Paul Beesley | 8aa0505 | 2019-03-07 15:47:15 +0000 | [diff] [blame] | 1 | Change Log & Release Notes |
| 2 | ========================== |
Douglas Raillard | 668c502 | 2017-06-28 16:14:55 +0100 | [diff] [blame] | 3 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 4 | This document contains a summary of the new features, changes, fixes and known |
| 5 | issues in each release of Trusted Firmware-A. |
Douglas Raillard | 668c502 | 2017-06-28 16:14:55 +0100 | [diff] [blame] | 6 | |
Chris Kay | 0bd1a2e | 2020-10-29 14:28:59 +0000 | [diff] [blame] | 7 | Version 2.4 |
| 8 | ----------- |
| 9 | |
| 10 | New Features |
| 11 | ^^^^^^^^^^^^ |
| 12 | |
| 13 | - Architecture support |
| 14 | - Armv8.6-A |
| 15 | - Added support for Armv8.6 Enhanced Counter Virtualization (ECV) |
| 16 | - Added support for Armv8.6 Fine Grained Traps (FGT) |
| 17 | - Added support for Armv8.6 WFE trap delays |
| 18 | |
| 19 | - Bootloader images |
| 20 | - Added support for Measured Boot |
| 21 | |
| 22 | - Build System |
| 23 | - Added build option ``COT_DESC_IN_DTB`` to create Chain of Trust at runtime |
| 24 | - Added build option ``OPENSSL_DIR`` to direct tools to OpenSSL libraries |
| 25 | - Added build option ``RAS_TRAP_LOWER_EL_ERR_ACCESS`` to enable trapping RAS |
| 26 | register accesses from EL1/EL2 to EL3 |
| 27 | - Extended build option ``BRANCH_PROTECTION`` to support branch target |
| 28 | identification |
| 29 | |
| 30 | - Common components |
| 31 | - Added support for exporting CPU nodes to the device tree |
| 32 | - Added support for single and dual-root Chains of Trust in secure |
| 33 | partitions |
| 34 | |
| 35 | - Drivers |
| 36 | - Added Broadcom RNG driver |
| 37 | - Added Marvell ``mg_conf_cm3`` driver |
| 38 | - Added System Control and Management Interface (SCMI) driver |
| 39 | - Added STMicroelectronics ETZPC driver |
| 40 | |
| 41 | - Arm GICv3 |
| 42 | - Added support for detecting topology at runtime |
| 43 | |
| 44 | - Dual Root |
| 45 | - Added support for platform certificates |
| 46 | |
| 47 | - Marvell Cache LLC |
| 48 | - Added support for mapping the entire LLC into SRAM |
| 49 | |
| 50 | - Marvell CCU |
| 51 | - Added workaround for erratum 3033912 |
| 52 | |
| 53 | - Marvell CP110 COMPHY |
| 54 | - Added support for SATA COMPHY polarity inversion |
| 55 | - Added support for USB COMPHY polarity inversion |
| 56 | - Added workaround for erratum IPCE_COMPHY-1353 |
| 57 | |
| 58 | - STM32MP1 Clocks |
| 59 | - Added ``RTC`` as a gateable clock |
| 60 | - Added support for shifted clock selector bit masks |
| 61 | - Added support for using additional clocks as parents |
| 62 | |
| 63 | - Libraries |
| 64 | - C standard library |
| 65 | - Added support for hexadecimal and pointer format specifiers in |
| 66 | ``snprint()`` |
| 67 | - Added assembly alternatives for various library functions |
| 68 | |
| 69 | - CPU support |
| 70 | - Arm Cortex-A53 |
| 71 | - Added workaround for erratum 1530924 |
| 72 | |
| 73 | - Arm Cortex-A55 |
| 74 | - Added workaround for erratum 1530923 |
| 75 | |
| 76 | - Arm Cortex-A57 |
| 77 | - Added workaround for erratum 1319537 |
| 78 | |
| 79 | - Arm Cortex-A76 |
| 80 | - Added workaround for erratum 1165522 |
| 81 | - Added workaround for erratum 1791580 |
| 82 | - Added workaround for erratum 1868343 |
| 83 | |
| 84 | - Arm Cortex-A72 |
| 85 | - Added workaround for erratum 1319367 |
| 86 | |
| 87 | - Arm Cortex-A77 |
| 88 | - Added workaround for erratum 1508412 |
| 89 | - Added workaround for erratum 1800714 |
| 90 | - Added workaround for erratum 1925769 |
| 91 | |
| 92 | - Arm Neoverse N1 |
| 93 | - Added workaround for erratum 1868343 |
| 94 | |
| 95 | - EL3 Runtime |
| 96 | - Added support for saving/restoring registers related to nested |
| 97 | virtualization in EL2 context switches if the architecture supports it |
| 98 | |
| 99 | - FCONF |
| 100 | - Added support for Measured Boot |
| 101 | - Added support for populating Chain of Trust properties |
| 102 | - Added support for loading the ``fw_config`` image |
| 103 | |
| 104 | - Measured Boot |
| 105 | - Added support for event logging |
| 106 | |
| 107 | - Platforms |
| 108 | - Added support for Arm Morello |
| 109 | - Added support for Arm TC0 |
| 110 | - Added support for iEi PUZZLE-M801 |
| 111 | - Added support for Marvell OCTEON TX2 T9130 |
| 112 | - Added support for MediaTek MT8192 |
| 113 | - Added support for NXP i.MX 8M Nano |
| 114 | - Added support for NXP i.MX 8M Plus |
| 115 | - Added support for QTI CHIP SC7180 |
| 116 | - Added support for STM32MP151F |
| 117 | - Added support for STM32MP153F |
| 118 | - Added support for STM32MP157F |
| 119 | - Added support for STM32MP151D |
| 120 | - Added support for STM32MP153D |
| 121 | - Added support for STM32MP157D |
| 122 | |
| 123 | - Arm |
| 124 | - Added support for platform-owned SPs |
| 125 | - Added support for resetting to BL31 |
| 126 | |
| 127 | - Arm FPGA |
| 128 | - Added support for Klein |
| 129 | - Added support for Matterhorn |
| 130 | - Added support for additional CPU clusters |
| 131 | |
| 132 | - Arm FVP |
| 133 | - Added support for performing SDEI platform setup at runtime |
| 134 | - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command |
| 135 | - Added an ``id`` field under the NV-counter node in the device tree to |
| 136 | differentiate between trusted and non-trusted NV-counters |
| 137 | - Added support for extracting the clock frequency from the timer node |
| 138 | in the device tree |
| 139 | |
| 140 | - Arm Juno |
| 141 | - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command |
| 142 | |
| 143 | - Arm N1SDP |
| 144 | - Added support for cross-chip PCI-e |
| 145 | |
| 146 | - Marvell |
| 147 | - Added support for AVS reduction |
| 148 | |
| 149 | - Marvell ARMADA |
| 150 | - Added support for twin-die combined memory device |
| 151 | |
| 152 | - Marvell ARMADA A8K |
| 153 | - Added support for DDR with 32-bit bus width (both ECC and non-ECC) |
| 154 | |
| 155 | - Marvell AP806 |
| 156 | - Added workaround for erratum FE-4265711 |
| 157 | |
| 158 | - Marvell AP807 |
| 159 | - Added workaround for erratum 3033912 |
| 160 | |
| 161 | - Nvidia Tegra |
| 162 | - Added debug printouts indicating SC7 entry sequence completion |
| 163 | - Added support for SDEI |
| 164 | - Added support for stack protection |
| 165 | - Added support for GICv3 |
| 166 | - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command |
| 167 | |
| 168 | - Nvidia Tegra194 |
| 169 | - Added support for RAS exception handling |
| 170 | - Added support for SPM |
| 171 | |
| 172 | - NXP i.MX |
| 173 | - Added support for SDEI |
| 174 | |
| 175 | - QEMU SBSA |
| 176 | - Added support for the Secure Partition Manager |
| 177 | |
| 178 | - QTI |
| 179 | - Added RNG driver |
| 180 | - Added SPMI PMIC arbitrator driver |
| 181 | - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command |
| 182 | |
| 183 | - STM32MP1 |
| 184 | - Added support for exposing peripheral interfaces to the non-secure |
| 185 | world at runtime |
| 186 | - Added support for SCMI clock and reset services |
| 187 | - Added support for STM32MP15x CPU revision Z |
| 188 | - Added support for SMCCC services in ``SP_MIN`` |
| 189 | |
| 190 | - Services |
| 191 | - Secure Payload Dispatcher |
| 192 | - Added a provision to allow clients to retrieve the service UUID |
| 193 | |
| 194 | - SPMC |
| 195 | - Added secondary core endpoint information to the SPMC context |
| 196 | structure |
| 197 | |
| 198 | - SPMD |
| 199 | - Added support for booting OP-TEE as a guest S-EL1 Secure Partition on |
| 200 | top of Hafnium in S-EL2 |
| 201 | - Added a provision for handling SPMC messages to register secondary |
| 202 | core entry points |
| 203 | - Added support for power management operations |
| 204 | |
| 205 | - Tools |
| 206 | - CertCreate |
| 207 | - Added support for secure partitions |
| 208 | |
| 209 | - CertTool |
| 210 | - Added support for the ``fw_config`` image |
| 211 | |
| 212 | - FIPTool |
| 213 | - Added support for the ``fw_config`` image |
| 214 | |
| 215 | Changed |
| 216 | ^^^^^^^ |
| 217 | |
| 218 | - Architecture support |
| 219 | |
| 220 | - Bootloader images |
| 221 | |
| 222 | - Build System |
| 223 | - The top-level Makefile now supports building FipTool on Windows |
| 224 | - The default value of ``KEY_SIZE`` has been changed to to 2048 when RSA is |
| 225 | in use |
| 226 | - The previously-deprecated macro ``__ASSEMBLY__`` has now been removed |
| 227 | |
| 228 | - Common components |
| 229 | - Certain functions that flush the console will no longer return error |
| 230 | information |
| 231 | |
| 232 | - Drivers |
| 233 | - Arm GIC |
| 234 | - Usage of ``drivers/arm/gic/common/gic_common.c`` has now been |
| 235 | deprecated in favour of ``drivers/arm/gic/vX/gicvX.mk`` |
| 236 | - Added support for detecting the presence of a GIC600-AE |
| 237 | - Added support for detecting the presence of a GIC-Clayton |
| 238 | |
| 239 | - Marvell MCI |
| 240 | - Now performs link tuning for all MCI interfaces to improve performance |
| 241 | |
| 242 | - Marvell MoChi |
| 243 | - PIDI masters are no longer forced into a non-secure access level when |
| 244 | ``LLC_SRAM`` is enabled |
| 245 | - The SD/MMC controllers are now accessible from guest virtual machines |
| 246 | |
| 247 | - Mbed TLS |
| 248 | - Migrated to Mbed TLS v2.24.0 |
| 249 | |
| 250 | - STM32 FMC2 NAND |
| 251 | - Adjusted FMC node bindings to include an EBI controller node |
| 252 | |
| 253 | - STM32 Reset |
| 254 | - Added an optional timeout argument to assertion functions |
| 255 | |
| 256 | - STM32MP1 Clocks |
| 257 | - Enabled several additional system clocks during initialization |
| 258 | |
| 259 | - Libraries |
| 260 | - C Standard Library |
| 261 | - Improved ``memset`` performance by avoiding single-byte writes |
| 262 | - Added optimized assembly variants of ``memset`` |
| 263 | |
| 264 | - CPU support |
| 265 | - Renamed Cortex-Hercules to Cortex-A78 |
| 266 | - Renamed Cortex-Hercules AE to Cortex-A78 AE |
| 267 | - Renamed Neoverse Zeus to Neoverse V1 |
| 268 | |
| 269 | - Coreboot |
| 270 | - Updated ‘coreboot_get_memory_type’ API to take an extra argument as a |
| 271 | ’memory size’ that used to return a valid memory type. |
| 272 | |
| 273 | - libfdt |
| 274 | - Updated to latest upstream version |
| 275 | |
| 276 | - Platforms |
| 277 | - Allwinner |
| 278 | - Disabled non-secure access to PRCM power control registers |
| 279 | |
| 280 | - Arm |
| 281 | - ``BL32_BASE`` is now platform-dependent when ``SPD_spmd`` is enabled |
| 282 | - Added support for loading the Chain of Trust from the device tree |
| 283 | - The firmware update check is now executed only once |
| 284 | - NV-counter base addresses are now loaded from the device tree when |
| 285 | ``COT_DESC_IN_DTB`` is enabled |
| 286 | - Now loads and populates ``fw_config`` and ``tb_fw_config`` |
| 287 | - FCONF population now occurs after caches have been enabled in order |
| 288 | to reduce boot times |
| 289 | |
| 290 | - Arm Corstone-700 |
| 291 | - Platform support has been split into both an FVP and an FPGA variant |
| 292 | |
| 293 | - Arm FPGA |
| 294 | - DTB and BL33 load addresses have been given sensible default values |
| 295 | - Now reads generic timer counter frequency, GICD and GICR base |
| 296 | addresses, and UART address from DT |
| 297 | - Now treats the primary PL011 UART as an SBSA Generic UART |
| 298 | |
| 299 | - Arm FVP |
| 300 | - Secure interrupt descriptions, UART parameters, clock frequencies and |
| 301 | GICv3 parameters are now queried through FCONF |
| 302 | - UART parameters are now queried through the device tree |
| 303 | - Added an owner field to Cactus secure partitions |
| 304 | - Increased the maximum size of BL2 when the Chain of Trust is loaded |
| 305 | from the device tree |
| 306 | - Reduces the maximum size of BL31 |
| 307 | - The ``FVP_USE_SP804_TIMER`` and ``FVP_VE_USE_SP804_TIMER`` build |
| 308 | options have been removed in favour of a common ``USE_SP804_TIMER`` |
| 309 | option |
| 310 | - Added a third Cactus partition to manifests |
| 311 | - Device tree nodes now store UUIDs in big-endian |
| 312 | |
| 313 | - Arm Juno |
| 314 | - Increased the maximum size of BL2 when optimizations have not been |
| 315 | applied |
| 316 | - Reduced the maximum size of BL31 and BL32 |
| 317 | |
| 318 | - Marvell AP807 |
| 319 | - Enabled snoop filters |
| 320 | |
| 321 | - Marvell ARMADA A3K |
| 322 | - UART recovery images are now suffixed with ``.bin`` |
| 323 | |
| 324 | - Marvell ARMADA A8K |
| 325 | - Option ``BL31_CACHE_DISABLE`` is now disabled (``0``) by default |
| 326 | |
| 327 | - Nvidia Tegra |
| 328 | - Added VPR resize supported check when processing video memory resize |
| 329 | requests |
| 330 | - Added SMMU verification to prevent potential issues caused by |
| 331 | undetected corruption of the SMMU configuration during boot |
| 332 | - The GIC CPU interface is now properly disabled after CPU off |
| 333 | - The GICv2 sources list and the ``BL31_SIZE`` definition have been made |
| 334 | platform-specific |
| 335 | - The SPE driver will no longer flush the console when writing |
| 336 | individual characters |
| 337 | |
| 338 | - Nvidia Tegra194 |
| 339 | - TZDRAM setup has been moved to platform-specific early boot handlers |
| 340 | - Increased verbosity of debug prints for RAS SErrors |
| 341 | - Support for powering down CPUs during CPU suspend has been removed |
| 342 | - Now verifies firewall settings before using resources |
| 343 | |
| 344 | - TI K3 |
| 345 | - The UART number has been made configurable through ``K3_USART`` |
| 346 | |
| 347 | - Rockchip RK3368 |
| 348 | - The maximum number of memory map regions has been increased to 20 |
| 349 | |
| 350 | - Socionext Uniphier |
| 351 | - The maximum size of BL33 has been increased to support larger |
| 352 | bootloaders |
| 353 | |
| 354 | - STM32 |
| 355 | - Removed platform-specific DT functions in favour of using existing |
| 356 | generic alternatives |
| 357 | |
| 358 | - STM32MP1 |
| 359 | - Increased verbosity of exception reports in debug builds |
| 360 | - Device trees have been updated to align with the Linux kernel |
| 361 | - Now uses the ETZPC driver to configure secure-aware interfaces for |
| 362 | assignment to the non-secure world |
| 363 | - Finished good variants have been added to the board identifier |
| 364 | enumerations |
| 365 | - Non-secure access to clocks and reset domains now depends on their |
| 366 | state of registration |
| 367 | - NEON is now disabled in ``SP_MIN`` |
| 368 | - The last page of ``SYSRAM`` is now used as SCMI shared memory |
| 369 | - Checks to verify platform compatibility have been added to verify that |
| 370 | an image is compatible with the chip ID of the running platform |
| 371 | |
| 372 | - QEMU SBSA |
| 373 | - Removed support for Arm's Cortex-A53 |
| 374 | |
| 375 | - Services |
| 376 | - Renamed SPCI to FF-A |
| 377 | |
| 378 | - SPMD |
| 379 | - No longer forwards requests to the non-secure world when retrieving |
| 380 | partition information |
| 381 | - SPMC manifest size is now retrieved directly from SPMD instead of the |
| 382 | device tree |
| 383 | - The FF-A version handler now returns SPMD's version when the origin |
| 384 | of the call is secure, and SPMC's version when the origin of the call |
| 385 | is non-secure |
| 386 | |
| 387 | - SPMC |
| 388 | - Updated the manifest to declare CPU nodes in descending order as per |
| 389 | the SPM (Hafnium) multicore requirement |
| 390 | - Updated the device tree to mark 2GB as device memory for the first |
| 391 | partition excluding trusted DRAM region (which is reserved for SPMC) |
| 392 | - Increased the number of EC contexts to the maximum number of PEs as |
| 393 | per the FF-A specification |
| 394 | |
| 395 | - Tools |
| 396 | - FIPTool |
| 397 | - Now returns ``0`` on ``help`` and ``help <command>`` |
| 398 | |
| 399 | - Marvell DoImage |
| 400 | - Updated Mbed TLS support to v2.8 |
| 401 | |
| 402 | - SPTool |
| 403 | - Now appends CertTool arguments |
| 404 | |
| 405 | Resolved Issues |
| 406 | ^^^^^^^^^^^^^^^ |
| 407 | |
| 408 | - Bootloader images |
| 409 | - Fixed compilation errors for dual-root Chains of Trust caused by symbol |
| 410 | collision |
| 411 | |
| 412 | - BL31 |
| 413 | - Fixed compilation errors on platforms with fewer than 4 cores caused |
| 414 | by initialization code exceeding the end of the stacks |
| 415 | - Fixed compilation errors when building a position-independent image |
| 416 | |
| 417 | - Build System |
| 418 | - Fixed invalid empty version strings |
| 419 | - Fixed compilation errors on Windows caused by a non-portable architecture |
| 420 | revision comparison |
| 421 | |
| 422 | - Drivers |
| 423 | - Arm GIC |
| 424 | - Fixed spurious interrupts caused by a missing barrier |
| 425 | |
| 426 | - STM32 Flexible Memory Controller 2 (FMC2) NAND driver |
| 427 | - Fixed runtime instability caused by incorrect error detection logic |
| 428 | |
| 429 | - STM32MP1 Clock driver |
| 430 | - Fixed incorrectly-formatted log messages |
| 431 | - Fixed runtime instability caused by improper clock gating procedures |
| 432 | |
| 433 | - STMicroelectronics Raw NAND driver |
| 434 | - Fixed runtime instability caused by incorrect unit conversion when |
| 435 | waiting for NAND readiness |
| 436 | |
| 437 | - Libraries |
| 438 | - AMU |
| 439 | - Fixed timeout errors caused by excess error logging |
| 440 | |
| 441 | - EL3 Runtime |
| 442 | - Fixed runtime instability caused by improper register save/restore |
| 443 | routine in EL2 |
| 444 | |
| 445 | - FCONF |
| 446 | - Fixed failure to initialize GICv3 caused by overly-strict device tree |
| 447 | requirements |
| 448 | |
| 449 | - Measured Boot |
| 450 | - Fixed driver errors caused by a missing default value for the |
| 451 | ``HASH_ALG`` build option |
| 452 | |
| 453 | - SPE |
| 454 | - Fixed feature detection check that prevented CPUs supporting SVE from |
| 455 | detecting support for SPE in the non-secure world |
| 456 | |
| 457 | - Translation Tables |
| 458 | - Fixed various MISRA-C 2012 static analysis violations |
| 459 | |
| 460 | - Platforms |
| 461 | - Allwinner A64 |
| 462 | - Fixed USB issues on certain battery-powered device caused by |
| 463 | improperly activated USB power rail |
| 464 | |
| 465 | - Arm |
| 466 | - Fixed compilation errors caused by increase in BL2 size |
| 467 | - Fixed compilation errors caused by missing Makefile dependencies to |
| 468 | generated files when building the FIP |
| 469 | - Fixed MISRA-C 2012 static analysis violations caused by unused |
| 470 | structures in include directives intended to be feature-gated |
| 471 | |
| 472 | - Arm FPGA |
| 473 | - Fixed initialization issues caused by incorrect MPIDR topology mapping |
| 474 | logic |
| 475 | |
| 476 | - Arm RD-N1-edge |
| 477 | - Fixed compilation errors caused by mismatched parentheses in Makefile |
| 478 | |
| 479 | - Arm SGI |
| 480 | - Fixed crashes due to the flash memory used for cold reboot attack |
| 481 | protection not being mapped |
| 482 | |
| 483 | - Intel Agilex |
| 484 | - Fixed initialization issues caused by several compounding bugs |
| 485 | |
| 486 | - Marvell |
| 487 | - Fixed compilation warnings caused by multiple Makefile inclusions |
| 488 | |
| 489 | - Marvell ARMADA A3K |
| 490 | - Fixed boot issue in debug builds caused by checks on the BL33 load |
| 491 | address that are not appropriate for this platform |
| 492 | |
| 493 | - Nvidia Tegra |
| 494 | - Fixed incorrect delay timer reads |
| 495 | - Fixed spurious interrupts in the non-secure world during cold boot |
| 496 | caused by the arbitration bit in the memory controller not being |
| 497 | cleared |
| 498 | - Fixed faulty video memory resize sequence |
| 499 | |
| 500 | - Nvidia Tegra194 |
| 501 | - Fixed incorrect alignment of TZDRAM base address |
| 502 | |
| 503 | - NXP iMX8M |
| 504 | - Fixed CPU hot-plug issues caused by race condition |
| 505 | |
| 506 | - STM32MP1 |
| 507 | - Fixed compilation errors in highly-parallel builds caused by incorrect |
| 508 | Makefile dependencies |
| 509 | |
| 510 | - STM32MP157C-ED1 |
| 511 | - Fixed initialization issues caused by missing device tree hash node |
| 512 | |
| 513 | - Raspberry Pi 3 |
| 514 | - Fixed compilation errors caused by incorrect dependency ordering in |
| 515 | Makefile |
| 516 | |
| 517 | - Rockchip |
| 518 | - Fixed initialization issues caused by non-critical errors when parsing |
| 519 | FDT being treated as critical |
| 520 | |
| 521 | - Rockchip RK3368 |
| 522 | - Fixed runtime instability caused by incorrect CPUID shift value |
| 523 | |
| 524 | - QEMU |
| 525 | - Fixed compilation errors caused by incorrect dependency ordering in |
| 526 | Makefile |
| 527 | |
| 528 | - QEMU SBSA |
| 529 | - Fixed initialization issues caused by FDT exceeding reserved memory |
| 530 | size |
| 531 | |
| 532 | - QTI |
| 533 | - Fixed compilation errors caused by inclusion of a non-existent file |
| 534 | |
| 535 | - Services |
| 536 | - FF-A (previously SPCI) |
| 537 | - Fixed SPMD aborts caused by incorrect behaviour when the manifest is |
| 538 | page-aligned |
| 539 | |
| 540 | - Tools |
| 541 | - Fixed compilation issues when compiling tools from within their respective |
| 542 | directories |
| 543 | |
| 544 | - FIPTool |
| 545 | - Fixed command line parsing issues on Windows when using arguments |
| 546 | whose names also happen to be a subset of another's |
| 547 | |
| 548 | - Marvell DoImage |
| 549 | - Fixed PKCS signature verification errors at boot on some platforms |
| 550 | caused by generation of misaligned images |
| 551 | |
| 552 | Known Issues |
| 553 | ^^^^^^^^^^^^ |
| 554 | |
| 555 | - Platforms |
| 556 | - NVIDIA Tegra |
| 557 | - Signed comparison compiler warnings occurring in libfdt are currently |
| 558 | being worked around by disabling the warning for the platform until |
| 559 | the underlying issue is resolved in libfdt |
| 560 | |
laurenw-arm | 4204e07 | 2020-04-14 16:44:52 -0500 | [diff] [blame] | 561 | Version 2.3 |
| 562 | ----------- |
| 563 | |
| 564 | New Features |
| 565 | ^^^^^^^^^^^^ |
| 566 | |
| 567 | - Arm Architecture |
| 568 | - Add support for Armv8.4-SecEL2 extension through the SPCI defined SPMD/SPMC |
| 569 | components. |
| 570 | |
| 571 | - Build option to support EL2 context save and restore in the secure world |
| 572 | (CTX_INCLUDE_EL2_REGS). |
| 573 | |
| 574 | - Add support for SMCCC v1.2 (introducing the new SMCCC_ARCH_SOC_ID SMC). |
| 575 | Note that the support is compliant, but the SVE registers save/restore will |
| 576 | be done as part of future S-EL2/SPM development. |
| 577 | |
| 578 | - BL-specific |
| 579 | - Enhanced BL2 bootloader flow to load secure partitions based on firmware |
| 580 | configuration data (fconf). |
| 581 | |
| 582 | - Changes necessary to support SEPARATE_NOBITS_REGION feature |
| 583 | |
| 584 | - TSP and BL2_AT_EL3: Add Position Independent Execution ``PIE`` support |
| 585 | |
| 586 | - Build System |
| 587 | - Add support for documentation build as a target in Makefile |
| 588 | |
Chris Kay | 0bd1a2e | 2020-10-29 14:28:59 +0000 | [diff] [blame] | 589 | - Add ``COT`` build option to select the Chain of Trust to use when the |
laurenw-arm | 4204e07 | 2020-04-14 16:44:52 -0500 | [diff] [blame] | 590 | Trusted Boot feature is enabled (default: ``tbbr``). |
| 591 | |
| 592 | - Added creation and injection of secure partition packages into the FIP. |
| 593 | |
| 594 | - Build option to support SPMC component loading and run at S-EL1 |
| 595 | or S-EL2 (SPMD_SPM_AT_SEL2). |
| 596 | |
| 597 | - Enable MTE support |
| 598 | |
| 599 | - Enable Link Time Optimization in GCC |
| 600 | |
| 601 | - Enable -Wredundant-decls warning check |
| 602 | |
| 603 | - Makefile: Add support to optionally encrypt BL31 and BL32 |
| 604 | |
| 605 | - Add support to pass the nt_fw_config DTB to OP-TEE. |
| 606 | |
| 607 | - Introduce per-BL ``CPPFLAGS``, ``ASFLAGS``, and ``LDFLAGS`` |
| 608 | |
| 609 | - build_macros: Add CREATE_SEQ function to generate sequence of numbers |
| 610 | |
| 611 | - CPU Support |
| 612 | - cortex-a57: Enable higher performance non-cacheable load forwarding |
| 613 | |
| 614 | - Hercules: Workaround for Errata 1688305 |
| 615 | |
| 616 | - Klein: Support added for Klein CPU |
| 617 | |
| 618 | - Matterhorn: Support added for Matterhorn CPU |
| 619 | |
| 620 | - Drivers |
| 621 | - auth: Add ``calc_hash`` function for hash calculation. Used for |
| 622 | authentication of images when measured boot is enabled. |
| 623 | |
| 624 | - cryptocell: Add authenticated decryption framework, and support |
| 625 | for CryptoCell-713 and CryptoCell-712 RSA 3K |
| 626 | |
| 627 | - gic600: Add support for multichip configuration and Clayton |
| 628 | - gicv3: Introduce makefile, Add extended PPI and SPI range, |
| 629 | Add support for probing multiple GIC Redistributor frames |
