diff options
Diffstat (limited to 'docs/change-log.rst')
| -rw-r--r-- | docs/change-log.rst | 1090 |
1 files changed, 1090 insertions, 0 deletions
diff --git a/docs/change-log.rst b/docs/change-log.rst new file mode 100644 index 00000000..04f16445 --- /dev/null +++ b/docs/change-log.rst @@ -0,0 +1,1090 @@ + +.. section-numbering:: + :suffix: . + +.. contents:: + +ARM Trusted Firmware - version 1.3 +================================== + + +New features +------------ + +- Added support for running Trusted Firmware in AArch32 execution state. + + The PSCI library has been refactored to allow integration with **EL3 Runtime + Software**. This is software that is executing at the highest secure + privilege which is EL3 in AArch64 or Secure SVC/Monitor mode in AArch32. See + `PSCI Integration Guide`_. + + Included is a minimal AArch32 Secure Payload, **SP-MIN**, that illustrates + the usage and integration of the PSCI library with EL3 Runtime Software + running in AArch32 state. + + Booting to the BL1/BL2 images as well as booting straight to the Secure + Payload is supported. + +- Improvements to the initialization framework for the PSCI service and ARM + Standard Services in general. + + The PSCI service is now initialized as part of ARM Standard Service + initialization. This consolidates the initializations of any ARM Standard + Service that may be added in the future. + + A new function ``get_arm_std_svc_args()`` is introduced to get arguments + corresponding to each standard service and must be implemented by the EL3 + Runtime Software. + + For PSCI, a new versioned structure ``psci_lib_args_t`` is introduced to + initialize the PSCI Library. **Note** this is a compatibility break due to + the change in the prototype of ``psci_setup()``. + +- To support AArch32 builds of BL1 and BL2, implemented a new, alternative + firmware image loading mechanism that adds flexibility. + + The current mechanism has a hard-coded set of images and execution order + (BL31, BL32, etc). The new mechanism is data-driven by a list of image + descriptors provided by the platform code. + + ARM platforms have been updated to support the new loading mechanism. + + The new mechanism is enabled by a build flag (``LOAD_IMAGE_V2``) which is + currently off by default for the AArch64 build. + + **Note** ``TRUSTED_BOARD_BOOT`` is currently not supported when + ``LOAD_IMAGE_V2`` is enabled. + +- Updated requirements for making contributions to ARM TF. + + Commits now must have a 'Signed-off-by:' field to certify that the + contribution has been made under the terms of the + `Developer Certificate of Origin`_. + + A signed CLA is no longer required. + + The `Contribution Guide`_ has been updated to reflect this change. + +- Introduced Performance Measurement Framework (PMF) which provides support + for capturing, storing, dumping and retrieving time-stamps to measure the + execution time of critical paths in the firmware. This relies on defining + fixed sample points at key places in the code. + +- To support the QEMU platform port, imported libfdt v1.4.1 from + https://git.kernel.org/cgit/utils/dtc/dtc.git + +- Updated PSCI support: + + - Added support for PSCI NODE\_HW\_STATE API for ARM platforms. + + - New optional platform hook, ``pwr_domain_pwr_down_wfi()``, in + ``plat_psci_ops`` to enable platforms to perform platform-specific actions + needed to enter powerdown, including the 'wfi' invocation. + + - PSCI STAT residency and count functions have been added on ARM platforms + by using PMF. + +- Enhancements to the translation table library: + + - Limited memory mapping support for region overlaps to only allow regions + to overlap that are identity mapped or have the same virtual to physical + address offset, and overlap completely but must not cover the same area. + + This limitation will enable future enhancements without having to + support complex edge cases that may not be necessary. + + - The initial translation lookup level is now inferred from the virtual + address space size. Previously, it was hard-coded. + + - Added support for mapping Normal, Inner Non-cacheable, Outer + Non-cacheable memory in the translation table library. + + This can be useful to map a non-cacheable memory region, such as a DMA + buffer. + + - Introduced the MT\_EXECUTE/MT\_EXECUTE\_NEVER memory mapping attributes to + specify the access permissions for instruction execution of a memory + region. + +- Enabled support to isolate code and read-only data on separate memory pages, + allowing independent access control to be applied to each. + +- Enabled SCR\_EL3.SIF (Secure Instruction Fetch) bit in BL1 and BL31 common + architectural setup code, preventing fetching instructions from non-secure + memory when in secure state. + +- Enhancements to FIP support: + + - Replaced ``fip_create`` with ``fiptool`` which provides a more consistent + and intuitive interface as well as additional support to remove an image + from a FIP file. + + - Enabled printing the SHA256 digest with info command, allowing quick + verification of an image within a FIP without having to extract the + image and running sha256sum on it. + + - Added support for unpacking the contents of an existing FIP file into + the working directory. + + - Aligned command line options for specifying images to use same naming + convention as specified by TBBR and already used in cert\_create tool. + +- Refactored the TZC-400 driver to also support memory controllers that + integrate TZC functionality, for example ARM CoreLink DMC-500. Also added + DMC-500 specific support. + +- Implemented generic delay timer based on the system generic counter and + migrated