| Change Log & Release Notes |
| ========================== |
| |
| This document contains a summary of the new features, changes, fixes and known |
| issues in each release of Trusted Firmware-A. |
| |
| Version 2.5 |
| ----------- |
| |
| New Features |
| ^^^^^^^^^^^^ |
| |
| - Architecture support |
| - Added support for speculation barrier(``FEAT_SB``) for non-Armv8.5 |
| platforms starting from Armv8.0 |
| - Added support for Activity Monitors Extension version 1.1(``FEAT_AMUv1p1``) |
| - Added helper functions for Random number generator(``FEAT_RNG``) registers |
| - Added support for Armv8.6 Multi-threaded PMU extensions (``FEAT_MTPMU``) |
| - Added support for MTE Asymmetric Fault Handling extensions(``FEAT_MTE3``) |
| - Added support for Privileged Access Never extensions(``FEAT_PANx``) |
| |
| - Bootloader images |
| - Added PIE support for AArch32 builds |
| - Enable Trusted Random Number Generator service for BL32(sp_min) |
| |
| - Build System |
| - Added build option for Arm Feature Modifiers |
| |
| - Drivers |
| - Added support for interrupts in TZC-400 driver |
| |
| - Broadcom |
| - Added support for I2C, MDIO and USB drivers |
| |
| - Marvell |
| - Added support for secure read/write of dfc register-set |
| - Added support for thermal sensor driver |
| - Implement a3700_core_getc API in console driver |
| - Added rx training on 10G port |
| |
| - Marvell Mochi |
| - Added support for cn913x in PCIe mode |
| |
| - Marvell Armada A8K |
| - Added support for TRNG-IP-76 driver and accessing RNG register |
| |
| - Mediatek MT8192 |
| - Added support for following drivers |
| - MPU configuration for SCP/PCIe |
| - SPM suspend |
| - Vcore DVFS |
| - LPM |
| - PTP3 |
| - UART save and restore |
| - Power-off |
| - PMIC |
| - CPU hotplug and MCDI support |
| - SPMC |
| - MPU |
| |
| - Mediatek MT8195 |
| - Added support for following drivers |
| - GPIO, NCDI, SPMC drivers |
| - Power-off |
| - CPU hotplug, reboot and MCDI |
| - Delay timer and sys timer |
| - GIC |
| |
| - NXP |
| - Added support for |
| - non-volatile storage API |
| - chain of trust and trusted board boot using two modes: MBEDTLS and CSF |
| - fip-handler necessary for DDR initialization |
| - SMMU and console drivers |
| - crypto hardware accelerator driver |
| - following drivers: SD, EMMC, QSPI, FLEXSPI, GPIO, GIC, CSU, PMU, DDR |
| - NXP Security Monitor and SFP driver |
| - interconnect config APIs using ARM CCN-CCI driver |
| - TZC APIs to configure DDR region |
| - generic timer driver |
| - Device configuration driver |
| |
| - IMX |
| - Added support for image loading and io-storage driver for TBBR fip booting |
| |
| - Renesas |
| - Added support for PFC and EMMC driver |
| |
| - RZ Family: |
| - G2N, G2E and G2H SoCs |
| - Added support for watchdog, QoS, PFC and DRAM initialization |
| |
| - RZG Family: |
| - G2M |
| - Added support for QoS and DRAM initialization |
| |
| - Xilinx |
| - Added JTAG DCC support for Versal and ZynqMP SoC family. |
| |
| - Libraries |
| - C standard library |
| - Added support to print ``%`` in ``snprintf()`` and ``printf()`` APIs |
| - Added support for strtoull, strtoll, strtoul, strtol APIs from FreeBSD project |
| |
| - CPU support |
| - Added support for |
| - Cortex_A78C CPU |
| - Makalu ELP CPU |
| - Makalu CPU |
| - Matterhorn ELP CPU |
| - Neoverse-N2 CPU |
| |
| - CPU Errata |
| - Arm Cortex-A76: Added workaround for erratum 1946160 |
| |
| - Arm Cortex-A77: Added workaround for erratum 1946167 |
| |
| - Arm Cortex-A78: Added workaround for erratum 1941498 and 1951500 |
| |
| - Arm Neoverse-N1: Added workaround for erratum 1946160 |
| |
| - Flattened device tree(libfdt) |
| - Added support for wrapper function to read UUIDs in string format from dtb |
| |
| - Platforms |
| - Added support for MediaTek MT8195 |
| - Added support for Arm RD-N2 board |
| |
| - Allwinner |
| - Added support for H616 SoC |
| |
| - Arm |
| - Added support for GPT parser |
| - Protect GICR frames for fused/unused cores |
| |
| - Arm Morello |
| - Added VirtIO network device to Morello FVP fdts |
| |
| - Arm RD-N2 |
| - Added support for variant 1 of RD-N2 platform |
| - Enable AMU support |
| |
| - Arm RD-V1 |
| - Enable AMU support |
| |
| - Arm SGI |
| - Added support for platform variant build option |
| |
| - Arm TC0 |
| - Added Matterhorn ELP CPU support |
| - Added support for opteed |
| |
| - Arm Juno |
| - Added support to use hw_config in BL31 |
| - Use TRNG entropy source for SMCCC TRNG interface |
| - Condition Juno entropy source with CRC instructions |
| |
| - Marvell Mochi |
| - Added support for detection of secure mode |
| |
| - Marvell ARMADA |
| - Added support for new compile option A3720_DB_PM_WAKEUP_SRC |
| - Added support doing system reset via CM3 secure coprocessor |
| - Made several makefile enhancements required to build WTMI_MULTI_IMG and TIMDDRTOOL |
| - Added support for building DOIMAGETOOL tool |
| - Added new target mrvl_bootimage |
| |
| - Mediatek MT8192 |
| - Added support for rtc power off sequence |
| |
| - Mediatek MT8195 |
| - Added support for SiP service |
| |
| - STM32MP1 |
| - Added support for |
| - Seeed ODYSSEY SoM and board |
| - SDMMC2 and I2C2 pins in pinctrl |
| - I2C2 peripheral in DTS |
| - PIE for BL32 |
| - TZC-400 interrupt managament |
| - Linux Automation MC-1 board |
| |
| - Renesas RZG |
| - Added support for identifying EK874 RZ/G2E board |
| - Added support for identifying HopeRun HiHope RZ/G2H and RZ/G2H boards |
| |
| - Rockchip |
| - Added support for stack protector |
| |
| - QEMU |
| - Added support for ``max`` CPU |
| - Added Cortex-A72 support to ``virt`` platform |
| - Enabled trigger reboot from secure pl061 |
| |
| - QEMU SBSA |
| - Added support for sbsa-ref Embedded Controller |
| |
| - NXP |
| - Added support for warm reset to retain ddr content |
| - Added support for image loader necessary for loading fip image |
| |
| - lx2160a SoC Family |
| - Added support for |
| - new platform lx2160a-aqds |
| - new platform lx2160a-rdb |
| - new platform lx2162a-aqds |
| - errata handling |
| |
| - IMX imx8mm |
| - Added support for trusted board boot |
| |
| - TI K3 |
| - Added support for lite device board |
| - Enabled Cortex-A72 erratum 1319367 |
| - Enabled Cortex-A53 erratum 1530924 |
| |
| - Xilinx ZynqMP |
| - Added support for PS and system reset on WDT restart |
| - Added support for error management |
| - Enable support for log messages necessary for debug |
| - Added support for PM API SMC call for efuse and register access |
| |
| - Processes |
| - Introduced process for platform deprecation |
| - Added documentation for TF-A threat model |
| - Provided a copy of the MIT license to comply with the license |
| requirements of the arm-gic.h source file (originating from the Linux |
| kernel project and re-distributed in TF-A). |
| |
| - Services |
| - Added support for TRNG firmware interface service |
| |
| - Arm |
| - Added SiP service to configure Ethos-N NPU |
| |
| - SPMC |
| - Added documentation for SPM(Hafnium) SMMUv3 driver |
| |
| - SPMD |
| - Added support for |
| - FFA_INTERRUPT forwading ABI |
| - FFA_SECONDARY_EP_REGISTER ABI |
| - FF-A v1.0 boot time power management, SPMC secondary core boot and |
| early run-time power management |
| |
| - Tools |
| |
| - FIPTool |
| - Added mechanism to allow platform specific image UUID |
| |
| - git hooks |
| - Added support for conventional commits through commitlint hook, |
| commitizen hook and husky configuration files. |
| |
| - NXP tool |
| - Added support for a tool that creates pbl file from BL2 |
| |
| - Renesas RZ/G2 |
| - Added tool support for creating bootparam and cert_header images |
| |
| - CertCreate |
| - Added support for platform-defined certificates, keys, and extensions using |
| the platform's makefile |
| |
| - shared tools |
| - Added EFI_GUID representation to uuid helper data structure |
| |
| Changed |
| ^^^^^^^ |
| |
| - Common components |
| - Print newline after hex address in aarch64 el3_panic function |
| - Use proper ``#address-cells`` and ``#size-cells`` for reserved-memory in dtbs |
| |
| - Drivers |
| |
| - Move SCMI driver from ST platform directory and make it common to all platforms |
| |
| - Arm GICv3 |
| - Shift eSPI register offset in GICD_OFFSET_64() |
| - Use mpidr to probe GICR for current CPU |
| |
| - Arm TZC-400 |
| - Adjust filter tag if it set to FILTER_BIT_ALL |
| |
| - Cadence |
| - Enhance UART driver APIs to put characters to fifo |
| |
| - Mediatek MT8192 |
| - Move timer driver to common folder |
| - Enhanced sys_cirq driver to add more IC services |
| |
| - Renesas |
| - Move ddr and delay driver to common directory |
| |
| - Renesas rcar |
| - Treat log as device memory in console driver |
| |
| - Renesas RZ Family: |
| - G2N and G2H SoCs |
| - Select MMC_CH1 for eMMC channel |
| |
| - Marvell |
| - Added support for checking if TRNG unit is present |
| |
| - Marvell A3K |
| - Set TXDCLK_2X_SEL bit during PCIe initialization |
| - Set mask parameter for every reg_set call |
| |
| - Marvell Mochi |
| - Added missing stream IDs configurations |
| |
| - MbedTLS |
| - Migrated to Mbed TLS v2.26.0 |
| |
| - IMX imx8mp |
| - Change the bl31 physical load address |
| |
| - QEMU SBSA |
| - Enable secure variable storage |
| |
| - SCMI |
| - Update power domain protocol version to 2.0 |
| |
| - STM32 |
| - Remove dead code from nand FMC driver |
| |
| - Libraries |
| - C Standard Library |
| - Use macros to reduce duplicated code between snprintf and printf |
| |
| - CPU support |
| - Sanity check pointers before use in AArch32 builds |
| |
| - Arm Cortex-A78 |
| - Remove rainier cpu workaround for errata 1542319 |
| |
| - Arm Makalu ELP |
| - Added "_arm" suffix to Makalu ELP CPU lib |
| |
| |
| - Miscellaneous |
| - Editorconfig |
| - set max line length to 100 |
| |
| - Platforms |
| - Allwinner |
| - Added reserved-memory node to DT |
| - Express memmap more dynamically |
| - Move SEPARATE_NOBITS_REGION to platforms |
| - Limit FDT checks to reduce code size |
| - Use CPUIDLE hardware when available |
| - Allow conditional compilation of SCPI and native PSCI ops |
| - Always use a 3MHz RSB bus clock |
| - Enable workaround for Cortex-A53 erratum 1530924 |
| - Fixed non-default PRELOADED_BL33_BASE |
| - Leave CPU power alone during BL31 setup |
| - Added several psci hooks enhancements to improve system shutdown/reset |
| sequence |
| - Return the PMIC to I2C mode after use |
| - Separate code to power off self and other CPUs |
| - Split native and SCPI-based PSCI implementations |
| |
| - Allwinner H6 |
| - Added R_PRCM security setup for H6 board |
| - Added SPC security setup for H6 board |
| - Use RSB for the PMIC connection on H6 |
| |
| - Arm |
| - Store UUID as a string, rather than ints |
| - Replace FIP base and size macro with a generic name |
| - Move compile time switch from source to dt file |
| - Don't provide NT_FW_CONFIG when booting hafnium |
| - Do not setup 'disabled' regulator |
| - Increase SP max size |
| - Remove false dependency of ARM_LINUX_KERNEL_AS_BL33 on RESET_TO_BL31 |
| and allow it to be enabled independently |
| |
| - Arm FVP |
| - Do not map GIC region in BL1 and BL2 |
| |
| - Arm Juno |
| - Refactor juno_getentropy() to return 64 bits on each call |
| |
| - Arm Morello |
| - Remove "virtio-rng" from Morello FVP |
| - Enable virtIO P9 device for Morello fvp |
| |
| - Arm RDV1 |
| - Allow all PSCI callbacks on RD-V1 |
| - Rename rddaniel to rdv1 |
| |
| - Arm RDV1MC |
| - Rename rddanielxlr to rdv1mc |
| - Initialize TZC-400 controllers |
| |
| - Arm TC0 |
| - Updated GICR base address |
| - Use scmi_dvfs clock index 1 for cores 4-7 through fdt |
| - Added reserved-memory node for OP-TEE fdts |
| - Enabled Theodul DSU in TC platform |
| - OP-TEE as S-EL1 SP with SPMC at S-EL2 |
| - Update Matterhorm ELP DVFS clock index |
| |
| - Arm SGI |
| - Allow access to TZC controller on all chips |
| - Define memory regions for multi-chip platforms |
| - Allow access to nor2 flash and system registers from S-EL0 |
| - Define default list of memory regions for DMC-620 TZC |
| - Improve macros defining cper buffer memory region |
| - Refactor DMC-620 error handling SMC function id |
| - Refactor SDEI specific macros |
| - Added platform id value for RDN2 platform |
| - Refactored header file inclusions and inclusion of memory mapping |
| |
| - Arm RDN2 |
| - Allow usage of secure partitions on RDN2 platform |
| - Update GIC redistributor and TZC base address |
| |
| - Arm SGM775 |
| - Deprecate Arm sgm775 FVP platform |
| |
| - Marvell |
| - Increase TX FIFO EMPTY timeout from 2ms to 3ms |
| - Update delay code to be compatible with 1200 MHz CPU |
| |
| - Marvell ARMADA |
| - Postpone MSS CPU startup to BL31 stage |
| - Allow builds without MSS support |
| - Use MSS SRAM in secure mode |
| - Added missing FORCE, .PHONY and clean targets |
| - Cleanup MSS SRAM if used for copy |
| - Move definition of mrvl_flash target to common marvell_common.mk file |
| - Show informative build messages and blank lines |
| |
| - Marvell ARMADA A3K |
| - Added a new target mrvl_uart which builds UART image |
| - Added checks that WTP, MV_DDR_PATH and CRYPTOPP_PATH are correctly defined |
| - Allow use of the system Crypto++ library |
| - Build $(WTMI_ENC_IMG) in $(BUILD_PLAT) directory |
| - Build intermediate files in $(BUILD_PLAT) directory |
| - Build UART image files directly in $(BUILD_UART) subdirectory |
| - Correctly set DDR_TOPOLOGY and CLOCKSPRESET for WTMI |
| - Do not use 'echo -e' in Makefile |
| - Improve 4GB DRAM usage from 3.375 GB to 3.75 GB |
| - Remove unused variable WTMI_SYSINIT_IMG from Makefile |
| - Simplify check if WTP variable is defined |
| - Split building $(WTMI_MULTI_IMG) and $(TIMDDRTOOL) |
| |
| - Marvell ARMADA A8K |
| - Allow CP1/CP2 mapping at BLE stage |
| |
| - Mediatek MT8183 |
| - Added timer V20 compensation |
| |
| - Nvidia Tegra |
| - Rename SMC API |
| |
| - TI K3 |
| - Make plat_get_syscnt_freq2 helper check CNT_FID0 register |
| - Fill non-message data fields in sec_proxy with 0x0 |
| - Update ti_sci_msg_req_reboot ABI to include domain |
| - Enable USE_COHERENT_MEM only for the generic board |
| - Explicitly map SEC_SRAM_BASE to 0x0 |
| - Use BL31_SIZE instead of computing |
| - Define the correct number of max table entries and increase SRAM size |
| to account for additional table |
| |
| - Raspberry Pi4 |
| - Switch to gicv2.mk and GICV2_SOURCES |
| |
| - Renesas |
| - Move headers and assembly files to common folder |
| |
| - Renesas rzg |
| - Added device tree memory node enhancements |
| |
| - Rockchip |
| - Switch to using common gicv3.mk |
| |
| - STM32MP1 |
| - Set BL sizes regardless of flags |
| |
| - QEMU |
| - Include gicv2.mk for compiling GICv2 source files |
| - Change DEVICE2 definition for MMU |
| - Added helper to calculate the position shift from MPIDR |
| |
| - QEMU SBSA |
| - Include libraries for Cortex-A72 |
| - Increase SHARED_RAM_SIZE |
| - Addes support in spm_mm for upto 512 cores |
| - Added support for topology handling |
| |
| - QTI |
| - Mandate SMC implementation |
| |
| - Xilinx |
| - Rename the IPI CRC checksum macro |
| - Use fno-jump-tables flag in CPPFLAGS |
| |
| - Xilinx versal |
| - Added the IPI CRC checksum macro support |
| - Mark IPI calls secure/non-secure |
| - Enable sgi to communicate with linux using IPI |
| - Remove Cortex-A53 compilation |
| |
| - Xilinx ZynqMP |
| - Configure counter frequency during initialization |
| - Filter errors related to clock gate permissions |
| - Implement pinctrl request/release EEMI API |
| - Reimplement pinctrl get/set config parameter EEMI API calls |
| - Reimplement pinctrl set/get function EEMI API |
| - Update error codes to match Linux and PMU Firmware |
| - Update PM version and support PM version check |
| - Update return type in query functions |
| - Added missing ids for 43/46/47dr devices |
| - Checked for DLL status before doing reset |
| - Disable ITAPDLYENA bit for zero ITAP delay |
| - Include GICv2 makefile |
| - Remove the custom crash implementation |
| |
| - Services |
| |
| - SPMD |
| - Lock the g_spmd_pm structure |
| - Declare third cactus instance as UP SP |
| - Provide number of vCPUs and VM size for first SP |
| - Remove ``chosen`` node from SPMC manifests |
| - Move OP-TEE SP manifest DTS to FVP platform |
| - Update OP-TEE SP manifest with device-regions node |
| - Remove device-memory node from SPMC manifests |
| |
| - SPM_MM |
| - Use sp_boot_info to set SP context |
| |
| - SDEI |
| - Updata the affinity of shared event |
| |
| - Tools |
| - FIPtool |
| - Do not print duplicate verbose lines about building fiptool |
| |
| - CertCreate |
| - Updated tool for platform defined certs, keys & extensions |
| - Create only requested certificates |
| - Avoid duplicates in extension stack |
| |
| Resolved Issues |
| ^^^^^^^^^^^^^^^ |
| - Several fixes for typos and mis-spellings in documentation |
| |
| - Build system |
| - Fixed ${FIP_NAME} to be rebuilt only when needed in Makefile |
| - Do not mark file targets as .PHONY target in Makefile |
| |
| - Drivers |
| - Authorization |
| - Avoid NV counter upgrade without certificate validation |
| |
| - Arm GICv3 |
| - Fixed logical issue for num_eints |
| - Limit SPI ID to avoid misjudgement in GICD_OFFSET() |
| - Fixed potential GICD context override with ESPI enabled |
| |
| - Marvell A3700 |
| - Fixed configuring polarity invert bits |
| |
| - Arm TZC-400 |
| - Correct FAIL_CONTROL Privileged bit |
| - Fixed logical error in FILTER_BIT definitions |
| |
| - Renesas rcar |
| - Fixed several coding style violations reported by checkpatch |
| |
| - Libraries |
| - Arch helpers |
| - Fixed assertions in processing dynamic relocations for AArch64 builds |
| |
| - C standard library |
| - Fixed MISRA issues in memset() ABI |
| |
| - RAS |
| - Fixed bug of binary search in RAS interrupt handler |
| |
| - Platforms |
| |
| - Arm |
| - Fixed missing copyrights in arm-gic.h file |
| - Fixed the order of header files in several dts files |
| - Fixed error message printing in board makefile |
| - Fixed bug of overriding the last node in image load helper API |
| - Fixed stdout-path in fdts files of TC0 and N1SDP platforms |
| - Turn ON/OFF redistributor in sync with GIC CPU interface ON/OFF for css platforms |
| |
| - Arm FVP |
| - Fixed Generic Timer interrupt types in platform dts files |
| |
| - Arm Juno |
| - Fixed parallel build issue for romlib config |
| |
| - Arm SGI |
| - Fixed bug in SDEI receive event of RAS handler |
| |
| - Intel Agilex |
| - Fixed PLAT_MAX_PWR_LVL value |
| |
| - Marvell |
| - Fixed SPD handling in dram port |
| |
| - Marvell ARMADA |
| - Fixed TRNG return SMC handling |
| - Fixed the logic used for LD selector mask |
| - Fixed MSS firmware loader for A8K family |
| |
| - ST |
| - Fixed few violations reported by coverity static checks |
| |
| - STM32MP1 |
| - Fixed SELFREF_TO_X32 mask in ddr driver |
| - Do not keep mmc_device_info in stack |
| - Correct plat_crash_console_flush() |
| |
| - QEMU SBSA |
| - Fixed memory type of secure NOR flash |
| |
| - QTI |
| - Fixed NUM_APID and REG_APID_MAP() argument in SPMI driver |
| |
| - Intel |
| - Do not keep mmc_device_info in stack |
| |
| - Hisilicon |
| - Do not keep mmc_device_info in stack |
| |
| |
| - Services |
| |
| - EL3 runtime |
| - Fixed the EL2 context save/restore routine by removing EL2 generic |
| timer system registers |
| - Added fix for exception handler in BL31 by synchronizing pending EA |
| using DSB barrier |
| |
| - SPMD |
| - Fixed error codes to use int32_t type |
| |
| - TSPD |
| - Added bug fix in tspd interrupt handling when TSP_NS_INTR_ASYNC_PREEMPT is enabled |
| |
| - TRNG |
| - Fixed compilation errors with -O0 compile option |
| |
| - DebugFS |
| - Checked channel index before calling clone function |
| |
| - PSCI |
| - Fixed limit of 256 CPUs caused by cast to unsigned char |
| |
| - TSP |
| - Fixed compilation erros when built with GCC 11.0.0 toolchain |
| |