| 630 | - gicv4: Add GICv4 extension for GIC driver |
| 631 | |
| 632 | - io: Add an IO abstraction layer to load encrypted firmwares |
| 633 | |
| 634 | - mhu: Derive doorbell base address |
| 635 | |
| 636 | - mtd: Add SPI-NOR, SPI-NAND, SPI-MEM, and raw NAND framework |
| 637 | |
| 638 | - scmi: Allow use of multiple SCMI channels |
| 639 | |
| 640 | - scu: Add a driver for snoop control unit |
| 641 | |
| 642 | - Libraries |
| 643 | - coreboot: Add memory range parsing and use generic base address |
| 644 | |
| 645 | - compiler_rt: Import popcountdi2.c and popcountsi2.c files, |
| 646 | aeabi_ldivmode.S file and dependencies |
| 647 | |
| 648 | - debugFS: Add DebugFS functionality |
| 649 | |
| 650 | - el3_runtime: Add support for enabling S-EL2 |
| 651 | |
| 652 | - fconf: Add Firmware Configuration Framework (fconf) (experimental). |
| 653 | |
| 654 | - libc: Add memrchr function |
| 655 | |
| 656 | - locks: bakery: Use is_dcache_enabled() helper and add a DMB to |
| 657 | the 'read_cache_op' macro |
| 658 | |
| 659 | - psci: Add support to enable different personality of the same soc. |
| 660 | |
| 661 | - xlat_tables_v2: Add support to pass shareability attribute for |
| 662 | normal memory region, use get_current_el_maybe_constant() in |
| 663 | is_dcache_enabled(), read-only xlat tables for BL31 memory, and |
| 664 | add enable_mmu() |
| 665 | |
| 666 | - New Platforms Support |
| 667 | - arm/arm_fpga: New platform support added for FPGA |
| 668 | |
| 669 | - arm/rddaniel: New platform support added for rd-daniel platform |
| 670 | |
| 671 | - brcm/stingray: New platform support added for Broadcom stingray platform |
| 672 | |
| 673 | - nvidia/tegra194: New platform support for Nvidia Tegra194 platform |
| 674 | |
| 675 | - Platforms |
| 676 | - allwinner: Implement PSCI system suspend using SCPI, add a msgbox |
| 677 | driver for use with SCPI, and reserve and map space for the SCP firmware |
| 678 | - allwinner: axp: Add AXP805 support |
| 679 | - allwinner: power: Add DLDO4 power rail |
| 680 | |
| 681 | - amlogic: axg: Add a build flag when using ATOS as BL32 and support for |
| 682 | the A113D (AXG) platform |
| 683 | |
| 684 | - arm/a5ds: Add ethernet node and L2 cache node in devicetree |
| 685 | |
| 686 | - arm/common: Add support for the new `dualroot` chain of trust |
| 687 | - arm/common: Add support for SEPARATE_NOBITS_REGION |
| 688 | - arm/common: Re-enable PIE when RESET_TO_BL31=1 |
| 689 | - arm/common: Allow boards to specify second DRAM Base address |
| 690 | and to define PLAT_ARM_TZC_FILTERS |
| 691 | |
David Horstmann | 4714701 | 2021-01-21 12:29:59 +0000 | [diff] [blame] | 692 | - arm/corstone700: Add support for mhuv2 and stack protector |
laurenw-arm | 4204e07 | 2020-04-14 16:44:52 -0500 | [diff] [blame] | 693 | |
| 694 | - arm/fvp: Add support for fconf in BL31 and SP_MIN. Populate power |
David Horstmann | 4714701 | 2021-01-21 12:29:59 +0000 | [diff] [blame] | 695 | domain descriptor dynamically by leveraging fconf APIs. |
laurenw-arm | 4204e07 | 2020-04-14 16:44:52 -0500 | [diff] [blame] | 696 | - arm/fvp: Add Cactus/Ivy Secure Partition information and use two |
| 697 | instances of Cactus at S-EL1 |
| 698 | - arm/fvp: Add support to run BL32 in TDRAM and BL31 in secure DRAM |
| 699 | - arm/fvp: Add support for GICv4 extension and BL2 hash calculation in BL1 |
| 700 | |
| 701 | - arm/n1sdp: Setup multichip gic routing table, update platform macros |
| 702 | for dual-chip setup, introduce platform information SDS region, add |
| 703 | support to update presence of External LLC, and enable the |
| 704 | NEOVERSE_N1_EXTERNAL_LLC flag |
| 705 | |
| 706 | - arm/rdn1edge: Add support for dual-chip configuration and use |
| 707 | CREATE_SEQ helper macro to compare chip count |
| 708 | |
| 709 | - arm/sgm: Always use SCMI for SGM platforms |
| 710 | - arm/sgm775: Add support for dynamic config using fconf |
| 711 | |
| 712 | - arm/sgi: Add multi-chip mode parameter in HW_CONFIG dts, macros for |
| 713 | remote chip device region, chip_id and multi_chip_mode to platform |
| 714 | variant info, and introduce number of chips macro |
| 715 | |
| 716 | - brcm: Add BL2 and BL31 support common across Broadcom platforms |
| 717 | - brcm: Add iproc SPI Nor flash support, spi driver, emmc driver, |
| 718 | and support to retrieve plat_toc_flags |
| 719 | |
| 720 | - hisilicon: hikey960: Enable system power off callback |
| 721 | |
| 722 | - intel: Enable bridge access, SiP SMC secure register access, and uboot |
| 723 | entrypoint support |
| 724 | - intel: Implement platform specific system reset 2 |
| 725 | - intel: Introduce mailbox response length handling |
| 726 | |
| 727 | - imx: console: Use CONSOLE_T_BASE for UART base address and generic console_t |
| 728 | data structure |
| 729 | - imx8mm: Provide uart base as build option and add the support for opteed spd |
| 730 | on imx8mq/imx8mm |
| 731 | - imx8qx: Provide debug uart num as build |
| 732 | - imx8qm: Apply clk/pinmux configuration for DEBUG_CONSOLE and provide debug |
| 733 | uart num as build param |
| 734 | |
| 735 | - marvell: a8k: Implement platform specific power off and add support |
| 736 | for loading MG CM3 images |
| 737 | |
| 738 | - mediatek: mt8183: Add Vmodem/Vcore DVS init level |
| 739 | |
| 740 | - qemu: Support optional encryption of BL31 and BL32 images |
| 741 | and ARM_LINUX_KERNEL_AS_BL33 to pass FDT address |
| 742 | - qemu: Define ARMV7_SUPPORTS_VFP |
| 743 | - qemu: Implement PSCI_CPU_OFF and qemu_system_off via semihosting |
| 744 | |
| 745 | - renesas: rcar_gen3: Add new board revision for M3ULCB |
| 746 | |
| 747 | - rockchip: Enable workaround for erratum 855873, claim a macro to enable |
| 748 | hdcp feature for DP, enable power domains of rk3399 before reset, add |
| 749 | support for UART3 as serial output, and initialize reset and poweroff |
| 750 | GPIOs with known invalid value |
| 751 | |
| 752 | - rpi: Implement PSCI CPU_OFF, use MMIO accessor, autodetect Mini-UART |
| 753 | vs. PL011 configuration, and allow using PL011 UART for RPi3/RPi4 |
| 754 | - rpi3: Include GPIO driver in all BL stages and use same "clock-less" |
| 755 | setup scheme as RPi4 |
| 756 | - rpi3/4: Add support for offlining CPUs |
| 757 | |
| 758 | - st: stm32mp1: platform.mk: Support generating multiple images in one build, |
| 759 | migrate to implicit rules, derive map file name from target name, generate |
| 760 | linker script with fixed name, and use PHONY for the appropriate targets |
| 761 | - st: stm32mp1: Add support for SPI-NOR, raw NAND, and SPI-NAND boot device, |
| 762 | QSPI, FMC2 driver |
| 763 | - st: stm32mp1: Use stm32mp_get_ddr_ns_size() function, set XN attribute for |
| 764 | some areas in BL2, dynamically map DDR later and non-cacheable during its |
| 765 | test, add a function to get non-secure DDR size, add DT helper for reg by |
| 766 | name, and add compilation flags for boot devices |
| 767 | |
| 768 | - socionext: uniphier: Turn on ENABLE_PIE |
| 769 | |
| 770 | - ti: k3: Add PIE support |
| 771 | |
| 772 | - xilinx: versal: Add set wakeup source, client wakeup, query data, request |
| 773 | wakeup, PM_INIT_FINALIZE, PM_GET_TRUSTZONE_VERSION, PM IOCTL, support for |
| 774 | suspend related, and Get_ChipID APIs |
| 775 | - xilinx: versal: Implement power down/restart related EEMI, SMC handler for |
| 776 | EEMI, PLL related PM, clock related PM, pin control related PM, reset related |
| 777 | PM, device related PM , APIs |
| 778 | - xilinx: versal: Enable ipi mailbox service |
| 779 | - xilinx: versal: Add get_api_version support and support to send PM API to PMC |
| 780 | using IPI |
| 781 | - xilinx: zynqmp: Add checksum support for IPI data, GET_CALLBACK_DATA |
| 782 | function, support to query max divisor, CLK_SET_RATE_PARENT in gem clock |
| 783 | node, support for custom type flags, LPD WDT clock to the pm_clock structure, |
| 784 | idcodes for new RFSoC silicons ZU48DR and ZU49DR, and id for new RFSoC device |
| 785 | ZU39DR |
| 786 | |
| 787 | - Security |
| 788 | - Use Speculation Barrier instruction for v8.5+ cores |
| 789 | |
| 790 | - Add support for optional firmware encryption feature (experimental). |
| 791 | |
| 792 | - Introduce a new `dualroot` chain of trust. |
| 793 | |
| 794 | - aarch64: Prevent speculative execution past ERET |
| 795 | - aarch32: Stop speculative execution past exception returns. |
| 796 | |
| 797 | - SPCI |
| 798 | - Introduced the Secure Partition Manager Dispatcher (SPMD) component as a |
| 799 | new standard service. |
| 800 | |
| 801 | - Tools |
| 802 | - cert_create: Introduce CoT build option and TBBR CoT makefile, |
| 803 | and define the dualroot CoT |
| 804 | |
| 805 | - encrypt_fw: Add firmware authenticated encryption tool |
| 806 | |
| 807 | - memory: Add show_memory script that prints a representation |
| 808 | of the memory layout for the latest build |
| 809 | |
| 810 | Changed |
| 811 | ^^^^^^^ |
| 812 | |
| 813 | - Arm Architecture |
| 814 | - PIE: Make call to GDT relocation fixup generalized |
| 815 | |
| 816 | - BL-Specific |
| 817 | - Increase maximum size of BL2 image |
| 818 | |
| 819 | - BL31: Discard .dynsym .dynstr .hash sections to make ENABLE_PIE work |
| 820 | - BL31: Split into two separate memory regions |
| 821 | |
| 822 | - Unify BL linker scripts and reduce code duplication. |
| 823 | |
| 824 | - Build System |
| 825 | - Changes to drive cert_create for dualroot CoT |
| 826 | |
| 827 | - Enable -Wlogical-op always |
| 828 | |
| 829 | - Enable -Wshadow always |
| 830 | |
| 831 | - Refactor the warning flags |
| 832 | |
| 833 | - PIE: Pass PIE options only to BL31 |
| 834 | |
| 835 | - Reduce space lost to object alignment |
| 836 | |
| 837 | - Set lld as the default linker for Clang builds |
| 838 | |
| 839 | - Remove -Wunused-const-variable and -Wpadded warning |
| 840 | |
| 841 | - Remove -Wmissing-declarations warning from WARNING1 level |
| 842 | |
| 843 | - Drivers |
| 844 | - authentication: Necessary fix in drivers to upgrade to mbedtls-2.18.0 |
| 845 | |
| 846 | - console: Integrate UART base address in generic console_t |
| 847 | |
| 848 | - gicv3: Change API for GICR_IPRIORITYR accessors and separate |
| 849 | GICD and GICR accessor functions |
| 850 | |
| 851 | - io: Change seek offset to signed long long and panic in case |
| 852 | of io setup failure |
| 853 | |
| 854 | - smmu: SMMUv3: Changed retry loop to delay timer |
| 855 | |
| 856 | - tbbr: Reduce size of hash and ECDSA key buffers when possible |
| 857 | |
| 858 | - Library Code |
| 859 | - libc: Consolidate the size_t, unified, and NULL definitions, |
| 860 | and unify intmax_t and uintmax_t on AArch32/64 |
| 861 | |
| 862 | - ROMLIB: Optimize memory layout when ROMLIB is used |
| 863 | |
| 864 | - xlat_tables_v2: Use ARRAY_SIZE in REGISTER_XLAT_CONTEXT_FULL_SPEC, |
| 865 | merge REGISTER_XLAT_CONTEXT_{FULL_SPEC,RO_BASE_TABLE}, |
| 866 | and simplify end address checks in mmap_add_region_check() |
| 867 | |
| 868 | - Platforms |
| 869 | - allwinner: Adjust SRAM A2 base to include the ARISC vectors, clean up MMU |
| 870 | setup, reenable USE_COHERENT_MEM, remove unused include path, move the |
| 871 | NOBITS region to SRAM A1, convert AXP803 regulator setup code into a driver, |
| 872 | enable clock before resetting I2C/RSB |
| 873 | - allwinner: h6: power: Switch to using the AXP driver |
| 874 | - allwinner: a64: power: Use fdt_for_each_subnode, remove obsolete register |
| 875 | check, remove duplicate DT check, and make sunxi_turn_off_soc static |
| 876 | - allwinner: Build PMIC bus drivers only in BL31, clean up PMIC-related error |
| 877 | handling, and synchronize PMIC enumerations |
| 878 | |
| 879 | - arm/a5ds: Change boot address to point to DDR address |
| 880 | |
| 881 | - arm/common: Check for out-of-bound accesses in the platform io policies |
| 882 | |
| 883 | - arm/corstone700: Updating the kernel arguments to support initramfs, |
| 884 | use fdts DDR memory and XIP rootfs, and set UART clocks to 32MHz |
| 885 | |
| 886 | - arm/fvp: Modify multithreaded dts file of DynamIQ FVPs, slightly bump |
| 887 | the stack size for bl1 and bl2, remove re-definition of topology related |
| 888 | build options, stop reclaiming init code with Clang builds, and map only |
| 889 | the needed DRAM region statically in BL31/SP_MIN |
| 890 | |
| 891 | - arm/juno: Maximize space allocated to SCP_BL2 |
| 892 | |
| 893 | - arm/sgi: Bump bl1 RW limit, mark remote chip shared ram as non-cacheable, |
| 894 | move GIC related constants to board files, include AFF3 affinity in core |
| 895 | position calculation, move bl31_platform_setup to board file, and move |
| 896 | topology information to board folder |
| 897 | |
| 898 | - common: Refactor load_auth_image_internal(). |
| 899 | |
| 900 | - hisilicon: Remove uefi-tools in hikey and hikey960 documentation |
| 901 | |
| 902 | - intel: Modify non secure access function, BL31 address mapping, mailbox's |
| 903 | get_config_status, and stratix10 BL31 parameter handling |
| 904 | - intel: Remove un-needed checks for qspi driver r/w and s10 unused source code |
| 905 | - intel: Change all global sip function to static |
| 906 | - intel: Refactor common platform code |
| 907 | - intel: Create SiP service header file |
| 908 | |
| 909 | |
| 910 | - marvell: armada: scp_bl2: Allow loading up to 8 images |
| 911 | - marvell: comphy-a3700: Support SGMII COMPHY power off and fix USB3 |
| 912 | powering on when on lane 2 |
| 913 | - marvell: Consolidate console register calls |
| 914 | |
| 915 | - mediatek: mt8183: Protect 4GB~8GB dram memory, refine GIC driver for |
| 916 | low power scenarios, and switch PLL/CLKSQ/ck_off/axi_26m control to SPM |
| 917 | |
| 918 | - qemu: Update flash address map to keep FIP in secure FLASH0 |
| 919 | |
| 920 | - renesas: rcar_gen3: Update IPL and Secure Monitor Rev.2.0.6, update DDR |
| 921 | setting for H3, M3, M3N, change fixed destination address of BL31 and BL32, |
| 922 | add missing #{address,size}-cells into generated DT, pass DT to OpTee OS, |
| 923 | and move DDR drivers out of staging |
| 924 | |
| 925 | - rockchip: Make miniloader ddr_parameter handling optional, cleanup securing |
| 926 | of ddr regions, move secure init to separate file, use base+size for secure |
| 927 | ddr regions, bring TZRAM_SIZE values in lined, and prevent macro expansion |
| 928 | in paths |
| 929 | |
| 930 | - rpi: Move plat_helpers.S to common |
| 931 | - rpi3: gpio: Simplify GPIO setup |
| 932 | - rpi4: Skip UART initialisation |
| 933 | |
| 934 | - st: stm32m1: Use generic console_t data structure, remove second |
| 935 | QSPI flash instance, update for FMC2 pin muxing, and reduce MAX_XLAT_TABLES |
| 936 | to 4 |
| 937 | |
| 938 | - socionext: uniphier: Make on-chip SRAM and I/O register regions configurable |
| 939 | - socionext: uniphier: Make PSCI related, counter control, UART, pinmon, NAND |
| 940 | controller, and eMMC controller base addresses configurable |
| 941 | - socionext: uniphier: Change block_addressing flag and the return value type |
| 942 | of .is_usb_boot() to bool |
| 943 | - socionext: uniphier: Run BL33 at EL2, call uniphier_scp_is_running() only |
| 944 | when on-chip STM is supported, define PLAT_XLAT_TABLES_DYNAMIC only for BL2, |
| 945 | support read-only xlat tables, use enable_mmu() in common function, shrink |
| 946 | UNIPHIER_ROM_REGION_SIZE, prepare uniphier_soc_info() for next SoC, extend |
| 947 | boot device detection for future SoCs, make all BL images completely |
| 948 | position-independent, make uniphier_mmap_setup() work with PIE, pass SCP |
| 949 | base address as a function parameter, set buffer offset and length for |
| 950 | io_block dynamically, and use more mmap_add_dynamic_region() for loading |
| 951 | images |
| 952 | |
| 953 | - spd/trusty: Disable error messages seen during boot, allow gic base to be |
| 954 | specified with GICD_BASE, and allow getting trusty memsize from BL32_MEM_SIZE |
| 955 | instead of TSP_SEC_MEM_SIZE |
| 956 | |
| 957 | - ti: k3: common: Enable ARM cluster power down and rename device IDs to |
| 958 | be more consistent |
| 959 | - ti: k3: drivers: ti_sci: Put sequence number in coherent memory and |
| 960 | remove indirect structure of const data |
| 961 | |
| 962 | - xilinx: Move ipi mailbox svc to xilinx common |
| 963 | - xilinx: zynqmp: Use GIC framework for warm restart |
| 964 | - xilinx: zynqmp: pm: Move custom clock flags to typeflags, remove |
| 965 | CLK_TOPSW_LSBUS from invalid clock list and rename FPD WDT clock ID |
| 966 | - xilinx: versal: Increase OCM memory size for DEBUG builds and adjust |
| 967 | cpu clock, Move versal_def.h and versal_private to include directory |
| 968 | |
| 969 | - Tools |
David Horstmann | 4714701 | 2021-01-21 12:29:59 +0000 | [diff] [blame] | 970 | - sptool: Updated sptool to accommodate building secure partition packages. |
laurenw-arm | 4204e07 | 2020-04-14 16:44:52 -0500 | [diff] [blame] | 971 | |
| 972 | Resolved Issues |
| 973 | ^^^^^^^^^^^^^^^ |
| 974 | |
| 975 | - Arm Architecture |
| 976 | - Fix crash dump for lower EL |
| 977 | |
| 978 | - BL-Specific |
| 979 | - Bug fix: Protect TSP prints with lock |
| 980 | |
| 981 | - Fix boot failures on some builds linked with ld.lld. |
| 982 | |
| 983 | - Build System |
| 984 | - Fix clang build if CC is not in the path. |
| 985 | |
| 986 | - Fix 'BL stage' comment for build macros |
| 987 | |
| 988 | - Code Quality |
| 989 | - coverity: Fix various MISRA violations including null pointer violations, |
| 990 | C issues in BL1/BL2/BL31 and FDT helper functions, using boolean essential, |
| 991 | type, and removing unnecessary header file and comparisons to LONG_MAX in |
| 992 | debugfs devfip |
| 993 | |
| 994 | - Based on coding guidelines, replace all `unsigned long` depending on if |
| 995 | fixed based on AArch32 or AArch64. |
| 996 | |
| 997 | - Unify type of "cpu_idx" and Platform specific defines across PSCI module. |
| 998 | |
| 999 | - Drivers |
| 1000 | - auth: Necessary fix in drivers to upgrade to mbedtls-2.18.0 |
| 1001 | |
| 1002 | - delay_timer: Fix non-standard frequency issue in udelay |
| 1003 | |
| 1004 | - gicv3: Fix compiler dependent behavior |
| 1005 | - gic600: Fix include ordering according to the coding style and power up sequence |
| 1006 | |
| 1007 | - Library Code |
| 1008 | - el3_runtime: Fix stack pointer maintenance on EA handling path, |
| 1009 | fixup 'cm_setup_context' prototype, and adds TPIDR_EL2 register |
| 1010 | to the context save restore routines |
| 1011 | |
| 1012 | - libc: Fix SIZE_MAX on AArch32 |
| 1013 | |
| 1014 | - locks: T589: Fix insufficient ordering guarantees in bakery lock |
| 1015 | |
| 1016 | - pmf: Fix 'tautological-constant-compare' error, Make the runtime |
| 1017 | instrumentation work on AArch32, and Simplify PMF helper macro |
| 1018 | definitions across header files |
| 1019 | |
| 1020 | - xlat_tables_v2: Fix assembler warning of PLAT_RO_XLAT_TABLES |
| 1021 | |
| 1022 | - Platforms |
| 1023 | - allwinner: Fix H6 GPIO and CCU memory map addresses and incorrect ARISC |
| 1024 | code patch offset check |
| 1025 | |
| 1026 | - arm/a5ds: Correct system freq and Cache Writeback Granule, and cleanup |
| 1027 | enable-method in devicetree |
| 1028 | |
| 1029 | - arm/fvp: Fix incorrect GIC mapping, BL31 load address and image size |
| 1030 | for RESET_TO_BL31=1, topology description of cpus for DynamIQ based |
| 1031 | FVP, and multithreaded FVP power domain tree |
| 1032 | - arm/fvp: spm-mm: Correcting instructions to build SPM for FVP |
| 1033 | |
| 1034 | - arm/common: Fix ROTPK hash generation for ECDSA encryption, BL2 bug in |
| 1035 | dynamic configuration initialisation, and current RECLAIM_INIT_CODE behavior |
| 1036 | |
| 1037 | - arm/rde1edge: Fix incorrect topology tree description |
| 1038 | |
| 1039 | - arm/sgi: Fix the incorrect check for SCMI channel ID |
| 1040 | |
| 1041 | - common: Flush dcache when storing timestamp |
| 1042 | |
| 1043 | - intel: Fix UEFI decompression issue, memory calibration, SMC SIP service, |
| 1044 | mailbox config return status, mailbox driver logic, FPGA manager on |
| 1045 | reconfiguration, and mailbox send_cmd issue |
| 1046 | |
| 1047 | - imx: Fix shift-overflow errors, the rdc memory region slot's offset, |
| 1048 | multiple definition of ipc_handle, missing inclusion of cdefs.h, and |
| 1049 | correct the SGIs that used for secure interrupt |
| 1050 | |
| 1051 | - mediatek: mt8183: Fix AARCH64 init fail on CPU0 |
| 1052 | |
| 1053 | - rockchip: Fix definition of struct param_ddr_usage |
| 1054 | |
| 1055 | - rpi4: Fix documentation of armstub config entry |
| 1056 | |
| 1057 | - st: Correct io possible NULL pointer dereference and device_size type, |
| 1058 | nand xor_ecc.val assigned value, static analysis tool issues, and fix |
| 1059 | incorrect return value and correctly check pwr-regulators node |
| 1060 | |
| 1061 | - xilinx: zynqmp: Correct syscnt freq for QEMU and fix clock models |
| 1062 | and IDs of GEM-related clocks |
| 1063 | |
| 1064 | Known Issues |
| 1065 | ^^^^^^^^^^^^ |
| 1066 | |
| 1067 | - Build System |
| 1068 | - dtb: DTB creation not supported when building on a Windows host. |
| 1069 | |
| 1070 | This step in the build process is skipped when running on a Windows host. A |
| 1071 | known issue from the 1.6 release. |
| 1072 | |
| 1073 | - Intermittent assertion firing `ASSERT: services/spd/tspd/tspd_main.c:105` |
| 1074 | |
| 1075 | - Coverity |
| 1076 | - Intermittent Race condition in Coverity Jenkins Build Job |
| 1077 | |
| 1078 | - Platforms |
| 1079 | - arm/juno: System suspend from Linux does not function as documented in the |
| 1080 | user guide |
| 1081 | |
| 1082 | Following the instructions provided in the user guide document does not |
| 1083 | result in the platform entering system suspend state as expected. A message |
| 1084 | relating to the hdlcd driver failing to suspend will be emitted on the |
| 1085 | Linux terminal. |
| 1086 | |
| 1087 | - mediatek/mt6795: This platform does not build in this release |
| 1088 | |
laurenw-arm | 77caea2 | 2019-10-11 14:10:09 -0500 | [diff] [blame] | 1089 | Version 2.2 |
| 1090 | ----------- |
| 1091 | |
| 1092 | New Features |
| 1093 | ^^^^^^^^^^^^ |
| 1094 | |
| 1095 | - Architecture |
| 1096 | - Enable Pointer Authentication (PAuth) support for Secure World |
| 1097 | - Adds support for ARMv8.3-PAuth in BL1 SMC calls and |
| 1098 | BL2U image for firmware updates. |
| 1099 | |
| 1100 | - Enable Memory Tagging Extension (MTE) support in both secure and non-secure |
| 1101 | worlds |
Louis Mayencourt | a5bb389 | 2020-03-27 11:49:20 +0000 | [diff] [blame] | 1102 | |
laurenw-arm | 77caea2 | 2019-10-11 14:10:09 -0500 | [diff] [blame] | 1103 | - Adds support for the new Memory Tagging Extension arriving in |
| 1104 | ARMv8.5. MTE support is now enabled by default on systems that |
| 1105 | support it at EL0. |
| 1106 | - To enable it at ELx for both the non-secure and the secure |
| 1107 | world, the compiler flag ``CTX_INCLUDE_MTE_REGS`` includes register |
| 1108 | saving and restoring when necessary in order to prevent information |
| 1109 | leakage between the worlds. |
| 1110 | |
| 1111 | - Add support for Branch Target Identification (BTI) |
| 1112 | |
| 1113 | - Build System |
| 1114 | - Modify FVP makefile for CPUs that support both AArch64/32 |
| 1115 | |
| 1116 | - AArch32: Allow compiling with soft-float toolchain |
| 1117 | |
| 1118 | - Makefile: Add default warning flags |
| 1119 | |
| 1120 | - Add Makefile check for PAuth and AArch64 |
| 1121 | |
| 1122 | - Add compile-time errors for HW_ASSISTED_COHERENCY flag |
| 1123 | |
| 1124 | - Apply compile-time check for AArch64-only CPUs |
| 1125 | |
| 1126 | - build_macros: Add mechanism to prevent bin generation. |
| 1127 | |
| 1128 | - Add support for default stack-protector flag |
| 1129 | |
| 1130 | - spd: opteed: Enable NS_TIMER_SWITCH |
| 1131 | |
| 1132 | - plat/arm: Skip BL2U if RESET_TO_SP_MIN flag is set |
| 1133 | |
| 1134 | - Add new build option to let each platform select which implementation of spinlocks |
| 1135 | it wants to use |
| 1136 | |
| 1137 | - CPU Support |
| 1138 | - DSU: Workaround for erratum 798953 and 936184 |
| 1139 | |
| 1140 | - Neoverse N1: Force cacheable atomic to near atomic |
| 1141 | - Neoverse N1: Workaround for erratum 1073348, 1130799, 1165347, 1207823, |
| 1142 | 1220197, 1257314, 1262606, 1262888, 1275112, 1315703, 1542419 |
| 1143 | |
| 1144 | - Neoverse Zeus: Apply the MSR SSBS instruction |
| 1145 | |
laurenw-arm | 3900903 | 2019-10-23 15:39:31 -0500 | [diff] [blame] | 1146 | - cortex-Hercules/HerculesAE: Support added for Cortex-Hercules and |
| 1147 | Cortex-HerculesAE CPUs |
| 1148 | - cortex-Hercules/HerculesAE: Enable AMU for Cortex-Hercules and Cortex-HerculesAE |
| 1149 | |
laurenw-arm | 77caea2 | 2019-10-11 14:10:09 -0500 | [diff] [blame] | 1150 | - cortex-a76AE: Support added for Cortex-A76AE CPU |
