EMB320 Windows CE 5.0 Image Configuration, Boot Loaders, And Security
Jeff Glaum, Software Development Manager
Glen Langer, Program Manager
Windows CE Core OS Team, Microsoft Corporation

Page 3: [Diagram: Microsoft platform overview. Row labels: Management Tools, Communications & Messaging, Location Services, Multimedia, Development Tools, Programming Model (Native, Managed, Server Side), Data (Lightweight, Relational), Device Building Tools, Hardware/Drivers. Items shown: Device Update Agent, Software Update Services, Image Update, Microsoft Operations Manager, Systems Management Server, Live Communications Server, Exchange Server, Internet Security and Acceleration Server, Speech Server, MapPoint, DirectX, Windows Media, Visual Studio 2005, MFC 8.0, ATL 8.0, Win32, .NET Compact Framework, .NET Framework, ASP.NET Mobile Controls, ASP.NET, EDB, SQL Server 2005 Mobile Edition, SQL Server 2005 Express Edition, SQL Server 2005, Platform Builder, Windows Embedded Studio, Windows XP DDK, OEM/IHV Supplied BSP (ARM, SH4, MIPS), OEM Hardware and Standard Drivers, Standard PC Hardware and Drivers]

Page 4: Agenda

Introduction
Memory and Storage Technologies
Windows CE 5.0 Image Configuration
Building an Image
Boot Loaders
Boot Loader Security
Resources
MEDC Call to Action
Q and A

Page 5: Introduction

Design Trade-Offs
  Image storage
    SRAM, Flash (NOR & NAND), or Disk
  Execution
    Execute in Place (XIP) versus Relocatable
    Slower and cheaper versus faster and $$
  Compression
    Smaller image size (save cost) vs. slower loading but faster execution
  Boot Loader
    Complexity versus Performance
  Security
How does Windows CE support this?
  Build process and tools

Page 7: Memory And Storage Technologies

Type significantly impacts cost and performance
Each technology imposes different design constraints

Note: The data for this section was derived from leading vendor publications for both NAND and NOR. Because of ongoing changes in flash memory technologies, this information is subject to change.

Page 8: NAND Flash Memory

Dates from the late 1980s
Generally offers a lower cost per byte
Higher storage capacity
Block-accessed storage device with a serial interface
Block-access method makes NAND unsuitable for execute in place (XIP)
Images typically moved to RAM for execution

Page 9: NAND Flash Memory

Issue: Where does CPU access code from for initial pre-boot or for OS at boot time?
  Solutions
    Add NOR flash
    Use Hybrid flash
    New CPU designs use serial interface
Issue: Susceptible to manufacturing flaws and possible run-time cell failures
  Solutions
    Hardware and/or software data error checking and correction logic (ECC)
    Wear-leveling techniques to limit number of erase cycles

Page 10: NAND Flash Memory

Generally has shorter erase and write access times
Comparable read access time
Trade-Offs
  Lower cost-per-byte ratio and larger storage capacity, versus
  Additional system complexity and any additional expense in DRAM

Page 11: NOR Flash Memory

Generally offers a higher cost per byte
Storage capacity is typically smaller
Random-access storage (linear) device with an SRAM-like interface
Lack of manufactured bad blocks
Suitable for XIP (execute in place) designs

Page 12: NOR Flash Memory

Slower read times compared to DRAM
  Offset by optimizing code for cache usage
  Offset by running high-impact code from RAM (80/20 Rule)
Trade-Offs
  Higher cost-per-byte ratio and smaller capacity, versus
  Lower system cost - no additional DRAM or bad block management logic

Page 13: Hybrid Flash Memory

Combines the best of both NAND and NOR technologies on a single device
NAND flash with on-chip wear-leveling and SRAM-like interface
NAND flash with a NOR boot flash memory region for XIP

Page 14: ATA/IDE Hard Disk Drive

Hard disk drive is good option for image storage
Block-accessed devices
Code must first be copied to linear memory (DRAM) for execution
Trade-Offs
  Significantly longer read and write access times, versus
  Larger storage capacity

Page 16: XIP Versus Relocatable Code

Position independent or “relocatable” code
  OS loader adjusts references to addresses
  Efficient use of system RAM
  Load times are slightly longer for “fixups”
Relocatable code Trade-Offs
  Less flexibility (only executes from RAM)
  Typically requires more RAM than XIPing from flash
  Faster execution
  Slower boot times

Page 17: XIP Versus Relocatable Code

Fixed position or “execute in place (XIP)”
  Image is built to run from a specific location
  Location must support linear access
XIP Trade-Offs
  Minimized RAM usage, versus
  Slower execution
  Faster boot times

Page 18: Image Compression

Build tools control which components are XIP and which are relocated
Commonly compressed to minimize flash usage
  Performance critical code
  Rarely used modules
Trade-Offs
  Faster execution, versus
  Longer load times, versus
  Efficient flash usage

Page 20: ROM Image Builder

OS image is created by the ROM image builder tool (romimage.exe)
Romimage.exe runs at the end of the build process (after all image components have been created/linked)
Configurable binary image builder (.bib) files direct the process

Page 21: ROM Image Builder

Romimage.exe performs the following functions
  Collects all the components that make up the final image: drivers, executables, and data files
  Adjusts code addresses (“fix-ups”) as necessary to control placement of the executable code in the image’s virtual address space
  Compresses parts of the image
  Places any data files or compressed sections in unused “holes” in the image (compact image)
  Generates the image - nk.bin

Page 22: Binary Image Builder File

The binary image builder (.bib) file is a text file containing sections
  MEMORY: describes the embedded device’s memory map
  MODULES and FILES: describes the modules/files that are to be placed in the final image and their attributes (compressed, etc.)
  CONFIG: describes general image configuration information
The .bib file (ce.bib) is generated from a number of individual .bib files (common.bib, project.bib, platform.bib)

Page 23: CE Memory Architecture

Slot 0 – current process and consecutive code-data section DLLs
Slot 1 – separate code-data sections (roughly 32MB)
0x8000.0000 – 0xFFFF.FFFF is the kernel virtual address range

Page 24: .BIB – MEMORY Section

MEMORY section, specified in config.bib, details the system virtual addresses available
  NK 80001000 01FFF000 RAMIMAGE
  RAM 82000000 01DB0000 RAM
RAMIMAGE entry locates any executables, modules, data files and compressed sections in the range of virtual address 0x8000.1000 through 0x81FF.FFFF (could be flash or RAM)
RAM entry specifies the range of virtual addresses available to the Windows CE kernel for allocation to
  the file system or object store,
  process virtual address spaces such as heaps and stacks,
  memory mapped files and writable data sections
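
The address arithmetic behind the two MEMORY entries above can be checked mechanically. The following is an added example, not code from the presentation or from Platform Builder: it parses "NAME START SIZE TYPE" lines, computes each region's last address, rejects ranges that wrap past 0xFFFFFFFF, and counts overlapping regions (an image range that overlaps kernel-allocatable RAM would be overwritten at run time). The function and struct names are hypothetical, and treating `;` as the comment character is an assumption.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct bib_region {
    char     name[16];
    char     type[16];
    uint32_t start;   /* first virtual address           */
    uint32_t last;    /* last virtual address, inclusive */
};

/* The two entries shown on the slide. */
static const char SLIDE_MEMORY[] =
    "NK  80001000 01FFF000 RAMIMAGE\n"
    "RAM 82000000 01DB0000 RAM\n";

/* Parse "NAME START SIZE TYPE" lines (hex fields without a 0x prefix).
 * Returns the number of regions stored, or -1 on a malformed line, a zero
 * size, too many entries, or a range that wraps past 0xFFFFFFFF. */
int bib_parse_memory(const char *text, struct bib_region *out, int max)
{
    int n = 0;
    while (*text) {
        char line[128];
        size_t len = strcspn(text, "\n");
        size_t copy = len < sizeof line - 1 ? len : sizeof line - 1;
        const char *p;
        uint32_t size;

        memcpy(line, text, copy);
        line[copy] = '\0';
        text += len + (text[len] == '\n');

        p = line + strspn(line, " \t\r");
        if (*p == '\0' || *p == ';')      /* blank line or (assumed) comment */
            continue;
        if (n == max)
            return -1;
        if (sscanf(p, "%15s %" SCNx32 " %" SCNx32 " %15s",
                   out[n].name, &out[n].start, &size, out[n].type) != 4)
            return -1;
        if (size == 0 || size - 1 > UINT32_MAX - out[n].start)
            return -1;                    /* empty or wrapping range */
        out[n].last = out[n].start + (size - 1);
        n++;
    }
    return n;
}

/* Count pairs of regions whose address ranges intersect. */
int bib_count_overlaps(const struct bib_region *r, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if (r[i].start <= r[j].last && r[j].start <= r[i].last)
                hits++;
    return hits;
}

int main(void)
{
    struct bib_region r[8];
    int n = bib_parse_memory(SLIDE_MEMORY, r, 8);
    for (int i = 0; i < n; i++)
        printf("%-4s %-8s 0x%08" PRIX32 " - 0x%08" PRIX32 "\n",
               r[i].name, r[i].type, r[i].start, r[i].last);
    printf("overlapping pairs: %d\n", n < 0 ? -1 : bib_count_overlaps(r, n));
    return 0;
}
```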

Page 25: .BIB – MODULES Section

MODULES are fixed-up to a virtual address range (slot address) by romimage.exe
MODULES section identifies which executable files are to be included and their attributes
  INIT.EXE $(_FLATRELEASEDIR)\INIT.EXE NK SH
  MYDLL.DLL $(_FLATRELEASEDIR)\MYDLL.DLL NK SHC
Each entry: module name (in image), file on development system, section name, and attributes
Uncompressed code can XIP and is fixed up to run in slot 1 by default

Page 26: .BIB – FILES Section

FILES section is similar to MODULES section however all entries are compressed by default and files aren’t fixed-up
Used for data files (examples: bitmaps)
  PIC.BMP $(_FLATRELEASEDIR)\PIC.BMP NK SH
Executable DLLs in the FILES section are loaded into Slot 0 (different from MODULES section) and reduce overall process address space globally

Page 27: .BIB – CONFIG Section

Contains generic image configuration information
  ROMOFFSET – used to “move” RAM image into flash
  ROMSTART, ROMSIZE, and ROMWIDTH – used to create binary .nb0 file (in addition to .bin file)
  Other settings

Page 28: Image BIN File Format

IMAGE HEADER 15 Bytes:
  4230303046460A - 7 byte sync record
  4 byte starting address of image (physical address in this case)
  4 byte overall length of image

IMAGE RECORD HEADER 12 Bytes:
  4 byte address of record (physical address in this case)
  4 byte length of record
  4 byte checksum of record

Image Start = 0x00220000, length = 0x00B52D90
Record [ 0] : Start = 0x00220000, Length = 0x00000010, Chksum = 0x00000829
Record [ 1] : Start = 0x00220040, Length = 0x00000008, Chksum = 0x00000314
Record [ 2] : Start = 0x00221000, Length = 0x0003EFFC, Chksum = 0x019B93D5
Record [ 3] : Start = 0x00261000, Length = 0x000003A0, Chksum = 0x00014AD3
...
Record [119] : Start = 0x00000000, Length = 0x0022A178, Chksum = 0x00000000

Callout label on the slide: start address
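
A loader that consumes this format should treat every header field as untrusted input. The following is an added example, not code from the presentation or from blcommon: a validator that walks a BIN stream in memory, checks each record against the range declared in the image header, and verifies the record checksum before anything would be written. Assumptions not stated on the slide: fields are little-endian, the checksum is the unsigned 32-bit sum of the record's payload bytes, and the final record (address 0, checksum 0) carries the launch address in its length field. All names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum bin_status { BIN_OK, BIN_BAD_SYNC, BIN_TRUNCATED, BIN_OUT_OF_RANGE, BIN_BAD_CHECKSUM };

struct bin_info {
    uint32_t image_start, image_length; /* from the 15-byte image header    */
    uint32_t launch_addr;               /* length field of the final record */
    uint32_t records;                   /* data records accepted            */
};

/* Assumption: fields are little-endian. Read bytewise so the unaligned
 * offsets in the stream are safe on any CPU. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* True when [addr, addr + n) lies inside the range the image header declares.
 * Uses subtraction only, so an oversized length cannot wrap 32 bits. */
static int in_image(const struct bin_info *bi, uint32_t addr, uint32_t n)
{
    uint32_t rel;
    if (addr < bi->image_start) return 0;
    rel = addr - bi->image_start;
    return rel <= bi->image_length && n <= bi->image_length - rel;
}

/* Walk a BIN stream held in buf[0..len) without copying payloads anywhere. */
enum bin_status bin_validate(const uint8_t *buf, size_t len, struct bin_info *out)
{
    size_t off = 15;

    memset(out, 0, sizeof *out);
    if (len < 15) return BIN_TRUNCATED;
    if (memcmp(buf, "B000FF\n", 7) != 0) return BIN_BAD_SYNC;
    out->image_start  = rd32(buf + 7);
    out->image_length = rd32(buf + 11);

    for (;;) {
        uint32_t addr, rlen, sum, calc = 0, i;
        if (len - off < 12) return BIN_TRUNCATED;
        addr = rd32(buf + off);
        rlen = rd32(buf + off + 4);
        sum  = rd32(buf + off + 8);
        off += 12;
        if (addr == 0 && sum == 0) {        /* terminating record, no payload */
            if (!in_image(out, rlen, 1)) return BIN_OUT_OF_RANGE;
            out->launch_addr = rlen;
            return BIN_OK;
        }
        if (!in_image(out, addr, rlen)) return BIN_OUT_OF_RANGE;
        if (rlen > len - off) return BIN_TRUNCATED;
        for (i = 0; i < rlen; i++) calc += buf[off + i];  /* assumed byte sum */
        if (calc != sum) return BIN_BAD_CHECKSUM;
        off += rlen;
        out->records++;
    }
}

/* Constructed sample (not from the slide): image at 0x00220000, length 0x100. */
static const uint8_t SAMPLE[57] = {
    'B','0','0','0','F','F','\n',                       /* 7-byte sync            */
    0x00,0x00,0x22,0x00,  0x00,0x01,0x00,0x00,          /* image start, length    */
    0x00,0x00,0x22,0x00,  0x04,0,0,0,  0x0A,0,0,0,      /* record 0 header        */
    1, 2, 3, 4,                                         /* payload, sum 0x0A      */
    0x40,0x00,0x22,0x00,  0x02,0,0,0,  0x00,0x01,0,0,   /* record 1 header        */
    0xFF, 0x01,                                         /* payload, sum 0x100     */
    0,0,0,0,  0x00,0x00,0x22,0x00,  0,0,0,0             /* terminator with launch */
};

int main(void)
{
    struct bin_info bi;
    enum bin_status st = bin_validate(SAMPLE, sizeof SAMPLE, &bi);
    printf("status=%d records=%u launch=0x%08X\n",
           (int)st, (unsigned)bi.records, (unsigned)bi.launch_addr);
    return 0;
}
```

A byte-sum checksum only catches accidental corruption during transfer; it does not authenticate the image, which is why the range checks are done independently of it.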

Page 29: Image Mapping

At run time, OS components are fetched from the addresses chosen by Romimage.exe at build time
  Compressed modules must be copied into RAM
  Uncompressed modules will run XIP and will be mapped from the address range specified in the MEMORY section of the .bib file
  If the entire image is built to XIP from RAM but is stored in flash, then code is required—boot loader or early OS startup code—to copy the image to the correct RAM location

Page 31: Boot Loader Overview

Design is affected by
  Hardware choices (flash): XIP versus copy-to-RAM
  Manufacturing/process requirements: download transport
Typical variations
  Load mechanism: Ethernet, USB, serial, local storage (flash, HDD, DOC, CF, etc.) or other
  Development versus production requirements
  OS image requirements (ex: XIP or compression)
The primary function of the boot loader is to load an executable image (OS) into memory and to run it

Page 32: x86 Boot Loaders

Special considerations
  real-mode (OS starts in protected mode)
  boot from disk (BIOS)
x86 Boot Loader Variations
  LoadCEPC.exe – real-mode DOS program
  Eboot.bin – Ethernet boot loader
  Sboot.bin – Serial boot loader
  BIOSloader – uses BIOS INT13h interface
  ROMboot – replaces BIOS and supports IDE and Ethernet
  Future: PXE (network boot)

Page 33: Development Process

Create development boot loader
  Downloads image from Platform Builder
  Later enhanced for production
Boot loader is cross-compiled, linked, and located on a desktop PC
Downloaded and debugged on the target device
  JTAG / IEEE 1149.1 (debug board)
  Built-in ROM monitor
  EEPROM / Flash programmer
Goal: share code with OS image (OAL)

Page 34: Build And Output Format

Code located at
  %_WINCEROOT%\public\common\oak\drivers\ethdbg
  %_TARGETPLATROOT%\src\bootloader\eboot (links executable) – OEM code
Boot Loader EXE run through romimage to generate BIN and possibly NB0 or SRE files
  BIN: download with Platform Builder (ROMOFFSET)
  NB0: JTAG/manufacturing
  SRE: requires interpreter on device (boot monitor)

Page 35: Development Loader Design

Support libraries provided by Microsoft
  Common loader framework: blcommon
  Network and flash support libraries
Goal is to minimize amount of code that needs to be written by OEM/partner
Architecture designed to be modular and extendable

Page 36: Boot Loader Architecture

[Diagram: Typical development boot loader. Blocks: blcommon, OEM code, eboot, bootpart, flash FMD, EDBG drivers (NE2000, RTL8139, DP83815, …)]

Page 37: Boot Loader Architecture

Blcommon – generic boot loader framework
OEM code – general board init and extensions
Eboot – Ethernet functions (UDP, DHCP, TFTP)
EDBG drivers – Ethernet drivers
  3Com 3C90x, AMD AM79C97x, CS8900A, NS DP83815, NE2000, RealTek RTL8139, SMSC9000 and SMSC100 (list is growing)
Bootpart – storage partition management
FMD – flash management driver
  Samsung/Sandisk (NAND), Intel StrataFlash (NOR)

Page 38: Boot Sequence

Boot loader startup sequence
  Startup
  EbootMain
  BootloaderMain
  OEMDebugInit
  OEMPlatformInit
  OEMPreDownload
  Download Occurs
  OEMLaunch
Other (optional):
  OEMReadData
  OEMShowProgress
  OEMIsFlashAddr
  OEMMapMemAddr
  OEMStartEraseFlash
  OEMContinueEraseFlash
  OEMFinishEraseFlash
  OEMWriteFlash
Kernel startup sequence
  Startup
  KernelStart
  ARMInit
  OEMInitDebugSerial
  OEMInit
  KernelInit
  HeapInit
  InitMemoryPool
  ProcInit
  SchedInit
  FirstSchedule
  SystemStartupFunc

Page 39: Boot Process

CPU initialization: StartUp()
  Assembly code that runs at the CPU reset vector
  Initializes CPU core (RAM accessible)
    Protection mode (supervisor)
    Clocks/PLLs
    RAM controller
    Optionally sets up MMU and caches
  Relocates to RAM (and copies initialized global variable section)
  Initializes stack pointer
  Jumps to C code (blcommon entry point)

Page 40: Boot Process

OEMDebugInit()
  Initializes debug output connection (example: serial UART)
  OEMWriteDebugByte() sends ASCII characters over debug output connection
OEMPlatformInit()
  Initializes bridge (host, PCI, PCMCIA, etc.) and peripheral bus logic
  Initializes other board-level logic needed to access download transport hardware (example: Ethernet controller)

Boot Process

Pre-download initialization: OEMPreDownload()
  Prepares and establishes download connection
  For a development Ethernet boot loader, most of this is handled in the eboot library’s EbootInitEtherTransport() and EbootEtherReadData() functions
    Obtain an IP address (static or DHCP)
    Broadcast UDP “BOOTME” packets on the subnet
    Jump to a device-resident image based on Platform Builder settings
    ** or **
    Establish a TFTP connection to Platform Builder and download BIN file records
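
Added example (not from the original slides or from blcommon): a C validator for the BIN file records the boot loader downloads, checking each record's bounds and checksum before anything is written to flash or launched. It assumes the Windows CE .bin layout, which the slides do not spell out: a 7-byte "B000FF\n" sync, image start and length, then address/length/checksum records ending in a zero-address record whose length field carries the launch address. All function and constant names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result codes; all names in this example are hypothetical, not blcommon's. */
enum { BIN_OK, BIN_BAD_SYNC, BIN_TRUNCATED, BIN_BAD_RANGE, BIN_BAD_SUM };

/* Little-endian 32-bit read with no alignment assumption. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* True when [addr, addr+n) lies inside [start, start+span), overflow-safe. */
static int inside(uint32_t addr, uint32_t n, uint32_t start, uint32_t span) {
    return addr >= start && n <= span && addr - start <= span - n;
}

/* Walk every record of a .bin buffer; on success store the launch address. */
int bin_validate(const uint8_t *buf, size_t len, uint32_t *launch) {
    if (len < 15 || memcmp(buf, "B000FF\n", 7) != 0) return BIN_BAD_SYNC;
    uint32_t start = rd32(buf + 7), span = rd32(buf + 11);
    size_t off = 15;
    for (;;) {
        if (len - off < 12) return BIN_TRUNCATED;
        uint32_t addr = rd32(buf + off), n = rd32(buf + off + 4), sum = rd32(buf + off + 8);
        off += 12;
        if (addr == 0 && sum == 0) {   /* terminator: length field is the launch address */
            if (!inside(n, 1, start, span)) return BIN_BAD_RANGE;  /* policy of this example */
            *launch = n;
            return BIN_OK;
        }
        if (n > len - off) return BIN_TRUNCATED;
        if (!inside(addr, n, start, span)) return BIN_BAD_RANGE;
        uint32_t acc = 0;               /* record checksum: 32-bit sum of data bytes */
        for (uint32_t i = 0; i < n; i++) acc += buf[off + i];
        if (acc != sum) return BIN_BAD_SUM;
        off += n;
    }
}

/* Constructed sample: one 4-byte record at 0x80001000, then the terminator. */
static const uint8_t sample[] = {
    'B','0','0','0','F','F','\n',
    0x00,0x10,0x00,0x80, 0x04,0,0,0,               /* image start, image length */
    0x00,0x10,0x00,0x80, 0x04,0,0,0, 0x0A,0,0,0,   /* record: addr, len, sum */
    1, 2, 3, 4,                                    /* data, 1+2+3+4 = 0x0A */
    0,0,0,0, 0x00,0x10,0x00,0x80, 0,0,0,0          /* terminator, launch address */
};
int main(void) { uint32_t l; return bin_validate(sample, sizeof sample, &l); }
```

The byte-sum checksum only catches transfer corruption; anyone able to alter the download can recompute it, so it does not replace the signature check that the Boot Loader Security slide describes.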

Boot Process

Post-Download/Launch: OEMLaunch()
  Acquires user settings from Platform Builder (examples: clean boot, passive KITL, etc.) – handled in eboot library’s EbootWaitForHostConnect() function.
  Fills out shared OS data structure (bootargs/driver-globals)
  Optional: writes download image to flash
  Jumps to image

Optional Functions

Flash-related
  OEMIsFlash()
    Checks whether an address is in flash
  OEMMapMemAddr()
    Maps BIN records to another memory range (useful for caching a flash image in RAM)
  OEMStartEraseFlash()
  OEMContinueEraseFlash()
  OEMFinishEraseFlash()
  OEMWriteFlash()
Use BootPart and FMD for flash access

Boot Loader Security

Blcommon contains simple signature support
Before writing a download image to flash and before running the image, CheckSignature() is called
Signed hash of image’s table-of-contents (TOC) is stored in the .bin image

Agenda

Introduction
Memory and Storage Technologies
Windows CE 5.0 Image Configuration
Building an Image
Boot Loaders
Boot Loader Security
Resources
MEDC Call to Action
Q and A

Boot Loader Security

Chain of Trust
Detecting and correcting errors
  During download
  During boot
Prevention
  Locking the flash part
  Hardware interlocks

Boot Loader Security

Possible solutions using hardware
  ARM TrustZone™
  MIPS32® 4KSd™ Core

Boot Loader Security
ARM TrustZone™

[Diagram: TrustZone SW elements, split into Normal and Secure. Labels: Normal OS; Normal OS app.; Secure Kernel; Secure services; Secure drivers & hardware abstraction layers; Monitor; Boot Loader; Secure devices / peripherals. Legend: Licensable SW from ARM.]
ARM TrustZone™ diagram used with permission

Boot Loader Security
ARM TrustZone™

TrustZone™ Advantages
  Secure Process Execution
    Secure mode for boot loader and kernel
    Periodically verify the image
  Secure Storage
    Public and private keys
    Cryptographic algorithms
    Sensitive data
  Secure peripherals
    Timers, smart card
    Trusted I/O, including JTAG access disabled
ARM TrustZone™ info used with permission

Boot Loader Security
MIPS32® 4KSd™ Core

Builds on MIPS’ existing server-class security (in all cores)

[Diagram: MIPS32™ 4KSd™ Smart Card Core. Blocks: Execution Core; Secure MMU; Security features; TLB; Secure Cache Controller; Instruction Cache; Data Cache and/or Scratchpad; BIU; EJTAG; Power Management; On-Chip Bus; Co-Processor; Security; MIPS16e™ Code Compression. Legend: Required; Optional or Configurable.]
MIPS32® 4KSd™ diagram used with permission

Adds
  Secure MMU
  Secure Caches
  Cryptographic Acceleration
  Tamper Resistance

Boot Loader Security
MIPS® MT ASE

MIPS Multi-Threading presents Virtual CPUs
  Known as Virtual Processing Elements (VPEs)
  Could employ a software supervisor to enforce inter-VPE communication (or lack thereof)
MT Application-Specific Extension (ASE) also presents hardware Threads
  Known as Thread Contexts (TCs)
  Dramatically increase processor efficiency by instantly switching away from blocked threads

[Diagram: MIPS Core with MT ASE. Labels: VPE0; VPE1; Apps; Secure Kernel; OS.]
MIPS® MT ASE diagram used with permission

Resources

“System Memory Management in Windows CE .NET”, whitepaper
http://msdn.microsoft.com/library/en-us/dncenet/html/systemmemorymgmtwince.asp

Platform Builder documentation, “How to Develop a Boot Loader”
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcehardware5/html/wce50howHowtoDevelopaBootLoader.asp

While At MEDC 2005…

Fill out an evaluation for this session
  Randomly selected instant WIN prizes!
Use real technology in a lab
  Instructor led Reef E/F & Breakers L
  Self-paced Reef B/C
Visit the Microsoft Product Pavilion in the Exhibit Hall
  Shorelines B

After The Conference…

Build
  Install: Full-featured trial versions of Windows CE and/or Windows XP Embedded
  Build: Cool stuff & tell us about it: msdn.microsoft.com/embedded/community
  Join: Windows Embedded Partner Program: www.mswep.com
Develop
  Install: Windows Mobile 5.0 Eval Kit including Visual Studio 2005 Beta 2
  Enter: Mobile2Market Contest and win up to $25000: mobile2marketcontest.com
  Join: Microsoft Solutions Partner Program: partner.microsoft.com

Tools & Resources

Build
  Websites: msdn.microsoft.com/embedded
  Newsgroups: microsoft.public.windowsxp.embedded, microsoft.public.windowsce.platbuilder, microsoft.public.windowsce.embedded.vc
  Blogs: blogs.msdn.com/mikehall
  Tools: Windows CE 5.0 Eval Kit, Windows XP Embedded Eval Kit
Develop
  Websites: msdn.microsoft.com/mobility
  Newsgroups: microsoft.public.pocketpc.developer, microsoft.public.smartphone.developer, microsoft.public.dotnet.framework.compactframework
  Blogs: blogs.msdn.com/windowsmobile, blogs.msdn.com/vsdteam, blogs.msdn.com/netcfteam
  Tools: Windows Mobile 5.0 Eval Kit

Questions?

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.