| - Tools |
| - FIPtool |
| - Do not call ``make clean`` for ``all`` target |
| |
| - CertCreate |
| - Fixed bug to avoid cleaning when building the binary |
| - Used preallocated parts of the HASH struct to avoid leaking HASH struct fields |
| - Free arguments copied with strdup |
| - Free keys after use |
| - Free X509_EXTENSION structures on stack to avoid leaking them |
| - Optimized the code to avoid unnecessary attempts to create non-requested |
| certificates |
| |
| Version 2.4 |
| ----------- |
| |
| New Features |
| ^^^^^^^^^^^^ |
| |
| - Architecture support |
| - Armv8.6-A |
| - Added support for Armv8.6 Enhanced Counter Virtualization (ECV) |
| - Added support for Armv8.6 Fine Grained Traps (FGT) |
| - Added support for Armv8.6 WFE trap delays |
| |
| - Bootloader images |
| - Added support for Measured Boot |
| |
| - Build System |
| - Added build option ``COT_DESC_IN_DTB`` to create Chain of Trust at runtime |
| - Added build option ``OPENSSL_DIR`` to direct tools to OpenSSL libraries |
| - Added build option ``RAS_TRAP_LOWER_EL_ERR_ACCESS`` to enable trapping RAS |
| register accesses from EL1/EL2 to EL3 |
| - Extended build option ``BRANCH_PROTECTION`` to support branch target |
| identification |
| |
| - Common components |
| - Added support for exporting CPU nodes to the device tree |
| - Added support for single and dual-root Chains of Trust in secure |
| partitions |
| |
| - Drivers |
| - Added Broadcom RNG driver |
| - Added Marvell ``mg_conf_cm3`` driver |
| - Added System Control and Management Interface (SCMI) driver |
| - Added STMicroelectronics ETZPC driver |
| |
| - Arm GICv3 |
| - Added support for detecting topology at runtime |
| |
| - Dual Root |
| - Added support for platform certificates |
| |
| - Marvell Cache LLC |
| - Added support for mapping the entire LLC into SRAM |
| |
| - Marvell CCU |
| - Added workaround for erratum 3033912 |
| |
| - Marvell CP110 COMPHY |
| - Added support for SATA COMPHY polarity inversion |
| - Added support for USB COMPHY polarity inversion |
| - Added workaround for erratum IPCE_COMPHY-1353 |
| |
| - STM32MP1 Clocks |
| - Added ``RTC`` as a gateable clock |
| - Added support for shifted clock selector bit masks |
| - Added support for using additional clocks as parents |
| |
| - Libraries |
| - C standard library |
| - Added support for hexadecimal and pointer format specifiers in |
| ``snprint()`` |
| - Added assembly alternatives for various library functions |
| |
| - CPU support |
| - Arm Cortex-A53 |
| - Added workaround for erratum 1530924 |
| |
| - Arm Cortex-A55 |
| - Added workaround for erratum 1530923 |
| |
| - Arm Cortex-A57 |
| - Added workaround for erratum 1319537 |
| |
| - Arm Cortex-A76 |
| - Added workaround for erratum 1165522 |
| - Added workaround for erratum 1791580 |
| - Added workaround for erratum 1868343 |
| |
| - Arm Cortex-A72 |
| - Added workaround for erratum 1319367 |
| |
| - Arm Cortex-A77 |
| - Added workaround for erratum 1508412 |
| - Added workaround for erratum 1800714 |
| - Added workaround for erratum 1925769 |
| |
| - Arm Neoverse-N1 |
| - Added workaround for erratum 1868343 |
| |
| - EL3 Runtime |
| - Added support for saving/restoring registers related to nested |
| virtualization in EL2 context switches if the architecture supports it |
| |
| - FCONF |
| - Added support for Measured Boot |
| - Added support for populating Chain of Trust properties |
| - Added support for loading the ``fw_config`` image |
| |
| - Measured Boot |
| - Added support for event logging |
| |
| - Platforms |
| - Added support for Arm Morello |
| - Added support for Arm TC0 |
| - Added support for iEi PUZZLE-M801 |
| - Added support for Marvell OCTEON TX2 T9130 |
| - Added support for MediaTek MT8192 |
| - Added support for NXP i.MX 8M Nano |
| - Added support for NXP i.MX 8M Plus |
| - Added support for QTI CHIP SC7180 |
| - Added support for STM32MP151F |
| - Added support for STM32MP153F |
| - Added support for STM32MP157F |
| - Added support for STM32MP151D |
| - Added support for STM32MP153D |
| - Added support for STM32MP157D |
| |
| - Arm |
| - Added support for platform-owned SPs |
| - Added support for resetting to BL31 |
| |
| - Arm FPGA |
| - Added support for Klein |
| - Added support for Matterhorn |
| - Added support for additional CPU clusters |
| |
| - Arm FVP |
| - Added support for performing SDEI platform setup at runtime |
| - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command |
| - Added an ``id`` field under the NV-counter node in the device tree to |
| differentiate between trusted and non-trusted NV-counters |
| - Added support for extracting the clock frequency from the timer node |
| in the device tree |
| |
| - Arm Juno |
| - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command |
| |
| - Arm N1SDP |
| - Added support for cross-chip PCI-e |
| |
| - Marvell |
| - Added support for AVS reduction |
| |
| - Marvell ARMADA |
| - Added support for twin-die combined memory device |
| |
| - Marvell ARMADA A8K |
| - Added support for DDR with 32-bit bus width (both ECC and non-ECC) |
| |
| - Marvell AP806 |
| - Added workaround for erratum FE-4265711 |
| |
| - Marvell AP807 |
| - Added workaround for erratum 3033912 |
| |
| - Nvidia Tegra |
| - Added debug printouts indicating SC7 entry sequence completion |
| - Added support for SDEI |
| - Added support for stack protection |
| - Added support for GICv3 |
| - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command |
| |
| - Nvidia Tegra194 |
| - Added support for RAS exception handling |
| - Added support for SPM |
| |
| - NXP i.MX |
| - Added support for SDEI |
| |
| - QEMU SBSA |
| - Added support for the Secure Partition Manager |
| |
| - QTI |
| - Added RNG driver |
| - Added SPMI PMIC arbitrator driver |
| - Added support for SMCCC's ``SMCCC_ARCH_SOC_ID`` command |
| |
| - STM32MP1 |
| - Added support for exposing peripheral interfaces to the non-secure |
| world at runtime |
| - Added support for SCMI clock and reset services |
| - Added support for STM32MP15x CPU revision Z |
| - Added support for SMCCC services in ``SP_MIN`` |
| |
| - Services |
| - Secure Payload Dispatcher |
| - Added a provision to allow clients to retrieve the service UUID |
| |
| - SPMC |
| - Added secondary core endpoint information to the SPMC context |
| structure |
| |
| - SPMD |
| - Added support for booting OP-TEE as a guest S-EL1 Secure Partition on |
| top of Hafnium in S-EL2 |
| - Added a provision for handling SPMC messages to register secondary |
| core entry points |
| - Added support for power management operations |
| |
| - Tools |
| - CertCreate |
| - Added support for secure partitions |
| |
| - CertTool |
| - Added support for the ``fw_config`` image |
| |
| - FIPTool |
| - Added support for the ``fw_config`` image |
| |
| Changed |
| ^^^^^^^ |
| |
| - Architecture support |
| |
| - Bootloader images |
| |
| - Build System |
| - The top-level Makefile now supports building FipTool on Windows |
| - The default value of ``KEY_SIZE`` has been changed to to 2048 when RSA is |
| in use |
| - The previously-deprecated macro ``__ASSEMBLY__`` has now been removed |
| |
| - Common components |
| - Certain functions that flush the console will no longer return error |
| information |
| |
| - Drivers |
| - Arm GIC |
| - Usage of ``drivers/arm/gic/common/gic_common.c`` has now been |
| deprecated in favour of ``drivers/arm/gic/vX/gicvX.mk`` |
| - Added support for detecting the presence of a GIC600-AE |
| - Added support for detecting the presence of a GIC-Clayton |
| |
| - Marvell MCI |
| - Now performs link tuning for all MCI interfaces to improve performance |
| |
| - Marvell MoChi |
| - PIDI masters are no longer forced into a non-secure access level when |
| ``LLC_SRAM`` is enabled |
| - The SD/MMC controllers are now accessible from guest virtual machines |
| |
| - Mbed TLS |
| - Migrated to Mbed TLS v2.24.0 |
| |
| - STM32 FMC2 NAND |
| - Adjusted FMC node bindings to include an EBI controller node |
| |
| - STM32 Reset |
| - Added an optional timeout argument to assertion functions |
| |
| - STM32MP1 Clocks |
| - Enabled several additional system clocks during initialization |
| |
| - Libraries |
| - C Standard Library |
| - Improved ``memset`` performance by avoiding single-byte writes |
| - Added optimized assembly variants of ``memset`` |
| |
| - CPU support |
| - Renamed Cortex-Hercules to Cortex-A78 |
| - Renamed Cortex-Hercules AE to Cortex-A78 AE |
| - Renamed Neoverse Zeus to Neoverse V1 |
| |
| - Coreboot |
| - Updated ‘coreboot_get_memory_type’ API to take an extra argument as a |
| ’memory size’ that used to return a valid memory type. |
| |
| - libfdt |
| - Updated to latest upstream version |
| |
| - Platforms |
| - Allwinner |
| - Disabled non-secure access to PRCM power control registers |
| |
| - Arm |
| - ``BL32_BASE`` is now platform-dependent when ``SPD_spmd`` is enabled |
| - Added support for loading the Chain of Trust from the device tree |
| - The firmware update check is now executed only once |
| - NV-counter base addresses are now loaded from the device tree when |
| ``COT_DESC_IN_DTB`` is enabled |
| - Now loads and populates ``fw_config`` and ``tb_fw_config`` |
| - FCONF population now occurs after caches have been enabled in order |
| to reduce boot times |
| |
| - Arm Corstone-700 |
| - Platform support has been split into both an FVP and an FPGA variant |
| |
| - Arm FPGA |
| - DTB and BL33 load addresses have been given sensible default values |
| - Now reads generic timer counter frequency, GICD and GICR base |
| addresses, and UART address from DT |
| - Now treats the primary PL011 UART as an SBSA Generic UART |
| |
| - Arm FVP |
| - Secure interrupt descriptions, UART parameters, clock frequencies and |
| GICv3 parameters are now queried through FCONF |
| - UART parameters are now queried through the device tree |
| - Added an owner field to Cactus secure partitions |
| - Increased the maximum size of BL2 when the Chain of Trust is loaded |
| from the device tree |
| - Reduces the maximum size of BL31 |
| - The ``FVP_USE_SP804_TIMER`` and ``FVP_VE_USE_SP804_TIMER`` build |
| options have been removed in favour of a common ``USE_SP804_TIMER`` |
| option |
| - Added a third Cactus partition to manifests |
| - Device tree nodes now store UUIDs in big-endian |
| |
| - Arm Juno |
| - Increased the maximum size of BL2 when optimizations have not been |
| applied |
| - Reduced the maximum size of BL31 and BL32 |
| |
| - Marvell AP807 |
| - Enabled snoop filters |
| |
| - Marvell ARMADA A3K |
| - UART recovery images are now suffixed with ``.bin`` |
| |
| - Marvell ARMADA A8K |
| - Option ``BL31_CACHE_DISABLE`` is now disabled (``0``) by default |
| |
| - Nvidia Tegra |
| - Added VPR resize supported check when processing video memory resize |
| requests |
| - Added SMMU verification to prevent potential issues caused by |
| undetected corruption of the SMMU configuration during boot |
| - The GIC CPU interface is now properly disabled after CPU off |
| - The GICv2 sources list and the ``BL31_SIZE`` definition have been made |
| platform-specific |
| - The SPE driver will no longer flush the console when writing |
| individual characters |
| |
| - Nvidia Tegra194 |
| - TZDRAM setup has been moved to platform-specific early boot handlers |
| - Increased verbosity of debug prints for RAS SErrors |
| - Support for powering down CPUs during CPU suspend has been removed |
| - Now verifies firewall settings before using resources |
| |
| - TI K3 |
| - The UART number has been made configurable through ``K3_USART`` |
| |
| - Rockchip RK3368 |
| - The maximum number of memory map regions has been increased to 20 |
| |
| - Socionext Uniphier |
| - The maximum size of BL33 has been increased to support larger |
| bootloaders |
| |
| - STM32 |
| - Removed platform-specific DT functions in favour of using existing |
| generic alternatives |
| |
| - STM32MP1 |
| - Increased verbosity of exception reports in debug builds |
| - Device trees have been updated to align with the Linux kernel |
| - Now uses the ETZPC driver to configure secure-aware interfaces for |
| assignment to the non-secure world |
| - Finished good variants have been added to the board identifier |
| enumerations |
| - Non-secure access to clocks and reset domains now depends on their |
| state of registration |
| - NEON is now disabled in ``SP_MIN`` |
| - The last page of ``SYSRAM`` is now used as SCMI shared memory |
| - Checks to verify platform compatibility have been added to verify that |
| an image is compatible with the chip ID of the running platform |
| |
| - QEMU SBSA |
| - Removed support for Arm's Cortex-A53 |
| |
| - Services |
| - Renamed SPCI to FF-A |
| |
| - SPMD |
| - No longer forwards requests to the non-secure world when retrieving |
| partition information |
| - SPMC manifest size is now retrieved directly from SPMD instead of the |
| device tree |
| - The FF-A version handler now returns SPMD's version when the origin |
| of the call is secure, and SPMC's version when the origin of the call |
| is non-secure |
| |
| - SPMC |
| - Updated the manifest to declare CPU nodes in descending order as per |
| the SPM (Hafnium) multicore requirement |
| - Updated the device tree to mark 2GB as device memory for the first |
| partition excluding trusted DRAM region (which is reserved for SPMC) |
| - Increased the number of EC contexts to the maximum number of PEs as |
| per the FF-A specification |
| |
| - Tools |
| - FIPTool |
| - Now returns ``0`` on ``help`` and ``help <command>`` |
| |
| - Marvell DoImage |
| - Updated Mbed TLS support to v2.8 |
| |
| - SPTool |
| - Now appends CertTool arguments |
| |
| Resolved Issues |
| ^^^^^^^^^^^^^^^ |
| |
| - Bootloader images |
| - Fixed compilation errors for dual-root Chains of Trust caused by symbol |
| collision |
| |
| - BL31 |
| - Fixed compilation errors on platforms with fewer than 4 cores caused |
| by initialization code exceeding the end of the stacks |
| - Fixed compilation errors when building a position-independent image |
| |
| - Build System |
| - Fixed invalid empty version strings |
| - Fixed compilation errors on Windows caused by a non-portable architecture |
| revision comparison |
| |
| - Drivers |
| - Arm GIC |
| - Fixed spurious interrupts caused by a missing barrier |
| |
| - STM32 Flexible Memory Controller 2 (FMC2) NAND driver |
| - Fixed runtime instability caused by incorrect error detection logic |
| |
| - STM32MP1 Clock driver |
| - Fixed incorrectly-formatted log messages |
| - Fixed runtime instability caused by improper clock gating procedures |
| |
| - STMicroelectronics Raw NAND driver |
| - Fixed runtime instability caused by incorrect unit conversion when |
| waiting for NAND readiness |
| |
| - Libraries |
| - AMU |
| - Fixed timeout errors caused by excess error logging |
| |
| - EL3 Runtime |
| - Fixed runtime instability caused by improper register save/restore |
| routine in EL2 |
| |
| - FCONF |
| - Fixed failure to initialize GICv3 caused by overly-strict device tree |
| requirements |
| |
| - Measured Boot |
| - Fixed driver errors caused by a missing default value for the |
| ``HASH_ALG`` build option |
| |
| - SPE |
| - Fixed feature detection check that prevented CPUs supporting SVE from |
| detecting support for SPE in the non-secure world |
| |
| - Translation Tables |
| - Fixed various MISRA-C 2012 static analysis violations |
| |
| - Platforms |
| - Allwinner A64 |
| - Fixed USB issues on certain battery-powered device caused by |
| improperly activated USB power rail |
| |
| - Arm |
| - Fixed compilation errors caused by increase in BL2 size |
| - Fixed compilation errors caused by missing Makefile dependencies to |
| generated files when building the FIP |
| - Fixed MISRA-C 2012 static analysis violations caused by unused |
| structures in include directives intended to be feature-gated |
| |
| - Arm FPGA |
| - Fixed initialization issues caused by incorrect MPIDR topology mapping |
| logic |
| |
| - Arm RD-N1-edge |
| - Fixed compilation errors caused by mismatched parentheses in Makefile |
| |
| - Arm SGI |
| - Fixed crashes due to the flash memory used for cold reboot attack |
| protection not being mapped |
| |
| - Intel Agilex |
| - Fixed initialization issues caused by several compounding bugs |
| |
| - Marvell |
| - Fixed compilation warnings caused by multiple Makefile inclusions |
| |
| - Marvell ARMADA A3K |
| - Fixed boot issue in debug builds caused by checks on the BL33 load |
| address that are not appropriate for this platform |
| |
| - Nvidia Tegra |
| - Fixed incorrect delay timer reads |
| - Fixed spurious interrupts in the non-secure world during cold boot |
| caused by the arbitration bit in the memory controller not being |
| cleared |
| - Fixed faulty video memory resize sequence |
| |
| - Nvidia Tegra194 |
| - Fixed incorrect alignment of TZDRAM base address |
| |
| - NXP iMX8M |
| - Fixed CPU hot-plug issues caused by race condition |
| |
| - STM32MP1 |
| - Fixed compilation errors in highly-parallel builds caused by incorrect |
| Makefile dependencies |
| |
| - STM32MP157C-ED1 |
| - Fixed initialization issues caused by missing device tree hash node |
| |
| - Raspberry Pi 3 |
| - Fixed compilation errors caused by incorrect dependency ordering in |
| Makefile |
| |
| - Rockchip |
| - Fixed initialization issues caused by non-critical errors when parsing |
| FDT being treated as critical |
| |
| - Rockchip RK3368 |
| - Fixed runtime instability caused by incorrect CPUID shift value |
| |
| - QEMU |
| - Fixed compilation errors caused by incorrect dependency ordering in |
| Makefile |
| |
| - QEMU SBSA |
| - Fixed initialization issues caused by FDT exceeding reserved memory |
| size |
| |
| - QTI |
| - Fixed compilation errors caused by inclusion of a non-existent file |
| |
| - Services |
| - FF-A (previously SPCI) |
| - Fixed SPMD aborts caused by incorrect behaviour when the manifest is |
| page-aligned |
| |
| - Tools |
| - Fixed compilation issues when compiling tools from within their respective |
| directories |
| |
| - FIPTool |
| - Fixed command line parsing issues on Windows when using arguments |
| whose names also happen to be a subset of another's |
| |
| - Marvell DoImage |
| - Fixed PKCS signature verification errors at boot on some platforms |
| caused by generation of misaligned images |
| |
| Known Issues |
| ^^^^^^^^^^^^ |
| |
| - Platforms |
| - NVIDIA Tegra |
| - Signed comparison compiler warnings occurring in libfdt are currently |
| being worked around by disabling the warning for the platform until |
| the underlying issue is resolved in libfdt |
| |
| Version 2.3 |
| ----------- |
| |
| New Features |
| ^^^^^^^^^^^^ |
| |
| - Arm Architecture |
| - Add support for Armv8.4-SecEL2 extension through the SPCI defined SPMD/SPMC |
| components. |
| |
| - Build option to support EL2 context save and restore in the secure world |
| (CTX_INCLUDE_EL2_REGS). |
| |
| - Add support for SMCCC v1.2 (introducing the new SMCCC_ARCH_SOC_ID SMC). |
| Note that the support is compliant, but the SVE registers save/restore will |
| be done as part of future S-EL2/SPM development. |
| |
| - BL-specific |
| - Enhanced BL2 bootloader flow to load secure partitions based on firmware |
| configuration data (fconf). |
| |
| - Changes necessary to support SEPARATE_NOBITS_REGION feature |
| |
| - TSP and BL2_AT_EL3: Add Position Independent Execution ``PIE`` support |
| |
| - Build System |
| - Add support for documentation build as a target in Makefile |
| |
| - Add ``COT`` build option to select the Chain of Trust to use when the |
| Trusted Boot feature is enabled (default: ``tbbr``). |
| |
| - Added creation and injection of secure partition packages into the FIP. |
| |
| - Build option to support SPMC component loading and run at S-EL1 |
| or S-EL2 (SPMD_SPM_AT_SEL2). |
| |
| - Enable MTE support |
| |
| - Enable Link Time Optimization in GCC |
| |
| - Enable -Wredundant-decls warning check |