| 1151 | - cortex-a76: Workaround for erratum 1257314, 1262606, 1262888, 1275112, |
| 1152 | 1286807 |
| 1153 | |
| 1154 | - cortex-a65/a65AE: Support added for Cortex-A65 and Cortex-A65AE CPUs |
| 1155 | - cortex-a65: Enable AMU for Cortex-A65 |
| 1156 | |
| 1157 | - cortex-a55: Workaround for erratum 1221012 |
| 1158 | |
| 1159 | - cortex-a35: Workaround for erratum 855472 |
| 1160 | |
| 1161 | - cortex-a9: Workaround for erratum 794073 |
| 1162 | |
| 1163 | - Drivers |
| 1164 | - console: Allow the console to register multiple times |
| 1165 | |
| 1166 | - delay: Timeout detection support |
| 1167 | |
| 1168 | - gicv3: Enabled multi-socket GIC redistributor frame discovery and migrated |
| 1169 | ARM platforms to the new API |
Louis Mayencourt | a5bb389 | 2020-03-27 11:49:20 +0000 | [diff] [blame] | 1170 | |
laurenw-arm | 77caea2 | 2019-10-11 14:10:09 -0500 | [diff] [blame] | 1171 | - Adds ``gicv3_rdistif_probe`` function that delegates the responsibility |
| 1172 | of discovering the corresponding redistributor base frame to each CPU |
| 1173 | itself. |
| 1174 | |
| 1175 | - sbsa: Add SBSA watchdog driver |
| 1176 | |
| 1177 | - st/stm32_hash: Add HASH driver |
| 1178 | |
| 1179 | - ti/uart: Add an AArch32 variant |
| 1180 | |
| 1181 | - Library at ROM (romlib) |
| 1182 | - Introduce BTI support in Library at ROM (romlib) |
| 1183 | |
| 1184 | - New Platforms Support |
| 1185 | - amlogic: g12a: New platform support added for the S905X2 (G12A) platform |
| 1186 | - amlogic: meson/gxl: New platform support added for Amlogic Meson |
| 1187 | S905x (GXL) |
| 1188 | |
| 1189 | - arm/a5ds: New platform support added for A5 DesignStart |
| 1190 | |
| 1191 | - arm/corstone: New platform support added for Corstone-700 |
| 1192 | |
| 1193 | - intel: New platform support added for Agilex |
| 1194 | |
| 1195 | - mediatek: New platform support added for MediaTek mt8183 |
| 1196 | |
| 1197 | - qemu/qemu_sbsa: New platform support added for QEMU SBSA platform |
| 1198 | |
| 1199 | - renesas/rcar_gen3: plat: New platform support added for D3 |
| 1200 | |
| 1201 | - rockchip: New platform support added for px30 |
| 1202 | - rockchip: New platform support added for rk3288 |
| 1203 | |
| 1204 | - rpi: New platform support added for Raspberry Pi 4 |
| 1205 | |
| 1206 | - Platforms |
| 1207 | - arm/common: Introduce wrapper functions to setup secure watchdog |
| 1208 | |
| 1209 | - arm/fvp: Add Delay Timer driver to BL1 and BL31 and option for defining |
| 1210 | platform DRAM2 base |
| 1211 | - arm/fvp: Add Linux DTS files for 32 bit threaded FVPs |
| 1212 | |
| 1213 | - arm/n1sdp: Add code for DDR ECC enablement and BL33 copy to DDR, Initialise CNTFRQ |
| 1214 | in Non Secure CNTBaseN |
| 1215 | |
| 1216 | - arm/juno: Use shared mbedtls heap between BL1 and BL2 and add basic support for |
| 1217 | dynamic config |
| 1218 | |
| 1219 | - imx: Basic support for PicoPi iMX7D, rdc module init, caam module init, |
| 1220 | aipstz init, IMX_SIP_GET_SOC_INFO, IMX_SIP_BUILDINFO added |
| 1221 | |
| 1222 | - intel: Add ncore ccu driver |
| 1223 | |
| 1224 | - mediatek/mt81*: Use new bl31_params_parse() helper |
| 1225 | |
| 1226 | - nvidia: tegra: Add support for multi console interface |
| 1227 | |
| 1228 | - qemu/qemu_sbsa: Adding memory mapping for both FLASH0/FLASH1 |
| 1229 | - qemu: Added gicv3 support, new console interface in AArch32, and sub-platforms |
| 1230 | |
| 1231 | - renesas/rcar_gen3: plat: Add R-Car V3M support, new board revision for H3ULCB, DBSC4 |
| 1232 | setting before self-refresh mode |
| 1233 | |
| 1234 | - socionext/uniphier: Support console based on multi-console |
| 1235 | |
| 1236 | - st: stm32mp1: Add OP-TEE, Avenger96, watchdog, LpDDR3, authentication support |
| 1237 | and general SYSCFG management |
| 1238 | |
| 1239 | - ti/k3: common: Add support for J721E, Use coherent memory for shared data, Trap all |
| 1240 | asynchronous bus errors to EL3 |
| 1241 | |
| 1242 | - xilinx/zynqmp: Add support for multi console interface, Initialize IPI table from |
| 1243 | zynqmp_config_setup() |
| 1244 | |
| 1245 | - PSCI |
| 1246 | - Adding new optional PSCI hook ``pwr_domain_on_finish_late`` |
| 1247 | - This PSCI hook ``pwr_domain_on_finish_late`` is similar to |
| 1248 | ``pwr_domain_on_finish`` but is guaranteed to be invoked when the |
| 1249 | respective core and cluster are participating in coherency. |
| 1250 | |
| 1251 | - Security |
| 1252 | - Speculative Store Bypass Safe (SSBS): Further enhance protection against Spectre |
| 1253 | variant 4 by disabling speculative loads/stores (SPSR.SSBS bit) by default. |
| 1254 | |
| 1255 | - UBSAN support and handlers |
| 1256 | - Adds support for the Undefined Behaviour sanitizer. There are two types of |
| 1257 | support offered - minimalistic trapping support which essentially immediately |
| 1258 | crashes on undefined behaviour and full support with full debug messages. |
| 1259 | |
| 1260 | - Tools |
| 1261 | - cert_create: Add support for bigger RSA key sizes (3KB and 4KB), |
| 1262 | previously the maximum size was 2KB. |
| 1263 | |
| 1264 | - fiptool: Add support to build fiptool on Windows. |
| 1265 | |
| 1266 | |
| 1267 | Changed |
| 1268 | ^^^^^^^ |
| 1269 | |
| 1270 | - Architecture |
| 1271 | - Refactor ARMv8.3 Pointer Authentication support code |
| 1272 | |
| 1273 | - backtrace: Strip PAC field when PAUTH is enabled |
| 1274 | |
| 1275 | - Prettify crash reporting output on AArch64. |
| 1276 | |
| 1277 | - Rework smc_unknown return code path in smc_handler |
| 1278 | - Leverage the existing ``el3_exit()`` return routine for smc_unknown return |
| 1279 | path rather than a custom set of instructions. |
| 1280 | |
| 1281 | - BL-Specific |
| 1282 | - Invalidate dcache build option for BL2 entry at EL3 |
| 1283 | |
| 1284 | - Add missing support for BL2_AT_EL3 in XIP memory |
| 1285 | |
| 1286 | - Boot Flow |
| 1287 | - Add helper to parse BL31 parameters (both versions) |
| 1288 | |
| 1289 | - Factor out cross-BL API into export headers suitable for 3rd party code |
| 1290 | |
| 1291 | - Introduce lightweight BL platform parameter library |
| 1292 | |
| 1293 | - Drivers |
| 1294 | - auth: Memory optimization for Chain of Trust (CoT) description |
| 1295 | |
| 1296 | - bsec: Move bsec_mode_is_closed_device() service to platform |
| 1297 | |
| 1298 | - cryptocell: Move Cryptocell specific API into driver |
| 1299 | |
| 1300 | - gicv3: Prevent pending G1S interrupt from becoming G0 interrupt |
| 1301 | |
| 1302 | - mbedtls: Remove weak heap implementation |
| 1303 | |
| 1304 | - mmc: Increase delay between ACMD41 retries |
| 1305 | - mmc: stm32_sdmmc2: Correctly manage block size |
| 1306 | - mmc: stm32_sdmmc2: Manage max-frequency property from DT |
| 1307 | |
| 1308 | - synopsys/emmc: Do not change FIFO TH as this breaks some platforms |
| 1309 | - synopsys: Update synopsys drivers to not rely on undefined overflow behaviour |
| 1310 | |
| 1311 | - ufs: Extend the delay after reset to wait for some slower chips |
| 1312 | |
| 1313 | - Platforms |
| 1314 | - amlogic/meson/gxl: Remove BL2 dependency from BL31 |
| 1315 | |
| 1316 | - arm/common: Shorten the Firmware Update (FWU) process |
| 1317 | |
| 1318 | - arm/fvp: Remove GIC initialisation from secondary core cold boot |
| 1319 | |
| 1320 | - arm/sgm: Temporarily disable shared Mbed TLS heap for SGM |
| 1321 | |
| 1322 | - hisilicon: Update hisilicon drivers to not rely on undefined overflow behaviour |
| 1323 | |
| 1324 | - imx: imx8: Replace PLAT_IMX8* with PLAT_imx8*, remove duplicated linker symbols and |
| 1325 | deprecated code include, keep only IRQ 32 unmasked, enable all power domain by default |
| 1326 | |
| 1327 | - marvell: Prevent SError accessing PCIe link, Switch to xlat_tables_v2, do not rely on |
| 1328 | argument passed via smc, make sure that comphy init will use correct address |
| 1329 | |
| 1330 | - mediatek: mt8173: Refactor RTC and PMIC drivers |
| 1331 | - mediatek: mt8173: Apply MULTI_CONSOLE framework |
| 1332 | |
| 1333 | - nvidia: Tegra: memctrl_v2: fix "overflow before widen" coverity issue |
| 1334 | |
| 1335 | - qemu: Simplify the image size calculation, Move and generalise FDT PSCI fixup, move |
| 1336 | gicv2 codes to separate file |
| 1337 | |
| 1338 | - renesas/rcar_gen3: Convert to multi-console API, update QoS setting, Update IPL and |
| 1339 | Secure Monitor Rev2.0.4, Change to restore timer counter value at resume, Update DDR |
| 1340 | setting rev.0.35, qos: change subslot cycle, Change periodic write DQ training option. |
| 1341 | |
| 1342 | - rockchip: Allow SOCs with undefined wfe check bits, Streamline and complete UARTn_BASE |
| 1343 | macros, drop rockchip-specific imported linker symbols for bl31, Disable binary generation |
| 1344 | for all SOCs, Allow console device to be set by DTB, Use new bl31_params_parse functions |
| 1345 | |
| 1346 | - rpi/rpi3: Move shared rpi3 files into common directory |
| 1347 | |
| 1348 | - socionext/uniphier: Set CONSOLE_FLAG_TRANSLATE_CRLF and clean up console driver |
| 1349 | - socionext/uniphier: Replace DIV_ROUND_UP() with div_round_up() from utils_def.h |
| 1350 | |
| 1351 | - st/stm32mp: Split stm32mp_io_setup function, move stm32_get_gpio_bank_clock() to private |
| 1352 | file, correctly handle Clock Spreading Generator, move oscillator functions to generic file, |
| 1353 | realign device tree files with internal devs, enable RTCAPB clock for dual-core chips, use a |
| 1354 | common function to check spinlock is available, move check_header() to common code |
| 1355 | |
| 1356 | - ti/k3: Enable SEPARATE_CODE_AND_RODATA by default, Remove shared RAM space, |
| 1357 | Drop _ADDRESS from K3_USART_BASE to match other defines, Remove MSMC port |
| 1358 | definitions, Allow USE_COHERENT_MEM for K3, Set L2 latency on A72 cores |
| 1359 | |
| 1360 | - PSCI |
| 1361 | - PSCI: Lookup list of parent nodes to lock only once |
| 1362 | |
| 1363 | - Secure Partition Manager (SPM): SPCI Prototype |
| 1364 | - Fix service UUID lookup |
| 1365 | |
| 1366 | - Adjust size of virtual address space per partition |
| 1367 | |
| 1368 | - Refactor xlat context creation |
| 1369 | |
| 1370 | - Move shim layer to TTBR1_EL1 |
| 1371 | |
| 1372 | - Ignore empty regions in resource description |
| 1373 | |
| 1374 | - Security |
| 1375 | - Refactor SPSR initialisation code |
| 1376 | |
| 1377 | - SMMUv3: Abort DMA transactions |
| 1378 | - For security DMA should be blocked at the SMMU by default unless explicitly |
| 1379 | enabled for a device. SMMU is disabled after reset with all streams bypassing |
| 1380 | the SMMU, and abortion of all incoming transactions implements a default deny |
| 1381 | policy on reset. |
| 1382 | - Moves ``bl1_platform_setup()`` function from arm_bl1_setup.c to FVP platforms' |
| 1383 | fvp_bl1_setup.c and fvp_ve_bl1_setup.c files. |
| 1384 | |
| 1385 | - Tools |
| 1386 | - cert_create: Remove RSA PKCS#1 v1.5 support |
| 1387 | |
| 1388 | |
| 1389 | Resolved Issues |
| 1390 | ^^^^^^^^^^^^^^^ |
| 1391 | |
| 1392 | - Architecture |
| 1393 | - Fix the CAS spinlock implementation by adding a missing DSB in ``spin_unlock()`` |
| 1394 | |
| 1395 | - AArch64: Fix SCTLR bit definitions |
| 1396 | - Removes incorrect ``SCTLR_V_BIT`` definition and adds definitions for |
| 1397 | ARMv8.3-Pauth `EnIB`, `EnDA` and `EnDB` bits. |
| 1398 | |
| 1399 | - Fix restoration of PAuth context |
| 1400 | - Replace call to ``pauth_context_save()`` with ``pauth_context_restore()`` in |
| 1401 | case of unknown SMC call. |
| 1402 | |
| 1403 | - BL-Specific Issues |
| 1404 | - Fix BL31 crash reporting on AArch64 only platforms |
| 1405 | |
| 1406 | - Build System |
| 1407 | - Remove several warnings reported with W=2 and W=1 |
| 1408 | |
| 1409 | - Code Quality Issues |
| 1410 | - SCTLR and ACTLR are 32-bit for AArch32 and 64-bit for AArch64 |
| 1411 | - Unify type of "cpu_idx" across PSCI module. |
| 1412 | - Assert if power level value greater then PSCI_INVALID_PWR_LVL |
| 1413 | - Unsigned long should not be used as per coding guidelines |
| 1414 | - Reduce the number of memory leaks in cert_create |
| 1415 | - Fix type of cot_desc_ptr |
| 1416 | - Use explicit-width data types in AAPCS parameter structs |
| 1417 | - Add python configuration for editorconfig |
| 1418 | - BL1: Fix type consistency |
| 1419 | |
| 1420 | - Enable -Wshift-overflow=2 to check for undefined shift behavior |
| 1421 | - Updated upstream platforms to not rely on undefined overflow behaviour |
| 1422 | |
| 1423 | - Coverity Quality Issues |
| 1424 | - Remove GGC ignore -Warray-bounds |
| 1425 | - Fix Coverity #261967, Infinite loop |
| 1426 | - Fix Coverity #343017, Missing unlock |
| 1427 | - Fix Coverity #343008, Side affect in assertion |
| 1428 | - Fix Coverity #342970, Uninitialized scalar variable |
| 1429 | |
| 1430 | - CPU Support |
| 1431 | - cortex-a12: Fix MIDR mask |
| 1432 | |
| 1433 | - Drivers |
| 1434 | - console: Remove Arm console unregister on suspend |
| 1435 | |
| 1436 | - gicv3: Fix support for full SPI range |
| 1437 | |
| 1438 | - scmi: Fix wrong payload length |
| 1439 | |
| 1440 | - Library Code |
| 1441 | - libc: Fix sparse warning for __assert() |
| 1442 | |
| 1443 | - libc: Fix memchr implementation |
| 1444 | |
| 1445 | - Platforms |
| 1446 | - rpi: rpi3: Fix compilation error when stack protector is enabled |
| 1447 | |
| 1448 | - socionext/uniphier: Fix compilation fail for SPM support build config |
| 1449 | |
| 1450 | - st/stm32mp1: Fix TZC400 configuration against non-secure DDR |
| 1451 | |
| 1452 | - ti/k3: common: Fix RO data area size calculation |
| 1453 | |
| 1454 | - Security |
| 1455 | - AArch32: Disable Secure Cycle Counter |
| 1456 | - Changes the implementation for disabling Secure Cycle Counter. |
| 1457 | For ARMv8.5 the counter gets disabled by setting ``SDCR.SCCD`` bit on |
| 1458 | CPU cold/warm boot. For the earlier architectures PMCR register is |
| 1459 | saved/restored on secure world entry/exit from/to Non-secure state, |
| 1460 | and cycle counting gets disabled by setting PMCR.DP bit. |
| 1461 | - AArch64: Disable Secure Cycle Counter |
| 1462 | - For ARMv8.5 the counter gets disabled by setting ``MDCR_El3.SCCD`` bit on |
| 1463 | CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is |
| 1464 | saved/restored on secure world entry/exit from/to Non-secure state, |
| 1465 | and cycle counting gets disabled by setting PMCR_EL0.DP bit. |
| 1466 | |
| 1467 | Deprecations |
| 1468 | ^^^^^^^^^^^^ |
| 1469 | |
| 1470 | - Common Code |
| 1471 | - Remove MULTI_CONSOLE_API flag and references to it |
| 1472 | |
| 1473 | - Remove deprecated `plat_crash_console_*` |
| 1474 | |
| 1475 | - Remove deprecated interfaces `get_afflvl_shift`, `mpidr_mask_lower_afflvls`, `eret` |
| 1476 | |
| 1477 | - AARCH32/AARCH64 macros are now deprecated in favor of ``__aarch64__`` |
| 1478 | |
| 1479 | - ``__ASSEMBLY__`` macro is now deprecated in favor of ``__ASSEMBLER__`` |
| 1480 | |
| 1481 | - Drivers |
| 1482 | - console: Removed legacy console API |
| 1483 | - console: Remove deprecated finish_console_register |
| 1484 | |
| 1485 | - tzc: Remove deprecated types `tzc_action_t` and `tzc_region_attributes_t` |
| 1486 | |
| 1487 | - Secure Partition Manager (SPM): |
| 1488 | - Prototype SPCI-based SPM (services/std_svc/spm) will be replaced with alternative |
| 1489 | methods of secure partitioning support. |
| 1490 | |
| 1491 | Known Issues |
| 1492 | ^^^^^^^^^^^^ |
| 1493 | |
| 1494 | - Build System Issues |
| 1495 | - dtb: DTB creation not supported when building on a Windows host. |
| 1496 | |
| 1497 | This step in the build process is skipped when running on a Windows host. A |
| 1498 | known issue from the 1.6 release. |
| 1499 | |
| 1500 | - Platform Issues |
| 1501 | - arm/juno: System suspend from Linux does not function as documented in the |
| 1502 | user guide |
| 1503 | |
| 1504 | Following the instructions provided in the user guide document does not |
| 1505 | result in the platform entering system suspend state as expected. A message |
| 1506 | relating to the hdlcd driver failing to suspend will be emitted on the |
| 1507 | Linux terminal. |
| 1508 | |
| 1509 | - mediatek/mt6795: This platform does not build in this release |
| 1510 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1511 | Version 2.1 |
| 1512 | ----------- |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1513 | |
| 1514 | New Features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1515 | ^^^^^^^^^^^^ |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1516 | |
| 1517 | - Architecture |
| 1518 | - Support for ARMv8.3 pointer authentication in the normal and secure worlds |
| 1519 | |
| 1520 | The use of pointer authentication in the normal world is enabled whenever |
| 1521 | architectural support is available, without the need for additional build |
| 1522 | flags. |
| 1523 | |
| 1524 | Use of pointer authentication in the secure world remains an |
| 1525 | experimental configuration at this time. Using both the ``ENABLE_PAUTH`` |
| 1526 | and ``CTX_INCLUDE_PAUTH_REGS`` build flags, pointer authentication can be |
| 1527 | enabled in EL3 and S-EL1/0. |
| 1528 | |
Paul Beesley | 3476095 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 1529 | See the :ref:`Firmware Design` document for additional details on the use |
| 1530 | of pointer authentication. |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1531 | |
| 1532 | - Enable Data Independent Timing (DIT) in EL3, where supported |
| 1533 | |
| 1534 | - Build System |
| 1535 | - Support for BL-specific build flags |
| 1536 | |
| 1537 | - Support setting compiler target architecture based on ``ARM_ARCH_MINOR`` |
| 1538 | build option. |
| 1539 | |
| 1540 | - New ``RECLAIM_INIT_CODE`` build flag: |
| 1541 | |
| 1542 | A significant amount of the code used for the initialization of BL31 is |
| 1543 | not needed again after boot time. In order to reduce the runtime memory |
| 1544 | footprint, the memory used for this code can be reclaimed after |
| 1545 | initialization. |
| 1546 | |
| 1547 | Certain boot-time functions were marked with the ``__init`` attribute to |
| 1548 | enable this reclamation. |
| 1549 | |
| 1550 | - CPU Support |
| 1551 | - cortex-a76: Workaround for erratum 1073348 |
| 1552 | - cortex-a76: Workaround for erratum 1220197 |
| 1553 | - cortex-a76: Workaround for erratum 1130799 |
| 1554 | |
| 1555 | - cortex-a75: Workaround for erratum 790748 |
| 1556 | - cortex-a75: Workaround for erratum 764081 |
| 1557 | |
| 1558 | - cortex-a73: Workaround for erratum 852427 |
| 1559 | - cortex-a73: Workaround for erratum 855423 |
| 1560 | |
| 1561 | - cortex-a57: Workaround for erratum 817169 |
| 1562 | - cortex-a57: Workaround for erratum 814670 |
| 1563 | |
| 1564 | - cortex-a55: Workaround for erratum 903758 |
| 1565 | - cortex-a55: Workaround for erratum 846532 |
| 1566 | - cortex-a55: Workaround for erratum 798797 |
| 1567 | - cortex-a55: Workaround for erratum 778703 |
| 1568 | - cortex-a55: Workaround for erratum 768277 |
| 1569 | |
| 1570 | - cortex-a53: Workaround for erratum 819472 |
| 1571 | - cortex-a53: Workaround for erratum 824069 |
| 1572 | - cortex-a53: Workaround for erratum 827319 |
| 1573 | |
| 1574 | - cortex-a17: Workaround for erratum 852423 |
| 1575 | - cortex-a17: Workaround for erratum 852421 |
| 1576 | |
| 1577 | - cortex-a15: Workaround for erratum 816470 |
| 1578 | - cortex-a15: Workaround for erratum 827671 |
| 1579 | |
| 1580 | - Documentation |
| 1581 | - Exception Handling Framework documentation |
| 1582 | |
| 1583 | - Library at ROM (romlib) documentation |
| 1584 | |
| 1585 | - RAS framework documentation |
| 1586 | |
| 1587 | - Coding Guidelines document |
| 1588 | |
| 1589 | - Drivers |
| 1590 | - ccn: Add API for setting and reading node registers |
| 1591 | - Adds ``ccn_read_node_reg`` function |
| 1592 | - Adds ``ccn_write_node_reg`` function |
| 1593 | |
| 1594 | - partition: Support MBR partition entries |
| 1595 | |
| 1596 | - scmi: Add ``plat_css_get_scmi_info`` function |
| 1597 | |
| 1598 | Adds a new API ``plat_css_get_scmi_info`` which lets the platform |
| 1599 | register a platform-specific instance of ``scmi_channel_plat_info_t`` and |
| 1600 | remove the default values |
| 1601 | |
Paul Beesley | bf32bc9 | 2019-03-29 10:14:56 +0000 | [diff] [blame] | 1602 | - tzc380: Add TZC-380 TrustZone Controller driver |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1603 | |
| 1604 | - tzc-dmc620: Add driver to manage the TrustZone Controller within the |
| 1605 | DMC-620 Dynamic Memory Controller |
| 1606 | |
| 1607 | - Library at ROM (romlib) |
| 1608 | - Add platform-specific jump table list |
| 1609 | |
| 1610 | - Allow patching of romlib functions |
| 1611 | |
| 1612 | This change allows patching of functions in the romlib. This can be done by |
| 1613 | adding "patch" at the end of the jump table entry for the function that |
| 1614 | needs to be patched in the file jmptbl.i. |
| 1615 | |
| 1616 | - Library Code |
| 1617 | - Support non-LPAE-enabled MMU tables in AArch32 |
| 1618 | |
| 1619 | - mmio: Add ``mmio_clrsetbits_16`` function |
| 1620 | - 16-bit variant of ``mmio_clrsetbits`` |
| 1621 | |
| 1622 | - object_pool: Add Object Pool Allocator |
| 1623 | - Manages object allocation using a fixed-size static array |
| 1624 | - Adds ``pool_alloc`` and ``pool_alloc_n`` functions |
| 1625 | - Does not provide any functions to free allocated objects (by design) |
| 1626 | |
| 1627 | - libc: Added ``strlcpy`` function |
| 1628 | |
| 1629 | - libc: Import ``strrchr`` function from FreeBSD |
| 1630 | |
| 1631 | - xlat_tables: Add support for ARMv8.4-TTST |
| 1632 | |
| 1633 | - xlat_tables: Support mapping regions without an explicitly specified VA |
| 1634 | |
| 1635 | - Math |
| 1636 | - Added softudiv macro to support software division |
| 1637 | |
| 1638 | - Memory Partitioning And Monitoring (MPAM) |
| 1639 | - Enabled MPAM EL2 traps (``MPAMHCR_EL2`` and ``MPAM_EL2``) |
| 1640 | |
| 1641 | - Platforms |
| 1642 | - amlogic: Add support for Meson S905 (GXBB) |
| 1643 | |
| 1644 | - arm/fvp_ve: Add support for FVP Versatile Express platform |
| 1645 | |
| 1646 | - arm/n1sdp: Add support for Neoverse N1 System Development platform |
| 1647 | |
| 1648 | - arm/rde1edge: Add support for Neoverse E1 platform |
| 1649 | |
| 1650 | - arm/rdn1edge: Add support for Neoverse N1 platform |
| 1651 | |
| 1652 | - arm: Add support for booting directly to Linux without an intermediate |
| 1653 | loader (AArch32) |
| 1654 | |
| 1655 | - arm/juno: Enable new CPU errata workarounds for A53 and A57 |
| 1656 | |
| 1657 | - arm/juno: Add romlib support |
| 1658 | |
| 1659 | Building a combined BL1 and ROMLIB binary file with the correct page |
| 1660 | alignment is now supported on the Juno platform. When ``USE_ROMLIB`` is set |
| 1661 | for Juno, it generates the combined file ``bl1_romlib.bin`` which needs to |
| 1662 | be used instead of bl1.bin. |
| 1663 | |
| 1664 | - intel/stratix: Add support for Intel Stratix 10 SoC FPGA platform |
| 1665 | |
| 1666 | - marvell: Add support for Armada-37xx SoC platform |
| 1667 | |
| 1668 | - nxp: Add support for i.MX8M and i.MX7 Warp7 platforms |
| 1669 | |
| 1670 | - renesas: Add support for R-Car Gen3 platform |
| 1671 | |
| 1672 | - xilinx: Add support for Versal ACAP platforms |
| 1673 | |
| 1674 | - Position-Independent Executable (PIE) |
| 1675 | |
| 1676 | PIE support has initially been added to BL31. The ``ENABLE_PIE`` build flag is |
| 1677 | used to enable or disable this functionality as required. |
| 1678 | |
| 1679 | - Secure Partition Manager |
Paul Beesley | bf32bc9 | 2019-03-29 10:14:56 +0000 | [diff] [blame] | 1680 | - New SPM implementation based on SPCI Alpha 1 draft specification |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1681 | |
Paul Beesley | bf32bc9 | 2019-03-29 10:14:56 +0000 | [diff] [blame] | 1682 | A new version of SPM has been implemented, based on the SPCI (Secure |
| 1683 | Partition Client Interface) and SPRT (Secure Partition Runtime) draft |
| 1684 | specifications. |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1685 | |
| 1686 | The new implementation is a prototype that is expected to undergo intensive |
| 1687 | rework as the specifications change. It has basic support for multiple |
| 1688 | Secure Partitions and Resource Descriptions. |
| 1689 | |
Paul Beesley | bf32bc9 | 2019-03-29 10:14:56 +0000 | [diff] [blame] | 1690 | The older version of SPM, based on MM (ARM Management Mode Interface |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1691 | Specification), is still present in the codebase. A new build flag, |
| 1692 | ``SPM_MM`` has been added to allow selection of the desired implementation. |
| 1693 | This flag defaults to 1, selecting the MM-based implementation. |
| 1694 | |
| 1695 | - Security |
| 1696 | - Spectre Variant-1 mitigations (``CVE-2017-5753``) |
| 1697 | |
