Douglas Raillard | 30d7b36 | 2017-06-28 16:14:55 +0100 | [diff] [blame] | 1 | |
| 2 | .. section-numbering:: |
| 3 | :suffix: . |
| 4 | |
| 5 | .. contents:: |
| 6 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 7 | Trusted Firmware-A - version 1.4 |
| 8 | ================================ |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 9 | |
| 10 | New features |
| 11 | ------------ |
| 12 | |
| 13 | - Enabled support for platforms with hardware assisted coherency. |
| 14 | |
| 15 | A new build option HW_ASSISTED_COHERENCY allows platforms to take advantage |
| 16 | of the following optimisations: |
| 17 | |
| 18 | - Skip performing cache maintenance during power-up and power-down. |
| 19 | |
| 20 | - Use spin-locks instead of bakery locks. |
| 21 | |
| 22 | - Enable data caches early on warm-booted CPUs. |
| 23 | |
| 24 | - Added support for Cortex-A75 and Cortex-A55 processors. |
| 25 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 26 | Both Cortex-A75 and Cortex-A55 processors use the Arm DynamIQ Shared Unit |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 27 | (DSU). The power-down and power-up sequences are therefore mostly managed in |
| 28 | hardware, reducing complexity of the software operations. |
| 29 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 30 | - Introduced Arm GIC-600 driver. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 31 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 32 | Arm GIC-600 IP complies with Arm GICv3 architecture. For FVP platforms, the |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 33 | GIC-600 driver is chosen when FVP_USE_GIC_DRIVER is set to FVP_GIC600. |
| 34 | |
| 35 | - Updated GICv3 support: |
| 36 | |
| 37 | - Introduced power management APIs for GICv3 Redistributor. These APIs |
| 38 | allow platforms to power down the Redistributor during CPU power on/off. |
| 39 | Requires the GICv3 implementations to have power management operations. |
| 40 | |
| 41 | Implemented the power management APIs for FVP. |
| 42 | |
| 43 | - GIC driver data is flushed by the primary CPU so that secondary CPU do |
| 44 | not read stale GIC data. |
| 45 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 46 | - Added support for Arm System Control and Management Interface v1.0 (SCMI). |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 47 | |
| 48 | The SCMI driver implements the power domain management and system power |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 49 | management protocol of the SCMI specification (Arm DEN 0056ASCMI) for |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 50 | communicating with any compliant power controller. |
| 51 | |
| 52 | Support is added for the Juno platform. The driver can be found in the |
| 53 | plat/arm/css/drivers folder. |
| 54 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 55 | - Added support to enable pre-integration of TBB with the Arm TrustZone |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 56 | CryptoCell product, to take advantage of its hardware Root of Trust and |
| 57 | crypto acceleration services. |
| 58 | |
| 59 | - Enabled Statistical Profiling Extensions for lower ELs. |
| 60 | |
| 61 | The firmware support is limited to the use of SPE in the Non-secure state |
| 62 | and accesses to the SPE specific registers from S-EL1 will trap to EL3. |
| 63 | |
| 64 | The SPE are architecturally specified for AArch64 only. |
| 65 | |
| 66 | - Code hygiene changes aligned with MISRA guidelines: |
| 67 | |
| 68 | - Fixed signed / unsigned comparison warnings in the translation table |
| 69 | library. |
| 70 | |
| 71 | - Added U(_x) macro and together with the existing ULL(_x) macro fixed |
| 72 | some of the signed-ness defects flagged by the MISRA scanner. |
| 73 | |
| 74 | - Enhancements to Firmware Update feature: |
| 75 | |
| 76 | - The FWU logic now checks for overlapping images to prevent execution of |
| 77 | unauthenticated arbitary code. |
| 78 | |
| 79 | - Introduced new FWU_SMC_IMAGE_RESET SMC that changes the image loading |
| 80 | state machine to go from COPYING, COPIED or AUTHENTICATED states to |
| 81 | RESET state. Previously, this was only possible when the authentication |
| 82 | of an image failed or when the execution of the image finished. |
| 83 | |
| 84 | - Fixed integer overflow which addressed TFV-1: Malformed Firmware Update |
| 85 | SMC can result in copy of unexpectedly large data into secure memory. |
| 86 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 87 | - Introduced support for Arm Compiler 6 and LLVM (clang). |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 88 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 89 | TF-A can now also be built with the Arm Compiler 6 or the clang compilers. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 90 | The assembler and linker must be provided by the GNU toolchain. |
| 91 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 92 | Tested with Arm CC 6.7 and clang 3.9.x and 4.0.x. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 93 | |
| 94 | - Memory footprint improvements: |
| 95 | |
| 96 | - Introduced `tf_snprintf`, a reduced version of `snprintf` which has |
| 97 | support for a limited set of formats. |
| 98 | |
| 99 | The mbedtls driver is updated to optionally use `tf_snprintf` instead of |
| 100 | `snprintf`. |
| 101 | |
| 102 | - The `assert()` is updated to no longer print the function name, and |
| 103 | additional logging options are supported via an optional platform define |
| 104 | `PLAT_LOG_LEVEL_ASSERT`, which controls how verbose the assert output is. |
| 105 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 106 | - Enhancements to TF-A support when running in AArch32 execution state: |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 107 | |
| 108 | - Support booting SP_MIN and BL33 in AArch32 execution mode on Juno. Due to |
| 109 | hardware limitations, BL1 and BL2 boot in AArch64 state and there is |
| 110 | additional trampoline code to warm reset into SP_MIN in AArch32 execution |
| 111 | state. |
| 112 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 113 | - Added support for Arm Cortex-A53/57/72 MPCore processors including the |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 114 | errata workarounds that are already implemented for AArch64 execution |
| 115 | state. |
| 116 | |
| 117 | - For FVP platforms, added AArch32 Trusted Board Boot support, including the |
| 118 | Firmware Update feature. |
| 119 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 120 | - Introduced Arm SiP service for use by Arm standard platforms. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 121 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 122 | - Added new Arm SiP Service SMCs to enable the Non-secure world to read PMF |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 123 | timestamps. |
| 124 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 125 | Added PMF instrumentation points in TF-A in order to quantify the |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 126 | overall time spent in the PSCI software implementation. |
| 127 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 128 | - Added new Arm SiP service SMC to switch execution state. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 129 | |
| 130 | This allows the lower exception level to change its execution state from |
| 131 | AArch64 to AArch32, or vice verse, via a request to EL3. |
| 132 | |
| 133 | - Migrated to use SPDX[0] license identifiers to make software license |
| 134 | auditing simpler. |
| 135 | |
| 136 | *NOTE:* Files that have been imported by FreeBSD have not been modified. |
| 137 | |
| 138 | [0]: https://spdx.org/ |
| 139 | |
| 140 | - Enhancements to the translation table library: |
| 141 | |
| 142 | - Added version 2 of translation table library that allows different |
| 143 | translation tables to be modified by using different 'contexts'. Version 1 |
| 144 | of the transalation table library only allows the current EL's translation |
| 145 | tables to be modified. |
| 146 | |
| 147 | Version 2 of the translation table also added support for dynamic |
| 148 | regions; regions that can be added and removed dynamically whilst the |
| 149 | MMU is enabled. Static regions can only be added or removed before the |
| 150 | MMU is enabled. |
| 151 | |
| 152 | The dynamic mapping functionality is enabled or disabled when compiling |
| 153 | by setting the build option PLAT_XLAT_TABLES_DYNAMIC to 1 or 0. This can |
| 154 | be done per-image. |
| 155 | |
| 156 | - Added support for translation regimes with two virtual address spaces |
| 157 | such as the one shared by EL1 and EL0. |
| 158 | |
| 159 | The library does not support initializing translation tables for EL0 |
| 160 | software. |
| 161 | |
| 162 | - Added support to mark the translation tables as non-cacheable using an |
| 163 | additional build option `XLAT_TABLE_NC`. |
| 164 | |
| 165 | - Added support for GCC stack protection. A new build option |
| 166 | ENABLE_STACK_PROTECTOR was introduced that enables compilation of all BL |
| 167 | images with one of the GCC -fstack-protector-* options. |
| 168 | |
| 169 | A new platform function plat_get_stack_protector_canary() was introduced |
| 170 | that returns a value used to initialize the canary for stack corruption |
| 171 | detection. For increased effectiveness of protection platforms must provide |
| 172 | an implementation that returns a random value. |
| 173 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 174 | - Enhanced support for Arm platforms: |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 175 | |
| 176 | - Added support for multi-threading CPUs, indicated by `MT` field in MPDIR. |
| 177 | A new build flag `ARM_PLAT_MT` is added, and when enabled, the functions |
