Change Log & Release Notes
==========================

This document contains a summary of the new features, changes, fixes and known
issues in each release of Trusted Firmware-A.

Version 2.5
-----------

New Features
^^^^^^^^^^^^

- Architecture support
   - Added support for speculation barrier (``FEAT_SB``) for non-Armv8.5
     platforms starting from Armv8.0
   - Added support for Activity Monitors Extension version 1.1 (``FEAT_AMUv1p1``)
   - Added helper functions for Random number generator (``FEAT_RNG``) registers
   - Added support for Armv8.6 Multi-threaded PMU extensions (``FEAT_MTPMU``)
   - Added support for MTE Asymmetric Fault Handling extensions (``FEAT_MTE3``)
   - Added support for Privileged Access Never extensions (``FEAT_PANx``)

- Bootloader images
   - Added PIE support for AArch32 builds
   - Enable Trusted Random Number Generator service for BL32 (sp_min)

- Build System
   - Added build option for Arm Feature Modifiers

- Drivers
   - Added support for interrupts in TZC-400 driver

   - Broadcom
      - Added support for I2C, MDIO and USB drivers

   - Marvell
      - Added support for secure read/write of dfc register-set
      - Added support for thermal sensor driver
      - Implement a3700_core_getc API in console driver
      - Added rx training on 10G port

   - Marvell Mochi
      - Added support for cn913x in PCIe mode

   - Marvell Armada A8K
      - Added support for TRNG-IP-76 driver and accessing RNG register

   - Mediatek MT8192
      - Added support for following drivers
         - MPU configuration for SCP/PCIe
         - SPM suspend
         - Vcore DVFS
         - LPM
         - PTP3
         - UART save and restore
         - Power-off
         - PMIC
         - CPU hotplug and MCDI support
         - SPMC
         - MPU

   - Mediatek MT8195
      - Added support for following drivers
         - GPIO, NCDI, SPMC drivers
         - Power-off
         - CPU hotplug, reboot and MCDI
         - Delay timer and sys timer
         - GIC

   - NXP
      - Added support for
         - non-volatile storage API
         - chain of trust and trusted board boot using two modes: MBEDTLS and CSF
         - fip-handler necessary for DDR initialization
         - SMMU and console drivers
         - crypto hardware accelerator driver
         - following drivers: SD, EMMC, QSPI, FLEXSPI, GPIO, GIC, CSU, PMU, DDR
         - NXP Security Monitor and SFP driver
         - interconnect config APIs using ARM CCN-CCI driver
         - TZC APIs to configure DDR region
         - generic timer driver
         - Device configuration driver

   - IMX
      - Added support for image loading and io-storage driver for TBBR fip booting

   - Renesas
      - Added support for PFC and EMMC driver

   - RZ Family:
      - G2N, G2E and G2H SoCs
         - Added support for watchdog, QoS, PFC and DRAM initialization

   - RZG Family:
      - G2M
         - Added support for QoS and DRAM initialization

   - Xilinx
      - Added JTAG DCC support for Versal and ZynqMP SoC family.

- Libraries
   - C standard library
      - Added support to print ``%`` in ``snprintf()`` and ``printf()`` APIs
      - Added support for strtoull, strtoll, strtoul, strtol APIs from FreeBSD project

   - CPU support
      - Added support for
         - Cortex_A78C CPU
         - Makalu ELP CPU
         - Makalu CPU
         - Matterhorn CPU
         - Neoverse-N2 CPU

   - CPU Errata
      - Arm Cortex-A76: Added workaround for erratum 1946160

      - Arm Cortex-A77: Added workaround for erratum 1946167

      - Arm Cortex-A78: Added workaround for erratum 1941498 and 1951500

      - Arm Neoverse-N1: Added workaround for erratum 1946160

   - Flattened device tree (libfdt)
      - Added support for wrapper function to read UUIDs in string format from dtb

- Platforms
   - Added support for MediaTek MT8195
   - Added support for Arm RD-N2 board

   - Allwinner
      - Added support for H616 SoC

   - Arm
      - Added support for GPT parser
      - Protect GICR frames for fused/unused cores

   - Arm Morello
      - Added VirtIO network device to Morello FVP fdts

   - Arm RD-N2
      - Added support for variant 1 of RD-N2 platform
      - Enable AMU support

   - Arm RD-V1
      - Enable AMU support

   - Arm SGI
      - Added support for platform variant build option

   - Arm TC0
      - Added Matterhorn ELP CPU support
      - Added support for opteed

   - Arm Juno
      - Added support to use hw_config in BL31
      - Use TRNG entropy source for SMCCC TRNG interface
      - Condition Juno entropy source with CRC instructions

   - Marvell Mochi
      - Added support for detection of secure mode

   - Marvell ARMADA
      - Added support for new compile option A3720_DB_PM_WAKEUP_SRC
      - Added support for doing system reset via CM3 secure coprocessor
      - Made several makefile enhancements required to build WTMI_MULTI_IMG and TIMDDRTOOL
      - Added support for building DOIMAGETOOL tool
      - Added new target mrvl_bootimage

   - Mediatek MT8192
      - Added support for rtc power off sequence

   - Mediatek MT8195
      - Added support for SiP service

   - STM32MP1
      - Added support for
         - Seeed ODYSSEY SoM and board
         - SDMMC2 and I2C2 pins in pinctrl
         - I2C2 peripheral in DTS
         - PIE for BL32
         - TZC-400 interrupt management
         - Linux Automation MC-1 board

   - Renesas RZG
      - Added support for identifying EK874 RZ/G2E board
      - Added support for identifying HopeRun HiHope RZ/G2H and RZ/G2H boards

   - Rockchip
      - Added support for stack protector

   - QEMU
      - Added support for ``max`` CPU
      - Added Cortex-A72 support to ``virt`` platform
      - Enabled trigger reboot from secure pl061

   - QEMU SBSA
      - Added support for sbsa-ref Embedded Controller

   - NXP
      - Added support for warm reset to retain ddr content
      - Added support for image loader necessary for loading fip image

      - lx2160a SoC Family
         - Added support for
            - new platform lx2160a-aqds
            - new platform lx2160a-rdb
            - new platform lx2162a-aqds
            - errata handling

   - IMX imx8mm
      - Added support for trusted board boot

   - TI K3
      - Added support for lite device board
      - Enabled Cortex-A72 erratum 1319367
      - Enabled Cortex-A53 erratum 1530924

   - Xilinx ZynqMP
      - Added support for PS and system reset on WDT restart
      - Added support for error management
      - Enable support for log messages necessary for debug
      - Added support for PM API SMC call for efuse and register access

- Processes
   - Introduced process for platform deprecation
   - Added documentation for TF-A threat model
   - Provided a copy of the MIT license to comply with the license
     requirements of the arm-gic.h source file (originating from the Linux
     kernel project and re-distributed in TF-A).

- Services
   - Added support for TRNG firmware interface service

   - Arm
      - Added SiP service to configure Ethos-N NPU

   - SPMC
      - Added documentation for SPM (Hafnium) SMMUv3 driver

   - SPMD
      - Added support for
         - FFA_INTERRUPT forwarding ABI
         - FFA_SECONDARY_EP_REGISTER ABI
         - FF-A v1.0 boot time power management, SPMC secondary core boot and
           early run-time power management

- Tools

   - FIPTool
      - Added mechanism to allow platform specific image UUID

   - git hooks
      - Added support for conventional commits through commitlint hook,
        commitizen hook and husky configuration files.

   - NXP tool
      - Added support for a tool that creates pbl file from BL2

   - Renesas RZ/G2
      - Added tool support for creating bootparam and cert_header images

   - CertCreate
      - Added support for platform-defined certificates, keys, and extensions using
        the platform's makefile

   - shared tools
      - Added EFI_GUID representation to uuid helper data structure

Changed
^^^^^^^

- Common components
   - Print newline after hex address in aarch64 el3_panic function
   - Use proper ``#address-cells`` and ``#size-cells`` for reserved-memory in dtbs

- Drivers

   - Move SCMI driver from ST platform directory and make it common to all platforms

   - Arm GICv3
      - Shift eSPI register offset in GICD_OFFSET_64()
      - Use mpidr to probe GICR for current CPU

   - Arm TZC-400
      - Adjust filter tag if it is set to FILTER_BIT_ALL

   - Cadence
      - Enhance UART driver APIs to put characters to fifo

   - Mediatek MT8192
      - Move timer driver to common folder
      - Enhanced sys_cirq driver to add more IC services

   - Renesas
      - Move ddr and delay driver to common directory

   - Renesas rcar
      - Treat log as device memory in console driver

   - Renesas RZ Family:
      - G2N and G2H SoCs
         - Select MMC_CH1 for eMMC channel

   - Marvell
      - Added support for checking if TRNG unit is present

   - Marvell A3K
      - Set TXDCLK_2X_SEL bit during PCIe initialization
      - Set mask parameter for every reg_set call

   - Marvell Mochi
      - Added missing stream IDs configurations

   - MbedTLS
      - Migrated to Mbed TLS v2.26.0

   - IMX imx8mp
      - Change the bl31 physical load address

   - QEMU SBSA
      - Enable secure variable storage

   - SCMI
      - Update power domain protocol version to 2.0

   - STM32
      - Remove dead code from nand FMC driver

- Libraries
   - C Standard Library
      - Use macros to reduce duplicated code between snprintf and printf

   - CPU support
      - Sanity check pointers before use in AArch32 builds

      - Arm Cortex-A78
         - Remove Rainier CPU workaround for erratum 1542319

      - Arm Makalu ELP
         - Added "_arm" suffix to Makalu ELP CPU lib


- Miscellaneous
   - Editorconfig
      - Set max line length to 100

- Platforms
   - Allwinner
      - Added reserved-memory node to DT
      - Express memmap more dynamically
      - Move SEPARATE_NOBITS_REGION to platforms
      - Limit FDT checks to reduce code size
      - Use CPUIDLE hardware when available
      - Allow conditional compilation of SCPI and native PSCI ops
      - Always use a 3MHz RSB bus clock
      - Enable workaround for Cortex-A53 erratum 1530924
      - Fixed non-default PRELOADED_BL33_BASE
      - Leave CPU power alone during BL31 setup
      - Added several psci hooks enhancements to improve system shutdown/reset
        sequence
      - Return the PMIC to I2C mode after use
      - Separate code to power off self and other CPUs
      - Split native and SCPI-based PSCI implementations

   - Allwinner H6
      - Added R_PRCM security setup for H6 board
      - Added SPC security setup for H6 board
      - Use RSB for the PMIC connection on H6

   - Arm
      - Store UUID as a string, rather than ints
      - Replace FIP base and size macro with a generic name
      - Move compile time switch from source to dt file
      - Don't provide NT_FW_CONFIG when booting hafnium
      - Do not setup 'disabled' regulator
      - Increase SP max size
      - Remove false dependency of ARM_LINUX_KERNEL_AS_BL33 on RESET_TO_BL31
        and allow it to be enabled independently

   - Arm FVP
      - Do not map GIC region in BL1 and BL2

   - Arm Juno
      - Refactor juno_getentropy() to return 64 bits on each call

   - Arm Morello
      - Remove "virtio-rng" from Morello FVP
      - Enable virtIO P9 device for Morello fvp

   - Arm RDV1
      - Allow all PSCI callbacks on RD-V1
      - Rename rddaniel to rdv1

   - Arm RDV1MC
      - Rename rddanielxlr to rdv1mc
      - Initialize TZC-400 controllers

   - Arm TC0
      - Updated GICR base address
      - Use scmi_dvfs clock index 1 for cores 4-7 through fdt
      - Added reserved-memory node for OP-TEE fdts
      - Enabled Theodul DSU in TC platform
      - OP-TEE as S-EL1 SP with SPMC at S-EL2
      - Update Matterhorn ELP DVFS clock index

   - Arm SGI
      - Allow access to TZC controller on all chips
      - Define memory regions for multi-chip platforms
      - Allow access to nor2 flash and system registers from S-EL0
      - Define default list of memory regions for DMC-620 TZC
      - Improve macros defining cper buffer memory region
      - Refactor DMC-620 error handling SMC function id
      - Refactor SDEI specific macros
      - Added platform id value for RDN2 platform
      - Refactored header file inclusions and inclusion of memory mapping

   - Arm RDN2
      - Allow usage of secure partitions on RDN2 platform
      - Update GIC redistributor and TZC base address

   - Arm SGM775
      - Deprecate Arm sgm775 FVP platform

   - Marvell
      - Increase TX FIFO EMPTY timeout from 2ms to 3ms
      - Update delay code to be compatible with 1200 MHz CPU

   - Marvell ARMADA
      - Postpone MSS CPU startup to BL31 stage
      - Allow builds without MSS support
      - Use MSS SRAM in secure mode
      - Added missing FORCE, .PHONY and clean targets
      - Cleanup MSS SRAM if used for copy
      - Move definition of mrvl_flash target to common marvell_common.mk file
      - Show informative build messages and blank lines

   - Marvell ARMADA A3K
      - Added a new target mrvl_uart which builds UART image
      - Added checks that WTP, MV_DDR_PATH and CRYPTOPP_PATH are correctly defined
      - Allow use of the system Crypto++ library
      - Build $(WTMI_ENC_IMG) in $(BUILD_PLAT) directory
      - Build intermediate files in $(BUILD_PLAT) directory
      - Build UART image files directly in $(BUILD_UART) subdirectory
      - Correctly set DDR_TOPOLOGY and CLOCKSPRESET for WTMI
      - Do not use 'echo -e' in Makefile
      - Improve 4GB DRAM usage from 3.375 GB to 3.75 GB
      - Remove unused variable WTMI_SYSINIT_IMG from Makefile
      - Simplify check if WTP variable is defined
      - Split building $(WTMI_MULTI_IMG) and $(TIMDDRTOOL)

   - Marvell ARMADA A8K
      - Allow CP1/CP2 mapping at BLE stage

   - Mediatek MT8183
      - Added timer V20 compensation

   - Nvidia Tegra
      - Rename SMC API

   - TI K3
      - Make plat_get_syscnt_freq2 helper check CNT_FID0 register
      - Fill non-message data fields in sec_proxy with 0x0
      - Update ti_sci_msg_req_reboot ABI to include domain
      - Enable USE_COHERENT_MEM only for the generic board
      - Explicitly map SEC_SRAM_BASE to 0x0
      - Use BL31_SIZE instead of computing
      - Define the correct number of max table entries and increase SRAM size
        to account for additional table

   - Raspberry Pi4
      - Switch to gicv2.mk and GICV2_SOURCES

   - Renesas
      - Move headers and assembly files to common folder

   - Renesas rzg
      - Added device tree memory node enhancements

   - Rockchip
      - Switch to using common gicv3.mk

   - STM32MP1
      - Set BL sizes regardless of flags

   - QEMU
      - Include gicv2.mk for compiling GICv2 source files
      - Change DEVICE2 definition for MMU
      - Added helper to calculate the position shift from MPIDR

   - QEMU SBSA
      - Include libraries for Cortex-A72
      - Increase SHARED_RAM_SIZE
      - Added support in spm_mm for up to 512 cores
      - Added support for topology handling

   - QTI
      - Mandate SMC implementation

   - Xilinx
      - Rename the IPI CRC checksum macro
      - Use fno-jump-tables flag in CPPFLAGS

   - Xilinx versal
      - Added the IPI CRC checksum macro support
      - Mark IPI calls secure/non-secure
      - Enable SGI to communicate with Linux using IPI
      - Remove Cortex-A53 compilation

   - Xilinx ZynqMP
      - Configure counter frequency during initialization
      - Filter errors related to clock gate permissions
      - Implement pinctrl request/release EEMI API
      - Reimplement pinctrl get/set config parameter EEMI API calls
      - Reimplement pinctrl set/get function EEMI API
      - Update error codes to match Linux and PMU Firmware
      - Update PM version and support PM version check
      - Update return type in query functions
      - Added missing ids for 43/46/47dr devices
      - Checked for DLL status before doing reset
      - Disable ITAPDLYENA bit for zero ITAP delay
      - Include GICv2 makefile
      - Remove the custom crash implementation

- Services

   - SPMD
      - Lock the g_spmd_pm structure
      - Declare third cactus instance as UP SP
      - Provide number of vCPUs and VM size for first SP
      - Remove ``chosen`` node from SPMC manifests
      - Move OP-TEE SP manifest DTS to FVP platform
      - Update OP-TEE SP manifest with device-regions node
      - Remove device-memory node from SPMC manifests

   - SPM_MM
      - Use sp_boot_info to set SP context

   - SDEI
      - Update the affinity of shared event

- Tools
   - FIPtool
      - Do not print duplicate verbose lines about building fiptool

   - CertCreate
      - Updated tool for platform defined certs, keys & extensions
      - Create only requested certificates
      - Avoid duplicates in extension stack

Resolved Issues
^^^^^^^^^^^^^^^
- Several fixes for typos and mis-spellings in documentation

- Build system
   - Fixed ${FIP_NAME} to be rebuilt only when needed in Makefile
   - Do not mark file targets as .PHONY target in Makefile

- Drivers
   - Authorization
      - Avoid NV counter upgrade without certificate validation

   - Arm GICv3
      - Fixed logical issue for num_eints
      - Limit SPI ID to avoid misjudgement in GICD_OFFSET()
      - Fixed potential GICD context override with ESPI enabled

   - Marvell A3700
      - Fixed configuring polarity invert bits

   - Arm TZC-400
      - Correct FAIL_CONTROL Privileged bit
      - Fixed logical error in FILTER_BIT definitions

   - Renesas rcar
      - Fixed several coding style violations reported by checkpatch

- Libraries
   - Arch helpers
      - Fixed assertions in processing dynamic relocations for AArch64 builds

   - C standard library
      - Fixed MISRA issues in memset() ABI

   - RAS
      - Fixed bug of binary search in RAS interrupt handler

- Platforms

   - Arm
      - Fixed missing copyrights in arm-gic.h file
      - Fixed the order of header files in several dts files
      - Fixed error message printing in board makefile
      - Fixed bug of overriding the last node in image load helper API
      - Fixed stdout-path in fdts files of TC0 and N1SDP platforms
      - Turn ON/OFF redistributor in sync with GIC CPU interface ON/OFF for css platforms

   - Arm FVP
      - Fixed Generic Timer interrupt types in platform dts files

   - Arm Juno
      - Fixed parallel build issue for romlib config

   - Arm SGI
      - Fixed bug in SDEI receive event of RAS handler

   - Intel Agilex
      - Fixed PLAT_MAX_PWR_LVL value

   - Marvell
      - Fixed SPD handling in dram port

   - Marvell ARMADA
      - Fixed TRNG return SMC handling
      - Fixed the logic used for LD selector mask
      - Fixed MSS firmware loader for A8K family

   - ST
      - Fixed a few violations reported by Coverity static checks

   - STM32MP1
      - Fixed SELFREF_TO_X32 mask in ddr driver
      - Do not keep mmc_device_info in stack
      - Correct plat_crash_console_flush()

   - QEMU SBSA
      - Fixed memory type of secure NOR flash

   - QTI
      - Fixed NUM_APID and REG_APID_MAP() argument in SPMI driver

   - Intel
      - Do not keep mmc_device_info in stack

   - Hisilicon
      - Do not keep mmc_device_info in stack


- Services

   - EL3 runtime
      - Fixed the EL2 context save/restore routine by removing EL2 generic
        timer system registers
      - Added fix for exception handler in BL31 by synchronizing pending EA
        using DSB barrier

   - SPMD
      - Fixed error codes to use int32_t type

   - TSPD
      - Added bug fix in tspd interrupt handling when TSP_NS_INTR_ASYNC_PREEMPT is enabled

   - TRNG
      - Fixed compilation errors with -O0 compile option

   - DebugFS
      - Checked channel index before calling clone function

   - PSCI
      - Fixed limit of 256 CPUs caused by cast to unsigned char

   - TSP
      - Fixed compilation errors when built with GCC 11.0.0 toolchain

- Tools
   - FIPtool
      - Do not call ``make clean`` for ``all`` target

   - CertCreate
      - Fixed bug to avoid cleaning when building the binary
      - Used preallocated parts of the HASH struct to avoid leaking HASH struct fields
      - Free arguments copied with strdup
      - Free keys after use
      - Free X509_EXTENSION structures on stack to avoid leaking them
      - Optimized the code to avoid unnecessary attempts to create non-requested
        certificates

Version 2.4
-----------

New Features
^^^^^^^^^^^^

- Architecture support
   - Armv8.6-A
      - Added support for Armv8.6 Enhanced Counter Virtualization (ECV)
      - Added support for Armv8.6 Fine Grained Traps (FGT)
      - Added support for Armv8.6 WFE trap delays

- Bootloader images
   - Added support for Measured Boot

- Build System
   - Added build option ``COT_DESC_IN_DTB`` to create Chain of Trust at runtime
   - Added build option ``OPENSSL_DIR`` to direct tools to OpenSSL libraries
   - Added build option ``RAS_TRAP_LOWER_EL_ERR_ACCESS`` to enable trapping RAS
     register accesses from EL1/EL2 to EL3
   - Extended build option ``BRANCH_PROTECTION`` to support branch target
     identification

- Common components
   - Added support for exporting CPU nodes to the device tree
   - Added support for single and dual-root Chains of Trust in secure
     partitions

- Drivers
   - Added Broadcom RNG driver
   - Added Marvell ``mg_conf_cm3`` driver
   - Added System Control and Management Interface (SCMI) driver
   - Added STMicroelectronics ETZPC driver

   - Arm GICv3
      - Added support for detecting topology at runtime

   - Dual Root
      - Added support for platform certificates

   - Marvell Cache LLC
      - Added support for mapping the entire LLC into SRAM

   - Marvell CCU
      - Added workaround for erratum 3033912

   - Marvell CP110 COMPHY
      - Added support for SATA COMPHY polarity inversion
      - Added support for USB COMPHY polarity inversion
      - Added workaround for erratum IPCE_COMPHY-1353

   - STM32MP1 Clocks
      - Added ``RTC`` as a gateable clock
      - Added support for shifted clock selector bit masks
      - Added support for using additional clocks as parents

- Libraries
   - C standard library
      - Added support for hexadecimal and pointer format specifiers in
        ``snprintf()``
      - Added assembly alternatives for various library functions

   - CPU support
      - Arm Cortex-A53
         - Added workaround for erratum 1530924

      - Arm Cortex-A55
         - Added workaround for erratum 1530923

      - Arm Cortex-A57
         - Added workaround for erratum 1319537

      - Arm Cortex-A76
         - Added workaround for erratum 1165522
         - Added workaround for erratum 1791580
         - Added workaround for erratum 1868343

      - Arm Cortex-A72
         - Added workaround for erratum 1319367

      - Arm Cortex-A77
         - Added workaround for erratum 1508412
         - Added workaround for erratum 1800714
         - Added workaround for erratum 1925769

      - Arm Neoverse-N1
         - Added workaround for erratum 1868343

   - EL3 Runtime
      - Added support for saving/restoring registers related to nested
        virtualization in EL2 context switches if the architecture supports it

   - FCONF
      - Added support for Measured Boot
      - Added support for populating Chain of Trust properties
      - Added support for loading the ``fw_config`` image

   - Measured Boot
      - Added support for event logging

- Platforms
   - Added support for Arm Morello
   - Added support for Arm TC0
   - Added support for iEi PUZZLE-M801
   - Added support for Marvell OCTEON TX2 T9130
   - Added support for MediaTek MT8192
   - Added support for NXP i.MX 8M Nano
   - Added support for NXP i.MX 8M Plus
   - Added support for QTI CHIP SC7180
   - Added support for STM32MP151F
   - Added support for STM32MP153F
   - Added support for STM32MP157F
   - Added support for STM32MP151D
   - Added support for STM32MP153D
   - Added support for STM32MP157D

   - Arm
      - Added support for platform-owned SPs
      - Added support for resetting to BL31

   - Arm FPGA
      - Added support for Klein
      - Added support for Matterhorn
      - Added support for additional CPU clusters

   - Arm FVP
      - Added support for performing SDEI platform setup at runtime
      - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command
      - Added an ``id`` field under the NV-counter node in the device tree to
        differentiate between trusted and non-trusted NV-counters
      - Added support for extracting the clock frequency from the timer node
        in the device tree

   - Arm Juno
      - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command

   - Arm N1SDP
      - Added support for cross-chip PCI-e

   - Marvell
      - Added support for AVS reduction

   - Marvell ARMADA
      - Added support for twin-die combined memory device

   - Marvell ARMADA A8K
      - Added support for DDR with 32-bit bus width (both ECC and non-ECC)

   - Marvell AP806
      - Added workaround for erratum FE-4265711

   - Marvell AP807
      - Added workaround for erratum 3033912

   - Nvidia Tegra
      - Added debug printouts indicating SC7 entry sequence completion
      - Added support for SDEI
      - Added support for stack protection
      - Added support for GICv3
      - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command

   - Nvidia Tegra194
      - Added support for RAS exception handling
      - Added support for SPM

   - NXP i.MX
      - Added support for SDEI

   - QEMU SBSA
      - Added support for the Secure Partition Manager

   - QTI
      - Added RNG driver
      - Added SPMI PMIC arbitrator driver
      - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command

   - STM32MP1
      - Added support for exposing peripheral interfaces to the non-secure
        world at runtime
      - Added support for SCMI clock and reset services
      - Added support for STM32MP15x CPU revision Z
      - Added support for SMCCC services in ``SP_MIN``

- Services
   - Secure Payload Dispatcher
      - Added a provision to allow clients to retrieve the service UUID

   - SPMC
      - Added secondary core endpoint information to the SPMC context
        structure

   - SPMD
      - Added support for booting OP-TEE as a guest S-EL1 Secure Partition on
        top of Hafnium in S-EL2
      - Added a provision for handling SPMC messages to register secondary
        core entry points
      - Added support for power management operations

- Tools
   - CertCreate
      - Added support for secure partitions

   - CertTool
      - Added support for the ``fw_config`` image

   - FIPTool
      - Added support for the ``fw_config`` image

Changed
^^^^^^^

- Architecture support

- Bootloader images

- Build System
   - The top-level Makefile now supports building FipTool on Windows
   - The default value of ``KEY_SIZE`` has been changed to 2048 when RSA is
     in use
   - The previously-deprecated macro ``__ASSEMBLY__`` has now been removed

- Common components
   - Certain functions that flush the console will no longer return error
     information

- Drivers
   - Arm GIC
      - Usage of ``drivers/arm/gic/common/gic_common.c`` has now been
        deprecated in favour of ``drivers/arm/gic/vX/gicvX.mk``
      - Added support for detecting the presence of a GIC600-AE
      - Added support for detecting the presence of a GIC-Clayton

   - Marvell MCI
      - Now performs link tuning for all MCI interfaces to improve performance

   - Marvell MoChi
      - PIDI masters are no longer forced into a non-secure access level when
        ``LLC_SRAM`` is enabled
      - The SD/MMC controllers are now accessible from guest virtual machines

   - Mbed TLS
      - Migrated to Mbed TLS v2.24.0

   - STM32 FMC2 NAND
      - Adjusted FMC node bindings to include an EBI controller node

   - STM32 Reset
      - Added an optional timeout argument to assertion functions

   - STM32MP1 Clocks
      - Enabled several additional system clocks during initialization

- Libraries
   - C Standard Library
      - Improved ``memset`` performance by avoiding single-byte writes
      - Added optimized assembly variants of ``memset``

   - CPU support
      - Renamed Cortex-Hercules to Cortex-A78
      - Renamed Cortex-Hercules AE to Cortex-A78 AE
      - Renamed Neoverse Zeus to Neoverse V1

   - Coreboot
      - Updated ``coreboot_get_memory_type`` API to take an extra argument as a
        'memory size' that used to return a valid memory type.

   - libfdt
      - Updated to latest upstream version

- Platforms
   - Allwinner
      - Disabled non-secure access to PRCM power control registers

   - Arm
      - ``BL32_BASE`` is now platform-dependent when ``SPD_spmd`` is enabled
      - Added support for loading the Chain of Trust from the device tree
      - The firmware update check is now executed only once
      - NV-counter base addresses are now loaded from the device tree when
        ``COT_DESC_IN_DTB`` is enabled
      - Now loads and populates ``fw_config`` and ``tb_fw_config``
      - FCONF population now occurs after caches have been enabled in order
        to reduce boot times

   - Arm Corstone-700
      - Platform support has been split into both an FVP and an FPGA variant

   - Arm FPGA
      - DTB and BL33 load addresses have been given sensible default values
      - Now reads generic timer counter frequency, GICD and GICR base
        addresses, and UART address from DT
      - Now treats the primary PL011 UART as an SBSA Generic UART

   - Arm FVP
      - Secure interrupt descriptions, UART parameters, clock frequencies and
        GICv3 parameters are now queried through FCONF
      - UART parameters are now queried through the device tree
      - Added an owner field to Cactus secure partitions
      - Increased the maximum size of BL2 when the Chain of Trust is loaded
        from the device tree
      - Reduced the maximum size of BL31
      - The ``FVP_USE_SP804_TIMER`` and ``FVP_VE_USE_SP804_TIMER`` build
        options have been removed in favour of a common ``USE_SP804_TIMER``
        option
      - Added a third Cactus partition to manifests
      - Device tree nodes now store UUIDs in big-endian

   - Arm Juno
      - Increased the maximum size of BL2 when optimizations have not been
        applied
      - Reduced the maximum size of BL31 and BL32

   - Marvell AP807
      - Enabled snoop filters

   - Marvell ARMADA A3K
      - UART recovery images are now suffixed with ``.bin``

   - Marvell ARMADA A8K
      - Option ``BL31_CACHE_DISABLE`` is now disabled (``0``) by default

   - Nvidia Tegra
      - Added VPR resize supported check when processing video memory resize
        requests
      - Added SMMU verification to prevent potential issues caused by
        undetected corruption of the SMMU configuration during boot
      - The GIC CPU interface is now properly disabled after CPU off
      - The GICv2 sources list and the ``BL31_SIZE`` definition have been made
        platform-specific
      - The SPE driver will no longer flush the console when writing
        individual characters

   - Nvidia Tegra194
      - TZDRAM setup has been moved to platform-specific early boot handlers
      - Increased verbosity of debug prints for RAS SErrors
      - Support for powering down CPUs during CPU suspend has been removed
      - Now verifies firewall settings before using resources

   - TI K3
      - The UART number has been made configurable through ``K3_USART``

   - Rockchip RK3368
      - The maximum number of memory map regions has been increased to 20

   - Socionext Uniphier
      - The maximum size of BL33 has been increased to support larger
        bootloaders

   - STM32
      - Removed platform-specific DT functions in favour of using existing
        generic alternatives

   - STM32MP1
      - Increased verbosity of exception reports in debug builds
      - Device trees have been updated to align with the Linux kernel
      - Now uses the ETZPC driver to configure secure-aware interfaces for
        assignment to the non-secure world
      - Finished good variants have been added to the board identifier
        enumerations
      - Non-secure access to clocks and reset domains now depends on their
        state of registration
      - NEON is now disabled in ``SP_MIN``
      - The last page of ``SYSRAM`` is now used as SCMI shared memory
      - Checks to verify platform compatibility have been added to verify that
        an image is compatible with the chip ID of the running platform

   - QEMU SBSA
      - Removed support for Arm's Cortex-A53

- Services
   - Renamed SPCI to FF-A

   - SPMD
      - No longer forwards requests to the non-secure world when retrieving
        partition information
      - SPMC manifest size is now retrieved directly from SPMD instead of the
        device tree
      - The FF-A version handler now returns SPMD's version when the origin
        of the call is secure, and SPMC's version when the origin of the call
        is non-secure

   - SPMC
      - Updated the manifest to declare CPU nodes in descending order as per
        the SPM (Hafnium) multicore requirement
      - Updated the device tree to mark 2GB as device memory for the first
        partition excluding trusted DRAM region (which is reserved for SPMC)
      - Increased the number of EC contexts to the maximum number of PEs as
        per the FF-A specification

- Tools
   - FIPTool
      - Now returns ``0`` on ``help`` and ``help <command>``

   - Marvell DoImage
      - Updated Mbed TLS support to v2.8

   - SPTool
      - Now appends CertTool arguments

Resolved Issues
^^^^^^^^^^^^^^^

- Bootloader images
   - Fixed compilation errors for dual-root Chains of Trust caused by symbol
     collision

   - BL31
      - Fixed compilation errors on platforms with fewer than 4 cores caused
        by initialization code exceeding the end of the stacks
      - Fixed compilation errors when building a position-independent image

- Build System
   - Fixed invalid empty version strings
   - Fixed compilation errors on Windows caused by a non-portable architecture
     revision comparison

- Drivers
   - Arm GIC
      - Fixed spurious interrupts caused by a missing barrier

   - STM32 Flexible Memory Controller 2 (FMC2) NAND driver
      - Fixed runtime instability caused by incorrect error detection logic

   - STM32MP1 Clock driver
      - Fixed incorrectly-formatted log messages
      - Fixed runtime instability caused by improper clock gating procedures

   - STMicroelectronics Raw NAND driver
      - Fixed runtime instability caused by incorrect unit conversion when
        waiting for NAND readiness

- Libraries
   - AMU
      - Fixed timeout errors caused by excess error logging

   - EL3 Runtime
      - Fixed runtime instability caused by improper register save/restore
        routine in EL2

   - FCONF
      - Fixed failure to initialize GICv3 caused by overly-strict device tree
        requirements

   - Measured Boot
      - Fixed driver errors caused by a missing default value for the
        ``HASH_ALG`` build option

   - SPE
      - Fixed feature detection check that prevented CPUs supporting SVE from
        detecting support for SPE in the non-secure world

   - Translation Tables
      - Fixed various MISRA-C 2012 static analysis violations

- Platforms
   - Allwinner A64
      - Fixed USB issues on certain battery-powered devices caused by
        improperly activated USB power rail

   - Arm
      - Fixed compilation errors caused by increase in BL2 size
      - Fixed compilation errors caused by missing Makefile dependencies to
        generated files when building the FIP
      - Fixed MISRA-C 2012 static analysis violations caused by unused
        structures in include directives intended to be feature-gated

   - Arm FPGA
      - Fixed initialization issues caused by incorrect MPIDR topology mapping
        logic

   - Arm RD-N1-edge
      - Fixed compilation errors caused by mismatched parentheses in Makefile

   - Arm SGI
      - Fixed crashes due to the flash memory used for cold reboot attack
        protection not being mapped

   - Intel Agilex
      - Fixed initialization issues caused by several compounding bugs

   - Marvell
      - Fixed compilation warnings caused by multiple Makefile inclusions

   - Marvell ARMADA A3K
      - Fixed boot issue
706 - Added Marvell ``mg_conf_cm3`` driver 707 - Added System Control and Management Interface (SCMI) driver 708 - Added STMicroelectronics ETZPC driver 709 710 - Arm GICv3 711 - Added support for detecting topology at runtime 712 713 - Dual Root 714 - Added support for platform certificates 715 716 - Marvell Cache LLC 717 - Added support for mapping the entire LLC into SRAM 718 719 - Marvell CCU 720 - Added workaround for erratum 3033912 721 722 - Marvell CP110 COMPHY 723 - Added support for SATA COMPHY polarity inversion 724 - Added support for USB COMPHY polarity inversion 725 - Added workaround for erratum IPCE_COMPHY-1353 726 727 - STM32MP1 Clocks 728 - Added ``RTC`` as a gateable clock 729 - Added support for shifted clock selector bit masks 730 - Added support for using additional clocks as parents 731 732- Libraries 733 - C standard library 734 - Added support for hexadecimal and pointer format specifiers in 735 ``snprint()`` 736 - Added assembly alternatives for various library functions 737 738 - CPU support 739 - Arm Cortex-A53 740 - Added workaround for erratum 1530924 741 742 - Arm Cortex-A55 743 - Added workaround for erratum 1530923 744 745 - Arm Cortex-A57 746 - Added workaround for erratum 1319537 747 748 - Arm Cortex-A76 749 - Added workaround for erratum 1165522 750 - Added workaround for erratum 1791580 751 - Added workaround for erratum 1868343 752 753 - Arm Cortex-A72 754 - Added workaround for erratum 1319367 755 756 - Arm Cortex-A77 757 - Added workaround for erratum 1508412 758 - Added workaround for erratum 1800714 759 - Added workaround for erratum 1925769 760 761 - Arm Neoverse-N1 762 - Added workaround for erratum 1868343 763 764 - EL3 Runtime 765 - Added support for saving/restoring registers related to nested 766 virtualization in EL2 context switches if the architecture supports it 767 768 - FCONF 769 - Added support for Measured Boot 770 - Added support for populating Chain of Trust properties 771 - Added support for loading the 
``fw_config`` image 772 773 - Measured Boot 774 - Added support for event logging 775 776- Platforms 777 - Added support for Arm Morello 778 - Added support for Arm TC0 779 - Added support for iEi PUZZLE-M801 780 - Added support for Marvell OCTEON TX2 T9130 781 - Added support for MediaTek MT8192 782 - Added support for NXP i.MX 8M Nano 783 - Added support for NXP i.MX 8M Plus 784 - Added support for QTI CHIP SC7180 785 - Added support for STM32MP151F 786 - Added support for STM32MP153F 787 - Added support for STM32MP157F 788 - Added support for STM32MP151D 789 - Added support for STM32MP153D 790 - Added support for STM32MP157D 791 792 - Arm 793 - Added support for platform-owned SPs 794 - Added support for resetting to BL31 795 796 - Arm FPGA 797 - Added support for Klein 798 - Added support for Matterhorn 799 - Added support for additional CPU clusters 800 801 - Arm FVP 802 - Added support for performing SDEI platform setup at runtime 803 - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command 804 - Added an ``id`` field under the NV-counter node in the device tree to 805 differentiate between trusted and non-trusted NV-counters 806 - Added support for extracting the clock frequency from the timer node 807 in the device tree 808 809 - Arm Juno 810 - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command 811 812 - Arm N1SDP 813 - Added support for cross-chip PCI-e 814 815 - Marvell 816 - Added support for AVS reduction 817 818 - Marvell ARMADA 819 - Added support for twin-die combined memory device 820 821 - Marvell ARMADA A8K 822 - Added support for DDR with 32-bit bus width (both ECC and non-ECC) 823 824 - Marvell AP806 825 - Added workaround for erratum FE-4265711 826 827 - Marvell AP807 828 - Added workaround for erratum 3033912 829 830 - Nvidia Tegra 831 - Added debug printouts indicating SC7 entry sequence completion 832 - Added support for SDEI 833 - Added support for stack protection 834 - Added support for GICv3 835 - Added support for SMCCC's 
``SMCCC_ARCH_SOC_ID`` command 836 837 - Nvidia Tegra194 838 - Added support for RAS exception handling 839 - Added support for SPM 840 841 - NXP i.MX 842 - Added support for SDEI 843 844 - QEMU SBSA 845 - Added support for the Secure Partition Manager 846 847 - QTI 848 - Added RNG driver 849 - Added SPMI PMIC arbitrator driver 850 - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command 851 852 - STM32MP1 853 - Added support for exposing peripheral interfaces to the non-secure 854 world at runtime 855 - Added support for SCMI clock and reset services 856 - Added support for STM32MP15x CPU revision Z 857 - Added support for SMCCC services in ``SP_MIN`` 858 859- Services 860 - Secure Payload Dispatcher 861 - Added a provision to allow clients to retrieve the service UUID 862 863 - SPMC 864 - Added secondary core endpoint information to the SPMC context 865 structure 866 867 - SPMD 868 - Added support for booting OP-TEE as a guest S-EL1 Secure Partition on 869 top of Hafnium in S-EL2 870 - Added a provision for handling SPMC messages to register secondary 871 core entry points 872 - Added support for power management operations 873 874- Tools 875 - CertCreate 876 - Added support for secure partitions 877 878 - CertTool 879 - Added support for the ``fw_config`` image 880 881 - FIPTool 882 - Added support for the ``fw_config`` image 883 884Changed 885^^^^^^^ 886 887- Architecture support 888 889- Bootloader images 890 891- Build System 892 - The top-level Makefile now supports building FipTool on Windows 893 - The default value of ``KEY_SIZE`` has been changed to to 2048 when RSA is 894 in use 895 - The previously-deprecated macro ``__ASSEMBLY__`` has now been removed 896 897- Common components 898 - Certain functions that flush the console will no longer return error 899 information 900 901- Drivers 902 - Arm GIC 903 - Usage of ``drivers/arm/gic/common/gic_common.c`` has now been 904 deprecated in favour of ``drivers/arm/gic/vX/gicvX.mk`` 905 - Added support for 
detecting the presence of a GIC600-AE 906 - Added support for detecting the presence of a GIC-Clayton 907 908 - Marvell MCI 909 - Now performs link tuning for all MCI interfaces to improve performance 910 911 - Marvell MoChi 912 - PIDI masters are no longer forced into a non-secure access level when 913 ``LLC_SRAM`` is enabled 914 - The SD/MMC controllers are now accessible from guest virtual machines 915 916 - Mbed TLS 917 - Migrated to Mbed TLS v2.24.0 918 919 - STM32 FMC2 NAND 920 - Adjusted FMC node bindings to include an EBI controller node 921 922 - STM32 Reset 923 - Added an optional timeout argument to assertion functions 924 925 - STM32MP1 Clocks 926 - Enabled several additional system clocks during initialization 927 928- Libraries 929 - C Standard Library 930 - Improved ``memset`` performance by avoiding single-byte writes 931 - Added optimized assembly variants of ``memset`` 932 933 - CPU support 934 - Renamed Cortex-Hercules to Cortex-A78 935 - Renamed Cortex-Hercules AE to Cortex-A78 AE 936 - Renamed Neoverse Zeus to Neoverse V1 937 938 - Coreboot 939 - Updated ‘coreboot_get_memory_type’ API to take an extra argument as a 940 ’memory size’ that used to return a valid memory type. 
    - libfdt
        - Updated to latest upstream version

- Platforms
    - Allwinner
        - Disabled non-secure access to PRCM power control registers

    - Arm
        - ``BL32_BASE`` is now platform-dependent when ``SPD_spmd`` is enabled
        - Added support for loading the Chain of Trust from the device tree
        - The firmware update check is now executed only once
        - NV-counter base addresses are now loaded from the device tree when
          ``COT_DESC_IN_DTB`` is enabled
        - Now loads and populates ``fw_config`` and ``tb_fw_config``
        - FCONF population now occurs after caches have been enabled in order
          to reduce boot times

    - Arm Corstone-700
        - Platform support has been split into both an FVP and an FPGA variant

    - Arm FPGA
        - DTB and BL33 load addresses have been given sensible default values
        - Now reads generic timer counter frequency, GICD and GICR base
          addresses, and UART address from DT
        - Now treats the primary PL011 UART as an SBSA Generic UART

    - Arm FVP
        - Secure interrupt descriptions, UART parameters, clock frequencies and
          GICv3 parameters are now queried through FCONF
        - UART parameters are now queried through the device tree
        - Added an owner field to Cactus secure partitions
        - Increased the maximum size of BL2 when the Chain of Trust is loaded
          from the device tree
        - Reduced the maximum size of BL31
        - The ``FVP_USE_SP804_TIMER`` and ``FVP_VE_USE_SP804_TIMER`` build
          options have been removed in favour of a common ``USE_SP804_TIMER``
          option
        - Added a third Cactus partition to manifests
        - Device tree nodes now store UUIDs in big-endian

    - Arm Juno
        - Increased the maximum size of BL2 when optimizations have not been
          applied
        - Reduced the maximum size of BL31 and BL32

    - Marvell AP807
        - Enabled snoop filters

    - Marvell ARMADA A3K
        - UART recovery images are now suffixed with ``.bin``

    - Marvell ARMADA A8K
        - Option ``BL31_CACHE_DISABLE`` is now disabled (``0``) by default

    - Nvidia Tegra
        - Added VPR resize supported check when processing video memory resize
          requests
        - Added SMMU verification to prevent potential issues caused by
          undetected corruption of the SMMU configuration during boot
        - The GIC CPU interface is now properly disabled after CPU off
        - The GICv2 sources list and the ``BL31_SIZE`` definition have been made
          platform-specific
        - The SPE driver will no longer flush the console when writing
          individual characters

    - Nvidia Tegra194
        - TZDRAM setup has been moved to platform-specific early boot handlers
        - Increased verbosity of debug prints for RAS SErrors
        - Support for powering down CPUs during CPU suspend has been removed
        - Now verifies firewall settings before using resources

    - TI K3
        - The UART number has been made configurable through ``K3_USART``

    - Rockchip RK3368
        - The maximum number of memory map regions has been increased to 20

    - Socionext Uniphier
        - The maximum size of BL33 has been increased to support larger
          bootloaders

    - STM32
        - Removed platform-specific DT functions in favour of using existing
          generic alternatives

    - STM32MP1
        - Increased verbosity of exception reports in debug builds
        - Device trees have been updated to align with the Linux kernel
        - Now uses the ETZPC driver to configure secure-aware interfaces for
          assignment to the non-secure world
        - Finished good variants have been added to the board identifier
          enumerations
        - Non-secure access to clocks and reset domains now depends on their
          state of registration
        - NEON is now disabled in ``SP_MIN``
        - The last page of ``SYSRAM`` is now used as SCMI shared memory
        - Checks to verify platform compatibility have been added to verify that
          an image is compatible with the chip ID of the running platform

    - QEMU SBSA
        - Removed support for Arm's Cortex-A53

- Services
    - Renamed SPCI to FF-A

    - SPMD
        - No longer forwards requests to the non-secure world when retrieving
          partition information
        - SPMC manifest size is now retrieved directly from SPMD instead of the
          device tree
        - The FF-A version handler now returns SPMD's version when the origin
          of the call is secure, and SPMC's version when the origin of the call
          is non-secure

    - SPMC
        - Updated the manifest to declare CPU nodes in descending order as per
          the SPM (Hafnium) multicore requirement
        - Updated the device tree to mark 2GB as device memory for the first
          partition excluding trusted DRAM region (which is reserved for SPMC)
        - Increased the number of EC contexts to the maximum number of PEs as
          per the FF-A specification

- Tools
    - FIPTool
        - Now returns ``0`` on ``help`` and ``help <command>``

    - Marvell DoImage
        - Updated Mbed TLS support to v2.8

    - SPTool
        - Now appends CertTool arguments

Resolved Issues
^^^^^^^^^^^^^^^

- Bootloader images
    - Fixed compilation errors for dual-root Chains of Trust caused by symbol
      collision

    - BL31
        - Fixed compilation errors on platforms with fewer than 4 cores caused
          by initialization code exceeding the end of the stacks
        - Fixed compilation errors when building a position-independent image

- Build System
    - Fixed invalid empty version strings
    - Fixed compilation errors on Windows caused by a non-portable architecture
      revision comparison

- Drivers
    - Arm GIC
        - Fixed spurious interrupts caused by a missing barrier

    - STM32 Flexible Memory Controller 2 (FMC2) NAND driver
        - Fixed runtime instability caused by incorrect error detection logic

    - STM32MP1 Clock driver
        - Fixed incorrectly-formatted log messages
        - Fixed runtime instability caused by improper clock gating procedures

    - STMicroelectronics Raw NAND driver
        - Fixed runtime instability caused by incorrect unit conversion when
          waiting for NAND readiness

- Libraries
    - AMU
        - Fixed timeout errors caused by excess error logging

    - EL3 Runtime
        - Fixed runtime instability caused by improper register save/restore
          routine in EL2

    - FCONF
        - Fixed failure to initialize GICv3 caused by overly-strict device tree
          requirements

    - Measured Boot
        - Fixed driver errors caused by a missing default value for the
          ``HASH_ALG`` build option

    - SPE
        - Fixed feature detection check that prevented CPUs supporting SVE from
          detecting support for SPE in the non-secure world

    - Translation Tables
        - Fixed various MISRA-C 2012 static analysis violations

- Platforms
    - Allwinner A64
        - Fixed USB issues on certain battery-powered devices caused by an
          improperly activated USB power rail

    - Arm
        - Fixed compilation errors caused by increase in BL2 size
        - Fixed compilation errors caused by missing Makefile dependencies to
          generated files when building the FIP
        - Fixed MISRA-C 2012 static analysis violations caused by unused
          structures in include directives intended to be feature-gated

    - Arm FPGA
        - Fixed initialization issues caused by incorrect MPIDR topology mapping
          logic

    - Arm RD-N1-edge
        - Fixed compilation errors caused by mismatched parentheses in Makefile

    - Arm SGI
        - Fixed crashes due to the flash memory used for cold reboot attack
          protection not being mapped

    - Intel Agilex
        - Fixed initialization issues caused by several compounding bugs

    - Marvell
        - Fixed compilation warnings caused by multiple Makefile inclusions

    - Marvell ARMADA A3K
        - Fixed boot issue in debug builds caused by checks on the BL33 load
          address that are not appropriate for this platform

    - Nvidia Tegra
        - Fixed incorrect delay timer reads
        - Fixed spurious interrupts in the non-secure world during cold boot
          caused by the arbitration bit in the memory controller not being
          cleared
        - Fixed faulty video memory resize sequence

    - Nvidia Tegra194
        - Fixed incorrect alignment of TZDRAM base address

    - NXP iMX8M
        - Fixed CPU hot-plug issues caused by race condition

    - STM32MP1
        - Fixed compilation errors in highly-parallel builds caused by incorrect
          Makefile dependencies

    - STM32MP157C-ED1
        - Fixed initialization issues caused by missing device tree hash node

    - Raspberry Pi 3
        - Fixed compilation errors caused by incorrect dependency ordering in
          Makefile

    - Rockchip
        - Fixed initialization issues caused by non-critical errors when parsing
          FDT being treated as critical

    - Rockchip RK3368
        - Fixed runtime instability caused by incorrect CPUID shift value

    - QEMU
        - Fixed compilation errors caused by incorrect dependency ordering in
          Makefile

    - QEMU SBSA
        - Fixed initialization issues caused by FDT exceeding reserved memory
          size

    - QTI
        - Fixed compilation errors caused by inclusion of a non-existent file

- Services
    - FF-A (previously SPCI)
        - Fixed SPMD aborts caused by incorrect behaviour when the manifest is
          page-aligned

- Tools
    - Fixed compilation issues when compiling tools from within their respective
      directories

    - FIPTool
        - Fixed command line parsing issues on Windows when using arguments
          whose names also happen to be a subset of another's

    - Marvell DoImage
        - Fixed PKCS signature verification errors at boot on some platforms
          caused by generation of misaligned images

Known Issues
^^^^^^^^^^^^

- Platforms
    - NVIDIA Tegra
        - Signed comparison compiler warnings occurring in libfdt are currently
          being worked around by disabling the warning for the platform until
          the underlying issue is resolved in libfdt

Version 2.3
-----------

New Features
^^^^^^^^^^^^

- Arm Architecture
    - Add support for Armv8.4-SecEL2 extension through the SPCI defined SPMD/SPMC
      components.

    - Build option to support EL2 context save and restore in the secure world
      (CTX_INCLUDE_EL2_REGS).

    - Add support for SMCCC v1.2 (introducing the new SMCCC_ARCH_SOC_ID SMC).
      Note that the support is compliant, but the SVE registers save/restore will
      be done as part of future S-EL2/SPM development.

- BL-specific
    - Enhanced BL2 bootloader flow to load secure partitions based on firmware
      configuration data (fconf).

    - Changes necessary to support SEPARATE_NOBITS_REGION feature

    - TSP and BL2_AT_EL3: Add Position Independent Execution ``PIE`` support

- Build System
    - Add support for documentation build as a target in Makefile

    - Add ``COT`` build option to select the Chain of Trust to use when the
      Trusted Boot feature is enabled (default: ``tbbr``).

    - Added creation and injection of secure partition packages into the FIP.

    - Build option to support SPMC component loading and run at S-EL1
      or S-EL2 (SPMD_SPM_AT_SEL2).

    - Enable MTE support

    - Enable Link Time Optimization in GCC

    - Enable -Wredundant-decls warning check

    - Makefile: Add support to optionally encrypt BL31 and BL32

    - Add support to pass the nt_fw_config DTB to OP-TEE.
    - Introduce per-BL ``CPPFLAGS``, ``ASFLAGS``, and ``LDFLAGS``

    - build_macros: Add CREATE_SEQ function to generate sequence of numbers

- CPU Support
    - cortex-a57: Enable higher performance non-cacheable load forwarding

    - Hercules: Workaround for erratum 1688305

    - Klein: Support added for Klein CPU

    - Matterhorn: Support added for Matterhorn CPU

- Drivers
    - auth: Add ``calc_hash`` function for hash calculation. Used for
      authentication of images when measured boot is enabled.

    - cryptocell: Add authenticated decryption framework, and support
      for CryptoCell-713 and CryptoCell-712 RSA 3K

    - gic600: Add support for multichip configuration and Clayton
    - gicv3: Introduce makefile, add extended PPI and SPI range,
      add support for probing multiple GIC Redistributor frames
    - gicv4: Add GICv4 extension for GIC driver

    - io: Add an IO abstraction layer to load encrypted firmwares

    - mhu: Derive doorbell base address

    - mtd: Add SPI-NOR, SPI-NAND, SPI-MEM, and raw NAND framework

    - scmi: Allow use of multiple SCMI channels

    - scu: Add a driver for snoop control unit

- Libraries
    - coreboot: Add memory range parsing and use generic base address

    - compiler_rt: Import popcountdi2.c and popcountsi2.c files,
      aeabi_ldivmode.S file and dependencies

    - debugFS: Add DebugFS functionality

    - el3_runtime: Add support for enabling S-EL2

    - fconf: Add Firmware Configuration Framework (fconf) (experimental).

    - libc: Add memrchr function

    - locks: bakery: Use is_dcache_enabled() helper and add a DMB to
      the 'read_cache_op' macro

    - psci: Add support to enable different personalities of the same SoC.
    - xlat_tables_v2: Add support to pass shareability attribute for
      normal memory region, use get_current_el_maybe_constant() in
      is_dcache_enabled(), read-only xlat tables for BL31 memory, and
      add enable_mmu()

- New Platforms Support
    - arm/arm_fpga: New platform support added for FPGA

    - arm/rddaniel: New platform support added for rd-daniel platform

    - brcm/stingray: New platform support added for Broadcom stingray platform

    - nvidia/tegra194: New platform support for Nvidia Tegra194 platform

- Platforms
    - allwinner: Implement PSCI system suspend using SCPI, add a msgbox
      driver for use with SCPI, and reserve and map space for the SCP firmware
    - allwinner: axp: Add AXP805 support
    - allwinner: power: Add DLDO4 power rail

    - amlogic: axg: Add a build flag when using ATOS as BL32 and support for
      the A113D (AXG) platform

    - arm/a5ds: Add ethernet node and L2 cache node in devicetree

    - arm/common: Add support for the new `dualroot` chain of trust
    - arm/common: Add support for SEPARATE_NOBITS_REGION
    - arm/common: Re-enable PIE when RESET_TO_BL31=1
    - arm/common: Allow boards to specify second DRAM Base address
      and to define PLAT_ARM_TZC_FILTERS

    - arm/corstone700: Add support for mhuv2 and stack protector

    - arm/fvp: Add support for fconf in BL31 and SP_MIN. Populate power
      domain descriptor dynamically by leveraging fconf APIs.
    - arm/fvp: Add Cactus/Ivy Secure Partition information and use two
      instances of Cactus at S-EL1
    - arm/fvp: Add support to run BL32 in TDRAM and BL31 in secure DRAM
    - arm/fvp: Add support for GICv4 extension and BL2 hash calculation in BL1

    - arm/n1sdp: Setup multichip gic routing table, update platform macros
      for dual-chip setup, introduce platform information SDS region, add
      support to update presence of External LLC, and enable the
      NEOVERSE_N1_EXTERNAL_LLC flag

    - arm/rdn1edge: Add support for dual-chip configuration and use
      CREATE_SEQ helper macro to compare chip count

    - arm/sgm: Always use SCMI for SGM platforms
    - arm/sgm775: Add support for dynamic config using fconf

    - arm/sgi: Add multi-chip mode parameter in HW_CONFIG dts, macros for
      remote chip device region, chip_id and multi_chip_mode to platform
      variant info, and introduce number of chips macro

    - brcm: Add BL2 and BL31 support common across Broadcom platforms
    - brcm: Add iproc SPI Nor flash support, spi driver, emmc driver,
      and support to retrieve plat_toc_flags

    - hisilicon: hikey960: Enable system power off callback

    - intel: Enable bridge access, SiP SMC secure register access, and uboot
      entrypoint support
    - intel: Implement platform specific system reset 2
    - intel: Introduce mailbox response length handling

    - imx: console: Use CONSOLE_T_BASE for UART base address and generic console_t
      data structure
    - imx8mm: Provide uart base as build option and add the support for opteed spd
      on imx8mq/imx8mm
    - imx8qx: Provide debug uart num as build param
    - imx8qm: Apply clk/pinmux configuration for DEBUG_CONSOLE and provide debug
      uart num as build param

    - marvell: a8k: Implement platform specific power off and add support
      for loading MG CM3 images

    - mediatek: mt8183: Add Vmodem/Vcore DVS init level

    - qemu: Support optional encryption of BL31 and BL32 images
      and ARM_LINUX_KERNEL_AS_BL33 to pass FDT address
    - qemu: Define ARMV7_SUPPORTS_VFP
    - qemu: Implement PSCI_CPU_OFF and qemu_system_off via semihosting

    - renesas: rcar_gen3: Add new board revision for M3ULCB

    - rockchip: Enable workaround for erratum 855873, claim a macro to enable
      hdcp feature for DP, enable power domains of rk3399 before reset, add
      support for UART3 as serial output, and initialize reset and poweroff
      GPIOs with known invalid value

    - rpi: Implement PSCI CPU_OFF, use MMIO accessor, autodetect Mini-UART
      vs. PL011 configuration, and allow using PL011 UART for RPi3/RPi4
    - rpi3: Include GPIO driver in all BL stages and use same "clock-less"
      setup scheme as RPi4
    - rpi3/4: Add support for offlining CPUs

    - st: stm32mp1: platform.mk: Support generating multiple images in one build,
      migrate to implicit rules, derive map file name from target name, generate
      linker script with fixed name, and use PHONY for the appropriate targets
    - st: stm32mp1: Add support for SPI-NOR, raw NAND, and SPI-NAND boot device,
      QSPI, FMC2 driver
    - st: stm32mp1: Use stm32mp_get_ddr_ns_size() function, set XN attribute for
      some areas in BL2, dynamically map DDR later and non-cacheable during its
      test, add a function to get non-secure DDR size, add DT helper for reg by
      name, and add compilation flags for boot devices

    - socionext: uniphier: Turn on ENABLE_PIE

    - ti: k3: Add PIE support

    - xilinx: versal: Add set wakeup source, client wakeup, query data, request
      wakeup, PM_INIT_FINALIZE, PM_GET_TRUSTZONE_VERSION, PM IOCTL, support for
      suspend related, and Get_ChipID APIs
    - xilinx: versal: Implement power down/restart related EEMI, SMC handler for
      EEMI, PLL related PM, clock related PM, pin control related PM, reset related
      PM, and device related PM APIs
    - xilinx: versal: Enable ipi mailbox service
    - xilinx: versal: Add get_api_version support and support to send PM API to PMC
      using IPI
    - xilinx: zynqmp: Add checksum support for IPI data, GET_CALLBACK_DATA
      function, support to query max divisor, CLK_SET_RATE_PARENT in gem clock
      node, support for custom type flags, LPD WDT clock to the pm_clock structure,
      idcodes for new RFSoC silicons ZU48DR and ZU49DR, and id for new RFSoC device
      ZU39DR

- Security
    - Use Speculation Barrier instruction for v8.5+ cores

    - Add support for optional firmware encryption feature (experimental).

    - Introduce a new `dualroot` chain of trust.

    - aarch64: Prevent speculative execution past ERET
    - aarch32: Stop speculative execution past exception returns.

- SPCI
    - Introduced the Secure Partition Manager Dispatcher (SPMD) component as a
      new standard service.

- Tools
    - cert_create: Introduce CoT build option and TBBR CoT makefile,
      and define the dualroot CoT

    - encrypt_fw: Add firmware authenticated encryption tool

    - memory: Add show_memory script that prints a representation
      of the memory layout for the latest build

Changed
^^^^^^^

- Arm Architecture
    - PIE: Make call to GDT relocation fixup generalized

- BL-Specific
    - Increase maximum size of BL2 image

    - BL31: Discard .dynsym .dynstr .hash sections to make ENABLE_PIE work
    - BL31: Split into two separate memory regions

    - Unify BL linker scripts and reduce code duplication.
- Build System
    - Changes to drive cert_create for dualroot CoT

    - Enable -Wlogical-op always

    - Enable -Wshadow always

    - Refactor the warning flags

    - PIE: Pass PIE options only to BL31

    - Reduce space lost to object alignment

    - Set lld as the default linker for Clang builds

    - Remove -Wunused-const-variable and -Wpadded warning

    - Remove -Wmissing-declarations warning from WARNING1 level

- Drivers
    - authentication: Necessary fix in drivers to upgrade to mbedtls-2.18.0

    - console: Integrate UART base address in generic console_t

    - gicv3: Change API for GICR_IPRIORITYR accessors and separate
      GICD and GICR accessor functions

    - io: Change seek offset to signed long long and panic in case
      of io setup failure

    - smmu: SMMUv3: Changed retry loop to delay timer

    - tbbr: Reduce size of hash and ECDSA key buffers when possible

- Library Code
    - libc: Consolidate the size_t, unified, and NULL definitions,
      and unify intmax_t and uintmax_t on AArch32/64

    - ROMLIB: Optimize memory layout when ROMLIB is used

    - xlat_tables_v2: Use ARRAY_SIZE in REGISTER_XLAT_CONTEXT_FULL_SPEC,
      merge REGISTER_XLAT_CONTEXT_{FULL_SPEC,RO_BASE_TABLE},
      and simplify end address checks in mmap_add_region_check()

- Platforms
    - allwinner: Adjust SRAM A2 base to include the ARISC vectors, clean up MMU
      setup, reenable USE_COHERENT_MEM, remove unused include path, move the
      NOBITS region to SRAM A1, convert AXP803 regulator setup code into a driver,
      enable clock before resetting I2C/RSB
    - allwinner: h6: power: Switch to using the AXP driver
    - allwinner: a64: power: Use fdt_for_each_subnode, remove obsolete register
      check, remove duplicate DT check, and make sunxi_turn_off_soc static
    - allwinner: Build PMIC bus drivers only in BL31, clean up PMIC-related error
      handling, and synchronize PMIC enumerations

    - arm/a5ds: Change boot address to point to DDR address

    - arm/common: Check for out-of-bound accesses in the platform io policies

    - arm/corstone700: Update the kernel arguments to support initramfs,
      use fdts DDR memory and XIP rootfs, and set UART clocks to 32MHz

    - arm/fvp: Modify multithreaded dts file of DynamIQ FVPs, slightly bump
      the stack size for bl1 and bl2, remove re-definition of topology related
      build options, stop reclaiming init code with Clang builds, and map only
      the needed DRAM region statically in BL31/SP_MIN

    - arm/juno: Maximize space allocated to SCP_BL2

    - arm/sgi: Bump bl1 RW limit, mark remote chip shared ram as non-cacheable,
      move GIC related constants to board files, include AFF3 affinity in core
      position calculation, move bl31_platform_setup to board file, and move
      topology information to board folder

    - common: Refactor load_auth_image_internal().
    - hisilicon: Remove uefi-tools in hikey and hikey960 documentation

    - intel: Modify non secure access function, BL31 address mapping, mailbox's
      get_config_status, and stratix10 BL31 parameter handling
    - intel: Remove un-needed checks for qspi driver r/w and s10 unused source code
    - intel: Change all global sip functions to static
    - intel: Refactor common platform code
    - intel: Create SiP service header file

    - marvell: armada: scp_bl2: Allow loading up to 8 images
    - marvell: comphy-a3700: Support SGMII COMPHY power off and fix USB3
      powering on when on lane 2
    - marvell: Consolidate console register calls

    - mediatek: mt8183: Protect 4GB~8GB dram memory, refine GIC driver for
      low power scenarios, and switch PLL/CLKSQ/ck_off/axi_26m control to SPM

    - qemu: Update flash address map to keep FIP in secure FLASH0

    - renesas: rcar_gen3: Update IPL and Secure Monitor Rev.2.0.6, update DDR
      setting for H3, M3, M3N, change fixed destination address of BL31 and BL32,
      add missing #{address,size}-cells into generated DT, pass DT to OpTee OS,
      and move DDR drivers out of staging

    - rockchip: Make miniloader ddr_parameter handling optional, cleanup securing
      of ddr regions, move secure init to separate file, use base+size for secure
      ddr regions, bring TZRAM_SIZE values in line, and prevent macro expansion
      in paths

    - rpi: Move plat_helpers.S to common
    - rpi3: gpio: Simplify GPIO setup
    - rpi4: Skip UART initialisation

    - st: stm32mp1: Use generic console_t data structure, remove second
      QSPI flash instance, update for FMC2 pin muxing, and reduce MAX_XLAT_TABLES
      to 4

    - socionext: uniphier: Make on-chip SRAM and I/O register regions configurable
    - socionext: uniphier: Make PSCI related, counter control, UART, pinmon, NAND
      controller, and eMMC controller base addresses configurable
    - socionext: uniphier: Change block_addressing flag and the return value type
      of .is_usb_boot() to bool
    - socionext: uniphier: Run BL33 at EL2, call uniphier_scp_is_running() only
      when on-chip STM is supported, define PLAT_XLAT_TABLES_DYNAMIC only for BL2,
      support read-only xlat tables, use enable_mmu() in common function, shrink
      UNIPHIER_ROM_REGION_SIZE, prepare uniphier_soc_info() for next SoC, extend
      boot device detection for future SoCs, make all BL images completely
      position-independent, make uniphier_mmap_setup() work with PIE, pass SCP
      base address as a function parameter, set buffer offset and length for
      io_block dynamically, and use more mmap_add_dynamic_region() for loading
      images

    - spd/trusty: Disable error messages seen during boot, allow gic base to be
      specified with GICD_BASE, and allow getting trusty memsize from BL32_MEM_SIZE
      instead of TSP_SEC_MEM_SIZE

    - ti: k3: common: Enable ARM cluster power down and rename device IDs to
      be more consistent
    - ti: k3: drivers: ti_sci: Put sequence number in coherent memory and
      remove indirect structure of const data

    - xilinx: Move ipi mailbox svc to xilinx common
    - xilinx: zynqmp: Use GIC framework for warm restart
    - xilinx: zynqmp: pm: Move custom clock flags to typeflags, remove
      CLK_TOPSW_LSBUS from invalid clock list and rename FPD WDT clock ID
    - xilinx: versal: Increase OCM memory size for DEBUG builds and adjust
      cpu clock, move versal_def.h and versal_private to include directory

- Tools
    - sptool: Updated sptool to accommodate building secure partition packages.

Resolved Issues
^^^^^^^^^^^^^^^

- Arm Architecture
    - Fix crash dump for lower EL

- BL-Specific
    - Bug fix: Protect TSP prints with lock

    - Fix boot failures on some builds linked with ld.lld.

- Build System
    - Fix clang build if CC is not in the path.
    - Fix 'BL stage' comment for build macros

- Code Quality
    - coverity: Fix various MISRA violations including null pointer violations,
      C issues in BL1/BL2/BL31 and FDT helper functions, using boolean essential
      type, and removing unnecessary header file and comparisons to LONG_MAX in
      debugfs devfip

    - Based on coding guidelines, replace all `unsigned long` with types whose
      width is fixed regardless of whether the build is AArch32 or AArch64.

    - Unify type of "cpu_idx" and Platform specific defines across PSCI module.

- Drivers
    - auth: Necessary fix in drivers to upgrade to mbedtls-2.18.0

    - delay_timer: Fix non-standard frequency issue in udelay

    - gicv3: Fix compiler dependent behavior
    - gic600: Fix include ordering according to the coding style and power up sequence

- Library Code
    - el3_runtime: Fix stack pointer maintenance on EA handling path,
      fix up 'cm_setup_context' prototype, and add TPIDR_EL2 register
      to the context save restore routines

    - libc: Fix SIZE_MAX on AArch32

    - locks: T589: Fix insufficient ordering guarantees in bakery lock

    - pmf: Fix 'tautological-constant-compare' error, make the runtime
      instrumentation work on AArch32, and simplify PMF helper macro
      definitions across header files

    - xlat_tables_v2: Fix assembler warning of PLAT_RO_XLAT_TABLES

- Platforms
    - allwinner: Fix H6 GPIO and CCU memory map addresses and incorrect ARISC
      code patch offset check

    - arm/a5ds: Correct system freq and Cache Writeback Granule, and cleanup
      enable-method in devicetree

    - arm/fvp: Fix incorrect GIC mapping, BL31 load address and image size
      for RESET_TO_BL31=1, topology description of cpus for DynamIQ based
      FVP, and multithreaded FVP power domain tree
    - arm/fvp: spm-mm: Correct instructions to build SPM for FVP

    - arm/common: Fix ROTPK hash generation for ECDSA encryption, BL2 bug in
      dynamic configuration initialisation, and current RECLAIM_INIT_CODE behavior

    - arm/rdn1edge: Fix incorrect topology tree description

    - arm/sgi: Fix the incorrect check for SCMI channel ID

    - common: Flush dcache when storing timestamp

    - intel: Fix UEFI decompression issue, memory calibration, SMC SIP service,
      mailbox config return status, mailbox driver logic, FPGA manager on
      reconfiguration, and mailbox send_cmd issue

    - imx: Fix shift-overflow errors, the rdc memory region slot's offset,
      multiple definition of ipc_handle, missing inclusion of cdefs.h, and
      correct the SGIs used for secure interrupts

    - mediatek: mt8183: Fix AARCH64 init fail on CPU0

    - rockchip: Fix definition of struct param_ddr_usage

    - rpi4: Fix documentation of armstub config entry

    - st: Correct io possible NULL pointer dereference and device_size type,
      nand xor_ecc.val assigned value, static analysis tool issues, and fix
      incorrect return value and correctly check pwr-regulators node

    - xilinx: zynqmp: Correct syscnt freq for QEMU and fix clock models
      and IDs of GEM-related clocks

Known Issues
^^^^^^^^^^^^

- Build System
    - dtb: DTB creation not supported when building on a Windows host.

      This step in the build process is skipped when running on a Windows host. A
      known issue from the 1.6 release.

    - Intermittent assertion firing `ASSERT: services/spd/tspd/tspd_main.c:105`

- Coverity
    - Intermittent Race condition in Coverity Jenkins Build Job

- Platforms
    - arm/juno: System suspend from Linux does not function as documented in the
      user guide

      Following the instructions provided in the user guide document does not
      result in the platform entering system suspend state as expected. A message
      relating to the hdlcd driver failing to suspend will be emitted on the
      Linux terminal.

    - mediatek/mt6795: This platform does not build in this release

Version 2.2
-----------

New Features
^^^^^^^^^^^^

- Architecture
    - Enable Pointer Authentication (PAuth) support for Secure World
        - Adds support for ARMv8.3-PAuth in BL1 SMC calls and
          BL2U image for firmware updates.

    - Enable Memory Tagging Extension (MTE) support in both secure and non-secure
      worlds

        - Adds support for the new Memory Tagging Extension arriving in
          ARMv8.5. MTE support is now enabled by default on systems that
          support it at EL0.
        - To enable it at ELx for both the non-secure and the secure
          world, the compiler flag ``CTX_INCLUDE_MTE_REGS`` includes register
          saving and restoring when necessary in order to prevent information
          leakage between the worlds.

    - Add support for Branch Target Identification (BTI)

- Build System
    - Modify FVP makefile for CPUs that support both AArch64/32

    - AArch32: Allow compiling with soft-float toolchain

    - Makefile: Add default warning flags

    - Add Makefile check for PAuth and AArch64

    - Add compile-time errors for HW_ASSISTED_COHERENCY flag

    - Apply compile-time check for AArch64-only CPUs

    - build_macros: Add mechanism to prevent bin generation.
    - Add support for default stack-protector flag

    - spd: opteed: Enable NS_TIMER_SWITCH

    - plat/arm: Skip BL2U if RESET_TO_SP_MIN flag is set

    - Add new build option to let each platform select which implementation of spinlocks
      it wants to use

- CPU Support
    - DSU: Workaround for errata 798953 and 936184

    - Neoverse N1: Force cacheable atomic to near atomic
    - Neoverse N1: Workaround for errata 1073348, 1130799, 1165347, 1207823,
      1220197, 1257314, 1262606, 1262888, 1275112, 1315703, 1542419

    - Neoverse Zeus: Apply the MSR SSBS instruction

    - cortex-Hercules/HerculesAE: Support added for Cortex-Hercules and
      Cortex-HerculesAE CPUs
    - cortex-Hercules/HerculesAE: Enable AMU for Cortex-Hercules and Cortex-HerculesAE

    - cortex-a76AE: Support added for Cortex-A76AE CPU
    - cortex-a76: Workaround for errata 1257314, 1262606, 1262888, 1275112,
      1286807

    - cortex-a65/a65AE: Support added for Cortex-A65 and Cortex-A65AE CPUs
    - cortex-a65: Enable AMU for Cortex-A65

    - cortex-a55: Workaround for erratum 1221012

    - cortex-a35: Workaround for erratum 855472

    - cortex-a9: Workaround for erratum 794073

- Drivers
    - console: Allow the console to register multiple times

    - delay: Timeout detection support

    - gicv3: Enabled multi-socket GIC redistributor frame discovery and migrated
      ARM platforms to the new API

        - Adds ``gicv3_rdistif_probe`` function that delegates the responsibility
          of discovering the corresponding redistributor base frame to each CPU
          itself.
    - sbsa: Add SBSA watchdog driver

    - st/stm32_hash: Add HASH driver

    - ti/uart: Add an AArch32 variant

- Library at ROM (romlib)
    - Introduce BTI support in Library at ROM (romlib)

- New Platforms Support
    - amlogic: g12a: New platform support added for the S905X2 (G12A) platform
    - amlogic: meson/gxl: New platform support added for Amlogic Meson
      S905x (GXL)

    - arm/a5ds: New platform support added for A5 DesignStart

    - arm/corstone: New platform support added for Corstone-700

    - intel: New platform support added for Agilex

    - mediatek: New platform support added for MediaTek mt8183

    - qemu/qemu_sbsa: New platform support added for QEMU SBSA platform

    - renesas/rcar_gen3: plat: New platform support added for D3

    - rockchip: New platform support added for px30
    - rockchip: New platform support added for rk3288

    - rpi: New platform support added for Raspberry Pi 4

- Platforms
    - arm/common: Introduce wrapper functions to setup secure watchdog

    - arm/fvp: Add Delay Timer driver to BL1 and BL31 and option for defining
      platform DRAM2 base
    - arm/fvp: Add Linux DTS files for 32 bit threaded FVPs

    - arm/n1sdp: Add code for DDR ECC enablement and BL33 copy to DDR, initialise CNTFRQ
      in Non Secure CNTBaseN

    - arm/juno: Use shared mbedtls heap between BL1 and BL2 and add basic support for
      dynamic config

    - imx: Basic support for PicoPi iMX7D, rdc module init, caam module init,
      aipstz init, IMX_SIP_GET_SOC_INFO, IMX_SIP_BUILDINFO added

    - intel: Add ncore ccu driver

    - mediatek/mt81*: Use new bl31_params_parse() helper

    - nvidia: tegra: Add support for multi console interface

    - qemu/qemu_sbsa: Add memory mapping for both FLASH0/FLASH1
    - qemu: Added gicv3 support, new console interface in AArch32, and sub-platforms

    - renesas/rcar_gen3: plat: Add R-Car V3M support, new board revision for H3ULCB, DBSC4
      setting before self-refresh mode

    - socionext/uniphier: Support console based on multi-console

    - st: stm32mp1: Add OP-TEE, Avenger96, watchdog, LpDDR3, authentication support
      and general SYSCFG management

    - ti/k3: common: Add support for J721E, use coherent memory for shared data, trap all
      asynchronous bus errors to EL3

    - xilinx/zynqmp: Add support for multi console interface, initialize IPI table from
      zynqmp_config_setup()

- PSCI
    - Adding new optional PSCI hook ``pwr_domain_on_finish_late``
        - This PSCI hook ``pwr_domain_on_finish_late`` is similar to
          ``pwr_domain_on_finish`` but is guaranteed to be invoked when the
          respective core and cluster are participating in coherency.

- Security
    - Speculative Store Bypass Safe (SSBS): Further enhance protection against Spectre
      variant 4 by disabling speculative loads/stores (SPSR.SSBS bit) by default.

    - UBSAN support and handlers
        - Adds support for the Undefined Behaviour sanitizer. There are two types of
          support offered - minimalistic trapping support which essentially immediately
          crashes on undefined behaviour and full support with full debug messages.

- Tools
    - cert_create: Add support for bigger RSA key sizes (3KB and 4KB),
      previously the maximum size was 2KB.

    - fiptool: Add support to build fiptool on Windows.


Changed
^^^^^^^

- Architecture
    - Refactor ARMv8.3 Pointer Authentication support code

    - backtrace: Strip PAC field when PAUTH is enabled

    - Prettify crash reporting output on AArch64.

    - Rework smc_unknown return code path in smc_handler
        - Leverage the existing ``el3_exit()`` return routine for smc_unknown return
          path rather than a custom set of instructions.

- BL-Specific
    - Invalidate dcache build option for BL2 entry at EL3

    - Add missing support for BL2_AT_EL3 in XIP memory

- Boot Flow
    - Add helper to parse BL31 parameters (both versions)

    - Factor out cross-BL API into export headers suitable for 3rd party code

    - Introduce lightweight BL platform parameter library

- Drivers
    - auth: Memory optimization for Chain of Trust (CoT) description

    - bsec: Move bsec_mode_is_closed_device() service to platform

    - cryptocell: Move Cryptocell specific API into driver

    - gicv3: Prevent pending G1S interrupt from becoming G0 interrupt

    - mbedtls: Remove weak heap implementation

    - mmc: Increase delay between ACMD41 retries
    - mmc: stm32_sdmmc2: Correctly manage block size
    - mmc: stm32_sdmmc2: Manage max-frequency property from DT

    - synopsys/emmc: Do not change FIFO TH as this breaks some platforms
    - synopsys: Update synopsys drivers to not rely on undefined overflow behaviour

    - ufs: Extend the delay after reset to wait for some slower chips

- Platforms
    - amlogic/meson/gxl: Remove BL2 dependency from BL31

    - arm/common: Shorten the Firmware Update (FWU) process

    - arm/fvp: Remove GIC initialisation from secondary core cold boot

    - arm/sgm: Temporarily disable shared Mbed TLS heap for SGM

    - hisilicon: Update hisilicon drivers to not rely on undefined overflow behaviour

    - imx: imx8: Replace PLAT_IMX8* with PLAT_imx8*, remove duplicated linker symbols and
      deprecated code include, keep only IRQ 32 unmasked, enable all power domains by default

    - marvell: Prevent SError accessing PCIe link, Switch to xlat_tables_v2, do not rely on
      argument passed via smc, make sure that comphy init will use correct address

    - mediatek: mt8173: Refactor RTC and PMIC drivers
    - mediatek: mt8173: Apply MULTI_CONSOLE framework

    - nvidia: Tegra: memctrl_v2: fix "overflow before widen" coverity issue

    - qemu: Simplify the image size calculation, Move and generalise FDT PSCI fixup, move
      gicv2 code to separate file

    - renesas/rcar_gen3: Convert to multi-console API, update QoS setting, Update IPL and
      Secure Monitor Rev2.0.4, Change to restore timer counter value at resume, Update DDR
      setting rev.0.35, qos: change subslot cycle, Change periodic write DQ training option.

    - rockchip: Allow SOCs with undefined wfe check bits, Streamline and complete UARTn_BASE
      macros, drop rockchip-specific imported linker symbols for bl31, Disable binary generation
      for all SOCs, Allow console device to be set by DTB, Use new bl31_params_parse functions

    - rpi/rpi3: Move shared rpi3 files into common directory

    - socionext/uniphier: Set CONSOLE_FLAG_TRANSLATE_CRLF and clean up console driver
    - socionext/uniphier: Replace DIV_ROUND_UP() with div_round_up() from utils_def.h

    - st/stm32mp: Split stm32mp_io_setup function, move stm32_get_gpio_bank_clock() to private
      file, correctly handle Clock Spreading Generator, move oscillator functions to generic file,
      realign device tree files with internal devs, enable RTCAPB clock for dual-core chips, use a
      common function to check spinlock is available, move check_header() to common code

    - ti/k3: Enable SEPARATE_CODE_AND_RODATA by default, Remove shared RAM space,
      Drop _ADDRESS from K3_USART_BASE to match other defines, Remove MSMC port
      definitions, Allow USE_COHERENT_MEM for K3, Set L2 latency on A72 cores

- PSCI
    - PSCI: Lookup list of parent nodes to lock only once

- Secure Partition Manager (SPM): SPCI Prototype
    - Fix service UUID lookup

    - Adjust size of virtual address space per partition

    - Refactor xlat context creation

    - Move shim layer to TTBR1_EL1

    - Ignore empty regions in resource description

- Security
    - Refactor SPSR initialisation code

    - SMMUv3: Abort DMA transactions
        - For security, DMA should be blocked at the SMMU by default unless explicitly
          enabled for a device. The SMMU is disabled after reset with all streams bypassing
          the SMMU, and aborting all incoming transactions implements a default-deny
          policy on reset.
        - Moves ``bl1_platform_setup()`` function from arm_bl1_setup.c to FVP platforms'
          fvp_bl1_setup.c and fvp_ve_bl1_setup.c files.

- Tools
    - cert_create: Remove RSA PKCS#1 v1.5 support


Resolved Issues
^^^^^^^^^^^^^^^

- Architecture
    - Fix the CAS spinlock implementation by adding a missing DSB in ``spin_unlock()``

    - AArch64: Fix SCTLR bit definitions
        - Removes incorrect ``SCTLR_V_BIT`` definition and adds definitions for
          ARMv8.3-Pauth `EnIB`, `EnDA` and `EnDB` bits.

    - Fix restoration of PAuth context
        - Replace call to ``pauth_context_save()`` with ``pauth_context_restore()`` in
          case of unknown SMC call.

- BL-Specific Issues
    - Fix BL31 crash reporting on AArch64-only platforms

- Build System
    - Remove several warnings reported with W=2 and W=1

- Code Quality Issues
    - SCTLR and ACTLR are 32-bit for AArch32 and 64-bit for AArch64
    - Unify type of "cpu_idx" across PSCI module.
    - Assert if power level value is greater than PSCI_INVALID_PWR_LVL
    - Unsigned long should not be used as per coding guidelines
    - Reduce the number of memory leaks in cert_create
    - Fix type of cot_desc_ptr
    - Use explicit-width data types in AAPCS parameter structs
    - Add python configuration for editorconfig
    - BL1: Fix type consistency

    - Enable -Wshift-overflow=2 to check for undefined shift behavior
    - Updated upstream platforms to not rely on undefined overflow behaviour

- Coverity Quality Issues
    - Remove GCC ignore -Warray-bounds
    - Fix Coverity #261967, Infinite loop
    - Fix Coverity #343017, Missing unlock
    - Fix Coverity #343008, Side effect in assertion
    - Fix Coverity #342970, Uninitialized scalar variable

- CPU Support
    - cortex-a12: Fix MIDR mask

- Drivers
    - console: Remove Arm console unregister on suspend

    - gicv3: Fix support for full SPI range

    - scmi: Fix wrong payload length

- Library Code
    - libc: Fix sparse warning for __assert()

    - libc: Fix memchr implementation

- Platforms
    - rpi: rpi3: Fix compilation error when stack protector is enabled

    - socionext/uniphier: Fix compilation failure for SPM support build config

    - st/stm32mp1: Fix TZC400 configuration against non-secure DDR

    - ti/k3: common: Fix RO data area size calculation

- Security
    - AArch32: Disable Secure Cycle Counter
        - Changes the implementation for disabling Secure Cycle Counter.
          For ARMv8.5 the counter gets disabled by setting ``SDCR.SCCD`` bit on
          CPU cold/warm boot. For the earlier architectures PMCR register is
          saved/restored on secure world entry/exit from/to Non-secure state,
          and cycle counting gets disabled by setting PMCR.DP bit.
    - AArch64: Disable Secure Cycle Counter
        - For ARMv8.5 the counter gets disabled by setting ``MDCR_EL3.SCCD`` bit on
          CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is
          saved/restored on secure world entry/exit from/to Non-secure state,
          and cycle counting gets disabled by setting PMCR_EL0.DP bit.

Deprecations
^^^^^^^^^^^^

- Common Code
    - Remove MULTI_CONSOLE_API flag and references to it

    - Remove deprecated `plat_crash_console_*`

    - Remove deprecated interfaces `get_afflvl_shift`, `mpidr_mask_lower_afflvls`, `eret`

    - AARCH32/AARCH64 macros are now deprecated in favor of ``__aarch64__``

    - ``__ASSEMBLY__`` macro is now deprecated in favor of ``__ASSEMBLER__``

- Drivers
    - console: Removed legacy console API
    - console: Remove deprecated finish_console_register

    - tzc: Remove deprecated types `tzc_action_t` and `tzc_region_attributes_t`

- Secure Partition Manager (SPM):
    - Prototype SPCI-based SPM (services/std_svc/spm) will be replaced with alternative
      methods of secure partitioning support.

Known Issues
^^^^^^^^^^^^

- Build System Issues
    - dtb: DTB creation not supported when building on a Windows host.

      This step in the build process is skipped when running on a Windows host. A
      known issue from the 1.6 release.

- Platform Issues
    - arm/juno: System suspend from Linux does not function as documented in the
      user guide

      Following the instructions provided in the user guide document does not
      result in the platform entering system suspend state as expected. A message
      relating to the hdlcd driver failing to suspend will be emitted on the
      Linux terminal.

    - mediatek/mt6795: This platform does not build in this release

Version 2.1
-----------

New Features
^^^^^^^^^^^^

- Architecture
    - Support for ARMv8.3 pointer authentication in the normal and secure worlds

      The use of pointer authentication in the normal world is enabled whenever
      architectural support is available, without the need for additional build
      flags.

      Use of pointer authentication in the secure world remains an
      experimental configuration at this time. Using both the ``ENABLE_PAUTH``
      and ``CTX_INCLUDE_PAUTH_REGS`` build flags, pointer authentication can be
      enabled in EL3 and S-EL1/0.

      See the :ref:`Firmware Design` document for additional details on the use
      of pointer authentication.

    - Enable Data Independent Timing (DIT) in EL3, where supported

- Build System
    - Support for BL-specific build flags

    - Support setting compiler target architecture based on ``ARM_ARCH_MINOR``
      build option.

    - New ``RECLAIM_INIT_CODE`` build flag:

      A significant amount of the code used for the initialization of BL31 is
      not needed again after boot time. In order to reduce the runtime memory
      footprint, the memory used for this code can be reclaimed after
      initialization.

      Certain boot-time functions were marked with the ``__init`` attribute to
      enable this reclamation.

- CPU Support
    - cortex-a76: Workaround for erratum 1073348
    - cortex-a76: Workaround for erratum 1220197
    - cortex-a76: Workaround for erratum 1130799

    - cortex-a75: Workaround for erratum 790748
    - cortex-a75: Workaround for erratum 764081

    - cortex-a73: Workaround for erratum 852427
    - cortex-a73: Workaround for erratum 855423

    - cortex-a57: Workaround for erratum 817169
    - cortex-a57: Workaround for erratum 814670

    - cortex-a55: Workaround for erratum 903758
    - cortex-a55: Workaround for erratum 846532
    - cortex-a55: Workaround for erratum 798797
    - cortex-a55: Workaround for erratum 778703
    - cortex-a55: Workaround for erratum 768277

    - cortex-a53: Workaround for erratum 819472
    - cortex-a53: Workaround for erratum 824069
    - cortex-a53: Workaround for erratum 827319

    - cortex-a17: Workaround for erratum 852423
    - cortex-a17: Workaround for erratum 852421

    - cortex-a15: Workaround for erratum 816470
    - cortex-a15: Workaround for erratum 827671

- Documentation
    - Exception Handling Framework documentation

    - Library at ROM (romlib) documentation

    - RAS framework documentation

    - Coding Guidelines document

- Drivers
    - ccn: Add API for setting and reading node registers
        - Adds ``ccn_read_node_reg`` function
        - Adds ``ccn_write_node_reg`` function

    - partition: Support MBR partition entries

    - scmi: Add ``plat_css_get_scmi_info`` function

      Adds a new API ``plat_css_get_scmi_info`` which lets the platform
      register a platform-specific instance of ``scmi_channel_plat_info_t`` and
      remove the default values.

    - tzc380: Add TZC-380 TrustZone Controller driver

    - tzc-dmc620: Add driver to manage the TrustZone Controller within the
      DMC-620 Dynamic Memory Controller

- Library at ROM (romlib)
    - Add platform-specific jump table list

    - Allow patching of romlib functions

      This change allows patching of functions in the romlib. This can be done by
      adding "patch" at the end of the jump table entry for the function that
      needs to be patched in the file jmptbl.i.

- Library Code
    - Support non-LPAE-enabled MMU tables in AArch32

    - mmio: Add ``mmio_clrsetbits_16`` function
        - 16-bit variant of ``mmio_clrsetbits``

    - object_pool: Add Object Pool Allocator
        - Manages object allocation using a fixed-size static array
        - Adds ``pool_alloc`` and ``pool_alloc_n`` functions
        - Does not provide any functions to free allocated objects (by design)

    - libc: Added ``strlcpy`` function

    - libc: Import ``strrchr`` function from FreeBSD

    - xlat_tables: Add support for ARMv8.4-TTST

    - xlat_tables: Support mapping regions without an explicitly specified VA

- Math
    - Added softudiv macro to support software division

- Memory Partitioning And Monitoring (MPAM)
    - Enabled MPAM EL2 traps (``MPAMHCR_EL2`` and ``MPAM_EL2``)

- Platforms
    - amlogic: Add support for Meson S905 (GXBB)

    - arm/fvp_ve: Add support for FVP Versatile Express platform

    - arm/n1sdp: Add support for Neoverse N1 System Development platform

    - arm/rde1edge: Add support for Neoverse E1 platform

    - arm/rdn1edge: Add support for Neoverse N1 platform

    - arm: Add support for booting directly to Linux without an intermediate
      loader (AArch32)

    - arm/juno: Enable new CPU errata workarounds for A53 and A57

    - arm/juno: Add romlib support

      Building a combined BL1 and ROMLIB binary file with the correct page
      alignment is now supported on the Juno platform. When ``USE_ROMLIB`` is set
      for Juno, it generates the combined file ``bl1_romlib.bin`` which needs to
      be used instead of bl1.bin.

    - intel/stratix: Add support for Intel Stratix 10 SoC FPGA platform

    - marvell: Add support for Armada-37xx SoC platform

    - nxp: Add support for i.MX8M and i.MX7 Warp7 platforms

    - renesas: Add support for R-Car Gen3 platform

    - xilinx: Add support for Versal ACAP platforms

- Position-Independent Executable (PIE)

  PIE support has initially been added to BL31. The ``ENABLE_PIE`` build flag is
  used to enable or disable this functionality as required.

- Secure Partition Manager
    - New SPM implementation based on SPCI Alpha 1 draft specification

      A new version of SPM has been implemented, based on the SPCI (Secure
      Partition Client Interface) and SPRT (Secure Partition Runtime) draft
      specifications.

      The new implementation is a prototype that is expected to undergo intensive
      rework as the specifications change. It has basic support for multiple
      Secure Partitions and Resource Descriptions.

      The older version of SPM, based on MM (ARM Management Mode Interface
      Specification), is still present in the codebase. A new build flag,
      ``SPM_MM`` has been added to allow selection of the desired implementation.
      This flag defaults to 1, selecting the MM-based implementation.
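The allocate-only object pool listed above under Library Code is worth seeing as code: objects are carved out of a fixed static array, a request the pool cannot satisfy is refused rather than overrunning the array, and there is deliberately no free, so a stale handle can never be reused. The sketch below is an added example written for this page, not TF-A's own object_pool implementation; the type and function names, the ``region`` object type and the choice to return NULL on exhaustion (rather than panic) are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One pool: objects of obj_size bytes handed out sequentially from a
 * backing array that the owner allocates statically at build time. */
struct pool {
    size_t obj_size;   /* size of one object in bytes */
    size_t capacity;   /* number of objects in the backing array */
    size_t used;       /* objects handed out so far; only ever grows */
    uint8_t *storage;  /* the backing array */
};

/* Initialiser for a pool over an existing array (constructed helper,
 * not TF-A's own macro). */
#define POOL_INIT(objs, size, count) \
    { .obj_size = (size), .capacity = (count), .used = 0, \
      .storage = (uint8_t *)(objs) }

/* Hand out n consecutive objects, zeroed. Returns NULL when the request
 * cannot be satisfied: the pool never overruns its array and, by design,
 * has no matching free. (Assumption for this example: TF-A's pool panics
 * on exhaustion; returning NULL keeps the behaviour testable here.) */
static void *pool_alloc_n(struct pool *p, size_t n)
{
    /* used <= capacity always holds, so the subtraction cannot wrap. */
    if (n == 0 || n > p->capacity - p->used)
        return NULL;

    void *obj = p->storage + p->used * p->obj_size;
    p->used += n;
    /* Zero the objects so nothing left over in the array leaks into
     * the new owner. */
    memset(obj, 0, n * p->obj_size);
    return obj;
}

static void *pool_alloc(struct pool *p)
{
    return pool_alloc_n(p, 1);
}

/* Constructed object type standing in for whatever a BL stage would keep
 * in such a pool, e.g. memory region descriptors. */
struct region {
    uint64_t base;
    uint64_t size;
    uint32_t attr;
};

#define REGION_POOL_CAPACITY 4

/* Exercise the pool the way init code would: carve a small pool out of a
 * static array, hand out objects until it is exhausted, and confirm that it
 * refuses further requests instead of overrunning the array.
 * Returns 0 on success, otherwise the number of the first failed check. */
int pool_selftest(void)
{
    static struct region backing[REGION_POOL_CAPACITY];
    struct pool p = POOL_INIT(backing, sizeof(struct region),
                              REGION_POOL_CAPACITY);

    struct region *r0 = pool_alloc(&p);
    struct region *r1 = pool_alloc_n(&p, 2);
    if (r0 == NULL || r1 == NULL)
        return 1;
    if (r0 != &backing[0] || r1 != &backing[1])
        return 2;   /* objects are handed out contiguously, in order */
    if (p.used != 3)
        return 3;

    r0->base = 0x80000000u;
    r0->size = 0x10000u;
    r0->attr = 1u;

    struct region *r3 = pool_alloc(&p);
    if (r3 != &backing[3])
        return 4;
    if (pool_alloc(&p) != NULL)
        return 5;   /* exhausted: no object left */
    if (pool_alloc_n(&p, 0) != NULL)
        return 6;   /* zero-length requests are rejected */
    if (p.used != REGION_POOL_CAPACITY)
        return 7;   /* a refused request must not consume capacity */
    if (r3->base != 0 || r0->base != 0x80000000u)
        return 8;   /* fresh object is zeroed and does not alias r0 */
    return 0;
}

/* Capacity of the self-test pool, exposed so the bound can be checked
 * independently of the self-test result. */
size_t pool_selftest_capacity(void)
{
    return REGION_POOL_CAPACITY;
}
```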

- Security
    - Spectre Variant-1 mitigations (``CVE-2017-5753``)

    - Use Speculation Store Bypass Safe (SSBS) functionality where available

      Provides mitigation against ``CVE-2018-19440`` (Not saving x0 to x3
      registers can leak information from one Normal World SMC client to another)


Changed
^^^^^^^

- Build System
    - Warning levels are now selectable with ``W=<1,2,3>``

    - Removed unneeded include paths in PLAT_INCLUDES

    - "Warnings as errors" (Werror) can be disabled using ``E=0``

    - Support totally quiet output with ``-s`` flag

    - Support passing options to checkpatch using ``CHECKPATCH_OPTS=<opts>``

    - Invoke host compiler with ``HOSTCC / HOSTCCFLAGS`` instead of ``CC / CFLAGS``

    - Make device tree pre-processing similar to U-Boot/Linux by:
        - Creating separate ``CPPFLAGS`` for DT preprocessing so that compiler
          options specific to it can be accommodated.
        - Replacing ``CPP`` with ``PP`` for DT pre-processing

- CPU Support
    - Errata report function definition is now mandatory for CPU support files

      CPU operation files must now define a ``<name>_errata_report`` function to
      print errata status. This is no longer a weak reference.

- Documentation
    - Migrated some content from GitHub wiki to ``docs/`` directory

    - Security advisories now have CVE links

    - Updated copyright guidelines

- Drivers
    - console: The ``MULTI_CONSOLE_API`` framework has been rewritten in C

    - console: Ported multi-console driver to AArch32

    - gic: Remove 'lowest priority' constants

      Removed ``GIC_LOWEST_SEC_PRIORITY`` and ``GIC_LOWEST_NS_PRIORITY``.
      Platforms should define these if required, or instead determine the correct
      priority values at runtime.

    - delay_timer: Check that the Generic Timer extension is present

    - mmc: Increase command reply timeout to 10 milliseconds

    - mmc: Poll eMMC device status to ensure ``EXT_CSD`` command completion

    - mmc: Correctly check return code from ``mmc_fill_device_info``

- External Libraries

    - libfdt: Upgraded from 1.4.2 to 1.4.6-9

    - mbed TLS: Upgraded from 2.12 to 2.16

      This change incorporates fixes for security issues that should be reviewed
      to determine if they are relevant for software implementations using
      Trusted Firmware-A. See the `mbed TLS releases`_ page for details on
      changes from the 2.12 to the 2.16 release.

- Library Code
    - compiler-rt: Updated ``lshrdi3.c`` and ``int_lib.h`` with changes from
      LLVM master branch (r345645)

    - cpu: Updated macro that checks need for ``CVE-2017-5715`` mitigation

    - libc: Made setjmp and longjmp C standard compliant

    - libc: Allowed overriding the default libc (use ``OVERRIDE_LIBC``)

    - libc: Moved setjmp and longjmp to the ``libc/`` directory

- Platforms
    - Removed Mbed TLS dependency from plat_bl_common.c

    - arm: Removed unused ``ARM_MAP_BL_ROMLIB`` macro

    - arm: Removed ``ARM_BOARD_OPTIMISE_MEM`` feature and build flag

    - arm: Moved several components into ``drivers/`` directory

      This affects the SDS, SCP, SCPI, MHU and SCMI components.

    - arm/juno: Increased maximum BL2 image size to ``0xF000``

      This change was required to accommodate a larger ``libfdt`` library.

- SCMI
    - Optimized bakery locks when hardware-assisted coherency is enabled using the
      ``HW_ASSISTED_COHERENCY`` build flag

- SDEI
    - Added support for unconditionally resuming secure world execution after
      |SDEI| event processing completes

      |SDEI| interrupts, although targeting EL3, occur on behalf of the non-secure
      world, and may have higher priority than secure world
      interrupts. Therefore they might preempt secure execution and yield
      execution to the non-secure |SDEI| handler. Upon completion of |SDEI| event
      handling, secure execution is resumed if it was preempted.

- Translation Tables (XLAT)
    - Dynamically detect need for ``Common not Private (TTBRn_ELx.CnP)`` bit

      Properly handle the case where ``ARMv8.2-TTCNP`` is implemented in a CPU
      that does not implement all mandatory v8.2 features (and so must claim to
      implement a lower architecture version).


Resolved Issues
^^^^^^^^^^^^^^^

- Architecture
    - Incorrect check for SSBS feature detection

    - Unintentional register clobber in AArch32 reset_handler function

- Build System
    - Dependency issue during DTB image build

    - Incorrect variable expansion in Arm platform makefiles

    - Building on Windows with verbose mode (``V=1``) enabled is broken

    - AArch32 compilation flags are missing ``$(march32-directive)``

- BL-Specific Issues
    - bl2: ``uintptr_t is not defined`` error when ``BL2_IN_XIP_MEM`` is defined

    - bl2: Missing prototype warning in ``bl2_arch_setup``

    - bl31: Omission of Global Offset Table (GOT) section

- Code Quality Issues
    - Multiple MISRA compliance issues

    - Potential NULL pointer dereference (Coverity-detected)

- Drivers
    - mmc: Local declaration of ``scr`` variable causes a cache issue when
      invalidating after the read DMA transfer completes

    - mmc: ``ACMD41`` does not send voltage information during initialization,
      resulting in the command being treated as a query. This prevents the
      command from initializing the controller.

    - mmc: When checking device state using ``mmc_device_state()`` there are no
      retries attempted in the event of an error

    - ccn: Incorrect Region ID calculation for RN-I nodes

    - console: Fix ``MULTI_CONSOLE_API`` when used as a crash console

    - partition: Improper NULL checking in gpt.c

    - partition: Compilation failure in ``VERBOSE`` mode (``V=1``)

- Library Code
    - common: Incorrect check for Address Authentication support

    - xlat: Fix XLAT_V1 / XLAT_V2 incompatibility

      The file ``arm_xlat_tables.h`` has been renamed to ``xlat_tables_compat.h``
      and has been moved to a common folder. This header can be used to guarantee
      compatibility, as it includes the correct header based on
      ``XLAT_TABLES_LIB_V2``.

    - xlat: armclang unused-function warning on ``xlat_clean_dcache_range``

    - xlat: Invalid ``mm_cursor`` checks in ``mmap_add`` and ``mmap_add_ctx``

    - sdei: Missing ``context.h`` header

- Platforms
    - common: Missing prototype warning for ``plat_log_get_prefix``

    - arm: Insufficient maximum BL33 image size

    - arm: Potential memory corruption during BL2-BL31 transition

      On Arm platforms, the BL2 memory can be overlaid by BL31/BL32. The memory
      descriptors describing the list of executable images are created in BL2
      R/W memory, which could later be corrupted by BL31/BL32 because of the
      overlay. This fix creates a reserved location in SRAM for these
      descriptors, which BL2 copies there before handing over to the next BL
      image.

    - juno: Invalid behaviour when ``CSS_USE_SCMI_SDS_DRIVER`` is not set

      In ``juno_pm.c`` the ``css_scmi_override_pm_ops`` function was used
      regardless of whether the build flag was set. The original behaviour has
      been restored in the case where the build flag is not set.

- Tools
    - fiptool: Incorrect UUID parsing of blob parameters

    - doimage: Incorrect object rules in Makefile


Deprecations
^^^^^^^^^^^^

- Common Code
    - ``plat_crash_console_init`` function

    - ``plat_crash_console_putc`` function

    - ``plat_crash_console_flush`` function

    - ``finish_console_register`` macro

- AArch64-specific Code
    - helpers: ``get_afflvl_shift``

    - helpers: ``mpidr_mask_lower_afflvls``

    - helpers: ``eret``

- Secure Partition Manager (SPM)
    - Boot-info structure


Known Issues
^^^^^^^^^^^^

- Build System Issues
    - dtb: DTB creation not supported when building on a Windows host.

      This step in the build process is skipped when running on a Windows host. A
      known issue from the 1.6 release.

- Platform Issues
    - arm/juno: System suspend from Linux does not function as documented in the
      user guide

      Following the instructions provided in the user guide document does not
      result in the platform entering system suspend state as expected. A message
      relating to the hdlcd driver failing to suspend will be emitted on the
      Linux terminal.

    - arm/juno: The firmware update use-cases do not work with motherboard
      firmware version < v1.5.0 (the reset reason is not preserved). The Linaro
      18.04 release has MB v1.4.9. The MB v1.5.0 is available in Linaro 18.10
      release.

    - mediatek/mt6795: This platform does not build in this release

Version 2.0
-----------

New Features
^^^^^^^^^^^^

- Removal of a number of deprecated APIs

    - A new Platform Compatibility Policy document has been created which
      references a wiki page that maintains a listing of deprecated
      interfaces and the release after which they will be removed.

    - All deprecated interfaces except the MULTI_CONSOLE_API have been removed
      from the code base.

    - Various Arm and partner platforms have been updated to remove the use of
      removed APIs in this release.

    - This release is otherwise unchanged from the 1.6 release

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- No issues known at 1.6 release resolved in 2.0 release

Known Issues
^^^^^^^^^^^^

- DTB creation not supported when building on a Windows host. This step in the
  build process is skipped when running on a Windows host. Known issue from
  1.6 version.

- As a result of the removal of deprecated interfaces, the Nvidia Tegra, Marvell
  Armada 8K and MediaTek MT6795 platforms do not build in this release.
  Also MediaTek MT8173, NXP QorIQ LS1043A, NXP i.MX8QX, NXP i.MX8QMa,
  Rockchip RK3328, Rockchip RK3368 and Rockchip RK3399 platforms have not been
  confirmed to be working after the removal of the deprecated interfaces
  although they do build.

Version 1.6
-----------

New Features
^^^^^^^^^^^^

- Addressing Speculation Security Vulnerabilities

  - Implement static workaround for CVE-2018-3639 for AArch32 and AArch64

  - Add support for dynamic mitigation for CVE-2018-3639

  - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76

  - Ensure |SDEI| handler executes with CVE-2018-3639 mitigation enabled

- Introduce RAS handling on AArch64

  - Some RAS extensions are mandatory for Armv8.2 CPUs, with others
    mandatory for Armv8.4 CPUs; however, all extensions are also optional
    extensions to the base Armv8.0 architecture.

  - The Armv8 RAS Extensions introduced Standard Error Records, which are a
    set of standard registers to configure RAS node policy and allow RAS
    Nodes to record and expose error information for error handling agents.

  - Capabilities are provided to support RAS Node enumeration and iteration
    along with individual interrupt registration and fault injection
    support.

  - Introduce handlers for Uncontainable errors, Double Faults and EL3
    External Aborts

- Enable Memory Partitioning And Monitoring (MPAM) for lower ELs

  - Memory Partitioning And Monitoring is an Armv8.4 feature that enables
    various memory system components and resources to define partitions.
    Software running at various ELs can then assign itself to the
    desired partition to control its performance aspects.

  - When ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows
    lower ELs to access their own MPAM registers without trapping to EL3.
    This change, however, doesn't make use of partitioning in EL3; platform
    initialisation code should configure and use partitions in EL3 if
    required.

- Introduce ROM Lib Feature

  - Support combining several libraries into a so-called "romlib" image
    that may be shared across images to reduce memory footprint. The romlib
    image is stored in ROM but is accessed through a jump table that may be
    stored in read-write memory, allowing the library code to be patched.

- Introduce Backtrace Feature

  - This function displays the backtrace, the current EL and security state
    to allow a post-processing tool to choose the right binary to interpret
    the dump.

  - Print backtrace in assert() and panic() to the console.

- Code hygiene changes and alignment with the MISRA C-2012 guideline, with fixes
  addressing compliance issues with the following rules:

  - MISRA rules 4.9, 5.1, 5.3, 5.7, 8.2-8.5, 8.8, 8.13, 9.3, 10.1,
    10.3-10.4, 10.8, 11.3, 11.6, 12.1, 14.4, 15.7, 16.1-16.7, 17.7-17.8,
    20.7, 20.10, 20.12, 21.1, 21.15, 22.7

  - Clean up the usage of void pointers to access symbols

  - Increase usage of the static qualifier for locally used functions and data

  - Migrated to use of u_register_t for register read/write to better
    match AArch32 and AArch64 type sizes

  - Use int-ll64 for both AArch32 and AArch64 to assist in consistent
    format strings between architectures

  - Clean up TF-A libc by removing non-Arm-copyrighted implementations
    and replacing them with modified FreeBSD and SCC implementations

- Various changes to support the Clang linker and assembler

  - The clang assembler/preprocessor is used when Clang is selected. However,
    the clang linker is not used because it is unable to link TF-A objects
    due to immaturity of clang linker functionality at this time.

- Refactor support APIs into Libraries

  - Evolve libfdt, mbed TLS library and standard C library sources into
    proper libraries that TF-A may be linked against.
- CPU Enhancements

  - Add CPU support for Cortex-Ares and Cortex-A76

  - Add AMU support for Cortex-Ares

  - Add initial CPU support for Cortex-Deimos

  - Add initial CPU support for Cortex-Helios

  - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76

  - Implement Cortex-Ares erratum 1043202 workaround

  - Implement DSU erratum 936184 workaround

  - Check presence of fix for erratum 843419 in Cortex-A53

  - Check presence of fix for erratum 835769 in Cortex-A53

- Translation Tables Enhancements

  - The xlat v2 library has been refactored so that it can be reused by
    different TF components at different ELs, including the addition of EL2
    support. Some refactoring was also done to make the code more generic
    and less specific to TF, so that the library can be reused outside of
    this project.

- SPM Enhancements

  - General cleanups and refactoring to pave the way to multiple partitions
    support

- SDEI Enhancements

  - Allow platforms to define explicit events

  - Determine client EL from NS context's SCR_EL3

  - Make dispatches synchronous

  - Introduce jump primitives for BL31

  - Mask events after CPU wakeup in |SDEI| dispatcher to conform to the
    specification

- Misc TF-A Core Common Code Enhancements

  - Add support for eXecute In Place (XIP) memory in BL2

  - Add support for the SMC Calling Convention 2.0

  - Introduce External Abort handling on AArch64

    An External Abort routed to EL3 was reported as an unhandled exception
    and caused a panic. This change enables Trusted Firmware-A to handle
    External Aborts routed to EL3.

  - Save the value of the ACTLR_EL1 implementation-defined register in the
    CPU context structure rather than forcing it to 0.
  - Introduce ARM_LINUX_KERNEL_AS_BL33 build option, which allows BL31 to
    directly jump to a Linux kernel. This makes for a quicker and simpler
    boot flow, which might be useful in some test environments.

  - Add dynamic configurations for BL31, BL32 and BL33 enabling support for
    Chain of Trust (COT).

  - Make TF UUID RFC 4122 compliant

- New Platform Support

  - Arm SGI-575

  - Arm SGM-775

  - Allwinner sun50i_64

  - Allwinner sun50i_h6

  - NXP QorIQ LS1043A

  - NXP i.MX8QX

  - NXP i.MX8QM

  - NXP i.MX7Solo WaRP7

  - TI K3

  - Socionext Synquacer SC2A11

  - Marvell Armada 8K

  - STMicroelectronics STM32MP1

- Misc Generic Platform Common Code Enhancements

  - Add MMC framework that supports both eMMC and SD card devices

- Misc Arm Platform Common Code Enhancements

  - Demonstrate PSCI MEM_PROTECT from el3_runtime

  - Provide RAS support

  - Migrate AArch64 port to the multi console driver. The old API is
    deprecated and will eventually be removed.

  - Move BL31 below BL2 to enable BL2 overlay, resulting in changes in the
    layout of BL images in memory to enable more efficient use of available
    space.

  - Add cpp build processing for dtb that allows processing device tree
    with external includes.
  - Extend FIP io driver to support multiple FIP devices

  - Add support for SCMI AP core configuration protocol v1.0

  - Use SCMI AP core protocol to set the warm boot entrypoint

  - Add support to Mbed TLS drivers for a shared heap among different
    BL images to help optimise memory usage

  - Enable non-secure access to UART1 through a build option to support
    a serial debug port for debugger connection

- Enhancements for Arm Juno Platform

  - Add support for TrustZone Media Protection 1 (TZMP1)

- Enhancements for Arm FVP Platform

  - Dynamic_config: remove the FVP dtb files

  - Set DYNAMIC_WORKAROUND_CVE_2018_3639=1 on FVP by default

  - Set the ability to dynamically disable Trusted Board Boot
    authentication (DYN_DISABLE_AUTH) to be off by default

  - Add romlib enhancement support in FVP

  - Support shared Mbed TLS heap between BL1 and BL2, allowing a
    reduction in BL2 size for FVP

- Enhancements for Arm SGI/SGM Platform

  - Enable ARM_PLAT_MT flag for SGI-575

  - Add dts files to enable support for dynamic config

  - Add RAS support

  - Support shared Mbed TLS heap for SGI and SGM between BL1 and BL2

- Enhancements for Non-Arm Platforms

  - Raspberry Pi Platform

  - Hikey Platforms

  - Xilinx Platforms

  - QEMU Platform

  - Rockchip rk3399 Platform

  - TI Platforms

  - Socionext Platforms

  - Allwinner Platforms

  - NXP Platforms

  - NVIDIA Tegra Platform

  - Marvell Platforms

  - STMicroelectronics STM32MP1 Platform

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- No issues known at 1.5 release resolved in 1.6 release

Known Issues
^^^^^^^^^^^^

- DTB creation not supported when building on a Windows host.
  This step in the build process is skipped when running on a Windows host.
  Known issue from 1.5 version.

Version 1.5
-----------

New features
^^^^^^^^^^^^

- Added new firmware support to enable RAS (Reliability, Availability, and
  Serviceability) functionality.

  - Secure Partition Manager (SPM): A Secure Partition is a software execution
    environment instantiated in S-EL0 that can be used to implement simple
    management and security services. The SPM is the firmware component that
    is responsible for managing a Secure Partition.

  - SDEI dispatcher: Support for interrupt-based |SDEI| events and all
    interfaces as defined by the |SDEI| specification v1.0, see
    `SDEI Specification`_

  - Exception Handling Framework (EHF): Framework that allows dispatching of
    EL3 interrupts to their registered handlers, which are registered based on
    their priorities. Facilitates a firmware-first error handling policy where
    asynchronous exceptions may be routed to EL3.

    Integrated the TSPD with EHF.

- Updated PSCI support:

  - Implemented PSCI v1.1 optional features `MEM_PROTECT` and `SYSTEM_RESET2`.
    The supported PSCI version was updated to v1.1.

  - Improved PSCI STAT timestamp collection, including moving accounting for
    retention states to be inside the locks and fixing handling of wrap-around
    when calculating residency in AArch32 execution state.

  - Added optional handler for early suspend that executes when suspending to
    a power-down state and with data caches enabled.

    This may provide a performance improvement on platforms where it is safe
    to perform some or all of the platform actions from `pwr_domain_suspend`
    with the data caches enabled.

- Enabled build option, BL2_AT_EL3, for BL2 to allow execution at EL3 without
  any dependency on TF BL1.
  This allows platforms which already have a non-TF Boot ROM to directly load
  and execute BL2 and subsequent BL stages without need for BL1. This was not
  previously possible because BL2 executes at S-EL1 and cannot jump straight to
  EL3.

- Implemented support for SMCCC v1.1, including `SMCCC_VERSION` and
  `SMCCC_ARCH_FEATURES`.

  Additionally, added support for `SMCCC_VERSION` in PSCI features to enable
  discovery of the SMCCC version via the PSCI feature call.

- Added Dynamic Configuration framework which enables each of the boot loader
  stages to be dynamically configured at runtime if required by the platform.
  The boot loader stage may optionally specify a firmware configuration file
  and/or hardware configuration file that can then be shared with the next boot
  loader stage.

  Introduced a new BL handover interface that essentially allows passing of 4
  arguments between the different BL stages.

  Updated cert_create and fiptool to support the dynamic configuration files.
  The COT was also updated to support these new files.

- Code hygiene changes and alignment with MISRA guideline:

  - Fix use of undefined macros.

  - Achieved compliance with Mandatory MISRA coding rules.

  - Achieved compliance for the following Required MISRA rules for the default
    build configurations on FVP and Juno platforms: 7.3, 8.3, 8.4, 8.5 and
    8.8.

- Added support for Armv8.2-A architectural features:

  - Updated translation table set-up to set the CnP (Common not Private) bit
    for secure page tables so that multiple PEs in the same Inner Shareable
    domain can use the same translation table entries for a given stage of
    translation in a particular translation regime.

  - Extended the supported values of ID_AA64MMFR0_EL1.PARange to include the
    52-bit Physical Address range.
  - Added support for the Scalable Vector Extension to allow Normal world
    software to access SVE functionality but disable access to SVE, SIMD and
    floating point functionality from the Secure world in order to prevent
    corruption of the Z-registers.

- Added support for Armv8.4-A architectural feature Activity Monitor Unit (AMU)
  extensions.

  In addition to the v8.4 architectural extension, AMU support on Cortex-A75
  was implemented.

- Enhanced OP-TEE support to enable use of a pageable OP-TEE image. The Arm
  standard platforms are updated to load up to 3 images for OP-TEE: header,
  pager image and paged image.

  The chain of trust is extended to support the additional images.

- Enhancements to the translation table library:

  - Introduced APIs to get and set the memory attributes of a region.

  - Added support to manage both privilege levels in translation regimes that
    describe translations for 2 Exception levels, specifically the EL1&0
    translation regime, and extended the memory map region attributes to
    include specifying Non-privileged access.

  - Added support to specify the granularity of the mappings of each region;
    for instance a 2MB region can be specified to be mapped with 4KB page
    tables instead of a 2MB block.

  - Disabled the higher VA range to avoid unpredictable behaviour if there is
    an attempt to access addresses in the higher VA range.

  - Added helpers for Device and Normal memory MAIR encodings that align with
    the Arm Architecture Reference Manual for Armv8-A (Arm DDI0487B.b).
  - Code hygiene including fixing type length and signedness of constants,
    refactoring of the function that enables the MMU, removing all instances
    where the virtual address space is hardcoded and adding comments that
    document the alignment needed between memory attributes and the attributes
    specified in TCR_ELx.

- Updated GIC support:

  - Introduce new APIs for GICv2 and GICv3 that provide the capability to
    specify interrupt properties rather than a list of interrupt numbers alone.
    The Arm platforms and other upstream platforms are migrated to use
    interrupt properties.

  - Added helpers to save / restore the GICv3 context, specifically the
    Distributor and Redistributor contexts and architectural parts of the ITS
    power management. The Distributor and Redistributor helpers also support
    the implementation-defined part of GIC-500 and GIC-600.

    Updated the Arm FVP platform to save / restore the GICv3 context on system
    suspend / resume as an example of how to use the helpers.

    Introduced a new TZC secured DDR carve-out for use by Arm platforms for
    storing EL3 runtime data such as the GICv3 register context.

- Added support for Armv7-A architecture via build option ARM_ARCH_MAJOR=7.
  This includes the following features:

  - Updates GICv2 driver to manage GICv1 with security extensions.

  - Software implementation for 32-bit division.

  - Enabled use of generic timer for platforms that do not set
    ARM_CORTEX_Ax=yes.

  - Support for Armv7-A Virtualization extensions [DDI0406C_C].

  - Support for both Armv7-A platforms that only have 32-bit addressing and
    Armv7-A platforms that support large page addressing.

  - Included support for the following Armv7 CPUs: Cortex-A12, Cortex-A17,
    Cortex-A7, Cortex-A5, Cortex-A9, Cortex-A15.

  - Added support in QEMU for Armv7-A/Cortex-A15.
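The SMCCC v1.1 discovery flow noted earlier in this release (`SMCCC_VERSION`,
`SMCCC_ARCH_FEATURES`, and `SMCCC_VERSION` answered through the PSCI feature
call) is the mechanism a Normal-world client uses to find out whether a
firmware mitigation such as the CVE-2017-5715 workaround is present before
calling it. The model below is an added example, not TF-A code: the function IDs
and return codes are those of the SMCCC v1.1 and PSCI v1.1 specifications, while
``el3_smc_handler()`` is a constructed stand-in for the EL3 dispatcher and
``affected_cpu`` is a constructed model of the per-CPU check behind
``SMCCC_ARCH_WORKAROUND_1``.

```c
/*
 * Model of SMCCC v1.1 feature discovery between a Normal-world client and
 * EL3. Added example, not TF-A code: el3_smc_handler() is a constructed
 * stand-in for the EL3 dispatcher and `affected_cpu` is a constructed model
 * of the per-CPU check behind SMCCC_ARCH_WORKAROUND_1. Function IDs and
 * return codes follow the SMCCC v1.1 and PSCI v1.1 specifications.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SMCCC_VERSION            0x80000000U
#define SMCCC_ARCH_FEATURES      0x80000001U
#define SMCCC_ARCH_WORKAROUND_1  0x80008000U   /* CVE-2017-5715 mitigation */
#define PSCI_VERSION             0x84000000U
#define PSCI_FEATURES            0x8400000AU

#define SMCCC_VERSION_1_1        0x00010001    /* major 1, minor 1 */
#define PSCI_VERSION_1_1         0x00010001
#define SMCCC_NOT_SUPPORTED      (-1)
#define PSCI_E_SUCCESS           0
#define PSCI_E_NOT_SUPPORTED     (-1)

/* Constructed model state: does this CPU need the CVE-2017-5715 workaround? */
static bool affected_cpu = true;

/* EL3 side: constructed model of the dispatcher. x1 is the first argument. */
static int32_t el3_smc_handler(uint32_t fid, uint32_t x1)
{
	switch (fid) {
	case SMCCC_VERSION:
		return SMCCC_VERSION_1_1;
	case SMCCC_ARCH_FEATURES:
		switch (x1) {			/* x1 = function ID being probed */
		case SMCCC_ARCH_FEATURES:
			return 0;
		case SMCCC_ARCH_WORKAROUND_1:
			/* 0: implemented and needed; 1: this PE does not need it */
			return affected_cpu ? 0 : 1;
		default:
			return SMCCC_NOT_SUPPORTED;
		}
	case PSCI_VERSION:
		return PSCI_VERSION_1_1;
	case PSCI_FEATURES:
		/* PSCI_FEATURES also answers for SMCCC_VERSION, which is how a
		 * client learns whether SMCCC_VERSION may be called at all. */
		if (x1 == PSCI_VERSION || x1 == PSCI_FEATURES || x1 == SMCCC_VERSION)
			return PSCI_E_SUCCESS;
		return PSCI_E_NOT_SUPPORTED;
	default:
		return SMCCC_NOT_SUPPORTED;
	}
}

/*
 * Client side: the discovery sequence. Returns 1 if SMCCC_ARCH_WORKAROUND_1
 * must be invoked on this CPU, 0 if firmware says it is not required, and
 * -1 if discovery is impossible (SMCCC 1.0 firmware: treat as unmitigated).
 */
static int client_probe_workaround_1(void)
{
	/* 1. Only PSCI_FEATURES is guaranteed to exist; a pre-1.1 firmware
	 *    reports NOT_SUPPORTED here and SMCCC_VERSION must not be called. */
	if (el3_smc_handler(PSCI_FEATURES, SMCCC_VERSION) != PSCI_E_SUCCESS)
		return -1;
	/* 2. Read the version; SMCCC_ARCH_FEATURES exists only from 1.1. */
	int32_t ver = el3_smc_handler(SMCCC_VERSION, 0);
	if (ver < SMCCC_VERSION_1_1)
		return -1;
	/* 3. Probe the specific function before ever calling it. */
	int32_t r = el3_smc_handler(SMCCC_ARCH_FEATURES, SMCCC_ARCH_WORKAROUND_1);
	if (r == SMCCC_NOT_SUPPORTED)
		return -1;
	return r == 0 ? 1 : 0;
}

/* Scenario wrappers so both model states can be exercised by name. */
static int probe_on_affected_cpu(void)   { affected_cpu = true;  return client_probe_workaround_1(); }
static int probe_on_unaffected_cpu(void) { affected_cpu = false; return client_probe_workaround_1(); }

int main(void)
{
	printf("SMCCC_VERSION -> 0x%x\n", (unsigned)el3_smc_handler(SMCCC_VERSION, 0));
	printf("workaround needed on affected CPU: %d\n", probe_on_affected_cpu());
	printf("workaround needed on unaffected CPU: %d\n", probe_on_unaffected_cpu());
	return 0;
}
```

The ordering matters: a client that calls ``SMCCC_VERSION`` without first
asking ``PSCI_FEATURES`` about it will get an undefined result from SMCCC 1.0
firmware, which is why the PSCI hook was added alongside the new SMCCC calls.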
- Enhancements to Firmware Update feature:

  - Updated the FWU documentation to describe the additional images needed for
    Firmware update, and how they are used for both the Juno platform and the
    Arm FVP platforms.

- Enhancements to Trusted Board Boot feature:

  - Added support to cert_create tool for RSA PKCS#1 v1.5 and SHA384, SHA512
    and SHA256.

  - For Arm platforms added support to use ECDSA keys.

  - Enhanced the mbed TLS wrapper layer to include support for both RSA and
    ECDSA to enable runtime selection between RSA and ECDSA keys.

- Added support for secure interrupt handling in AArch32 sp_min, hardcoded to
  only handle FIQs.

- Added support to allow a platform to load images from multiple boot sources,
  for example from a second flash drive.

- Added a logging framework that allows platforms to reduce the logging level
  at runtime; additionally, the prefix string can be defined by the platform.

- Further improvements to register initialisation:

  - Control register PMCR_EL0 / PMCR is set to prohibit cycle counting in the
    secure world. This register is added to the list of registers that are
    saved and restored during world switch.

  - When EL3 is running in AArch32 execution state, the Non-secure version of
    SCTLR is explicitly initialised during the warmboot flow rather than
    relying on the hardware to set the correct reset values.

- Enhanced support for Arm platforms:

  - Introduced driver for Shared-Data-Structure (SDS) framework which is used
    for communication between SCP and the AP CPU, replacing the Boot-Over-MHU
    (BOM) protocol.

    The Juno platform is migrated to use SDS with the SCMI support added in
    v1.4 and is set as default.

    The driver can be found in the plat/arm/css/drivers folder.
  - Improved memory usage by only mapping the TSP memory region when the TSPD
    has been included in the build. This reduces the memory footprint and
    avoids unnecessary memory being mapped.

  - Updated support for multi-threading CPUs for FVP platforms - always check
    the MT field in MPIDR and access the bit fields accordingly.

  - Support building for platforms that model DynamIQ configuration by
    implementing all CPUs in a single cluster.

  - Improved NOR flash driver, for instance clearing status registers before
    sending commands. The driver can be found in the plat/arm/board/common
    folder.

- Enhancements to QEMU platform:

  - Added support for TBB.

  - Added support for using OP-TEE pageable image.

  - Added support for LOAD_IMAGE_V2.

  - Migrated to use translation table library v2 by default.

  - Added support for SEPARATE_CODE_AND_RODATA.

- Applied workarounds for CVE-2017-5715 on Arm Cortex-A57, -A72, -A73 and
  -A75, and for Armv7-A CPUs Cortex-A9, -A15 and -A17.

- Applied errata workaround for Arm Cortex-A57: 859972.

- Applied errata workaround for Arm Cortex-A72: 859971.

- Added support for Poplar 96Board platform.

- Added support for Raspberry Pi 3 platform.

- Added Call Frame Information (CFI) assembler directives to the vector entries
  which enables debuggers to display the backtrace of functions that triggered
  a synchronous abort.

- Added ability to build dtb.

- Added support for pre-tool (cert_create and fiptool) image processing
  enabling compression of the image files before processing by cert_create and
  fiptool.

  This can reduce fip size and may also speed up loading of images. The image
  verification will also get faster because certificates are generated based on
  the compressed images.
  Imported zlib 1.2.11 to implement gunzip(), used to decompress the
  compressed images.

- Enhancements to fiptool:

  - Enabled the fiptool to be built using Visual Studio.

  - Added padding bytes at the end of the last image in the fip to
    facilitate transfer by DMA.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- TF-A can be built with optimisations disabled (-O0).

- Memory layout updated to enable Trusted Board Boot on Juno platform when
  running TF-A in AArch32 execution mode (resolving `tf-issue#501`_).

Known Issues
^^^^^^^^^^^^

- DTB creation not supported when building on a Windows host. This step in the
  build process is skipped when running on a Windows host.

Version 1.4
-----------

New features
^^^^^^^^^^^^

- Enabled support for platforms with hardware assisted coherency.

  A new build option HW_ASSISTED_COHERENCY allows platforms to take advantage
  of the following optimisations:

  - Skip performing cache maintenance during power-up and power-down.

  - Use spin-locks instead of bakery locks.

  - Enable data caches early on warm-booted CPUs.

- Added support for Cortex-A75 and Cortex-A55 processors.

  Both Cortex-A75 and Cortex-A55 processors use the Arm DynamIQ Shared Unit
  (DSU). The power-down and power-up sequences are therefore mostly managed in
  hardware, reducing complexity of the software operations.

- Introduced Arm GIC-600 driver.

  Arm GIC-600 IP complies with the Arm GICv3 architecture. For FVP platforms,
  the GIC-600 driver is chosen when FVP_USE_GIC_DRIVER is set to FVP_GIC600.

- Updated GICv3 support:

  - Introduced power management APIs for GICv3 Redistributor. These APIs
    allow platforms to power down the Redistributor during CPU power on/off.
    Requires the GICv3 implementations to have power management operations.

    Implemented the power management APIs for FVP.

  - GIC driver data is flushed by the primary CPU so that secondary CPUs do
    not read stale GIC data.

- Added support for Arm System Control and Management Interface v1.0 (SCMI).

  The SCMI driver implements the power domain management and system power
  management protocol of the SCMI specification (Arm DEN 0056A) for
  communicating with any compliant power controller.

  Support is added for the Juno platform. The driver can be found in the
  plat/arm/css/drivers folder.

- Added support to enable pre-integration of TBB with the Arm TrustZone
  CryptoCell product, to take advantage of its hardware Root of Trust and
  crypto acceleration services.

- Enabled Statistical Profiling Extensions for lower ELs.

  The firmware support is limited to the use of SPE in the Non-secure state
  and accesses to the SPE specific registers from S-EL1 will trap to EL3.

  SPE is architecturally specified for AArch64 only.

- Code hygiene changes aligned with MISRA guidelines:

  - Fixed signed / unsigned comparison warnings in the translation table
    library.

  - Added U(_x) macro and together with the existing ULL(_x) macro fixed
    some of the signed-ness defects flagged by the MISRA scanner.

- Enhancements to Firmware Update feature:

  - The FWU logic now checks for overlapping images to prevent execution of
    unauthenticated arbitrary code.

  - Introduced new FWU_SMC_IMAGE_RESET SMC that changes the image loading
    state machine to go from COPYING, COPIED or AUTHENTICATED states to
    RESET state. Previously, this was only possible when the authentication
    of an image failed or when the execution of the image finished.
  - Fixed integer overflow which addressed TFV-1: Malformed Firmware Update
    SMC can result in copy of unexpectedly large data into secure memory.

- Introduced support for Arm Compiler 6 and LLVM (clang).

  TF-A can now also be built with the Arm Compiler 6 or the clang compilers.
  The assembler and linker must be provided by the GNU toolchain.

  Tested with Arm CC 6.7 and clang 3.9.x and 4.0.x.

- Memory footprint improvements:

  - Introduced `tf_snprintf`, a reduced version of `snprintf` which has
    support for a limited set of formats.

    The mbedtls driver is updated to optionally use `tf_snprintf` instead of
    `snprintf`.

  - The `assert()` is updated to no longer print the function name, and
    additional logging options are supported via an optional platform define
    `PLAT_LOG_LEVEL_ASSERT`, which controls how verbose the assert output is.

- Enhancements to TF-A support when running in AArch32 execution state:

  - Support booting SP_MIN and BL33 in AArch32 execution mode on Juno. Due to
    hardware limitations, BL1 and BL2 boot in AArch64 state and there is
    additional trampoline code to warm reset into SP_MIN in AArch32 execution
    state.

  - Added support for Arm Cortex-A53/57/72 MPCore processors including the
    errata workarounds that are already implemented for AArch64 execution
    state.

  - For FVP platforms, added AArch32 Trusted Board Boot support, including the
    Firmware Update feature.

- Introduced Arm SiP service for use by Arm standard platforms.

  - Added new Arm SiP Service SMCs to enable the Non-secure world to read PMF
    timestamps.

    Added PMF instrumentation points in TF-A in order to quantify the
    overall time spent in the PSCI software implementation.

  - Added new Arm SiP service SMC to switch execution state.
    This allows the lower exception level to change its execution state from
    AArch64 to AArch32, or vice versa, via a request to EL3.

- Migrated to use SPDX[0] license identifiers to make software license
  auditing simpler.

  .. note::
     Files that have been imported from FreeBSD have not been modified.

  [0]: https://spdx.org/

- Enhancements to the translation table library:

  - Added version 2 of translation table library that allows different
    translation tables to be modified by using different 'contexts'. Version 1
    of the translation table library only allows the current EL's translation
    tables to be modified.

    Version 2 of the translation table library also added support for dynamic
    regions; regions that can be added and removed dynamically whilst the
    MMU is enabled. Static regions can only be added or removed before the
    MMU is enabled.

    The dynamic mapping functionality is enabled or disabled when compiling
    by setting the build option PLAT_XLAT_TABLES_DYNAMIC to 1 or 0. This can
    be done per-image.

  - Added support for translation regimes with two virtual address spaces
    such as the one shared by EL1 and EL0.

    The library does not support initializing translation tables for EL0
    software.

  - Added support to mark the translation tables as non-cacheable using an
    additional build option `XLAT_TABLE_NC`.

- Added support for GCC stack protection. A new build option
  ENABLE_STACK_PROTECTOR was introduced that enables compilation of all BL
  images with one of the GCC -fstack-protector-* options.

  A new platform function plat_get_stack_protector_canary() was introduced
  that returns a value used to initialize the canary for stack corruption
  detection. For increased effectiveness of protection, platforms must provide
  an implementation that returns a random value.
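Why the canary returned by ``plat_get_stack_protector_canary()`` has to be
unpredictable is easiest to see with a small model, added here as an example
and not taken from TF-A. The ``frame`` array below stands in for one guarded
stack frame: a 16-byte buffer followed by the 8-byte canary, so an over-long
copy into the buffer runs into the canary exactly as it would on a real stack.
``canary_fixed()`` is the weak platform choice (a constant that can be read out
of the firmware binary); ``canary_random()`` is a constructed xorshift generator
standing in for a hardware RNG read, which a real platform must replace with a
TRNG or another unpredictable source.

```c
/*
 * Why plat_get_stack_protector_canary() must return a random value.
 * Added example, not TF-A code: a constructed software model of one guarded
 * stack frame. `frame` holds a 16-byte buffer followed by an 8-byte canary,
 * so an over-long copy into the buffer runs into the canary exactly as it
 * would on a real stack. The xorshift64 generator stands in for a hardware
 * RNG read; a real platform must use a TRNG or another unpredictable source.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    16
#define CANARY_LEN 8
#define FRAME_LEN  (BUF_LEN + CANARY_LEN)

/* Weak platform choice: a constant, recoverable from the firmware binary. */
static uint64_t canary_fixed(void)
{
	return 0xDEADBEEFCAFEBABEULL;
}

/* Stronger platform choice: fresh per boot (constructed RNG stand-in). */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t canary_random(void)
{
	rng_state ^= rng_state << 13;
	rng_state ^= rng_state >> 7;
	rng_state ^= rng_state << 17;
	return rng_state;
}

/*
 * A function that copies `len` attacker-controlled bytes into a 16-byte local
 * buffer guarded by a canary. Returns true if the epilogue check passes, i.e.
 * the copy was in bounds or the corruption went undetected.
 */
static bool run_guarded_copy(uint64_t (*get_canary)(void),
			     const uint8_t *payload, size_t len)
{
	uint8_t frame[FRAME_LEN];
	uint64_t canary = get_canary();
	uint64_t after;

	memcpy(frame + BUF_LEN, &canary, CANARY_LEN);	/* prologue: store canary */
	if (len > FRAME_LEN)
		len = FRAME_LEN;			/* keep the model in bounds */
	memcpy(frame, payload, len);			/* the unchecked copy */
	memcpy(&after, frame + BUF_LEN, CANARY_LEN);	/* epilogue: reload canary */
	return after == canary;				/* a mismatch would panic */
}

/* Legitimate 16-byte input: the check passes whatever the canary is. */
static bool scenario_benign(uint64_t (*get_canary)(void))
{
	uint8_t payload[BUF_LEN];

	memset(payload, 'A', sizeof payload);
	return run_guarded_copy(get_canary, payload, sizeof payload);
}

/* 24 bytes of filler overrun the canary: any canary value detects this. */
static bool scenario_blind_overflow(uint64_t (*get_canary)(void))
{
	uint8_t payload[FRAME_LEN];

	memset(payload, 'A', sizeof payload);
	return run_guarded_copy(get_canary, payload, sizeof payload);
}

/*
 * The attacker rewrites the canary slot with the value they expect. Against
 * canary_fixed() that value is the constant in the binary, so the check passes
 * and the overflow is invisible; against canary_random() the guess is stale.
 */
static bool scenario_forged_overflow(uint64_t (*get_canary)(void))
{
	uint8_t payload[FRAME_LEN];
	uint64_t guess = canary_fixed();	/* what reverse engineering recovers */

	memset(payload, 'A', BUF_LEN);
	memcpy(payload + BUF_LEN, &guess, CANARY_LEN);
	return run_guarded_copy(get_canary, payload, sizeof payload);
}

int main(void)
{
	printf("fixed canary, forged overflow undetected: %d\n",
	       scenario_forged_overflow(canary_fixed));
	printf("random canary, forged overflow undetected: %d\n",
	       scenario_forged_overflow(canary_random));
	return 0;
}
```

The blind overflow is caught either way; only the forged overflow separates the
two platform implementations, and that is the case an attacker who has the
firmware image will always be in.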
- Enhanced support for Arm platforms:

  - Added support for multi-threading CPUs, indicated by the `MT` field in
    MPIDR. A new build flag `ARM_PLAT_MT` is added, and when enabled, the
    functions accessing MPIDR assume that the `MT` bit is set for the platform
    and access the bit fields accordingly.

    Also, a new API `plat_arm_get_cpu_pe_count` is added when `ARM_PLAT_MT` is
    enabled, returning the Processing Element count within the physical CPU
    corresponding to `mpidr`.

  - The Arm platforms migrated to use version 2 of the translation tables.

  - Introduced a new Arm platform layer API `plat_arm_psci_override_pm_ops`
    which allows Arm platforms to modify `plat_arm_psci_pm_ops` and therefore
    dynamically define PSCI capability.

  - The Arm platforms migrated to use IMAGE_LOAD_V2 by default.

- Enhanced reporting of errata workaround status with the following policy:

  - If an errata workaround is enabled:

    - If it applies (i.e. the CPU is affected by the erratum), an INFO message
      is printed, confirming that the errata workaround has been applied.

    - If it does not apply, a VERBOSE message is printed, confirming that the
      errata workaround has been skipped.

  - If an errata workaround is not enabled, but would have applied had it
    been, a WARN message is printed, alerting that the errata workaround is
    missing.

- Added build options ARM_ARCH_MAJOR and ARM_ARCH_MINOR to choose the
  architecture version to target TF-A.

- Updated the spin lock implementation to use the more efficient CAS (Compare
  And Swap) instruction when available. This instruction was introduced in
  Armv8.1-A.

- Applied errata workaround for Arm Cortex-A53: 855873.

- Applied errata workaround for Arm Cortex-A57: 813419.
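The Firmware Update items earlier in this release (rejecting overlapping
images, the FWU_SMC_IMAGE_RESET transitions, and the TFV-1 integer-overflow
fix) all come down to the checks an image-copy handler must make before it moves
attacker-supplied bytes into secure memory. The model below is an added example
and not TF-A's firmware update code: the image table, the secure memory window,
the error codes and the ``naive_fits``/``safe_fits`` helpers are constructed;
the state names and the reset transitions are those the notes list.

```c
/*
 * Model of the checks an FWU image-copy handler must make. Added example,
 * not TF-A's firmware update code: the image table, the secure memory window
 * and the error codes are constructed; the state names and the
 * FWU_SMC_IMAGE_RESET transitions are those listed in the release notes.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum fwu_state { RESET, COPYING, COPIED, AUTHENTICATED };

struct fwu_image {
	enum fwu_state state;
	uint64_t base;		/* destination in secure memory */
	uint64_t size;		/* total size announced with the first block */
	uint64_t copied;	/* bytes received so far */
};

/* Constructed secure memory window that receives images */
#define SEC_MEM_BASE	0x04000000ULL
#define SEC_MEM_SIZE	0x00100000ULL

#define FWU_OK		 0
#define FWU_E_INVALID	-1
#define FWU_E_OVERLAP	-2
#define FWU_E_STATE	-3

/* The TFV-1 pattern: a + b wraps when b is huge, so the check passes. */
static bool naive_fits(uint64_t a, uint64_t b, uint64_t limit)
{
	return a + b <= limit;
}

/* Overflow-safe form: rule out the wrap before comparing. */
static bool safe_fits(uint64_t a, uint64_t b, uint64_t limit)
{
	return b <= limit && a <= limit - b;
}

/* Do half-open ranges [a0, a1) and [b0, b1) overlap? Inputs are wrap-free. */
static bool ranges_overlap(uint64_t a0, uint64_t a1, uint64_t b0, uint64_t b1)
{
	return a0 < b1 && b0 < a1;
}

/* One IMAGE_COPY block for imgs[idx]; dst/image_size are the SMC arguments,
 * fixed by the first block and required to repeat on later blocks. */
static int fwu_image_copy(struct fwu_image *imgs, size_t n, size_t idx,
			  uint64_t dst, uint64_t block_size, uint64_t image_size)
{
	struct fwu_image *img = &imgs[idx];

	if (block_size == 0 || image_size == 0)
		return FWU_E_INVALID;
	if (img->state == RESET) {
		/* destination must sit inside secure memory without wrapping */
		if (dst < SEC_MEM_BASE ||
		    !safe_fits(dst - SEC_MEM_BASE, image_size, SEC_MEM_SIZE))
			return FWU_E_INVALID;
		/* and must not overlap any image that is still in use */
		for (size_t i = 0; i < n; i++) {
			if (i == idx || imgs[i].state == RESET)
				continue;
			if (ranges_overlap(dst, dst + image_size, imgs[i].base,
					   imgs[i].base + imgs[i].size))
				return FWU_E_OVERLAP;
		}
		img->base = dst;
		img->size = image_size;
		img->copied = 0;
		img->state = COPYING;
	} else if (img->state != COPYING || dst != img->base ||
		   image_size != img->size) {
		return FWU_E_STATE;
	}
	/* the vulnerable form was "copied + block_size <= size" */
	if (!safe_fits(img->copied, block_size, img->size))
		return FWU_E_INVALID;
	img->copied += block_size;
	if (img->copied == img->size)
		img->state = COPIED;
	return FWU_OK;
}

/* FWU_SMC_IMAGE_RESET: COPYING, COPIED or AUTHENTICATED back to RESET. */
static int fwu_image_reset(struct fwu_image *img)
{
	if (img->state == RESET)
		return FWU_E_STATE;
	img->state = RESET;
	img->base = img->size = img->copied = 0;
	return FWU_OK;
}

/* Constructed sequence; returns how many steps behaved as expected (7). */
static int fwu_scenario(void)
{
	struct fwu_image t[2] = { { RESET, 0, 0, 0 }, { RESET, 0, 0, 0 } };
	int ok = 0;

	ok += fwu_image_copy(t, 2, 0, SEC_MEM_BASE, 0x1000, 0x4000) == FWU_OK;
	/* image 1 inside image 0's range is rejected; directly after it is fine */
	ok += fwu_image_copy(t, 2, 1, SEC_MEM_BASE + 0x2000, 0x100, 0x1000) == FWU_E_OVERLAP;
	ok += fwu_image_copy(t, 2, 1, SEC_MEM_BASE + 0x4000, 0x1000, 0x1000) == FWU_OK;
	ok += t[1].state == COPIED;
	/* TFV-1 class block size: copied + block would wrap past size */
	ok += fwu_image_copy(t, 2, 0, SEC_MEM_BASE, UINT64_MAX, 0x4000) == FWU_E_INVALID;
	ok += fwu_image_copy(t, 2, 0, SEC_MEM_BASE, 0x3000, 0x4000) == FWU_OK && t[0].state == COPIED;
	/* after a reset, an image size that wraps the window is refused */
	ok += fwu_image_reset(&t[0]) == FWU_OK &&
	      fwu_image_copy(t, 2, 0, SEC_MEM_BASE, 0x1000, UINT64_MAX) == FWU_E_INVALID;
	return ok;
}
```

``naive_fits(0x1000, UINT64_MAX, 0x4000)`` returns true because the sum wraps
to ``0xFFF``; that is the shape of the TFV-1 defect, and every size arithmetic
on SMC arguments in this path needs the ``safe_fits`` form instead.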
- Enabled all A53 and A57 errata workarounds for Juno, both in AArch64 and
  AArch32 execution states.

- Added support for Socionext UniPhier SoC platform.

- Added support for Hikey960 and Hikey platforms.

- Added support for Rockchip RK3328 platform.

- Added support for NVIDIA Tegra T186 platform.

- Added support for DesignWare eMMC driver.

- Imported libfdt v1.4.2 that addresses buffer overflow in fdt_offset_ptr().

- Enhanced the CPU operations framework to allow power handlers to be
  registered on a per-level basis. This enables support for future CPUs that
  have multiple threads which might need powering down individually.

- Updated register initialisation to prevent unexpected behaviour:

  - Debug registers MDCR_EL3/SDCR and MDCR_EL2/HDCR are initialised to avoid
    unexpected traps into the higher exception levels and disable secure
    self-hosted debug. Additionally, secure privileged external debug on
    Juno is disabled by programming the appropriate Juno SoC registers.

  - EL2 and EL3 configurable controls are initialised to avoid unexpected
    traps in the higher exception levels.

  - Essential control registers are fully initialised on EL3 start-up, when
    initialising the non-secure and secure context structures and when
    preparing to leave EL3 for a lower EL. This gives better alignment with
    the Arm ARM which states that software must initialise RES0 and RES1
    fields with 0 / 1.

- Enhanced PSCI support:

  - Introduced new platform interfaces that decouple PSCI stat residency
    calculation from PMF, enabling platforms to use alternative methods of
    capturing timestamps.

  - PSCI stat accounting performed for retention/standby states when
    requested at multiple power levels.

- Simplified fiptool to have a single linked list of image descriptors.
- For the TSP, resolved corruption of pre-empted secure context by aborting any
  pre-empted SMC during PSCI power management requests.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- TF-A can be built with the latest mbed TLS version (v2.4.2). The earlier
  version 2.3.0 cannot be used due to build warnings that the TF-A build
  system interprets as errors.

- TBBR, including the Firmware Update feature, is now supported on FVP
  platforms when running TF-A in AArch32 state.

- The version of the AEMv8 Base FVP used in this release has resolved the issue
  of the model executing a reset instead of terminating in response to a
  shutdown request using the PSCI SYSTEM_OFF API.

Known Issues
^^^^^^^^^^^^

- Building TF-A with compiler optimisations disabled (-O0) fails.

- Trusted Board Boot currently does not work on Juno when running Trusted
  Firmware in AArch32 execution state due to an error when loading sp_min into
  memory because of a lack of free space. See `tf-issue#501`_ for more
  details.

- The errata workaround for A53 erratum 843419 is only available from binutils
  2.26 and is not present in GCC 4.9. If this erratum is applicable to the
  platform, please use a GCC compiler version of at least 5.0. See `PR#1002`_
  for more details.

Version 1.3
-----------

New features
^^^^^^^^^^^^

- Added support for running TF-A in AArch32 execution state.

  The PSCI library has been refactored to allow integration with **EL3 Runtime
  Software**. This is software that is executing at the highest secure
  privilege which is EL3 in AArch64 or Secure SVC/Monitor mode in AArch32. See
  :ref:`PSCI Library Integration guide for Armv8-A AArch32 systems`.
  Included is a minimal AArch32 Secure Payload, **SP-MIN**, that illustrates
  the usage and integration of the PSCI library with EL3 Runtime Software
  running in AArch32 state.

  Booting to the BL1/BL2 images as well as booting straight to the Secure
  Payload is supported.

- Improvements to the initialization framework for the PSCI service and Arm
  Standard Services in general.

  The PSCI service is now initialized as part of Arm Standard Service
  initialization. This consolidates the initializations of any Arm Standard
  Service that may be added in the future.

  A new function ``get_arm_std_svc_args()`` is introduced to get arguments
  corresponding to each standard service and must be implemented by the EL3
  Runtime Software.

  For PSCI, a new versioned structure ``psci_lib_args_t`` is introduced to
  initialize the PSCI Library. **Note** this is a compatibility break due to
  the change in the prototype of ``psci_setup()``.

- To support AArch32 builds of BL1 and BL2, implemented a new, alternative
  firmware image loading mechanism that adds flexibility.

  The current mechanism has a hard-coded set of images and execution order
  (BL31, BL32, etc). The new mechanism is data-driven by a list of image
  descriptors provided by the platform code.

  Arm platforms have been updated to support the new loading mechanism.

  The new mechanism is enabled by a build flag (``LOAD_IMAGE_V2``) which is
  currently off by default for the AArch64 build.

  **Note** ``TRUSTED_BOARD_BOOT`` is currently not supported when
  ``LOAD_IMAGE_V2`` is enabled.

- Updated requirements for making contributions to TF-A.

  Commits now must have a 'Signed-off-by:' field to certify that the
  contribution has been made under the terms of the
  :download:`Developer Certificate of Origin <../dco.txt>`.
3579 3580 A signed CLA is no longer required. 3581 3582 The :ref:`Contributor's Guide` has been updated to reflect this change. 3583 3584- Introduced Performance Measurement Framework (PMF) which provides support 3585 for capturing, storing, dumping and retrieving time-stamps to measure the 3586 execution time of critical paths in the firmware. This relies on defining 3587 fixed sample points at key places in the code. 3588 3589- To support the QEMU platform port, imported libfdt v1.4.1 from 3590 https://git.kernel.org/pub/scm/utils/dtc/dtc.git 3591 3592- Updated PSCI support: 3593 3594 - Added support for PSCI NODE_HW_STATE API for Arm platforms. 3595 3596 - New optional platform hook, ``pwr_domain_pwr_down_wfi()``, in 3597 ``plat_psci_ops`` to enable platforms to perform platform-specific actions 3598 needed to enter powerdown, including the 'wfi' invocation. 3599 3600 - PSCI STAT residency and count functions have been added on Arm platforms 3601 by using PMF. 3602 3603- Enhancements to the translation table library: 3604 3605 - Limited memory mapping support for region overlaps to only allow regions 3606 to overlap that are identity mapped or have the same virtual to physical 3607 address offset, and overlap completely but must not cover the same area. 3608 3609 This limitation will enable future enhancements without having to 3610 support complex edge cases that may not be necessary. 3611 3612 - The initial translation lookup level is now inferred from the virtual 3613 address space size. Previously, it was hard-coded. 3614 3615 - Added support for mapping Normal, Inner Non-cacheable, Outer 3616 Non-cacheable memory in the translation table library. 3617 3618 This can be useful to map a non-cacheable memory region, such as a DMA 3619 buffer. 3620 3621 - Introduced the MT_EXECUTE/MT_EXECUTE_NEVER memory mapping attributes to 3622 specify the access permissions for instruction execution of a memory 3623 region. 
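The overlap rule above, written out as an added C check. This is illustrative code, not TF-A's xlat_tables implementation: the ``mmap_region`` struct, the function names and the sample addresses are constructed for the example.

```c
/*
 * Illustration of the region overlap rule (hypothetical helper, not TF-A's
 * xlat_tables code). A region is described by its physical base, virtual base
 * and size; the VA->PA offset is base_pa - base_va, and an identity mapping is
 * the special case where that offset is zero. Sizes are assumed small enough
 * that base + size does not wrap around.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint64_t base_pa;
    uint64_t base_va;
    uint64_t size;
} mmap_region;

enum {
    MMAP_OK = 0,
    MMAP_ERR_OFFSET = -1,   /* overlapping regions with different VA->PA offsets */
    MMAP_ERR_PARTIAL = -2,  /* regions overlap without one containing the other */
    MMAP_ERR_SAME = -3      /* both regions cover exactly the same area */
};

/* Half-open interval overlap: [a, a+sa) intersects [b, b+sb). */
static bool ranges_overlap(uint64_t a, uint64_t sa, uint64_t b, uint64_t sb)
{
    return a < b + sb && b < a + sa;
}

/* True if [in, in+isz) lies completely inside [out, out+osz). */
static bool range_within(uint64_t in, uint64_t isz, uint64_t out, uint64_t osz)
{
    return in >= out && in + isz <= out + osz;
}

/* Decide whether `add` may be mapped alongside an existing region `cur`. */
int mmap_check_overlap(const mmap_region *cur, const mmap_region *add)
{
    bool va_ovl = ranges_overlap(cur->base_va, cur->size, add->base_va, add->size);
    bool pa_ovl = ranges_overlap(cur->base_pa, cur->size, add->base_pa, add->size);

    if (!va_ovl && !pa_ovl)
        return MMAP_OK;               /* disjoint in both spaces: nothing to check */

    /* Overlapping regions must map VA to PA with the same offset ... */
    if (cur->base_pa - cur->base_va != add->base_pa - add->base_va)
        return MMAP_ERR_OFFSET;

    /* ... and one of them must completely contain the other. */
    if (!range_within(add->base_va, add->size, cur->base_va, cur->size) &&
        !range_within(cur->base_va, cur->size, add->base_va, add->size))
        return MMAP_ERR_PARTIAL;

    /* Two regions covering exactly the same area are a duplicate mapping. */
    if (add->base_va == cur->base_va && add->size == cur->size)
        return MMAP_ERR_SAME;

    return MMAP_OK;
}

/* Check a candidate region against every region already in the table. */
int mmap_add_region_check(const mmap_region *table, size_t n, const mmap_region *add)
{
    for (size_t i = 0; i < n; i++) {
        int rc = mmap_check_overlap(&table[i], add);
        if (rc != MMAP_OK)
            return rc;
    }
    return MMAP_OK;
}

/* Constructed sample table and candidates (addresses chosen for illustration). */
const mmap_region TABLE[] = {
    { 0x80000000ULL, 0x80000000ULL, 0x00200000ULL },  /* 2 MiB of DRAM, identity mapped */
    { 0x04000000ULL, 0x14000000ULL, 0x00040000ULL },  /* 256 KiB of SRAM, VA = PA + 0x10000000 */
};
#define TABLE_LEN (sizeof(TABLE) / sizeof(TABLE[0]))

const mmap_region DRAM_SUB      = { 0x80100000ULL, 0x80100000ULL, 0x00001000ULL }; /* page inside DRAM, identity */
const mmap_region SRAM_SUB      = { 0x04001000ULL, 0x14001000ULL, 0x00001000ULL }; /* page inside SRAM, same offset */
const mmap_region DRAM_ALIAS    = { 0x80100000ULL, 0x90100000ULL, 0x00001000ULL }; /* same PA, different offset */
const mmap_region DRAM_STRADDLE = { 0x801FF000ULL, 0x801FF000ULL, 0x00002000ULL }; /* crosses the end of DRAM */
const mmap_region DRAM_TWIN     = { 0x80000000ULL, 0x80000000ULL, 0x00200000ULL }; /* exact duplicate of DRAM */

int main(void)
{
    const mmap_region *cands[] = { &DRAM_SUB, &SRAM_SUB, &DRAM_ALIAS, &DRAM_STRADDLE, &DRAM_TWIN };
    const char *names[] = { "dram sub-page", "sram sub-page", "alias", "straddle", "twin" };

    for (size_t i = 0; i < sizeof(cands) / sizeof(cands[0]); i++)
        printf("%-14s -> %d\n", names[i], mmap_add_region_check(TABLE, TABLE_LEN, cands[i]));
    return 0;
}
```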

- Enabled support to isolate code and read-only data on separate memory pages,
  allowing independent access control to be applied to each.

- Enabled the SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and BL31 common
  architectural setup code, preventing fetching instructions from non-secure
  memory when in secure state.

- Enhancements to FIP support:

  - Replaced ``fip_create`` with ``fiptool``, which provides a more consistent
    and intuitive interface as well as additional support to remove an image
    from a FIP file.

  - Enabled printing the SHA256 digest with the info command, allowing quick
    verification of an image within a FIP without having to extract the
    image and run sha256sum on it.

  - Added support for unpacking the contents of an existing FIP file into
    the working directory.

  - Aligned command line options for specifying images to use the same naming
    convention as specified by TBBR and already used in the cert_create tool.

- Refactored the TZC-400 driver to also support memory controllers that
  integrate TZC functionality, for example Arm CoreLink DMC-500. Also added
  DMC-500 specific support.

- Implemented a generic delay timer based on the system generic counter and
  migrated all platforms to use it.

- Enhanced support for Arm platforms:

  - Updated image loading support to make SCP images (SCP_BL2 and SCP_BL2U)
    optional.

  - Enhanced topology description support to allow multi-cluster topology
    definitions.

  - Added an interconnect abstraction layer to help platform ports select the
    right interconnect driver, CCI or CCN, for the platform.

  - Added support to allow loading BL31 in the TZC-secured DRAM instead of
    the default secure SRAM.

  - Added support to use a System Security Control (SSC) Registers Unit,
    enabling TF-A to be compiled to support multiple Arm platforms and
    then select one at runtime.

  - Restricted mapping of Trusted ROM in BL1 to what is actually needed by
    BL1 rather than the entire Trusted ROM region.

  - Flash is now mapped as execute-never by default. This increases security
    by restricting the executable region to what is strictly needed.

- Applied the following errata workarounds for Cortex-A57: 833471, 826977,
  829520, 828024 and 826974.

- Added support for Mediatek MT6795 platform.

- Added support for QEMU virtualization Armv8-A target.

- Added support for Rockchip RK3368 and RK3399 platforms.

- Added support for Xilinx Zynq UltraScale+ MPSoC platform.

- Added support for Arm Cortex-A73 MPCore Processor.

- Added support for Arm Cortex-A72 processor.

- Added support for Arm Cortex-A35 processor.

- Added support for Arm Cortex-A32 MPCore Processor.

- Enabled the preloaded BL33 alternative boot flow, in which BL2 does not load
  BL33 from non-volatile storage and BL31 hands execution over to a preloaded
  BL33. The User Guide has been updated with an example of how to use this
  option with a bootwrapped kernel.

- Added support to build TF-A on a Windows-based host machine.

- Updated Trusted Board Boot prototype implementation:

  - Enabled the ability for a production ROM with TBBR enabled to boot test
    software before a real ROTPK is deployed (e.g. manufacturing mode).
    Added support to use the ROTPK in the certificate without verifying it
    against the platform value when the ``ROTPK_NOT_DEPLOYED`` bit is set.

  - Added support for non-volatile counter authentication to the
    Authentication Module to protect against roll-back.

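The two Trusted Board Boot checks described in the last two points, as an added C example. This is illustrative code, not TF-A's Authentication Module: the structures, the ``ROTPK_NOT_DEPLOYED`` flag bit, the function names and the sample digests are hypothetical, and the certificate's signature is assumed to have been verified before these checks run.

```c
/*
 * Illustration of two TBB checks (hypothetical code, not TF-A's
 * Authentication Module): matching the ROTPK in the trusted key certificate
 * against the platform's ROTPK hash unless the platform is in manufacturing
 * mode (ROTPK_NOT_DEPLOYED set), and refusing certificates whose non-volatile
 * counter is older than the platform's. Assumed: the certificate signature
 * has already been verified, so the values read from it can be trusted.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HASH_LEN 32                      /* SHA-256 digest of the ROTPK */
#define ROTPK_NOT_DEPLOYED (1u << 0)     /* hypothetical platform flag bit */

enum { AUTH_OK = 0, AUTH_ERR_ROTPK = -1, AUTH_ERR_ROLLBACK = -2 };

typedef struct {
    uint8_t  rotpk_hash[HASH_LEN];  /* hash of the public key carried in the cert */
    uint32_t nv_counter;            /* trusted NV counter value in the cert */
} cert_info;

typedef struct {
    uint8_t  rotpk_hash[HASH_LEN];  /* hash fused into the platform (all zero if none yet) */
    uint32_t flags;                 /* e.g. ROTPK_NOT_DEPLOYED during manufacturing */
    uint32_t nv_counter;            /* monotonic counter kept in OTP/NV storage */
} platform_state;

/* Digest comparison without an early exit on the first differing byte. */
static bool hash_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Root of trust: the key in the certificate must match the platform's ROTPK
 * hash, unless no ROTPK has been deployed yet (manufacturing mode). */
int check_rotpk(const platform_state *plat, const cert_info *cert)
{
    if (plat->flags & ROTPK_NOT_DEPLOYED)
        return AUTH_OK;                     /* accept the key in the cert as-is */
    return hash_equal(plat->rotpk_hash, cert->rotpk_hash) ? AUTH_OK : AUTH_ERR_ROTPK;
}

/* Roll-back protection: refuse a certificate whose NV counter is older than
 * the platform's, and advance the platform counter when the certificate is
 * newer. On real hardware the advance is an irreversible OTP write, so it
 * must only happen after every other authentication step has passed. */
int check_nv_counter(platform_state *plat, const cert_info *cert)
{
    if (cert->nv_counter < plat->nv_counter)
        return AUTH_ERR_ROLLBACK;
    if (cert->nv_counter > plat->nv_counter)
        plat->nv_counter = cert->nv_counter;
    return AUTH_OK;
}

/* Run both checks on a copy of the platform state; report the final counter. */
int run_scenario(const platform_state *initial, const cert_info *cert, uint32_t *counter_out)
{
    platform_state plat = *initial;
    int rc = check_rotpk(&plat, cert);
    if (rc == AUTH_OK)
        rc = check_nv_counter(&plat, cert);
    if (counter_out != NULL)
        *counter_out = plat.nv_counter;
    return rc;
}

/* Platform counter value after a scenario, whether or not it passed. */
uint32_t counter_after(const platform_state *initial, const cert_info *cert)
{
    uint32_t ctr = 0;
    (void)run_scenario(initial, cert, &ctr);
    return ctr;
}

/* Constructed sample data: digests are arbitrary patterns, not real key hashes. */
#define R8(x) x, x, x, x, x, x, x, x
#define GOOD_HASH  { R8(0x5a), R8(0xc3), R8(0x3c), R8(0xa5) }
#define OTHER_HASH { R8(0x11), R8(0x22), R8(0x33), R8(0x44) }

const platform_state PLAT_DEPLOYED      = { GOOD_HASH, 0, 2 };
const platform_state PLAT_MANUFACTURING = { { 0 }, ROTPK_NOT_DEPLOYED, 0 };
const cert_info CERT_CURRENT   = { GOOD_HASH, 3 };   /* newer than the platform */
const cert_info CERT_OLD       = { GOOD_HASH, 1 };   /* older: roll-back attempt */
const cert_info CERT_WRONG_KEY = { OTHER_HASH, 3 };  /* signed under a different root */

int main(void)
{
    printf("current cert:  rc=%d, counter now %u\n",
           run_scenario(&PLAT_DEPLOYED, &CERT_CURRENT, NULL),
           (unsigned)counter_after(&PLAT_DEPLOYED, &CERT_CURRENT));
    printf("old cert:      rc=%d\n", run_scenario(&PLAT_DEPLOYED, &CERT_OLD, NULL));
    printf("wrong key:     rc=%d\n", run_scenario(&PLAT_DEPLOYED, &CERT_WRONG_KEY, NULL));
    printf("manufacturing: rc=%d\n", run_scenario(&PLAT_MANUFACTURING, &CERT_WRONG_KEY, NULL));
    return 0;
}
```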

- Updated GICv3 support:

  - Enabled processor power-down and automatic power-on using GICv3.

  - Enabled G1S or G0 interrupts to be configured independently.

  - Changed the FVP default interrupt driver to be the GICv3-only driver.
    **Note** the default build of TF-A will not be able to boot the
    Linux kernel with a GICv2 FDT blob.

  - Enabled wake-up from CPU_SUSPEND to stand-by by temporarily re-routing
    interrupts and then restoring them after resume.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Known issues
^^^^^^^^^^^^

- The version of the AEMv8 Base FVP used in this release resets the model
  instead of terminating its execution in response to a shutdown request using
  the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
  the model.

- Building TF-A with compiler optimisations disabled (``-O0``) fails.

- TF-A cannot be built with mbed TLS version v2.3.0 due to build warnings
  that the TF-A build system interprets as errors.

- TBBR is not currently supported when running TF-A in AArch32 state.

Version 1.2
-----------

New features
^^^^^^^^^^^^

- The Trusted Board Boot implementation on Arm platforms now conforms to the
  mandatory requirements of the TBBR specification.

  In particular, the boot process is now guarded by a Trusted Watchdog, which
  will reset the system in case of an authentication or loading error. On Arm
  platforms, a secure instance of Arm SP805 is used as the Trusted Watchdog.

  Also, a firmware update process has been implemented. It enables
  authenticated firmware to update firmware images from external interfaces to
  SoC Non-Volatile memories. This feature functions even when the current
  firmware in the system is corrupt or missing; it therefore may be used as
  a recovery mode.

- Improvements have been made to the Certificate Generation Tool
  (``cert_create``) as follows.

  - Added support for the Firmware Update process by extending the Chain
    of Trust definition in the tool to include the Firmware Update
    certificate and the required extensions.

  - Introduced a new API that allows one to specify command line options in
    the Chain of Trust description. This makes the declaration of the tool's
    arguments more flexible and easier to extend.

  - The tool has been reworked to follow a data driven approach, which
    makes it easier to maintain and extend.

- Extended the FIP tool (``fip_create``) to support the new set of images
  involved in the Firmware Update process.

- Various memory footprint improvements. In particular:

  - The bakery lock structure for coherent memory has been optimised.

  - The mbed TLS SHA1 functions are not needed, as SHA256 is used to
    generate the certificate signature. Therefore, they have been compiled
    out, reducing the memory footprint of BL1 and BL2 by approximately
    6 KB.

  - On Arm development platforms, each BL stage now individually defines
    the number of regions that it needs to map in the MMU.

- Added the following new design documents:

  - :ref:`Authentication Framework & Chain of Trust`
  - :ref:`Firmware Update (FWU)`
  - :ref:`CPU Reset`
  - :ref:`PSCI Power Domain Tree Structure`

- Applied the new image terminology to the code base and documentation, as
  described in the :ref:`Image Terminology` document.

- The build system has been reworked to improve readability and facilitate
  adding future extensions.

- On Arm standard platforms, BL31 uses the boot console during cold boot
  but switches to the runtime console for any later logs at runtime. The TSP
  uses the runtime console for all output.

- Implemented a basic NOR flash driver for Arm platforms. It programs the
  device using CFI (Common Flash Interface) standard commands.

- Implemented support for booting EL3 payloads on Arm platforms, which
  reduces the complexity of developing EL3 baremetal code by doing essential
  baremetal initialization.

- Provided separate drivers for GICv3 and GICv2. These expect the entire
  software stack to use either GICv2 or GICv3; hybrid GIC software systems
  are no longer supported and the legacy Arm GIC driver has been deprecated.

- Added support for Juno r1 and r2. A single set of Juno TF-A binaries can run
  on Juno r0, r1 and r2 boards. Note that this TF-A version depends on a Linaro
  release that does *not* contain Juno r2 support.

- Added support for MediaTek mt8173 platform.

- Implemented a generic driver for Arm CCN IP.

- Major rework of the PSCI implementation.

  - Added a framework to handle composite power states.

  - Decoupled the notions of affinity instances (which describe the
    hierarchical arrangement of cores) and of power domain topology, instead
    of assuming a one-to-one mapping.

  - Better alignment with version 1.0 of the PSCI specification.

- Added support for the SYSTEM_SUSPEND PSCI API on Arm platforms. When invoked
  on the last running core on a supported platform, this puts the system
  into a low power mode with memory retention.

- Unified the reset handling code as much as possible across BL stages.
  Also introduced some build options to enable optimization of the reset path
  on platforms that support it.

- Added a simple delay timer API, as well as an SP804 timer driver, which is
  enabled on FVP.

- Added support for NVidia Tegra T210 and T132 SoCs.

- Reorganised Arm platform ports to greatly improve code shareability and
  facilitate the reuse of some of this code by other platforms.

- Added support for Arm Cortex-A72 processor in the CPU specific framework.

- Provided better error handling. Platform ports can now define their own
  error handling, for example to perform platform specific bookkeeping or
  post-error actions.

- Implemented a unified driver for Arm Cache Coherent Interconnects used for
  both CCI-400 & CCI-500 IPs. Arm platform ports have been migrated to this
  common driver. The standalone CCI-400 driver has been deprecated.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The Trusted Board Boot implementation has been redesigned to provide greater
  modularity and scalability. See the
  :ref:`Authentication Framework & Chain of Trust` document.
  All missing mandatory features are now implemented.

- The FVP and Juno ports may now use the hash of the ROTPK stored in the
  Trusted Key Storage registers to verify the ROTPK. Alternatively, a
  development public key hash embedded in the BL1 and BL2 binaries might be
  used instead. The location of the ROTPK is chosen at build-time using the
  ``ARM_ROTPK_LOCATION`` build option.

- GICv3 is now fully supported and stable.

Known issues
^^^^^^^^^^^^

- The version of the AEMv8 Base FVP used in this release resets the model
  instead of terminating its execution in response to a shutdown request using
  the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
  the model.

- While this version has low on-chip RAM requirements, there are further
  RAM usage enhancements that could be made.

- The upstream documentation could be improved for structural consistency,
  clarity and completeness.
  In particular, the design documentation is
  incomplete for PSCI, the TSP(D) and the Juno platform.

- Building TF-A with compiler optimisations disabled (``-O0``) fails.

Version 1.1
-----------

New features
^^^^^^^^^^^^

- A prototype implementation of Trusted Board Boot has been added. Boot
  loader images are verified by BL1 and BL2 during the cold boot path. BL1 and
  BL2 use the PolarSSL SSL library to verify certificates and images. The
  OpenSSL library is used to create the X.509 certificates. Support has been
  added to the ``fip_create`` tool to package the certificates in a FIP.

- Support for calling CPU and platform specific reset handlers upon entry into
  BL3-1 during the cold and warm boot paths has been added. This happens after
  another Boot ROM ``reset_handler()`` has already run. This enables a developer
  to perform additional actions or undo actions already performed during the
  first call of the reset handlers, e.g. apply additional errata workarounds.

- Support has been added to demonstrate routing of IRQs to EL3 instead of
  S-EL1 when execution is in the secure world.

- The PSCI implementation now conforms to version 1.0 of the PSCI
  specification. All the mandatory APIs and selected optional APIs are
  supported. In particular, support for the ``PSCI_FEATURES`` API has been
  added. A capability variable is constructed during initialization by
  examining the ``plat_pm_ops`` and ``spd_pm_ops`` exported by the platform and
  the Secure Payload Dispatcher. This is used by the PSCI FEATURES function
  to determine which PSCI APIs are supported by the platform.

- Improvements have been made to the PSCI code as follows.

  - The code has been refactored to remove redundant parameters from
    internal functions.

  - Changes have been made to the code for PSCI ``CPU_SUSPEND``, ``CPU_ON`` and
    ``CPU_OFF`` calls to facilitate an early return to the caller in case a
    failure condition is detected. For example, a PSCI ``CPU_SUSPEND`` call
    returns ``SUCCESS`` to the caller if a pending interrupt is detected early
    in the code path.

  - Optional platform APIs have been added to validate the ``power_state`` and
    ``entrypoint`` parameters early in PSCI ``CPU_ON`` and ``CPU_SUSPEND`` code
    paths.

  - PSCI migrate APIs have been reworked to invoke the SPD hook to determine
    the type of Trusted OS and the CPU it is resident on (if
    applicable). Also, during a PSCI ``MIGRATE`` call, the SPD hook to migrate
    the Trusted OS is invoked.

- It is now possible to build TF-A without marking at least an extra page of
  memory as coherent. The build flag ``USE_COHERENT_MEM`` can be used to
  choose between the two implementations. This has been made possible through
  these changes.

  - An implementation of Bakery locks, where the locks are not allocated in
    coherent memory, has been added.

  - Memory which was previously marked as coherent is now kept coherent
    through the use of software cache maintenance operations.

  Approximately 4K worth of memory is saved for each boot loader stage when
  ``USE_COHERENT_MEM=0``. Building with this setting increases the latencies
  associated with acquire and release of locks. It also requires changes to
  the platform ports.

- It is now possible to specify the name of the FIP at build time by defining
  the ``FIP_NAME`` variable.

- Issues with dependencies on the 'fiptool' makefile target have been
  rectified. The ``fip_create`` tool is now rebuilt whenever its source files
  change.

- The BL3-1 runtime console is now also used as the crash console.
  The crash
  console is changed to SoC UART0 (UART2) from the previous FPGA UART0 (UART0)
  on Juno. In FVP, it is changed from UART0 to UART1.

- CPU errata workarounds are applied only when the revision and part number
  match. This behaviour has been made consistent across the debug and release
  builds. The debug build additionally prints a warning if a mismatch is
  detected.

- It is now possible to issue cache maintenance operations by set/way for a
  particular level of data cache. Levels 1-3 are currently supported.

- The following improvements have been made to the FVP port.

  - The build option ``FVP_SHARED_DATA_LOCATION``, which allowed relocation of
    shared data into the Trusted DRAM, has been deprecated. Shared data is
    now always located at the base of Trusted SRAM.

  - BL2 translation tables have been updated to map only the region of
    DRAM which is accessible to the normal world. This is the region of the 2GB
    DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is
    accessible only to the secure world.

  - BL3-2 can now reside in the top 16MB of DRAM which is accessible only to
    the secure world. This can be done by setting the build flag
    ``FVP_TSP_RAM_LOCATION`` to the value ``dram``.

- Separate translation tables are created for each boot loader image. The
  ``IMAGE_BLx`` build options are used to do this. This allows each stage to
  create mappings only for areas in the memory map that it needs.

- A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been
  added. Details of using it with TF-A can be found in :ref:`OP-TEE Dispatcher`.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The Juno port has been aligned with the FVP port as follows.

  - Support for reclaiming all BL1 RW memory and BL2 memory by overlaying
    the BL3-1/BL3-2 NOBITS sections on top of them has been added to the
    Juno port.

  - The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured
    using the TZC-400 controller to be accessible only to the secure world.

  - The Arm GIC driver is used to configure the GIC-400 instead of using a
    GIC driver private to the Juno port.

  - PSCI ``CPU_SUSPEND`` calls that target a standby state are now supported.

  - The TZC-400 driver is used to configure the controller instead of direct
    accesses to the registers.

- The Linux kernel version referred to in the user guide has DVFS and HMP
  support enabled.

- DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
  CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of
  the Cortex-A57-A53 Base FVPs.

Known issues
^^^^^^^^^^^^

- The Trusted Board Boot implementation is a prototype. There are issues with
  the modularity and scalability of the design. Support for a Trusted
  Watchdog, firmware update mechanism, recovery images and Trusted debug is
  absent. These issues will be addressed in future releases.

- The FVP and Juno ports do not use the hash of the ROTPK stored in the
  Trusted Key Storage registers to verify the ROTPK in the
  ``plat_match_rotpk()`` function. This prevents the correct establishment of
  the Chain of Trust at the first step in the Trusted Board Boot process.

- The version of the AEMv8 Base FVP used in this release resets the model
  instead of terminating its execution in response to a shutdown request using
  the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
  the model.

- GICv3 support is experimental. There are known issues with GICv3
  initialization in the TF-A.

- While this version greatly reduces the on-chip RAM requirements, there are
  further RAM usage enhancements that could be made.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

- The Juno-specific firmware design documentation is incomplete.

Version 1.0
-----------

New features
^^^^^^^^^^^^

- It is now possible to map higher physical addresses using non-flat virtual
  to physical address mappings in the MMU setup.

- Wider use is now made of the per-CPU data cache in BL3-1 to store:

  - Pointers to the non-secure and secure security state contexts.

  - A pointer to the CPU-specific operations.

  - A pointer to PSCI specific information (for example the current power
    state).

  - A crash reporting buffer.

- The following RAM usage improvements result in a BL3-1 RAM usage reduction
  from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction
  across all images from 208KB to 88KB, compared to the previous release.

  - Removed the separate ``early_exception`` vectors from BL3-1 (2KB code size
    saving).

  - Removed NSRAM from the FVP memory map, allowing the removal of one
    (4KB) translation table.

  - Eliminated the internal ``psci_suspend_context`` array, saving 2KB.

  - Correctly dimensioned the PSCI ``aff_map_node`` array, saving 1.5KB in the
    FVP port.

  - Removed the calling CPU mpidr from the bakery lock API, saving 160 bytes.

  - Removed the current CPU mpidr from PSCI common code, saving 160 bytes.

  - Inlined the mmio accessor functions, saving 360 bytes.

  - Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by
    overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime.

  - Made storing the FP register context optional, saving 0.5KB per context
    (8KB on the FVP port, with TSPD enabled and running on 8 CPUs).

  - Implemented a leaner ``tf_printf()`` function, allowing the stack to be
    greatly reduced.

  - Removed coherent stacks from the codebase. Stacks allocated in normal
    memory are now used before and after the MMU is enabled. This saves 768
    bytes per CPU in BL3-1.

  - Reworked the crash reporting in BL3-1 to use less stack.

  - Optimized the EL3 register state stored in the ``cpu_context`` structure
    so that registers that do not change during normal execution are
    re-initialized each time during cold/warm boot, rather than restored
    from memory. This saves about 1.2KB.

  - As a result of some of the above, reduced the runtime stack size in all
    BL images. For BL3-1, this saves 1KB per CPU.

- PSCI SMC handler improvements to correctly handle calls from secure states
  and from AArch32.

- CPU contexts are now initialized from the ``entry_point_info``. BL3-1 fully
  determines the exception level to use for the non-trusted firmware (BL3-3)
  based on the SPSR value provided by the BL2 platform code (or otherwise
  provided to BL3-1). This allows platform code to directly run non-trusted
  firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS
  loader.

- Code refactoring improvements:

  - Refactored ``fvp_config`` into a common platform header.

  - Refactored the fvp gic code to be a generic driver that no longer has an
    explicit dependency on platform code.

  - Refactored the CCI-400 driver to not have a dependency on platform code.

  - Simplified the IO driver so it's no longer necessary to call ``io_init()``
    and moved all the IO storage framework code to one place.

  - Simplified the interface to the TZC-400 driver.

  - Clarified the platform porting interface to the TSP.

  - Reworked the TSPD setup code to support the alternate BL3-2
    initialization flow where BL3-1 generic code hands control to BL3-2,
    rather than expecting the TSPD to hand control directly to BL3-2.

  - Considerable rework to PSCI generic code to support CPU specific
    operations.

- Improved console log output, by:

  - Adding the concept of debug log levels.

  - Rationalizing the existing debug messages and adding new ones.

  - Printing out the version of each BL stage at runtime.

  - Adding support for printing console output from assembler code,
    including when a crash occurs before the C runtime is initialized.

- Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro
  file system and DS-5.

- On the FVP port, made the use of the Trusted DRAM region optional at build
  time (off by default). Normal platforms will not have such a "ready-to-use"
  DRAM area, so it is not a good example to use it.

- Added support for PSCI ``SYSTEM_OFF`` and ``SYSTEM_RESET`` APIs.

- Added support for CPU specific reset sequences, power down sequences and
  register dumping during crash reporting. The CPU specific reset sequences
  include support for errata workarounds.

- Merged the Juno port into the master branch. Added support for CPU hotplug
  and CPU idle. Updated the user guide to describe how to build and run on the
  Juno platform.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Removed the concept of top/bottom image loading. The image loader now
  automatically detects the position of the image inside the current memory
  layout and updates the layout to minimize fragmentation. This resolves the
  image loader limitations of previous releases.
There are currently no 4193 plans to support dynamic image loading. 4194 4195- CPU idle now works on the publicized version of the Foundation FVP. 4196 4197- All known issues relating to the compiler version used have now been 4198 resolved. This TF-A version uses Linaro toolchain 14.07 (based on GCC 4.9). 4199 4200Known issues 4201^^^^^^^^^^^^ 4202 4203- GICv3 support is experimental. The Linux kernel patches to support this are 4204 not widely available. There are known issues with GICv3 initialization in 4205 the TF-A. 4206 4207- While this version greatly reduces the on-chip RAM requirements, there are 4208 further RAM usage enhancements that could be made. 4209 4210- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and 4211 its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. 4212 4213- The Juno-specific firmware design documentation is incomplete. 4214 4215- Some recent enhancements to the FVP port have not yet been translated into 4216 the Juno port. These will be tracked via the tf-issues project. 4217 4218- The Linux kernel version referred to in the user guide has DVFS and HMP 4219 support disabled due to some known instabilities at the time of this 4220 release. A future kernel version will re-enable these features. 4221 4222- DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in 4223 CADI server mode. This is because the ``<SimName>`` reported by the FVP in 4224 this version has changed. For example, for the Cortex-A57x4-A53x4 Base FVP, 4225 the ``<SimName>`` reported by the FVP is ``FVP_Base_Cortex_A57x4_A53x4``, while 4226 DS-5 expects it to be ``FVP_Base_A57x4_A53x4``. 4227 4228 The temporary fix to this problem is to change the name of the FVP in 4229 ``sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml``. 
4230 Change the following line: 4231 4232 :: 4233 4234 <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName> 4235 4236 to 4237 System Generator:FVP_Base_Cortex-A57x4_A53x4 4238 4239 A similar change can be made to the other Cortex-A57-A53 Base FVP variants. 4240 4241Version 0.4 4242----------- 4243 4244New features 4245^^^^^^^^^^^^ 4246 4247- Makefile improvements: 4248 4249 - Improved dependency checking when building. 4250 4251 - Removed ``dump`` target (build now always produces dump files). 4252 4253 - Enabled platform ports to optionally make use of parts of the Trusted 4254 Firmware (e.g. BL3-1 only), rather than being forced to use all parts. 4255 Also made the ``fip`` target optional. 4256 4257 - Specified the full path to source files and removed use of the ``vpath`` 4258 keyword. 4259 4260- Provided translation table library code for potential re-use by platforms 4261 other than the FVPs. 4262 4263- Moved architectural timer setup to platform-specific code. 4264 4265- Added standby state support to PSCI cpu_suspend implementation. 4266 4267- SRAM usage improvements: 4268 4269 - Started using the ``-ffunction-sections``, ``-fdata-sections`` and 4270 ``--gc-sections`` compiler/linker options to remove unused code and data 4271 from the images. Previously, all common functions were being built into 4272 all binary images, whether or not they were actually used. 4273 4274 - Placed all assembler functions in their own section to allow more unused 4275 functions to be removed from images. 4276 4277 - Updated BL1 and BL2 to use a single coherent stack each, rather than one 4278 per CPU. 4279 4280 - Changed variables that were unnecessarily declared and initialized as 4281 non-const (i.e. in the .data section) so they are either uninitialized 4282 (zero init) or const. 4283 4284- Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by 4285 default. The option for it to run in Trusted DRAM remains. 
4286 4287- Implemented a TrustZone Address Space Controller (TZC-400) driver. A 4288 default configuration is provided for the Base FVPs. This means the model 4289 parameter ``-C bp.secure_memory=1`` is now supported. 4290 4291- Started saving the PSCI cpu_suspend 'power_state' parameter prior to 4292 suspending a CPU. This allows platforms that implement multiple power-down 4293 states at the same affinity level to identify a specific state. 4294 4295- Refactored the entire codebase to reduce the amount of nesting in header 4296 files and to make the use of system/user includes more consistent. Also 4297 split platform.h to separate out the platform porting declarations from the 4298 required platform porting definitions and the definitions/declarations 4299 specific to the platform port. 4300 4301- Optimized the data cache clean/invalidate operations. 4302 4303- Improved the BL3-1 unhandled exception handling and reporting. Unhandled 4304 exceptions now result in a dump of registers to the console. 4305 4306- Major rework to the handover interface between BL stages, in particular the 4307 interface to BL3-1. The interface now conforms to a specification and is 4308 more future proof. 4309 4310- Added support for optionally making the BL3-1 entrypoint a reset handler 4311 (instead of BL1). This allows platforms with an alternative image loading 4312 architecture to re-use BL3-1 with fewer modifications to generic code. 4313 4314- Reserved some DDR DRAM for secure use on FVP platforms to avoid future 4315 compatibility problems with non-secure software. 4316 4317- Added support for secure interrupts targeting the Secure-EL1 Payload (SP) 4318 (using GICv2 routing only). Demonstrated this working by adding an interrupt 4319 target and supporting test code to the TSP. Also demonstrated non-secure 4320 interrupt handling during TSP processing. 

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Now support use of the model parameter ``-C bp.secure_memory=1`` in the Base
  FVPs (see **New features**).

- Support for secure world interrupt handling now available (see **New
  features**).

- Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1
  Payload (BL3-2) to execute in Trusted SRAM by default.

- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
  14.04) now correctly reports progress in the console.

- Improved the Makefile structure to make it easier to separate out parts of
  the TF-A for re-use in platform ports. Also, improved target dependency
  checking.

Known issues
^^^^^^^^^^^^

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  the TF-A.

- Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

- TF-A still uses too much on-chip Trusted SRAM. A number of RAM usage
  enhancements have been identified to rectify this situation.

- CPU idle does not work on the advertised version of the Foundation FVP.
  Some FVP fixes are required that are not available externally at the time
  of writing. This can be worked around by disabling CPU idle in the Linux
  kernel.

- Various bugs in TF-A, UEFI and the Linux kernel have been observed when
  using Linaro toolchain versions later than 13.11. Although most of these
  have been fixed, some remain at the time of writing.
  These mainly seem to
  relate to a subtle change in the way the compiler converts between 64-bit
  and 32-bit values (e.g. during casting operations), which reveals
  previously hidden bugs in client code.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

Version 0.3
-----------

New features
^^^^^^^^^^^^

- Support for Foundation FVP Version 2.0 added.
  The documented UEFI configuration disables some devices that are unavailable
  in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can
  be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation
  FVP.

  .. note::
     The software will not work on Version 1.0 of the Foundation FVP.

- Enabled third party contributions. Added a new contributing.md containing
  instructions for how to contribute and updated copyright text in all files
  to acknowledge contributors.

- The PSCI CPU_SUSPEND API has been stabilised to the extent where it can be
  used for entry into power down states with the following restrictions:

  - Entry into standby states is not supported.
  - The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs.

- The PSCI AFFINITY_INFO API has undergone limited testing on the Base FVPs to
  allow experimental use.

- Required C library and runtime header files are now included locally in
  TF-A instead of depending on the toolchain standard include paths. The
  local implementation has been cleaned up and reduced in scope.

- Added I/O abstraction framework, primarily to allow generic code to load
  images in a platform-independent way. The existing image loading code has
  been reworked to use the new framework. Semi-hosting and NOR flash I/O
  drivers are provided.

- Introduced Firmware Image Package (FIP) handling code and tools. A FIP
  combines multiple firmware images with a Table of Contents (ToC) into a
  single binary image. The new FIP driver is another type of I/O driver. The
  Makefile builds a FIP by default and the FVP platform code expects to load a
  FIP from NOR flash, although some support for image loading using
  semi-hosting is retained.

  .. note::
     Building a FIP by default is a non-backwards-compatible change.

  .. note::
     Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into
     DRAM instead of expecting this to be pre-loaded at a known location. This
     is also a non-backwards-compatible change.

  .. note::
     Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that
     it knows the new location to execute from and no longer needs to copy
     particular code modules to DRAM itself.

- Reworked BL2 to BL3-1 handover interface. A new composite structure
  (bl31_args) holds the superset of information that needs to be passed from
  BL2 to BL3-1, including information on how to hand over execution control
  to BL3-2 (if present) and BL3-3 (non-trusted firmware).

- Added library support for CPU context management, allowing the saving and
  restoring of

  - Shared system registers between Secure-EL1 and EL1.
  - VFP registers.
  - Essential EL3 system registers.

- Added a framework for implementing EL3 runtime services. Reworked the PSCI
  implementation to be one such runtime service.

- Reworked the exception handling logic, making use of both SP_EL0 and SP_EL3
  stack pointers for determining the type of exception, managing general
  purpose and system register context on exception entry/exit, and handling
  SMCs. SMCs are directed to the correct EL3 runtime service.

- Added support for a Test Secure-EL1 Payload (TSP) and a corresponding
  Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD
  implements Secure Monitor functionality such as world switching and
  EL1 context management, and is responsible for communication with the TSP.

  .. note::
     The TSPD does not yet contain support for secure world interrupts.

  .. note::
     The TSP/TSPD is not built by default.

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- Support has been added for switching context between secure and normal
  worlds in EL3.

- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` have now been tested (to
  a limited extent).

- The TF-A build artifacts are now placed in the ``./build`` directory and
  sub-directories instead of being placed in the root of the project.

- TF-A is now free from build warnings. Build warnings are now treated as
  errors.

- TF-A now provides C library support locally within the project to maintain
  compatibility between toolchains/systems.

- The PSCI locking code has been reworked so it no longer takes locks in an
  incorrect sequence.

- The RAM-disk method of loading a Linux file-system has been confirmed to
  work with the TF-A and Linux kernel version (based on version 3.13) used
  in this release, for both Foundation and Base FVPs.

Known issues
^^^^^^^^^^^^

The following is a list of issues which are expected to be fixed in the future
releases of TF-A.

- The TrustZone Address Space Controller (TZC-400) is not being programmed
  yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported.

- No support yet for secure world interrupt handling.

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available.
  There are known issues with GICv3 initialization in
  TF-A.

- Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

- TF-A uses too much on-chip Trusted SRAM. Currently the Test Secure-EL1
  Payload (BL3-2) executes in Trusted DRAM since there is not enough SRAM.
  A number of RAM usage enhancements have been identified to rectify this
  situation.

- CPU idle does not work on the advertised version of the Foundation FVP.
  Some FVP fixes are required that are not available externally at the time
  of writing.

- Various bugs in TF-A, UEFI and the Linux kernel have been observed when
  using Linaro toolchain versions later than 13.11. Although most of these
  have been fixed, some remain at the time of writing. These mainly seem to
  relate to a subtle change in the way the compiler converts between 64-bit
  and 32-bit values (e.g. during casting operations), which reveals
  previously hidden bugs in client code.

- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
  14.01) does not report progress correctly in the console. It only seems to
  produce error output, not standard output. It otherwise appears to function
  correctly. Other filesystem versions on the same software stack do not
  exhibit the problem.

- The Makefile structure doesn't make it easy to separate out parts of the
  TF-A for re-use in platform ports, for example if only BL3-1 is required in
  a platform port. Also, dependency checking in the Makefile is flawed.

- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.
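The FIP layout that the Version 0.3 notes above describe (a Table of Contents followed by the packed images), as an added Python parser that validates every ToC entry against the package bounds before a payload is handed to a loader; this is example code written here, not TF-A's fiptool or FIP I/O driver. The header and entry field layout and the 0xAA640001 header name are assumed from later TF-A headers and are not stated on this page; the UUIDs and image contents are constructed.

```python
import struct
import uuid

# Layout assumed from later TF-A firmware_image_package.h, not from this page.
TOC_HEADER_NAME = 0xAA640001
TOC_HEADER = struct.Struct("<IIQ")    # name, serial_number, flags
TOC_ENTRY = struct.Struct("<16sQQQ")  # uuid, offset_address, size, flags
NULL_UUID = bytes(16)                 # an all-zero UUID terminates the ToC

def parse_fip(blob):
    """Return {UUID: payload bytes} after validating every ToC entry.

    Rejects a bad header name, a ToC with no terminator, and any entry whose
    offset/size reaches outside the package: the check a loader must make
    before copying an image to its load address."""
    if len(blob) < TOC_HEADER.size:
        raise ValueError("package shorter than the ToC header")
    name, _serial, _flags = TOC_HEADER.unpack_from(blob, 0)
    if name != TOC_HEADER_NAME:
        raise ValueError("bad ToC header name 0x%08x" % name)
    images, pos = {}, TOC_HEADER.size
    while True:
        if pos + TOC_ENTRY.size > len(blob):
            raise ValueError("ToC is not terminated by a null entry")
        raw_uuid, off, size, _eflags = TOC_ENTRY.unpack_from(blob, pos)
        pos += TOC_ENTRY.size
        if raw_uuid == NULL_UUID:
            return images
        # Written as size > len - off so a C port of the test cannot wrap.
        if off > len(blob) or size > len(blob) - off:
            raise ValueError("entry %s lies outside the package"
                             % uuid.UUID(bytes=raw_uuid))
        images[uuid.UUID(bytes=raw_uuid)] = blob[off:off + size]

def build_fip(images):
    """Constructed packer used only to make a sample: {UUID: bytes} -> blob."""
    toc_len = TOC_HEADER.size + TOC_ENTRY.size * (len(images) + 1)
    toc = bytearray(TOC_HEADER.pack(TOC_HEADER_NAME, 0x12345678, 0))
    payload = bytearray()
    for u, data in images.items():
        toc += TOC_ENTRY.pack(u.bytes, toc_len + len(payload), len(data), 0)
        payload += data
    toc += TOC_ENTRY.pack(NULL_UUID, 0, 0, 0)
    return bytes(toc + payload)

# Constructed sample: two dummy images with made-up UUIDs.
BL31_UUID = uuid.UUID("00000000-0000-0000-0000-000000000031")
BL33_UUID = uuid.UUID("00000000-0000-0000-0000-000000000033")
SAMPLE_FIP = build_fip({BL31_UUID: b"bl31-image", BL33_UUID: b"bl33-image"})
```

Truncating the sample package by a few bytes makes the second entry fail the bounds check, which is the case a loader that trusts the ToC blindly would turn into an out-of-bounds copy.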

Version 0.2
-----------

New features
^^^^^^^^^^^^

- First source release.

- Code for the PSCI suspend feature is supplied, although this is not enabled
  by default since there are known issues (see below).

Issues resolved since last release
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

- The "psci" nodes in the FDTs provided in this release now fully comply
  with the recommendations made in the PSCI specification.

Known issues
^^^^^^^^^^^^

The following is a list of issues which are expected to be fixed in the future
releases of TF-A.

- The TrustZone Address Space Controller (TZC-400) is not being programmed
  yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported.

- No support yet for secure world interrupt handling or for switching context
  between secure and normal worlds in EL3.

- GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  TF-A.

- Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

- Although support for PSCI ``CPU_SUSPEND`` is present, it is not yet stable
  and ready for use.

- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` are implemented but have
  not been tested.

- The TF-A make files result in all build artifacts being placed in the root
  of the project. These should be placed in appropriate sub-directories.

- The compilation of TF-A is not free from compilation warnings. Some of these
  warnings have not been investigated yet so they could mask real bugs.

- TF-A currently uses toolchain/system include files like stdio.h. It should
  provide versions of these within the project to maintain compatibility
  between toolchains/systems.

- The PSCI code takes some locks in an incorrect sequence. This may cause
  problems with suspend and hotplug in certain conditions.

- The Linux kernel used in this release is based on version 3.12-rc4. Using
  this kernel with the TF-A fails to start the file-system as a RAM-disk. It
  fails to execute user-space ``init`` from the RAM-disk. As an alternative,
  the VirtioBlock mechanism can be used to provide a file-system to the
  kernel.

--------------

*Copyright (c) 2013-2020, Arm Limited and Contributors. All rights reserved.*