| 1698 | - Use Speculation Store Bypass Safe (SSBS) functionality where available |
| 1699 | |
| 1700 | Provides mitigation against ``CVE-2018-19440`` (Not saving x0 to x3 |
| 1701 | registers can leak information from one Normal World SMC client to another) |
| 1702 | |
| 1703 | |
| 1704 | Changed |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1705 | ^^^^^^^ |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1706 | |
| 1707 | - Build System |
| 1708 | - Warning levels are now selectable with ``W=<1,2,3>`` |
| 1709 | |
| 1710 | - Removed unneeded include paths in PLAT_INCLUDES |
| 1711 | |
| 1712 | - "Warnings as errors" (Werror) can be disabled using ``E=0`` |
| 1713 | |
| 1714 | - Support totally quiet output with ``-s`` flag |
| 1715 | |
| 1716 | - Support passing options to checkpatch using ``CHECKPATCH_OPTS=<opts>`` |
| 1717 | |
| 1718 | - Invoke host compiler with ``HOSTCC / HOSTCCFLAGS`` instead of ``CC / CFLAGS`` |
| 1719 | |
| 1720 | - Make device tree pre-processing similar to U-boot/Linux by: |
| 1721 | - Creating separate ``CPPFLAGS`` for DT preprocessing so that compiler |
| 1722 | options specific to it can be accommodated. |
| 1723 | - Replacing ``CPP`` with ``PP`` for DT pre-processing |
| 1724 | |
| 1725 | - CPU Support |
| 1726 | - Errata report function definition is now mandatory for CPU support files |
| 1727 | |
| 1728 | CPU operation files must now define a ``<name>_errata_report`` function to |
| 1729 | print errata status. This is no longer a weak reference. |
| 1730 | |
| 1731 | - Documentation |
| 1732 | - Migrated some content from GitHub wiki to ``docs/`` directory |
| 1733 | |
| 1734 | - Security advisories now have CVE links |
| 1735 | |
| 1736 | - Updated copyright guidelines |
| 1737 | |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1738 | - Drivers |
| 1739 | - console: The ``MULTI_CONSOLE_API`` framework has been rewritten in C |
Paul Beesley | bf32bc9 | 2019-03-29 10:14:56 +0000 | [diff] [blame] | 1740 | |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1741 | - console: Ported multi-console driver to AArch32 |
| 1742 | |
| 1743 | - gic: Remove 'lowest priority' constants |
| 1744 | |
| 1745 | Removed ``GIC_LOWEST_SEC_PRIORITY`` and ``GIC_LOWEST_NS_PRIORITY``. |
| 1746 | Platforms should define these if required, or instead determine the correct |
| 1747 | priority values at runtime. |
| 1748 | |
| 1749 | - delay_timer: Check that the Generic Timer extension is present |
| 1750 | |
| 1751 | - mmc: Increase command reply timeout to 10 milliseconds |
| 1752 | |
| 1753 | - mmc: Poll eMMC device status to ensure ``EXT_CSD`` command completion |
| 1754 | |
| 1755 | - mmc: Correctly check return code from ``mmc_fill_device_info`` |
| 1756 | |
| 1757 | - External Libraries |
| 1758 | |
| 1759 | - libfdt: Upgraded from 1.4.2 to 1.4.6-9 |
| 1760 | |
| 1761 | - mbed TLS: Upgraded from 2.12 to 2.16 |
| 1762 | |
| 1763 | This change incorporates fixes for security issues that should be reviewed |
| 1764 | to determine if they are relevant for software implementations using |
| 1765 | Trusted Firmware-A. See the `mbed TLS releases`_ page for details on |
| 1766 | changes from the 2.12 to the 2.16 release. |
| 1767 | |
| 1768 | - Library Code |
| 1769 | - compiler-rt: Updated ``lshrdi3.c`` and ``int_lib.h`` with changes from |
| 1770 | LLVM master branch (r345645) |
| 1771 | |
| 1772 | - cpu: Updated macro that checks need for ``CVE-2017-5715`` mitigation |
| 1773 | |
| 1774 | - libc: Made setjmp and longjmp C standard compliant |
| 1775 | |
| 1776 | - libc: Allowed overriding the default libc (use ``OVERRIDE_LIBC``) |
| 1777 | |
| 1778 | - libc: Moved setjmp and longjmp to the ``libc/`` directory |
| 1779 | |
| 1780 | - Platforms |
| 1781 | - Removed Mbed TLS dependency from plat_bl_common.c |
| 1782 | |
| 1783 | - arm: Removed unused ``ARM_MAP_BL_ROMLIB`` macro |
| 1784 | |
| 1785 | - arm: Removed ``ARM_BOARD_OPTIMISE_MEM`` feature and build flag |
| 1786 | |
| 1787 | - arm: Moved several components into ``drivers/`` directory |
| 1788 | |
| 1789 | This affects the SDS, SCP, SCPI, MHU and SCMI components |
| 1790 | |
| 1791 | - arm/juno: Increased maximum BL2 image size to ``0xF000`` |
| 1792 | |
| 1793 | This change was required to accommodate a larger ``libfdt`` library |
| 1794 | |
| 1795 | - SCMI |
| 1796 | - Optimized bakery locks when hardware-assisted coherency is enabled using the |
| 1797 | ``HW_ASSISTED_COHERENCY`` build flag |
| 1798 | |
| 1799 | - SDEI |
| 1800 | - Added support for unconditionally resuming secure world execution after |
Paul Beesley | 8f62ca7 | 2019-03-13 13:58:02 +0000 | [diff] [blame] | 1801 | |SDEI| event processing completes |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1802 | |
Paul Beesley | 8f62ca7 | 2019-03-13 13:58:02 +0000 | [diff] [blame] | 1803 | |SDEI| interrupts, although targeting EL3, occur on behalf of the non-secure |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1804 | world, and may have higher priority than secure world |
| 1805 | interrupts. Therefore they might preempt secure execution and yield |
Paul Beesley | 8f62ca7 | 2019-03-13 13:58:02 +0000 | [diff] [blame] | 1806 | execution to the non-secure |SDEI| handler. Upon completion of |SDEI| event |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1807 | handling, resume secure execution if it was preempted. |
| 1808 | |
| 1809 | - Translation Tables (XLAT) |
| 1810 | - Dynamically detect need for ``Common not Private (TTBRn_ELx.CnP)`` bit |
| 1811 | |
| 1812 | Properly handle the case where ``ARMv8.2-TTCNP`` is implemented in a CPU |
| 1813 | that does not implement all mandatory v8.2 features (and so must claim to |
| 1814 | implement a lower architecture version). |
| 1815 | |
| 1816 | |
| 1817 | Resolved Issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1818 | ^^^^^^^^^^^^^^^ |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1819 | |
| 1820 | - Architecture |
| 1821 | - Incorrect check for SSBS feature detection |
| 1822 | |
| 1823 | - Unintentional register clobber in AArch32 reset_handler function |
| 1824 | |
| 1825 | - Build System |
| 1826 | - Dependency issue during DTB image build |
| 1827 | |
| 1828 | - Incorrect variable expansion in Arm platform makefiles |
| 1829 | |
| 1830 | - Building on Windows with verbose mode (``V=1``) enabled is broken |
| 1831 | |
| 1832 | - AArch32 compilation flags is missing ``$(march32-directive)`` |
| 1833 | |
| 1834 | - BL-Specific Issues |
| 1835 | - bl2: ``uintptr_t is not defined`` error when ``BL2_IN_XIP_MEM`` is defined |
| 1836 | |
| 1837 | - bl2: Missing prototype warning in ``bl2_arch_setup`` |
| 1838 | |
| 1839 | - bl31: Omission of Global Offset Table (GOT) section |
| 1840 | |
| 1841 | - Code Quality Issues |
| 1842 | - Multiple MISRA compliance issues |
| 1843 | |
| 1844 | - Potential NULL pointer dereference (Coverity-detected) |
| 1845 | |
| 1846 | - Drivers |
| 1847 | - mmc: Local declaration of ``scr`` variable causes a cache issue when |
| 1848 | invalidating after the read DMA transfer completes |
| 1849 | |
| 1850 | - mmc: ``ACMD41`` does not send voltage information during initialization, |
| 1851 | resulting in the command being treated as a query. This prevents the |
| 1852 | command from initializing the controller. |
| 1853 | |
| 1854 | - mmc: When checking device state using ``mmc_device_state()`` there are no |
| 1855 | retries attempted in the event of an error |
| 1856 | |
| 1857 | - ccn: Incorrect Region ID calculation for RN-I nodes |
| 1858 | |
| 1859 | - console: ``Fix MULTI_CONSOLE_API`` when used as a crash console |
| 1860 | |
| 1861 | - partition: Improper NULL checking in gpt.c |
| 1862 | |
| 1863 | - partition: Compilation failure in ``VERBOSE`` mode (``V=1``) |
| 1864 | |
| 1865 | - Library Code |
| 1866 | - common: Incorrect check for Address Authentication support |
| 1867 | |
| 1868 | - xlat: Fix XLAT_V1 / XLAT_V2 incompatibility |
| 1869 | |
| 1870 | The file ``arm_xlat_tables.h`` has been renamed to ``xlat_tables_compat.h`` |
| 1871 | and has been moved to a common folder. This header can be used to guarantee |
| 1872 | compatibility, as it includes the correct header based on |
| 1873 | ``XLAT_TABLES_LIB_V2``. |
| 1874 | |
| 1875 | - xlat: armclang unused-function warning on ``xlat_clean_dcache_range`` |
| 1876 | |
| 1877 | - xlat: Invalid ``mm_cursor`` checks in ``mmap_add`` and ``mmap_add_ctx`` |
| 1878 | |
| 1879 | - sdei: Missing ``context.h`` header |
| 1880 | |
| 1881 | - Platforms |
| 1882 | - common: Missing prototype warning for ``plat_log_get_prefix`` |
| 1883 | |
| 1884 | - arm: Insufficient maximum BL33 image size |
| 1885 | |
| 1886 | - arm: Potential memory corruption during BL2-BL31 transition |
| 1887 | |
| 1888 | On Arm platforms, the BL2 memory can be overlaid by BL31/BL32. The memory |
| 1889 | descriptors describing the list of executable images are created in BL2 |
| 1890 | R/W memory, which could be possibly corrupted later on by BL31/BL32 due |
| 1891 | to overlay. This patch creates a reserved location in SRAM for these |
| 1892 | descriptors and are copied over by BL2 before handing over to next BL |
| 1893 | image. |
| 1894 | |
| 1895 | - juno: Invalid behaviour when ``CSS_USE_SCMI_SDS_DRIVER`` is not set |
| 1896 | |
| 1897 | In ``juno_pm.c`` the ``css_scmi_override_pm_ops`` function was used |
| 1898 | regardless of whether the build flag was set. The original behaviour has |
| 1899 | been restored in the case where the build flag is not set. |
| 1900 | |
| 1901 | - Tools |
| 1902 | - fiptool: Incorrect UUID parsing of blob parameters |
| 1903 | |
| 1904 | - doimage: Incorrect object rules in Makefile |
| 1905 | |
| 1906 | |
| 1907 | Deprecations |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1908 | ^^^^^^^^^^^^ |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1909 | |
| 1910 | - Common Code |
| 1911 | - ``plat_crash_console_init`` function |
| 1912 | |
| 1913 | - ``plat_crash_console_putc`` function |
| 1914 | |
| 1915 | - ``plat_crash_console_flush`` function |
| 1916 | |
| 1917 | - ``finish_console_register`` macro |
| 1918 | |
| 1919 | - AArch64-specific Code |
| 1920 | - helpers: ``get_afflvl_shift`` |
| 1921 | |
| 1922 | - helpers: ``mpidr_mask_lower_afflvls`` |
| 1923 | |
| 1924 | - helpers: ``eret`` |
| 1925 | |
| 1926 | - Secure Partition Manager (SPM) |
| 1927 | - Boot-info structure |
| 1928 | |
| 1929 | |
| 1930 | Known Issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1931 | ^^^^^^^^^^^^ |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1932 | |
| 1933 | - Build System Issues |
| 1934 | - dtb: DTB creation not supported when building on a Windows host. |
| 1935 | |
| 1936 | This step in the build process is skipped when running on a Windows host. A |
| 1937 | known issue from the 1.6 release. |
| 1938 | |
| 1939 | - Platform Issues |
| 1940 | - arm/juno: System suspend from Linux does not function as documented in the |
| 1941 | user guide |
| 1942 | |
| 1943 | Following the instructions provided in the user guide document does not |
| 1944 | result in the platform entering system suspend state as expected. A message |
| 1945 | relating to the hdlcd driver failing to suspend will be emitted on the |
| 1946 | Linux terminal. |
| 1947 | |
Soby Mathew | 97fc196 | 2019-03-28 13:46:40 +0000 | [diff] [blame] | 1948 | - arm/juno: The firmware update use-cases do not work with motherboard |
| 1949 | firmware version < v1.5.0 (the reset reason is not preserved). The Linaro |
| 1950 | 18.04 release has MB v1.4.9. The MB v1.5.0 is available in Linaro 18.10 |
| 1951 | release. |
| 1952 | |
Paul Beesley | 9e437f2 | 2019-03-25 12:21:57 +0000 | [diff] [blame] | 1953 | - mediatek/mt6795: This platform does not build in this release |
| 1954 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1955 | Version 2.0 |
| 1956 | ----------- |
Joanna Farley | f9f26a5 | 2018-09-28 08:38:17 +0100 | [diff] [blame] | 1957 | |
| 1958 | New Features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1959 | ^^^^^^^^^^^^ |
Joanna Farley | f9f26a5 | 2018-09-28 08:38:17 +0100 | [diff] [blame] | 1960 | |
Paul Beesley | 8aabea3 | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 1961 | - Removal of a number of deprecated APIs |
Joanna Farley | f9f26a5 | 2018-09-28 08:38:17 +0100 | [diff] [blame] | 1962 | |
| 1963 | - A new Platform Compatibility Policy document has been created which |
| 1964 | references a wiki page that maintains a listing of deprecated |
| 1965 | interfaces and the release after which they will be removed. |
| 1966 | |
| 1967 | - All deprecated interfaces except the MULTI_CONSOLE_API have been removed |
| 1968 | from the code base. |
| 1969 | |
| 1970 | - Various Arm and partner platforms have been updated to remove the use of |
Paul Beesley | 8aabea3 | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 1971 | removed APIs in this release. |
Joanna Farley | f9f26a5 | 2018-09-28 08:38:17 +0100 | [diff] [blame] | 1972 | |
| 1973 | - This release is otherwise unchanged from 1.6 release |
| 1974 | |
| 1975 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1976 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Joanna Farley | f9f26a5 | 2018-09-28 08:38:17 +0100 | [diff] [blame] | 1977 | |
| 1978 | - No issues known at 1.6 release resolved in 2.0 release |
| 1979 | |
| 1980 | Known Issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1981 | ^^^^^^^^^^^^ |
Joanna Farley | f9f26a5 | 2018-09-28 08:38:17 +0100 | [diff] [blame] | 1982 | |
| 1983 | - DTB creation not supported when building on a Windows host. This step in the |
| 1984 | build process is skipped when running on a Windows host. Known issue from |
| 1985 | 1.6 version. |
| 1986 | |
| 1987 | - As a result of removal of deprecated interfaces the Nvidia Tegra, Marvell |
| 1988 | Armada 8K and MediaTek MT6795 platforms do not build in this release. |
| 1989 | Also MediaTek MT8173, NXP QorIQ LS1043A, NXP i.MX8QX, NXP i.MX8QMa, |
| 1990 | Rockchip RK3328, Rockchip RK3368 and Rockchip RK3399 platforms have not been |
| 1991 | confirmed to be working after the removal of the deprecated interfaces |
| 1992 | although they do build. |
| 1993 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1994 | Version 1.6 |
| 1995 | ----------- |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 1996 | |
| 1997 | New Features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 1998 | ^^^^^^^^^^^^ |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 1999 | |
Joanna Farley | f9f26a5 | 2018-09-28 08:38:17 +0100 | [diff] [blame] | 2000 | - Addressing Speculation Security Vulnerabilities |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2001 | |
| 2002 | - Implement static workaround for CVE-2018-3639 for AArch32 and AArch64 |
| 2003 | |
| 2004 | - Add support for dynamic mitigation for CVE-2018-3639 |
| 2005 | |
| 2006 | - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76 |
| 2007 | |
Paul Beesley | 8f62ca7 | 2019-03-13 13:58:02 +0000 | [diff] [blame] | 2008 | - Ensure |SDEI| handler executes with CVE-2018-3639 mitigation enabled |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2009 | |
| 2010 | - Introduce RAS handling on AArch64 |
| 2011 | |
John Tsichritzis | fadd215 | 2018-10-05 14:16:26 +0100 | [diff] [blame] | 2012 | - Some RAS extensions are mandatory for Armv8.2 CPUs, with others |
| 2013 | mandatory for Armv8.4 CPUs however, all extensions are also optional |
| 2014 | extensions to the base Armv8.0 architecture. |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2015 | |
John Tsichritzis | fadd215 | 2018-10-05 14:16:26 +0100 | [diff] [blame] | 2016 | - The Armv8 RAS Extensions introduced Standard Error Records which are a |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2017 | set of standard registers to configure RAS node policy and allow RAS |
| 2018 | Nodes to record and expose error information for error handling agents. |
| 2019 | |
| 2020 | - Capabilities are provided to support RAS Node enumeration and iteration |
| 2021 | along with individual interrupt registrations and fault injections |
| 2022 | support. |
| 2023 | |
| 2024 | - Introduce handlers for Uncontainable errors, Double Faults and EL3 |
| 2025 | External Aborts |
| 2026 | |
| 2027 | - Enable Memory Partitioning And Monitoring (MPAM) for lower EL's |
| 2028 | |
| 2029 | - Memory Partitioning And Monitoring is an Armv8.4 feature that enables |
| 2030 | various memory system components and resources to define partitions. |
| 2031 | Software running at various ELs can then assign themselves to the |
| 2032 | desired partition to control their performance aspects. |
| 2033 | |
| 2034 | - When ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows |
| 2035 | lower ELs to access their own MPAM registers without trapping to EL3. |
| 2036 | This patch however, doesn't make use of partitioning in EL3; platform |
| 2037 | initialisation code should configure and use partitions in EL3 if |
| 2038 | required. |
| 2039 | |
| 2040 | - Introduce ROM Lib Feature |
| 2041 | |
| 2042 | - Support combining several libraries into a self-called "romlib" image, |
| 2043 | that may be shared across images to reduce memory footprint. The romlib |
| 2044 | image is stored in ROM but is accessed through a jump-table that may be |
| 2045 | stored in read-write memory, allowing for the library code to be patched. |
| 2046 | |
| 2047 | - Introduce Backtrace Feature |
| 2048 | |
| 2049 | - This function displays the backtrace, the current EL and security state |
| 2050 | to allow a post-processing tool to choose the right binary to interpret |
| 2051 | the dump. |
| 2052 | |
| 2053 | - Print backtrace in assert() and panic() to the console. |
| 2054 | |
| 2055 | - Code hygiene changes and alignment with MISRA C-2012 guideline with fixes |
| 2056 | addressing issues complying to the following rules: |
| 2057 | |
| 2058 | - MISRA rules 4.9, 5.1, 5.3, 5.7, 8.2-8.5, 8.8, 8.13, 9.3, 10.1, |
| 2059 | 10.3-10.4, 10.8, 11.3, 11.6, 12.1, 14.4, 15.7, 16.1-16.7, 17.7-17.8, |
| 2060 | 20.7, 20.10, 20.12, 21.1, 21.15, 22.7 |
| 2061 | |
| 2062 | - Clean up the usage of void pointers to access symbols |
| 2063 | |
| 2064 | - Increase usage of static qualifier to locally used functions and data |
| 2065 | |
| 2066 | - Migrated to use of u_register_t for register read/write to better |
| 2067 | match AArch32 and AArch64 type sizes |
| 2068 | |
| 2069 | - Use int-ll64 for both AArch32 and AArch64 to assist in consistent |
| 2070 | format strings between architectures |
| 2071 | |
| 2072 | - Clean up TF-A libc by removing non arm copyrighted implementations |
| 2073 | and replacing them with modified FreeBSD and SCC implementations |
| 2074 | |
| 2075 | - Various changes to support Clang linker and assembler |
| 2076 | |
John Tsichritzis | fadd215 | 2018-10-05 14:16:26 +0100 | [diff] [blame] | 2077 | - The clang assembler/preprocessor is used when Clang is selected. However, |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2078 | the clang linker is not used because it is unable to link TF-A objects |
| 2079 | due to immaturity of clang linker functionality at this time. |
| 2080 | |
Paul Beesley | 8aabea3 | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 2081 | - Refactor support APIs into Libraries |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2082 | |
| 2083 | - Evolve libfdt, mbed TLS library and standard C library sources as |
| 2084 | proper libraries that TF-A may be linked against. |
| 2085 | |
| 2086 | - CPU Enhancements |
| 2087 | |
| 2088 | - Add CPU support for Cortex-Ares and Cortex-A76 |
| 2089 | |
| 2090 | - Add AMU support for Cortex-Ares |
| 2091 | |
| 2092 | - Add initial CPU support for Cortex-Deimos |
| 2093 | |
| 2094 | - Add initial CPU support for Cortex-Helios |
| 2095 | |
| 2096 | - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76 |
| 2097 | |
| 2098 | - Implement Cortex-Ares erratum 1043202 workaround |
| 2099 | |
| 2100 | - Implement DSU erratum 936184 workaround |
| 2101 | |
| 2102 | - Check presence of fix for errata 843419 in Cortex-A53 |
| 2103 | |
| 2104 | - Check presence of fix for errata 835769 in Cortex-A53 |
| 2105 | |
| 2106 | - Translation Tables Enhancements |
| 2107 | |
| 2108 | - The xlat v2 library has been refactored in order to be reused by |
| 2109 | different TF components at different EL's including the addition of EL2. |
| 2110 | Some refactoring to make the code more generic and less specific to TF, |
| 2111 | in order to reuse the library outside of this project. |
| 2112 | |
| 2113 | - SPM Enhancements |
| 2114 | |
| 2115 | - General cleanups and refactoring to pave the way to multiple partitions |
| 2116 | support |
| 2117 | |
| 2118 | - SDEI Enhancements |
| 2119 | |
| 2120 | - Allow platforms to define explicit events |
| 2121 | |
| 2122 | - Determine client EL from NS context's SCR_EL3 |
| 2123 | |
| 2124 | - Make dispatches synchronous |
| 2125 | |
| 2126 | - Introduce jump primitives for BL31 |
| 2127 | |
Paul Beesley | 8f62ca7 | 2019-03-13 13:58:02 +0000 | [diff] [blame] | 2128 | - Mask events after CPU wakeup in |SDEI| dispatcher to conform to the |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2129 | specification |
| 2130 | |
| 2131 | - Misc TF-A Core Common Code Enhancements |
| 2132 | |
| 2133 | - Add support for eXecute In Place (XIP) memory in BL2 |
| 2134 | |
| 2135 | - Add support for the SMC Calling Convention 2.0 |
| 2136 | |
| 2137 | - Introduce External Abort handling on AArch64 |
| 2138 | External Abort routed to EL3 was reported as an unhandled exception |
John Tsichritzis | bd97f83 | 2019-07-05 14:22:12 +0100 | [diff] [blame] | 2139 | and caused a panic. This change enables Trusted Firmware-A to handle |
| 2140 | External Aborts routed to EL3. |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2141 | |
| 2142 | - Save value of ACTLR_EL1 implementation-defined register in the CPU |
| 2143 | context structure rather than forcing it to 0. |
| 2144 | |
| 2145 | - Introduce ARM_LINUX_KERNEL_AS_BL33 build option, which allows BL31 to |
| 2146 | directly jump to a Linux kernel. This makes for a quicker and simpler |
| 2147 | boot flow, which might be useful in some test environments. |
| 2148 | |
| 2149 | - Add dynamic configurations for BL31, BL32 and BL33 enabling support for |
| 2150 | Chain of Trust (COT). |
| 2151 | |
| 2152 | - Make TF UUID RFC 4122 compliant |
| 2153 | |
| 2154 | - New Platform Support |
| 2155 | |
| 2156 | - Arm SGI-575 |
| 2157 | |
| 2158 | - Arm SGM-775 |
| 2159 | |
| 2160 | - Allwinner sun50i_64 |
| 2161 | |
| 2162 | - Allwinner sun50i_h6 |
| 2163 | |
John Tsichritzis | fadd215 | 2018-10-05 14:16:26 +0100 | [diff] [blame] | 2164 | - NXP QorIQ LS1043A |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2165 | |
| 2166 | - NXP i.MX8QX |
| 2167 | |
| 2168 | - NXP i.MX8QM |
| 2169 | |
John Tsichritzis | fadd215 | 2018-10-05 14:16:26 +0100 | [diff] [blame] | 2170 | - NXP i.MX7Solo WaRP7 |
| 2171 | |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2172 | - TI K3 |
| 2173 | |
| 2174 | - Socionext Synquacer SC2A11 |
| 2175 | |
| 2176 | - Marvell Armada 8K |
| 2177 | |
| 2178 | - STMicroelectronics STM32MP1 |
| 2179 | |
| 2180 | - Misc Generic Platform Common Code Enhancements |
| 2181 | |
| 2182 | - Add MMC framework that supports both eMMC and SD card devices |
| 2183 | |
| 2184 | - Misc Arm Platform Common Code Enhancements |
| 2185 | |
| 2186 | - Demonstrate PSCI MEM_PROTECT from el3_runtime |
| 2187 | |
| 2188 | - Provide RAS support |
| 2189 | |
| 2190 | - Migrate AArch64 port to the multi console driver. The old API is |
| 2191 | deprecated and will eventually be removed. |
| 2192 | |
| 2193 | - Move BL31 below BL2 to enable BL2 overlay resulting in changes in the |
| 2194 | layout of BL images in memory to enable more efficient use of available |
| 2195 | space. |
| 2196 | |
| 2197 | - Add cpp build processing for dtb that allows processing device tree |
| 2198 | with external includes. |
| 2199 | |
| 2200 | - Extend FIP io driver to support multiple FIP devices |
| 2201 | |
| 2202 | - Add support for SCMI AP core configuration protocol v1.0 |
| 2203 | |
| 2204 | - Use SCMI AP core protocol to set the warm boot entrypoint |
| 2205 | |
| 2206 | - Add support to Mbed TLS drivers for shared heap among different |
| 2207 | BL images to help optimise memory usage |
| 2208 | |
| 2209 | - Enable non-secure access to UART1 through a build option to support |
| 2210 | a serial debug port for debugger connection |
| 2211 | |
| 2212 | - Enhancements for Arm Juno Platform |
| 2213 | |
| 2214 | - Add support for TrustZone Media Protection 1 (TZMP1) |
| 2215 | |
| 2216 | - Enhancements for Arm FVP Platform |
| 2217 | |
| 2218 | - Dynamic_config: remove the FVP dtb files |
| 2219 | |
| 2220 | - Set DYNAMIC_WORKAROUND_CVE_2018_3639=1 on FVP by default |
| 2221 | |
| 2222 | - Set the ability to dynamically disable Trusted Boot Board |