| |
| - Makefile: Add support to optionally encrypt BL31 and BL32 |
| |
| - Add support to pass the nt_fw_config DTB to OP-TEE. |
| |
| - Introduce per-BL ``CPPFLAGS``, ``ASFLAGS``, and ``LDFLAGS`` |
| |
| - build_macros: Add CREATE_SEQ function to generate sequence of numbers |
| |
| - CPU Support |
| - cortex-a57: Enable higher performance non-cacheable load forwarding |
| |
| - Hercules: Workaround for Errata 1688305 |
| |
| - Klein: Support added for Klein CPU |
| |
| - Matterhorn: Support added for Matterhorn CPU |
| |
| - Drivers |
| - auth: Add ``calc_hash`` function for hash calculation. Used for |
| authentication of images when measured boot is enabled. |
| |
| - cryptocell: Add authenticated decryption framework, and support |
| for CryptoCell-713 and CryptoCell-712 RSA 3K |
| |
| - gic600: Add support for multichip configuration and Clayton |
| - gicv3: Introduce makefile, Add extended PPI and SPI range, |
| Add support for probing multiple GIC Redistributor frames |
| - gicv4: Add GICv4 extension for GIC driver |
| |
| - io: Add an IO abstraction layer to load encrypted firmwares |
| |
| - mhu: Derive doorbell base address |
| |
| - mtd: Add SPI-NOR, SPI-NAND, SPI-MEM, and raw NAND framework |
| |
| - scmi: Allow use of multiple SCMI channels |
| |
| - scu: Add a driver for snoop control unit |
| |
| - Libraries |
| - coreboot: Add memory range parsing and use generic base address |
| |
| - compiler_rt: Import popcountdi2.c and popcountsi2.c files, |
| aeabi_ldivmode.S file and dependencies |
| |
| - debugFS: Add DebugFS functionality |
| |
| - el3_runtime: Add support for enabling S-EL2 |
| |
| - fconf: Add Firmware Configuration Framework (fconf) (experimental). |
| |
| - libc: Add memrchr function |
| |
| - locks: bakery: Use is_dcache_enabled() helper and add a DMB to |
| the 'read_cache_op' macro |
| |
| - psci: Add support to enable different personality of the same soc. |
| |
| - xlat_tables_v2: Add support to pass shareability attribute for |
| normal memory region, use get_current_el_maybe_constant() in |
| is_dcache_enabled(), read-only xlat tables for BL31 memory, and |
| add enable_mmu() |
| |
| - New Platforms Support |
| - arm/arm_fpga: New platform support added for FPGA |
| |
| - arm/rddaniel: New platform support added for rd-daniel platform |
| |
| - brcm/stingray: New platform support added for Broadcom stingray platform |
| |
| - nvidia/tegra194: New platform support for Nvidia Tegra194 platform |
| |
| - Platforms |
| - allwinner: Implement PSCI system suspend using SCPI, add a msgbox |
| driver for use with SCPI, and reserve and map space for the SCP firmware |
| - allwinner: axp: Add AXP805 support |
| - allwinner: power: Add DLDO4 power rail |
| |
| - amlogic: axg: Add a build flag when using ATOS as BL32 and support for |
| the A113D (AXG) platform |
| |
| - arm/a5ds: Add ethernet node and L2 cache node in devicetree |
| |
| - arm/common: Add support for the new `dualroot` chain of trust |
| - arm/common: Add support for SEPARATE_NOBITS_REGION |
| - arm/common: Re-enable PIE when RESET_TO_BL31=1 |
| - arm/common: Allow boards to specify second DRAM Base address |
| and to define PLAT_ARM_TZC_FILTERS |
| |
| - arm/corstone700: Add support for mhuv2 and stack protector |
| |
| - arm/fvp: Add support for fconf in BL31 and SP_MIN. Populate power |
| domain descriptor dynamically by leveraging fconf APIs. |
| - arm/fvp: Add Cactus/Ivy Secure Partition information and use two |
| instances of Cactus at S-EL1 |
| - arm/fvp: Add support to run BL32 in TDRAM and BL31 in secure DRAM |
| - arm/fvp: Add support for GICv4 extension and BL2 hash calculation in BL1 |
| |
| - arm/n1sdp: Setup multichip gic routing table, update platform macros |
| for dual-chip setup, introduce platform information SDS region, add |
| support to update presence of External LLC, and enable the |
| NEOVERSE_N1_EXTERNAL_LLC flag |
| |
| - arm/rdn1edge: Add support for dual-chip configuration and use |
| CREATE_SEQ helper macro to compare chip count |
| |
| - arm/sgm: Always use SCMI for SGM platforms |
| - arm/sgm775: Add support for dynamic config using fconf |
| |
| - arm/sgi: Add multi-chip mode parameter in HW_CONFIG dts, macros for |
| remote chip device region, chip_id and multi_chip_mode to platform |
| variant info, and introduce number of chips macro |
| |
| - brcm: Add BL2 and BL31 support common across Broadcom platforms |
| - brcm: Add iproc SPI Nor flash support, spi driver, emmc driver, |
| and support to retrieve plat_toc_flags |
| |
| - hisilicon: hikey960: Enable system power off callback |
| |
| - intel: Enable bridge access, SiP SMC secure register access, and uboot |
| entrypoint support |
| - intel: Implement platform specific system reset 2 |
| - intel: Introduce mailbox response length handling |
| |
| - imx: console: Use CONSOLE_T_BASE for UART base address and generic console_t |
| data structure |
| - imx8mm: Provide uart base as build option and add the support for opteed spd |
| on imx8mq/imx8mm |
| - imx8qx: Provide debug uart num as build |
| - imx8qm: Apply clk/pinmux configuration for DEBUG_CONSOLE and provide debug |
| uart num as build param |
| |
| - marvell: a8k: Implement platform specific power off and add support |
| for loading MG CM3 images |
| |
| - mediatek: mt8183: Add Vmodem/Vcore DVS init level |
| |
| - qemu: Support optional encryption of BL31 and BL32 images |
| and ARM_LINUX_KERNEL_AS_BL33 to pass FDT address |
| - qemu: Define ARMV7_SUPPORTS_VFP |
| - qemu: Implement PSCI_CPU_OFF and qemu_system_off via semihosting |
| |
| - renesas: rcar_gen3: Add new board revision for M3ULCB |
| |
| - rockchip: Enable workaround for erratum 855873, claim a macro to enable |
| hdcp feature for DP, enable power domains of rk3399 before reset, add |
| support for UART3 as serial output, and initialize reset and poweroff |
| GPIOs with known invalid value |
| |
| - rpi: Implement PSCI CPU_OFF, use MMIO accessor, autodetect Mini-UART |
| vs. PL011 configuration, and allow using PL011 UART for RPi3/RPi4 |
| - rpi3: Include GPIO driver in all BL stages and use same "clock-less" |
| setup scheme as RPi4 |
| - rpi3/4: Add support for offlining CPUs |
| |
| - st: stm32mp1: platform.mk: Support generating multiple images in one build, |
| migrate to implicit rules, derive map file name from target name, generate |
| linker script with fixed name, and use PHONY for the appropriate targets |
| - st: stm32mp1: Add support for SPI-NOR, raw NAND, and SPI-NAND boot device, |
| QSPI, FMC2 driver |
| - st: stm32mp1: Use stm32mp_get_ddr_ns_size() function, set XN attribute for |
| some areas in BL2, dynamically map DDR later and non-cacheable during its |
| test, add a function to get non-secure DDR size, add DT helper for reg by |
| name, and add compilation flags for boot devices |
| |
| - socionext: uniphier: Turn on ENABLE_PIE |
| |
| - ti: k3: Add PIE support |
| |
| - xilinx: versal: Add set wakeup source, client wakeup, query data, request |
| wakeup, PM_INIT_FINALIZE, PM_GET_TRUSTZONE_VERSION, PM IOCTL, support for |
| suspend related, and Get_ChipID APIs |
| - xilinx: versal: Implement power down/restart related EEMI, SMC handler for |
| EEMI, PLL related PM, clock related PM, pin control related PM, reset related |
| PM, device related PM , APIs |
| - xilinx: versal: Enable ipi mailbox service |
| - xilinx: versal: Add get_api_version support and support to send PM API to PMC |
| using IPI |
| - xilinx: zynqmp: Add checksum support for IPI data, GET_CALLBACK_DATA |
| function, support to query max divisor, CLK_SET_RATE_PARENT in gem clock |
| node, support for custom type flags, LPD WDT clock to the pm_clock structure, |
| idcodes for new RFSoC silicons ZU48DR and ZU49DR, and id for new RFSoC device |
| ZU39DR |
| |
| - Security |
| - Use Speculation Barrier instruction for v8.5+ cores |
| |
| - Add support for optional firmware encryption feature (experimental). |
| |
| - Introduce a new `dualroot` chain of trust. |
| |
| - aarch64: Prevent speculative execution past ERET |
| - aarch32: Stop speculative execution past exception returns. |
| |
| - SPCI |
| - Introduced the Secure Partition Manager Dispatcher (SPMD) component as a |
| new standard service. |
| |
| - Tools |
| - cert_create: Introduce CoT build option and TBBR CoT makefile, |
| and define the dualroot CoT |
| |
| - encrypt_fw: Add firmware authenticated encryption tool |
| |
| - memory: Add show_memory script that prints a representation |
| of the memory layout for the latest build |
| |
| Changed |
| ^^^^^^^ |
| |
| - Arm Architecture |
| - PIE: Make call to GDT relocation fixup generalized |
| |
| - BL-Specific |
| - Increase maximum size of BL2 image |
| |
| - BL31: Discard .dynsym .dynstr .hash sections to make ENABLE_PIE work |
| - BL31: Split into two separate memory regions |
| |
| - Unify BL linker scripts and reduce code duplication. |
| |
| - Build System |
| - Changes to drive cert_create for dualroot CoT |
| |
| - Enable -Wlogical-op always |
| |
| - Enable -Wshadow always |
| |
| - Refactor the warning flags |
| |
| - PIE: Pass PIE options only to BL31 |
| |
| - Reduce space lost to object alignment |
| |
| - Set lld as the default linker for Clang builds |
| |
| - Remove -Wunused-const-variable and -Wpadded warning |
| |
| - Remove -Wmissing-declarations warning from WARNING1 level |
| |
| - Drivers |
| - authentication: Necessary fix in drivers to upgrade to mbedtls-2.18.0 |
| |
| - console: Integrate UART base address in generic console_t |
| |
| - gicv3: Change API for GICR_IPRIORITYR accessors and separate |
| GICD and GICR accessor functions |
| |
| - io: Change seek offset to signed long long and panic in case |
| of io setup failure |
| |
| - smmu: SMMUv3: Changed retry loop to delay timer |
| |
| - tbbr: Reduce size of hash and ECDSA key buffers when possible |
| |
| - Library Code |
| - libc: Consolidate the size_t, unified, and NULL definitions, |
| and unify intmax_t and uintmax_t on AArch32/64 |
| |
| - ROMLIB: Optimize memory layout when ROMLIB is used |
| |
| - xlat_tables_v2: Use ARRAY_SIZE in REGISTER_XLAT_CONTEXT_FULL_SPEC, |
| merge REGISTER_XLAT_CONTEXT_{FULL_SPEC,RO_BASE_TABLE}, |
| and simplify end address checks in mmap_add_region_check() |
| |
| - Platforms |
| - allwinner: Adjust SRAM A2 base to include the ARISC vectors, clean up MMU |
| setup, reenable USE_COHERENT_MEM, remove unused include path, move the |
| NOBITS region to SRAM A1, convert AXP803 regulator setup code into a driver, |
| enable clock before resetting I2C/RSB |
| - allwinner: h6: power: Switch to using the AXP driver |
| - allwinner: a64: power: Use fdt_for_each_subnode, remove obsolete register |
| check, remove duplicate DT check, and make sunxi_turn_off_soc static |
| - allwinner: Build PMIC bus drivers only in BL31, clean up PMIC-related error |
| handling, and synchronize PMIC enumerations |
| |
| - arm/a5ds: Change boot address to point to DDR address |
| |
| - arm/common: Check for out-of-bound accesses in the platform io policies |
| |
| - arm/corstone700: Updating the kernel arguments to support initramfs, |
| use fdts DDR memory and XIP rootfs, and set UART clocks to 32MHz |
| |
| - arm/fvp: Modify multithreaded dts file of DynamIQ FVPs, slightly bump |
| the stack size for bl1 and bl2, remove re-definition of topology related |
| build options, stop reclaiming init code with Clang builds, and map only |
| the needed DRAM region statically in BL31/SP_MIN |
| |
| - arm/juno: Maximize space allocated to SCP_BL2 |
| |
| - arm/sgi: Bump bl1 RW limit, mark remote chip shared ram as non-cacheable, |
| move GIC related constants to board files, include AFF3 affinity in core |
| position calculation, move bl31_platform_setup to board file, and move |
| topology information to board folder |
| |
| - common: Refactor load_auth_image_internal(). |
| |
| - hisilicon: Remove uefi-tools in hikey and hikey960 documentation |
| |
| - intel: Modify non secure access function, BL31 address mapping, mailbox's |
| get_config_status, and stratix10 BL31 parameter handling |
| - intel: Remove un-needed checks for qspi driver r/w and s10 unused source code |
| - intel: Change all global sip function to static |
| - intel: Refactor common platform code |
| - intel: Create SiP service header file |
| |
| |
| - marvell: armada: scp_bl2: Allow loading up to 8 images |
| - marvell: comphy-a3700: Support SGMII COMPHY power off and fix USB3 |
| powering on when on lane 2 |
| - marvell: Consolidate console register calls |
| |
| - mediatek: mt8183: Protect 4GB~8GB dram memory, refine GIC driver for |
| low power scenarios, and switch PLL/CLKSQ/ck_off/axi_26m control to SPM |
| |
| - qemu: Update flash address map to keep FIP in secure FLASH0 |
| |
| - renesas: rcar_gen3: Update IPL and Secure Monitor Rev.2.0.6, update DDR |
| setting for H3, M3, M3N, change fixed destination address of BL31 and BL32, |
| add missing #{address,size}-cells into generated DT, pass DT to OpTee OS, |
| and move DDR drivers out of staging |
| |
| - rockchip: Make miniloader ddr_parameter handling optional, cleanup securing |
| of ddr regions, move secure init to separate file, use base+size for secure |
| ddr regions, bring TZRAM_SIZE values in lined, and prevent macro expansion |
| in paths |
| |
| - rpi: Move plat_helpers.S to common |
| - rpi3: gpio: Simplify GPIO setup |
| - rpi4: Skip UART initialisation |
| |
| - st: stm32m1: Use generic console_t data structure, remove second |
| QSPI flash instance, update for FMC2 pin muxing, and reduce MAX_XLAT_TABLES |
| to 4 |
| |
| - socionext: uniphier: Make on-chip SRAM and I/O register regions configurable |
| - socionext: uniphier: Make PSCI related, counter control, UART, pinmon, NAND |
| controller, and eMMC controller base addresses configurable |
| - socionext: uniphier: Change block_addressing flag and the return value type |
| of .is_usb_boot() to bool |
| - socionext: uniphier: Run BL33 at EL2, call uniphier_scp_is_running() only |
| when on-chip STM is supported, define PLAT_XLAT_TABLES_DYNAMIC only for BL2, |
| support read-only xlat tables, use enable_mmu() in common function, shrink |
| UNIPHIER_ROM_REGION_SIZE, prepare uniphier_soc_info() for next SoC, extend |
| boot device detection for future SoCs, make all BL images completely |
| position-independent, make uniphier_mmap_setup() work with PIE, pass SCP |
| base address as a function parameter, set buffer offset and length for |
| io_block dynamically, and use more mmap_add_dynamic_region() for loading |
| images |
| |
| - spd/trusty: Disable error messages seen during boot, allow gic base to be |
| specified with GICD_BASE, and allow getting trusty memsize from BL32_MEM_SIZE |
| instead of TSP_SEC_MEM_SIZE |
| |
| - ti: k3: common: Enable ARM cluster power down and rename device IDs to |
| be more consistent |
| - ti: k3: drivers: ti_sci: Put sequence number in coherent memory and |
| remove indirect structure of const data |
| |
| - xilinx: Move ipi mailbox svc to xilinx common |
| - xilinx: zynqmp: Use GIC framework for warm restart |
| - xilinx: zynqmp: pm: Move custom clock flags to typeflags, remove |
| CLK_TOPSW_LSBUS from invalid clock list and rename FPD WDT clock ID |
| - xilinx: versal: Increase OCM memory size for DEBUG builds and adjust |
| cpu clock, Move versal_def.h and versal_private to include directory |
| |
| - Tools |
| - sptool: Updated sptool to accommodate building secure partition packages. |
| |
| Resolved Issues |
| ^^^^^^^^^^^^^^^ |
| |
| - Arm Architecture |
| - Fix crash dump for lower EL |
| |
| - BL-Specific |
| - Bug fix: Protect TSP prints with lock |
| |
| - Fix boot failures on some builds linked with ld.lld. |
| |
| - Build System |
| - Fix clang build if CC is not in the path. |
| |
| - Fix 'BL stage' comment for build macros |
| |
| - Code Quality |
| - coverity: Fix various MISRA violations including null pointer violations, |
| C issues in BL1/BL2/BL31 and FDT helper functions, using boolean essential, |
| type, and removing unnecessary header file and comparisons to LONG_MAX in |
| debugfs devfip |
| |
| - Based on coding guidelines, replace all `unsigned long` depending on if |
| fixed based on AArch32 or AArch64. |
| |
| - Unify type of "cpu_idx" and Platform specific defines across PSCI module. |
| |
| - Drivers |
| - auth: Necessary fix in drivers to upgrade to mbedtls-2.18.0 |
| |
| - delay_timer: Fix non-standard frequency issue in udelay |
| |
| - gicv3: Fix compiler dependent behavior |
| - gic600: Fix include ordering according to the coding style and power up sequence |
| |
| - Library Code |
| - el3_runtime: Fix stack pointer maintenance on EA handling path, |
| fixup 'cm_setup_context' prototype, and adds TPIDR_EL2 register |
| to the context save restore routines |
| |
| - libc: Fix SIZE_MAX on AArch32 |
| |
| - locks: T589: Fix insufficient ordering guarantees in bakery lock |
| |
| - pmf: Fix 'tautological-constant-compare' error, Make the runtime |
| instrumentation work on AArch32, and Simplify PMF helper macro |
| definitions across header files |
| |
| - xlat_tables_v2: Fix assembler warning of PLAT_RO_XLAT_TABLES |
| |
| - Platforms |
| - allwinner: Fix H6 GPIO and CCU memory map addresses and incorrect ARISC |
| code patch offset check |
| |
| - arm/a5ds: Correct system freq and Cache Writeback Granule, and cleanup |
| enable-method in devicetree |
| |
| - arm/fvp: Fix incorrect GIC mapping, BL31 load address and image size |
| for RESET_TO_BL31=1, topology description of cpus for DynamIQ based |
| FVP, and multithreaded FVP power domain tree |
| - arm/fvp: spm-mm: Correcting instructions to build SPM for FVP |
| |
| - arm/common: Fix ROTPK hash generation for ECDSA encryption, BL2 bug in |
| dynamic configuration initialisation, and current RECLAIM_INIT_CODE behavior |
| |
| - arm/rde1edge: Fix incorrect topology tree description |
| |
| - arm/sgi: Fix the incorrect check for SCMI channel ID |
| |
| - common: Flush dcache when storing timestamp |
| |
| - intel: Fix UEFI decompression issue, memory calibration, SMC SIP service, |
| mailbox config return status, mailbox driver logic, FPGA manager on |
| reconfiguration, and mailbox send_cmd issue |
| |
| - imx: Fix shift-overflow errors, the rdc memory region slot's offset, |
| multiple definition of ipc_handle, missing inclusion of cdefs.h, and |
| correct the SGIs that used for secure interrupt |
| |
| - mediatek: mt8183: Fix AARCH64 init fail on CPU0 |
| |
| - rockchip: Fix definition of struct param_ddr_usage |
| |
| - rpi4: Fix documentation of armstub config entry |
| |
| - st: Correct io possible NULL pointer dereference and device_size type, |
| nand xor_ecc.val assigned value, static analysis tool issues, and fix |
| incorrect return value and correctly check pwr-regulators node |
| |
| - xilinx: zynqmp: Correct syscnt freq for QEMU and fix clock models |
| and IDs of GEM-related clocks |
| |
| Known Issues |
| ^^^^^^^^^^^^ |
| |
| - Build System |
| - dtb: DTB creation not supported when building on a Windows host. |
| |
| This step in the build process is skipped when running on a Windows host. A |
| known issue from the 1.6 release. |
| |
| - Intermittent assertion firing `ASSERT: services/spd/tspd/tspd_main.c:105` |
| |
| - Coverity |
| - Intermittent Race condition in Coverity Jenkins Build Job |
| |
| - Platforms |
| - arm/juno: System suspend from Linux does not function as documented in the |
| user guide |
| |
| Following the instructions provided in the user guide document does not |
| result in the platform entering system suspend state as expected. A message |
| relating to the hdlcd driver failing to suspend will be emitted on the |
| Linux terminal. |
| |
| - mediatek/mt6795: This platform does not build in this release |
| |
| Version 2.2 |
| ----------- |
| |
| New Features |
| ^^^^^^^^^^^^ |
| |
| - Architecture |
| - Enable Pointer Authentication (PAuth) support for Secure World |
| - Adds support for ARMv8.3-PAuth in BL1 SMC calls and |