all platforms to use it. + +- Enhanced support for ARM platforms: + + - Updated image loading support to make SCP images (SCP\_BL2 and SCP\_BL2U) + optional. + + - Enhanced topology description support to allow multi-cluster topology + definitions. + + - Added interconnect abstraction layer to help platform ports select the + right interconnect driver, CCI or CCN, for the platform. + + - Added support to allow loading BL31 in the TZC-secured DRAM instead of + the default secure SRAM. + + - Added support to use a System Security Control (SSC) Registers Unit + enabling ARM TF to be compiled to support multiple ARM platforms and + then select one at runtime. + + - Restricted mapping of Trusted ROM in BL1 to what is actually needed by + BL1 rather than entire Trusted ROM region. + + - Flash is now mapped as execute-never by default. This increases security + by restricting the executable region to what is strictly needed. + +- Applied following erratum workarounds for Cortex-A57: 833471, 826977, + 829520, 828024 and 826974. + +- Added support for Mediatek MT6795 platform. + +- Added support for QEMU virtualization ARMv8-A target. + +- Added support for Rockchip RK3368 and RK3399 platforms. + +- Added support for Xilinx Zynq UltraScale+ MPSoC platform. + +- Added support for ARM Cortex-A73 MPCore Processor. + +- Added support for ARM Cortex-A72 processor. + +- Added support for ARM Cortex-A35 processor. + +- Added support for ARM Cortex-A32 MPCore Processor. + +- Enabled preloaded BL33 alternative boot flow, in which BL2 does not load + BL33 from non-volatile storage and BL31 hands execution over to a preloaded + BL33. The User Guide has been updated with an example of how to use this + option with a bootwrapped kernel. + +- Added support to build ARM TF on a Windows-based host machine. + +- Updated Trusted Board Boot prototype implementation: + + - Enabled the ability for a production ROM with TBBR enabled to boot test + software before a real ROTPK is deployed (e.g. manufacturing mode). + Added support to use ROTPK in certificate without verifying against the + platform value when ``ROTPK_NOT_DEPLOYED`` bit is set. + + - Added support for non-volatile counter authentication to the + Authentication Module to protect against roll-back. + +- Updated GICv3 support: + + - Enabled processor power-down and automatic power-on using GICv3. + + - Enabled G1S or G0 interrupts to be configured independently. + + - Changed FVP default interrupt driver to be the GICv3-only driver. + **Note** the default build of Trusted Firmware will not be able to boot + Linux kernel with GICv2 FDT blob. + + - Enabled wake-up from CPU\_SUSPEND to stand-by by temporarily re-routing + interrupts and then restoring after resume. + +Issues resolved since last release +---------------------------------- + +Known issues +------------ + +- The version of the AEMv8 Base FVP used in this release resets the model + instead of terminating its execution in response to a shutdown request using + the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of + the model. + +- Building TF with compiler optimisations disabled (``-O0``) fails. + +- ARM TF cannot be built with mbed TLS version v2.3.0 due to build warnings + that the ARM TF build system interprets as errors. + +- TBBR is not currently supported when running Trusted Firmware in AArch32 + state. + +ARM Trusted Firmware - version 1.2 +================================== + +New features +------------ + +- The Trusted Board Boot implementation on ARM platforms now conforms to the + mandatory requirements of the TBBR specification. + + In particular, the boot process is now guarded by a Trusted Watchdog, which + will reset the system in case of an authentication or loading error. On ARM + platforms, a secure instance of ARM SP805 is used as the Trusted Watchdog. + + Also, a firmware update process has been implemented. It enables + authenticated firmware to update firmware images from external interfaces to + SoC Non-Volatile memories. This feature functions even when the current + firmware in the system is corrupt or missing; it therefore may be used as + a recovery mode. + +- Improvements have been made to the Certificate Generation Tool + (``cert_create``) as follows. + + - Added support for the Firmware Update process by extending the Chain + of Trust definition in the tool to include the Firmware Update + certificate and the required extensions. + + - Introduced a new API that allows one to specify command line options in + the Chain of Trust description. This makes the declaration of the tool's + arguments more flexible and easier to extend. + + - The tool has been reworked to follow a data driven approach, which + makes it easier to maintain and extend. + +- Extended the FIP tool (``fip_create``) to support the new set of images + involved in the Firmware Update process. + +- Various memory footprint improvements. In particular: + + - The bakery lock structure for coherent memory has been optimised. + + - The mbed TLS SHA1 functions are not needed, as SHA256 is used to + generate the certificate signature. Therefore, they have been compiled + out, reducing the memory footprint of BL1 and BL2 by approximately + 6 KB. + + - On ARM development platforms, each BL stage now individually defines + the number of regions that it needs to map in the MMU. + +- Added the following new design documents: + + - `Authentication framework`_ + - `Firmware Update`_ + - `TF Reset Design`_ + - `Power Domain Topology Design`_ + +- Applied the new image terminology to the code base and documentation, as + described on the `TF wiki on GitHub`_. + +- The build system has