| 2223 | authentication to be off by default with DYN_DISABLE_AUTH |
| 2224 | |
| 2225 | - Add librom enhancement support in FVP |
| 2226 | |
| 2227 | - Support shared Mbed TLS heap between BL1 and BL2 that allow a |
| 2228 | reduction in BL2 size for FVP |
| 2229 | |
| 2230 | - Enhancements for Arm SGI/SGM Platform |
| 2231 | |
| 2232 | - Enable ARM_PLAT_MT flag for SGI-575 |
| 2233 | |
| 2234 | - Add dts files to enable support for dynamic config |
| 2235 | |
| 2236 | - Add RAS support |
| 2237 | |
| 2238 | - Support shared Mbed TLS heap for SGI and SGM between BL1 and BL2 |
| 2239 | |
| 2240 | - Enhancements for Non Arm Platforms |
| 2241 | |
| 2242 | - Raspberry Pi Platform |
| 2243 | |
| 2244 | - Hikey Platforms |
| 2245 | |
| 2246 | - Xilinx Platforms |
| 2247 | |
| 2248 | - QEMU Platform |
| 2249 | |
| 2250 | - Rockchip rk3399 Platform |
| 2251 | |
| 2252 | - TI Platforms |
| 2253 | |
| 2254 | - Socionext Platforms |
| 2255 | |
| 2256 | - Allwinner Platforms |
| 2257 | |
| 2258 | - NXP Platforms |
| 2259 | |
| 2260 | - NVIDIA Tegra Platform |
| 2261 | |
| 2262 | - Marvell Platforms |
| 2263 | |
| 2264 | - STMicroelectronics STM32MP1 Platform |
| 2265 | |
| 2266 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2267 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2268 | |
| 2269 | - No issues known at 1.5 release resolved in 1.6 release |
| 2270 | |
| 2271 | Known Issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2272 | ^^^^^^^^^^^^ |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2273 | |
| 2274 | - DTB creation not supported when building on a Windows host. This step in the |
| 2275 | build process is skipped when running on a Windows host. Known issue from |
| 2276 | 1.5 version. |
| 2277 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2278 | Version 1.5 |
| 2279 | ----------- |
David Cunado | 230326f | 2018-03-14 17:57:31 +0000 | [diff] [blame] | 2280 | |
| 2281 | New features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2282 | ^^^^^^^^^^^^ |
David Cunado | 230326f | 2018-03-14 17:57:31 +0000 | [diff] [blame] | 2283 | |
| 2284 | - Added new firmware support to enable RAS (Reliability, Availability, and |
| 2285 | Serviceability) functionality. |
| 2286 | |
| 2287 | - Secure Partition Manager (SPM): A Secure Partition is a software execution |
| 2288 | environment instantiated in S-EL0 that can be used to implement simple |
| 2289 | management and security services. The SPM is the firmware component that |
| 2290 | is responsible for managing a Secure Partition. |
| 2291 | |
Paul Beesley | 8f62ca7 | 2019-03-13 13:58:02 +0000 | [diff] [blame] | 2292 | - SDEI dispatcher: Support for interrupt-based |SDEI| events and all |
| 2293 | interfaces as defined by the |SDEI| specification v1.0, see |
David Cunado | 230326f | 2018-03-14 17:57:31 +0000 | [diff] [blame] | 2294 | `SDEI Specification`_ |
| 2295 | |
| 2296 | - Exception Handling Framework (EHF): Framework that allows dispatching of |
| 2297 | EL3 interrupts to their registered handlers which are registered based on |
| 2298 | their priorities. Facilitates firmware-first error handling policy where |
| 2299 | asynchronous exceptions may be routed to EL3. |
| 2300 | |
| 2301 | Integrated the TSPD with EHF. |
| 2302 | |
| 2303 | - Updated PSCI support: |
| 2304 | |
| 2305 | - Implemented PSCI v1.1 optional features `MEM_PROTECT` and `SYSTEM_RESET2`. |
| 2306 | The supported PSCI version was updated to v1.1. |
| 2307 | |
| 2308 | - Improved PSCI STAT timestamp collection, including moving accounting for |
| 2309 | retention states to be inside the locks and fixing handling of wrap-around |
| 2310 | when calculating residency in AArch32 execution state. |
| 2311 | |
| 2312 | - Added optional handler for early suspend that executes when suspending to |
| 2313 | a power-down state and with data caches enabled. |
| 2314 | |
| 2315 | This may provide a performance improvement on platforms where it is safe |
| 2316 | to perform some or all of the platform actions from `pwr_domain_suspend` |
| 2317 | with the data caches enabled. |
| 2318 | |
| 2319 | - Enabled build option, BL2_AT_EL3, for BL2 to allow execution at EL3 without |
| 2320 | any dependency on TF BL1. |
| 2321 | |
| 2322 | This allows platforms which already have a non-TF Boot ROM to directly load |
| 2323 | and execute BL2 and subsequent BL stages without need for BL1. This was not |
| 2324 | previously possible because BL2 executes at S-EL1 and cannot jump straight to |
| 2325 | EL3. |
| 2326 | |
| 2327 | - Implemented support for SMCCC v1.1, including `SMCCC_VERSION` and |
| 2328 | `SMCCC_ARCH_FEATURES`. |
| 2329 | |
| 2330 | Additionally, added support for `SMCCC_VERSION` in PSCI features to enable |
| 2331 | discovery of the SMCCC version via PSCI feature call. |
| 2332 | |
| 2333 | - Added Dynamic Configuration framework which enables each of the boot loader |
| 2334 | stages to be dynamically configured at runtime if required by the platform. |
| 2335 | The boot loader stage may optionally specify a firmware configuration file |
| 2336 | and/or hardware configuration file that can then be shared with the next boot |
| 2337 | loader stage. |
| 2338 | |
| 2339 | Introduced a new BL handover interface that essentially allows passing of 4 |
| 2340 | arguments between the different BL stages. |
| 2341 | |
| 2342 | Updated cert_create and fip_tool to support the dynamic configuration files. |
| 2343 | The COT also updated to support these new files. |
| 2344 | |
| 2345 | - Code hygiene changes and alignment with MISRA guideline: |
| 2346 | |
| 2347 | - Fix use of undefined macros. |
| 2348 | |
| 2349 | - Achieved compliance with Mandatory MISRA coding rules. |
| 2350 | |
| 2351 | - Achieved compliance for following Required MISRA rules for the default |
| 2352 | build configurations on FVP and Juno platforms : 7.3, 8.3, 8.4, 8.5 and |
| 2353 | 8.8. |
| 2354 | |
| 2355 | - Added support for Armv8.2-A architectural features: |
| 2356 | |
| 2357 | - Updated translation table set-up to set the CnP (Common not Private) bit |
| 2358 | for secure page tables so that multiple PEs in the same Inner Shareable |
| 2359 | domain can use the same translation table entries for a given stage of |
| 2360 | translation in a particular translation regime. |
| 2361 | |
| 2362 | - Extended the supported values of ID_AA64MMFR0_EL1.PARange to include the |
| 2363 | 52-bit Physical Address range. |
| 2364 | |
| 2365 | - Added support for the Scalable Vector Extension to allow Normal world |
| 2366 | software to access SVE functionality but disable access to SVE, SIMD and |
| 2367 | floating point functionality from the Secure world in order to prevent |
| 2368 | corruption of the Z-registers. |
| 2369 | |
| 2370 | - Added support for Armv8.4-A architectural feature Activity Monitor Unit (AMU) |
| 2371 | extensions. |
| 2372 | |
| 2373 | In addition to the v8.4 architectural extension, AMU support on Cortex-A75 |
| 2374 | was implemented. |
| 2375 | |
| 2376 | - Enhanced OP-TEE support to enable use of pageable OP-TEE image. The Arm |
| 2377 | standard platforms are updated to load up to 3 images for OP-TEE; header, |
| 2378 | pager image and paged image. |
| 2379 | |
| 2380 | The chain of trust is extended to support the additional images. |
| 2381 | |
| 2382 | - Enhancements to the translation table library: |
| 2383 | |
| 2384 | - Introduced APIs to get and set the memory attributes of a region. |
| 2385 | |
Paul Beesley | 8aabea3 | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 2386 | - Added support to manage both privilege levels in translation regimes that |
David Cunado | 230326f | 2018-03-14 17:57:31 +0000 | [diff] [blame] | 2387 | describe translations for 2 Exception levels, specifically the EL1&0 |
| 2388 | translation regime, and extended the memory map region attributes to |
| 2389 | include specifying Non-privileged access. |
| 2390 | |
| 2391 | - Added support to specify the granularity of the mappings of each region, |
| 2392 | for instance a 2MB region can be specified to be mapped with 4KB page |
| 2393 | tables instead of a 2MB block. |
| 2394 | |
| 2395 | - Disabled the higher VA range to avoid unpredictable behaviour if there is |
| 2396 | an attempt to access addresses in the higher VA range. |
| 2397 | |
| 2398 | - Added helpers for Device and Normal memory MAIR encodings that align with |
| 2399 | the Arm Architecture Reference Manual for Armv8-A (Arm DDI0487B.b). |
| 2400 | |
| 2401 | - Code hygiene including fixing type length and signedness of constants, |
| 2402 | refactoring of function to enable the MMU, removing all instances where |
| 2403 | the virtual address space is hardcoded and added comments that document |
| 2404 | alignment needed between memory attributes and attributes specified in |
| 2405 | TCR_ELx. |
| 2406 | |
| 2407 | - Updated GIC support: |
| 2408 | |
| 2409 | - Introduce new APIs for GICv2 and GICv3 that provide the capability to |
| 2410 | specify interrupt properties rather than list of interrupt numbers alone. |
| 2411 | The Arm platforms and other upstream platforms are migrated to use |
| 2412 | interrupt properties. |
| 2413 | |
| 2414 | - Added helpers to save / restore the GICv3 context, specifically the |
| 2415 | Distributor and Redistributor contexts and architectural parts of the ITS |
| 2416 | power management. The Distributor and Redistributor helpers also support |
| 2417 | the implementation-defined part of GIC-500 and GIC-600. |
| 2418 | |
| 2419 | Updated the Arm FVP platform to save / restore the GICv3 context on system |
| 2420 | suspend / resume as an example of how to use the helpers. |
| 2421 | |
| 2422 | Introduced a new TZC secured DDR carve-out for use by Arm platforms for |
| 2423 | storing EL3 runtime data such as the GICv3 register context. |
| 2424 | |
| 2425 | - Added support for Armv7-A architecture via build option ARM_ARCH_MAJOR=7. |
| 2426 | This includes following features: |
| 2427 | |
| 2428 | - Updates GICv2 driver to manage GICv1 with security extensions. |
| 2429 | |
| 2430 | - Software implementation for 32bit division. |
| 2431 | |
| 2432 | - Enabled use of generic timer for platforms that do not set |
| 2433 | ARM_CORTEX_Ax=yes. |
| 2434 | |
| 2435 | - Support for Armv7-A Virtualization extensions [DDI0406C_C]. |
| 2436 | |
| 2437 | - Support for both Armv7-A platforms that only have 32-bit addressing and |
| 2438 | Armv7-A platforms that support large page addressing. |
| 2439 | |
| 2440 | - Included support for following Armv7 CPUs: Cortex-A12, Cortex-A17, |
| 2441 | Cortex-A7, Cortex-A5, Cortex-A9, Cortex-A15. |
| 2442 | |
| 2443 | - Added support in QEMU for Armv7-A/Cortex-A15. |
| 2444 | |
| 2445 | - Enhancements to Firmware Update feature: |
| 2446 | |
| 2447 | - Updated the FWU documentation to describe the additional images needed for |
| 2448 | Firmware update, and how they are used for both the Juno platform and the |
| 2449 | Arm FVP platforms. |
| 2450 | |
| 2451 | - Enhancements to Trusted Board Boot feature: |
| 2452 | |
| 2453 | - Added support to cert_create tool for RSA PKCS1# v1.5 and SHA384, SHA512 |
| 2454 | and SHA256. |
| 2455 | |
| 2456 | - For Arm platforms added support to use ECDSA keys. |
| 2457 | |
| 2458 | - Enhanced the mbed TLS wrapper layer to include support for both RSA and |
| 2459 | ECDSA to enable runtime selection between RSA and ECDSA keys. |
| 2460 | |
| 2461 | - Added support for secure interrupt handling in AArch32 sp_min, hardcoded to |
| 2462 | only handle FIQs. |
| 2463 | |
| 2464 | - Added support to allow a platform to load images from multiple boot sources, |
| 2465 | for example from a second flash drive. |
| 2466 | |
| 2467 | - Added a logging framework that allows platforms to reduce the logging level |
| 2468 | at runtime and additionally the prefix string can be defined by the platform. |
| 2469 | |
| 2470 | - Further improvements to register initialisation: |
| 2471 | |
| 2472 | - Control register PMCR_EL0 / PMCR is set to prohibit cycle counting in the |
| 2473 | secure world. This register is added to the list of registers that are |
| 2474 | saved and restored during world switch. |
| 2475 | |
| 2476 | - When EL3 is running in AArch32 execution state, the Non-secure version of |
| 2477 | SCTLR is explicitly initialised during the warmboot flow rather than |
| 2478 | relying on the hardware to set the correct reset values. |
| 2479 | |
| 2480 | - Enhanced support for Arm platforms: |
| 2481 | |
| 2482 | - Introduced driver for Shared-Data-Structure (SDS) framework which is used |
| 2483 | for communication between SCP and the AP CPU, replacing Boot-Over_MHU |
| 2484 | (BOM) protocol. |
| 2485 | |
| 2486 | The Juno platform is migrated to use SDS with the SCMI support added in |
| 2487 | v1.3 and is set as default. |
| 2488 | |
| 2489 | The driver can be found in the plat/arm/css/drivers folder. |
| 2490 | |
| 2491 | - Improved memory usage by only mapping TSP memory region when the TSPD has |
| 2492 | been included in the build. This reduces the memory footprint and avoids |
| 2493 | unnecessary memory being mapped. |
| 2494 | |
| 2495 | - Updated support for multi-threading CPUs for FVP platforms - always check |
| 2496 | the MT field in MPDIR and access the bit fields accordingly. |
| 2497 | |
| 2498 | - Support building for platforms that model DynamIQ configuration by |
| 2499 | implementing all CPUs in a single cluster. |
| 2500 | |
| 2501 | - Improved nor flash driver, for instance clearing status registers before |
| 2502 | sending commands. Driver can be found plat/arm/board/common folder. |
| 2503 | |
| 2504 | - Enhancements to QEMU platform: |
| 2505 | |
| 2506 | - Added support for TBB. |
| 2507 | |
| 2508 | - Added support for using OP-TEE pageable image. |
| 2509 | |
| 2510 | - Added support for LOAD_IMAGE_V2. |
| 2511 | |
| 2512 | - Migrated to use translation table library v2 by default. |
| 2513 | |
| 2514 | - Added support for SEPARATE_CODE_AND_RODATA. |
| 2515 | |
| 2516 | - Applied workarounds CVE-2017-5715 on Arm Cortex-A57, -A72, -A73 and -A75, and |
| 2517 | for Armv7-A CPUs Cortex-A9, -A15 and -A17. |
| 2518 | |
| 2519 | - Applied errata workaround for Arm Cortex-A57: 859972. |
| 2520 | |
| 2521 | - Applied errata workaround for Arm Cortex-A72: 859971. |
| 2522 | |
| 2523 | - Added support for Poplar 96Board platform. |
| 2524 | |
| 2525 | - Added support for Raspberry Pi 3 platform. |
| 2526 | |
| 2527 | - Added Call Frame Information (CFI) assembler directives to the vector entries |
| 2528 | which enables debuggers to display the backtrace of functions that triggered |
| 2529 | a synchronous abort. |
| 2530 | |
| 2531 | - Added ability to build dtb. |
| 2532 | |
| 2533 | - Added support for pre-tool (cert_create and fiptool) image processing |
| 2534 | enabling compression of the image files before processing by cert_create and |
| 2535 | fiptool. |
| 2536 | |
| 2537 | This can reduce fip size and may also speed up loading of images. The image |
| 2538 | verification will also get faster because certificates are generated based on |
| 2539 | compressed images. |
| 2540 | |
| 2541 | Imported zlib 1.2.11 to implement gunzip() for data compression. |
| 2542 | |
| 2543 | - Enhancements to fiptool: |
| 2544 | |
| 2545 | - Enabled the fiptool to be built using Visual Studio. |
| 2546 | |
| 2547 | - Added padding bytes at the end of the last image in the fip to be |
| 2548 | facilitate transfer by DMA. |
| 2549 | |
| 2550 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2551 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
David Cunado | 230326f | 2018-03-14 17:57:31 +0000 | [diff] [blame] | 2552 | |
| 2553 | - TF-A can be built with optimisations disabled (-O0). |
| 2554 | |
| 2555 | - Memory layout updated to enable Trusted Board Boot on Juno platform when |
| 2556 | running TF-A in AArch32 execution mode (resolving `tf-issue#501`_). |
| 2557 | |
| 2558 | Known Issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2559 | ^^^^^^^^^^^^ |
David Cunado | 230326f | 2018-03-14 17:57:31 +0000 | [diff] [blame] | 2560 | |
Joanna Farley | d83bf0b | 2018-09-11 15:51:31 +0100 | [diff] [blame] | 2561 | - DTB creation not supported when building on a Windows host. This step in the |
| 2562 | build process is skipped when running on a Windows host. |
David Cunado | 230326f | 2018-03-14 17:57:31 +0000 | [diff] [blame] | 2563 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2564 | Version 1.4 |
| 2565 | ----------- |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2566 | |
| 2567 | New features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2568 | ^^^^^^^^^^^^ |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2569 | |
| 2570 | - Enabled support for platforms with hardware assisted coherency. |
| 2571 | |
| 2572 | A new build option HW_ASSISTED_COHERENCY allows platforms to take advantage |
| 2573 | of the following optimisations: |
| 2574 | |
| 2575 | - Skip performing cache maintenance during power-up and power-down. |
| 2576 | |
| 2577 | - Use spin-locks instead of bakery locks. |
| 2578 | |
| 2579 | - Enable data caches early on warm-booted CPUs. |
| 2580 | |
| 2581 | - Added support for Cortex-A75 and Cortex-A55 processors. |
| 2582 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2583 | Both Cortex-A75 and Cortex-A55 processors use the Arm DynamIQ Shared Unit |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2584 | (DSU). The power-down and power-up sequences are therefore mostly managed in |
| 2585 | hardware, reducing complexity of the software operations. |
| 2586 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2587 | - Introduced Arm GIC-600 driver. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2588 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2589 | Arm GIC-600 IP complies with Arm GICv3 architecture. For FVP platforms, the |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2590 | GIC-600 driver is chosen when FVP_USE_GIC_DRIVER is set to FVP_GIC600. |
| 2591 | |
| 2592 | - Updated GICv3 support: |
| 2593 | |
| 2594 | - Introduced power management APIs for GICv3 Redistributor. These APIs |
| 2595 | allow platforms to power down the Redistributor during CPU power on/off. |
| 2596 | Requires the GICv3 implementations to have power management operations. |
| 2597 | |
| 2598 | Implemented the power management APIs for FVP. |
| 2599 | |
| 2600 | - GIC driver data is flushed by the primary CPU so that secondary CPU do |
| 2601 | not read stale GIC data. |
| 2602 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2603 | - Added support for Arm System Control and Management Interface v1.0 (SCMI). |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2604 | |
| 2605 | The SCMI driver implements the power domain management and system power |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2606 | management protocol of the SCMI specification (Arm DEN 0056ASCMI) for |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2607 | communicating with any compliant power controller. |
| 2608 | |
| 2609 | Support is added for the Juno platform. The driver can be found in the |
| 2610 | plat/arm/css/drivers folder. |
| 2611 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2612 | - Added support to enable pre-integration of TBB with the Arm TrustZone |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2613 | CryptoCell product, to take advantage of its hardware Root of Trust and |
| 2614 | crypto acceleration services. |
| 2615 | |
| 2616 | - Enabled Statistical Profiling Extensions for lower ELs. |
| 2617 | |
| 2618 | The firmware support is limited to the use of SPE in the Non-secure state |
| 2619 | and accesses to the SPE specific registers from S-EL1 will trap to EL3. |
| 2620 | |
| 2621 | The SPE are architecturally specified for AArch64 only. |
| 2622 | |
| 2623 | - Code hygiene changes aligned with MISRA guidelines: |
| 2624 | |
| 2625 | - Fixed signed / unsigned comparison warnings in the translation table |
| 2626 | library. |
| 2627 | |
| 2628 | - Added U(_x) macro and together with the existing ULL(_x) macro fixed |
| 2629 | some of the signed-ness defects flagged by the MISRA scanner. |
| 2630 | |
| 2631 | - Enhancements to Firmware Update feature: |
| 2632 | |
| 2633 | - The FWU logic now checks for overlapping images to prevent execution of |
Paul Beesley | 8aabea3 | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 2634 | unauthenticated arbitrary code. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2635 | |
| 2636 | - Introduced new FWU_SMC_IMAGE_RESET SMC that changes the image loading |
| 2637 | state machine to go from COPYING, COPIED or AUTHENTICATED states to |
| 2638 | RESET state. Previously, this was only possible when the authentication |
| 2639 | of an image failed or when the execution of the image finished. |
| 2640 | |
| 2641 | - Fixed integer overflow which addressed TFV-1: Malformed Firmware Update |
| 2642 | SMC can result in copy of unexpectedly large data into secure memory. |
| 2643 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2644 | - Introduced support for Arm Compiler 6 and LLVM (clang). |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2645 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2646 | TF-A can now also be built with the Arm Compiler 6 or the clang compilers. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2647 | The assembler and linker must be provided by the GNU toolchain. |
| 2648 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2649 | Tested with Arm CC 6.7 and clang 3.9.x and 4.0.x. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2650 | |
| 2651 | - Memory footprint improvements: |
| 2652 | |
| 2653 | - Introduced `tf_snprintf`, a reduced version of `snprintf` which has |
| 2654 | support for a limited set of formats. |
| 2655 | |
| 2656 | The mbedtls driver is updated to optionally use `tf_snprintf` instead of |
| 2657 | `snprintf`. |
| 2658 | |
| 2659 | - The `assert()` is updated to no longer print the function name, and |
| 2660 | additional logging options are supported via an optional platform define |
| 2661 | `PLAT_LOG_LEVEL_ASSERT`, which controls how verbose the assert output is. |
| 2662 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2663 | - Enhancements to TF-A support when running in AArch32 execution state: |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2664 | |
| 2665 | - Support booting SP_MIN and BL33 in AArch32 execution mode on Juno. Due to |
| 2666 | hardware limitations, BL1 and BL2 boot in AArch64 state and there is |
| 2667 | additional trampoline code to warm reset into SP_MIN in AArch32 execution |
| 2668 | state. |
| 2669 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2670 | - Added support for Arm Cortex-A53/57/72 MPCore processors including the |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2671 | errata workarounds that are already implemented for AArch64 execution |
| 2672 | state. |
| 2673 | |
| 2674 | - For FVP platforms, added AArch32 Trusted Board Boot support, including the |
| 2675 | Firmware Update feature. |
| 2676 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2677 | - Introduced Arm SiP service for use by Arm standard platforms. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2678 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2679 | - Added new Arm SiP Service SMCs to enable the Non-secure world to read PMF |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2680 | timestamps. |
| 2681 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2682 | Added PMF instrumentation points in TF-A in order to quantify the |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2683 | overall time spent in the PSCI software implementation. |
| 2684 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2685 | - Added new Arm SiP service SMC to switch execution state. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2686 | |
| 2687 | This allows the lower exception level to change its execution state from |
| 2688 | AArch64 to AArch32, or vice verse, via a request to EL3. |
| 2689 | |
| 2690 | - Migrated to use SPDX[0] license identifiers to make software license |
| 2691 | auditing simpler. |
| 2692 | |
Paul Beesley | e1c5026 | 2019-03-13 16:20:44 +0000 | [diff] [blame] | 2693 | .. note:: |
| 2694 | Files that have been imported by FreeBSD have not been modified. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2695 | |
| 2696 | [0]: https://spdx.org/ |
| 2697 | |
| 2698 | - Enhancements to the translation table library: |
| 2699 | |
| 2700 | - Added version 2 of translation table library that allows different |
| 2701 | translation tables to be modified by using different 'contexts'. Version 1 |
David Cunado | 230326f | 2018-03-14 17:57:31 +0000 | [diff] [blame] | 2702 | of the translation table library only allows the current EL's translation |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2703 | tables to be modified. |
