Change Log & Release Notes
==========================

This document contains a summary of the new features, changes, fixes and known
issues in each release of Trusted Firmware-A.

Version 2.4
-----------

New Features
^^^^^^^^^^^^

- Architecture support
   - Armv8.6-A
      - Added support for Armv8.6 Enhanced Counter Virtualization (ECV)
      - Added support for Armv8.6 Fine Grained Traps (FGT)
      - Added support for Armv8.6 WFE trap delays

- Bootloader images
   - Added support for Measured Boot

- Build System
   - Added build option ``COT_DESC_IN_DTB`` to create the Chain of Trust at
     runtime
   - Added build option ``OPENSSL_DIR`` to direct tools to OpenSSL libraries
   - Added build option ``RAS_TRAP_LOWER_EL_ERR_ACCESS`` to enable trapping RAS
     register accesses from EL1/EL2 to EL3
   - Extended build option ``BRANCH_PROTECTION`` to support branch target
     identification

- Common components
   - Added support for exporting CPU nodes to the device tree
   - Added support for single and dual-root Chains of Trust in secure
     partitions

- Drivers
   - Added Broadcom RNG driver
   - Added Marvell ``mg_conf_cm3`` driver
   - Added System Control and Management Interface (SCMI) driver
   - Added STMicroelectronics ETZPC driver

   - Arm GICv3
      - Added support for detecting topology at runtime

   - Dual Root
      - Added support for platform certificates

   - Marvell Cache LLC
      - Added support for mapping the entire LLC into SRAM

   - Marvell CCU
      - Added workaround for erratum 3033912

   - Marvell CP110 COMPHY
      - Added support for SATA COMPHY polarity inversion
      - Added support for USB COMPHY polarity inversion
      - Added workaround for erratum IPCE_COMPHY-1353

   - STM32MP1 Clocks
      - Added ``RTC`` as a gateable clock
      - Added support for shifted clock selector bit masks
      - Added support for using additional clocks as parents

- Libraries
   - C standard library
      - Added support for hexadecimal and pointer format specifiers in
        ``snprintf()``
      - Added assembly alternatives for various library functions

   - CPU support
      - Arm Cortex-A53
         - Added workaround for erratum 1530924

      - Arm Cortex-A55
         - Added workaround for erratum 1530923

      - Arm Cortex-A57
         - Added workaround for erratum 1319537

      - Arm Cortex-A72
         - Added workaround for erratum 1319367

      - Arm Cortex-A76
         - Added workaround for erratum 1165522
         - Added workaround for erratum 1791580
         - Added workaround for erratum 1868343

      - Arm Cortex-A77
         - Added workaround for erratum 1508412
         - Added workaround for erratum 1800714
         - Added workaround for erratum 1925769

      - Arm Neoverse N1
         - Added workaround for erratum 1868343

   - EL3 Runtime
      - Added support for saving/restoring registers related to nested
        virtualization in EL2 context switches if the architecture supports it

   - FCONF
      - Added support for Measured Boot
      - Added support for populating Chain of Trust properties
      - Added support for loading the ``fw_config`` image

   - Measured Boot
      - Added support for event logging

- Platforms
   - Added support for Arm Morello
   - Added support for Arm TC0
   - Added support for iEi PUZZLE-M801
   - Added support for Marvell OCTEON TX2 T9130
   - Added support for MediaTek MT8192
   - Added support for NXP i.MX 8M Nano
   - Added support for NXP i.MX 8M Plus
   - Added support for QTI SC7180
   - Added support for STM32MP151F
   - Added support for STM32MP153F
   - Added support for STM32MP157F
   - Added support for STM32MP151D
   - Added support for STM32MP153D
   - Added support for STM32MP157D

   - Arm
      - Added support for platform-owned SPs
      - Added support for resetting to BL31

   - Arm FPGA
      - Added support for Klein
      - Added support for Matterhorn
      - Added support for additional CPU clusters

   - Arm FVP
      - Added support for performing SDEI platform setup at runtime
      - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command
      - Added an ``id`` field under the NV-counter node in the device tree to
        differentiate between trusted and non-trusted NV-counters
      - Added support for extracting the clock frequency from the timer node
        in the device tree

   - Arm Juno
      - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command

   - Arm N1SDP
      - Added support for cross-chip PCI-e

   - Marvell
      - Added support for AVS reduction

   - Marvell ARMADA
      - Added support for twin-die combined memory device

   - Marvell ARMADA A8K
      - Added support for DDR with 32-bit bus width (both ECC and non-ECC)

   - Marvell AP806
      - Added workaround for erratum FE-4265711

   - Marvell AP807
      - Added workaround for erratum 3033912

   - NVIDIA Tegra
      - Added debug printouts indicating SC7 entry sequence completion
      - Added support for SDEI
      - Added support for stack protection
      - Added support for GICv3
      - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command

   - NVIDIA Tegra194
      - Added support for RAS exception handling
      - Added support for SPM

   - NXP i.MX
      - Added support for SDEI

   - QEMU SBSA
      - Added support for the Secure Partition Manager

   - QTI
      - Added RNG driver
      - Added SPMI PMIC arbitrator driver
      - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command

   - STM32MP1
      - Added support for exposing peripheral interfaces to the non-secure
        world at runtime
      - Added support for SCMI clock and reset services
      - Added support for STM32MP15x CPU revision Z
      - Added support for SMCCC services in ``SP_MIN``

- Services
   - Secure Payload Dispatcher
      - Added a provision to allow clients to retrieve the service UUID

   - SPMC
      - Added secondary core endpoint information to the SPMC context
        structure

   - SPMD
      - Added support for booting OP-TEE as a guest S-EL1 Secure Partition on
        top of Hafnium in S-EL2
      - Added a provision for handling SPMC messages to register secondary
        core entry points
      - Added support for power management operations

- Tools
   - CertCreate
      - Added support for secure partitions

   - CertTool
      - Added support for the ``fw_config`` image

   - FIPTool
      - Added support for the ``fw_config`` image

Changed
^^^^^^^

- Build System
   - The top-level Makefile now supports building FipTool on Windows
   - The default value of ``KEY_SIZE`` has been changed to 2048 when RSA is in
     use
   - The previously-deprecated macro ``__ASSEMBLY__`` has now been removed

- Common components
   - Certain functions that flush the console no longer return error
     information

- Drivers
   - Arm GIC
      - Usage of ``drivers/arm/gic/common/gic_common.c`` has now been
        deprecated in favour of ``drivers/arm/gic/vX/gicvX.mk``
      - Added support for detecting the presence of a GIC600-AE
      - Added support for detecting the presence of a GIC-Clayton

   - Marvell MCI
      - Now performs link tuning for all MCI interfaces to improve performance

   - Marvell MoChi
      - PIDI masters are no longer forced into a non-secure access level when
        ``LLC_SRAM`` is enabled
      - The SD/MMC controllers are now accessible from guest virtual machines

   - Mbed TLS
      - Migrated to Mbed TLS v2.24.0

   - STM32 FMC2 NAND
      - Adjusted FMC node bindings to include an EBI controller node

   - STM32 Reset
      - Added an optional timeout argument to assertion functions

   - STM32MP1 Clocks
      - Enabled several additional system clocks during initialization

- Libraries
   - C Standard Library
      - Improved ``memset`` performance by avoiding single-byte writes
      - Added optimized assembly variants of ``memset``

   - CPU support
      - Renamed Cortex-Hercules to Cortex-A78
      - Renamed Cortex-Hercules AE to Cortex-A78 AE
      - Renamed Neoverse Zeus to Neoverse V1

   - Coreboot
      - Updated the ``coreboot_get_memory_type`` API to take the memory size
        as an extra argument; the function continues to return a valid memory
        type

   - libfdt
      - Updated to latest upstream version

- Platforms
   - Allwinner
      - Disabled non-secure access to PRCM power control registers

   - Arm
      - ``BL32_BASE`` is now platform-dependent when ``SPD_spmd`` is enabled
      - Added support for loading the Chain of Trust from the device tree
      - The firmware update check is now executed only once
      - NV-counter base addresses are now loaded from the device tree when
        ``COT_DESC_IN_DTB`` is enabled
      - Now loads and populates ``fw_config`` and ``tb_fw_config``
      - FCONF population now occurs after caches have been enabled in order
        to reduce boot times

   - Arm Corstone-700
      - Platform support has been split into both an FVP and an FPGA variant

   - Arm FPGA
      - DTB and BL33 load addresses have been given sensible default values
      - Now reads the generic timer counter frequency, GICD and GICR base
        addresses, and UART address from the DT
      - Now treats the primary PL011 UART as an SBSA Generic UART

   - Arm FVP
      - Secure interrupt descriptions, UART parameters, clock frequencies and
        GICv3 parameters are now queried through FCONF
      - UART parameters are now queried through the device tree
      - Added an owner field to Cactus secure partitions
      - Increased the maximum size of BL2 when the Chain of Trust is loaded
        from the device tree
      - Reduced the maximum size of BL31
      - The ``FVP_USE_SP804_TIMER`` and ``FVP_VE_USE_SP804_TIMER`` build
        options have been removed in favour of a common ``USE_SP804_TIMER``
        option
      - Added a third Cactus partition to manifests
      - Device tree nodes now store UUIDs in big-endian byte order

   - Arm Juno
      - Increased the maximum size of BL2 when optimizations have not been
        applied
      - Reduced the maximum size of BL31 and BL32

   - Marvell AP807
      - Enabled snoop filters

   - Marvell ARMADA A3K
      - UART recovery images are now suffixed with ``.bin``

   - Marvell ARMADA A8K
      - Option ``BL31_CACHE_DISABLE`` is now disabled (``0``) by default

   - NVIDIA Tegra
      - Added a check that VPR resizing is supported when processing video
        memory resize requests
      - Added SMMU verification to prevent potential issues caused by
        undetected corruption of the SMMU configuration during boot
      - The GIC CPU interface is now properly disabled after CPU off
      - The GICv2 sources list and the ``BL31_SIZE`` definition have been made
        platform-specific
      - The SPE driver no longer flushes the console when writing
        individual characters

   - NVIDIA Tegra194
      - TZDRAM setup has been moved to platform-specific early boot handlers
      - Increased verbosity of debug prints for RAS SErrors
      - Support for powering down CPUs during CPU suspend has been removed
      - Now verifies firewall settings before using resources

   - TI K3
      - The UART number has been made configurable through ``K3_USART``

   - Rockchip RK3368
      - The maximum number of memory map regions has been increased to 20

   - Socionext Uniphier
      - The maximum size of BL33 has been increased to support larger
        bootloaders

   - STM32
      - Removed platform-specific DT functions in favour of existing generic
        alternatives

   - STM32MP1
      - Increased verbosity of exception reports in debug builds
      - Device trees have been updated to align with the Linux kernel
      - Now uses the ETZPC driver to configure secure-aware interfaces for
        assignment to the non-secure world
      - Finished-good variants have been added to the board identifier
        enumerations
      - Non-secure access to clocks and reset domains now depends on their
        state of registration
      - NEON is now disabled in ``SP_MIN``
      - The last page of ``SYSRAM`` is now used as SCMI shared memory
      - Added checks that verify an image is compatible with the chip ID of
        the running platform

   - QEMU SBSA
      - Removed support for Arm's Cortex-A53

- Services
   - Renamed SPCI to FF-A

   - SPMD
      - No longer forwards requests to the non-secure world when retrieving
        partition information
      - SPMC manifest size is now retrieved directly from SPMD instead of the
        device tree
      - The FF-A version handler now returns SPMD's version when the origin
        of the call is secure, and SPMC's version when the origin of the call
        is non-secure

   - SPMC
      - Updated the manifest to declare CPU nodes in descending order as per
        the SPM (Hafnium) multicore requirement
      - Updated the device tree to mark 2GB as device memory for the first
        partition, excluding the trusted DRAM region (which is reserved for
        the SPMC)
      - Increased the number of EC contexts to the maximum number of PEs as
        per the FF-A specification

- Tools
   - FIPTool
      - Now returns ``0`` on ``help`` and ``help <command>``

   - Marvell DoImage
      - Updated Mbed TLS support to v2.8

   - SPTool
      - Now appends CertTool arguments

Resolved Issues
^^^^^^^^^^^^^^^

- Bootloader images
   - Fixed compilation errors for dual-root Chains of Trust caused by symbol
     collision

   - BL31
      - Fixed compilation errors on platforms with fewer than 4 cores caused
        by initialization code exceeding the end of the stacks
      - Fixed compilation errors when building a position-independent image

- Build System
   - Fixed invalid empty version strings
   - Fixed compilation errors on Windows caused by a non-portable architecture
     revision comparison

- Drivers
   - Arm GIC
      - Fixed spurious interrupts caused by a missing barrier

   - STM32 Flexible Memory Controller 2 (FMC2) NAND driver
      - Fixed runtime instability caused by incorrect error detection logic

   - STM32MP1 Clock driver
      - Fixed incorrectly-formatted log messages
      - Fixed runtime instability caused by improper clock gating procedures

   - STMicroelectronics Raw NAND driver
      - Fixed runtime instability caused by incorrect unit conversion when
        waiting for NAND readiness

- Libraries
   - AMU
      - Fixed timeout errors caused by excess error logging

   - EL3 Runtime
      - Fixed runtime instability caused by an improper register save/restore
        routine in EL2

   - FCONF
      - Fixed failure to initialize GICv3 caused by overly-strict device tree
        requirements

   - Measured Boot
      - Fixed driver errors caused by a missing default value for the
        ``HASH_ALG`` build option

   - SPE
      - Fixed a feature detection check that prevented CPUs supporting SVE
        from detecting support for SPE in the non-secure world

   - Translation Tables
      - Fixed various MISRA-C 2012 static analysis violations

- Platforms
   - Allwinner A64
      - Fixed USB issues on certain battery-powered devices caused by an
        improperly activated USB power rail

   - Arm
      - Fixed compilation errors caused by the increase in BL2 size
      - Fixed compilation errors caused by missing Makefile dependencies on
        generated files when building the FIP
      - Fixed MISRA-C 2012 static analysis violations caused by unused
        structures in include directives intended to be feature-gated

   - Arm FPGA
      - Fixed initialization issues caused by incorrect MPIDR topology mapping
        logic

   - Arm RD-N1-edge
      - Fixed compilation errors caused by mismatched parentheses in Makefile

   - Arm SGI
      - Fixed crashes due to the flash memory used for cold reboot attack
        protection not being mapped

   - Intel Agilex
      - Fixed initialization issues caused by several compounding bugs

   - Marvell
      - Fixed compilation warnings caused by multiple Makefile inclusions

   - Marvell ARMADA A3K
      - Fixed boot issue in debug builds caused by checks on the BL33 load
        address that are not appropriate for this platform

   - NVIDIA Tegra
      - Fixed incorrect delay timer reads
      - Fixed spurious interrupts in the non-secure world during cold boot
        caused by the arbitration bit in the memory controller not being
        cleared
      - Fixed faulty video memory resize sequence

   - NVIDIA Tegra194
      - Fixed incorrect alignment of TZDRAM base address

   - NXP iMX8M
      - Fixed CPU hot-plug issues caused by a race condition

   - STM32MP1
      - Fixed compilation errors in highly-parallel builds caused by incorrect
        Makefile dependencies

   - STM32MP157C-ED1
      - Fixed initialization issues caused by a missing device tree hash node

   - Raspberry Pi 3
      - Fixed compilation errors caused by incorrect dependency ordering in
        Makefile

   - Rockchip
      - Fixed initialization issues caused by non-critical errors when parsing
        the FDT being treated as critical

   - Rockchip RK3368
      - Fixed runtime instability caused by an incorrect CPUID shift value

   - QEMU
      - Fixed compilation errors caused by incorrect dependency ordering in
        Makefile

   - QEMU SBSA
      - Fixed initialization issues caused by the FDT exceeding the reserved
        memory size

   - QTI
      - Fixed compilation errors caused by inclusion of a non-existent file

- Services
   - FF-A (previously SPCI)
      - Fixed SPMD aborts caused by incorrect behaviour when the manifest is
        page-aligned

- Tools
   - Fixed compilation issues when compiling tools from within their respective
     directories

   - FIPTool
      - Fixed command line parsing issues on Windows when using arguments
        whose names also happen to be a subset of another's

   - Marvell DoImage
      - Fixed PKCS signature verification errors at boot on some platforms
        caused by generation of misaligned images

Known Issues
^^^^^^^^^^^^

- Platforms
   - NVIDIA Tegra
      - Signed comparison compiler warnings occurring in libfdt are currently
        being worked around by disabling the warning for the platform until
        the underlying issue is resolved in libfdt

Version 2.3
-----------

New Features
^^^^^^^^^^^^

- Arm Architecture
   - Add support for the Armv8.4-SecEL2 extension through the SPCI-defined
     SPMD/SPMC components.

   - Build option to support EL2 context save and restore in the secure world
     (``CTX_INCLUDE_EL2_REGS``).

   - Add support for SMCCC v1.2 (introducing the new ``SMCCC_ARCH_SOC_ID``
     SMC). Note that the support is compliant, but the SVE register
     save/restore will be done as part of future S-EL2/SPM development.

- BL-specific
   - Enhanced BL2 bootloader flow to load secure partitions based on firmware
     configuration data (fconf).

   - Changes necessary to support the ``SEPARATE_NOBITS_REGION`` feature

   - TSP and BL2_AT_EL3: Add Position Independent Execution (``PIE``) support

- Build System
   - Add support for documentation build as a target in Makefile

   - Add ``COT`` build option to select the Chain of Trust to use when the
     Trusted Boot feature is enabled (default: ``tbbr``).

   - Added creation and injection of secure partition packages into the FIP.

   - Build option to support loading and running the SPMC component at S-EL1
     or S-EL2 (``SPMD_SPM_AT_SEL2``).

   - Enable MTE support

   - Enable Link Time Optimization in GCC

   - Enable ``-Wredundant-decls`` warning check

   - Makefile: Add support to optionally encrypt BL31 and BL32

   - Add support to pass the ``nt_fw_config`` DTB to OP-TEE.

   - Introduce per-BL ``CPPFLAGS``, ``ASFLAGS``, and ``LDFLAGS``

   - build_macros: Add ``CREATE_SEQ`` function to generate a sequence of
     numbers

- CPU Support
   - cortex-a57: Enable higher performance non-cacheable load forwarding

   - Hercules: Workaround for erratum 1688305

   - Klein: Support added for Klein CPU

   - Matterhorn: Support added for Matterhorn CPU

- Drivers
   - auth: Add ``calc_hash`` function for hash calculation. Used for
     authentication of images when measured boot is enabled.

   - cryptocell: Add authenticated decryption framework, and support
     for CryptoCell-713 and CryptoCell-712 RSA 3K

   - gic600: Add support for multichip configuration and Clayton
   - gicv3: Introduce makefile, add extended PPI and SPI range, and add
     support for probing multiple GIC Redistributor frames
   - gicv4: Add GICv4 extension for GIC driver

   - io: Add an IO abstraction layer to load encrypted firmware

   - mhu: Derive doorbell base address

   - mtd: Add SPI-NOR, SPI-NAND, SPI-MEM, and raw NAND framework

   - scmi: Allow use of multiple SCMI channels

   - scu: Add a driver for the snoop control unit

- Libraries
   - coreboot: Add memory range parsing and use generic base address

   - compiler_rt: Import ``popcountdi2.c`` and ``popcountsi2.c`` files,
     ``aeabi_ldivmode.S`` file and dependencies

   - debugFS: Add DebugFS functionality

   - el3_runtime: Add support for enabling S-EL2

   - fconf: Add Firmware Configuration Framework (fconf) (experimental).

   - libc: Add ``memrchr`` function

   - locks: bakery: Use ``is_dcache_enabled()`` helper and add a DMB to
     the ``read_cache_op`` macro

   - psci: Add support for enabling different personalities of the same SoC.

   - xlat_tables_v2: Add support to pass shareability attribute for
     normal memory region, use ``get_current_el_maybe_constant()`` in
     ``is_dcache_enabled()``, read-only xlat tables for BL31 memory, and
     add ``enable_mmu()``

- New Platforms Support
   - arm/arm_fpga: New platform support added for FPGA

   - arm/rddaniel: New platform support added for rd-daniel platform

   - brcm/stingray: New platform support added for Broadcom stingray platform

   - nvidia/tegra194: New platform support for NVIDIA Tegra194 platform

- Platforms
   - allwinner: Implement PSCI system suspend using SCPI, add a msgbox
     driver for use with SCPI, and reserve and map space for the SCP firmware
   - allwinner: axp: Add AXP805 support
   - allwinner: power: Add DLDO4 power rail

   - amlogic: axg: Add a build flag when using ATOS as BL32 and support for
     the A113D (AXG) platform

   - arm/a5ds: Add ethernet node and L2 cache node in devicetree

   - arm/common: Add support for the new ``dualroot`` chain of trust
   - arm/common: Add support for ``SEPARATE_NOBITS_REGION``
   - arm/common: Re-enable PIE when ``RESET_TO_BL31=1``
   - arm/common: Allow boards to specify second DRAM base address
     and to define ``PLAT_ARM_TZC_FILTERS``

   - arm/corstone700: Add support for mhuv2 and stack protector

   - arm/fvp: Add support for fconf in BL31 and SP_MIN. Populate power
     domain descriptor dynamically by leveraging fconf APIs.
   - arm/fvp: Add Cactus/Ivy Secure Partition information and use two
     instances of Cactus at S-EL1
   - arm/fvp: Add support to run BL32 in TDRAM and BL31 in secure DRAM
   - arm/fvp: Add support for GICv4 extension and BL2 hash calculation in BL1

   - arm/n1sdp: Set up multichip GIC routing table, update platform macros
     for dual-chip setup, introduce platform information SDS region, add
     support to update presence of external LLC, and enable the
     ``NEOVERSE_N1_EXTERNAL_LLC`` flag

   - arm/rdn1edge: Add support for dual-chip configuration and use the
     ``CREATE_SEQ`` helper macro to compare chip count

   - arm/sgm: Always use SCMI for SGM platforms
   - arm/sgm775: Add support for dynamic config using fconf

   - arm/sgi: Add multi-chip mode parameter in HW_CONFIG dts, macros for
     remote chip device region, chip_id and multi_chip_mode to platform
     variant info, and introduce number of chips macro

   - brcm: Add BL2 and BL31 support common across Broadcom platforms
   - brcm: Add iproc SPI NOR flash support, SPI driver, eMMC driver,
     and support to retrieve ``plat_toc_flags``

   - hisilicon: hikey960: Enable system power off callback

   - intel: Enable bridge access, SiP SMC secure register access, and U-Boot
     entrypoint support
   - intel: Implement platform specific system reset 2
   - intel: Introduce mailbox response length handling

   - imx: console: Use ``CONSOLE_T_BASE`` for UART base address and generic
     ``console_t`` data structure
   - imx8mm: Provide UART base as build option and add support for the opteed
     SPD on imx8mq/imx8mm
   - imx8qx: Provide debug UART number as a build parameter
   - imx8qm: Apply clk/pinmux configuration for DEBUG_CONSOLE and provide
     debug UART number as a build parameter

   - marvell: a8k: Implement platform specific power off and add support
     for loading MG CM3 images

   - mediatek: mt8183: Add Vmodem/Vcore DVS init level

   - qemu: Support optional encryption of BL31 and BL32 images
     and ``ARM_LINUX_KERNEL_AS_BL33`` to pass FDT address
   - qemu: Define ``ARMV7_SUPPORTS_VFP``
   - qemu: Implement ``PSCI_CPU_OFF`` and ``qemu_system_off`` via semihosting

   - renesas: rcar_gen3: Add new board revision for M3ULCB

   - rockchip: Enable workaround for erratum 855873, claim a macro to enable
     the HDCP feature for DP, enable power domains of rk3399 before reset, add
     support for UART3 as serial output, and initialize reset and poweroff
     GPIOs with a known invalid value

   - rpi: Implement PSCI ``CPU_OFF``, use MMIO accessor, autodetect Mini-UART
     vs. PL011 configuration, and allow using PL011 UART for RPi3/RPi4
   - rpi3: Include GPIO driver in all BL stages and use the same "clock-less"
     setup scheme as RPi4
   - rpi3/4: Add support for offlining CPUs

   - st: stm32mp1: platform.mk: Support generating multiple images in one
     build, migrate to implicit rules, derive map file name from target name,
     generate linker script with fixed name, and use PHONY for the appropriate
     targets
   - st: stm32mp1: Add support for SPI-NOR, raw NAND, and SPI-NAND boot
     devices, QSPI, and the FMC2 driver
   - st: stm32mp1: Use ``stm32mp_get_ddr_ns_size()`` function, set XN
     attribute for some areas in BL2, dynamically map DDR later and
     non-cacheable during its test, add a function to get non-secure DDR
     size, add DT helper for reg by name, and add compilation flags for boot
     devices

   - socionext: uniphier: Turn on ``ENABLE_PIE``

   - ti: k3: Add PIE support

   - xilinx: versal: Add set wakeup source, client wakeup, query data, request
     wakeup, ``PM_INIT_FINALIZE``, ``PM_GET_TRUSTZONE_VERSION``, PM IOCTL,
     suspend-related, and ``Get_ChipID`` APIs
   - xilinx: versal: Implement power down/restart related EEMI APIs, the SMC
     handler for EEMI, and PLL, clock, pin control, reset and device related
     PM APIs
   - xilinx: versal: Enable IPI mailbox service
   - xilinx: versal: Add ``get_api_version`` support and support to send PM
     API to PMC using IPI
   - xilinx: zynqmp: Add checksum support for IPI data, ``GET_CALLBACK_DATA``
     function, support to query max divisor, ``CLK_SET_RATE_PARENT`` in gem
     clock node, support for custom type flags, LPD WDT clock to the
     ``pm_clock`` structure, idcodes for new RFSoC silicons ZU48DR and ZU49DR,
     and id for new RFSoC device ZU39DR

- Security
   - Use Speculation Barrier instruction for v8.5+ cores

   - Add support for optional firmware encryption feature (experimental).

   - Introduce a new ``dualroot`` chain of trust.

   - aarch64: Prevent speculative execution past ERET
   - aarch32: Stop speculative execution past exception returns.

- SPCI
   - Introduced the Secure Partition Manager Dispatcher (SPMD) component as a
     new standard service.

- Tools
   - cert_create: Introduce CoT build option and TBBR CoT makefile,
     and define the dualroot CoT

   - encrypt_fw: Add firmware authenticated encryption tool

   - memory: Add ``show_memory`` script that prints a representation
     of the memory layout for the latest build

809
810Changed
811^^^^^^^
812
813- Arm Architecture
814 - PIE: Make call to GDT relocation fixup generalized
815
816- BL-Specific
817 - Increase maximum size of BL2 image
818
819 - BL31: Discard .dynsym .dynstr .hash sections to make ENABLE_PIE work
820 - BL31: Split into two separate memory regions
821
822 - Unify BL linker scripts and reduce code duplication.
823
824- Build System
825 - Changes to drive cert_create for dualroot CoT
826
827 - Enable -Wlogical-op always
828
829 - Enable -Wshadow always
830
831 - Refactor the warning flags
832
833 - PIE: Pass PIE options only to BL31
834
835 - Reduce space lost to object alignment
836
837 - Set lld as the default linker for Clang builds
838
839 - Remove -Wunused-const-variable and -Wpadded warning
840
841 - Remove -Wmissing-declarations warning from WARNING1 level
842
843- Drivers
844 - authentication: Necessary fix in drivers to upgrade to mbedtls-2.18.0
845
846 - console: Integrate UART base address in generic console_t
847
848 - gicv3: Change API for GICR_IPRIORITYR accessors and separate
849 GICD and GICR accessor functions
850
851 - io: Change seek offset to signed long long and panic in case
852 of io setup failure
853
854 - smmu: SMMUv3: Changed retry loop to delay timer
855
856 - tbbr: Reduce size of hash and ECDSA key buffers when possible
857
858- Library Code
859 - libc: Consolidate the size_t, unified, and NULL definitions,
860 and unify intmax_t and uintmax_t on AArch32/64
861
862 - ROMLIB: Optimize memory layout when ROMLIB is used
863
864 - xlat_tables_v2: Use ARRAY_SIZE in REGISTER_XLAT_CONTEXT_FULL_SPEC,
865 merge REGISTER_XLAT_CONTEXT_{FULL_SPEC,RO_BASE_TABLE},
866 and simplify end address checks in mmap_add_region_check()
867
868- Platforms
869 - allwinner: Adjust SRAM A2 base to include the ARISC vectors, clean up MMU
870 setup, reenable USE_COHERENT_MEM, remove unused include path, move the
871 NOBITS region to SRAM A1, convert AXP803 regulator setup code into a driver,
872 enable clock before resetting I2C/RSB
873 - allwinner: h6: power: Switch to using the AXP driver
874 - allwinner: a64: power: Use fdt_for_each_subnode, remove obsolete register
875 check, remove duplicate DT check, and make sunxi_turn_off_soc static
876 - allwinner: Build PMIC bus drivers only in BL31, clean up PMIC-related error
877 handling, and synchronize PMIC enumerations
878
879 - arm/a5ds: Change boot address to point to DDR address
880
881 - arm/common: Check for out-of-bound accesses in the platform io policies
882
883 - arm/corstone700: Updating the kernel arguments to support initramfs,
884 use fdts DDR memory and XIP rootfs, and set UART clocks to 32MHz
885
886 - arm/fvp: Modify multithreaded dts file of DynamIQ FVPs, slightly bump
887 the stack size for bl1 and bl2, remove re-definition of topology related
888 build options, stop reclaiming init code with Clang builds, and map only
889 the needed DRAM region statically in BL31/SP_MIN
890
891 - arm/juno: Maximize space allocated to SCP_BL2
892
893 - arm/sgi: Bump bl1 RW limit, mark remote chip shared ram as non-cacheable,
894 move GIC related constants to board files, include AFF3 affinity in core
895 position calculation, move bl31_platform_setup to board file, and move
896 topology information to board folder
897
898 - common: Refactor load_auth_image_internal().
899
900 - hisilicon: Remove uefi-tools in hikey and hikey960 documentation
901
902 - intel: Modify non secure access function, BL31 address mapping, mailbox's
903 get_config_status, and stratix10 BL31 parameter handling
904 - intel: Remove un-needed checks for qspi driver r/w and s10 unused source code
905 - intel: Change all global sip function to static
906 - intel: Refactor common platform code
907 - intel: Create SiP service header file
908
909
910 - marvell: armada: scp_bl2: Allow loading up to 8 images
911 - marvell: comphy-a3700: Support SGMII COMPHY power off and fix USB3
912 powering on when on lane 2
913 - marvell: Consolidate console register calls
914
915 - mediatek: mt8183: Protect 4GB~8GB dram memory, refine GIC driver for
916 low power scenarios, and switch PLL/CLKSQ/ck_off/axi_26m control to SPM
917
918 - qemu: Update flash address map to keep FIP in secure FLASH0
919
920 - renesas: rcar_gen3: Update IPL and Secure Monitor Rev.2.0.6, update DDR
921 setting for H3, M3, M3N, change fixed destination address of BL31 and BL32,
922 add missing #{address,size}-cells into generated DT, pass DT to OpTee OS,
923 and move DDR drivers out of staging
924
925 - rockchip: Make miniloader ddr_parameter handling optional, cleanup securing
926 of ddr regions, move secure init to separate file, use base+size for secure
927 ddr regions, bring TZRAM_SIZE values in lined, and prevent macro expansion
928 in paths
929
930 - rpi: Move plat_helpers.S to common
931 - rpi3: gpio: Simplify GPIO setup
932 - rpi4: Skip UART initialisation
933
934 - st: stm32m1: Use generic console_t data structure, remove second
935 QSPI flash instance, update for FMC2 pin muxing, and reduce MAX_XLAT_TABLES
936 to 4
937
938 - socionext: uniphier: Make on-chip SRAM and I/O register regions configurable
939 - socionext: uniphier: Make PSCI related, counter control, UART, pinmon, NAND
940 controller, and eMMC controller base addresses configurable
941 - socionext: uniphier: Change block_addressing flag and the return value type
942 of .is_usb_boot() to bool
943 - socionext: uniphier: Run BL33 at EL2, call uniphier_scp_is_running() only
944 when on-chip STM is supported, define PLAT_XLAT_TABLES_DYNAMIC only for BL2,
945 support read-only xlat tables, use enable_mmu() in common function, shrink
946 UNIPHIER_ROM_REGION_SIZE, prepare uniphier_soc_info() for next SoC, extend
947 boot device detection for future SoCs, make all BL images completely
948 position-independent, make uniphier_mmap_setup() work with PIE, pass SCP
949 base address as a function parameter, set buffer offset and length for
950 io_block dynamically, and use more mmap_add_dynamic_region() for loading
951 images
952
953 - spd/trusty: Disable error messages seen during boot, allow gic base to be
954 specified with GICD_BASE, and allow getting trusty memsize from BL32_MEM_SIZE
955 instead of TSP_SEC_MEM_SIZE
956
957 - ti: k3: common: Enable ARM cluster power down and rename device IDs to
958 be more consistent
959 - ti: k3: drivers: ti_sci: Put sequence number in coherent memory and
960 remove indirect structure of const data
961
962 - xilinx: Move ipi mailbox svc to xilinx common
963 - xilinx: zynqmp: Use GIC framework for warm restart
964 - xilinx: zynqmp: pm: Move custom clock flags to typeflags, remove
965 CLK_TOPSW_LSBUS from invalid clock list and rename FPD WDT clock ID
966 - xilinx: versal: Increase OCM memory size for DEBUG builds and adjust
967 cpu clock, Move versal_def.h and versal_private to include directory
968
969- Tools
David Horstmann47147012021-01-21 12:29:59 +0000970 - sptool: Updated sptool to accommodate building secure partition packages.
laurenw-arm4204e072020-04-14 16:44:52 -0500971
972Resolved Issues
973^^^^^^^^^^^^^^^
974
975- Arm Architecture
976 - Fix crash dump for lower EL
977
978- BL-Specific
979 - Bug fix: Protect TSP prints with lock
980
981 - Fix boot failures on some builds linked with ld.lld.
982
983- Build System
984 - Fix clang build if CC is not in the path.
985
986 - Fix 'BL stage' comment for build macros
987
988- Code Quality
989 - coverity: Fix various MISRA violations including null pointer violations,
990 C issues in BL1/BL2/BL31 and FDT helper functions, using boolean essential,
991 type, and removing unnecessary header file and comparisons to LONG_MAX in
992 debugfs devfip
993
994 - Based on coding guidelines, replace all `unsigned long` depending on if
995 fixed based on AArch32 or AArch64.
996
997 - Unify type of "cpu_idx" and Platform specific defines across PSCI module.
998
999- Drivers
1000 - auth: Necessary fix in drivers to upgrade to mbedtls-2.18.0
1001
1002 - delay_timer: Fix non-standard frequency issue in udelay
1003
1004 - gicv3: Fix compiler dependent behavior
1005 - gic600: Fix include ordering according to the coding style and power up sequence
1006
1007- Library Code
1008 - el3_runtime: Fix stack pointer maintenance on EA handling path,
1009 fixup 'cm_setup_context' prototype, and adds TPIDR_EL2 register
1010 to the context save restore routines
1011
1012 - libc: Fix SIZE_MAX on AArch32
1013
1014 - locks: T589: Fix insufficient ordering guarantees in bakery lock
1015
1016 - pmf: Fix 'tautological-constant-compare' error, Make the runtime
1017 instrumentation work on AArch32, and Simplify PMF helper macro
1018 definitions across header files
1019
1020 - xlat_tables_v2: Fix assembler warning of PLAT_RO_XLAT_TABLES
1021
1022- Platforms
1023 - allwinner: Fix H6 GPIO and CCU memory map addresses and incorrect ARISC
1024 code patch offset check
1025
1026 - arm/a5ds: Correct system freq and Cache Writeback Granule, and cleanup
1027 enable-method in devicetree
1028
1029 - arm/fvp: Fix incorrect GIC mapping, BL31 load address and image size
1030 for RESET_TO_BL31=1, topology description of cpus for DynamIQ based
1031 FVP, and multithreaded FVP power domain tree
1032 - arm/fvp: spm-mm: Correcting instructions to build SPM for FVP
1033
1034 - arm/common: Fix ROTPK hash generation for ECDSA encryption, BL2 bug in
1035 dynamic configuration initialisation, and current RECLAIM_INIT_CODE behavior
1036
1037 - arm/rde1edge: Fix incorrect topology tree description
1038
1039 - arm/sgi: Fix the incorrect check for SCMI channel ID
1040
1041 - common: Flush dcache when storing timestamp
1042
1043 - intel: Fix UEFI decompression issue, memory calibration, SMC SIP service,
1044 mailbox config return status, mailbox driver logic, FPGA manager on
1045 reconfiguration, and mailbox send_cmd issue
1046
1047 - imx: Fix shift-overflow errors, the rdc memory region slot's offset,
1048 multiple definition of ipc_handle, missing inclusion of cdefs.h, and
1049 correct the SGIs that used for secure interrupt
1050
1051 - mediatek: mt8183: Fix AARCH64 init fail on CPU0
1052
1053 - rockchip: Fix definition of struct param_ddr_usage
1054
1055 - rpi4: Fix documentation of armstub config entry
1056
1057 - st: Correct io possible NULL pointer dereference and device_size type,
1058 nand xor_ecc.val assigned value, static analysis tool issues, and fix
1059 incorrect return value and correctly check pwr-regulators node
1060
1061 - xilinx: zynqmp: Correct syscnt freq for QEMU and fix clock models
1062 and IDs of GEM-related clocks
1063
1064Known Issues
1065^^^^^^^^^^^^
1066
1067- Build System
1068 - dtb: DTB creation not supported when building on a Windows host.
1069
1070 This step in the build process is skipped when running on a Windows host. A
1071 known issue from the 1.6 release.
1072
1073 - Intermittent assertion firing `ASSERT: services/spd/tspd/tspd_main.c:105`
1074
1075- Coverity
1076 - Intermittent Race condition in Coverity Jenkins Build Job
1077
1078- Platforms
1079 - arm/juno: System suspend from Linux does not function as documented in the
1080 user guide
1081
1082 Following the instructions provided in the user guide document does not
1083 result in the platform entering system suspend state as expected. A message
1084 relating to the hdlcd driver failing to suspend will be emitted on the
1085 Linux terminal.
1086
1087 - mediatek/mt6795: This platform does not build in this release
1088
Version 2.2
-----------

New Features
^^^^^^^^^^^^

- Architecture
   - Enable Pointer Authentication (PAuth) support for Secure World
      - Adds support for ARMv8.3-PAuth in BL1 SMC calls and
        BL2U image for firmware updates.

   - Enable Memory Tagging Extension (MTE) support in both secure and non-secure
     worlds

      - Adds support for the new Memory Tagging Extension arriving in
        ARMv8.5. MTE support is now enabled by default on systems that
        support it at EL0.
      - To enable it at ELx for both the non-secure and the secure
        world, the compiler flag ``CTX_INCLUDE_MTE_REGS`` includes register
        saving and restoring when necessary in order to prevent information
        leakage between the worlds.

   - Add support for Branch Target Identification (BTI)

- Build System
   - Modify FVP makefile for CPUs that support both AArch64/32

   - AArch32: Allow compiling with soft-float toolchain

   - Makefile: Add default warning flags

   - Add Makefile check for PAuth and AArch64

   - Add compile-time errors for HW_ASSISTED_COHERENCY flag

   - Apply compile-time check for AArch64-only CPUs

   - build_macros: Add mechanism to prevent bin generation.

   - Add support for default stack-protector flag

   - spd: opteed: Enable NS_TIMER_SWITCH

   - plat/arm: Skip BL2U if RESET_TO_SP_MIN flag is set

   - Add new build option to let each platform select which implementation of
     spinlocks it wants to use

- CPU Support
   - DSU: Workaround for errata 798953 and 936184

   - Neoverse N1: Force cacheable atomic to near atomic
   - Neoverse N1: Workaround for errata 1073348, 1130799, 1165347, 1207823,
     1220197, 1257314, 1262606, 1262888, 1275112, 1315703, 1542419

   - Neoverse Zeus: Apply the MSR SSBS instruction

   - cortex-Hercules/HerculesAE: Support added for Cortex-Hercules and
     Cortex-HerculesAE CPUs
   - cortex-Hercules/HerculesAE: Enable AMU for Cortex-Hercules and Cortex-HerculesAE

   - cortex-a76AE: Support added for Cortex-A76AE CPU
   - cortex-a76: Workaround for errata 1257314, 1262606, 1262888, 1275112,
     1286807

   - cortex-a65/a65AE: Support added for Cortex-A65 and Cortex-A65AE CPUs
   - cortex-a65: Enable AMU for Cortex-A65

   - cortex-a55: Workaround for erratum 1221012

   - cortex-a35: Workaround for erratum 855472

   - cortex-a9: Workaround for erratum 794073

- Drivers
   - console: Allow the console to register multiple times

   - delay: Timeout detection support

   - gicv3: Enabled multi-socket GIC redistributor frame discovery and migrated
     ARM platforms to the new API

      - Adds ``gicv3_rdistif_probe`` function that delegates the responsibility
        of discovering the corresponding redistributor base frame to each CPU
        itself.

   - sbsa: Add SBSA watchdog driver

   - st/stm32_hash: Add HASH driver

   - ti/uart: Add an AArch32 variant

- Library at ROM (romlib)
   - Introduce BTI support in Library at ROM (romlib)

- New Platforms Support
   - amlogic: g12a: New platform support added for the S905X2 (G12A) platform
   - amlogic: meson/gxl: New platform support added for Amlogic Meson
     S905x (GXL)

   - arm/a5ds: New platform support added for A5 DesignStart

   - arm/corstone: New platform support added for Corstone-700

   - intel: New platform support added for Agilex

   - mediatek: New platform support added for MediaTek mt8183

   - qemu/qemu_sbsa: New platform support added for QEMU SBSA platform

   - renesas/rcar_gen3: plat: New platform support added for D3

   - rockchip: New platform support added for px30
   - rockchip: New platform support added for rk3288

   - rpi: New platform support added for Raspberry Pi 4

- Platforms
   - arm/common: Introduce wrapper functions to setup secure watchdog

   - arm/fvp: Add Delay Timer driver to BL1 and BL31 and option for defining
     platform DRAM2 base
   - arm/fvp: Add Linux DTS files for 32 bit threaded FVPs

   - arm/n1sdp: Add code for DDR ECC enablement and BL33 copy to DDR, initialise
     CNTFRQ in Non Secure CNTBaseN

   - arm/juno: Use shared mbedtls heap between BL1 and BL2 and add basic support
     for dynamic config

   - imx: Basic support for PicoPi iMX7D, rdc module init, caam module init,
     aipstz init, IMX_SIP_GET_SOC_INFO, IMX_SIP_BUILDINFO added

   - intel: Add ncore ccu driver

   - mediatek/mt81*: Use new bl31_params_parse() helper

   - nvidia: tegra: Add support for multi console interface

   - qemu/qemu_sbsa: Add memory mapping for both FLASH0/FLASH1
   - qemu: Add gicv3 support, new console interface in AArch32, and sub-platforms

   - renesas/rcar_gen3: plat: Add R-Car V3M support, new board revision for
     H3ULCB, DBSC4 setting before self-refresh mode

   - socionext/uniphier: Support console based on multi-console

   - st: stm32mp1: Add OP-TEE, Avenger96, watchdog, LpDDR3, authentication support
     and general SYSCFG management

   - ti/k3: common: Add support for J721E, use coherent memory for shared data,
     trap all asynchronous bus errors to EL3

   - xilinx/zynqmp: Add support for multi console interface, initialize IPI table
     from zynqmp_config_setup()

- PSCI
   - Add new optional PSCI hook ``pwr_domain_on_finish_late``
      - This PSCI hook ``pwr_domain_on_finish_late`` is similar to
        ``pwr_domain_on_finish`` but is guaranteed to be invoked when the
        respective core and cluster are participating in coherency.

- Security
   - Speculative Store Bypass Safe (SSBS): Further enhance protection against
     Spectre variant 4 by disabling speculative loads/stores (SPSR.SSBS bit) by
     default.

   - UBSAN support and handlers
      - Adds support for the Undefined Behaviour sanitizer. There are two types
        of support offered: minimalistic trapping support, which essentially
        crashes immediately on undefined behaviour, and full support with full
        debug messages.

- Tools
   - cert_create: Add support for bigger RSA key sizes (3KB and 4KB);
     previously the maximum size was 2KB.

   - fiptool: Add support to build fiptool on Windows.


Changed
^^^^^^^

- Architecture
   - Refactor ARMv8.3 Pointer Authentication support code

   - backtrace: Strip PAC field when PAUTH is enabled

   - Prettify crash reporting output on AArch64.

   - Rework smc_unknown return code path in smc_handler
      - Leverage the existing ``el3_exit()`` return routine for the smc_unknown
        return path rather than a custom set of instructions.

- BL-Specific
   - Invalidate dcache build option for BL2 entry at EL3

   - Add missing support for BL2_AT_EL3 in XIP memory

- Boot Flow
   - Add helper to parse BL31 parameters (both versions)

   - Factor out cross-BL API into export headers suitable for 3rd party code

   - Introduce lightweight BL platform parameter library

- Drivers
   - auth: Memory optimization for Chain of Trust (CoT) description

   - bsec: Move bsec_mode_is_closed_device() service to platform

   - cryptocell: Move Cryptocell specific API into driver

   - gicv3: Prevent pending G1S interrupt from becoming G0 interrupt

   - mbedtls: Remove weak heap implementation

   - mmc: Increase delay between ACMD41 retries
   - mmc: stm32_sdmmc2: Correctly manage block size
   - mmc: stm32_sdmmc2: Manage max-frequency property from DT

   - synopsys/emmc: Do not change FIFO TH as this breaks some platforms
   - synopsys: Update synopsys drivers to not rely on undefined overflow behaviour

   - ufs: Extend the delay after reset to wait for some slower chips

- Platforms
   - amlogic/meson/gxl: Remove BL2 dependency from BL31

   - arm/common: Shorten the Firmware Update (FWU) process

   - arm/fvp: Remove GIC initialisation from secondary core cold boot

   - arm/sgm: Temporarily disable shared Mbed TLS heap for SGM

   - hisilicon: Update hisilicon drivers to not rely on undefined overflow behaviour

   - imx: imx8: Replace PLAT_IMX8* with PLAT_imx8*, remove duplicated linker
     symbols and deprecated code include, keep only IRQ 32 unmasked, enable all
     power domains by default

   - marvell: Prevent SError accessing PCIe link, switch to xlat_tables_v2, do not
     rely on argument passed via smc, make sure that comphy init will use correct
     address

   - mediatek: mt8173: Refactor RTC and PMIC drivers
   - mediatek: mt8173: Apply MULTI_CONSOLE framework

   - nvidia: Tegra: memctrl_v2: fix "overflow before widen" coverity issue

   - qemu: Simplify the image size calculation, move and generalise FDT PSCI
     fixup, move gicv2 code to separate file

   - renesas/rcar_gen3: Convert to multi-console API, update QoS setting, update
     IPL and Secure Monitor Rev2.0.4, change to restore timer counter value at
     resume, update DDR setting rev.0.35, qos: change subslot cycle, change
     periodic write DQ training option.

   - rockchip: Allow SOCs with undefined wfe check bits, streamline and complete
     UARTn_BASE macros, drop rockchip-specific imported linker symbols for bl31,
     disable binary generation for all SOCs, allow console device to be set by
     DTB, use new bl31_params_parse functions

   - rpi/rpi3: Move shared rpi3 files into common directory

   - socionext/uniphier: Set CONSOLE_FLAG_TRANSLATE_CRLF and clean up console driver
   - socionext/uniphier: Replace DIV_ROUND_UP() with div_round_up() from utils_def.h

   - st/stm32mp: Split stm32mp_io_setup function, move stm32_get_gpio_bank_clock()
     to private file, correctly handle Clock Spreading Generator, move oscillator
     functions to generic file, realign device tree files with internal devs,
     enable RTCAPB clock for dual-core chips, use a common function to check
     spinlock is available, move check_header() to common code

   - ti/k3: Enable SEPARATE_CODE_AND_RODATA by default, remove shared RAM space,
     drop _ADDRESS from K3_USART_BASE to match other defines, remove MSMC port
     definitions, allow USE_COHERENT_MEM for K3, set L2 latency on A72 cores

- PSCI
   - PSCI: Lookup list of parent nodes to lock only once

- Secure Partition Manager (SPM): SPCI Prototype
   - Fix service UUID lookup

   - Adjust size of virtual address space per partition

   - Refactor xlat context creation

   - Move shim layer to TTBR1_EL1

   - Ignore empty regions in resource description

- Security
   - Refactor SPSR initialisation code

   - SMMUv3: Abort DMA transactions
      - For security, DMA should be blocked at the SMMU by default unless
        explicitly enabled for a device. The SMMU is disabled after reset with
        all streams bypassing it, and aborting all incoming transactions
        implements a default-deny policy on reset.
      - Moves ``bl1_platform_setup()`` function from arm_bl1_setup.c to FVP
        platforms' fvp_bl1_setup.c and fvp_ve_bl1_setup.c files.

- Tools
   - cert_create: Remove RSA PKCS#1 v1.5 support


Resolved Issues
^^^^^^^^^^^^^^^

- Architecture
   - Fix the CAS spinlock implementation by adding a missing DSB in ``spin_unlock()``

   - AArch64: Fix SCTLR bit definitions
      - Removes incorrect ``SCTLR_V_BIT`` definition and adds definitions for
        ARMv8.3-PAuth `EnIB`, `EnDA` and `EnDB` bits.

   - Fix restoration of PAuth context
      - Replace call to ``pauth_context_save()`` with ``pauth_context_restore()``
        in case of unknown SMC call.

- BL-Specific Issues
   - Fix BL31 crash reporting on AArch64 only platforms

- Build System
   - Remove several warnings reported with W=2 and W=1

- Code Quality Issues
   - SCTLR and ACTLR are 32-bit for AArch32 and 64-bit for AArch64
   - Unify type of "cpu_idx" across PSCI module.
   - Assert if power level value greater than PSCI_INVALID_PWR_LVL
   - Unsigned long should not be used as per coding guidelines
   - Reduce the number of memory leaks in cert_create
   - Fix type of cot_desc_ptr
   - Use explicit-width data types in AAPCS parameter structs
   - Add python configuration for editorconfig
   - BL1: Fix type consistency

   - Enable -Wshift-overflow=2 to check for undefined shift behavior
   - Updated upstream platforms to not rely on undefined overflow behaviour

- Coverity Quality Issues
   - Remove GCC ignore -Warray-bounds
   - Fix Coverity #261967, Infinite loop
   - Fix Coverity #343017, Missing unlock
   - Fix Coverity #343008, Side effect in assertion
   - Fix Coverity #342970, Uninitialized scalar variable

- CPU Support
   - cortex-a12: Fix MIDR mask

- Drivers
   - console: Remove Arm console unregister on suspend

   - gicv3: Fix support for full SPI range

   - scmi: Fix wrong payload length

- Library Code
   - libc: Fix sparse warning for __assert()

   - libc: Fix memchr implementation

- Platforms
   - rpi: rpi3: Fix compilation error when stack protector is enabled

   - socionext/uniphier: Fix compilation fail for SPM support build config

   - st/stm32mp1: Fix TZC400 configuration against non-secure DDR

   - ti/k3: common: Fix RO data area size calculation

- Security
   - AArch32: Disable Secure Cycle Counter
      - Changes the implementation for disabling the Secure Cycle Counter.
        For ARMv8.5 the counter gets disabled by setting the ``SDCR.SCCD`` bit on
        CPU cold/warm boot. For the earlier architectures the PMCR register is
        saved/restored on secure world entry/exit from/to Non-secure state,
        and cycle counting gets disabled by setting the PMCR.DP bit.
   - AArch64: Disable Secure Cycle Counter
      - For ARMv8.5 the counter gets disabled by setting the ``MDCR_EL3.SCCD`` bit
        on CPU cold/warm boot. For the earlier architectures the PMCR_EL0 register
        is saved/restored on secure world entry/exit from/to Non-secure state,
        and cycle counting gets disabled by setting the PMCR_EL0.DP bit.

Deprecations
^^^^^^^^^^^^

- Common Code
   - Remove MULTI_CONSOLE_API flag and references to it

   - Remove deprecated `plat_crash_console_*`

   - Remove deprecated interfaces `get_afflvl_shift`, `mpidr_mask_lower_afflvls`, `eret`

   - AARCH32/AARCH64 macros are now deprecated in favor of ``__aarch64__``

   - ``__ASSEMBLY__`` macro is now deprecated in favor of ``__ASSEMBLER__``

- Drivers
   - console: Removed legacy console API
   - console: Remove deprecated finish_console_register

   - tzc: Remove deprecated types `tzc_action_t` and `tzc_region_attributes_t`

- Secure Partition Manager (SPM):
   - Prototype SPCI-based SPM (services/std_svc/spm) will be replaced with
     alternative methods of secure partitioning support.

Known Issues
^^^^^^^^^^^^

- Build System Issues
   - dtb: DTB creation not supported when building on a Windows host.

     This step in the build process is skipped when running on a Windows host. A
     known issue from the 1.6 release.

- Platform Issues
   - arm/juno: System suspend from Linux does not function as documented in the
     user guide

     Following the instructions provided in the user guide document does not
     result in the platform entering system suspend state as expected. A message
     relating to the hdlcd driver failing to suspend will be emitted on the
     Linux terminal.

   - mediatek/mt6795: This platform does not build in this release

Version 2.1
-----------

New Features
^^^^^^^^^^^^

- Architecture
   - Support for ARMv8.3 pointer authentication in the normal and secure worlds

     The use of pointer authentication in the normal world is enabled whenever
     architectural support is available, without the need for additional build
     flags.

     Use of pointer authentication in the secure world remains an
     experimental configuration at this time. Using both the ``ENABLE_PAUTH``
     and ``CTX_INCLUDE_PAUTH_REGS`` build flags, pointer authentication can be
     enabled in EL3 and S-EL1/0.

     See the :ref:`Firmware Design` document for additional details on the use
     of pointer authentication.

   - Enable Data Independent Timing (DIT) in EL3, where supported

- Build System
   - Support for BL-specific build flags

   - Support setting compiler target architecture based on ``ARM_ARCH_MINOR``
     build option.

   - New ``RECLAIM_INIT_CODE`` build flag:

     A significant amount of the code used for the initialization of BL31 is
     not needed again after boot time. In order to reduce the runtime memory
     footprint, the memory used for this code can be reclaimed after
     initialization.

     Certain boot-time functions were marked with the ``__init`` attribute to
     enable this reclamation.

- CPU Support
   - cortex-a76: Workaround for erratum 1073348
   - cortex-a76: Workaround for erratum 1220197
   - cortex-a76: Workaround for erratum 1130799

   - cortex-a75: Workaround for erratum 790748
   - cortex-a75: Workaround for erratum 764081

   - cortex-a73: Workaround for erratum 852427
   - cortex-a73: Workaround for erratum 855423

   - cortex-a57: Workaround for erratum 817169
   - cortex-a57: Workaround for erratum 814670

   - cortex-a55: Workaround for erratum 903758
   - cortex-a55: Workaround for erratum 846532
   - cortex-a55: Workaround for erratum 798797
   - cortex-a55: Workaround for erratum 778703
   - cortex-a55: Workaround for erratum 768277

   - cortex-a53: Workaround for erratum 819472
   - cortex-a53: Workaround for erratum 824069
   - cortex-a53: Workaround for erratum 827319

   - cortex-a17: Workaround for erratum 852423
   - cortex-a17: Workaround for erratum 852421

   - cortex-a15: Workaround for erratum 816470
   - cortex-a15: Workaround for erratum 827671

- Documentation
   - Exception Handling Framework documentation

   - Library at ROM (romlib) documentation

   - RAS framework documentation

   - Coding Guidelines document

- Drivers
   - ccn: Add API for setting and reading node registers
      - Adds ``ccn_read_node_reg`` function
      - Adds ``ccn_write_node_reg`` function

   - partition: Support MBR partition entries

   - scmi: Add ``plat_css_get_scmi_info`` function

     Adds a new API ``plat_css_get_scmi_info`` which lets the platform
     register a platform-specific instance of ``scmi_channel_plat_info_t`` and
     remove the default values.

   - tzc380: Add TZC-380 TrustZone Controller driver

   - tzc-dmc620: Add driver to manage the TrustZone Controller within the
     DMC-620 Dynamic Memory Controller

- Library at ROM (romlib)
   - Add platform-specific jump table list

   - Allow patching of romlib functions

     This change allows patching of functions in the romlib. This can be done by
     adding "patch" at the end of the jump table entry for the function that
     needs to be patched in the file jmptbl.i.

- Library Code
   - Support non-LPAE-enabled MMU tables in AArch32

   - mmio: Add ``mmio_clrsetbits_16`` function
      - 16-bit variant of ``mmio_clrsetbits``

   - object_pool: Add Object Pool Allocator
      - Manages object allocation using a fixed-size static array
      - Adds ``pool_alloc`` and ``pool_alloc_n`` functions
      - Does not provide any functions to free allocated objects (by design)

   - libc: Added ``strlcpy`` function

   - libc: Import ``strrchr`` function from FreeBSD

   - xlat_tables: Add support for ARMv8.4-TTST

   - xlat_tables: Support mapping regions without an explicitly specified VA

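As an added illustration of the allocator pattern described under object_pool above (example code written for this page, not TF-A's own lib/object_pool.h): objects are carved in order from a caller-supplied static array and are never handed back, so there is no free list to corrupt and no use-after-free. The names ``obj_pool_t``, ``obj_pool_init``, ``obj_pool_alloc``, ``obj_pool_alloc_n``, ``obj_pool_remaining`` and the ``mem_region_t`` sample type are assumptions for this example, and where firmware would panic on exhaustion this version returns NULL so the refusal can be checked.

```c
/* Added example, not TF-A's lib/object_pool.h: a fixed-size, no-free
 * object pool. All names are assumptions for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct obj_pool {
	size_t obj_size;  /* size in bytes of one object */
	size_t capacity;  /* number of objects in the backing array */
	size_t used;      /* objects handed out so far; only ever grows */
	uint8_t *objs;    /* backing storage supplied by the caller */
} obj_pool_t;

/* Bind a pool to caller-provided backing storage of `capacity` objects. */
static void obj_pool_init(obj_pool_t *pool, void *backing,
			  size_t obj_size, size_t capacity)
{
	pool->obj_size = obj_size;
	pool->capacity = capacity;
	pool->used = 0;
	pool->objs = backing;
}

/* Objects still available; lets init code assert that its sizing held. */
static size_t obj_pool_remaining(const obj_pool_t *pool)
{
	return pool->capacity - pool->used;
}

/* Allocate n contiguous, zeroed objects, or NULL if they do not fit.
 * The check is written as n > remaining rather than used + n > capacity
 * so that an absurd n cannot wrap the addition and slip past the test.
 * Zero-object requests are rejected as well. */
static void *obj_pool_alloc_n(obj_pool_t *pool, size_t n)
{
	if (n == 0 || n > obj_pool_remaining(pool)) {
		return NULL;
	}
	void *p = pool->objs + pool->used * pool->obj_size;
	pool->used += n;
	memset(p, 0, n * pool->obj_size);
	return p;
}

/* Single-object convenience wrapper. */
static void *obj_pool_alloc(obj_pool_t *pool)
{
	return obj_pool_alloc_n(pool, 1);
}

/* A sample object type, constructed for the demonstration. */
typedef struct mem_region {
	uint64_t base;
	uint64_t size;
} mem_region_t;

/* Walk a 4-slot pool the way BL31 init code would: take 1, then 2, then
 * ask for 2 more (refused, only 1 left), then take the last one. Returns
 * the number of requests that succeeded (3), or -1 if the allocations
 * were not laid out contiguously or the pool was not fully consumed. */
static int demo_region_pool(void)
{
	static mem_region_t backing[4];
	obj_pool_t pool;
	int ok = 0;

	obj_pool_init(&pool, backing, sizeof(mem_region_t), 4);
	mem_region_t *a = obj_pool_alloc(&pool);
	mem_region_t *b = obj_pool_alloc_n(&pool, 2);
	mem_region_t *c = obj_pool_alloc_n(&pool, 2); /* only 1 slot left */
	mem_region_t *d = obj_pool_alloc(&pool);

	ok += (a != NULL) + (b != NULL) + (c != NULL) + (d != NULL);
	if (a != &backing[0] || b != &backing[1] || d != &backing[3]) {
		return -1;
	}
	if (obj_pool_remaining(&pool) != 0) {
		return -1;
	}
	return ok;
}

/* An oversized request must be refused without disturbing the pool:
 * returns the number of objects still available afterwards (4). */
static size_t demo_oversized_request(void)
{
	static mem_region_t backing[4];
	obj_pool_t pool;

	obj_pool_init(&pool, backing, sizeof(mem_region_t), 4);
	if (obj_pool_alloc_n(&pool, SIZE_MAX) != NULL) {
		return 0;
	}
	return obj_pool_remaining(&pool);
}
```
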
1635- Math
1636 - Added softudiv macro to support software division
1637
1638- Memory Partitioning And Monitoring (MPAM)
1639 - Enabled MPAM EL2 traps (``MPAMHCR_EL2`` and ``MPAM_EL2``)
1640
1641- Platforms
1642 - amlogic: Add support for Meson S905 (GXBB)
1643
1644 - arm/fvp_ve: Add support for FVP Versatile Express platform
1645
1646 - arm/n1sdp: Add support for Neoverse N1 System Development platform
1647
1648 - arm/rde1edge: Add support for Neoverse E1 platform
1649
1650 - arm/rdn1edge: Add support for Neoverse N1 platform
1651
1652 - arm: Add support for booting directly to Linux without an intermediate
1653 loader (AArch32)
1654
1655 - arm/juno: Enable new CPU errata workarounds for A53 and A57
1656
1657 - arm/juno: Add romlib support
1658
    Building a combined BL1 and ROMLIB binary file with the correct page
    alignment is now supported on the Juno platform. When ``USE_ROMLIB`` is set
    for Juno, it generates the combined file ``bl1_romlib.bin`` which needs to
    be used instead of bl1.bin.

  - intel/stratix: Add support for Intel Stratix 10 SoC FPGA platform

  - marvell: Add support for Armada-37xx SoC platform

  - nxp: Add support for i.MX8M and i.MX7 Warp7 platforms

  - renesas: Add support for R-Car Gen3 platform

  - xilinx: Add support for Versal ACAP platforms

- Position-Independent Executable (PIE)

  PIE support has initially been added to BL31. The ``ENABLE_PIE`` build flag is
  used to enable or disable this functionality as required.

- Secure Partition Manager
  - New SPM implementation based on SPCI Alpha 1 draft specification

    A new version of SPM has been implemented, based on the SPCI (Secure
    Partition Client Interface) and SPRT (Secure Partition Runtime) draft
    specifications.

    The new implementation is a prototype that is expected to undergo intensive
    rework as the specifications change. It has basic support for multiple
    Secure Partitions and Resource Descriptions.

    The older version of SPM, based on MM (ARM Management Mode Interface
    Specification), is still present in the codebase. A new build flag,
    ``SPM_MM`` has been added to allow selection of the desired implementation.
    This flag defaults to 1, selecting the MM-based implementation.

- Security
  - Spectre Variant-1 mitigations (``CVE-2017-5753``)

  - Use Speculation Store Bypass Safe (SSBS) functionality where available

    Provides mitigation against ``CVE-2018-19440`` (Not saving x0 to x3
    registers can leak information from one Normal World SMC client to another)


Changed
^^^^^^^

- Build System
  - Warning levels are now selectable with ``W=<1,2,3>``

  - Removed unneeded include paths in PLAT_INCLUDES

  - "Warnings as errors" (Werror) can be disabled using ``E=0``

  - Support totally quiet output with ``-s`` flag

  - Support passing options to checkpatch using ``CHECKPATCH_OPTS=<opts>``

  - Invoke host compiler with ``HOSTCC / HOSTCCFLAGS`` instead of ``CC / CFLAGS``

  - Make device tree pre-processing similar to U-Boot/Linux by:
    - Creating separate ``CPPFLAGS`` for DT preprocessing so that compiler
      options specific to it can be accommodated.
    - Replacing ``CPP`` with ``PP`` for DT pre-processing

- CPU Support
  - Errata report function definition is now mandatory for CPU support files

    CPU operation files must now define a ``<name>_errata_report`` function to
    print errata status. This is no longer a weak reference.

- Documentation
  - Migrated some content from GitHub wiki to ``docs/`` directory

  - Security advisories now have CVE links

  - Updated copyright guidelines

- Drivers
  - console: The ``MULTI_CONSOLE_API`` framework has been rewritten in C

  - console: Ported multi-console driver to AArch32

  - gic: Remove 'lowest priority' constants

    Removed ``GIC_LOWEST_SEC_PRIORITY`` and ``GIC_LOWEST_NS_PRIORITY``.
    Platforms should define these if required, or instead determine the correct
    priority values at runtime.

  - delay_timer: Check that the Generic Timer extension is present

  - mmc: Increase command reply timeout to 10 milliseconds

  - mmc: Poll eMMC device status to ensure ``EXT_CSD`` command completion

  - mmc: Correctly check return code from ``mmc_fill_device_info``

- External Libraries

  - libfdt: Upgraded from 1.4.2 to 1.4.6-9

  - mbed TLS: Upgraded from 2.12 to 2.16

    This change incorporates fixes for security issues that should be reviewed
    to determine if they are relevant for software implementations using
    Trusted Firmware-A. See the `mbed TLS releases`_ page for details on
    changes from the 2.12 to the 2.16 release.

- Library Code
  - compiler-rt: Updated ``lshrdi3.c`` and ``int_lib.h`` with changes from
    LLVM master branch (r345645)

  - cpu: Updated macro that checks need for ``CVE-2017-5715`` mitigation

  - libc: Made setjmp and longjmp C standard compliant

  - libc: Allowed overriding the default libc (use ``OVERRIDE_LIBC``)

  - libc: Moved setjmp and longjmp to the ``libc/`` directory

- Platforms
  - Removed Mbed TLS dependency from plat_bl_common.c

  - arm: Removed unused ``ARM_MAP_BL_ROMLIB`` macro

  - arm: Removed ``ARM_BOARD_OPTIMISE_MEM`` feature and build flag

  - arm: Moved several components into ``drivers/`` directory

    This affects the SDS, SCP, SCPI, MHU and SCMI components

  - arm/juno: Increased maximum BL2 image size to ``0xF000``

    This change was required to accommodate a larger ``libfdt`` library

- SCMI
  - Optimized bakery locks when hardware-assisted coherency is enabled using the
    ``HW_ASSISTED_COHERENCY`` build flag

- SDEI
  - Added support for unconditionally resuming secure world execution after
    |SDEI| event processing completes

    |SDEI| interrupts, although targeting EL3, occur on behalf of the non-secure
    world, and may have higher priority than secure world
    interrupts. Therefore they might preempt secure execution and yield
    execution to the non-secure |SDEI| handler. Upon completion of |SDEI| event
    handling, resume secure execution if it was preempted.

- Translation Tables (XLAT)
  - Dynamically detect need for ``Common not Private (TTBRn_ELx.CnP)`` bit

    Properly handle the case where ``ARMv8.2-TTCNP`` is implemented in a CPU
    that does not implement all mandatory v8.2 features (and so must claim to
    implement a lower architecture version).


1816
1817Resolved Issues
Paul Beesleyc48991e2019-02-11 17:58:21 +00001818^^^^^^^^^^^^^^^
Paul Beesley9e437f22019-03-25 12:21:57 +00001819
1820- Architecture
1821 - Incorrect check for SSBS feature detection
1822
1823 - Unintentional register clobber in AArch32 reset_handler function
1824
1825- Build System
1826 - Dependency issue during DTB image build
1827
1828 - Incorrect variable expansion in Arm platform makefiles
1829
1830 - Building on Windows with verbose mode (``V=1``) enabled is broken
1831
1832 - AArch32 compilation flags is missing ``$(march32-directive)``
1833
1834- BL-Specific Issues
1835 - bl2: ``uintptr_t is not defined`` error when ``BL2_IN_XIP_MEM`` is defined
1836
1837 - bl2: Missing prototype warning in ``bl2_arch_setup``
1838
1839 - bl31: Omission of Global Offset Table (GOT) section
1840
1841- Code Quality Issues
1842 - Multiple MISRA compliance issues
1843
1844 - Potential NULL pointer dereference (Coverity-detected)
1845
- Drivers
  - mmc: Local declaration of ``scr`` variable causes a cache issue when
    invalidating after the read DMA transfer completes

  - mmc: ``ACMD41`` does not send voltage information during initialization,
    resulting in the command being treated as a query. This prevents the
    command from initializing the controller.

  - mmc: When checking device state using ``mmc_device_state()`` there are no
    retries attempted in the event of an error

  - ccn: Incorrect Region ID calculation for RN-I nodes

  - console: Fix ``MULTI_CONSOLE_API`` when used as a crash console

  - partition: Improper NULL checking in gpt.c

  - partition: Compilation failure in ``VERBOSE`` mode (``V=1``)

- Library Code
  - common: Incorrect check for Address Authentication support

  - xlat: Fix XLAT_V1 / XLAT_V2 incompatibility

    The file ``arm_xlat_tables.h`` has been renamed to ``xlat_tables_compat.h``
    and has been moved to a common folder. This header can be used to guarantee
    compatibility, as it includes the correct header based on
    ``XLAT_TABLES_LIB_V2``.

  - xlat: armclang unused-function warning on ``xlat_clean_dcache_range``

  - xlat: Invalid ``mm_cursor`` checks in ``mmap_add`` and ``mmap_add_ctx``

  - sdei: Missing ``context.h`` header

- Platforms
  - common: Missing prototype warning for ``plat_log_get_prefix``

  - arm: Insufficient maximum BL33 image size

  - arm: Potential memory corruption during BL2-BL31 transition

    On Arm platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
    descriptors describing the list of executable images are created in BL2
    R/W memory, which could possibly be corrupted later on by BL31/BL32 due
    to overlay. This patch creates a reserved location in SRAM for these
    descriptors, which are copied over by BL2 before handing over to the next
    BL image.

  - juno: Invalid behaviour when ``CSS_USE_SCMI_SDS_DRIVER`` is not set

    In ``juno_pm.c`` the ``css_scmi_override_pm_ops`` function was used
    regardless of whether the build flag was set. The original behaviour has
    been restored in the case where the build flag is not set.

- Tools
  - fiptool: Incorrect UUID parsing of blob parameters

  - doimage: Incorrect object rules in Makefile


Deprecations
^^^^^^^^^^^^

- Common Code
  - ``plat_crash_console_init`` function

  - ``plat_crash_console_putc`` function

  - ``plat_crash_console_flush`` function

  - ``finish_console_register`` macro

- AArch64-specific Code
  - helpers: ``get_afflvl_shift``

  - helpers: ``mpidr_mask_lower_afflvls``

  - helpers: ``eret``

- Secure Partition Manager (SPM)
  - Boot-info structure


Known Issues
^^^^^^^^^^^^

- Build System Issues
  - dtb: DTB creation not supported when building on a Windows host.

    This step in the build process is skipped when running on a Windows host. A
    known issue from the 1.6 release.

- Platform Issues
  - arm/juno: System suspend from Linux does not function as documented in the
    user guide

    Following the instructions provided in the user guide document does not
    result in the platform entering system suspend state as expected. A message
    relating to the hdlcd driver failing to suspend will be emitted on the
    Linux terminal.

  - arm/juno: The firmware update use-cases do not work with motherboard
    firmware version < v1.5.0 (the reset reason is not preserved). The Linaro
    18.04 release has MB v1.4.9. The MB v1.5.0 is available in Linaro 18.10
    release.

  - mediatek/mt6795: This platform does not build in this release

Version 2.0
-----------

New Features
^^^^^^^^^^^^

- Removal of a number of deprecated APIs

  - A new Platform Compatibility Policy document has been created which
    references a wiki page that maintains a listing of deprecated
    interfaces and the release after which they will be removed.

  - All deprecated interfaces except the MULTI_CONSOLE_API have been removed
    from the code base.

  - Various Arm and partner platforms have been updated to remove the use of
    removed APIs in this release.

  - This release is otherwise unchanged from 1.6 release

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- No issues known at 1.6 release resolved in 2.0 release

Known Issues
^^^^^^^^^^^^

- DTB creation not supported when building on a Windows host. This step in the
  build process is skipped when running on a Windows host. Known issue from
  1.6 version.

- As a result of removal of deprecated interfaces the Nvidia Tegra, Marvell
  Armada 8K and MediaTek MT6795 platforms do not build in this release.
  Also MediaTek MT8173, NXP QorIQ LS1043A, NXP i.MX8QX, NXP i.MX8QMa,
  Rockchip RK3328, Rockchip RK3368 and Rockchip RK3399 platforms have not been
  confirmed to be working after the removal of the deprecated interfaces
  although they do build.

Version 1.6
-----------

New Features
^^^^^^^^^^^^

- Addressing Speculation Security Vulnerabilities

  - Implement static workaround for CVE-2018-3639 for AArch32 and AArch64

  - Add support for dynamic mitigation for CVE-2018-3639

  - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76

  - Ensure |SDEI| handler executes with CVE-2018-3639 mitigation enabled

- Introduce RAS handling on AArch64

  - Some RAS extensions are mandatory for Armv8.2 CPUs, with others
    mandatory for Armv8.4 CPUs; however, all extensions are also optional
    extensions to the base Armv8.0 architecture.

  - The Armv8 RAS Extensions introduced Standard Error Records which are a
    set of standard registers to configure RAS node policy and allow RAS
    Nodes to record and expose error information for error handling agents.

  - Capabilities are provided to support RAS Node enumeration and iteration
    along with individual interrupt registrations and fault injections
    support.

  - Introduce handlers for Uncontainable errors, Double Faults and EL3
    External Aborts

- Enable Memory Partitioning And Monitoring (MPAM) for lower ELs

  - Memory Partitioning And Monitoring is an Armv8.4 feature that enables
    various memory system components and resources to define partitions.
    Software running at various ELs can then assign themselves to the
    desired partition to control their performance aspects.

  - When ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
    lower ELs to access their own MPAM registers without trapping to EL3.
    This patch, however, doesn't make use of partitioning in EL3; platform
    initialisation code should configure and use partitions in EL3 if
    required.

- Introduce ROM Lib Feature

  - Support combining several libraries into a so-called "romlib" image,
    that may be shared across images to reduce memory footprint. The romlib
    image is stored in ROM but is accessed through a jump-table that may be
    stored in read-write memory, allowing for the library code to be patched.

- Introduce Backtrace Feature

  - This function displays the backtrace, the current EL and security state
    to allow a post-processing tool to choose the right binary to interpret
    the dump.

  - Print backtrace in assert() and panic() to the console.

- Code hygiene changes and alignment with MISRA C-2012 guideline with fixes
  addressing issues complying to the following rules:

  - MISRA rules 4.9, 5.1, 5.3, 5.7, 8.2-8.5, 8.8, 8.13, 9.3, 10.1,
    10.3-10.4, 10.8, 11.3, 11.6, 12.1, 14.4, 15.7, 16.1-16.7, 17.7-17.8,
    20.7, 20.10, 20.12, 21.1, 21.15, 22.7

  - Clean up the usage of void pointers to access symbols

  - Increase usage of static qualifier to locally used functions and data

  - Migrated to use of u_register_t for register read/write to better
    match AArch32 and AArch64 type sizes

  - Use int-ll64 for both AArch32 and AArch64 to assist in consistent
    format strings between architectures

  - Clean up TF-A libc by removing non-Arm-copyrighted implementations
    and replacing them with modified FreeBSD and SCC implementations

- Various changes to support Clang linker and assembler

  - The clang assembler/preprocessor is used when Clang is selected. However,
    the clang linker is not used because it is unable to link TF-A objects
    due to immaturity of clang linker functionality at this time.

- Refactor support APIs into Libraries

  - Evolve libfdt, mbed TLS library and standard C library sources as
    proper libraries that TF-A may be linked against.

- CPU Enhancements

  - Add CPU support for Cortex-Ares and Cortex-A76

  - Add AMU support for Cortex-Ares

  - Add initial CPU support for Cortex-Deimos

  - Add initial CPU support for Cortex-Helios

  - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76

  - Implement Cortex-Ares erratum 1043202 workaround

  - Implement DSU erratum 936184 workaround

  - Check presence of fix for erratum 843419 in Cortex-A53

  - Check presence of fix for erratum 835769 in Cortex-A53

- Translation Tables Enhancements

  - The xlat v2 library has been refactored in order to be reused by
    different TF components at different ELs, including the addition of EL2.
    Some refactoring was done to make the code more generic and less specific
    to TF, in order to reuse the library outside of this project.

- SPM Enhancements

  - General cleanups and refactoring to pave the way to multiple partitions
    support

- SDEI Enhancements

  - Allow platforms to define explicit events

  - Determine client EL from NS context's SCR_EL3

  - Make dispatches synchronous

  - Introduce jump primitives for BL31

  - Mask events after CPU wakeup in |SDEI| dispatcher to conform to the
    specification

- Misc TF-A Core Common Code Enhancements

  - Add support for eXecute In Place (XIP) memory in BL2

  - Add support for the SMC Calling Convention 2.0

  - Introduce External Abort handling on AArch64

    External Abort routed to EL3 was reported as an unhandled exception
    and caused a panic. This change enables Trusted Firmware-A to handle
    External Aborts routed to EL3.

  - Save value of ACTLR_EL1 implementation-defined register in the CPU
    context structure rather than forcing it to 0.

  - Introduce ARM_LINUX_KERNEL_AS_BL33 build option, which allows BL31 to
    directly jump to a Linux kernel. This makes for a quicker and simpler
    boot flow, which might be useful in some test environments.

  - Add dynamic configurations for BL31, BL32 and BL33 enabling support for
    Chain of Trust (COT).

  - Make TF UUID RFC 4122 compliant

- New Platform Support

  - Arm SGI-575

  - Arm SGM-775

  - Allwinner sun50i_64

  - Allwinner sun50i_h6

  - NXP QorIQ LS1043A

  - NXP i.MX8QX

  - NXP i.MX8QM

  - NXP i.MX7Solo WaRP7

  - TI K3

  - Socionext Synquacer SC2A11

  - Marvell Armada 8K

  - STMicroelectronics STM32MP1

- Misc Generic Platform Common Code Enhancements

  - Add MMC framework that supports both eMMC and SD card devices

- Misc Arm Platform Common Code Enhancements

  - Demonstrate PSCI MEM_PROTECT from el3_runtime

  - Provide RAS support

  - Migrate AArch64 port to the multi console driver. The old API is
    deprecated and will eventually be removed.

  - Move BL31 below BL2 to enable BL2 overlay resulting in changes in the
    layout of BL images in memory to enable more efficient use of available
    space.

  - Add cpp build processing for dtb that allows processing device tree
    with external includes.

  - Extend FIP io driver to support multiple FIP devices

  - Add support for SCMI AP core configuration protocol v1.0

  - Use SCMI AP core protocol to set the warm boot entrypoint

  - Add support to Mbed TLS drivers for shared heap among different
    BL images to help optimise memory usage

  - Enable non-secure access to UART1 through a build option to support
    a serial debug port for debugger connection

- Enhancements for Arm Juno Platform

  - Add support for TrustZone Media Protection 1 (TZMP1)

- Enhancements for Arm FVP Platform

  - Dynamic_config: remove the FVP dtb files

  - Set DYNAMIC_WORKAROUND_CVE_2018_3639=1 on FVP by default

  - Set the ability to dynamically disable Trusted Boot Board
    authentication to be off by default with DYN_DISABLE_AUTH

  - Add librom enhancement support in FVP

  - Support shared Mbed TLS heap between BL1 and BL2 that allows a
    reduction in BL2 size for FVP

- Enhancements for Arm SGI/SGM Platform

  - Enable ARM_PLAT_MT flag for SGI-575

  - Add dts files to enable support for dynamic config

  - Add RAS support

  - Support shared Mbed TLS heap for SGI and SGM between BL1 and BL2

- Enhancements for Non Arm Platforms

  - Raspberry Pi Platform

  - Hikey Platforms

  - Xilinx Platforms

  - QEMU Platform

  - Rockchip rk3399 Platform

  - TI Platforms

  - Socionext Platforms

  - Allwinner Platforms

  - NXP Platforms

  - NVIDIA Tegra Platform

  - Marvell Platforms

  - STMicroelectronics STM32MP1 Platform

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- No issues known at 1.5 release resolved in 1.6 release

Known Issues
^^^^^^^^^^^^

- DTB creation not supported when building on a Windows host. This step in the
  build process is skipped when running on a Windows host. Known issue from
  1.5 version.

Version 1.5
-----------

New features
^^^^^^^^^^^^

- Added new firmware support to enable RAS (Reliability, Availability, and
  Serviceability) functionality.

  - Secure Partition Manager (SPM): A Secure Partition is a software execution
    environment instantiated in S-EL0 that can be used to implement simple
    management and security services. The SPM is the firmware component that
    is responsible for managing a Secure Partition.

  - SDEI dispatcher: Support for interrupt-based |SDEI| events and all
    interfaces as defined by the |SDEI| specification v1.0, see
    `SDEI Specification`_

  - Exception Handling Framework (EHF): Framework that allows dispatching of
    EL3 interrupts to their registered handlers which are registered based on
    their priorities. Facilitates firmware-first error handling policy where
    asynchronous exceptions may be routed to EL3.

    Integrated the TSPD with EHF.

- Updated PSCI support:

  - Implemented PSCI v1.1 optional features `MEM_PROTECT` and `SYSTEM_RESET2`.
    The supported PSCI version was updated to v1.1.

  - Improved PSCI STAT timestamp collection, including moving accounting for
    retention states to be inside the locks and fixing handling of wrap-around
    when calculating residency in AArch32 execution state.

  - Added optional handler for early suspend that executes when suspending to
    a power-down state and with data caches enabled.

    This may provide a performance improvement on platforms where it is safe
    to perform some or all of the platform actions from `pwr_domain_suspend`
    with the data caches enabled.

- Enabled build option, BL2_AT_EL3, for BL2 to allow execution at EL3 without
  any dependency on TF BL1.

  This allows platforms which already have a non-TF Boot ROM to directly load
  and execute BL2 and subsequent BL stages without need for BL1. This was not
  previously possible because BL2 executes at S-EL1 and cannot jump straight to
  EL3.

- Implemented support for SMCCC v1.1, including `SMCCC_VERSION` and
  `SMCCC_ARCH_FEATURES`.

  Additionally, added support for `SMCCC_VERSION` in PSCI features to enable
  discovery of the SMCCC version via PSCI feature call.

- Added Dynamic Configuration framework which enables each of the boot loader
  stages to be dynamically configured at runtime if required by the platform.
  The boot loader stage may optionally specify a firmware configuration file
  and/or hardware configuration file that can then be shared with the next boot
  loader stage.

  Introduced a new BL handover interface that essentially allows passing of 4
  arguments between the different BL stages.

  Updated cert_create and fip_tool to support the dynamic configuration files.
  The COT was also updated to support these new files.

2344
2345- Code hygiene changes and alignment with MISRA guideline:
2346
2347 - Fix use of undefined macros.
2348
2349 - Achieved compliance with Mandatory MISRA coding rules.
2350
2351 - Achieved compliance for following Required MISRA rules for the default
2352 build configurations on FVP and Juno platforms : 7.3, 8.3, 8.4, 8.5 and
2353 8.8.
2354
2355- Added support for Armv8.2-A architectural features:
2356
2357 - Updated translation table set-up to set the CnP (Common not Private) bit
2358 for secure page tables so that multiple PEs in the same Inner Shareable
2359 domain can use the same translation table entries for a given stage of
2360 translation in a particular translation regime.
2361
2362 - Extended the supported values of ID_AA64MMFR0_EL1.PARange to include the
2363 52-bit Physical Address range.
2364
2365 - Added support for the Scalable Vector Extension to allow Normal world
2366 software to access SVE functionality but disable access to SVE, SIMD and
2367 floating point functionality from the Secure world in order to prevent
2368 corruption of the Z-registers.
2369
2370- Added support for Armv8.4-A architectural feature Activity Monitor Unit (AMU)
2371 extensions.
2372
2373 In addition to the v8.4 architectural extension, AMU support on Cortex-A75
2374 was implemented.
2375
2376- Enhanced OP-TEE support to enable use of pageable OP-TEE image. The Arm
2377 standard platforms are updated to load up to 3 images for OP-TEE; header,
2378 pager image and paged image.
2379
2380 The chain of trust is extended to support the additional images.
2381
2382- Enhancements to the translation table library:
2383
2384 - Introduced APIs to get and set the memory attributes of a region.
2385
Paul Beesley8aabea32019-01-11 18:26:51 +00002386 - Added support to manage both privilege levels in translation regimes that
David Cunado230326f2018-03-14 17:57:31 +00002387 describe translations for 2 Exception levels, specifically the EL1&0
2388 translation regime, and extended the memory map region attributes to
2389 include specifying Non-privileged access.
2390
2391 - Added support to specify the granularity of the mappings of each region,
2392 for instance a 2MB region can be specified to be mapped with 4KB page
2393 tables instead of a 2MB block.
2394
2395 - Disabled the higher VA range to avoid unpredictable behaviour if there is
2396 an attempt to access addresses in the higher VA range.
2397
2398 - Added helpers for Device and Normal memory MAIR encodings that align with
2399 the Arm Architecture Reference Manual for Armv8-A (Arm DDI0487B.b).
2400
2401 - Code hygiene including fixing type length and signedness of constants,
2402 refactoring of function to enable the MMU, removing all instances where
2403 the virtual address space is hardcoded and added comments that document
2404 alignment needed between memory attributes and attributes specified in
2405 TCR_ELx.
2406
2407- Updated GIC support:
2408
2409 - Introduce new APIs for GICv2 and GICv3 that provide the capability to
2410 specify interrupt properties rather than list of interrupt numbers alone.
2411 The Arm platforms and other upstream platforms are migrated to use
2412 interrupt properties.
2413
2414 - Added helpers to save / restore the GICv3 context, specifically the
2415 Distributor and Redistributor contexts and architectural parts of the ITS
2416 power management. The Distributor and Redistributor helpers also support
2417 the implementation-defined part of GIC-500 and GIC-600.
2418
2419 Updated the Arm FVP platform to save / restore the GICv3 context on system
2420 suspend / resume as an example of how to use the helpers.
2421
2422 Introduced a new TZC secured DDR carve-out for use by Arm platforms for
2423 storing EL3 runtime data such as the GICv3 register context.
2424
2425- Added support for Armv7-A architecture via build option ARM_ARCH_MAJOR=7.
2426 This includes following features:
2427
2428 - Updates GICv2 driver to manage GICv1 with security extensions.
2429
2430 - Software implementation for 32bit division.
2431
2432 - Enabled use of generic timer for platforms that do not set
2433 ARM_CORTEX_Ax=yes.
2434
2435 - Support for Armv7-A Virtualization extensions [DDI0406C_C].
2436
2437 - Support for both Armv7-A platforms that only have 32-bit addressing and
2438 Armv7-A platforms that support large page addressing.
2439
2440 - Included support for following Armv7 CPUs: Cortex-A12, Cortex-A17,
2441 Cortex-A7, Cortex-A5, Cortex-A9, Cortex-A15.
2442
2443 - Added support in QEMU for Armv7-A/Cortex-A15.
2444
2445- Enhancements to Firmware Update feature:
2446
2447 - Updated the FWU documentation to describe the additional images needed for
2448 Firmware update, and how they are used for both the Juno platform and the
2449 Arm FVP platforms.
2450
2451- Enhancements to Trusted Board Boot feature:
2452
2453 - Added support to cert_create tool for RSA PKCS1# v1.5 and SHA384, SHA512
2454 and SHA256.
2455
2456 - For Arm platforms added support to use ECDSA keys.
2457
2458 - Enhanced the mbed TLS wrapper layer to include support for both RSA and
2459 ECDSA to enable runtime selection between RSA and ECDSA keys.
2460
2461- Added support for secure interrupt handling in AArch32 sp_min, hardcoded to
2462 only handle FIQs.
2463
- Added support to allow a platform to load images from multiple boot sources,
  for example from a second flash drive.

- Added a logging framework that allows platforms to reduce the logging level
  at runtime and additionally the prefix string can be defined by the platform.

- Further improvements to register initialisation:

  - Control register PMCR_EL0 / PMCR is set to prohibit cycle counting in the
    secure world. This register is added to the list of registers that are
    saved and restored during world switch.

  - When EL3 is running in AArch32 execution state, the Non-secure version of
    SCTLR is explicitly initialised during the warmboot flow rather than
    relying on the hardware to set the correct reset values.

- Enhanced support for Arm platforms:

  - Introduced driver for Shared-Data-Structure (SDS) framework which is used
    for communication between SCP and the AP CPU, replacing Boot-Over-MHU
    (BOM) protocol.

    The Juno platform is migrated to use SDS with the SCMI support added in
    v1.3 and is set as default.

    The driver can be found in the plat/arm/css/drivers folder.

  - Improved memory usage by only mapping TSP memory region when the TSPD has
    been included in the build. This reduces the memory footprint and avoids
    unnecessary memory being mapped.

  - Updated support for multi-threading CPUs for FVP platforms - always check
    the MT field in MPIDR and access the bit fields accordingly.

  - Support building for platforms that model DynamIQ configuration by
    implementing all CPUs in a single cluster.

  - Improved NOR flash driver, for instance clearing status registers before
    sending commands. Driver can be found in the plat/arm/board/common folder.

- Enhancements to QEMU platform:

  - Added support for TBB.

  - Added support for using OP-TEE pageable image.

  - Added support for LOAD_IMAGE_V2.

  - Migrated to use translation table library v2 by default.

  - Added support for SEPARATE_CODE_AND_RODATA.

- Applied workarounds for CVE-2017-5715 on Arm Cortex-A57, -A72, -A73 and -A75,
  and for Armv7-A CPUs Cortex-A9, -A15 and -A17.

- Applied errata workaround for Arm Cortex-A57: 859972.

- Applied errata workaround for Arm Cortex-A72: 859971.

- Added support for Poplar 96Board platform.

- Added support for Raspberry Pi 3 platform.

- Added Call Frame Information (CFI) assembler directives to the vector entries
  which enables debuggers to display the backtrace of functions that triggered
  a synchronous abort.

- Added ability to build dtb.

- Added support for pre-tool (cert_create and fiptool) image processing
  enabling compression of the image files before processing by cert_create and
  fiptool.

  This can reduce fip size and may also speed up loading of images. The image
  verification will also get faster because certificates are generated based on
2539 compressed images.
2540
2541 Imported zlib 1.2.11 to implement gunzip() for data compression.
2542
2543- Enhancements to fiptool:
2544
2545 - Enabled the fiptool to be built using Visual Studio.
2546
2547 - Added padding bytes at the end of the last image in the fip to be
2548 facilitate transfer by DMA.
2549
2550Issues resolved since last release
Paul Beesleyc48991e2019-02-11 17:58:21 +00002551^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
David Cunado230326f2018-03-14 17:57:31 +00002552
2553- TF-A can be built with optimisations disabled (-O0).
2554
2555- Memory layout updated to enable Trusted Board Boot on Juno platform when
2556 running TF-A in AArch32 execution mode (resolving `tf-issue#501`_).
2557
2558Known Issues
Paul Beesleyc48991e2019-02-11 17:58:21 +00002559^^^^^^^^^^^^
David Cunado230326f2018-03-14 17:57:31 +00002560
Joanna Farleyd83bf0b2018-09-11 15:51:31 +01002561- DTB creation not supported when building on a Windows host. This step in the
2562 build process is skipped when running on a Windows host.
David Cunado230326f2018-03-14 17:57:31 +00002563
Paul Beesleyc48991e2019-02-11 17:58:21 +00002564Version 1.4
2565-----------
David Cunadoaee3ef42017-07-03 18:59:07 +01002566
2567New features
Paul Beesleyc48991e2019-02-11 17:58:21 +00002568^^^^^^^^^^^^
David Cunadoaee3ef42017-07-03 18:59:07 +01002569
2570- Enabled support for platforms with hardware assisted coherency.
2571
2572 A new build option HW_ASSISTED_COHERENCY allows platforms to take advantage
2573 of the following optimisations:
2574
2575 - Skip performing cache maintenance during power-up and power-down.
2576
2577 - Use spin-locks instead of bakery locks.
2578
2579 - Enable data caches early on warm-booted CPUs.
2580
2581- Added support for Cortex-A75 and Cortex-A55 processors.
2582
Dan Handley4def07d2018-03-01 18:44:00 +00002583 Both Cortex-A75 and Cortex-A55 processors use the Arm DynamIQ Shared Unit
David Cunadoaee3ef42017-07-03 18:59:07 +01002584 (DSU). The power-down and power-up sequences are therefore mostly managed in
2585 hardware, reducing complexity of the software operations.
2586
Dan Handley4def07d2018-03-01 18:44:00 +00002587- Introduced Arm GIC-600 driver.
David Cunadoaee3ef42017-07-03 18:59:07 +01002588
Dan Handley4def07d2018-03-01 18:44:00 +00002589 Arm GIC-600 IP complies with Arm GICv3 architecture. For FVP platforms, the
David Cunadoaee3ef42017-07-03 18:59:07 +01002590 GIC-600 driver is chosen when FVP_USE_GIC_DRIVER is set to FVP_GIC600.
2591
2592- Updated GICv3 support:
2593
2594 - Introduced power management APIs for GICv3 Redistributor. These APIs
2595 allow platforms to power down the Redistributor during CPU power on/off.
2596 Requires the GICv3 implementations to have power management operations.
2597
2598 Implemented the power management APIs for FVP.
2599
2600 - GIC driver data is flushed by the primary CPU so that secondary CPU do
2601 not read stale GIC data.
2602
Dan Handley4def07d2018-03-01 18:44:00 +00002603- Added support for Arm System Control and Management Interface v1.0 (SCMI).
David Cunadoaee3ef42017-07-03 18:59:07 +01002604
2605 The SCMI driver implements the power domain management and system power
Dan Handley4def07d2018-03-01 18:44:00 +00002606 management protocol of the SCMI specification (Arm DEN 0056ASCMI) for
David Cunadoaee3ef42017-07-03 18:59:07 +01002607 communicating with any compliant power controller.
2608
2609 Support is added for the Juno platform. The driver can be found in the
2610 plat/arm/css/drivers folder.
2611
Dan Handley4def07d2018-03-01 18:44:00 +00002612- Added support to enable pre-integration of TBB with the Arm TrustZone
David Cunadoaee3ef42017-07-03 18:59:07 +01002613 CryptoCell product, to take advantage of its hardware Root of Trust and
2614 crypto acceleration services.
2615
2616- Enabled Statistical Profiling Extensions for lower ELs.
2617
2618 The firmware support is limited to the use of SPE in the Non-secure state
2619 and accesses to the SPE specific registers from S-EL1 will trap to EL3.
2620
2621 The SPE are architecturally specified for AArch64 only.
2622
2623- Code hygiene changes aligned with MISRA guidelines:
2624
2625 - Fixed signed / unsigned comparison warnings in the translation table
2626 library.
2627
2628 - Added U(_x) macro and together with the existing ULL(_x) macro fixed
2629 some of the signed-ness defects flagged by the MISRA scanner.
2630
2631- Enhancements to Firmware Update feature:
2632
2633 - The FWU logic now checks for overlapping images to prevent execution of
Paul Beesley8aabea32019-01-11 18:26:51 +00002634 unauthenticated arbitrary code.
David Cunadoaee3ef42017-07-03 18:59:07 +01002635
2636 - Introduced new FWU_SMC_IMAGE_RESET SMC that changes the image loading
2637 state machine to go from COPYING, COPIED or AUTHENTICATED states to
2638 RESET state. Previously, this was only possible when the authentication
2639 of an image failed or when the execution of the image finished.
2640
2641 - Fixed integer overflow which addressed TFV-1: Malformed Firmware Update
2642 SMC can result in copy of unexpectedly large data into secure memory.
2643
Dan Handley4def07d2018-03-01 18:44:00 +00002644- Introduced support for Arm Compiler 6 and LLVM (clang).
David Cunadoaee3ef42017-07-03 18:59:07 +01002645
Dan Handley4def07d2018-03-01 18:44:00 +00002646 TF-A can now also be built with the Arm Compiler 6 or the clang compilers.
David Cunadoaee3ef42017-07-03 18:59:07 +01002647 The assembler and linker must be provided by the GNU toolchain.
2648
Dan Handley4def07d2018-03-01 18:44:00 +00002649 Tested with Arm CC 6.7 and clang 3.9.x and 4.0.x.
David Cunadoaee3ef42017-07-03 18:59:07 +01002650
2651- Memory footprint improvements:
2652
2653 - Introduced `tf_snprintf`, a reduced version of `snprintf` which has
2654 support for a limited set of formats.
2655
2656 The mbedtls driver is updated to optionally use `tf_snprintf` instead of
2657 `snprintf`.
2658
2659 - The `assert()` is updated to no longer print the function name, and
2660 additional logging options are supported via an optional platform define
2661 `PLAT_LOG_LEVEL_ASSERT`, which controls how verbose the assert output is.
2662
Dan Handley4def07d2018-03-01 18:44:00 +00002663- Enhancements to TF-A support when running in AArch32 execution state:
David Cunadoaee3ef42017-07-03 18:59:07 +01002664
2665 - Support booting SP_MIN and BL33 in AArch32 execution mode on Juno. Due to
2666 hardware limitations, BL1 and BL2 boot in AArch64 state and there is
2667 additional trampoline code to warm reset into SP_MIN in AArch32 execution
2668 state.
2669
Dan Handley4def07d2018-03-01 18:44:00 +00002670 - Added support for Arm Cortex-A53/57/72 MPCore processors including the
David Cunadoaee3ef42017-07-03 18:59:07 +01002671 errata workarounds that are already implemented for AArch64 execution
2672 state.
2673
2674 - For FVP platforms, added AArch32 Trusted Board Boot support, including the
2675 Firmware Update feature.
2676
Dan Handley4def07d2018-03-01 18:44:00 +00002677- Introduced Arm SiP service for use by Arm standard platforms.
David Cunadoaee3ef42017-07-03 18:59:07 +01002678
Dan Handley4def07d2018-03-01 18:44:00 +00002679 - Added new Arm SiP Service SMCs to enable the Non-secure world to read PMF
David Cunadoaee3ef42017-07-03 18:59:07 +01002680 timestamps.
2681
Dan Handley4def07d2018-03-01 18:44:00 +00002682 Added PMF instrumentation points in TF-A in order to quantify the
David Cunadoaee3ef42017-07-03 18:59:07 +01002683 overall time spent in the PSCI software implementation.
2684
Dan Handley4def07d2018-03-01 18:44:00 +00002685 - Added new Arm SiP service SMC to switch execution state.
David Cunadoaee3ef42017-07-03 18:59:07 +01002686
2687 This allows the lower exception level to change its execution state from
2688 AArch64 to AArch32, or vice verse, via a request to EL3.
2689
2690- Migrated to use SPDX[0] license identifiers to make software license
2691 auditing simpler.
2692
Paul Beesleye1c50262019-03-13 16:20:44 +00002693 .. note::
2694 Files that have been imported by FreeBSD have not been modified.
David Cunadoaee3ef42017-07-03 18:59:07 +01002695
2696 [0]: https://spdx.org/
2697
2698- Enhancements to the translation table library:
2699
2700 - Added version 2 of translation table library that allows different
2701 translation tables to be modified by using different 'contexts'. Version 1
David Cunado230326f2018-03-14 17:57:31 +00002702 of the translation table library only allows the current EL's translation
David Cunadoaee3ef42017-07-03 18:59:07 +01002703 tables to be modified.
2704
2705 Version 2 of the translation table also added support for dynamic
2706 regions; regions that can be added and removed dynamically whilst the
2707 MMU is enabled. Static regions can only be added or removed before the
2708 MMU is enabled.
2709
2710 The dynamic mapping functionality is enabled or disabled when compiling
2711 by setting the build option PLAT_XLAT_TABLES_DYNAMIC to 1 or 0. This can
2712 be done per-image.
2713
2714 - Added support for translation regimes with two virtual address spaces
2715 such as the one shared by EL1 and EL0.
2716
2717 The library does not support initializing translation tables for EL0
2718 software.
2719
2720 - Added support to mark the translation tables as non-cacheable using an
2721 additional build option `XLAT_TABLE_NC`.
2722
2723- Added support for GCC stack protection. A new build option
2724 ENABLE_STACK_PROTECTOR was introduced that enables compilation of all BL
2725 images with one of the GCC -fstack-protector-* options.
2726
2727 A new platform function plat_get_stack_protector_canary() was introduced
2728 that returns a value used to initialize the canary for stack corruption
2729 detection. For increased effectiveness of protection platforms must provide
2730 an implementation that returns a random value.
2731
Dan Handley4def07d2018-03-01 18:44:00 +00002732- Enhanced support for Arm platforms:
David Cunadoaee3ef42017-07-03 18:59:07 +01002733
2734 - Added support for multi-threading CPUs, indicated by `MT` field in MPDIR.
2735 A new build flag `ARM_PLAT_MT` is added, and when enabled, the functions
2736 accessing MPIDR assume that the `MT` bit is set for the platform and
2737 access the bit fields accordingly.
2738
2739 Also, a new API `plat_arm_get_cpu_pe_count` is added when `ARM_PLAT_MT` is
2740 enabled, returning the Processing Element count within the physical CPU
2741 corresponding to `mpidr`.
2742
Dan Handley4def07d2018-03-01 18:44:00 +00002743 - The Arm platforms migrated to use version 2 of the translation tables.
David Cunadoaee3ef42017-07-03 18:59:07 +01002744
Dan Handley4def07d2018-03-01 18:44:00 +00002745 - Introduced a new Arm platform layer API `plat_arm_psci_override_pm_ops`
2746 which allows Arm platforms to modify `plat_arm_psci_pm_ops` and therefore
David Cunadoaee3ef42017-07-03 18:59:07 +01002747 dynamically define PSCI capability.
2748
Dan Handley4def07d2018-03-01 18:44:00 +00002749 - The Arm platforms migrated to use IMAGE_LOAD_V2 by default.
David Cunadoaee3ef42017-07-03 18:59:07 +01002750
2751- Enhanced reporting of errata workaround status with the following policy:
2752
2753 - If an errata workaround is enabled:
2754
2755 - If it applies (i.e. the CPU is affected by the errata), an INFO message
2756 is printed, confirming that the errata workaround has been applied.
2757
2758 - If it does not apply, a VERBOSE message is printed, confirming that the
2759 errata workaround has been skipped.
2760
2761 - If an errata workaround is not enabled, but would have applied had it
2762 been, a WARN message is printed, alerting that errata workaround is
2763 missing.
2764
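The reporting policy above, as an added example rather than TF-A's own code: applicability is decided from the Variant and Revision fields of MIDR_EL1 against the last affected rXpY of each erratum, and the policy picks the message class. The erratum ids, their affected ranges and the sample MIDR are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Message class the policy selects for one erratum on one CPU. */
enum errata_report { ERRATA_SILENT = 0, ERRATA_VERBOSE_SKIPPED, ERRATA_INFO_APPLIED, ERRATA_WARN_MISSING };

/* One erratum: affects every revision up to and including r<max_variant>p<max_revision>
 * in Arm's rXpY naming; workaround_enabled mirrors a build-time ERRATA_* option. */
struct erratum {
    unsigned int id;
    unsigned int max_variant;
    unsigned int max_revision;
    int workaround_enabled;
};

/* MIDR_EL1 layout: Variant is bits [23:20], Revision is bits [3:0]. */
static unsigned int midr_variant(uint32_t midr)  { return (midr >> 20) & 0xfu; }
static unsigned int midr_revision(uint32_t midr) { return midr & 0xfu; }

/* 1 when the CPU is at or below the last affected rXpY, 0 otherwise. */
int erratum_applies(uint32_t midr, const struct erratum *e)
{
    unsigned int v = midr_variant(midr), r = midr_revision(midr);
    return v < e->max_variant || (v == e->max_variant && r <= e->max_revision);
}

/* The policy: enabled and applicable -> INFO; enabled but not applicable -> VERBOSE;
 * disabled but would have applied -> WARN; disabled and not applicable -> nothing. */
enum errata_report errata_status(uint32_t midr, const struct erratum *e)
{
    int applies = erratum_applies(midr, e);
    if (e->workaround_enabled) return applies ? ERRATA_INFO_APPLIED : ERRATA_VERBOSE_SKIPPED;
    return applies ? ERRATA_WARN_MISSING : ERRATA_SILENT;
}

/* Logs one line per erratum and returns how many required workarounds are missing,
 * so a boot-time or CI check can fail on a non-zero count. */
unsigned int errata_report_all(uint32_t midr, const struct erratum *list, size_t count)
{
    unsigned int missing = 0;
    for (size_t i = 0; i < count; i++) {
        switch (errata_status(midr, &list[i])) {
        case ERRATA_INFO_APPLIED:
            printf("INFO:    erratum %u: workaround applied\n", list[i].id); break;
        case ERRATA_VERBOSE_SKIPPED:
            printf("VERBOSE: erratum %u: not applicable, workaround skipped\n", list[i].id); break;
        case ERRATA_WARN_MISSING:
            printf("WARNING: erratum %u: workaround missing\n", list[i].id); missing++; break;
        default:
            break;
        }
    }
    return missing;
}

/* Constructed sample: a CPU at r1p2 (implementer 0x41, variant 1, part 0xD07, revision 2)
 * and three made-up errata; the ids are placeholders, not real Arm erratum numbers. */
#define SAMPLE_MIDR 0x411FD072u
const struct erratum sample_errata[] = {
    { 900001u, 1u, 3u, 1 }, /* affected up to r1p3, workaround on  -> applies, INFO          */
    { 900002u, 0u, 1u, 1 }, /* affected up to r0p1, workaround on  -> not affected, VERBOSE  */
    { 900003u, 2u, 0u, 0 }, /* affected up to r2p0, workaround off -> applies, WARN          */
};

int main(void)
{
    size_t count = sizeof(sample_errata) / sizeof(sample_errata[0]);
    return errata_report_all(SAMPLE_MIDR, sample_errata, count) != 0;
}
```
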
- Added build options ARM_ARCH_MAJOR and ARM_ARCH_MINOR to choose the
  architecture version to target TF-A.

- Updated the spin lock implementation to use the more efficient CAS (Compare
  And Swap) instruction when available. This instruction was introduced in
  Armv8.1-A.

- Applied errata workaround for Arm Cortex-A53: 855873.

- Applied errata workaround for Arm Cortex-A57: 813419.

- Enabled all A53 and A57 errata workarounds for Juno, both in AArch64 and
  AArch32 execution states.

- Added support for Socionext UniPhier SoC platform.

- Added support for HiKey960 and HiKey platforms.

- Added support for Rockchip RK3328 platform.

- Added support for NVIDIA Tegra T186 platform.

- Added support for DesignWare eMMC driver.

- Imported libfdt v1.4.2 that addresses buffer overflow in fdt_offset_ptr().

- Enhanced the CPU operations framework to allow power handlers to be
  registered on per-level basis. This enables support for future CPUs that
  have multiple threads which might need powering down individually.

- Updated register initialisation to prevent unexpected behaviour:

  - Debug registers MDCR_EL3/SDCR and MDCR_EL2/HDCR are initialised to avoid
    unexpected traps into the higher exception levels and disable secure
    self-hosted debug. Additionally, secure privileged external debug on
    Juno is disabled by programming the appropriate Juno SoC registers.

  - EL2 and EL3 configurable controls are initialised to avoid unexpected
    traps in the higher exception levels.

  - Essential control registers are fully initialised on EL3 start-up, when
    initialising the non-secure and secure context structures and when
    preparing to leave EL3 for a lower EL. This gives better alignment with
    the Arm ARM which states that software must initialise RES0 and RES1
    fields with 0 / 1.

- Enhanced PSCI support:

  - Introduced new platform interfaces that decouple PSCI stat residency
    calculation from PMF, enabling platforms to use alternative methods of
    capturing timestamps.

  - PSCI stat accounting performed for retention/standby states when
    requested at multiple power levels.

- Simplified fiptool to have a single linked list of image descriptors.

- For the TSP, resolved corruption of pre-empted secure context by aborting any
  pre-empted SMC during PSCI power management requests.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- TF-A can be built with the latest mbed TLS version (v2.4.2). The earlier
  version 2.3.0 cannot be used due to build warnings that the TF-A build
  system interprets as errors.

- TBBR, including the Firmware Update feature, is now supported on FVP
  platforms when running TF-A in AArch32 state.

- The version of the AEMv8 Base FVP used in this release has resolved the issue
  of the model executing a reset instead of terminating in response to a
  shutdown request using the PSCI SYSTEM_OFF API.

Known Issues
^^^^^^^^^^^^

- Building TF-A with compiler optimisations disabled (-O0) fails.

- Trusted Board Boot currently does not work on Juno when running Trusted
  Firmware in AArch32 execution state, due to an error when loading sp_min
  into memory because of a lack of free space. See `tf-issue#501`_ for more
  details.

- The errata workaround for A53 erratum 843419 is only available from binutils
  2.26 and is not present in GCC 4.9. If this erratum is applicable to the
  platform, please use a GCC compiler version of at least 5.0. See `PR#1002`_
  for more details.

Version 1.3
-----------

New features
^^^^^^^^^^^^

- Added support for running TF-A in AArch32 execution state.

  The PSCI library has been refactored to allow integration with **EL3 Runtime
  Software**. This is software that is executing at the highest secure
  privilege which is EL3 in AArch64 or Secure SVC/Monitor mode in AArch32. See
  :ref:`PSCI Library Integration guide for Armv8-A AArch32 systems`.

  Included is a minimal AArch32 Secure Payload, **SP-MIN**, that illustrates
  the usage and integration of the PSCI library with EL3 Runtime Software
  running in AArch32 state.

  Booting to the BL1/BL2 images as well as booting straight to the Secure
  Payload is supported.

- Improvements to the initialization framework for the PSCI service and Arm
  Standard Services in general.

  The PSCI service is now initialized as part of Arm Standard Service
  initialization. This consolidates the initializations of any Arm Standard
  Service that may be added in the future.

  A new function ``get_arm_std_svc_args()`` is introduced to get arguments
  corresponding to each standard service and must be implemented by the EL3
  Runtime Software.

  For PSCI, a new versioned structure ``psci_lib_args_t`` is introduced to
  initialize the PSCI Library. **Note** this is a compatibility break due to
  the change in the prototype of ``psci_setup()``.

- To support AArch32 builds of BL1 and BL2, implemented a new, alternative
  firmware image loading mechanism that adds flexibility.

  The current mechanism has a hard-coded set of images and execution order
  (BL31, BL32, etc). The new mechanism is data-driven by a list of image
  descriptors provided by the platform code.

  Arm platforms have been updated to support the new loading mechanism.

  The new mechanism is enabled by a build flag (``LOAD_IMAGE_V2``) which is
  currently off by default for the AArch64 build.

  **Note** ``TRUSTED_BOARD_BOOT`` is currently not supported when
  ``LOAD_IMAGE_V2`` is enabled.

- Updated requirements for making contributions to TF-A.

  Commits now must have a 'Signed-off-by:' field to certify that the
  contribution has been made under the terms of the
  :download:`Developer Certificate of Origin <../dco.txt>`.

  A signed CLA is no longer required.

  The :ref:`Contributor's Guide` has been updated to reflect this change.

- Introduced Performance Measurement Framework (PMF) which provides support
  for capturing, storing, dumping and retrieving time-stamps to measure the
  execution time of critical paths in the firmware. This relies on defining
  fixed sample points at key places in the code.

- To support the QEMU platform port, imported libfdt v1.4.1 from
  https://git.kernel.org/pub/scm/utils/dtc/dtc.git

- Updated PSCI support:

  - Added support for PSCI NODE_HW_STATE API for Arm platforms.

  - New optional platform hook, ``pwr_domain_pwr_down_wfi()``, in
    ``plat_psci_ops`` to enable platforms to perform platform-specific actions
    needed to enter powerdown, including the 'wfi' invocation.

  - PSCI STAT residency and count functions have been added on Arm platforms
    by using PMF.

- Enhancements to the translation table library:

  - Limited memory mapping support for region overlaps to only allow regions
    to overlap that are identity mapped or have the same virtual to physical
    address offset, and overlap completely but must not cover the same area.

    This limitation will enable future enhancements without having to
    support complex edge cases that may not be necessary.

  - The initial translation lookup level is now inferred from the virtual
    address space size. Previously, it was hard-coded.

  - Added support for mapping Normal, Inner Non-cacheable, Outer
    Non-cacheable memory in the translation table library.

    This can be useful to map a non-cacheable memory region, such as a DMA
    buffer.

  - Introduced the MT_EXECUTE/MT_EXECUTE_NEVER memory mapping attributes to
    specify the access permissions for instruction execution of a memory
    region.

- Enabled support to isolate code and read-only data on separate memory pages,
  allowing independent access control to be applied to each.

- Enabled SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and BL31 common
  architectural setup code, preventing fetching instructions from non-secure
  memory when in secure state.

- Enhancements to FIP support:

  - Replaced ``fip_create`` with ``fiptool`` which provides a more consistent
    and intuitive interface as well as additional support to remove an image
    from a FIP file.

  - Enabled printing the SHA256 digest with the info command, allowing quick
    verification of an image within a FIP without having to extract the
    image and run sha256sum on it.

  - Added support for unpacking the contents of an existing FIP file into
    the working directory.

  - Aligned command line options for specifying images to use the same naming
    convention as specified by TBBR and already used in the cert_create tool.

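An added example, not fiptool's source: a walk over a FIP table of contents with the checks a tool such as ``fiptool info`` or the unpack command needs before trusting any entry (header magic, null-UUID terminator, overflow-safe bounds, no image overlap), run over a constructed sample that also carries the zero padding after the last image described in the earlier fiptool enhancements. The overflow-safe range test is the kind the FWU overlapping-image check above calls for; the struct layouts follow the FIP format, while the sample UUIDs, serial number and image bytes are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOC_HEADER_NAME 0xAA640001u /* FIP table-of-contents magic */
#define FIP_MAX_IMAGES  8           /* limit for this example only */
#define DMA_PAD         16          /* assumed padding granularity for the sample FIP */

struct toc_header { uint32_t name; uint32_t serial; uint64_t flags; };                  /* 16 bytes */
struct toc_entry { uint8_t uuid[16]; uint64_t offset; uint64_t size; uint64_t flags; }; /* 40 bytes */

/* fip_validate() returns the image count, or the negative of one of these. */
enum fip_error { FIP_BAD_HEADER = 1, FIP_NO_TERMINATOR, FIP_TOO_MANY, FIP_OUT_OF_BOUNDS, FIP_OVERLAP };

static const uint8_t null_uuid[16]; /* an all-zero UUID marks the end of the ToC */

/* Half-open ranges [a, a+alen) and [b, b+blen) intersect; the caller has already
 * checked that neither range wraps. */
static int ranges_overlap(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    return a < b + blen && b < a + alen;
}

/* Walks the ToC of a FIP held in memory, refusing any entry that points outside
 * the file or onto another image, as a tool must before trusting an offset. */
long fip_validate(const uint8_t *fip, size_t len)
{
    struct toc_header hdr;
    struct toc_entry seen[FIP_MAX_IMAGES];
    size_t pos, n = 0;

    if (len < sizeof(hdr)) return -FIP_BAD_HEADER;
    memcpy(&hdr, fip, sizeof(hdr));
    if (hdr.name != TOC_HEADER_NAME) return -FIP_BAD_HEADER;

    for (pos = sizeof(hdr);; pos += sizeof(struct toc_entry)) {
        struct toc_entry e;
        if (len - pos < sizeof(e)) return -FIP_NO_TERMINATOR;  /* ToC ran off the end */
        memcpy(&e, fip + pos, sizeof(e));
        if (memcmp(e.uuid, null_uuid, 16) == 0) break;         /* terminator reached */
        if (n == FIP_MAX_IMAGES) return -FIP_TOO_MANY;
        /* Checked this way round so a huge size cannot wrap offset + size back inside the file. */
        if (e.size > len || e.offset > len - e.size) return -FIP_OUT_OF_BOUNDS;
        for (size_t i = 0; i < n; i++)
            if (ranges_overlap(seen[i].offset, seen[i].size, e.offset, e.size)) return -FIP_OVERLAP;
        seen[n++] = e;
    }
    return (long)n;
}

/* Builds a constructed two-image FIP: header, two entries, null terminator, image
 * bytes, then zero padding after the last image up to a DMA_PAD boundary.
 * Returns the FIP length, or 0 if 'cap' is too small. */
size_t fip_build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t img_a[] = "constructed BL2 payload";    /* sample bytes, not firmware */
    static const uint8_t img_b[] = "constructed BL31 payload #2";
    const struct toc_header hdr = { TOC_HEADER_NAME, 0x12345678u, 0 };
    struct toc_entry ents[3];
    size_t off_a = sizeof(hdr) + sizeof(ents);                 /* 136: images follow the ToC */
    size_t off_b = off_a + sizeof(img_a);
    size_t total = (off_b + sizeof(img_b) + DMA_PAD - 1) / DMA_PAD * DMA_PAD;

    if (cap < total) return 0;
    memset(out, 0, total);
    memset(ents, 0, sizeof(ents));                              /* ents[2] stays the terminator */
    memset(ents[0].uuid, 0xA1, 16); ents[0].offset = off_a; ents[0].size = sizeof(img_a);
    memset(ents[1].uuid, 0xB2, 16); ents[1].offset = off_b; ents[1].size = sizeof(img_b);
    memcpy(out, &hdr, sizeof(hdr));
    memcpy(out + sizeof(hdr), ents, sizeof(ents));
    memcpy(out + off_a, img_a, sizeof(img_a));
    memcpy(out + off_b, img_b, sizeof(img_b));
    return total;
}

/* Self-check on the sample. tamper: 0 = untouched, 1 = second entry's size so large
 * that offset + size wraps past UINT64_MAX, 2 = second entry moved onto the first image. */
long fip_sample_status(int tamper)
{
    uint8_t buf[256];
    size_t len = fip_build_sample(buf, sizeof(buf));
    size_t pos = sizeof(struct toc_header) + sizeof(struct toc_entry); /* second entry */
    struct toc_entry e;

    memcpy(&e, buf + pos, sizeof(e));
    if (tamper == 1) e.size = UINT64_MAX - 8;  /* naive offset + size would wrap to 151 < len */
    if (tamper == 2) e.offset = 140;           /* inside the first image, which starts at 136 */
    memcpy(buf + pos, &e, sizeof(e));
    return fip_validate(buf, len);
}

int main(void)
{
    printf("intact: %ld  oversize: %ld  overlapping: %ld\n",
           fip_sample_status(0), fip_sample_status(1), fip_sample_status(2));
    return 0;
}
```
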
2979- Refactored the TZC-400 driver to also support memory controllers that
Dan Handley4def07d2018-03-01 18:44:00 +00002980 integrate TZC functionality, for example Arm CoreLink DMC-500. Also added
Douglas Raillard6f625742017-06-28 15:23:03 +01002981 DMC-500 specific support.
2982
2983- Implemented generic delay timer based on the system generic counter and
2984 migrated all platforms to use it.
2985
Dan Handley4def07d2018-03-01 18:44:00 +00002986- Enhanced support for Arm platforms:
Douglas Raillard6f625742017-06-28 15:23:03 +01002987
Sandrine Bailleuxf3cacad2019-02-08 15:26:36 +01002988 - Updated image loading support to make SCP images (SCP_BL2 and SCP_BL2U)
Douglas Raillard6f625742017-06-28 15:23:03 +01002989 optional.
2990
2991 - Enhanced topology description support to allow multi-cluster topology
2992 definitions.
2993
2994 - Added interconnect abstraction layer to help platform ports select the
2995 right interconnect driver, CCI or CCN, for the platform.
2996
2997 - Added support to allow loading BL31 in the TZC-secured DRAM instead of
2998 the default secure SRAM.
2999
3000 - Added support to use a System Security Control (SSC) Registers Unit
Dan Handley4def07d2018-03-01 18:44:00 +00003001 enabling TF-A to be compiled to support multiple Arm platforms and
Douglas Raillard6f625742017-06-28 15:23:03 +01003002 then select one at runtime.
3003
3004 - Restricted mapping of Trusted ROM in BL1 to what is actually needed by
3005 BL1 rather than entire Trusted ROM region.
3006
3007 - Flash is now mapped as execute-never by default. This increases security
3008 by restricting the executable region to what is strictly needed.
3009
3010- Applied following erratum workarounds for Cortex-A57: 833471, 826977,
3011 829520, 828024 and 826974.
3012
3013- Added support for Mediatek MT6795 platform.
3014
Dan Handley4def07d2018-03-01 18:44:00 +00003015- Added support for QEMU virtualization Armv8-A target.
Douglas Raillard6f625742017-06-28 15:23:03 +01003016
3017- Added support for Rockchip RK3368 and RK3399 platforms.
3018
3019- Added support for Xilinx Zynq UltraScale+ MPSoC platform.
3020
Dan Handley4def07d2018-03-01 18:44:00 +00003021- Added support for Arm Cortex-A73 MPCore Processor.
Douglas Raillard6f625742017-06-28 15:23:03 +01003022
Dan Handley4def07d2018-03-01 18:44:00 +00003023- Added support for Arm Cortex-A72 processor.
Douglas Raillard6f625742017-06-28 15:23:03 +01003024
Dan Handley4def07d2018-03-01 18:44:00 +00003025- Added support for Arm Cortex-A35 processor.
Douglas Raillard6f625742017-06-28 15:23:03 +01003026
Dan Handley4def07d2018-03-01 18:44:00 +00003027- Added support for Arm Cortex-A32 MPCore Processor.
Douglas Raillard6f625742017-06-28 15:23:03 +01003028
3029- Enabled preloaded BL33 alternative boot flow, in which BL2 does not load
3030 BL33 from non-volatile storage and BL31 hands execution over to a preloaded
3031 BL33. The User Guide has been updated with an example of how to use this
3032 option with a bootwrapped kernel.
3033
Dan Handley4def07d2018-03-01 18:44:00 +00003034- Added support to build TF-A on a Windows-based host machine.
Douglas Raillard6f625742017-06-28 15:23:03 +01003035
3036- Updated Trusted Board Boot prototype implementation:
3037
3038 - Enabled the ability for a production ROM with TBBR enabled to boot test
3039 software before a real ROTPK is deployed (e.g. manufacturing mode).
3040 Added support to use ROTPK in certificate without verifying against the
3041 platform value when ``ROTPK_NOT_DEPLOYED`` bit is set.
3042
3043 - Added support for non-volatile counter authentication to the
3044 Authentication Module to protect against roll-back.
3045
3046- Updated GICv3 support:
3047
3048 - Enabled processor power-down and automatic power-on using GICv3.
3049
3050 - Enabled G1S or G0 interrupts to be configured independently.
3051
3052 - Changed FVP default interrupt driver to be the GICv3-only driver.
Dan Handley4def07d2018-03-01 18:44:00 +00003053 **Note** the default build of TF-A will not be able to boot
Douglas Raillard6f625742017-06-28 15:23:03 +01003054 Linux kernel with GICv2 FDT blob.
3055
Sandrine Bailleuxf3cacad2019-02-08 15:26:36 +01003056 - Enabled wake-up from CPU_SUSPEND to stand-by by temporarily re-routing
Douglas Raillard6f625742017-06-28 15:23:03 +01003057 interrupts and then restoring after resume.
3058
3059Issues resolved since last release
Paul Beesleyc48991e2019-02-11 17:58:21 +00003060^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Douglas Raillard6f625742017-06-28 15:23:03 +01003061
3062Known issues
Paul Beesleyc48991e2019-02-11 17:58:21 +00003063^^^^^^^^^^^^
Douglas Raillard6f625742017-06-28 15:23:03 +01003064
3065- The version of the AEMv8 Base FVP used in this release resets the model
3066 instead of terminating its execution in response to a shutdown request using
3067 the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
3068 the model.
3069
Dan Handley4def07d2018-03-01 18:44:00 +00003070- Building TF-A with compiler optimisations disabled (``-O0``) fails.
Douglas Raillard6f625742017-06-28 15:23:03 +01003071
Dan Handley4def07d2018-03-01 18:44:00 +00003072- TF-A cannot be built with mbed TLS version v2.3.0 due to build warnings
3073 that the TF-A build system interprets as errors.
Douglas Raillard6f625742017-06-28 15:23:03 +01003074
Dan Handley4def07d2018-03-01 18:44:00 +00003075- TBBR is not currently supported when running TF-A in AArch32 state.
Douglas Raillard6f625742017-06-28 15:23:03 +01003076
Version 1.2
-----------

New features
^^^^^^^^^^^^

- The Trusted Board Boot implementation on Arm platforms now conforms to the
  mandatory requirements of the TBBR specification.

  In particular, the boot process is now guarded by a Trusted Watchdog, which
  will reset the system in case of an authentication or loading error. On Arm
  platforms, a secure instance of Arm SP805 is used as the Trusted Watchdog.

  Also, a firmware update process has been implemented. It enables
  authenticated firmware to update firmware images from external interfaces to
  SoC Non-Volatile memories. This feature functions even when the current
  firmware in the system is corrupt or missing; it therefore may be used as
  a recovery mode.

- Improvements have been made to the Certificate Generation Tool
  (``cert_create``) as follows.

  - Added support for the Firmware Update process by extending the Chain
    of Trust definition in the tool to include the Firmware Update
    certificate and the required extensions.

  - Introduced a new API that allows one to specify command line options in
    the Chain of Trust description. This makes the declaration of the tool's
    arguments more flexible and easier to extend.

  - The tool has been reworked to follow a data driven approach, which
    makes it easier to maintain and extend.

- Extended the FIP tool (``fip_create``) to support the new set of images
  involved in the Firmware Update process.

- Various memory footprint improvements. In particular:

  - The bakery lock structure for coherent memory has been optimised.

  - The mbed TLS SHA1 functions are not needed, as SHA256 is used to
    generate the certificate signature. Therefore, they have been compiled
    out, reducing the memory footprint of BL1 and BL2 by approximately
    6 KB.

  - On Arm development platforms, each BL stage now individually defines
    the number of regions that it needs to map in the MMU.

- Added the following new design documents:

  - :ref:`Authentication Framework & Chain of Trust`
  - :ref:`Firmware Update (FWU)`
  - :ref:`CPU Reset`
  - :ref:`PSCI Power Domain Tree Structure`

- Applied the new image terminology to the code base and documentation, as
  described in the :ref:`Image Terminology` document.

- The build system has been reworked to improve readability and facilitate
  adding future extensions.

- On Arm standard platforms, BL31 uses the boot console during cold boot
  but switches to the runtime console for any later logs at runtime. The TSP
  uses the runtime console for all output.

- Implemented a basic NOR flash driver for Arm platforms. It programs the
  device using CFI (Common Flash Interface) standard commands.

- Implemented support for booting EL3 payloads on Arm platforms, which
  reduces the complexity of developing EL3 baremetal code by doing essential
  baremetal initialization.

- Provided separate drivers for GICv3 and GICv2. These expect the entire
  software stack to use either GICv2 or GICv3; hybrid GIC software systems
  are no longer supported and the legacy Arm GIC driver has been deprecated.

- Added support for Juno r1 and r2. A single set of Juno TF-A binaries can run
  on Juno r0, r1 and r2 boards. Note that this TF-A version depends on a Linaro
  release that does *not* contain Juno r2 support.

- Added support for MediaTek mt8173 platform.

- Implemented a generic driver for Arm CCN IP.

- Major rework of the PSCI implementation.

  - Added framework to handle composite power states.

  - Decoupled the notions of affinity instances (which describe the
    hierarchical arrangement of cores) and of power domain topology, instead
    of assuming a one-to-one mapping.

  - Better alignment with version 1.0 of the PSCI specification.

- Added support for the SYSTEM_SUSPEND PSCI API on Arm platforms. When invoked
  on the last running core on a supported platform, this puts the system
  into a low power mode with memory retention.

- Unified the reset handling code as much as possible across BL stages.
  Also introduced some build options to enable optimization of the reset path
  on platforms that support it.

- Added a simple delay timer API, as well as an SP804 timer driver, which is
  enabled on FVP.

- Added support for NVidia Tegra T210 and T132 SoCs.

- Reorganised Arm platform ports to greatly improve code shareability and
  facilitate the reuse of some of this code by other platforms.

- Added support for Arm Cortex-A72 processor in the CPU specific framework.

- Provided better error handling. Platform ports can now define their own
  error handling, for example to perform platform specific bookkeeping or
  post-error actions.

- Implemented a unified driver for Arm Cache Coherent Interconnects used for
  both CCI-400 & CCI-500 IPs. Arm platform ports have been migrated to this
  common driver. The standalone CCI-400 driver has been deprecated.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The Trusted Board Boot implementation has been redesigned to provide greater
  modularity and scalability. See the
  :ref:`Authentication Framework & Chain of Trust` document.
  All missing mandatory features are now implemented.

- The FVP and Juno ports may now use the hash of the ROTPK stored in the
  Trusted Key Storage registers to verify the ROTPK. Alternatively, a
  development public key hash embedded in the BL1 and BL2 binaries might be
  used instead. The location of the ROTPK is chosen at build-time using the
  ``ARM_ROTPK_LOCATION`` build option.

- GICv3 is now fully supported and stable.

Known issues
^^^^^^^^^^^^

- The version of the AEMv8 Base FVP used in this release resets the model
  instead of terminating its execution in response to a shutdown request using
  the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
  the model.

- While this version has low on-chip RAM requirements, there are further
  RAM usage enhancements that could be made.

- The upstream documentation could be improved for structural consistency,
  clarity and completeness. In particular, the design documentation is
  incomplete for PSCI, the TSP(D) and the Juno platform.

- Building TF-A with compiler optimisations disabled (``-O0``) fails.

Version 1.1
-----------

New features
^^^^^^^^^^^^

- A prototype implementation of Trusted Board Boot has been added. Boot
  loader images are verified by BL1 and BL2 during the cold boot path. BL1 and
  BL2 use the PolarSSL SSL library to verify certificates and images. The
  OpenSSL library is used to create the X.509 certificates. Support has been
  added to ``fip_create`` tool to package the certificates in a FIP.

- Support for calling CPU and platform specific reset handlers upon entry into
  BL3-1 during the cold and warm boot paths has been added. This happens after
  another Boot ROM ``reset_handler()`` has already run. This enables a developer
  to perform additional actions or undo actions already performed during the
  first call of the reset handlers e.g. apply additional errata workarounds.

- Support has been added to demonstrate routing of IRQs to EL3 instead of
  S-EL1 when execution is in secure world.

- The PSCI implementation now conforms to version 1.0 of the PSCI
  specification. All the mandatory APIs and selected optional APIs are
  supported. In particular, support for the ``PSCI_FEATURES`` API has been
  added. A capability variable is constructed during initialization by
  examining the ``plat_pm_ops`` and ``spd_pm_ops`` exported by the platform and
  the Secure Payload Dispatcher. This is used by the PSCI FEATURES function
  to determine which PSCI APIs are supported by the platform.

- Improvements have been made to the PSCI code as follows.

  - The code has been refactored to remove redundant parameters from
    internal functions.

  - Changes have been made to the code for PSCI ``CPU_SUSPEND``, ``CPU_ON`` and
    ``CPU_OFF`` calls to facilitate an early return to the caller in case a
    failure condition is detected. For example, a PSCI ``CPU_SUSPEND`` call
    returns ``SUCCESS`` to the caller if a pending interrupt is detected early
    in the code path.

  - Optional platform APIs have been added to validate the ``power_state`` and
    ``entrypoint`` parameters early in PSCI ``CPU_ON`` and ``CPU_SUSPEND`` code
    paths.

  - PSCI migrate APIs have been reworked to invoke the SPD hook to determine
    the type of Trusted OS and the CPU it is resident on (if
    applicable). Also, during a PSCI ``MIGRATE`` call, the SPD hook to migrate
    the Trusted OS is invoked.

- It is now possible to build TF-A without marking at least an extra page of
  memory as coherent. The build flag ``USE_COHERENT_MEM`` can be used to
  choose between the two implementations. This has been made possible through
  these changes.

  - An implementation of Bakery locks, where the locks are not allocated in
    coherent memory, has been added.

  - Memory which was previously marked as coherent is now kept coherent
    through the use of software cache maintenance operations.

  Approximately 4K of memory is saved for each boot loader stage when
  ``USE_COHERENT_MEM=0``. Building with this setting increases the latencies
  associated with acquire and release of locks. It also requires changes to
  the platform ports.

- It is now possible to specify the name of the FIP at build time by defining
  the ``FIP_NAME`` variable.

- Issues with dependencies on the 'fiptool' makefile target have been
  rectified. The ``fip_create`` tool is now rebuilt whenever its source files
  change.

- The BL3-1 runtime console is now also used as the crash console. The crash
  console is changed to SoC UART0 (UART2) from the previous FPGA UART0 (UART0)
  on Juno. In FVP, it is changed from UART0 to UART1.

- CPU errata workarounds are applied only when the revision and part number
  match. This behaviour has been made consistent across the debug and release
  builds. The debug build additionally prints a warning if a mismatch is
  detected.

- It is now possible to issue cache maintenance operations by set/way for a
  particular level of data cache. Levels 1-3 are currently supported.

- The following improvements have been made to the FVP port.

  - The build option ``FVP_SHARED_DATA_LOCATION`` which allowed relocation of
    shared data into the Trusted DRAM has been deprecated. Shared data is
    now always located at the base of Trusted SRAM.

  - BL2 Translation tables have been updated to map only the region of
    DRAM which is accessible to normal world. This is the region of the 2GB
    DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is
    accessible to only the secure world.

  - BL3-2 can now reside in the top 16MB of DRAM which is accessible only to
    the secure world. This can be done by setting the build flag
    ``FVP_TSP_RAM_LOCATION`` to the value ``dram``.

- Separate translation tables are created for each boot loader image. The
  ``IMAGE_BLx`` build options are used to do this. This allows each stage to
  create mappings only for areas in the memory map that it needs.

- A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been
  added. Details of using it with TF-A can be found in :ref:`OP-TEE Dispatcher`.
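
As an added example, not code from the TF-A project, the following C snippet shows the capability-mask approach that the ``PSCI_FEATURES`` item above describes: the mask is built once from the hooks that ``plat_pm_ops`` and ``spd_pm_ops`` actually provide, and ``PSCI_FEATURES`` answers queries from that mask rather than by probing the hooks at call time. The structure members, the capability bit encoding and the sample hook set are assumptions made for this illustration; the function IDs and return codes are those of the PSCI 1.0 specification.

```c
/*
 * Added example, not TF-A code: build a PSCI_FEATURES capability mask from
 * the hooks that a platform (plat_pm_ops) and a Secure Payload Dispatcher
 * (spd_pm_ops) actually export, then answer PSCI_FEATURES queries from it.
 * Structure members, capability bit values and the sample hooks are
 * assumptions for this example; function IDs and return codes follow PSCI 1.0.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PSCI function IDs (SMC64 encoding where one exists; CPU_SUSPEND shows both). */
#define PSCI_CPU_SUSPEND_32    0x84000001u
#define PSCI_CPU_SUSPEND_64    0xC4000001u
#define PSCI_CPU_OFF           0x84000002u
#define PSCI_CPU_ON_64         0xC4000003u
#define PSCI_AFFINITY_INFO_64  0xC4000004u
#define PSCI_MIGRATE_64        0xC4000005u
#define PSCI_SYSTEM_OFF        0x84000008u
#define PSCI_SYSTEM_RESET      0x84000009u
#define PSCI_FEATURES          0x8400000Au
#define PSCI_E_SUCCESS         0
#define PSCI_E_NOT_SUPPORTED   (-1)

/* One capability bit per optional API (assumed encoding). */
enum { CAP_CPU_SUSPEND = 1u << 0, CAP_CPU_OFF = 1u << 1, CAP_CPU_ON = 1u << 2,
       CAP_AFFINITY_INFO = 1u << 3, CAP_MIGRATE = 1u << 4,
       CAP_SYSTEM_OFF = 1u << 5, CAP_SYSTEM_RESET = 1u << 6 };

/* Hooks a platform port may export; a NULL pointer means "not implemented". */
struct plat_pm_ops {
    int  (*pwr_domain_on)(uint64_t mpidr);
    void (*pwr_domain_off)(void);
    void (*pwr_domain_suspend)(unsigned int power_state);
    int  (*affinity_info)(uint64_t mpidr);
    void (*system_off)(void);
    void (*system_reset)(void);
};
/* Hooks a Secure Payload Dispatcher may export. */
struct spd_pm_ops { void (*svc_migrate)(uint64_t from_cpu, uint64_t to_cpu); };

/* Computed once at initialisation: an API is advertised only if its hook exists. */
uint32_t psci_build_caps(const struct plat_pm_ops *plat, const struct spd_pm_ops *spd)
{
    uint32_t caps = 0;
    if (plat != NULL) {
        if (plat->pwr_domain_on != NULL)      caps |= CAP_CPU_ON;
        if (plat->pwr_domain_off != NULL)     caps |= CAP_CPU_OFF;
        if (plat->pwr_domain_suspend != NULL) caps |= CAP_CPU_SUSPEND;
        if (plat->affinity_info != NULL)      caps |= CAP_AFFINITY_INFO;
        if (plat->system_off != NULL)         caps |= CAP_SYSTEM_OFF;
        if (plat->system_reset != NULL)       caps |= CAP_SYSTEM_RESET;
    }
    /* MIGRATE needs a dispatcher that can move the Trusted OS between cores. */
    if (spd != NULL && spd->svc_migrate != NULL)
        caps |= CAP_MIGRATE;
    return caps;
}

/* Capability bit a queried function ID depends on; 0 for an unknown ID. */
static uint32_t psci_fid_to_cap(uint32_t fid)
{
    switch (fid) {
    case PSCI_CPU_SUSPEND_32: case PSCI_CPU_SUSPEND_64: return CAP_CPU_SUSPEND;
    case PSCI_CPU_OFF:           return CAP_CPU_OFF;
    case PSCI_CPU_ON_64:         return CAP_CPU_ON;
    case PSCI_AFFINITY_INFO_64:  return CAP_AFFINITY_INFO;
    case PSCI_MIGRATE_64:        return CAP_MIGRATE;
    case PSCI_SYSTEM_OFF:        return CAP_SYSTEM_OFF;
    case PSCI_SYSTEM_RESET:      return CAP_SYSTEM_RESET;
    default:                     return 0;
    }
}

/*
 * PSCI_FEATURES handler. PSCI_FEATURES itself is always present. For
 * CPU_SUSPEND the spec returns a flag word; 0 here means the original
 * power_state format without OS-initiated mode.
 */
int32_t psci_features(uint32_t caps, uint32_t fid)
{
    if (fid == PSCI_FEATURES)
        return PSCI_E_SUCCESS;
    uint32_t cap = psci_fid_to_cap(fid);
    return (cap != 0 && (caps & cap) != 0) ? PSCI_E_SUCCESS : PSCI_E_NOT_SUPPORTED;
}

/* Constructed sample: on/off/suspend/affinity hooks present, no system_off/reset. */
static int  sample_on(uint64_t m)                  { (void)m; return 0; }
static void sample_off(void)                       { }
static void sample_suspend(unsigned int ps)        { (void)ps; }
static int  sample_aff(uint64_t m)                 { (void)m; return 0; }
static void sample_migrate(uint64_t f, uint64_t t) { (void)f; (void)t; }
static const struct plat_pm_ops sample_plat = {
    sample_on, sample_off, sample_suspend, sample_aff, NULL, NULL };
static const struct spd_pm_ops sample_spd = { sample_migrate };

uint32_t sample_caps_no_spd(void)   { return psci_build_caps(&sample_plat, NULL); }
uint32_t sample_caps_with_spd(void) { return psci_build_caps(&sample_plat, &sample_spd); }

int main(void)
{
    printf("caps without SPD=0x%02x, with SPD=0x%02x\n",
           sample_caps_no_spd(), sample_caps_with_spd());
    return 0;
}
```

Deriving the mask once from hook presence is what keeps the advertised feature set honest: a platform that leaves ``system_reset`` unimplemented is reported as not supporting ``SYSTEM_RESET`` instead of accepting the call and doing nothing.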
Douglas Raillard6f625742017-06-28 15:23:03 +01003335
3336Issues resolved since last release
Paul Beesleyc48991e2019-02-11 17:58:21 +00003337^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Douglas Raillard6f625742017-06-28 15:23:03 +01003338
3339- The Juno port has been aligned with the FVP port as follows.
3340
3341 - Support for reclaiming all BL1 RW memory and BL2 memory by overlaying
3342 the BL3-1/BL3-2 NOBITS sections on top of them has been added to the
3343 Juno port.
3344
3345 - The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured
3346 using the TZC-400 controller to be accessible only to the secure world.
3347
Dan Handley4def07d2018-03-01 18:44:00 +00003348 - The Arm GIC driver is used to configure the GIC-400 instead of using a
Douglas Raillard6f625742017-06-28 15:23:03 +01003349 GIC driver private to the Juno port.
3350
3351 - PSCI ``CPU_SUSPEND`` calls that target a standby state are now supported.
3352
3353 - The TZC-400 driver is used to configure the controller instead of direct
3354 accesses to the registers.
3355
3356- The Linux kernel version referred to in the user guide has DVFS and HMP
3357 support enabled.
3358
3359- DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
3360 CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of
3361 the Cortex-A57-A53 Base FVPs.
3362
3363Known issues
Paul Beesleyc48991e2019-02-11 17:58:21 +00003364^^^^^^^^^^^^
Douglas Raillard6f625742017-06-28 15:23:03 +01003365
3366- The Trusted Board Boot implementation is a prototype. There are issues with
3367 the modularity and scalability of the design. Support for a Trusted
3368 Watchdog, firmware update mechanism, recovery images and Trusted debug is
3369 absent. These issues will be addressed in future releases.
3370
3371- The FVP and Juno ports do not use the hash of the ROTPK stored in the
3372 Trusted Key Storage registers to verify the ROTPK in the
3373 ``plat_match_rotpk()`` function. This prevents the correct establishment of
3374 the Chain of Trust at the first step in the Trusted Board Boot process.
3375
3376- The version of the AEMv8 Base FVP used in this release resets the model
3377 instead of terminating its execution in response to a shutdown request using
3378 the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
3379 the model.
3380
3381- GICv3 support is experimental. There are known issues with GICv3
Dan Handley4def07d2018-03-01 18:44:00 +00003382 initialization in the TF-A.
Douglas Raillard6f625742017-06-28 15:23:03 +01003383
3384- While this version greatly reduces the on-chip RAM requirements, there are
3385 further RAM usage enhancements that could be made.
3386
3387- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
3388 its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.
3389
3390- The Juno-specific firmware design documentation is incomplete.
3391
Version 1.0
-----------

New features
^^^^^^^^^^^^

- It is now possible to map higher physical addresses using non-flat virtual
  to physical address mappings in the MMU setup.

- Wider use is now made of the per-CPU data cache in BL3-1 to store:

  - Pointers to the non-secure and secure security state contexts.

  - A pointer to the CPU-specific operations.

  - A pointer to PSCI specific information (for example the current power
    state).

  - A crash reporting buffer.

- The following RAM usage improvements result in a BL3-1 RAM usage reduction
  from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction
  across all images from 208KB to 88KB, compared to the previous release.

  - Removed the separate ``early_exception`` vectors from BL3-1 (2KB code size
    saving).

  - Removed NSRAM from the FVP memory map, allowing the removal of one
    (4KB) translation table.

  - Eliminated the internal ``psci_suspend_context`` array, saving 2KB.

  - Correctly dimensioned the PSCI ``aff_map_node`` array, saving 1.5KB in the
    FVP port.

  - Removed calling CPU mpidr from the bakery lock API, saving 160 bytes.

  - Removed current CPU mpidr from PSCI common code, saving 160 bytes.

  - Inlined the mmio accessor functions, saving 360 bytes.

  - Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by
    overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime.

  - Made storing the FP register context optional, saving 0.5KB per context
    (8KB on the FVP port, with TSPD enabled and running on 8 CPUs).

  - Implemented a leaner ``tf_printf()`` function, allowing the stack to be
    greatly reduced.

  - Removed coherent stacks from the codebase. Stacks allocated in normal
    memory are now used before and after the MMU is enabled. This saves 768
    bytes per CPU in BL3-1.

  - Reworked the crash reporting in BL3-1 to use less stack.

  - Optimized the EL3 register state stored in the ``cpu_context`` structure
    so that registers that do not change during normal execution are
    re-initialized each time during cold/warm boot, rather than restored
    from memory. This saves about 1.2KB.

  - As a result of some of the above, reduced the runtime stack size in all
    BL images. For BL3-1, this saves 1KB per CPU.

- PSCI SMC handler improvements to correctly handle calls from secure states
  and from AArch32.

- CPU contexts are now initialized from the ``entry_point_info``. BL3-1 fully
  determines the exception level to use for the non-trusted firmware (BL3-3)
  based on the SPSR value provided by the BL2 platform code (or otherwise
  provided to BL3-1). This allows platform code to directly run non-trusted
  firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS
  loader.

- Code refactoring improvements:

  - Refactored ``fvp_config`` into a common platform header.

  - Refactored the fvp gic code to be a generic driver that no longer has an
    explicit dependency on platform code.

  - Refactored the CCI-400 driver to not have dependency on platform code.

  - Simplified the IO driver so it's no longer necessary to call ``io_init()``
    and moved all the IO storage framework code to one place.

  - Simplified the interface to the TZC-400 driver.

  - Clarified the platform porting interface to the TSP.

  - Reworked the TSPD setup code to support the alternate BL3-2
    initialization flow where BL3-1 generic code hands control to BL3-2,
    rather than expecting the TSPD to hand control directly to BL3-2.

  - Considerable rework to PSCI generic code to support CPU specific
    operations.

- Improved console log output, by:

  - Adding the concept of debug log levels.

  - Rationalizing the existing debug messages and adding new ones.

  - Printing out the version of each BL stage at runtime.

  - Adding support for printing console output from assembler code,
    including when a crash occurs before the C runtime is initialized.

- Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro
  file system and DS-5.

- On the FVP port, made the use of the Trusted DRAM region optional at build
  time (off by default). Normal platforms will not have such a "ready-to-use"
  DRAM area so it is not a good example to use it.

- Added support for PSCI ``SYSTEM_OFF`` and ``SYSTEM_RESET`` APIs.

- Added support for CPU specific reset sequences, power down sequences and
  register dumping during crash reporting. The CPU specific reset sequences
  include support for errata workarounds.

- Merged the Juno port into the master branch. Added support for CPU hotplug
  and CPU idle. Updated the user guide to describe how to build and run on the
  Juno platform.
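
The CPU-specific reset sequences with errata support listed above, and the Version 1.1 note that errata workarounds are applied only when the part number and revision match (with a warning on mismatch in debug builds), both rest on decoding ``MIDR_EL1``. The following C example, added here and not taken from TF-A, shows that check running on a host with constructed MIDR values. The erratum table entries and their labels are placeholders invented for the illustration; the MIDR field layout is architectural and the Cortex-A53/A57 part numbers are the published values.

```c
/*
 * Added example, not TF-A code: apply a CPU erratum workaround only when the
 * part number and rXpY revision decoded from MIDR_EL1 fall inside the range
 * the erratum affects. The MIDR layout is architectural and the Cortex-A53/A57
 * part numbers are the published ones; the erratum table is constructed here.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MIDR_EL1: Implementer[31:24] Variant[23:20] Architecture[19:16] PartNum[15:4] Revision[3:0] */
#define MIDR_IMPL_SHIFT  24u
#define MIDR_IMPL_MASK   0xffu
#define MIDR_VAR_SHIFT   20u
#define MIDR_VAR_MASK    0xfu
#define MIDR_ARCH_SHIFT  16u
#define MIDR_PN_SHIFT    4u
#define MIDR_PN_MASK     0xfffu
#define MIDR_REV_MASK    0xfu
#define MIDR_IMPL_ARM    0x41u
#define CORTEX_A53_PN    0xD03u
#define CORTEX_A57_PN    0xD07u

/* Pack "rXpY": variant X in the high nibble, revision Y in the low nibble. */
#define RXPY(x, y)       ((((x) & 0xfu) << 4) | ((y) & 0xfu))

static inline uint32_t midr_impl(uint32_t midr) { return (midr >> MIDR_IMPL_SHIFT) & MIDR_IMPL_MASK; }
static inline uint32_t midr_part(uint32_t midr) { return (midr >> MIDR_PN_SHIFT) & MIDR_PN_MASK; }
static inline uint32_t midr_rxpy(uint32_t midr)
{
    return RXPY((midr >> MIDR_VAR_SHIFT) & MIDR_VAR_MASK, midr & MIDR_REV_MASK);
}

/* Compose a MIDR for an Arm-implemented Armv8 core; used only to construct sample values. */
uint32_t midr_build(uint32_t part, uint32_t variant, uint32_t revision)
{
    return (MIDR_IMPL_ARM << MIDR_IMPL_SHIFT) | ((variant & MIDR_VAR_MASK) << MIDR_VAR_SHIFT) |
           (0xfu << MIDR_ARCH_SHIFT) | ((part & MIDR_PN_MASK) << MIDR_PN_SHIFT) |
           (revision & MIDR_REV_MASK);
}

struct erratum {
    const char *label;     /* placeholder; the notes name no erratum numbers */
    uint32_t part;         /* affected part number */
    uint32_t first_rxpy;   /* first affected revision, inclusive */
    uint32_t last_rxpy;    /* last affected revision, inclusive */
};

/* True when the workaround for e must run on the CPU identified by midr. */
bool erratum_applies(const struct erratum *e, uint32_t midr)
{
    if (midr_impl(midr) != MIDR_IMPL_ARM || midr_part(midr) != e->part)
        return false;
    uint32_t r = midr_rxpy(midr);
    return r >= e->first_rxpy && r <= e->last_rxpy;
}

/*
 * Walk an erratum table and count the workarounds that apply. With debug set,
 * a configured workaround that does not match the running CPU is reported,
 * mirroring the debug-build warning the release notes describe.
 */
unsigned int apply_errata(const struct erratum *tbl, size_t n, uint32_t midr, bool debug)
{
    unsigned int applied = 0;
    for (size_t i = 0; i < n; i++) {
        if (erratum_applies(&tbl[i], midr)) {
            applied++;                        /* real code would run the workaround here */
        } else if (debug) {
            printf("WARNING: %s skipped: MIDR 0x%08x is part 0x%03x r%up%u\n", tbl[i].label,
                   midr, midr_part(midr), midr_rxpy(midr) >> 4, midr_rxpy(midr) & 0xfu);
        }
    }
    return applied;
}

/* Constructed table: one workaround for early Cortex-A57, one for early Cortex-A53. */
static const struct erratum sample_errata[] = {
    { "EXAMPLE-A57-WA", CORTEX_A57_PN, RXPY(0, 0), RXPY(1, 1) },
    { "EXAMPLE-A53-WA", CORTEX_A53_PN, RXPY(0, 0), RXPY(0, 2) },
};
#define SAMPLE_ERRATA_COUNT (sizeof(sample_errata) / sizeof(sample_errata[0]))

/* Number of sample workarounds that apply to a given MIDR (warnings off). */
unsigned int sample_applied(uint32_t midr)
{
    return apply_errata(sample_errata, SAMPLE_ERRATA_COUNT, midr, false);
}

int main(void)
{
    uint32_t a57_r1p1 = midr_build(CORTEX_A57_PN, 1, 1);   /* 0x411FD071, inside the range */
    uint32_t a57_r1p2 = midr_build(CORTEX_A57_PN, 1, 2);   /* 0x411FD072, just past it */
    printf("A57 r1p1: %u applied\n", apply_errata(sample_errata, SAMPLE_ERRATA_COUNT, a57_r1p1, true));
    printf("A57 r1p2: %u applied\n", apply_errata(sample_errata, SAMPLE_ERRATA_COUNT, a57_r1p2, true));
    return 0;
}
```

Comparing the packed rXpY value rather than variant and revision separately is what makes a range such as "r0p0 to r1p1" a single inclusive interval; checking the implementer and part number first stops a workaround written for one core from being applied to another core that happens to share a revision number.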

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed the concept of top/bottom image loading. The image loader now
  automatically detects the position of the image inside the current memory
  layout and updates the layout to minimize fragmentation. This resolves the
  image loader limitations of previous releases. There are currently no
  plans to support dynamic image loading.

- CPU idle now works on the publicized version of the Foundation FVP.

- All known issues relating to the compiler version used have now been
  resolved. This TF-A version uses Linaro toolchain 14.07 (based on GCC 4.9).

Known issues
^^^^^^^^^^^^

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  the TF-A.

- While this version greatly reduces the on-chip RAM requirements, there are
  further RAM usage enhancements that could be made.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

- The Juno-specific firmware design documentation is incomplete.

- Some recent enhancements to the FVP port have not yet been translated into
  the Juno port. These will be tracked via the tf-issues project.

- The Linux kernel version referred to in the user guide has DVFS and HMP
  support disabled due to some known instabilities at the time of this
  release. A future kernel version will re-enable these features.

- DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
  CADI server mode. This is because the ``<SimName>`` reported by the FVP in
  this version has changed. For example, for the Cortex-A57x4-A53x4 Base FVP,
  the ``<SimName>`` reported by the FVP is ``FVP_Base_Cortex_A57x4_A53x4``, while
  DS-5 expects it to be ``FVP_Base_A57x4_A53x4``.

  The temporary fix to this problem is to change the name of the FVP in
  ``sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml``.
  Change the following line:

  ::

      <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName>

  to ``System Generator:FVP_Base_Cortex-A57x4_A53x4``

  A similar change can be made to the other Cortex-A57-A53 Base FVP variants.

Version 0.4
-----------

New features
^^^^^^^^^^^^

- Makefile improvements:

  - Improved dependency checking when building.

  - Removed ``dump`` target (build now always produces dump files).

  - Enabled platform ports to optionally make use of parts of the Trusted
    Firmware (e.g. BL3-1 only), rather than being forced to use all parts.
    Also made the ``fip`` target optional.

  - Specified the full path to source files and removed use of the ``vpath``
    keyword.

- Provided translation table library code for potential re-use by platforms
  other than the FVPs.

- Moved architectural timer setup to platform-specific code.

- Added standby state support to PSCI cpu_suspend implementation.

- SRAM usage improvements:

  - Started using the ``-ffunction-sections``, ``-fdata-sections`` and
    ``--gc-sections`` compiler/linker options to remove unused code and data
    from the images. Previously, all common functions were being built into
    all binary images, whether or not they were actually used.

  - Placed all assembler functions in their own section to allow more unused
    functions to be removed from images.

  - Updated BL1 and BL2 to use a single coherent stack each, rather than one
    per CPU.

  - Changed variables that were unnecessarily declared and initialized as
    non-const (i.e. in the .data section) so they are either uninitialized
    (zero init) or const.

- Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by
  default. The option for it to run in Trusted DRAM remains.

- Implemented a TrustZone Address Space Controller (TZC-400) driver. A
  default configuration is provided for the Base FVPs. This means the model
  parameter ``-C bp.secure_memory=1`` is now supported.

- Started saving the PSCI cpu_suspend 'power_state' parameter prior to
  suspending a CPU. This allows platforms that implement multiple power-down
  states at the same affinity level to identify a specific state.

- Refactored the entire codebase to reduce the amount of nesting in header
  files and to make the use of system/user includes more consistent. Also
  split platform.h to separate out the platform porting declarations from the
  required platform porting definitions and the definitions/declarations
  specific to the platform port.

- Optimized the data cache clean/invalidate operations.

- Improved the BL3-1 unhandled exception handling and reporting. Unhandled
  exceptions now result in a dump of registers to the console.

- Major rework to the handover interface between BL stages, in particular the
  interface to BL3-1. The interface now conforms to a specification and is
  more future proof.

- Added support for optionally making the BL3-1 entrypoint a reset handler
  (instead of BL1). This allows platforms with an alternative image loading
  architecture to re-use BL3-1 with fewer modifications to generic code.

- Reserved some DDR DRAM for secure use on FVP platforms to avoid future
  compatibility problems with non-secure software.

- Added support for secure interrupts targeting the Secure-EL1 Payload (SP)
  (using GICv2 routing only). Demonstrated this working by adding an interrupt
  target and supporting test code to the TSP. Also demonstrated non-secure
  interrupt handling during TSP processing.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Now support use of the model parameter ``-C bp.secure_memory=1`` in the Base
  FVPs (see **New features**).

- Support for secure world interrupt handling now available (see **New
  features**).

- Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1
  Payload (BL3-2) to execute in Trusted SRAM by default.

- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
  14.04) now correctly reports progress in the console.

- Improved the Makefile structure to make it easier to separate out parts of
  the TF-A for re-use in platform ports. Also, improved target dependency
  checking.

Known issues
^^^^^^^^^^^^

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  the TF-A.

- Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

- TF-A still uses too much on-chip Trusted SRAM. A number of RAM usage
  enhancements have been identified to rectify this situation.

- CPU idle does not work on the advertised version of the Foundation FVP.
  Some FVP fixes are required that are not available externally at the time
  of writing. This can be worked around by disabling CPU idle in the Linux
  kernel.

- Various bugs in TF-A, UEFI and the Linux kernel have been observed when
  using Linaro toolchain versions later than 13.11. Although most of these
  have been fixed, some remain at the time of writing. These mainly seem to
  relate to a subtle change in the way the compiler converts between 64-bit
  and 32-bit values (e.g. during casting operations), which reveals
  previously hidden bugs in client code.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

Version 0.3
-----------

New features
^^^^^^^^^^^^

- Support for Foundation FVP Version 2.0 added.
  The documented UEFI configuration disables some devices that are unavailable
  in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can
  be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation
  FVP.

  .. note::
     The software will not work on Version 1.0 of the Foundation FVP.

- Enabled third party contributions. Added a new contributing.md containing
  instructions for how to contribute and updated copyright text in all files
  to acknowledge contributors.

- The PSCI CPU_SUSPEND API has been stabilised to the extent where it can be
  used for entry into power down states with the following restrictions:

  - Entry into standby states is not supported.
  - The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs.

- The PSCI AFFINITY_INFO API has undergone limited testing on the Base FVPs to
  allow experimental use.

- Required C library and runtime header files are now included locally in
  TF-A instead of depending on the toolchain standard include paths. The
  local implementation has been cleaned up and reduced in scope.

- Added I/O abstraction framework, primarily to allow generic code to load
  images in a platform-independent way. The existing image loading code has
  been reworked to use the new framework. Semi-hosting and NOR flash I/O
  drivers are provided.

- Introduced Firmware Image Package (FIP) handling code and tools. A FIP
  combines multiple firmware images with a Table of Contents (ToC) into a
  single binary image. The new FIP driver is another type of I/O driver. The
  Makefile builds a FIP by default and the FVP platform code expects to load a
  FIP from NOR flash, although some support for image loading using
  semi-hosting is retained.

  .. note::
     Building a FIP by default is a non-backwards-compatible change.

  .. note::
     Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into
     DRAM instead of expecting it to be pre-loaded at a known location. This
     is also a non-backwards-compatible change.

  .. note::
     Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that
     it knows the new location to execute from and no longer needs to copy
     particular code modules to DRAM itself.
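
The package layout that the new FIP driver walks, as an added example that is
not the TF-A driver or the fiptool source: a 16-byte ToC header whose name
field holds the magic ``0xAA640001``, followed by 40-byte entries (UUID,
payload offset relative to the start of the package, size, flags), terminated
by an entry whose UUID is all zeros. The sample package, its two UUIDs and the
``sample_*`` function names are constructed for this example. What it adds to
the description above is the check a loader needs because the package comes off
NOR flash the firmware does not control: every offset and size must be proven
to lie inside the container before anything is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FIP_TOC_HEADER_NAME 0xAA640001u  /* magic in the ToC header's "name" field */
#define FIP_TOC_HEADER_SIZE 16u          /* name(4) serial_number(4) flags(8) */
#define FIP_TOC_ENTRY_SIZE  40u          /* uuid(16) offset(8) size(8) flags(8) */

struct fip_entry {
    uint8_t  uuid[16];
    uint64_t offset;   /* payload offset, relative to the start of the FIP */
    uint64_t size;
};

/* The ToC is stored little-endian; read or write an n-byte field. */
static uint64_t rd_le(const uint8_t *p, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}
static void wr_le(uint8_t *p, uint64_t v, unsigned n)
{
    for (unsigned i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Walk the ToC of a FIP held in memory. Returns the entry count, or -1 if the
 * magic is wrong, no terminator lies inside the buffer, more than max_out
 * entries are present, or a payload falls outside the container. The package
 * is read from NOR flash, so every offset and size is untrusted input. */
int fip_parse(const uint8_t *fip, size_t fip_len, struct fip_entry *out, size_t max_out)
{
    static const uint8_t null_uuid[16];
    size_t pos, n = 0;
    if (fip_len < FIP_TOC_HEADER_SIZE || rd_le(fip, 4) != FIP_TOC_HEADER_NAME)
        return -1;
    for (pos = FIP_TOC_HEADER_SIZE; ; pos += FIP_TOC_ENTRY_SIZE) {
        const uint8_t *e = fip + pos;
        uint64_t off, size;
        if (fip_len - pos < FIP_TOC_ENTRY_SIZE)
            return -1;                 /* ran off the end without a terminator */
        if (memcmp(e, null_uuid, 16) == 0)
            return (int)n;             /* an all-zero UUID terminates the ToC */
        if (n == max_out)
            return -1;
        off = rd_le(e + 16, 8);
        size = rd_le(e + 24, 8);
        if (off > fip_len || size > fip_len - off)
            return -1;                 /* phrased so that off + size cannot wrap */
        memcpy(out[n].uuid, e, 16);
        out[n].offset = off;
        out[n].size = size;
        n++;
    }
}

/* Constructed sample package: two payloads behind a two-entry ToC. The UUIDs
 * are invented for this example and are not TF-A's real image UUIDs. */
const uint8_t sample_uuid_a[16] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
const uint8_t sample_uuid_b[16] = { 0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
#define SAMPLE_FIP_LEN 160u  /* 16 header + 3 * 40 ToC + 8 + 16 bytes of payload */

size_t build_sample_fip(uint8_t *buf)
{
    uint8_t *e = buf + FIP_TOC_HEADER_SIZE;
    memset(buf, 0, SAMPLE_FIP_LEN);
    wr_le(buf, FIP_TOC_HEADER_NAME, 4);
    wr_le(buf + 4, 0x1234, 4);                                   /* serial number */
    memcpy(e, sample_uuid_a, 16); wr_le(e + 16, 136, 8); wr_le(e + 24, 8, 8);
    e += FIP_TOC_ENTRY_SIZE;
    memcpy(e, sample_uuid_b, 16); wr_le(e + 16, 144, 8); wr_le(e + 24, 16, 8);
    memset(buf + 136, 0xA5, 8);       /* payload A; the third ToC entry stays zero */
    memset(buf + 144, 0x5A, 16);      /* payload B */
    return SAMPLE_FIP_LEN;
}

/* Offset (want_size == 0) or size (want_size != 0) of the image with this UUID
 * in the sample package, located the way the FIP I/O driver does when an
 * image is opened; -1 if the package is bad or the UUID is absent. */
long long sample_fip_field(const uint8_t uuid[16], int want_size)
{
    uint8_t buf[SAMPLE_FIP_LEN];
    struct fip_entry ents[4];
    int n = fip_parse(buf, build_sample_fip(buf), ents, 4);
    for (int i = 0; i < n; i++)
        if (memcmp(ents[i].uuid, uuid, 16) == 0)
            return (long long)(want_size ? ents[i].size : ents[i].offset);
    return -1;
}

/* Corrupt entry B's size so its payload would run past the container: the
 * parser must refuse the whole package rather than let a later copy read
 * beyond the buffer. Returns fip_parse's verdict, which is -1. */
int sample_fip_tampered_result(void)
{
    uint8_t buf[SAMPLE_FIP_LEN];
    struct fip_entry ents[4];
    build_sample_fip(buf);
    wr_le(buf + FIP_TOC_HEADER_SIZE + FIP_TOC_ENTRY_SIZE + 24, 0xFFFFFFFFFFFFFFF0ull, 8);
    return fip_parse(buf, SAMPLE_FIP_LEN, ents, 4);
}
```

The bounds check is the part worth keeping: a loader that trusts the offset
and size fields turns a corrupted or hostile flash image into an out-of-bounds
read in BL2, and the comparison has to be written as ``size > fip_len - off``
rather than ``off + size > fip_len`` or a large size wraps the sum back inside
the container. Checking the ToC is not the same as authenticating it; that is
what the Trusted Board Boot chain of trust in later releases adds.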

- Reworked BL2 to BL3-1 handover interface. A new composite structure
  (bl31_args) holds the superset of information that needs to be passed from
  BL2 to BL3-1, including information on how to hand over execution control to
  BL3-2 (if present) and BL3-3 (non-trusted firmware).

- Added library support for CPU context management, allowing the saving and
  restoring of:

  - Shared system registers between Secure-EL1 and EL1.
  - VFP registers.
  - Essential EL3 system registers.

- Added a framework for implementing EL3 runtime services. Reworked the PSCI
  implementation to be one such runtime service.

- Reworked the exception handling logic, making use of both SP_EL0 and SP_EL3
  stack pointers for determining the type of exception, managing general
  purpose and system register context on exception entry/exit, and handling
  SMCs. SMCs are directed to the correct EL3 runtime service.
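
How an SMC reaches the right runtime service, as an added example that is not
TF-A's runtime service framework: the SMC Calling Convention places the owning
entity number (OEN) in bits 29:24 of the function identifier, so a dispatcher
can resolve ownership from those bits alone and index a table that services
claim at registration. The per-OEN table, the ``rt_svc_*`` names and the toy
Standard Service handler (which answers only ``PSCI_VERSION``) are this
example's own; the identifier layout, the ``NOT_SUPPORTED`` result of -1 and
the ``PSCI_VERSION`` identifier ``0x84000000`` are from the SMCCC and PSCI
specifications.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SMC Calling Convention: fields of the 32-bit function identifier. */
#define FID_FAST_CALL      (1u << 31)
#define FID_OEN_SHIFT      24u
#define FID_OEN_MASK       0x3Fu          /* bits 29:24, owning entity number */
#define FID_FAST_MBZ_MASK  0x00FF0000u    /* bits 23:16, must be zero in fast calls */

#define OEN_STD_SVC        4u             /* Standard Service Calls: PSCI lives here */
#define OEN_MAX            64u
#define SMC_UNK            0xFFFFFFFFu    /* SMCCC NOT_SUPPORTED, i.e. -1 */
#define PSCI_VERSION_FID   0x84000000u    /* fast SMC32 call, OEN 4, function 0 */

typedef uint64_t (*rt_svc_handler_t)(uint32_t fid, uint64_t x1, uint64_t x2, uint64_t x3);

/* One slot per OEN; a service claims a contiguous OEN range at registration.
 * Example-only table: TF-A's framework builds its own lookup structure. */
static rt_svc_handler_t rt_svc_table[OEN_MAX];

int rt_svc_register(unsigned int oen_start, unsigned int oen_end, rt_svc_handler_t h)
{
    if (h == NULL || oen_start > oen_end || oen_end >= OEN_MAX)
        return -1;
    for (unsigned int oen = oen_start; oen <= oen_end; oen++)
        if (rt_svc_table[oen] != NULL)
            return -1;                    /* never let one service hijack another's OEN */
    for (unsigned int oen = oen_start; oen <= oen_end; oen++)
        rt_svc_table[oen] = h;
    return 0;
}

/* Route an SMC to the service that owns its OEN. Malformed or unowned
 * identifiers get SMC_UNK; they must never fall through to another service. */
uint64_t smc_dispatch(uint32_t fid, uint64_t x1, uint64_t x2, uint64_t x3)
{
    unsigned int oen = (fid >> FID_OEN_SHIFT) & FID_OEN_MASK;

    if ((fid & FID_FAST_CALL) && (fid & FID_FAST_MBZ_MASK))
        return SMC_UNK;                   /* reserved bits set: reject before lookup */
    if (rt_svc_table[oen] == NULL)
        return SMC_UNK;
    return rt_svc_table[oen](fid, x1, x2, x3);
}

/* Toy Standard Service: answers only PSCI_VERSION. The result is
 * (major << 16) | minor; 0.2 is simply the version this example reports. */
static uint64_t std_svc_handler(uint32_t fid, uint64_t x1, uint64_t x2, uint64_t x3)
{
    (void)x1; (void)x2; (void)x3;
    return fid == PSCI_VERSION_FID ? ((0u << 16) | 2u) : SMC_UNK;
}

/* Register the Standard Service once; safe to call repeatedly. */
int setup_services(void)
{
    static int done;

    if (!done && rt_svc_register(OEN_STD_SVC, OEN_STD_SVC, std_svc_handler) != 0)
        return -1;
    done = 1;
    return 0;
}

int main(void)
{
    setup_services();
    printf("PSCI_VERSION            -> 0x%llx\n", (unsigned long long)smc_dispatch(PSCI_VERSION_FID, 0, 0, 0));
    printf("SiP call, no service    -> 0x%llx\n", (unsigned long long)smc_dispatch(0x82000000u, 0, 0, 0));
    printf("fast call with MBZ bits -> 0x%llx\n", (unsigned long long)smc_dispatch(0x84010000u, 0, 0, 0));
    return 0;
}
```

Two properties the dispatcher makes explicit: ownership is resolved purely from
the OEN bits, so a caller cannot reach a service through an identifier in
another service's range, and registration fails rather than overwrites, so a
platform port that registers a SiP service on the wrong OEN cannot quietly
shadow PSCI.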
3778
3779- Added support for a Test Secure-EL1 Payload (TSP) and a corresponding
3780 Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD
3781 implements Secure Monitor functionality such as world switching and
3782 EL1 context management, and is responsible for communication with the TSP.
Paul Beesleye1c50262019-03-13 16:20:44 +00003783
3784 .. note::
3785 The TSPD does not yet contain support for secure world interrupts.
3786 .. note::
3787 The TSP/TSPD is not built by default.
Douglas Raillard6f625742017-06-28 15:23:03 +01003788
Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Support has been added for switching context between secure and normal
  worlds in EL3.

- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` have now been tested (to
  a limited extent).

- The TF-A build artifacts are now placed in the ``./build`` directory and
  sub-directories instead of being placed in the root of the project.

- TF-A is now free from build warnings. Build warnings are now treated as
  errors.

- TF-A now provides C library support locally within the project to maintain
  compatibility between toolchains/systems.

- The PSCI locking code has been reworked so it no longer takes locks in an
  incorrect sequence.

- The RAM-disk method of loading a Linux file-system has been confirmed to
  work with the TF-A and Linux kernel versions (the kernel is based on version
  3.13) used in this release, for both Foundation and Base FVPs.

Known issues
^^^^^^^^^^^^

The following is a list of issues which are expected to be fixed in future
releases of TF-A.

- The TrustZone Address Space Controller (TZC-400) is not being programmed
  yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported.

- No support yet for secure world interrupt handling.

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  TF-A.

- Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

- TF-A uses too much on-chip Trusted SRAM. Currently the Test Secure-EL1
  Payload (BL3-2) executes in Trusted DRAM since there is not enough SRAM.
  A number of RAM usage enhancements have been identified to rectify this
  situation.

- CPU idle does not work on the advertised version of the Foundation FVP.
  Some FVP fixes are required that are not available externally at the time
  of writing.

- Various bugs in TF-A, UEFI and the Linux kernel have been observed when
  using Linaro toolchain versions later than 13.11. Although most of these
  have been fixed, some remain at the time of writing. These mainly seem to
  relate to a subtle change in the way the compiler converts between 64-bit
  and 32-bit values (e.g. during casting operations), which reveals
  previously hidden bugs in client code.

- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
  14.01) does not report progress correctly in the console. It only seems to
  produce error output, not standard output. It otherwise appears to function
  correctly. Other filesystem versions on the same software stack do not
  exhibit the problem.

- The Makefile structure doesn't make it easy to separate out parts of TF-A
  for re-use in platform ports, for example if only BL3-1 is required in a
  platform port. Also, dependency checking in the Makefile is flawed.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

Version 0.2
-----------

New features
^^^^^^^^^^^^

- First source release.

- Code for the PSCI suspend feature is supplied, although this is not enabled
  by default since there are known issues (see below).

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The "psci" nodes in the FDTs provided in this release now fully comply
  with the recommendations made in the PSCI specification.

Known issues
^^^^^^^^^^^^

The following is a list of issues which are expected to be fixed in future
releases of TF-A.

- The TrustZone Address Space Controller (TZC-400) is not being programmed
  yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported.

- No support yet for secure world interrupt handling or for switching context
  between secure and normal worlds in EL3.

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  TF-A.

- Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

- Although support for PSCI ``CPU_SUSPEND`` is present, it is not yet stable
  and ready for use.

- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` are implemented but have
  not been tested.

- The TF-A make files result in all build artifacts being placed in the root
  of the project. These should be placed in appropriate sub-directories.

- The compilation of TF-A is not free from compilation warnings. Some of these
  warnings have not been investigated yet so they could mask real bugs.

- TF-A currently uses toolchain/system include files like stdio.h. It should
  provide versions of these within the project to maintain compatibility
  between toolchains/systems.

- The PSCI code takes some locks in an incorrect sequence. This may cause
  problems with suspend and hotplug in certain conditions.

- The Linux kernel used in this release is based on version 3.12-rc4. Using
  this kernel with TF-A fails to start the file-system as a RAM-disk. It
  fails to execute user-space ``init`` from the RAM-disk. As an alternative,
  the VirtioBlock mechanism can be used to provide a file-system to the
  kernel.

--------------

*Copyright (c) 2013-2020, Arm Limited and Contributors. All rights reserved.*

.. _SDEI Specification: http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf
.. _tf-issue#501: https://github.com/ARM-software/tf-issues/issues/501
.. _PR#1002: https://github.com/ARM-software/arm-trusted-firmware/pull/1002#issuecomment-312650193
.. _mbed TLS releases: https://tls.mbed.org/tech-updates/releases