| 178 | accessing MPIDR assume that the `MT` bit is set for the platform and |
| 179 | access the bit fields accordingly. |
| 180 | |
| 181 | Also, a new API `plat_arm_get_cpu_pe_count` is added when `ARM_PLAT_MT` is |
| 182 | enabled, returning the Processing Element count within the physical CPU |
| 183 | corresponding to `mpidr`. |
| 184 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 185 | - The Arm platforms migrated to use version 2 of the translation tables. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 186 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 187 | - Introduced a new Arm platform layer API `plat_arm_psci_override_pm_ops` |
| 188 | which allows Arm platforms to modify `plat_arm_psci_pm_ops` and therefore |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 189 | dynamically define PSCI capability. |
| 190 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 191 | - The Arm platforms migrated to use IMAGE_LOAD_V2 by default. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 192 | |
| 193 | - Enhanced reporting of errata workaround status with the following policy: |
| 194 | |
| 195 | - If an errata workaround is enabled: |
| 196 | |
| 197 | - If it applies (i.e. the CPU is affected by the errata), an INFO message |
| 198 | is printed, confirming that the errata workaround has been applied. |
| 199 | |
| 200 | - If it does not apply, a VERBOSE message is printed, confirming that the |
| 201 | errata workaround has been skipped. |
| 202 | |
| 203 | - If an errata workaround is not enabled, but would have applied had it |
| 204 | been, a WARN message is printed, alerting that errata workaround is |
| 205 | missing. |
| 206 | |
| 207 | - Added build options ARM_ARCH_MAJOR and ARM_ARM_MINOR to choose the |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 208 | architecture version to target TF-A. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 209 | |
| 210 | - Updated the spin lock implementation to use the more efficient CAS (Compare |
| 211 | And Swap) instruction when available. This instruction was introduced in |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 212 | Armv8.1-A. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 213 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 214 | - Applied errata workaround for Arm Cortex-A53: 855873. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 215 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 216 | - Applied errata workaround for Arm-Cortex-A57: 813419. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 217 | |
| 218 | - Enabled all A53 and A57 errata workarounds for Juno, both in AArch64 and |
| 219 | AArch32 execution states. |
| 220 | |
| 221 | - Added support for Socionext UniPhier SoC platform. |
| 222 | |
| 223 | - Added support for Hikey960 and Hikey platforms. |
| 224 | |
| 225 | - Added support for Rockchip RK3328 platform. |
| 226 | |
| 227 | - Added support for NVidia Tegra T186 platform. |
| 228 | |
| 229 | - Added support for Designware emmc driver. |
| 230 | |
| 231 | - Imported libfdt v1.4.2 that addresses buffer overflow in fdt_offset_ptr(). |
| 232 | |
| 233 | - Enhanced the CPU operations framework to allow power handlers to be |
| 234 | registered on per-level basis. This enables support for future CPUs that |
| 235 | have multiple threads which might need powering down individually. |
| 236 | |
| 237 | - Updated register initialisation to prevent unexpected behaviour: |
| 238 | |
| 239 | - Debug registers MDCR-EL3/SDCR and MDCR_EL2/HDCR are initialised to avoid |
| 240 | unexpected traps into the higher exception levels and disable secure |
| 241 | self-hosted debug. Additionally, secure privileged external debug on |
| 242 | Juno is disabled by programming the appropriate Juno SoC registers. |
| 243 | |
| 244 | - EL2 and EL3 configurable controls are initialised to avoid unexpected |
| 245 | traps in the higher exception levels. |
| 246 | |
| 247 | - Essential control registers are fully initialised on EL3 start-up, when |
| 248 | initialising the non-secure and secure context structures and when |
| 249 | preparing to leave EL3 for a lower EL. This gives better alignement with |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 250 | the Arm ARM which states that software must initialise RES0 and RES1 |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 251 | fields with 0 / 1. |
| 252 | |
| 253 | - Enhanced PSCI support: |
| 254 | |
| 255 | - Introduced new platform interfaces that decouple PSCI stat residency |
| 256 | calculation from PMF, enabling platforms to use alternative methods of |
| 257 | capturing timestamps. |
| 258 | |
| 259 | - PSCI stat accounting performed for retention/standby states when |
| 260 | requested at multiple power levels. |
| 261 | |
| 262 | - Simplified fiptool to have a single linked list of image descriptors. |
| 263 | |
| 264 | - For the TSP, resolved corruption of pre-empted secure context by aborting any |
| 265 | pre-empted SMC during PSCI power management requests. |
| 266 | |
| 267 | Issues resolved since last release |
David Cunado | 923fac2 | 2017-07-19 12:31:11 +0100 | [diff] [blame] | 268 | ---------------------------------- |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 269 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 270 | - TF-A can be built with the latest mbed TLS version (v2.4.2). The earlier |
| 271 | version 2.3.0 cannot be used due to build warnings that the TF-A build |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 272 | system interprets as errors. |
| 273 | |
| 274 | - TBBR, including the Firmware Update feature is now supported on FVP |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 275 | platforms when running TF-A in AArch32 state. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 276 | |
| 277 | - The version of the AEMv8 Base FVP used in this release has resolved the issue |
| 278 | of the model executing a reset instead of terminating in response to a |
| 279 | shutdown request using the PSCI SYSTEM_OFF API. |
| 280 | |
| 281 | Known Issues |
David Cunado | 923fac2 | 2017-07-19 12:31:11 +0100 | [diff] [blame] | 282 | ------------ |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 283 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 284 | - Building TF-A with compiler optimisations disabled (-O0) fails. |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 285 | |
| 286 | - Trusted Board Boot currently does not work on Juno when running Trusted |
| 287 | Firmware in AArch32 execution state due to error when loading the sp_min to |
| 288 | memory becasue of lack of free space available. See `tf-issue#501`_ for more |
| 289 | details. |
| 290 | |
| 291 | - The errata workaround for A53 errata 843419 is only available from binutils |
| 292 | 2.26 and is not present in GCC4.9. If this errata is applicable to the |
| 293 | platform, please use GCC compiler version of at least 5.0. See `PR#1002`_ for |
| 294 | more details. |
| 295 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 296 | Trusted Firmware-A - version 1.3 |
| 297 | ================================ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 298 | |
Douglas Raillard | 30d7b36 | 2017-06-28 16:14:55 +0100 | [diff] [blame] | 299 | |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 300 | New features |
| 301 | ------------ |
| 302 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 303 | - Added support for running TF-A in AArch32 execution state. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 304 | |
| 305 | The PSCI library has been refactored to allow integration with **EL3 Runtime |
| 306 | Software**. This is software that is executing at the highest secure |
| 307 | privilege which is EL3 in AArch64 or Secure SVC/Monitor mode in AArch32. See |
| 308 | `PSCI Integration Guide`_. |
| 309 | |
| 310 | Included is a minimal AArch32 Secure Payload, **SP-MIN**, that illustrates |
| 311 | the usage and integration of the PSCI library with EL3 Runtime Software |
| 312 | running in AArch32 state. |
| 313 | |
| 314 | Booting to the BL1/BL2 images as well as booting straight to the Secure |
| 315 | Payload is supported. |
| 316 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 317 | - Improvements to the initialization framework for the PSCI service and Arm |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 318 | Standard Services in general. |
| 319 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 320 | The PSCI service is now initialized as part of Arm Standard Service |
| 321 | initialization. This consolidates the initializations of any Arm Standard |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 322 | Service that may be added in the future. |
| 323 | |
| 324 | A new function ``get_arm_std_svc_args()`` is introduced to get arguments |
| 325 | corresponding to each standard service and must be implemented by the EL3 |
| 326 | Runtime Software. |
| 327 | |
| 328 | For PSCI, a new versioned structure ``psci_lib_args_t`` is introduced to |
| 329 | initialize the PSCI Library. **Note** this is a compatibility break due to |
| 330 | the change in the prototype of ``psci_setup()``. |
| 331 | |
| 332 | - To support AArch32 builds of BL1 and BL2, implemented a new, alternative |
| 333 | firmware image loading mechanism that adds flexibility. |
| 334 | |
| 335 | The current mechanism has a hard-coded set of images and execution order |
| 336 | (BL31, BL32, etc). The new mechanism is data-driven by a list of image |
| 337 | descriptors provided by the platform code. |
| 338 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 339 | Arm platforms have been updated to support the new loading mechanism. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 340 | |
