3. Change-log and Release notes

3.1. v0.4.0

The following sections have the details on the release. This release has been verified with TF-A v2.10 release.

3.1.1. New features in this release

• Added initial partial support for analysing RMM source code with CBMC (https://www.cprover.org/cbmc/).

  • A new HOST_VARIANT, host_cbmc, has been introduced for this purpose.

  • The CBMC testbench files and autogenerated files from RMM machine readable specification are imported into the source tree.

  • An application note for the same is added to the documentation.

• Aligned the implementation to RMM v1.0 EAC5 specification.

  • The relevant tag for the alignment is rmm-spec-v1.0-eac5.

  • There is also an intermediate RMM v1.0 EAC2 alignment which is tagged rmm-spec-v1.0-eac2.

• Supported save and restore of Non Secure SME context when Realms are scheduled.

  • The SIMD abstraction in RMM was reworked to cater for this requirement.

  • Added support to emulate SME specific feature ID registers.

  • Support injecting UNDEF exception into realm when SME is accessed within it.

  • Also RMM now can handle SVE hint bit as specified by SMCCC v1.3 specification.

• Added TF-RMM Threat Model to the documentation.

• Added capability to privately map the per-CPU stack.

  • This contains any stack overflows to the particular CPU and prevents a CPU from corrupting another CPU stack.

• Added FEAT_PAUTH and FEAT_BTI support to RMM and also capability to use FEAT_PAUTH within realms.

• Migrate to PSA Crypto API for attestation and measurement functionality in RMM.

• Added FEAT_LPA2 support to Stage 1 MMU code (lib/xlat) in RMM.

• Added Stage 1 MMU setup design document.

3.1.2. Build/Testing/Tooling improvements

• Added static commit message checker which enforces the commit message guidelines mandated for the project.

• Added clang-tidy checker as one of the static analyzers.

  • Several fixes to errors flagged by the static checker have been fixed.

• Fixed issues found in xlat lib unittests.

• Added github workflow for git submodules so that the TF-RMM dependencies display correctly in github.

• Added github workflow to configure an automatic message for PRs on GitHub and also build and run RMM unittests for every update of the main branch.

• Added FEAT_LPA2 unit tests for lib/xlat module.

• Added RSI logger unit tests.

3.1.3. Platforms

• The support for QEMU virt platform was merged.

3.1.4. Bug fixes/improvements in this release

• Fixed issue with TLB invalidations for unprotected mappings during RMI_RTT_DESTROY command.

• Fixed an issue wherein attest token write may return without releasing lock on the last level RTT of the mapped buffer.

• Enable TSW bit in hcr_el2 when executing in Realm world so as to trap any data cache maintenance instructions that operate by Set/Way.

• Fixed issues flagged by coverity online scan. The defects detected can be found in the TF-RMM coverity scan online homepage.

• Fixed issues in s2tt management related to NS memory assignment/unassignment.

• Added missing check to gicv3_hcr field.

• Cache line align xlat lib data structures accessed by secondary CPUs to avoid data corruption due to mismatched memory attribute accesses by RMM during warm boot.

• Corrected linker options when building qcbor library.

• Fixes to comply with MISRA coding guidelines.

• Adjusted mbedTLS heap size depending on MAX_CPUS in RMM.

• Fixed issue with RMI_DATA_CREATE_UNKNOWN setting RIPAS to RAM.

• Added ‘ipa_bound’ failure condition in RMI_DATA_DESTROY handler. Also added ‘level_bound’ failure condition for RMI_RTT_MAP_UNPROTECTED and RMI_RTT_UNMAP_UNPROTECTED command handlers.

• Fixed issue with rsi_log_on_exit() and modified the logging format.

• Fixed issue with change ipa_align failure condition.

• Unified design of RSI/PSCI handlers.

• The issue with RMM config RMM_FPU_USE_AT_REL2 is fixed and the SIMD registers are saved and restored depending on the live register context in use which be one of FPU, SVE or SME.

• The compatibility check for RMM-EL3 interface version is hardened.

• Issue related to attestation token interruption flow is fixed.

• Enhanced the fake_host sample application to do Realm token creation.

• Fixed D-cache maintenance in fvp_set_dram_layout().

• Updated t_cose submodule to use upstream version rather than a forked version.

3.1.5. Known issues and limitations

• Some capabilities as mentioned in RMM v1.0 EAC5 specification are restricted or absent in TF-RMM as listed below:

  • The RMI_RTT_FOLD command only allows folding upto Level 2 even though the specification allows upto Level 1.

  • The support for Self-hosted debug in Realms is not implemented.

  • Although the RMM allows CCA attestation token sizes of larger than 4KB, there is a limitation on the size of the Platform attestation token part. On the RMM-EL3 interface, there is only a shared buffer of 4KB that is currently shared on the FVP. This needs to be enhanced so that larger platform token sizes can be tested.

• The rmm-el3-ifc component does not always reset the RMM to the correct state on encountering an error. This needs to be corrected.

• The invocation of mmio_emulation() and sea_inj() functions need to be mutually exclusive during schedule of a REC. Currently both the cases are allowed to be satisfied at the same time which is incorrect.

3.1.6. Upcoming features

• FEAT_LPA2 support for Stage 2 MMU code (s2tt) in RMM.