| BL2U image for firmware updates. |
| |
| - Enable Memory Tagging Extension (MTE) support in both secure and non-secure |
| worlds |
| |
| - Adds support for the new Memory Tagging Extension arriving in |
| ARMv8.5. MTE support is now enabled by default on systems that |
| support it at EL0. |
| - To enable it at ELx for both the non-secure and the secure |
| world, the compiler flag ``CTX_INCLUDE_MTE_REGS`` includes register |
| saving and restoring when necessary in order to prevent information |
| leakage between the worlds. |
| |
| - Add support for Branch Target Identification (BTI) |
| |
| - Build System |
| - Modify FVP makefile for CPUs that support both AArch64/32 |
| |
| - AArch32: Allow compiling with soft-float toolchain |
| |
| - Makefile: Add default warning flags |
| |
| - Add Makefile check for PAuth and AArch64 |
| |
| - Add compile-time errors for HW_ASSISTED_COHERENCY flag |
| |
| - Apply compile-time check for AArch64-only CPUs |
| |
| - build_macros: Add mechanism to prevent bin generation. |
| |
| - Add support for default stack-protector flag |
| |
| - spd: opteed: Enable NS_TIMER_SWITCH |
| |
| - plat/arm: Skip BL2U if RESET_TO_SP_MIN flag is set |
| |
| - Add new build option to let each platform select which implementation of spinlocks |
| it wants to use |
| |
| - CPU Support |
| - DSU: Workaround for erratum 798953 and 936184 |
| |
| - Neoverse N1: Force cacheable atomic to near atomic |
| - Neoverse N1: Workaround for erratum 1073348, 1130799, 1165347, 1207823, |
| 1220197, 1257314, 1262606, 1262888, 1275112, 1315703, 1542419 |
| |
| - Neoverse Zeus: Apply the MSR SSBS instruction |
| |
| - cortex-Hercules/HerculesAE: Support added for Cortex-Hercules and |
| Cortex-HerculesAE CPUs |
| - cortex-Hercules/HerculesAE: Enable AMU for Cortex-Hercules and Cortex-HerculesAE |
| |
| - cortex-a76AE: Support added for Cortex-A76AE CPU |
| - cortex-a76: Workaround for erratum 1257314, 1262606, 1262888, 1275112, |
| 1286807 |
| |
| - cortex-a65/a65AE: Support added for Cortex-A65 and Cortex-A65AE CPUs |
| - cortex-a65: Enable AMU for Cortex-A65 |
| |
| - cortex-a55: Workaround for erratum 1221012 |
| |
| - cortex-a35: Workaround for erratum 855472 |
| |
| - cortex-a9: Workaround for erratum 794073 |
| |
| - Drivers |
| - console: Allow the console to register multiple times |
| |
| - delay: Timeout detection support |
| |
| - gicv3: Enabled multi-socket GIC redistributor frame discovery and migrated |
| ARM platforms to the new API |
| |
| - Adds ``gicv3_rdistif_probe`` function that delegates the responsibility |
| of discovering the corresponding redistributor base frame to each CPU |
| itself. |
| |
| - sbsa: Add SBSA watchdog driver |
| |
| - st/stm32_hash: Add HASH driver |
| |
| - ti/uart: Add an AArch32 variant |
| |
| - Library at ROM (romlib) |
| - Introduce BTI support in Library at ROM (romlib) |
| |
| - New Platforms Support |
| - amlogic: g12a: New platform support added for the S905X2 (G12A) platform |
| - amlogic: meson/gxl: New platform support added for Amlogic Meson |
| S905x (GXL) |
| |
| - arm/a5ds: New platform support added for A5 DesignStart |
| |
| - arm/corstone: New platform support added for Corstone-700 |
| |
| - intel: New platform support added for Agilex |
| |
| - mediatek: New platform support added for MediaTek mt8183 |
| |
| - qemu/qemu_sbsa: New platform support added for QEMU SBSA platform |
| |
| - renesas/rcar_gen3: plat: New platform support added for D3 |
| |
| - rockchip: New platform support added for px30 |
| - rockchip: New platform support added for rk3288 |
| |
| - rpi: New platform support added for Raspberry Pi 4 |
| |
| - Platforms |
| - arm/common: Introduce wrapper functions to setup secure watchdog |
| |
| - arm/fvp: Add Delay Timer driver to BL1 and BL31 and option for defining |
| platform DRAM2 base |
| - arm/fvp: Add Linux DTS files for 32 bit threaded FVPs |
| |
| - arm/n1sdp: Add code for DDR ECC enablement and BL33 copy to DDR, Initialise CNTFRQ |
| in Non Secure CNTBaseN |
| |
| - arm/juno: Use shared mbedtls heap between BL1 and BL2 and add basic support for |
| dynamic config |
| |
| - imx: Basic support for PicoPi iMX7D, rdc module init, caam module init, |
| aipstz init, IMX_SIP_GET_SOC_INFO, IMX_SIP_BUILDINFO added |
| |
| - intel: Add ncore ccu driver |
| |
| - mediatek/mt81*: Use new bl31_params_parse() helper |
| |
| - nvidia: tegra: Add support for multi console interface |
| |
| - qemu/qemu_sbsa: Adding memory mapping for both FLASH0/FLASH1 |
| - qemu: Added gicv3 support, new console interface in AArch32, and sub-platforms |
| |
| - renesas/rcar_gen3: plat: Add R-Car V3M support, new board revision for H3ULCB, DBSC4 |
| setting before self-refresh mode |
| |
| - socionext/uniphier: Support console based on multi-console |
| |
| - st: stm32mp1: Add OP-TEE, Avenger96, watchdog, LpDDR3, authentication support |
| and general SYSCFG management |
| |
| - ti/k3: common: Add support for J721E, Use coherent memory for shared data, Trap all |
| asynchronous bus errors to EL3 |
| |
| - xilinx/zynqmp: Add support for multi console interface, Initialize IPI table from |
| zynqmp_config_setup() |
| |
| - PSCI |
| - Adding new optional PSCI hook ``pwr_domain_on_finish_late`` |
| - This PSCI hook ``pwr_domain_on_finish_late`` is similar to |
| ``pwr_domain_on_finish`` but is guaranteed to be invoked when the |
| respective core and cluster are participating in coherency. |
| |
| - Security |
| - Speculative Store Bypass Safe (SSBS): Further enhance protection against Spectre |
| variant 4 by disabling speculative loads/stores (SPSR.SSBS bit) by default. |
| |
| - UBSAN support and handlers |
| - Adds support for the Undefined Behaviour sanitizer. There are two types of |
| support offered - minimalistic trapping support which essentially immediately |
| crashes on undefined behaviour and full support with full debug messages. |
| |
| - Tools |
| - cert_create: Add support for bigger RSA key sizes (3KB and 4KB), |
| previously the maximum size was 2KB. |
| |
| - fiptool: Add support to build fiptool on Windows. |
| |
| |
| Changed |
| ^^^^^^^ |
| |
| - Architecture |
| - Refactor ARMv8.3 Pointer Authentication support code |
| |
| - backtrace: Strip PAC field when PAUTH is enabled |
| |
| - Prettify crash reporting output on AArch64. |
| |
| - Rework smc_unknown return code path in smc_handler |
| - Leverage the existing ``el3_exit()`` return routine for smc_unknown return |
| path rather than a custom set of instructions. |
| |
| - BL-Specific |
| - Invalidate dcache build option for BL2 entry at EL3 |
| |
| - Add missing support for BL2_AT_EL3 in XIP memory |
| |
| - Boot Flow |
| - Add helper to parse BL31 parameters (both versions) |
| |
| - Factor out cross-BL API into export headers suitable for 3rd party code |
| |
| - Introduce lightweight BL platform parameter library |
| |
| - Drivers |
| - auth: Memory optimization for Chain of Trust (CoT) description |
| |
| - bsec: Move bsec_mode_is_closed_device() service to platform |
| |
| - cryptocell: Move Cryptocell specific API into driver |
| |
| - gicv3: Prevent pending G1S interrupt from becoming G0 interrupt |
| |
| - mbedtls: Remove weak heap implementation |
| |
| - mmc: Increase delay between ACMD41 retries |
| - mmc: stm32_sdmmc2: Correctly manage block size |
| - mmc: stm32_sdmmc2: Manage max-frequency property from DT |
| |
| - synopsys/emmc: Do not change FIFO TH as this breaks some platforms |
| - synopsys: Update synopsys drivers to not rely on undefined overflow behaviour |
| |
| - ufs: Extend the delay after reset to wait for some slower chips |
| |
| - Platforms |
| - amlogic/meson/gxl: Remove BL2 dependency from BL31 |
| |
| - arm/common: Shorten the Firmware Update (FWU) process |
| |
| - arm/fvp: Remove GIC initialisation from secondary core cold boot |
| |
| - arm/sgm: Temporarily disable shared Mbed TLS heap for SGM |
| |
| - hisilicon: Update hisilicon drivers to not rely on undefined overflow behaviour |
| |
| - imx: imx8: Replace PLAT_IMX8* with PLAT_imx8*, remove duplicated linker symbols and |
| deprecated code include, keep only IRQ 32 unmasked, enable all power domain by default |
| |
| - marvell: Prevent SError accessing PCIe link, Switch to xlat_tables_v2, do not rely on |
| argument passed via smc, make sure that comphy init will use correct address |
| |
| - mediatek: mt8173: Refactor RTC and PMIC drivers |
| - mediatek: mt8173: Apply MULTI_CONSOLE framework |
| |
| - nvidia: Tegra: memctrl_v2: fix "overflow before widen" coverity issue |
| |
| - qemu: Simplify the image size calculation, Move and generalise FDT PSCI fixup, move |
| gicv2 codes to separate file |
| |
| - renesas/rcar_gen3: Convert to multi-console API, update QoS setting, Update IPL and |
| Secure Monitor Rev2.0.4, Change to restore timer counter value at resume, Update DDR |
| setting rev.0.35, qos: change subslot cycle, Change periodic write DQ training option. |
| |
| - rockchip: Allow SOCs with undefined wfe check bits, Streamline and complete UARTn_BASE |
| macros, drop rockchip-specific imported linker symbols for bl31, Disable binary generation |
| for all SOCs, Allow console device to be set by DTB, Use new bl31_params_parse functions |
| |
| - rpi/rpi3: Move shared rpi3 files into common directory |
| |
| - socionext/uniphier: Set CONSOLE_FLAG_TRANSLATE_CRLF and clean up console driver |
| - socionext/uniphier: Replace DIV_ROUND_UP() with div_round_up() from utils_def.h |
| |
| - st/stm32mp: Split stm32mp_io_setup function, move stm32_get_gpio_bank_clock() to private |
| file, correctly handle Clock Spreading Generator, move oscillator functions to generic file, |
| realign device tree files with internal devs, enable RTCAPB clock for dual-core chips, use a |
| common function to check spinlock is available, move check_header() to common code |
| |
| - ti/k3: Enable SEPARATE_CODE_AND_RODATA by default, Remove shared RAM space, |
| Drop _ADDRESS from K3_USART_BASE to match other defines, Remove MSMC port |
| definitions, Allow USE_COHERENT_MEM for K3, Set L2 latency on A72 cores |
| |
| - PSCI |
| - PSCI: Lookup list of parent nodes to lock only once |
| |
| - Secure Partition Manager (SPM): SPCI Prototype |
| - Fix service UUID lookup |
| |
| - Adjust size of virtual address space per partition |
| |
| - Refactor xlat context creation |
| |
| - Move shim layer to TTBR1_EL1 |
| |
| - Ignore empty regions in resource description |
| |
| - Security |
| - Refactor SPSR initialisation code |
| |
| - SMMUv3: Abort DMA transactions |
| - For security DMA should be blocked at the SMMU by default unless explicitly |
| enabled for a device. SMMU is disabled after reset with all streams bypassing |
| the SMMU, and abortion of all incoming transactions implements a default deny |
| policy on reset. |
| - Moves ``bl1_platform_setup()`` function from arm_bl1_setup.c to FVP platforms' |
| fvp_bl1_setup.c and fvp_ve_bl1_setup.c files. |
| |
| - Tools |
| - cert_create: Remove RSA PKCS#1 v1.5 support |
| |
| |
| Resolved Issues |
| ^^^^^^^^^^^^^^^ |
| |
| - Architecture |
| - Fix the CAS spinlock implementation by adding a missing DSB in ``spin_unlock()`` |
| |
| - AArch64: Fix SCTLR bit definitions |
| - Removes incorrect ``SCTLR_V_BIT`` definition and adds definitions for |
| ARMv8.3-Pauth `EnIB`, `EnDA` and `EnDB` bits. |
| |
| - Fix restoration of PAuth context |
| - Replace call to ``pauth_context_save()`` with ``pauth_context_restore()`` in |
| case of unknown SMC call. |
| |
| - BL-Specific Issues |
| - Fix BL31 crash reporting on AArch64 only platforms |
| |
| - Build System |
| - Remove several warnings reported with W=2 and W=1 |
| |
| - Code Quality Issues |
| - SCTLR and ACTLR are 32-bit for AArch32 and 64-bit for AArch64 |
| - Unify type of "cpu_idx" across PSCI module. |
| - Assert if power level value greater then PSCI_INVALID_PWR_LVL |
| - Unsigned long should not be used as per coding guidelines |
| - Reduce the number of memory leaks in cert_create |
| - Fix type of cot_desc_ptr |
| - Use explicit-width data types in AAPCS parameter structs |
| - Add python configuration for editorconfig |
| - BL1: Fix type consistency |
| |
| - Enable -Wshift-overflow=2 to check for undefined shift behavior |
| - Updated upstream platforms to not rely on undefined overflow behaviour |
| |
| - Coverity Quality Issues |
| - Remove GGC ignore -Warray-bounds |
| - Fix Coverity #261967, Infinite loop |
| - Fix Coverity #343017, Missing unlock |
| - Fix Coverity #343008, Side affect in assertion |
| - Fix Coverity #342970, Uninitialized scalar variable |
| |
| - CPU Support |
| - cortex-a12: Fix MIDR mask |
| |
| - Drivers |
| - console: Remove Arm console unregister on suspend |
| |
| - gicv3: Fix support for full SPI range |
| |
| - scmi: Fix wrong payload length |
| |
| - Library Code |
| - libc: Fix sparse warning for __assert() |
| |
| - libc: Fix memchr implementation |
| |
| - Platforms |
| - rpi: rpi3: Fix compilation error when stack protector is enabled |
| |
| - socionext/uniphier: Fix compilation fail for SPM support build config |
| |
| - st/stm32mp1: Fix TZC400 configuration against non-secure DDR |
| |
| - ti/k3: common: Fix RO data area size calculation |
| |
| - Security |
| - AArch32: Disable Secure Cycle Counter |
| - Changes the implementation for disabling Secure Cycle Counter. |
| For ARMv8.5 the counter gets disabled by setting ``SDCR.SCCD`` bit on |
| CPU cold/warm boot. For the earlier architectures PMCR register is |
| saved/restored on secure world entry/exit from/to Non-secure state, |
| and cycle counting gets disabled by setting PMCR.DP bit. |
| - AArch64: Disable Secure Cycle Counter |
| - For ARMv8.5 the counter gets disabled by setting ``MDCR_El3.SCCD`` bit on |
| CPU cold/warm boot. For the earlier architectures PMCR_EL0 register is |
| saved/restored on secure world entry/exit from/to Non-secure state, |
| and cycle counting gets disabled by setting PMCR_EL0.DP bit. |
| |
| Deprecations |
| ^^^^^^^^^^^^ |
| |
| - Common Code |
| - Remove MULTI_CONSOLE_API flag and references to it |
| |
| - Remove deprecated `plat_crash_console_*` |
| |
| - Remove deprecated interfaces `get_afflvl_shift`, `mpidr_mask_lower_afflvls`, `eret` |
| |
| - AARCH32/AARCH64 macros are now deprecated in favor of ``__aarch64__`` |
| |
| - ``__ASSEMBLY__`` macro is now deprecated in favor of ``__ASSEMBLER__`` |
| |
| - Drivers |
| - console: Removed legacy console API |
| - console: Remove deprecated finish_console_register |
| |
| - tzc: Remove deprecated types `tzc_action_t` and `tzc_region_attributes_t` |
| |
| - Secure Partition Manager (SPM): |
| - Prototype SPCI-based SPM (services/std_svc/spm) will be replaced with alternative |
| methods of secure partitioning support. |
| |
| Known Issues |
| ^^^^^^^^^^^^ |
| |
| - Build System Issues |
| - dtb: DTB creation not supported when building on a Windows host. |
| |
| This step in the build process is skipped when running on a Windows host. A |
| known issue from the 1.6 release. |
| |
| - Platform Issues |
| - arm/juno: System suspend from Linux does not function as documented in the |
| user guide |
| |
| Following the instructions provided in the user guide document does not |
| result in the platform entering system suspend state as expected. A message |
| relating to the hdlcd driver failing to suspend will be emitted on the |
| Linux terminal. |
| |
| - mediatek/mt6795: This platform does not build in this release |
| |
| Version 2.1 |
| ----------- |
| |
| New Features |
| ^^^^^^^^^^^^ |
| |
| - Architecture |
| - Support for ARMv8.3 pointer authentication in the normal and secure worlds |
| |
| The use of pointer authentication in the normal world is enabled whenever |
| architectural support is available, without the need for additional build |
| flags. |
| |
| Use of pointer authentication in the secure world remains an |
| experimental configuration at this time. Using both the ``ENABLE_PAUTH`` |
| and ``CTX_INCLUDE_PAUTH_REGS`` build flags, pointer authentication can be |
| enabled in EL3 and S-EL1/0. |
| |
| See the :ref:`Firmware Design` document for additional details on the use |
| of pointer authentication. |
| |
| - Enable Data Independent Timing (DIT) in EL3, where supported |
| |
| - Build System |
| - Support for BL-specific build flags |
| |
| - Support setting compiler target architecture based on ``ARM_ARCH_MINOR`` |
| build option. |
| |
| - New ``RECLAIM_INIT_CODE`` build flag: |
| |
| A significant amount of the code used for the initialization of BL31 is |
| not needed again after boot time. In order to reduce the runtime memory |
| footprint, the memory used for this code can be reclaimed after |
| initialization. |
| |
| Certain boot-time functions were marked with the ``__init`` attribute to |
| enable this reclamation. |
| |
| - CPU Support |
| - cortex-a76: Workaround for erratum 1073348 |
| - cortex-a76: Workaround for erratum 1220197 |
| - cortex-a76: Workaround for erratum 1130799 |
| |
| - cortex-a75: Workaround for erratum 790748 |
| - cortex-a75: Workaround for erratum 764081 |
| |
| - cortex-a73: Workaround for erratum 852427 |
| - cortex-a73: Workaround for erratum 855423 |
| |
| - cortex-a57: Workaround for erratum 817169 |
| - cortex-a57: Workaround for erratum 814670 |
| |
| - cortex-a55: Workaround for erratum 903758 |
| - cortex-a55: Workaround for erratum 846532 |
| - cortex-a55: Workaround for erratum 798797 |
| - cortex-a55: Workaround for erratum 778703 |
| - cortex-a55: Workaround for erratum 768277 |
| |
| - cortex-a53: Workaround for erratum 819472 |
| - cortex-a53: Workaround for erratum 824069 |
| - cortex-a53: Workaround for erratum 827319 |
| |
| - cortex-a17: Workaround for erratum 852423 |
| - cortex-a17: Workaround for erratum 852421 |
| |
| - cortex-a15: Workaround for erratum 816470 |
| - cortex-a15: Workaround for erratum 827671 |
| |
| - Documentation |
| - Exception Handling Framework documentation |
| |
| - Library at ROM (romlib) documentation |
| |
| - RAS framework documentation |
| |
| - Coding Guidelines document |
| |
| - Drivers |
| - ccn: Add API for setting and reading node registers |
| - Adds ``ccn_read_node_reg`` function |
| - Adds ``ccn_write_node_reg`` function |
| |
| - partition: Support MBR partition entries |
| |
| - scmi: Add ``plat_css_get_scmi_info`` function |
| |
| Adds a new API ``plat_css_get_scmi_info`` which lets the platform |
| register a platform-specific instance of ``scmi_channel_plat_info_t`` and |
| remove the default values |
| |
| - tzc380: Add TZC-380 TrustZone Controller driver |
| |
| - tzc-dmc620: Add driver to manage the TrustZone Controller within the |
| DMC-620 Dynamic Memory Controller |
| |
| - Library at ROM (romlib) |
| - Add platform-specific jump table list |
| |
| - Allow patching of romlib functions |
| |
| This change allows patching of functions in the romlib. This can be done by |
| adding "patch" at the end of the jump table entry for the function that |
| needs to be patched in the file jmptbl.i. |
| |
| - Library Code |
| - Support non-LPAE-enabled MMU tables in AArch32 |
| |
| - mmio: Add ``mmio_clrsetbits_16`` function |
| - 16-bit variant of ``mmio_clrsetbits`` |
| |
| - object_pool: Add Object Pool Allocator |
| - Manages object allocation using a fixed-size static array |
| - Adds ``pool_alloc`` and ``pool_alloc_n`` functions |
| - Does not provide any functions to free allocated objects (by design) |
| |
| - libc: Added ``strlcpy`` function |
| |
| - libc: Import ``strrchr`` function from FreeBSD |
| |
| - xlat_tables: Add support for ARMv8.4-TTST |
| |
| - xlat_tables: Support mapping regions without an explicitly specified VA |
| |
| - Math |
| - Added softudiv macro to support software division |
| |
| - Memory Partitioning And Monitoring (MPAM) |
| - Enabled MPAM EL2 traps (``MPAMHCR_EL2`` and ``MPAM_EL2``) |
| |
| - Platforms |
| - amlogic: Add support for Meson S905 (GXBB) |
| |
| - arm/fvp_ve: Add support for FVP Versatile Express platform |