been reworked to improve readability and facilitate + adding future extensions. + +- On ARM standard platforms, BL31 uses the boot console during cold boot + but switches to the runtime console for any later logs at runtime. The TSP + uses the runtime console for all output. + +- Implemented a basic NOR flash driver for ARM platforms. It programs the + device using CFI (Common Flash Interface) standard commands. + +- Implemented support for booting EL3 payloads on ARM platforms, which + reduces the complexity of developing EL3 baremetal code by doing essential + baremetal initialization. + +- Provided separate drivers for GICv3 and GICv2. These expect the entire + software stack to use either GICv2 or GICv3; hybrid GIC software systems + are no longer supported and the legacy ARM GIC driver has been deprecated. + +- Added support for Juno r1 and r2. A single set of Juno TF binaries can run + on Juno r0, r1 and r2 boards. Note that this TF version depends on a Linaro + release that does *not* contain Juno r2 support. + +- Added support for MediaTek mt8173 platform. + +- Implemented a generic driver for ARM CCN IP. + +- Major rework of the PSCI implementation. + + - Added framework to handle composite power states. + + - Decoupled the notions of affinity instances (which describes the + hierarchical arrangement of cores) and of power domain topology, instead + of assuming a one-to-one mapping. + + - Better alignment with version 1.0 of the PSCI specification. + +- Added support for the SYSTEM\_SUSPEND PSCI API on ARM platforms. When invoked + on the last running core on a supported platform, this puts the system + into a low power mode with memory retention. + +- Unified the reset handling code as much as possible across BL stages. + Also introduced some build options to enable optimization of the reset path + on platforms that support it. + +- Added a simple delay timer API, as well as an SP804 timer driver, which is + enabled on FVP. + +- Added support for NVidia Tegra T210 and T132 SoCs. + +- Reorganised ARM platforms ports to greatly improve code shareability and + facilitate the reuse of some of this code by other platforms. + +- Added support for ARM Cortex-A72 processor in the CPU specific framework. + +- Provided better error handling. Platform ports can now define their own + error handling, for example to perform platform specific bookkeeping or + post-error actions. + +- Implemented a unified driver for ARM Cache Coherent Interconnects used for + both CCI-400 & CCI-500 IPs. ARM platforms ports have been migrated to this + common driver. The standalone CCI-400 driver has been deprecated. + +Issues resolved since last release +---------------------------------- + +- The Trusted Board Boot implementation has been redesigned to provide greater + modularity and scalability. See the `Authentication Framework`_ document. + All missing mandatory features are now implemented. + +- The FVP and Juno ports may now use the hash of the ROTPK stored in the + Trusted Key Storage registers to verify the ROTPK. Alternatively, a + development public key hash embedded in the BL1 and BL2 binaries might be + used instead. The location of the ROTPK is chosen at build-time using the + ``ARM_ROTPK_LOCATION`` build option. + +- GICv3 is now fully supported and stable. + +Known issues +------------ + +- The version of the AEMv8 Base FVP used in this release resets the model + instead of terminating its execution in response to a shutdown request using + the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of + the model. + +- While this version has low on-chip RAM requirements, there are further + RAM usage enhancements that could be made. + +- The upstream documentation could be improved for structural consistency, + clarity and completeness. In particular, the design documentation is + incomplete for PSCI, the TSP(D) and the Juno platform. + +- Building TF with compiler optimisations disabled (``-O0``) fails. + +ARM Trusted Firmware - version 1.1 +================================== + +New features +------------ + +- A prototype implementation of Trusted Board Boot has been added. Boot + loader images are verified by BL1 and BL2 during the cold boot path. BL1 and + BL2 use the PolarSSL SSL library to verify certificates and images. The + OpenSSL library is used to create the X.509 certificates. Support has been + added to ``fip_create`` tool to package the certificates in a FIP. + +- Support for calling CPU and platform specific reset handlers upon entry into + BL3-1 during the cold and warm boot paths has been added. This happens after + another Boot ROM ``reset_handler()`` has already run. This enables a developer + to perform additional actions or undo actions already performed during the + first call of the reset handlers e.g. apply additional errata workarounds. + +- Support has been added to demonstrate routing of IRQs to EL3 instead of + S-EL1 when execution is in secure world. + +- The PSCI implementation now conforms to version 1.0 of the PSCI + specification. All the mandatory APIs and selected optional APIs are + supported. In particular, support for the ``PSCI_FEATURES`` API has been + added. A capability variable is constructed during initialization by + examining the ``plat_pm_ops`` and ``spd_pm_ops`` exported by the platform and + the Secure Payload Dispatcher. This is used by the PSCI FEATURES function + to determine which PSCI APIs are supported by the platform. + +- Improvements have been made to the PSCI code as follows. + + - The code has been refactored to remove redundant parameters from + internal functions. + + - Changes have been made to the code for PSCI ``CPU_SUSPEND``, ``CPU_ON`` and + ``CPU_OFF`` calls to facilitate an early return to the caller in case a + failure condition is detected. For example, a PSCI ``CPU_SUSPEND`` call + returns ``SUCCESS`` to the caller if a pending interrupt is detected early + in the code path. + + - Optional platform APIs have been added to validate the ``power_state`` and + ``entrypoint`` parameters early in PSCI ``CPU_ON`` and ``CPU_SUSPEND`` code + paths. + + - PSCI migrate APIs have been reworked to invoke the SPD hook to determine + the type of Trusted OS and the CPU it is resident on (if + applicable). Also, during a PSCI ``MIGRATE`` call, the SPD hook to migrate + the Trusted OS is invoked. + +- It is now possible to build Trusted Firmware without marking at least an + extra page of memory as coherent. The build flag ``USE_COHERENT_MEM`` can be + used to choose between the two implementations. This has been made possible + through these changes. + + - An implementation of Bakery locks, where the locks are not allocated in + coherent memory has been added. + + - Memory which was previously marked as coherent is now kept coherent + through the use of software cache maintenance operations. + + Approximately, 4K worth of memory is saved for each boot loader stage when + ``USE_COHERENT_MEM=0``. Enabling this option increases the latencies + associated with acquire and release of locks. It also requires changes to + the platform ports. + +- It is now possible to specify the name of the FIP at build time by defining + the ``FIP_NAME`` variable. + +- Issues with depedencies on the 'fiptool' makefile target have been + rectified. The ``fip_create`` tool is now rebuilt whenever its source files + change. + +- The BL3-1 runtime console is now also used as the crash console. The crash + console is changed to SoC UART0 (UART2) from the previous FPGA UART0 (UART0) + on Juno. In FVP, it is changed from UART0 to UART1. + +- CPU errata workarounds are applied only when the revision and part number + match. This behaviour has been made consistent across the debug and release + builds. The debug build additionally prints a warning if a mismatch is + detected. + +- It is now possible to issue cache maintenance operations by set/way for a + particular level of data cache. Levels 1-3 are currently supported. + +- The following improvements have been made to the FVP port. + + - The build option ``FVP_SHARED_DATA_LOCATION`` which allowed relocation of + shared data into the Trusted DRAM has been deprecated. Shared data is + now always located at the base of Trusted SRAM. + + - BL2 Translation tables have been updated to map only the region of + DRAM which is accessible to normal world. This is the region of the 2GB + DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is + accessible to only the secure world. + + - BL3-2 can now reside in the top 16MB of DRAM which is accessible only to + the secure world. This can be done by setting the build flag + ``FVP_TSP_RAM_LOCATION`` to the value ``dram``. + +- Separate transation tables are created for each boot loader image. The + ``IMAGE_BLx`` build options are used to do this. This allows each stage to + create mappings only for areas in the memory map that it needs. + +- A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been + added. Details of using it with ARM Trusted Firmware can be found in + `OP-TEE Dispatcher`_ + +Issues resolved since last release +---------------------------------- + +- The Juno port has been aligned with the FVP port as follows. + + - Support for reclaiming all BL1 RW memory and BL2 memory by overlaying + the BL3-1/BL3-2 NOBITS sections on top of them has been added to the + Juno port. + + - The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured + using the TZC-400 controller to be accessible only to the secure world. + + - The ARM GIC driver is used to configure the GIC-400 instead of using a + GIC driver private to the Juno port. + + - PSCI ``CPU_SUSPEND`` calls that target a standby state are now supported. + + - The TZC-400 driver is used to configure the controller instead of direct + accesses to the registers. + +- The Linux kernel version referred to in the user guide has DVFS and HMP + support enabled. + +- DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in + CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of + the Cortex-A57-A53 Base FVPs. + +Known issues +------------ + +- The Trusted Board Boot implementation is a prototype. There are issues with + the modularity and scalability of the design. Support for a Trusted + Watchdog, firmware update mechanism, recovery images and Trusted debug is + absent. These issues will be addressed in future releases. + +- The FVP and Juno ports do not use the hash of the ROTPK stored in the + Trusted Key Storage registers to verify the ROTPK in the + ``plat_match_rotpk()`` function. This prevents the correct establishment of + the Chain of Trust at the first step in the Trusted Board Boot process. + +- The version of the AEMv8 Base FVP used in this release resets the model + instead of terminating its execution in response to a shutdown request using + the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of + the model. + +- GICv3 support is experimental. There are known issues with GICv3 + initialization in the ARM Trusted Firmware. + +- While this version greatly reduces the on-chip RAM requirements, there are + further RAM usage enhancements that could be made. + +- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and + its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. + +- The Juno-specific firmware design documentation is incomplete. + +ARM