| 341 | The new mechanism is enabled by a build flag (``LOAD_IMAGE_V2``) which is |
| 342 | currently off by default for the AArch64 build. |
| 343 | |
| 344 | **Note** ``TRUSTED_BOARD_BOOT`` is currently not supported when |
| 345 | ``LOAD_IMAGE_V2`` is enabled. |
| 346 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 347 | - Updated requirements for making contributions to TF-A. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 348 | |
| 349 | Commits now must have a 'Signed-off-by:' field to certify that the |
| 350 | contribution has been made under the terms of the |
| 351 | `Developer Certificate of Origin`_. |
| 352 | |
| 353 | A signed CLA is no longer required. |
| 354 | |
| 355 | The `Contribution Guide`_ has been updated to reflect this change. |
| 356 | |
| 357 | - Introduced Performance Measurement Framework (PMF) which provides support |
| 358 | for capturing, storing, dumping and retrieving time-stamps to measure the |
| 359 | execution time of critical paths in the firmware. This relies on defining |
| 360 | fixed sample points at key places in the code. |
| 361 | |
| 362 | - To support the QEMU platform port, imported libfdt v1.4.1 from |
| 363 | https://git.kernel.org/cgit/utils/dtc/dtc.git |
| 364 | |
| 365 | - Updated PSCI support: |
| 366 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 367 | - Added support for PSCI NODE\_HW\_STATE API for Arm platforms. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 368 | |
| 369 | - New optional platform hook, ``pwr_domain_pwr_down_wfi()``, in |
| 370 | ``plat_psci_ops`` to enable platforms to perform platform-specific actions |
| 371 | needed to enter powerdown, including the 'wfi' invocation. |
| 372 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 373 | - PSCI STAT residency and count functions have been added on Arm platforms |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 374 | by using PMF. |
| 375 | |
| 376 | - Enhancements to the translation table library: |
| 377 | |
| 378 | - Limited memory mapping support for region overlaps to only allow regions |
| 379 | to overlap that are identity mapped or have the same virtual to physical |
| 380 | address offset, and overlap completely but must not cover the same area. |
| 381 | |
| 382 | This limitation will enable future enhancements without having to |
| 383 | support complex edge cases that may not be necessary. |
| 384 | |
| 385 | - The initial translation lookup level is now inferred from the virtual |
| 386 | address space size. Previously, it was hard-coded. |
| 387 | |
| 388 | - Added support for mapping Normal, Inner Non-cacheable, Outer |
| 389 | Non-cacheable memory in the translation table library. |
| 390 | |
| 391 | This can be useful to map a non-cacheable memory region, such as a DMA |
| 392 | buffer. |
| 393 | |
| 394 | - Introduced the MT\_EXECUTE/MT\_EXECUTE\_NEVER memory mapping attributes to |
| 395 | specify the access permissions for instruction execution of a memory |
| 396 | region. |
| 397 | |
| 398 | - Enabled support to isolate code and read-only data on separate memory pages, |
| 399 | allowing independent access control to be applied to each. |
| 400 | |
| 401 | - Enabled SCR\_EL3.SIF (Secure Instruction Fetch) bit in BL1 and BL31 common |
| 402 | architectural setup code, preventing fetching instructions from non-secure |
| 403 | memory when in secure state. |
| 404 | |
| 405 | - Enhancements to FIP support: |
| 406 | |
| 407 | - Replaced ``fip_create`` with ``fiptool`` which provides a more consistent |
| 408 | and intuitive interface as well as additional support to remove an image |
| 409 | from a FIP file. |
| 410 | |
| 411 | - Enabled printing the SHA256 digest with info command, allowing quick |
| 412 | verification of an image within a FIP without having to extract the |
| 413 | image and running sha256sum on it. |
| 414 | |
| 415 | - Added support for unpacking the contents of an existing FIP file into |
| 416 | the working directory. |
| 417 | |
| 418 | - Aligned command line options for specifying images to use same naming |
| 419 | convention as specified by TBBR and already used in cert\_create tool. |
| 420 | |
| 421 | - Refactored the TZC-400 driver to also support memory controllers that |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 422 | integrate TZC functionality, for example Arm CoreLink DMC-500. Also added |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 423 | DMC-500 specific support. |
| 424 | |
| 425 | - Implemented generic delay timer based on the system generic counter and |
| 426 | migrated all platforms to use it. |
| 427 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 428 | - Enhanced support for Arm platforms: |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 429 | |
| 430 | - Updated image loading support to make SCP images (SCP\_BL2 and SCP\_BL2U) |
| 431 | optional. |
| 432 | |
| 433 | - Enhanced topology description support to allow multi-cluster topology |
| 434 | definitions. |
| 435 | |
| 436 | - Added interconnect abstraction layer to help platform ports select the |
| 437 | right interconnect driver, CCI or CCN, for the platform. |
| 438 | |
| 439 | - Added support to allow loading BL31 in the TZC-secured DRAM instead of |
| 440 | the default secure SRAM. |
| 441 | |
| 442 | - Added support to use a System Security Control (SSC) Registers Unit |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 443 | enabling TF-A to be compiled to support multiple Arm platforms and |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 444 | then select one at runtime. |
| 445 | |
| 446 | - Restricted mapping of Trusted ROM in BL1 to what is actually needed by |
| 447 | BL1 rather than entire Trusted ROM region. |
| 448 | |
| 449 | - Flash is now mapped as execute-never by default. This increases security |
| 450 | by restricting the executable region to what is strictly needed. |
| 451 | |
| 452 | - Applied following erratum workarounds for Cortex-A57: 833471, 826977, |
| 453 | 829520, 828024 and 826974. |
| 454 | |
| 455 | - Added support for Mediatek MT6795 platform. |
| 456 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 457 | - Added support for QEMU virtualization Armv8-A target. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 458 | |
| 459 | - Added support for Rockchip RK3368 and RK3399 platforms. |
| 460 | |
| 461 | - Added support for Xilinx Zynq UltraScale+ MPSoC platform. |
| 462 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 463 | - Added support for Arm Cortex-A73 MPCore Processor. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 464 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 465 | - Added support for Arm Cortex-A72 processor. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 466 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 467 | - Added support for Arm Cortex-A35 processor. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 468 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 469 | - Added support for Arm Cortex-A32 MPCore Processor. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 470 | |
| 471 | - Enabled preloaded BL33 alternative boot flow, in which BL2 does not load |
| 472 | BL33 from non-volatile storage and BL31 hands execution over to a preloaded |
| 473 | BL33. The User Guide has been updated with an example of how to use this |
| 474 | option with a bootwrapped kernel. |
| 475 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 476 | - Added support to build TF-A on a Windows-based host machine. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 477 | |
| 478 | - Updated Trusted Board Boot prototype implementation: |
| 479 | |
| 480 | - Enabled the ability for a production ROM with TBBR enabled to boot test |
| 481 | software before a real ROTPK is deployed (e.g. manufacturing mode). |
| 482 | Added support to use ROTPK in certificate without verifying against the |
| 483 | platform value when ``ROTPK_NOT_DEPLOYED`` bit is set. |
| 484 | |
| 485 | - Added support for non-volatile counter authentication to the |
| 486 | Authentication Module to protect against roll-back. |
| 487 | |
| 488 | - Updated GICv3 support: |
| 489 | |
| 490 | - Enabled processor power-down and automatic power-on using GICv3. |
| 491 | |
| 492 | - Enabled G1S or G0 interrupts to be configured independently. |
| 493 | |
| 494 | - Changed FVP default interrupt driver to be the GICv3-only driver. |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 495 | **Note** the default build of TF-A will not be able to boot |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 496 | Linux kernel with GICv2 FDT blob. |
| 497 | |
| 498 | - Enabled wake-up from CPU\_SUSPEND to stand-by by temporarily re-routing |
| 499 | interrupts and then restoring after resume. |
| 500 | |
| 501 | Issues resolved since last release |
| 502 | ---------------------------------- |
| 503 | |
| 504 | Known issues |
| 505 | ------------ |
| 506 | |
| 507 | - The version of the AEMv8 Base FVP used in this release resets the model |
| 508 | instead of terminating its execution in response to a shutdown request using |
| 509 | the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of |
| 510 | the model. |
| 511 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 512 | - Building TF-A with compiler optimisations disabled (``-O0``) fails. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 513 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 514 | - TF-A cannot be built with mbed TLS version v2.3.0 due to build warnings |
| 515 | that the TF-A build system interprets as errors. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 516 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 517 | - TBBR is not currently supported when running TF-A in AArch32 state. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 518 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 519 | Trusted Firmware-A - version 1.2 |