| |
| - arm/n1sdp: Add support for Neoverse N1 System Development platform |
| |
| - arm/rde1edge: Add support for Neoverse E1 platform |
| |
| - arm/rdn1edge: Add support for Neoverse N1 platform |
| |
| - arm: Add support for booting directly to Linux without an intermediate |
| loader (AArch32) |
| |
| - arm/juno: Enable new CPU errata workarounds for A53 and A57 |
| |
| - arm/juno: Add romlib support |
| |
| Building a combined BL1 and ROMLIB binary file with the correct page |
| alignment is now supported on the Juno platform. When ``USE_ROMLIB`` is set |
| for Juno, it generates the combined file ``bl1_romlib.bin`` which needs to |
| be used instead of bl1.bin. |
| |
| - intel/stratix: Add support for Intel Stratix 10 SoC FPGA platform |
| |
| - marvell: Add support for Armada-37xx SoC platform |
| |
| - nxp: Add support for i.MX8M and i.MX7 Warp7 platforms |
| |
| - renesas: Add support for R-Car Gen3 platform |
| |
| - xilinx: Add support for Versal ACAP platforms |
| |
| - Position-Independent Executable (PIE) |
| |
| PIE support has initially been added to BL31. The ``ENABLE_PIE`` build flag is |
| used to enable or disable this functionality as required. |
| |
| - Secure Partition Manager |
| - New SPM implementation based on SPCI Alpha 1 draft specification |
| |
| A new version of SPM has been implemented, based on the SPCI (Secure |
| Partition Client Interface) and SPRT (Secure Partition Runtime) draft |
| specifications. |
| |
| The new implementation is a prototype that is expected to undergo intensive |
| rework as the specifications change. It has basic support for multiple |
| Secure Partitions and Resource Descriptions. |
| |
| The older version of SPM, based on MM (ARM Management Mode Interface |
| Specification), is still present in the codebase. A new build flag, |
| ``SPM_MM`` has been added to allow selection of the desired implementation. |
| This flag defaults to 1, selecting the MM-based implementation. |
| |
| - Security |
| - Spectre Variant-1 mitigations (``CVE-2017-5753``) |
| |
| - Use Speculation Store Bypass Safe (SSBS) functionality where available |
| |
| Provides mitigation against ``CVE-2018-19440`` (Not saving x0 to x3 |
| registers can leak information from one Normal World SMC client to another) |
| |
| |
| Changed |
| ^^^^^^^ |
| |
| - Build System |
| - Warning levels are now selectable with ``W=<1,2,3>`` |
| |
| - Removed unneeded include paths in PLAT_INCLUDES |
| |
| - "Warnings as errors" (Werror) can be disabled using ``E=0`` |
| |
| - Support totally quiet output with ``-s`` flag |
| |
| - Support passing options to checkpatch using ``CHECKPATCH_OPTS=<opts>`` |
| |
| - Invoke host compiler with ``HOSTCC / HOSTCCFLAGS`` instead of ``CC / CFLAGS`` |
| |
| - Make device tree pre-processing similar to U-boot/Linux by: |
| - Creating separate ``CPPFLAGS`` for DT preprocessing so that compiler |
| options specific to it can be accommodated. |
| - Replacing ``CPP`` with ``PP`` for DT pre-processing |
| |
| - CPU Support |
| - Errata report function definition is now mandatory for CPU support files |
| |
| CPU operation files must now define a ``<name>_errata_report`` function to |
| print errata status. This is no longer a weak reference. |
| |
| - Documentation |
| - Migrated some content from GitHub wiki to ``docs/`` directory |
| |
| - Security advisories now have CVE links |
| |
| - Updated copyright guidelines |
| |
| - Drivers |
| - console: The ``MULTI_CONSOLE_API`` framework has been rewritten in C |
| |
| - console: Ported multi-console driver to AArch32 |
| |
| - gic: Remove 'lowest priority' constants |
| |
| Removed ``GIC_LOWEST_SEC_PRIORITY`` and ``GIC_LOWEST_NS_PRIORITY``. |
| Platforms should define these if required, or instead determine the correct |
| priority values at runtime. |
| |
| - delay_timer: Check that the Generic Timer extension is present |
| |
| - mmc: Increase command reply timeout to 10 milliseconds |
| |
| - mmc: Poll eMMC device status to ensure ``EXT_CSD`` command completion |
| |
| - mmc: Correctly check return code from ``mmc_fill_device_info`` |
| |
| - External Libraries |
| |
| - libfdt: Upgraded from 1.4.2 to 1.4.6-9 |
| |
| - mbed TLS: Upgraded from 2.12 to 2.16 |
| |
| This change incorporates fixes for security issues that should be reviewed |
| to determine if they are relevant for software implementations using |
| Trusted Firmware-A. See the `mbed TLS releases`_ page for details on |
| changes from the 2.12 to the 2.16 release. |
| |
| - Library Code |
| - compiler-rt: Updated ``lshrdi3.c`` and ``int_lib.h`` with changes from |
| LLVM master branch (r345645) |
| |
| - cpu: Updated macro that checks need for ``CVE-2017-5715`` mitigation |
| |
| - libc: Made setjmp and longjmp C standard compliant |
| |
| - libc: Allowed overriding the default libc (use ``OVERRIDE_LIBC``) |
| |
| - libc: Moved setjmp and longjmp to the ``libc/`` directory |
| |
| - Platforms |
| - Removed Mbed TLS dependency from plat_bl_common.c |
| |
| - arm: Removed unused ``ARM_MAP_BL_ROMLIB`` macro |
| |
| - arm: Removed ``ARM_BOARD_OPTIMISE_MEM`` feature and build flag |
| |
| - arm: Moved several components into ``drivers/`` directory |
| |
| This affects the SDS, SCP, SCPI, MHU and SCMI components |
| |
| - arm/juno: Increased maximum BL2 image size to ``0xF000`` |
| |
| This change was required to accommodate a larger ``libfdt`` library |
| |
| - SCMI |
| - Optimized bakery locks when hardware-assisted coherency is enabled using the |
| ``HW_ASSISTED_COHERENCY`` build flag |
| |
| - SDEI |
| - Added support for unconditionally resuming secure world execution after |
| |SDEI| event processing completes |
| |
| |SDEI| interrupts, although targeting EL3, occur on behalf of the non-secure |
| world, and may have higher priority than secure world |
| interrupts. Therefore they might preempt secure execution and yield |
| execution to the non-secure |SDEI| handler. Upon completion of |SDEI| event |
| handling, resume secure execution if it was preempted. |
| |
| - Translation Tables (XLAT) |
| - Dynamically detect need for ``Common not Private (TTBRn_ELx.CnP)`` bit |
| |
| Properly handle the case where ``ARMv8.2-TTCNP`` is implemented in a CPU |
| that does not implement all mandatory v8.2 features (and so must claim to |
| implement a lower architecture version). |
| |
| |
| Resolved Issues |
| ^^^^^^^^^^^^^^^ |
| |
| - Architecture |
| - Incorrect check for SSBS feature detection |
| |
| - Unintentional register clobber in AArch32 reset_handler function |
| |
| - Build System |
| - Dependency issue during DTB image build |
| |
| - Incorrect variable expansion in Arm platform makefiles |
| |
| - Building on Windows with verbose mode (``V=1``) enabled is broken |
| |
| - AArch32 compilation flags is missing ``$(march32-directive)`` |
| |
| - BL-Specific Issues |
| - bl2: ``uintptr_t is not defined`` error when ``BL2_IN_XIP_MEM`` is defined |
| |
| - bl2: Missing prototype warning in ``bl2_arch_setup`` |
| |
| - bl31: Omission of Global Offset Table (GOT) section |
| |
| - Code Quality Issues |
| - Multiple MISRA compliance issues |
| |
| - Potential NULL pointer dereference (Coverity-detected) |
| |
| - Drivers |
| - mmc: Local declaration of ``scr`` variable causes a cache issue when |
| invalidating after the read DMA transfer completes |
| |
| - mmc: ``ACMD41`` does not send voltage information during initialization, |
| resulting in the command being treated as a query. This prevents the |
| command from initializing the controller. |
| |
| - mmc: When checking device state using ``mmc_device_state()`` there are no |
| retries attempted in the event of an error |
| |
| - ccn: Incorrect Region ID calculation for RN-I nodes |
| |
| - console: ``Fix MULTI_CONSOLE_API`` when used as a crash console |
| |
| - partition: Improper NULL checking in gpt.c |
| |
| - partition: Compilation failure in ``VERBOSE`` mode (``V=1``) |
| |
| - Library Code |
| - common: Incorrect check for Address Authentication support |
| |
| - xlat: Fix XLAT_V1 / XLAT_V2 incompatibility |
| |
| The file ``arm_xlat_tables.h`` has been renamed to ``xlat_tables_compat.h`` |
| and has been moved to a common folder. This header can be used to guarantee |
| compatibility, as it includes the correct header based on |
| ``XLAT_TABLES_LIB_V2``. |
| |
| - xlat: armclang unused-function warning on ``xlat_clean_dcache_range`` |
| |
| - xlat: Invalid ``mm_cursor`` checks in ``mmap_add`` and ``mmap_add_ctx`` |
| |
| - sdei: Missing ``context.h`` header |
| |
| - Platforms |
| - common: Missing prototype warning for ``plat_log_get_prefix`` |
| |
| - arm: Insufficient maximum BL33 image size |
| |
| - arm: Potential memory corruption during BL2-BL31 transition |
| |
| On Arm platforms, the BL2 memory can be overlaid by BL31/BL32. The memory |
| descriptors describing the list of executable images are created in BL2 |
| R/W memory, which could be possibly corrupted later on by BL31/BL32 due |
| to overlay. This patch creates a reserved location in SRAM for these |
| descriptors and are copied over by BL2 before handing over to next BL |
| image. |
| |
| - juno: Invalid behaviour when ``CSS_USE_SCMI_SDS_DRIVER`` is not set |
| |
| In ``juno_pm.c`` the ``css_scmi_override_pm_ops`` function was used |
| regardless of whether the build flag was set. The original behaviour has |
| been restored in the case where the build flag is not set. |
| |
| - Tools |
| - fiptool: Incorrect UUID parsing of blob parameters |
| |
| - doimage: Incorrect object rules in Makefile |
| |
| |
| Deprecations |
| ^^^^^^^^^^^^ |
| |
| - Common Code |
| - ``plat_crash_console_init`` function |
| |
| - ``plat_crash_console_putc`` function |
| |
| - ``plat_crash_console_flush`` function |
| |
| - ``finish_console_register`` macro |
| |
| - AArch64-specific Code |
| - helpers: ``get_afflvl_shift`` |
| |
| - helpers: ``mpidr_mask_lower_afflvls`` |
| |
| - helpers: ``eret`` |
| |
| - Secure Partition Manager (SPM) |
| - Boot-info structure |
| |
| |
| Known Issues |
| ^^^^^^^^^^^^ |
| |
| - Build System Issues |
| - dtb: DTB creation not supported when building on a Windows host. |
| |
| This step in the build process is skipped when running on a Windows host. A |
| known issue from the 1.6 release. |
| |
| - Platform Issues |
| - arm/juno: System suspend from Linux does not function as documented in the |
| user guide |
| |
| Following the instructions provided in the user guide document does not |
| result in the platform entering system suspend state as expected. A message |
| relating to the hdlcd driver failing to suspend will be emitted on the |
| Linux terminal. |
| |
| - arm/juno: The firmware update use-cases do not work with motherboard |
| firmware version < v1.5.0 (the reset reason is not preserved). The Linaro |
| 18.04 release has MB v1.4.9. The MB v1.5.0 is available in Linaro 18.10 |
| release. |
| |
| - mediatek/mt6795: This platform does not build in this release |
| |
| Version 2.0 |
| ----------- |
| |
| New Features |
| ^^^^^^^^^^^^ |
| |
| - Removal of a number of deprecated APIs |
| |
| - A new Platform Compatibility Policy document has been created which |
| references a wiki page that maintains a listing of deprecated |
| interfaces and the release after which they will be removed. |
| |
| - All deprecated interfaces except the MULTI_CONSOLE_API have been removed |
| from the code base. |
| |
| - Various Arm and partner platforms have been updated to remove the use of |
| removed APIs in this release. |
| |
| - This release is otherwise unchanged from 1.6 release |
| |
| Issues resolved since last release |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| |
| - No issues known at 1.6 release resolved in 2.0 release |
| |
| Known Issues |
| ^^^^^^^^^^^^ |
| |
| - DTB creation not supported when building on a Windows host. This step in the |
| build process is skipped when running on a Windows host. Known issue from |
| 1.6 version. |
| |
| - As a result of removal of deprecated interfaces the Nvidia Tegra, Marvell |
| Armada 8K and MediaTek MT6795 platforms do not build in this release. |
| Also MediaTek MT8173, NXP QorIQ LS1043A, NXP i.MX8QX, NXP i.MX8QMa, |
| Rockchip RK3328, Rockchip RK3368 and Rockchip RK3399 platforms have not been |
| confirmed to be working after the removal of the deprecated interfaces |
| although they do build. |
| |
| Version 1.6 |
| ----------- |
| |
| New Features |
| ^^^^^^^^^^^^ |
| |
| - Addressing Speculation Security Vulnerabilities |
| |
| - Implement static workaround for CVE-2018-3639 for AArch32 and AArch64 |
| |
| - Add support for dynamic mitigation for CVE-2018-3639 |
| |
| - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76 |
| |
| - Ensure |SDEI| handler executes with CVE-2018-3639 mitigation enabled |
| |
| - Introduce RAS handling on AArch64 |
| |
| - Some RAS extensions are mandatory for Armv8.2 CPUs, with others |
| mandatory for Armv8.4 CPUs however, all extensions are also optional |
| extensions to the base Armv8.0 architecture. |
| |
| - The Armv8 RAS Extensions introduced Standard Error Records which are a |
| set of standard registers to configure RAS node policy and allow RAS |
| Nodes to record and expose error information for error handling agents. |
| |
| - Capabilities are provided to support RAS Node enumeration and iteration |
| along with individual interrupt registrations and fault injections |
| support. |
| |
| - Introduce handlers for Uncontainable errors, Double Faults and EL3 |
| External Aborts |
| |
| - Enable Memory Partitioning And Monitoring (MPAM) for lower EL's |
| |
| - Memory Partitioning And Monitoring is an Armv8.4 feature that enables |
| various memory system components and resources to define partitions. |
| Software running at various ELs can then assign themselves to the |
| desired partition to control their performance aspects. |
| |
| - When ENABLE_MPAM_FOR_LOWER_ELS is set to 1, EL3 allows |
| lower ELs to access their own MPAM registers without trapping to EL3. |
| This patch however, doesn't make use of partitioning in EL3; platform |
| initialisation code should configure and use partitions in EL3 if |
| required. |
| |
| - Introduce ROM Lib Feature |
| |
| - Support combining several libraries into a self-called "romlib" image, |
| that may be shared across images to reduce memory footprint. The romlib |
| image is stored in ROM but is accessed through a jump-table that may be |
| stored in read-write memory, allowing for the library code to be patched. |
| |
| - Introduce Backtrace Feature |
| |
| - This function displays the backtrace, the current EL and security state |
| to allow a post-processing tool to choose the right binary to interpret |
| the dump. |
| |
| - Print backtrace in assert() and panic() to the console. |
| |
| - Code hygiene changes and alignment with MISRA C-2012 guideline with fixes |
| addressing issues complying to the following rules: |
| |
| - MISRA rules 4.9, 5.1, 5.3, 5.7, 8.2-8.5, 8.8, 8.13, 9.3, 10.1, |
| 10.3-10.4, 10.8, 11.3, 11.6, 12.1, 14.4, 15.7, 16.1-16.7, 17.7-17.8, |
| 20.7, 20.10, 20.12, 21.1, 21.15, 22.7 |
| |
| - Clean up the usage of void pointers to access symbols |
| |
| - Increase usage of static qualifier to locally used functions and data |
| |
| - Migrated to use of u_register_t for register read/write to better |
| match AArch32 and AArch64 type sizes |
| |
| - Use int-ll64 for both AArch32 and AArch64 to assist in consistent |
| format strings between architectures |
| |
| - Clean up TF-A libc by removing non arm copyrighted implementations |
| and replacing them with modified FreeBSD and SCC implementations |
| |
| - Various changes to support Clang linker and assembler |
| |
| - The clang assembler/preprocessor is used when Clang is selected. However, |
| the clang linker is not used because it is unable to link TF-A objects |
| due to immaturity of clang linker functionality at this time. |
| |
| - Refactor support APIs into Libraries |
| |
| - Evolve libfdt, mbed TLS library and standard C library sources as |
| proper libraries that TF-A may be linked against. |
| |
| - CPU Enhancements |
| |
| - Add CPU support for Cortex-Ares and Cortex-A76 |
| |
| - Add AMU support for Cortex-Ares |
| |
| - Add initial CPU support for Cortex-Deimos |
| |
| - Add initial CPU support for Cortex-Helios |
| |
| - Implement dynamic mitigation for CVE-2018-3639 on Cortex-A76 |
| |
| - Implement Cortex-Ares erratum 1043202 workaround |
| |
| - Implement DSU erratum 936184 workaround |
| |
| - Check presence of fix for errata 843419 in Cortex-A53 |
| |
| - Check presence of fix for errata 835769 in Cortex-A53 |
| |
| - Translation Tables Enhancements |
| |
| - The xlat v2 library has been refactored in order to be reused by |
| different TF components at different EL's including the addition of EL2. |
| Some refactoring to make the code more generic and less specific to TF, |
| in order to reuse the library outside of this project. |
| |
| - SPM Enhancements |
| |
| - General cleanups and refactoring to pave the way to multiple partitions |
| support |
| |
| - SDEI Enhancements |
| |
| - Allow platforms to define explicit events |
| |
| - Determine client EL from NS context's SCR_EL3 |
| |
| - Make dispatches synchronous |
| |
| - Introduce jump primitives for BL31 |
| |
| - Mask events after CPU wakeup in |SDEI| dispatcher to conform to the |
| specification |
| |
| - Misc TF-A Core Common Code Enhancements |
| |
| - Add support for eXecute In Place (XIP) memory in BL2 |
| |
| - Add support for the SMC Calling Convention 2.0 |
| |
| - Introduce External Abort handling on AArch64 |
| External Abort routed to EL3 was reported as an unhandled exception |
| and caused a panic. This change enables Trusted Firmware-A to handle |
| External Aborts routed to EL3. |
| |
| - Save value of ACTLR_EL1 implementation-defined register in the CPU |
| context structure rather than forcing it to 0. |
| |
| - Introduce ARM_LINUX_KERNEL_AS_BL33 build option, which allows BL31 to |
| directly jump to a Linux kernel. This makes for a quicker and simpler |
| boot flow, which might be useful in some test environments. |
| |
| - Add dynamic configurations for BL31, BL32 and BL33 enabling support for |
| Chain of Trust (COT). |
| |
| - Make TF UUID RFC 4122 compliant |
| |
| - New Platform Support |
| |
| - Arm SGI-575 |
| |
| - Arm SGM-775 |
| |
| - Allwinner sun50i_64 |
| |
| - Allwinner sun50i_h6 |
| |
| - NXP QorIQ LS1043A |
| |
| - NXP i.MX8QX |
| |
| - NXP i.MX8QM |
| |
| - NXP i.MX7Solo WaRP7 |
| |
| - TI K3 |
| |
| - Socionext Synquacer SC2A11 |
| |
| - Marvell Armada 8K |
| |
| - STMicroelectronics STM32MP1 |
| |
| - Misc Generic Platform Common Code Enhancements |
| |
| - Add MMC framework that supports both eMMC and SD card devices |
| |
| - Misc Arm Platform Common Code Enhancements |
| |
| - Demonstrate PSCI MEM_PROTECT from el3_runtime |
| |
| - Provide RAS support |
| |
| - Migrate AArch64 port to the multi console driver. The old API is |
| deprecated and will eventually be removed. |
| |
| - Move BL31 below BL2 to enable BL2 overlay resulting in changes in the |
| layout of BL images in memory to enable more efficient use of available |
| space. |
| |
| - Add cpp build processing for dtb that allows processing device tree |
| with external includes. |
| |
| - Extend FIP io driver to support multiple FIP devices |
| |
| - Add support for SCMI AP core configuration protocol v1.0 |
| |
| - Use SCMI AP core protocol to set the warm boot entrypoint |
| |
| - Add support to Mbed TLS drivers for shared heap among different |
| BL images to help optimise memory usage |
| |
| - Enable non-secure access to UART1 through a build option to support |
| a serial debug port for debugger connection |
| |
| - Enhancements for Arm Juno Platform |
| |
| - Add support for TrustZone Media Protection 1 (TZMP1) |
| |
| - Enhancements for Arm FVP Platform |
| |
| - Dynamic_config: remove the FVP dtb files |
| |
