ARM Trusted Firmware - version 1.3
==================================

New features
------------

*   Added support for running Trusted Firmware in AArch32 execution state.

    The PSCI library has been refactored to allow integration with **EL3 Runtime
    Software**. This is software that is executing at the highest secure
    privilege which is EL3 in AArch64 or Secure SVC/Monitor mode in AArch32. See
    [PSCI Integration Guide].

    Included is a minimal AArch32 Secure Payload, **SP-MIN**, that illustrates
    the usage and integration of the PSCI library with EL3 Runtime Software
    running in AArch32 state.

    Booting to the BL1/BL2 images as well as booting straight to the Secure
    Payload is supported.

*   Improvements to the initialization framework for the PSCI service and ARM
    Standard Services in general.

    The PSCI service is now initialized as part of ARM Standard Service
    initialization. This consolidates the initializations of any ARM Standard
    Service that may be added in the future.

    A new function `get_arm_std_svc_args()` is introduced to get arguments
    corresponding to each standard service and must be implemented by the EL3
    Runtime Software.

    For PSCI, a new versioned structure `psci_lib_args_t` is introduced to
    initialize the PSCI Library. **Note** this is a compatibility break due to
    the change in the prototype of `psci_setup()`.

*   To support AArch32 builds of BL1 and BL2, implemented a new, alternative
    firmware image loading mechanism that adds flexibility.

    The current mechanism has a hard-coded set of images and execution order
    (BL31, BL32, etc). The new mechanism is data-driven by a list of image
    descriptors provided by the platform code.

    ARM platforms have been updated to support the new loading mechanism.

    The new mechanism is enabled by a build flag (`LOAD_IMAGE_V2`) which is
    currently off by default for the AArch64 build.

    **Note** `TRUSTED_BOARD_BOOT` is currently not supported when
    `LOAD_IMAGE_V2` is enabled.

*   Updated requirements for making contributions to ARM TF.

    Commits now must have a 'Signed-off-by:' field to certify that the
    contribution has been made under the terms of the
    [Developer Certificate of Origin].

    A signed CLA is no longer required.

    The [Contribution Guide] has been updated to reflect this change.

*   Introduced Performance Measurement Framework (PMF) which provides support
    for capturing, storing, dumping and retrieving time-stamps to measure the
    execution time of critical paths in the firmware. This relies on defining
    fixed sample points at key places in the code.

*   To support the QEMU platform port, imported libfdt v1.4.1 from
    https://git.kernel.org/cgit/utils/dtc/dtc.git

*   Updated PSCI support:

    *   Added support for PSCI NODE_HW_STATE API for ARM platforms.

    *   New optional platform hook, `pwr_domain_pwr_down_wfi()`, in
        `plat_psci_ops` to enable platforms to perform platform-specific actions
        needed to enter powerdown, including the 'wfi' invocation.

    *   PSCI STAT residency and count functions have been added on ARM platforms
        by using PMF.

*   Enhancements to the translation table library:

    *   Limited memory mapping support for region overlaps to only allow regions
        to overlap that are identity mapped or have the same virtual to physical
        address offset, and overlap completely but must not cover the same area.

        This limitation will enable future enhancements without having to
        support complex edge cases that may not be necessary.

    *   The initial translation lookup level is now inferred from the virtual
        address space size. Previously, it was hard-coded.

    *   Added support for mapping Normal, Inner Non-cacheable, Outer
        Non-cacheable memory in the translation table library.

        This can be useful to map a non-cacheable memory region, such as a DMA
        buffer.

    *   Introduced the MT_EXECUTE/MT_EXECUTE_NEVER memory mapping attributes to
        specify the access permissions for instruction execution of a memory
        region.

*   Enabled support to isolate code and read-only data on separate memory pages,
    allowing independent access control to be applied to each.

*   Enabled SCR_EL3.SIF (Secure Instruction Fetch) bit in BL1 and BL31 common
    architectural setup code, preventing fetching instructions from non-secure
    memory when in secure state.

*   Enhancements to FIP support:

    *   Replaced `fip_create` with `fiptool` which provides a more consistent
        and intuitive interface as well as additional support to remove an image
        from a FIP file.

    *   Enabled printing the SHA256 digest with info command, allowing quick
        verification of an image within a FIP without having to extract the
        image and running sha256sum on it.

    *   Added support for unpacking the contents of an existing FIP file into
        the working directory.

    *   Aligned command line options for specifying images to use same naming
        convention as specified by TBBR and already used in cert_create tool.

*   Refactored the TZC-400 driver to also support memory controllers that
    integrate TZC functionality, for example ARM CoreLink DMC-500. Also added
    DMC-500 specific support.

*   Implemented generic delay timer based on the system generic counter and
    migrated all platforms to use it.

*   Enhanced support for ARM platforms:

    *   Updated image loading support to make SCP images (SCP_BL2 and SCP_BL2U)
        optional.

    *   Enhanced topology description support to allow multi-cluster topology
        definitions.

    *   Added interconnect abstraction layer to help platform ports select the
        right interconnect driver, CCI or CCN, for the platform.

    *   Added support to allow loading BL31 in the TZC-secured DRAM instead of
        the default secure SRAM.

    *   Added support to use a System Security Control (SSC) Registers Unit
        enabling ARM TF to be compiled to support multiple ARM platforms and
        then select one at runtime.

    *   Restricted mapping of Trusted ROM in BL1 to what is actually needed by
        BL1 rather than entire Trusted ROM region.

    *   Flash is now mapped as execute-never by default. This increases security
        by restricting the executable region to what is strictly needed.

*   Applied following erratum workarounds for Cortex-A57: 833471, 826977,
    829520, 828024 and 826974.

*   Added support for Mediatek MT6795 platform.

*   Added support for QEMU virtualization ARMv8-A target.

*   Added support for Rockchip RK3368 and RK3399 platforms.

*   Added support for Xilinx Zynq UltraScale+ MPSoC platform.

*   Added support for ARM Cortex-A73 MPCore Processor.

*   Added support for ARM Cortex-A72 processor.

*   Added support for ARM Cortex-A35 processor.

*   Added support for ARM Cortex-A32 MPCore Processor.

*   Enabled preloaded BL33 alternative boot flow, in which BL2 does not load
    BL33 from non-volatile storage and BL31 hands execution over to a preloaded
    BL33. The User Guide has been updated with an example of how to use this
    option with a bootwrapped kernel.

*   Added support to build ARM TF on a Windows-based host machine.

*   Updated Trusted Board Boot prototype implementation:

    *   Enabled the ability for a production ROM with TBBR enabled to boot test
        software before a real ROTPK is deployed (e.g. manufacturing mode).
        Added support to use ROTPK in certificate without verifying against the
        platform value when `ROTPK_NOT_DEPLOYED` bit is set.

    *   Added support for non-volatile counter authentication to the
        Authentication Module to protect against roll-back.

*   Updated GICv3 support:

    *   Enabled processor power-down and automatic power-on using GICv3.

    *   Enabled G1S or G0 interrupts to be configured independently.

    *   Changed FVP default interrupt driver to be the GICv3-only driver.
        **Note** the default build of Trusted Firmware will not be able to boot
        Linux kernel with GICv2 FDT blob.

    *   Enabled wake-up from CPU_SUSPEND to stand-by by temporarily re-routing
        interrupts and then restoring after resume.

Issues resolved since last release
----------------------------------

Known issues
------------

*   The version of the AEMv8 Base FVP used in this release resets the model
    instead of terminating its execution in response to a shutdown request using
    the PSCI `SYSTEM_OFF` API. This issue will be fixed in a future version of
    the model.

*   Building TF with compiler optimisations disabled (`-O0`) fails.

*   ARM TF cannot be built with mbed TLS version v2.3.0 due to build warnings
    that the ARM TF build system interprets as errors.

*   TBBR is not currently supported when running Trusted Firmware in AArch32
    state.


ARM Trusted Firmware - version 1.2
==================================

New features
------------

*   The Trusted Board Boot implementation on ARM platforms now conforms to the
    mandatory requirements of the TBBR specification.

    In particular, the boot process is now guarded by a Trusted Watchdog, which
    will reset the system in case of an authentication or loading error. On ARM
    platforms, a secure instance of ARM SP805 is used as the Trusted Watchdog.

    Also, a firmware update process has been implemented. It enables
    authenticated firmware to update firmware images from external interfaces to
    SoC Non-Volatile memories.
    This feature functions even when the current
    firmware in the system is corrupt or missing; it therefore may be used as
    a recovery mode.

*   Improvements have been made to the Certificate Generation Tool
    (`cert_create`) as follows.

    *   Added support for the Firmware Update process by extending the Chain
        of Trust definition in the tool to include the Firmware Update
        certificate and the required extensions.

    *   Introduced a new API that allows one to specify command line options in
        the Chain of Trust description. This makes the declaration of the tool's
        arguments more flexible and easier to extend.

    *   The tool has been reworked to follow a data driven approach, which
        makes it easier to maintain and extend.

*   Extended the FIP tool (`fip_create`) to support the new set of images
    involved in the Firmware Update process.

*   Various memory footprint improvements. In particular:

    *   The bakery lock structure for coherent memory has been optimised.

    *   The mbed TLS SHA1 functions are not needed, as SHA256 is used to
        generate the certificate signature. Therefore, they have been compiled
        out, reducing the memory footprint of BL1 and BL2 by approximately
        6 KB.

    *   On ARM development platforms, each BL stage now individually defines
        the number of regions that it needs to map in the MMU.

*   Added the following new design documents:

    *   [Authentication framework]
    *   [Firmware Update]
    *   [TF Reset Design]
    *   [Power Domain Topology Design]

*   Applied the new image terminology to the code base and documentation, as
    described on the [TF wiki on GitHub][TF Image Terminology].

*   The build system has been reworked to improve readability and facilitate
    adding future extensions.

*   On ARM standard platforms, BL31 uses the boot console during cold boot
    but switches to the runtime console for any later logs at runtime.
    The TSP uses the runtime console for all output.

*   Implemented a basic NOR flash driver for ARM platforms. It programs the
    device using CFI (Common Flash Interface) standard commands.

*   Implemented support for booting EL3 payloads on ARM platforms, which
    reduces the complexity of developing EL3 baremetal code by doing essential
    baremetal initialization.

*   Provided separate drivers for GICv3 and GICv2. These expect the entire
    software stack to use either GICv2 or GICv3; hybrid GIC software systems
    are no longer supported and the legacy ARM GIC driver has been deprecated.

*   Added support for Juno r1 and r2. A single set of Juno TF binaries can run
    on Juno r0, r1 and r2 boards. Note that this TF version depends on a Linaro
    release that does *not* contain Juno r2 support.

*   Added support for MediaTek mt8173 platform.

*   Implemented a generic driver for ARM CCN IP.

*   Major rework of the PSCI implementation.

    *   Added framework to handle composite power states.

    *   Decoupled the notions of affinity instances (which describes the
        hierarchical arrangement of cores) and of power domain topology, instead
        of assuming a one-to-one mapping.

    *   Better alignment with version 1.0 of the PSCI specification.

*   Added support for the SYSTEM_SUSPEND PSCI API on ARM platforms. When invoked
    on the last running core on a supported platform, this puts the system
    into a low power mode with memory retention.

*   Unified the reset handling code as much as possible across BL stages.
    Also introduced some build options to enable optimization of the reset path
    on platforms that support it.

*   Added a simple delay timer API, as well as an SP804 timer driver, which is
    enabled on FVP.

*   Added support for NVidia Tegra T210 and T132 SoCs.

*   Reorganised ARM platforms ports to greatly improve code shareability and
    facilitate the reuse of some of this code by other platforms.

*   Added support for ARM Cortex-A72 processor in the CPU specific framework.

*   Provided better error handling. Platform ports can now define their own
    error handling, for example to perform platform specific bookkeeping or
    post-error actions.

*   Implemented a unified driver for ARM Cache Coherent Interconnects used for
    both CCI-400 & CCI-500 IPs. ARM platforms ports have been migrated to this
    common driver. The standalone CCI-400 driver has been deprecated.


Issues resolved since last release
----------------------------------

*   The Trusted Board Boot implementation has been redesigned to provide greater
    modularity and scalability. See the [Authentication Framework] document.
    All missing mandatory features are now implemented.

*   The FVP and Juno ports may now use the hash of the ROTPK stored in the
    Trusted Key Storage registers to verify the ROTPK. Alternatively, a
    development public key hash embedded in the BL1 and BL2 binaries might be
    used instead. The location of the ROTPK is chosen at build-time using the
    `ARM_ROTPK_LOCATION` build option.

*   GICv3 is now fully supported and stable.


Known issues
------------

*   The version of the AEMv8 Base FVP used in this release resets the model
    instead of terminating its execution in response to a shutdown request using
    the PSCI `SYSTEM_OFF` API. This issue will be fixed in a future version of
    the model.

*   While this version has low on-chip RAM requirements, there are further
    RAM usage enhancements that could be made.

*   The upstream documentation could be improved for structural consistency,
    clarity and completeness. In particular, the design documentation is
    incomplete for PSCI, the TSP(D) and the Juno platform.

*   Building TF with compiler optimisations disabled (`-O0`) fails.


ARM Trusted Firmware - version 1.1
==================================

New features
------------

*   A prototype implementation of Trusted Board Boot has been added. Boot
    loader images are verified by BL1 and BL2 during the cold boot path. BL1 and
    BL2 use the PolarSSL SSL library to verify certificates and images. The
    OpenSSL library is used to create the X.509 certificates. Support has been
    added to `fip_create` tool to package the certificates in a FIP.

*   Support for calling CPU and platform specific reset handlers upon entry into
    BL3-1 during the cold and warm boot paths has been added. This happens after
    another Boot ROM `reset_handler()` has already run. This enables a developer
    to perform additional actions or undo actions already performed during the
    first call of the reset handlers e.g. apply additional errata workarounds.

*   Support has been added to demonstrate routing of IRQs to EL3 instead of
    S-EL1 when execution is in secure world.

*   The PSCI implementation now conforms to version 1.0 of the PSCI
    specification. All the mandatory APIs and selected optional APIs are
    supported. In particular, support for the `PSCI_FEATURES` API has been
    added. A capability variable is constructed during initialization by
    examining the `plat_pm_ops` and `spd_pm_ops` exported by the platform and
    the Secure Payload Dispatcher. This is used by the PSCI FEATURES function
    to determine which PSCI APIs are supported by the platform.

*   Improvements have been made to the PSCI code as follows.

    *   The code has been refactored to remove redundant parameters from
        internal functions.

    *   Changes have been made to the code for PSCI `CPU_SUSPEND`, `CPU_ON` and
        `CPU_OFF` calls to facilitate an early return to the caller in case a
        failure condition is detected.
        For example, a PSCI `CPU_SUSPEND` call
        returns `SUCCESS` to the caller if a pending interrupt is detected early
        in the code path.

    *   Optional platform APIs have been added to validate the `power_state` and
        `entrypoint` parameters early in PSCI `CPU_ON` and `CPU_SUSPEND` code
        paths.

    *   PSCI migrate APIs have been reworked to invoke the SPD hook to determine
        the type of Trusted OS and the CPU it is resident on (if
        applicable). Also, during a PSCI `MIGRATE` call, the SPD hook to migrate
        the Trusted OS is invoked.

*   It is now possible to build Trusted Firmware without marking at least an
    extra page of memory as coherent. The build flag `USE_COHERENT_MEM` can be
    used to choose between the two implementations. This has been made possible
    through these changes.

    *   An implementation of Bakery locks, where the locks are not allocated in
        coherent memory has been added.

    *   Memory which was previously marked as coherent is now kept coherent
        through the use of software cache maintenance operations.

    Approximately, 4K worth of memory is saved for each boot loader stage when
    `USE_COHERENT_MEM=0`. Enabling this option increases the latencies
    associated with acquire and release of locks. It also requires changes to
    the platform ports.

*   It is now possible to specify the name of the FIP at build time by defining
    the `FIP_NAME` variable.

*   Issues with dependencies on the 'fiptool' makefile target have been
    rectified. The `fip_create` tool is now rebuilt whenever its source files
    change.

*   The BL3-1 runtime console is now also used as the crash console. The crash
    console is changed to SoC UART0 (UART2) from the previous FPGA UART0 (UART0)
    on Juno. In FVP, it is changed from UART0 to UART1.

*   CPU errata workarounds are applied only when the revision and part number
    match.
    This behaviour has been made consistent across the debug and release
    builds. The debug build additionally prints a warning if a mismatch is
    detected.

*   It is now possible to issue cache maintenance operations by set/way for a
    particular level of data cache. Levels 1-3 are currently supported.

*   The following improvements have been made to the FVP port.

    *   The build option `FVP_SHARED_DATA_LOCATION` which allowed relocation of
        shared data into the Trusted DRAM has been deprecated. Shared data is
        now always located at the base of Trusted SRAM.

    *   BL2 Translation tables have been updated to map only the region of
        DRAM which is accessible to normal world. This is the region of the 2GB
        DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is
        accessible to only the secure world.

    *   BL3-2 can now reside in the top 16MB of DRAM which is accessible only to
        the secure world. This can be done by setting the build flag
        `FVP_TSP_RAM_LOCATION` to the value `dram`.

*   Separate translation tables are created for each boot loader image. The
    `IMAGE_BLx` build options are used to do this. This allows each stage to
    create mappings only for areas in the memory map that it needs.

*   A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been
    added. Details of using it with ARM Trusted Firmware can be found in
    [OP-TEE Dispatcher]


Issues resolved since last release
----------------------------------

*   The Juno port has been aligned with the FVP port as follows.

    *   Support for reclaiming all BL1 RW memory and BL2 memory by overlaying
        the BL3-1/BL3-2 NOBITS sections on top of them has been added to the
        Juno port.

    *   The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured
        using the TZC-400 controller to be accessible only to the secure world.

    *   The ARM GIC driver is used to configure the GIC-400 instead of using a
        GIC driver private to the Juno port.

    *   PSCI `CPU_SUSPEND` calls that target a standby state are now supported.

    *   The TZC-400 driver is used to configure the controller instead of direct
        accesses to the registers.

*   The Linux kernel version referred to in the user guide has DVFS and HMP
    support enabled.

*   DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
    CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of
    the Cortex-A57-A53 Base FVPs.


Known issues
------------

*   The Trusted Board Boot implementation is a prototype. There are issues with
    the modularity and scalability of the design. Support for a Trusted
    Watchdog, firmware update mechanism, recovery images and Trusted debug is
    absent. These issues will be addressed in future releases.

*   The FVP and Juno ports do not use the hash of the ROTPK stored in the
    Trusted Key Storage registers to verify the ROTPK in the
    `plat_match_rotpk()` function. This prevents the correct establishment of
    the Chain of Trust at the first step in the Trusted Board Boot process.

*   The version of the AEMv8 Base FVP used in this release resets the model
    instead of terminating its execution in response to a shutdown request using
    the PSCI `SYSTEM_OFF` API. This issue will be fixed in a future version of
    the model.

*   GICv3 support is experimental. There are known issues with GICv3
    initialization in the ARM Trusted Firmware.

*   While this version greatly reduces the on-chip RAM requirements, there are
    further RAM usage enhancements that could be made.

*   The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
    its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

*   The Juno-specific firmware design documentation is incomplete.
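
The version 1.1 notes above describe both early validation of the PSCI `entrypoint` parameter and a DRAM layout whose top 16MB is reserved for the secure world. The following is an added example, not code from ARM Trusted Firmware, showing an overflow-safe range check against that layout next to a naive one. All function, macro and enum names are hypothetical, the entrypoint policy is an assumption, and only the 2GB DRAM at 0x80000000 and the secure top 16MB come from the notes.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* From the notes: 2GB of DDR-DRAM at 0x80000000, top 16MB secure-only. */
#define DRAM_BASE      UINT64_C(0x80000000)
#define DRAM_SIZE      (UINT64_C(2) << 30)
#define SEC_DRAM_SIZE  (UINT64_C(16) << 20)

/* Derived, exclusive upper bounds (hypothetical names). */
#define DRAM_END       (DRAM_BASE + DRAM_SIZE)     /* 0x100000000 */
#define NS_DRAM_END    (DRAM_END - SEC_DRAM_SIZE)  /* 0xFF000000  */

enum range_class {
    RANGE_INVALID,   /* zero length, or base + size wraps around */
    RANGE_OUTSIDE,   /* no overlap with DRAM at all */
    RANGE_NS_OK,     /* entirely inside normal-world DRAM */
    RANGE_SECURE,    /* entirely inside the secure top 16MB */
    RANGE_STRADDLES  /* crosses a DRAM or secure-region boundary */
};

/* Deliberately flawed: base + size can wrap past 2^64 and look small. */
bool naive_range_is_ns(uint64_t base, uint64_t size)
{
    return base >= DRAM_BASE && base + size <= NS_DRAM_END;
}

/* Hardened check: reject wrap-around first, then compare exclusive ends. */
enum range_class classify_range(uint64_t base, uint64_t size)
{
    if (size == 0 || base > UINT64_MAX - size)
        return RANGE_INVALID;

    uint64_t end = base + size;  /* cannot wrap after the check above */

    if (end <= DRAM_BASE || base >= DRAM_END)
        return RANGE_OUTSIDE;
    if (base >= DRAM_BASE && end <= NS_DRAM_END)
        return RANGE_NS_OK;
    if (base >= NS_DRAM_END && end <= DRAM_END)
        return RANGE_SECURE;
    return RANGE_STRADDLES;
}

/*
 * Assumed policy for a normal-world entrypoint: 4-byte aligned, and the
 * first instruction lies wholly inside normal-world DRAM.
 */
bool ns_entrypoint_is_valid(uint64_t entrypoint)
{
    if (entrypoint & 0x3)
        return false;
    return classify_range(entrypoint, 4) == RANGE_NS_OK;
}

int main(void)
{
    /* Constructed sample ranges, not taken from any platform port. */
    static const struct { uint64_t base, size; } samples[] = {
        { UINT64_C(0x80000000), UINT64_C(0x1000) },
        { UINT64_C(0xFEFFF000), UINT64_C(0x2000) },
        { UINT64_C(0xFF000000), UINT64_C(0x1000) },
        { UINT64_C(0x90000000), UINT64_C(0xFFFFFFFF80000000) },
    };
    static const char *const names[] = {
        "INVALID", "OUTSIDE", "NS_OK", "SECURE", "STRADDLES"
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("base=0x%" PRIx64 " size=0x%" PRIx64 " naive=%d hardened=%s\n",
               samples[i].base, samples[i].size,
               naive_range_is_ns(samples[i].base, samples[i].size),
               names[classify_range(samples[i].base, samples[i].size)]);
    return 0;
}
```

The last sample wraps to a small end address, so the naive check accepts it while the hardened check reports it as invalid.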


ARM Trusted Firmware - version 1.0
==================================

New features
------------

*   It is now possible to map higher physical addresses using non-flat virtual
    to physical address mappings in the MMU setup.

*   Wider use is now made of the per-CPU data cache in BL3-1 to store:

    *   Pointers to the non-secure and secure security state contexts.

    *   A pointer to the CPU-specific operations.

    *   A pointer to PSCI specific information (for example the current power
        state).

    *   A crash reporting buffer.

*   The following RAM usage improvements result in a BL3-1 RAM usage reduction
    from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction
    across all images from 208KB to 88KB, compared to the previous release.

    *   Removed the separate `early_exception` vectors from BL3-1 (2KB code size
        saving).

    *   Removed NSRAM from the FVP memory map, allowing the removal of one
        (4KB) translation table.

    *   Eliminated the internal `psci_suspend_context` array, saving 2KB.

    *   Correctly dimensioned the PSCI `aff_map_node` array, saving 1.5KB in the
        FVP port.

    *   Removed calling CPU mpidr from the bakery lock API, saving 160 bytes.

    *   Removed current CPU mpidr from PSCI common code, saving 160 bytes.

    *   Inlined the mmio accessor functions, saving 360 bytes.

    *   Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by
        overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime.

    *   Made storing the FP register context optional, saving 0.5KB per context
        (8KB on the FVP port, with TSPD enabled and running on 8 CPUs).

    *   Implemented a leaner `tf_printf()` function, allowing the stack to be
        greatly reduced.

    *   Removed coherent stacks from the codebase. Stacks allocated in normal
        memory are now used before and after the MMU is enabled.
        This saves 768
        bytes per CPU in BL3-1.

    *   Reworked the crash reporting in BL3-1 to use less stack.

    *   Optimized the EL3 register state stored in the `cpu_context` structure
        so that registers that do not change during normal execution are
        re-initialized each time during cold/warm boot, rather than restored
        from memory. This saves about 1.2KB.

    *   As a result of some of the above, reduced the runtime stack size in all
        BL images. For BL3-1, this saves 1KB per CPU.

*   PSCI SMC handler improvements to correctly handle calls from secure states
    and from AArch32.

*   CPU contexts are now initialized from the `entry_point_info`. BL3-1 fully
    determines the exception level to use for the non-trusted firmware (BL3-3)
    based on the SPSR value provided by the BL2 platform code (or otherwise
    provided to BL3-1). This allows platform code to directly run non-trusted
    firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS
    loader.

*   Code refactoring improvements:

    *   Refactored `fvp_config` into a common platform header.

    *   Refactored the fvp gic code to be a generic driver that no longer has an
        explicit dependency on platform code.

    *   Refactored the CCI-400 driver to not have dependency on platform code.

    *   Simplified the IO driver so it's no longer necessary to call `io_init()`
        and moved all the IO storage framework code to one place.

    *   Simplified the interface to the TZC-400 driver.

    *   Clarified the platform porting interface to the TSP.

    *   Reworked the TSPD setup code to support the alternate BL3-2
        initialization flow where BL3-1 generic code hands control to BL3-2,
        rather than expecting the TSPD to hand control directly to BL3-2.

    *   Considerable rework to PSCI generic code to support CPU specific
        operations.

*   Improved console log output, by:

    *   Adding the concept of debug log levels.

    *   Rationalizing the existing debug messages and adding new ones.

    *   Printing out the version of each BL stage at runtime.

    *   Adding support for printing console output from assembler code,
        including when a crash occurs before the C runtime is initialized.

*   Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro
    file system and DS-5.

*   On the FVP port, made the use of the Trusted DRAM region optional at build
    time (off by default). Normal platforms will not have such a "ready-to-use"
    DRAM area so it is not a good example to use it.

*   Added support for PSCI `SYSTEM_OFF` and `SYSTEM_RESET` APIs.

*   Added support for CPU specific reset sequences, power down sequences and
    register dumping during crash reporting. The CPU specific reset sequences
    include support for errata workarounds.

*   Merged the Juno port into the master branch. Added support for CPU hotplug
    and CPU idle. Updated the user guide to describe how to build and run on the
    Juno platform.


Issues resolved since last release
----------------------------------

*   Removed the concept of top/bottom image loading. The image loader now
    automatically detects the position of the image inside the current memory
    layout and updates the layout to minimize fragmentation. This resolves the
    image loader limitations of previous releases. There are currently no
    plans to support dynamic image loading.

*   CPU idle now works on the publicized version of the Foundation FVP.

*   All known issues relating to the compiler version used have now been
    resolved. This TF version uses Linaro toolchain 14.07 (based on GCC 4.9).


Known issues
------------

*   GICv3 support is experimental. The Linux kernel patches to support this are
    not widely available. There are known issues with GICv3 initialization in
    the ARM Trusted Firmware.

*   While this version greatly reduces the on-chip RAM requirements, there are
    further RAM usage enhancements that could be made.

*   The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
    its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

*   The Juno-specific firmware design documentation is incomplete.

*   Some recent enhancements to the FVP port have not yet been translated into
    the Juno port. These will be tracked via the tf-issues project.

*   The Linux kernel version referred to in the user guide has DVFS and HMP
    support disabled due to some known instabilities at the time of this
    release. A future kernel version will re-enable these features.

*   DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
    CADI server mode. This is because the `<SimName>` reported by the FVP in
    this version has changed. For example, for the Cortex-A57x4-A53x4 Base FVP,
    the `<SimName>` reported by the FVP is `FVP_Base_Cortex_A57x4_A53x4`, while
    DS-5 expects it to be `FVP_Base_A57x4_A53x4`.

    The temporary fix to this problem is to change the name of the FVP in
    `sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml`.
    Change the following line:

        <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName>

    to

        <SimName>System Generator:FVP_Base_Cortex-A57x4_A53x4</SimName>

    A similar change can be made to the other Cortex-A57-A53 Base FVP variants.


ARM Trusted Firmware - version 0.4
==================================

New features
------------

*   Makefile improvements:

    *   Improved dependency checking when building.

    *   Removed `dump` target (build now always produces dump files).

    *   Enabled platform ports to optionally make use of parts of the Trusted
        Firmware (e.g. BL3-1 only), rather than being forced to use all parts.
        Also made the `fip` target optional.

    *   Specified the full path to source files and removed use of the `vpath`
        keyword.

*   Provided translation table library code for potential re-use by platforms
    other than the FVPs.

*   Moved architectural timer setup to platform-specific code.

*   Added standby state support to PSCI cpu_suspend implementation.

*   SRAM usage improvements:

    *   Started using the `-ffunction-sections`, `-fdata-sections` and
        `--gc-sections` compiler/linker options to remove unused code and data
        from the images. Previously, all common functions were being built into
        all binary images, whether or not they were actually used.

    *   Placed all assembler functions in their own section to allow more unused
        functions to be removed from images.

    *   Updated BL1 and BL2 to use a single coherent stack each, rather than one
        per CPU.

    *   Changed variables that were unnecessarily declared and initialized as
        non-const (i.e. in the .data section) so they are either uninitialized
        (zero init) or const.

*   Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by
    default. The option for it to run in Trusted DRAM remains.

*   Implemented a TrustZone Address Space Controller (TZC-400) driver. A
    default configuration is provided for the Base FVPs. This means the model
    parameter `-C bp.secure_memory=1` is now supported.

*   Started saving the PSCI cpu_suspend 'power_state' parameter prior to
    suspending a CPU. This allows platforms that implement multiple power-down
    states at the same affinity level to identify a specific state.

*   Refactored the entire codebase to reduce the amount of nesting in header
    files and to make the use of system/user includes more consistent. Also
    split platform.h to separate out the platform porting declarations from the
    required platform porting definitions and the definitions/declarations
    specific to the platform port.

*   Optimized the data cache clean/invalidate operations.

*   Improved the BL3-1 unhandled exception handling and reporting. Unhandled
    exceptions now result in a dump of registers to the console.

*   Major rework to the handover interface between BL stages, in particular the
    interface to BL3-1. The interface now conforms to a specification and is
    more future proof.

*   Added support for optionally making the BL3-1 entrypoint a reset handler
    (instead of BL1). This allows platforms with an alternative image loading
    architecture to re-use BL3-1 with fewer modifications to generic code.

*   Reserved some DDR DRAM for secure use on FVP platforms to avoid future
    compatibility problems with non-secure software.

*   Added support for secure interrupts targeting the Secure-EL1 Payload (SP)
    (using GICv2 routing only). Demonstrated this working by adding an interrupt
    target and supporting test code to the TSP. Also demonstrated non-secure
    interrupt handling during TSP processing.


Issues resolved since last release
----------------------------------

*   Now support use of the model parameter `-C bp.secure_memory=1` in the Base
    FVPs (see **New features**).

*   Support for secure world interrupt handling now available (see **New
    features**).

*   Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1
    Payload (BL3-2) to execute in Trusted SRAM by default.

*   The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
    14.04) now correctly reports progress in the console.

*   Improved the Makefile structure to make it easier to separate out parts of
    the Trusted Firmware for re-use in platform ports. Also, improved target
    dependency checking.


Known issues
------------

*   GICv3 support is experimental. The Linux kernel patches to support this are
    not widely available.
    There are known issues with GICv3 initialization in
    the ARM Trusted Firmware.

*   Dynamic image loading is not available yet. The current image loader
    implementation (used to load BL2 and all subsequent images) has some
    limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
    to loading errors, even if the images should theoretically fit in memory.

*   The ARM Trusted Firmware still uses too much on-chip Trusted SRAM. A number
    of RAM usage enhancements have been identified to rectify this situation.

*   CPU idle does not work on the advertised version of the Foundation FVP.
    Some FVP fixes are required that are not available externally at the time
    of writing. This can be worked around by disabling CPU idle in the Linux
    kernel.

*   Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been
    observed when using Linaro toolchain versions later than 13.11. Although
    most of these have been fixed, some remain at the time of writing. These
    mainly seem to relate to a subtle change in the way the compiler converts
    between 64-bit and 32-bit values (e.g. during casting operations), which
    reveals previously hidden bugs in client code.

*   The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
    its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.


ARM Trusted Firmware - version 0.3
==================================

New features
------------

*   Support for Foundation FVP Version 2.0 added.
    The documented UEFI configuration disables some devices that are unavailable
    in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can
    be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation
    FVP.

    NOTE: The software will not work on Version 1.0 of the Foundation FVP.

*   Enabled third party contributions.
    Added a new contributing.md containing
    instructions for how to contribute and updated copyright text in all files
    to acknowledge contributors.

*   The PSCI CPU_SUSPEND API has been stabilised to the extent where it can be
    used for entry into power down states with the following restrictions:
    - Entry into standby states is not supported.
    - The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs.

*   The PSCI AFFINITY_INFO API has undergone limited testing on the Base FVPs to
    allow experimental use.

*   Required C library and runtime header files are now included locally in ARM
    Trusted Firmware instead of depending on the toolchain standard include
    paths. The local implementation has been cleaned up and reduced in scope.

*   Added I/O abstraction framework, primarily to allow generic code to load
    images in a platform-independent way. The existing image loading code has
    been reworked to use the new framework. Semi-hosting and NOR flash I/O
    drivers are provided.

*   Introduced Firmware Image Package (FIP) handling code and tools. A FIP
    combines multiple firmware images with a Table of Contents (ToC) into a
    single binary image. The new FIP driver is another type of I/O driver. The
    Makefile builds a FIP by default and the FVP platform code expects to load a
    FIP from NOR flash, although some support for image loading using
    semi-hosting is retained.

    NOTE: Building a FIP by default is a non-backwards-compatible change.

    NOTE: Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into
    DRAM instead of expecting this to be pre-loaded at known location. This is
    also a non-backwards-compatible change.

    NOTE: Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that
    it knows the new location to execute from and no longer needs to copy
    particular code modules to DRAM itself.

*   Reworked BL2 to BL3-1 handover interface. A new composite structure
    (bl31_args) holds the superset of information that needs to be passed from
    BL2 to BL3-1, including information on how to hand over execution control
    to BL3-2 (if present) and BL3-3 (non-trusted firmware).

*   Added library support for CPU context management, allowing the saving and
    restoring of
    - Shared system registers between Secure-EL1 and EL1.
    - VFP registers.
    - Essential EL3 system registers.

*   Added a framework for implementing EL3 runtime services. Reworked the PSCI
    implementation to be one such runtime service.

*   Reworked the exception handling logic, making use of both SP_EL0 and SP_EL3
    stack pointers for determining the type of exception, managing general
    purpose and system register context on exception entry/exit, and handling
    SMCs. SMCs are directed to the correct EL3 runtime service.

*   Added support for a Test Secure-EL1 Payload (TSP) and a corresponding
    Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD
    implements Secure Monitor functionality such as world switching and
    EL1 context management, and is responsible for communication with the TSP.

    NOTE: The TSPD does not yet contain support for secure world interrupts.

    NOTE: The TSP/TSPD is not built by default.


Issues resolved since last release
----------------------------------

*   Support has been added for switching context between secure and normal
    worlds in EL3.

*   PSCI API calls `AFFINITY_INFO` & `PSCI_VERSION` have now been tested (to
    a limited extent).

*   The ARM Trusted Firmware build artifacts are now placed in the `./build`
    directory and sub-directories instead of being placed in the root of the
    project.

*   The ARM Trusted Firmware is now free from build warnings. Build warnings
    are now treated as errors.

*   The ARM Trusted Firmware now provides C library support locally within the
    project to maintain compatibility between toolchains/systems.

*   The PSCI locking code has been reworked so it no longer takes locks in an
    incorrect sequence.

*   The RAM-disk method of loading a Linux file-system has been confirmed to
    work with the ARM Trusted Firmware and Linux kernel version (based on
    version 3.13) used in this release, for both Foundation and Base FVPs.


Known issues
------------

The following is a list of issues which are expected to be fixed in future
releases of the ARM Trusted Firmware.

*   The TrustZone Address Space Controller (TZC-400) is not being programmed
    yet. Use of model parameter `-C bp.secure_memory=1` is not supported.

*   No support yet for secure world interrupt handling.

*   GICv3 support is experimental. The Linux kernel patches to support this are
    not widely available. There are known issues with GICv3 initialization in
    the ARM Trusted Firmware.

*   Dynamic image loading is not available yet. The current image loader
    implementation (used to load BL2 and all subsequent images) has some
    limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
    to loading errors, even if the images should theoretically fit in memory.

*   The ARM Trusted Firmware uses too much on-chip Trusted SRAM. Currently the
    Test Secure-EL1 Payload (BL3-2) executes in Trusted DRAM since there is not
    enough SRAM. A number of RAM usage enhancements have been identified to
    rectify this situation.

*   CPU idle does not work on the advertised version of the Foundation FVP.
    Some FVP fixes are required that are not available externally at the time
    of writing.

*   Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been
    observed when using Linaro toolchain versions later than 13.11.
    Although most of these have been fixed, some remain at the time of writing.
    These mainly seem to relate to a subtle change in the way the compiler
    converts between 64-bit and 32-bit values (e.g. during casting operations),
    which reveals previously hidden bugs in client code.

*   The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
    14.01) does not report progress correctly in the console. It only seems to
    produce error output, not standard output. It otherwise appears to function
    correctly. Other filesystem versions on the same software stack do not
    exhibit the problem.

*   The Makefile structure doesn't make it easy to separate out parts of the
    Trusted Firmware for re-use in platform ports, for example if only BL3-1 is
    required in a platform port. Also, dependency checking in the Makefile is
    flawed.

*   The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
    its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.


ARM Trusted Firmware - version 0.2
==================================

New features
------------

*   First source release.

*   Code for the PSCI suspend feature is supplied, although this is not enabled
    by default since there are known issues (see below).


Issues resolved since last release
----------------------------------

*   The "psci" nodes in the FDTs provided in this release now fully comply
    with the recommendations made in the PSCI specification.


Known issues
------------

The following is a list of issues which are expected to be fixed in the future
releases of the ARM Trusted Firmware.

*   The TrustZone Address Space Controller (TZC-400) is not being programmed
    yet. Use of model parameter `-C bp.secure_memory=1` is not supported.

*   No support yet for secure world interrupt handling or for switching context
    between secure and normal worlds in EL3.

*   GICv3 support is experimental. The Linux kernel patches to support this are
    not widely available. There are known issues with GICv3 initialization in
    the ARM Trusted Firmware.

*   Dynamic image loading is not available yet. The current image loader
    implementation (used to load BL2 and all subsequent images) has some
    limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
    to loading errors, even if the images should theoretically fit in memory.

*   Although support for PSCI `CPU_SUSPEND` is present, it is not yet stable
    and ready for use.

*   PSCI API calls `AFFINITY_INFO` & `PSCI_VERSION` are implemented but have not
    been tested.

*   The ARM Trusted Firmware make files result in all build artifacts being
    placed in the root of the project. These should be placed in appropriate
    sub-directories.

*   The compilation of ARM Trusted Firmware is not free from compilation
    warnings. Some of these warnings have not been investigated yet so they
    could mask real bugs.

*   The ARM Trusted Firmware currently uses toolchain/system include files like
    stdio.h. It should provide versions of these within the project to maintain
    compatibility between toolchains/systems.

*   The PSCI code takes some locks in an incorrect sequence. This may cause
    problems with suspend and hotplug in certain conditions.

*   The Linux kernel used in this release is based on version 3.12-rc4. Using
    this kernel with the ARM Trusted Firmware fails to start the file-system as
    a RAM-disk. It fails to execute user-space `init` from the RAM-disk. As an
    alternative, the VirtioBlock mechanism can be used to provide a file-system
    to the kernel.


- - - - - - - - - - - - - - - - - - - - - - - - - -

_Copyright (c) 2013-2016, ARM Limited and Contributors. All rights reserved._

[OP-TEE Dispatcher]:               optee-dispatcher.md
[Power Domain Topology Design]:    psci-pd-tree.md
[TF Image Terminology]:            https://github.com/ARM-software/arm-trusted-firmware/wiki/Trusted-Firmware-Image-Terminology
[Authentication Framework]:        auth-framework.md
[Firmware Update]:                 firmware-update.md
[TF Reset Design]:                 reset-design.md
[PSCI Integration Guide]:          psci-lib-integration-guide.md
[Firmware Design]:                 firmware-design.md
[CPU Specific Build Macros]:       cpu-specific-build-macros.md
[User Guide]:                      user-guide.md
[Porting Guide]:                   porting-guide.md
[Developer Certificate of Origin]: ../dco.txt
[Contribution Guide]:              ../contributing.md