Trusted Firmware - version 1.0 +================================== + +New features +------------ + +- It is now possible to map higher physical addresses using non-flat virtual + to physical address mappings in the MMU setup. + +- Wider use is now made of the per-CPU data cache in BL3-1 to store: + + - Pointers to the non-secure and secure security state contexts. + + - A pointer to the CPU-specific operations. + + - A pointer to PSCI specific information (for example the current power + state). + + - A crash reporting buffer. + +- The following RAM usage improvements result in a BL3-1 RAM usage reduction + from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction + across all images from 208KB to 88KB, compared to the previous release. + + - Removed the separate ``early_exception`` vectors from BL3-1 (2KB code size + saving). + + - Removed NSRAM from the FVP memory map, allowing the removal of one + (4KB) translation table. + + - Eliminated the internal ``psci_suspend_context`` array, saving 2KB. + + - Correctly dimensioned the PSCI ``aff_map_node`` array, saving 1.5KB in the + FVP port. + + - Removed calling CPU mpidr from the bakery lock API, saving 160 bytes. + + - Removed current CPU mpidr from PSCI common code, saving 160 bytes. + + - Inlined the mmio accessor functions, saving 360 bytes. + + - Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by + overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime. + + - Made storing the FP register context optional, saving 0.5KB per context + (8KB on the FVP port, with TSPD enabled and running on 8 CPUs). + + - Implemented a leaner ``tf_printf()`` function, allowing the stack to be + greatly reduced. + + - Removed coherent stacks from the codebase. Stacks allocated in normal + memory are now used before and after the MMU is enabled. This saves 768 + bytes per CPU in BL3-1. + + - Reworked the crash reporting in BL3-1 to use less stack. + + - Optimized the EL3 register state stored in the ``cpu_context`` structure + so that registers that do not change during normal execution are + re-initialized each time during cold/warm boot, rather than restored + from memory. This saves about 1.2KB. + + - As a result of some of the above, reduced the runtime stack size in all + BL images. For BL3-1, this saves 1KB per CPU. + +- PSCI SMC handler improvements to correctly handle calls from secure states + and from AArch32. + +- CPU contexts are now initialized from the ``entry_point_info``. BL3-1 fully + determines the exception level to use for the non-trusted firmware (BL3-3) + based on the SPSR value provided by the BL2 platform code (or otherwise + provided to BL3-1). This allows platform code to directly run non-trusted + firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS + loader. + +- Code refactoring improvements: + + - Refactored ``fvp_config`` into a common platform header. + + - Refactored the fvp gic code to be a generic driver that no longer has an + explicit dependency on platform code. + + - Refactored the CCI-400 driver to not have dependency on platform code. + + - Simplified the IO driver so it's no longer necessary to call ``io_init()`` + and moved all the IO storage framework code to one place. + + - Simplified the interface the the TZC-400 driver. + + - Clarified the platform porting interface to the TSP. + + - Reworked the TSPD setup code to support the alternate BL3-2 + intialization flow where BL3-1 generic code hands control to BL3-2, + rather than expecting the TSPD to hand control directly to BL3-2. + + - Considerable rework to PSCI generic code to support CPU specific + operations. + +- Improved console log output, by: + + - Adding the concept of debug log levels. + + - Rationalizing the existing debug messages and adding new ones. + + - Printing out the version of each BL stage at runtime. + + - Adding support for printing console output from assembler code, + including when a crash occurs before the C runtime is initialized. + +- Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro + file system and DS-5. + +- On the FVP port, made the use of the Trusted DRAM region optional at build + time (off by default). Normal platforms will not have such a "ready-to-use" + DRAM area so it is not a good example to use it. + +- Added support for PSCI ``SYSTEM_OFF`` and ``SYSTEM_RESET`` APIs. + +- Added support for CPU specific reset sequences, power down sequences and + register dumping during crash reporting. The CPU specific reset sequences + include support for errata workarounds. + +- Merged the Juno port into the master branch. Added support for CPU hotplug + and CPU idle. Updated the user guide to describe how to build and run on the + Juno platform. + +Issues resolved since last release +---------------------------------- + +- Removed the concept of top/bottom image loading. The image loader now + automatically detects the position of the image inside the current memory + layout and updates the layout to minimize fragementation. This resolves the + image loader limitations of previously releases. There are currently no + plans to support dynamic image loading. + +- CPU idle now works on the publicized version of the Foundation FVP. + +- All known issues relating to the compiler version used have now been + resolved. This TF version uses Linaro toolchain 14.07 (based on GCC 4.9). + +Known issues +------------ + +- GICv3 support is experimental. The Linux kernel patches to support this are + not widely available. There are known issues with GICv3 initialization in + the ARM Trusted Firmware. + +- While this version greatly reduces the on-chip RAM requirements, there are + further RAM