# Change Log

## v2.13
### Highlights

* FF-A v1.3 (early adoption):
  * The `FFA_MEM_PERM_GET` ABI was changed to return permissions over a range of pages. If the range
    has varying permissions, it returns the last address to which the same permissions apply.

* FF-A v1.2:
  * Added support for the `FFA_MSG_SEND2` ABI to send indirect messages specifying a service UUID.

* Runtime Support:
  * Secure Partition Package format using a Transfer List, following the Firmware Hand-Off
    specification:
    * The Transfer List library was added to the codebase.
    * The legacy SP package format and the TL are differentiated using a `magic` value.
    * The SPMC unpacks the SP manifest and retrieves the SP binary from the TL.
  * Passing the HOB structure to the SP as boot information:
    * The TL package format is leveraged to convey a HOB-like structure to the SPMC as part of the
      corresponding SP package.
    * The FF-A boot information protocol is used to propagate the HOB reference to the SP.
  * Added the ability to trigger an SRI when handling an interrupt for an SP in the waiting state:
    * The new `sri-interrupts-policy` configuration in the SP manifest initiates this behavior.
    * SPs are included in the return of `FFA_NOTIFICATION_INFO_GET` if they are in the waiting
      state, have pending interrupts, and have configured the `sri-interrupts-policy` field.
  * Allowed use of `HF_INTERRUPT_SEND_IPI` with the ID of the calling vCPU.
  * Bootstrapped all secondary vCPUs of all MP SPs when bringing up secondary cores.
  * Deprecated subscriptions to CPU power-on events for SPs.
  * Unified the tracking of all virtual interrupts:
    * Deprecated the `HF_INTERRUPT_DEACTIVATE` ABI for handling secure interrupts, as it wasn't
      needed for the others.
    * Virtual interrupts are returned by `HF_INTERRUPT_GET` in the order they were pended.
    * Cleared the state of virtual interrupts when returning `FFA_INTERRUPT` to an S-EL0
      partition.
    * Unconditionally cleared the ME interrupt when the SP enters the waiting state.
  * Multiple SPs can send an IPI targeting vCPUs pinned to the same physical core.
  * SPs can subscribe to the CPU power-off event; the SPMC informs them through an FF-A direct
    request carrying a power management framework message.
  * Allowed memory regions defined in the SP manifest using `load-address-relative-offset` to
    overlap with the SP's address space, which is useful for setting permissions on specific
    regions.

* Bug fixes:
  * The `dlog` functions did not handle the `%*` format specifier. This is now supported.
  * Corrected the Schedule Receiver Interrupt priority to fit within the 'non-secure' interrupt
    priority range.
  * Fixed an issue where, with MTE enabled, the synchronous exception handler did not cover all
    exception codes.
  * The `FFA_PARTITION_INFO_GET` ABI now provides partition information with multiple UUIDs only
    to callers using FF-A v1.2 or later.
  * Previously, virtual interrupts targeting a vCPU in the waiting state (and migrated to another
    physical CPU) were simply queued. Now, the vCPU is resumed on the target CPU and the interrupt
    is signaled for handling.
  * When the SPMC intercepts an `FFA_MSG_WAIT` or `FFA_MSG_SEND_DIRECT_RESP`/
    `FFA_MSG_SEND_DIRECT_RESP2` and returns with `FFA_INTERRUPT`, it sets the SP in SPMC scheduled
    mode and masks all other interrupts.
  * In `FFA_MEM_RETRIEVE_REQ` ABI handling, if the flag to bypass multiple borrower checks is set,
    then exactly one receiver is expected.
  * Fixed incorrect reporting of pending notifications in `FFA_NOTIFICATION_INFO_GET` when none
    remained.
  * Enabled G1S interrupts if they were not previously enabled by EL3.
  * Fixed a memory leak during FF-A memory share/lend/donate operations, where a page allocated
    for the memory region descriptor could leak if a copy operation failed.
  * Fixed misreporting in the `FFA_FEATURES` interface regarding support of certain ABIs based on
    FF-A version.
  * The SPMC now accepts either the 32-bit or 64-bit version of the `FFA_SUCCESS` ABI in response
    to `FFA_SECONDARY_EP_REGISTER` from the SPMD.
  * Added support for specifying `FFA_VERSION_COMPILED` in GN build system options.

* Tests, scripts, testing framework and build:
  * Increased test coverage for the IPI feature: non-primary CPUs, multiple IPIs pending on a CPU,
    one-to-many tests, unit tests.
  * Improved performance of static checks using `clang-tidy` and `checkpatch.pl`.
  * `hftest.py` can now process logs with invalid UTF-8 bytes.
  * `hftest.py` can use the `HAFNIUM_FVP` environment variable to locate the FVP binary for
    spawning tests.
  * Added a Hafnium Hypervisor target built with FF-A v1.1 for testing integration with the
    EL3 SPMC.
  * Revived the Docker image to enable building the project on macOS.
  * Modified `kokoro/test_spmc.sh` to optionally continue running all tests even if some fail.
  * Added dedicated `make` rules for the various test scripts under `kokoro/*`.

* Miscellaneous:
  * The `ffa` module, encapsulating behavior specific to the Hypervisor and SPMC, was moved to
    `src/ffa`. Files were split for a tidier and more modular implementation.

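As an added illustration of the `FFA_MEM_PERM_GET` range semantics described under FF-A v1.3 above (example code written for this page, not Hafnium's implementation): a caller asks for permissions over a span of pages and gets back the permissions of the first page together with the last address that still shares them, so it can resume the walk from the next page. The per-page table, the permission encoding, the `perm_range` result structure and the `mem_perm_get_range` signature are all this example's own assumptions, and the sample table is constructed.

```c
/* Added illustrative example: a model of the FFA_MEM_PERM_GET range
 * semantics, not Hafnium's code. The per-page permission table, the
 * permission encoding and the result structure are constructed here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ull

/* Hypothetical permission encoding used only by this example. */
enum page_perm { PERM_RO = 1, PERM_RW = 2, PERM_RX = 3 };

struct perm_range {
	bool valid;          /* false if the query lies outside the region */
	enum page_perm perm; /* permissions of the page at base_addr */
	uint64_t last_addr;  /* base address of the last page sharing perm */
};

/* Query permissions for req_pages pages starting at base_addr. The walk
 * stops at the first page whose permissions differ from the first page, so
 * last_addr tells the caller where a follow-up query should resume. */
struct perm_range mem_perm_get_range(const enum page_perm *table,
				     size_t table_pages, uint64_t region_base,
				     uint64_t base_addr, uint64_t req_pages)
{
	struct perm_range r = { false, PERM_RO, 0 };
	uint64_t first, last;

	if (base_addr < region_base || base_addr % PAGE_SIZE != 0 ||
	    req_pages == 0) {
		return r;
	}
	first = (base_addr - region_base) / PAGE_SIZE;
	/* Reject queries that run past the described region. */
	if (first >= table_pages || req_pages > table_pages - first) {
		return r;
	}
	r.valid = true;
	r.perm = table[first];
	last = first;
	while (last + 1 < first + req_pages && table[last + 1] == r.perm) {
		last++;
	}
	r.last_addr = region_base + last * PAGE_SIZE;
	return r;
}

/* Constructed sample: eight pages forming three permission runs. */
const enum page_perm SAMPLE_PERMS[8] = { PERM_RW, PERM_RW, PERM_RW, PERM_RO,
					 PERM_RO, PERM_RX, PERM_RX, PERM_RX };
const uint64_t SAMPLE_BASE = 0x80000000ull;

int main(void)
{
	uint64_t addr = SAMPLE_BASE;
	uint64_t end = SAMPLE_BASE + 8 * PAGE_SIZE;

	/* Walk the whole region one permission run at a time, as a caller
	 * would, resuming from the page after last_addr each time. */
	while (addr < end) {
		struct perm_range r = mem_perm_get_range(
			SAMPLE_PERMS, 8, SAMPLE_BASE, addr,
			(end - addr) / PAGE_SIZE);
		if (!r.valid) {
			return 1;
		}
		printf("0x%llx-0x%llx perm=%d\n", (unsigned long long)addr,
		       (unsigned long long)r.last_addr, (int)r.perm);
		addr = r.last_addr + PAGE_SIZE;
	}
	return 0;
}
```

The walk in `main` shows the consequence of the "last address" rule: three calls cover the eight sample pages, one per run, and a request that would extend past the described region is rejected rather than silently truncated.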
## v2.12
### Highlights

* FF-A v1.2 (continued adoption):
  * Restrict use of the `FFA_VERSION` ABI: the FF-A endpoint version is locked from the first
    FF-A ABI call handled in the SPMC.
  * `FFA_MSG_WAIT` ABI update:
    * Transfer the ownership of the RX buffer from consumer to producer.
    * Bypass the mentioned transfer of ownership via a dedicated flag.
  * Support for VM availability messages:
    * Subscription through the FF-A manifest.
    * Discovery through `FFA_PARTITION_INFO_GET` only at the NS FF-A instance.
    * Relay the framework message to the subscribed partition.

* Runtime support:
  * `FFA_CONSOLE_LOG` ABI:
    * The SPMC adds the string `[<SP ID> <vCPU ID>]` to log lines from SPs.
    * The console log for each partition is tracked per vCPU, to avoid corrupting the buffer
      through concurrent logging from the same partition.
  * Exceptions related to synchronous tag faults in S-EL2 are now logged.
  * FF-A memory management:
    * Support for the SMC64 ABI version of all FF-A memory management interfaces.
    * Handle the GPF exception caused by accessing non-secure RX/TX buffers in the handling
      of FF-A memory management ABIs.
    * Support for sharing and lending device memory.
  * Allocate the boot parameters for Hafnium's initialisation functions in the memory
    pool.
  * Paravirtualized interface for sending an IPI (`HF_INTERRUPT_SEND_IPI`):
    * The IPI is injected straight away to target vCPUs in the running state.
    * An `SRI` interrupt is sent to the NWd when the target vCPU is in the waiting state.
    * Report the partitions and vCPUs which require CPU cycles to handle the IPI through
      `FFA_NOTIFICATION_INFO_GET`.
    * If the target vCPU is in the blocked/preempted state, pend/queue the virtual
      interrupt.
  * Secure interrupt handling:
    * Support for queueing secure interrupts.
    * Support for S-EL1 UP SPs to handle interrupts.
    * Support interrupts sent during the runtime model for initialisation (`RTM_INIT`).
  * Always eret `FFA_RUN` to the target SP, regardless of whether it has pending messages,
    secure interrupts or notifications.

* Hardware architecture support:
  * Architectural physical timer emulation for SPs.
  * The TC platform enabled the branch protection feature.
  * Support for platforms with non-linear GIC redistributor frames.
  * Enabled the Pointer Authentication feature for S-EL0 partitions.

* Tests, scripts, testing framework and build:
  * Improved readability of the error messages for failed assertions.
  * Enabled the build flags `-Wextra` and `-Wsign-compare`.
  * Definition of assertion helpers to check the content of strings.
  * Using enum types for the FF-A ABIs, FF-A errors, and test SP service commands.
  * Toolchain upgrade to clang-18.
  * Improved performance of `clang-tidy`.
  * Always expand the `assert` macro, to make sure arguments are type checked even
    when `ENABLE_ASSERTIONS` is not enabled.
  * Adopted the `FFA_CONSOLE_LOG` ABI in `dlog` instances from SPs.
  * Restricted the functions defined with `SERVICE_SETUP` macros to run on the primary
    core.
  * Support for using the generic timer in the test partitions.
  * Support for using a watchdog timer from NWd test VMs.
  * Added a new system setup, loading S-EL1 UP partitions on top of the SPMC.

* Bug fixes:
  * Incorrect calculation of the number of FF-A boot information descriptors.
  * FF-A memory management:
    * Drop the unnecessary check of instruction permissions in the handling of
      `FFA_MEM_RELINQUISH`.
    * A sender with no Write access to a given memory region is prevented from using
      the clear/zero memory flags in the descriptor to `FFA_MEM_LEND`, `FFA_MEM_SHARE`
      or `FFA_MEM_DONATE`.
    * Checks of the `impdef` field in the FF-A memory access descriptor are done according
      to the FF-A version.
    * Consider the memory region descriptor format according to the FF-A version when
      processing a hypervisor retrieve request.
  * Platform build options:
    * Check that the option `enable_mte` can only have the legal values 0 or 1, to enable
      or disable use of the MTE feature.
    * Check that the options `gic_version` and `gic_enable_espi` are configured with
      correct values, according to what is supported in Hafnium.
    * Check that the option `branch_protection` can only be configured with the values
      `standard`, `pac-ret`, `pac-ret+leaf` and `bti`.
  * FF-A Notifications:
    * Set framework notifications only when the recipient supports notifications.
    * The delay SRI flag can only be used on `FFA_NOTIFICATION_SET` from SPs. Return
      `FFA_ERROR(FFA_INVALID_PARAMETERS)` in invocations from the NWd that use it.
    * Allow a caller to invoke `FFA_NOTIFICATION_GET` specifying a vCPU ID different
      from the calling vCPU.
  * `FFA_FEATURES` ABI:
    * Reports `FFA_YIELD` only to SPs.
    * Reports the `ME` and `NPI` VI IDs to S-EL1 partitions only.
    * Reports `FFA_SECONDARY_EP_REGISTER` to MP partitions only.
    * Reports `FFA_MEM_PERM_SET/GET` to S-EL0 partitions only.
  * The `FFA_PARTITION_INFO_GET(_REGS)` ABI reports the support of indirect messaging and direct
    message request/response 2, considering the version of the caller.
  * Prevent a secure interrupt from preempting an SP in `SPMC` scheduled mode.
  * Ensure the FF-A error codes are 32-bit unsigned values.
  * The error return for the `FFA_FEATURES` ABI is restricted to `FFA_ERROR(FFA_NOT_SUPPORTED)`
    according to the FF-A v1.2 specification.
  * Ensure that accesses to the `GICD_CTLR` register are complete by checking the state of
    the RWP bit.
  * Add a check that manifest-declared memory regions don't overlap with the SPMC address
    space.
  * The first vCPU ever to boot from any SP was booting with the wrong vCPU state; fixed to
    `VCPU_STATE_RUNNING`.
  * Correctly define the stack for the test SPs.
  * Report an error when there are too many UUIDs defined in the partition's FF-A manifest.
  * Fix out-of-tree build: use the `OUT` make argument so that the output directory can point
    to a location other than out/project/reference.
  * Memory regions specified with an offset relative to the partition's image position, rather
    than the partition package load-address.
  * The SPMC enables a physical interrupt when the SP enables the respective virtual interrupt,
    instead of enabling it by default during load of the owner SP.

* Miscellaneous:
  * Improved `dlog` functions with compile-time type checking of the arguments of
    logged strings.
  * Reduced complexity of utility functions defined in `std.h`.
  * The documentation of FF-A manifest bindings now refers to the TF-A documentation as the
    common resource for all reference SPMC implementations.
  * Simplified the code for handling the preemption of `FFA_MSG_WAIT`/`FFA_MSG_SEND_DIRECT_RESP`
    due to a pending interrupt.
  * Dropped legacy code/tests:
    * Legacy hypervisor tests for timer support in NWd VMs.
    * Legacy hypervisor interface `HF_INTERRUPT_INJECT` and respective tests.
    * Legacy hypervisor waiting list concept.
    * The Linux kernel tests in the Hafnium test scripts. The Hafnium driver code supports the
      hypervisor runtime model, not the SPMC.
    * The Linux kernel and Hafnium driver submodules.
    * Legacy hypervisor `FFA_RUN` ABI tests.
  * Refactored the code enforcing the `boot-order` according to the FF-A boot protocol to use
    the `list.h` header.
  * Refactored the UUID packing/unpacking functions.
  * Dropped the SRI state tracking within the SPMC, to simplify the notifications code.

## v2.11
### Highlights

* FF-A v1.2 (continued adoption):
  * Direct messaging:
    * New ABIs `FFA_MSG_SEND_DIRECT_REQ2` and `FFA_MSG_SEND_DIRECT_RESP2`.
    * Support the extended register set and use of a service UUID.
  * Memory management:
    * ABIs support the impdef field in the memory access descriptor.
    * Lend device memory from an SP to another SP, and from a VM to an SP.
  * Setup and discovery:
    * Support multiple UUIDs per SP, both in manifest parsing and
      `FFA_PARTITION_INFO_GET`.
    * The `FFA_FEATURES` ABI reports the RX/TX buffer max size.
  * Support the extended set of registers with `FFA_CONSOLE_LOG` for v1.2 SPs.

* Runtime support:
  * Trap SP access to AMU counters.
  * SIMD context:
    * Refactored Advanced SIMD/SVE save and restore operations.
    * Introduce context save and restore of SME registers.
    * Leverage the SMCCC SVE hint bit mask.
    * Trap SP access to SVE/SME registers.
  * Realm Management Extension support:
    * On `FFA_MEM_DONATE` or `FFA_MEM_LEND` from a VM/OS Kernel to SPs, change the physical
      address space of the memory regions from non-secure to secure.
    * On `FFA_MEM_RECLAIM`, if the memory's address space was changed from non-secure to
      secure, revert the physical address space change (from secure to non-secure).
    * The SPMC can handle a Granule Protection Fault: the exception handler was refactored
      to trap in the new `memcpy_trapped` function, which returns an error if the copy
      failed due to a GPF.
    * The `FFA_PARTITION_INFO_GET` and `FFA_MSG_SEND2` interfaces return
      `FFA_ERROR(FFA_ABORTED)` in case of hitting a Granule Protection Fault.
  * SMMUv3:
    * Support for static DMA isolation of upstream devices.
    * Accesses from DMA-capable devices are only permitted to specific memory regions
      via dedicated DMA properties in the memory region node of a partition manifest.
  * The SPMC saves and restores the NS-EL1 system registers context, to help reduce the
    memory footprint of the EL3 monitor.
  * GICv3 driver support for two security states for interrupts.

* Hardware architecture support:
  * New platform build for RD Fremont.
  * The TC platform remapped the UART devices.

* Tests, scripts and testing framework:
  * The TF-A prebuilt image used in Hafnium tests was updated to support v1.2 interfaces.
  * S-EL0 partitions bumped to FF-A v1.2 in general functionality tests.
  * The `SERVICE_SELECT_MP` macro was added to allow tests to target a different vCPU
    than the primary vCPU.
  * Various new tests added to cover the newly added functionality.

* Bug fixes:
  * FF-A memory management:
    * `FFA_MEM_RELINQUISH` returns `FFA_ERROR(FFA_DENIED)` if the clear memory flag is used
      when the borrower's permission is RO.
    * `FFA_MEM_RETRIEVE_REQ` returns `FFA_ERROR(FFA_DENIED)` if the sender ID is not correct
      in the memory region descriptor.
    * The hypervisor retrieve request was updated to support FF-A v1.2 descriptors and avoid
      conflicting checks with normal retrieve requests from FF-A endpoints.
    * `FFA_MEM_RETRIEVE_REQ` returns `FFA_ERROR(FFA_INVALID_PARAMETERS)` if the receiver
      count is zero in the memory region descriptor.
  * Interrupt handling:
    * The secure interrupt implicit completion flag is reset in the runtime model for
      `FFA_RUN`.
    * Intercept `FFA_MSG_SEND_DIRECT_RESP/FFA_MSG_SEND_DIRECT_RESP2` and `FFA_MSG_WAIT` if
      the SP relinquishes CPU cycles with pending secure interrupts.
    * Ignore spurious interrupt 1023 when an SP is executing.
    * Unwind the call chain when intercepting a direct response, to avoid SPs crashing.
  * Check that the platform exists before building.
  * `FFA_FEATURES` interface:
    * The SPMC returns `FFA_ERROR(FFA_NOT_SUPPORTED)` if the func ID is `FFA_EL3_INTR_HANDLE`,
      and the call is from the hypervisor/OS kernel.
    * The SPMC returns `FFA_ERROR(FFA_NOT_SUPPORTED)` if the feature ID is `SRI`, and the
      call is from an SP.
    * The SPMC returns `FFA_ERROR(FFA_NOT_SUPPORTED)` if the feature ID is `NPI` or `ME`,
      and the call is from the Hypervisor/OS Kernel.
  * FF-A notifications:
    * Return error code `FFA_INVALID_PARAMETERS` when provided invalid partition IDs
      in `FFA_NOTIFICATION_BITMAP_CREATE/DESTROY` and `FFA_NOTIFICATION_BIND/UNBIND`.
    * Return error `FFA_INVALID_PARAMETERS` to `FFA_NOTIFICATION_SET` if flags that
      Must Be Zero are not.
    * The vCPU argument must be zero in `FFA_NOTIFICATION_SET` for global notifications,
      else return error `FFA_INVALID_PARAMETERS`.
  * FF-A Indirect messaging:
    * Fix the checks of message offset and total size.
    * Validate that the SPMC has mapped the hypervisor/OS Kernel RX/TX buffers before
      accessing the buffers.
    * The handling of `FFA_MSG_WAIT` shall not change the SPMC's internal state of the
      RX buffer.
  * The interfaces `FFA_MEM_PERM_SET/GET` return error `FFA_DENIED` if used after the
    SP's initialisation.
  * `kokoro/test_spmc.sh` terminates when hitting a failure for runs that are not
    collecting coverage data.
  * Device memory regions are mapped with the nGnRnE attributes.

* Misc:
  * Building multiple targets with a single command using the `PLATFORM` variable, providing
    multiple targets separated by ','.
  * Dropped the clang toolchain from the 'prebuilts' submodule to save repository space.
  * Dropped the implementation of `HF_INTERRUPT_INJECT` from the SPMC implementation, as it
    was designed for the Hypervisor and has no use in the SPMC.
  * Code static checks were separated into a dedicated script.
  * The interfaces `FFA_RXTX_MAP` and `FFA_RXTX_UNMAP` are restricted to NS memory provided
    in the SPMC manifest.
  * Improved handling of device region nodes in the SP manifest:
    * The ranges specified were restricted to those specified in the designated nodes of
      the SPMC manifest.
    * Check overlaps with other memory regions in the system, such as partitions' address
      space.
  * Avoid tracking the sender ID and descriptor size for memory management ABIs in
    Hafnium's mailbox internal structures.
  * Helpers to log the names of FF-A ABIs and FF-A error codes.
  * Increased the timeout for tests in `kokoro/test_spmc.sh` to cater for CI speed.
  * Use bitfield structures for permissions and attributes from the FF-A memory access
    descriptors.

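The memory-descriptor checks listed across the v2.13, v2.12 and v2.11 notes above (a receiver count of zero, a sender ID that does not match the original transaction, the clear-memory flag from a sender or borrower without write access, and the bypass-multiple-borrowers flag requiring exactly one receiver) are the kind of validation that belongs in one place. The following is an added example written for this page, not Hafnium's code: the `mem_region_desc` layout, the flag bit positions and the access encoding are assumptions of the example, the error values follow the FF-A specification rather than this page, and the error code chosen for the bypass-flag case is this example's choice since the page does not state one.

```c
/* Added illustrative example, not Hafnium's code: a validator modelling the
 * memory-descriptor checks listed in the release notes. Descriptor layout,
 * flag bits and access encoding are constructed for this example; the error
 * values follow the FF-A specification, not this page. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ffa_ret { FFA_OK = 0, FFA_INVALID_PARAMETERS = -2, FFA_DENIED = -6 };

/* Data access permission as modelled here. */
enum data_access { ACCESS_NOT_SPECIFIED = 0, ACCESS_RO = 1, ACCESS_RW = 2 };

/* Transaction flags; the bit positions are assumptions of this example. */
#define FLAG_CLEAR_MEMORY          (1u << 0)
#define FLAG_BYPASS_MULTI_BORROWER (1u << 10)

/* Simplified memory region descriptor carrying only the checked fields. */
struct mem_region_desc {
	uint16_t sender_id;
	uint32_t flags;
	uint32_t receiver_count;
};

/* Checks applied when a sender calls FFA_MEM_SHARE/LEND/DONATE.
 * sender_access is what the sender's own page tables grant on the region. */
enum ffa_ret validate_send(const struct mem_region_desc *d,
			   enum data_access sender_access)
{
	if (d->receiver_count == 0) {
		return FFA_INVALID_PARAMETERS;
	}
	/* A sender that cannot write the region cannot ask for it to be cleared. */
	if ((d->flags & FLAG_CLEAR_MEMORY) && sender_access != ACCESS_RW) {
		return FFA_DENIED;
	}
	return FFA_OK;
}

/* Checks applied when a borrower calls FFA_MEM_RETRIEVE_REQ; original_sender
 * is the sender recorded when the transaction was created. */
enum ffa_ret validate_retrieve(const struct mem_region_desc *req,
			       uint16_t original_sender)
{
	if (req->receiver_count == 0) {
		return FFA_INVALID_PARAMETERS;
	}
	if (req->sender_id != original_sender) {
		return FFA_DENIED;
	}
	/* Bypassing the multiple-borrower checks only makes sense for exactly
	 * one receiver (error code is this example's choice). */
	if ((req->flags & FLAG_BYPASS_MULTI_BORROWER) &&
	    req->receiver_count != 1) {
		return FFA_INVALID_PARAMETERS;
	}
	return FFA_OK;
}

/* Check applied when a borrower calls FFA_MEM_RELINQUISH: a read-only
 * borrower cannot request that the region be cleared. */
enum ffa_ret validate_relinquish(uint32_t flags,
				 enum data_access borrower_access)
{
	if ((flags & FLAG_CLEAR_MEMORY) && borrower_access != ACCESS_RW) {
		return FFA_DENIED;
	}
	return FFA_OK;
}

int main(void)
{
	/* Constructed sample descriptors; 0x8001/0x8002 are made-up IDs. */
	struct mem_region_desc lend = { 0x8001, FLAG_CLEAR_MEMORY, 1 };
	struct mem_region_desc retrieve = { 0x8002, 0, 1 };

	printf("RO sender with clear flag: %d\n",
	       (int)validate_send(&lend, ACCESS_RO));
	printf("retrieve with wrong sender: %d\n",
	       (int)validate_retrieve(&retrieve, 0x8001));
	return 0;
}
```

Each check is ordered so that a malformed descriptor is rejected before any permission comparison is made, which keeps the error returned for a given input stable regardless of which other fields are wrong.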
## v2.10
### Highlights

* FF-A v1.2 (continued adoption):
  * `FFA_YIELD` interface:
    * Can be invoked while the endpoint's partition runtime model is
      either direct message request or secure interrupt handling.
    * Allows an endpoint to specify an optional timeout such that it can be
      rescheduled after the appropriate time, to avoid busy waiting.
  * Handle the `FFA_ERROR` interface at the SP's initialisation runtime model
    to put the SP in an aborted state.
  * Support for Logical Secure Partitions at EL3, managed by the SPMD:
    * Direct messaging requests from LSPs to SPs at the virtual FF-A instance.
    * Discovery of LSPs via the `FFA_PARTITION_INFO_GET(_REGS)` interfaces.
  * Support a flag to bypass multiple borrower checks as part of `FFA_MEM_RETRIEVE_REQ`
    handling.
  * Memory region nodes support addresses relative to the partition's load address.
* Hardware architecture support:
  * Fix to SMCCC use in Hafnium, to support use of the extended register set as per
    SMCCC v1.2 for FF-A v1.2 and above.
  * GICv3: enable platforms to leverage the Shared Peripheral Interrupts extended ranges.
  * New paravirtualized interfaces to reconfigure a physical interrupt at runtime:
    target CPU, disabling/enabling the secure interrupt, and changing the interrupt's
    security state.
  * Leverage support of secure and non-secure sets of page tables for SMMUv3 streams.
  * Platform description of secure and non-secure memory is mandatory in the SPMC
    manifest.
  * Use security state information in the S2 page tables to invalidate the SP's TLB.
* Tests, scripts and testing framework:
  * Test framework improved to add tests into the SP's initialisation, by means of
    a helper macro.
  * Removed a duplicated set of tests that were used to enable support of EL0
    partitions.
  * Hypervisor build refactored to track the state of memory sharing operations.
  * A few memory sharing related tests run on the EL3 SPMC, and serve as an indicator
    of feature parity.
  * Added the ability to perform test coverage analysis via Hafnium's testing scripts.
  * Increased test coverage of memory sharing functionality.
* Bug fixes:
  * Various fixes to memory sharing functionality:
    * Clear memory operations retrieve the security state from S2 translation
      attributes.
    * Validation of the page count field in the composite memory descriptor.
    * No overlapping of memory constituents.
    * Restrict an SP from doing lend/share/donate targeting a normal world borrower.
    * Processing of instruction permissions specified in the lend/share/donate
      and by the borrower in the memory retrieve operation.
    * Use the NS bit in the `FFA_MEM_RETRIEVE_RESP` from the SPMC to the SP.
  * Force uniqueness of the boot order field in the partition's manifest.
  * Added an `FFA_RUN` interface restriction regarding vCPU core migration.
  * Refactored the use of locked vCPU structures in a few identified scenarios that
    were prone to creating deadlocks.
  * Fixed the version compatibility rules in the handling of the `FFA_VERSION`
    interface.
* Misc:
  * Migration of Hafnium documentation as the reference Secure Partition Manager
    into its own pages, leveraging the sphinx documentation framework.
  * Free resources allocated to an SP if it gets to an aborted state, including
    disabling any physical interrupts that might trigger.
  * Deprecation of legacy hypervisor calls `HF_MAILBOX_*_GET`.
  * Simplified the code path in the handling of secure interrupts.
  * Added a build option to specify the build target, which allows for faster builds,
    e.g. `make PLATFORM=secure_aem_v8a_fvp_vhe`.

## v2.9
### Highlights

* FF-A v1.2 (early adoption)
  * Implemented the `FFA_PARTITION_INFO_GET_REGS` ABI permitting discovery of
    secure partitions by the use of general purpose registers instead of RX/TX
    buffers.
  * `FFA_CONSOLE_LOG` ABI support is improved from the earlier release. It permits
    handling multiple characters passed through general purpose registers.
    The intent is to deprecate the legacy `HF_DEBUG_LOG` hypercall in a next
    release.
  * Introduced the `FFA_EL3_INTR_HANDLE` ABI permitting the delegation of Group0
    physical secure interrupt handling to EL3. A G0 interrupt triggered while
    an SP is running traps to S-EL2 and is routed to the SPMD by the use of
    this ABI. Conversely, a G0 interrupt triggered while the normal world runs
    traps to EL3.
* FF-A v1.1 interrupt handling
  * Added support for secure interrupt signalling to S-EL0 partitions.
  * Increased the maximum number of virtual interrupts supported by an SP to a
    platform defined value (default 1024). This lifts a limitation in which
    SPs were allowed to declare only the first 64 physical interrupt IDs.
  * Added the impdef 'other-s-interrupts-action' field to SP manifests
    specifying the action to be taken (queued or signaled) in response to a
    secure interrupt targeted to an SP that is not the currently running SP.
  * For S-EL1 SP vCPUs, enable the notification pending and managed exit
    virtual interrupts if requested in the manifest.
    For S-EL0 SP vCPUs, enable virtual interrupt IDs matching the secure
    physical interrupt IDs declared in device regions.
  * Allow a physical interrupt declared in an SP manifest device region to be
    routed to any PE specified by its MPIDR. Introduce the 'interrupts-target'
    manifest field for this purpose.
* FF-A v1.1 memory sharing
  * Implemented changes to memory sharing structures to support FF-A backwards
    compatibility updates in the specification. The SPMC implementation caters
    for the case of existing FF-A v1.0 endpoints on top of the FF-A v1.1 SPMC.
    The latter performs the necessary conversions in the memory sharing
    structures.
  * Implemented the capability to share/lend/donate memory to multiple borrowers
    including VMs or SPs.
  * Fragmented memory sharing is supported between normal world and secure
    world endpoints.
* FF-A v1.1 power management
  * Added the impdef 'power-management-messages' field to SP manifests
    specifying the type of power management events relayed to the SPMC.
  * Removed the limitation in which the first SP must be an MP SP.
    The configuration where all deployed SPs are S-EL0 SPs is now supported.
* FF-A v1.1 Indirect messaging
  * Updated mailbox internal state structures to align with RX/TX buffer
    synchronization rules (buffer state and ownership transfer).
* Misc and bug fixes
  * Introduced SPMC manifest memory region nodes specifying the system address
    ranges for secure and non-secure memory. This permits further hardening in
    which the SPMC needs to know the security state of a memory range. This
    helps boot time validation of SP manifests, and run-time checks in the
    memory sharing protocol.
  * SP manifest memory region validation is hardened such that one SP cannot
    declare a memory region overlapping another SP's memory region.
  * Drop dynamic allocation of memory region base address. The option for
    declaring a memory region without its base address (and letting the SPMC
    choose it) is removed.
  * Fixed handling of FEAT_LPA/FEAT_LPA2.
  * SMMUv3: fix SIDSIZE field usage.
  * GIC: fixed interrupt type configuration (edge/level).
* CI and test infrastructure
  * Migration to LLVM/clang 15.0.6.
  * Removal of non-VHE configurations. Keep only configurations assuming
    Armv8.1 Virtualization Host Extensions are implemented. This implies
    HCR_EL2.E2H is always set. This change is transparent for the end user as
    configurations supported with VHE enabled are a superset of legacy non-VHE
    configurations.
  * EL3 SPMC: added test configurations to permit testing TF-A's EL3 SPMC
    by the use of Hafnium's CI tests and infrastructure. The goal is to improve
    the test coverage for this alternative SPMC configuration and maintain
    feature set parity with the S-EL2 SPMC.
  * Added debug capabilities to the hftest script.

### Known limitations:
* Power management support is limited to CPU on and CPU off events. Only S-EL1
  partitions can opt in for power management events. A power management
  event is forwarded from the SPMD to the SPMC and isn't forwarded to an SP.

## v2.8
### Highlights

* FF-A v1.1 partition runtime model and CPU cycle allocation modes
  * Implemented partition runtime models for secure partitions entered at
    initialization, processing a secure interrupt or as a result of allocation
    of CPU cycles by `FFA_RUN` and `FFA_MSG_SEND_DIRECT_REQ` ABI invocations.
  * Added state machine checks related to the above, in which a partition has a
    set of allowed transitions to enter and exit a partition runtime model.
  * Implemented CPU cycle allocation modes and winding/unwinding of call
    chains.
  * Refactored the managed exit field in manifests to use one of the possible
    "Action for a non-secure interrupt" values defined by the specification.
  * Added support for the preferred managed exit signal (among vIRQ or vFIQ).
  * Support for precedence of the NS interrupt action in unwinding a normal
    world scheduled call chain.
* FF-A v1.1 memory sharing
  * Preparation changes for multiple borrowers and fragmented memory
    sharing support.
  * Fixed memory attribute checks as they are passed to memory sharing
    primitives (`FFA_MEM_SHARE/LEND/DONATE` and `FFA_MEM_RETRIEVE_REQ`).
  * Memory sharing support for S-EL0 partitions.
* FF-A v1.1 notifications
  * Added framework notifications support.
    The supported use case is for indirect messaging to notify a partition
    about a message pending in its RX buffer (or 'RX buffer full' framework
    notification).
  * Added support for notification pending interrupt injection on an RX buffer
    full event.
* FF-A v1.1 Indirect messaging
  * Added support for VM-VM, VM-SP, SP-SP indirect messaging scenarios.
  * Added partition message header structures.
  * Implemented the `FFA_MSG_SEND2` and `FFA_RX_ACQUIRE` ABIs.
  * Refactored VM internal state tracking in the SPMC to support forwarding
    of RX/TX buffer mapping/unmapping, notifications creation/destruction,
    RX buffer acquire/release.
  * Refactored VM mailbox states to support the RX buffer full event.
* FF-A console log ABI
  * Added the `FFA_CONSOLE_LOG` ABI as a simple and standardized means to print
    characters without depending on an MMIO device mapped into the VM.
    This allows a VM to print debug or information strings through a
    hypervisor call service using general-purpose registers rather than a
    shared buffer. Multiple VMs can use the ABI concurrently as the SPMC
    buffers data per VM and serializes output to the physical serial device.
* FF-A v1.1 Setup & Discovery
  * Updated the `PARTITION_INFO_GET` ABI to return the partition UUID in the
    partition information descriptors. Additionally the partition information
    descriptor size is returned as part of the response.
  * Added `FFA_MEM_FRAG_RX/TX` as supported interfaces in the `FFA_FEATURE` response.
* Image footprint optimization
  * The following updates were made with the general idea of reducing the
    flash and RAM footprints. They are also means to adjust the memory
    utilization based on the target market segment.
  * Added platform defines to state the per-VM maximum number of memory and
    device regions, interrupts and SMMU streams per device.
  * Dynamically allocate per-vCPU notifications.
  * Allocate vCPU structures from the heap.
  * Manifest data allocation from the page pool.
  * Fixed the core stacks section with the noload attribute.
* GIC
  * Added support for GICv3.1 extended SPI / PPI INTID ranges.
  * Added build options to extend the number of supported virtual interrupt IDs.
* SVE
  * Detect the platform supported SVE vector length or set the limit for the
    lower ELs.
  * Increased the SVE NS context to support the maximum vector length
    permitted by the architecture.
  * The above changes lift the limit of a fixed SVE vector length (of
    512 bits) used in earlier releases.
* Misc
  * Partition manifest parsing:
    * Added checks forbidding SPs to declare overlapping memory regions and
      conflicting device interrupt ID resources.
    * Added the ability to specify the security state of a memory region
      for S-EL0 partitions.
  * Fixed system register trap exception injection.
  * Removed hypervisor tables defragmentation.
  * Added the ability to define a log level per platform.
  * Disable alignment check for EL0 partitions (when VHE is enabled).

### Known limitations:
* S-EL0 partitions interrupt handling is work in progress.
* Normal world to secure world fragmented memory sharing and sharing to multiple
  borrowers is work in progress.

## v2.7
### Highlights

* Boot protocol (FF-A v1.1 EAC0)
  * The SPMC primarily supports passing the SP manifest address at boot time.
  * In a secure partition package, partition manifest and image offsets are
    configurable.
  * Allows for larger partition manifest sizes.
* Setup and discovery (FF-A v1.1 EAC0)
  * `FFA_VERSION` is forwarded from SPMD to SPMC. SPMC records the version of
    a normal world endpoint.
  * Added UUID to partition info descriptors.
  * Introduced count flag to `FFA_PARTITION_INFO_GET`.
* Interrupt handling (FF-A v1.1 Beta0)
  * Physical GIC registers trapped when accessed from secure partitions.
  * Priority mask register saved/restored on world switches.
  * Interrupts masked before resuming a pre-empted vCPU.
  * Implemented implicit secure interrupt completion signal.
  * Allow unused GICR frame for non-existent PEs.
* Notifications (FF-A v1.1 EAC0)
  * Implemented notification pending interrupt and additional test coverage.
* MTE stack tagging
  * Implemented `FEAT_MTE2` stack tagging support at S-EL2.
  * Core stacks marked as normal tagged memory. A synchronous abort triggers
    on a load/store tag check failure.
  * This permits detection of wrong operations affecting buffers allocated
    from the stack.
* FF-A v1.0 compliance
  * Check composite memory region offset is defined in FF-A memory sharing.
  * Check sender and receiver memory attributes in an FF-A memory sharing
    operation match the attributes expected in the Hafnium implementation.
  * Fix clear memory bit use in FF-A memory sharing from NWd to SWd.
  * Prevent FF-A memory sharing from an SP to a NS endpoint.
  * Reject an FF-A memory retrieve operation with the 'Address Range Alignment
    Hint' bit set (not supported by the implementation).
  * Refine usage of FF-A memory sharing 'clear memory flag'.
* Misc
  * Improved extended memory address ranges support:
    * 52 bits PA (`FEAT_LPA`/`FEAT_LPA2`) architecture extension detected
      results in limiting the EL2 Stage-1 physical address range to 48 bits.
    * In the FF-A memory sharing operations, harden address width checks on
      buffer mapping.
  * Improved MP SP and S-EL0 partitions support
    * The physical core index is passed to an SP vCPU0 on booting.
    * Added MP SP and S-EL0 partitions boot test coverage.
  * Emulate SMCCC VERSION to the primary VM.
  * Memory config registers (non-secure and secure virtualization control and
    translation table base) moved to the vCPU context.
  * EL2 stage 1 mapping extended to 1TB to support systems with physical
    address space larger than 512GB.
  * `FFA_RUN` ABI hardened to check the vCPU index matches the PE index onto
    which a vCPU is requested to run.
  * Fixed missing ISB after `CPTR_EL2` update upon PE initialization.
  * Fixed stage 2 default shareability to inner shareable (from non-shareable)
    to better support vCPU migration.
  * Fixed manifest structure allocation from BSS rather than stack
    at initialization.
  * Fixed an issue with FF-A memory reclaim executed after memory donate
    resulting in a returned error code.
* Build and test environment
  * Add the ability to use an out-of-tree toolchain.
    * Primary intent is to permit building Hafnium on AArch64 hosts.
    * CI runs using the toolchain versioned in prebuilts submodule.
      A developer can still use this version as well.
  * Introduce an assert macro enabled by a build option on the command line.
    Assertions are checked by default. Production builds can optionally
    disable assertions.
  * Added manifest options to permit loading VMs using an FF-A manifest.
* CI
  * Added job running the Hypervisor + SPMC configuration on patch
    submissions.
  * FVP
    * Enable secure memory option.
    * Remove restriction on speculative execution options.
    * Updated to use model version 11.17 build 21.
  * Updated linux submodule to v5.10.
  * VHE EL0 partitions tests automated through Jenkins.

### Known limitations:
* FF-A v1.1 EAC0 implementation is partial mainly on interrupt handling and
  memory sharing.
* Hafnium limits physical interrupt IDs to 64. The legacy virtual interrupt
  controller driver limits to 64. The recent addition of physical interrupt
  handling in the SPMC through the GIC assumes a 1:1 mapping of a physical
  interrupt ID to a virtual interrupt ID.
* Secure timer virtualization is not supported.
* The security state of memory or device region cannot be specified in an SP
  manifest.

## v2.6
### Highlights
* FF-A Setup and discovery
  * FF-A build time version updated to v1.1.
  * Managed exit and notifications feature support enabled in SP manifests.
  * Updated `FFA_FEATURES` to permit discovery of managed exit, schedule receiver,
    and notification pending interrupt IDs.
  * `FFA_PARTITION_INFO_GET` updated to permit managed exit and notification
    support discovery.
  * `FFA_SPM_ID_GET` added to permit discovering the SPMC endpoint ID (or the
    SPMD ID at the secure physical FF-A instance).
  * `FFA_RXTX_UNMAP` implementation added.
* FF-A v1.1 notifications
  * Added ABIs permitting VM (or OS kernel) to SP, and SP to SP asynchronous
    signaling.
  * Added generation of scheduler receiver (NS physical) and notification
    pending (secure virtual) interrupts.
  * The schedule receiver interrupt is donated from the secure world SGI
    interrupt ID range.
* FF-A v1.1 interrupt handling
  * Added a GIC driver at S-EL2 permitting trapping and handling of non-secure
    and secure interrupts while the secure world runs.
  * Added forwarding and handling of a secure interrupt while the normal world
    runs.
  * Added secure interrupt forwarding to the secure partition that had the
    interrupt registered in its partition manifest.
  * The interrupt deactivation happens through the Hafnium para-virtualized
    interrupt controller interface.
  * vCPU states, run time models and SP scheduling model are revisited as per
    FF-A v1.1 Beta0 specification (see 'Known limitations' section below).
* S-EL0 partitions support
  * Added support for VHE architecture extension in the secure world (through
    a build option).
  * A partition bootstraps as an S-EL0 partition based on the exception-level
    field in the FF-A manifest.
  * It permits the implementation of applications on top of Hafnium without
    relying on an operating system at S-EL1.
  * It leverages the EL2&0 Stage-1 translation regime. Apps use FF-A
    ABIs through the SVC conduit.
  * Added FF-A v1.1 `FFA_MEM_PERM_GET/SET` ABIs permitting run-time update of
    memory region permissions.
  * It supersedes the existing S-EL1 shim architecture (without removing its
    support).
  * S-EL1 SP, S-EL0 SP or former S-EL0 SP+shim can all co-exist in the same
    system.
* SVE
  * Support for saving/restoring the SVE live state such that S-EL2/Hafnium
    preserves the normal world state on world switches.
  * Secure partitions are permitted to use FP/SIMD while normal world uses
    SVE/SIMD/FP on the same core.
  * The SVE NS live state comprises FPCR/FPSR/FFR/p[16]/Z[32] registers.
* LLVM/Clang 12
  * The toolchain stored in prebuilts submodule is updated to LLVM 12.0.5.
  * Build/static analyzer fixes done in the top and third party projects.
  * Linux sources (used by the test infrastructure) are updated to 5.4.148.
    The linux test kernel module build is updated to only depend on LLVM
    toolchain.
* Hafnium CI improvements
  * Added two configurations permitting Hafnium testing in the secure world.
    * First configuration launches both the Hypervisor in the normal world
      and the SPMC in the secure world. This permits thorough FF-A ABI testing
      among normal and secure world endpoints.
    * The second configuration launches the SPMC alone for component testing
      or SP to SP ABI testing.
  * Hafnium CI Qemu version updated to v6.0.0 (implements VHE and `FEAT_SEL2`
    extensions).
* FF-A compliance fixes
  * Added checks for valid memory permissions values in manifest memory and
    device regions declarations.
  * `FFA_FEATURES` fixed to state indirect messages are not supported by
    the SPMC.
  * Limit an SP to emit a direct request to another SP only.
  * Memory sharing: fixed input validation and return values.
  * `FFA_RXTX_MAP` fixed returned error codes.
  * `FFA_MSG_WAIT` input parameters check hardened.

### Known limitations:
* S-EL0 partitions/VHE: the feature is in an experimental stage and not all use
  cases have been implemented or tested. Normal world to SP and SP to SP memory
  sharing is not tested. Interrupt handling is not tested.
* The current implementation does not support handling a secure interrupt that
  is triggered while currently handling a secure interrupt. This restricts to
  scenarios described in Table 8.13 and Table 8.14 of the FF-A v1.1 Beta0
  specification. Priority Mask Register is not saved/restored during context
  switching while handling secure interrupt.
* Hafnium CI: scenarios involving the Hypervisor are left for test harness
  purposes only, not meant for production use cases.

## v2.5
### Highlights
* BTI/Pointer authentication support
  * Add branch protection build option for `FEAT_PAuth` and `FEAT_BTI` to the
    clang command line. This only affects the S-EL2 image.
  * Enable pointer authentication by supplying a platform defined pseudo
    random key.
  * Enable BTI by setting the guarded page bit in MMU descriptors for
    executable pages.
* SMMUv3.2 S-EL2 support
  * Add support for SMMUv3 driver to perform stage 2 translation, protection
    and isolation of upstream peripheral device's DMA transactions.
* FF-A v1.0 Non-secure interrupt handling
  * Trap physical interrupts to S-EL2 when running an SP.
  * Handle non secure interrupts that occur while an SP is executing,
    performing managed exit if supported.
  * Add basic support for the GICv3 interrupt controller for the AArch64
    platform.
* FF-A power management support at boot time
  * Provide platform-independent power management implementations for the
    Hypervisor and SPMC.
  * Implement the `FFA_SECONDARY_EP_REGISTER` interface for an MP SP or SPMC
    to register the secondary core cold boot entry point for each of their
    execution contexts.
  * Introduce a generic "SPMD handler" to process the power management events
    that may be conveyed from SPMD to SPMC, such as core off.
* FF-A Direct message interfaces
  * Introduce SP to SP direct messaging.
  * Fix bug in the MP SP to UP SP direct response handling.
* FF-A Memory sharing interfaces
  * Introduce SP to SP memory sharing.
  * When a sender of a memory management operation reclaims memory, set the
    memory regions permissions back to its original configuration.
  * Require default permissions to be supplied to the function
    `ffa_memory_permissions_to_mode`, so in the case where no permissions are
    specified for a memory operation, the data and instruction permissions can
    be set to the default.
  * Encode Bit[63] of the memory region handle according to whether the handle
    is allocated by the Hypervisor or SPMC.
* FF-A v1.0 spec compliance
  * Return `INVALID_PARAMETER` error code instead of `NOT_SUPPORTED` for direct
    messaging interfaces when an invalid sender or receiver id is given.
  * Check that reserved parameter registers are 0 when invoking direct
    messaging ABI interfaces.
  * For SMC32 compliant direct message interfaces, only copy 32-bit
    parameter values.
  * Change the FF-A error codes to 32-bit to match the FF-A specification.
  * Fix consistency with maintaining the calling convention bit of the
    func id between the `ffa_handler` and the `FFA_FEATURES` function.
* Remove primary VM dependencies in the SPMC
  * Treat normal world as primary VM when running in the secure world.
  * Create an SPMC boot flow.
* Hafnium CI
  * Enable Hafnium CI to include tests for Hafnium SPMC.
  * Add basic exception handler to service VMs.
* SIMD support
  * Add saving/restoring of other world FP/NEON/SIMD state when entering and
    exiting the SPMC.
* SPMC early boot cache fix
  * Import data cache clean and invalidation helpers from TF-A project and
    provide an arch module for cache operations.
  * Invalidate the SPMC image in the data cache at boot time to prevent
    potential access to stale cache entries left by earlier boot stages.
* Misc and bug fixes
  * Complete vCPU state save prior to normal world exit.
  * Update S-EL2 Stage-1 page table shareability from outer to inner.
  * Add PL011 UART initialization code to set the IBRD and FBRD registers
    according to the UART clock and baud rate specified at build time.
  * License script checker fixes.

### Known limitations:
* Secure interrupts not supported.
* FF-A indirect message interface not supported in the secure world.
* Only supporting models of MultiProcessor SP (vCPUs pinned to physical
  CPUs) or UniProcessor SP (single vCPU).
* The first secure partition booted must be an MP SP.
* `FFA_RXTX_UNMAP` not implemented.
* Use of an alternate caller provided buffer from RX/TX buffers for memory
  sharing operations is not implemented.
* A memory retrieve request to SPMC does not support the caller endpoint to
  provide the range of IPA addresses to map the region to.

## v2.4

This is the first drop to implement the TrustZone secure side S-EL2 firmware
(SPM Core component) complying with FF-A v1.0.
It is a companion to the broader TF-A v2.4 release.
The normal world Hypervisor is maintained functional along with the
Hafnium CI test suite.

### Highlights
* FF-A v1.0 Setup and discovery interface
  * Hypervisor implementation re-used and extended to the SPMC and SPs.
  * Added partition info get ABI and appropriate properties response depending
    on partition capabilities (PVM, Secondary VM or Secure Partitions).
  * FF-A device-tree manifest parsing.
  * FF-A partitions can declare memory/device regions, and RX/TX buffers that
    the SPMC sets up in the SP EL1&0 Stage-2 translation regime at boot time.
  * FF-A IDs normal and secure world split ranges.
  * The SPMC maps the Hypervisor (or OS kernel) RX/TX buffers as non-secure
    buffers in its EL2 Stage-1 translation regime on `FFA_RXTX_MAP` ABI
    invocation from the non-secure physical FF-A instance.
* FF-A v1.0 Direct message interface
  * Added implementation for the normal world Hypervisor and test cases.
  * Implementation extended to the SPMC and SPs.
  * Direct message requests emitted from the PVM to a Secondary VM or a
    Secure Partition (or OS Kernel to a Secure Partition). Direct message
    responses emitted from Secondary VMs and Secure Partitions to the PVM.
  * The secure world represents the "other world" (normal world Hypervisor
    or OS kernel) vCPUs in an abstract "Hypervisor VM".
* FF-A v1.0 memory sharing
  * Hypervisor implementation re-used and extended to the SPMC and SPs.
  * A NS buffer can be shared/lent/donated by a VM to an SP (or OS Kernel
    to an SP).
  * The secure world configures Stage-1 NS IPA output to access the NS PA
    space.
  * The secure world represents the "other world" (normal world Hypervisor
    or OS kernel) memory pages in an abstract "Hypervisor VM" and tracks
    memory sharing permissions from incoming normal world requests.
* Secure world enablement
  * Secure Partitions booted in sequence on their primary execution context,
    according to the boot order field in their partition manifest.
    This happens during the secure boot process before the normal world
    actually runs.
  * The SPMC implements the logic to receive FF-A messages through the EL3
    SPMD, process them, and either return to the SPMD (and normal world) or
    resume a Secure Partition.
  * Extract NS bit from `HPFAR_EL2` on Stage-2 page fault.
  * Prevent setup of LOR regions in SWd.
  * Avoid direct PSCI calls down to EL3.
* Platforms
  * Added Arm FVP secure Hafnium build support.
  * Added Arm TC0 "Total Compute" secure Hafnium build support.
* Other improvements
  * Re-hosting to trustedfirmware.org.
  * `busy_secondary` timer increased to improve CI stability.
  * Removed legacy Hypervisor calls.
  * Fix `CPTR_EL2` TTA bit position.
  * Report `FAR_EL2` on injecting EL1 exception.

### Known limitations:
* Not all fields of the FF-A manifest are actually processed by the Hafnium
  device-tree parser.
* SP to SP communication not supported.
* SP to SP memory sharing not supported.
* S-EL1 and SIMD contexts shall be saved/restored by EL3.
* Multi-endpoint memory sharing not supported.
* Interrupt management limited to trapping physical interrupts to
  the first S-EL1 SP. Physical interrupt trapping at S-EL2 planned as
  next release improvement.
* Validation mostly performed using first SP Execution Context (vCPU0). More
  comprehensive multicore enablement planned as next release improvement.