once the boot is complete, the SE offers runtime services for security, crypto and system configuration.
The boot process starts with the SESS executing boot code stored in its local ROM. Its purpose is to perform a basic system initialization and to identify the system context—memory retention states and wakeup events. Based on the result, the execution flow proceeds with cold or warm boot scenarios, with or without rebooting the related execution domains.
The cold boot process starts with the SESS configuring the bus infrastructure and Firewalls to enable access to the system memory and peripherals. The boot ROM code then accesses the reserved on-chip NVM for a cryptographically signed Second Stage bootloader and, after validating it, proceeds with its execution. The Second Stage bootloader in the SESS sets up the system clock generator, the PLL operation, and the security mechanisms. Next, it scans the NVM for a valid Application Table of Contents (ATOC) and copies memory segments to their execution address (RTSS TCMs) if needed, or executes directly from MRAM if directed (XIP mode). Finally, the SESS starts each of the subsystem execution domains, bringing them out of reset, and then enters a wait loop, expecting application service requests coming from any of the MHUs connected to the application cores.
If the Second Stage bootloader validation fails, or if no application code is found in NVM, the SESS enters a wait loop, expecting a command stream from a dedicated SE UART. This is an abnormal state intended for system recovery (Recovery mode) following accidental NVM data corruption.
Figure 2-16 describes the cold boot process execution flow.
Figure 2-16 Cold Boot Sequence
The warm boot is initiated when the processor wakes up from the lowest power-saving mode. The ROM boot code identifies the SESS RAM retention state and, in case it is valid, it continues with running the Second Stage bootloader stored there. Otherwise, it proceeds as in the cold boot scenario.
While in the STOP power mode, all subsystems are off and only a few peripherals can generate wakeup events. Usually, these are application specific events, configured and associated with a specific execution domain. The Second Stage bootloader identifies the mapping between the wakeup event and the associated execution domain, then proceeds with its boot procedure. If the execution domain has its memory retained, it is powered up and immediately started. Otherwise, the bootloader executes a cold boot scenario for that execution domain.
2.9.2 Application Deployment in NVM
The attributes of each binary image specify if it needs to be loaded to an SRAM region. The image loading may also be configured to include decryption and/or decompression. Once the SE loads an application image to a specific subsystem, it releases its reset signal and starts its operation.
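The cold boot decision flow of 2.9.1 and the image attributes of 2.9.2, as an added Python model that is not code from this document or from the device's firmware: the HMAC-SHA256 tag stands in for the ROM's asymmetric signature check, the byte-wise XOR stands in for hardware decryption, and the ATOC entry layout, domain names and addresses are constructed for illustration.

```python
import hmac, hashlib, zlib

# Constructed stand-ins: the real SESS checks an asymmetric signature over the
# Second Stage bootloader and decrypts images with hardware keys; an HMAC-SHA256
# tag under a ROM-held key and a byte-wise XOR model accept/reject and decrypt.
ROM_KEY = b"constructed-rom-verification-key"

def sign(blob):
    return hmac.new(ROM_KEY, blob, hashlib.sha256).digest()

def make_image(domain, addr, data=b"", xip=False, encrypted=False, compressed=False):
    # One constructed ATOC entry; the attributes mirror those named in 2.9.2.
    data = zlib.compress(data) if compressed else data
    data = bytes(b ^ 0x5A for b in data) if encrypted else data
    return {"domain": domain, "addr": addr, "xip": xip,
            "encrypted": encrypted, "compressed": compressed, "payload": data}

def build_sample_nvm(tamper=False, empty=False):
    # Constructed NVM contents: a signed Second Stage bootloader plus an ATOC.
    ssbl = b"constructed second stage bootloader"
    atoc = [] if empty else [
        make_image("RTSS-0", 0x50000000, b"A" * 100, encrypted=True, compressed=True),
        make_image("RTSS-1", 0x80000000, xip=True)]
    return {"ssbl": (ssbl, bytes(32) if tamper else sign(ssbl)), "atoc": atoc}

def cold_boot(nvm):
    """Return the ordered actions the SESS takes in the cold boot flow."""
    ssbl, sig = nvm["ssbl"]
    # Constant-time compare so the verdict does not leak through timing.
    if not hmac.compare_digest(sign(ssbl), sig):
        return ["RECOVERY: SSBL validation failed, wait for SE UART command stream"]
    actions = ["SSBL: clock generator, PLL and security mechanisms configured"]
    if not nvm["atoc"]:
        return actions + ["RECOVERY: no application in NVM, wait for SE UART command stream"]
    for img in nvm["atoc"]:
        if img["xip"]:
            actions.append(f"{img['domain']}: execute in place from MRAM @0x{img['addr']:08x}")
        else:
            data = img["payload"]
            if img["encrypted"]:
                data = bytes(b ^ 0x5A for b in data)
            if img["compressed"]:
                data = zlib.decompress(data)
            actions.append(f"{img['domain']}: {len(data)} B copied to TCM @0x{img['addr']:08x}")
        actions.append(f"{img['domain']}: reset released")
    actions.append("SESS: waiting for MHU service requests")
    return actions
```

Both failure paths end in Recovery mode, and a subsystem's reset is released only after its image has been validated and placed.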