ARM Trusted Firmware - version 0.4
==================================

New features
------------

* Makefile improvements:

    * Improved dependency checking when building.

    * Removed `dump` target (build now always produces dump files).

    * Enabled platform ports to optionally make use of parts of the Trusted
      Firmware (e.g. BL3-1 only), rather than being forced to use all parts.
      Also made the `fip` target optional.

    * Specified the full path to source files and removed use of the `vpath`
      keyword.

* Provided translation table library code for potential re-use by platforms
  other than the FVPs.

* Moved architectural timer setup to platform-specific code.

* Added standby state support to PSCI cpu_suspend implementation.

* SRAM usage improvements:

    * Started using the `-ffunction-sections`, `-fdata-sections` and
      `--gc-sections` compiler/linker options to remove unused code and data
      from the images. Previously, all common functions were being built into
      all binary images, whether or not they were actually used.

    * Placed all assembler functions in their own section to allow more unused
      functions to be removed from images.

    * Updated BL1 and BL2 to use a single coherent stack each, rather than one
      per CPU.

    * Changed variables that were unnecessarily declared and initialized as
      non-const (i.e. in the .data section) so they are either uninitialized
      (zero init) or const.

* Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by
  default. The option for it to run in Trusted DRAM remains.

* Implemented a TrustZone Address Space Controller (TZC-400) driver. A
  default configuration is provided for the Base FVPs. This means the model
  parameter `-C bp.secure_memory=1` is now supported.

* Started saving the PSCI cpu_suspend 'power_state' parameter prior to
  suspending a CPU.
  This allows platforms that implement multiple power-down
  states at the same affinity level to identify a specific state.

* Refactored the entire codebase to reduce the amount of nesting in header
  files and to make the use of system/user includes more consistent. Also
  split platform.h to separate out the platform porting declarations from the
  required platform porting definitions and the definitions/declarations
  specific to the platform port.

* Optimized the data cache clean/invalidate operations.

* Improved the BL3-1 unhandled exception handling and reporting. Unhandled
  exceptions now result in a dump of registers to the console.

* Major rework to the handover interface between BL stages, in particular the
  interface to BL3-1. The interface now conforms to a specification and is
  more future proof.

* Added support for optionally making the BL3-1 entrypoint a reset handler
  (instead of BL1). This allows platforms with an alternative image loading
  architecture to re-use BL3-1 with fewer modifications to generic code.

* Reserved some DDR DRAM for secure use on FVP platforms to avoid future
  compatibility problems with non-secure software.

* Added support for secure interrupts targeting the Secure-EL1 Payload (SP)
  (using GICv2 routing only). Demonstrated this working by adding an interrupt
  target and supporting test code to the TSP. Also demonstrated non-secure
  interrupt handling during TSP processing.


Issues resolved since last release
----------------------------------

* Now support use of the model parameter `-C bp.secure_memory=1` in the Base
  FVPs (see **New features**).

* Support for secure world interrupt handling now available (see **New
  features**).

* Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1
  Payload (BL3-2) to execute in Trusted SRAM by default.

* The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
  14.04) now correctly reports progress in the console.

* Improved the Makefile structure to make it easier to separate out parts of
  the Trusted Firmware for re-use in platform ports. Also, improved target
  dependency checking.


Known issues
------------

* GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  the ARM Trusted Firmware.

* Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

* The ARM Trusted Firmware still uses too much on-chip Trusted SRAM. A number
  of RAM usage enhancements have been identified to rectify this situation.

* CPU idle does not work on the advertised version of the Foundation FVP.
  Some FVP fixes are required that are not available externally at the time
  of writing. This can be worked around by disabling CPU idle in the Linux
  kernel.

* Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been
  observed when using Linaro toolchain versions later than 13.11. Although
  most of these have been fixed, some remain at the time of writing. These
  mainly seem to relate to a subtle change in the way the compiler converts
  between 64-bit and 32-bit values (e.g. during casting operations), which
  reveals previously hidden bugs in client code.

* The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.



ARM Trusted Firmware - version 0.3
==================================

New features
------------

* Support for Foundation FVP Version 2.0 added.
  The documented UEFI configuration disables some devices that are unavailable
  in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can
  be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation
  FVP.

  NOTE: The software will not work on Version 1.0 of the Foundation FVP.

* Enabled third party contributions. Added a new contributing.md containing
  instructions for how to contribute and updated copyright text in all files
  to acknowledge contributors.

* The PSCI CPU_SUSPEND API has been stabilised to the extent where it can be
  used for entry into power down states with the following restrictions:
    - Entry into standby states is not supported.
    - The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs.

* The PSCI AFFINITY_INFO API has undergone limited testing on the Base FVPs to
  allow experimental use.

* Required C library and runtime header files are now included locally in ARM
  Trusted Firmware instead of depending on the toolchain standard include
  paths. The local implementation has been cleaned up and reduced in scope.

* Added I/O abstraction framework, primarily to allow generic code to load
  images in a platform-independent way. The existing image loading code has
  been reworked to use the new framework. Semi-hosting and NOR flash I/O
  drivers are provided.

* Introduced Firmware Image Package (FIP) handling code and tools. A FIP
  combines multiple firmware images with a Table of Contents (ToC) into a
  single binary image. The new FIP driver is another type of I/O driver.
  The Makefile builds a FIP by default and the FVP platform code expects to
  load a FIP from NOR flash, although some support for image loading using
  semi-hosting is retained.

  NOTE: Building a FIP by default is a non-backwards-compatible change.

  NOTE: Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into
  DRAM instead of expecting this to be pre-loaded at a known location. This is
  also a non-backwards-compatible change.

  NOTE: Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that
  it knows the new location to execute from and no longer needs to copy
  particular code modules to DRAM itself.