usage enhancements that could be made. + +- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and + its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. + +- The Juno-specific firmware design documentation is incomplete. + +- Some recent enhancements to the FVP port have not yet been translated into + the Juno port. These will be tracked via the tf-issues project. + +- The Linux kernel version referred to in the user guide has DVFS and HMP + support disabled due to some known instabilities at the time of this + release. A future kernel version will re-enable these features. + +- DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in + CADI server mode. This is because the ``<SimName>`` reported by the FVP in + this version has changed. For example, for the Cortex-A57x4-A53x4 Base FVP, + the ``<SimName>`` reported by the FVP is ``FVP_Base_Cortex_A57x4_A53x4``, while + DS-5 expects it to be ``FVP_Base_A57x4_A53x4``. + + The temporary fix to this problem is to change the name of the FVP in + ``sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml``. + Change the following line: + + :: + + <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName> + + to + System Generator:FVP\_Base\_Cortex-A57x4\_A53x4 + + A similar change can be made to the other Cortex-A57-A53 Base FVP variants. + +ARM Trusted Firmware - version 0.4 +================================== + +New features +------------ + +- Makefile improvements: + + - Improved dependency checking when building. + + - Removed ``dump`` target (build now always produces dump files). + + - Enabled platform ports to optionally make use of parts of the Trusted + Firmware (e.g. BL3-1 only), rather than being forced to use all parts. + Also made the ``fip`` target optional. + + - Specified the full path to source files and removed use of the ``vpath`` + keyword. + +- Provided translation table library code for potential re-use by platforms + other than the FVPs. + +- Moved architectural timer setup to platform-specific code. + +- Added standby state support to PSCI cpu\_suspend implementation. + +- SRAM usage improvements: + + - Started using the ``-ffunction-sections``, ``-fdata-sections`` and + ``--gc-sections`` compiler/linker options to remove unused code and data + from the images. Previously, all common functions were being built into + all binary images, whether or not they were actually used. + + - Placed all assembler functions in their own section to allow more unused + functions to be removed from images. + + - Updated BL1 and BL2 to use a single coherent stack each, rather than one + per CPU. + + - Changed variables that were unnecessarily declared and initialized as + non-const (i.e. in the .data section) so they are either uninitialized + (zero init) or const. + +- Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by + default. The option for it to run in Trusted DRAM remains. + +- Implemented a TrustZone Address Space Controller (TZC-400) driver. A + default configuration is provided for the Base FVPs. This means the model + parameter ``-C bp.secure_memory=1`` is now supported. + +- Started saving the PSCI cpu\_suspend 'power\_state' parameter prior to + suspending a CPU. This allows platforms that implement multiple power-down + states at the same affinity level to identify a specific state. + +- Refactored the entire codebase to reduce the amount of nesting in header + files and to make the use of system/user includes more consistent. Also + split platform.h to separate out the platform porting declarations from the + required platform porting definitions and the definitions/declarations + specific to the platform port. + +- Optimized the data cache clean/invalidate operations. + +- Improved the BL3-1 unhandled exception handling and reporting. Unhandled + exceptions now result in a dump of registers to the console. + +- Major rework to the handover interface between BL stages, in particular the + interface to BL3-1. The interface now conforms to a specification and is + more future proof. + +- Added support for optionally making the BL3-1 entrypoint a reset handler + (instead of BL1). This allows platforms with an alternative image loading + architecture to re-use BL3-1 with fewer modifications to generic code. + +- Reserved some DDR DRAM for secure use on FVP platforms to avoid future + compatibility problems with non-secure software. + +- Added support for secure interrupts targeting the Secure-EL1 Payload (SP) + (using GICv2 routing only). Demonstrated this working by adding an interrupt + target and supporting test code to the TSP. Also demonstrated non-secure + interrupt handling during TSP processing. + +Issues resolved since last release +---------------------------------- + +- Now support use of the model parameter ``-C bp.secure_memory=1`` in the Base + FVPs (see **New features**). + +- Support for secure world interrupt handling now available (see **New + features**). + +- Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1 + Payload (BL3-2) to execute in Trusted SRAM by default. + +- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded + 14.04) now correctly reports progress in the console. + +- Improved the Makefile structure to make it easier to separate out parts of + the Trusted Firmware for re-use in platform ports. Also, improved target + dependency checking. + +Known issues +------------ + +- GICv3 support is experimental. The Linux kernel patches to support this are + not widely available. There are known issues with GICv3 initialization in + the ARM Trusted Firmware. + +- Dynamic image loading is not available yet. The current image loader + implementation (used to load