| - Set DYNAMIC_WORKAROUND_CVE_2018_3639=1 on FVP by default |
| |
| - Set the ability to dynamically disable Trusted Boot Board |
| authentication to be off by default with DYN_DISABLE_AUTH |
| |
| - Add librom enhancement support in FVP |
| |
| - Support shared Mbed TLS heap between BL1 and BL2 that allow a |
| reduction in BL2 size for FVP |
| |
| - Enhancements for Arm SGI/SGM Platform |
| |
| - Enable ARM_PLAT_MT flag for SGI-575 |
| |
| - Add dts files to enable support for dynamic config |
| |
| - Add RAS support |
| |
| - Support shared Mbed TLS heap for SGI and SGM between BL1 and BL2 |
| |
| - Enhancements for Non Arm Platforms |
| |
| - Raspberry Pi Platform |
| |
| - Hikey Platforms |
| |
| - Xilinx Platforms |
| |
| - QEMU Platform |
| |
| - Rockchip rk3399 Platform |
| |
| - TI Platforms |
| |
| - Socionext Platforms |
| |
| - Allwinner Platforms |
| |
| - NXP Platforms |
| |
| - NVIDIA Tegra Platform |
| |
| - Marvell Platforms |
| |
| - STMicroelectronics STM32MP1 Platform |
| |
| Issues resolved since last release |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| |
| - No issues known at 1.5 release resolved in 1.6 release |
| |
| Known Issues |
| ^^^^^^^^^^^^ |
| |
| - DTB creation not supported when building on a Windows host. This step in the |
| build process is skipped when running on a Windows host. Known issue from |
| 1.5 version. |
| |
| Version 1.5 |
| ----------- |
| |
| New features |
| ^^^^^^^^^^^^ |
| |
| - Added new firmware support to enable RAS (Reliability, Availability, and |
| Serviceability) functionality. |
| |
| - Secure Partition Manager (SPM): A Secure Partition is a software execution |
| environment instantiated in S-EL0 that can be used to implement simple |
| management and security services. The SPM is the firmware component that |
| is responsible for managing a Secure Partition. |
| |
| - SDEI dispatcher: Support for interrupt-based |SDEI| events and all |
| interfaces as defined by the |SDEI| specification v1.0, see |
| `SDEI Specification`_ |
| |
| - Exception Handling Framework (EHF): Framework that allows dispatching of |
| EL3 interrupts to their registered handlers which are registered based on |
| their priorities. Facilitates firmware-first error handling policy where |
| asynchronous exceptions may be routed to EL3. |
| |
| Integrated the TSPD with EHF. |
| |
| - Updated PSCI support: |
| |
| - Implemented PSCI v1.1 optional features `MEM_PROTECT` and `SYSTEM_RESET2`. |
| The supported PSCI version was updated to v1.1. |
| |
| - Improved PSCI STAT timestamp collection, including moving accounting for |
| retention states to be inside the locks and fixing handling of wrap-around |
| when calculating residency in AArch32 execution state. |
| |
| - Added optional handler for early suspend that executes when suspending to |
| a power-down state and with data caches enabled. |
| |
| This may provide a performance improvement on platforms where it is safe |
| to perform some or all of the platform actions from `pwr_domain_suspend` |
| with the data caches enabled. |
| |
| - Enabled build option, BL2_AT_EL3, for BL2 to allow execution at EL3 without |
| any dependency on TF BL1. |
| |
| This allows platforms which already have a non-TF Boot ROM to directly load |
| and execute BL2 and subsequent BL stages without need for BL1. This was not |
| previously possible because BL2 executes at S-EL1 and cannot jump straight to |
| EL3. |
| |
| - Implemented support for SMCCC v1.1, including `SMCCC_VERSION` and |
| `SMCCC_ARCH_FEATURES`. |
| |
| Additionally, added support for `SMCCC_VERSION` in PSCI features to enable |
| discovery of the SMCCC version via PSCI feature call. |
| |
| - Added Dynamic Configuration framework which enables each of the boot loader |
| stages to be dynamically configured at runtime if required by the platform. |
| The boot loader stage may optionally specify a firmware configuration file |
| and/or hardware configuration file that can then be shared with the next boot |
| loader stage. |
| |
| Introduced a new BL handover interface that essentially allows passing of 4 |
| arguments between the different BL stages. |
| |
| Updated cert_create and fip_tool to support the dynamic configuration files. |
| The COT also updated to support these new files. |
| |
| - Code hygiene changes and alignment with MISRA guideline: |
| |
| - Fix use of undefined macros. |
| |
| - Achieved compliance with Mandatory MISRA coding rules. |
| |
| - Achieved compliance for following Required MISRA rules for the default |
| build configurations on FVP and Juno platforms : 7.3, 8.3, 8.4, 8.5 and |
| 8.8. |
| |
| - Added support for Armv8.2-A architectural features: |
| |
| - Updated translation table set-up to set the CnP (Common not Private) bit |
| for secure page tables so that multiple PEs in the same Inner Shareable |
| domain can use the same translation table entries for a given stage of |
| translation in a particular translation regime. |
| |
| - Extended the supported values of ID_AA64MMFR0_EL1.PARange to include the |
| 52-bit Physical Address range. |
| |
| - Added support for the Scalable Vector Extension to allow Normal world |
| software to access SVE functionality but disable access to SVE, SIMD and |
| floating point functionality from the Secure world in order to prevent |
| corruption of the Z-registers. |
| |
| - Added support for Armv8.4-A architectural feature Activity Monitor Unit (AMU) |
| extensions. |
| |
| In addition to the v8.4 architectural extension, AMU support on Cortex-A75 |
| was implemented. |
| |
| - Enhanced OP-TEE support to enable use of pageable OP-TEE image. The Arm |
| standard platforms are updated to load up to 3 images for OP-TEE; header, |
| pager image and paged image. |
| |
| The chain of trust is extended to support the additional images. |
| |
| - Enhancements to the translation table library: |
| |
| - Introduced APIs to get and set the memory attributes of a region. |
| |
| - Added support to manage both privilege levels in translation regimes that |
| describe translations for 2 Exception levels, specifically the EL1&0 |
| translation regime, and extended the memory map region attributes to |
| include specifying Non-privileged access. |
| |
| - Added support to specify the granularity of the mappings of each region, |
| for instance a 2MB region can be specified to be mapped with 4KB page |
| tables instead of a 2MB block. |
| |
| - Disabled the higher VA range to avoid unpredictable behaviour if there is |
| an attempt to access addresses in the higher VA range. |
| |
| - Added helpers for Device and Normal memory MAIR encodings that align with |
| the Arm Architecture Reference Manual for Armv8-A (Arm DDI0487B.b). |
| |
| - Code hygiene including fixing type length and signedness of constants, |
| refactoring of function to enable the MMU, removing all instances where |
| the virtual address space is hardcoded and added comments that document |
| alignment needed between memory attributes and attributes specified in |
| TCR_ELx. |
| |
| - Updated GIC support: |
| |
| - Introduce new APIs for GICv2 and GICv3 that provide the capability to |
| specify interrupt properties rather than list of interrupt numbers alone. |
| The Arm platforms and other upstream platforms are migrated to use |
| interrupt properties. |
| |
| - Added helpers to save / restore the GICv3 context, specifically the |
| Distributor and Redistributor contexts and architectural parts of the ITS |
| power management. The Distributor and Redistributor helpers also support |
| the implementation-defined part of GIC-500 and GIC-600. |
| |
| Updated the Arm FVP platform to save / restore the GICv3 context on system |
| suspend / resume as an example of how to use the helpers. |
| |
| Introduced a new TZC secured DDR carve-out for use by Arm platforms for |
| storing EL3 runtime data such as the GICv3 register context. |
| |
| - Added support for Armv7-A architecture via build option ARM_ARCH_MAJOR=7. |
| This includes following features: |
| |
| - Updates GICv2 driver to manage GICv1 with security extensions. |
| |
| - Software implementation for 32bit division. |
| |
| - Enabled use of generic timer for platforms that do not set |
| ARM_CORTEX_Ax=yes. |
| |
| - Support for Armv7-A Virtualization extensions [DDI0406C_C]. |
| |
| - Support for both Armv7-A platforms that only have 32-bit addressing and |
| Armv7-A platforms that support large page addressing. |
| |
| - Included support for following Armv7 CPUs: Cortex-A12, Cortex-A17, |
| Cortex-A7, Cortex-A5, Cortex-A9, Cortex-A15. |
| |
| - Added support in QEMU for Armv7-A/Cortex-A15. |
| |
| - Enhancements to Firmware Update feature: |
| |
| - Updated the FWU documentation to describe the additional images needed for |
| Firmware update, and how they are used for both the Juno platform and the |
| Arm FVP platforms. |
| |
| - Enhancements to Trusted Board Boot feature: |
| |
| - Added support to cert_create tool for RSA PKCS1# v1.5 and SHA384, SHA512 |
| and SHA256. |
| |
| - For Arm platforms added support to use ECDSA keys. |
| |
| - Enhanced the mbed TLS wrapper layer to include support for both RSA and |
| ECDSA to enable runtime selection between RSA and ECDSA keys. |
| |
| - Added support for secure interrupt handling in AArch32 sp_min, hardcoded to |
| only handle FIQs. |
| |
| - Added support to allow a platform to load images from multiple boot sources, |
| for example from a second flash drive. |
| |
| - Added a logging framework that allows platforms to reduce the logging level |
| at runtime and additionally the prefix string can be defined by the platform. |
| |
| - Further improvements to register initialisation: |
| |
| - Control register PMCR_EL0 / PMCR is set to prohibit cycle counting in the |
| secure world. This register is added to the list of registers that are |
| saved and restored during world switch. |
| |
| - When EL3 is running in AArch32 execution state, the Non-secure version of |
| SCTLR is explicitly initialised during the warmboot flow rather than |
| relying on the hardware to set the correct reset values. |
| |
| - Enhanced support for Arm platforms: |
| |
| - Introduced driver for Shared-Data-Structure (SDS) framework which is used |
| for communication between SCP and the AP CPU, replacing Boot-Over_MHU |
| (BOM) protocol. |
| |
| The Juno platform is migrated to use SDS with the SCMI support added in |
| v1.3 and is set as default. |
| |
| The driver can be found in the plat/arm/css/drivers folder. |
| |
| - Improved memory usage by only mapping TSP memory region when the TSPD has |
| been included in the build. This reduces the memory footprint and avoids |
| unnecessary memory being mapped. |
| |
| - Updated support for multi-threading CPUs for FVP platforms - always check |
| the MT field in MPDIR and access the bit fields accordingly. |
| |
| - Support building for platforms that model DynamIQ configuration by |
| implementing all CPUs in a single cluster. |
| |
| - Improved nor flash driver, for instance clearing status registers before |
| sending commands. Driver can be found plat/arm/board/common folder. |
| |
| - Enhancements to QEMU platform: |
| |
| - Added support for TBB. |
| |
| - Added support for using OP-TEE pageable image. |
| |
| - Added support for LOAD_IMAGE_V2. |
| |
| - Migrated to use translation table library v2 by default. |
| |
| - Added support for SEPARATE_CODE_AND_RODATA. |
| |
| - Applied workarounds CVE-2017-5715 on Arm Cortex-A57, -A72, -A73 and -A75, and |
| for Armv7-A CPUs Cortex-A9, -A15 and -A17. |
| |
| - Applied errata workaround for Arm Cortex-A57: 859972. |
| |
| - Applied errata workaround for Arm Cortex-A72: 859971. |
| |
| - Added support for Poplar 96Board platform. |
| |
| - Added support for Raspberry Pi 3 platform. |
| |
| - Added Call Frame Information (CFI) assembler directives to the vector entries |
| which enables debuggers to display the backtrace of functions that triggered |
| a synchronous abort. |
| |
| - Added ability to build dtb. |
| |
| - Added support for pre-tool (cert_create and fiptool) image processing |
| enabling compression of the image files before processing by cert_create and |
| fiptool. |
| |
| This can reduce fip size and may also speed up loading of images. The image |
| verification will also get faster because certificates are generated based on |
| compressed images. |
| |
| Imported zlib 1.2.11 to implement gunzip() for data compression. |
| |
| - Enhancements to fiptool: |
| |
| - Enabled the fiptool to be built using Visual Studio. |
| |
| - Added padding bytes at the end of the last image in the fip to be |
| facilitate transfer by DMA. |
| |
| Issues resolved since last release |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| |
| - TF-A can be built with optimisations disabled (-O0). |
| |
| - Memory layout updated to enable Trusted Board Boot on Juno platform when |
| running TF-A in AArch32 execution mode (resolving `tf-issue#501`_). |
| |
| Known Issues |
| ^^^^^^^^^^^^ |
| |
| - DTB creation not supported when building on a Windows host. This step in the |
| build process is skipped when running on a Windows host. |
| |
| Version 1.4 |
| ----------- |
| |
| New features |
| ^^^^^^^^^^^^ |
| |
| - Enabled support for platforms with hardware assisted coherency. |
| |
| A new build option HW_ASSISTED_COHERENCY allows platforms to take advantage |
| of the following optimisations: |
| |
| - Skip performing cache maintenance during power-up and power-down. |
| |
| - Use spin-locks instead of bakery locks. |
| |
| - Enable data caches early on warm-booted CPUs. |
| |
| - Added support for Cortex-A75 and Cortex-A55 processors. |
| |
| Both Cortex-A75 and Cortex-A55 processors use the Arm DynamIQ Shared Unit |
| (DSU). The power-down and power-up sequences are therefore mostly managed in |
| hardware, reducing complexity of the software operations. |
| |
| - Introduced Arm GIC-600 driver. |
| |
| Arm GIC-600 IP complies with Arm GICv3 architecture. For FVP platforms, the |
| GIC-600 driver is chosen when FVP_USE_GIC_DRIVER is set to FVP_GIC600. |
| |
| - Updated GICv3 support: |
| |
| - Introduced power management APIs for GICv3 Redistributor. These APIs |
| allow platforms to power down the Redistributor during CPU power on/off. |
| Requires the GICv3 implementations to have power management operations. |
| |
| Implemented the power management APIs for FVP. |
| |
| - GIC driver data is flushed by the primary CPU so that secondary CPU do |
| not read stale GIC data. |
| |
| - Added support for Arm System Control and Management Interface v1.0 (SCMI). |
| |
| The SCMI driver implements the power domain management and system power |
| management protocol of the SCMI specification (Arm DEN 0056ASCMI) for |
| communicating with any compliant power controller. |
| |
| Support is added for the Juno platform. The driver can be found in the |
| plat/arm/css/drivers folder. |
| |
| - Added support to enable pre-integration of TBB with the Arm TrustZone |
| CryptoCell product, to take advantage of its hardware Root of Trust and |
| crypto acceleration services. |
| |
| - Enabled Statistical Profiling Extensions for lower ELs. |
| |
| The firmware support is limited to the use of SPE in the Non-secure state |
| and accesses to the SPE specific registers from S-EL1 will trap to EL3. |
| |
| The SPE are architecturally specified for AArch64 only. |
| |
| - Code hygiene changes aligned with MISRA guidelines: |
| |
| - Fixed signed / unsigned comparison warnings in the translation table |
| library. |
| |
| - Added U(_x) macro and together with the existing ULL(_x) macro fixed |
| some of the signed-ness defects flagged by the MISRA scanner. |
| |
| - Enhancements to Firmware Update feature: |
| |
| - The FWU logic now checks for overlapping images to prevent execution of |
| unauthenticated arbitrary code. |
| |
| - Introduced new FWU_SMC_IMAGE_RESET SMC that changes the image loading |
| state machine to go from COPYING, COPIED or AUTHENTICATED states to |
| RESET state. Previously, this was only possible when the authentication |
| of an image failed or when the execution of the image finished. |
| |
| - Fixed integer overflow which addressed TFV-1: Malformed Firmware Update |
| SMC can result in copy of unexpectedly large data into secure memory. |
| |
| - Introduced support for Arm Compiler 6 and LLVM (clang). |
| |
| TF-A can now also be built with the Arm Compiler 6 or the clang compilers. |
| The assembler and linker must be provided by the GNU toolchain. |
| |
| Tested with Arm CC 6.7 and clang 3.9.x and 4.0.x. |
| |
| - Memory footprint improvements: |
| |
| - Introduced `tf_snprintf`, a reduced version of `snprintf` which has |
| support for a limited set of formats. |
| |
| The mbedtls driver is updated to optionally use `tf_snprintf` instead of |
| `snprintf`. |
| |
| - The `assert()` is updated to no longer print the function name, and |
| additional logging options are supported via an optional platform define |
| `PLAT_LOG_LEVEL_ASSERT`, which controls how verbose the assert output is. |
| |
| - Enhancements to TF-A support when running in AArch32 execution state: |
| |
| - Support booting SP_MIN and BL33 in AArch32 execution mode on Juno. Due to |
| hardware limitations, BL1 and BL2 boot in AArch64 state and there is |
| additional trampoline code to warm reset into SP_MIN in AArch32 execution |
| state. |
| |
| - Added support for Arm Cortex-A53/57/72 MPCore processors including the |
| errata workarounds that are already implemented for AArch64 execution |
| state. |
| |
| - For FVP platforms, added AArch32 Trusted Board Boot support, including the |
| Firmware Update feature. |
| |
| - Introduced Arm SiP service for use by Arm standard platforms. |
| |
| - Added new Arm SiP Service SMCs to enable the Non-secure world to read PMF |
| timestamps. |
| |
| Added PMF instrumentation points in TF-A in order to quantify the |
| overall time spent in the PSCI software implementation. |
| |
| - Added new Arm SiP service SMC to switch execution state. |
| |
| This allows the lower exception level to change its execution state from |
| AArch64 to AArch32, or vice verse, via a request to EL3. |
| |
| - Migrated to use SPDX[0] license identifiers to make software license |
| auditing simpler. |
| |
| .. note:: |
| Files that have been imported by FreeBSD have not been modified. |
| |
| [0]: https://spdx.org/ |
| |
| - Enhancements to the translation table library: |
| |
| - Added version 2 of translation table library that allows different |
| translation tables to be modified by using different 'contexts'. Version 1 |
| of the translation table library only allows the current EL's translation |
| tables to be modified. |
| |
| Version 2 of the translation table also added support for dynamic |
| regions; regions that can be added and removed dynamically whilst the |
| MMU is enabled. Static regions can only be added or removed before the |
| MMU is enabled. |
| |
| The dynamic mapping functionality is enabled or disabled when compiling |
| by setting the build option PLAT_XLAT_TABLES_DYNAMIC to 1 or 0. This can |
| be done per-image. |
| |
| - Added support for translation regimes with two virtual address spaces |
| such as the one shared by EL1 and EL0. |
| |
| The library does not support initializing translation tables for EL0 |
| software. |
| |
| - Added support to mark the translation tables as non-cacheable using an |
| additional build option `XLAT_TABLE_NC`. |
| |
| - Added support for GCC stack protection. A new build option |
| ENABLE_STACK_PROTECTOR was introduced that enables compilation of all BL |
| images with one of the GCC -fstack-protector-* options. |
| |
| A new platform function plat_get_stack_protector_canary() was introduced |
| that returns a value used to initialize the canary for stack corruption |
| detection. For increased effectiveness of protection platforms must provide |
| an implementation that returns a random value. |
