HarvOS Boot ROM

Boot ROM and ELF loader

The boot ROM detects two block devices, mounts their file systems, associates ELF, YAML and data directories, loads valid ELF32 images into IMEM/DMEM and then transfers control to the application.

Boot sequence

  1. Reset initializes IMEM, DMEM and devices. Hart 0 starts at 0x00000000.
  2. Secure boot releases boot_ok and mpu_lock when metadata checks pass.
  3. The boot ROM initializes the HPS block bridge at 0xffff00c0.
  4. Program and data images are treated as block devices and mounted through FAT/exFAT helpers.
  5. The program drive is detected through root-level *.elf files.
  6. The data drive is detected through the /data directory.
  7. The first valid app is matched as /name.elf, /config/name.yaml and /data/name.
  8. YAML is parsed into an internal app configuration.
  9. ELF headers and program headers are validated.
  10. Executable segments are written through the IMEM loader; data segments and BSS go to DMEM.
  11. Start parameters and optional bundles for services such as HarvTTP are placed in DMEM.
  12. The IMEM loader is locked.
  13. The boot ROM sets a0 = params_addr, initializes sp and jumps to the ELF entry.

USB image layout

Program image

/
  harvttp.elf
  harvsql.elf
  config/
    harvttp/harvttp.yaml
    harvsql/harvsql.yaml
    harvsql/runtime.yaml
  config/harvsql/seed/
  config/harvsql/migrations/

Data image

/
  data/
    harvttp/
      webroot/
    harvsql/
      db/
        catalog.hsq

ELF validation

Check            Rule
Magic            0x7f 'E' 'L' 'F'.
Class/data       ELFCLASS32, ELFDATA2LSB.
Type/machine     ET_EXEC, EM_RISCV.
Header sizes     ehsize and phentsize must match the boot-ROM structures.
Program headers  phnum > 0 and no more than 16.
Segment bounds   filesz <= memsz, no overflow, file offsets inside the image.
Alignment        vaddr must be 4-byte aligned.
W^X              Segments with both PF_W and PF_X are rejected.
Entry            The entry point must lie inside an executable PT_LOAD segment.
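An added illustration, not the HarvOS boot ROM's own code: a C validator that applies every rule in the table to an ELF32 image held in memory, plus a constructed minimal image (a single R+X segment with one nop) that lets single-byte edits trigger individual rules. The numeric reason codes, the fixture and the helper names are assumptions of this example; only the header layouts come from the ELF specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* ELF32 header layouts from the ELF specification; both are padding-free. */
typedef struct { uint8_t ident[16]; uint16_t type, machine; uint32_t version, entry, phoff, shoff, flags;
                 uint16_t ehsize, phentsize, phnum, shentsize, shnum, shstrndx; } Elf32_Ehdr;   /* 52 bytes */
typedef struct { uint32_t type, offset, vaddr, paddr, filesz, memsz, flags, align; } Elf32_Phdr;  /* 32 bytes */
enum { ELFCLASS32 = 1, ELFDATA2LSB = 1, ET_EXEC = 2, EM_RISCV = 243,
       PT_LOAD = 1, PF_X = 1, PF_W = 2, PF_R = 4, MAX_PHNUM = 16 };

/* Returns 0 when the image passes every rule in the table, else a hypothetical reason code
 * (the page only describes the ROM's failure word as 0xBAD00000 | status). */
int validate_elf32(const uint8_t *img, size_t len)
{
    Elf32_Ehdr eh;
    if (len < sizeof eh) return 1;
    memcpy(&eh, img, sizeof eh);                         /* copy out: img may be unaligned */
    if (memcmp(eh.ident, "\177ELF", 4) != 0) return 2;                          /* magic */
    if (eh.ident[4] != ELFCLASS32 || eh.ident[5] != ELFDATA2LSB) return 3;      /* class/data */
    if (eh.type != ET_EXEC || eh.machine != EM_RISCV) return 4;                 /* type/machine */
    if (eh.ehsize != sizeof eh || eh.phentsize != sizeof(Elf32_Phdr)) return 5; /* header sizes */
    if (eh.phnum == 0 || eh.phnum > MAX_PHNUM) return 6;                        /* phnum bounds */
    if (eh.phoff > len || (len - eh.phoff) / sizeof(Elf32_Phdr) < eh.phnum) return 7; /* phdr table in image */
    Elf32_Phdr ph; int entry_ok = 0;
    for (unsigned i = 0; i < eh.phnum; i++) {
        memcpy(&ph, img + eh.phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.type != PT_LOAD) continue;
        if (ph.filesz > ph.memsz) return 8;                                     /* filesz <= memsz */
        if (ph.vaddr > UINT32_MAX - ph.memsz) return 9;                         /* vaddr + memsz overflow */
        if (ph.offset > len || len - ph.offset < ph.filesz) return 10;          /* file bytes inside image */
        if (ph.vaddr % 4 != 0) return 11;                                       /* 4-byte alignment */
        if ((ph.flags & (PF_W | PF_X)) == (PF_W | PF_X)) return 12;             /* W^X */
        if ((ph.flags & PF_X) && eh.entry >= ph.vaddr && eh.entry - ph.vaddr < ph.memsz) entry_ok = 1;
    }
    return entry_ok ? 0 : 13;                              /* entry must sit in an executable PT_LOAD */
}

/* Constructed fixture (not a real HarvOS image): one R+X PT_LOAD holding a RISC-V nop at vaddr 0.
 * Byte `off` is overwritten with `val` (host assumed little-endian, like the RISC-V target). */
int validate_patched_image(size_t off, uint8_t val)
{
    uint8_t buf[88];
    Elf32_Ehdr eh = { .ident = {0x7f, 'E', 'L', 'F', ELFCLASS32, ELFDATA2LSB, 1}, .type = ET_EXEC,
                      .machine = EM_RISCV, .version = 1, .phoff = 52, .ehsize = 52, .phentsize = 32, .phnum = 1 };
    Elf32_Phdr ph = { .type = PT_LOAD, .offset = 84, .filesz = 4, .memsz = 4, .flags = PF_R | PF_X, .align = 4 };
    memcpy(buf, &eh, 52);
    memcpy(buf + 52, &ph, 32);
    memcpy(buf + 84, "\x13\x00\x00\x00", 4);            /* addi x0,x0,0 (nop) */
    if (off < sizeof buf) buf[off] = val;
    return validate_elf32(buf, sizeof buf);
}
```

Field offsets for the edits: entry at 24 and phnum at 44 in the ELF header; within the program header (which starts at 52) offset is at 4, vaddr at 8, filesz at 16 and flags at 24.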

Load behavior

for each PT_LOAD phdr:
  reject if phdr.flags has both PF_W and PF_X
  if phdr.flags has PF_X:
    write_exec_segment_via_imem_loader(phdr)
  else:
    copy_to_dmem(phdr.filesz)
    zero_bss(phdr.memsz - phdr.filesz)

Error behavior

Boot errors are exposed through a debug word at 0x00000420. Status values begin with 0xB001....; failures are encoded as 0xBAD00000 | status. The current boot ROM starts the first valid app. A production multi-app path should load a supervisor first and let it isolate and schedule service ELFs.