*************
Version 2.2.0
*************

New major features
==================

 - LLVM build support (MPS2/3/4, RSE)

 - Mbed TLS upgrade to v3.6.3.

 - Compliant with PSA Architecture Compliance Kit tests v1.6

 - Initial support for on-core and off-core clients on Hybrid platforms (A-profile + M-profile or
   multiple M-profile) using HYBRID_PLAT_SCHED_TYPE=NSPE (a.k.a. solution 2) as described in [1]_.
   The functionality is still under active testing and development.


Other relevant changes
======================

 - BL1 changes to: key config, crypto API, image layout, BL2 hash removal, fixes for encodings,
   ECC keys derivation support, all crypto functions are FIH enabled, shared symbols list updates.
 - BL2 changes to: dynamic arbitrary numbers of ROTPKs, shared regions indirection, config options
 - Tools: Option to generate signing requests, key_derivation module
 - COSE: Switch to upstream t_cose repo
 - NS agent mailbox: Support multiple mailbox sources in RPC callback
 - Logs: Clean-up macros
 - CC3XX: sanity checks, enhancements for PKA & ECDSA, alignments, tests, DRBG additions
 - Threat Model: Add mitigation strategies
 - MISRA-C: Document status of reported violations


New security advisories
=======================

None.


New platforms support
=====================

 - Initial support for building nRF54L15
 - Initial support for building stm32wba65i-dk


Deprecated platforms
====================

TC2: arm/rse/tc/tc2


Tested platforms
================

The following platforms are successfully tested in this release.

- **Arm**

  - AN519
  - AN521
  - AN555
  - Corstone-300
  - Corstone-310
  - Corstone-315
  - Corstone-320
  - Corstone-1000
  - Musca-B1
  - Musca-S1

- **ArmChina**

  - Alcor (AN557)

- **STM**

  - NUCLEO-L552ZE-Q
  - STM32H573idk

- **NXP**

  - LPCXpresso55S69

- **Nordic**

  - nrf5340dk_nrf5340_cpuapp
  - nrf9160dk_nrf9160
  - nrf9161dk_nrf9161

Reference memory footprint
==========================

All measurements below are made for the *AN521* platform, built from `TF-Mv2.2.0-RC2
<https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tag/?h=TF-Mv2.2.0-RC2>`_
on Windows 10 using Armclang v6.18 and build type MinSizeRel.

All modules are measured in bytes. Some minor modules are not shown in the table below.

.. note::

  Profile `Medium-ARoT-less` is built with the Firmware Update service disabled to align with
  other TF-M Profiles.

+----------------------+--------------+--------------+--------------+--------------+--------------+
| Module               |     Base     |    Small     |  ARoT-less   |    Medium    |    Large     |
+                      +-------+------+-------+------+-------+------+-------+------+-------+------+
|                      | Base  | RAM  | Small | RAM  | ARoT  | RAM  | Med.  | RAM  | Large | RAM  |
+======================+=======+======+=======+======+=======+======+=======+======+=======+======+
|Generated             |    112|  3184|    208|  3184|    224|  3184|    272|  3184|    272|  3184|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|Objects               |    972|  1056|   1280|  5188|   1379|  5872|   1513|  1468|   1587|  1468|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|c_w.l                 |    190|     0|    506|     0|    548|     0|    506|     0|    746|     0|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|platform_s.a          |   5312|   281|   5644|   281|   6044|   281|   6426|   281|   6556|   281|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|spm.a                 |   3678|   173|   4716|   173|   4054|   173|   6652|  1409|   6854|  1414|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|sprt.a                |    274|     0|   1488|     0|   1402|     0|   2530|     4|   2530|     4|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|mbedcrypto.a          |      0|     0|  24464|  2108|  28292|  2108|  28392|  2108|  77692|  1992|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|PROT_attestation.a    |      0|     0|   1610|   557|   1579|  1153|   1583|  3201|   1699|  3201|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|PROT_crypto.a         |      0|     0|   3596|  2046|   4042| 16002|   4092| 22146|   4600| 28226|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|PROT_its.a            |      0|     0|   4830|    80|   4864|   112|   5064|  1988|   5072|  2468|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|PROT_platform.a       |      0|     0|      0|     0|    532|     0|    522|  1280|    522|  1280|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|AROT_ps.a             |      0|     0|      0|     0|      0|     0|   3312|  4344|   3312|  4344|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|Padding               |     26|    38|     95|    43|    126|    43|    117|    59|    169|    50|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|platform_crypto_keys.a|      0|     0|    258|     0|    276|     0|    276|     0|    276|     0|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|qcbor.a               |      0|     0|    854|     0|   1070|     0|   1070|     0|   1070|     0|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|crypto_service_p256m.a|      0|     0|      0|     0|   3612|     0|   3602|     0|      0|     0|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|t_cose_s.a            |      0|     0|   1007|     0|   2164|     0|   2159|     0|   2159|     0|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+
|Total inc. Padding    |  10564|  4732|  50556| 13660|  60208| 28928|  68088| 41472| 115116| 47912|
+----------------------+-------+------+-------+------+-------+------+-------+------+-------+------+

Known issues
============

Some open issues are not fixed in this release.

.. list-table::
  :header-rows: 1

  * - Descriptions
    - Issue links
  * - SPM does not automatically unmap mm-iovecs. It will be recovered in a future release.
    - https://github.com/TrustedFirmware-M/trusted-firmware-m/issues/20


Issues fixed since v2.1.1
-------------------------

The following issues have been fixed since the v2.1.1 release.

.. list-table::
  :header-rows: 1

  * - Descriptions
    - Issue links
  * - KConfig build has been fixed
    - <None>
  * - Services do not unmap IOVECS
    - https://github.com/TrustedFirmware-M/trusted-firmware-m/issues/19
  * - SPM does not return PSA_ERROR on refused psa_connect
    - https://github.com/TrustedFirmware-M/trusted-firmware-m/issues/21
  * - Fix wrapper to properly mark NSPE images as such
    - https://github.com/TrustedFirmware-M/trusted-firmware-m/issues/24
  * - Protected Storage content can be lost
    - https://github.com/TrustedFirmware-M/trusted-firmware-m/issues/26


Reference
=========

.. [1] `Trusted Firmware-M and Hybrid platforms, TF-M tech forum 14-09-2023 <https://www.trustedfirmware.org/docs/tech_forum_20230914_non_seucure_clients.pdf>`_

--------------

 *SPDX-License-Identifier: BSD-3-Clause*

 *SPDX-FileCopyrightText: Copyright The TrustedFirmware-M Contributors*