BL2 and all subsequent images) has some + limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead + to loading errors, even if the images should theoretically fit in memory. + +- The ARM Trusted Firmware still uses too much on-chip Trusted SRAM. A number + of RAM usage enhancements have been identified to rectify this situation. + +- CPU idle does not work on the advertised version of the Foundation FVP. + Some FVP fixes are required that are not available externally at the time + of writing. This can be worked around by disabling CPU idle in the Linux + kernel. + +- Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been + observed when using Linaro toolchain versions later than 13.11. Although + most of these have been fixed, some remain at the time of writing. These + mainly seem to relate to a subtle change in the way the compiler converts + between 64-bit and 32-bit values (e.g. during casting operations), which + reveals previously hidden bugs in client code. + +- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and + its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. + +ARM Trusted Firmware - version 0.3 +================================== + +New features +------------ + +- Support for Foundation FVP Version 2.0 added. + The documented UEFI configuration disables some devices that are unavailable + in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can + be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation + FVP. + + NOTE: The software will not work on Version 1.0 of the Foundation FVP. + +- Enabled third party contributions. Added a new contributing.md containing + instructions for how to contribute and updated copyright text in all files + to acknowledge contributors. + +- The PSCI CPU\_SUSPEND API has been stabilised to the extent where it can be + used for entry into power down states with the following restrictions: + + - Entry into standby states is not supported. + - The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs. + +- The PSCI AFFINITY\_INFO api has undergone limited testing on the Base FVPs to + allow experimental use. + +- Required C library and runtime header files are now included locally in ARM + Trusted Firmware instead of depending on the toolchain standard include + paths. The local implementation has been cleaned up and reduced in scope. + +- Added I/O abstraction framework, primarily to allow generic code to load + images in a platform-independent way. The existing image loading code has + been reworked to use the new framework. Semi-hosting and NOR flash I/O + drivers are provided. + +- Introduced Firmware Image Package (FIP) handling code and tools. A FIP + combines multiple firmware images with a Table of Contents (ToC) into a + single binary image. The new FIP driver is another type of I/O driver. The + Makefile builds a FIP by default and the FVP platform code expect to load a + FIP from NOR flash, although some support for image loading using semi- + hosting is retained. + + NOTE: Building a FIP by default is a non-backwards-compatible change. + + NOTE: Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into + DRAM instead of expecting this to be pre-loaded at known location. This is + also a non-backwards-compatible change. + + NOTE: Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that + it knows the new location to execute from and no longer needs to copy + particular code modules to DRAM itself. + +- Reworked BL2 to BL3-1 handover interface. A new composite structure + (bl31\_args) holds the superset of information that needs to be passed from + BL2 to BL3-1, including information on how handover execution control to + BL3-2 (if present) and BL3-3 (non-trusted firmware). + +- Added library support for CPU context management, allowing the saving and + restoring of + + - Shared system registers between Secure-EL1 and EL1. + - VFP registers. + - Essential EL3 system registers. + +- Added a framework for implementing EL3 runtime services. Reworked the PSCI + implementation to be one such runtime service. + +- Reworked the exception handling logic, making use of both SP\_EL0 and SP\_EL3 + stack pointers for determining the type of exception, managing general + purpose and system register context on exception entry/exit, and handling + SMCs. SMCs are directed to the correct EL3 runtime service. + +- Added support for a Test Secure-EL1 Payload (TSP) and a corresponding + Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD + implements Secure Monitor functionality such as world switching and + EL1 context management, and is responsible for communication with the TSP. + NOTE: The TSPD does not yet contain support for secure world interrupts. + NOTE: The TSP/TSPD is not built by default. + +Issues resolved since last release +---------------------------------- + +- Support has been added for switching context between secure and normal + worlds in EL3. + +- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` have now been tested (to + a limited extent). + +- The ARM Trusted Firmware build artifacts are now placed in the ``./build`` + directory and sub-directories instead of being placed in the root of the + project. + +- The ARM Trusted Firmware is now free from build warnings. Build warnings + are now treated as errors. + +- The ARM Trusted Firmware now provides C library support locally within the + project to maintain compatibility between toolchains/systems. + +- The PSCI locking code has been reworked so it no longer takes locks in an + incorrect sequence. + +- The RAM-disk method of loading a Linux file-system has been confirmed to + work with the ARM Trusted Firmware and Linux kernel