| 520 | ================================ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 521 | |
| 522 | New features |
| 523 | ------------ |
| 524 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 525 | - The Trusted Board Boot implementation on Arm platforms now conforms to the |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 526 | mandatory requirements of the TBBR specification. |
| 527 | |
| 528 | In particular, the boot process is now guarded by a Trusted Watchdog, which |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 529 | will reset the system in case of an authentication or loading error. On Arm |
| 530 | platforms, a secure instance of Arm SP805 is used as the Trusted Watchdog. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 531 | |
| 532 | Also, a firmware update process has been implemented. It enables |
| 533 | authenticated firmware to update firmware images from external interfaces to |
| 534 | SoC Non-Volatile memories. This feature functions even when the current |
| 535 | firmware in the system is corrupt or missing; it therefore may be used as |
| 536 | a recovery mode. |
| 537 | |
| 538 | - Improvements have been made to the Certificate Generation Tool |
| 539 | (``cert_create``) as follows. |
| 540 | |
| 541 | - Added support for the Firmware Update process by extending the Chain |
| 542 | of Trust definition in the tool to include the Firmware Update |
| 543 | certificate and the required extensions. |
| 544 | |
| 545 | - Introduced a new API that allows one to specify command line options in |
| 546 | the Chain of Trust description. This makes the declaration of the tool's |
| 547 | arguments more flexible and easier to extend. |
| 548 | |
| 549 | - The tool has been reworked to follow a data driven approach, which |
| 550 | makes it easier to maintain and extend. |
| 551 | |
| 552 | - Extended the FIP tool (``fip_create``) to support the new set of images |
| 553 | involved in the Firmware Update process. |
| 554 | |
| 555 | - Various memory footprint improvements. In particular: |
| 556 | |
| 557 | - The bakery lock structure for coherent memory has been optimised. |
| 558 | |
| 559 | - The mbed TLS SHA1 functions are not needed, as SHA256 is used to |
| 560 | generate the certificate signature. Therefore, they have been compiled |
| 561 | out, reducing the memory footprint of BL1 and BL2 by approximately |
| 562 | 6 KB. |
| 563 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 564 | - On Arm development platforms, each BL stage now individually defines |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 565 | the number of regions that it needs to map in the MMU. |
| 566 | |
| 567 | - Added the following new design documents: |
| 568 | |
| 569 | - `Authentication framework`_ |
| 570 | - `Firmware Update`_ |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 571 | - `TF-A Reset Design`_ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 572 | - `Power Domain Topology Design`_ |
| 573 | |
| 574 | - Applied the new image terminology to the code base and documentation, as |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 575 | described on the `TF-A wiki on GitHub`_. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 576 | |
| 577 | - The build system has been reworked to improve readability and facilitate |
| 578 | adding future extensions. |
| 579 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 580 | - On Arm standard platforms, BL31 uses the boot console during cold boot |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 581 | but switches to the runtime console for any later logs at runtime. The TSP |
| 582 | uses the runtime console for all output. |
| 583 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 584 | - Implemented a basic NOR flash driver for Arm platforms. It programs the |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 585 | device using CFI (Common Flash Interface) standard commands. |
| 586 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 587 | - Implemented support for booting EL3 payloads on Arm platforms, which |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 588 | reduces the complexity of developing EL3 baremetal code by doing essential |
| 589 | baremetal initialization. |
| 590 | |
| 591 | - Provided separate drivers for GICv3 and GICv2. These expect the entire |
| 592 | software stack to use either GICv2 or GICv3; hybrid GIC software systems |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 593 | are no longer supported and the legacy Arm GIC driver has been deprecated. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 594 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 595 | - Added support for Juno r1 and r2. A single set of Juno TF-A binaries can run |
| 596 | on Juno r0, r1 and r2 boards. Note that this TF-A version depends on a Linaro |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 597 | release that does *not* contain Juno r2 support. |
| 598 | |
| 599 | - Added support for MediaTek mt8173 platform. |
| 600 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 601 | - Implemented a generic driver for Arm CCN IP. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 602 | |
| 603 | - Major rework of the PSCI implementation. |
| 604 | |
| 605 | - Added framework to handle composite power states. |
| 606 | |
| 607 | - Decoupled the notions of affinity instances (which describes the |
| 608 | hierarchical arrangement of cores) and of power domain topology, instead |
| 609 | of assuming a one-to-one mapping. |
| 610 | |
| 611 | - Better alignment with version 1.0 of the PSCI specification. |
| 612 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 613 | - Added support for the SYSTEM\_SUSPEND PSCI API on Arm platforms. When invoked |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 614 | on the last running core on a supported platform, this puts the system |
| 615 | into a low power mode with memory retention. |
| 616 | |
| 617 | - Unified the reset handling code as much as possible across BL stages. |
| 618 | Also introduced some build options to enable optimization of the reset path |
| 619 | on platforms that support it. |
| 620 | |
| 621 | - Added a simple delay timer API, as well as an SP804 timer driver, which is |
| 622 | enabled on FVP. |
| 623 | |
| 624 | - Added support for NVidia Tegra T210 and T132 SoCs. |
| 625 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 626 | - Reorganised Arm platforms ports to greatly improve code shareability and |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 627 | facilitate the reuse of some of this code by other platforms. |
| 628 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 629 | - Added support for Arm Cortex-A72 processor in the CPU specific framework. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 630 | |
| 631 | - Provided better error handling. Platform ports can now define their own |
| 632 | error handling, for example to perform platform specific bookkeeping or |
| 633 | post-error actions. |
| 634 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 635 | - Implemented a unified driver for Arm Cache Coherent Interconnects used for |
| 636 | both CCI-400 & CCI-500 IPs. Arm platforms ports have been migrated to this |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 637 | common driver. The standalone CCI-400 driver has been deprecated. |
| 638 | |
| 639 | Issues resolved since last release |
| 640 | ---------------------------------- |
| 641 | |
| 642 | - The Trusted Board Boot implementation has been redesigned to provide greater |
| 643 | modularity and scalability. See the `Authentication Framework`_ document. |
| 644 | All missing mandatory features are now implemented. |
| 645 | |
| 646 | - The FVP and Juno ports may now use the hash of the ROTPK stored in the |
| 647 | Trusted Key Storage registers to verify the ROTPK. Alternatively, a |
| 648 | development public key hash embedded in the BL1 and BL2 binaries might be |
| 649 | used instead. The location of the ROTPK is chosen at build-time using the |
| 650 | ``ARM_ROTPK_LOCATION`` build option. |
| 651 | |
| 652 | - GICv3 is now fully supported and stable. |
| 653 | |
| 654 | Known issues |
| 655 | ------------ |
| 656 | |
| 657 | - The version of the AEMv8 Base FVP used in this release resets the model |
| 658 | instead of terminating its execution in response to a shutdown request using |
| 659 | the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of |
| 660 | the model. |
| 661 | |
| 662 | - While this version has low on-chip RAM requirements, there are further |
| 663 | RAM usage enhancements that could be made. |
| 664 | |
| 665 | - The upstream documentation could be improved for structural consistency, |
| 666 | clarity and completeness. In particular, the design documentation is |
| 667 | incomplete for PSCI, the TSP(D) and the Juno platform. |
| 668 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 669 | - Building TF-A with compiler optimisations disabled (``-O0``) fails. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 670 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 671 | Trusted Firmware-A - version 1.1 |
| 672 | ================================ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 673 | |
| 674 | New features |
| 675 | ------------ |
| 676 | |
| 677 | - A prototype implementation of Trusted Board Boot has been added. Boot |
| 678 | loader images are verified by BL1 and BL2 during the cold boot path. BL1 and |
| 679 | BL2 use the PolarSSL SSL library to verify certificates and images. The |
| 680 | OpenSSL library is used to create the X.509 certificates. Support has been |
