1Change Log & Release Notes
2==========================
3
4This document contains a summary of the new features, changes, fixes and known issues in each release of Trusted
5Services.
6
7Version v1.1.0
8--------------
9
10- Trustedfirmware.org has deprecated Phabricator, the wiki and issue tracking provider. This functionality has been
11  moved to GitHub. See the `Trusted Services organization`_. The project wiki has been moved
12  `to here <https://github.com/Trusted-Services/trusted-services/wiki>`_
13
14
15Feature Highlights
16^^^^^^^^^^^^^^^^^^
17
18- Add documentation covering the :ref:`OP-TEE SPMC tests`.
19- :ref:`UEFI SMM Services`:
20
21    - Extend the implementation to support Authenticated Variables.
22    - Relax the UEFI variable name length limit imposed by the size of the RPC buffer.
23
24- Introduce a work in progress RPMB implementation and integrate it to the Block Storage service. The current
25  configuration uses an SWd RAM buffer for data storage, and is not connected to the RPMB provider running in the NWd.
26  This is the first baseline to implement a scenario where the RPMB owner is an S-EL0 SP.
27- Introduce the :ref:`Logging Service`.
28- Add crypto key store partitioning support to the Crypto Service. This feature allows isolating clients running in
29  different SPs.
30- Add the "RSE Com" protocol. RSE Com is a new protocol used between secure partitions and security subsystems like the
31  Secure Enclave on Corstone-1000 or Runtime Security Engine on `RD-1 AE`_.
32- libsp learnt to support FF-A v1.1 and all SPs are updated to use this version.
33- tstee Linux driver was merged upstream and the LinuxFfaTEEDriver external component is removed.
34- All SP and arm-linux deployments are updated to support Armv8.5-A Branch Protection feature.
35  See: :ref:`branch_protection`
36- A new FWU agent implementation is introduced, which implements a `PSA Certified Firmware Update API 1.0`_ client. This
37  component can be used to implement an FWU proxy on A+M systems like Corstone1000 and RD-1 AE. For more details see:
38  :ref:`Firmware update on A+M systems`
39- A new shared library called ``libpsats`` is introduced to help integration of PSA clients to 3rd party linux
40  user-space projects. For details see: :ref:`libs-libpsats`
41- The following new tests and enhancements have been added to :ref:`OP-TEE SPMC tests`:
42
43    - FFA_MEM_PERM_GET/SET tests.
44    - Memory sharing test updated to cover invalid requests.
45    - VM availability message tests.
46    - Endpoint ID checking is fixed.
47
48Deprecations
49^^^^^^^^^^^^
50
51- This OpenAMP based psa_ipc implementation is deprecated and will be removed in the future.
52
53
54Updated external components
55^^^^^^^^^^^^^^^^^^^^^^^^^^^
56
57- MbedTLS version in the Crypto service is updated to v3.6.0.
58- NanoPB has been upgraded to v0.4.8.
59- Newlib is no longer required and the newlib external component is removed.
60
61Breaking changes
62^^^^^^^^^^^^^^^^
63
64None.
65
66Resolved issues
67^^^^^^^^^^^^^^^
68
69- Fix psa-ps-api-test test case 414.
70- Crypto key store partitioning has been implemented, and clients accessing the crypto service from different FF-A
71  endpoints can not access each other's assets anymore.
72
73Known limitations
74^^^^^^^^^^^^^^^^^
75
76None.
77
78Version 1.0.0
79-------------
80
81The first stabilised release of the project from previously prototype releases ready for product use.
82
83Feature Highlights
84^^^^^^^^^^^^^^^^^^
85
86- Introduce the :doc:`Block Storage Service </services/block-storage-service-description>`. The Block Storage service
87  can be used to share a block-oriented storage device such as a QSPI flash between a set of independent secure world
88  clients.
89
90- Introduce the :doc:`Firmware Update Service </services/fwu/index>`. The FWU service implements the Update Agent
91  defined in the `Arm FWU-A specification`_ and allows replacing FW components with newer versions.
92
93- Refactor FF-A UUID policy. Reinterpret the FF-A UUID to identify the protocol supported by TS SP instead of the
94  service. This removes the maintenance burden of keeping an up to date UUID list in the service locator. All SPs start
95  using the same protocol UUID, and implement a new discovery service (see the next point).
96
97- Overhaul the RPC protocol. The main driver is to remove the single shared memory region limitation, which does not
98  allow separating shared regions of clients running over Linux in the user-space. The second driver is to add
99  versioning support to the RPC layer.
100
101    - Allow multiple shared memory regions between endpoints.
102    - Implement the discovery service in the RPC layer.
103    - Allow assigning a UUID to interfaces. This mechanism replaces the protocol identifier used earlier. Each protocol
104      of a service is represented as a dedicated interface.
105    - Add versioning support to the RPC layer.
106
107- Refactor the discovery service. The is removing the runtime overhead of memory sharing during the discovery and
108  decreases code size and duplication using the same code for service discovery.
109
110    - Implement the discovery service in the RPC layer for efficiency reasons.
111    - Implement service identity discovery for all services.
112    - Remove the encoding type entity and use service UUIDs to represent the serialization type.
113    - Service property discovery is to be implemented in the future.
114
115- Add support for the Corstone-1000 platform. For more information about this platform please see:
116  `Corstone-1000 product homepage`_
117
118- SPs now indicate support of :term:`Normal World` interrupt preemption capability in their SP manifest and allow the
119  SPMC to enable preemption if possible. This removes NWd interrupts being disabled for long periods due to long service
120  calls.