| 2704 | |
| 2705 | Version 2 of the translation table also added support for dynamic |
| 2706 | regions; regions that can be added and removed dynamically whilst the |
| 2707 | MMU is enabled. Static regions can only be added or removed before the |
| 2708 | MMU is enabled. |
| 2709 | |
| 2710 | The dynamic mapping functionality is enabled or disabled when compiling |
| 2711 | by setting the build option PLAT_XLAT_TABLES_DYNAMIC to 1 or 0. This can |
| 2712 | be done per-image. |
| 2713 | |
| 2714 | - Added support for translation regimes with two virtual address spaces |
| 2715 | such as the one shared by EL1 and EL0. |
| 2716 | |
| 2717 | The library does not support initializing translation tables for EL0 |
| 2718 | software. |
| 2719 | |
| 2720 | - Added support to mark the translation tables as non-cacheable using an |
| 2721 | additional build option `XLAT_TABLE_NC`. |
| 2722 | |
| 2723 | - Added support for GCC stack protection. A new build option |
| 2724 | ENABLE_STACK_PROTECTOR was introduced that enables compilation of all BL |
| 2725 | images with one of the GCC -fstack-protector-* options. |
| 2726 | |
| 2727 | A new platform function plat_get_stack_protector_canary() was introduced |
| 2728 | that returns a value used to initialize the canary for stack corruption |
| 2729 | detection. For increased effectiveness of protection platforms must provide |
| 2730 | an implementation that returns a random value. |
| 2731 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2732 | - Enhanced support for Arm platforms: |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2733 | |
| 2734 | - Added support for multi-threading CPUs, indicated by `MT` field in MPDIR. |
| 2735 | A new build flag `ARM_PLAT_MT` is added, and when enabled, the functions |
| 2736 | accessing MPIDR assume that the `MT` bit is set for the platform and |
| 2737 | access the bit fields accordingly. |
| 2738 | |
| 2739 | Also, a new API `plat_arm_get_cpu_pe_count` is added when `ARM_PLAT_MT` is |
| 2740 | enabled, returning the Processing Element count within the physical CPU |
| 2741 | corresponding to `mpidr`. |
| 2742 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2743 | - The Arm platforms migrated to use version 2 of the translation tables. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2744 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2745 | - Introduced a new Arm platform layer API `plat_arm_psci_override_pm_ops` |
| 2746 | which allows Arm platforms to modify `plat_arm_psci_pm_ops` and therefore |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2747 | dynamically define PSCI capability. |
| 2748 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2749 | - The Arm platforms migrated to use IMAGE_LOAD_V2 by default. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2750 | |
| 2751 | - Enhanced reporting of errata workaround status with the following policy: |
| 2752 | |
| 2753 | - If an errata workaround is enabled: |
| 2754 | |
| 2755 | - If it applies (i.e. the CPU is affected by the errata), an INFO message |
| 2756 | is printed, confirming that the errata workaround has been applied. |
| 2757 | |
| 2758 | - If it does not apply, a VERBOSE message is printed, confirming that the |
| 2759 | errata workaround has been skipped. |
| 2760 | |
| 2761 | - If an errata workaround is not enabled, but would have applied had it |
| 2762 | been, a WARN message is printed, alerting that errata workaround is |
| 2763 | missing. |
| 2764 | |
| 2765 | - Added build options ARM_ARCH_MAJOR and ARM_ARM_MINOR to choose the |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2766 | architecture version to target TF-A. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2767 | |
| 2768 | - Updated the spin lock implementation to use the more efficient CAS (Compare |
| 2769 | And Swap) instruction when available. This instruction was introduced in |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2770 | Armv8.1-A. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2771 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2772 | - Applied errata workaround for Arm Cortex-A53: 855873. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2773 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2774 | - Applied errata workaround for Arm-Cortex-A57: 813419. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2775 | |
| 2776 | - Enabled all A53 and A57 errata workarounds for Juno, both in AArch64 and |
| 2777 | AArch32 execution states. |
| 2778 | |
| 2779 | - Added support for Socionext UniPhier SoC platform. |
| 2780 | |
| 2781 | - Added support for Hikey960 and Hikey platforms. |
| 2782 | |
| 2783 | - Added support for Rockchip RK3328 platform. |
| 2784 | |
| 2785 | - Added support for NVidia Tegra T186 platform. |
| 2786 | |
| 2787 | - Added support for Designware emmc driver. |
| 2788 | |
| 2789 | - Imported libfdt v1.4.2 that addresses buffer overflow in fdt_offset_ptr(). |
| 2790 | |
| 2791 | - Enhanced the CPU operations framework to allow power handlers to be |
| 2792 | registered on per-level basis. This enables support for future CPUs that |
| 2793 | have multiple threads which might need powering down individually. |
| 2794 | |
| 2795 | - Updated register initialisation to prevent unexpected behaviour: |
| 2796 | |
| 2797 | - Debug registers MDCR-EL3/SDCR and MDCR_EL2/HDCR are initialised to avoid |
| 2798 | unexpected traps into the higher exception levels and disable secure |
| 2799 | self-hosted debug. Additionally, secure privileged external debug on |
| 2800 | Juno is disabled by programming the appropriate Juno SoC registers. |
| 2801 | |
| 2802 | - EL2 and EL3 configurable controls are initialised to avoid unexpected |
| 2803 | traps in the higher exception levels. |
| 2804 | |
| 2805 | - Essential control registers are fully initialised on EL3 start-up, when |
| 2806 | initialising the non-secure and secure context structures and when |
Paul Beesley | 8aabea3 | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 2807 | preparing to leave EL3 for a lower EL. This gives better alignment with |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2808 | the Arm ARM which states that software must initialise RES0 and RES1 |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2809 | fields with 0 / 1. |
| 2810 | |
| 2811 | - Enhanced PSCI support: |
| 2812 | |
| 2813 | - Introduced new platform interfaces that decouple PSCI stat residency |
| 2814 | calculation from PMF, enabling platforms to use alternative methods of |
| 2815 | capturing timestamps. |
| 2816 | |
| 2817 | - PSCI stat accounting performed for retention/standby states when |
| 2818 | requested at multiple power levels. |
| 2819 | |
| 2820 | - Simplified fiptool to have a single linked list of image descriptors. |
| 2821 | |
| 2822 | - For the TSP, resolved corruption of pre-empted secure context by aborting any |
| 2823 | pre-empted SMC during PSCI power management requests. |
| 2824 | |
| 2825 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2826 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2827 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2828 | - TF-A can be built with the latest mbed TLS version (v2.4.2). The earlier |
| 2829 | version 2.3.0 cannot be used due to build warnings that the TF-A build |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2830 | system interprets as errors. |
| 2831 | |
| 2832 | - TBBR, including the Firmware Update feature is now supported on FVP |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2833 | platforms when running TF-A in AArch32 state. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2834 | |
| 2835 | - The version of the AEMv8 Base FVP used in this release has resolved the issue |
| 2836 | of the model executing a reset instead of terminating in response to a |
| 2837 | shutdown request using the PSCI SYSTEM_OFF API. |
| 2838 | |
| 2839 | Known Issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2840 | ^^^^^^^^^^^^ |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2841 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2842 | - Building TF-A with compiler optimisations disabled (-O0) fails. |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2843 | |
| 2844 | - Trusted Board Boot currently does not work on Juno when running Trusted |
| 2845 | Firmware in AArch32 execution state due to error when loading the sp_min to |
David Cunado | 230326f | 2018-03-14 17:57:31 +0000 | [diff] [blame] | 2846 | memory because of lack of free space available. See `tf-issue#501`_ for more |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 2847 | details. |
| 2848 | |
| 2849 | - The errata workaround for A53 errata 843419 is only available from binutils |
| 2850 | 2.26 and is not present in GCC4.9. If this errata is applicable to the |
| 2851 | platform, please use GCC compiler version of at least 5.0. See `PR#1002`_ for |
| 2852 | more details. |
| 2853 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2854 | Version 1.3 |
| 2855 | ----------- |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2856 | |
Douglas Raillard | 668c502 | 2017-06-28 16:14:55 +0100 | [diff] [blame] | 2857 | |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2858 | New features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 2859 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2860 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2861 | - Added support for running TF-A in AArch32 execution state. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2862 | |
| 2863 | The PSCI library has been refactored to allow integration with **EL3 Runtime |
| 2864 | Software**. This is software that is executing at the highest secure |
| 2865 | privilege which is EL3 in AArch64 or Secure SVC/Monitor mode in AArch32. See |
Paul Beesley | 3476095 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 2866 | :ref:`PSCI Library Integration guide for Armv8-A AArch32 systems`. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2867 | |
| 2868 | Included is a minimal AArch32 Secure Payload, **SP-MIN**, that illustrates |
| 2869 | the usage and integration of the PSCI library with EL3 Runtime Software |
| 2870 | running in AArch32 state. |
| 2871 | |
| 2872 | Booting to the BL1/BL2 images as well as booting straight to the Secure |
| 2873 | Payload is supported. |
| 2874 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2875 | - Improvements to the initialization framework for the PSCI service and Arm |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2876 | Standard Services in general. |
| 2877 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2878 | The PSCI service is now initialized as part of Arm Standard Service |
| 2879 | initialization. This consolidates the initializations of any Arm Standard |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2880 | Service that may be added in the future. |
| 2881 | |
| 2882 | A new function ``get_arm_std_svc_args()`` is introduced to get arguments |
| 2883 | corresponding to each standard service and must be implemented by the EL3 |
| 2884 | Runtime Software. |
| 2885 | |
| 2886 | For PSCI, a new versioned structure ``psci_lib_args_t`` is introduced to |
| 2887 | initialize the PSCI Library. **Note** this is a compatibility break due to |
| 2888 | the change in the prototype of ``psci_setup()``. |
| 2889 | |
| 2890 | - To support AArch32 builds of BL1 and BL2, implemented a new, alternative |
| 2891 | firmware image loading mechanism that adds flexibility. |
| 2892 | |
| 2893 | The current mechanism has a hard-coded set of images and execution order |
| 2894 | (BL31, BL32, etc). The new mechanism is data-driven by a list of image |
| 2895 | descriptors provided by the platform code. |
| 2896 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2897 | Arm platforms have been updated to support the new loading mechanism. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2898 | |
| 2899 | The new mechanism is enabled by a build flag (``LOAD_IMAGE_V2``) which is |
| 2900 | currently off by default for the AArch64 build. |
| 2901 | |
| 2902 | **Note** ``TRUSTED_BOARD_BOOT`` is currently not supported when |
| 2903 | ``LOAD_IMAGE_V2`` is enabled. |
| 2904 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2905 | - Updated requirements for making contributions to TF-A. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2906 | |
| 2907 | Commits now must have a 'Signed-off-by:' field to certify that the |
| 2908 | contribution has been made under the terms of the |
Paul Beesley | 3476095 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 2909 | :download:`Developer Certificate of Origin <../dco.txt>`. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2910 | |
| 2911 | A signed CLA is no longer required. |
| 2912 | |
Paul Beesley | 3476095 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 2913 | The :ref:`Contributor's Guide` has been updated to reflect this change. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2914 | |
| 2915 | - Introduced Performance Measurement Framework (PMF) which provides support |
| 2916 | for capturing, storing, dumping and retrieving time-stamps to measure the |
| 2917 | execution time of critical paths in the firmware. This relies on defining |
| 2918 | fixed sample points at key places in the code. |
| 2919 | |
| 2920 | - To support the QEMU platform port, imported libfdt v1.4.1 from |
Paul Beesley | dd4e9a7 | 2019-02-08 16:43:05 +0000 | [diff] [blame] | 2921 | https://git.kernel.org/pub/scm/utils/dtc/dtc.git |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2922 | |
| 2923 | - Updated PSCI support: |
| 2924 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 2925 | - Added support for PSCI NODE_HW_STATE API for Arm platforms. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2926 | |
| 2927 | - New optional platform hook, ``pwr_domain_pwr_down_wfi()``, in |
| 2928 | ``plat_psci_ops`` to enable platforms to perform platform-specific actions |
| 2929 | needed to enter powerdown, including the 'wfi' invocation. |
| 2930 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2931 | - PSCI STAT residency and count functions have been added on Arm platforms |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2932 | by using PMF. |
| 2933 | |
| 2934 | - Enhancements to the translation table library: |
| 2935 | |
| 2936 | - Limited memory mapping support for region overlaps to only allow regions |
| 2937 | to overlap that are identity mapped or have the same virtual to physical |
| 2938 | address offset, and overlap completely but must not cover the same area. |
| 2939 | |
| 2940 | This limitation will enable future enhancements without having to |
| 2941 | support complex edge cases that may not be necessary. |
| 2942 | |
| 2943 | - The initial translation lookup level is now inferred from the virtual |
| 2944 | address space size. Previously, it was hard-coded. |
| 2945 | |
| 2946 | - Added support for mapping Normal, Inner Non-cacheable, Outer |
| 2947 | Non-cacheable memory in the translation table library. |
| 2948 | |
| 2949 | This can be useful to map a non-cacheable memory region, such as a DMA |
| 2950 | buffer. |
| 2951 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 2952 | - Introduced the MT_EXECUTE/MT_EXECUTE_NEVER memory mapping attributes to |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2953 | specify the access permissions for instruction execution of a memory |
| 2954 | region. |
| 2955 | |
| 2956 | - Enabled support to isolate code and read-only data on separate memory pages, |
| 2957 | allowing independent access control to be applied to each. |
| 2958 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 2959 | - Enabled SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and BL31 common |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2960 | architectural setup code, preventing fetching instructions from non-secure |
| 2961 | memory when in secure state. |
| 2962 | |
| 2963 | - Enhancements to FIP support: |
| 2964 | |
| 2965 | - Replaced ``fip_create`` with ``fiptool`` which provides a more consistent |
| 2966 | and intuitive interface as well as additional support to remove an image |
| 2967 | from a FIP file. |
| 2968 | |
| 2969 | - Enabled printing the SHA256 digest with info command, allowing quick |
| 2970 | verification of an image within a FIP without having to extract the |
| 2971 | image and running sha256sum on it. |
| 2972 | |
| 2973 | - Added support for unpacking the contents of an existing FIP file into |
| 2974 | the working directory. |
| 2975 | |
| 2976 | - Aligned command line options for specifying images to use same naming |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 2977 | convention as specified by TBBR and already used in cert_create tool. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2978 | |
| 2979 | - Refactored the TZC-400 driver to also support memory controllers that |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2980 | integrate TZC functionality, for example Arm CoreLink DMC-500. Also added |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2981 | DMC-500 specific support. |
| 2982 | |
| 2983 | - Implemented generic delay timer based on the system generic counter and |
| 2984 | migrated all platforms to use it. |
| 2985 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 2986 | - Enhanced support for Arm platforms: |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2987 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 2988 | - Updated image loading support to make SCP images (SCP_BL2 and SCP_BL2U) |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 2989 | optional. |
| 2990 | |
| 2991 | - Enhanced topology description support to allow multi-cluster topology |
| 2992 | definitions. |
| 2993 | |
| 2994 | - Added interconnect abstraction layer to help platform ports select the |
| 2995 | right interconnect driver, CCI or CCN, for the platform. |
| 2996 | |
| 2997 | - Added support to allow loading BL31 in the TZC-secured DRAM instead of |
| 2998 | the default secure SRAM. |
| 2999 | |
| 3000 | - Added support to use a System Security Control (SSC) Registers Unit |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3001 | enabling TF-A to be compiled to support multiple Arm platforms and |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3002 | then select one at runtime. |
| 3003 | |
| 3004 | - Restricted mapping of Trusted ROM in BL1 to what is actually needed by |
| 3005 | BL1 rather than entire Trusted ROM region. |
| 3006 | |
| 3007 | - Flash is now mapped as execute-never by default. This increases security |
| 3008 | by restricting the executable region to what is strictly needed. |
| 3009 | |
| 3010 | - Applied following erratum workarounds for Cortex-A57: 833471, 826977, |
| 3011 | 829520, 828024 and 826974. |
| 3012 | |
| 3013 | - Added support for Mediatek MT6795 platform. |
| 3014 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3015 | - Added support for QEMU virtualization Armv8-A target. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3016 | |
| 3017 | - Added support for Rockchip RK3368 and RK3399 platforms. |
| 3018 | |
| 3019 | - Added support for Xilinx Zynq UltraScale+ MPSoC platform. |
| 3020 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3021 | - Added support for Arm Cortex-A73 MPCore Processor. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3022 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3023 | - Added support for Arm Cortex-A72 processor. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3024 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3025 | - Added support for Arm Cortex-A35 processor. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3026 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3027 | - Added support for Arm Cortex-A32 MPCore Processor. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3028 | |
| 3029 | - Enabled preloaded BL33 alternative boot flow, in which BL2 does not load |
| 3030 | BL33 from non-volatile storage and BL31 hands execution over to a preloaded |
| 3031 | BL33. The User Guide has been updated with an example of how to use this |
| 3032 | option with a bootwrapped kernel. |
| 3033 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3034 | - Added support to build TF-A on a Windows-based host machine. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3035 | |
| 3036 | - Updated Trusted Board Boot prototype implementation: |
| 3037 | |
| 3038 | - Enabled the ability for a production ROM with TBBR enabled to boot test |
| 3039 | software before a real ROTPK is deployed (e.g. manufacturing mode). |
| 3040 | Added support to use ROTPK in certificate without verifying against the |
| 3041 | platform value when ``ROTPK_NOT_DEPLOYED`` bit is set. |
| 3042 | |
| 3043 | - Added support for non-volatile counter authentication to the |
| 3044 | Authentication Module to protect against roll-back. |
| 3045 | |
| 3046 | - Updated GICv3 support: |
| 3047 | |
| 3048 | - Enabled processor power-down and automatic power-on using GICv3. |
| 3049 | |
| 3050 | - Enabled G1S or G0 interrupts to be configured independently. |
| 3051 | |
| 3052 | - Changed FVP default interrupt driver to be the GICv3-only driver. |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3053 | **Note** the default build of TF-A will not be able to boot |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3054 | Linux kernel with GICv2 FDT blob. |
| 3055 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 3056 | - Enabled wake-up from CPU_SUSPEND to stand-by by temporarily re-routing |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3057 | interrupts and then restoring after resume. |
| 3058 | |
| 3059 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3060 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3061 | |
| 3062 | Known issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3063 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3064 | |
| 3065 | - The version of the AEMv8 Base FVP used in this release resets the model |
| 3066 | instead of terminating its execution in response to a shutdown request using |
| 3067 | the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of |
| 3068 | the model. |
| 3069 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3070 | - Building TF-A with compiler optimisations disabled (``-O0``) fails. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3071 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3072 | - TF-A cannot be built with mbed TLS version v2.3.0 due to build warnings |
| 3073 | that the TF-A build system interprets as errors. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3074 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3075 | - TBBR is not currently supported when running TF-A in AArch32 state. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3076 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3077 | Version 1.2 |
| 3078 | ----------- |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3079 | |
| 3080 | New features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3081 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3082 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3083 | - The Trusted Board Boot implementation on Arm platforms now conforms to the |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3084 | mandatory requirements of the TBBR specification. |
| 3085 | |
| 3086 | In particular, the boot process is now guarded by a Trusted Watchdog, which |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3087 | will reset the system in case of an authentication or loading error. On Arm |
| 3088 | platforms, a secure instance of Arm SP805 is used as the Trusted Watchdog. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3089 | |
| 3090 | Also, a firmware update process has been implemented. It enables |
| 3091 | authenticated firmware to update firmware images from external interfaces to |
| 3092 | SoC Non-Volatile memories. This feature functions even when the current |
| 3093 | firmware in the system is corrupt or missing; it therefore may be used as |
| 3094 | a recovery mode. |
| 3095 | |
| 3096 | - Improvements have been made to the Certificate Generation Tool |
| 3097 | (``cert_create``) as follows. |
| 3098 | |
| 3099 | - Added support for the Firmware Update process by extending the Chain |
| 3100 | of Trust definition in the tool to include the Firmware Update |
| 3101 | certificate and the required extensions. |
| 3102 | |
| 3103 | - Introduced a new API that allows one to specify command line options in |
| 3104 | the Chain of Trust description. This makes the declaration of the tool's |
| 3105 | arguments more flexible and easier to extend. |
| 3106 | |
| 3107 | - The tool has been reworked to follow a data driven approach, which |