| 681 | added to ``fip_create`` tool to package the certificates in a FIP. |
| 682 | |
| 683 | - Support for calling CPU and platform specific reset handlers upon entry into |
| 684 | BL3-1 during the cold and warm boot paths has been added. This happens after |
| 685 | another Boot ROM ``reset_handler()`` has already run. This enables a developer |
| 686 | to perform additional actions or undo actions already performed during the |
| 687 | first call of the reset handlers e.g. apply additional errata workarounds. |
| 688 | |
| 689 | - Support has been added to demonstrate routing of IRQs to EL3 instead of |
| 690 | S-EL1 when execution is in secure world. |
| 691 | |
| 692 | - The PSCI implementation now conforms to version 1.0 of the PSCI |
| 693 | specification. All the mandatory APIs and selected optional APIs are |
| 694 | supported. In particular, support for the ``PSCI_FEATURES`` API has been |
| 695 | added. A capability variable is constructed during initialization by |
| 696 | examining the ``plat_pm_ops`` and ``spd_pm_ops`` exported by the platform and |
| 697 | the Secure Payload Dispatcher. This is used by the PSCI FEATURES function |
| 698 | to determine which PSCI APIs are supported by the platform. |
| 699 | |
| 700 | - Improvements have been made to the PSCI code as follows. |
| 701 | |
| 702 | - The code has been refactored to remove redundant parameters from |
| 703 | internal functions. |
| 704 | |
| 705 | - Changes have been made to the code for PSCI ``CPU_SUSPEND``, ``CPU_ON`` and |
| 706 | ``CPU_OFF`` calls to facilitate an early return to the caller in case a |
| 707 | failure condition is detected. For example, a PSCI ``CPU_SUSPEND`` call |
| 708 | returns ``SUCCESS`` to the caller if a pending interrupt is detected early |
| 709 | in the code path. |
| 710 | |
| 711 | - Optional platform APIs have been added to validate the ``power_state`` and |
| 712 | ``entrypoint`` parameters early in PSCI ``CPU_ON`` and ``CPU_SUSPEND`` code |
| 713 | paths. |
| 714 | |
| 715 | - PSCI migrate APIs have been reworked to invoke the SPD hook to determine |
| 716 | the type of Trusted OS and the CPU it is resident on (if |
| 717 | applicable). Also, during a PSCI ``MIGRATE`` call, the SPD hook to migrate |
| 718 | the Trusted OS is invoked. |
| 719 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 720 | - It is now possible to build TF-A without marking at least an extra page of |
| 721 | memory as coherent. The build flag ``USE_COHERENT_MEM`` can be used to |
| 722 | choose between the two implementations. This has been made possible through |
| 723 | these changes. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 724 | |
| 725 | - An implementation of Bakery locks, where the locks are not allocated in |
| 726 | coherent memory has been added. |
| 727 | |
| 728 | - Memory which was previously marked as coherent is now kept coherent |
| 729 | through the use of software cache maintenance operations. |
| 730 | |
| 731 | Approximately, 4K worth of memory is saved for each boot loader stage when |
| 732 | ``USE_COHERENT_MEM=0``. Enabling this option increases the latencies |
| 733 | associated with acquire and release of locks. It also requires changes to |
| 734 | the platform ports. |
| 735 | |
| 736 | - It is now possible to specify the name of the FIP at build time by defining |
| 737 | the ``FIP_NAME`` variable. |
| 738 | |
| 739 | - Issues with depedencies on the 'fiptool' makefile target have been |
| 740 | rectified. The ``fip_create`` tool is now rebuilt whenever its source files |
| 741 | change. |
| 742 | |
| 743 | - The BL3-1 runtime console is now also used as the crash console. The crash |
| 744 | console is changed to SoC UART0 (UART2) from the previous FPGA UART0 (UART0) |
| 745 | on Juno. In FVP, it is changed from UART0 to UART1. |
| 746 | |
| 747 | - CPU errata workarounds are applied only when the revision and part number |
| 748 | match. This behaviour has been made consistent across the debug and release |
| 749 | builds. The debug build additionally prints a warning if a mismatch is |
| 750 | detected. |
| 751 | |
| 752 | - It is now possible to issue cache maintenance operations by set/way for a |
| 753 | particular level of data cache. Levels 1-3 are currently supported. |
| 754 | |
| 755 | - The following improvements have been made to the FVP port. |
| 756 | |
| 757 | - The build option ``FVP_SHARED_DATA_LOCATION`` which allowed relocation of |
| 758 | shared data into the Trusted DRAM has been deprecated. Shared data is |
| 759 | now always located at the base of Trusted SRAM. |
| 760 | |
| 761 | - BL2 Translation tables have been updated to map only the region of |
| 762 | DRAM which is accessible to normal world. This is the region of the 2GB |
| 763 | DDR-DRAM memory at 0x80000000 excluding the top 16MB. The top 16MB is |
| 764 | accessible to only the secure world. |
| 765 | |
| 766 | - BL3-2 can now reside in the top 16MB of DRAM which is accessible only to |
| 767 | the secure world. This can be done by setting the build flag |
| 768 | ``FVP_TSP_RAM_LOCATION`` to the value ``dram``. |
| 769 | |
| 770 | - Separate transation tables are created for each boot loader image. The |
| 771 | ``IMAGE_BLx`` build options are used to do this. This allows each stage to |
| 772 | create mappings only for areas in the memory map that it needs. |
| 773 | |
| 774 | - A Secure Payload Dispatcher (OPTEED) for the OP-TEE Trusted OS has been |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 775 | added. Details of using it with TF-A can be found in `OP-TEE Dispatcher`_ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 776 | |
| 777 | Issues resolved since last release |
| 778 | ---------------------------------- |
| 779 | |
| 780 | - The Juno port has been aligned with the FVP port as follows. |
| 781 | |
| 782 | - Support for reclaiming all BL1 RW memory and BL2 memory by overlaying |
| 783 | the BL3-1/BL3-2 NOBITS sections on top of them has been added to the |
| 784 | Juno port. |
| 785 | |
| 786 | - The top 16MB of the 2GB DDR-DRAM memory at 0x80000000 is configured |
| 787 | using the TZC-400 controller to be accessible only to the secure world. |
| 788 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 789 | - The Arm GIC driver is used to configure the GIC-400 instead of using a |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 790 | GIC driver private to the Juno port. |
| 791 | |
| 792 | - PSCI ``CPU_SUSPEND`` calls that target a standby state are now supported. |
| 793 | |
| 794 | - The TZC-400 driver is used to configure the controller instead of direct |
| 795 | accesses to the registers. |
| 796 | |
| 797 | - The Linux kernel version referred to in the user guide has DVFS and HMP |
| 798 | support enabled. |
| 799 | |
| 800 | - DS-5 v5.19 did not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in |
| 801 | CADI server mode. This issue is not seen with DS-5 v5.20 and Version 6.2 of |
| 802 | the Cortex-A57-A53 Base FVPs. |
| 803 | |
| 804 | Known issues |
| 805 | ------------ |
| 806 | |
| 807 | - The Trusted Board Boot implementation is a prototype. There are issues with |
| 808 | the modularity and scalability of the design. Support for a Trusted |
| 809 | Watchdog, firmware update mechanism, recovery images and Trusted debug is |
| 810 | absent. These issues will be addressed in future releases. |
| 811 | |
| 812 | - The FVP and Juno ports do not use the hash of the ROTPK stored in the |
| 813 | Trusted Key Storage registers to verify the ROTPK in the |
| 814 | ``plat_match_rotpk()`` function. This prevents the correct establishment of |
| 815 | the Chain of Trust at the first step in the Trusted Board Boot process. |
| 816 | |
| 817 | - The version of the AEMv8 Base FVP used in this release resets the model |
| 818 | instead of terminating its execution in response to a shutdown request using |
| 819 | the PSCI ``SYSTEM_OFF`` API. This issue will be fixed in a future version of |
| 820 | the model. |
| 821 | |
| 822 | - GICv3 support is experimental. There are known issues with GICv3 |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 823 | initialization in the TF-A. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 824 | |
| 825 | - While this version greatly reduces the on-chip RAM requirements, there are |
| 826 | further RAM usage enhancements that could be made. |
| 827 | |
| 828 | - The firmware design documentation for the Test Secure-EL1 Payload (TSP) and |
| 829 | its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. |
| 830 | |
| 831 | - The Juno-specific firmware design documentation is incomplete. |
| 832 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 833 | Trusted Firmware-A - version 1.0 |
| 834 | ================================ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 835 | |
| 836 | New features |
| 837 | ------------ |
| 838 | |
| 839 | - It is now possible to map higher physical addresses using non-flat virtual |
| 840 | to physical address mappings in the MMU setup. |
| 841 | |
| 842 | - Wider use is now made of the per-CPU data cache in BL3-1 to store: |
| 843 | |
| 844 | - Pointers to the non-secure and secure security state contexts. |
| 845 | |
| 846 | - A pointer to the CPU-specific operations. |
| 847 | |
| 848 | - A pointer to PSCI specific information (for example the current power |
| 849 | state). |
| 850 | |
| 851 | - A crash reporting buffer. |
| 852 | |
| 853 | - The following RAM usage improvements result in a BL3-1 RAM usage reduction |
| 854 | from 96KB to 56KB (for FVP with TSPD), and a total RAM usage reduction |
| 855 | across all images from 208KB to 88KB, compared to the previous release. |
| 856 | |
| 857 | - Removed the separate ``early_exception`` vectors from BL3-1 (2KB code size |
| 858 | saving). |
| 859 | |