121
122- Add support for the Armv8-A CRC32 feature for :term:`Secure World` and :term:`Normal World` components.
123
124- Extend FF-A support with:
125
126    - FF-A v1.1 boot protocol between the SPM and SPs.
127    - FF-A v1.2 FFA_CONSOLE_LOG call. This allows SPs to emit log messages in an SPMC agonistic way.
128
129- Improve the build system to allow setting the build steps of external components to be verbose.
130
131- Add support for runtime (dynamic) psa-acs test case configuration.
132
133Updated external components
134^^^^^^^^^^^^^^^^^^^^^^^^^^^
135
136- MbedTLS version integration into the Crypto service is updated to v3.4.0.
137- The PSA Arch test is updated to version `74dc6646ff594e131a726a5305aba77bac30eceb`.
138
139Breaking changes
140^^^^^^^^^^^^^^^^
141
142- The new RPC ABI is not backwards compatible and needs recent version of all depending components.
143
144Resolved issues
145^^^^^^^^^^^^^^^
146
147- The new RPC version allows having multiple shared memory regions between endpoints. This allows each NWd client
148  running in Linux user-space to use a dedicated buffer.
149
150Known limitations
151^^^^^^^^^^^^^^^^^
152
153  - Crypto key store partitioning by client is not yet supported. This means multiple clients running at the same FF-A
154    endpoint use a shared key space.
155  - The full firmware update process implementation and testing is work-in-progress. The FWU process relies on the
156    cooperation of multiple FW components owned by multiple FW projects. Some 3rd party components do not implement the
157    needed features yet and thus, the FWU service was validated in "isolation" and exercised by TS test on the FVP
158    platform and on the host PC only.
159  - Service property discovery is not implemented yet.
160  - Discovering the maximum payload size of a service is not supported yet and buffer sizes are hardcoded.
161
162Version 1.0.0-Beta
163------------------
164
165The first tagged release of the project.
166
167Feature Highlights
168^^^^^^^^^^^^^^^^^^
169
170The project supports the following services:
171
172  - Secure Storage
173  - Crypto
174  - Initial Attestation
175  - Smm Variable
176
177Services may be accessed using client components that implement "`Psacertified v1.0 APIs`_". The project includes
178deployments that integrate `PSA API certification tests`_ with API clients to facilitate end-to-end PSA certification
179testing.
180
181Known limitations
182'''''''''''''''''
183
184  - Crypto key store partitioning by client is not yet supported.
185  - Discovery support is only currently integrated into the Crypto service provider. In case of services not supporting
186    this feature yet, communication parameters (e.g. maximum buffer size) and supported feature set needs to be hardcode
187    to the service provider and service client.
188
189Supported Trusted Environments
190''''''''''''''''''''''''''''''
191
192In the default configuration each service is deployed to a dedicated FF-A Secure Partition and executes isolated.
193Service implementations are platform, trusted environment and service deployment agonistic. With appropriate enablement
194work services can be enabled to work in any combination of these.
195
196The reference integration uses the SPMC implemented in OP-TEE OS to manage TS SPs. This release supports `OP-TEE v3.19`_.
197
198Supported Integration Systems
199'''''''''''''''''''''''''''''
200
201The reference solution uses the OP-TEE integration methodology. This relies on the google repo tool for high-level
202dependency management and a set of makefiles to capture the build configuration information. For details please refer to
203`OP-TEE git repo documentation`_.
204
205The project is officially enabled in `Yocto meta-arm`_.
206
207Supported Target Platforms
208''''''''''''''''''''''''''
209
210The only reference platform supported by this release is the `AEM FVP`_ build using the OP-TEE integration method.
211
212Known limitations:
213
214  - Non-volatile backend secure storage is not currently provided.
215
216Test Report
217^^^^^^^^^^^
218
219Please find the Test Report covering this release in the `project wiki`_.
220
221
222--------------
223
224.. _`FF-A Specification v1.1`: https://developer.arm.com/documentation/den0077/e
225.. _`Psacertified v1.0 APIs`: https://www.psacertified.org/development-resources/building-in-security/specifications-implementations/
226.. _`OP-TEE v3.19`: https://github.com/OP-TEE/optee_os/tree/3.19.0
227.. _`Yocto meta-arm` : https://gitlab.oss.arm.com/engineering/yocto/meta-arm/-/tree/master/meta-arm/recipes-security/trusted-services
228.. _`project wiki`: https://github.com/Trusted-Services/trusted-services/wiki/Trusted-Services-test-reports
229.. _`AEM FVP`: https://developer.arm.com/-/media/Files/downloads/ecosystem-models/FVP_Base_RevC-2xAEMvA_11.22_14_Linux64.tgz
230.. _`PSA API certification tests`: https://github.com/ARM-software/psa-arch-tests
231.. _`OP-TEE git repo documentation`: https://optee.readthedocs.io/en/latest/building/gits/build.html
232.. _`Corstone-1000 product homepage`: https://developer.arm.com/Processors/Corstone-1000
233.. _`Arm FWU-A specification`: https://developer.arm.com/documentation/den0118
234.. _`Trusted Services organization`: https://github.com/Trusted-Services
235.. _`RD-1 AE`: https://developer.arm.com/Tools%20and%20Software/Arm%20Reference%20Design-1%20AE
236.. _`PSA Certified Firmware Update API 1.0`: https://arm-software.github.io/psa-api/fwu/1.0/
237
238*Copyright (c) 2020-2024, Arm Limited and Contributors. All rights reserved.*
239
240SPDX-License-Identifier: BSD-3-Clause
241