| 3108 | makes it easier to maintain and extend. |
| 3109 | |
| 3110 | - Extended the FIP tool (``fip_create``) to support the new set of images |
| 3111 | involved in the Firmware Update process. |
| 3112 | |
| 3113 | - Various memory footprint improvements. In particular: |
| 3114 | |
| 3115 | - The bakery lock structure for coherent memory has been optimised. |
| 3116 | |
| 3117 | - The mbed TLS SHA1 functions are not needed, as SHA256 is used to |
| 3118 | generate the certificate signature. Therefore, they have been compiled |
| 3119 | out, reducing the memory footprint of BL1 and BL2 by approximately |
| 3120 | 6 KB. |
| 3121 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3122 | - On Arm development platforms, each BL stage now individually defines |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3123 | the number of regions that it needs to map in the MMU. |
| 3124 | |
| 3125 | - Added the following new design documents: |
| 3126 | |
Paul Beesley | 3476095 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 3127 | - :ref:`Authentication Framework & Chain of Trust` |
| 3128 | - :ref:`Firmware Update (FWU)` |
| 3129 | - :ref:`CPU Reset` |
| 3130 | - :ref:`PSCI Power Domain Tree Structure` |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3131 | |
| 3132 | - Applied the new image terminology to the code base and documentation, as |
Paul Beesley | 3476095 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 3133 | described in the :ref:`Image Terminology` document. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3134 | |
| 3135 | - The build system has been reworked to improve readability and facilitate |
| 3136 | adding future extensions. |
| 3137 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3138 | - On Arm standard platforms, BL31 uses the boot console during cold boot |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3139 | but switches to the runtime console for any later logs at runtime. The TSP |
| 3140 | uses the runtime console for all output. |
| 3141 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3142 | - Implemented a basic NOR flash driver for Arm platforms. It programs the |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3143 | device using CFI (Common Flash Interface) standard commands. |
| 3144 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3145 | - Implemented support for booting EL3 payloads on Arm platforms, which |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3146 | reduces the complexity of developing EL3 baremetal code by doing essential |
| 3147 | baremetal initialization. |
| 3148 | |
| 3149 | - Provided separate drivers for GICv3 and GICv2. These expect the entire |
| 3150 | software stack to use either GICv2 or GICv3; hybrid GIC software systems |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3151 | are no longer supported and the legacy Arm GIC driver has been deprecated. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3152 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3153 | - Added support for Juno r1 and r2. A single set of Juno TF-A binaries can run |
| 3154 | on Juno r0, r1 and r2 boards. Note that this TF-A version depends on a Linaro |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3155 | release that does *not* contain Juno r2 support. |
| 3156 | |
| 3157 | - Added support for MediaTek mt8173 platform. |
| 3158 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3159 | - Implemented a generic driver for Arm CCN IP. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3160 | |
| 3161 | - Major rework of the PSCI implementation. |
| 3162 | |
| 3163 | - Added framework to handle composite power states. |
| 3164 | |
| 3165 | - Decoupled the notions of affinity instances (which describes the |
| 3166 | hierarchical arrangement of cores) and of power domain topology, instead |
| 3167 | of assuming a one-to-one mapping. |
| 3168 | |
| 3169 | - Better alignment with version 1.0 of the PSCI specification. |
| 3170 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 3171 | - Added support for the SYSTEM_SUSPEND PSCI API on Arm platforms. When invoked |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3172 | on the last running core on a supported platform, this puts the system |
| 3173 | into a low power mode with memory retention. |
| 3174 | |
| 3175 | - Unified the reset handling code as much as possible across BL stages. |
| 3176 | Also introduced some build options to enable optimization of the reset path |
| 3177 | on platforms that support it. |
| 3178 | |
| 3179 | - Added a simple delay timer API, as well as an SP804 timer driver, which is |
| 3180 | enabled on FVP. |
| 3181 | |
| 3182 | - Added support for NVidia Tegra T210 and T132 SoCs. |
| 3183 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3184 | - Reorganised Arm platforms ports to greatly improve code shareability and |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3185 | facilitate the reuse of some of this code by other platforms. |
| 3186 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3187 | - Added support for Arm Cortex-A72 processor in the CPU specific framework. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3188 | |
| 3189 | - Provided better error handling. Platform ports can now define their own |
| 3190 | error handling, for example to perform platform specific bookkeeping or |
| 3191 | post-error actions. |
| 3192 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3193 | - Implemented a unified driver for Arm Cache Coherent Interconnects used for |
| 3194 | both CCI-400 & CCI-500 IPs. Arm platforms ports have been migrated to this |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3195 | common driver. The standalone CCI-400 driver has been deprecated. |
| 3196 | |
| 3197 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3198 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3199 | |
| 3200 | - The Trusted Board Boot implementation has been redesigned to provide greater |
Paul Beesley | 3476095 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 3201 | modularity and scalability. See the |
| 3202 | :ref:`Authentication Framework & Chain of Trust` document. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3203 | All missing mandatory features are now implemented. |
| 3204 | |
| 3205 | - The FVP and Juno ports may now use the hash of the ROTPK stored in the |
| 3206 | Trusted Key Storage registers to verify the ROTPK. Alternatively, a |
| 3207 | development public key hash embedded in the BL1 and BL2 binaries might be |
| 3208 | used instead. The location of the ROTPK is chosen at build-time using the |
| 3209 | ``ARM_ROTPK_LOCATION`` build option. |
| 3210 | |
| 3211 | - GICv3 is now fully supported and stable. |
| 3212 | |
| 3213 | Known issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3214 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3215 | |
| 3216 | - The version of the AEMv8 Base FVP used in this release resets the model |
| 3217 | instead of terminating its execution in response to a shutdown request using |
| 3218 | the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of |
| 3219 | the model. |
| 3220 | |
| 3221 | - While this version has low on-chip RAM requirements, there are further |
| 3222 | RAM usage enhancements that could be made. |
| 3223 | |
| 3224 | - The upstream documentation could be improved for structural consistency, |
| 3225 | clarity and completeness. In particular, the design documentation is |
| 3226 | incomplete for PSCI, the TSP(D) and the Juno platform. |
| 3227 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3228 | - Building TF-A with compiler optimisations disabled (``-O0``) fails. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3229 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3230 | Version 1.1 |
| 3231 | ----------- |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3232 | |
| 3233 | New features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3234 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3235 | |
| 3236 | - A prototype implementation of Trusted Board Boot has been added. Boot |
| 3237 | loader images are verified by BL1 and BL2 during the cold boot path. BL1 and |
| 3238 | BL2 use the PolarSSL SSL library to verify certificates and images. The |
| 3239 | OpenSSL library is used to create the X.509 certificates. Support has been |
| 3240 | added to ``fip_create`` tool to package the certificates in a FIP. |
| 3241 | |
| 3242 | - Support for calling CPU and platform specific reset handlers upon entry into |
| 3243 | BL3-1 during the cold and warm boot paths has been added. This happens after |
| 3244 | another Boot ROM ``reset_handler()`` has already run. This enables a developer |
| 3245 | to perform additional actions or undo actions already performed during the |
| 3246 | first call of the reset handlers e.g. apply additional errata workarounds. |
| 3247 | |
| 3248 | - Support has been added to demonstrate routing of IRQs to EL3 instead of |
| 3249 | S-EL1 when execution is in secure world. |
| 3250 | |
| 3251 | - The PSCI implementation now conforms to version 1.0 of the PSCI |
| 3252 | specification. All the mandatory APIs and selected optional APIs are |
| 3253 | supported. In particular, support for the ``PSCI_FEATURES`` API has been |
| 3254 | added. A capability variable is constructed during initialization by |
| 3255 | examining the ``plat_pm_ops`` and ``spd_pm_ops`` exported by the platform and |
| 3256 | the Secure Payload Dispatcher. This is used by the PSCI FEATURES function |
| 3257 | to determine which PSCI APIs are supported by the platform. |
| 3258 | |
| 3259 | - Improvements have been made to the PSCI code as follows. |
| 3260 | |
| 3261 | - The code has been refactored to remove redundant parameters from |
| 3262 | internal functions. |
| 3263 | |
| 3264 | - Changes have been made to the code for PSCI ``CPU_SUSPEND``, ``CPU_ON`` and |
| 3265 | ``CPU_OFF`` calls to facilitate an early return to the caller in case a |
| 3266 | failure condition is detected. For example, a PSCI ``CPU_SUSPEND`` call |
| 3267 | returns ``SUCCESS`` to the caller if a pending interrupt is detected early |
| 3268 | in the code path. |
| 3269 | |
| 3270 | - Optional platform APIs have been added to validate the ``power_state`` and |
| 3271 | ``entrypoint`` parameters early in PSCI ``CPU_ON`` and ``CPU_SUSPEND`` code |
| 3272 | paths. |
| 3273 | |
| 3274 | - PSCI migrate APIs have been reworked to invoke the SPD hook to determine |
| 3275 | the type of Trusted OS and the CPU it is resident on (if |
| 3276 | applicable). Also, during a PSCI ``MIGRATE`` call, the SPD hook to migrate |
| 3277 | the Trusted OS is invoked. |
| 3278 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3279 | - It is now possible to build TF-A without marking at least an extra page of |
| 3280 | memory as coherent. The build flag ``USE_COHERENT_MEM`` can be used to |
| 3281 | choose between the two implementations. This has been made possible through |
| 3282 | these changes. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3283 | |
| 3284 | - An implementation of Bakery locks, where the locks are not allocated in |
| 3285 | coherent memory has been added. |
| 3286 | |
| 3287 | - Memory which was previously marked as coherent is now kept coherent |
| 3288 | through the use of software cache maintenance operations. |
| 3289 | |
| 3290 | Approximately, 4K worth of memory is saved for each boot loader stage when |
| 3291 | ``USE_COHERENT_MEM=0``. Enabling this option increases the latencies |
| 3292 | associated with acquire and release of locks. It also requires changes to |
| 3293 | the platform ports. |
| 3294 | |
| 3295 | - It is now possible to specify the name of the FIP at build time by defining |
| 3296 | the ``FIP_NAME`` variable. |
| 3297 | |
Paul Beesley | 8aabea3 | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 3298 | - Issues with dependencies on the 'fiptool' makefile target have been |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3299 | rectified. The ``fip_create`` tool is now rebuilt whenever its source files |
| 3300 | change. |
| 3301 | |
| 3302 | - The BL3-1 runtime console is now also used as the crash console. The crash |
| 3303 | console is changed to SoC UART0 (UART2) from the previous FPGA UART0 (UART0) |
| 3304 | on Juno. In FVP, it is changed from UART0 to UART1. |
| 3305 | |
| 3306 | - CPU errata workarounds are applied only when the revision and part number |
| 3307 | match. This behaviour has been made consistent across the debug and release |
| 3308 | builds. The debug build additionally prints a warning if a mismatch is |
| 3309 | detected. |
| 3310 | |
| 3311 | - It is now possible to issue cache maintenance operations by set/way for a |
| 3312 | particular level of data cache. Levels 1-3 are currently supported. |
| 3313 | |
| 3314 | - The following improvements have been made to the FVP port. |
| 3315 | |
| 3316 | - The build option ``FVP_SHARED_DATA_LOCATION`` which allowed relocation of |
| 3317 | shared data into the Trusted DRAM has been deprecated. Shared data is |
| 3318 | now always located at the base of Trusted SRAM. |
| 3319 | |
| 3320 | - BL2 Translation tables have been updated to map only the region of |
| 3321 | DRAM which is accessible to normal world. This is the region of the 2GB |
| 3322 | DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is |
| 3323 | accessible to only the secure world. |
| 3324 | |
| 3325 | - BL3-2 can now reside in the top 16MB of DRAM which is accessible only to |
| 3326 | the secure world. This can be done by setting the build flag |
| 3327 | ``FVP_TSP_RAM_LOCATION`` to the value ``dram``. |
| 3328 | |
Paul Beesley | 8aabea3 | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 3329 | - Separate translation tables are created for each boot loader image. The |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3330 | ``IMAGE_BLx`` build options are used to do this. This allows each stage to |
| 3331 | create mappings only for areas in the memory map that it needs. |
| 3332 | |
| 3333 | - A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been |
Paul Beesley | 3476095 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 3334 | added. Details of using it with TF-A can be found in :ref:`OP-TEE Dispatcher` |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3335 | |
| 3336 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3337 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3338 | |
| 3339 | - The Juno port has been aligned with the FVP port as follows. |
| 3340 | |
| 3341 | - Support for reclaiming all BL1 RW memory and BL2 memory by overlaying |
| 3342 | the BL3-1/BL3-2 NOBITS sections on top of them has been added to the |
| 3343 | Juno port. |
| 3344 | |
| 3345 | - The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured |
| 3346 | using the TZC-400 controller to be accessible only to the secure world. |
| 3347 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3348 | - The Arm GIC driver is used to configure the GIC-400 instead of using a |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3349 | GIC driver private to the Juno port. |
| 3350 | |
| 3351 | - PSCI ``CPU_SUSPEND`` calls that target a standby state are now supported. |
| 3352 | |
| 3353 | - The TZC-400 driver is used to configure the controller instead of direct |
| 3354 | accesses to the registers. |
| 3355 | |
| 3356 | - The Linux kernel version referred to in the user guide has DVFS and HMP |
| 3357 | support enabled. |
| 3358 | |
| 3359 | - DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in |
| 3360 | CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of |
| 3361 | the Cortex-A57-A53 Base FVPs. |
| 3362 | |
| 3363 | Known issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3364 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3365 | |
| 3366 | - The Trusted Board Boot implementation is a prototype. There are issues with |
| 3367 | the modularity and scalability of the design. Support for a Trusted |
| 3368 | Watchdog, firmware update mechanism, recovery images and Trusted debug is |
| 3369 | absent. These issues will be addressed in future releases. |
| 3370 | |
| 3371 | - The FVP and Juno ports do not use the hash of the ROTPK stored in the |
| 3372 | Trusted Key Storage registers to verify the ROTPK in the |
| 3373 | ``plat_match_rotpk()`` function. This prevents the correct establishment of |
| 3374 | the Chain of Trust at the first step in the Trusted Board Boot process. |
| 3375 | |
| 3376 | - The version of the AEMv8 Base FVP used in this release resets the model |
| 3377 | instead of terminating its execution in response to a shutdown request using |
| 3378 | the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of |
| 3379 | the model. |
| 3380 | |
| 3381 | - GICv3 support is experimental. There are known issues with GICv3 |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3382 | initialization in the TF-A. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3383 | |
| 3384 | - While this version greatly reduces the on-chip RAM requirements, there are |
| 3385 | further RAM usage enhancements that could be made. |
| 3386 | |
| 3387 | - The firmware design documentation for the Test Secure-EL1 Payload (TSP) and |
| 3388 | its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. |
| 3389 | |
| 3390 | - The Juno-specific firmware design documentation is incomplete. |
| 3391 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3392 | Version 1.0 |
| 3393 | ----------- |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3394 | |
| 3395 | New features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3396 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3397 | |
| 3398 | - It is now possible to map higher physical addresses using non-flat virtual |
| 3399 | to physical address mappings in the MMU setup. |
| 3400 | |
| 3401 | - Wider use is now made of the per-CPU data cache in BL3-1 to store: |
| 3402 | |
| 3403 | - Pointers to the non-secure and secure security state contexts. |
| 3404 | |
| 3405 | - A pointer to the CPU-specific operations. |
| 3406 | |
| 3407 | - A pointer to PSCI specific information (for example the current power |
| 3408 | state). |
| 3409 | |
| 3410 | - A crash reporting buffer. |
| 3411 | |
| 3412 | - The following RAM usage improvements result in a BL3-1 RAM usage reduction |
| 3413 | from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction |
| 3414 | across all images from 208KB to 88KB, compared to the previous release. |
| 3415 | |
| 3416 | - Removed the separate ``early_exception`` vectors from BL3-1 (2KB code size |
| 3417 | saving). |
| 3418 | |
| 3419 | - Removed NSRAM from the FVP memory map, allowing the removal of one |
| 3420 | (4KB) translation table. |
| 3421 | |
| 3422 | - Eliminated the internal ``psci_suspend_context`` array, saving 2KB. |
| 3423 | |
| 3424 | - Correctly dimensioned the PSCI ``aff_map_node`` array, saving 1.5KB in the |
| 3425 | FVP port. |
| 3426 | |
| 3427 | - Removed calling CPU mpidr from the bakery lock API, saving 160 bytes. |
| 3428 | |
| 3429 | - Removed current CPU mpidr from PSCI common code, saving 160 bytes. |
| 3430 | |
| 3431 | - Inlined the mmio accessor functions, saving 360 bytes. |
| 3432 | |
| 3433 | - Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by |
| 3434 | overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime. |
| 3435 | |
| 3436 | - Made storing the FP register context optional, saving 0.5KB per context |
| 3437 | (8KB on the FVP port, with TSPD enabled and running on 8 CPUs). |
| 3438 | |
| 3439 | - Implemented a leaner ``tf_printf()`` function, allowing the stack to be |
| 3440 | greatly reduced. |
| 3441 | |
| 3442 | - Removed coherent stacks from the codebase. Stacks allocated in normal |
| 3443 | memory are now used before and after the MMU is enabled. This saves 768 |
| 3444 | bytes per CPU in BL3-1. |
| 3445 | |
| 3446 | - Reworked the crash reporting in BL3-1 to use less stack. |
| 3447 | |
| 3448 | - Optimized the EL3 register state stored in the ``cpu_context`` structure |
| 3449 | so that registers that do not change during normal execution are |
| 3450 | re-initialized each time during cold/warm boot, rather than restored |
| 3451 | from memory. This saves about 1.2KB. |
| 3452 | |
| 3453 | - As a result of some of the above, reduced the runtime stack size in all |
| 3454 | BL images. For BL3-1, this saves 1KB per CPU. |
| 3455 | |
| 3456 | - PSCI SMC handler improvements to correctly handle calls from secure states |
| 3457 | and from AArch32. |
| 3458 | |
| 3459 | - CPU contexts are now initialized from the ``entry_point_info``. BL3-1 fully |
| 3460 | determines the exception level to use for the non-trusted firmware (BL3-3) |
| 3461 | based on the SPSR value provided by the BL2 platform code (or otherwise |
| 3462 | provided to BL3-1). This allows platform code to directly run non-trusted |
| 3463 | firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS |
| 3464 | loader. |
| 3465 | |
| 3466 | - Code refactoring improvements: |
| 3467 | |
| 3468 | - Refactored ``fvp_config`` into a common platform header. |
| 3469 | |
| 3470 | - Refactored the fvp gic code to be a generic driver that no longer has an |
| 3471 | explicit dependency on platform code. |
| 3472 | |
| 3473 | - Refactored the CCI-400 driver to not have dependency on platform code. |
| 3474 | |
| 3475 | - Simplified the IO driver so it's no longer necessary to call ``io_init()`` |
| 3476 | and moved all the IO storage framework code to one place. |
| 3477 | |
| 3478 | - Simplified the interface the the TZC-400 driver. |
| 3479 | |
| 3480 | - Clarified the platform porting interface to the TSP. |
| 3481 | |
| 3482 | - Reworked the TSPD setup code to support the alternate BL3-2 |
Paul Beesley | 8aabea3 | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 3483 | initialization flow where BL3-1 generic code hands control to BL3-2, |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3484 | rather than expecting the TSPD to hand control directly to BL3-2. |
| 3485 | |
| 3486 | - Considerable rework to PSCI generic code to support CPU specific |
| 3487 | operations. |
| 3488 | |
| 3489 | - Improved console log output, by: |
| 3490 | |
| 3491 | - Adding the concept of debug log levels. |
| 3492 | |
| 3493 | - Rationalizing the existing debug messages and adding new ones. |
| 3494 | |
| 3495 | - Printing out the version of each BL stage at runtime. |
| 3496 | |
| 3497 | - Adding support for printing console output from assembler code, |
| 3498 | including when a crash occurs before the C runtime is initialized. |
| 3499 | |
| 3500 | - Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro |
| 3501 | file system and DS-5. |
| 3502 | |
| 3503 | - On the FVP port, made the use of the Trusted DRAM region optional at build |
| 3504 | time (off by default). Normal platforms will not have such a "ready-to-use" |
| 3505 | DRAM area so it is not a good example to use it. |
| 3506 | |
| 3507 | - Added support for PSCI ``SYSTEM_OFF`` and ``SYSTEM_RESET`` APIs. |
| 3508 | |
| 3509 | - Added support for CPU specific reset sequences, power down sequences and |
| 3510 | register dumping during crash reporting. The CPU specific reset sequences |
| 3511 | include support for errata workarounds. |
| 3512 | |
| 3513 | - Merged the Juno port into the master branch. Added support for CPU hotplug |
| 3514 | and CPU idle. Updated the user guide to describe how to build and run on the |
| 3515 | Juno platform. |
| 3516 | |
| 3517 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3518 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3519 | |
| 3520 | - Removed the concept of top/bottom image loading. The image loader now |
| 3521 | automatically detects the position of the image inside the current memory |
Paul Beesley | 8aabea3 | 2019-01-11 18:26:51 +0000 | [diff] [blame] | 3522 | layout and updates the layout to minimize fragmentation. This resolves the |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3523 | image loader limitations of previously releases. There are currently no |
| 3524 | plans to support dynamic image loading. |
| 3525 | |
| 3526 | - CPU idle now works on the publicized version of the Foundation FVP. |
| 3527 | |
| 3528 | - All known issues relating to the compiler version used have now been |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3529 | resolved. This TF-A version uses Linaro toolchain 14.07 (based on GCC 4.9). |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3530 | |
| 3531 | Known issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3532 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3533 | |
| 3534 | - GICv3 support is experimental. The Linux kernel patches to support this are |