| 860 | - Removed NSRAM from the FVP memory map, allowing the removal of one |
| 861 | (4KB) translation table. |
| 862 | |
| 863 | - Eliminated the internal ``psci_suspend_context`` array, saving 2KB. |
| 864 | |
| 865 | - Correctly dimensioned the PSCI ``aff_map_node`` array, saving 1.5KB in the |
| 866 | FVP port. |
| 867 | |
| 868 | - Removed calling CPU mpidr from the bakery lock API, saving 160 bytes. |
| 869 | |
| 870 | - Removed current CPU mpidr from PSCI common code, saving 160 bytes. |
| 871 | |
| 872 | - Inlined the mmio accessor functions, saving 360 bytes. |
| 873 | |
| 874 | - Fully reclaimed all BL1 RW memory and BL2 memory on the FVP port by |
| 875 | overlaying the BL3-1/BL3-2 NOBITS sections on top of these at runtime. |
| 876 | |
| 877 | - Made storing the FP register context optional, saving 0.5KB per context |
| 878 | (8KB on the FVP port, with TSPD enabled and running on 8 CPUs). |
| 879 | |
| 880 | - Implemented a leaner ``tf_printf()`` function, allowing the stack to be |
| 881 | greatly reduced. |
| 882 | |
| 883 | - Removed coherent stacks from the codebase. Stacks allocated in normal |
| 884 | memory are now used before and after the MMU is enabled. This saves 768 |
| 885 | bytes per CPU in BL3-1. |
| 886 | |
| 887 | - Reworked the crash reporting in BL3-1 to use less stack. |
| 888 | |
| 889 | - Optimized the EL3 register state stored in the ``cpu_context`` structure |
| 890 | so that registers that do not change during normal execution are |
| 891 | re-initialized each time during cold/warm boot, rather than restored |
| 892 | from memory. This saves about 1.2KB. |
| 893 | |
| 894 | - As a result of some of the above, reduced the runtime stack size in all |
| 895 | BL images. For BL3-1, this saves 1KB per CPU. |
| 896 | |
| 897 | - PSCI SMC handler improvements to correctly handle calls from secure states |
| 898 | and from AArch32. |
| 899 | |
| 900 | - CPU contexts are now initialized from the ``entry_point_info``. BL3-1 fully |
| 901 | determines the exception level to use for the non-trusted firmware (BL3-3) |
| 902 | based on the SPSR value provided by the BL2 platform code (or otherwise |
| 903 | provided to BL3-1). This allows platform code to directly run non-trusted |
| 904 | firmware payloads at either EL2 or EL1 without requiring an EL2 stub or OS |
| 905 | loader. |
| 906 | |
| 907 | - Code refactoring improvements: |
| 908 | |
| 909 | - Refactored ``fvp_config`` into a common platform header. |
| 910 | |
| 911 | - Refactored the fvp gic code to be a generic driver that no longer has an |
| 912 | explicit dependency on platform code. |
| 913 | |
| 914 | - Refactored the CCI-400 driver to not have dependency on platform code. |
| 915 | |
| 916 | - Simplified the IO driver so it's no longer necessary to call ``io_init()`` |
| 917 | and moved all the IO storage framework code to one place. |
| 918 | |
| 919 | - Simplified the interface the the TZC-400 driver. |
| 920 | |
| 921 | - Clarified the platform porting interface to the TSP. |
| 922 | |
| 923 | - Reworked the TSPD setup code to support the alternate BL3-2 |
| 924 | intialization flow where BL3-1 generic code hands control to BL3-2, |
| 925 | rather than expecting the TSPD to hand control directly to BL3-2. |
| 926 | |
| 927 | - Considerable rework to PSCI generic code to support CPU specific |
| 928 | operations. |
| 929 | |
| 930 | - Improved console log output, by: |
| 931 | |
| 932 | - Adding the concept of debug log levels. |
| 933 | |
| 934 | - Rationalizing the existing debug messages and adding new ones. |
| 935 | |
| 936 | - Printing out the version of each BL stage at runtime. |
| 937 | |
| 938 | - Adding support for printing console output from assembler code, |
| 939 | including when a crash occurs before the C runtime is initialized. |
| 940 | |
| 941 | - Moved up to the latest versions of the FVPs, toolchain, EDK2, kernel, Linaro |
| 942 | file system and DS-5. |
| 943 | |
| 944 | - On the FVP port, made the use of the Trusted DRAM region optional at build |
| 945 | time (off by default). Normal platforms will not have such a "ready-to-use" |
| 946 | DRAM area so it is not a good example to use it. |
| 947 | |
| 948 | - Added support for PSCI ``SYSTEM_OFF`` and ``SYSTEM_RESET`` APIs. |
| 949 | |
| 950 | - Added support for CPU specific reset sequences, power down sequences and |
| 951 | register dumping during crash reporting. The CPU specific reset sequences |
| 952 | include support for errata workarounds. |
| 953 | |
| 954 | - Merged the Juno port into the master branch. Added support for CPU hotplug |
| 955 | and CPU idle. Updated the user guide to describe how to build and run on the |
| 956 | Juno platform. |
| 957 | |
| 958 | Issues resolved since last release |
| 959 | ---------------------------------- |
| 960 | |
| 961 | - Removed the concept of top/bottom image loading. The image loader now |
| 962 | automatically detects the position of the image inside the current memory |
| 963 | layout and updates the layout to minimize fragementation. This resolves the |
| 964 | image loader limitations of previously releases. There are currently no |
| 965 | plans to support dynamic image loading. |
| 966 | |
| 967 | - CPU idle now works on the publicized version of the Foundation FVP. |
| 968 | |
| 969 | - All known issues relating to the compiler version used have now been |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 970 | resolved. This TF-A version uses Linaro toolchain 14.07 (based on GCC 4.9). |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 971 | |
| 972 | Known issues |
| 973 | ------------ |
| 974 | |
| 975 | - GICv3 support is experimental. The Linux kernel patches to support this are |
| 976 | not widely available. There are known issues with GICv3 initialization in |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 977 | the TF-A. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 978 | |
| 979 | - While this version greatly reduces the on-chip RAM requirements, there are |
| 980 | further RAM usage enhancements that could be made. |
| 981 | |
| 982 | - The firmware design documentation for the Test Secure-EL1 Payload (TSP) and |
| 983 | its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. |
| 984 | |
| 985 | - The Juno-specific firmware design documentation is incomplete. |
| 986 | |
| 987 | - Some recent enhancements to the FVP port have not yet been translated into |
| 988 | the Juno port. These will be tracked via the tf-issues project. |
| 989 | |
| 990 | - The Linux kernel version referred to in the user guide has DVFS and HMP |
| 991 | support disabled due to some known instabilities at the time of this |
| 992 | release. A future kernel version will re-enable these features. |
| 993 | |
| 994 | - DS-5 v5.19 does not detect Version 5.8 of the Cortex-A57-A53 Base FVPs in |
| 995 | CADI server mode. This is because the ``<SimName>`` reported by the FVP in |
| 996 | this version has changed. For example, for the Cortex-A57x4-A53x4 Base FVP, |
| 997 | the ``<SimName>`` reported by the FVP is ``FVP_Base_Cortex_A57x4_A53x4``, while |
| 998 | DS-5 expects it to be ``FVP_Base_A57x4_A53x4``. |
| 999 | |
| 1000 | The temporary fix to this problem is to change the name of the FVP in |
| 1001 | ``sw/debugger/configdb/Boards/ARM FVP/Base_A57x4_A53x4/cadi_config.xml``. |
| 1002 | Change the following line: |
| 1003 | |
| 1004 | :: |
| 1005 | |
| 1006 | <SimName>System Generator:FVP_Base_A57x4_A53x4</SimName> |
| 1007 | |
| 1008 | to |
| 1009 | System Generator:FVP\_Base\_Cortex-A57x4\_A53x4 |
| 1010 | |
| 1011 | A similar change can be made to the other Cortex-A57-A53 Base FVP variants. |
| 1012 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1013 | Trusted Firmware-A - version 0.4 |
| 1014 | ================================ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1015 | |
| 1016 | New features |
| 1017 | ------------ |
| 1018 | |
| 1019 | - Makefile improvements: |
| 1020 | |
| 1021 | - Improved dependency checking when building. |
| 1022 | |
| 1023 | - Removed ``dump`` target (build now always produces dump files). |
| 1024 | |
| 1025 | - Enabled platform ports to optionally make use of parts of the Trusted |
| 1026 | Firmware (e.g. BL3-1 only), rather than being forced to use all parts. |
| 1027 | Also made the ``fip`` target optional. |
| 1028 | |
| 1029 | - Specified the full path to source files and removed use of the ``vpath`` |
| 1030 | keyword. |
| 1031 | |
| 1032 | - Provided translation table library code for potential re-use by platforms |
| 1033 | other than the FVPs. |
| 1034 | |
| 1035 | - Moved architectural timer setup to platform-specific code. |
| 1036 | |
| 1037 | - Added standby state support to PSCI cpu\_suspend implementation. |
| 1038 | |
| 1039 | - SRAM usage improvements: |
| 1040 | |
| 1041 | - Started using the ``-ffunction-sections``, ``-fdata-sections`` and |
| 1042 | ``--gc-sections`` compiler/linker options to remove unused code and data |
| 1043 | from the images. Previously, all common functions were being built into |
| 1044 | all binary images, whether or not they were actually used. |
| 1045 | |
| 1046 | - Placed all assembler functions in their own section to allow more unused |
| 1047 | functions to be removed from images. |
| 1048 | |
| 1049 | - Updated BL1 and BL2 to use a single coherent stack each, rather than one |
| 1050 | per CPU. |
| 1051 | |
| 1052 | - Changed variables that were unnecessarily declared and initialized as |
| 1053 | non-const (i.e. in the .data section) so they are either uninitialized |
| 1054 | (zero init) or const. |
| 1055 | |
| 1056 | - Moved the Test Secure-EL1 Payload (BL3-2) to execute in Trusted SRAM by |
| 1057 | default. The option for it to run in Trusted DRAM remains. |
| 1058 | |
| 1059 | - Implemented a TrustZone Address Space Controller (TZC-400) driver. A |
