      1 
      2 .. section-numbering::
      3     :suffix: .
      4 
      5 .. contents::
      6 
      7 ARM Trusted Firmware - version 1.4
      8 ==================================
      9 
     10 New features
     11 ------------
     12 
     13 -  Enabled support for platforms with hardware assisted coherency.
     14 
     15    A new build option HW_ASSISTED_COHERENCY allows platforms to take advantage
     16    of the following optimisations:
     17 
     18    -  Skip performing cache maintenance during power-up and power-down.
     19 
     20    -  Use spin-locks instead of bakery locks.
     21 
     22    -  Enable data caches early on warm-booted CPUs.
     23 
     24 -  Added support for Cortex-A75 and Cortex-A55 processors.
     25 
     26    Both Cortex-A75 and Cortex-A55 processors use the ARM DynamIQ Shared Unit
     27    (DSU). The power-down and power-up sequences are therefore mostly managed in
     28    hardware, reducing complexity of the software operations.
     29 
     30 -  Introduced ARM GIC-600 driver.
     31 
     32    ARM GIC-600 IP complies with ARM GICv3 architecture. For FVP platforms, the
     33    GIC-600 driver is chosen when FVP_USE_GIC_DRIVER is set to FVP_GIC600.
     34 
     35 -  Updated GICv3 support:
     36 
     37    -  Introduced power management APIs for GICv3 Redistributor. These APIs
     38       allow platforms to power down the Redistributor during CPU power on/off.
      39       This requires the GICv3 implementation to have power management operations.
     40 
     41       Implemented the power management APIs for FVP.
     42 
      43    -  GIC driver data is flushed by the primary CPU so that secondary CPUs do
     44       not read stale GIC data.
     45 
     46 -  Added support for ARM System Control and Management Interface v1.0 (SCMI).
     47 
     48    The SCMI driver implements the power domain management and system power
     49    management protocol of the SCMI specification (ARM DEN 0056ASCMI) for
     50    communicating with any compliant power controller.
     51 
     52    Support is added for the Juno platform. The driver can be found in the
     53    plat/arm/css/drivers folder.
     54 
     55 -  Added support to enable pre-integration of TBB with the ARM TrustZone
     56    CryptoCell product, to take advantage of its hardware Root of Trust and
     57    crypto acceleration services.
     58 
     59 -  Enabled Statistical Profiling Extensions for lower ELs.
     60 
     61    The firmware support is limited to the use of SPE in the Non-secure state
     62    and accesses to the SPE specific registers from S-EL1 will trap to EL3.
     63 
     64    The SPE are architecturally specified for AArch64 only.
     65 
     66 -  Code hygiene changes aligned with MISRA guidelines:
     67 
     68    -  Fixed signed / unsigned comparison warnings in the translation table
     69       library.
     70 
     71    -  Added U(_x) macro and together with the existing ULL(_x) macro fixed
     72       some of the signed-ness defects flagged by the MISRA scanner.
     73 
     74 -  Enhancements to Firmware Update feature:
     75 
     76    -  The FWU logic now checks for overlapping images to prevent execution of
      77       unauthenticated arbitrary code.
     78 
     79    -  Introduced new FWU_SMC_IMAGE_RESET SMC that changes the image loading
     80       state machine to go from COPYING, COPIED or AUTHENTICATED states to
     81       RESET state. Previously, this was only possible when the authentication
     82       of an image failed or when the execution of the image finished.
     83 
     84    -  Fixed integer overflow which addressed TFV-1: Malformed Firmware Update
     85       SMC can result in copy of unexpectedly large data into secure memory.
     86 
     87 -  Introduced support for ARM Compiler 6 and LLVM (clang).
     88 
     89    ARM TF can now also be built with the ARM Compiler 6 or the clang compilers.
     90    The assembler and linker must be provided by the GNU toolchain.
     91 
     92    Tested with ARM CC 6.7 and clang 3.9.x and 4.0.x.
     93 
     94 -  Memory footprint improvements:
     95 
     96    -  Introduced `tf_snprintf`, a reduced version of `snprintf` which has
     97       support for a limited set of formats.
     98 
     99       The mbedtls driver is updated to optionally use `tf_snprintf` instead of
    100       `snprintf`.
    101 
    102    -  The `assert()` is updated to no longer print the function name, and
    103       additional logging options are supported via an optional platform define
    104       `PLAT_LOG_LEVEL_ASSERT`, which controls how verbose the assert output is.
    105 
    106 -  Enhancements to Trusted Firmware support when running in AArch32 execution
    107    state:
    108 
    109    -  Support booting SP_MIN and BL33 in AArch32 execution mode on Juno. Due to
    110       hardware limitations, BL1 and BL2 boot in AArch64 state and there is
    111       additional trampoline code to warm reset into SP_MIN in AArch32 execution
    112       state.
    113 
    114    -  Added support for ARM Cortex-A53/57/72 MPCore processors including the
    115       errata workarounds that are already implemented for AArch64 execution
    116       state.
    117 
    118    -  For FVP platforms, added AArch32 Trusted Board Boot support, including the
    119       Firmware Update feature.
    120 
    121 -  Introduced ARM SiP service for use by ARM standard platforms.
    122 
     123    -  Added new ARM SiP Service SMCs to enable the Non-secure world to read PMF
    124       timestamps.
    125 
    126       Added PMF instrumentation points in ARM TF in order to quantify the
    127       overall time spent in the PSCI software implementation.
    128 
    129    -  Added new ARM SiP service SMC to switch execution state.
    130 
    131       This allows the lower exception level to change its execution state from
     132       AArch64 to AArch32, or vice versa, via a request to EL3.
    133 
    134 -  Migrated to use SPDX[0] license identifiers to make software license
    135    auditing simpler.
    136 
    137    *NOTE:* Files that have been imported by FreeBSD have not been modified.
    138 
    139    [0]: https://spdx.org/
    140 
    141 -  Enhancements to the translation table library:
    142 
    143    -  Added version 2 of translation table library that allows different
    144       translation tables to be modified by using different 'contexts'. Version 1
     145       of the translation table library only allows the current EL's translation
    146       tables to be modified.
    147 
    148       Version 2 of the translation table also added support for dynamic
    149       regions; regions that can be added and removed dynamically whilst the
    150       MMU is enabled. Static regions can only be added or removed before the
    151       MMU is enabled.
    152 
    153       The dynamic mapping functionality is enabled or disabled when compiling
    154       by setting the build option PLAT_XLAT_TABLES_DYNAMIC to 1 or 0. This can
    155       be done per-image.
    156 
    157    -  Added support for translation regimes with two virtual address spaces
    158       such as the one shared by EL1 and EL0.
    159 
    160       The library does not support initializing translation tables for EL0
    161       software.
    162 
    163    -  Added support to mark the translation tables as non-cacheable using an
    164       additional build option `XLAT_TABLE_NC`.
    165 
    166 -  Added support for GCC stack protection. A new build option
    167    ENABLE_STACK_PROTECTOR was introduced that enables compilation of all BL
    168    images with one of the GCC -fstack-protector-* options.
    169 
    170    A new platform function plat_get_stack_protector_canary() was introduced
    171    that returns a value used to initialize the canary for stack corruption
     172    detection. For increased effectiveness of protection, platforms must provide
    173    an implementation that returns a random value.
    174 
    175 -  Enhanced support for ARM platforms:
    176 
     177    -  Added support for multi-threading CPUs, indicated by `MT` field in MPIDR.
    178       A new build flag `ARM_PLAT_MT` is added, and when enabled, the functions
    179       accessing MPIDR assume that the `MT` bit is set for the platform and
    180       access the bit fields accordingly.
    181 
    182       Also, a new API `plat_arm_get_cpu_pe_count` is added when `ARM_PLAT_MT` is
    183       enabled, returning the Processing Element count within the physical CPU
    184       corresponding to `mpidr`.
    185 
    186    -  The ARM platforms migrated to use version 2 of the translation tables.
    187 
    188    -  Introduced a new ARM platform layer API `plat_arm_psci_override_pm_ops`
    189       which allows ARM platforms to modify `plat_arm_psci_pm_ops` and therefore
    190       dynamically define PSCI capability.
    191 
    192    -  The ARM platforms migrated to use IMAGE_LOAD_V2 by default.
    193 
    194 -  Enhanced reporting of errata workaround status with the following policy:
    195 
    196    -  If an errata workaround is enabled:
    197 
    198       -  If it applies (i.e. the CPU is affected by the errata), an INFO message
    199          is printed, confirming that the errata workaround has been applied.
    200 
    201       -  If it does not apply, a VERBOSE message is printed, confirming that the
    202          errata workaround has been skipped.
    203 
    204    -  If an errata workaround is not enabled, but would have applied had it
    205       been, a WARN message is printed, alerting that errata workaround is
    206       missing.
    207 
     208 -  Added build options ARM_ARCH_MAJOR and ARM_ARCH_MINOR to choose the
     209    architecture version that ARM TF targets.
    210 
    211 -  Updated the spin lock implementation to use the more efficient CAS (Compare
    212    And Swap) instruction when available. This instruction was introduced in
    213    ARMv8.1-A.
    214 
    215 -  Applied errata workaround for ARM Cortex-A53: 855873.
    216 
     217 -  Applied errata workaround for ARM Cortex-A57: 813419.
    218 
    219 -  Enabled all A53 and A57 errata workarounds for Juno, both in AArch64 and
    220    AArch32 execution states.
    221 
    222 -  Added support for Socionext UniPhier SoC platform.
    223 
    224 -  Added support for Hikey960 and Hikey platforms.
    225 
    226 -  Added support for Rockchip RK3328 platform.
    227 
    228 -  Added support for NVidia Tegra T186 platform.
    229 
    230 -  Added support for Designware emmc driver.
    231 
    232 -  Imported libfdt v1.4.2 that addresses buffer overflow in fdt_offset_ptr().
    233 
    234 -  Enhanced the CPU operations framework to allow power handlers to be
    235    registered on per-level basis. This enables support for future CPUs that
    236    have multiple threads which might need powering down individually.
    237 
    238 -  Updated register initialisation to prevent unexpected behaviour:
    239 
     240    -  Debug registers MDCR_EL3/SDCR and MDCR_EL2/HDCR are initialised to avoid
    241       unexpected traps into the higher exception levels and disable secure
    242       self-hosted debug. Additionally, secure privileged external debug on
    243       Juno is disabled by programming the appropriate Juno SoC registers.
    244 
    245    -  EL2 and EL3 configurable controls are initialised to avoid unexpected
    246       traps in the higher exception levels.
    247 
    248    -  Essential control registers are fully initialised on EL3 start-up, when
    249       initialising the non-secure and secure context structures and when
     250       preparing to leave EL3 for a lower EL. This gives better alignment with
    251       the ARM ARM which states that software must initialise RES0 and RES1
    252       fields with 0 / 1.
    253 
    254 -  Enhanced PSCI support:
    255 
    256    -  Introduced new platform interfaces that decouple PSCI stat residency
    257       calculation from PMF, enabling platforms to use alternative methods of
    258       capturing timestamps.
    259 
    260    -  PSCI stat accounting performed for retention/standby states when
    261       requested at multiple power levels.
    262 
    263 -  Simplified fiptool to have a single linked list of image descriptors.
    264 
    265 -  For the TSP, resolved corruption of pre-empted secure context by aborting any
    266    pre-empted SMC during PSCI power management requests.
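
An added example, not code from ARM Trusted Firmware: an illustration in C of the two kinds of check named in the Firmware Update enhancements above, an overlap check between image destinations and a size check that cannot wrap around. The ``img_slot_t`` structure, the function names and the secure memory window are hypothetical and constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical image slot used for this illustration; not a TF structure. */
typedef struct {
    uintptr_t base;   /* destination address in secure memory */
    uint32_t size;    /* total image size declared by the caller */
    uint32_t copied;  /* bytes already copied into the slot */
    bool in_use;      /* slot holds an image that has left the RESET state */
} img_slot_t;

typedef enum { REQ_OK, REQ_BAD_RANGE, REQ_OVERLAP, REQ_TOO_LARGE } req_status_t;

/* Constructed secure memory window for the example. */
#define SEC_BASE ((uintptr_t)0x04000000u)
#define SEC_SIZE ((size_t)0x00040000u)

/* Defective form: copied + block can wrap in 32 bits and pass the test. */
static bool block_fits_naive(uint32_t copied, uint32_t block, uint32_t size)
{
    return (uint32_t)(copied + block) <= size;
}

/* Overflow-safe form: compare against the remaining space, never add. */
static bool block_fits(uint32_t copied, uint32_t block, uint32_t size)
{
    return copied <= size && block <= size - copied;
}

/* True if [base, base + len) lies inside [lo, lo + win), without wrapping. */
static bool range_inside(uintptr_t base, size_t len, uintptr_t lo, size_t win)
{
    if (len == 0 || len > win || base < lo)
        return false;
    return (base - lo) <= (win - len);
}

/* True if two non-empty ranges share at least one byte. */
static bool ranges_overlap(uintptr_t a, size_t a_len, uintptr_t b, size_t b_len)
{
    if (a_len == 0 || b_len == 0)
        return false;
    return (a <= b) ? (b - a) < a_len : (a - b) < b_len;
}

/* Validate one copy request for slots[target] before any byte is written. */
static req_status_t check_copy_request(const img_slot_t *slots, size_t n,
                                       size_t target, uint32_t block)
{
    const img_slot_t *img = &slots[target];

    if (!range_inside(img->base, img->size, SEC_BASE, SEC_SIZE))
        return REQ_BAD_RANGE;
    for (size_t i = 0; i < n; i++) {
        if (i != target && slots[i].in_use &&
            ranges_overlap(img->base, img->size, slots[i].base, slots[i].size))
            return REQ_OVERLAP;
    }
    if (!block_fits(img->copied, block, img->size))
        return REQ_TOO_LARGE;
    return REQ_OK;
}

/* Build two constructed slots and check a request against the second one. */
static req_status_t demo_request(uintptr_t second_base, uint32_t block)
{
    img_slot_t slots[2] = {
        { SEC_BASE + 0x1000u, 0x2000u, 0x2000u, true },  /* already loaded */
        { second_base,        0x2000u, 0x1000u, true },  /* being copied */
    };
    return check_copy_request(slots, 2, 1, block);
}

int main(void)
{
    printf("naive accepts wrapped size: %d\n",
           block_fits_naive(0x1000u, 0xFFFFF800u, 0x2000u));
    printf("safe check on same input:   %d\n",
           block_fits(0x1000u, 0xFFFFF800u, 0x2000u));
    printf("overlapping destination:    %d\n",
           demo_request(SEC_BASE + 0x2000u, 0x800u));
    printf("oversized block:            %d\n",
           demo_request(SEC_BASE + 0x4000u, 0xFFFFF800u));
    printf("valid request:              %d\n",
           demo_request(SEC_BASE + 0x4000u, 0x1000u));
    return 0;
}
```

The same block size that the additive check accepts after wrap-around is rejected once the comparison is made against the remaining space in the slot.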
    267 
    268 Issues resolved since last release
    269 ----------------------------------
    270 
    271 -  ARM TF can be built with the latest mbed TLS version (v2.4.2). The earlier
    272    version 2.3.0 cannot be used due to build warnings that the ARM TF build
    273    system interprets as errors.
    274 
     275 -  TBBR, including the Firmware Update feature, is now supported on FVP
    276    platforms when running Trusted Firmware in AArch32 state.
    277 
    278 -  The version of the AEMv8 Base FVP used in this release has resolved the issue
    279    of the model executing a reset instead of terminating in response to a
    280    shutdown request using the PSCI SYSTEM_OFF API.
    281 
    282 Known Issues
    283 ------------
    284 
    285 -  Building TF with compiler optimisations disabled (-O0) fails.
    286 
    287 -  Trusted Board Boot currently does not work on Juno when running Trusted
     288    Firmware in AArch32 execution state due to an error when loading sp_min to
     289    memory because of a lack of available free space. See `tf-issue#501`_ for more
    290    details.
    291 
    292 -  The errata workaround for A53 errata 843419 is only available from binutils
     293    2.26 and is not present in GCC 4.9. If this errata is applicable to the
    294    platform, please use GCC compiler version of at least 5.0. See `PR#1002`_ for
    295    more details.
    296 
    297 ARM Trusted Firmware - version 1.3
    298 ==================================
    299 
    300 
    301 New features
    302 ------------
    303 
    304 -  Added support for running Trusted Firmware in AArch32 execution state.
    305 
    306    The PSCI library has been refactored to allow integration with **EL3 Runtime
    307    Software**. This is software that is executing at the highest secure
    308    privilege which is EL3 in AArch64 or Secure SVC/Monitor mode in AArch32. See
    309    `PSCI Integration Guide`_.
    310 
    311    Included is a minimal AArch32 Secure Payload, **SP-MIN**, that illustrates
    312    the usage and integration of the PSCI library with EL3 Runtime Software
    313    running in AArch32 state.
    314 
    315    Booting to the BL1/BL2 images as well as booting straight to the Secure
    316    Payload is supported.
    317 
    318 -  Improvements to the initialization framework for the PSCI service and ARM
    319    Standard Services in general.
    320 
    321    The PSCI service is now initialized as part of ARM Standard Service
    322    initialization. This consolidates the initializations of any ARM Standard
    323    Service that may be added in the future.
    324 
    325    A new function ``get_arm_std_svc_args()`` is introduced to get arguments
    326    corresponding to each standard service and must be implemented by the EL3
    327    Runtime Software.
    328 
    329    For PSCI, a new versioned structure ``psci_lib_args_t`` is introduced to
    330    initialize the PSCI Library. **Note** this is a compatibility break due to
    331    the change in the prototype of ``psci_setup()``.
    332 
    333 -  To support AArch32 builds of BL1 and BL2, implemented a new, alternative
    334    firmware image loading mechanism that adds flexibility.
    335 
    336    The current mechanism has a hard-coded set of images and execution order
    337    (BL31, BL32, etc). The new mechanism is data-driven by a list of image
    338    descriptors provided by the platform code.
    339 
    340    ARM platforms have been updated to support the new loading mechanism.
    341 
    342    The new mechanism is enabled by a build flag (``LOAD_IMAGE_V2``) which is
    343    currently off by default for the AArch64 build.
    344 
    345    **Note** ``TRUSTED_BOARD_BOOT`` is currently not supported when
    346    ``LOAD_IMAGE_V2`` is enabled.
    347 
    348 -  Updated requirements for making contributions to ARM TF.
    349 
    350    Commits now must have a 'Signed-off-by:' field to certify that the
    351    contribution has been made under the terms of the
    352    `Developer Certificate of Origin`_.
    353 
    354    A signed CLA is no longer required.
    355 
    356    The `Contribution Guide`_ has been updated to reflect this change.
    357 
    358 -  Introduced Performance Measurement Framework (PMF) which provides support
    359    for capturing, storing, dumping and retrieving time-stamps to measure the
    360    execution time of critical paths in the firmware. This relies on defining
    361    fixed sample points at key places in the code.
    362 
    363 -  To support the QEMU platform port, imported libfdt v1.4.1 from
    364    https://git.kernel.org/cgit/utils/dtc/dtc.git
    365 
    366 -  Updated PSCI support:
    367 
    368    -  Added support for PSCI NODE\_HW\_STATE API for ARM platforms.
    369 
    370    -  New optional platform hook, ``pwr_domain_pwr_down_wfi()``, in
    371       ``plat_psci_ops`` to enable platforms to perform platform-specific actions
    372       needed to enter powerdown, including the 'wfi' invocation.
    373 
    374    -  PSCI STAT residency and count functions have been added on ARM platforms
    375       by using PMF.
    376 
    377 -  Enhancements to the translation table library:
    378 
    379    -  Limited memory mapping support for region overlaps to only allow regions
    380       to overlap that are identity mapped or have the same virtual to physical
    381       address offset, and overlap completely but must not cover the same area.
    382 
    383       This limitation will enable future enhancements without having to
    384       support complex edge cases that may not be necessary.
    385 
    386    -  The initial translation lookup level is now inferred from the virtual
    387       address space size. Previously, it was hard-coded.
    388 
    389    -  Added support for mapping Normal, Inner Non-cacheable, Outer
    390       Non-cacheable memory in the translation table library.
    391 
    392       This can be useful to map a non-cacheable memory region, such as a DMA
    393       buffer.
    394 
    395    -  Introduced the MT\_EXECUTE/MT\_EXECUTE\_NEVER memory mapping attributes to
    396       specify the access permissions for instruction execution of a memory
    397       region.
    398 
    399 -  Enabled support to isolate code and read-only data on separate memory pages,
    400    allowing independent access control to be applied to each.
    401 
    402 -  Enabled SCR\_EL3.SIF (Secure Instruction Fetch) bit in BL1 and BL31 common
    403    architectural setup code, preventing fetching instructions from non-secure
    404    memory when in secure state.
    405 
    406 -  Enhancements to FIP support:
    407 
    408    -  Replaced ``fip_create`` with ``fiptool`` which provides a more consistent
    409       and intuitive interface as well as additional support to remove an image
    410       from a FIP file.
    411 
    412    -  Enabled printing the SHA256 digest with info command, allowing quick
    413       verification of an image within a FIP without having to extract the
    414       image and running sha256sum on it.
    415 
    416    -  Added support for unpacking the contents of an existing FIP file into
    417       the working directory.
    418 
    419    -  Aligned command line options for specifying images to use same naming
    420       convention as specified by TBBR and already used in cert\_create tool.
    421 
    422 -  Refactored the TZC-400 driver to also support memory controllers that
    423    integrate TZC functionality, for example ARM CoreLink DMC-500. Also added
    424    DMC-500 specific support.
    425 
    426 -  Implemented generic delay timer based on the system generic counter and
    427    migrated all platforms to use it.
    428 
    429 -  Enhanced support for ARM platforms:
    430 
    431    -  Updated image loading support to make SCP images (SCP\_BL2 and SCP\_BL2U)
    432       optional.
    433 
    434    -  Enhanced topology description support to allow multi-cluster topology
    435       definitions.
    436 
    437    -  Added interconnect abstraction layer to help platform ports select the
    438       right interconnect driver, CCI or CCN, for the platform.
    439 
    440    -  Added support to allow loading BL31 in the TZC-secured DRAM instead of
    441       the default secure SRAM.
    442 
    443    -  Added support to use a System Security Control (SSC) Registers Unit
    444       enabling ARM TF to be compiled to support multiple ARM platforms and
    445       then select one at runtime.
    446 
    447    -  Restricted mapping of Trusted ROM in BL1 to what is actually needed by
    448       BL1 rather than entire Trusted ROM region.
    449 
    450    -  Flash is now mapped as execute-never by default. This increases security
    451       by restricting the executable region to what is strictly needed.
    452 
    453 -  Applied following erratum workarounds for Cortex-A57: 833471, 826977,
    454    829520, 828024 and 826974.
    455 
    456 -  Added support for Mediatek MT6795 platform.
    457 
    458 -  Added support for QEMU virtualization ARMv8-A target.
    459 
    460 -  Added support for Rockchip RK3368 and RK3399 platforms.
    461 
    462 -  Added support for Xilinx Zynq UltraScale+ MPSoC platform.
    463 
    464 -  Added support for ARM Cortex-A73 MPCore Processor.
    465 
    466 -  Added support for ARM Cortex-A72 processor.
    467 
    468 -  Added support for ARM Cortex-A35 processor.
    469 
    470 -  Added support for ARM Cortex-A32 MPCore Processor.
    471 
    472 -  Enabled preloaded BL33 alternative boot flow, in which BL2 does not load
    473    BL33 from non-volatile storage and BL31 hands execution over to a preloaded
    474    BL33. The User Guide has been updated with an example of how to use this
    475    option with a bootwrapped kernel.
    476 
    477 -  Added support to build ARM TF on a Windows-based host machine.
    478 
    479 -  Updated Trusted Board Boot prototype implementation:
    480 
    481    -  Enabled the ability for a production ROM with TBBR enabled to boot test
    482       software before a real ROTPK is deployed (e.g. manufacturing mode).
    483       Added support to use ROTPK in certificate without verifying against the
    484       platform value when ``ROTPK_NOT_DEPLOYED`` bit is set.
    485 
    486    -  Added support for non-volatile counter authentication to the
    487       Authentication Module to protect against roll-back.
    488 
    489 -  Updated GICv3 support:
    490 
    491    -  Enabled processor power-down and automatic power-on using GICv3.
    492 
    493    -  Enabled G1S or G0 interrupts to be configured independently.
    494 
    495    -  Changed FVP default interrupt driver to be the GICv3-only driver.
    496       **Note** the default build of Trusted Firmware will not be able to boot
    497       Linux kernel with GICv2 FDT blob.
    498 
    499    -  Enabled wake-up from CPU\_SUSPEND to stand-by by temporarily re-routing
    500       interrupts and then restoring after resume.
    501 
    502 Issues resolved since last release
    503 ----------------------------------
    504 
    505 Known issues
    506 ------------
    507 
    508 -  The version of the AEMv8 Base FVP used in this release resets the model
    509    instead of terminating its execution in response to a shutdown request using
    510    the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
    511    the model.
    512 
    513 -  Building TF with compiler optimisations disabled (``-O0``) fails.
    514 
    515 -  ARM TF cannot be built with mbed TLS version v2.3.0 due to build warnings
    516    that the ARM TF build system interprets as errors.
    517 
    518 -  TBBR is not currently supported when running Trusted Firmware in AArch32
    519    state.
    520 
    521 ARM Trusted Firmware - version 1.2
    522 ==================================
    523 
    524 New features
    525 ------------
    526 
    527 -  The Trusted Board Boot implementation on ARM platforms now conforms to the
    528    mandatory requirements of the TBBR specification.
    529 
    530    In particular, the boot process is now guarded by a Trusted Watchdog, which
    531    will reset the system in case of an authentication or loading error. On ARM
    532    platforms, a secure instance of ARM SP805 is used as the Trusted Watchdog.
    533 
    534    Also, a firmware update process has been implemented. It enables
    535    authenticated firmware to update firmware images from external interfaces to
    536    SoC Non-Volatile memories. This feature functions even when the current
    537    firmware in the system is corrupt or missing; it therefore may be used as
    538    a recovery mode.
    539 
    540 -  Improvements have been made to the Certificate Generation Tool
    541    (``cert_create``) as follows.
    542 
    543    -  Added support for the Firmware Update process by extending the Chain
    544       of Trust definition in the tool to include the Firmware Update
    545       certificate and the required extensions.
    546 
    547    -  Introduced a new API that allows one to specify command line options in
    548       the Chain of Trust description. This makes the declaration of the tool's
    549       arguments more flexible and easier to extend.
    550 
    551    -  The tool has been reworked to follow a data driven approach, which
    552       makes it easier to maintain and extend.
    553 
    554 -  Extended the FIP tool (``fip_create``) to support the new set of images
    555    involved in the Firmware Update process.
    556 
    557 -  Various memory footprint improvements. In particular:
    558 
    559    -  The bakery lock structure for coherent memory has been optimised.
    560 
    561    -  The mbed TLS SHA1 functions are not needed, as SHA256 is used to
    562       generate the certificate signature. Therefore, they have been compiled
    563       out, reducing the memory footprint of BL1 and BL2 by approximately
    564       6 KB.
    565 
    566    -  On ARM development platforms, each BL stage now individually defines
    567       the number of regions that it needs to map in the MMU.
    568 
    569 -  Added the following new design documents:
    570 
    571    -  `Authentication framework`_
    572    -  `Firmware Update`_
    573    -  `TF Reset Design`_
    574    -  `Power Domain Topology Design`_
    575 
    576 -  Applied the new image terminology to the code base and documentation, as
    577    described on the `TF wiki on GitHub`_.
    578 
    579 -  The build system has been reworked to improve readability and facilitate
    580    adding future extensions.
    581 
    582 -  On ARM standard platforms, BL31 uses the boot console during cold boot
    583    but switches to the runtime console for any later logs at runtime. The TSP
    584    uses the runtime console for all output.
    585 
    586 -  Implemented a basic NOR flash driver for ARM platforms. It programs the
    587    device using CFI (Common Flash Interface) standard commands.
    588 
    589 -  Implemented support for booting EL3 payloads on ARM platforms, which
    590    reduces the complexity of developing EL3 baremetal code by doing essential
    591    baremetal initialization.
    592 
    593 -  Provided separate drivers for GICv3 and GICv2. These expect the entire
    594    software stack to use either GICv2 or GICv3; hybrid GIC software systems
    595    are no longer supported and the legacy ARM GIC driver has been deprecated.
    596 
    597 -  Added support for Juno r1 and r2. A single set of Juno TF binaries can run
    598    on Juno r0, r1 and r2 boards. Note that this TF version depends on a Linaro
    599    release that does *not* contain Juno r2 support.
    600 
    601 -  Added support for MediaTek mt8173 platform.
    602 
    603 -  Implemented a generic driver for ARM CCN IP.
    604 
    605 -  Major rework of the PSCI implementation.
    606 
    607    -  Added framework to handle composite power states.
    608 
    609    -  Decoupled the notions of affinity instances (which describes the
    610       hierarchical arrangement of cores) and of power domain topology, instead
    611       of assuming a one-to-one mapping.
    612 
    613    -  Better alignment with version 1.0 of the PSCI specification.
    614 
    615 -  Added support for the SYSTEM\_SUSPEND PSCI API on ARM platforms. When invoked
    616    on the last running core on a supported platform, this puts the system
    617    into a low power mode with memory retention.
    618 
    619 -  Unified the reset handling code as much as possible across BL stages.
    620    Also introduced some build options to enable optimization of the reset path
    621    on platforms that support it.
    622 
    623 -  Added a simple delay timer API, as well as an SP804 timer driver, which is
    624    enabled on FVP.
    625 
    626 -  Added support for NVidia Tegra T210 and T132 SoCs.
    627 
    628 -  Reorganised ARM platforms ports to greatly improve code shareability and
    629    facilitate the reuse of some of this code by other platforms.
    630 
    631 -  Added support for ARM Cortex-A72 processor in the CPU specific framework.
    632 
    633 -  Provided better error handling. Platform ports can now define their own
    634    error handling, for example to perform platform specific bookkeeping or
    635    post-error actions.
    636 
    637 -  Implemented a unified driver for ARM Cache Coherent Interconnects used for
    638    both CCI-400 & CCI-500 IPs. ARM platforms ports have been migrated to this
    639    common driver. The standalone CCI-400 driver has been deprecated.
    640 
    641 Issues resolved since last release
    642 ----------------------------------
    643 
    644 -  The Trusted Board Boot implementation has been redesigned to provide greater
    645    modularity and scalability. See the `Authentication Framework`_ document.
    646    All missing mandatory features are now implemented.
    647 
    648 -  The FVP and Juno ports may now use the hash of the ROTPK stored in the
    649    Trusted Key Storage registers to verify the ROTPK. Alternatively, a
    650    development public key hash embedded in the BL1 and BL2 binaries might be
    651    used instead. The location of the ROTPK is chosen at build-time using the
    652    ``ARM_ROTPK_LOCATION`` build option.
    653 
    654 -  GICv3 is now fully supported and stable.
    655 
    656 Known issues
    657 ------------
    658 
    659 -  The version of the AEMv8 Base FVP used in this release resets the model
    660    instead of terminating its execution in response to a shutdown request using
    661    the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
    662    the model.
    663 
    664 -  While this version has low on-chip RAM requirements, there are further
    665    RAM usage enhancements that could be made.
    666 
    667 -  The upstream documentation could be improved for structural consistency,
    668    clarity and completeness. In particular, the design documentation is
    669    incomplete for PSCI, the TSP(D) and the Juno platform.
    670 
    671 -  Building TF with compiler optimisations disabled (``-O0``) fails.
    672 
    673 ARM Trusted Firmware - version 1.1
    674 ==================================
    675 
    676 New features
    677 ------------
    678 
    679 -  A prototype implementation of Trusted Board Boot has been added. Boot
    680    loader images are verified by BL1 and BL2 during the cold boot path. BL1 and
    681    BL2 use the PolarSSL SSL library to verify certificates and images. The
    682    OpenSSL library is used to create the X.509 certificates. Support has been
    683    added to ``fip_create`` tool to package the certificates in a FIP.
    684 
    685 -  Support for calling CPU and platform specific reset handlers upon entry into
    686    BL3-1 during the cold and warm boot paths has been added. This happens after
    687    another Boot ROM ``reset_handler()`` has already run. This enables a developer
    688    to perform additional actions or undo actions already performed during the
    689    first call of the reset handlers, e.g. to apply additional errata workarounds.
    690 
    691 -  Support has been added to demonstrate routing of IRQs to EL3 instead of
    692    S-EL1 when execution is in secure world.
    693 
    694 -  The PSCI implementation now conforms to version 1.0 of the PSCI
    695    specification. All the mandatory APIs and selected optional APIs are
    696    supported. In particular, support for the ``PSCI_FEATURES`` API has been
    697    added. A capability variable is constructed during initialization by
    698    examining the ``plat_pm_ops`` and ``spd_pm_ops`` exported by the platform and
    699    the Secure Payload Dispatcher. This is used by the ``PSCI_FEATURES`` function
    700    to determine which PSCI APIs are supported by the platform.
    701 
    702 -  Improvements have been made to the PSCI code as follows.
    703 
    704    -  The code has been refactored to remove redundant parameters from
    705       internal functions.
    706 
    707    -  Changes have been made to the code for PSCI ``CPU_SUSPEND``, ``CPU_ON`` and
    708       ``CPU_OFF`` calls to facilitate an early return to the caller in case a
    709       failure condition is detected. For example, a PSCI ``CPU_SUSPEND`` call
    710       returns ``SUCCESS`` to the caller if a pending interrupt is detected early
    711       in the code path.
    712 
    713    -  Optional platform APIs have been added to validate the ``power_state`` and
    714       ``entrypoint`` parameters early in PSCI ``CPU_ON`` and ``CPU_SUSPEND`` code
    715       paths.
    716 
    717    -  PSCI migrate APIs have been reworked to invoke the SPD hook to determine
    718       the type of Trusted OS and the CPU it is resident on (if
    719       applicable). Also, during a PSCI ``MIGRATE`` call, the SPD hook to migrate
    720       the Trusted OS is invoked.
    721 
    722 -  It is now possible to build Trusted Firmware without marking at least an
    723    extra page of memory as coherent. The build flag ``USE_COHERENT_MEM`` can be
    724    used to choose between the two implementations. This has been made possible
    725    through these changes.
    726 
    727    -  An implementation of Bakery locks, where the locks are not allocated in
    728       coherent memory, has been added.
    729 
    730    -  Memory which was previously marked as coherent is now kept coherent
    731       through the use of software cache maintenance operations.
    732 
    733    Approximately 4K of memory is saved for each boot loader stage when
    734    ``USE_COHERENT_MEM=0``. This setting increases the latencies
    735    associated with acquire and release of locks. It also requires changes to
    736    the platform ports.
    737 
    738 -  It is now possible to specify the name of the FIP at build time by defining
    739    the ``FIP_NAME`` variable.
    740 
    741 -  Issues with dependencies on the 'fiptool' makefile target have been
    742    rectified. The ``fip_create`` tool is now rebuilt whenever its source files
    743    change.
    744 
    745 -  The BL3-1 runtime console is now also used as the crash console. The crash
    746    console is changed to SoC UART0 (UART2) from the previous FPGA UART0 (UART0)
    747    on Juno. In FVP, it is changed from UART0 to UART1.
    748 
    749 -  CPU errata workarounds are applied only when the revision and part number
    750    match. This behaviour has been made consistent across the debug and release
    751    builds. The debug build additionally prints a warning if a mismatch is
    752    detected.
    753 
    754 -  It is now possible to issue cache maintenance operations by set/way for a
    755    particular level of data cache. Levels 1-3 are currently supported.
    756 
    757 -  The following improvements have been made to the FVP port.
    758 
    759    -  The build option ``FVP_SHARED_DATA_LOCATION`` which allowed relocation of
    760       shared data into the Trusted DRAM has been deprecated. Shared data is
    761       now always located at the base of Trusted SRAM.
    762 
    763    -  BL2 Translation tables have been updated to map only the region of
    764       DRAM which is accessible to normal world. This is the region of the 2GB
    765       DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is
    766       accessible to only the secure world.
    767 
    768    -  BL3-2 can now reside in the top 16MB of DRAM which is accessible only to
    769       the secure world. This can be done by setting the build flag
    770       ``FVP_TSP_RAM_LOCATION`` to the value ``dram``.
    771 
    772 -  Separate translation tables are created for each boot loader image. The
    773    ``IMAGE_BLx`` build options are used to do this. This allows each stage to
    774    create mappings only for areas in the memory map that it needs.
    775 
    776 -  A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been
    777    added. Details of using it with ARM Trusted Firmware can be found in
    778    `OP-TEE Dispatcher`_.
    779 
    780 Issues resolved since last release
    781 ----------------------------------
    782 
    783 -  The Juno port has been aligned with the FVP port as follows.
    784 
    785    -  Support for reclaiming all BL1 RW memory and BL2 memory by overlaying
    786       the BL3-1/BL3-2 NOBITS sections on top of them has been added to the
    787       Juno port.
    788 
    789    -  The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured
    790       using the TZC-400 controller to be accessible only to the secure world.
    791 
    792    -  The ARM GIC driver is used to configure the GIC-400 instead of using a
    793       GIC driver private to the Juno port.
    794 
    795    -  PSCI ``CPU_SUSPEND`` calls that target a standby state are now supported.
    796 
    797    -  The TZC-400 driver is used to configure the controller instead of direct
    798       accesses to the registers.
    799 
    800 -  The Linux kernel version referred to in the user guide has DVFS and HMP
    801    support enabled.
    802 
    803 -  DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
    804    CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of
    805    the Cortex-A57-A53 Base FVPs.
    806 
    807 Known issues
    808 ------------
    809 
    810 -  The Trusted Board Boot implementation is a prototype. There are issues with
    811    the modularity and scalability of the design. Support for a Trusted
    812    Watchdog, firmware update mechanism, recovery images and Trusted debug is
    813    absent. These issues will be addressed in future releases.
    814 
    815 -  The FVP and Juno ports do not use the hash of the ROTPK stored in the
    816    Trusted Key Storage registers to verify the ROTPK in the
    817    ``plat_match_rotpk()`` function. This prevents the correct establishment of
    818    the Chain of Trust at the first step in the Trusted Board Boot process.
    819 
    820 -  The version of the AEMv8 Base FVP used in this release resets the model
    821    instead of terminating its execution in response to a shutdown request using
    822    the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of
    823    the model.
    824 
    825 -  GICv3 support is experimental. There are known issues with GICv3
    826    initialization in the ARM Trusted Firmware.
    827 
    828 -  While this version greatly reduces the on-chip RAM requirements, there are
    829    further RAM usage enhancements that could be made.
    830 
    831 -  The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
    832    its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.
    833 
    834 -  The Juno-specific firmware design documentation is incomplete.
    835 
    836 ARM Trusted Firmware - version 1.0
    837 ==================================
    838 
    839 New features
    840 ------------
    841 
    842 -  It is now possible to map higher physical addresses using non-flat virtual
    843    to physical address mappings in the MMU setup.
    844 
    845 -  Wider use is now made of the per-CPU data cache in BL3-1 to store:
    846 
    847    -  Pointers to the non-secure and secure security state contexts.
    848 
    849    -  A pointer to the CPU-specific operations.
    850 
    851    -  A pointer to PSCI specific information (for example the current power
    852       state).
    853 
    854    -  A crash reporting buffer.
    855 
    856 -  The following RAM usage improvements result in a BL3-1 RAM usage reduction
    857    from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction
    858    across all images from 208KB to 88KB, compared to the previous release.
    859 
    860    -  Removed the separate ``early_exception`` vectors from BL3-1 (2KB code size
    861       saving).
    862 
    863    -  Removed NSRAM from the FVP memory map, allowing the removal of one
    864       (4KB) translation table.
    865 
    866    -  Eliminated the internal ``psci_suspend_context`` array, saving 2KB.
    867 
    868    -  Correctly dimensioned the PSCI ``aff_map_node`` array, saving 1.5KB in the
    869       FVP port.
    870 
    871    -  Removed calling CPU mpidr from the bakery lock API, saving 160 bytes.
    872 
    873    -  Removed current CPU mpidr from PSCI common code, saving 160 bytes.
    874 
    875    -  Inlined the mmio accessor functions, saving 360 bytes.
    876 
    877    -  Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by
    878       overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime.
    879 
    880    -  Made storing the FP register context optional, saving 0.5KB per context
    881       (8KB on the FVP port, with TSPD enabled and running on 8 CPUs).
    882 
    883    -  Implemented a leaner ``tf_printf()`` function, allowing the stack to be
    884       greatly reduced.
    885 
    886    -  Removed coherent stacks from the codebase. Stacks allocated in normal
    887       memory are now used before and after the MMU is enabled. This saves 768
    888       bytes per CPU in BL3-1.
    889 
    890    -  Reworked the crash reporting in BL3-1 to use less stack.
    891 
    892    -  Optimized the EL3 register state stored in the ``cpu_context`` structure
    893       so that registers that do not change during normal execution are
    894       re-initialized each time during cold/warm boot, rather than restored
    895       from memory. This saves about 1.2KB.
    896 
    897    -  As a result of some of the above, reduced the runtime stack size in all
    898       BL images. For BL3-1, this saves 1KB per CPU.
    899 
    900 -  PSCI SMC handler improvements to correctly handle calls from secure states
    901    and from AArch32.
    902 
    903 -  CPU contexts are now initialized from the ``entry_point_info``. BL3-1 fully
    904    determines the exception level to use for the non-trusted firmware (BL3-3)
    905    based on the SPSR value provided by the BL2 platform code (or otherwise
    906    provided to BL3-1). This allows platform code to directly run non-trusted
    907    firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS
    908    loader.
    909 
    910 -  Code refactoring improvements:
    911 
    912    -  Refactored ``fvp_config`` into a common platform header.
    913 
    914    -  Refactored the FVP GIC code to be a generic driver that no longer has an
    915       explicit dependency on platform code.
    916 
    917    -  Refactored the CCI-400 driver to not have dependency on platform code.
    918 
    919    -  Simplified the IO driver so it's no longer necessary to call ``io_init()``
    920       and moved all the IO storage framework code to one place.
    921 
    922    -  Simplified the interface to the TZC-400 driver.
    923 
    924    -  Clarified the platform porting interface to the TSP.
    925 
    926    -  Reworked the TSPD setup code to support the alternate BL3-2
    927       initialization flow where BL3-1 generic code hands control to BL3-2,
    928       rather than expecting the TSPD to hand control directly to BL3-2.
    929 
    930    -  Considerable rework to PSCI generic code to support CPU specific
    931       operations.
    932 
    933 -  Improved console log output, by:
    934 
    935    -  Adding the concept of debug log levels.
    936 
    937    -  Rationalizing the existing debug messages and adding new ones.
    938 
    939    -  Printing out the version of each BL stage at runtime.
    940 
    941    -  Adding support for printing console output from assembler code,
    942       including when a crash occurs before the C runtime is initialized.
    943 
    944 -  Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro
    945    file system and DS-5.
    946 
    947 -  On the FVP port, made the use of the Trusted DRAM region optional at build
    948    time (off by default). Normal platforms will not have such a "ready-to-use"
    949    DRAM area, so using it does not set a good example.
    950 
    951 -  Added support for PSCI ``SYSTEM_OFF`` and ``SYSTEM_RESET`` APIs.
    952 
    953 -  Added support for CPU specific reset sequences, power down sequences and
    954    register dumping during crash reporting. The CPU specific reset sequences
    955    include support for errata workarounds.
    956 
    957 -  Merged the Juno port into the master branch. Added support for CPU hotplug
    958    and CPU idle. Updated the user guide to describe how to build and run on the
    959    Juno platform.
    960 
    961 Issues resolved since last release
    962 ----------------------------------
    963 
    964 -  Removed the concept of top/bottom image loading. The image loader now
    965    automatically detects the position of the image inside the current memory
    966    layout and updates the layout to minimize fragmentation. This resolves the
    967    image loader limitations of previous releases. There are currently no
    968    plans to support dynamic image loading.
    969 
    970 -  CPU idle now works on the publicized version of the Foundation FVP.
    971 
    972 -  All known issues relating to the compiler version used have now been
    973    resolved. This TF version uses Linaro toolchain 14.07 (based on GCC 4.9).
    974 
    975 Known issues
    976 ------------
    977 
    978 -  GICv3 support is experimental. The Linux kernel patches to support this are
    979    not widely available. There are known issues with GICv3 initialization in
    980    the ARM Trusted Firmware.
    981 
    982 -  While this version greatly reduces the on-chip RAM requirements, there are
    983    further RAM usage enhancements that could be made.
    984 
    985 -  The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
    986    its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.
    987 
    988 -  The Juno-specific firmware design documentation is incomplete.
    989 
    990 -  Some recent enhancements to the FVP port have not yet been translated into
    991    the Juno port. These will be tracked via the tf-issues project.
    992 
    993 -  The Linux kernel version referred to in the user guide has DVFS and HMP
    994    support disabled due to some known instabilities at the time of this
    995    release. A future kernel version will re-enable these features.
    996 
    997 -  DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in
    998    CADI server mode. This is because the ``<SimName>`` reported by the FVP in
    999    this version has changed. For example, for the Cortex-A57x4-A53x4 Base FVP,
   1000    the ``<SimName>`` reported by the FVP is ``FVP_Base_Cortex_A57x4_A53x4``, while
   1001    DS-5 expects it to be ``FVP_Base_A57x4_A53x4``.
   1002 
   1003    The temporary fix to this problem is to change the name of the FVP in
   1004    ``sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml``.
   1005    Change the following line:
   1006 
   1007    ::
   1008 
   1009        <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName>
   1010 
   1011    to
   1012    ``<SimName>System Generator:FVP_Base_Cortex-A57x4_A53x4</SimName>``
   1013 
   1014    A similar change can be made to the other Cortex-A57-A53 Base FVP variants.
   1015 
   1016 ARM Trusted Firmware - version 0.4
   1017 ==================================
   1018 
   1019 New features
   1020 ------------
   1021 
   1022 -  Makefile improvements:
   1023 
   1024    -  Improved dependency checking when building.
   1025 
   1026    -  Removed ``dump`` target (build now always produces dump files).
   1027 
   1028    -  Enabled platform ports to optionally make use of parts of the Trusted
   1029       Firmware (e.g. BL3-1 only), rather than being forced to use all parts.
   1030       Also made the ``fip`` target optional.
   1031 
   1032    -  Specified the full path to source files and removed use of the ``vpath``
   1033       keyword.
   1034 
   1035 -  Provided translation table library code for potential re-use by platforms
   1036    other than the FVPs.
   1037 
   1038 -  Moved architectural timer setup to platform-specific code.
   1039 
   1040 -  Added standby state support to the PSCI ``cpu_suspend`` implementation.
   1041 
   1042 -  SRAM usage improvements:
   1043 
   1044    -  Started using the ``-ffunction-sections``, ``-fdata-sections`` and
   1045       ``--gc-sections`` compiler/linker options to remove unused code and data
   1046       from the images. Previously, all common functions were being built into
   1047       all binary images, whether or not they were actually used.
   1048 
   1049    -  Placed all assembler functions in their own section to allow more unused
   1050       functions to be removed from images.
   1051 
   1052    -  Updated BL1 and BL2 to use a single coherent stack each, rather than one
   1053       per CPU.
   1054 
   1055    -  Changed variables that were unnecessarily declared and initialized as
   1056       non-const (i.e. in the .data section) so they are either uninitialized
   1057       (zero init) or const.
   1058 
   1059 -  Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by
   1060    default. The option for it to run in Trusted DRAM remains.
   1061 
   1062 -  Implemented a TrustZone Address Space Controller (TZC-400) driver. A
   1063    default configuration is provided for the Base FVPs. This means the model
   1064    parameter ``-C bp.secure_memory=1`` is now supported.
   1065 
   1066 -  Started saving the PSCI ``cpu_suspend`` ``power_state`` parameter prior to
   1067    suspending a CPU. This allows platforms that implement multiple power-down
   1068    states at the same affinity level to identify a specific state.
   1069 
   1070 -  Refactored the entire codebase to reduce the amount of nesting in header
   1071    files and to make the use of system/user includes more consistent. Also
   1072    split platform.h to separate out the platform porting declarations from the
   1073    required platform porting definitions and the definitions/declarations
   1074    specific to the platform port.
   1075 
   1076 -  Optimized the data cache clean/invalidate operations.
   1077 
   1078 -  Improved the BL3-1 unhandled exception handling and reporting. Unhandled
   1079    exceptions now result in a dump of registers to the console.
   1080 
   1081 -  Major rework to the handover interface between BL stages, in particular the
   1082    interface to BL3-1. The interface now conforms to a specification and is
   1083    more future proof.
   1084 
   1085 -  Added support for optionally making the BL3-1 entrypoint a reset handler
   1086    (instead of BL1). This allows platforms with an alternative image loading
   1087    architecture to re-use BL3-1 with fewer modifications to generic code.
   1088 
   1089 -  Reserved some DDR DRAM for secure use on FVP platforms to avoid future
   1090    compatibility problems with non-secure software.
   1091 
   1092 -  Added support for secure interrupts targeting the Secure-EL1 Payload (SP)
   1093    (using GICv2 routing only). Demonstrated this working by adding an interrupt
   1094    target and supporting test code to the TSP. Also demonstrated non-secure
   1095    interrupt handling during TSP processing.
   1096 
   1097 Issues resolved since last release
   1098 ----------------------------------
   1099 
   1100 -  Now support use of the model parameter ``-C bp.secure_memory=1`` in the Base
   1101    FVPs (see **New features**).
   1102 
   1103 -  Support for secure world interrupt handling is now available (see **New
   1104    features**).
   1105 
   1106 -  Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1
   1107    Payload (BL3-2) to execute in Trusted SRAM by default.
   1108 
   1109 -  The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
   1110    14.04) now correctly reports progress in the console.
   1111 
   1112 -  Improved the Makefile structure to make it easier to separate out parts of
   1113    the Trusted Firmware for re-use in platform ports. Also, improved target
   1114    dependency checking.
   1115 
   1116 Known issues
   1117 ------------
   1118 
   1119 -  GICv3 support is experimental. The Linux kernel patches to support this are
   1120    not widely available. There are known issues with GICv3 initialization in
   1121    the ARM Trusted Firmware.
   1122 
   1123 -  Dynamic image loading is not available yet. The current image loader
   1124    implementation (used to load BL2 and all subsequent images) has some
   1125    limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
   1126    to loading errors, even if the images should theoretically fit in memory.
   1127 
   1128 -  The ARM Trusted Firmware still uses too much on-chip Trusted SRAM. A number
   1129    of RAM usage enhancements have been identified to rectify this situation.
   1130 
   1131 -  CPU idle does not work on the advertised version of the Foundation FVP.
   1132    Some FVP fixes are required that are not available externally at the time
   1133    of writing. This can be worked around by disabling CPU idle in the Linux
   1134    kernel.
   1135 
   1136 -  Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been
   1137    observed when using Linaro toolchain versions later than 13.11. Although
   1138    most of these have been fixed, some remain at the time of writing. These
   1139    mainly seem to relate to a subtle change in the way the compiler converts
   1140    between 64-bit and 32-bit values (e.g. during casting operations), which
   1141    reveals previously hidden bugs in client code.
   1142 
   1143 -  The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
   1144    its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.
   1145 
   1146 ARM Trusted Firmware - version 0.3
   1147 ==================================
   1148 
   1149 New features
   1150 ------------
   1151 
   1152 -  Support for Foundation FVP Version 2.0 added.
   1153    The documented UEFI configuration disables some devices that are unavailable
   1154    in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can
   1155    be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation
   1156    FVP.
   1157 
   1158    NOTE: The software will not work on Version 1.0 of the Foundation FVP.
   1159 
   1160 -  Enabled third party contributions. Added a new contributing.md containing
   1161    instructions for how to contribute and updated copyright text in all files
   1162    to acknowledge contributors.
   1163 
   1164 -  The PSCI ``CPU_SUSPEND`` API has been stabilised to the extent where it can be
   1165    used for entry into power down states with the following restrictions:
   1166 
   1167    -  Entry into standby states is not supported.
   1168    -  The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs.
   1169 
   1170 -  The PSCI ``AFFINITY_INFO`` API has undergone limited testing on the Base FVPs to
   1171    allow experimental use.
   1172 
   1173 -  Required C library and runtime header files are now included locally in ARM
   1174    Trusted Firmware instead of depending on the toolchain standard include
   1175    paths. The local implementation has been cleaned up and reduced in scope.
   1176 
   1177 -  Added I/O abstraction framework, primarily to allow generic code to load
   1178    images in a platform-independent way. The existing image loading code has
   1179    been reworked to use the new framework. Semi-hosting and NOR flash I/O
   1180    drivers are provided.
   1181 
   1182 -  Introduced Firmware Image Package (FIP) handling code and tools. A FIP
   1183    combines multiple firmware images with a Table of Contents (ToC) into a
   1184    single binary image. The new FIP driver is another type of I/O driver. The
   1185    Makefile builds a FIP by default and the FVP platform code expects to load a
   1186    FIP from NOR flash, although some support for image loading using
   1187    semi-hosting is retained.
   1188 
   1189    NOTE: Building a FIP by default is a non-backwards-compatible change.
   1190 
   1191    NOTE: Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into
   1192    DRAM instead of expecting this to be pre-loaded at a known location. This is
   1193    also a non-backwards-compatible change.
   1194 
   1195    NOTE: Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that
   1196    it knows the new location to execute from and no longer needs to copy
   1197    particular code modules to DRAM itself.
   1198 
   1199 -  Reworked BL2 to BL3-1 handover interface. A new composite structure
   1200    (``bl31_args``) holds the superset of information that needs to be passed from
   1201    BL2 to BL3-1, including information on how to hand over execution control to
   1202    BL3-2 (if present) and BL3-3 (non-trusted firmware).
   1203 
   1204 -  Added library support for CPU context management, allowing the saving and
   1205    restoring of:
   1206 
   1207    -  Shared system registers between Secure-EL1 and EL1.
   1208    -  VFP registers.
   1209    -  Essential EL3 system registers.
   1210 
   1211 -  Added a framework for implementing EL3 runtime services. Reworked the PSCI
   1212    implementation to be one such runtime service.
   1213 
   1214 -  Reworked the exception handling logic, making use of both ``SP_EL0`` and ``SP_EL3``
   1215    stack pointers for determining the type of exception, managing general
   1216    purpose and system register context on exception entry/exit, and handling
   1217    SMCs. SMCs are directed to the correct EL3 runtime service.
   1218 
   1219 -  Added support for a Test Secure-EL1 Payload (TSP) and a corresponding
   1220    Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD
   1221    implements Secure Monitor functionality such as world switching and
   1222    EL1 context management, and is responsible for communication with the TSP.
   1223    NOTE: The TSPD does not yet contain support for secure world interrupts.
   1224    NOTE: The TSP/TSPD is not built by default.
   1225 
   1226 Issues resolved since last release
   1227 ----------------------------------
   1228 
   1229 -  Support has been added for switching context between secure and normal
   1230    worlds in EL3.
   1231 
   1232 -  PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` have now been tested (to
   1233    a limited extent).
   1234 
   1235 -  The ARM Trusted Firmware build artifacts are now placed in the ``./build``
   1236    directory and sub-directories instead of being placed in the root of the
   1237    project.
   1238 
   1239 -  The ARM Trusted Firmware is now free from build warnings. Build warnings
   1240    are now treated as errors.
   1241 
   1242 -  The ARM Trusted Firmware now provides C library support locally within the
   1243    project to maintain compatibility between toolchains/systems.
   1244 
   1245 -  The PSCI locking code has been reworked so it no longer takes locks in an
   1246    incorrect sequence.
   1247 
   1248 -  The RAM-disk method of loading a Linux file-system has been confirmed to
   1249    work with the ARM Trusted Firmware and Linux kernel version (based on
   1250    version 3.13) used in this release, for both Foundation and Base FVPs.
   1251 
   1252 Known issues
   1253 ------------
   1254 
   1255 The following is a list of issues which are expected to be fixed in future
   1256 releases of the ARM Trusted Firmware.
   1257 
   1258 -  The TrustZone Address Space Controller (TZC-400) is not being programmed
   1259    yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported.
   1260 
   1261 -  No support yet for secure world interrupt handling.
   1262 
   1263 -  GICv3 support is experimental. The Linux kernel patches to support this are
   1264    not widely available. There are known issues with GICv3 initialization in
   1265    the ARM Trusted Firmware.
   1266 
   1267 -  Dynamic image loading is not available yet. The current image loader
   1268    implementation (used to load BL2 and all subsequent images) has some
   1269    limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
   1270    to loading errors, even if the images should theoretically fit in memory.
   1271 
   1272 -  The ARM Trusted Firmware uses too much on-chip Trusted SRAM. Currently the
   1273    Test Secure-EL1 Payload (BL3-2) executes in Trusted DRAM since there is not
   1274    enough SRAM. A number of RAM usage enhancements have been identified to
   1275    rectify this situation.
   1276 
   1277 -  CPU idle does not work on the advertised version of the Foundation FVP.
   1278    Some FVP fixes are required that are not available externally at the time
   1279    of writing.
   1280 
   1281 -  Various bugs in ARM Trusted Firmware, UEFI and the Linux kernel have been
   1282    observed when using Linaro toolchain versions later than 13.11. Although
   1283    most of these have been fixed, some remain at the time of writing. These
   1284    mainly seem to relate to a subtle change in the way the compiler converts
   1285    between 64-bit and 32-bit values (e.g. during casting operations), which
   1286    reveals previously hidden bugs in client code.
   1287 
   1288 -  The tested filesystem used for this release (Linaro AArch64 OpenEmbedded
   1289    14.01) does not report progress correctly in the console. It only seems to
   1290    produce error output, not standard output. It otherwise appears to function
   1291    correctly. Other filesystem versions on the same software stack do not
   1292    exhibit the problem.
   1293 
   1294 -  The Makefile structure doesn't make it easy to separate out parts of the
   1295    Trusted Firmware for re-use in platform ports, for example if only BL3-1 is
   1296    required in a platform port. Also, dependency checking in the Makefile is
   1297    flawed.
   1298 
   1299 -  The firmware design documentation for the Test Secure-EL1 Payload (TSP) and
   its dispatcher (TSPD) is incomplete. Similarly for the PSCI section.

ARM Trusted Firmware - version 0.2
==================================

New features
------------

-  First source release.

-  Code for the PSCI suspend feature is supplied, although this is not enabled
   by default since there are known issues (see below).

Issues resolved since last release
----------------------------------

-  The "psci" nodes in the FDTs provided in this release now fully comply
   with the recommendations made in the PSCI specification.

Known issues
------------

The following is a list of issues which are expected to be fixed in future
releases of the ARM Trusted Firmware.

-  The TrustZone Address Space Controller (TZC-400) is not being programmed
   yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported.

-  No support yet for secure world interrupt handling or for switching context
   between secure and normal worlds in EL3.

-  GICv3 support is experimental. The Linux kernel patches to support this are
   not widely available. There are known issues with GICv3 initialization in
   the ARM Trusted Firmware.

-  Dynamic image loading is not available yet. The current image loader
   implementation (used to load BL2 and all subsequent images) has some
   limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead
   to loading errors, even if the images should theoretically fit in memory.

-  Although support for PSCI ``CPU_SUSPEND`` is present, it is not yet stable
   and ready for use.

-  PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` are implemented but have not
   been tested.

-  The ARM Trusted Firmware make files result in all build artifacts being
   placed in the root of the project. These should be placed in appropriate
   sub-directories.

-  The compilation of ARM Trusted Firmware is not free from compilation
   warnings. Some of these warnings have not been investigated yet so they
   could mask real bugs.

-  The ARM Trusted Firmware currently uses toolchain/system include files like
   stdio.h. It should provide versions of these within the project to maintain
   compatibility between toolchains/systems.

-  The PSCI code takes some locks in an incorrect sequence. This may cause
   problems with suspend and hotplug in certain conditions.

-  The Linux kernel used in this release is based on version 3.12-rc4. Using
   this kernel with the ARM Trusted Firmware fails to start the file-system as
   a RAM-disk. It fails to execute user-space ``init`` from the RAM-disk. As an
   alternative, the VirtioBlock mechanism can be used to provide a file-system
   to the kernel.

--------------

*Copyright (c) 2013-2016, ARM Limited and Contributors. All rights reserved.*

.. _PSCI Integration Guide: psci-lib-integration-guide.rst
.. _Developer Certificate of Origin: ../dco.txt
.. _Contribution Guide: ../contributing.rst
.. _Authentication framework: auth-framework.rst
.. _Firmware Update: firmware-update.rst
.. _TF Reset Design: reset-design.rst
.. _Power Domain Topology Design: psci-pd-tree.rst
.. _TF wiki on GitHub: https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Image-Terminology
.. _Authentication Framework: auth-framework.rst
.. _OP-TEE Dispatcher: optee-dispatcher.rst
.. _tf-issue#501: https://github.com/ARM-software/tf-issues/issues/501
.. _PR#1002: https://github.com/ARM-software/arm-trusted-firmware/pull/1002#issuecomment-312650193