| |
| - Enhanced support for Arm platforms: |
| |
| - Added support for multi-threading CPUs, indicated by `MT` field in MPDIR. |
| A new build flag `ARM_PLAT_MT` is added, and when enabled, the functions |
| accessing MPIDR assume that the `MT` bit is set for the platform and |
| access the bit fields accordingly. |
| |
| Also, a new API `plat_arm_get_cpu_pe_count` is added when `ARM_PLAT_MT` is |
| enabled, returning the Processing Element count within the physical CPU |
| corresponding to `mpidr`. |
| |
| - The Arm platforms migrated to use version 2 of the translation tables. |
| |
| - Introduced a new Arm platform layer API `plat_arm_psci_override_pm_ops` |
| which allows Arm platforms to modify `plat_arm_psci_pm_ops` and therefore |
| dynamically define PSCI capability. |
| |
| - The Arm platforms migrated to use IMAGE_LOAD_V2 by default. |
| |
| - Enhanced reporting of errata workaround status with the following policy: |
| |
| - If an errata workaround is enabled: |
| |
| - If it applies (i.e. the CPU is affected by the errata), an INFO message |
| is printed, confirming that the errata workaround has been applied. |
| |
| - If it does not apply, a VERBOSE message is printed, confirming that the |
| errata workaround has been skipped. |
| |
| - If an errata workaround is not enabled, but would have applied had it |
| been, a WARN message is printed, alerting that errata workaround is |
| missing. |
| |
| - Added build options ARM_ARCH_MAJOR and ARM_ARM_MINOR to choose the |
| architecture version to target TF-A. |
| |
| - Updated the spin lock implementation to use the more efficient CAS (Compare |
| And Swap) instruction when available. This instruction was introduced in |
| Armv8.1-A. |
| |
| - Applied errata workaround for Arm Cortex-A53: 855873. |
| |
| - Applied errata workaround for Arm-Cortex-A57: 813419. |
| |
| - Enabled all A53 and A57 errata workarounds for Juno, both in AArch64 and |
| AArch32 execution states. |
| |
| - Added support for Socionext UniPhier SoC platform. |
| |
| - Added support for Hikey960 and Hikey platforms. |
| |
| - Added support for Rockchip RK3328 platform. |
| |
| - Added support for NVidia Tegra T186 platform. |
| |
| - Added support for Designware emmc driver. |
| |
| - Imported libfdt v1.4.2 that addresses buffer overflow in fdt_offset_ptr(). |
| |
| - Enhanced the CPU operations framework to allow power handlers to be |
| registered on per-level basis. This enables support for future CPUs that |
| have multiple threads which might need powering down individually. |
| |
| - Updated register initialisation to prevent unexpected behaviour: |
| |
| - Debug registers MDCR-EL3/SDCR and MDCR_EL2/HDCR are initialised to avoid |
| unexpected traps into the higher exception levels and disable secure |
| self-hosted debug. Additionally, secure privileged external debug on |
| Juno is disabled by programming the appropriate Juno SoC registers. |
| |
| - EL2 and EL3 configurable controls are initialised to avoid unexpected |
| traps in the higher exception levels. |
| |
| - Essential control registers are fully initialised on EL3 start-up, when |
| initialising the non-secure and secure context structures and when |
| preparing to leave EL3 for a lower EL. This gives better alignment with |
| the Arm ARM which states that software must initialise RES0 and RES1 |
| fields with 0 / 1. |
| |
| - Enhanced PSCI support: |
| |
| - Introduced new platform interfaces that decouple PSCI stat residency |
| calculation from PMF, enabling platforms to use alternative methods of |
| capturing timestamps. |
| |
| - PSCI stat accounting performed for retention/standby states when |
| requested at multiple power levels. |
| |
| - Simplified fiptool to have a single linked list of image descriptors. |
| |
| - For the TSP, resolved corruption of pre-empted secure context by aborting any |
| pre-empted SMC during PSCI power management requests. |
| |
| Issues resolved since last release |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| |
| - TF-A can be built with the latest mbed TLS version (v2.4.2). The earlier |
| version 2.3.0 cannot be used due to build warnings that the TF-A build |
| system interprets as errors. |
| |
| - TBBR, including the Firmware Update feature is now supported on FVP |
| platforms when running TF-A in AArch32 state. |
| |
| - The version of the AEMv8 Base FVP used in this release has resolved the issue |
| of the model executing a reset instead of terminating in response to a |
| shutdown request using the PSCI SYSTEM_OFF API. |
| |
| Known Issues |
| ^^^^^^^^^^^^ |
| |
| - Building TF-A with compiler optimisations disabled (-O0) fails. |
| |
| - Trusted Board Boot currently does not work on Juno when running Trusted |
| Firmware in AArch32 execution state due to error when loading the sp_min to |
| memory because of lack of free space available. See `tf-issue#501`_ for more |
| details. |
| |
| - The errata workaround for A53 errata 843419 is only available from binutils |
| 2.26 and is not present in GCC4.9. If this errata is applicable to the |
| platform, please use GCC compiler version of at least 5.0. See `PR#1002`_ for |
| more details. |
| |
| Version 1.3 |
| ----------- |
| |
| |
| New features |
| ^^^^^^^^^^^^ |
| |
| - Added support for running TF-A in AArch32 execution state. |
| |
| The PSCI library has been refactored to allow integration with **EL3 Runtime |
| Software**. This is software that is executing at the highest secure |
| privilege which is EL3 in AArch64 or Secure SVC/Monitor mode in AArch32. See |
| :ref:`PSCI Library Integration guide for Armv8-A AArch32 systems`. |
| |
| Included is a minimal AArch32 Secure Payload, **SP-MIN**, that illustrates |
| the usage and integration of the PSCI library with EL3 Runtime Software |
| running in AArch32 state. |
| |
| Booting to the BL1/BL2 images as well as booting straight to the Secure |
| Payload is supported. |
| |
| - Improvements to the initialization framework for the PSCI service and Arm |
| Standard Services in general. |
| |
| The PSCI service is now initialized as part of Arm Standard Service |
| initialization. This consolidates the initializations of any Arm Standard |
| Service that may be added in the future. |
| |
| A new function ``get_arm_std_svc_args()`` is introduced to get arguments |
| corresponding to each standard service and must be implemented by the EL3 |
| Runtime Software. |
| |
| For PSCI, a new versioned structure ``psci_lib_args_t`` is introduced to |
| initialize the PSCI Library. **Note** this is a compatibility break due to |
| the change in the prototype of ``psci_setup()``. |
| |
| - To support AArch32 builds of BL1 and BL2, implemented a new, alternative |
| firmware image loading mechanism that adds flexibility. |
| |
| The current mechanism has a hard-coded set of images and execution order |
| (BL31, BL32, etc). The new mechanism is data-driven by a list of image |
| descriptors provided by the platform code. |
| |
| Arm platforms have been updated to support the new loading mechanism. |
| |
| The new mechanism is enabled by a build flag (``LOAD_IMAGE_V2``) which is |
| currently off by default for the AArch64 build. |
| |
| **Note** ``TRUSTED_BOARD_BOOT`` is currently not supported when |
| ``LOAD_IMAGE_V2`` is enabled. |
| |
| - Updated requirements for making contributions to TF-A. |
| |
| Commits now must have a 'Signed-off-by:' field to certify that the |
| contribution has been made under the terms of the |
| :download:`Developer Certificate of Origin <../dco.txt>`. |
| |
| A signed CLA is no longer required. |
| |
| The :ref:`Contributor's Guide` has been updated to reflect this change. |
| |
| - Introduced Performance Measurement Framework (PMF) which provides support |
| for capturing, storing, dumping and retrieving time-stamps to measure the |
| execution time of critical paths in the firmware. This relies on defining |
| fixed sample points at key places in the code. |
| |
| - To support the QEMU platform port, imported libfdt v1.4.1 from |
| https://git.kernel.org/pub/scm/utils/dtc/dtc.git |
| |
| - Updated PSCI support: |
| |
| - Added support for PSCI NODE_HW_STATE API for Arm platforms. |
| |
| - New optional platform hook, ``pwr_domain_pwr_down_wfi()``, in |
| ``plat_psci_ops`` to enable platforms to perform platform-specific actions |
| needed to enter powerdown, including the 'wfi' invocation. |
| |
| - PSCI STAT residency and count functions have been added on Arm platforms |
| by using PMF. |
| |
| - Enhancements to the translation table library: |
| |
| - Limited memory mapping support for region overlaps to only allow regions |
| to overlap that are identity mapped or have the same virtual to physical |
| address offset, and overlap completely but must not cover the same area. |
| |
| This limitation will enable future enhancements without having to |
| support complex edge cases that may not be necessary. |
| |
| - The initial translation lookup level is now inferred from the virtual |
| address space size. Previously, it was hard-coded. |
| |
| - Added support for mapping Normal, Inner Non-cacheable, Outer |
| Non-cacheable memory in the translation table library. |
| |
| This can be useful to map a non-cacheable memory region, such as a DMA |
| buffer. |
| |
| - Introduced the MT_EXECUTE/MT_EXECUTE_NEVER memory mapping attributes to |
| specify the access permissions for instruction execution of a memory |
| region. |
| |
| - Enabled support to isolate code and read-only data on separate memory pages, |
| allowing independent access control to be applied to each. |
| |
| - Enabled SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and BL31 common |
| architectural setup code, preventing fetching instructions from non-secure |
| memory when in secure state. |
| |
| - Enhancements to FIP support: |
| |
| - Replaced ``fip_create`` with ``fiptool`` which provides a more consistent |
| and intuitive interface as well as additional support to remove an image |
| from a FIP file. |
| |
| - Enabled printing the SHA256 digest with info command, allowing quick |
| verification of an image within a FIP without having to extract the |
| image and running sha256sum on it. |
| |
| - Added support for unpacking the contents of an existing FIP file into |
| the working directory. |
| |
| - Aligned command line options for specifying images to use same naming |
| convention as specified by TBBR and already used in cert_create tool. |
| |
| - Refactored the TZC-400 driver to also support memory controllers that |
| integrate TZC functionality, for example Arm CoreLink DMC-500. Also added |
| DMC-500 specific support. |
| |
| - Implemented generic delay timer based on the system generic counter and |
| migrated all platforms to use it. |
| |
| - Enhanced support for Arm platforms: |
| |
| - Updated image loading support to make SCP images (SCP_BL2 and SCP_BL2U) |
| optional. |
| |
| - Enhanced topology description support to allow multi-cluster topology |
| definitions. |
| |
| - Added interconnect abstraction layer to help platform ports select the |
| right interconnect driver, CCI or CCN, for the platform. |
| |
| - Added support to allow loading BL31 in the TZC-secured DRAM instead of |
| the default secure SRAM. |
| |
| - Added support to use a System Security Control (SSC) Registers Unit |
| enabling TF-A to be compiled to support multiple Arm platforms and |
| then select one at runtime. |
| |
| - Restricted mapping of Trusted ROM in BL1 to what is actually needed by |
| BL1 rather than entire Trusted ROM region. |
| |
| - Flash is now mapped as execute-never by default. This increases security |
| by restricting the executable region to what is strictly needed. |
| |
| - Applied following erratum workarounds for Cortex-A57: 833471, 826977, |
| 829520, 828024 and 826974. |
| |
| - Added support for Mediatek MT6795 platform. |
| |
| - Added support for QEMU virtualization Armv8-A target. |
| |
| - Added support for Rockchip RK3368 and RK3399 platforms. |
| |
| - Added support for Xilinx Zynq UltraScale+ MPSoC platform. |
| |
| - Added support for Arm Cortex-A73 MPCore Processor. |
| |
| - Added support for Arm Cortex-A72 processor. |
| |
| - Added support for Arm Cortex-A35 processor. |
| |
| - Added support for Arm Cortex-A32 MPCore Processor. |
| |
| - Enabled preloaded BL33 alternative boot flow, in which BL2 does not load |
| BL33 from non-volatile storage and BL31 hands execution over to a preloaded |
| BL33. The User Guide has been updated with an example of how to use this |
| option with a bootwrapped kernel. |
| |
| - Added support to build TF-A on a Windows-based host machine. |
| |
| - Updated Trusted Board Boot prototype implementation: |
| |
| - Enabled the ability for a production ROM with TBBR enabled to boot test |
| software before a real ROTPK is deployed (e.g. manufacturing mode). |
| Added support to use ROTPK in certificate without verifying against the |
| platform value when ``ROTPK_NOT_DEPLOYED`` bit is set. |
| |
| - Added support for non-volatile counter authentication to the |
| Authentication Module to protect against roll-back. |
| |
| - Updated GICv3 support: |
| |
| - Enabled processor power-down and automatic power-on using GICv3. |
| |
| - Enabled G1S or G0 interrupts to be configured independently. |
| |
| - Changed FVP default interrupt driver to be the GICv3-only driver. |
| **Note** the default build of TF-A will not be able to boot |
| Linux kernel with GICv2 FDT blob. |
| |
| - Enabled wake-up from CPU_SUSPEND to stand-by by temporarily re-routing |
| interrupts and then restoring after resume. |
| |
| Issues resolved since last release |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| |
| Known issues |
| ^^^^^^^^^^^^ |
| |
| - The version of the AEMv8 Base FVP used in this release resets the model |
| instead of terminating its execution in response to a shutdown request using |
| the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of |
| the model. |
| |
| - Building TF-A with compiler optimisations disabled (``-O0``) fails. |
| |
| - TF-A cannot be built with mbed TLS version v2.3.0 due to build warnings |
| that the TF-A build system interprets as errors. |
| |
| - TBBR is not currently supported when running TF-A in AArch32 state. |
| |
| Version 1.2 |
| ----------- |
| |
| New features |
| ^^^^^^^^^^^^ |
| |
| - The Trusted Board Boot implementation on Arm platforms now conforms to the |
| mandatory requirements of the TBBR specification. |
| |
| In particular, the boot process is now guarded by a Trusted Watchdog, which |
| will reset the system in case of an authentication or loading error. On Arm |
| platforms, a secure instance of Arm SP805 is used as the Trusted Watchdog. |
| |
| Also, a firmware update process has been implemented. It enables |
| authenticated firmware to update firmware images from external interfaces to |
| SoC Non-Volatile memories. This feature functions even when the current |
| firmware in the system is corrupt or missing; it therefore may be used as |
| a recovery mode. |
| |
| - Improvements have been made to the Certificate Generation Tool |
| (``cert_create``) as follows. |
| |
| - Added support for the Firmware Update process by extending the Chain |
| of Trust definition in the tool to include the Firmware Update |
| certificate and the required extensions. |
| |
| - Introduced a new API that allows one to specify command line options in |
| the Chain of Trust description. This makes the declaration of the tool's |
| arguments more flexible and easier to extend. |
| |
| - The tool has been reworked to follow a data driven approach, which |
| makes it easier to maintain and extend. |
| |
| - Extended the FIP tool (``fip_create``) to support the new set of images |
| involved in the Firmware Update process. |
| |
| - Various memory footprint improvements. In particular: |
| |
| - The bakery lock structure for coherent memory has been optimised. |
| |
| - The mbed TLS SHA1 functions are not needed, as SHA256 is used to |
| generate the certificate signature. Therefore, they have been compiled |
| out, reducing the memory footprint of BL1 and BL2 by approximately |
| 6 KB. |
| |
| - On Arm development platforms, each BL stage now individually defines |
| the number of regions that it needs to map in the MMU. |
| |
| - Added the following new design documents: |
| |
| - :ref:`Authentication Framework & Chain of Trust` |
| - :ref:`Firmware Update (FWU)` |
| - :ref:`CPU Reset` |
| - :ref:`PSCI Power Domain Tree Structure` |
| |
| - Applied the new image terminology to the code base and documentation, as |
| described in the :ref:`Image Terminology` document. |
| |
| - The build system has been reworked to improve readability and facilitate |
| adding future extensions. |
| |
| - On Arm standard platforms, BL31 uses the boot console during cold boot |
| but switches to the runtime console for any later logs at runtime. The TSP |
| uses the runtime console for all output. |
| |
| - Implemented a basic NOR flash driver for Arm platforms. It programs the |
| device using CFI (Common Flash Interface) standard commands. |
| |
| - Implemented support for booting EL3 payloads on Arm platforms, which |
| reduces the complexity of developing EL3 baremetal code by doing essential |
| baremetal initialization. |
| |
| - Provided separate drivers for GICv3 and GICv2. These expect the entire |
| software stack to use either GICv2 or GICv3; hybrid GIC software systems |
| are no longer supported and the legacy Arm GIC driver has been deprecated. |
| |
| - Added support for Juno r1 and r2. A single set of Juno TF-A binaries can run |
| on Juno r0, r1 and r2 boards. Note that this TF-A version depends on a Linaro |
| release that does *not* contain Juno r2 support. |
| |
| - Added support for MediaTek mt8173 platform. |
| |
| - Implemented a generic driver for Arm CCN IP. |
| |
| - Major rework of the PSCI implementation. |
| |
| - Added framework to handle composite power states. |
| |
| - Decoupled the notions of affinity instances (which describes the |
| hierarchical arrangement of cores) and of power domain topology, instead |
| of assuming a one-to-one mapping. |
| |
| - Better alignment with version 1.0 of the PSCI specification. |
| |
| - Added support for the SYSTEM_SUSPEND PSCI API on Arm platforms. When invoked |
| on the last running core on a supported platform, this puts the system |
| into a low power mode with memory retention. |
| |
| - Unified the reset handling code as much as possible across BL stages. |
| Also introduced some build options to enable optimization of the reset path |
| on platforms that support it. |
| |
| - Added a simple delay timer API, as well as an SP804 timer driver, which is |
| enabled on FVP. |
| |
| - Added support for NVidia Tegra T210 and T132 SoCs. |
| |
| - Reorganised Arm platforms ports to greatly improve code shareability and |
| facilitate the reuse of some of this code by other platforms. |
| |
| - Added support for Arm Cortex-A72 processor in the CPU specific framework. |
| |
| - Provided better error handling. Platform ports can now define their own |
| error handling, for example to perform platform specific bookkeeping or |
| post-error actions. |
| |
| - Implemented a unified driver for Arm Cache Coherent Interconnects used for |
| both CCI-400 & CCI-500 IPs. Arm platforms ports have been migrated to this |
| common driver. The standalone CCI-400 driver has been deprecated. |
| |
| Issues resolved since last release |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| |
| - The Trusted Board Boot implementation has been redesigned to provide greater |
| modularity and scalability. See the |
| :ref:`Authentication Framework & Chain of Trust` document. |
| All missing mandatory features are now implemented. |
| |
| - The FVP and Juno ports may now use the hash of the ROTPK stored in the |
| Trusted Key Storage registers to verify the ROTPK. Alternatively, a |