| 1060 | default configuration is provided for the Base FVPs. This means the model |
| 1061 | parameter ``-C bp.secure_memory=1`` is now supported. |
| 1062 | |
| 1063 | - Started saving the PSCI cpu\_suspend 'power\_state' parameter prior to |
| 1064 | suspending a CPU. This allows platforms that implement multiple power-down |
| 1065 | states at the same affinity level to identify a specific state. |
| 1066 | |
| 1067 | - Refactored the entire codebase to reduce the amount of nesting in header |
| 1068 | files and to make the use of system/user includes more consistent. Also |
| 1069 | split platform.h to separate out the platform porting declarations from the |
| 1070 | required platform porting definitions and the definitions/declarations |
| 1071 | specific to the platform port. |
| 1072 | |
| 1073 | - Optimized the data cache clean/invalidate operations. |
| 1074 | |
| 1075 | - Improved the BL3-1 unhandled exception handling and reporting. Unhandled |
| 1076 | exceptions now result in a dump of registers to the console. |
| 1077 | |
| 1078 | - Major rework to the handover interface between BL stages, in particular the |
| 1079 | interface to BL3-1. The interface now conforms to a specification and is |
| 1080 | more future proof. |
| 1081 | |
| 1082 | - Added support for optionally making the BL3-1 entrypoint a reset handler |
| 1083 | (instead of BL1). This allows platforms with an alternative image loading |
| 1084 | architecture to re-use BL3-1 with fewer modifications to generic code. |
| 1085 | |
| 1086 | - Reserved some DDR DRAM for secure use on FVP platforms to avoid future |
| 1087 | compatibility problems with non-secure software. |
| 1088 | |
| 1089 | - Added support for secure interrupts targeting the Secure-EL1 Payload (SP) |
| 1090 | (using GICv2 routing only). Demonstrated this working by adding an interrupt |
| 1091 | target and supporting test code to the TSP. Also demonstrated non-secure |
| 1092 | interrupt handling during TSP processing. |
| 1093 | |
| 1094 | Issues resolved since last release |
| 1095 | ---------------------------------- |
| 1096 | |
| 1097 | - Now support use of the model parameter ``-C bp.secure_memory=1`` in the Base |
| 1098 | FVPs (see **New features**). |
| 1099 | |
| 1100 | - Support for secure world interrupt handling now available (see **New |
| 1101 | features**). |
| 1102 | |
| 1103 | - Made enough SRAM savings (see **New features**) to enable the Test Secure-EL1 |
| 1104 | Payload (BL3-2) to execute in Trusted SRAM by default. |
| 1105 | |
| 1106 | - The tested filesystem used for this release (Linaro AArch64 OpenEmbedded |
| 1107 | 14.04) now correctly reports progress in the console. |
| 1108 | |
| 1109 | - Improved the Makefile structure to make it easier to separate out parts of |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1110 | the TF-A for re-use in platform ports. Also, improved target dependency |
| 1111 | checking. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1112 | |
| 1113 | Known issues |
| 1114 | ------------ |
| 1115 | |
| 1116 | - GICv3 support is experimental. The Linux kernel patches to support this are |
| 1117 | not widely available. There are known issues with GICv3 initialization in |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1118 | the TF-A. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1119 | |
| 1120 | - Dynamic image loading is not available yet. The current image loader |
| 1121 | implementation (used to load BL2 and all subsequent images) has some |
| 1122 | limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead |
| 1123 | to loading errors, even if the images should theoretically fit in memory. |
| 1124 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1125 | - TF-A still uses too much on-chip Trusted SRAM. A number of RAM usage |
| 1126 | enhancements have been identified to rectify this situation. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1127 | |
| 1128 | - CPU idle does not work on the advertised version of the Foundation FVP. |
| 1129 | Some FVP fixes are required that are not available externally at the time |
| 1130 | of writing. This can be worked around by disabling CPU idle in the Linux |
| 1131 | kernel. |
| 1132 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1133 | - Various bugs in TF-A, UEFI and the Linux kernel have been observed when |
| 1134 | using Linaro toolchain versions later than 13.11. Although most of these |
| 1135 | have been fixed, some remain at the time of writing. These mainly seem to |
| 1136 | relate to a subtle change in the way the compiler converts between 64-bit |
| 1137 | and 32-bit values (e.g. during casting operations), which reveals |
| 1138 | previously hidden bugs in client code. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1139 | |
| 1140 | - The firmware design documentation for the Test Secure-EL1 Payload (TSP) and |
| 1141 | its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. |
| 1142 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1143 | Trusted Firmware-A - version 0.3 |
| 1144 | ================================ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1145 | |
| 1146 | New features |
| 1147 | ------------ |
| 1148 | |
| 1149 | - Support for Foundation FVP Version 2.0 added. |
| 1150 | The documented UEFI configuration disables some devices that are unavailable |
| 1151 | in the Foundation FVP, including MMC and CLCD. The resultant UEFI binary can |
| 1152 | be used on the AEMv8 and Cortex-A57-A53 Base FVPs, as well as the Foundation |
| 1153 | FVP. |
| 1154 | |
| 1155 | NOTE: The software will not work on Version 1.0 of the Foundation FVP. |
| 1156 | |
| 1157 | - Enabled third party contributions. Added a new contributing.md containing |
| 1158 | instructions for how to contribute and updated copyright text in all files |
| 1159 | to acknowledge contributors. |
| 1160 | |
| 1161 | - The PSCI CPU\_SUSPEND API has been stabilised to the extent where it can be |
| 1162 | used for entry into power down states with the following restrictions: |
| 1163 | |
| 1164 | - Entry into standby states is not supported. |
| 1165 | - The API is only supported on the AEMv8 and Cortex-A57-A53 Base FVPs. |
| 1166 | |
| 1167 | - The PSCI AFFINITY\_INFO api has undergone limited testing on the Base FVPs to |
| 1168 | allow experimental use. |
| 1169 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1170 | - Required C library and runtime header files are now included locally in |
| 1171 | TF-A instead of depending on the toolchain standard include paths. The |
| 1172 | local implementation has been cleaned up and reduced in scope. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1173 | |
| 1174 | - Added I/O abstraction framework, primarily to allow generic code to load |
| 1175 | images in a platform-independent way. The existing image loading code has |
| 1176 | been reworked to use the new framework. Semi-hosting and NOR flash I/O |
| 1177 | drivers are provided. |
| 1178 | |
| 1179 | - Introduced Firmware Image Package (FIP) handling code and tools. A FIP |
| 1180 | combines multiple firmware images with a Table of Contents (ToC) into a |
| 1181 | single binary image. The new FIP driver is another type of I/O driver. The |
| 1182 | Makefile builds a FIP by default and the FVP platform code expect to load a |
| 1183 | FIP from NOR flash, although some support for image loading using semi- |
| 1184 | hosting is retained. |
| 1185 | |
| 1186 | NOTE: Building a FIP by default is a non-backwards-compatible change. |
| 1187 | |
| 1188 | NOTE: Generic BL2 code now loads a BL3-3 (non-trusted firmware) image into |
| 1189 | DRAM instead of expecting this to be pre-loaded at known location. This is |
| 1190 | also a non-backwards-compatible change. |
| 1191 | |
| 1192 | NOTE: Some non-trusted firmware (e.g. UEFI) will need to be rebuilt so that |
| 1193 | it knows the new location to execute from and no longer needs to copy |
| 1194 | particular code modules to DRAM itself. |
| 1195 | |
| 1196 | - Reworked BL2 to BL3-1 handover interface. A new composite structure |
| 1197 | (bl31\_args) holds the superset of information that needs to be passed from |
| 1198 | BL2 to BL3-1, including information on how handover execution control to |
| 1199 | BL3-2 (if present) and BL3-3 (non-trusted firmware). |
| 1200 | |
| 1201 | - Added library support for CPU context management, allowing the saving and |
| 1202 | restoring of |
| 1203 | |
| 1204 | - Shared system registers between Secure-EL1 and EL1. |
| 1205 | - VFP registers. |
| 1206 | - Essential EL3 system registers. |
| 1207 | |
| 1208 | - Added a framework for implementing EL3 runtime services. Reworked the PSCI |
| 1209 | implementation to be one such runtime service. |
| 1210 | |
| 1211 | - Reworked the exception handling logic, making use of both SP\_EL0 and SP\_EL3 |
| 1212 | stack pointers for determining the type of exception, managing general |
| 1213 | purpose and system register context on exception entry/exit, and handling |
| 1214 | SMCs. SMCs are directed to the correct EL3 runtime service. |
| 1215 | |
| 1216 | - Added support for a Test Secure-EL1 Payload (TSP) and a corresponding |
| 1217 | Dispatcher (TSPD), which is loaded as an EL3 runtime service. The TSPD |
| 1218 | implements Secure Monitor functionality such as world switching and |
| 1219 | EL1 context management, and is responsible for communication with the TSP. |
| 1220 | NOTE: The TSPD does not yet contain support for secure world interrupts. |
| 1221 | NOTE: The TSP/TSPD is not built by default. |
| 1222 | |
| 1223 | Issues resolved since last release |
| 1224 | ---------------------------------- |
| 1225 | |
| 1226 | - Support has been added for switching context between secure and normal |