* Reworked BL2 to BL3-1 handover interface. A new composite structure
  (bl31_args) holds the superset of information that needs to be passed from
  BL2 to BL3-1, including information on how to hand over execution control to
  BL3-2 (if present) and BL3-3 (non-trusted firmware).

* Added library support for CPU context management, allowing the saving and
  restoring of
    - Shared system registers between Secure-EL1 and EL1.
    - VFP registers.
    - Essential EL3 system registers.

* Added a framework for implementing EL3 runtime services. Reworked the PSCI
  implementation to be one such runtime service.

* Reworked the exception handling logic, making use of both SP_EL0 and SP_EL3
  stack pointers for determining the type of exception, managing general
  purpose and system register context on exception entry/exit, and handling
  SMCs. SMCs are directed to the correct EL3 runtime service.

* Added support for a Test Secure-EL1 Payload (TSP) and a corresponding
  Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD
  implements Secure Monitor functionality such as world switching and
  EL1 context management, and is responsible for communication with the TSP.

  NOTE: The TSPD does not yet contain support for secure world interrupts.

  NOTE: The TSP/TSPD is not built by default.


Issues resolved since last release
----------------------------------

* Support has been added for switching context between secure and normal
  worlds in EL3.

* PSCI API calls `AFFINITY_INFO` & `PSCI_VERSION` have now been tested (to
  a limited extent).

* The ARM Trusted Firmware build artifacts are now placed in the `./build`
  directory and sub-directories instead of being placed in the root of the
  project.

* The ARM Trusted Firmware is now free from build warnings. Build warnings
  are now treated as errors.

* The ARM Trusted Firmware now provides C library support locally within the
  project to maintain compatibility between toolchains/systems.

* The PSCI locking code has been reworked so it no longer takes locks in an
  incorrect sequence.

* The RAM-disk method of loading a Linux file-system has been confirmed to
  work with the ARM Trusted Firmware and Linux kernel version (based on
  version 3.13) used in this release, for both Foundation and Base FVPs.


Known issues
------------

The following is a list of issues which are expected to be fixed in future
releases of the ARM Trusted Firmware.

* The TrustZone Address Space Controller (TZC-400) is not being programmed
  yet. Use of model parameter `-C bp.secure_memory=1` is not supported.

* No support yet for secure world interrupt handling.

* GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  the ARM Trusted Firmware.

* Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

* The ARM Trusted Firmware uses too much on-chip Trusted SRAM. Currently the
  Test Secure-EL1 Payload (BL3-2) executes in Trusted DRAM since there is not
  enough SRAM. A number of RAM usage enhancements have been identified to
  rectify this situation.

* CPU idle does not work on the advertised version of the Foundation FVP.
  Some FVP fixes are required that are not available externally at the time
  of writing.

* Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been
  observed when using Linaro toolchain versions later than 13.11. Although
  most of these have been fixed, some remain at the time of writing. These
  mainly seem to relate to a subtle change in the way the compiler converts
  between 64-bit and 32-bit values (e.g. during casting operations), which
  reveals previously hidden bugs in client code.

* The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
  14.01) does not report progress correctly in the console. It only seems to
  produce error output, not standard output. It otherwise appears to function
  correctly. Other filesystem versions on the same software stack do not
  exhibit the problem.

* The Makefile structure doesn't make it easy to separate out parts of the
  Trusted Firmware for re-use in platform ports, for example if only BL3-1 is
  required in a platform port. Also, dependency checking in the Makefile is
  flawed.

* The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
  its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.


ARM Trusted Firmware - version 0.2
==================================

New features
------------

* First source release.

* Code for the PSCI suspend feature is supplied, although this is not enabled
  by default since there are known issues (see below).



Issues resolved since last release
----------------------------------

* The "psci" nodes in the FDTs provided in this release now fully comply
  with the recommendations made in the PSCI specification.


Known issues
------------

The following is a list of issues which are expected to be fixed in future
releases of the ARM Trusted Firmware.

* The TrustZone Address Space Controller (TZC-400) is not being programmed
  yet. Use of model parameter `-C bp.secure_memory=1` is not supported.

* No support yet for secure world interrupt handling or for switching context
  between secure and normal worlds in EL3.

* GICv3 support is experimental. The Linux kernel patches to support this are
  not widely available. There are known issues with GICv3 initialization in
  the ARM Trusted Firmware.

* Dynamic image loading is not available yet. The current image loader
  implementation (used to load BL2 and all subsequent images) has some
  limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
  to loading errors, even if the images should theoretically fit in memory.

* Although support for PSCI `CPU_SUSPEND` is present, it is not yet stable
  and ready for use.

* PSCI API calls `AFFINITY_INFO` & `PSCI_VERSION` are implemented but have not
  been tested.

* The ARM Trusted Firmware make files result in all build artifacts being
  placed in the root of the project. These should be placed in appropriate
  sub-directories.

* The compilation of ARM Trusted Firmware is not free from compilation
  warnings. Some of these warnings have not been investigated yet so they
  could mask real bugs.

* The ARM Trusted Firmware currently uses toolchain/system include files like
  stdio.h. It should provide versions of these within the project to maintain
  compatibility between toolchains/systems.

* The PSCI code takes some locks in an incorrect sequence. This may cause
  problems with suspend and hotplug in certain conditions.

* The Linux kernel used in this release is based on version 3.12-rc4. Using
  this kernel with the ARM Trusted Firmware fails to start the file-system as
  a RAM-disk. It fails to execute user-space `init` from the RAM-disk. As an
  alternative, the VirtioBlock mechanism can be used to provide a file-system
  to the kernel.


- - - - - - - - - - - - - - - - - - - - - - - - - -

_Copyright (c) 2013-2014, ARM Limited and Contributors. All rights reserved._