# Change Log

## v2.11
### Highlights

* FF-A v1.2 (continued adoption):
    * Direct messaging:
        * New ABIs `FFA_MSG_SEND_DIRECT_REQ2` and `FFA_MSG_SEND_DIRECT_RESP2`.
        * Support extended register set and use of service UUID.
    * Memory management:
        * ABIs support the impdef field in memory access descriptor.
        * Lend device memory from an SP to another SP, and from a VM to an SP.
    * Setup and discovery:
        * Support multiple UUIDs per SP, both in manifest parsing and
          `FFA_PARTITION_INFO_GET`.
        * The `FFA_FEATURES` ABI reports RX/TX buffer max size.
    * Support extended set of registers with `FFA_CONSOLE_LOG` for v1.2 SPs.

* Runtime support:
    * Trap SP access to AMU counters.
    * SIMD context:
        * Refactored Advanced SIMD/SVE save and restore operations.
        * Introduce context save and restore of SME registers.
        * Leverage the SMCCC SVE hint bit mask.
        * Trap SP access to SVE/SME registers.
    * Realm Management Extension support:
        * On `FFA_MEM_DONATE` or `FFA_MEM_LEND` from VM/OS Kernel to SPs, change the physical
          address space of the memory regions from non-secure to secure.
        * On `FFA_MEM_RECLAIM`, if the memory's address space was changed from non-secure to
          secure, revert the physical address space change (from secure to non-secure).
        * The SPMC can handle a Granule Protection Fault: exception handler refactored
          to trap the new `memcpy_trapped` function, which returns an error if the copy failed
          due to a GPF.
        * The `FFA_PARTITION_INFO_GET` and `FFA_MSG_SEND2` interfaces return
          `FFA_ERROR(FFA_ABORTED)` in case of hitting a Granule Protection Fault.
    * SMMUv3:
        * Support for static DMA isolation of upstream devices.
        * Accesses from DMA-capable devices are only permitted to specific memory regions
          via dedicated DMA properties in the memory region node of a partition manifest.
    * SPMC saves and restores the NS-EL1 system registers context, to help reduce memory
      usage in the EL3 monitor.
    * GICv3 driver to support two security states for interrupts.

* Hardware architecture support:
    * New platform build for RD fremont.
    * TC platform remapped the UART devices.

* Tests, scripts and testing framework:
    * TF-A prebuilt image used in Hafnium tests updated to support v1.2 interfaces.
    * S-EL0 partitions bumped to FF-A v1.2 version in general functionality tests.
    * The `SERVICE_SELECT_MP` macro was added to allow tests to target a different vCPU
      than the primary vCPU.
    * Various new tests added to cover the newly added functionalities.

* Bug fixes:
    * FF-A memory management:
        * `FFA_MEM_RELINQUISH` returns `FFA_ERROR(FFA_DENIED)` if the clear memory flag is
          used when the borrower's permission is RO.
        * `FFA_MEM_RETRIEVE_REQ` returns `FFA_ERROR(FFA_DENIED)` if the sender ID is not
          correct in the memory region descriptor.
        * Hypervisor retrieve request updated to support FF-A v1.2 descriptors and avoid
          conflicting checks with normal retrieve requests from FF-A endpoints.
        * `FFA_MEM_RETRIEVE_REQ` returns `FFA_ERROR(FFA_INVALID_PARAMETERS)` if the receiver
          count is zero in the memory region descriptor.
    * Interrupt handling:
        * Secure interrupt implicit completion flag reset in the runtime model for `FFA_RUN`.
        * Intercept `FFA_MSG_SEND_DIRECT_RESP/FFA_MSG_SEND_DIRECT_RESP2` and `FFA_MSG_WAIT` if SP
          relinquishes CPU cycles with pending secure interrupts.
        * Ignore spurious interrupt 1023 when SP is executing.
        * Unwind call chain when intercepting a direct response, to avoid SPs crashing.
    * Check that platform exists before building.
    * `FFA_FEATURES` interface:
        * SPMC returns `FFA_ERROR(FFA_NOT_SUPPORTED)` if func ID is `FFA_EL3_INTR_HANDLE`, and
          call is from Hypervisor/OS Kernel.
        * SPMC returns `FFA_ERROR(FFA_NOT_SUPPORTED)` if feature ID is `SRI`, and call is from SP.
        * SPMC returns `FFA_ERROR(FFA_NOT_SUPPORTED)` if feature ID is `NPI` or `ME`, and call is
          from Hypervisor/OS Kernel.
    * FF-A notifications:
        * Return error code `FFA_INVALID_PARAMETERS` when provided invalid partition IDs
          in `FFA_NOTIFICATION_BITMAP_CREATE/DESTROY` and `FFA_NOTIFICATION_BIND/UNBIND`.
        * Return error `FFA_INVALID_PARAMETERS` to `FFA_NOTIFICATION_SET` if flags that
          Must Be Zero are not.
        * The vCPU argument must be zero in `FFA_NOTIFICATION_SET` for global notifications,
          else return error `FFA_INVALID_PARAMETERS`.
    * FF-A Indirect messaging:
        * Fix the checks on message offset and total size.
        * Validate that SPMC has mapped the hypervisor/OS Kernel RX/TX buffers before
          accessing the buffers.
    * The handling of `FFA_MSG_WAIT` shall not change the SPMC's internal state of the
      RX buffer.
    * The interfaces `FFA_MEM_PERM_SET/GET` return error `FFA_DENIED` if used after the
      SP's initialization.
    * The `kokoro/test_spmc.sh` script terminates when hitting a failure for runs that are
      not collecting coverage data.
    * Device memory regions are mapped with attributes nGnRnE.

* Misc:
    * Build multiple targets with a single command by providing multiple targets
      separated by ',' in the `PLATFORM` variable.
    * Dropped the clang toolchain from the 'prebuilts' submodule to save repository space.
    * Dropped the implementation of `HF_INTERRUPT_INJECT` from the SPMC, as it was
      designed for the Hypervisor and has no use in the SPMC.
    * Code static checks were separated into a dedicated script.
    * The interfaces `FFA_RXTX_MAP` and `FFA_RXTX_UNMAP` are restricted to NS memory provided
      in the SPMC manifest.
    * Improved handling of device region nodes in SP manifest:
        * The ranges specified were restricted to those specified in the designated nodes of
          the SPMC manifest.
        * Check overlaps with other memory regions in the system, such as partitions address
          space.
    * Avoid tracking the sender ID and descriptor size for memory management ABIs, in
      Hafnium's mailbox internal structures.
    * Helpers to log the names of FF-A ABIs and FF-A error codes.
    * Increase timeout for tests in `kokoro/test_spmc.sh` to cater for CI speed.
    * Use bitfield structures for permissions and attributes from the FF-A memory access
      descriptors.

## v2.10
### Highlights

* FF-A v1.2 (continued adoption):
    * `FFA_YIELD` interface:
        * Allow it to be invoked while the endpoint's partition runtime model is
          either direct message request or secure interrupt handling.
        * Allow an endpoint to specify an optional timeout such that it can be
          rescheduled after appropriate time to avoid busy wait.
    * Handle the `FFA_ERROR` interface at the SPs initialisation runtime model
      to put the SP in an aborted state.
    * Support for Logical Secure Partitions at EL3, managed by the SPMD:
        * Direct messaging request from LSPs to SPs at the virtual FF-A instance.
        * Discovery of LSPs via `FFA_PARTITION_INFO_GET(_REGS)` interfaces.
    * Support flag to bypass multiple borrower checks as part of `FFA_MEM_RETRIEVE_REQ`
      handling.
    * Memory region nodes support addresses relative to partition's load address.
* Hardware architecture support:
    * Fix to SMCCC use on Hafnium, to support use of extended register set as per
      SMCCCv1.2 for FF-A v1.2 and above.
    * GICv3: Enable platforms to leverage Shared Peripheral Interrupts extended ranges.
    * New paravirtualized interfaces to reconfigure a physical interrupt at runtime:
      target CPU, disabling/enabling the secure interrupt, and changing interrupt's
      security state.
    * Leverage support of secure and non-secure set of page tables for SMMUv3 streams.
    * Platform description of secure and non-secure memory is mandatory in the SPMC
      manifest.
    * Use security state information in the S2 page tables to invalidate SP's TLB.
* Tests, scripts and testing framework:
    * Test framework improved to add tests into the SP's initialisation, by means of
      a helper macro.
    * Removed duplicated set of tests that were used to enable support of EL0
      partitions.
    * Hypervisor build refactored to track the state of memory sharing operations.
    * A few memory sharing related tests run on the EL3 SPMC, and serve as an
      indicator of feature parity.
    * Added ability to perform test coverage analysis, via Hafnium's testing scripts.
    * Increased test coverage of memory sharing functionality.
* Bug fixes:
    * Various fixes to memory sharing functionality:
        * Clear memory operations retrieve security state from S2 translation
          attributes.
        * Validation of the page count field in the composite memory descriptor.
        * No overlapping of memory constituents.
        * Restrict SP from doing lend/share/donate targeting a normal world borrower.
        * Processing of instruction permissions specified in the lend/share/donate
          and by the borrower in the memory retrieve operation.
        * Use the NS bit in the `FFA_MEM_RETRIEVE_RESP` from SPMC to SP.
    * Force uniqueness of boot order field in the partition's manifest.
    * Added `FFA_RUN` interface restriction towards vCPU cores migration.
    * Refactor use of locked vCPU structures in a few identified scenarios that
      were prone to creating deadlocks.
    * Fixed the version compatibility rules in handling of the `FFA_VERSION`
      interface.
* Misc:
    * Migration of Hafnium documentation as the reference Secure Partition Manager
      into its own pages, leveraging the sphinx documentation framework.
    * Free resources allocated to SP if it gets to an aborted state, including
      disabling any physical interrupts that might trigger.
    * Deprecation of legacy hypervisor calls `HF_MAILBOX_*_GET`.
    * Simplified code path in the handling of secure interrupts.
    * Added build option to specify build target, which allows for faster builds,
      e.g. `make PLATFORM=secure_aem_v8a_fvp_vhe`.
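
The v2.10 memory sharing fixes above mention validating the page count field of the composite memory descriptor and rejecting overlapping constituents. The following is an added example of what such checks involve, not Hafnium's own code: the field order follows the FF-A composite memory region descriptor, while the type names, result codes, 4 KiB page size and sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_PAGE_SIZE 4096u /* assumption: 4 KiB translation granule */

/* Field order follows the FF-A composite memory region descriptor; the
 * type and enum names are this example's own, not Hafnium's. */
struct constituent {
	uint64_t address;
	uint32_t page_count;
	uint32_t reserved;
};

struct composite_hdr {
	uint32_t page_count; /* total pages claimed by the sender */
	uint32_t constituent_count;
	uint64_t reserved_0;
};

enum check_result {
	CHECK_OK, ERR_TRUNCATED, ERR_EMPTY, ERR_UNALIGNED,
	ERR_WRAPS, ERR_PAGE_COUNT, ERR_OVERLAP
};

/* Exclusive end address of a constituent; false if it wraps past 2^64. */
static bool range_end(const struct constituent *c, uint64_t *end)
{
	/* page_count < 2^32 and the page size is 2^12, so this cannot overflow. */
	uint64_t len = (uint64_t)c->page_count * EX_PAGE_SIZE;

	if (c->address > UINT64_MAX - len)
		return false;
	*end = c->address + len;
	return true;
}

/* Validate a sender-controlled descriptor: `c` points at the constituent
 * array and `avail` is the number of bytes actually received for it. */
enum check_result check_composite(const struct composite_hdr *hdr,
				  const struct constituent *c, size_t avail)
{
	uint64_t total = 0;

	if (hdr->constituent_count == 0)
		return ERR_EMPTY;
	/* Bound the claimed count by the bytes received; divide rather than
	 * multiply so the comparison itself cannot overflow. */
	if (hdr->constituent_count > avail / sizeof(*c))
		return ERR_TRUNCATED;

	for (uint32_t i = 0; i < hdr->constituent_count; i++) {
		uint64_t a_end = 0, b_end = 0;

		if (c[i].page_count == 0)
			return ERR_EMPTY; /* example's choice: reject empty ranges */
		if (c[i].address % EX_PAGE_SIZE != 0)
			return ERR_UNALIGNED;
		if (!range_end(&c[i], &a_end))
			return ERR_WRAPS;
		total += c[i].page_count;
		/* Compare with every earlier constituent, all already validated. */
		for (uint32_t j = 0; j < i; j++) {
			(void)range_end(&c[j], &b_end);
			if (c[i].address < b_end && c[j].address < a_end)
				return ERR_OVERLAP;
		}
	}
	/* The header total must equal the sum over the constituents. */
	return total == hdr->page_count ? CHECK_OK : ERR_PAGE_COUNT;
}

/* Build a header claiming `claimed` constituents while only `present` are
 * in the array, then validate it. */
enum check_result check_sample(const struct constituent *c, uint32_t present,
			       uint32_t claimed, uint32_t total_pages)
{
	struct composite_hdr hdr = { total_pages, claimed, 0 };

	return check_composite(&hdr, c, present * sizeof(*c));
}

/* Constructed sample inputs, not taken from any real system. */
static const struct constituent sample_ok[] = {
	{ 0x80000000u, 2, 0 }, { 0x80002000u, 1, 0 } };
static const struct constituent sample_overlap[] = {
	{ 0x80000000u, 2, 0 }, { 0x80001000u, 1, 0 } };
static const struct constituent sample_wrap[] = {
	{ 0xFFFFFFFFFFFFF000ull, 2, 0 } };

int main(void)
{
	printf("ok=%d bad_total=%d overlap=%d wrap=%d truncated=%d\n",
	       check_sample(sample_ok, 2, 2, 3), check_sample(sample_ok, 2, 2, 4),
	       check_sample(sample_overlap, 2, 2, 3),
	       check_sample(sample_wrap, 1, 1, 2),
	       check_sample(sample_ok, 2, 1000, 3));
	return 0;
}
```

The quadratic overlap scan is acceptable here because the constituent count is already bounded by the size of the buffer the descriptor arrived in.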

## v2.9
### Highlights

* FF-A v1.2 (early adoption)
    * Implemented `FFA_PARTITION_INFO_GET_REGS` ABI permitting discovery of
      secure partitions by the use of general purpose registers instead of RX/TX
      buffers.
    * `FFA_CONSOLE_LOG` ABI support is improved from earlier release. It permits
      handling multiple characters passed through general purpose registers.
      The intent is to deprecate the legacy `HF_DEBUG_LOG` hypercall in a next
      release.
    * Introduced `FFA_EL3_INTR_HANDLE` ABI permitting the delegation of Group0
      physical secure interrupt handling to EL3. A G0 interrupt triggered while
      an SP is running traps to S-EL2 and is routed to the SPMD by the use of
      this ABI. Conversely, a G0 interrupt triggered while the normal world runs
      traps to EL3.
* FF-A v1.1 interrupt handling
    * Added support for secure interrupt signalling to S-EL0 partitions.
    * Increased the maximum number of virtual interrupts supported by an SP to a
      platform defined value (default 1024). This lifts a limitation in which
      SPs were allowed to declare only the first 64 physical interrupt IDs.
    * Added the impdef 'other-s-interrupts-action' field to SP manifests
      specifying the action to be taken (queued or signaled) in response to a
      secure interrupt targeted to an SP that is not the currently running SP.
    * For S-EL1 SP vCPUs, enable the notification pending and managed exit
      virtual interrupts if requested in the manifest.
      For S-EL0 SP vCPUs, enable virtual interrupts IDs matching the secure
      physical interrupt IDs declared in device regions.
    * Allow a physical interrupt declared in a SP manifest device region to be
      routed to any PE specified by its MPIDR. Introduce the 'interrupts-target'
      manifest field for this purpose.
* FF-A v1.1 memory sharing
    * Implemented changes to memory sharing structures to support FF-A backwards
      compatibility updates in the specification. The SPMC implementation caters
      for the case of existing FF-A v1.0 endpoints on top of the FF-A v1.1 SPMC.
      The latter performs the necessary conversions in the memory sharing
      structures.
    * Implemented capability to share/lend/donate memory to multiple borrowers
      including VMs or SPs.
    * Fragmented memory sharing is supported between normal world and secure
      world endpoints.
* FF-A v1.1 power management
    * Added the impdef 'power-management-messages' field to SP manifests
      specifying the type of power management events relayed to the SPMC.
    * Removed the limitation in which the first SP must be a MP SP.
      The configuration where all deployed SPs are S-EL0 SPs is now supported.
* FF-A v1.1 Indirect messaging
    * Updated mailbox internal state structures to align with RX/TX buffer
      synchronization rules (buffer state and ownership transfer).
* Misc and bug fixes
    * Introduced SPMC manifest memory region nodes specifying the system address
      ranges for secure and non-secure memory. This permits further hardening in
      which the SPMC needs to know the security state of a memory range. This
      helps boot time validation of SP manifests, and run-time checks in the
      memory sharing protocol.
    * SP manifest memory regions validation is hardened such that one SP cannot
      declare a memory region overlapping another SP's memory region.
    * Drop dynamic allocation of memory region base address. The option for
      declaring a memory region without its base address (and let the SPMC
      choose it) is removed.
    * Fixed handling of FEAT_LPA/FEAT_LPA2.
    * SMMUv3: fix SIDSIZE field usage.
    * GIC: fixed interrupt type configuration (edge/level).
* CI and test infrastructure
    * Migration to LLVM/clang 15.0.6
    * Removal of non-VHE configurations. Keep only configurations assuming
      Armv8.1 Virtualization Host Extensions is implemented. This implies
      HCR_EL2.E2H is always set. This change is transparent for the end user as
      configurations supported with VHE enabled are a superset of legacy non-VHE
      configurations.
    * EL3 SPMC: added test configurations to permit testing TF-A's EL3 SPMC
      by the use of Hafnium's CI test and infrastructure. The goal is to improve
      the test coverage for this alternative SPMC configuration and maintain a
      feature set parity with the S-EL2 SPMC.
    * Added debug capabilities to hftest script.

### Known limitations:
* Power management support is limited to CPU on and CPU off events. Only S-EL1
  partitions can opt in for power management events. A power management
  event is forwarded from the SPMD to the SPMC and isn't forwarded to a SP.

## v2.8
### Highlights

* FF-A v1.1 partition runtime model and CPU cycle allocation modes
    * Implemented partition runtime models for secure partitions entered at
      initialization, processing a secure interrupt or as a result of allocation
      of CPU cycles by `FFA_RUN` and `FFA_MSG_SEND_DIRECT_REQ` ABI invocations.
    * Added state machine checks related to above, in which a partition has a
      set of allowed transitions to enter and exit a partition runtime model.
    * Implemented CPU cycle allocation modes and winding/unwinding of call
      chains.
    * Refactored managed exit field in manifests to use one of the possible
      "Action for a non-secure interrupt" defined by the specification.
    * Added support for preferred managed exit signal (among vIRQ or vFIQ).
    * Support for precedence of the NS interrupt action in unwinding a normal
      world scheduled call chain.
* FF-A v1.1 memory sharing
    * Preparation changes for multiple borrowers and fragmented memory
      sharing support.
    * Fixed memory attributes checks as they are passed to memory sharing
      primitives (`FFA_MEM_SHARE/LEND/DONATE` and `FFA_MEM_RETRIEVE_REQ`).
    * Memory sharing support for S-EL0 partitions.
* FF-A v1.1 notifications
    * Added framework notifications support.
      The supported use case is for indirect messaging to notify a partition
      about a message pending in its RX buffer (or 'RX buffer full' framework
      notification).
    * Added support for notification pending interrupt injection on a RX buffer
      full event.
* FF-A v1.1 Indirect messaging
    * Added support for VM-VM, VM-SP, SP-SP indirect messaging scenarios.
    * Added partition message header structures.
    * Implemented `FFA_MSG_SEND2` and `FFA_RX_ACQUIRE` ABIs.
    * Refactored VM internal state tracking in the SPMC to support forwarding
      of RX/TX buffer mapping/unmapping, notifications creation/destruction,
      RX buffer acquire/release.
    * Refactored VM mailbox states to support the RX buffer full event.
* FF-A console log ABI
    * Added the `FFA_CONSOLE_LOG` ABI as a simple and standardized means to print
      characters without depending on an MMIO device mapped into the VM.
      This allows a VM to print debug or information strings through a
      hypervisor call service using general-purpose registers rather than a
      shared buffer. Multiple VMs can use the ABI concurrently as the SPMC
      buffers data per VM and serializes output to the physical serial device.
* FF-A v1.1 Setup & Discovery
    * Updated the `PARTITION_INFO_GET` ABI to return the partition UUID in the
      partition information descriptors. Additionally the partition information
      descriptor size is returned as part of the response.
    * Added `FFA_MEM_FRAG_RX/TX` as supported interface in `FFA_FEATURES` response.
* Image footprint optimization
    * The following updates were made with the general idea of reducing the
      flash and RAM footprints. They are also means to adjust the memory
      utilization based on the target market segment.
        * Added platform defines to state the per-VM maximum number of memory and
          device regions, interrupts and SMMU streams per device.
        * Dynamically allocate per vCPU notifications.
        * Allocate vCPU structures from heap.
        * Manifest data allocation from page pool.
        * Fixed core stacks section with noload attribute.
* GIC
    * Added support for GICv3.1 extended SPI / PPI INTID ranges.
    * Add build options to extend the number of supported virtual interrupt IDs.
* SVE
    * Detect the platform supported SVE vector length or set the limit for the
      lower ELs.
    * Increased the SVE NS context to support the maximum vector length
      permitted by the architecture.
    * Above changes lift the limitation of a fixed sized SVE vector length (of
      512 bits) used in earlier releases.
* Misc
    * Partition manifest parsing:
        * Added checks forbidding SPs to declare overlapping memory regions and
          conflicting device interrupt ID resources.
        * Add ability to specify the security state of a memory region
          for S-EL0 partitions.
    * Fixed system register trap exception injection.
    * Removed hypervisor tables defragmentation.
    * Add ability to define a log level per platform.
    * Disable alignment check for EL0 partitions (when VHE is enabled).

### Known limitations:
* S-EL0 partitions interrupt handling is work in progress.
* Normal world to secure world fragmented memory sharing and sharing to multiple
  borrowers is work in progress.

## v2.7
### Highlights

* Boot protocol (FF-A v1.1 EAC0)
    * The SPMC primarily supports passing the SP manifest address at boot time.
    * In a secure partition package, partition manifest and image offsets are
      configurable.
        * Allows for larger partition manifest sizes.
* Setup and discovery (FF-A v1.1 EAC0)
    * `FFA_VERSION` is forwarded from SPMD to SPMC. SPMC records the version of
      a normal world endpoint.
    * Added UUID to partition info descriptors.
    * Introduced count flag to `FFA_PARTITION_INFO_GET`.
* Interrupt handling (FF-A v1.1 Beta0)
    * Physical GIC registers trapped when accessed from secure partitions.
    * Priority mask register saved/restored on world switches.
    * Interrupts masked before resuming a pre-empted vCPU.
    * Implemented implicit secure interrupt completion signal.
    * Allow unused GICR frame for non-existent PEs.
* Notifications (FF-A v1.1 EAC0)
    * Implemented notification pending interrupt and additional test coverage.
* MTE stack tagging
    * Implemented `FEAT_MTE2` stack tagging support at S-EL2.
    * Core stacks marked as normal tagged memory. A synchronous abort triggers
      on a load/store tag check failure.
    * This permits detection of wrong operations affecting buffers allocated
      from the stack.
* FF-A v1.0 compliance
    * Check composite memory region offset is defined in FF-A memory sharing.
    * Check sender and receiver memory attributes in a FF-A memory sharing
      operation match the attributes expected in the Hafnium implementation.
    * Fix clear memory bit use in FF-A memory sharing from NWd to SWd.
    * Prevent FF-A memory sharing from a SP to a NS endpoint.
    * Reject a FF-A memory retrieve operation with the 'Address Range Alignment
      Hint' bit set (not supported by the implementation).
    * Refine usage of FF-A memory sharing 'clear memory flag'.
* Misc
    * Improved extended memory address ranges support:
        * 52 bits PA (`FEAT_LPA`/`FEAT_LPA2`) architecture extension detected
          results in limiting the EL2 Stage-1 physical address range to 48 bits.
        * In the FF-A memory sharing operations, harden address width checks on
          buffer mapping.
    * Improved MP SP and S-EL0 partitions support
        * The physical core index is passed to a SP vCPU0 on booting.
        * Added MP SP and S-EL0 partitions boot test coverage.
    * Emulate SMCCC VERSION to the primary VM.
    * Memory config registers (non-secure and secure virtualization control and
      translation table base) moved to the vCPU context.
    * EL2 stage 1 mapping extended to 1TB to support systems with physical
      address space larger than 512GB.
    * `FFA_RUN` ABI hardened to check the vCPU index matches the PE index onto
      which a vCPU is requested to run.
    * Fixed missing ISB after `CPTR_EL2` update upon PE initialization.
    * Fixed stage 2 default shareability to inner shareable (from non-shareable)
      to better support vCPU migration.
    * Fixed manifest structure allocation from BSS rather than stack
      at initialization.
    * Fixed an issue with FF-A memory reclaim executed after memory donate
      resulting in a returned error code.
* Build and test environment
    * Add the ability to use an out-of-tree toolchain.
        * Primary intent is to permit building Hafnium on Aarch64 hosts.
        * CI runs using the toolchain versioned in prebuilts submodule.
          A developer can still use this version as well.
    * Introduce an assert macro enabled by a build option on the command line.
      Assertions are checked by default. Production builds can optionally
      disable assertions.
    * Added manifest options to permit loading VMs using an FF-A manifest.
* CI
    * Added job running the Hypervisor + SPMC configuration on patch
      submissions.
    * FVP
        * Enable secure memory option.
        * Remove restriction on speculative execution options.
        * Updated to use model version 11.17 build 21.
    * Updated linux submodule to v5.10.
    * VHE EL0 partitions tests automated through jenkins.

### Known limitations:
* FF-A v1.1 EAC0 implementation is partial mainly on interrupt handling and
  memory sharing.
* Hafnium limits physical interrupt IDs to 64. The legacy virtual interrupt
  controller driver is limited to 64. The recent addition of physical interrupt
  handling in the SPMC through the GIC assumes a 1:1 mapping of a physical
  interrupt ID to a virtual interrupt ID.
* Secure timer virtualization is not supported.
* The security state of memory or device region cannot be specified in a SP
  manifest.

## v2.6
### Highlights
* FF-A Setup and discovery
    * FF-A build time version updated to v1.1.
    * Managed exit and notifications feature support enabled in SP manifests.
    * Updated `FFA_FEATURES` to permit discovery of managed exit, schedule receiver,
      and notification pending interrupt IDs.
    * `FFA_PARTITION_INFO_GET` updated to permit managed exit and notification
      support discovery.
    * `FFA_SPM_ID_GET` added to permit discovering the SPMC endpoint ID (or the
      SPMD ID at the secure physical FF-A instance).
    * `FFA_RXTX_UNMAP` implementation added.
* FF-A v1.1 notifications
    * Added ABIs permitting VM (or OS kernel) to SP, and SP to SP asynchronous
      signaling.
    * Added generation of scheduler receiver (NS physical) and notification
      pending (secure virtual) interrupts.
    * The schedule receiver interrupt is donated from the secure world SGI
      interrupt ID range.
* FF-A v1.1 interrupt handling
    * Added a GIC driver at S-EL2 permitting trapping and handling of non-secure
      and secure interrupts while the secure world runs.
    * Added forwarding and handling of a secure interrupt while the normal world
      runs.
    * Added secure interrupt forwarding to the secure partition that had the
      interrupt registered in its partition manifest.
    * The interrupt deactivation happens through the Hafnium para-virtualized
      interrupt controller interface.
    * vCPU states, run time models and SP scheduling model are revisited as per
      FF-A v1.1 Beta0 specification (see 'Known limitations' section below).
* S-EL0 partitions support
    * Added support for VHE architecture extension in the secure world (through
      a build option).
    * A partition bootstraps as an S-EL0 partition based on the exception-level
      field in the FF-A manifest.
    * It permits the implementation of applications on top of Hafnium without
      relying on an operating system at S-EL1.
    * It leverages the EL2&0 Stage-1 translation regime. Apps use FF-A
      ABIs through the SVC conduit.
    * Added FF-A v1.1 `FFA_MEM_PERM_GET/SET` ABIs permitting run-time update of
      memory region permissions.
    * It supersedes the existing S-EL1 shim architecture (without removing its
      support).
    * S-EL1 SP, S-EL0 SP or former S-EL0 SP+shim can all co-exist in the same
      system.
* SVE
    * Support for saving/restoring the SVE live state such that S-EL2/Hafnium
      preserves the normal world state on world switches.
    * Secure partitions are permitted to use FP/SIMD while normal world uses
      SVE/SIMD/FP on the same core.
    * The SVE NS live state comprises FPCR/FPSR/FFR/p[16]/Z[32] registers.
* LLVM/Clang 12
    * The toolchain stored in prebuilts submodule is updated to LLVM 12.0.5.
    * Build/static analyzer fixes done in the top and third party projects.
    * Linux sources (used by the test infrastructure) are updated to 5.4.148.
      The linux test kernel module build is updated to only depend on LLVM
      toolchain.
* Hafnium CI improvements
    * Added two configurations permitting Hafnium testing in the secure world.
    * First configuration launches both the Hypervisor in the normal world
      and the SPMC in the secure world. This permits thorough FF-A ABI testing
      among normal and secure world endpoints.
    * The second configuration launches the SPMC alone for component testing
      or SP to SP ABI testing.
    * Hafnium CI Qemu version updated to v6.0.0 (implements VHE and `FEAT_SEL2`
      extensions).
* FF-A compliance fixes
    * Added checks for valid memory permissions values in manifest memory and
      device regions declarations.
    * `FFA_FEATURES` fixed to state indirect messages are not supported by
      the SPMC.
    * Limit an SP to emit a direct request to another SP only.
    * Memory sharing: fixed input validation and return values.
    * `FFA_RXTX_MAP` fixed returned error codes.
    * `FFA_MSG_WAIT` input parameters check hardened.

### Known limitations:
* S-EL0 partitions/VHE: the feature is in an experimental stage and not all use
  cases have been implemented or tested. Normal world to SP and SP to SP memory
  sharing is not tested. Interrupt handling is not tested.
* The current implementation does not support handling a secure interrupt that
  is triggered while currently handling a secure interrupt. This restricts
  support to the scenarios described in Table 8.13 and Table 8.14 of the FF-A
  v1.1 Beta0 specification. Priority Mask Register is not saved/restored during
  context switching while handling a secure interrupt.
* Hafnium CI: scenarios involving the Hypervisor are for test harness
  purposes only, not meant for production use cases.

524## v2.5
525### Highlights
* BTI/Pointer authentication support
    * Add branch protection build option for `FEAT_PAuth` and `FEAT_BTI` to the
      clang command line. This only affects the S-EL2 image.
    * Enable pointer authentication by supplying a platform defined pseudo
      random key.
    * Enable BTI by setting the guarded page bit in MMU descriptors for
      executable pages.
* SMMUv3.2 S-EL2 support
    * Add support for SMMUv3 driver to perform stage 2 translation, protection
      and isolation of upstream peripheral device's DMA transactions.
* FF-A v1.0 Non-secure interrupt handling
    * Trap physical interrupts to S-EL2 when running a SP.
    * Handle non-secure interrupts that occur while an SP is executing,
      performing managed exit if supported.
    * Add basic support for the GICv3 interrupt controller for the AArch64
      platform.
* FF-A power management support at boot time
    * Provide platform-independent power management implementations for the
      Hypervisor and SPMC.
    * Implement the `FFA_SECONDARY_EP_REGISTER` interface for an MP SP or SPMC
      to register the secondary core cold boot entry point for each of their
      execution contexts.
    * Introduce a generic "SPMD handler" to process the power management events
      that may be conveyed from SPMD to SPMC, such as core off.
* FF-A Direct message interfaces
    * Introduce SP to SP direct messaging.
    * Fix bug in the MP SP to UP SP direct response handling.
* FF-A Memory sharing interfaces
    * Introduce SP to SP memory sharing.
    * When a sender of a memory management operation reclaims memory, set the
      memory region's permissions back to their original configuration.
    * Require default permissions to be supplied to the function
      `ffa_memory_permissions_to_mode`, so in the case where no permissions are
      specified for a memory operation, the data and instruction permissions can
      be set to the default.
    * Encode Bit[63] of the memory region handle according to whether the
      handle is allocated by the Hypervisor or SPMC.
* FF-A v1.0 spec compliance
    * Return `INVALID_PARAMETER` error code instead of `NOT_SUPPORTED` for direct
      messaging interfaces when an invalid sender or receiver id is given.
    * Check that reserved parameter registers are 0 when invoking direct
      messaging ABI interfaces.
    * For SMC32 compliant direct message interfaces, only copy 32-bit
      parameter values.
    * Change the FF-A error codes to 32-bit to match the FF-A specification.
    * Fix consistency with maintaining the calling convention bit of the
      func id between the `ffa_handler` and the `FFA_FEATURES` function.
* Remove primary VM dependencies in the SPMC
    * Treat normal world as primary VM when running in the secure world.
    * Create an SPMC boot flow.
* Hafnium CI
    * Enable Hafnium CI to include tests for Hafnium SPMC.
    * Add basic exception handler to service VMs.
* SIMD support
    * Add saving/restoring of other world FP/NEON/SIMD state when entering and
      exiting the SPMC.
* SPMC early boot cache fix
    * Import data cache clean and invalidation helpers from TF-A project and
      provide an arch module for cache operations.
    * Invalidate the SPMC image in the data cache at boot time to prevent
      potential access to stale cache entries left by earlier boot stages.
* Misc and bug fixes
    * Complete vCPU state save prior to normal world exit.
    * Update S-EL2 Stage-1 page table shareability from outer to inner.
    * Add PL011 UART initialization code to set the IBRD and FBRD registers
      according to the UART clock and baud rate specified at build time.
    * License script checker fixes.

### Known limitations:
* Secure interrupts not supported.
* FF-A indirect message interface not supported in the secure world.
* Only supporting models of MultiProcessor SP (vCPUs pinned to physical
  CPUs) or UniProcessor SP (single vCPU).
* The first secure partition booted must be a MP SP.
* `FFA_RXTX_UNMAP` not implemented.
* Use of an alternate caller provided buffer from RX/TX buffers for memory
  sharing operations is not implemented.
* A memory retrieve request to SPMC does not support the caller endpoint to
  provide the range of IPA addresses to map the region to.

## v2.4

This is the first drop to implement the TrustZone secure side S-EL2 firmware
(SPM Core component) complying with FF-A v1.0.
It is a companion to the broader TF-A v2.4 release.
The normal world Hypervisor is maintained functional along with the
Hafnium CI test suite.

### Highlights
* FF-A v1.0 Setup and discovery interface
    * Hypervisor implementation re-used and extended to the SPMC and SPs.
    * Added partition info get ABI and appropriate properties response depending
      on partition capabilities (PVM, Secondary VM or Secure Partitions).
    * FF-A device-tree manifest parsing.
    * FF-A partitions can declare memory/device regions, and RX/TX buffers that
      the SPMC sets up in the SP EL1&0 Stage-2 translation regime at boot time.
    * FF-A IDs normal and secure world split ranges.
    * The SPMC maps the Hypervisor (or OS kernel) RX/TX buffers as non-secure
      buffers in its EL2 Stage-1 translation regime on `FFA_RXTX_MAP` ABI
      invocation from the non-secure physical FF-A instance.
* FF-A v1.0 Direct message interface
    * Added implementation for the normal world Hypervisor and test cases.
    * Implementation extended to the SPMC and SPs.
    * Direct message requests emitted from the PVM to a Secondary VM or a
      Secure Partition (or OS Kernel to a Secure Partition). Direct message
      responses emitted from Secondary VMs and Secure Partitions to the PVM.
    * The secure world represents the "other world" (normal world Hypervisor
      or OS kernel) vCPUs in an abstract "Hypervisor VM".
* FF-A v1.0 memory sharing
    * Hypervisor implementation re-used and extended to the SPMC and SPs.
    * A NS buffer can be shared/lent/donated by a VM to a SP (or OS Kernel
      to a SP).
    * The secure world configures Stage-1 NS IPA output to access the NS PA
      space.
    * The secure world represents the "other world" (normal world Hypervisor
      or OS kernel) memory pages in an abstract "Hypervisor VM" and tracks
      memory sharing permissions from incoming normal world requests.
* Secure world enablement
    * Secure Partitions booted in sequence on their primary execution context,
      according to the boot order field in their partition manifest.
      This happens during the secure boot process before the normal world
      actually runs.
    * The SPMC implements the logic to receive FF-A messages through the EL3
      SPMD, process them, and either return to the SPMD (and normal world) or
      resume a Secure Partition.
    * Extract NS bit from `HPFAR_EL2` on Stage-2 page fault.
    * Prevent setup of LOR regions in SWd.
    * Avoid direct PSCI calls down to EL3.
* Platforms
    * Added Arm FVP secure Hafnium build support.
    * Added Arm TC0 "Total Compute" secure Hafnium build support.
* Other improvements
    * Re-hosting to trustedfirmware.org
    * `busy_secondary` timer increased to improve CI stability.
    * Removed legacy Hypervisor calls.
    * Fix `CPTR_EL2` TTA bit position.
    * Report `FAR_EL2` on injecting EL1 exception.

### Known limitations:
* Not all fields of the FF-A manifest are actually processed by the Hafnium
  device-tree parser.
* SP to SP communication not supported.
* SP to SP memory sharing not supported.
* S-EL1 and SIMD contexts shall be saved/restored by EL3.
* Multi-endpoint memory sharing not supported.
* Interrupt management limited to trapping physical interrupts to
  the first S-EL1 SP. Physical interrupt trapping at S-EL2 planned as
  next release improvement.
* Validation mostly performed using first SP Execution Context (vCPU0). More
  comprehensive multicore enablement planned as next release improvement.