| 1227 | worlds in EL3. |
| 1228 | |
| 1229 | - PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` have now been tested (to |
| 1230 | a limited extent). |
| 1231 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1232 | - The TF-A build artifacts are now placed in the ``./build`` directory and |
| 1233 | sub-directories instead of being placed in the root of the project. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1234 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1235 | - TF-A is now free from build warnings. Build warnings are now treated as |
| 1236 | errors. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1237 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1238 | - TF-A now provides C library support locally within the project to maintain |
| 1239 | compatibility between toolchains/systems. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1240 | |
| 1241 | - The PSCI locking code has been reworked so it no longer takes locks in an |
| 1242 | incorrect sequence. |
| 1243 | |
| 1244 | - The RAM-disk method of loading a Linux file-system has been confirmed to |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1245 | work with the TF-A and Linux kernel version (based on version 3.13) used |
| 1246 | in this release, for both Foundation and Base FVPs. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1247 | |
| 1248 | Known issues |
| 1249 | ------------ |
| 1250 | |
| 1251 | The following is a list of issues which are expected to be fixed in the future |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1252 | releases of TF-A. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1253 | |
| 1254 | - The TrustZone Address Space Controller (TZC-400) is not being programmed |
| 1255 | yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported. |
| 1256 | |
| 1257 | - No support yet for secure world interrupt handling. |
| 1258 | |
| 1259 | - GICv3 support is experimental. The Linux kernel patches to support this are |
| 1260 | not widely available. There are known issues with GICv3 initialization in |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1261 | TF-A. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1262 | |
| 1263 | - Dynamic image loading is not available yet. The current image loader |
| 1264 | implementation (used to load BL2 and all subsequent images) has some |
| 1265 | limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead |
| 1266 | to loading errors, even if the images should theoretically fit in memory. |
| 1267 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1268 | - TF-A uses too much on-chip Trusted SRAM. Currently the Test Secure-EL1 |
| 1269 | Payload (BL3-2) executes in Trusted DRAM since there is not enough SRAM. |
| 1270 | A number of RAM usage enhancements have been identified to rectify this |
| 1271 | situation. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1272 | |
| 1273 | - CPU idle does not work on the advertised version of the Foundation FVP. |
| 1274 | Some FVP fixes are required that are not available externally at the time |
| 1275 | of writing. |
| 1276 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1277 | - Various bugs in TF-A, UEFI and the Linux kernel have been observed when |
| 1278 | using Linaro toolchain versions later than 13.11. Although most of these |
| 1279 | have been fixed, some remain at the time of writing. These mainly seem to |
| 1280 | relate to a subtle change in the way the compiler converts between 64-bit |
| 1281 | and 32-bit values (e.g. during casting operations), which reveals |
| 1282 | previously hidden bugs in client code. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1283 | |
| 1284 | - The tested filesystem used for this release (Linaro AArch64 OpenEmbedded |
| 1285 | 14.01) does not report progress correctly in the console. It only seems to |
| 1286 | produce error output, not standard output. It otherwise appears to function |
| 1287 | correctly. Other filesystem versions on the same software stack do not |
| 1288 | exhibit the problem. |
| 1289 | |
| 1290 | - The Makefile structure doesn't make it easy to separate out parts of the |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1291 | TF-A for re-use in platform ports, for example if only BL3-1 is required in |
| 1292 | a platform port. Also, dependency checking in the Makefile is flawed. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1293 | |
| 1294 | - The firmware design documentation for the Test Secure-EL1 Payload (TSP) and |
| 1295 | its dispatcher (TSPD) is incomplete. Similarly for the PSCI section. |
| 1296 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1297 | Trusted Firmware-A - version 0.2 |
| 1298 | ================================ |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1299 | |
| 1300 | New features |
| 1301 | ------------ |
| 1302 | |
| 1303 | - First source release. |
| 1304 | |
| 1305 | - Code for the PSCI suspend feature is supplied, although this is not enabled |
| 1306 | by default since there are known issues (see below). |
| 1307 | |
| 1308 | Issues resolved since last release |
| 1309 | ---------------------------------- |
| 1310 | |
| 1311 | - The "psci" nodes in the FDTs provided in this release now fully comply |
| 1312 | with the recommendations made in the PSCI specification. |
| 1313 | |
| 1314 | Known issues |
| 1315 | ------------ |
| 1316 | |
| 1317 | The following is a list of issues which are expected to be fixed in the future |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1318 | releases of TF-A. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1319 | |
| 1320 | - The TrustZone Address Space Controller (TZC-400) is not being programmed |
| 1321 | yet. Use of model parameter ``-C bp.secure_memory=1`` is not supported. |
| 1322 | |
| 1323 | - No support yet for secure world interrupt handling or for switching context |
| 1324 | between secure and normal worlds in EL3. |
| 1325 | |
| 1326 | - GICv3 support is experimental. The Linux kernel patches to support this are |
| 1327 | not widely available. There are known issues with GICv3 initialization in |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1328 | TF-A. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1329 | |
| 1330 | - Dynamic image loading is not available yet. The current image loader |
| 1331 | implementation (used to load BL2 and all subsequent images) has some |
| 1332 | limitations. Changing BL2 or BL3-1 load addresses in certain ways can lead |
| 1333 | to loading errors, even if the images should theoretically fit in memory. |
| 1334 | |
| 1335 | - Although support for PSCI ``CPU_SUSPEND`` is present, it is not yet stable |
| 1336 | and ready for use. |
| 1337 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1338 | - PSCI API calls ``AFFINITY_INFO`` & ``PSCI_VERSION`` are implemented but have |
| 1339 | not been tested. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1340 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1341 | - The TF-A make files result in all build artifacts being placed in the root |
| 1342 | of the project. These should be placed in appropriate sub-directories. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1343 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1344 | - The compilation of TF-A is not free from compilation warnings. Some of these |
| 1345 | warnings have not been investigated yet so they could mask real bugs. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1346 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1347 | - TF-A currently uses toolchain/system include files like stdio.h. It should |
| 1348 | provide versions of these within the project to maintain compatibility |
| 1349 | between toolchains/systems. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1350 | |
| 1351 | - The PSCI code takes some locks in an incorrect sequence. This may cause |
| 1352 | problems with suspend and hotplug in certain conditions. |
| 1353 | |
| 1354 | - The Linux kernel used in this release is based on version 3.12-rc4. Using |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1355 | this kernel with the TF-A fails to start the file-system as a RAM-disk. It |
| 1356 | fails to execute user-space ``init`` from the RAM-disk. As an alternative, |
| 1357 | the VirtioBlock mechanism can be used to provide a file-system to the |
| 1358 | kernel. |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1359 | |
| 1360 | -------------- |
| 1361 | |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1362 | *Copyright (c) 2013-2018, Arm Limited and Contributors. All rights reserved.* |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1363 | |
| 1364 | .. _PSCI Integration Guide: psci-lib-integration-guide.rst |
| 1365 | .. _Developer Certificate of Origin: ../dco.txt |
| 1366 | .. _Contribution Guide: ../contributing.rst |
| 1367 | .. _Authentication framework: auth-framework.rst |
| 1368 | .. _Firmware Update: firmware-update.rst |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1369 | .. _TF-A Reset Design: reset-design.rst |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1370 | .. _Power Domain Topology Design: psci-pd-tree.rst |
Dan Handley | 610e7e1 | 2018-03-01 18:44:00 +0000 | [diff] [blame^] | 1371 | .. _TF-A wiki on GitHub: https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Image-Terminology |
Douglas Raillard | d7c21b7 | 2017-06-28 15:23:03 +0100 | [diff] [blame] | 1372 | .. _Authentication Framework: auth-framework.rst |
| 1373 | .. _OP-TEE Dispatcher: optee-dispatcher.rst |
David Cunado | 1b796fa | 2017-07-03 18:59:07 +0100 | [diff] [blame] | 1374 | .. _tf-issue#501: https://github.com/ARM-software/tf-issues/issues/501 |
| 1375 | .. _PR#1002: https://github.com/ARM-software/arm-trusted-firmware/pull/1002#issuecomment-312650193 |