1Change Log & Release Notes 2========================== 3 4This document contains a summary of the new features, changes, fixes and known 5issues in each release of Trusted Firmware-A. 6 7Version 2.4 8----------- 9 10New Features 11^^^^^^^^^^^^ 12 13- Architecture support 14 - Armv8.6-A 15 - Added support for Armv8.6 Enhanced Counter Virtualization (ECV) 16 - Added support for Armv8.6 Fine Grained Traps (FGT) 17 - Added support for Armv8.6 WFE trap delays 18 19- Bootloader images 20 - Added support for Measured Boot 21 22- Build System 23 - Added build option ``COT_DESC_IN_DTB`` to create Chain of Trust at runtime 24 - Added build option ``OPENSSL_DIR`` to direct tools to OpenSSL libraries 25 - Added build option ``RAS_TRAP_LOWER_EL_ERR_ACCESS`` to enable trapping RAS 26 register accesses from EL1/EL2 to EL3 27 - Extended build option ``BRANCH_PROTECTION`` to support branch target 28 identification 29 30- Common components 31 - Added support for exporting CPU nodes to the device tree 32 - Added support for single and dual-root Chains of Trust in secure 33 partitions 34 35- Drivers 36 - Added Broadcom RNG driver 37 - Added Marvell ``mg_conf_cm3`` driver 38 - Added System Control and Management Interface (SCMI) driver 39 - Added STMicroelectronics ETZPC driver 40 41 - Arm GICv3 42 - Added support for detecting topology at runtime 43 44 - Dual Root 45 - Added support for platform certificates 46 47 - Marvell Cache LLC 48 - Added support for mapping the entire LLC into SRAM 49 50 - Marvell CCU 51 - Added workaround for erratum 3033912 52 53 - Marvell CP110 COMPHY 54 - Added support for SATA COMPHY polarity inversion 55 - Added support for USB COMPHY polarity inversion 56 - Added workaround for erratum IPCE_COMPHY-1353 57 58 - STM32MP1 Clocks 59 - Added ``RTC`` as a gateable clock 60 - Added support for shifted clock selector bit masks 61 - Added support for using additional clocks as parents 62 63- Libraries 64 - C standard library 65 - Added support for hexadecimal 
and pointer format specifiers in 66 ``snprint()`` 67 - Added assembly alternatives for various library functions 68 69 - CPU support 70 - Arm Cortex-A53 71 - Added workaround for erratum 1530924 72 73 - Arm Cortex-A55 74 - Added workaround for erratum 1530923 75 76 - Arm Cortex-A57 77 - Added workaround for erratum 1319537 78 79 - Arm Cortex-A76 80 - Added workaround for erratum 1165522 81 - Added workaround for erratum 1791580 82 - Added workaround for erratum 1868343 83 84 - Arm Cortex-A72 85 - Added workaround for erratum 1319367 86 87 - Arm Cortex-A77 88 - Added workaround for erratum 1508412 89 - Added workaround for erratum 1800714 90 - Added workaround for erratum 1925769 91 92 - Arm Neoverse N1 93 - Added workaround for erratum 1868343 94 95 - EL3 Runtime 96 - Added support for saving/restoring registers related to nested 97 virtualization in EL2 context switches if the architecture supports it 98 99 - FCONF 100 - Added support for Measured Boot 101 - Added support for populating Chain of Trust properties 102 - Added support for loading the ``fw_config`` image 103 104 - Measured Boot 105 - Added support for event logging 106 107- Platforms 108 - Added support for Arm Morello 109 - Added support for Arm TC0 110 - Added support for iEi PUZZLE-M801 111 - Added support for Marvell OCTEON TX2 T9130 112 - Added support for MediaTek MT8192 113 - Added support for NXP i.MX 8M Nano 114 - Added support for NXP i.MX 8M Plus 115 - Added support for QTI CHIP SC7180 116 - Added support for STM32MP151F 117 - Added support for STM32MP153F 118 - Added support for STM32MP157F 119 - Added support for STM32MP151D 120 - Added support for STM32MP153D 121 - Added support for STM32MP157D 122 123 - Arm 124 - Added support for platform-owned SPs 125 - Added support for resetting to BL31 126 127 - Arm FPGA 128 - Added support for Klein 129 - Added support for Matterhorn 130 - Added support for additional CPU clusters 131 132 - Arm FVP 133 - Added support for performing SDEI platform 
setup at runtime 134 - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command 135 - Added an ``id`` field under the NV-counter node in the device tree to 136 differentiate between trusted and non-trusted NV-counters 137 - Added support for extracting the clock frequency from the timer node 138 in the device tree 139 140 - Arm Juno 141 - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command 142 143 - Arm N1SDP 144 - Added support for cross-chip PCI-e 145 146 - Marvell 147 - Added support for AVS reduction 148 149 - Marvell ARMADA 150 - Added support for twin-die combined memory device 151 152 - Marvell ARMADA A8K 153 - Added support for DDR with 32-bit bus width (both ECC and non-ECC) 154 155 - Marvell AP806 156 - Added workaround for erratum FE-4265711 157 158 - Marvell AP807 159 - Added workaround for erratum 3033912 160 161 - Nvidia Tegra 162 - Added debug printouts indicating SC7 entry sequence completion 163 - Added support for SDEI 164 - Added support for stack protection 165 - Added support for GICv3 166 - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command 167 168 - Nvidia Tegra194 169 - Added support for RAS exception handling 170 - Added support for SPM 171 172 - NXP i.MX 173 - Added support for SDEI 174 175 - QEMU SBSA 176 - Added support for the Secure Partition Manager 177 178 - QTI 179 - Added RNG driver 180 - Added SPMI PMIC arbitrator driver 181 - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command 182 183 - STM32MP1 184 - Added support for exposing peripheral interfaces to the non-secure 185 world at runtime 186 - Added support for SCMI clock and reset services 187 - Added support for STM32MP15x CPU revision Z 188 - Added support for SMCCC services in ``SP_MIN`` 189 190- Services 191 - Secure Payload Dispatcher 192 - Added a provision to allow clients to retrieve the service UUID 193 194 - SPMC 195 - Added secondary core endpoint information to the SPMC context 196 structure 197 198 - SPMD 199 - Added support for booting OP-TEE as a guest 
S-EL1 Secure Partition on 200 top of Hafnium in S-EL2 201 - Added a provision for handling SPMC messages to register secondary 202 core entry points 203 - Added support for power management operations 204 205- Tools 206 - CertCreate 207 - Added support for secure partitions 208 209 - CertTool 210 - Added support for the ``fw_config`` image 211 212 - FIPTool 213 - Added support for the ``fw_config`` image 214 215Changed 216^^^^^^^ 217 218- Architecture support 219 220- Bootloader images 221 222- Build System 223 - The top-level Makefile now supports building FipTool on Windows 224 - The default value of ``KEY_SIZE`` has been changed to to 2048 when RSA is 225 in use 226 - The previously-deprecated macro ``__ASSEMBLY__`` has now been removed 227 228- Common components 229 - Certain functions that flush the console will no longer return error 230 information 231 232- Drivers 233 - Arm GIC 234 - Usage of ``drivers/arm/gic/common/gic_common.c`` has now been 235 deprecated in favour of ``drivers/arm/gic/vX/gicvX.mk`` 236 - Added support for detecting the presence of a GIC600-AE 237 - Added support for detecting the presence of a GIC-Clayton 238 239 - Marvell MCI 240 - Now performs link tuning for all MCI interfaces to improve performance 241 242 - Marvell MoChi 243 - PIDI masters are no longer forced into a non-secure access level when 244 ``LLC_SRAM`` is enabled 245 - The SD/MMC controllers are now accessible from guest virtual machines 246 247 - Mbed TLS 248 - Migrated to Mbed TLS v2.24.0 249 250 - STM32 FMC2 NAND 251 - Adjusted FMC node bindings to include an EBI controller node 252 253 - STM32 Reset 254 - Added an optional timeout argument to assertion functions 255 256 - STM32MP1 Clocks 257 - Enabled several additional system clocks during initialization 258 259- Libraries 260 - C Standard Library 261 - Improved ``memset`` performance by avoiding single-byte writes 262 - Added optimized assembly variants of ``memset`` 263 264 - CPU support 265 - Renamed 
Cortex-Hercules to Cortex-A78 266 - Renamed Cortex-Hercules AE to Cortex-A78 AE 267 - Renamed Neoverse Zeus to Neoverse V1 268 269 - Coreboot 270 - Updated ‘coreboot_get_memory_type’ API to take an extra argument as a 271 ’memory size’ that used to return a valid memory type. 272 273 - libfdt 274 - Updated to latest upstream version 275 276- Platforms 277 - Allwinner 278 - Disabled non-secure access to PRCM power control registers 279 280 - Arm 281 - ``BL32_BASE`` is now platform-dependent when ``SPD_spmd`` is enabled 282 - Added support for loading the Chain of Trust from the device tree 283 - The firmware update check is now executed only once 284 - NV-counter base addresses are now loaded from the device tree when 285 ``COT_DESC_IN_DTB`` is enabled 286 - Now loads and populates ``fw_config`` and ``tb_fw_config`` 287 - FCONF population now occurs after caches have been enabled in order 288 to reduce boot times 289 290 - Arm Corstone-700 291 - Platform support has been split into both an FVP and an FPGA variant 292 293 - Arm FPGA 294 - DTB and BL33 load addresses have been given sensible default values 295 - Now reads generic timer counter frequency, GICD and GICR base 296 addresses, and UART address from DT 297 - Now treats the primary PL011 UART as an SBSA Generic UART 298 299 - Arm FVP 300 - Secure interrupt descriptions, UART parameters, clock frequencies and 301 GICv3 parameters are now queried through FCONF 302 - UART parameters are now queried through the device tree 303 - Added an owner field to Cactus secure partitions 304 - Increased the maximum size of BL2 when the Chain of Trust is loaded 305 from the device tree 306 - Reduces the maximum size of BL31 307 - The ``FVP_USE_SP804_TIMER`` and ``FVP_VE_USE_SP804_TIMER`` build 308 options have been removed in favour of a common ``USE_SP804_TIMER`` 309 option 310 - Added a third Cactus partition to manifests 311 - Device tree nodes now store UUIDs in big-endian 312 313 - Arm Juno 314 - Increased the maximum 
size of BL2 when optimizations have not been 315 applied 316 - Reduced the maximum size of BL31 and BL32 317 318 - Marvell AP807 319 - Enabled snoop filters 320 321 - Marvell ARMADA A3K 322 - UART recovery images are now suffixed with ``.bin`` 323 324 - Marvell ARMADA A8K 325 - Option ``BL31_CACHE_DISABLE`` is now disabled (``0``) by default 326 327 - Nvidia Tegra 328 - Added VPR resize supported check when processing video memory resize 329 requests 330 - Added SMMU verification to prevent potential issues caused by 331 undetected corruption of the SMMU configuration during boot 332 - The GIC CPU interface is now properly disabled after CPU off 333 - The GICv2 sources list and the ``BL31_SIZE`` definition have been made 334 platform-specific 335 - The SPE driver will no longer flush the console when writing 336 individual characters 337 338 - Nvidia Tegra194 339 - TZDRAM setup has been moved to platform-specific early boot handlers 340 - Increased verbosity of debug prints for RAS SErrors 341 - Support for powering down CPUs during CPU suspend has been removed 342 - Now verifies firewall settings before using resources 343 344 - TI K3 345 - The UART number has been made configurable through ``K3_USART`` 346 347 - Rockchip RK3368 348 - The maximum number of memory map regions has been increased to 20 349 350 - Socionext Uniphier 351 - The maximum size of BL33 has been increased to support larger 352 bootloaders 353 354 - STM32 355 - Removed platform-specific DT functions in favour of using existing 356 generic alternatives 357 358 - STM32MP1 359 - Increased verbosity of exception reports in debug builds 360 - Device trees have been updated to align with the Linux kernel 361 - Now uses the ETZPC driver to configure secure-aware interfaces for 362 assignment to the non-secure world 363 - Finished good variants have been added to the board identifier 364 enumerations 365 - Non-secure access to clocks and reset domains now depends on their 366 state of registration 367 
- NEON is now disabled in ``SP_MIN`` 368 - The last page of ``SYSRAM`` is now used as SCMI shared memory 369 - Checks to verify platform compatibility have been added to verify that 370 an image is compatible with the chip ID of the running platform 371 372 - QEMU SBSA 373 - Removed support for Arm's Cortex-A53 374 375- Services 376 - Renamed SPCI to FF-A 377 378 - SPMD 379 - No longer forwards requests to the non-secure world when retrieving 380 partition information 381 - SPMC manifest size is now retrieved directly from SPMD instead of the 382 device tree 383 - The FF-A version handler now returns SPMD's version when the origin 384 of the call is secure, and SPMC's version when the origin of the call 385 is non-secure 386 387 - SPMC 388 - Updated the manifest to declare CPU nodes in descending order as per 389 the SPM (Hafnium) multicore requirement 390 - Updated the device tree to mark 2GB as device memory for the first 391 partition excluding trusted DRAM region (which is reserved for SPMC) 392 - Increased the number of EC contexts to the maximum number of PEs as 393 per the FF-A specification 394 395- Tools 396 - FIPTool 397 - Now returns ``0`` on ``help`` and ``help <command>`` 398 399 - Marvell DoImage 400 - Updated Mbed TLS support to v2.8 401 402 - SPTool 403 - Now appends CertTool arguments 404 405Resolved Issues 406^^^^^^^^^^^^^^^ 407 408- Bootloader images 409 - Fixed compilation errors for dual-root Chains of Trust caused by symbol 410 collision 411 412 - BL31 413 - Fixed compilation errors on platforms with fewer than 4 cores caused 414 by initialization code exceeding the end of the stacks 415 - Fixed compilation errors when building a position-independent image 416 417- Build System 418 - Fixed invalid empty version strings 419 - Fixed compilation errors on Windows caused by a non-portable architecture 420 revision comparison 421 422- Drivers 423 - Arm GIC 424 - Fixed spurious interrupts caused by a missing barrier 425 426 - STM32 Flexible Memory 
Controller 2 (FMC2) NAND driver 427 - Fixed runtime instability caused by incorrect error detection logic 428 429 - STM32MP1 Clock driver 430 - Fixed incorrectly-formatted log messages 431 - Fixed runtime instability caused by improper clock gating procedures 432 433 - STMicroelectronics Raw NAND driver 434 - Fixed runtime instability caused by incorrect unit conversion when 435 waiting for NAND readiness 436 437- Libraries 438 - AMU 439 - Fixed timeout errors caused by excess error logging 440 441 - EL3 Runtime 442 - Fixed runtime instability caused by improper register save/restore 443 routine in EL2 444 445 - FCONF 446 - Fixed failure to initialize GICv3 caused by overly-strict device tree 447 requirements 448 449 - Measured Boot 450 - Fixed driver errors caused by a missing default value for the 451 ``HASH_ALG`` build option 452 453 - SPE 454 - Fixed feature detection check that prevented CPUs supporting SVE from 455 detecting support for SPE in the non-secure world 456 457 - Translation Tables 458 - Fixed various MISRA-C 2012 static analysis violations 459 460- Platforms 461 - Allwinner A64 462 - Fixed USB issues on certain battery-powered device caused by 463 improperly activated USB power rail 464 465 - Arm 466 - Fixed compilation errors caused by increase in BL2 size 467 - Fixed compilation errors caused by missing Makefile dependencies to 468 generated files when building the FIP 469 - Fixed MISRA-C 2012 static analysis violations caused by unused 470 structures in include directives intended to be feature-gated 471 472 - Arm FPGA 473 - Fixed initialization issues caused by incorrect MPIDR topology mapping 474 logic 475 476 - Arm RD-N1-edge 477 - Fixed compilation errors caused by mismatched parentheses in Makefile 478 479 - Arm SGI 480 - Fixed crashes due to the flash memory used for cold reboot attack 481 protection not being mapped 482 483 - Intel Agilex 484 - Fixed initialization issues caused by several compounding bugs 485 486 - Marvell 487 - Fixed 
compilation warnings caused by multiple Makefile inclusions 488 489 - Marvell ARMADA A3K 490 - Fixed boot issue in debug builds caused by checks on the BL33 load 491 address that are not appropriate for this platform 492 493 - Nvidia Tegra 494 - Fixed incorrect delay timer reads 495 - Fixed spurious interrupts in the non-secure world during cold boot 496 caused by the arbitration bit in the memory controller not being 497 cleared 498 - Fixed faulty video memory resize sequence 499 500 - Nvidia Tegra194 501 - Fixed incorrect alignment of TZDRAM base address 502 503 - NXP iMX8M 504 - Fixed CPU hot-plug issues caused by race condition 505 506 - STM32MP1 507 - Fixed compilation errors in highly-parallel builds caused by incorrect 508 Makefile dependencies 509 510 - STM32MP157C-ED1 511 - Fixed initialization issues caused by missing device tree hash node 512 513 - Raspberry Pi 3 514 - Fixed compilation errors caused by incorrect dependency ordering in 515 Makefile 516 517 - Rockchip 518 - Fixed initialization issues caused by non-critical errors when parsing 519 FDT being treated as critical 520 521 - Rockchip RK3368 522 - Fixed runtime instability caused by incorrect CPUID shift value 523 524 - QEMU 525 - Fixed compilation errors caused by incorrect dependency ordering in 526 Makefile 527 528 - QEMU SBSA 529 - Fixed initialization issues caused by FDT exceeding reserved memory 530 size 531 532 - QTI 533 - Fixed compilation errors caused by inclusion of a non-existent file 534 535- Services 536 - FF-A (previously SPCI) 537 - Fixed SPMD aborts caused by incorrect behaviour when the manifest is 538 page-aligned 539 540- Tools 541 - Fixed compilation issues when compiling tools from within their respective 542 directories 543 544 - FIPTool 545 - Fixed command line parsing issues on Windows when using arguments 546 whose names also happen to be a subset of another's 547 548 - Marvell DoImage 549 - Fixed PKCS signature verification errors at boot on some platforms 550 caused 
by generation of misaligned images 551 552Known Issues 553^^^^^^^^^^^^ 554 555- Platforms 556 - NVIDIA Tegra 557 - Signed comparison compiler warnings occurring in libfdt are currently 558 being worked around by disabling the warning for the platform until 559 the underlying issue is resolved in libfdt 560 561Version 2.3 562----------- 563 564New Features 565^^^^^^^^^^^^ 566 567- Arm Architecture 568 - Add support for Armv8.4-SecEL2 extension through the SPCI defined SPMD/SPMC 569 components. 570 571 - Build option to support EL2 context save and restore in the secure world 572 (CTX_INCLUDE_EL2_REGS). 573 574 - Add support for SMCCC v1.2 (introducing the new SMCCC_ARCH_SOC_ID SMC). 575 Note that the support is compliant, but the SVE registers save/restore will 576 be done as part of future S-EL2/SPM development. 577 578- BL-specific 579 - Enhanced BL2 bootloader flow to load secure partitions based on firmware 580 configuration data (fconf). 581 582 - Changes necessary to support SEPARATE_NOBITS_REGION feature 583 584 - TSP and BL2_AT_EL3: Add Position Independent Execution ``PIE`` support 585 586- Build System 587 - Add support for documentation build as a target in Makefile 588 589 - Add ``COT`` build option to select the Chain of Trust to use when the 590 Trusted Boot feature is enabled (default: ``tbbr``). 591 592 - Added creation and injection of secure partition packages into the FIP. 593 594 - Build option to support SPMC component loading and run at S-EL1 595 or S-EL2 (SPMD_SPM_AT_SEL2). 596 597 - Enable MTE support 598 599 - Enable Link Time Optimization in GCC 600 601 - Enable -Wredundant-decls warning check 602 603 - Makefile: Add support to optionally encrypt BL31 and BL32 604 605 - Add support to pass the nt_fw_config DTB to OP-TEE. 
606 607 - Introduce per-BL ``CPPFLAGS``, ``ASFLAGS``, and ``LDFLAGS`` 608 609 - build_macros: Add CREATE_SEQ function to generate sequence of numbers 610 611- CPU Support 612 - cortex-a57: Enable higher performance non-cacheable load forwarding 613 614 - Hercules: Workaround for Errata 1688305 615 616 - Klein: Support added for Klein CPU 617 618 - Matterhorn: Support added for Matterhorn CPU 619 620- Drivers 621 - auth: Add ``calc_hash`` function for hash calculation. Used for 622 authentication of images when measured boot is enabled. 623 624 - cryptocell: Add authenticated decryption framework, and support 625 for CryptoCell-713 and CryptoCell-712 RSA 3K 626 627 - gic600: Add support for multichip configuration and Clayton 628 - gicv3: Introduce makefile, Add extended PPI and SPI range, 629 Add support for probing multiple GIC Redistributor frames 630 - gicv4: Add GICv4 extension for GIC driver 631 632 - io: Add an IO abstraction layer to load encrypted firmwares 633 634 - mhu: Derive doorbell base address 635 636 - mtd: Add SPI-NOR, SPI-NAND, SPI-MEM, and raw NAND framework 637 638 - scmi: Allow use of multiple SCMI channels 639 640 - scu: Add a driver for snoop control unit 641 642- Libraries 643 - coreboot: Add memory range parsing and use generic base address 644 645 - compiler_rt: Import popcountdi2.c and popcountsi2.c files, 646 aeabi_ldivmode.S file and dependencies 647 648 - debugFS: Add DebugFS functionality 649 650 - el3_runtime: Add support for enabling S-EL2 651 652 - fconf: Add Firmware Configuration Framework (fconf) (experimental). 653 654 - libc: Add memrchr function 655 656 - locks: bakery: Use is_dcache_enabled() helper and add a DMB to 657 the 'read_cache_op' macro 658 659 - psci: Add support to enable different personality of the same soc. 
660 661 - xlat_tables_v2: Add support to pass shareability attribute for 662 normal memory region, use get_current_el_maybe_constant() in 663 is_dcache_enabled(), read-only xlat tables for BL31 memory, and 664 add enable_mmu() 665 666- New Platforms Support 667 - arm/arm_fpga: New platform support added for FPGA 668 669 - arm/rddaniel: New platform support added for rd-daniel platform 670 671 - brcm/stingray: New platform support added for Broadcom stingray platform 672 673 - nvidia/tegra194: New platform support for Nvidia Tegra194 platform 674 675- Platforms 676 - allwinner: Implement PSCI system suspend using SCPI, add a msgbox 677 driver for use with SCPI, and reserve and map space for the SCP firmware 678 - allwinner: axp: Add AXP805 support 679 - allwinner: power: Add DLDO4 power rail 680 681 - amlogic: axg: Add a build flag when using ATOS as BL32 and support for 682 the A113D (AXG) platform 683 684 - arm/a5ds: Add ethernet node and L2 cache node in devicetree 685 686 - arm/common: Add support for the new `dualroot` chain of trust 687 - arm/common: Add support for SEPARATE_NOBITS_REGION 688 - arm/common: Re-enable PIE when RESET_TO_BL31=1 689 - arm/common: Allow boards to specify second DRAM Base address 690 and to define PLAT_ARM_TZC_FILTERS 691 692 - arm/corstone700: Add support for mhuv2 and stack protector 693 694 - arm/fvp: Add support for fconf in BL31 and SP_MIN. Populate power 695 domain descriptor dynamically by leveraging fconf APIs. 
696 - arm/fvp: Add Cactus/Ivy Secure Partition information and use two 697 instances of Cactus at S-EL1 698 - arm/fvp: Add support to run BL32 in TDRAM and BL31 in secure DRAM 699 - arm/fvp: Add support for GICv4 extension and BL2 hash calculation in BL1 700 701 - arm/n1sdp: Setup multichip gic routing table, update platform macros 702 for dual-chip setup, introduce platform information SDS region, add 703 support to update presence of External LLC, and enable the 704 NEOVERSE_N1_EXTERNAL_LLC flag 705 706 - arm/rdn1edge: Add support for dual-chip configuration and use 707 CREATE_SEQ helper macro to compare chip count 708 709 - arm/sgm: Always use SCMI for SGM platforms 710 - arm/sgm775: Add support for dynamic config using fconf 711 712 - arm/sgi: Add multi-chip mode parameter in HW_CONFIG dts, macros for 713 remote chip device region, chip_id and multi_chip_mode to platform 714 variant info, and introduce number of chips macro 715 716 - brcm: Add BL2 and BL31 support common across Broadcom platforms 717 - brcm: Add iproc SPI Nor flash support, spi driver, emmc driver, 718 and support to retrieve plat_toc_flags 719 720 - hisilicon: hikey960: Enable system power off callback 721 722 - intel: Enable bridge access, SiP SMC secure register access, and uboot 723 entrypoint support 724 - intel: Implement platform specific system reset 2 725 - intel: Introduce mailbox response length handling 726 727 - imx: console: Use CONSOLE_T_BASE for UART base address and generic console_t 728 data structure 729 - imx8mm: Provide uart base as build option and add the support for opteed spd 730 on imx8mq/imx8mm 731 - imx8qx: Provide debug uart num as build 732 - imx8qm: Apply clk/pinmux configuration for DEBUG_CONSOLE and provide debug 733 uart num as build param 734 735 - marvell: a8k: Implement platform specific power off and add support 736 for loading MG CM3 images 737 738 - mediatek: mt8183: Add Vmodem/Vcore DVS init level 739 740 - qemu: Support optional encryption of BL31 and 
BL32 images 741 and ARM_LINUX_KERNEL_AS_BL33 to pass FDT address 742 - qemu: Define ARMV7_SUPPORTS_VFP 743 - qemu: Implement PSCI_CPU_OFF and qemu_system_off via semihosting 744 745 - renesas: rcar_gen3: Add new board revision for M3ULCB 746 747 - rockchip: Enable workaround for erratum 855873, claim a macro to enable 748 hdcp feature for DP, enable power domains of rk3399 before reset, add 749 support for UART3 as serial output, and initialize reset and poweroff 750 GPIOs with known invalid value 751 752 - rpi: Implement PSCI CPU_OFF, use MMIO accessor, autodetect Mini-UART 753 vs. PL011 configuration, and allow using PL011 UART for RPi3/RPi4 754 - rpi3: Include GPIO driver in all BL stages and use same "clock-less" 755 setup scheme as RPi4 756 - rpi3/4: Add support for offlining CPUs 757 758 - st: stm32mp1: platform.mk: Support generating multiple images in one build, 759 migrate to implicit rules, derive map file name from target name, generate 760 linker script with fixed name, and use PHONY for the appropriate targets 761 - st: stm32mp1: Add support for SPI-NOR, raw NAND, and SPI-NAND boot device, 762 QSPI, FMC2 driver 763 - st: stm32mp1: Use stm32mp_get_ddr_ns_size() function, set XN attribute for 764 some areas in BL2, dynamically map DDR later and non-cacheable during its 765 test, add a function to get non-secure DDR size, add DT helper for reg by 766 name, and add compilation flags for boot devices 767 768 - socionext: uniphier: Turn on ENABLE_PIE 769 770 - ti: k3: Add PIE support 771 772 - xilinx: versal: Add set wakeup source, client wakeup, query data, request 773 wakeup, PM_INIT_FINALIZE, PM_GET_TRUSTZONE_VERSION, PM IOCTL, support for 774 suspend related, and Get_ChipID APIs 775 - xilinx: versal: Implement power down/restart related EEMI, SMC handler for 776 EEMI, PLL related PM, clock related PM, pin control related PM, reset related 777 PM, device related PM , APIs 778 - xilinx: versal: Enable ipi mailbox service 779 - xilinx: versal: Add 
get_api_version support and support to send PM API to PMC 780 using IPI 781 - xilinx: zynqmp: Add checksum support for IPI data, GET_CALLBACK_DATA 782 function, support to query max divisor, CLK_SET_RATE_PARENT in gem clock 783 node, support for custom type flags, LPD WDT clock to the pm_clock structure, 784 idcodes for new RFSoC silicons ZU48DR and ZU49DR, and id for new RFSoC device 785 ZU39DR 786 787- Security 788 - Use Speculation Barrier instruction for v8.5+ cores 789 790 - Add support for optional firmware encryption feature (experimental). 791 792 - Introduce a new `dualroot` chain of trust. 793 794 - aarch64: Prevent speculative execution past ERET 795 - aarch32: Stop speculative execution past exception returns. 796 797- SPCI 798 - Introduced the Secure Partition Manager Dispatcher (SPMD) component as a 799 new standard service. 800 801- Tools 802 - cert_create: Introduce CoT build option and TBBR CoT makefile, 803 and define the dualroot CoT 804 805 - encrypt_fw: Add firmware authenticated encryption tool 806 807 - memory: Add show_memory script that prints a representation 808 of the memory layout for the latest build 809 810Changed 811^^^^^^^ 812 813- Arm Architecture 814 - PIE: Make call to GDT relocation fixup generalized 815 816- BL-Specific 817 - Increase maximum size of BL2 image 818 819 - BL31: Discard .dynsym .dynstr .hash sections to make ENABLE_PIE work 820 - BL31: Split into two separate memory regions 821 822 - Unify BL linker scripts and reduce code duplication. 
823 824- Build System 825 - Changes to drive cert_create for dualroot CoT 826 827 - Enable -Wlogical-op always 828 829 - Enable -Wshadow always 830 831 - Refactor the warning flags 832 833 - PIE: Pass PIE options only to BL31 834 835 - Reduce space lost to object alignment 836 837 - Set lld as the default linker for Clang builds 838 839 - Remove -Wunused-const-variable and -Wpadded warning 840 841 - Remove -Wmissing-declarations warning from WARNING1 level 842 843- Drivers 844 - authentication: Necessary fix in drivers to upgrade to mbedtls-2.18.0 845 846 - console: Integrate UART base address in generic console_t 847 848 - gicv3: Change API for GICR_IPRIORITYR accessors and separate 849 GICD and GICR accessor functions 850 851 - io: Change seek offset to signed long long and panic in case 852 of io setup failure 853 854 - smmu: SMMUv3: Changed retry loop to delay timer 855 856 - tbbr: Reduce size of hash and ECDSA key buffers when possible 857 858- Library Code 859 - libc: Consolidate the size_t, unified, and NULL definitions, 860 and unify intmax_t and uintmax_t on AArch32/64 861 862 - ROMLIB: Optimize memory layout when ROMLIB is used 863 864 - xlat_tables_v2: Use ARRAY_SIZE in REGISTER_XLAT_CONTEXT_FULL_SPEC, 865 merge REGISTER_XLAT_CONTEXT_{FULL_SPEC,RO_BASE_TABLE}, 866 and simplify end address checks in mmap_add_region_check() 867 868- Platforms 869 - allwinner: Adjust SRAM A2 base to include the ARISC vectors, clean up MMU 870 setup, reenable USE_COHERENT_MEM, remove unused include path, move the 871 NOBITS region to SRAM A1, convert AXP803 regulator setup code into a driver, 872 enable clock before resetting I2C/RSB 873 - allwinner: h6: power: Switch to using the AXP driver 874 - allwinner: a64: power: Use fdt_for_each_subnode, remove obsolete register 875 check, remove duplicate DT check, and make sunxi_turn_off_soc static 876 - allwinner: Build PMIC bus drivers only in BL31, clean up PMIC-related error 877 handling, and synchronize PMIC enumerations 878 
879 - arm/a5ds: Change boot address to point to DDR address 880 881 - arm/common: Check for out-of-bound accesses in the platform io policies 882 883 - arm/corstone700: Updating the kernel arguments to support initramfs, 884 use fdts DDR memory and XIP rootfs, and set UART clocks to 32MHz 885 886 - arm/fvp: Modify multithreaded dts file of DynamIQ FVPs, slightly bump 887 the stack size for bl1 and bl2, remove re-definition of topology related 888 build options, stop reclaiming init code with Clang builds, and map only 889 the needed DRAM region statically in BL31/SP_MIN 890 891 - arm/juno: Maximize space allocated to SCP_BL2 892 893 - arm/sgi: Bump bl1 RW limit, mark remote chip shared ram as non-cacheable, 894 move GIC related constants to board files, include AFF3 affinity in core 895 position calculation, move bl31_platform_setup to board file, and move 896 topology information to board folder 897 898 - common: Refactor load_auth_image_internal(). 899 900 - hisilicon: Remove uefi-tools in hikey and hikey960 documentation 901 902 - intel: Modify non secure access function, BL31 address mapping, mailbox's 903 get_config_status, and stratix10 BL31 parameter handling 904 - intel: Remove un-needed checks for qspi driver r/w and s10 unused source code 905 - intel: Change all global sip function to static 906 - intel: Refactor common platform code 907 - intel: Create SiP service header file 908 909 910 - marvell: armada: scp_bl2: Allow loading up to 8 images 911 - marvell: comphy-a3700: Support SGMII COMPHY power off and fix USB3 912 powering on when on lane 2 913 - marvell: Consolidate console register calls 914 915 - mediatek: mt8183: Protect 4GB~8GB dram memory, refine GIC driver for 916 low power scenarios, and switch PLL/CLKSQ/ck_off/axi_26m control to SPM 917 918 - qemu: Update flash address map to keep FIP in secure FLASH0 919 920 - renesas: rcar_gen3: Update IPL and Secure Monitor Rev.2.0.6, update DDR 921 setting for H3, M3, M3N, change fixed destination 
      address of BL31 and BL32,
      add missing #{address,size}-cells into generated DT, pass DT to OpTee OS,
      and move DDR drivers out of staging

    - rockchip: Make miniloader ddr_parameter handling optional, cleanup securing
      of ddr regions, move secure init to separate file, use base+size for secure
      ddr regions, bring TZRAM_SIZE values in line, and prevent macro expansion
      in paths

    - rpi: Move plat_helpers.S to common
    - rpi3: gpio: Simplify GPIO setup
    - rpi4: Skip UART initialisation

    - st: stm32m1: Use generic console_t data structure, remove second
      QSPI flash instance, update for FMC2 pin muxing, and reduce MAX_XLAT_TABLES
      to 4

    - socionext: uniphier: Make on-chip SRAM and I/O register regions configurable
    - socionext: uniphier: Make PSCI related, counter control, UART, pinmon, NAND
      controller, and eMMC controller base addresses configurable
    - socionext: uniphier: Change block_addressing flag and the return value type
      of .is_usb_boot() to bool
    - socionext: uniphier: Run BL33 at EL2, call uniphier_scp_is_running() only
      when on-chip STM is supported, define PLAT_XLAT_TABLES_DYNAMIC only for BL2,
      support read-only xlat tables, use enable_mmu() in common function, shrink
      UNIPHIER_ROM_REGION_SIZE, prepare uniphier_soc_info() for next SoC, extend
      boot device detection for future SoCs, make all BL images completely
      position-independent, make uniphier_mmap_setup() work with PIE, pass SCP
      base address as a function parameter, set buffer offset and length for
      io_block dynamically, and use more mmap_add_dynamic_region() for loading
      images

    - spd/trusty: Disable error messages seen during boot, allow gic base to be
      specified with GICD_BASE, and allow getting trusty memsize from BL32_MEM_SIZE
      instead of TSP_SEC_MEM_SIZE

    - ti: k3: common: Enable ARM cluster power down and rename device IDs to
      be more consistent
    - ti: k3: drivers: ti_sci: Put
      sequence number in coherent memory and
      remove indirect structure of const data

    - xilinx: Move ipi mailbox svc to xilinx common
    - xilinx: zynqmp: Use GIC framework for warm restart
    - xilinx: zynqmp: pm: Move custom clock flags to typeflags, remove
      CLK_TOPSW_LSBUS from invalid clock list and rename FPD WDT clock ID
    - xilinx: versal: Increase OCM memory size for DEBUG builds and adjust
      cpu clock, move versal_def.h and versal_private to include directory

- Tools
    - sptool: Updated sptool to accommodate building secure partition packages.

Resolved Issues
^^^^^^^^^^^^^^^

- Arm Architecture
    - Fix crash dump for lower EL

- BL-Specific
    - Bug fix: Protect TSP prints with lock

    - Fix boot failures on some builds linked with ld.lld.

- Build System
    - Fix clang build if CC is not in the path.

    - Fix 'BL stage' comment for build macros

- Code Quality
    - coverity: Fix various MISRA violations including null pointer violations,
      C issues in BL1/BL2/BL31 and FDT helper functions, using boolean essential
      type, and removing unnecessary header file and comparisons to LONG_MAX in
      debugfs devfip

    - Based on coding guidelines, replace all ``unsigned long`` uses with
      fixed-width types chosen according to whether the code is AArch32 or
      AArch64.

    - Unify type of "cpu_idx" and Platform specific defines across PSCI module.

- Drivers
    - auth: Necessary fix in drivers to upgrade to mbedtls-2.18.0

    - delay_timer: Fix non-standard frequency issue in udelay

    - gicv3: Fix compiler dependent behavior
    - gic600: Fix include ordering according to the coding style and power up sequence

- Library Code
    - el3_runtime: Fix stack pointer maintenance on EA handling path,
      fix up 'cm_setup_context' prototype, and add TPIDR_EL2 register
      to the context save/restore routines

    - libc: Fix SIZE_MAX on AArch32

    - locks: T589: Fix insufficient ordering guarantees in bakery lock

    - pmf: Fix 'tautological-constant-compare' error, make the runtime
      instrumentation work on AArch32, and simplify PMF helper macro
      definitions across header files

    - xlat_tables_v2: Fix assembler warning of PLAT_RO_XLAT_TABLES

- Platforms
    - allwinner: Fix H6 GPIO and CCU memory map addresses and incorrect ARISC
      code patch offset check

    - arm/a5ds: Correct system freq and Cache Writeback Granule, and cleanup
      enable-method in devicetree

    - arm/fvp: Fix incorrect GIC mapping, BL31 load address and image size
      for RESET_TO_BL31=1, topology description of cpus for DynamIQ based
      FVP, and multithreaded FVP power domain tree
    - arm/fvp: spm-mm: Correcting instructions to build SPM for FVP

    - arm/common: Fix ROTPK hash generation for ECDSA encryption, BL2 bug in
      dynamic configuration initialisation, and current RECLAIM_INIT_CODE behavior

    - arm/rde1edge: Fix incorrect topology tree description

    - arm/sgi: Fix the incorrect check for SCMI channel ID

    - common: Flush dcache when storing timestamp

    - intel: Fix UEFI decompression issue, memory calibration, SMC SIP service,
      mailbox config return status, mailbox driver logic, FPGA manager on
      reconfiguration, and mailbox send_cmd issue

    - imx: Fix shift-overflow errors, the
      rdc memory region slot's offset,
      multiple definition of ipc_handle, missing inclusion of cdefs.h, and
      correct the SGIs used for secure interrupts

    - mediatek: mt8183: Fix AARCH64 init fail on CPU0

    - rockchip: Fix definition of struct param_ddr_usage

    - rpi4: Fix documentation of armstub config entry

    - st: Correct io possible NULL pointer dereference and device_size type,
      nand xor_ecc.val assigned value, static analysis tool issues, and fix
      incorrect return value and correctly check pwr-regulators node

    - xilinx: zynqmp: Correct syscnt freq for QEMU and fix clock models
      and IDs of GEM-related clocks

Known Issues
^^^^^^^^^^^^

- Build System
    - dtb: DTB creation not supported when building on a Windows host.

      This step in the build process is skipped when running on a Windows host. A
      known issue from the 1.6 release.

    - Intermittent assertion firing `ASSERT: services/spd/tspd/tspd_main.c:105`

- Coverity
    - Intermittent Race condition in Coverity Jenkins Build Job

- Platforms
    - arm/juno: System suspend from Linux does not function as documented in the
      user guide

      Following the instructions provided in the user guide document does not
      result in the platform entering system suspend state as expected. A message
      relating to the hdlcd driver failing to suspend will be emitted on the
      Linux terminal.

    - mediatek/mt6795: This platform does not build in this release

Version 2.2
-----------

New Features
^^^^^^^^^^^^

- Architecture
    - Enable Pointer Authentication (PAuth) support for Secure World
        - Adds support for ARMv8.3-PAuth in BL1 SMC calls and
          BL2U image for firmware updates.

    - Enable Memory Tagging Extension (MTE) support in both secure and non-secure
      worlds

        - Adds support for the new Memory Tagging Extension arriving in
          ARMv8.5. MTE support is now enabled by default on systems that
          support it at EL0.
        - To enable it at ELx for both the non-secure and the secure
          world, the compiler flag ``CTX_INCLUDE_MTE_REGS`` includes register
          saving and restoring when necessary in order to prevent information
          leakage between the worlds.

    - Add support for Branch Target Identification (BTI)

- Build System
    - Modify FVP makefile for CPUs that support both AArch64/32

    - AArch32: Allow compiling with soft-float toolchain

    - Makefile: Add default warning flags

    - Add Makefile check for PAuth and AArch64

    - Add compile-time errors for HW_ASSISTED_COHERENCY flag

    - Apply compile-time check for AArch64-only CPUs

    - build_macros: Add mechanism to prevent bin generation.

    - Add support for default stack-protector flag

    - spd: opteed: Enable NS_TIMER_SWITCH

    - plat/arm: Skip BL2U if RESET_TO_SP_MIN flag is set

    - Add new build option to let each platform select which implementation of spinlocks
      it wants to use

- CPU Support
    - DSU: Workaround for errata 798953 and 936184

    - Neoverse N1: Force cacheable atomic to near atomic
    - Neoverse N1: Workaround for errata 1073348, 1130799, 1165347, 1207823,
      1220197, 1257314, 1262606, 1262888, 1275112, 1315703, 1542419

    - Neoverse Zeus: Apply the MSR SSBS instruction

    - cortex-Hercules/HerculesAE: Support added for Cortex-Hercules and
      Cortex-HerculesAE CPUs
    - cortex-Hercules/HerculesAE: Enable AMU for Cortex-Hercules and Cortex-HerculesAE

    - cortex-a76AE: Support added for Cortex-A76AE CPU
    - cortex-a76: Workaround for errata 1257314, 1262606, 1262888, 1275112,
      1286807

    - cortex-a65/a65AE: Support added for Cortex-A65 and Cortex-A65AE CPUs
    - cortex-a65: Enable AMU for Cortex-A65

    - cortex-a55: Workaround for erratum 1221012

    - cortex-a35: Workaround for erratum 855472

    - cortex-a9: Workaround for erratum 794073

- Drivers
    - console: Allow the console to register multiple times

    - delay: Timeout detection support

    - gicv3: Enabled multi-socket GIC redistributor frame discovery and migrated
      ARM platforms to the new API

        - Adds ``gicv3_rdistif_probe`` function that delegates the responsibility
          of discovering the corresponding redistributor base frame to each CPU
          itself.

    - sbsa: Add SBSA watchdog driver

    - st/stm32_hash: Add HASH driver

    - ti/uart: Add an AArch32 variant

- Library at ROM (romlib)
    - Introduce BTI support in Library at ROM (romlib)

- New Platforms Support
    - amlogic: g12a: New platform support added for the S905X2 (G12A) platform
    - amlogic: meson/gxl: New platform support added for Amlogic Meson
      S905x (GXL)

    - arm/a5ds: New platform support added for A5 DesignStart

    - arm/corstone: New platform support added for Corstone-700

    - intel: New platform support added for Agilex

    - mediatek: New platform support added for MediaTek mt8183

    - qemu/qemu_sbsa: New platform support added for QEMU SBSA platform

    - renesas/rcar_gen3: plat: New platform support added for D3

    - rockchip: New platform support added for px30
    - rockchip: New platform support added for rk3288

    - rpi: New platform support added for Raspberry Pi 4

- Platforms
    - arm/common: Introduce wrapper functions to setup secure watchdog

    - arm/fvp: Add Delay Timer driver to BL1 and BL31 and option for defining
      platform DRAM2 base
    - arm/fvp: Add Linux DTS files for 32 bit threaded FVPs

    - arm/n1sdp: Add code for DDR ECC enablement and BL33 copy to DDR, initialise CNTFRQ
      in Non Secure CNTBaseN

    - arm/juno: Use shared mbedtls heap between BL1 and BL2 and add basic support for
      dynamic config

    - imx: Basic support for PicoPi iMX7D, rdc module init, caam module init,
      aipstz init, IMX_SIP_GET_SOC_INFO, IMX_SIP_BUILDINFO added

    - intel: Add ncore ccu driver

    - mediatek/mt81*: Use new bl31_params_parse() helper

    - nvidia: tegra: Add support for multi console interface

    - qemu/qemu_sbsa: Adding memory mapping for both FLASH0/FLASH1
    - qemu: Added gicv3 support, new console interface in AArch32, and sub-platforms

    - renesas/rcar_gen3: plat: Add R-Car V3M support, new board revision for H3ULCB, DBSC4
      setting before self-refresh mode

    - socionext/uniphier: Support console based on multi-console

    - st: stm32mp1: Add OP-TEE, Avenger96, watchdog, LpDDR3, authentication support
      and general SYSCFG management

    - ti/k3: common: Add support for J721E, use coherent memory for shared data, trap all
      asynchronous bus errors to EL3

    - xilinx/zynqmp: Add support for multi console interface, initialize IPI table from
      zynqmp_config_setup()

- PSCI
    - Adding new optional PSCI hook ``pwr_domain_on_finish_late``
        - This PSCI hook ``pwr_domain_on_finish_late`` is similar to
          ``pwr_domain_on_finish`` but is guaranteed to be invoked when the
          respective core and cluster are participating in coherency.

- Security
    - Speculative Store Bypass Safe (SSBS): Further enhance protection against Spectre
      variant 4 by disabling speculative loads/stores (SPSR.SSBS bit) by default.

    - UBSAN support and handlers
        - Adds support for the Undefined Behaviour sanitizer. There are two types of
          support offered: minimalistic trapping support, which essentially immediately
          crashes on undefined behaviour, and full support with full debug messages.

- Tools
    - cert_create: Add support for bigger RSA key sizes (3KB and 4KB),
      previously the maximum size was 2KB.

    - fiptool: Add support to build fiptool on Windows.


Changed
^^^^^^^

- Architecture
    - Refactor ARMv8.3 Pointer Authentication support code

    - backtrace: Strip PAC field when PAUTH is enabled

    - Prettify crash reporting output on AArch64.

    - Rework smc_unknown return code path in smc_handler
        - Leverage the existing ``el3_exit()`` return routine for smc_unknown return
          path rather than a custom set of instructions.

- BL-Specific
    - Invalidate dcache build option for BL2 entry at EL3

    - Add missing support for BL2_AT_EL3 in XIP memory

- Boot Flow
    - Add helper to parse BL31 parameters (both versions)

    - Factor out cross-BL API into export headers suitable for 3rd party code

    - Introduce lightweight BL platform parameter library

- Drivers
    - auth: Memory optimization for Chain of Trust (CoT) description

    - bsec: Move bsec_mode_is_closed_device() service to platform

    - cryptocell: Move Cryptocell specific API into driver

    - gicv3: Prevent pending G1S interrupt from becoming G0 interrupt

    - mbedtls: Remove weak heap implementation

    - mmc: Increase delay between ACMD41 retries
    - mmc: stm32_sdmmc2: Correctly manage block size
    - mmc: stm32_sdmmc2: Manage max-frequency property from DT

    - synopsys/emmc: Do not change FIFO TH as this breaks some platforms
    - synopsys: Update synopsys drivers to not rely on undefined overflow behaviour

    - ufs: Extend the delay after reset to wait for some slower chips

- Platforms
    - amlogic/meson/gxl: Remove BL2 dependency from BL31

    - arm/common: Shorten the Firmware Update (FWU) process

    - arm/fvp: Remove GIC initialisation from secondary core cold boot

    - arm/sgm: Temporarily disable shared Mbed TLS heap for SGM

    - hisilicon: Update hisilicon drivers to not rely on undefined overflow behaviour

    - imx: imx8: Replace PLAT_IMX8* with PLAT_imx8*, remove duplicated linker symbols and
      deprecated code include, keep only IRQ 32 unmasked, enable all power domains by default

    - marvell: Prevent SError accessing PCIe link, switch to xlat_tables_v2, do not rely on
      argument passed via smc, make sure that comphy init will use correct address

    - mediatek: mt8173: Refactor RTC and PMIC drivers
    - mediatek: mt8173: Apply MULTI_CONSOLE
      framework

    - nvidia: Tegra: memctrl_v2: fix "overflow before widen" coverity issue

    - qemu: Simplify the image size calculation, move and generalise FDT PSCI fixup, move
      gicv2 codes to separate file

    - renesas/rcar_gen3: Convert to multi-console API, update QoS setting, update IPL and
      Secure Monitor Rev2.0.4, change to restore timer counter value at resume, update DDR
      setting rev.0.35, qos: change subslot cycle, change periodic write DQ training option.

    - rockchip: Allow SOCs with undefined wfe check bits, streamline and complete UARTn_BASE
      macros, drop rockchip-specific imported linker symbols for bl31, disable binary generation
      for all SOCs, allow console device to be set by DTB, use new bl31_params_parse functions

    - rpi/rpi3: Move shared rpi3 files into common directory

    - socionext/uniphier: Set CONSOLE_FLAG_TRANSLATE_CRLF and clean up console driver
    - socionext/uniphier: Replace DIV_ROUND_UP() with div_round_up() from utils_def.h

    - st/stm32mp: Split stm32mp_io_setup function, move stm32_get_gpio_bank_clock() to private
      file, correctly handle Clock Spreading Generator, move oscillator functions to generic file,
      realign device tree files with internal devs, enable RTCAPB clock for dual-core chips, use a
      common function to check spinlock is available, move check_header() to common code

    - ti/k3: Enable SEPARATE_CODE_AND_RODATA by default, remove shared RAM space,
      drop _ADDRESS from K3_USART_BASE to match other defines, remove MSMC port
      definitions, allow USE_COHERENT_MEM for K3, set L2 latency on A72 cores

- PSCI
    - PSCI: Lookup list of parent nodes to lock only once

- Secure Partition Manager (SPM): SPCI Prototype
    - Fix service UUID lookup

    - Adjust size of virtual address space per partition

    - Refactor xlat context creation

    - Move shim layer to TTBR1_EL1

    - Ignore empty
      regions in resource description

- Security
    - Refactor SPSR initialisation code

    - SMMUv3: Abort DMA transactions
        - For security, DMA should be blocked at the SMMU by default unless explicitly
          enabled for a device. The SMMU is disabled after reset with all streams bypassing
          the SMMU, and aborting all incoming transactions implements a default-deny
          policy on reset.
        - Moves ``bl1_platform_setup()`` function from arm_bl1_setup.c to FVP platforms'
          fvp_bl1_setup.c and fvp_ve_bl1_setup.c files.

- Tools
    - cert_create: Remove RSA PKCS#1 v1.5 support


Resolved Issues
^^^^^^^^^^^^^^^

- Architecture
    - Fix the CAS spinlock implementation by adding a missing DSB in ``spin_unlock()``

    - AArch64: Fix SCTLR bit definitions
        - Removes incorrect ``SCTLR_V_BIT`` definition and adds definitions for
          ARMv8.3-Pauth `EnIB`, `EnDA` and `EnDB` bits.

    - Fix restoration of PAuth context
        - Replace call to ``pauth_context_save()`` with ``pauth_context_restore()`` in
          case of unknown SMC call.

- BL-Specific Issues
    - Fix BL31 crash reporting on AArch64 only platforms

- Build System
    - Remove several warnings reported with W=2 and W=1

- Code Quality Issues
    - SCTLR and ACTLR are 32-bit for AArch32 and 64-bit for AArch64
    - Unify type of "cpu_idx" across PSCI module.
    - Assert if power level value greater than PSCI_INVALID_PWR_LVL
    - Unsigned long should not be used as per coding guidelines
    - Reduce the number of memory leaks in cert_create
    - Fix type of cot_desc_ptr
    - Use explicit-width data types in AAPCS parameter structs
    - Add python configuration for editorconfig
    - BL1: Fix type consistency

    - Enable -Wshift-overflow=2 to check for undefined shift behavior
    - Updated upstream platforms to not rely on undefined overflow behaviour

- Coverity Quality Issues
    - Remove GCC ignore -Warray-bounds
    - Fix Coverity #261967, Infinite loop
    - Fix Coverity #343017, Missing unlock
    - Fix Coverity #343008, Side effect in assertion
    - Fix Coverity #342970, Uninitialized scalar variable

- CPU Support
    - cortex-a12: Fix MIDR mask

- Drivers
    - console: Remove Arm console unregister on suspend

    - gicv3: Fix support for full SPI range

    - scmi: Fix wrong payload length

- Library Code
    - libc: Fix sparse warning for __assert()

    - libc: Fix memchr implementation

- Platforms
    - rpi: rpi3: Fix compilation error when stack protector is enabled

    - socionext/uniphier: Fix compilation fail for SPM support build config

    - st/stm32mp1: Fix TZC400 configuration against non-secure DDR

    - ti/k3: common: Fix RO data area size calculation

- Security
    - AArch32: Disable Secure Cycle Counter
        - Changes the implementation for disabling Secure Cycle Counter.
          For ARMv8.5 the counter gets disabled by setting ``SDCR.SCCD`` bit on
          CPU cold/warm boot. For the earlier architectures PMCR register is
          saved/restored on secure world entry/exit from/to Non-secure state,
          and cycle counting gets disabled by setting PMCR.DP bit.
    - AArch64: Disable Secure Cycle Counter
        - For ARMv8.5 the counter gets disabled by setting ``MDCR_EL3.SCCD`` bit on
          CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is
          saved/restored on secure world entry/exit from/to Non-secure state,
          and cycle counting gets disabled by setting PMCR_EL0.DP bit.

Deprecations
^^^^^^^^^^^^

- Common Code
    - Remove MULTI_CONSOLE_API flag and references to it

    - Remove deprecated `plat_crash_console_*`

    - Remove deprecated interfaces `get_afflvl_shift`, `mpidr_mask_lower_afflvls`, `eret`

    - AARCH32/AARCH64 macros are now deprecated in favor of ``__aarch64__``

    - ``__ASSEMBLY__`` macro is now deprecated in favor of ``__ASSEMBLER__``

- Drivers
    - console: Removed legacy console API
    - console: Remove deprecated finish_console_register

    - tzc: Remove deprecated types `tzc_action_t` and `tzc_region_attributes_t`

- Secure Partition Manager (SPM):
    - Prototype SPCI-based SPM (services/std_svc/spm) will be replaced with alternative
      methods of secure partitioning support.

Known Issues
^^^^^^^^^^^^

- Build System Issues
    - dtb: DTB creation not supported when building on a Windows host.

      This step in the build process is skipped when running on a Windows host. A
      known issue from the 1.6 release.

- Platform Issues
    - arm/juno: System suspend from Linux does not function as documented in the
      user guide

      Following the instructions provided in the user guide document does not
      result in the platform entering system suspend state as expected. A message
      relating to the hdlcd driver failing to suspend will be emitted on the
      Linux terminal.

    - mediatek/mt6795: This platform does not build in this release

Version 2.1
-----------

New Features
^^^^^^^^^^^^

- Architecture
    - Support for ARMv8.3 pointer authentication in the normal and secure worlds

      The use of pointer authentication in the normal world is enabled whenever
      architectural support is available, without the need for additional build
      flags.

      Use of pointer authentication in the secure world remains an
      experimental configuration at this time. Using both the ``ENABLE_PAUTH``
      and ``CTX_INCLUDE_PAUTH_REGS`` build flags, pointer authentication can be
      enabled in EL3 and S-EL1/0.

      See the :ref:`Firmware Design` document for additional details on the use
      of pointer authentication.

    - Enable Data Independent Timing (DIT) in EL3, where supported

- Build System
    - Support for BL-specific build flags

    - Support setting compiler target architecture based on ``ARM_ARCH_MINOR``
      build option.

    - New ``RECLAIM_INIT_CODE`` build flag:

      A significant amount of the code used for the initialization of BL31 is
      not needed again after boot time. In order to reduce the runtime memory
      footprint, the memory used for this code can be reclaimed after
      initialization.

      Certain boot-time functions were marked with the ``__init`` attribute to
      enable this reclamation.

- CPU Support
    - cortex-a76: Workaround for erratum 1073348
    - cortex-a76: Workaround for erratum 1220197
    - cortex-a76: Workaround for erratum 1130799

    - cortex-a75: Workaround for erratum 790748
    - cortex-a75: Workaround for erratum 764081

    - cortex-a73: Workaround for erratum 852427
    - cortex-a73: Workaround for erratum 855423

    - cortex-a57: Workaround for erratum 817169
    - cortex-a57: Workaround for erratum 814670

    - cortex-a55: Workaround for erratum 903758
    - cortex-a55: Workaround for erratum 846532
    - cortex-a55: Workaround for erratum 798797
    - cortex-a55: Workaround for erratum 778703
    - cortex-a55: Workaround for erratum 768277

    - cortex-a53: Workaround for erratum 819472
    - cortex-a53: Workaround for erratum 824069
    - cortex-a53: Workaround for erratum 827319

    - cortex-a17: Workaround for erratum 852423
    - cortex-a17: Workaround for erratum 852421

    - cortex-a15: Workaround for erratum 816470
    - cortex-a15: Workaround for erratum 827671

- Documentation
    - Exception Handling Framework documentation

    - Library at ROM (romlib) documentation

    - RAS framework documentation

    - Coding Guidelines document

- Drivers
    - ccn: Add API for setting and reading node registers
        - Adds ``ccn_read_node_reg`` function
        - Adds ``ccn_write_node_reg`` function

    - partition: Support MBR partition entries

    - scmi: Add ``plat_css_get_scmi_info`` function

      Adds a new API ``plat_css_get_scmi_info`` which lets the platform
      register a platform-specific instance of ``scmi_channel_plat_info_t`` and
      remove the default values

    - tzc380: Add TZC-380 TrustZone Controller driver

    - tzc-dmc620: Add driver to manage the TrustZone Controller within the
      DMC-620 Dynamic Memory Controller

- Library at ROM (romlib)
    - Add platform-specific
      jump table list

    - Allow patching of romlib functions

      This change allows patching of functions in the romlib. This can be done by
      adding "patch" at the end of the jump table entry for the function that
      needs to be patched in the file jmptbl.i.

- Library Code
    - Support non-LPAE-enabled MMU tables in AArch32

    - mmio: Add ``mmio_clrsetbits_16`` function
        - 16-bit variant of ``mmio_clrsetbits``

    - object_pool: Add Object Pool Allocator
        - Manages object allocation using a fixed-size static array
        - Adds ``pool_alloc`` and ``pool_alloc_n`` functions
        - Does not provide any functions to free allocated objects (by design)

    - libc: Added ``strlcpy`` function

    - libc: Import ``strrchr`` function from FreeBSD

    - xlat_tables: Add support for ARMv8.4-TTST

    - xlat_tables: Support mapping regions without an explicitly specified VA

- Math
    - Added softudiv macro to support software division

- Memory Partitioning And Monitoring (MPAM)
    - Enabled MPAM EL2 traps (``MPAMHCR_EL2`` and ``MPAM_EL2``)

- Platforms
    - amlogic: Add support for Meson S905 (GXBB)

    - arm/fvp_ve: Add support for FVP Versatile Express platform

    - arm/n1sdp: Add support for Neoverse N1 System Development platform

    - arm/rde1edge: Add support for Neoverse E1 platform

    - arm/rdn1edge: Add support for Neoverse N1 platform

    - arm: Add support for booting directly to Linux without an intermediate
      loader (AArch32)

    - arm/juno: Enable new CPU errata workarounds for A53 and A57

    - arm/juno: Add romlib support

      Building a combined BL1 and ROMLIB binary file with the correct page
      alignment is now supported on the Juno platform. When ``USE_ROMLIB`` is set
      for Juno, it generates the combined file ``bl1_romlib.bin`` which needs to
      be used instead of bl1.bin.

    - intel/stratix: Add support for Intel Stratix 10 SoC FPGA platform

    - marvell: Add support for Armada-37xx SoC platform

    - nxp: Add support for i.MX8M and i.MX7 Warp7 platforms

    - renesas: Add support for R-Car Gen3 platform

    - xilinx: Add support for Versal ACAP platforms

- Position-Independent Executable (PIE)

  PIE support has initially been added to BL31. The ``ENABLE_PIE`` build flag is
  used to enable or disable this functionality as required.

- Secure Partition Manager
    - New SPM implementation based on SPCI Alpha 1 draft specification

      A new version of SPM has been implemented, based on the SPCI (Secure
      Partition Client Interface) and SPRT (Secure Partition Runtime) draft
      specifications.

      The new implementation is a prototype that is expected to undergo intensive
      rework as the specifications change. It has basic support for multiple
      Secure Partitions and Resource Descriptions.

      The older version of SPM, based on MM (ARM Management Mode Interface
      Specification), is still present in the codebase. A new build flag,
      ``SPM_MM`` has been added to allow selection of the desired implementation.
      This flag defaults to 1, selecting the MM-based implementation.

- Security
    - Spectre Variant-1 mitigations (``CVE-2017-5753``)

    - Use Speculation Store Bypass Safe (SSBS) functionality where available

      Provides mitigation against ``CVE-2018-19440`` (Not saving x0 to x3
      registers can leak information from one Normal World SMC client to another)


Changed
^^^^^^^

- Build System
    - Warning levels are now selectable with ``W=<1,2,3>``

    - Removed unneeded include paths in PLAT_INCLUDES

    - "Warnings as errors" (Werror) can be disabled using ``E=0``

    - Support totally quiet output with ``-s`` flag

    - Support passing options to checkpatch using ``CHECKPATCH_OPTS=<opts>``

    - Invoke host compiler with ``HOSTCC / HOSTCCFLAGS`` instead of ``CC / CFLAGS``

    - Make device tree pre-processing similar to U-boot/Linux by:
        - Creating separate ``CPPFLAGS`` for DT preprocessing so that compiler
          options specific to it can be accommodated.
        - Replacing ``CPP`` with ``PP`` for DT pre-processing

- CPU Support
    - Errata report function definition is now mandatory for CPU support files

      CPU operation files must now define a ``<name>_errata_report`` function to
      print errata status. This is no longer a weak reference.

- Documentation
    - Migrated some content from GitHub wiki to ``docs/`` directory

    - Security advisories now have CVE links

    - Updated copyright guidelines

- Drivers
    - console: The ``MULTI_CONSOLE_API`` framework has been rewritten in C

    - console: Ported multi-console driver to AArch32

    - gic: Remove 'lowest priority' constants

      Removed ``GIC_LOWEST_SEC_PRIORITY`` and ``GIC_LOWEST_NS_PRIORITY``.
      Platforms should define these if required, or instead determine the correct
      priority values at runtime.

    - delay_timer: Check that the Generic Timer extension is present

    - mmc: Increase command reply timeout to 10 milliseconds

    - mmc: Poll eMMC device status to ensure ``EXT_CSD`` command completion

    - mmc: Correctly check return code from ``mmc_fill_device_info``

- External Libraries

    - libfdt: Upgraded from 1.4.2 to 1.4.6-9

    - mbed TLS: Upgraded from 2.12 to 2.16

      This change incorporates fixes for security issues that should be reviewed
      to determine if they are relevant for software implementations using
      Trusted Firmware-A. See the `mbed TLS releases`_ page for details on
      changes from the 2.12 to the 2.16 release.

- Library Code
    - compiler-rt: Updated ``lshrdi3.c`` and ``int_lib.h`` with changes from
      LLVM master branch (r345645)

    - cpu: Updated macro that checks need for ``CVE-2017-5715`` mitigation

    - libc: Made setjmp and longjmp C standard compliant

    - libc: Allowed overriding the default libc (use ``OVERRIDE_LIBC``)

    - libc: Moved setjmp and longjmp to the ``libc/`` directory

- Platforms
    - Removed Mbed TLS dependency from plat_bl_common.c

    - arm: Removed unused ``ARM_MAP_BL_ROMLIB`` macro

    - arm: Removed ``ARM_BOARD_OPTIMISE_MEM`` feature and build flag

    - arm: Moved several components into ``drivers/`` directory

      This affects the SDS, SCP, SCPI, MHU and SCMI components

    - arm/juno: Increased maximum BL2 image size to ``0xF000``

      This change was required to accommodate a larger ``libfdt`` library

- SCMI
    - Optimized bakery locks when hardware-assisted coherency is enabled using the
      ``HW_ASSISTED_COHERENCY`` build flag

- SDEI
    - Added support for unconditionally resuming secure world execution after
      |SDEI| event processing completes

      |SDEI| interrupts, although targeting EL3, occur on behalf of the non-secure
    world, and may have higher priority than secure world
    interrupts. Therefore they might preempt secure execution and yield
    execution to the non-secure |SDEI| handler. Upon completion of |SDEI| event
    handling, resume secure execution if it was preempted.

- Translation Tables (XLAT)
  - Dynamically detect need for ``Common not Private (TTBRn_ELx.CnP)`` bit

    Properly handle the case where ``ARMv8.2-TTCNP`` is implemented in a CPU
    that does not implement all mandatory v8.2 features (and so must claim to
    implement a lower architecture version).


Resolved Issues
^^^^^^^^^^^^^^^

- Architecture
  - Incorrect check for SSBS feature detection

  - Unintentional register clobber in AArch32 reset_handler function

- Build System
  - Dependency issue during DTB image build

  - Incorrect variable expansion in Arm platform makefiles

  - Building on Windows with verbose mode (``V=1``) enabled is broken

  - AArch32 compilation flags are missing ``$(march32-directive)``

- BL-Specific Issues
  - bl2: ``uintptr_t is not defined`` error when ``BL2_IN_XIP_MEM`` is defined

  - bl2: Missing prototype warning in ``bl2_arch_setup``

  - bl31: Omission of Global Offset Table (GOT) section

- Code Quality Issues
  - Multiple MISRA compliance issues

  - Potential NULL pointer dereference (Coverity-detected)

- Drivers
  - mmc: Local declaration of ``scr`` variable causes a cache issue when
    invalidating after the read DMA transfer completes

  - mmc: ``ACMD41`` does not send voltage information during initialization,
    resulting in the command being treated as a query. This prevents the
    command from initializing the controller.

  - mmc: When checking device state using ``mmc_device_state()`` there are no
    retries attempted in the event of an error

  - ccn: Incorrect Region ID calculation for RN-I nodes

  - console: Fix ``MULTI_CONSOLE_API`` when used as a crash console

  - partition: Improper NULL checking in gpt.c

  - partition: Compilation failure in ``VERBOSE`` mode (``V=1``)

- Library Code
  - common: Incorrect check for Address Authentication support

  - xlat: Fix XLAT_V1 / XLAT_V2 incompatibility

    The file ``arm_xlat_tables.h`` has been renamed to ``xlat_tables_compat.h``
    and has been moved to a common folder. This header can be used to guarantee
    compatibility, as it includes the correct header based on
    ``XLAT_TABLES_LIB_V2``.

  - xlat: armclang unused-function warning on ``xlat_clean_dcache_range``

  - xlat: Invalid ``mm_cursor`` checks in ``mmap_add`` and ``mmap_add_ctx``

  - sdei: Missing ``context.h`` header

- Platforms
  - common: Missing prototype warning for ``plat_log_get_prefix``

  - arm: Insufficient maximum BL33 image size

  - arm: Potential memory corruption during BL2-BL31 transition

    On Arm platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
    descriptors describing the list of executable images are created in BL2
    R/W memory, which could later be corrupted by BL31/BL32 because of the
    overlay. This fix creates a reserved location in SRAM for these
    descriptors, which BL2 copies over before handing over to the next BL
    image.

  - juno: Invalid behaviour when ``CSS_USE_SCMI_SDS_DRIVER`` is not set

    In ``juno_pm.c`` the ``css_scmi_override_pm_ops`` function was used
    regardless of whether the build flag was set. The original behaviour has
    been restored in the case where the build flag is not set.

- Tools
  - fiptool: Incorrect UUID parsing of blob parameters

  - doimage: Incorrect object rules in Makefile


Deprecations
^^^^^^^^^^^^

- Common Code
  - ``plat_crash_console_init`` function

  - ``plat_crash_console_putc`` function

  - ``plat_crash_console_flush`` function

  - ``finish_console_register`` macro

- AArch64-specific Code
  - helpers: ``get_afflvl_shift``

  - helpers: ``mpidr_mask_lower_afflvls``

  - helpers: ``eret``

- Secure Partition Manager (SPM)
  - Boot-info structure


Known Issues
^^^^^^^^^^^^

- Build System Issues
  - dtb: DTB creation not supported when building on a Windows host.

    This step in the build process is skipped when running on a Windows host. A
    known issue from the 1.6 release.

- Platform Issues
  - arm/juno: System suspend from Linux does not function as documented in the
    user guide

    Following the instructions provided in the user guide document does not
    result in the platform entering system suspend state as expected. A message
    relating to the hdlcd driver failing to suspend will be emitted on the
    Linux terminal.

  - arm/juno: The firmware update use-cases do not work with motherboard
    firmware version < v1.5.0 (the reset reason is not preserved). The Linaro
    18.04 release has MB v1.4.9. The MB v1.5.0 is available in Linaro 18.10
    release.

  - mediatek/mt6795: This platform does not build in this release

Version 2.0
-----------

New Features
^^^^^^^^^^^^

- Removal of a number of deprecated APIs

  - A new Platform Compatibility Policy document has been created which
    references a wiki page that maintains a listing of deprecated
    interfaces and the release after which they will be removed.

  - All deprecated interfaces except the MULTI_CONSOLE_API have been removed
    from the code base.

  - Various Arm and partner platforms have been updated to remove the use of
    removed APIs in this release.

  - This release is otherwise unchanged from the 1.6 release

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- No issues known at 1.6 release resolved in 2.0 release

Known Issues
^^^^^^^^^^^^

- DTB creation not supported when building on a Windows host. This step in the
  build process is skipped when running on a Windows host. Known issue from
  1.6 version.

- As a result of removal of deprecated interfaces the Nvidia Tegra, Marvell
  Armada 8K and MediaTek MT6795 platforms do not build in this release.
  Also MediaTek MT8173, NXP QorIQ LS1043A, NXP i.MX8QX, NXP i.MX8QM,
  Rockchip RK3328, Rockchip RK3368 and Rockchip RK3399 platforms have not been
  confirmed to be working after the removal of the deprecated interfaces
  although they do build.

Version 1.6
-----------

New Features
^^^^^^^^^^^^

- Addressing Speculation Security Vulnerabilities

  - Implement static workaround for CVE-2018-3639 for AArch32 and AArch64

  - Add support for dynamic mitigation for CVE-2018-3639

  - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76

  - Ensure |SDEI| handler executes with CVE-2018-3639 mitigation enabled

- Introduce RAS handling on AArch64

  - Some RAS extensions are mandatory for Armv8.2 CPUs, with others
    mandatory for Armv8.4 CPUs; however, all extensions are also optional
    extensions to the base Armv8.0 architecture.

  - The Armv8 RAS Extensions introduced Standard Error Records which are a
    set of standard registers to configure RAS node policy and allow RAS
    Nodes to record and expose error information for error handling agents.

  - Capabilities are provided to support RAS Node enumeration and iteration
    along with individual interrupt registrations and fault injection
    support.

  - Introduce handlers for Uncontainable errors, Double Faults and EL3
    External Aborts

- Enable Memory Partitioning And Monitoring (MPAM) for lower ELs

  - Memory Partitioning And Monitoring is an Armv8.4 feature that enables
    various memory system components and resources to define partitions.
    Software running at various ELs can then assign themselves to the
    desired partition to control their performance aspects.

  - When ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
    lower ELs to access their own MPAM registers without trapping to EL3.
    This change, however, doesn't make use of partitioning in EL3; platform
    initialisation code should configure and use partitions in EL3 if
    required.

- Introduce ROM Lib Feature

  - Support combining several libraries into a so-called "romlib" image,
    that may be shared across images to reduce memory footprint. The romlib
    image is stored in ROM but is accessed through a jump-table that may be
    stored in read-write memory, allowing for the library code to be patched.

- Introduce Backtrace Feature

  - This function displays the backtrace, the current EL and security state
    to allow a post-processing tool to choose the right binary to interpret
    the dump.

  - Print backtrace in assert() and panic() to the console.

- Code hygiene changes and alignment with the MISRA C-2012 guideline, with
  fixes addressing issues under the following rules:

  - MISRA rules 4.9, 5.1, 5.3, 5.7, 8.2-8.5, 8.8, 8.13, 9.3, 10.1,
    10.3-10.4, 10.8, 11.3, 11.6, 12.1, 14.4, 15.7, 16.1-16.7, 17.7-17.8,
    20.7, 20.10, 20.12, 21.1, 21.15, 22.7

  - Clean up the usage of void pointers to access symbols

  - Increase usage of the static qualifier for locally used functions and data

  - Migrated to use of u_register_t for register read/write to better
    match AArch32 and AArch64 type sizes

  - Use int-ll64 for both AArch32 and AArch64 to assist in consistent
    format strings between architectures

  - Clean up TF-A libc by removing non-Arm-copyrighted implementations
    and replacing them with modified FreeBSD and SCC implementations

- Various changes to support Clang linker and assembler

  - The clang assembler/preprocessor is used when Clang is selected. However,
    the clang linker is not used because it is unable to link TF-A objects
    due to immaturity of clang linker functionality at this time.

- Refactor support APIs into Libraries

  - Evolve libfdt, mbed TLS library and standard C library sources as
    proper libraries that TF-A may be linked against.

- CPU Enhancements

  - Add CPU support for Cortex-Ares and Cortex-A76

  - Add AMU support for Cortex-Ares

  - Add initial CPU support for Cortex-Deimos

  - Add initial CPU support for Cortex-Helios

  - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76

  - Implement Cortex-Ares erratum 1043202 workaround

  - Implement DSU erratum 936184 workaround

  - Check presence of fix for erratum 843419 in Cortex-A53

  - Check presence of fix for erratum 835769 in Cortex-A53

- Translation Tables Enhancements

  - The xlat v2 library has been refactored in order to be reused by
    different TF components at different ELs, including the addition of EL2.
    Some refactoring was done to make the code more generic and less specific
    to TF, in order to reuse the library outside of this project.

- SPM Enhancements

  - General cleanups and refactoring to pave the way to multiple partitions
    support

- SDEI Enhancements

  - Allow platforms to define explicit events

  - Determine client EL from NS context's SCR_EL3

  - Make dispatches synchronous

  - Introduce jump primitives for BL31

  - Mask events after CPU wakeup in |SDEI| dispatcher to conform to the
    specification

- Misc TF-A Core Common Code Enhancements

  - Add support for eXecute In Place (XIP) memory in BL2

  - Add support for the SMC Calling Convention 2.0

  - Introduce External Abort handling on AArch64

    An External Abort routed to EL3 was reported as an unhandled exception
    and caused a panic. This change enables Trusted Firmware-A to handle
    External Aborts routed to EL3.

  - Save value of ACTLR_EL1 implementation-defined register in the CPU
    context structure rather than forcing it to 0.

  - Introduce ARM_LINUX_KERNEL_AS_BL33 build option, which allows BL31 to
    directly jump to a Linux kernel. This makes for a quicker and simpler
    boot flow, which might be useful in some test environments.

  - Add dynamic configurations for BL31, BL32 and BL33 enabling support for
    Chain of Trust (COT).

  - Make TF UUID RFC 4122 compliant

- New Platform Support

  - Arm SGI-575

  - Arm SGM-775

  - Allwinner sun50i_64

  - Allwinner sun50i_h6

  - NXP QorIQ LS1043A

  - NXP i.MX8QX

  - NXP i.MX8QM

  - NXP i.MX7Solo WaRP7

  - TI K3

  - Socionext Synquacer SC2A11

  - Marvell Armada 8K

  - STMicroelectronics STM32MP1

- Misc Generic Platform Common Code Enhancements

  - Add MMC framework that supports both eMMC and SD card devices

- Misc Arm Platform Common Code Enhancements

  - Demonstrate PSCI MEM_PROTECT from el3_runtime

  - Provide RAS support

  - Migrate AArch64 port to the multi console driver. The old API is
    deprecated and will eventually be removed.

  - Move BL31 below BL2 to enable BL2 overlay, resulting in changes in the
    layout of BL images in memory to enable more efficient use of available
    space.

  - Add cpp build processing for dtb that allows processing device tree
    with external includes.

  - Extend FIP io driver to support multiple FIP devices

  - Add support for SCMI AP core configuration protocol v1.0

  - Use SCMI AP core protocol to set the warm boot entrypoint

  - Add support to Mbed TLS drivers for shared heap among different
    BL images to help optimise memory usage

  - Enable non-secure access to UART1 through a build option to support
    a serial debug port for debugger connection

- Enhancements for Arm Juno Platform

  - Add support for TrustZone Media Protection 1 (TZMP1)

- Enhancements for Arm FVP Platform

  - Dynamic_config: remove the FVP dtb files

  - Set DYNAMIC_WORKAROUND_CVE_2018_3639=1 on FVP by default

  - Set the ability to dynamically disable Trusted Boot Board
    authentication to be off by default with DYN_DISABLE_AUTH

  - Add librom enhancement support in FVP

  - Support shared Mbed TLS heap between BL1 and BL2 that allows a
    reduction in BL2 size for FVP

- Enhancements for Arm SGI/SGM Platform

  - Enable ARM_PLAT_MT flag for SGI-575

  - Add dts files to enable support for dynamic config

  - Add RAS support

  - Support shared Mbed TLS heap for SGI and SGM between BL1 and BL2

- Enhancements for Non Arm Platforms

  - Raspberry Pi Platform

  - Hikey Platforms

  - Xilinx Platforms

  - QEMU Platform

  - Rockchip rk3399 Platform

  - TI Platforms

  - Socionext Platforms

  - Allwinner Platforms

  - NXP Platforms

  - NVIDIA Tegra Platform

  - Marvell Platforms

  - STMicroelectronics STM32MP1 Platform

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- No issues known at 1.5 release resolved in 1.6 release

Known Issues
^^^^^^^^^^^^

- DTB creation not supported when building on a Windows host. This step in the
  build process is skipped when running on a Windows host. Known issue from
  1.5 version.

Version 1.5
-----------

New features
^^^^^^^^^^^^

- Added new firmware support to enable RAS (Reliability, Availability, and
  Serviceability) functionality.

  - Secure Partition Manager (SPM): A Secure Partition is a software execution
    environment instantiated in S-EL0 that can be used to implement simple
    management and security services. The SPM is the firmware component that
    is responsible for managing a Secure Partition.

  - SDEI dispatcher: Support for interrupt-based |SDEI| events and all
    interfaces as defined by the |SDEI| specification v1.0, see
    `SDEI Specification`_

  - Exception Handling Framework (EHF): Framework that allows dispatching of
    EL3 interrupts to their registered handlers which are registered based on
    their priorities. Facilitates firmware-first error handling policy where
    asynchronous exceptions may be routed to EL3.

    Integrated the TSPD with EHF.

- Updated PSCI support:

  - Implemented PSCI v1.1 optional features `MEM_PROTECT` and `SYSTEM_RESET2`.
    The supported PSCI version was updated to v1.1.

  - Improved PSCI STAT timestamp collection, including moving accounting for
    retention states to be inside the locks and fixing handling of wrap-around
    when calculating residency in AArch32 execution state.

  - Added optional handler for early suspend that executes when suspending to
    a power-down state and with data caches enabled.

    This may provide a performance improvement on platforms where it is safe
    to perform some or all of the platform actions from `pwr_domain_suspend`
    with the data caches enabled.

- Enabled build option, BL2_AT_EL3, for BL2 to allow execution at EL3 without
  any dependency on TF BL1.

  This allows platforms which already have a non-TF Boot ROM to directly load
  and execute BL2 and subsequent BL stages without need for BL1. This was not
  previously possible because BL2 executes at S-EL1 and cannot jump straight to
  EL3.

- Implemented support for SMCCC v1.1, including `SMCCC_VERSION` and
  `SMCCC_ARCH_FEATURES`.

  Additionally, added support for `SMCCC_VERSION` in PSCI features to enable
  discovery of the SMCCC version via PSCI feature call.

- Added Dynamic Configuration framework which enables each of the boot loader
  stages to be dynamically configured at runtime if required by the platform.
  The boot loader stage may optionally specify a firmware configuration file
  and/or hardware configuration file that can then be shared with the next boot
  loader stage.

  Introduced a new BL handover interface that essentially allows passing of 4
  arguments between the different BL stages.

  Updated cert_create and fip_tool to support the dynamic configuration files.
  The COT was also updated to support these new files.

- Code hygiene changes and alignment with MISRA guideline:

  - Fix use of undefined macros.

  - Achieved compliance with Mandatory MISRA coding rules.

  - Achieved compliance for the following Required MISRA rules for the default
    build configurations on FVP and Juno platforms: 7.3, 8.3, 8.4, 8.5 and
    8.8.

- Added support for Armv8.2-A architectural features:

  - Updated translation table set-up to set the CnP (Common not Private) bit
    for secure page tables so that multiple PEs in the same Inner Shareable
    domain can use the same translation table entries for a given stage of
    translation in a particular translation regime.

  - Extended the supported values of ID_AA64MMFR0_EL1.PARange to include the
    52-bit Physical Address range.

  - Added support for the Scalable Vector Extension to allow Normal world
    software to access SVE functionality but disable access to SVE, SIMD and
    floating point functionality from the Secure world in order to prevent
    corruption of the Z-registers.

- Added support for Armv8.4-A architectural feature Activity Monitor Unit (AMU)
  extensions.

  In addition to the v8.4 architectural extension, AMU support on Cortex-A75
  was implemented.

- Enhanced OP-TEE support to enable use of pageable OP-TEE image. The Arm
  standard platforms are updated to load up to 3 images for OP-TEE: header,
  pager image and paged image.

  The chain of trust is extended to support the additional images.

- Enhancements to the translation table library:

  - Introduced APIs to get and set the memory attributes of a region.

  - Added support to manage both privilege levels in translation regimes that
    describe translations for 2 Exception levels, specifically the EL1&0
    translation regime, and extended the memory map region attributes to
    include specifying Non-privileged access.

  - Added support to specify the granularity of the mappings of each region,
    for instance a 2MB region can be specified to be mapped with 4KB page
    tables instead of a 2MB block.

  - Disabled the higher VA range to avoid unpredictable behaviour if there is
    an attempt to access addresses in the higher VA range.

  - Added helpers for Device and Normal memory MAIR encodings that align with
    the Arm Architecture Reference Manual for Armv8-A (Arm DDI0487B.b).

  - Code hygiene including fixing type length and signedness of constants,
    refactoring of the function to enable the MMU, removing all instances where
    the virtual address space is hardcoded and adding comments that document
    the alignment needed between memory attributes and attributes specified in
    TCR_ELx.

- Updated GIC support:

  - Introduced new APIs for GICv2 and GICv3 that provide the capability to
    specify interrupt properties rather than a list of interrupt numbers alone.
    The Arm platforms and other upstream platforms are migrated to use
    interrupt properties.

  - Added helpers to save / restore the GICv3 context, specifically the
    Distributor and Redistributor contexts and architectural parts of the ITS
    power management. The Distributor and Redistributor helpers also support
    the implementation-defined part of GIC-500 and GIC-600.

    Updated the Arm FVP platform to save / restore the GICv3 context on system
    suspend / resume as an example of how to use the helpers.

    Introduced a new TZC secured DDR carve-out for use by Arm platforms for
    storing EL3 runtime data such as the GICv3 register context.

- Added support for Armv7-A architecture via build option ARM_ARCH_MAJOR=7.
  This includes the following features:

  - Updates GICv2 driver to manage GICv1 with security extensions.

  - Software implementation for 32-bit division.

  - Enabled use of generic timer for platforms that do not set
    ARM_CORTEX_Ax=yes.

  - Support for Armv7-A Virtualization extensions [DDI0406C_C].

  - Support for both Armv7-A platforms that only have 32-bit addressing and
    Armv7-A platforms that support large page addressing.

  - Included support for the following Armv7 CPUs: Cortex-A12, Cortex-A17,
    Cortex-A7, Cortex-A5, Cortex-A9, Cortex-A15.

  - Added support in QEMU for Armv7-A/Cortex-A15.

- Enhancements to Firmware Update feature:

  - Updated the FWU documentation to describe the additional images needed for
    Firmware update, and how they are used for both the Juno platform and the
    Arm FVP platforms.

- Enhancements to Trusted Board Boot feature:

  - Added support to cert_create tool for RSA PKCS#1 v1.5 and SHA384, SHA512
    and SHA256.

  - For Arm platforms added support to use ECDSA keys.

  - Enhanced the mbed TLS wrapper layer to include support for both RSA and
    ECDSA to enable runtime selection between RSA and ECDSA keys.

- Added support for secure interrupt handling in AArch32 sp_min, hardcoded to
  only handle FIQs.

- Added support to allow a platform to load images from multiple boot sources,
  for example from a second flash drive.

- Added a logging framework that allows platforms to reduce the logging level
  at runtime; additionally, the prefix string can be defined by the platform.

- Further improvements to register initialisation:

  - Control register PMCR_EL0 / PMCR is set to prohibit cycle counting in the
    secure world. This register is added to the list of registers that are
    saved and restored during world switch.

  - When EL3 is running in AArch32 execution state, the Non-secure version of
    SCTLR is explicitly initialised during the warmboot flow rather than
    relying on the hardware to set the correct reset values.

- Enhanced support for Arm platforms:

  - Introduced driver for Shared-Data-Structure (SDS) framework which is used
    for communication between SCP and the AP CPU, replacing Boot-Over-MHU
    (BOM) protocol.

    The Juno platform is migrated to use SDS with the SCMI support added in
    v1.3 and is set as default.

    The driver can be found in the plat/arm/css/drivers folder.

  - Improved memory usage by only mapping TSP memory region when the TSPD has
    been included in the build. This reduces the memory footprint and avoids
    unnecessary memory being mapped.

  - Updated support for multi-threading CPUs for FVP platforms - always check
    the MT field in MPIDR and access the bit fields accordingly.

  - Support building for platforms that model DynamIQ configuration by
    implementing all CPUs in a single cluster.

  - Improved NOR flash driver, for instance clearing status registers before
    sending commands. Driver can be found in the plat/arm/board/common folder.

- Enhancements to QEMU platform:

  - Added support for TBB.

  - Added support for using OP-TEE pageable image.

  - Added support for LOAD_IMAGE_V2.

  - Migrated to use translation table library v2 by default.

  - Added support for SEPARATE_CODE_AND_RODATA.

- Applied workarounds for CVE-2017-5715 on Arm Cortex-A57, -A72, -A73 and -A75,
  and for Armv7-A CPUs Cortex-A9, -A15 and -A17.

- Applied errata workaround for Arm Cortex-A57: 859972.

- Applied errata workaround for Arm Cortex-A72: 859971.

- Added support for Poplar 96Board platform.

- Added support for Raspberry Pi 3 platform.

- Added Call Frame Information (CFI) assembler directives to the vector entries
  which enables debuggers to display the backtrace of functions that triggered
  a synchronous abort.

- Added ability to build dtb.

- Added support for pre-tool (cert_create and fiptool) image processing
  enabling compression of the image files before processing by cert_create and
  fiptool.

  This can reduce fip size and may also speed up loading of images. The image
  verification will also get faster because certificates are generated based on
  compressed images.

  Imported zlib 1.2.11 to implement gunzip() for data compression.

- Enhancements to fiptool:

  - Enabled the fiptool to be built using Visual Studio.

  - Added padding bytes at the end of the last image in the fip to
    facilitate transfer by DMA.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- TF-A can be built with optimisations disabled (-O0).

- Memory layout updated to enable Trusted Board Boot on Juno platform when
  running TF-A in AArch32 execution mode (resolving `tf-issue#501`_).

Known Issues
^^^^^^^^^^^^

- DTB creation not supported when building on a Windows host. This step in the
  build process is skipped when running on a Windows host.

Version 1.4
-----------

New features
^^^^^^^^^^^^

- Enabled support for platforms with hardware assisted coherency.

  A new build option HW_ASSISTED_COHERENCY allows platforms to take advantage
  of the following optimisations:

  - Skip performing cache maintenance during power-up and power-down.

  - Use spin-locks instead of bakery locks.

  - Enable data caches early on warm-booted CPUs.

- Added support for Cortex-A75 and Cortex-A55 processors.

  Both Cortex-A75 and Cortex-A55 processors use the Arm DynamIQ Shared Unit
  (DSU). The power-down and power-up sequences are therefore mostly managed in
  hardware, reducing complexity of the software operations.

- Introduced Arm GIC-600 driver.

  Arm GIC-600 IP complies with Arm GICv3 architecture. For FVP platforms, the
  GIC-600 driver is chosen when FVP_USE_GIC_DRIVER is set to FVP_GIC600.

- Updated GICv3 support:

  - Introduced power management APIs for GICv3 Redistributor. These APIs
    allow platforms to power down the Redistributor during CPU power on/off.
    Requires the GICv3 implementations to have power management operations.

    Implemented the power management APIs for FVP.

  - GIC driver data is flushed by the primary CPU so that secondary CPUs do
    not read stale GIC data.

- Added support for Arm System Control and Management Interface v1.0 (SCMI).

  The SCMI driver implements the power domain management and system power
  management protocol of the SCMI specification (Arm DEN 0056A) for
  communicating with any compliant power controller.

  Support is added for the Juno platform. The driver can be found in the
  plat/arm/css/drivers folder.

- Added support to enable pre-integration of TBB with the Arm TrustZone
  CryptoCell product, to take advantage of its hardware Root of Trust and
  crypto acceleration services.

- Enabled Statistical Profiling Extensions for lower ELs.

  The firmware support is limited to the use of SPE in the Non-secure state
  and accesses to the SPE specific registers from S-EL1 will trap to EL3.

  SPE is architecturally specified for AArch64 only.

- Code hygiene changes aligned with MISRA guidelines:

  - Fixed signed / unsigned comparison warnings in the translation table
    library.

  - Added U(_x) macro and, together with the existing ULL(_x) macro, fixed
    some of the signed-ness defects flagged by the MISRA scanner.

- Enhancements to Firmware Update feature:

  - The FWU logic now checks for overlapping images to prevent execution of
    unauthenticated arbitrary code.

  - Introduced new FWU_SMC_IMAGE_RESET SMC that changes the image loading
    state machine to go from COPYING, COPIED or AUTHENTICATED states to
    RESET state. Previously, this was only possible when the authentication
    of an image failed or when the execution of the image finished.

  - Fixed integer overflow which addressed TFV-1: Malformed Firmware Update
    SMC can result in copy of unexpectedly large data into secure memory.

- Introduced support for Arm Compiler 6 and LLVM (clang).

  TF-A can now also be built with the Arm Compiler 6 or the clang compilers.
  The assembler and linker must be provided by the GNU toolchain.

  Tested with Arm CC 6.7 and clang 3.9.x and 4.0.x.

- Memory footprint improvements:

  - Introduced `tf_snprintf`, a reduced version of `snprintf` which has
    support for a limited set of formats.

    The mbedtls driver is updated to optionally use `tf_snprintf` instead of
    `snprintf`.

  - The `assert()` is updated to no longer print the function name, and
    additional logging options are supported via an optional platform define
    `PLAT_LOG_LEVEL_ASSERT`, which controls how verbose the assert output is.

- Enhancements to TF-A support when running in AArch32 execution state:

  - Support booting SP_MIN and BL33 in AArch32 execution mode on Juno. Due to
    hardware limitations, BL1 and BL2 boot in AArch64 state and there is
    additional trampoline code to warm reset into SP_MIN in AArch32 execution
    state.

  - Added support for Arm Cortex-A53/57/72 MPCore processors including the
    errata workarounds that are already implemented for AArch64 execution
    state.

  - For FVP platforms, added AArch32 Trusted Board Boot support, including the
    Firmware Update feature.

- Introduced Arm SiP service for use by Arm standard platforms.

  - Added new Arm SiP Service SMCs to enable the Non-secure world to read PMF
    timestamps.

    Added PMF instrumentation points in TF-A in order to quantify the
    overall time spent in the PSCI software implementation.

  - Added new Arm SiP service SMC to switch execution state.

    This allows the lower exception level to change its execution state from
    AArch64 to AArch32, or vice versa, via a request to EL3.

- Migrated to use SPDX[0] license identifiers to make software license
  auditing simpler.

  .. note::
     Files imported from FreeBSD have not been modified.

  [0]: https://spdx.org/

- Enhancements to the translation table library:

  - Added version 2 of the translation table library, which allows different
    translation tables to be modified by using different 'contexts'. Version 1
    of the translation table library only allows the current EL's translation
    tables to be modified.

    Version 2 of the translation table library also adds support for dynamic
    regions: regions that can be added and removed dynamically whilst the
    MMU is enabled. Static regions can only be added or removed before the
    MMU is enabled.

    The dynamic mapping functionality is enabled or disabled when compiling
    by setting the build option PLAT_XLAT_TABLES_DYNAMIC to 1 or 0. This can
    be done per-image.

  - Added support for translation regimes with two virtual address spaces
    such as the one shared by EL1 and EL0.

    The library does not support initializing translation tables for EL0
    software.

  - Added support to mark the translation tables as non-cacheable using an
    additional build option `XLAT_TABLE_NC`.

- Added support for GCC stack protection. A new build option
  ENABLE_STACK_PROTECTOR was introduced that enables compilation of all BL
  images with one of the GCC -fstack-protector-* options.

  A new platform function plat_get_stack_protector_canary() was introduced
  that returns a value used to initialize the canary for stack corruption
  detection. For increased effectiveness of protection, platforms must provide
  an implementation that returns a random value; a fixed or predictable canary
  gives an attacker who can read or guess it a way past the check.

- Enhanced support for Arm platforms:

  - Added support for multi-threading CPUs, indicated by the `MT` field in
    MPIDR. A new build flag `ARM_PLAT_MT` is added, and when enabled, the
    functions accessing MPIDR assume that the `MT` bit is set for the platform
    and access the bit fields accordingly.

    Also, a new API `plat_arm_get_cpu_pe_count` is added when `ARM_PLAT_MT` is
    enabled, returning the Processing Element count within the physical CPU
    corresponding to `mpidr`.

  - The Arm platforms migrated to use version 2 of the translation tables.

  - Introduced a new Arm platform layer API `plat_arm_psci_override_pm_ops`
    which allows Arm platforms to modify `plat_arm_psci_pm_ops` and therefore
    dynamically define PSCI capability.

  - The Arm platforms migrated to use LOAD_IMAGE_V2 by default.

- Enhanced reporting of errata workaround status with the following policy:

  - If an errata workaround is enabled:

    - If it applies (i.e. the CPU is affected by the erratum), an INFO message
      is printed, confirming that the errata workaround has been applied.

    - If it does not apply, a VERBOSE message is printed, confirming that the
      errata workaround has been skipped.

  - If an errata workaround is not enabled, but would have applied had it
    been, a WARN message is printed, alerting that the errata workaround is
    missing.

- Added build options ARM_ARCH_MAJOR and ARM_ARCH_MINOR to choose the
  architecture version to target TF-A.

- Updated the spin lock implementation to use the more efficient CAS (Compare
  And Swap) instruction when available. This instruction was introduced in
  Armv8.1-A.

- Applied errata workaround for Arm Cortex-A53: 855873.

- Applied errata workaround for Arm Cortex-A57: 813419.
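The reporting policy above, together with the rule recorded in the 1.1 notes further down that a workaround is applied only when the MIDR part number and revision match, as an added example in C. This is not TF-A code (the real status reporting lives in the assembly CPU support library): the MIDR field layout is from the Arm ARM, while the function names, the errata table and the affected-revision ranges in it are illustrative assumptions made for this example, not a substitute for the vendor errata notices.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* MIDR_EL1 layout (Arm ARM): Implementer[31:24], Variant[23:20],
 * Architecture[19:16], PartNum[15:4], Revision[3:0]. */
#define MIDR_IMPL_ARM   0x41U
#define MIDR_ARCH_V8    0xFU
#define MIDR_PN_SHIFT   4U
#define MIDR_PN_MASK    0xFFFU
#define MIDR_VAR_SHIFT  20U
#define MIDR_VAR_MASK   0xFU
#define MIDR_REV_MASK   0xFU

/* Arm part numbers as they appear in MIDR.PartNum. */
#define CORTEX_A53_MIDR_PN 0xD03U
#define CORTEX_A57_MIDR_PN 0xD07U

enum errata_status {
    ERRATA_APPLIED,      /* workaround enabled and CPU affected: INFO */
    ERRATA_NOT_APPLIED,  /* workaround enabled, CPU not affected: VERBOSE */
    ERRATA_MISSING,      /* workaround disabled but CPU affected: WARN */
    ERRATA_NOT_AFFECTED  /* workaround disabled, CPU not affected: silent */
};

/* One errata record. Revisions are encoded as rXpY -> (X << 4) | Y. */
struct errata_entry {
    const char *cpu;
    uint32_t part_num;
    uint32_t erratum;
    uint8_t first_rev;   /* first affected rXpY (assumed range, see lead-in) */
    uint8_t last_rev;    /* last affected rXpY */
    bool enabled;        /* stands in for the build-time ERRATA_* flag */
};

/* Build a MIDR value for an Arm core of the given variant/part/revision. */
uint32_t make_midr(uint32_t variant, uint32_t part_num, uint32_t revision)
{
    return (MIDR_IMPL_ARM << 24) | ((variant & MIDR_VAR_MASK) << MIDR_VAR_SHIFT) |
           (MIDR_ARCH_V8 << 16) | ((part_num & MIDR_PN_MASK) << MIDR_PN_SHIFT) |
           (revision & MIDR_REV_MASK);
}

/* rXpY of a MIDR as one comparable byte, (X << 4) | Y. */
uint8_t midr_rev_var(uint32_t midr)
{
    uint32_t variant = (midr >> MIDR_VAR_SHIFT) & MIDR_VAR_MASK;
    uint32_t revision = midr & MIDR_REV_MASK;
    return (uint8_t)((variant << 4) | revision);
}

/* An erratum applies only if the part number matches AND the revision lies
 * inside the affected range; a matching part number alone is not enough. */
bool erratum_applies(const struct errata_entry *e, uint32_t midr)
{
    uint32_t part = (midr >> MIDR_PN_SHIFT) & MIDR_PN_MASK;
    uint8_t rv = midr_rev_var(midr);
    return part == e->part_num && rv >= e->first_rev && rv <= e->last_rev;
}

/* The reporting policy from the release note, applied to one record. */
enum errata_status report_erratum(const struct errata_entry *e, uint32_t midr)
{
    bool applies = erratum_applies(e, midr);
    if (e->enabled) {
        if (applies) {
            printf("INFO:    %s: errata workaround for %" PRIu32 " was applied\n", e->cpu, e->erratum);
            return ERRATA_APPLIED;
        }
        printf("VERBOSE: %s: errata workaround for %" PRIu32 " was not applied\n", e->cpu, e->erratum);
        return ERRATA_NOT_APPLIED;
    }
    if (applies) {
        printf("WARNING: %s: errata workaround for %" PRIu32 " was missing!\n", e->cpu, e->erratum);
        return ERRATA_MISSING;
    }
    return ERRATA_NOT_AFFECTED;
}

/* Illustrative table; the ranges are assumptions for the example. */
const struct errata_entry a53_843419 = { "Cortex-A53", CORTEX_A53_MIDR_PN, 843419, 0x00, 0x04, true };
const struct errata_entry a53_855873 = { "Cortex-A53", CORTEX_A53_MIDR_PN, 855873, 0x03, 0xFF, false };
const struct errata_entry a57_813419 = { "Cortex-A57", CORTEX_A57_MIDR_PN, 813419, 0x00, 0x00, true };

int main(void)
{
    uint32_t midr = make_midr(0, CORTEX_A53_MIDR_PN, 4);   /* a Cortex-A53 r0p4 */
    report_erratum(&a53_843419, midr);
    report_erratum(&a53_855873, midr);   /* disabled but applicable: WARN */
    report_erratum(&a57_813419, midr);   /* different part: VERBOSE */
    return 0;
}
```

The revision comparison is what makes the WARN line trustworthy: a workaround that is simply "off" for an unaffected revision must stay silent, otherwise the warning becomes noise and gets ignored on the one platform where it matters.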

- Enabled all A53 and A57 errata workarounds for Juno, both in AArch64 and
  AArch32 execution states.

- Added support for Socionext UniPhier SoC platform.

- Added support for Hikey960 and Hikey platforms.

- Added support for Rockchip RK3328 platform.

- Added support for NVidia Tegra T186 platform.

- Added support for DesignWare eMMC driver.

- Imported libfdt v1.4.2 that addresses buffer overflow in fdt_offset_ptr().

- Enhanced the CPU operations framework to allow power handlers to be
  registered on per-level basis. This enables support for future CPUs that
  have multiple threads which might need powering down individually.

- Updated register initialisation to prevent unexpected behaviour:

  - Debug registers MDCR_EL3/SDCR and MDCR_EL2/HDCR are initialised to avoid
    unexpected traps into the higher exception levels and disable secure
    self-hosted debug. Additionally, secure privileged external debug on
    Juno is disabled by programming the appropriate Juno SoC registers.

  - EL2 and EL3 configurable controls are initialised to avoid unexpected
    traps in the higher exception levels.

  - Essential control registers are fully initialised on EL3 start-up, when
    initialising the non-secure and secure context structures and when
    preparing to leave EL3 for a lower EL. This gives better alignment with
    the Arm ARM which states that software must initialise RES0 and RES1
    fields with 0 / 1.

- Enhanced PSCI support:

  - Introduced new platform interfaces that decouple PSCI stat residency
    calculation from PMF, enabling platforms to use alternative methods of
    capturing timestamps.

  - PSCI stat accounting performed for retention/standby states when
    requested at multiple power levels.

- Simplified fiptool to have a single linked list of image descriptors.
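An added example, in C, of the two checks the Firmware Update notes above call for (rejecting a copy request whose size arithmetic wraps, the TFV-1 class of bug, and rejecting an image that overlaps one already placed) and of the same overflow-safe idiom applied to a device-tree offset, the class of bug fixed in libfdt's fdt_offset_ptr(). None of this is TF-A or libfdt code; the secure-memory window, the struct layout and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* True if [base, base+size) lies inside [rbase, rbase+rsize) and neither end
 * wraps. Only subtractions are used, so no intermediate sum can overflow. */
bool range_fits(uintptr_t base, size_t size, uintptr_t rbase, size_t rsize)
{
    if (base < rbase || size > rsize)
        return false;
    return (base - rbase) <= (rsize - size);
}

/* Half-open intervals overlap. Both must already have passed range_fits(),
 * so the additions here cannot wrap. */
bool ranges_overlap(uintptr_t a, size_t a_size, uintptr_t b, size_t b_size)
{
    return (a < b + b_size) && (b < a + a_size);
}

/* Secure memory window into which FWU images are copied (assumed layout). */
#define SEC_MEM_BASE ((uintptr_t)0x04000000)
#define SEC_MEM_SIZE ((size_t)0x00020000)

struct fwu_image {
    uintptr_t base;     /* destination in secure memory */
    size_t image_size;  /* total size declared by the first COPY call */
    size_t copied;      /* bytes accepted so far */
};

enum fwu_err { FWU_OK = 0, FWU_EINVAL = -1, FWU_EOVERLAP = -2 };

/* The unsafe pattern: adding an untrusted block_size to a running total and
 * comparing the sum lets a huge block_size wrap around and pass the check. */
bool naive_block_fits(const struct fwu_image *img, size_t block_size)
{
    return (img->copied + block_size) <= img->image_size;
}

/* Hardened validation of one COPY request against the image being built and
 * the images already placed in secure memory. */
int fwu_validate_copy(const struct fwu_image *img, size_t block_size,
                      const struct fwu_image *placed, size_t n_placed)
{
    /* 1. The whole image must sit inside secure memory without wrapping. */
    if (!range_fits(img->base, img->image_size, SEC_MEM_BASE, SEC_MEM_SIZE))
        return FWU_EINVAL;
    /* 2. The block must fit in the remainder: compare against the remainder
     *    (a subtraction) instead of adding the untrusted block_size. */
    if (img->copied > img->image_size || block_size > img->image_size - img->copied)
        return FWU_EINVAL;
    /* 3. No overlap with any image already placed: otherwise a still
     *    unauthenticated copy could overwrite an authenticated image. */
    for (size_t i = 0; i < n_placed; i++) {
        if (ranges_overlap(img->base, img->image_size, placed[i].base, placed[i].image_size))
            return FWU_EOVERLAP;
    }
    return FWU_OK;
}

/* The same idiom for a flattened device tree: resolve an offset relative to
 * the structure block only if [struct_off+offset, +len) is inside the blob. */
const void *dtb_offset_ptr(const uint8_t *blob, size_t totalsize,
                           size_t struct_off, size_t offset, size_t len)
{
    if (struct_off > totalsize || offset > totalsize - struct_off)
        return NULL;                      /* struct_off + offset would wrap or exceed */
    if (!range_fits(struct_off + offset, len, 0, totalsize))
        return NULL;
    return blob + struct_off + offset;
}

int main(void)
{
    struct fwu_image img = { SEC_MEM_BASE, 0x8000, 0x7000 };
    printf("naive check, block_size=SIZE_MAX: %s\n",
           naive_block_fits(&img, SIZE_MAX) ? "accepted" : "rejected");
    printf("hardened check, block_size=SIZE_MAX: %d\n",
           fwu_validate_copy(&img, SIZE_MAX, NULL, 0));
    return 0;
}
```

The naive check accepts a block of SIZE_MAX bytes once 0x7000 bytes are already copied, because the sum wraps to 0x6FFF; the hardened version never forms that sum.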

- For the TSP, resolved corruption of pre-empted secure context by aborting any
  pre-empted SMC during PSCI power management requests.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- TF-A can be built with the latest mbed TLS version (v2.4.2). The earlier
  version 2.3.0 cannot be used due to build warnings that the TF-A build
  system interprets as errors.

- TBBR, including the Firmware Update feature, is now supported on FVP
  platforms when running TF-A in AArch32 state.

- The version of the AEMv8 Base FVP used in this release has resolved the issue
  of the model executing a reset instead of terminating in response to a
  shutdown request using the PSCI SYSTEM_OFF API.

Known Issues
^^^^^^^^^^^^

- Building TF-A with compiler optimisations disabled (-O0) fails.

- Trusted Board Boot currently does not work on Juno when running Trusted
  Firmware in AArch32 execution state, due to an error when loading sp_min
  into memory because of a lack of free space. See `tf-issue#501`_ for more
  details.

- The workaround for Cortex-A53 erratum 843419 is only available from binutils
  2.26 and is not present in GCC 4.9. If this erratum applies to the
  platform, use a GCC compiler version of at least 5.0. See `PR#1002`_ for
  more details.

Version 1.3
-----------


New features
^^^^^^^^^^^^

- Added support for running TF-A in AArch32 execution state.

  The PSCI library has been refactored to allow integration with **EL3 Runtime
  Software**. This is software that is executing at the highest secure
  privilege which is EL3 in AArch64 or Secure SVC/Monitor mode in AArch32. See
  :ref:`PSCI Library Integration guide for Armv8-A AArch32 systems`.

  Included is a minimal AArch32 Secure Payload, **SP-MIN**, that illustrates
  the usage and integration of the PSCI library with EL3 Runtime Software
  running in AArch32 state.

  Booting to the BL1/BL2 images as well as booting straight to the Secure
  Payload is supported.

- Improvements to the initialization framework for the PSCI service and Arm
  Standard Services in general.

  The PSCI service is now initialized as part of Arm Standard Service
  initialization. This consolidates the initializations of any Arm Standard
  Service that may be added in the future.

  A new function ``get_arm_std_svc_args()`` is introduced to get arguments
  corresponding to each standard service and must be implemented by the EL3
  Runtime Software.

  For PSCI, a new versioned structure ``psci_lib_args_t`` is introduced to
  initialize the PSCI Library. **Note** this is a compatibility break due to
  the change in the prototype of ``psci_setup()``.

- To support AArch32 builds of BL1 and BL2, implemented a new, alternative
  firmware image loading mechanism that adds flexibility.

  The current mechanism has a hard-coded set of images and execution order
  (BL31, BL32, etc). The new mechanism is data-driven by a list of image
  descriptors provided by the platform code.

  Arm platforms have been updated to support the new loading mechanism.

  The new mechanism is enabled by a build flag (``LOAD_IMAGE_V2``) which is
  currently off by default for the AArch64 build.

  **Note** ``TRUSTED_BOARD_BOOT`` is currently not supported when
  ``LOAD_IMAGE_V2`` is enabled.

- Updated requirements for making contributions to TF-A.

  Commits now must have a 'Signed-off-by:' field to certify that the
  contribution has been made under the terms of the
  :download:`Developer Certificate of Origin <../dco.txt>`.

  A signed CLA is no longer required.

  The :ref:`Contributor's Guide` has been updated to reflect this change.

- Introduced Performance Measurement Framework (PMF) which provides support
  for capturing, storing, dumping and retrieving time-stamps to measure the
  execution time of critical paths in the firmware. This relies on defining
  fixed sample points at key places in the code.

- To support the QEMU platform port, imported libfdt v1.4.1 from
  https://git.kernel.org/pub/scm/utils/dtc/dtc.git

- Updated PSCI support:

  - Added support for PSCI NODE_HW_STATE API for Arm platforms.

  - New optional platform hook, ``pwr_domain_pwr_down_wfi()``, in
    ``plat_psci_ops`` to enable platforms to perform platform-specific actions
    needed to enter powerdown, including the 'wfi' invocation.

  - PSCI STAT residency and count functions have been added on Arm platforms
    by using PMF.

- Enhancements to the translation table library:

  - Limited memory mapping support for region overlaps: two regions may
    overlap only if they are identity mapped or have the same virtual to
    physical address offset, and one fully contains the other. Partial
    overlaps are rejected, as are two regions covering exactly the same area.

    This limitation will enable future enhancements without having to
    support complex edge cases that may not be necessary.

  - The initial translation lookup level is now inferred from the virtual
    address space size. Previously, it was hard-coded.

  - Added support for mapping Normal, Inner Non-cacheable, Outer
    Non-cacheable memory in the translation table library.

    This can be useful to map a non-cacheable memory region, such as a DMA
    buffer.

  - Introduced the MT_EXECUTE/MT_EXECUTE_NEVER memory mapping attributes to
    specify the access permissions for instruction execution of a memory
    region.
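The overlap rule above, as an added stand-alone check in C. It is not the translation table library's own code; the region struct and the result codes are assumptions made for the example. Regions are treated as closed intervals [base, base + size - 1], and the caller is assumed to have already rejected zero-size and wrapping regions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One mapping request as the caller describes it (assumed layout). */
struct mmap_region {
    uint64_t base_pa;
    uint64_t base_va;
    uint64_t size;   /* non-zero; base + size does not wrap */
};

enum mmap_check {
    MMAP_OK,
    MMAP_ERR_PARTIAL_OVERLAP,   /* VA or PA overlap that is not full containment */
    MMAP_ERR_OFFSET_MISMATCH,   /* contained, but a different VA-to-PA offset */
    MMAP_ERR_DUPLICATE          /* exactly the same VA range mapped twice */
};

/* Closed-interval helpers on [base, base + size - 1]. */
static bool disjoint(uint64_t a, uint64_t a_size, uint64_t b, uint64_t b_size)
{
    return (a + a_size - 1 < b) || (b + b_size - 1 < a);
}

static bool contains(uint64_t outer, uint64_t outer_size, uint64_t inner, uint64_t inner_size)
{
    return (inner >= outer) && (inner + inner_size - 1 <= outer + outer_size - 1);
}

/* May 'add' be mapped while 'old' is already in the table? */
enum mmap_check mmap_check_pair(const struct mmap_region *old, const struct mmap_region *add)
{
    bool full_va = contains(old->base_va, old->size, add->base_va, add->size) ||
                   contains(add->base_va, add->size, old->base_va, old->size);

    if (full_va) {
        /* Full VA overlap is allowed only when both map VA to PA with the same
         * offset (identity mapping is the zero-offset case)... */
        if ((old->base_va - old->base_pa) != (add->base_va - add->base_pa))
            return MMAP_ERR_OFFSET_MISMATCH;
        /* ...and the two regions are not the very same area. */
        if (old->base_va == add->base_va && old->size == add->size)
            return MMAP_ERR_DUPLICATE;
        return MMAP_OK;
    }

    /* Otherwise the regions must be fully separated in both VA and PA. A
     * partial VA overlap, or a PA-only overlap (two different VAs onto the
     * same physical page), is rejected. */
    if (disjoint(old->base_va, old->size, add->base_va, add->size) &&
        disjoint(old->base_pa, old->size, add->base_pa, add->size))
        return MMAP_OK;
    return MMAP_ERR_PARTIAL_OVERLAP;
}

/* Validate a new region against every region already in the table. */
enum mmap_check mmap_add_region_check(const struct mmap_region *table, size_t n,
                                      const struct mmap_region *add)
{
    for (size_t i = 0; i < n; i++) {
        enum mmap_check rc = mmap_check_pair(&table[i], add);
        if (rc != MMAP_OK)
            return rc;
    }
    return MMAP_OK;
}
```

The offset comparison is done on the unsigned difference base_va - base_pa, which is well defined even when PA is above VA, so a shifted (non-identity) mapping and a sub-region with the same shift compare equal.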

- Enabled support to isolate code and read-only data on separate memory pages,
  allowing independent access control to be applied to each.

- Enabled SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and BL31 common
  architectural setup code, preventing fetching instructions from non-secure
  memory when in secure state.

- Enhancements to FIP support:

  - Replaced ``fip_create`` with ``fiptool`` which provides a more consistent
    and intuitive interface as well as additional support to remove an image
    from a FIP file.

  - Enabled printing the SHA256 digest with the info command, allowing quick
    verification of an image within a FIP without having to extract the
    image and run sha256sum on it.

  - Added support for unpacking the contents of an existing FIP file into
    the working directory.

  - Aligned command line options for specifying images to use the same naming
    convention as specified by TBBR and already used in the cert_create tool.

- Refactored the TZC-400 driver to also support memory controllers that
  integrate TZC functionality, for example Arm CoreLink DMC-500. Also added
  DMC-500 specific support.

- Implemented generic delay timer based on the system generic counter and
  migrated all platforms to use it.

- Enhanced support for Arm platforms:

  - Updated image loading support to make SCP images (SCP_BL2 and SCP_BL2U)
    optional.

  - Enhanced topology description support to allow multi-cluster topology
    definitions.

  - Added interconnect abstraction layer to help platform ports select the
    right interconnect driver, CCI or CCN, for the platform.

  - Added support to allow loading BL31 in the TZC-secured DRAM instead of
    the default secure SRAM.

  - Added support to use a System Security Control (SSC) Registers Unit
    enabling TF-A to be compiled to support multiple Arm platforms and
    then select one at runtime.

  - Restricted mapping of Trusted ROM in BL1 to what is actually needed by
    BL1 rather than the entire Trusted ROM region.

  - Flash is now mapped as execute-never by default. This increases security
    by restricting the executable region to what is strictly needed.

- Applied the following erratum workarounds for Cortex-A57: 833471, 826977,
  829520, 828024 and 826974.

- Added support for Mediatek MT6795 platform.

- Added support for QEMU virtualization Armv8-A target.

- Added support for Rockchip RK3368 and RK3399 platforms.

- Added support for Xilinx Zynq UltraScale+ MPSoC platform.

- Added support for Arm Cortex-A73 MPCore Processor.

- Added support for Arm Cortex-A72 processor.

- Added support for Arm Cortex-A35 processor.

- Added support for Arm Cortex-A32 MPCore Processor.

- Enabled preloaded BL33 alternative boot flow, in which BL2 does not load
  BL33 from non-volatile storage and BL31 hands execution over to a preloaded
  BL33. The User Guide has been updated with an example of how to use this
  option with a bootwrapped kernel.

- Added support to build TF-A on a Windows-based host machine.

- Updated Trusted Board Boot prototype implementation:

  - Enabled the ability for a production ROM with TBBR enabled to boot test
    software before a real ROTPK is deployed (e.g. manufacturing mode).
    Added support to use the ROTPK in the certificate without verifying it
    against the platform value when the ``ROTPK_NOT_DEPLOYED`` bit is set.

  - Added support for non-volatile counter authentication to the
    Authentication Module to protect against roll-back.
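The non-volatile counter check, as an added example in C that is not TF-A's authentication module code. The platform counter is simulated in memory (on real hardware it would be OTP- or eFuse-backed and monotonic), and the split into a check (run once the certificate signature has been verified) and a separate commit (run only after the image itself has been authenticated) is a design choice made here, not something the notes state.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simulated platform non-volatile counter. On real hardware this is backed by
 * OTP/eFuses and can only ever increase. */
static uint32_t sim_nv_ctr;
static bool sim_nv_ctr_write_fails;

void sim_nvctr_reset(uint32_t initial, bool write_fails)
{
    sim_nv_ctr = initial;
    sim_nv_ctr_write_fails = write_fails;
}

uint32_t sim_nvctr_value(void)
{
    return sim_nv_ctr;
}

static int plat_get_nv_ctr(uint32_t *value)
{
    *value = sim_nv_ctr;
    return 0;
}

static int plat_set_nv_ctr(uint32_t value)
{
    if (sim_nv_ctr_write_fails || value < sim_nv_ctr)
        return -1;    /* a monotonic counter never moves backwards */
    sim_nv_ctr = value;
    return 0;
}

enum nvctr_result { NVCTR_OK, NVCTR_ROLLBACK, NVCTR_ERR_READ, NVCTR_ERR_UPDATE };

/*
 * Phase 1: compare the counter carried in a certificate against the platform
 * counter. Call this only after the certificate signature has been verified,
 * otherwise an attacker could present any counter value they like.
 * Sets *need_update when the certificate is newer than the platform counter.
 */
enum nvctr_result auth_nvctr_check(uint32_t cert_nv_ctr, bool *need_update)
{
    uint32_t plat_nv_ctr;

    *need_update = false;
    if (plat_get_nv_ctr(&plat_nv_ctr) != 0)
        return NVCTR_ERR_READ;
    if (cert_nv_ctr < plat_nv_ctr)
        return NVCTR_ROLLBACK;     /* older than firmware already accepted */
    if (cert_nv_ctr > plat_nv_ctr)
        *need_update = true;
    return NVCTR_OK;               /* equal counters: same version booting again */
}

/*
 * Phase 2: advance the platform counter, only once the whole image has been
 * authenticated. Burning the counter earlier would let a certificate with a
 * valid signature but a corrupt image lock out the currently working firmware.
 */
enum nvctr_result auth_nvctr_commit(uint32_t cert_nv_ctr)
{
    if (plat_set_nv_ctr(cert_nv_ctr) != 0)
        return NVCTR_ERR_UPDATE;
    return NVCTR_OK;
}
```

A failed commit is reported rather than ignored: if the counter cannot be advanced, the next boot would accept the previous version again, which is exactly the roll-back the counter exists to prevent, so a platform should treat NVCTR_ERR_UPDATE as a boot failure rather than a warning.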

- Updated GICv3 support:

  - Enabled processor power-down and automatic power-on using GICv3.

  - Enabled G1S or G0 interrupts to be configured independently.

  - Changed FVP default interrupt driver to be the GICv3-only driver.
    **Note** the default build of TF-A will not be able to boot a
    Linux kernel with a GICv2 FDT blob.

  - Enabled wake-up from CPU_SUSPEND to stand-by by temporarily re-routing
    interrupts and then restoring after resume.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Known issues
^^^^^^^^^^^^

- The version of the AEMv8 Base FVP used in this release resets the model
  instead of terminating its execution in response to a shutdown request using
  the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
  the model.

- Building TF-A with compiler optimisations disabled (``-O0``) fails.

- TF-A cannot be built with mbed TLS version v2.3.0 due to build warnings
  that the TF-A build system interprets as errors.

- TBBR is not currently supported when running TF-A in AArch32 state.

Version 1.2
-----------

New features
^^^^^^^^^^^^

- The Trusted Board Boot implementation on Arm platforms now conforms to the
  mandatory requirements of the TBBR specification.

  In particular, the boot process is now guarded by a Trusted Watchdog, which
  will reset the system in case of an authentication or loading error. On Arm
  platforms, a secure instance of Arm SP805 is used as the Trusted Watchdog.

  Also, a firmware update process has been implemented. It enables
  authenticated firmware to update firmware images from external interfaces to
  SoC Non-Volatile memories. This feature functions even when the current
  firmware in the system is corrupt or missing; it therefore may be used as
  a recovery mode.

- Improvements have been made to the Certificate Generation Tool
  (``cert_create``) as follows.

  - Added support for the Firmware Update process by extending the Chain
    of Trust definition in the tool to include the Firmware Update
    certificate and the required extensions.

  - Introduced a new API that allows one to specify command line options in
    the Chain of Trust description. This makes the declaration of the tool's
    arguments more flexible and easier to extend.

  - The tool has been reworked to follow a data driven approach, which
    makes it easier to maintain and extend.

- Extended the FIP tool (``fip_create``) to support the new set of images
  involved in the Firmware Update process.

- Various memory footprint improvements. In particular:

  - The bakery lock structure for coherent memory has been optimised.

  - The mbed TLS SHA1 functions are not needed, as SHA256 is used to
    generate the certificate signature. Therefore, they have been compiled
    out, reducing the memory footprint of BL1 and BL2 by approximately
    6 KB.

  - On Arm development platforms, each BL stage now individually defines
    the number of regions that it needs to map in the MMU.

- Added the following new design documents:

  - :ref:`Authentication Framework & Chain of Trust`
  - :ref:`Firmware Update (FWU)`
  - :ref:`CPU Reset`
  - :ref:`PSCI Power Domain Tree Structure`

- Applied the new image terminology to the code base and documentation, as
  described in the :ref:`Image Terminology` document.

- The build system has been reworked to improve readability and facilitate
  adding future extensions.

- On Arm standard platforms, BL31 uses the boot console during cold boot
  but switches to the runtime console for any later logs at runtime. The TSP
  uses the runtime console for all output.

- Implemented a basic NOR flash driver for Arm platforms. It programs the
  device using CFI (Common Flash Interface) standard commands.

- Implemented support for booting EL3 payloads on Arm platforms, which
  reduces the complexity of developing EL3 baremetal code by doing essential
  baremetal initialization.

- Provided separate drivers for GICv3 and GICv2. These expect the entire
  software stack to use either GICv2 or GICv3; hybrid GIC software systems
  are no longer supported and the legacy Arm GIC driver has been deprecated.

- Added support for Juno r1 and r2. A single set of Juno TF-A binaries can run
  on Juno r0, r1 and r2 boards. Note that this TF-A version depends on a Linaro
  release that does *not* contain Juno r2 support.

- Added support for MediaTek mt8173 platform.

- Implemented a generic driver for Arm CCN IP.

- Major rework of the PSCI implementation.

  - Added framework to handle composite power states.

  - Decoupled the notions of affinity instances (which describe the
    hierarchical arrangement of cores) and of power domain topology, instead
    of assuming a one-to-one mapping.

  - Better alignment with version 1.0 of the PSCI specification.

- Added support for the SYSTEM_SUSPEND PSCI API on Arm platforms. When invoked
  on the last running core on a supported platform, this puts the system
  into a low power mode with memory retention.

- Unified the reset handling code as much as possible across BL stages.
  Also introduced some build options to enable optimization of the reset path
  on platforms that support it.

- Added a simple delay timer API, as well as an SP804 timer driver, which is
  enabled on FVP.

- Added support for NVidia Tegra T210 and T132 SoCs.

- Reorganised Arm platform ports to greatly improve code shareability and
  facilitate the reuse of some of this code by other platforms.

- Added support for Arm Cortex-A72 processor in the CPU specific framework.

- Provided better error handling. Platform ports can now define their own
  error handling, for example to perform platform specific bookkeeping or
  post-error actions.

- Implemented a unified driver for Arm Cache Coherent Interconnects used for
  both CCI-400 & CCI-500 IPs. Arm platform ports have been migrated to this
  common driver. The standalone CCI-400 driver has been deprecated.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The Trusted Board Boot implementation has been redesigned to provide greater
  modularity and scalability. See the
  :ref:`Authentication Framework & Chain of Trust` document.
  All missing mandatory features are now implemented.

- The FVP and Juno ports may now use the hash of the ROTPK stored in the
  Trusted Key Storage registers to verify the ROTPK. Alternatively, a
  development public key hash embedded in the BL1 and BL2 binaries might be
  used instead. The location of the ROTPK is chosen at build-time using the
  ``ARM_ROTPK_LOCATION`` build option.

- GICv3 is now fully supported and stable.

Known issues
^^^^^^^^^^^^

- The version of the AEMv8 Base FVP used in this release resets the model
  instead of terminating its execution in response to a shutdown request using
  the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
  the model.

- While this version has low on-chip RAM requirements, there are further
  RAM usage enhancements that could be made.

- The upstream documentation could be improved for structural consistency,
  clarity and completeness.
  In particular, the design documentation is incomplete for PSCI, the TSP(D)
  and the Juno platform.

- Building TF-A with compiler optimisations disabled (``-O0``) fails.

Version 1.1
-----------

New features
^^^^^^^^^^^^

- A prototype implementation of Trusted Board Boot has been added. Boot
  loader images are verified by BL1 and BL2 during the cold boot path. BL1 and
  BL2 use the PolarSSL SSL library to verify certificates and images. The
  OpenSSL library is used to create the X.509 certificates. Support has been
  added to ``fip_create`` tool to package the certificates in a FIP.

- Support for calling CPU and platform specific reset handlers upon entry into
  BL3-1 during the cold and warm boot paths has been added. This happens after
  another Boot ROM ``reset_handler()`` has already run. This enables a developer
  to perform additional actions or undo actions already performed during the
  first call of the reset handlers e.g. apply additional errata workarounds.

- Support has been added to demonstrate routing of IRQs to EL3 instead of
  S-EL1 when execution is in secure world.

- The PSCI implementation now conforms to version 1.0 of the PSCI
  specification. All the mandatory APIs and selected optional APIs are
  supported. In particular, support for the ``PSCI_FEATURES`` API has been
  added. A capability variable is constructed during initialization by
  examining the ``plat_pm_ops`` and ``spd_pm_ops`` exported by the platform and
  the Secure Payload Dispatcher. This is used by the PSCI FEATURES function
  to determine which PSCI APIs are supported by the platform.

- Improvements have been made to the PSCI code as follows.

  - The code has been refactored to remove redundant parameters from
    internal functions.

  - Changes have been made to the code for PSCI ``CPU_SUSPEND``, ``CPU_ON`` and
    ``CPU_OFF`` calls to facilitate an early return to the caller in case a
    failure condition is detected. For example, a PSCI ``CPU_SUSPEND`` call
    returns ``SUCCESS`` to the caller if a pending interrupt is detected early
    in the code path.

  - Optional platform APIs have been added to validate the ``power_state`` and
    ``entrypoint`` parameters early in PSCI ``CPU_ON`` and ``CPU_SUSPEND`` code
    paths.

  - PSCI migrate APIs have been reworked to invoke the SPD hook to determine
    the type of Trusted OS and the CPU it is resident on (if
    applicable). Also, during a PSCI ``MIGRATE`` call, the SPD hook to migrate
    the Trusted OS is invoked.

- It is now possible to build TF-A without marking at least an extra page of
  memory as coherent. The build flag ``USE_COHERENT_MEM`` can be used to
  choose between the two implementations. This has been made possible through
  these changes.

  - An implementation of Bakery locks, where the locks are not allocated in
    coherent memory, has been added.

  - Memory which was previously marked as coherent is now kept coherent
    through the use of software cache maintenance operations.

  Approximately 4 KB of memory is saved for each boot loader stage when
  ``USE_COHERENT_MEM=0``. Building with this option increases the latencies
  associated with acquire and release of locks. It also requires changes to
  the platform ports.

- It is now possible to specify the name of the FIP at build time by defining
  the ``FIP_NAME`` variable.

- Issues with dependencies on the 'fiptool' makefile target have been
  rectified. The ``fip_create`` tool is now rebuilt whenever its source files
  change.

- The BL3-1 runtime console is now also used as the crash console.
  The crash console is changed to SoC UART0 (UART2) from the previous FPGA
  UART0 (UART0) on Juno. In FVP, it is changed from UART0 to UART1.

- CPU errata workarounds are applied only when the revision and part number
  match. This behaviour has been made consistent across the debug and release
  builds. The debug build additionally prints a warning if a mismatch is
  detected.

- It is now possible to issue cache maintenance operations by set/way for a
  particular level of data cache. Levels 1-3 are currently supported.

- The following improvements have been made to the FVP port.

  - The build option ``FVP_SHARED_DATA_LOCATION`` which allowed relocation of
    shared data into the Trusted DRAM has been deprecated. Shared data is
    now always located at the base of Trusted SRAM.

  - BL2 Translation tables have been updated to map only the region of
    DRAM which is accessible to normal world. This is the region of the 2GB
    DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is
    accessible to only the secure world.

  - BL3-2 can now reside in the top 16MB of DRAM which is accessible only to
    the secure world. This can be done by setting the build flag
    ``FVP_TSP_RAM_LOCATION`` to the value ``dram``.

- Separate translation tables are created for each boot loader image. The
  ``IMAGE_BLx`` build options are used to do this. This allows each stage to
  create mappings only for areas in the memory map that it needs.

- A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been
  added. Details of using it with TF-A can be found in :ref:`OP-TEE Dispatcher`.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The Juno port has been aligned with the FVP port as follows.

  - Support for reclaiming all BL1 RW memory and BL2 memory by overlaying
    the BL3-1/BL3-2 NOBITS sections on top of them has been added to the
    Juno port.

  - The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured
    using the TZC-400 controller to be accessible only to the secure world.

  - The Arm GIC driver is used to configure the GIC-400 instead of using a
    GIC driver private to the Juno port.

  - PSCI ``CPU_SUSPEND`` calls that target a standby state are now supported.

  - The TZC-400 driver is used to configure the controller instead of direct
    accesses to the registers.

- The Linux kernel version referred to in the user guide has DVFS and HMP
  support enabled.

- DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
  CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of
  the Cortex-A57-A53 Base FVPs.

Known issues
^^^^^^^^^^^^

- The Trusted Board Boot implementation is a prototype. There are issues with
  the modularity and scalability of the design. Support for a Trusted
  Watchdog, firmware update mechanism, recovery images and Trusted debug is
  absent. These issues will be addressed in future releases.

- The FVP and Juno ports do not use the hash of the ROTPK stored in the
  Trusted Key Storage registers to verify the ROTPK in the
  ``plat_match_rotpk()`` function. This prevents the correct establishment of
  the Chain of Trust at the first step in the Trusted Board Boot process.

- The version of the AEMv8 Base FVP used in this release resets the model
  instead of terminating its execution in response to a shutdown request using
  the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
  the model.

- GICv3 support is experimental. There are known issues with GICv3
  initialization in the TF-A.

- While this version greatly reduces the on-chip RAM requirements, there are
  further RAM usage enhancements that could be made.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

- The Juno-specific firmware design documentation is incomplete.

Version 1.0
-----------

New features
^^^^^^^^^^^^

- It is now possible to map higher physical addresses using non-flat virtual
  to physical address mappings in the MMU setup.

- Wider use is now made of the per-CPU data cache in BL3-1 to store:

  - Pointers to the non-secure and secure security state contexts.

  - A pointer to the CPU-specific operations.

  - A pointer to PSCI specific information (for example the current power
    state).

  - A crash reporting buffer.

- The following RAM usage improvements result in a BL3-1 RAM usage reduction
  from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction
  across all images from 208KB to 88KB, compared to the previous release.

  - Removed the separate ``early_exception`` vectors from BL3-1 (2KB code size
    saving).

  - Removed NSRAM from the FVP memory map, allowing the removal of one
    (4KB) translation table.

  - Eliminated the internal ``psci_suspend_context`` array, saving 2KB.

  - Correctly dimensioned the PSCI ``aff_map_node`` array, saving 1.5KB in the
    FVP port.

  - Removed calling CPU mpidr from the bakery lock API, saving 160 bytes.

  - Removed current CPU mpidr from PSCI common code, saving 160 bytes.

  - Inlined the mmio accessor functions, saving 360 bytes.

  - Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by
    overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime.
3435 3436 - Made storing the FP register context optional, saving 0.5KB per context 3437 (8KB on the FVP port, with TSPD enabled and running on 8 CPUs). 3438 3439 - Implemented a leaner ``tf_printf()`` function, allowing the stack to be 3440 greatly reduced. 3441 3442 - Removed coherent stacks from the codebase. Stacks allocated in normal 3443 memory are now used before and after the MMU is enabled. This saves 768 3444 bytes per CPU in BL3-1. 3445 3446 - Reworked the crash reporting in BL3-1 to use less stack. 3447 3448 - Optimized the EL3 register state stored in the ``cpu_context`` structure 3449 so that registers that do not change during normal execution are 3450 re-initialized each time during cold/warm boot, rather than restored 3451 from memory. This saves about 1.2KB. 3452 3453 - As a result of some of the above, reduced the runtime stack size in all 3454 BL images. For BL3-1, this saves 1KB per CPU. 3455 3456- PSCI SMC handler improvements to correctly handle calls from secure states 3457 and from AArch32. 3458 3459- CPU contexts are now initialized from the ``entry_point_info``. BL3-1 fully 3460 determines the exception level to use for the non-trusted firmware (BL3-3) 3461 based on the SPSR value provided by the BL2 platform code (or otherwise 3462 provided to BL3-1). This allows platform code to directly run non-trusted 3463 firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS 3464 loader. 3465 3466- Code refactoring improvements: 3467 3468 - Refactored ``fvp_config`` into a common platform header. 3469 3470 - Refactored the fvp gic code to be a generic driver that no longer has an 3471 explicit dependency on platform code. 3472 3473 - Refactored the CCI-400 driver to not have dependency on platform code. 3474 3475 - Simplified the IO driver so it's no longer necessary to call ``io_init()`` 3476 and moved all the IO storage framework code to one place. 3477 3478 - Simplified the interface the the TZC-400 driver. 
3479 3480 - Clarified the platform porting interface to the TSP. 3481 3482 - Reworked the TSPD setup code to support the alternate BL3-2 3483 initialization flow where BL3-1 generic code hands control to BL3-2, 3484 rather than expecting the TSPD to hand control directly to BL3-2. 3485 3486 - Considerable rework to PSCI generic code to support CPU specific 3487 operations. 3488 3489- Improved console log output, by: 3490 3491 - Adding the concept of debug log levels. 3492 3493 - Rationalizing the existing debug messages and adding new ones. 3494 3495 - Printing out the version of each BL stage at runtime. 3496 3497 - Adding support for printing console output from assembler code, 3498 including when a crash occurs before the C runtime is initialized. 3499 3500- Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro 3501 file system and DS-5. 3502 3503- On the FVP port, made the use of the Trusted DRAM region optional at build 3504 time (off by default). Normal platforms will not have such a "ready-to-use" 3505 DRAM area so it is not a good example to use it. 3506 3507- Added support for PSCI ``SYSTEM_OFF`` and ``SYSTEM_RESET`` APIs. 3508 3509- Added support for CPU specific reset sequences, power down sequences and 3510 register dumping during crash reporting. The CPU specific reset sequences 3511 include support for errata workarounds. 3512 3513- Merged the Juno port into the master branch. Added support for CPU hotplug 3514 and CPU idle. Updated the user guide to describe how to build and run on the 3515 Juno platform. 3516 3517Issues resolved since last release 3518^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 3519 3520- Removed the concept of top/bottom image loading. The image loader now 3521 automatically detects the position of the image inside the current memory 3522 layout and updates the layout to minimize fragmentation. This resolves the 3523 image loader limitations of previously releases. 
There are currently no 3524 plans to support dynamic image loading. 3525 3526- CPU idle now works on the publicized version of the Foundation FVP. 3527 3528- All known issues relating to the compiler version used have now been 3529 resolved. This TF-A version uses Linaro toolchain 14.07 (based on GCC 4.9). 3530 3531Known issues 3532^^^^^^^^^^^^ 3533 3534- GICv3 support is experimental. The Linux kernel patches to support this are 3535 not widely available. There are known issues with GICv3 initialization in 3536 the TF-A. 3537 3538- While this version greatly reduces the on-chip RAM requirements, there are 3539 further RAM usage enhancements that could be made. 3540 3541- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and 3542 its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. 3543 3544- The Juno-specific firmware design documentation is incomplete. 3545 3546- Some recent enhancements to the FVP port have not yet been translated into 3547 the Juno port. These will be tracked via the tf-issues project. 3548 3549- The Linux kernel version referred to in the user guide has DVFS and HMP 3550 support disabled due to some known instabilities at the time of this 3551 release. A future kernel version will re-enable these features. 3552 3553- DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in 3554 CADI server mode. This is because the ``<SimName>`` reported by the FVP in 3555 this version has changed. For example, for the Cortex-A57x4-A53x4 Base FVP, 3556 the ``<SimName>`` reported by the FVP is ``FVP_Base_Cortex_A57x4_A53x4``, while 3557 DS-5 expects it to be ``FVP_Base_A57x4_A53x4``. 3558 3559 The temporary fix to this problem is to change the name of the FVP in 3560 ``sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml``. 
3561 Change the following line: 3562 3563 :: 3564 3565 <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName> 3566 3567 to 3568 System Generator:FVP_Base_Cortex-A57x4_A53x4 3569 3570 A similar change can be made to the other Cortex-A57-A53 Base FVP variants. 3571 3572Version 0.4 3573----------- 3574 3575New features 3576^^^^^^^^^^^^ 3577 3578- Makefile improvements: 3579 3580 - Improved dependency checking when building. 3581 3582 - Removed ``dump`` target (build now always produces dump files). 3583 3584 - Enabled platform ports to optionally make use of parts of the Trusted 3585 Firmware (e.g. BL3-1 only), rather than being forced to use all parts. 3586 Also made the ``fip`` target optional. 3587 3588 - Specified the full path to source files and removed use of the ``vpath`` 3589 keyword. 3590 3591- Provided translation table library code for potential re-use by platforms 3592 other than the FVPs. 3593 3594- Moved architectural timer setup to platform-specific code. 3595 3596- Added standby state support to PSCI cpu_suspend implementation. 3597 3598- SRAM usage improvements: 3599 3600 - Started using the ``-ffunction-sections``, ``-fdata-sections`` and 3601 ``--gc-sections`` compiler/linker options to remove unused code and data 3602 from the images. Previously, all common functions were being built into 3603 all binary images, whether or not they were actually used. 3604 3605 - Placed all assembler functions in their own section to allow more unused 3606 functions to be removed from images. 3607 3608 - Updated BL1 and BL2 to use a single coherent stack each, rather than one 3609 per CPU. 3610 3611 - Changed variables that were unnecessarily declared and initialized as 3612 non-const (i.e. in the .data section) so they are either uninitialized 3613 (zero init) or const. 3614 3615- Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by 3616 default. The option for it to run in Trusted DRAM remains. 
3617 3618- Implemented a TrustZone Address Space Controller (TZC-400) driver. A 3619 default configuration is provided for the Base FVPs. This means the model 3620 parameter ``-C bp.secure_memory=1`` is now supported. 3621 3622- Started saving the PSCI cpu_suspend 'power_state' parameter prior to 3623 suspending a CPU. This allows platforms that implement multiple power-down 3624 states at the same affinity level to identify a specific state. 3625 3626- Refactored the entire codebase to reduce the amount of nesting in header 3627 files and to make the use of system/user includes more consistent. Also 3628 split platform.h to separate out the platform porting declarations from the 3629 required platform porting definitions and the definitions/declarations 3630 specific to the platform port. 3631 3632- Optimized the data cache clean/invalidate operations. 3633 3634- Improved the BL3-1 unhandled exception handling and reporting. Unhandled 3635 exceptions now result in a dump of registers to the console. 3636 3637- Major rework to the handover interface between BL stages, in particular the 3638 interface to BL3-1. The interface now conforms to a specification and is 3639 more future proof. 3640 3641- Added support for optionally making the BL3-1 entrypoint a reset handler 3642 (instead of BL1). This allows platforms with an alternative image loading 3643 architecture to re-use BL3-1 with fewer modifications to generic code. 3644 3645- Reserved some DDR DRAM for secure use on FVP platforms to avoid future 3646 compatibility problems with non-secure software. 3647 3648- Added support for secure interrupts targeting the Secure-EL1 Payload (SP) 3649 (using GICv2 routing only). Demonstrated this working by adding an interrupt 3650 target and supporting test code to the TSP. Also demonstrated non-secure 3651 interrupt handling during TSP processing. 
3652 3653Issues resolved since last release 3654^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 3655 3656- Now support use of the model parameter ``-C bp.secure_memory=1`` in the Base 3657 FVPs (see **New features**). 3658 3659- Support for secure world interrupt handling now available (see **New 3660 features**). 3661 3662- Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1 3663 Payload (BL3-2) to execute in Trusted SRAM by default. 3664 3665- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded 3666 14.04) now correctly reports progress in the console. 3667 3668- Improved the Makefile structure to make it easier to separate out parts of 3669 the TF-A for re-use in platform ports. Also, improved target dependency 3670 checking. 3671 3672Known issues 3673^^^^^^^^^^^^ 3674 3675- GICv3 support is experimental. The Linux kernel patches to support this are 3676 not widely available. There are known issues with GICv3 initialization in 3677 the TF-A. 3678 3679- Dynamic image loading is not available yet. The current image loader 3680 implementation (used to load BL2 and all subsequent images) has some 3681 limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead 3682 to loading errors, even if the images should theoretically fit in memory. 3683 3684- TF-A still uses too much on-chip Trusted SRAM. A number of RAM usage 3685 enhancements have been identified to rectify this situation. 3686 3687- CPU idle does not work on the advertised version of the Foundation FVP. 3688 Some FVP fixes are required that are not available externally at the time 3689 of writing. This can be worked around by disabling CPU idle in the Linux 3690 kernel. 3691 3692- Various bugs in TF-A, UEFI and the Linux kernel have been observed when 3693 using Linaro toolchain versions later than 13.11. Although most of these 3694 have been fixed, some remain at the time of writing. 
These mainly seem to 3695 relate to a subtle change in the way the compiler converts between 64-bit 3696 and 32-bit values (e.g. during casting operations), which reveals 3697 previously hidden bugs in client code. 3698 3699- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and 3700 its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. 3701 3702Version 0.3 3703----------- 3704 3705New features 3706^^^^^^^^^^^^ 3707 3708- Support for Foundation FVP Version 2.0 added. 3709 The documented UEFI configuration disables some devices that are unavailable 3710 in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can 3711 be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation 3712 FVP. 3713 3714 .. note:: 3715 The software will not work on Version 1.0 of the Foundation FVP. 3716 3717- Enabled third party contributions. Added a new contributing.md containing 3718 instructions for how to contribute and updated copyright text in all files 3719 to acknowledge contributors. 3720 3721- The PSCI CPU_SUSPEND API has been stabilised to the extent where it can be 3722 used for entry into power down states with the following restrictions: 3723 3724 - Entry into standby states is not supported. 3725 - The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs. 3726 3727- The PSCI AFFINITY_INFO api has undergone limited testing on the Base FVPs to 3728 allow experimental use. 3729 3730- Required C library and runtime header files are now included locally in 3731 TF-A instead of depending on the toolchain standard include paths. The 3732 local implementation has been cleaned up and reduced in scope. 3733 3734- Added I/O abstraction framework, primarily to allow generic code to load 3735 images in a platform-independent way. The existing image loading code has 3736 been reworked to use the new framework. Semi-hosting and NOR flash I/O 3737 drivers are provided. 
3738 3739- Introduced Firmware Image Package (FIP) handling code and tools. A FIP 3740 combines multiple firmware images with a Table of Contents (ToC) into a 3741 single binary image. The new FIP driver is another type of I/O driver. The 3742 Makefile builds a FIP by default and the FVP platform code expect to load a 3743 FIP from NOR flash, although some support for image loading using semi- 3744 hosting is retained. 3745 3746 .. note:: 3747 Building a FIP by default is a non-backwards-compatible change. 3748 3749 .. note:: 3750 Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into 3751 DRAM instead of expecting this to be pre-loaded at known location. This is 3752 also a non-backwards-compatible change. 3753 3754 .. note:: 3755 Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that 3756 it knows the new location to execute from and no longer needs to copy 3757 particular code modules to DRAM itself. 3758 3759- Reworked BL2 to BL3-1 handover interface. A new composite structure 3760 (bl31_args) holds the superset of information that needs to be passed from 3761 BL2 to BL3-1, including information on how handover execution control to 3762 BL3-2 (if present) and BL3-3 (non-trusted firmware). 3763 3764- Added library support for CPU context management, allowing the saving and 3765 restoring of 3766 3767 - Shared system registers between Secure-EL1 and EL1. 3768 - VFP registers. 3769 - Essential EL3 system registers. 3770 3771- Added a framework for implementing EL3 runtime services. Reworked the PSCI 3772 implementation to be one such runtime service. 3773 3774- Reworked the exception handling logic, making use of both SP_EL0 and SP_EL3 3775 stack pointers for determining the type of exception, managing general 3776 purpose and system register context on exception entry/exit, and handling 3777 SMCs. SMCs are directed to the correct EL3 runtime service. 
3778 3779- Added support for a Test Secure-EL1 Payload (TSP) and a corresponding 3780 Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD 3781 implements Secure Monitor functionality such as world switching and 3782 EL1 context management, and is responsible for communication with the TSP. 3783 3784 .. note:: 3785 The TSPD does not yet contain support for secure world interrupts. 3786 .. note:: 3787 The TSP/TSPD is not built by default. 3788 3789Issues resolved since last release 3790^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 3791 3792- Support has been added for switching context between secure and normal 3793 worlds in EL3. 3794 3795- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` have now been tested (to 3796 a limited extent). 3797 3798- The TF-A build artifacts are now placed in the ``./build`` directory and 3799 sub-directories instead of being placed in the root of the project. 3800 3801- TF-A is now free from build warnings. Build warnings are now treated as 3802 errors. 3803 3804- TF-A now provides C library support locally within the project to maintain 3805 compatibility between toolchains/systems. 3806 3807- The PSCI locking code has been reworked so it no longer takes locks in an 3808 incorrect sequence. 3809 3810- The RAM-disk method of loading a Linux file-system has been confirmed to 3811 work with the TF-A and Linux kernel version (based on version 3.13) used 3812 in this release, for both Foundation and Base FVPs. 3813 3814Known issues 3815^^^^^^^^^^^^ 3816 3817The following is a list of issues which are expected to be fixed in the future 3818releases of TF-A. 3819 3820- The TrustZone Address Space Controller (TZC-400) is not being programmed 3821 yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported. 3822 3823- No support yet for secure world interrupt handling. 3824 3825- GICv3 support is experimental. The Linux kernel patches to support this are 3826 not widely available. 
There are known issues with GICv3 initialization in 3827 TF-A. 3828 3829- Dynamic image loading is not available yet. The current image loader 3830 implementation (used to load BL2 and all subsequent images) has some 3831 limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead 3832 to loading errors, even if the images should theoretically fit in memory. 3833 3834- TF-A uses too much on-chip Trusted SRAM. Currently the Test Secure-EL1 3835 Payload (BL3-2) executes in Trusted DRAM since there is not enough SRAM. 3836 A number of RAM usage enhancements have been identified to rectify this 3837 situation. 3838 3839- CPU idle does not work on the advertised version of the Foundation FVP. 3840 Some FVP fixes are required that are not available externally at the time 3841 of writing. 3842 3843- Various bugs in TF-A, UEFI and the Linux kernel have been observed when 3844 using Linaro toolchain versions later than 13.11. Although most of these 3845 have been fixed, some remain at the time of writing. These mainly seem to 3846 relate to a subtle change in the way the compiler converts between 64-bit 3847 and 32-bit values (e.g. during casting operations), which reveals 3848 previously hidden bugs in client code. 3849 3850- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded 3851 14.01) does not report progress correctly in the console. It only seems to 3852 produce error output, not standard output. It otherwise appears to function 3853 correctly. Other filesystem versions on the same software stack do not 3854 exhibit the problem. 3855 3856- The Makefile structure doesn't make it easy to separate out parts of the 3857 TF-A for re-use in platform ports, for example if only BL3-1 is required in 3858 a platform port. Also, dependency checking in the Makefile is flawed. 3859 3860- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and 3861 its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. 
3862 3863Version 0.2 3864----------- 3865 3866New features 3867^^^^^^^^^^^^ 3868 3869- First source release. 3870 3871- Code for the PSCI suspend feature is supplied, although this is not enabled 3872 by default since there are known issues (see below). 3873 3874Issues resolved since last release 3875^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 3876 3877- The "psci" nodes in the FDTs provided in this release now fully comply 3878 with the recommendations made in the PSCI specification. 3879 3880Known issues 3881^^^^^^^^^^^^ 3882 3883The following is a list of issues which are expected to be fixed in the future 3884releases of TF-A. 3885 3886- The TrustZone Address Space Controller (TZC-400) is not being programmed 3887 yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported. 3888 3889- No support yet for secure world interrupt handling or for switching context 3890 between secure and normal worlds in EL3. 3891 3892- GICv3 support is experimental. The Linux kernel patches to support this are 3893 not widely available. There are known issues with GICv3 initialization in 3894 TF-A. 3895 3896- Dynamic image loading is not available yet. The current image loader 3897 implementation (used to load BL2 and all subsequent images) has some 3898 limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead 3899 to loading errors, even if the images should theoretically fit in memory. 3900 3901- Although support for PSCI ``CPU_SUSPEND`` is present, it is not yet stable 3902 and ready for use. 3903 3904- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` are implemented but have 3905 not been tested. 3906 3907- The TF-A make files result in all build artifacts being placed in the root 3908 of the project. These should be placed in appropriate sub-directories. 3909 3910- The compilation of TF-A is not free from compilation warnings. Some of these 3911 warnings have not been investigated yet so they could mask real bugs. 
3912 3913- TF-A currently uses toolchain/system include files like stdio.h. It should 3914 provide versions of these within the project to maintain compatibility 3915 between toolchains/systems. 3916 3917- The PSCI code takes some locks in an incorrect sequence. This may cause 3918 problems with suspend and hotplug in certain conditions. 3919 3920- The Linux kernel used in this release is based on version 3.12-rc4. Using 3921 this kernel with the TF-A fails to start the file-system as a RAM-disk. It 3922 fails to execute user-space ``init`` from the RAM-disk. As an alternative, 3923 the VirtioBlock mechanism can be used to provide a file-system to the 3924 kernel. 3925 3926-------------- 3927 3928*Copyright (c) 2013-2020, Arm Limited and Contributors. All rights reserved.* 3929 3930.. _SDEI Specification: http://infocenter.arm.com/help/topic/com.arm.doc.den0054a/ARM_DEN0054A_Software_Delegated_Exception_Interface.pdf 3931.. _tf-issue#501: https://github.com/ARM-software/tf-issues/issues/501 3932.. _PR#1002: https://github.com/ARM-software/arm-trusted-firmware/pull/1002#issuecomment-312650193 3933.. _mbed TLS releases: https://tls.mbed.org/tech-updates/releases 3934