ARM Trusted Firmware - version 1.2
==================================

New features
------------

*   The Trusted Board Boot implementation on ARM platforms now conforms to the
    mandatory requirements of the TBBR specification.

    In particular, the boot process is now guarded by a Trusted Watchdog, which
    will reset the system in case of an authentication or loading error. On ARM
    platforms, a secure instance of ARM SP805 is used as the Trusted Watchdog.

    Also, a firmware update process has been implemented. It enables
    authenticated firmware to update firmware images from external interfaces to
    SoC Non-Volatile memories. This feature functions even when the current
    firmware in the system is corrupt or missing; it therefore may be used as
    a recovery mode.

*   Improvements have been made to the Certificate Generation Tool
    (`cert_create`) as follows.

    *   Added support for the Firmware Update process by extending the Chain
        of Trust definition in the tool to include the Firmware Update
        certificate and the required extensions.

    *   Introduced a new API that allows one to specify command line options in
        the Chain of Trust description. This makes the declaration of the tool's
        arguments more flexible and easier to extend.

    *   The tool has been reworked to follow a data driven approach, which
        makes it easier to maintain and extend.

*   Extended the FIP tool (`fip_create`) to support the new set of images
    involved in the Firmware Update process.

*   Various memory footprint improvements. In particular:

    *   The bakery lock structure for coherent memory has been optimised.

    *   The mbed TLS SHA1 functions are not needed, as SHA256 is used to
        generate the certificate signature. Therefore, they have been compiled
        out, reducing the memory footprint of BL1 and BL2 by approximately
        6 KB.

    *   On ARM development platforms, each BL stage now individually defines
        the number of regions that it needs to map in the MMU.

*   Added the following new design documents:

    *   [Authentication framework]
    *   [Firmware Update]
    *   [TF Reset Design]
    *   [Power Domain Topology Design]

*   Applied the new image terminology to the code base and documentation, as
    described on the [TF wiki on GitHub][TF Image Terminology].

*   The build system has been reworked to improve readability and facilitate
    adding future extensions.

*   On ARM standard platforms, BL31 uses the boot console during cold boot
    but switches to the runtime console for any later logs at runtime. The TSP
    uses the runtime console for all output.

*   Implemented a basic NOR flash driver for ARM platforms. It programs the
    device using CFI (Common Flash Interface) standard commands.

*   Implemented support for booting EL3 payloads on ARM platforms, which
    reduces the complexity of developing EL3 baremetal code by doing essential
    baremetal initialization.

*   Provided separate drivers for GICv3 and GICv2. These expect the entire
    software stack to use either GICv2 or GICv3; hybrid GIC software systems
    are no longer supported and the legacy ARM GIC driver has been deprecated.

*   Added support for Juno r1 and r2. A single set of Juno TF binaries can run
    on Juno r0, r1 and r2 boards. Note that this TF version depends on a Linaro
    release that does *not* contain Juno r2 support.

*   Added support for MediaTek mt8173 platform.

*   Implemented a generic driver for ARM CCN IP.

*   Major rework of the PSCI implementation.

    *   Added framework to handle composite power states.

    *   Decoupled the notions of affinity instances (which describe the
        hierarchical arrangement of cores) and of power domain topology, instead
        of assuming a one-to-one mapping.

    *   Better alignment with version 1.0 of the PSCI specification.

*   Added support for the SYSTEM_SUSPEND PSCI API on ARM platforms. When invoked
    on the last running core on a supported platform, this puts the system
    into a low power mode with memory retention.

*   Unified the reset handling code as much as possible across BL stages.
    Also introduced some build options to enable optimization of the reset path
    on platforms that support it.

*   Added a simple delay timer API, as well as an SP804 timer driver, which is
    enabled on FVP.

*   Added support for NVIDIA Tegra T210 and T132 SoCs.

*   Reorganised ARM platforms ports to greatly improve code shareability and
    facilitate the reuse of some of this code by other platforms.

*   Added support for ARM Cortex-A72 processor in the CPU specific framework.

*   Provided better error handling. Platform ports can now define their own
    error handling, for example to perform platform specific bookkeeping or
    post-error actions.

*   Implemented a unified driver for ARM Cache Coherent Interconnects used for
    both CCI-400 & CCI-500 IPs. ARM platforms ports have been migrated to this
    common driver. The standalone CCI-400 driver has been deprecated.


Issues resolved since last release
----------------------------------

*   The Trusted Board Boot implementation has been redesigned to provide greater
    modularity and scalability. See the [Authentication Framework] document.
    All missing mandatory features are now implemented.

*   The FVP and Juno ports may now use the hash of the ROTPK stored in the
    Trusted Key Storage registers to verify the ROTPK. Alternatively, a
    development public key hash embedded in the BL1 and BL2 binaries might be
    used instead. The location of the ROTPK is chosen at build-time using the
    `ARM_ROTPK_LOCATION` build option.

*   GICv3 is now fully supported and stable.
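
The ROTPK item above comes down to one check: the public key carried in an untrusted certificate is accepted only if its digest equals a reference hash taken from the source chosen at build time. The sketch below is an added example, not code from ARM Trusted Firmware. It assumes a SHA-256 digest already computed by the caller, eight 32-bit key storage words with the most significant bytes first, and hypothetical names (`rotpk_location`, `rotpk_sources`, `rotpk_verify`); all sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTPK_HASH_LEN 32u /* SHA-256 digest size (assumed hash algorithm) */

/* Hypothetical names for the two sources selected by ARM_ROTPK_LOCATION. */
enum rotpk_location { ROTPK_FROM_REGS, ROTPK_FROM_DEVEL_KEY };

struct rotpk_sources {
    const volatile uint32_t *key_regs; /* 8 x 32-bit key storage words, or NULL */
    const uint8_t *devel_hash;         /* hash linked into BL1/BL2, or NULL */
};

/* Compare without an early exit so timing does not reveal the position of
 * the first differing byte. Returns 1 when the buffers are equal. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;

    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Fetch the reference hash from the configured source only. There is no
 * fallback to the other source: a missing source is an error. */
int rotpk_reference_hash(const struct rotpk_sources *src,
                         enum rotpk_location loc,
                         uint8_t out[ROTPK_HASH_LEN])
{
    switch (loc) {
    case ROTPK_FROM_REGS:
        if (src->key_regs == NULL)
            return -1;
        /* Assumption: word 0 holds the most significant hash bytes. */
        for (size_t i = 0; i < ROTPK_HASH_LEN / 4; i++) {
            uint32_t w = src->key_regs[i];

            out[4 * i + 0] = (uint8_t)(w >> 24);
            out[4 * i + 1] = (uint8_t)(w >> 16);
            out[4 * i + 2] = (uint8_t)(w >> 8);
            out[4 * i + 3] = (uint8_t)w;
        }
        return 0;
    case ROTPK_FROM_DEVEL_KEY:
        if (src->devel_hash == NULL)
            return -1;
        memcpy(out, src->devel_hash, ROTPK_HASH_LEN);
        return 0;
    }
    return -1; /* unknown location: fail closed */
}

/* key_digest is the SHA-256 of the public key found in the certificate.
 * Returns 0 only when it matches the reference hash. */
int rotpk_verify(const struct rotpk_sources *src, enum rotpk_location loc,
                 const uint8_t key_digest[ROTPK_HASH_LEN])
{
    uint8_t ref[ROTPK_HASH_LEN];

    if (rotpk_reference_hash(src, loc, ref) != 0)
        return -1;
    return ct_equal(ref, key_digest, ROTPK_HASH_LEN) ? 0 : -1;
}

/* Constructed sample data: register contents and two key digests. */
static const uint32_t sample_regs[8] = {
    0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f,
    0x10111213, 0x14151617, 0x18191a1b, 0x1c1d1e1f,
};
const uint8_t digest_prod[ROTPK_HASH_LEN] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
};
const uint8_t digest_devel[ROTPK_HASH_LEN] = {
    0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5,
    0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5,
    0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5,
    0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5, 0xa5,
};
const struct rotpk_sources sample_sources = { sample_regs, digest_devel };
const struct rotpk_sources sources_without_regs = { NULL, digest_devel };

int main(void)
{
    printf("regs source, production key:  %d\n",
           rotpk_verify(&sample_sources, ROTPK_FROM_REGS, digest_prod));
    printf("regs source, development key: %d\n",
           rotpk_verify(&sample_sources, ROTPK_FROM_REGS, digest_devel));
    return 0;
}
```

A key that matches the development hash is rejected when the build selects the register source, which is why a production build must not be configured with the development key location.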


Known issues
------------

*   The version of the AEMv8 Base FVP used in this release resets the model
    instead of terminating its execution in response to a shutdown request using
    the PSCI `SYSTEM_OFF` API. This issue will be fixed in a future version of
    the model.

*   While this version has low on-chip RAM requirements, there are further
    RAM usage enhancements that could be made.

*   The upstream documentation could be improved for structural consistency,
    clarity and completeness. In particular, the design documentation is
    incomplete for PSCI, the TSP(D) and the Juno platform.

*   Building TF with compiler optimisations disabled (`-O0`) fails.


ARM Trusted Firmware - version 1.1
==================================

New features
------------

*   A prototype implementation of Trusted Board Boot has been added. Boot
    loader images are verified by BL1 and BL2 during the cold boot path. BL1 and
    BL2 use the PolarSSL SSL library to verify certificates and images. The
    OpenSSL library is used to create the X.509 certificates. Support has been
    added to `fip_create` tool to package the certificates in a FIP.

*   Support for calling CPU and platform specific reset handlers upon entry into
    BL3-1 during the cold and warm boot paths has been added. This happens after
    another Boot ROM `reset_handler()` has already run. This enables a developer
    to perform additional actions or undo actions already performed during the
    first call of the reset handlers e.g. apply additional errata workarounds.

*   Support has been added to demonstrate routing of IRQs to EL3 instead of
    S-EL1 when execution is in secure world.

*   The PSCI implementation now conforms to version 1.0 of the PSCI
    specification. All the mandatory APIs and selected optional APIs are
    supported. In particular, support for the `PSCI_FEATURES` API has been
    added.
    A capability variable is constructed during initialization by
    examining the `plat_pm_ops` and `spd_pm_ops` exported by the platform and
    the Secure Payload Dispatcher. This is used by the PSCI FEATURES function
    to determine which PSCI APIs are supported by the platform.

*   Improvements have been made to the PSCI code as follows.

    *   The code has been refactored to remove redundant parameters from
        internal functions.

    *   Changes have been made to the code for PSCI `CPU_SUSPEND`, `CPU_ON` and
        `CPU_OFF` calls to facilitate an early return to the caller in case a
        failure condition is detected. For example, a PSCI `CPU_SUSPEND` call
        returns `SUCCESS` to the caller if a pending interrupt is detected early
        in the code path.

    *   Optional platform APIs have been added to validate the `power_state` and
        `entrypoint` parameters early in PSCI `CPU_ON` and `CPU_SUSPEND` code
        paths.

    *   PSCI migrate APIs have been reworked to invoke the SPD hook to determine
        the type of Trusted OS and the CPU it is resident on (if
        applicable). Also, during a PSCI `MIGRATE` call, the SPD hook to migrate
        the Trusted OS is invoked.

*   It is now possible to build Trusted Firmware without marking at least an
    extra page of memory as coherent. The build flag `USE_COHERENT_MEM` can be
    used to choose between the two implementations. This has been made possible
    through these changes.

    *   An implementation of Bakery locks, where the locks are not allocated in
        coherent memory, has been added.

    *   Memory which was previously marked as coherent is now kept coherent
        through the use of software cache maintenance operations.

    Approximately 4K worth of memory is saved for each boot loader stage when
    `USE_COHERENT_MEM=0`. Enabling this option increases the latencies
    associated with acquire and release of locks. It also requires changes to
    the platform ports.

*   It is now possible to specify the name of the FIP at build time by defining
    the `FIP_NAME` variable.

*   Issues with dependencies on the 'fiptool' makefile target have been
    rectified. The `fip_create` tool is now rebuilt whenever its source files
    change.

*   The BL3-1 runtime console is now also used as the crash console. The crash
    console is changed to SoC UART0 (UART2) from the previous FPGA UART0 (UART0)
    on Juno. In FVP, it is changed from UART0 to UART1.

*   CPU errata workarounds are applied only when the revision and part number
    match. This behaviour has been made consistent across the debug and release
    builds. The debug build additionally prints a warning if a mismatch is
    detected.

*   It is now possible to issue cache maintenance operations by set/way for a
    particular level of data cache. Levels 1-3 are currently supported.

*   The following improvements have been made to the FVP port.

    *   The build option `FVP_SHARED_DATA_LOCATION` which allowed relocation of
        shared data into the Trusted DRAM has been deprecated. Shared data is
        now always located at the base of Trusted SRAM.

    *   BL2 Translation tables have been updated to map only the region of
        DRAM which is accessible to normal world. This is the region of the 2GB
        DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is
        accessible to only the secure world.

    *   BL3-2 can now reside in the top 16MB of DRAM which is accessible only to
        the secure world. This can be done by setting the build flag
        `FVP_TSP_RAM_LOCATION` to the value `dram`.

*   Separate translation tables are created for each boot loader image. The
    `IMAGE_BLx` build options are used to do this. This allows each stage to
    create mappings only for areas in the memory map that it needs.

*   A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been
    added.
    Details of using it with ARM Trusted Firmware can be found in
    [OP-TEE Dispatcher].


Issues resolved since last release
----------------------------------

*   The Juno port has been aligned with the FVP port as follows.

    *   Support for reclaiming all BL1 RW memory and BL2 memory by overlaying
        the BL3-1/BL3-2 NOBITS sections on top of them has been added to the
        Juno port.

    *   The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured
        using the TZC-400 controller to be accessible only to the secure world.

    *   The ARM GIC driver is used to configure the GIC-400 instead of using a
        GIC driver private to the Juno port.

    *   PSCI `CPU_SUSPEND` calls that target a standby state are now supported.

    *   The TZC-400 driver is used to configure the controller instead of direct
        accesses to the registers.

*   The Linux kernel version referred to in the user guide has DVFS and HMP
    support enabled.

*   DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
    CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of
    the Cortex-A57-A53 Base FVPs.


Known issues
------------

*   The Trusted Board Boot implementation is a prototype. There are issues with
    the modularity and scalability of the design. Support for a Trusted
    Watchdog, firmware update mechanism, recovery images and Trusted debug is
    absent. These issues will be addressed in future releases.

*   The FVP and Juno ports do not use the hash of the ROTPK stored in the
    Trusted Key Storage registers to verify the ROTPK in the
    `plat_match_rotpk()` function. This prevents the correct establishment of
    the Chain of Trust at the first step in the Trusted Board Boot process.

*   The version of the AEMv8 Base FVP used in this release resets the model
    instead of terminating its execution in response to a shutdown request using
    the PSCI `SYSTEM_OFF` API. This issue will be fixed in a future version of
    the model.

*   GICv3 support is experimental. There are known issues with GICv3
    initialization in the ARM Trusted Firmware.

*   While this version greatly reduces the on-chip RAM requirements, there are
    further RAM usage enhancements that could be made.

*   The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
    its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

*   The Juno-specific firmware design documentation is incomplete.


ARM Trusted Firmware - version 1.0
==================================

New features
------------

*   It is now possible to map higher physical addresses using non-flat virtual
    to physical address mappings in the MMU setup.

*   Wider use is now made of the per-CPU data cache in BL3-1 to store:

    *   Pointers to the non-secure and secure security state contexts.

    *   A pointer to the CPU-specific operations.

    *   A pointer to PSCI specific information (for example the current power
        state).

    *   A crash reporting buffer.

*   The following RAM usage improvements result in a BL3-1 RAM usage reduction
    from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction
    across all images from 208KB to 88KB, compared to the previous release.

    *   Removed the separate `early_exception` vectors from BL3-1 (2KB code size
        saving).

    *   Removed NSRAM from the FVP memory map, allowing the removal of one
        (4KB) translation table.

    *   Eliminated the internal `psci_suspend_context` array, saving 2KB.

    *   Correctly dimensioned the PSCI `aff_map_node` array, saving 1.5KB in the
        FVP port.

    *   Removed calling CPU mpidr from the bakery lock API, saving 160 bytes.

    *   Removed current CPU mpidr from PSCI common code, saving 160 bytes.

    *   Inlined the mmio accessor functions, saving 360 bytes.

    *   Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by
        overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime.

    *   Made storing the FP register context optional, saving 0.5KB per context
        (8KB on the FVP port, with TSPD enabled and running on 8 CPUs).

    *   Implemented a leaner `tf_printf()` function, allowing the stack to be
        greatly reduced.

    *   Removed coherent stacks from the codebase. Stacks allocated in normal
        memory are now used before and after the MMU is enabled. This saves 768
        bytes per CPU in BL3-1.

    *   Reworked the crash reporting in BL3-1 to use less stack.

    *   Optimized the EL3 register state stored in the `cpu_context` structure
        so that registers that do not change during normal execution are
        re-initialized each time during cold/warm boot, rather than restored
        from memory. This saves about 1.2KB.

    *   As a result of some of the above, reduced the runtime stack size in all
        BL images. For BL3-1, this saves 1KB per CPU.

*   PSCI SMC handler improvements to correctly handle calls from secure states
    and from AArch32.

*   CPU contexts are now initialized from the `entry_point_info`. BL3-1 fully
    determines the exception level to use for the non-trusted firmware (BL3-3)
    based on the SPSR value provided by the BL2 platform code (or otherwise
    provided to BL3-1). This allows platform code to directly run non-trusted
    firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS
    loader.

*   Code refactoring improvements:

    *   Refactored `fvp_config` into a common platform header.

    *   Refactored the fvp gic code to be a generic driver that no longer has an
        explicit dependency on platform code.

    *   Refactored the CCI-400 driver to not have dependency on platform code.

    *   Simplified the IO driver so it's no longer necessary to call `io_init()`
        and moved all the IO storage framework code to one place.

    *   Simplified the interface to the TZC-400 driver.

    *   Clarified the platform porting interface to the TSP.

    *   Reworked the TSPD setup code to support the alternate BL3-2
        initialization flow where BL3-1 generic code hands control to BL3-2,
        rather than expecting the TSPD to hand control directly to BL3-2.

    *   Considerable rework to PSCI generic code to support CPU specific
        operations.

*   Improved console log output, by:

    *   Adding the concept of debug log levels.

    *   Rationalizing the existing debug messages and adding new ones.

    *   Printing out the version of each BL stage at runtime.

    *   Adding support for printing console output from assembler code,
        including when a crash occurs before the C runtime is initialized.

*   Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro
    file system and DS-5.

*   On the FVP port, made the use of the Trusted DRAM region optional at build
    time (off by default). Normal platforms will not have such a "ready-to-use"
    DRAM area so it is not a good example to use it.

*   Added support for PSCI `SYSTEM_OFF` and `SYSTEM_RESET` APIs.

*   Added support for CPU specific reset sequences, power down sequences and
    register dumping during crash reporting. The CPU specific reset sequences
    include support for errata workarounds.

*   Merged the Juno port into the master branch. Added support for CPU hotplug
    and CPU idle. Updated the user guide to describe how to build and run on the
    Juno platform.
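
The CPU specific reset sequences above include errata workarounds, and the version 1.1 notes state that a workaround is applied only when the revision and part number match. The sketch below is an added example, not code from ARM Trusted Firmware, showing that match against the architectural `MIDR_EL1` fields. The table entries are constructed placeholders rather than real erratum numbers, and counting revision mismatches stands in for the warning a debug build prints.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MIDR_EL1 fields (ARMv8-A): implementer [31:24], variant [23:20],
 * part number [15:4], revision [3:0]. A core at rNpM has variant N and
 * revision M. */
#define MIDR_IMPL(m)     (((m) >> 24) & 0xffu)
#define MIDR_VARIANT(m)  (((m) >> 20) & 0xfu)
#define MIDR_PARTNUM(m)  (((m) >> 4) & 0xfffu)
#define MIDR_REVISION(m) ((m) & 0xfu)

#define IMPL_ARM        0x41u
#define PART_CORTEX_A53 0xd03u
#define PART_CORTEX_A57 0xd07u

/* Pack rNpM into one byte so revision ranges compare as plain integers. */
#define REV(n, p) ((uint8_t)((((n) & 0xfu) << 4) | ((p) & 0xfu)))

enum errata_status { ERRATA_APPLIES, ERRATA_NOT_APPLICABLE, ERRATA_WRONG_CPU };

struct erratum {
    const char *label; /* placeholder label, not a real erratum number */
    uint32_t part;     /* part number the workaround was written for */
    uint8_t first_rev; /* first affected revision, packed with REV() */
    uint8_t last_rev;  /* last affected revision, packed with REV() */
};

/* Constructed table: the affected ranges are illustrative only. */
const struct erratum errata_table[] = {
    { "A57-EXAMPLE-1", PART_CORTEX_A57, REV(0, 0), REV(0, 0) },
    { "A57-EXAMPLE-2", PART_CORTEX_A57, REV(0, 0), REV(1, 1) },
    { "A53-EXAMPLE-1", PART_CORTEX_A53, REV(0, 0), REV(0, 2) },
};
#define ERRATA_COUNT (sizeof(errata_table) / sizeof(errata_table[0]))

/* Decide whether one workaround must run on the CPU described by midr. */
enum errata_status errata_check(uint32_t midr, const struct erratum *e)
{
    uint8_t rev;

    if (MIDR_IMPL(midr) != IMPL_ARM || MIDR_PARTNUM(midr) != e->part)
        return ERRATA_WRONG_CPU;
    rev = REV(MIDR_VARIANT(midr), MIDR_REVISION(midr));
    if (rev < e->first_rev || rev > e->last_rev)
        return ERRATA_NOT_APPLICABLE;
    return ERRATA_APPLIES;
}

/* Bit i of the result is set when errata_table[i] must be applied. */
unsigned int errata_mask(uint32_t midr)
{
    unsigned int mask = 0;

    for (size_t i = 0; i < ERRATA_COUNT; i++)
        if (errata_check(midr, &errata_table[i]) == ERRATA_APPLIES)
            mask |= 1u << i;
    return mask;
}

/* Number of workarounds built for this part but skipped because the
 * revision is outside the affected range (what a debug build would warn
 * about in this example). */
unsigned int errata_rev_mismatches(uint32_t midr)
{
    unsigned int count = 0;

    for (size_t i = 0; i < ERRATA_COUNT; i++)
        if (errata_check(midr, &errata_table[i]) == ERRATA_NOT_APPLICABLE)
            count++;
    return count;
}

int main(void)
{
    /* Constructed MIDR values: Cortex-A57 r0p0, Cortex-A57 r1p1,
     * Cortex-A53 r0p3. */
    const uint32_t samples[] = { 0x410FD070u, 0x411FD071u, 0x410FD033u };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("midr=0x%08x mask=0x%x skipped=%u\n", (unsigned int)samples[i],
               errata_mask(samples[i]), errata_rev_mismatches(samples[i]));
    return 0;
}
```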


Issues resolved since last release
----------------------------------

*   Removed the concept of top/bottom image loading. The image loader now
    automatically detects the position of the image inside the current memory
    layout and updates the layout to minimize fragmentation. This resolves the
    image loader limitations of previous releases. There are currently no
    plans to support dynamic image loading.

*   CPU idle now works on the publicized version of the Foundation FVP.

*   All known issues relating to the compiler version used have now been
    resolved. This TF version uses Linaro toolchain 14.07 (based on GCC 4.9).


Known issues
------------

*   GICv3 support is experimental. The Linux kernel patches to support this are
    not widely available. There are known issues with GICv3 initialization in
    the ARM Trusted Firmware.

*   While this version greatly reduces the on-chip RAM requirements, there are
    further RAM usage enhancements that could be made.

*   The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
    its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

*   The Juno-specific firmware design documentation is incomplete.

*   Some recent enhancements to the FVP port have not yet been translated into
    the Juno port. These will be tracked via the tf-issues project.

*   The Linux kernel version referred to in the user guide has DVFS and HMP
    support disabled due to some known instabilities at the time of this
    release. A future kernel version will re-enable these features.

*   DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
    CADI server mode. This is because the `<SimName>` reported by the FVP in
    this version has changed.
    For example, for the Cortex-A57x4-A53x4 Base FVP,
    the `<SimName>` reported by the FVP is `FVP_Base_Cortex_A57x4_A53x4`, while
    DS-5 expects it to be `FVP_Base_A57x4_A53x4`.

    The temporary fix to this problem is to change the name of the FVP in
    `sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml`.
    Change the following line:

        <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName>

    to

        <SimName>System Generator:FVP_Base_Cortex-A57x4_A53x4</SimName>

    A similar change can be made to the other Cortex-A57-A53 Base FVP variants.


ARM Trusted Firmware - version 0.4
==================================

New features
------------

*   Makefile improvements:

    *   Improved dependency checking when building.

    *   Removed `dump` target (build now always produces dump files).

    *   Enabled platform ports to optionally make use of parts of the Trusted
        Firmware (e.g. BL3-1 only), rather than being forced to use all parts.
        Also made the `fip` target optional.

    *   Specified the full path to source files and removed use of the `vpath`
        keyword.

*   Provided translation table library code for potential re-use by platforms
    other than the FVPs.

*   Moved architectural timer setup to platform-specific code.

*   Added standby state support to PSCI cpu_suspend implementation.

*   SRAM usage improvements:

    *   Started using the `-ffunction-sections`, `-fdata-sections` and
        `--gc-sections` compiler/linker options to remove unused code and data
        from the images. Previously, all common functions were being built into
        all binary images, whether or not they were actually used.

    *   Placed all assembler functions in their own section to allow more unused
        functions to be removed from images.

    *   Updated BL1 and BL2 to use a single coherent stack each, rather than one
        per CPU.

    *   Changed variables that were unnecessarily declared and initialized as
        non-const (i.e. in the .data section) so they are either uninitialized
        (zero init) or const.

*   Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by
    default. The option for it to run in Trusted DRAM remains.

*   Implemented a TrustZone Address Space Controller (TZC-400) driver. A
    default configuration is provided for the Base FVPs. This means the model
    parameter `-C bp.secure_memory=1` is now supported.

*   Started saving the PSCI cpu_suspend 'power_state' parameter prior to
    suspending a CPU. This allows platforms that implement multiple power-down
    states at the same affinity level to identify a specific state.

*   Refactored the entire codebase to reduce the amount of nesting in header
    files and to make the use of system/user includes more consistent. Also
    split platform.h to separate out the platform porting declarations from the
    required platform porting definitions and the definitions/declarations
    specific to the platform port.

*   Optimized the data cache clean/invalidate operations.

*   Improved the BL3-1 unhandled exception handling and reporting. Unhandled
    exceptions now result in a dump of registers to the console.

*   Major rework to the handover interface between BL stages, in particular the
    interface to BL3-1. The interface now conforms to a specification and is
    more future proof.

*   Added support for optionally making the BL3-1 entrypoint a reset handler
    (instead of BL1). This allows platforms with an alternative image loading
    architecture to re-use BL3-1 with fewer modifications to generic code.

*   Reserved some DDR DRAM for secure use on FVP platforms to avoid future
    compatibility problems with non-secure software.

*   Added support for secure interrupts targeting the Secure-EL1 Payload (SP)
    (using GICv2 routing only).
    Demonstrated this working by adding an interrupt
    target and supporting test code to the TSP. Also demonstrated non-secure
    interrupt handling during TSP processing.


Issues resolved since last release
----------------------------------

*   Now support use of the model parameter `-C bp.secure_memory=1` in the Base
    FVPs (see **New features**).

*   Support for secure world interrupt handling now available (see **New
    features**).

*   Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1
    Payload (BL3-2) to execute in Trusted SRAM by default.

*   The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
    14.04) now correctly reports progress in the console.

*   Improved the Makefile structure to make it easier to separate out parts of
    the Trusted Firmware for re-use in platform ports. Also, improved target
    dependency checking.


Known issues
------------

*   GICv3 support is experimental. The Linux kernel patches to support this are
    not widely available. There are known issues with GICv3 initialization in
    the ARM Trusted Firmware.

*   Dynamic image loading is not available yet. The current image loader
    implementation (used to load BL2 and all subsequent images) has some
    limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
    to loading errors, even if the images should theoretically fit in memory.

*   The ARM Trusted Firmware still uses too much on-chip Trusted SRAM. A number
    of RAM usage enhancements have been identified to rectify this situation.

*   CPU idle does not work on the advertised version of the Foundation FVP.
    Some FVP fixes are required that are not available externally at the time
    of writing. This can be worked around by disabling CPU idle in the Linux
    kernel.

*   Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been
    observed when using Linaro toolchain versions later than 13.11. Although
    most of these have been fixed, some remain at the time of writing. These
    mainly seem to relate to a subtle change in the way the compiler converts
    between 64-bit and 32-bit values (e.g. during casting operations), which
    reveals previously hidden bugs in client code.

*   The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
    its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.


ARM Trusted Firmware - version 0.3
==================================

New features
------------

*   Support for Foundation FVP Version 2.0 added.
    The documented UEFI configuration disables some devices that are unavailable
    in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can
    be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation
    FVP.

    NOTE: The software will not work on Version 1.0 of the Foundation FVP.

*   Enabled third party contributions. Added a new contributing.md containing
    instructions for how to contribute and updated copyright text in all files
    to acknowledge contributors.

*   The PSCI CPU_SUSPEND API has been stabilised to the extent where it can be
    used for entry into power down states with the following restrictions:
    -   Entry into standby states is not supported.
    -   The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs.

*   The PSCI AFFINITY_INFO API has undergone limited testing on the Base FVPs to
    allow experimental use.

*   Required C library and runtime header files are now included locally in ARM
    Trusted Firmware instead of depending on the toolchain standard include
    paths. The local implementation has been cleaned up and reduced in scope.

*   Added I/O abstraction framework, primarily to allow generic code to load
    images in a platform-independent way. The existing image loading code has
    been reworked to use the new framework. Semi-hosting and NOR flash I/O
    drivers are provided.

*   Introduced Firmware Image Package (FIP) handling code and tools. A FIP
    combines multiple firmware images with a Table of Contents (ToC) into a
    single binary image. The new FIP driver is another type of I/O driver. The
    Makefile builds a FIP by default and the FVP platform code expects to load a
    FIP from NOR flash, although some support for image loading using
    semi-hosting is retained.

    NOTE: Building a FIP by default is a non-backwards-compatible change.

    NOTE: Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into
    DRAM instead of expecting this to be pre-loaded at known location. This is
    also a non-backwards-compatible change.

    NOTE: Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that
    it knows the new location to execute from and no longer needs to copy
    particular code modules to DRAM itself.

*   Reworked BL2 to BL3-1 handover interface. A new composite structure
    (bl31_args) holds the superset of information that needs to be passed from
    BL2 to BL3-1, including information on how to hand over execution control to
    BL3-2 (if present) and BL3-3 (non-trusted firmware).

*   Added library support for CPU context management, allowing the saving and
    restoring of
    -   Shared system registers between Secure-EL1 and EL1.
    -   VFP registers.
    -   Essential EL3 system registers.

*   Added a framework for implementing EL3 runtime services. Reworked the PSCI
    implementation to be one such runtime service.

*   Reworked the exception handling logic, making use of both SP_EL0 and SP_EL3
    stack pointers for determining the type of exception, managing general
    purpose and system register context on exception entry/exit, and handling
    SMCs. SMCs are directed to the correct EL3 runtime service.

*   Added support for a Test Secure-EL1 Payload (TSP) and a corresponding
    Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD
    implements Secure Monitor functionality such as world switching and
    EL1 context management, and is responsible for communication with the TSP.

    NOTE: The TSPD does not yet contain support for secure world interrupts.

    NOTE: The TSP/TSPD is not built by default.


Issues resolved since last release
----------------------------------

*   Support has been added for switching context between secure and normal
    worlds in EL3.

*   PSCI API calls `AFFINITY_INFO` & `PSCI_VERSION` have now been tested (to
    a limited extent).

*   The ARM Trusted Firmware build artifacts are now placed in the `./build`
    directory and sub-directories instead of being placed in the root of the
    project.

*   The ARM Trusted Firmware is now free from build warnings. Build warnings
    are now treated as errors.

*   The ARM Trusted Firmware now provides C library support locally within the
    project to maintain compatibility between toolchains/systems.

*   The PSCI locking code has been reworked so it no longer takes locks in an
    incorrect sequence.

*   The RAM-disk method of loading a Linux file-system has been confirmed to
    work with the ARM Trusted Firmware and Linux kernel version (based on
    version 3.13) used in this release, for both Foundation and Base FVPs.


Known issues
------------

The following is a list of issues which are expected to be fixed in the future
releases of the ARM Trusted Firmware.

* The TrustZone Address Space Controller (TZC-400) is not being programmed
  yet. Use of model parameter `-C bp.secure_memory=1` is not supported.

* No support yet for secure world interrupt handling.

* GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  the ARM Trusted Firmware.

* Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

* The ARM Trusted Firmware uses too much on-chip Trusted SRAM. Currently the
  Test Secure-EL1 Payload (BL3-2) executes in Trusted DRAM since there is not
  enough SRAM. A number of RAM usage enhancements have been identified to
  rectify this situation.

* CPU idle does not work on the advertised version of the Foundation FVP.
  Some FVP fixes are required that are not available externally at the time
  of writing.

* Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been
  observed when using Linaro toolchain versions later than 13.11. Although
  most of these have been fixed, some remain at the time of writing. These
  mainly seem to relate to a subtle change in the way the compiler converts
  between 64-bit and 32-bit values (e.g. during casting operations), which
  reveals previously hidden bugs in client code.

* The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
  14.01) does not report progress correctly in the console. It only seems to
  produce error output, not standard output. It otherwise appears to function
  correctly. Other filesystem versions on the same software stack do not
  exhibit the problem.

* The Makefile structure doesn't make it easy to separate out parts of the
  Trusted Firmware for re-use in platform ports, for example if only BL3-1 is
  required in a platform port. Also, dependency checking in the Makefile is
  flawed.

* The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.


ARM Trusted Firmware - version 0.2
==================================

New features
------------

* First source release.

* Code for the PSCI suspend feature is supplied, although this is not enabled
  by default since there are known issues (see below).


Issues resolved since last release
----------------------------------

* The "psci" nodes in the FDTs provided in this release now fully comply
  with the recommendations made in the PSCI specification.


Known issues
------------

The following is a list of issues which are expected to be fixed in future
releases of the ARM Trusted Firmware.

* The TrustZone Address Space Controller (TZC-400) is not being programmed
  yet. Use of model parameter `-C bp.secure_memory=1` is not supported.

* No support yet for secure world interrupt handling or for switching context
  between secure and normal worlds in EL3.

* GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  the ARM Trusted Firmware.

* Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

* Although support for PSCI `CPU_SUSPEND` is present, it is not yet stable
  and ready for use.

* PSCI API calls `AFFINITY_INFO` & `PSCI_VERSION` are implemented but have not
  been tested.

* The ARM Trusted Firmware make files result in all build artifacts being
  placed in the root of the project. These should be placed in appropriate
  sub-directories.

* The compilation of ARM Trusted Firmware is not free from compilation
  warnings. Some of these warnings have not been investigated yet so they
  could mask real bugs.

* The ARM Trusted Firmware currently uses toolchain/system include files like
  stdio.h. It should provide versions of these within the project to maintain
  compatibility between toolchains/systems.

* The PSCI code takes some locks in an incorrect sequence. This may cause
  problems with suspend and hotplug in certain conditions.

* The Linux kernel used in this release is based on version 3.12-rc4. Using
  this kernel with the ARM Trusted Firmware fails to start the file-system as
  a RAM-disk. It fails to execute user-space `init` from the RAM-disk. As an
  alternative, the VirtioBlock mechanism can be used to provide a file-system
  to the kernel.


- - - - - - - - - - - - - - - - - - - - - - - - - -

_Copyright (c) 2013-2015, ARM Limited and Contributors. All rights reserved._

[OP-TEE Dispatcher]: optee-dispatcher.md
[Power Domain Topology Design]: psci-pd-tree.md
[TF Image Terminology]: https://github.com/ARM-software/arm-trusted-firmware/wiki/Trusted-Firmware-Image-Terminology
[Authentication Framework]: auth-framework.md
[Firmware Update]: firmware-update.md
[TF Reset Design]: reset-design.md