| development public key hash embedded in the BL1 and BL2 binaries might be |
| used instead. The location of the ROTPK is chosen at build-time using the |
| ``ARM_ROTPK_LOCATION`` build option. |
| |
| - GICv3 is now fully supported and stable. |
| |
| Known issues |
| ^^^^^^^^^^^^ |
| |
| - The version of the AEMv8 Base FVP used in this release resets the model |
| instead of terminating its execution in response to a shutdown request using |
| the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of |
| the model. |
| |
| - While this version has low on-chip RAM requirements, there are further |
| RAM usage enhancements that could be made. |
| |
| - The upstream documentation could be improved for structural consistency, |
| clarity and completeness. In particular, the design documentation is |
| incomplete for PSCI, the TSP(D) and the Juno platform. |
| |
| - Building TF-A with compiler optimisations disabled (``-O0``) fails. |
| |
| Version 1.1 |
| ----------- |
| |
| New features |
| ^^^^^^^^^^^^ |
| |
| - A prototype implementation of Trusted Board Boot has been added. Boot |
| loader images are verified by BL1 and BL2 during the cold boot path. BL1 and |
| BL2 use the PolarSSL SSL library to verify certificates and images. The |
| OpenSSL library is used to create the X.509 certificates. Support has been |
| added to ``fip_create`` tool to package the certificates in a FIP. |
| |
| - Support for calling CPU and platform specific reset handlers upon entry into |
| BL3-1 during the cold and warm boot paths has been added. This happens after |
| another Boot ROM ``reset_handler()`` has already run. This enables a developer |
| to perform additional actions or undo actions already performed during the |
| first call of the reset handlers e.g. apply additional errata workarounds. |
| |
| - Support has been added to demonstrate routing of IRQs to EL3 instead of |
| S-EL1 when execution is in secure world. |
| |
| - The PSCI implementation now conforms to version 1.0 of the PSCI |
| specification. All the mandatory APIs and selected optional APIs are |
| supported. In particular, support for the ``PSCI_FEATURES`` API has been |
| added. A capability variable is constructed during initialization by |
| examining the ``plat_pm_ops`` and ``spd_pm_ops`` exported by the platform and |
| the Secure Payload Dispatcher. This is used by the PSCI FEATURES function |
| to determine which PSCI APIs are supported by the platform. |
| |
| - Improvements have been made to the PSCI code as follows. |
| |
| - The code has been refactored to remove redundant parameters from |
| internal functions. |
| |
| - Changes have been made to the code for PSCI ``CPU_SUSPEND``, ``CPU_ON`` and |
| ``CPU_OFF`` calls to facilitate an early return to the caller in case a |
| failure condition is detected. For example, a PSCI ``CPU_SUSPEND`` call |
| returns ``SUCCESS`` to the caller if a pending interrupt is detected early |
| in the code path. |
| |
| - Optional platform APIs have been added to validate the ``power_state`` and |
| ``entrypoint`` parameters early in PSCI ``CPU_ON`` and ``CPU_SUSPEND`` code |
| paths. |
| |
| - PSCI migrate APIs have been reworked to invoke the SPD hook to determine |
| the type of Trusted OS and the CPU it is resident on (if |
| applicable). Also, during a PSCI ``MIGRATE`` call, the SPD hook to migrate |
| the Trusted OS is invoked. |
| |
| - It is now possible to build TF-A without marking at least an extra page of |
| memory as coherent. The build flag ``USE_COHERENT_MEM`` can be used to |
| choose between the two implementations. This has been made possible through |
| these changes. |
| |
| - An implementation of Bakery locks, where the locks are not allocated in |
| coherent memory has been added. |
| |
| - Memory which was previously marked as coherent is now kept coherent |
| through the use of software cache maintenance operations. |
| |
| Approximately, 4K worth of memory is saved for each boot loader stage when |
| ``USE_COHERENT_MEM=0``. Enabling this option increases the latencies |
| associated with acquire and release of locks. It also requires changes to |
| the platform ports. |
| |
| - It is now possible to specify the name of the FIP at build time by defining |
| the ``FIP_NAME`` variable. |
| |
| - Issues with dependencies on the 'fiptool' makefile target have been |
| rectified. The ``fip_create`` tool is now rebuilt whenever its source files |
| change. |
| |
| - The BL3-1 runtime console is now also used as the crash console. The crash |
| console is changed to SoC UART0 (UART2) from the previous FPGA UART0 (UART0) |
| on Juno. In FVP, it is changed from UART0 to UART1. |
| |
| - CPU errata workarounds are applied only when the revision and part number |
| match. This behaviour has been made consistent across the debug and release |
| builds. The debug build additionally prints a warning if a mismatch is |
| detected. |
| |
| - It is now possible to issue cache maintenance operations by set/way for a |
| particular level of data cache. Levels 1-3 are currently supported. |
| |
| - The following improvements have been made to the FVP port. |
| |
| - The build option ``FVP_SHARED_DATA_LOCATION`` which allowed relocation of |
| shared data into the Trusted DRAM has been deprecated. Shared data is |
| now always located at the base of Trusted SRAM. |
| |
| - BL2 Translation tables have been updated to map only the region of |
| DRAM which is accessible to normal world. This is the region of the 2GB |
| DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is |
| accessible to only the secure world. |
| |
| - BL3-2 can now reside in the top 16MB of DRAM which is accessible only to |
| the secure world. This can be done by setting the build flag |
| ``FVP_TSP_RAM_LOCATION`` to the value ``dram``. |
| |
| - Separate translation tables are created for each boot loader image. The |
| ``IMAGE_BLx`` build options are used to do this. This allows each stage to |
| create mappings only for areas in the memory map that it needs. |
| |
| - A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been |
| added. Details of using it with TF-A can be found in :ref:`OP-TEE Dispatcher` |
| |
| Issues resolved since last release |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| |
| - The Juno port has been aligned with the FVP port as follows. |
| |
| - Support for reclaiming all BL1 RW memory and BL2 memory by overlaying |
| the BL3-1/BL3-2 NOBITS sections on top of them has been added to the |
| Juno port. |
| |
| - The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured |
| using the TZC-400 controller to be accessible only to the secure world. |
| |
| - The Arm GIC driver is used to configure the GIC-400 instead of using a |
| GIC driver private to the Juno port. |
| |
| - PSCI ``CPU_SUSPEND`` calls that target a standby state are now supported. |
| |
| - The TZC-400 driver is used to configure the controller instead of direct |
| accesses to the registers. |
| |
| - The Linux kernel version referred to in the user guide has DVFS and HMP |
| support enabled. |
| |
| - DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in |
| CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of |
| the Cortex-A57-A53 Base FVPs. |
| |
| Known issues |
| ^^^^^^^^^^^^ |
| |
| - The Trusted Board Boot implementation is a prototype. There are issues with |
| the modularity and scalability of the design. Support for a Trusted |
| Watchdog, firmware update mechanism, recovery images and Trusted debug is |
| absent. These issues will be addressed in future releases. |
| |
| - The FVP and Juno ports do not use the hash of the ROTPK stored in the |
| Trusted Key Storage registers to verify the ROTPK in the |
| ``plat_match_rotpk()`` function. This prevents the correct establishment of |
| the Chain of Trust at the first step in the Trusted Board Boot process. |
| |
| - The version of the AEMv8 Base FVP used in this release resets the model |
| instead of terminating its execution in response to a shutdown request using |
| the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of |
| the model. |
| |
| - GICv3 support is experimental. There are known issues with GICv3 |
| initialization in the TF-A. |
| |
| - While this version greatly reduces the on-chip RAM requirements, there are |
| further RAM usage enhancements that could be made. |
| |
| - The firmware design documentation for the Test Secure-EL1 Payload (TSP) and |
| its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. |
| |
| - The Juno-specific firmware design documentation is incomplete. |
| |
| Version 1.0 |
| ----------- |
| |
| New features |
| ^^^^^^^^^^^^ |
| |
| - It is now possible to map higher physical addresses using non-flat virtual |
| to physical address mappings in the MMU setup. |
| |
| - Wider use is now made of the per-CPU data cache in BL3-1 to store: |
| |
| - Pointers to the non-secure and secure security state contexts. |
| |
| - A pointer to the CPU-specific operations. |
| |
| - A pointer to PSCI specific information (for example the current power |
| state). |
| |
| - A crash reporting buffer. |
| |
| - The following RAM usage improvements result in a BL3-1 RAM usage reduction |
| from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction |
| across all images from 208KB to 88KB, compared to the previous release. |
| |
| - Removed the separate ``early_exception`` vectors from BL3-1 (2KB code size |
| saving). |
| |
| - Removed NSRAM from the FVP memory map, allowing the removal of one |
| (4KB) translation table. |
| |
| - Eliminated the internal ``psci_suspend_context`` array, saving 2KB. |
| |
| - Correctly dimensioned the PSCI ``aff_map_node`` array, saving 1.5KB in the |
| FVP port. |
| |
| - Removed calling CPU mpidr from the bakery lock API, saving 160 bytes. |
| |
| - Removed current CPU mpidr from PSCI common code, saving 160 bytes. |
| |
| - Inlined the mmio accessor functions, saving 360 bytes. |
| |
| - Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by |
| overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime. |
| |
| - Made storing the FP register context optional, saving 0.5KB per context |
| (8KB on the FVP port, with TSPD enabled and running on 8 CPUs). |
| |
| - Implemented a leaner ``tf_printf()`` function, allowing the stack to be |
| greatly reduced. |
| |
| - Removed coherent stacks from the codebase. Stacks allocated in normal |
| memory are now used before and after the MMU is enabled. This saves 768 |
| bytes per CPU in BL3-1. |
| |
| - Reworked the crash reporting in BL3-1 to use less stack. |
| |
| - Optimized the EL3 register state stored in the ``cpu_context`` structure |
| so that registers that do not change during normal execution are |
| re-initialized each time during cold/warm boot, rather than restored |
| from memory. This saves about 1.2KB. |
| |
| - As a result of some of the above, reduced the runtime stack size in all |
| BL images. For BL3-1, this saves 1KB per CPU. |
| |
| - PSCI SMC handler improvements to correctly handle calls from secure states |
| and from AArch32. |
| |
| - CPU contexts are now initialized from the ``entry_point_info``. BL3-1 fully |
| determines the exception level to use for the non-trusted firmware (BL3-3) |
| based on the SPSR value provided by the BL2 platform code (or otherwise |
| provided to BL3-1). This allows platform code to directly run non-trusted |
| firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS |
| loader. |
| |
| - Code refactoring improvements: |
| |
| - Refactored ``fvp_config`` into a common platform header. |
| |
| - Refactored the fvp gic code to be a generic driver that no longer has an |
| explicit dependency on platform code. |
| |
| - Refactored the CCI-400 driver to not have dependency on platform code. |
| |
| - Simplified the IO driver so it's no longer necessary to call ``io_init()`` |
| and moved all the IO storage framework code to one place. |
| |
| - Simplified the interface the the TZC-400 driver. |
| |
| - Clarified the platform porting interface to the TSP. |
| |
| - Reworked the TSPD setup code to support the alternate BL3-2 |
| initialization flow where BL3-1 generic code hands control to BL3-2, |
| rather than expecting the TSPD to hand control directly to BL3-2. |
| |
| - Considerable rework to PSCI generic code to support CPU specific |
| operations. |
| |
| - Improved console log output, by: |
| |
| - Adding the concept of debug log levels. |
| |
| - Rationalizing the existing debug messages and adding new ones. |
| |
| - Printing out the version of each BL stage at runtime. |
| |
| - Adding support for printing console output from assembler code, |
| including when a crash occurs before the C runtime is initialized. |
| |
| - Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro |
| file system and DS-5. |
| |
| - On the FVP port, made the use of the Trusted DRAM region optional at build |
| time (off by default). Normal platforms will not have such a "ready-to-use" |
| DRAM area so it is not a good example to use it. |
| |
| - Added support for PSCI ``SYSTEM_OFF`` and ``SYSTEM_RESET`` APIs. |
| |
| - Added support for CPU specific reset sequences, power down sequences and |
| register dumping during crash reporting. The CPU specific reset sequences |
| include support for errata workarounds. |
| |
| - Merged the Juno port into the master branch. Added support for CPU hotplug |
| and CPU idle. Updated the user guide to describe how to build and run on the |
| Juno platform. |
| |
| Issues resolved since last release |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| |
| - Removed the concept of top/bottom image loading. The image loader now |
| automatically detects the position of the image inside the current memory |
| layout and updates the layout to minimize fragmentation. This resolves the |
| image loader limitations of previously releases. There are currently no |
| plans to support dynamic image loading. |
| |
| - CPU idle now works on the publicized version of the Foundation FVP. |
| |
| - All known issues relating to the compiler version used have now been |
| resolved. This TF-A version uses Linaro toolchain 14.07 (based on GCC 4.9). |
| |
| Known issues |
| ^^^^^^^^^^^^ |
| |
| - GICv3 support is experimental. The Linux kernel patches to support this are |
| not widely available. There are known issues with GICv3 initialization in |
| the TF-A. |
| |
| - While this version greatly reduces the on-chip RAM requirements, there are |
| further RAM usage enhancements that could be made. |
| |
| - The firmware design documentation for the Test Secure-EL1 Payload (TSP) and |
| its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. |
| |
| - The Juno-specific firmware design documentation is incomplete. |
| |
| - Some recent enhancements to the FVP port have not yet been translated into |
| the Juno port. These will be tracked via the tf-issues project. |
| |
| - The Linux kernel version referred to in the user guide has DVFS and HMP |
| support disabled due to some known instabilities at the time of this |
| release. A future kernel version will re-enable these features. |
| |
| - DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in |
| CADI server mode. This is because the ``<SimName>`` reported by the FVP in |
| this version has changed. For example, for the Cortex-A57x4-A53x4 Base FVP, |
| the ``<SimName>`` reported by the FVP is ``FVP_Base_Cortex_A57x4_A53x4``, while |
| DS-5 expects it to be ``FVP_Base_A57x4_A53x4``. |
| |
| The temporary fix to this problem is to change the name of the FVP in |
| ``sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml``. |
| Change the following line: |
| |
| :: |
| |
| <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName> |
| |
| to |
| System Generator:FVP_Base_Cortex-A57x4_A53x4 |
| |
| A similar change can be made to the other Cortex-A57-A53 Base FVP variants. |
| |
| Version 0.4 |
| ----------- |
| |
| New features |
| ^^^^^^^^^^^^ |
| |
| - Makefile improvements: |
| |
| - Improved dependency checking when building. |
| |
| - Removed ``dump`` target (build now always produces dump files). |
| |
| - Enabled platform ports to optionally make use of parts of the Trusted |
| Firmware (e.g. BL3-1 only), rather than being forced to use all parts. |
| Also made the ``fip`` target optional. |
| |
| - Specified the full path to source files and removed use of the ``vpath`` |
| keyword. |
| |
| - Provided translation table library code for potential re-use by platforms |
| other than the FVPs. |
| |
| - Moved architectural timer setup to platform-specific code. |
| |
| - Added standby state support to PSCI cpu_suspend implementation. |
| |
| - SRAM usage improvements: |
| |
| - Started using the ``-ffunction-sections``, ``-fdata-sections`` and |
| ``--gc-sections`` compiler/linker options to remove unused code and data |
| from the images. Previously, all common functions were being built into |
| all binary images, whether or not they were actually used. |
| |
| - Placed all assembler functions in their own section to allow more unused |
| functions to be removed from images. |
| |
| - Updated BL1 and BL2 to use a single coherent stack each, rather than one |
| per CPU. |
| |
| - Changed variables that were unnecessarily declared and initialized as |
| non-const (i.e. in the .data section) so they are either uninitialized |
| (zero init) or const. |
| |
| - Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by |
| default. The option for it to run in Trusted DRAM remains. |
| |
| - Implemented a TrustZone Address Space Controller (TZC-400) driver. A |
| default configuration is provided for the Base FVPs. This means the model |
| parameter ``-C bp.secure_memory=1`` is now supported. |
| |
| - Started saving the PSCI cpu_suspend 'power_state' parameter prior to |
| suspending a CPU. This allows platforms that implement multiple power-down |
| states at the same affinity level to identify a specific state. |
| |
| - Refactored the entire codebase to reduce the amount of nesting in header |
| files and to make the use of system/user includes more consistent. Also |
| split platform.h to separate out the platform porting declarations from the |
| required platform porting definitions and the definitions/declarations |
| specific to the platform port. |
| |
| - Optimized the data cache clean/invalidate operations. |
| |
| - Improved the BL3-1 unhandled exception handling and reporting. Unhandled |
| exceptions now result in a dump of registers to the console. |
| |
| - Major rework to the handover interface between BL stages, in particular the |
| interface to BL3-1. The interface now conforms to a specification and is |
| more future proof. |
| |
| - Added support for optionally making the BL3-1 entrypoint a reset handler |
| (instead of BL1). This allows platforms with an alternative image loading |
| architecture to re-use BL3-1 with fewer modifications to generic code. |
| |
| - Reserved some DDR DRAM for secure use on FVP platforms to avoid future |
| compatibility problems with non-secure software. |
| |
| - Added support for secure interrupts targeting the Secure-EL1 Payload (SP) |
| (using GICv2 routing only). Demonstrated this working by adding an interrupt |
| target and supporting test code to the TSP. Also demonstrated non-secure |
| interrupt handling during TSP processing. |
| |
| Issues resolved since last release |
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| |
| - Now support use of the model parameter ``-C bp.secure_memory=1`` in the Base |
| FVPs (see **New features**). |
| |
| - Support for secure world interrupt handling now available (see **New |
| features**). |
| |
| - Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1 |
| Payload (BL3-2) to execute in Trusted SRAM by default. |
| |
| - The tested filesystem used for this release (Linaro AArch64 OpenEmbedded |
| 14.04) now correctly reports progress in the console. |
| |
|