version (based on + version 3.13) used in this release, for both Foundation and Base FVPs. + +Known issues +------------ + +The following is a list of issues which are expected to be fixed in the future +releases of the ARM Trusted Firmware. + +- The TrustZone Address Space Controller (TZC-400) is not being programmed + yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported. + +- No support yet for secure world interrupt handling. + +- GICv3 support is experimental. The Linux kernel patches to support this are + not widely available. There are known issues with GICv3 initialization in + the ARM Trusted Firmware. + +- Dynamic image loading is not available yet. The current image loader + implementation (used to load BL2 and all subsequent images) has some + limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead + to loading errors, even if the images should theoretically fit in memory. + +- The ARM Trusted Firmware uses too much on-chip Trusted SRAM. Currently the + Test Secure-EL1 Payload (BL3-2) executes in Trusted DRAM since there is not + enough SRAM. A number of RAM usage enhancements have been identified to + rectify this situation. + +- CPU idle does not work on the advertised version of the Foundation FVP. + Some FVP fixes are required that are not available externally at the time + of writing. + +- Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been + observed when using Linaro toolchain versions later than 13.11. Although + most of these have been fixed, some remain at the time of writing. These + mainly seem to relate to a subtle change in the way the compiler converts + between 64-bit and 32-bit values (e.g. during casting operations), which + reveals previously hidden bugs in client code. + +- The tested filesystem used for this release (Linaro AArch64 OpenEmbedded + 14.01) does not report progress correctly in the console. It only seems to + produce error output, not standard output. It otherwise appears to function + correctly. Other filesystem versions on the same software stack do not + exhibit the problem. + +- The Makefile structure doesn't make it easy to separate out parts of the + Trusted Firmware for re-use in platform ports, for example if only BL3-1 is + required in a platform port. Also, dependency checking in the Makefile is + flawed. + +- The firmware design documentation for the Test Secure-EL1 Payload (TSP) and + its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. + +ARM Trusted Firmware - version 0.2 +================================== + +New features +------------ + +- First source release. + +- Code for the PSCI suspend feature is supplied, although this is not enabled + by default since there are known issues (see below). + +Issues resolved since last release +---------------------------------- + +- The "psci" nodes in the FDTs provided in this release now fully comply + with the recommendations made in the PSCI specification. + +Known issues +------------ + +The following is a list of issues which are expected to be fixed in the future +releases of the ARM Trusted Firmware. + +- The TrustZone Address Space Controller (TZC-400) is not being programmed + yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported. + +- No support yet for secure world interrupt handling or for switching context + between secure and normal worlds in EL3. + +- GICv3 support is experimental. The Linux kernel patches to support this are + not widely available. There are known issues with GICv3 initialization in + the ARM Trusted Firmware. + +- Dynamic image loading is not available yet. The current image loader + implementation (used to load BL2 and all subsequent images) has some + limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead + to loading errors, even if the images should theoretically fit in memory. + +- Although support for PSCI ``CPU_SUSPEND`` is present, it is not yet stable + and ready for use. + +- PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` are implemented but have not + been tested. + +- The ARM Trusted Firmware make files result in all build artifacts being + placed in the root of the project. These should be placed in appropriate + sub-directories. + +- The compilation of ARM Trusted Firmware is not free from compilation + warnings. Some of these warnings have not been investigated yet so they + could mask real bugs. + +- The ARM Trusted Firmware currently uses toolchain/system include files like + stdio.h. It should provide versions of these within the project to maintain + compatibility between toolchains/systems. + +- The PSCI code takes some locks in an incorrect sequence. This may cause + problems with suspend and hotplug in certain conditions. + +- The Linux kernel used in this release is based on version 3.12-rc4. Using + this kernel with the ARM Trusted Firmware fails to start the file-system as + a RAM-disk. It fails to execute user-space ``init`` from the RAM-disk. As an + alternative, the VirtioBlock mechanism can be used to provide a file-system + to the kernel. + +-------------- + +*Copyright (c) 2013-2016, ARM Limited and Contributors. All rights reserved.* + +.. _PSCI Integration Guide: psci-lib-integration-guide.rst +.. _Developer Certificate of Origin: ../dco.txt +.. _Contribution Guide: ../contributing.rst +.. _Authentication framework: auth-framework.rst +.. _Firmware Update: firmware-update.rst +.. _TF Reset Design: reset-design.rst +.. _Power Domain Topology Design: psci-pd-tree.rst +.. _TF wiki on GitHub: https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Image-Terminology +.. _Authentication Framework: auth-framework.rst +.. _OP-TEE Dispatcher: optee-dispatcher.rst |