| 3535 | not widely available. There are known issues with GICv3 initialization in |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3536 | the TF-A. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3537 | |
| 3538 | - While this version greatly reduces the on-chip RAM requirements, there are |
| 3539 | further RAM usage enhancements that could be made. |
| 3540 | |
| 3541 | - The firmware design documentation for the Test Secure-EL1 Payload (TSP) and |
| 3542 | its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. |
| 3543 | |
| 3544 | - The Juno-specific firmware design documentation is incomplete. |
| 3545 | |
| 3546 | - Some recent enhancements to the FVP port have not yet been translated into |
| 3547 | the Juno port. These will be tracked via the tf-issues project. |
| 3548 | |
| 3549 | - The Linux kernel version referred to in the user guide has DVFS and HMP |
| 3550 | support disabled due to some known instabilities at the time of this |
| 3551 | release. A future kernel version will re-enable these features. |
| 3552 | |
| 3553 | - DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in |
| 3554 | CADI server mode. This is because the ``<SimName>`` reported by the FVP in |
| 3555 | this version has changed. For example, for the Cortex-A57x4-A53x4 Base FVP, |
| 3556 | the ``<SimName>`` reported by the FVP is ``FVP_Base_Cortex_A57x4_A53x4``, while |
| 3557 | DS-5 expects it to be ``FVP_Base_A57x4_A53x4``. |
| 3558 | |
| 3559 | The temporary fix to this problem is to change the name of the FVP in |
| 3560 | ``sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml``. |
| 3561 | Change the following line: |
| 3562 | |
| 3563 | :: |
| 3564 | |
| 3565 | <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName> |
| 3566 | |
| 3567 | to |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 3568 | System Generator:FVP_Base_Cortex-A57x4_A53x4 |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3569 | |
| 3570 | A similar change can be made to the other Cortex-A57-A53 Base FVP variants. |
| 3571 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3572 | Version 0.4 |
| 3573 | ----------- |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3574 | |
| 3575 | New features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3576 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3577 | |
| 3578 | - Makefile improvements: |
| 3579 | |
| 3580 | - Improved dependency checking when building. |
| 3581 | |
| 3582 | - Removed ``dump`` target (build now always produces dump files). |
| 3583 | |
| 3584 | - Enabled platform ports to optionally make use of parts of the Trusted |
| 3585 | Firmware (e.g. BL3-1 only), rather than being forced to use all parts. |
| 3586 | Also made the ``fip`` target optional. |
| 3587 | |
| 3588 | - Specified the full path to source files and removed use of the ``vpath`` |
| 3589 | keyword. |
| 3590 | |
| 3591 | - Provided translation table library code for potential re-use by platforms |
| 3592 | other than the FVPs. |
| 3593 | |
| 3594 | - Moved architectural timer setup to platform-specific code. |
| 3595 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 3596 | - Added standby state support to PSCI cpu_suspend implementation. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3597 | |
| 3598 | - SRAM usage improvements: |
| 3599 | |
| 3600 | - Started using the ``-ffunction-sections``, ``-fdata-sections`` and |
| 3601 | ``--gc-sections`` compiler/linker options to remove unused code and data |
| 3602 | from the images. Previously, all common functions were being built into |
| 3603 | all binary images, whether or not they were actually used. |
| 3604 | |
| 3605 | - Placed all assembler functions in their own section to allow more unused |
| 3606 | functions to be removed from images. |
| 3607 | |
| 3608 | - Updated BL1 and BL2 to use a single coherent stack each, rather than one |
| 3609 | per CPU. |
| 3610 | |
| 3611 | - Changed variables that were unnecessarily declared and initialized as |
| 3612 | non-const (i.e. in the .data section) so they are either uninitialized |
| 3613 | (zero init) or const. |
| 3614 | |
| 3615 | - Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by |
| 3616 | default. The option for it to run in Trusted DRAM remains. |
| 3617 | |
| 3618 | - Implemented a TrustZone Address Space Controller (TZC-400) driver. A |
| 3619 | default configuration is provided for the Base FVPs. This means the model |
| 3620 | parameter ``-C bp.secure_memory=1`` is now supported. |
| 3621 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 3622 | - Started saving the PSCI cpu_suspend 'power_state' parameter prior to |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3623 | suspending a CPU. This allows platforms that implement multiple power-down |
| 3624 | states at the same affinity level to identify a specific state. |
| 3625 | |
| 3626 | - Refactored the entire codebase to reduce the amount of nesting in header |
| 3627 | files and to make the use of system/user includes more consistent. Also |
| 3628 | split platform.h to separate out the platform porting declarations from the |
| 3629 | required platform porting definitions and the definitions/declarations |
| 3630 | specific to the platform port. |
| 3631 | |
| 3632 | - Optimized the data cache clean/invalidate operations. |
| 3633 | |
| 3634 | - Improved the BL3-1 unhandled exception handling and reporting. Unhandled |
| 3635 | exceptions now result in a dump of registers to the console. |
| 3636 | |
| 3637 | - Major rework to the handover interface between BL stages, in particular the |
| 3638 | interface to BL3-1. The interface now conforms to a specification and is |
| 3639 | more future proof. |
| 3640 | |
| 3641 | - Added support for optionally making the BL3-1 entrypoint a reset handler |
| 3642 | (instead of BL1). This allows platforms with an alternative image loading |
| 3643 | architecture to re-use BL3-1 with fewer modifications to generic code. |
| 3644 | |
| 3645 | - Reserved some DDR DRAM for secure use on FVP platforms to avoid future |
| 3646 | compatibility problems with non-secure software. |
| 3647 | |
| 3648 | - Added support for secure interrupts targeting the Secure-EL1 Payload (SP) |
| 3649 | (using GICv2 routing only). Demonstrated this working by adding an interrupt |
| 3650 | target and supporting test code to the TSP. Also demonstrated non-secure |
| 3651 | interrupt handling during TSP processing. |
| 3652 | |
| 3653 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3654 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3655 | |
| 3656 | - Now support use of the model parameter ``-C bp.secure_memory=1`` in the Base |
| 3657 | FVPs (see **New features**). |
| 3658 | |
| 3659 | - Support for secure world interrupt handling now available (see **New |
| 3660 | features**). |
| 3661 | |
| 3662 | - Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1 |
| 3663 | Payload (BL3-2) to execute in Trusted SRAM by default. |
| 3664 | |
| 3665 | - The tested filesystem used for this release (Linaro AArch64 OpenEmbedded |
| 3666 | 14.04) now correctly reports progress in the console. |
| 3667 | |
| 3668 | - Improved the Makefile structure to make it easier to separate out parts of |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3669 | the TF-A for re-use in platform ports. Also, improved target dependency |
| 3670 | checking. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3671 | |
| 3672 | Known issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3673 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3674 | |
| 3675 | - GICv3 support is experimental. The Linux kernel patches to support this are |
| 3676 | not widely available. There are known issues with GICv3 initialization in |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3677 | the TF-A. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3678 | |
| 3679 | - Dynamic image loading is not available yet. The current image loader |
| 3680 | implementation (used to load BL2 and all subsequent images) has some |
| 3681 | limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead |
| 3682 | to loading errors, even if the images should theoretically fit in memory. |
| 3683 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3684 | - TF-A still uses too much on-chip Trusted SRAM. A number of RAM usage |
| 3685 | enhancements have been identified to rectify this situation. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3686 | |
| 3687 | - CPU idle does not work on the advertised version of the Foundation FVP. |
| 3688 | Some FVP fixes are required that are not available externally at the time |
| 3689 | of writing. This can be worked around by disabling CPU idle in the Linux |
| 3690 | kernel. |
| 3691 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3692 | - Various bugs in TF-A, UEFI and the Linux kernel have been observed when |
| 3693 | using Linaro toolchain versions later than 13.11. Although most of these |
| 3694 | have been fixed, some remain at the time of writing. These mainly seem to |
| 3695 | relate to a subtle change in the way the compiler converts between 64-bit |
| 3696 | and 32-bit values (e.g. during casting operations), which reveals |
| 3697 | previously hidden bugs in client code. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3698 | |
| 3699 | - The firmware design documentation for the Test Secure-EL1 Payload (TSP) and |
| 3700 | its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. |
| 3701 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3702 | Version 0.3 |
| 3703 | ----------- |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3704 | |
| 3705 | New features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3706 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3707 | |
| 3708 | - Support for Foundation FVP Version 2.0 added. |
| 3709 | The documented UEFI configuration disables some devices that are unavailable |
| 3710 | in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can |
| 3711 | be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation |
| 3712 | FVP. |
| 3713 | |
Paul Beesley | e1c5026 | 2019-03-13 16:20:44 +0000 | [diff] [blame] | 3714 | .. note:: |
| 3715 | The software will not work on Version 1.0 of the Foundation FVP. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3716 | |
| 3717 | - Enabled third party contributions. Added a new contributing.md containing |
| 3718 | instructions for how to contribute and updated copyright text in all files |
| 3719 | to acknowledge contributors. |
| 3720 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 3721 | - The PSCI CPU_SUSPEND API has been stabilised to the extent where it can be |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3722 | used for entry into power down states with the following restrictions: |
| 3723 | |
| 3724 | - Entry into standby states is not supported. |
| 3725 | - The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs. |
| 3726 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 3727 | - The PSCI AFFINITY_INFO api has undergone limited testing on the Base FVPs to |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3728 | allow experimental use. |
| 3729 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3730 | - Required C library and runtime header files are now included locally in |
| 3731 | TF-A instead of depending on the toolchain standard include paths. The |
| 3732 | local implementation has been cleaned up and reduced in scope. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3733 | |
| 3734 | - Added I/O abstraction framework, primarily to allow generic code to load |
| 3735 | images in a platform-independent way. The existing image loading code has |
| 3736 | been reworked to use the new framework. Semi-hosting and NOR flash I/O |
| 3737 | drivers are provided. |
| 3738 | |
| 3739 | - Introduced Firmware Image Package (FIP) handling code and tools. A FIP |
| 3740 | combines multiple firmware images with a Table of Contents (ToC) into a |
| 3741 | single binary image. The new FIP driver is another type of I/O driver. The |
| 3742 | Makefile builds a FIP by default and the FVP platform code expect to load a |
| 3743 | FIP from NOR flash, although some support for image loading using semi- |
| 3744 | hosting is retained. |
| 3745 | |
Paul Beesley | e1c5026 | 2019-03-13 16:20:44 +0000 | [diff] [blame] | 3746 | .. note:: |
| 3747 | Building a FIP by default is a non-backwards-compatible change. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3748 | |
Paul Beesley | e1c5026 | 2019-03-13 16:20:44 +0000 | [diff] [blame] | 3749 | .. note:: |
| 3750 | Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into |
| 3751 | DRAM instead of expecting this to be pre-loaded at known location. This is |
| 3752 | also a non-backwards-compatible change. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3753 | |
Paul Beesley | e1c5026 | 2019-03-13 16:20:44 +0000 | [diff] [blame] | 3754 | .. note:: |
| 3755 | Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that |
| 3756 | it knows the new location to execute from and no longer needs to copy |
| 3757 | particular code modules to DRAM itself. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3758 | |
| 3759 | - Reworked BL2 to BL3-1 handover interface. A new composite structure |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 3760 | (bl31_args) holds the superset of information that needs to be passed from |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3761 | BL2 to BL3-1, including information on how handover execution control to |
| 3762 | BL3-2 (if present) and BL3-3 (non-trusted firmware). |
| 3763 | |
| 3764 | - Added library support for CPU context management, allowing the saving and |
| 3765 | restoring of |
| 3766 | |
| 3767 | - Shared system registers between Secure-EL1 and EL1. |
| 3768 | - VFP registers. |
| 3769 | - Essential EL3 system registers. |
| 3770 | |
| 3771 | - Added a framework for implementing EL3 runtime services. Reworked the PSCI |
| 3772 | implementation to be one such runtime service. |
| 3773 | |
Sandrine Bailleux | f3cacad | 2019-02-08 15:26:36 +0100 | [diff] [blame] | 3774 | - Reworked the exception handling logic, making use of both SP_EL0 and SP_EL3 |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3775 | stack pointers for determining the type of exception, managing general |
| 3776 | purpose and system register context on exception entry/exit, and handling |
| 3777 | SMCs. SMCs are directed to the correct EL3 runtime service. |
| 3778 | |
| 3779 | - Added support for a Test Secure-EL1 Payload (TSP) and a corresponding |
| 3780 | Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD |
| 3781 | implements Secure Monitor functionality such as world switching and |
| 3782 | EL1 context management, and is responsible for communication with the TSP. |
Paul Beesley | e1c5026 | 2019-03-13 16:20:44 +0000 | [diff] [blame] | 3783 | |
| 3784 | .. note:: |
| 3785 | The TSPD does not yet contain support for secure world interrupts. |
| 3786 | .. note:: |
| 3787 | The TSP/TSPD is not built by default. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3788 | |
| 3789 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3790 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3791 | |
| 3792 | - Support has been added for switching context between secure and normal |
| 3793 | worlds in EL3. |
| 3794 | |
| 3795 | - PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` have now been tested (to |
| 3796 | a limited extent). |
| 3797 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3798 | - The TF-A build artifacts are now placed in the ``./build`` directory and |
| 3799 | sub-directories instead of being placed in the root of the project. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3800 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3801 | - TF-A is now free from build warnings. Build warnings are now treated as |
| 3802 | errors. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3803 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3804 | - TF-A now provides C library support locally within the project to maintain |
| 3805 | compatibility between toolchains/systems. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3806 | |
| 3807 | - The PSCI locking code has been reworked so it no longer takes locks in an |
| 3808 | incorrect sequence. |
| 3809 | |
| 3810 | - The RAM-disk method of loading a Linux file-system has been confirmed to |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3811 | work with the TF-A and Linux kernel version (based on version 3.13) used |
| 3812 | in this release, for both Foundation and Base FVPs. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3813 | |
| 3814 | Known issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3815 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3816 | |
| 3817 | The following is a list of issues which are expected to be fixed in the future |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3818 | releases of TF-A. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3819 | |
| 3820 | - The TrustZone Address Space Controller (TZC-400) is not being programmed |
| 3821 | yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported. |
| 3822 | |
| 3823 | - No support yet for secure world interrupt handling. |
| 3824 | |
| 3825 | - GICv3 support is experimental. The Linux kernel patches to support this are |
| 3826 | not widely available. There are known issues with GICv3 initialization in |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3827 | TF-A. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3828 | |
| 3829 | - Dynamic image loading is not available yet. The current image loader |
| 3830 | implementation (used to load BL2 and all subsequent images) has some |
| 3831 | limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead |
| 3832 | to loading errors, even if the images should theoretically fit in memory. |
| 3833 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3834 | - TF-A uses too much on-chip Trusted SRAM. Currently the Test Secure-EL1 |
| 3835 | Payload (BL3-2) executes in Trusted DRAM since there is not enough SRAM. |
| 3836 | A number of RAM usage enhancements have been identified to rectify this |
| 3837 | situation. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3838 | |
| 3839 | - CPU idle does not work on the advertised version of the Foundation FVP. |
| 3840 | Some FVP fixes are required that are not available externally at the time |
| 3841 | of writing. |
| 3842 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3843 | - Various bugs in TF-A, UEFI and the Linux kernel have been observed when |
| 3844 | using Linaro toolchain versions later than 13.11. Although most of these |
| 3845 | have been fixed, some remain at the time of writing. These mainly seem to |
| 3846 | relate to a subtle change in the way the compiler converts between 64-bit |
| 3847 | and 32-bit values (e.g. during casting operations), which reveals |
| 3848 | previously hidden bugs in client code. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3849 | |
| 3850 | - The tested filesystem used for this release (Linaro AArch64 OpenEmbedded |
| 3851 | 14.01) does not report progress correctly in the console. It only seems to |
| 3852 | produce error output, not standard output. It otherwise appears to function |
| 3853 | correctly. Other filesystem versions on the same software stack do not |
| 3854 | exhibit the problem. |
| 3855 | |
| 3856 | - The Makefile structure doesn't make it easy to separate out parts of the |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3857 | TF-A for re-use in platform ports, for example if only BL3-1 is required in |
| 3858 | a platform port. Also, dependency checking in the Makefile is flawed. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3859 | |
| 3860 | - The firmware design documentation for the Test Secure-EL1 Payload (TSP) and |
| 3861 | its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. |
| 3862 | |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3863 | Version 0.2 |
| 3864 | ----------- |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3865 | |
| 3866 | New features |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3867 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3868 | |
| 3869 | - First source release. |
| 3870 | |
| 3871 | - Code for the PSCI suspend feature is supplied, although this is not enabled |
| 3872 | by default since there are known issues (see below). |
| 3873 | |
| 3874 | Issues resolved since last release |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3875 | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3876 | |
| 3877 | - The "psci" nodes in the FDTs provided in this release now fully comply |
| 3878 | with the recommendations made in the PSCI specification. |
| 3879 | |
| 3880 | Known issues |
Paul Beesley | c48991e | 2019-02-11 17:58:21 +0000 | [diff] [blame] | 3881 | ^^^^^^^^^^^^ |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3882 | |
| 3883 | The following is a list of issues which are expected to be fixed in the future |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3884 | releases of TF-A. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3885 | |
| 3886 | - The TrustZone Address Space Controller (TZC-400) is not being programmed |
| 3887 | yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported. |
| 3888 | |
| 3889 | - No support yet for secure world interrupt handling or for switching context |
| 3890 | between secure and normal worlds in EL3. |
| 3891 | |
| 3892 | - GICv3 support is experimental. The Linux kernel patches to support this are |
| 3893 | not widely available. There are known issues with GICv3 initialization in |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3894 | TF-A. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3895 | |
| 3896 | - Dynamic image loading is not available yet. The current image loader |
| 3897 | implementation (used to load BL2 and all subsequent images) has some |
| 3898 | limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead |
| 3899 | to loading errors, even if the images should theoretically fit in memory. |
| 3900 | |
| 3901 | - Although support for PSCI ``CPU_SUSPEND`` is present, it is not yet stable |
| 3902 | and ready for use. |
| 3903 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3904 | - PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` are implemented but have |
| 3905 | not been tested. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3906 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3907 | - The TF-A make files result in all build artifacts being placed in the root |
| 3908 | of the project. These should be placed in appropriate sub-directories. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3909 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3910 | - The compilation of TF-A is not free from compilation warnings. Some of these |
| 3911 | warnings have not been investigated yet so they could mask real bugs. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3912 | |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3913 | - TF-A currently uses toolchain/system include files like stdio.h. It should |
| 3914 | provide versions of these within the project to maintain compatibility |
| 3915 | between toolchains/systems. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3916 | |
| 3917 | - The PSCI code takes some locks in an incorrect sequence. This may cause |
| 3918 | problems with suspend and hotplug in certain conditions. |
| 3919 | |
| 3920 | - The Linux kernel used in this release is based on version 3.12-rc4. Using |
Dan Handley | 4def07d | 2018-03-01 18:44:00 +0000 | [diff] [blame] | 3921 | this kernel with the TF-A fails to start the file-system as a RAM-disk. It |
| 3922 | fails to execute user-space ``init`` from the RAM-disk. As an alternative, |
| 3923 | the VirtioBlock mechanism can be used to provide a file-system to the |
| 3924 | kernel. |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3925 | |
| 3926 | -------------- |
| 3927 | |
Louis Mayencourt | a5bb389 | 2020-03-27 11:49:20 +0000 | [diff] [blame] | 3928 | *Copyright (c) 2013-2020, Arm Limited and Contributors. All rights reserved.* |
Douglas Raillard | 6f62574 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 3929 | |
David Cunado | 230326f | 2018-03-14 17:57:31 +0000 | [diff] [blame] | 3930 | .. _SDEI Specification: http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf |
David Cunado | aee3ef4 | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 3931 | .. _tf-issue#501: https://github.com/ARM-software/tf-issues/issues/501 |
| 3932 | .. _PR#1002: https://github.com/ARM-software/arm-trusted-firmware/pull/1002#issuecomment-312650193 |
Paul Beesley | 3476095 | 2019-04-12 14:19:42 +0100 | [diff] [blame] | 3933 | .. _mbed TLS releases: https://tls.mbed.org/tech-updates/releases |