Change Log & Release Notes
==========================

This document contains a summary of the new features, changes, fixes and known
issues in each release of Trusted Firmware-A.

Version 2.2
-----------

New Features
^^^^^^^^^^^^

- Architecture
   - Enable Pointer Authentication (PAuth) support for Secure World
      - Adds support for ARMv8.3-PAuth in BL1 SMC calls and
        BL2U image for firmware updates.

   - Enable Memory Tagging Extension (MTE) support in both secure and non-secure
     worlds
      - Adds support for the new Memory Tagging Extension arriving in
        ARMv8.5. MTE support is now enabled by default on systems that
        support it at EL0.
      - To enable it at ELx for both the non-secure and the secure
        world, the compiler flag ``CTX_INCLUDE_MTE_REGS`` includes register
        saving and restoring when necessary in order to prevent information
        leakage between the worlds.

   - Add support for Branch Target Identification (BTI)

- Build System
   - Modify FVP makefile for CPUs that support both AArch64/32

   - AArch32: Allow compiling with soft-float toolchain

   - Makefile: Add default warning flags

   - Add Makefile check for PAuth and AArch64

   - Add compile-time errors for HW_ASSISTED_COHERENCY flag

   - Apply compile-time check for AArch64-only CPUs

   - build_macros: Add mechanism to prevent bin generation.
   - Add support for default stack-protector flag

   - spd: opteed: Enable NS_TIMER_SWITCH

   - plat/arm: Skip BL2U if RESET_TO_SP_MIN flag is set

   - Add new build option to let each platform select which implementation of spinlocks
     it wants to use

- CPU Support
   - DSU: Workaround for errata 798953 and 936184

   - Neoverse N1: Force cacheable atomic to near atomic
   - Neoverse N1: Workaround for errata 1073348, 1130799, 1165347, 1207823,
     1220197, 1257314, 1262606, 1262888, 1275112, 1315703, 1542419

   - Neoverse Zeus: Apply the MSR SSBS instruction

   - cortex-Hercules/HerculesAE: Support added for Cortex-Hercules and
     Cortex-HerculesAE CPUs
   - cortex-Hercules/HerculesAE: Enable AMU for Cortex-Hercules and Cortex-HerculesAE

   - cortex-a76AE: Support added for Cortex-A76AE CPU
   - cortex-a76: Workaround for errata 1257314, 1262606, 1262888, 1275112,
     1286807

   - cortex-a65/a65AE: Support added for Cortex-A65 and Cortex-A65AE CPUs
   - cortex-a65: Enable AMU for Cortex-A65

   - cortex-a55: Workaround for erratum 1221012

   - cortex-a35: Workaround for erratum 855472

   - cortex-a9: Workaround for erratum 794073

- Drivers
   - console: Allow the console to register multiple times

   - delay: Timeout detection support

   - gicv3: Enabled multi-socket GIC redistributor frame discovery and migrated
     ARM platforms to the new API
      - Adds ``gicv3_rdistif_probe`` function that delegates the responsibility
        of discovering the corresponding redistributor base frame to each CPU
        itself.
   - sbsa: Add SBSA watchdog driver

   - st/stm32_hash: Add HASH driver

   - ti/uart: Add an AArch32 variant

- Library at ROM (romlib)
   - Introduce BTI support in Library at ROM (romlib)

- New Platforms Support
   - amlogic: g12a: New platform support added for the S905X2 (G12A) platform
   - amlogic: meson/gxl: New platform support added for Amlogic Meson
     S905x (GXL)

   - arm/a5ds: New platform support added for A5 DesignStart

   - arm/corstone: New platform support added for Corstone-700

   - intel: New platform support added for Agilex

   - mediatek: New platform support added for MediaTek mt8183

   - qemu/qemu_sbsa: New platform support added for QEMU SBSA platform

   - renesas/rcar_gen3: plat: New platform support added for D3

   - rockchip: New platform support added for px30
   - rockchip: New platform support added for rk3288

   - rpi: New platform support added for Raspberry Pi 4

- Platforms
   - arm/common: Introduce wrapper functions to setup secure watchdog

   - arm/fvp: Add Delay Timer driver to BL1 and BL31 and option for defining
     platform DRAM2 base
   - arm/fvp: Add Linux DTS files for 32 bit threaded FVPs

   - arm/n1sdp: Add code for DDR ECC enablement and BL33 copy to DDR, Initialise CNTFRQ
     in Non Secure CNTBaseN

   - arm/juno: Use shared mbedtls heap between BL1 and BL2 and add basic support for
     dynamic config

   - imx: Basic support for PicoPi iMX7D, rdc module init, caam module init,
     aipstz init, IMX_SIP_GET_SOC_INFO, IMX_SIP_BUILDINFO added

   - intel: Add ncore ccu driver

   - mediatek/mt81*: Use new bl31_params_parse() helper

   - nvidia: tegra: Add support for multi console interface

   - qemu/qemu_sbsa: Adding memory mapping for both FLASH0/FLASH1
   - qemu: Added gicv3 support, new console interface in AArch32, and sub-platforms

   - renesas/rcar_gen3: plat: Add R-Car V3M support, new board revision
     for H3ULCB, DBSC4 setting before self-refresh mode

   - socionext/uniphier: Support console based on multi-console

   - st: stm32mp1: Add OP-TEE, Avenger96, watchdog, LpDDR3, authentication support
     and general SYSCFG management

   - ti/k3: common: Add support for J721E, Use coherent memory for shared data, Trap all
     asynchronous bus errors to EL3

   - xilinx/zynqmp: Add support for multi console interface, Initialize IPI table from
     zynqmp_config_setup()

- PSCI
   - Adding new optional PSCI hook ``pwr_domain_on_finish_late``
      - This PSCI hook ``pwr_domain_on_finish_late`` is similar to
        ``pwr_domain_on_finish`` but is guaranteed to be invoked when the
        respective core and cluster are participating in coherency.

- Security
   - Speculative Store Bypass Safe (SSBS): Further enhance protection against Spectre
     variant 4 by disabling speculative loads/stores (SPSR.SSBS bit) by default.

   - UBSAN support and handlers
      - Adds support for the Undefined Behaviour sanitizer. There are two types of
        support offered - minimalistic trapping support which essentially immediately
        crashes on undefined behaviour and full support with full debug messages.

- Tools
   - cert_create: Add support for bigger RSA key sizes (3KB and 4KB),
     previously the maximum size was 2KB.

   - fiptool: Add support to build fiptool on Windows.


Changed
^^^^^^^

- Architecture
   - Refactor ARMv8.3 Pointer Authentication support code

   - backtrace: Strip PAC field when PAUTH is enabled

   - Prettify crash reporting output on AArch64.

   - Rework smc_unknown return code path in smc_handler
      - Leverage the existing ``el3_exit()`` return routine for smc_unknown return
        path rather than a custom set of instructions.
- BL-Specific
   - Invalidate dcache build option for BL2 entry at EL3

   - Add missing support for BL2_AT_EL3 in XIP memory

- Boot Flow
   - Add helper to parse BL31 parameters (both versions)

   - Factor out cross-BL API into export headers suitable for 3rd party code

   - Introduce lightweight BL platform parameter library

- Drivers
   - auth: Memory optimization for Chain of Trust (CoT) description

   - bsec: Move bsec_mode_is_closed_device() service to platform

   - cryptocell: Move Cryptocell specific API into driver

   - gicv3: Prevent pending G1S interrupt from becoming G0 interrupt

   - mbedtls: Remove weak heap implementation

   - mmc: Increase delay between ACMD41 retries
   - mmc: stm32_sdmmc2: Correctly manage block size
   - mmc: stm32_sdmmc2: Manage max-frequency property from DT

   - synopsys/emmc: Do not change FIFO TH as this breaks some platforms
   - synopsys: Update synopsys drivers to not rely on undefined overflow behaviour

   - ufs: Extend the delay after reset to wait for some slower chips

- Platforms
   - amlogic/meson/gxl: Remove BL2 dependency from BL31

   - arm/common: Shorten the Firmware Update (FWU) process

   - arm/fvp: Remove GIC initialisation from secondary core cold boot

   - arm/sgm: Temporarily disable shared Mbed TLS heap for SGM

   - hisilicon: Update hisilicon drivers to not rely on undefined overflow behaviour

   - imx: imx8: Replace PLAT_IMX8* with PLAT_imx8*, remove duplicated linker symbols and
     deprecated code include, keep only IRQ 32 unmasked, enable all power domain by default

   - marvell: Prevent SError accessing PCIe link, Switch to xlat_tables_v2, do not rely on
     argument passed via smc, make sure that comphy init will use correct address

   - mediatek: mt8173: Refactor RTC and PMIC drivers
   - mediatek: mt8173: Apply MULTI_CONSOLE framework

   - nvidia: Tegra: memctrl_v2: fix "overflow before widen" coverity issue

   - qemu: Simplify the image size calculation, Move and generalise FDT PSCI fixup, move
     gicv2 codes to separate file

   - renesas/rcar_gen3: Convert to multi-console API, update QoS setting, Update IPL and
     Secure Monitor Rev2.0.4, Change to restore timer counter value at resume, Update DDR
     setting rev.0.35, qos: change subslot cycle, Change periodic write DQ training option.

   - rockchip: Allow SOCs with undefined wfe check bits, Streamline and complete UARTn_BASE
     macros, drop rockchip-specific imported linker symbols for bl31, Disable binary generation
     for all SOCs, Allow console device to be set by DTB, Use new bl31_params_parse functions

   - rpi/rpi3: Move shared rpi3 files into common directory

   - socionext/uniphier: Set CONSOLE_FLAG_TRANSLATE_CRLF and clean up console driver
   - socionext/uniphier: Replace DIV_ROUND_UP() with div_round_up() from utils_def.h

   - st/stm32mp: Split stm32mp_io_setup function, move stm32_get_gpio_bank_clock() to private
     file, correctly handle Clock Spreading Generator, move oscillator functions to generic file,
     realign device tree files with internal devs, enable RTCAPB clock for dual-core chips, use a
     common function to check spinlock is available, move check_header() to common code

   - ti/k3: Enable SEPARATE_CODE_AND_RODATA by default, Remove shared RAM space,
     Drop _ADDRESS from K3_USART_BASE to match other defines, Remove MSMC port
     definitions, Allow USE_COHERENT_MEM for K3, Set L2 latency on A72 cores

- PSCI
   - PSCI: Lookup list of parent nodes to lock only once

- Secure Partition Manager (SPM): SPCI Prototype
   - Fix service UUID lookup

   - Adjust size of virtual address space per partition

   - Refactor xlat context creation

   - Move shim layer to TTBR1_EL1

   - Ignore empty regions in resource description

- Security
   - Refactor SPSR initialisation code
   - SMMUv3: Abort DMA transactions
      - For security, DMA should be blocked at the SMMU by default unless explicitly
        enabled for a device. The SMMU is disabled after reset with all streams bypassing
        the SMMU, and aborting all incoming transactions implements a default deny
        policy on reset.
      - Moves ``bl1_platform_setup()`` function from arm_bl1_setup.c to FVP platforms'
        fvp_bl1_setup.c and fvp_ve_bl1_setup.c files.

- Tools
   - cert_create: Remove RSA PKCS#1 v1.5 support


Resolved Issues
^^^^^^^^^^^^^^^

- Architecture
   - Fix the CAS spinlock implementation by adding a missing DSB in ``spin_unlock()``

   - AArch64: Fix SCTLR bit definitions
      - Removes incorrect ``SCTLR_V_BIT`` definition and adds definitions for
        ARMv8.3-Pauth `EnIB`, `EnDA` and `EnDB` bits.

   - Fix restoration of PAuth context
      - Replace call to ``pauth_context_save()`` with ``pauth_context_restore()`` in
        case of unknown SMC call.

- BL-Specific Issues
   - Fix BL31 crash reporting on AArch64 only platforms

- Build System
   - Remove several warnings reported with W=2 and W=1

- Code Quality Issues
   - SCTLR and ACTLR are 32-bit for AArch32 and 64-bit for AArch64
   - Unify type of "cpu_idx" across PSCI module.
   - Assert if power level value greater than PSCI_INVALID_PWR_LVL
   - Unsigned long should not be used as per coding guidelines
   - Reduce the number of memory leaks in cert_create
   - Fix type of cot_desc_ptr
   - Use explicit-width data types in AAPCS parameter structs
   - Add python configuration for editorconfig
   - BL1: Fix type consistency

   - Enable -Wshift-overflow=2 to check for undefined shift behavior
   - Updated upstream platforms to not rely on undefined overflow behaviour

- Coverity Quality Issues
   - Remove GCC ignore -Warray-bounds
   - Fix Coverity #261967, Infinite loop
   - Fix Coverity #343017, Missing unlock
   - Fix Coverity #343008, Side effect in assertion
   - Fix Coverity #342970, Uninitialized scalar variable

- CPU Support
   - cortex-a12: Fix MIDR mask

- Drivers
   - console: Remove Arm console unregister on suspend

   - gicv3: Fix support for full SPI range

   - scmi: Fix wrong payload length

- Library Code
   - libc: Fix sparse warning for __assert()

   - libc: Fix memchr implementation

- Platforms
   - rpi: rpi3: Fix compilation error when stack protector is enabled

   - socionext/uniphier: Fix compilation fail for SPM support build config

   - st/stm32mp1: Fix TZC400 configuration against non-secure DDR

   - ti/k3: common: Fix RO data area size calculation

- Security
   - AArch32: Disable Secure Cycle Counter
      - Changes the implementation for disabling Secure Cycle Counter.
        For ARMv8.5 the counter gets disabled by setting ``SDCR.SCCD`` bit on
        CPU cold/warm boot. For the earlier architectures PMCR register is
        saved/restored on secure world entry/exit from/to Non-secure state,
        and cycle counting gets disabled by setting PMCR.DP bit.
   - AArch64: Disable Secure Cycle Counter
      - For ARMv8.5 the counter gets disabled by setting ``MDCR_EL3.SCCD`` bit on
        CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is
        saved/restored on secure world entry/exit from/to Non-secure state,
        and cycle counting gets disabled by setting PMCR_EL0.DP bit.

Deprecations
^^^^^^^^^^^^

- Common Code
   - Remove MULTI_CONSOLE_API flag and references to it

   - Remove deprecated `plat_crash_console_*`

   - Remove deprecated interfaces `get_afflvl_shift`, `mpidr_mask_lower_afflvls`, `eret`

   - AARCH32/AARCH64 macros are now deprecated in favor of ``__aarch64__``

   - ``__ASSEMBLY__`` macro is now deprecated in favor of ``__ASSEMBLER__``

- Drivers
   - console: Removed legacy console API
   - console: Remove deprecated finish_console_register

   - tzc: Remove deprecated types `tzc_action_t` and `tzc_region_attributes_t`

- Secure Partition Manager (SPM):
   - Prototype SPCI-based SPM (services/std_svc/spm) will be replaced with alternative
     methods of secure partitioning support.

Known Issues
^^^^^^^^^^^^

- Build System Issues
   - dtb: DTB creation not supported when building on a Windows host.

     This step in the build process is skipped when running on a Windows host. A
     known issue from the 1.6 release.

- Platform Issues
   - arm/juno: System suspend from Linux does not function as documented in the
     user guide

     Following the instructions provided in the user guide document does not
     result in the platform entering system suspend state as expected. A message
     relating to the hdlcd driver failing to suspend will be emitted on the
     Linux terminal.
   - mediatek/mt6795: This platform does not build in this release

Version 2.1
-----------

New Features
^^^^^^^^^^^^

- Architecture
   - Support for ARMv8.3 pointer authentication in the normal and secure worlds

     The use of pointer authentication in the normal world is enabled whenever
     architectural support is available, without the need for additional build
     flags.

     Use of pointer authentication in the secure world remains an
     experimental configuration at this time. Using both the ``ENABLE_PAUTH``
     and ``CTX_INCLUDE_PAUTH_REGS`` build flags, pointer authentication can be
     enabled in EL3 and S-EL1/0.

     See the :ref:`Firmware Design` document for additional details on the use
     of pointer authentication.

   - Enable Data Independent Timing (DIT) in EL3, where supported

- Build System
   - Support for BL-specific build flags

   - Support setting compiler target architecture based on ``ARM_ARCH_MINOR``
     build option.

   - New ``RECLAIM_INIT_CODE`` build flag:

     A significant amount of the code used for the initialization of BL31 is
     not needed again after boot time. In order to reduce the runtime memory
     footprint, the memory used for this code can be reclaimed after
     initialization.

     Certain boot-time functions were marked with the ``__init`` attribute to
     enable this reclamation.
- CPU Support
   - cortex-a76: Workaround for erratum 1073348
   - cortex-a76: Workaround for erratum 1220197
   - cortex-a76: Workaround for erratum 1130799

   - cortex-a75: Workaround for erratum 790748
   - cortex-a75: Workaround for erratum 764081

   - cortex-a73: Workaround for erratum 852427
   - cortex-a73: Workaround for erratum 855423

   - cortex-a57: Workaround for erratum 817169
   - cortex-a57: Workaround for erratum 814670

   - cortex-a55: Workaround for erratum 903758
   - cortex-a55: Workaround for erratum 846532
   - cortex-a55: Workaround for erratum 798797
   - cortex-a55: Workaround for erratum 778703
   - cortex-a55: Workaround for erratum 768277

   - cortex-a53: Workaround for erratum 819472
   - cortex-a53: Workaround for erratum 824069
   - cortex-a53: Workaround for erratum 827319

   - cortex-a17: Workaround for erratum 852423
   - cortex-a17: Workaround for erratum 852421

   - cortex-a15: Workaround for erratum 816470
   - cortex-a15: Workaround for erratum 827671

- Documentation
   - Exception Handling Framework documentation

   - Library at ROM (romlib) documentation

   - RAS framework documentation

   - Coding Guidelines document

- Drivers
   - ccn: Add API for setting and reading node registers
      - Adds ``ccn_read_node_reg`` function
      - Adds ``ccn_write_node_reg`` function

   - partition: Support MBR partition entries

   - scmi: Add ``plat_css_get_scmi_info`` function

     Adds a new API ``plat_css_get_scmi_info`` which lets the platform
     register a platform-specific instance of ``scmi_channel_plat_info_t`` and
     remove the default values

   - tzc380: Add TZC-380 TrustZone Controller driver

   - tzc-dmc620: Add driver to manage the TrustZone Controller within the
     DMC-620 Dynamic Memory Controller

- Library at ROM (romlib)
   - Add platform-specific jump table list

   - Allow patching of romlib functions

     This change allows patching of functions in the romlib. This can be done by
     adding "patch" at the end of the jump table entry for the function that
     needs to be patched in the file jmptbl.i.

- Library Code
   - Support non-LPAE-enabled MMU tables in AArch32

   - mmio: Add ``mmio_clrsetbits_16`` function
      - 16-bit variant of ``mmio_clrsetbits``

   - object_pool: Add Object Pool Allocator
      - Manages object allocation using a fixed-size static array
      - Adds ``pool_alloc`` and ``pool_alloc_n`` functions
      - Does not provide any functions to free allocated objects (by design)

   - libc: Added ``strlcpy`` function

   - libc: Import ``strrchr`` function from FreeBSD

   - xlat_tables: Add support for ARMv8.4-TTST

   - xlat_tables: Support mapping regions without an explicitly specified VA

- Math
   - Added softudiv macro to support software division

- Memory Partitioning And Monitoring (MPAM)
   - Enabled MPAM EL2 traps (``MPAMHCR_EL2`` and ``MPAM_EL2``)

- Platforms
   - amlogic: Add support for Meson S905 (GXBB)

   - arm/fvp_ve: Add support for FVP Versatile Express platform

   - arm/n1sdp: Add support for Neoverse N1 System Development platform

   - arm/rde1edge: Add support for Neoverse E1 platform

   - arm/rdn1edge: Add support for Neoverse N1 platform

   - arm: Add support for booting directly to Linux without an intermediate
     loader (AArch32)

   - arm/juno: Enable new CPU errata workarounds for A53 and A57

   - arm/juno: Add romlib support

     Building a combined BL1 and ROMLIB binary file with the correct page
     alignment is now supported on the Juno platform. When ``USE_ROMLIB`` is set
     for Juno, it generates the combined file ``bl1_romlib.bin`` which needs to
     be used instead of bl1.bin.
   - intel/stratix: Add support for Intel Stratix 10 SoC FPGA platform

   - marvell: Add support for Armada-37xx SoC platform

   - nxp: Add support for i.MX8M and i.MX7 Warp7 platforms

   - renesas: Add support for R-Car Gen3 platform

   - xilinx: Add support for Versal ACAP platforms

- Position-Independent Executable (PIE)

  PIE support has initially been added to BL31. The ``ENABLE_PIE`` build flag is
  used to enable or disable this functionality as required.

- Secure Partition Manager
   - New SPM implementation based on SPCI Alpha 1 draft specification

     A new version of SPM has been implemented, based on the SPCI (Secure
     Partition Client Interface) and SPRT (Secure Partition Runtime) draft
     specifications.

     The new implementation is a prototype that is expected to undergo intensive
     rework as the specifications change. It has basic support for multiple
     Secure Partitions and Resource Descriptions.

     The older version of SPM, based on MM (ARM Management Mode Interface
     Specification), is still present in the codebase. A new build flag,
     ``SPM_MM`` has been added to allow selection of the desired implementation.
     This flag defaults to 1, selecting the MM-based implementation.
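The ``object_pool`` entry under Library Code above describes an allocator that hands out objects from a fixed-size static array and, by design, never frees them. The C program below is an added illustration of that design and is not TF-A's ``lib/object_pool.h``: the macro and function names mirror the entry, but the ``struct mem_region`` payload, the pool size of four and the ``NULL`` return on exhaustion are this example's own choices (TF-A's ``pool_alloc_n()`` panics rather than returning). The point worth seeing is the bounds check: a request that does not fit is refused whole, never partially satisfied, and the subtraction form of the check cannot overflow because ``used`` never exceeds ``capacity``.

```c
/* Added example: a fixed-size object pool in the spirit of the TF-A
 * object_pool entry above. Names mirror that entry; the NULL return on
 * exhaustion, the payload type and the pool size are this example's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct object_pool {
	size_t obj_size;  /* size of one object in bytes */
	size_t capacity;  /* number of objects in the backing array */
	size_t used;      /* objects handed out so far; never decreases */
	void *objects;    /* backing storage: a static array */
};

/* Declare a pool `name` backed by a static array of `n` objects of `type`. */
#define OBJECT_POOL_ARRAY(name, type, n)                              \
	static type name##_storage[n];                                \
	static struct object_pool name = {                            \
		.obj_size = sizeof(type), .capacity = (n),            \
		.used = 0, .objects = name##_storage }

/* Hand out `n` contiguous objects, or NULL if the request cannot be met.
 * `capacity - used` cannot underflow because used <= capacity always. */
static void *pool_alloc_n(struct object_pool *pool, size_t n)
{
	if (n == 0 || n > pool->capacity - pool->used)
		return NULL;
	void *obj = (char *)pool->objects + pool->used * pool->obj_size;
	pool->used += n;
	return obj;
}

static void *pool_alloc(struct object_pool *pool)
{
	return pool_alloc_n(pool, 1);
}

/* Constructed payload: a memory region descriptor. */
struct mem_region {
	uintptr_t base;
	size_t size;
};

OBJECT_POOL_ARRAY(region_pool, struct mem_region, 4);

/* Scripted sequence against the 4-slot pool; returns how many requests
 * succeeded. Expected: 3 (2 + 1 + 1). The 2-object request is refused when
 * only one slot remains, and the last single request is refused once the
 * pool is exhausted. */
static int demo_object_pool(void)
{
	int ok = 0;
	struct mem_region *a = pool_alloc_n(&region_pool, 2);  /* slots 0-1 */
	struct mem_region *b = pool_alloc(&region_pool);       /* slot 2 */

	if (a != NULL) {
		a[0].base = 0x80000000u; a[0].size = 0x1000;
		a[1].base = 0x80001000u; a[1].size = 0x1000;
		ok++;
	}
	if (a != NULL && b != NULL && b == a + 2) {  /* carved out sequentially */
		b->base = 0x90000000u; b->size = 0x2000;
		ok++;
	}
	if (pool_alloc_n(&region_pool, 2) != NULL)   /* 2 > 1 free: refused */
		ok++;
	if (pool_alloc(&region_pool) != NULL)        /* slot 3: the last one */
		ok++;
	if (pool_alloc(&region_pool) != NULL)        /* exhausted: refused */
		ok++;
	return ok;
}

int main(void)
{
	printf("successful allocations: %d, slots used: %zu of %zu\n",
	       demo_object_pool(), region_pool.used, region_pool.capacity);
	return 0;
}
```

Because nothing is ever returned to the pool, ``used`` only grows; a caller that needs a bounded, leak-free allocator for boot-time structures gets exactly that, and exhaustion is a hard stop rather than a silent reuse of memory.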
- Security
   - Spectre Variant-1 mitigations (``CVE-2017-5753``)

   - Use Speculative Store Bypass Safe (SSBS) functionality where available

     Provides mitigation against ``CVE-2018-19440`` (Not saving x0 to x3
     registers can leak information from one Normal World SMC client to another)


Changed
^^^^^^^

- Build System
   - Warning levels are now selectable with ``W=<1,2,3>``

   - Removed unneeded include paths in PLAT_INCLUDES

   - "Warnings as errors" (Werror) can be disabled using ``E=0``

   - Support totally quiet output with ``-s`` flag

   - Support passing options to checkpatch using ``CHECKPATCH_OPTS=<opts>``

   - Invoke host compiler with ``HOSTCC / HOSTCCFLAGS`` instead of ``CC / CFLAGS``

   - Make device tree pre-processing similar to U-boot/Linux by:
      - Creating separate ``CPPFLAGS`` for DT preprocessing so that compiler
        options specific to it can be accommodated.
      - Replacing ``CPP`` with ``PP`` for DT pre-processing

- CPU Support
   - Errata report function definition is now mandatory for CPU support files

     CPU operation files must now define a ``<name>_errata_report`` function to
     print errata status. This is no longer a weak reference.

- Documentation
   - Migrated some content from GitHub wiki to ``docs/`` directory

   - Security advisories now have CVE links

   - Updated copyright guidelines

- Drivers
   - console: The ``MULTI_CONSOLE_API`` framework has been rewritten in C

   - console: Ported multi-console driver to AArch32

   - gic: Remove 'lowest priority' constants

     Removed ``GIC_LOWEST_SEC_PRIORITY`` and ``GIC_LOWEST_NS_PRIORITY``.
     Platforms should define these if required, or instead determine the correct
     priority values at runtime.
   - delay_timer: Check that the Generic Timer extension is present

   - mmc: Increase command reply timeout to 10 milliseconds

   - mmc: Poll eMMC device status to ensure ``EXT_CSD`` command completion

   - mmc: Correctly check return code from ``mmc_fill_device_info``

- External Libraries

   - libfdt: Upgraded from 1.4.2 to 1.4.6-9

   - mbed TLS: Upgraded from 2.12 to 2.16

     This change incorporates fixes for security issues that should be reviewed
     to determine if they are relevant for software implementations using
     Trusted Firmware-A. See the `mbed TLS releases`_ page for details on
     changes from the 2.12 to the 2.16 release.

- Library Code
   - compiler-rt: Updated ``lshrdi3.c`` and ``int_lib.h`` with changes from
     LLVM master branch (r345645)

   - cpu: Updated macro that checks need for ``CVE-2017-5715`` mitigation

   - libc: Made setjmp and longjmp C standard compliant

   - libc: Allowed overriding the default libc (use ``OVERRIDE_LIBC``)

   - libc: Moved setjmp and longjmp to the ``libc/`` directory

- Platforms
   - Removed Mbed TLS dependency from plat_bl_common.c

   - arm: Removed unused ``ARM_MAP_BL_ROMLIB`` macro

   - arm: Removed ``ARM_BOARD_OPTIMISE_MEM`` feature and build flag

   - arm: Moved several components into ``drivers/`` directory

     This affects the SDS, SCP, SCPI, MHU and SCMI components

   - arm/juno: Increased maximum BL2 image size to ``0xF000``

     This change was required to accommodate a larger ``libfdt`` library

- SCMI
   - Optimized bakery locks when hardware-assisted coherency is enabled using the
     ``HW_ASSISTED_COHERENCY`` build flag

- SDEI
   - Added support for unconditionally resuming secure world execution after
     |SDEI| event processing completes

     |SDEI| interrupts, although targeting EL3, occur on behalf of the non-secure
     world, and may have higher priority than secure world
     interrupts. Therefore they might preempt secure execution and yield
     execution to the non-secure |SDEI| handler. Upon completion of |SDEI| event
     handling, resume secure execution if it was preempted.

- Translation Tables (XLAT)
   - Dynamically detect need for ``Common not Private (TTBRn_ELx.CnP)`` bit

     Properly handle the case where ``ARMv8.2-TTCNP`` is implemented in a CPU
     that does not implement all mandatory v8.2 features (and so must claim to
     implement a lower architecture version).


Resolved Issues
^^^^^^^^^^^^^^^

- Architecture
   - Incorrect check for SSBS feature detection

   - Unintentional register clobber in AArch32 reset_handler function

- Build System
   - Dependency issue during DTB image build

   - Incorrect variable expansion in Arm platform makefiles

   - Building on Windows with verbose mode (``V=1``) enabled is broken

   - AArch32 compilation flags are missing ``$(march32-directive)``

- BL-Specific Issues
   - bl2: ``uintptr_t is not defined`` error when ``BL2_IN_XIP_MEM`` is defined

   - bl2: Missing prototype warning in ``bl2_arch_setup``

   - bl31: Omission of Global Offset Table (GOT) section

- Code Quality Issues
   - Multiple MISRA compliance issues

   - Potential NULL pointer dereference (Coverity-detected)

- Drivers
   - mmc: Local declaration of ``scr`` variable causes a cache issue when
     invalidating after the read DMA transfer completes

   - mmc: ``ACMD41`` does not send voltage information during initialization,
     resulting in the command being treated as a query. This prevents the
     command from initializing the controller.
   - mmc: When checking device state using ``mmc_device_state()`` there are no
     retries attempted in the event of an error

   - ccn: Incorrect Region ID calculation for RN-I nodes

   - console: Fix ``MULTI_CONSOLE_API`` when used as a crash console

   - partition: Improper NULL checking in gpt.c

   - partition: Compilation failure in ``VERBOSE`` mode (``V=1``)

- Library Code
   - common: Incorrect check for Address Authentication support

   - xlat: Fix XLAT_V1 / XLAT_V2 incompatibility

     The file ``arm_xlat_tables.h`` has been renamed to ``xlat_tables_compat.h``
     and has been moved to a common folder. This header can be used to guarantee
     compatibility, as it includes the correct header based on
     ``XLAT_TABLES_LIB_V2``.

   - xlat: armclang unused-function warning on ``xlat_clean_dcache_range``

   - xlat: Invalid ``mm_cursor`` checks in ``mmap_add`` and ``mmap_add_ctx``

   - sdei: Missing ``context.h`` header

- Platforms
   - common: Missing prototype warning for ``plat_log_get_prefix``

   - arm: Insufficient maximum BL33 image size

   - arm: Potential memory corruption during BL2-BL31 transition

     On Arm platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
     descriptors describing the list of executable images are created in BL2
     R/W memory, which could later be corrupted by BL31/BL32 because of that
     overlay. This patch creates a reserved location in SRAM for these
     descriptors, which BL2 copies over before handing over to the next BL
     image.

   - juno: Invalid behaviour when ``CSS_USE_SCMI_SDS_DRIVER`` is not set

     In ``juno_pm.c`` the ``css_scmi_override_pm_ops`` function was used
     regardless of whether the build flag was set. The original behaviour has
     been restored in the case where the build flag is not set.
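The BL2-to-BL31 transition entry above records a classic hand-over hazard: a data structure that the next stage will read was built in memory that the next stage's own load overwrites. The C program below is an added model of that hazard and of the fix, not TF-A's code: the memory layout, the ``struct image_desc`` fields, the image ids and addresses are all constructed for the example. It runs the hand-over twice, once passing BL31 a pointer into BL2's R/W memory and once passing a pointer into a reserved area that the overlay does not touch, and reports whether the descriptor list survived.

```c
/* Added example modelling the hand-over problem described above: BL2 builds
 * the executable-image descriptor list in its own R/W memory, which a later
 * image (BL31/BL32) may overlay, so the list is copied into a reserved region
 * that no later image overlaps before control is passed on. The memory
 * layout, sizes, ids and names are this example's own; they are not TF-A's. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_IMAGES 2

struct image_desc {
	unsigned int image_id;
	uintptr_t load_addr;
	size_t image_size;
};

/* BL2's R/W memory. The union keeps the descriptor view aligned while
 * letting the overlay be simulated as a raw byte fill. */
static union {
	struct image_desc descs[MAX_IMAGES];
	uint8_t raw[sizeof(struct image_desc) * MAX_IMAGES];
} bl2_rw_mem;

/* Reserved SRAM that is carved out of every later image's load region. */
static struct image_desc reserved_descs[MAX_IMAGES];

/* Constructed reference values for the two images BL2 hands over. */
static const struct image_desc expected[MAX_IMAGES] = {
	{ .image_id = 3, .load_addr = 0x04010000u, .image_size = 0x10000 },
	{ .image_id = 5, .load_addr = 0x80000000u, .image_size = 0x80000 },
};

/* BL2 builds the list where it is convenient: in its own R/W memory. */
static struct image_desc *bl2_build_desc_list(void)
{
	memcpy(bl2_rw_mem.descs, expected, sizeof(expected));
	return bl2_rw_mem.descs;
}

/* The fix: copy the list into the reserved area and hand over that pointer. */
static struct image_desc *bl2_preserve_desc_list(const struct image_desc *list)
{
	memcpy(reserved_descs, list, sizeof(reserved_descs));
	return reserved_descs;
}

/* Loading the next image clobbers BL2's memory (simulated with a byte fill). */
static void load_next_image_over_bl2(void)
{
	memset(bl2_rw_mem.raw, 0xA5, sizeof(bl2_rw_mem.raw));
}

/* BL31-side check: does the list it received still describe the images?
 * Byte comparison is valid here because both copies were made with memcpy
 * from the same zero-padded constant. */
static int desc_list_is_intact(const struct image_desc *list)
{
	return memcmp(list, expected, sizeof(expected)) == 0;
}

/* Pre-fix flow: BL31 receives a pointer into BL2 memory. Returns 1 if intact. */
static int handover_without_reservation(void)
{
	struct image_desc *list = bl2_build_desc_list();
	load_next_image_over_bl2();
	return desc_list_is_intact(list);
}

/* Fixed flow: the list is copied to reserved SRAM first. Returns 1 if intact. */
static int handover_with_reservation(void)
{
	struct image_desc *list = bl2_preserve_desc_list(bl2_build_desc_list());
	load_next_image_over_bl2();
	return desc_list_is_intact(list);
}

int main(void)
{
	printf("without reservation: %s\n",
	       handover_without_reservation() ? "intact" : "corrupted");
	printf("with reservation:    %s\n",
	       handover_with_reservation() ? "intact" : "corrupted");
	return 0;
}
```

The defensive rule the model makes visible is that anything handed across a stage boundary must live in memory whose lifetime the receiver controls; a pointer into the sender's soon-to-be-reused memory is a latent corruption even when every individual load is correct.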
- Tools
   - fiptool: Incorrect UUID parsing of blob parameters

   - doimage: Incorrect object rules in Makefile


Deprecations
^^^^^^^^^^^^

- Common Code
   - ``plat_crash_console_init`` function

   - ``plat_crash_console_putc`` function

   - ``plat_crash_console_flush`` function

   - ``finish_console_register`` macro

- AArch64-specific Code
   - helpers: ``get_afflvl_shift``

   - helpers: ``mpidr_mask_lower_afflvls``

   - helpers: ``eret``

- Secure Partition Manager (SPM)
   - Boot-info structure


Known Issues
^^^^^^^^^^^^

- Build System Issues
   - dtb: DTB creation not supported when building on a Windows host.

     This step in the build process is skipped when running on a Windows host. A
     known issue from the 1.6 release.

- Platform Issues
   - arm/juno: System suspend from Linux does not function as documented in the
     user guide

     Following the instructions provided in the user guide document does not
     result in the platform entering system suspend state as expected. A message
     relating to the hdlcd driver failing to suspend will be emitted on the
     Linux terminal.

   - arm/juno: The firmware update use-cases do not work with motherboard
     firmware version < v1.5.0 (the reset reason is not preserved). The Linaro
     18.04 release has MB v1.4.9. The MB v1.5.0 is available in Linaro 18.10
     release.

   - mediatek/mt6795: This platform does not build in this release

Version 2.0
-----------

New Features
^^^^^^^^^^^^

- Removal of a number of deprecated APIs

   - A new Platform Compatibility Policy document has been created which
     references a wiki page that maintains a listing of deprecated
     interfaces and the release after which they will be removed.

   - All deprecated interfaces except the MULTI_CONSOLE_API have been removed
     from the code base.
   - Various Arm and partner platforms have been updated to remove the use of
     removed APIs in this release.

   - This release is otherwise unchanged from 1.6 release

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- No issues known at 1.6 release resolved in 2.0 release

Known Issues
^^^^^^^^^^^^

- DTB creation not supported when building on a Windows host. This step in the
  build process is skipped when running on a Windows host. Known issue from
  1.6 version.

- As a result of removal of deprecated interfaces the Nvidia Tegra, Marvell
  Armada 8K and MediaTek MT6795 platforms do not build in this release.
  Also MediaTek MT8173, NXP QorIQ LS1043A, NXP i.MX8QX, NXP i.MX8QMa,
  Rockchip RK3328, Rockchip RK3368 and Rockchip RK3399 platforms have not been
  confirmed to be working after the removal of the deprecated interfaces
  although they do build.

Version 1.6
-----------

New Features
^^^^^^^^^^^^

- Addressing Speculation Security Vulnerabilities

   - Implement static workaround for CVE-2018-3639 for AArch32 and AArch64

   - Add support for dynamic mitigation for CVE-2018-3639

   - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76

   - Ensure |SDEI| handler executes with CVE-2018-3639 mitigation enabled

- Introduce RAS handling on AArch64

   - Some RAS extensions are mandatory for Armv8.2 CPUs, with others
     mandatory for Armv8.4 CPUs; however, all extensions are also optional
     extensions to the base Armv8.0 architecture.

   - The Armv8 RAS Extensions introduced Standard Error Records which are a
     set of standard registers to configure RAS node policy and allow RAS
     Nodes to record and expose error information for error handling agents.
935 936 - Capabilities are provided to support RAS Node enumeration and iteration 937 along with individual interrupt registrations and fault injections 938 support. 939 940 - Introduce handlers for Uncontainable errors, Double Faults and EL3 941 External Aborts 942 943- Enable Memory Partitioning And Monitoring (MPAM) for lower EL's 944 945 - Memory Partitioning And Monitoring is an Armv8.4 feature that enables 946 various memory system components and resources to define partitions. 947 Software running at various ELs can then assign themselves to the 948 desired partition to control their performance aspects. 949 950 - When ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows 951 lower ELs to access their own MPAM registers without trapping to EL3. 952 This patch however, doesn't make use of partitioning in EL3; platform 953 initialisation code should configure and use partitions in EL3 if 954 required. 955 956- Introduce ROM Lib Feature 957 958 - Support combining several libraries into a self-called "romlib" image, 959 that may be shared across images to reduce memory footprint. The romlib 960 image is stored in ROM but is accessed through a jump-table that may be 961 stored in read-write memory, allowing for the library code to be patched. 962 963- Introduce Backtrace Feature 964 965 - This function displays the backtrace, the current EL and security state 966 to allow a post-processing tool to choose the right binary to interpret 967 the dump. 968 969 - Print backtrace in assert() and panic() to the console. 
970 971- Code hygiene changes and alignment with MISRA C-2012 guideline with fixes 972 addressing issues complying to the following rules: 973 974 - MISRA rules 4.9, 5.1, 5.3, 5.7, 8.2-8.5, 8.8, 8.13, 9.3, 10.1, 975 10.3-10.4, 10.8, 11.3, 11.6, 12.1, 14.4, 15.7, 16.1-16.7, 17.7-17.8, 976 20.7, 20.10, 20.12, 21.1, 21.15, 22.7 977 978 - Clean up the usage of void pointers to access symbols 979 980 - Increase usage of static qualifier to locally used functions and data 981 982 - Migrated to use of u_register_t for register read/write to better 983 match AArch32 and AArch64 type sizes 984 985 - Use int-ll64 for both AArch32 and AArch64 to assist in consistent 986 format strings between architectures 987 988 - Clean up TF-A libc by removing non arm copyrighted implementations 989 and replacing them with modified FreeBSD and SCC implementations 990 991- Various changes to support Clang linker and assembler 992 993 - The clang assembler/preprocessor is used when Clang is selected. However, 994 the clang linker is not used because it is unable to link TF-A objects 995 due to immaturity of clang linker functionality at this time. 996 997- Refactor support APIs into Libraries 998 999 - Evolve libfdt, mbed TLS library and standard C library sources as 1000 proper libraries that TF-A may be linked against. 
1001 1002- CPU Enhancements 1003 1004 - Add CPU support for Cortex-Ares and Cortex-A76 1005 1006 - Add AMU support for Cortex-Ares 1007 1008 - Add initial CPU support for Cortex-Deimos 1009 1010 - Add initial CPU support for Cortex-Helios 1011 1012 - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76 1013 1014 - Implement Cortex-Ares erratum 1043202 workaround 1015 1016 - Implement DSU erratum 936184 workaround 1017 1018 - Check presence of fix for errata 843419 in Cortex-A53 1019 1020 - Check presence of fix for errata 835769 in Cortex-A53 1021 1022- Translation Tables Enhancements 1023 1024 - The xlat v2 library has been refactored in order to be reused by 1025 different TF components at different EL's including the addition of EL2. 1026 Some refactoring to make the code more generic and less specific to TF, 1027 in order to reuse the library outside of this project. 1028 1029- SPM Enhancements 1030 1031 - General cleanups and refactoring to pave the way to multiple partitions 1032 support 1033 1034- SDEI Enhancements 1035 1036 - Allow platforms to define explicit events 1037 1038 - Determine client EL from NS context's SCR_EL3 1039 1040 - Make dispatches synchronous 1041 1042 - Introduce jump primitives for BL31 1043 1044 - Mask events after CPU wakeup in |SDEI| dispatcher to conform to the 1045 specification 1046 1047- Misc TF-A Core Common Code Enhancements 1048 1049 - Add support for eXecute In Place (XIP) memory in BL2 1050 1051 - Add support for the SMC Calling Convention 2.0 1052 1053 - Introduce External Abort handling on AArch64 1054 External Abort routed to EL3 was reported as an unhandled exception 1055 and caused a panic. This change enables Trusted Firmware-A to handle 1056 External Aborts routed to EL3. 1057 1058 - Save value of ACTLR_EL1 implementation-defined register in the CPU 1059 context structure rather than forcing it to 0. 
1060 1061 - Introduce ARM_LINUX_KERNEL_AS_BL33 build option, which allows BL31 to 1062 directly jump to a Linux kernel. This makes for a quicker and simpler 1063 boot flow, which might be useful in some test environments. 1064 1065 - Add dynamic configurations for BL31, BL32 and BL33 enabling support for 1066 Chain of Trust (COT). 1067 1068 - Make TF UUID RFC 4122 compliant 1069 1070- New Platform Support 1071 1072 - Arm SGI-575 1073 1074 - Arm SGM-775 1075 1076 - Allwinner sun50i_64 1077 1078 - Allwinner sun50i_h6 1079 1080 - NXP QorIQ LS1043A 1081 1082 - NXP i.MX8QX 1083 1084 - NXP i.MX8QM 1085 1086 - NXP i.MX7Solo WaRP7 1087 1088 - TI K3 1089 1090 - Socionext Synquacer SC2A11 1091 1092 - Marvell Armada 8K 1093 1094 - STMicroelectronics STM32MP1 1095 1096- Misc Generic Platform Common Code Enhancements 1097 1098 - Add MMC framework that supports both eMMC and SD card devices 1099 1100- Misc Arm Platform Common Code Enhancements 1101 1102 - Demonstrate PSCI MEM_PROTECT from el3_runtime 1103 1104 - Provide RAS support 1105 1106 - Migrate AArch64 port to the multi console driver. The old API is 1107 deprecated and will eventually be removed. 1108 1109 - Move BL31 below BL2 to enable BL2 overlay resulting in changes in the 1110 layout of BL images in memory to enable more efficient use of available 1111 space. 1112 1113 - Add cpp build processing for dtb that allows processing device tree 1114 with external includes. 
1115 1116 - Extend FIP io driver to support multiple FIP devices 1117 1118 - Add support for SCMI AP core configuration protocol v1.0 1119 1120 - Use SCMI AP core protocol to set the warm boot entrypoint 1121 1122 - Add support to Mbed TLS drivers for shared heap among different 1123 BL images to help optimise memory usage 1124 1125 - Enable non-secure access to UART1 through a build option to support 1126 a serial debug port for debugger connection 1127 1128- Enhancements for Arm Juno Platform 1129 1130 - Add support for TrustZone Media Protection 1 (TZMP1) 1131 1132- Enhancements for Arm FVP Platform 1133 1134 - Dynamic_config: remove the FVP dtb files 1135 1136 - Set DYNAMIC_WORKAROUND_CVE_2018_3639=1 on FVP by default 1137 1138 - Set the ability to dynamically disable Trusted Boot Board 1139 authentication to be off by default with DYN_DISABLE_AUTH 1140 1141 - Add librom enhancement support in FVP 1142 1143 - Support shared Mbed TLS heap between BL1 and BL2 that allow a 1144 reduction in BL2 size for FVP 1145 1146- Enhancements for Arm SGI/SGM Platform 1147 1148 - Enable ARM_PLAT_MT flag for SGI-575 1149 1150 - Add dts files to enable support for dynamic config 1151 1152 - Add RAS support 1153 1154 - Support shared Mbed TLS heap for SGI and SGM between BL1 and BL2 1155 1156- Enhancements for Non Arm Platforms 1157 1158 - Raspberry Pi Platform 1159 1160 - Hikey Platforms 1161 1162 - Xilinx Platforms 1163 1164 - QEMU Platform 1165 1166 - Rockchip rk3399 Platform 1167 1168 - TI Platforms 1169 1170 - Socionext Platforms 1171 1172 - Allwinner Platforms 1173 1174 - NXP Platforms 1175 1176 - NVIDIA Tegra Platform 1177 1178 - Marvell Platforms 1179 1180 - STMicroelectronics STM32MP1 Platform 1181 1182Issues resolved since last release 1183^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1184 1185- No issues known at 1.5 release resolved in 1.6 release 1186 1187Known Issues 1188^^^^^^^^^^^^ 1189 1190- DTB creation not supported when building on a Windows host. 
This step in the 1191 build process is skipped when running on a Windows host. Known issue from 1192 1.5 version. 1193 1194Version 1.5 1195----------- 1196 1197New features 1198^^^^^^^^^^^^ 1199 1200- Added new firmware support to enable RAS (Reliability, Availability, and 1201 Serviceability) functionality. 1202 1203 - Secure Partition Manager (SPM): A Secure Partition is a software execution 1204 environment instantiated in S-EL0 that can be used to implement simple 1205 management and security services. The SPM is the firmware component that 1206 is responsible for managing a Secure Partition. 1207 1208 - SDEI dispatcher: Support for interrupt-based |SDEI| events and all 1209 interfaces as defined by the |SDEI| specification v1.0, see 1210 `SDEI Specification`_ 1211 1212 - Exception Handling Framework (EHF): Framework that allows dispatching of 1213 EL3 interrupts to their registered handlers which are registered based on 1214 their priorities. Facilitates firmware-first error handling policy where 1215 asynchronous exceptions may be routed to EL3. 1216 1217 Integrated the TSPD with EHF. 1218 1219- Updated PSCI support: 1220 1221 - Implemented PSCI v1.1 optional features `MEM_PROTECT` and `SYSTEM_RESET2`. 1222 The supported PSCI version was updated to v1.1. 1223 1224 - Improved PSCI STAT timestamp collection, including moving accounting for 1225 retention states to be inside the locks and fixing handling of wrap-around 1226 when calculating residency in AArch32 execution state. 1227 1228 - Added optional handler for early suspend that executes when suspending to 1229 a power-down state and with data caches enabled. 1230 1231 This may provide a performance improvement on platforms where it is safe 1232 to perform some or all of the platform actions from `pwr_domain_suspend` 1233 with the data caches enabled. 1234 1235- Enabled build option, BL2_AT_EL3, for BL2 to allow execution at EL3 without 1236 any dependency on TF BL1. 
1237 1238 This allows platforms which already have a non-TF Boot ROM to directly load 1239 and execute BL2 and subsequent BL stages without need for BL1. This was not 1240 previously possible because BL2 executes at S-EL1 and cannot jump straight to 1241 EL3. 1242 1243- Implemented support for SMCCC v1.1, including `SMCCC_VERSION` and 1244 `SMCCC_ARCH_FEATURES`. 1245 1246 Additionally, added support for `SMCCC_VERSION` in PSCI features to enable 1247 discovery of the SMCCC version via PSCI feature call. 1248 1249- Added Dynamic Configuration framework which enables each of the boot loader 1250 stages to be dynamically configured at runtime if required by the platform. 1251 The boot loader stage may optionally specify a firmware configuration file 1252 and/or hardware configuration file that can then be shared with the next boot 1253 loader stage. 1254 1255 Introduced a new BL handover interface that essentially allows passing of 4 1256 arguments between the different BL stages. 1257 1258 Updated cert_create and fip_tool to support the dynamic configuration files. 1259 The COT also updated to support these new files. 1260 1261- Code hygiene changes and alignment with MISRA guideline: 1262 1263 - Fix use of undefined macros. 1264 1265 - Achieved compliance with Mandatory MISRA coding rules. 1266 1267 - Achieved compliance for following Required MISRA rules for the default 1268 build configurations on FVP and Juno platforms : 7.3, 8.3, 8.4, 8.5 and 1269 8.8. 1270 1271- Added support for Armv8.2-A architectural features: 1272 1273 - Updated translation table set-up to set the CnP (Common not Private) bit 1274 for secure page tables so that multiple PEs in the same Inner Shareable 1275 domain can use the same translation table entries for a given stage of 1276 translation in a particular translation regime. 1277 1278 - Extended the supported values of ID_AA64MMFR0_EL1.PARange to include the 1279 52-bit Physical Address range. 
1280 1281 - Added support for the Scalable Vector Extension to allow Normal world 1282 software to access SVE functionality but disable access to SVE, SIMD and 1283 floating point functionality from the Secure world in order to prevent 1284 corruption of the Z-registers. 1285 1286- Added support for Armv8.4-A architectural feature Activity Monitor Unit (AMU) 1287 extensions. 1288 1289 In addition to the v8.4 architectural extension, AMU support on Cortex-A75 1290 was implemented. 1291 1292- Enhanced OP-TEE support to enable use of pageable OP-TEE image. The Arm 1293 standard platforms are updated to load up to 3 images for OP-TEE; header, 1294 pager image and paged image. 1295 1296 The chain of trust is extended to support the additional images. 1297 1298- Enhancements to the translation table library: 1299 1300 - Introduced APIs to get and set the memory attributes of a region. 1301 1302 - Added support to manage both privilege levels in translation regimes that 1303 describe translations for 2 Exception levels, specifically the EL1&0 1304 translation regime, and extended the memory map region attributes to 1305 include specifying Non-privileged access. 1306 1307 - Added support to specify the granularity of the mappings of each region, 1308 for instance a 2MB region can be specified to be mapped with 4KB page 1309 tables instead of a 2MB block. 1310 1311 - Disabled the higher VA range to avoid unpredictable behaviour if there is 1312 an attempt to access addresses in the higher VA range. 1313 1314 - Added helpers for Device and Normal memory MAIR encodings that align with 1315 the Arm Architecture Reference Manual for Armv8-A (Arm DDI0487B.b). 
1316 1317 - Code hygiene including fixing type length and signedness of constants, 1318 refactoring of function to enable the MMU, removing all instances where 1319 the virtual address space is hardcoded and added comments that document 1320 alignment needed between memory attributes and attributes specified in 1321 TCR_ELx. 1322 1323- Updated GIC support: 1324 1325 - Introduce new APIs for GICv2 and GICv3 that provide the capability to 1326 specify interrupt properties rather than list of interrupt numbers alone. 1327 The Arm platforms and other upstream platforms are migrated to use 1328 interrupt properties. 1329 1330 - Added helpers to save / restore the GICv3 context, specifically the 1331 Distributor and Redistributor contexts and architectural parts of the ITS 1332 power management. The Distributor and Redistributor helpers also support 1333 the implementation-defined part of GIC-500 and GIC-600. 1334 1335 Updated the Arm FVP platform to save / restore the GICv3 context on system 1336 suspend / resume as an example of how to use the helpers. 1337 1338 Introduced a new TZC secured DDR carve-out for use by Arm platforms for 1339 storing EL3 runtime data such as the GICv3 register context. 1340 1341- Added support for Armv7-A architecture via build option ARM_ARCH_MAJOR=7. 1342 This includes following features: 1343 1344 - Updates GICv2 driver to manage GICv1 with security extensions. 1345 1346 - Software implementation for 32bit division. 1347 1348 - Enabled use of generic timer for platforms that do not set 1349 ARM_CORTEX_Ax=yes. 1350 1351 - Support for Armv7-A Virtualization extensions [DDI0406C_C]. 1352 1353 - Support for both Armv7-A platforms that only have 32-bit addressing and 1354 Armv7-A platforms that support large page addressing. 1355 1356 - Included support for following Armv7 CPUs: Cortex-A12, Cortex-A17, 1357 Cortex-A7, Cortex-A5, Cortex-A9, Cortex-A15. 1358 1359 - Added support in QEMU for Armv7-A/Cortex-A15. 
1360 1361- Enhancements to Firmware Update feature: 1362 1363 - Updated the FWU documentation to describe the additional images needed for 1364 Firmware update, and how they are used for both the Juno platform and the 1365 Arm FVP platforms. 1366 1367- Enhancements to Trusted Board Boot feature: 1368 1369 - Added support to cert_create tool for RSA PKCS1# v1.5 and SHA384, SHA512 1370 and SHA256. 1371 1372 - For Arm platforms added support to use ECDSA keys. 1373 1374 - Enhanced the mbed TLS wrapper layer to include support for both RSA and 1375 ECDSA to enable runtime selection between RSA and ECDSA keys. 1376 1377- Added support for secure interrupt handling in AArch32 sp_min, hardcoded to 1378 only handle FIQs. 1379 1380- Added support to allow a platform to load images from multiple boot sources, 1381 for example from a second flash drive. 1382 1383- Added a logging framework that allows platforms to reduce the logging level 1384 at runtime and additionally the prefix string can be defined by the platform. 1385 1386- Further improvements to register initialisation: 1387 1388 - Control register PMCR_EL0 / PMCR is set to prohibit cycle counting in the 1389 secure world. This register is added to the list of registers that are 1390 saved and restored during world switch. 1391 1392 - When EL3 is running in AArch32 execution state, the Non-secure version of 1393 SCTLR is explicitly initialised during the warmboot flow rather than 1394 relying on the hardware to set the correct reset values. 1395 1396- Enhanced support for Arm platforms: 1397 1398 - Introduced driver for Shared-Data-Structure (SDS) framework which is used 1399 for communication between SCP and the AP CPU, replacing Boot-Over_MHU 1400 (BOM) protocol. 1401 1402 The Juno platform is migrated to use SDS with the SCMI support added in 1403 v1.3 and is set as default. 1404 1405 The driver can be found in the plat/arm/css/drivers folder. 
1406 1407 - Improved memory usage by only mapping TSP memory region when the TSPD has 1408 been included in the build. This reduces the memory footprint and avoids 1409 unnecessary memory being mapped. 1410 1411 - Updated support for multi-threading CPUs for FVP platforms - always check 1412 the MT field in MPDIR and access the bit fields accordingly. 1413 1414 - Support building for platforms that model DynamIQ configuration by 1415 implementing all CPUs in a single cluster. 1416 1417 - Improved nor flash driver, for instance clearing status registers before 1418 sending commands. Driver can be found plat/arm/board/common folder. 1419 1420- Enhancements to QEMU platform: 1421 1422 - Added support for TBB. 1423 1424 - Added support for using OP-TEE pageable image. 1425 1426 - Added support for LOAD_IMAGE_V2. 1427 1428 - Migrated to use translation table library v2 by default. 1429 1430 - Added support for SEPARATE_CODE_AND_RODATA. 1431 1432- Applied workarounds CVE-2017-5715 on Arm Cortex-A57, -A72, -A73 and -A75, and 1433 for Armv7-A CPUs Cortex-A9, -A15 and -A17. 1434 1435- Applied errata workaround for Arm Cortex-A57: 859972. 1436 1437- Applied errata workaround for Arm Cortex-A72: 859971. 1438 1439- Added support for Poplar 96Board platform. 1440 1441- Added support for Raspberry Pi 3 platform. 1442 1443- Added Call Frame Information (CFI) assembler directives to the vector entries 1444 which enables debuggers to display the backtrace of functions that triggered 1445 a synchronous abort. 1446 1447- Added ability to build dtb. 1448 1449- Added support for pre-tool (cert_create and fiptool) image processing 1450 enabling compression of the image files before processing by cert_create and 1451 fiptool. 1452 1453 This can reduce fip size and may also speed up loading of images. The image 1454 verification will also get faster because certificates are generated based on 1455 compressed images. 
1456 1457 Imported zlib 1.2.11 to implement gunzip() for data compression. 1458 1459- Enhancements to fiptool: 1460 1461 - Enabled the fiptool to be built using Visual Studio. 1462 1463 - Added padding bytes at the end of the last image in the fip to be 1464 facilitate transfer by DMA. 1465 1466Issues resolved since last release 1467^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1468 1469- TF-A can be built with optimisations disabled (-O0). 1470 1471- Memory layout updated to enable Trusted Board Boot on Juno platform when 1472 running TF-A in AArch32 execution mode (resolving `tf-issue#501`_). 1473 1474Known Issues 1475^^^^^^^^^^^^ 1476 1477- DTB creation not supported when building on a Windows host. This step in the 1478 build process is skipped when running on a Windows host. 1479 1480Version 1.4 1481----------- 1482 1483New features 1484^^^^^^^^^^^^ 1485 1486- Enabled support for platforms with hardware assisted coherency. 1487 1488 A new build option HW_ASSISTED_COHERENCY allows platforms to take advantage 1489 of the following optimisations: 1490 1491 - Skip performing cache maintenance during power-up and power-down. 1492 1493 - Use spin-locks instead of bakery locks. 1494 1495 - Enable data caches early on warm-booted CPUs. 1496 1497- Added support for Cortex-A75 and Cortex-A55 processors. 1498 1499 Both Cortex-A75 and Cortex-A55 processors use the Arm DynamIQ Shared Unit 1500 (DSU). The power-down and power-up sequences are therefore mostly managed in 1501 hardware, reducing complexity of the software operations. 1502 1503- Introduced Arm GIC-600 driver. 1504 1505 Arm GIC-600 IP complies with Arm GICv3 architecture. For FVP platforms, the 1506 GIC-600 driver is chosen when FVP_USE_GIC_DRIVER is set to FVP_GIC600. 1507 1508- Updated GICv3 support: 1509 1510 - Introduced power management APIs for GICv3 Redistributor. These APIs 1511 allow platforms to power down the Redistributor during CPU power on/off. 
1512 Requires the GICv3 implementations to have power management operations. 1513 1514 Implemented the power management APIs for FVP. 1515 1516 - GIC driver data is flushed by the primary CPU so that secondary CPU do 1517 not read stale GIC data. 1518 1519- Added support for Arm System Control and Management Interface v1.0 (SCMI). 1520 1521 The SCMI driver implements the power domain management and system power 1522 management protocol of the SCMI specification (Arm DEN 0056ASCMI) for 1523 communicating with any compliant power controller. 1524 1525 Support is added for the Juno platform. The driver can be found in the 1526 plat/arm/css/drivers folder. 1527 1528- Added support to enable pre-integration of TBB with the Arm TrustZone 1529 CryptoCell product, to take advantage of its hardware Root of Trust and 1530 crypto acceleration services. 1531 1532- Enabled Statistical Profiling Extensions for lower ELs. 1533 1534 The firmware support is limited to the use of SPE in the Non-secure state 1535 and accesses to the SPE specific registers from S-EL1 will trap to EL3. 1536 1537 The SPE are architecturally specified for AArch64 only. 1538 1539- Code hygiene changes aligned with MISRA guidelines: 1540 1541 - Fixed signed / unsigned comparison warnings in the translation table 1542 library. 1543 1544 - Added U(_x) macro and together with the existing ULL(_x) macro fixed 1545 some of the signed-ness defects flagged by the MISRA scanner. 1546 1547- Enhancements to Firmware Update feature: 1548 1549 - The FWU logic now checks for overlapping images to prevent execution of 1550 unauthenticated arbitrary code. 1551 1552 - Introduced new FWU_SMC_IMAGE_RESET SMC that changes the image loading 1553 state machine to go from COPYING, COPIED or AUTHENTICATED states to 1554 RESET state. Previously, this was only possible when the authentication 1555 of an image failed or when the execution of the image finished. 
  - Fixed integer overflow which addressed TFV-1: Malformed Firmware Update
    SMC can result in copy of unexpectedly large data into secure memory.

- Introduced support for Arm Compiler 6 and LLVM (clang).

  TF-A can now also be built with the Arm Compiler 6 or the clang compilers.
  The assembler and linker must be provided by the GNU toolchain.

  Tested with Arm CC 6.7 and clang 3.9.x and 4.0.x.

- Memory footprint improvements:

  - Introduced `tf_snprintf`, a reduced version of `snprintf` which has
    support for a limited set of formats.

    The mbedtls driver is updated to optionally use `tf_snprintf` instead of
    `snprintf`.

  - The `assert()` is updated to no longer print the function name, and
    additional logging options are supported via an optional platform define
    `PLAT_LOG_LEVEL_ASSERT`, which controls how verbose the assert output is.

- Enhancements to TF-A support when running in AArch32 execution state:

  - Support booting SP_MIN and BL33 in AArch32 execution mode on Juno. Due to
    hardware limitations, BL1 and BL2 boot in AArch64 state and there is
    additional trampoline code to warm reset into SP_MIN in AArch32 execution
    state.

  - Added support for Arm Cortex-A53/57/72 MPCore processors, including the
    errata workarounds that are already implemented for AArch64 execution
    state.

  - For FVP platforms, added AArch32 Trusted Board Boot support, including the
    Firmware Update feature.

- Introduced Arm SiP service for use by Arm standard platforms.

  - Added new Arm SiP Service SMCs to enable the Non-secure world to read PMF
    timestamps.

    Added PMF instrumentation points in TF-A in order to quantify the
    overall time spent in the PSCI software implementation.

  - Added new Arm SiP service SMC to switch execution state.

    This allows the lower exception level to change its execution state from
    AArch64 to AArch32, or vice versa, via a request to EL3.

- Migrated to use SPDX[0] license identifiers to make software license
  auditing simpler.

  .. note::
     Files that have been imported from FreeBSD have not been modified.

  [0]: https://spdx.org/

- Enhancements to the translation table library:

  - Added version 2 of the translation table library that allows different
    translation tables to be modified by using different 'contexts'. Version 1
    of the translation table library only allows the current EL's translation
    tables to be modified.

    Version 2 of the translation table library also added support for dynamic
    regions: regions that can be added and removed dynamically whilst the
    MMU is enabled. Static regions can only be added or removed before the
    MMU is enabled.

    The dynamic mapping functionality is enabled or disabled when compiling
    by setting the build option PLAT_XLAT_TABLES_DYNAMIC to 1 or 0. This can
    be done per-image.

  - Added support for translation regimes with two virtual address spaces,
    such as the one shared by EL1 and EL0.

    The library does not support initializing translation tables for EL0
    software.

  - Added support to mark the translation tables as non-cacheable using an
    additional build option `XLAT_TABLE_NC`.

- Added support for GCC stack protection. A new build option
  ENABLE_STACK_PROTECTOR was introduced that enables compilation of all BL
  images with one of the GCC -fstack-protector-* options.

  A new platform function plat_get_stack_protector_canary() was introduced
  that returns a value used to initialize the canary for stack corruption
  detection. For increased effectiveness of protection, platforms must provide
  an implementation that returns a random value.
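As an added illustration of the two Firmware Update hardening points listed above for this release (the overlap check between images and the TFV-1 integer-overflow fix), and not code from TF-A itself: the wrapping bounds check beside its overflow-safe form, plus an overlap test applied before an incoming image is admitted. The secure-buffer address, the sizes and all function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: the secure buffer that an FWU copy SMC writes an
 * image into. Values are invented for illustration only. */
#define SEC_BUF_BASE ((uintptr_t)0x04020000u)
#define SEC_BUF_SIZE ((size_t)0x00020000u)   /* 128 KiB */

/* An image as tracked by the FWU state machine: base and size as supplied
 * by the caller of the SMC (hypothetical structure). */
struct fwu_image {
    uintptr_t base;
    size_t    size;
};

/* True when base + size would wrap around the address space. */
static bool uptr_overflows(uintptr_t base, size_t size)
{
    return size > (UINTPTR_MAX - base);
}

/* The weak check ("end must not exceed the buffer end"), kept as the
 * 'before' of the fix described in the notes. A caller-chosen size close
 * to UINTPTR_MAX makes base + size wrap to a small number, so the check
 * passes and the copy that follows runs far past the secure buffer. */
bool fwu_range_check_vulnerable(uintptr_t base, size_t size)
{
    uintptr_t end = base + size;          /* may wrap */
    return base >= SEC_BUF_BASE && end <= SEC_BUF_BASE + SEC_BUF_SIZE;
}

/* Hardened check: reject zero length, reject wrap-around explicitly, then
 * compare bounds only once the addition is known not to wrap. */
bool fwu_range_check_safe(uintptr_t base, size_t size)
{
    if (size == 0)
        return false;
    if (uptr_overflows(base, size))
        return false;
    if (base < SEC_BUF_BASE)
        return false;
    return (base + size) <= (SEC_BUF_BASE + SEC_BUF_SIZE);
}

/* Half-open ranges [a, a+sa) and [b, b+sb) overlap iff each starts before
 * the other ends. Both inputs must already have passed the safe range
 * check, so neither addition can wrap. */
bool fwu_images_overlap(const struct fwu_image *a, const struct fwu_image *b)
{
    return a->base < b->base + b->size && b->base < a->base + a->size;
}

/* Admit a new image only if its range is sane and it does not overlap any
 * image already loaded or authenticated: an overlapping copy could replace
 * already-authenticated bytes with unauthenticated ones.
 * Returns 0 on success, -1 for an invalid range, -2 for an overlap. */
int fwu_admit_image(const struct fwu_image *candidate,
                    const struct fwu_image *loaded, size_t n_loaded)
{
    if (!fwu_range_check_safe(candidate->base, candidate->size))
        return -1;
    for (size_t i = 0; i < n_loaded; i++) {
        if (fwu_images_overlap(candidate, &loaded[i]))
            return -2;
    }
    return 0;
}

int main(void)
{
    /* Constructed malformed request: a size chosen so base + size wraps. */
    size_t bad_size = (size_t)(UINTPTR_MAX - SEC_BUF_BASE + 0x10);
    printf("weak check accepts wrapping size:     %d\n",
           fwu_range_check_vulnerable(SEC_BUF_BASE, bad_size));
    printf("hardened check accepts wrapping size: %d\n",
           fwu_range_check_safe(SEC_BUF_BASE, bad_size));

    struct fwu_image loaded[] = { { SEC_BUF_BASE, 0x8000 } };
    struct fwu_image overlapping = { SEC_BUF_BASE + 0x4000, 0x8000 };
    struct fwu_image disjoint    = { SEC_BUF_BASE + 0x8000, 0x8000 };
    printf("overlapping image admitted (0 = yes): %d\n",
           fwu_admit_image(&overlapping, loaded, 1));
    printf("disjoint image admitted (0 = yes):    %d\n",
           fwu_admit_image(&disjoint, loaded, 1));
    return 0;
}
```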
1647 1648- Enhanced support for Arm platforms: 1649 1650 - Added support for multi-threading CPUs, indicated by `MT` field in MPDIR. 1651 A new build flag `ARM_PLAT_MT` is added, and when enabled, the functions 1652 accessing MPIDR assume that the `MT` bit is set for the platform and 1653 access the bit fields accordingly. 1654 1655 Also, a new API `plat_arm_get_cpu_pe_count` is added when `ARM_PLAT_MT` is 1656 enabled, returning the Processing Element count within the physical CPU 1657 corresponding to `mpidr`. 1658 1659 - The Arm platforms migrated to use version 2 of the translation tables. 1660 1661 - Introduced a new Arm platform layer API `plat_arm_psci_override_pm_ops` 1662 which allows Arm platforms to modify `plat_arm_psci_pm_ops` and therefore 1663 dynamically define PSCI capability. 1664 1665 - The Arm platforms migrated to use IMAGE_LOAD_V2 by default. 1666 1667- Enhanced reporting of errata workaround status with the following policy: 1668 1669 - If an errata workaround is enabled: 1670 1671 - If it applies (i.e. the CPU is affected by the errata), an INFO message 1672 is printed, confirming that the errata workaround has been applied. 1673 1674 - If it does not apply, a VERBOSE message is printed, confirming that the 1675 errata workaround has been skipped. 1676 1677 - If an errata workaround is not enabled, but would have applied had it 1678 been, a WARN message is printed, alerting that errata workaround is 1679 missing. 1680 1681- Added build options ARM_ARCH_MAJOR and ARM_ARM_MINOR to choose the 1682 architecture version to target TF-A. 1683 1684- Updated the spin lock implementation to use the more efficient CAS (Compare 1685 And Swap) instruction when available. This instruction was introduced in 1686 Armv8.1-A. 1687 1688- Applied errata workaround for Arm Cortex-A53: 855873. 1689 1690- Applied errata workaround for Arm-Cortex-A57: 813419. 
1691 1692- Enabled all A53 and A57 errata workarounds for Juno, both in AArch64 and 1693 AArch32 execution states. 1694 1695- Added support for Socionext UniPhier SoC platform. 1696 1697- Added support for Hikey960 and Hikey platforms. 1698 1699- Added support for Rockchip RK3328 platform. 1700 1701- Added support for NVidia Tegra T186 platform. 1702 1703- Added support for Designware emmc driver. 1704 1705- Imported libfdt v1.4.2 that addresses buffer overflow in fdt_offset_ptr(). 1706 1707- Enhanced the CPU operations framework to allow power handlers to be 1708 registered on per-level basis. This enables support for future CPUs that 1709 have multiple threads which might need powering down individually. 1710 1711- Updated register initialisation to prevent unexpected behaviour: 1712 1713 - Debug registers MDCR-EL3/SDCR and MDCR_EL2/HDCR are initialised to avoid 1714 unexpected traps into the higher exception levels and disable secure 1715 self-hosted debug. Additionally, secure privileged external debug on 1716 Juno is disabled by programming the appropriate Juno SoC registers. 1717 1718 - EL2 and EL3 configurable controls are initialised to avoid unexpected 1719 traps in the higher exception levels. 1720 1721 - Essential control registers are fully initialised on EL3 start-up, when 1722 initialising the non-secure and secure context structures and when 1723 preparing to leave EL3 for a lower EL. This gives better alignment with 1724 the Arm ARM which states that software must initialise RES0 and RES1 1725 fields with 0 / 1. 1726 1727- Enhanced PSCI support: 1728 1729 - Introduced new platform interfaces that decouple PSCI stat residency 1730 calculation from PMF, enabling platforms to use alternative methods of 1731 capturing timestamps. 1732 1733 - PSCI stat accounting performed for retention/standby states when 1734 requested at multiple power levels. 1735 1736- Simplified fiptool to have a single linked list of image descriptors. 
1737 1738- For the TSP, resolved corruption of pre-empted secure context by aborting any 1739 pre-empted SMC during PSCI power management requests. 1740 1741Issues resolved since last release 1742^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1743 1744- TF-A can be built with the latest mbed TLS version (v2.4.2). The earlier 1745 version 2.3.0 cannot be used due to build warnings that the TF-A build 1746 system interprets as errors. 1747 1748- TBBR, including the Firmware Update feature is now supported on FVP 1749 platforms when running TF-A in AArch32 state. 1750 1751- The version of the AEMv8 Base FVP used in this release has resolved the issue 1752 of the model executing a reset instead of terminating in response to a 1753 shutdown request using the PSCI SYSTEM_OFF API. 1754 1755Known Issues 1756^^^^^^^^^^^^ 1757 1758- Building TF-A with compiler optimisations disabled (-O0) fails. 1759 1760- Trusted Board Boot currently does not work on Juno when running Trusted 1761 Firmware in AArch32 execution state due to error when loading the sp_min to 1762 memory because of lack of free space available. See `tf-issue#501`_ for more 1763 details. 1764 1765- The errata workaround for A53 errata 843419 is only available from binutils 1766 2.26 and is not present in GCC4.9. If this errata is applicable to the 1767 platform, please use GCC compiler version of at least 5.0. See `PR#1002`_ for 1768 more details. 1769 1770Version 1.3 1771----------- 1772 1773 1774New features 1775^^^^^^^^^^^^ 1776 1777- Added support for running TF-A in AArch32 execution state. 1778 1779 The PSCI library has been refactored to allow integration with **EL3 Runtime 1780 Software**. This is software that is executing at the highest secure 1781 privilege which is EL3 in AArch64 or Secure SVC/Monitor mode in AArch32. See 1782 :ref:`PSCI Library Integration guide for Armv8-A AArch32 systems`. 
  Included is a minimal AArch32 Secure Payload, **SP-MIN**, that illustrates
  the usage and integration of the PSCI library with EL3 Runtime Software
  running in AArch32 state.

  Booting to the BL1/BL2 images as well as booting straight to the Secure
  Payload is supported.

- Improvements to the initialization framework for the PSCI service and Arm
  Standard Services in general.

  The PSCI service is now initialized as part of Arm Standard Service
  initialization. This consolidates the initializations of any Arm Standard
  Service that may be added in the future.

  A new function ``get_arm_std_svc_args()`` is introduced to get arguments
  corresponding to each standard service and must be implemented by the EL3
  Runtime Software.

  For PSCI, a new versioned structure ``psci_lib_args_t`` is introduced to
  initialize the PSCI Library. **Note** this is a compatibility break due to
  the change in the prototype of ``psci_setup()``.

- To support AArch32 builds of BL1 and BL2, implemented a new, alternative
  firmware image loading mechanism that adds flexibility.

  The current mechanism has a hard-coded set of images and execution order
  (BL31, BL32, etc). The new mechanism is data-driven by a list of image
  descriptors provided by the platform code.

  Arm platforms have been updated to support the new loading mechanism.

  The new mechanism is enabled by a build flag (``LOAD_IMAGE_V2``) which is
  currently off by default for the AArch64 build.

  **Note** ``TRUSTED_BOARD_BOOT`` is currently not supported when
  ``LOAD_IMAGE_V2`` is enabled.

- Updated requirements for making contributions to TF-A.

  Commits now must have a 'Signed-off-by:' field to certify that the
  contribution has been made under the terms of the
  :download:`Developer Certificate of Origin <../dco.txt>`.
  A signed CLA is no longer required.

  The :ref:`Contributor's Guide` has been updated to reflect this change.

- Introduced the Performance Measurement Framework (PMF), which provides
  support for capturing, storing, dumping and retrieving time-stamps to measure
  the execution time of critical paths in the firmware. This relies on defining
  fixed sample points at key places in the code.

- To support the QEMU platform port, imported libfdt v1.4.1 from
  https://git.kernel.org/pub/scm/utils/dtc/dtc.git

- Updated PSCI support:

  - Added support for the PSCI ``NODE_HW_STATE`` API for Arm platforms.

  - New optional platform hook, ``pwr_domain_pwr_down_wfi()``, in
    ``plat_psci_ops`` to enable platforms to perform platform-specific actions
    needed to enter powerdown, including the 'wfi' invocation.

  - PSCI STAT residency and count functions have been added on Arm platforms
    by using PMF.

- Enhancements to the translation table library:

  - Restricted memory mapping support for region overlaps: two regions may
    only overlap if they are identity mapped or have the same virtual to
    physical address offset, and one must overlap the other completely
    without covering exactly the same area.

    This limitation will enable future enhancements without having to
    support complex edge cases that may not be necessary.

  - The initial translation lookup level is now inferred from the virtual
    address space size. Previously, it was hard-coded.

  - Added support for mapping Normal, Inner Non-cacheable, Outer
    Non-cacheable memory in the translation table library.

    This can be useful to map a non-cacheable memory region, such as a DMA
    buffer.

  - Introduced the ``MT_EXECUTE``/``MT_EXECUTE_NEVER`` memory mapping
    attributes to specify the access permissions for instruction execution of
    a memory region.
- Enabled support to isolate code and read-only data on separate memory pages,
  allowing independent access control to be applied to each.

- Enabled the SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and BL31
  common architectural setup code, preventing instruction fetches from
  non-secure memory when in secure state.

- Enhancements to FIP support:

  - Replaced ``fip_create`` with ``fiptool``, which provides a more consistent
    and intuitive interface as well as additional support to remove an image
    from a FIP file.

  - Enabled printing the SHA256 digest with the ``info`` command, allowing
    quick verification of an image within a FIP without having to extract the
    image and run ``sha256sum`` on it.

  - Added support for unpacking the contents of an existing FIP file into
    the working directory.

  - Aligned command line options for specifying images to use the same naming
    convention as specified by TBBR and already used in the ``cert_create``
    tool.

- Refactored the TZC-400 driver to also support memory controllers that
  integrate TZC functionality, for example Arm CoreLink DMC-500. Also added
  DMC-500 specific support.

- Implemented a generic delay timer based on the system generic counter and
  migrated all platforms to use it.

- Enhanced support for Arm platforms:

  - Updated image loading support to make SCP images (SCP_BL2 and SCP_BL2U)
    optional.

  - Enhanced topology description support to allow multi-cluster topology
    definitions.

  - Added an interconnect abstraction layer to help platform ports select the
    right interconnect driver, CCI or CCN, for the platform.

  - Added support to allow loading BL31 in the TZC-secured DRAM instead of
    the default secure SRAM.
  - Added support to use a System Security Control (SSC) Registers Unit,
    enabling TF-A to be compiled to support multiple Arm platforms and
    then select one at runtime.

  - Restricted mapping of Trusted ROM in BL1 to what is actually needed by
    BL1 rather than the entire Trusted ROM region.

  - Flash is now mapped as execute-never by default. This increases security
    by restricting the executable region to what is strictly needed.

- Applied the following erratum workarounds for Cortex-A57: 833471, 826977,
  829520, 828024 and 826974.

- Added support for Mediatek MT6795 platform.

- Added support for QEMU virtualization Armv8-A target.

- Added support for Rockchip RK3368 and RK3399 platforms.

- Added support for Xilinx Zynq UltraScale+ MPSoC platform.

- Added support for Arm Cortex-A73 MPCore Processor.

- Added support for Arm Cortex-A72 processor.

- Added support for Arm Cortex-A35 processor.

- Added support for Arm Cortex-A32 MPCore Processor.

- Enabled the preloaded BL33 alternative boot flow, in which BL2 does not load
  BL33 from non-volatile storage and BL31 hands execution over to a preloaded
  BL33. The User Guide has been updated with an example of how to use this
  option with a bootwrapped kernel.

- Added support to build TF-A on a Windows-based host machine.

- Updated Trusted Board Boot prototype implementation:

  - Enabled the ability for a production ROM with TBBR enabled to boot test
    software before a real ROTPK is deployed (e.g. manufacturing mode).
    Added support to use the ROTPK in the certificate without verifying it
    against the platform value when the ``ROTPK_NOT_DEPLOYED`` bit is set.

  - Added support for non-volatile counter authentication to the
    Authentication Module to protect against roll-back.
- Updated GICv3 support:

  - Enabled processor power-down and automatic power-on using GICv3.

  - Enabled G1S or G0 interrupts to be configured independently.

  - Changed the FVP default interrupt driver to be the GICv3-only driver.
    **Note** the default build of TF-A will not be able to boot a
    Linux kernel with a GICv2 FDT blob.

  - Enabled wake-up from ``CPU_SUSPEND`` to stand-by by temporarily re-routing
    interrupts and then restoring them after resume.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Known issues
^^^^^^^^^^^^

- The version of the AEMv8 Base FVP used in this release resets the model
  instead of terminating its execution in response to a shutdown request using
  the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
  the model.

- Building TF-A with compiler optimisations disabled (``-O0``) fails.

- TF-A cannot be built with mbed TLS version v2.3.0 due to build warnings
  that the TF-A build system interprets as errors.

- TBBR is not currently supported when running TF-A in AArch32 state.

Version 1.2
-----------

New features
^^^^^^^^^^^^

- The Trusted Board Boot implementation on Arm platforms now conforms to the
  mandatory requirements of the TBBR specification.

  In particular, the boot process is now guarded by a Trusted Watchdog, which
  will reset the system in case of an authentication or loading error. On Arm
  platforms, a secure instance of Arm SP805 is used as the Trusted Watchdog.

  Also, a firmware update process has been implemented. It enables
  authenticated firmware to update firmware images from external interfaces to
  SoC Non-Volatile memories. This feature functions even when the current
  firmware in the system is corrupt or missing; it therefore may be used as
  a recovery mode.
- Improvements have been made to the Certificate Generation Tool
  (``cert_create``) as follows.

  - Added support for the Firmware Update process by extending the Chain
    of Trust definition in the tool to include the Firmware Update
    certificate and the required extensions.

  - Introduced a new API that allows one to specify command line options in
    the Chain of Trust description. This makes the declaration of the tool's
    arguments more flexible and easier to extend.

  - The tool has been reworked to follow a data driven approach, which
    makes it easier to maintain and extend.

- Extended the FIP tool (``fip_create``) to support the new set of images
  involved in the Firmware Update process.

- Various memory footprint improvements. In particular:

  - The bakery lock structure for coherent memory has been optimised.

  - The mbed TLS SHA1 functions are not needed, as SHA256 is used to
    generate the certificate signature. Therefore, they have been compiled
    out, reducing the memory footprint of BL1 and BL2 by approximately
    6 KB.

  - On Arm development platforms, each BL stage now individually defines
    the number of regions that it needs to map in the MMU.

- Added the following new design documents:

  - :ref:`Authentication Framework & Chain of Trust`
  - :ref:`Firmware Update (FWU)`
  - :ref:`CPU Reset`
  - :ref:`PSCI Power Domain Tree Structure`

- Applied the new image terminology to the code base and documentation, as
  described in the :ref:`Image Terminology` document.

- The build system has been reworked to improve readability and facilitate
  adding future extensions.

- On Arm standard platforms, BL31 uses the boot console during cold boot
  but switches to the runtime console for any later logs at runtime. The TSP
  uses the runtime console for all output.
- Implemented a basic NOR flash driver for Arm platforms. It programs the
  device using CFI (Common Flash Interface) standard commands.

- Implemented support for booting EL3 payloads on Arm platforms, which
  reduces the complexity of developing EL3 baremetal code by doing essential
  baremetal initialization.

- Provided separate drivers for GICv3 and GICv2. These expect the entire
  software stack to use either GICv2 or GICv3; hybrid GIC software systems
  are no longer supported and the legacy Arm GIC driver has been deprecated.

- Added support for Juno r1 and r2. A single set of Juno TF-A binaries can run
  on Juno r0, r1 and r2 boards. Note that this TF-A version depends on a Linaro
  release that does *not* contain Juno r2 support.

- Added support for MediaTek mt8173 platform.

- Implemented a generic driver for Arm CCN IP.

- Major rework of the PSCI implementation.

  - Added a framework to handle composite power states.

  - Decoupled the notions of affinity instances (which describe the
    hierarchical arrangement of cores) and of power domain topology, instead
    of assuming a one-to-one mapping.

  - Better alignment with version 1.0 of the PSCI specification.

- Added support for the ``SYSTEM_SUSPEND`` PSCI API on Arm platforms. When
  invoked on the last running core on a supported platform, this puts the
  system into a low power mode with memory retention.

- Unified the reset handling code as much as possible across BL stages.
  Also introduced some build options to enable optimization of the reset path
  on platforms that support it.

- Added a simple delay timer API, as well as an SP804 timer driver, which is
  enabled on FVP.

- Added support for NVidia Tegra T210 and T132 SoCs.
- Reorganised Arm platform ports to greatly improve code shareability and
  facilitate the reuse of some of this code by other platforms.

- Added support for the Arm Cortex-A72 processor in the CPU specific framework.

- Provided better error handling. Platform ports can now define their own
  error handling, for example to perform platform specific bookkeeping or
  post-error actions.

- Implemented a unified driver for Arm Cache Coherent Interconnects used for
  both CCI-400 & CCI-500 IPs. Arm platform ports have been migrated to this
  common driver. The standalone CCI-400 driver has been deprecated.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The Trusted Board Boot implementation has been redesigned to provide greater
  modularity and scalability. See the
  :ref:`Authentication Framework & Chain of Trust` document.
  All missing mandatory features are now implemented.

- The FVP and Juno ports may now use the hash of the ROTPK stored in the
  Trusted Key Storage registers to verify the ROTPK. Alternatively, a
  development public key hash embedded in the BL1 and BL2 binaries might be
  used instead. The location of the ROTPK is chosen at build-time using the
  ``ARM_ROTPK_LOCATION`` build option.

- GICv3 is now fully supported and stable.

Known issues
^^^^^^^^^^^^

- The version of the AEMv8 Base FVP used in this release resets the model
  instead of terminating its execution in response to a shutdown request using
  the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
  the model.

- While this version has low on-chip RAM requirements, there are further
  RAM usage enhancements that could be made.

- The upstream documentation could be improved for structural consistency,
  clarity and completeness.
  In particular, the design documentation is
  incomplete for PSCI, the TSP(D) and the Juno platform.

- Building TF-A with compiler optimisations disabled (``-O0``) fails.

Version 1.1
-----------

New features
^^^^^^^^^^^^

- A prototype implementation of Trusted Board Boot has been added. Boot
  loader images are verified by BL1 and BL2 during the cold boot path. BL1 and
  BL2 use the PolarSSL SSL library to verify certificates and images. The
  OpenSSL library is used to create the X.509 certificates. Support has been
  added to the ``fip_create`` tool to package the certificates in a FIP.

- Support for calling CPU and platform specific reset handlers upon entry into
  BL3-1 during the cold and warm boot paths has been added. This happens after
  another Boot ROM ``reset_handler()`` has already run. This enables a developer
  to perform additional actions or undo actions already performed during the
  first call of the reset handlers, e.g. apply additional errata workarounds.

- Support has been added to demonstrate routing of IRQs to EL3 instead of
  S-EL1 when execution is in the secure world.

- The PSCI implementation now conforms to version 1.0 of the PSCI
  specification. All the mandatory APIs and selected optional APIs are
  supported. In particular, support for the ``PSCI_FEATURES`` API has been
  added. A capability variable is constructed during initialization by
  examining the ``plat_pm_ops`` and ``spd_pm_ops`` exported by the platform and
  the Secure Payload Dispatcher. This is used by the ``PSCI_FEATURES`` function
  to determine which PSCI APIs are supported by the platform.

- Improvements have been made to the PSCI code as follows.

  - The code has been refactored to remove redundant parameters from
    internal functions.
  - Changes have been made to the code for PSCI ``CPU_SUSPEND``, ``CPU_ON`` and
    ``CPU_OFF`` calls to facilitate an early return to the caller in case a
    failure condition is detected. For example, a PSCI ``CPU_SUSPEND`` call
    returns ``SUCCESS`` to the caller if a pending interrupt is detected early
    in the code path.

  - Optional platform APIs have been added to validate the ``power_state`` and
    ``entrypoint`` parameters early in the PSCI ``CPU_ON`` and ``CPU_SUSPEND``
    code paths.

  - PSCI migrate APIs have been reworked to invoke the SPD hook to determine
    the type of Trusted OS and the CPU it is resident on (if
    applicable). Also, during a PSCI ``MIGRATE`` call, the SPD hook to migrate
    the Trusted OS is invoked.

- It is now possible to build TF-A without marking at least an extra page of
  memory as coherent. The build flag ``USE_COHERENT_MEM`` can be used to
  choose between the two implementations. This has been made possible through
  these changes.

  - An implementation of Bakery locks, where the locks are not allocated in
    coherent memory, has been added.

  - Memory which was previously marked as coherent is now kept coherent
    through the use of software cache maintenance operations.

  Approximately 4K of memory is saved for each boot loader stage when
  ``USE_COHERENT_MEM=0``. Building with this setting increases the latencies
  associated with acquiring and releasing locks. It also requires changes to
  the platform ports.

- It is now possible to specify the name of the FIP at build time by defining
  the ``FIP_NAME`` variable.

- Issues with dependencies on the 'fiptool' makefile target have been
  rectified. The ``fip_create`` tool is now rebuilt whenever its source files
  change.

- The BL3-1 runtime console is now also used as the crash console.
  The crash
  console is changed to SoC UART0 (UART2) from the previous FPGA UART0 (UART0)
  on Juno. In FVP, it is changed from UART0 to UART1.

- CPU errata workarounds are applied only when the revision and part number
  match. This behaviour has been made consistent across the debug and release
  builds. The debug build additionally prints a warning if a mismatch is
  detected.

- It is now possible to issue cache maintenance operations by set/way for a
  particular level of data cache. Levels 1-3 are currently supported.

- The following improvements have been made to the FVP port.

  - The build option ``FVP_SHARED_DATA_LOCATION``, which allowed relocation of
    shared data into the Trusted DRAM, has been deprecated. Shared data is
    now always located at the base of Trusted SRAM.

  - BL2 translation tables have been updated to map only the region of
    DRAM which is accessible to the normal world. This is the region of the 2GB
    DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is
    accessible only to the secure world.

  - BL3-2 can now reside in the top 16MB of DRAM which is accessible only to
    the secure world. This can be done by setting the build flag
    ``FVP_TSP_RAM_LOCATION`` to the value ``dram``.

- Separate translation tables are created for each boot loader image. The
  ``IMAGE_BLx`` build options are used to do this. This allows each stage to
  create mappings only for areas in the memory map that it needs.

- A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been
  added. Details of using it with TF-A can be found in :ref:`OP-TEE Dispatcher`.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The Juno port has been aligned with the FVP port as follows.
  - Support for reclaiming all BL1 RW memory and BL2 memory by overlaying
    the BL3-1/BL3-2 NOBITS sections on top of them has been added to the
    Juno port.

  - The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured
    using the TZC-400 controller to be accessible only to the secure world.

  - The Arm GIC driver is used to configure the GIC-400 instead of using a
    GIC driver private to the Juno port.

  - PSCI ``CPU_SUSPEND`` calls that target a standby state are now supported.

  - The TZC-400 driver is used to configure the controller instead of direct
    accesses to the registers.

- The Linux kernel version referred to in the user guide has DVFS and HMP
  support enabled.

- DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
  CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of
  the Cortex-A57-A53 Base FVPs.

Known issues
^^^^^^^^^^^^

- The Trusted Board Boot implementation is a prototype. There are issues with
  the modularity and scalability of the design. Support for a Trusted
  Watchdog, firmware update mechanism, recovery images and Trusted debug is
  absent. These issues will be addressed in future releases.

- The FVP and Juno ports do not use the hash of the ROTPK stored in the
  Trusted Key Storage registers to verify the ROTPK in the
  ``plat_match_rotpk()`` function. This prevents the correct establishment of
  the Chain of Trust at the first step in the Trusted Board Boot process.

- The version of the AEMv8 Base FVP used in this release resets the model
  instead of terminating its execution in response to a shutdown request using
  the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
  the model.

- GICv3 support is experimental. There are known issues with GICv3
  initialization in the TF-A.
- While this version greatly reduces the on-chip RAM requirements, there are
  further RAM usage enhancements that could be made.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

- The Juno-specific firmware design documentation is incomplete.

Version 1.0
-----------

New features
^^^^^^^^^^^^

- It is now possible to map higher physical addresses using non-flat virtual
  to physical address mappings in the MMU setup.

- Wider use is now made of the per-CPU data cache in BL3-1 to store:

  - Pointers to the non-secure and secure security state contexts.

  - A pointer to the CPU-specific operations.

  - A pointer to PSCI specific information (for example the current power
    state).

  - A crash reporting buffer.

- The following RAM usage improvements result in a BL3-1 RAM usage reduction
  from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction
  across all images from 208KB to 88KB, compared to the previous release.

  - Removed the separate ``early_exception`` vectors from BL3-1 (2KB code size
    saving).

  - Removed NSRAM from the FVP memory map, allowing the removal of one
    (4KB) translation table.

  - Eliminated the internal ``psci_suspend_context`` array, saving 2KB.

  - Correctly dimensioned the PSCI ``aff_map_node`` array, saving 1.5KB in the
    FVP port.

  - Removed calling CPU mpidr from the bakery lock API, saving 160 bytes.

  - Removed current CPU mpidr from PSCI common code, saving 160 bytes.

  - Inlined the mmio accessor functions, saving 360 bytes.

  - Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by
    overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime.
  - Made storing the FP register context optional, saving 0.5KB per context
    (8KB on the FVP port, with TSPD enabled and running on 8 CPUs).

  - Implemented a leaner ``tf_printf()`` function, allowing the stack to be
    greatly reduced.

  - Removed coherent stacks from the codebase. Stacks allocated in normal
    memory are now used before and after the MMU is enabled. This saves 768
    bytes per CPU in BL3-1.

  - Reworked the crash reporting in BL3-1 to use less stack.

  - Optimized the EL3 register state stored in the ``cpu_context`` structure
    so that registers that do not change during normal execution are
    re-initialized each time during cold/warm boot, rather than restored
    from memory. This saves about 1.2KB.

  - As a result of some of the above, reduced the runtime stack size in all
    BL images. For BL3-1, this saves 1KB per CPU.

- PSCI SMC handler improvements to correctly handle calls from secure states
  and from AArch32.

- CPU contexts are now initialized from the ``entry_point_info``. BL3-1 fully
  determines the exception level to use for the non-trusted firmware (BL3-3)
  based on the SPSR value provided by the BL2 platform code (or otherwise
  provided to BL3-1). This allows platform code to directly run non-trusted
  firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS
  loader.

- Code refactoring improvements:

  - Refactored ``fvp_config`` into a common platform header.

  - Refactored the FVP GIC code to be a generic driver that no longer has an
    explicit dependency on platform code.

  - Refactored the CCI-400 driver to not have a dependency on platform code.

  - Simplified the IO driver so it's no longer necessary to call ``io_init()``
    and moved all the IO storage framework code to one place.

  - Simplified the interface to the TZC-400 driver.
  - Clarified the platform porting interface to the TSP.

  - Reworked the TSPD setup code to support the alternate BL3-2
    initialization flow where BL3-1 generic code hands control to BL3-2,
    rather than expecting the TSPD to hand control directly to BL3-2.

  - Considerable rework to PSCI generic code to support CPU specific
    operations.

- Improved console log output, by:

  - Adding the concept of debug log levels.

  - Rationalizing the existing debug messages and adding new ones.

  - Printing out the version of each BL stage at runtime.

  - Adding support for printing console output from assembler code,
    including when a crash occurs before the C runtime is initialized.

- Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro
  file system and DS-5.

- On the FVP port, made the use of the Trusted DRAM region optional at build
  time (off by default). Normal platforms will not have such a "ready-to-use"
  DRAM area, so it is not a good example to use it.

- Added support for PSCI ``SYSTEM_OFF`` and ``SYSTEM_RESET`` APIs.

- Added support for CPU specific reset sequences, power down sequences and
  register dumping during crash reporting. The CPU specific reset sequences
  include support for errata workarounds.

- Merged the Juno port into the master branch. Added support for CPU hotplug
  and CPU idle. Updated the user guide to describe how to build and run on the
  Juno platform.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed the concept of top/bottom image loading. The image loader now
  automatically detects the position of the image inside the current memory
  layout and updates the layout to minimize fragmentation. This resolves the
  image loader limitations of previous releases.
  There are currently no
  plans to support dynamic image loading.

- CPU idle now works on the publicized version of the Foundation FVP.

- All known issues relating to the compiler version used have now been
  resolved. This TF-A version uses Linaro toolchain 14.07 (based on GCC 4.9).

Known issues
^^^^^^^^^^^^

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  the TF-A.

- While this version greatly reduces the on-chip RAM requirements, there are
  further RAM usage enhancements that could be made.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

- The Juno-specific firmware design documentation is incomplete.

- Some recent enhancements to the FVP port have not yet been translated into
  the Juno port. These will be tracked via the tf-issues project.

- The Linux kernel version referred to in the user guide has DVFS and HMP
  support disabled due to some known instabilities at the time of this
  release. A future kernel version will re-enable these features.

- DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
  CADI server mode. This is because the ``<SimName>`` reported by the FVP in
  this version has changed. For example, for the Cortex-A57x4-A53x4 Base FVP,
  the ``<SimName>`` reported by the FVP is ``FVP_Base_Cortex_A57x4_A53x4``, while
  DS-5 expects it to be ``FVP_Base_A57x4_A53x4``.

  The temporary fix to this problem is to change the name of the FVP in
  ``sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml``.
  Change the following line:

  ::

      <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName>

  to ``System Generator:FVP_Base_Cortex-A57x4_A53x4``.

  A similar change can be made to the other Cortex-A57-A53 Base FVP variants.

Version 0.4
-----------

New features
^^^^^^^^^^^^

- Makefile improvements:

  - Improved dependency checking when building.

  - Removed ``dump`` target (build now always produces dump files).

  - Enabled platform ports to optionally make use of parts of the Trusted
    Firmware (e.g. BL3-1 only), rather than being forced to use all parts.
    Also made the ``fip`` target optional.

  - Specified the full path to source files and removed use of the ``vpath``
    keyword.

- Provided translation table library code for potential re-use by platforms
  other than the FVPs.

- Moved architectural timer setup to platform-specific code.

- Added standby state support to the PSCI cpu_suspend implementation.

- SRAM usage improvements:

  - Started using the ``-ffunction-sections``, ``-fdata-sections`` and
    ``--gc-sections`` compiler/linker options to remove unused code and data
    from the images. Previously, all common functions were being built into
    all binary images, whether or not they were actually used.

  - Placed all assembler functions in their own section to allow more unused
    functions to be removed from images.

  - Updated BL1 and BL2 to use a single coherent stack each, rather than one
    per CPU.

  - Changed variables that were unnecessarily declared and initialized as
    non-const (i.e. in the .data section) so they are either uninitialized
    (zero init) or const.

- Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by
  default. The option for it to run in Trusted DRAM remains.

- Implemented a TrustZone Address Space Controller (TZC-400) driver. A
  default configuration is provided for the Base FVPs. This means the model
  parameter ``-C bp.secure_memory=1`` is now supported.

- Started saving the PSCI cpu_suspend ``power_state`` parameter prior to
  suspending a CPU. This allows platforms that implement multiple power-down
  states at the same affinity level to identify a specific state.

- Refactored the entire codebase to reduce the amount of nesting in header
  files and to make the use of system/user includes more consistent. Also
  split platform.h to separate out the platform porting declarations from the
  required platform porting definitions and the definitions/declarations
  specific to the platform port.

- Optimized the data cache clean/invalidate operations.

- Improved the BL3-1 unhandled exception handling and reporting. Unhandled
  exceptions now result in a dump of registers to the console.

- Major rework of the handover interface between BL stages, in particular the
  interface to BL3-1. The interface now conforms to a specification and is
  more future-proof.

- Added support for optionally making the BL3-1 entrypoint a reset handler
  (instead of BL1). This allows platforms with an alternative image loading
  architecture to re-use BL3-1 with fewer modifications to generic code.

- Reserved some DDR DRAM for secure use on FVP platforms to avoid future
  compatibility problems with non-secure software.

- Added support for secure interrupts targeting the Secure-EL1 Payload (SP)
  (using GICv2 routing only). Demonstrated this working by adding an interrupt
  target and supporting test code to the TSP. Also demonstrated non-secure
  interrupt handling during TSP processing.
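The ``power_state`` handling described in the cpu_suspend entry above is worth seeing as code. The following is an added example written for this page, not TF-A's own PSCI implementation: it validates the parameter the normal world passes to ``CPU_SUSPEND``, rejects reserved bits and unsupported levels, and records the decoded state per CPU before the suspend proceeds. The field layout is the original PSCI 0.2 encoding from the PSCI specification (StateID in bits[15:0], StateType in bit[16], level in bits[25:24], everything else reserved); the platform limit ``PLAT_MAX_PWR_LVL``, the ``MAX_CPUS`` bound and all function names are this example's own assumptions.

```c
/*
 * Added example, not TF-A code: validate and decode the PSCI CPU_SUSPEND
 * power_state parameter, then save it per CPU before suspending.
 *
 * Assumed layout (original PSCI 0.2 encoding from the PSCI specification):
 *   bits[15:0]  StateID    platform-defined, opaque to generic code
 *   bit[16]     StateType  0 = standby/retention, 1 = power down
 *   bits[25:24] PowerLevel affinity level the state applies to
 *   all other bits reserved and must be zero
 * power_state arrives in an SMC argument register from the non-secure world,
 * so it is untrusted input: reserved bits and an out-of-range level are
 * rejected rather than silently masked.
 */
#include <stddef.h>
#include <stdint.h>

#define PSTATE_ID_MASK     0xffffU
#define PSTATE_TYPE_SHIFT  16
#define PSTATE_TYPE_MASK   (1U << PSTATE_TYPE_SHIFT)
#define PSTATE_LVL_SHIFT   24
#define PSTATE_LVL_MASK    (3U << PSTATE_LVL_SHIFT)
#define PSTATE_VALID_MASK  (PSTATE_ID_MASK | PSTATE_TYPE_MASK | PSTATE_LVL_MASK)

/* Hypothetical platform: level 0 (core) and level 1 (cluster) only. */
#define PLAT_MAX_PWR_LVL   1U
#define MAX_CPUS           8U

/* PSCI return codes as defined by the specification. */
#define PSCI_E_SUCCESS         0
#define PSCI_E_INVALID_PARAMS  (-2)

enum pstate_type { PSTATE_TYPE_STANDBY = 0, PSTATE_TYPE_POWERDOWN = 1 };

struct psci_power_state {
    uint16_t state_id;
    enum pstate_type type;
    unsigned int pwr_lvl;
};

/*
 * Decode power_state into *out.  Returns PSCI_E_SUCCESS, or
 * PSCI_E_INVALID_PARAMS if any reserved bit is set or the requested level is
 * above what the platform implements.  *out is untouched on failure.
 */
int psci_decode_power_state(uint32_t power_state, struct psci_power_state *out)
{
    struct psci_power_state ps;

    if ((power_state & ~PSTATE_VALID_MASK) != 0U)
        return PSCI_E_INVALID_PARAMS;

    ps.state_id = (uint16_t)(power_state & PSTATE_ID_MASK);
    ps.type = ((power_state & PSTATE_TYPE_MASK) != 0U)
                  ? PSTATE_TYPE_POWERDOWN : PSTATE_TYPE_STANDBY;
    ps.pwr_lvl = (power_state & PSTATE_LVL_MASK) >> PSTATE_LVL_SHIFT;

    if (ps.pwr_lvl > PLAT_MAX_PWR_LVL)
        return PSCI_E_INVALID_PARAMS;

    *out = ps;
    return PSCI_E_SUCCESS;
}

/*
 * Per-CPU record of the requested state, written before the CPU is suspended
 * so a platform power-down hook can distinguish several power-down states at
 * the same level.  The storage shape is this example's own.
 */
static struct psci_power_state saved_state[MAX_CPUS];

int psci_cpu_suspend_save(unsigned int cpu, uint32_t power_state)
{
    if (cpu >= MAX_CPUS)
        return PSCI_E_INVALID_PARAMS;
    return psci_decode_power_state(power_state, &saved_state[cpu]);
}

const struct psci_power_state *psci_get_saved_state(unsigned int cpu)
{
    return (cpu < MAX_CPUS) ? &saved_state[cpu] : NULL;
}
```

The check that matters is the one on reserved bits: masking them away instead of rejecting the call would let a normal-world caller pass a value that decodes differently on a platform that later assigns meaning to those bits, and the saved per-CPU record would then describe a state the caller never validly requested.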

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Now support use of the model parameter ``-C bp.secure_memory=1`` in the Base
  FVPs (see **New features**).

- Support for secure world interrupt handling is now available (see **New
  features**).

- Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1
  Payload (BL3-2) to execute in Trusted SRAM by default.

- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
  14.04) now correctly reports progress in the console.

- Improved the Makefile structure to make it easier to separate out parts of
  TF-A for re-use in platform ports. Also improved target dependency
  checking.

Known issues
^^^^^^^^^^^^

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  TF-A.

- Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

- TF-A still uses too much on-chip Trusted SRAM. A number of RAM usage
  enhancements have been identified to rectify this situation.

- CPU idle does not work on the advertised version of the Foundation FVP.
  Some FVP fixes are required that are not available externally at the time
  of writing. This can be worked around by disabling CPU idle in the Linux
  kernel.

- Various bugs in TF-A, UEFI and the Linux kernel have been observed when
  using Linaro toolchain versions later than 13.11. Although most of these
  have been fixed, some remain at the time of writing.
  These mainly seem to
  relate to a subtle change in the way the compiler converts between 64-bit
  and 32-bit values (e.g. during casting operations), which reveals
  previously hidden bugs in client code.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

Version 0.3
-----------

New features
^^^^^^^^^^^^

- Support for Foundation FVP Version 2.0 added.
  The documented UEFI configuration disables some devices that are unavailable
  in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can
  be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation
  FVP.

  .. note::
     The software will not work on Version 1.0 of the Foundation FVP.

- Enabled third party contributions. Added a new contributing.md containing
  instructions for how to contribute and updated copyright text in all files
  to acknowledge contributors.

- The PSCI CPU_SUSPEND API has been stabilised to the extent where it can be
  used for entry into power down states with the following restrictions:

  - Entry into standby states is not supported.
  - The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs.

- The PSCI AFFINITY_INFO API has undergone limited testing on the Base FVPs to
  allow experimental use.

- Required C library and runtime header files are now included locally in
  TF-A instead of depending on the toolchain standard include paths. The
  local implementation has been cleaned up and reduced in scope.

- Added an I/O abstraction framework, primarily to allow generic code to load
  images in a platform-independent way. The existing image loading code has
  been reworked to use the new framework. Semi-hosting and NOR flash I/O
  drivers are provided.

- Introduced Firmware Image Package (FIP) handling code and tools. A FIP
  combines multiple firmware images with a Table of Contents (ToC) into a
  single binary image. The new FIP driver is another type of I/O driver. The
  Makefile builds a FIP by default and the FVP platform code expects to load a
  FIP from NOR flash, although some support for image loading using
  semi-hosting is retained.

  .. note::
     Building a FIP by default is a non-backwards-compatible change.

  .. note::
     Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into
     DRAM instead of expecting this to be pre-loaded at a known location.
     This is also a non-backwards-compatible change.

  .. note::
     Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that
     it knows the new location to execute from and no longer needs to copy
     particular code modules to DRAM itself.

- Reworked the BL2 to BL3-1 handover interface. A new composite structure
  (bl31_args) holds the superset of information that needs to be passed from
  BL2 to BL3-1, including information on how to hand over execution control
  to BL3-2 (if present) and BL3-3 (non-trusted firmware).

- Added library support for CPU context management, allowing the saving and
  restoring of:

  - Shared system registers between Secure-EL1 and EL1.
  - VFP registers.
  - Essential EL3 system registers.

- Added a framework for implementing EL3 runtime services. Reworked the PSCI
  implementation to be one such runtime service.

- Reworked the exception handling logic, making use of both SP_EL0 and SP_EL3
  stack pointers for determining the type of exception, managing general
  purpose and system register context on exception entry/exit, and handling
  SMCs. SMCs are directed to the correct EL3 runtime service.
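As an added example for the FIP format introduced in the Firmware Image Package entry above (written for this page, not the TF-A FIP driver or fiptool): a ToC walker that looks up an image by UUID and refuses any entry whose offset and size do not fit inside the package. The ToC layout it assumes is the one fiptool produces: a 16-byte header (32-bit name ``0xAA640001``, 32-bit serial number, 64-bit flags) followed by 40-byte entries (16-byte UUID, 64-bit offset, 64-bit size, 64-bit flags), terminated by an entry with an all-zero UUID, all little-endian. The UUID, the payload and the ``fip_build_sample`` and ``fip_demo_lookup`` helpers are constructed fixtures for the demonstration, not real TF-A image identifiers.

```c
/* Added example, not TF-A code: bounds-checked lookup in a FIP Table of Contents. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOC_HEADER_NAME 0xAA640001U  /* ToC magic, fiptool format (assumed) */
#define TOC_HEADER_SIZE 16U          /* u32 name, u32 serial_number, u64 flags */
#define TOC_ENTRY_SIZE  40U          /* uuid[16], u64 offset, u64 size, u64 flags */
#define UUID_SIZE       16U

struct fip_image { const uint8_t *data; uint64_t size; };

/* Little-endian field accessors; the ToC is parsed from raw bytes, not cast. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}
static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static void wr64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/*
 * Locate the image with the given UUID inside fip[0..fip_len).  Returns 0 and
 * fills *out, or -1 for a bad header, a ToC that runs off the end of the
 * package, an entry whose extent lies outside the package, or no match.
 * The extent check is ordered so that off + size cannot wrap around.
 */
int fip_find_image(const uint8_t *fip, size_t fip_len,
                   const uint8_t uuid[UUID_SIZE], struct fip_image *out)
{
    static const uint8_t null_uuid[UUID_SIZE];
    size_t pos;

    if (fip_len < TOC_HEADER_SIZE || rd32(fip) != TOC_HEADER_NAME)
        return -1;

    for (pos = TOC_HEADER_SIZE; fip_len - pos >= TOC_ENTRY_SIZE;
         pos += TOC_ENTRY_SIZE) {
        const uint8_t *e = fip + pos;
        uint64_t off, sz;

        if (memcmp(e, null_uuid, UUID_SIZE) == 0)
            return -1;                       /* terminator: not found */
        if (memcmp(e, uuid, UUID_SIZE) != 0)
            continue;

        off = rd64(e + UUID_SIZE);
        sz  = rd64(e + UUID_SIZE + 8);
        if (off > fip_len || sz > fip_len - off)
            return -1;                       /* entry points outside package */

        out->data = fip + off;
        out->size = sz;
        return 0;
    }
    return -1;                               /* ToC not terminated in-bounds */
}

/*
 * Constructed fixture: header, one entry for `uuid`, zeroed terminator, then
 * the payload.  `claimed_size` is what the entry records; the forged case
 * below sets it larger than the bytes actually present.
 */
size_t fip_build_sample(uint8_t *buf, size_t cap, const uint8_t uuid[UUID_SIZE],
                        const uint8_t *payload, size_t payload_len,
                        uint64_t claimed_size)
{
    const size_t toc_len = TOC_HEADER_SIZE + 2 * TOC_ENTRY_SIZE;
    uint8_t *entry = buf + TOC_HEADER_SIZE;

    if (cap < toc_len + payload_len)
        return 0;
    memset(buf, 0, toc_len);                 /* second entry stays all-zero */
    wr32(buf, TOC_HEADER_NAME);
    memcpy(entry, uuid, UUID_SIZE);
    wr64(entry + UUID_SIZE, toc_len);        /* image follows the ToC */
    wr64(entry + UUID_SIZE + 8, claimed_size);
    memcpy(buf + toc_len, payload, payload_len);
    return toc_len + payload_len;
}

/* Made-up UUID and payload for the demo; not a real TF-A image UUID. */
static const uint8_t demo_uuid[UUID_SIZE] = {
    0x9d, 0x0c, 0xd9, 0x0d, 0xba, 0xd0, 0x45, 0xb7,
    0x8c, 0x1f, 0x0b, 0x64, 0xa7, 0x43, 0x9f, 0x6e };
static const uint8_t demo_payload[] = "BL31 payload";   /* 13 bytes with NUL */

enum fip_demo_case { FIP_DEMO_OK, FIP_DEMO_FORGED_SIZE,
                     FIP_DEMO_UNKNOWN_UUID, FIP_DEMO_BAD_MAGIC };

/* Size the parser accepts for the demo image, or -1 if the lookup is refused. */
long fip_demo_lookup(enum fip_demo_case which)
{
    uint8_t buf[256], other_uuid[UUID_SIZE];
    struct fip_image img;
    uint64_t claimed = (which == FIP_DEMO_FORGED_SIZE) ? (1U << 20)
                                                       : sizeof(demo_payload);
    size_t len = fip_build_sample(buf, sizeof(buf), demo_uuid, demo_payload,
                                  sizeof(demo_payload), claimed);
    if (len == 0)
        return -1;
    if (which == FIP_DEMO_BAD_MAGIC)
        wr32(buf, 0xDEADBEEFU);
    memcpy(other_uuid, demo_uuid, UUID_SIZE);
    other_uuid[0] ^= 0xffU;
    if (fip_find_image(buf, len,
                       (which == FIP_DEMO_UNKNOWN_UUID) ? other_uuid : demo_uuid,
                       &img) != 0)
        return -1;
    return (long)img.size;
}
```

The part worth copying is the range check in ``fip_find_image``: a FIP read from NOR flash is storage an attacker with write access to the flash can shape, so a loader that trusts ``offset_address`` and ``size`` straight from the ToC will copy out of bounds when handed a forged entry; ``fip_demo_lookup(FIP_DEMO_FORGED_SIZE)`` shows that case being refused. A real loader also authenticates the images it loads; this example covers only the parsing step.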

- Added support for a Test Secure-EL1 Payload (TSP) and a corresponding
  Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD
  implements Secure Monitor functionality such as world switching and
  EL1 context management, and is responsible for communication with the TSP.

  .. note::
     The TSPD does not yet contain support for secure world interrupts.

  .. note::
     The TSP/TSPD is not built by default.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Support has been added for switching context between secure and normal
  worlds in EL3.

- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` have now been tested (to
  a limited extent).

- The TF-A build artifacts are now placed in the ``./build`` directory and
  sub-directories instead of being placed in the root of the project.

- TF-A is now free from build warnings. Build warnings are now treated as
  errors.

- TF-A now provides C library support locally within the project to maintain
  compatibility between toolchains/systems.

- The PSCI locking code has been reworked so it no longer takes locks in an
  incorrect sequence.

- The RAM-disk method of loading a Linux file-system has been confirmed to
  work with the TF-A and Linux kernel versions (based on version 3.13) used
  in this release, for both Foundation and Base FVPs.

Known issues
^^^^^^^^^^^^

The following is a list of issues which are expected to be fixed in the future
releases of TF-A.

- The TrustZone Address Space Controller (TZC-400) is not being programmed
  yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported.

- No support yet for secure world interrupt handling.

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available.
  There are known issues with GICv3 initialization in
  TF-A.

- Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

- TF-A uses too much on-chip Trusted SRAM. Currently the Test Secure-EL1
  Payload (BL3-2) executes in Trusted DRAM since there is not enough SRAM.
  A number of RAM usage enhancements have been identified to rectify this
  situation.

- CPU idle does not work on the advertised version of the Foundation FVP.
  Some FVP fixes are required that are not available externally at the time
  of writing.

- Various bugs in TF-A, UEFI and the Linux kernel have been observed when
  using Linaro toolchain versions later than 13.11. Although most of these
  have been fixed, some remain at the time of writing. These mainly seem to
  relate to a subtle change in the way the compiler converts between 64-bit
  and 32-bit values (e.g. during casting operations), which reveals
  previously hidden bugs in client code.

- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
  14.01) does not report progress correctly in the console. It only seems to
  produce error output, not standard output. It otherwise appears to function
  correctly. Other filesystem versions on the same software stack do not
  exhibit the problem.

- The Makefile structure doesn't make it easy to separate out parts of
  TF-A for re-use in platform ports, for example if only BL3-1 is required in
  a platform port. Also, dependency checking in the Makefile is flawed.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

Version 0.2
-----------

New features
^^^^^^^^^^^^

- First source release.

- Code for the PSCI suspend feature is supplied, although this is not enabled
  by default since there are known issues (see below).

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The "psci" nodes in the FDTs provided in this release now fully comply
  with the recommendations made in the PSCI specification.

Known issues
^^^^^^^^^^^^

The following is a list of issues which are expected to be fixed in the future
releases of TF-A.

- The TrustZone Address Space Controller (TZC-400) is not being programmed
  yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported.

- No support yet for secure world interrupt handling or for switching context
  between secure and normal worlds in EL3.

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  TF-A.

- Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

- Although support for PSCI ``CPU_SUSPEND`` is present, it is not yet stable
  and ready for use.

- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` are implemented but have
  not been tested.

- The TF-A make files result in all build artifacts being placed in the root
  of the project. These should be placed in appropriate sub-directories.

- The compilation of TF-A is not free from compilation warnings. Some of these
  warnings have not been investigated yet so they could mask real bugs.

- TF-A currently uses toolchain/system include files like stdio.h. It should
  provide versions of these within the project to maintain compatibility
  between toolchains/systems.

- The PSCI code takes some locks in an incorrect sequence. This may cause
  problems with suspend and hotplug in certain conditions.

- The Linux kernel used in this release is based on version 3.12-rc4. Using
  this kernel with TF-A fails to start the file-system as a RAM-disk. It
  fails to execute user-space ``init`` from the RAM-disk. As an alternative,
  the VirtioBlock mechanism can be used to provide a file-system to the
  kernel.

--------------

*Copyright (c) 2013-2019, Arm Limited and Contributors. All rights reserved.*

.. _SDEI Specification: http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf
.. _tf-issue#501: https://github.com/ARM-software/tf-issues/issues/501
.. _PR#1002: https://github.com/ARM-software/arm-trusted-firmware/pull/1002#issuecomment-312650193
.. _mbed TLS releases: https://tls.mbed.org/tech-updates/releases