• Add unit-tests for Stage 2 MMU code (s2tt) and also any associated rework for the s2tt component.

• Enhance CBMC analysis to more RMI commands.

• Fuzz testing for RMM utilizing the fake_host architecture.

• Support for new capabilities like Device assignment as mandated by future versions of RMM specification.

• Integrate more static analyzers into RMM build system.

• Implement support for Self-hosted debug in realms.

3.2. v0.3.0

The following sections have the details on the release. This release has been verified with TF-A v2.9 release.

3.2.1. New features in this release

• Add support to create Realms which can make use of SVE, if present in hardware.

• Refactor the Stage 1 translation table library lib/xlat API to better fit RMM usage. Also harden dynamic mapping via slot buffer mechanism by use of TRANSIENT software defined attribute.

• Add PMU support for Realms as described by RMM v1.0 Beta0 specification.

• Support getting DRAM info from the Boot manifest dynamically at runtime.

  • RMM can now support the 2nd DDR bank on FVP.

3.2.2. Build/Testing improvements

• Define a unit test framework using CppUTest for RMM.

• Add unittests for granule, slot-buffer and Stage 1 translation table lib xlat.

• Improve the fake-host mock capability by adding support for per PE sysreg emulation.

• Improve the VA to PA mock layer for fake-host.

• Enable generation of gprof profiling data as part of fake-host runs.

• Improve the sample application on host-build platform by adding the cold attestation initialization flow. Also a sample minimal Realm create, run and destroy sequence is added to showcase the RMI calls involved.

• Further improvements to the unit test framework :

  • Restore the sysreg state between test runs so each test gets a known sysreg state.

  • Add capability to test assertions.

  • Support dynamic behaviour for test harness depending on requirement.

  • Add support for coverage report generation as part of unit test run.

• Build improvements in RMM:

  • Move mbedTLS build from configure stage to build stage.

  • Simplify QCBOR build.

  • Fix build artefact directory path to better cater to multi-config builds.

3.2.3. Bug fixes in this release

• Remove HVC exit handling from RMI_REC_ENTER handler.

• Fix parameter in measurement_extend_sha512().

• Fix issues in lib/xlat for some corner cases.

• Mask MTE capability from id_aa64pfr1_el1 so that Realms can see that MTE is not supported.

• Add isb() after writes to cptr_el2 system register.

• Fix the granule alignment check on granule_addr.

• Fix some cppcheck warnings.

• Properly handle errors for granule (un)delegate calls.

• Fix the incorrect bit map manipulation for tracking VMID for realms.

• Fix some incorrect Block mapping cases in Stage 2 translation.

3.2.4. Upcoming features

• RMM EAC Specification alignment.

• Support Self-Hosted Debug Realms.

• Support FEAT_PAuth for Realms and utilize the same for RMM.

• Support LPA2 for Stage 2 Realm translation tables.

• Threat model covering RMM data flows.

• Enable Bounded Model Checker (CBMC) for source analysis.

• Save and restore SME/SME2 context belonging to NS Host. This allows NS Host to make use of SME/SME2 when Realms are scheduled.

3.2.5. Known issues and limitations

• The size of RsiHostCall structure is 256 bytes in the implementation and aligns to RMM Beta1 specification rather than the 4 KB size specified in RMM Beta0 specification.

• The RMM Beta0 specification does not require to have a CBOR bytestream wrapper around the cca-platform-token and cca-realm-delegated-token, but the RMM implementation does so and this is aligned with later versions of the RMM specification (Beta2 onwards).

• The RMM config RMM_FPU_USE_AT_REL2 does not work as intended and this config is disabled by default. This will be fixed in a future release.

• When the RSI_ATTEST_TOKEN_CONTINUE call is interrupted and then resumed later by Host via RMI_REC_ENTER, the original SMC is replayed again with the original arguments rather than returning RSI_INCOMPLETE error code to Realm. The result is that the interrupted RSI call is continued again till completion and then returns back to Realm with the appropriate error code.

3.3. v0.2.0

• This release has been verified with TF-A v2.8 release.

• The release has the following fixes and enhancements:

  • Add support to render documentation on read-the-docs.

  • Fix the known issue with RSI_IPA_STATE_GET returning RSI_ERROR_INPUT for a destroyed IPA instead of emulating data abort to NS Host.

  • Fix an issue with RSI_HOST_CALL not returning back to Host to emulate a stage2 data abort.

  • Harden an assertion check for do_host_call().

• The other known issues and limitations remain the same as listed for v0.1.0.

3.4. v0.1.0

• First TF-RMM source release aligned to RMM Beta0 specification. The specified interfaces : Realm Management Interface (RMI) and Realm Service Interface (RSI) are implemented which can attest and run Realm VMs as described by the Arm CCA Architecture.

3.4.1. Upcoming features

• Support SVE, Self-Hosted Debug and PMU in Realms

• Support LPA2 for Stage 2 Realm translation tables.

• Threat model covering RMM data flows.

• Enable Bounded Model Checker (CBMC) for source analysis.

• Unit test framework based on RMM Fake host architecture.

3.4.2. Known issues and limitations

The following is a list of issues which are expected to be fixed in the future releases of TF-RMM :

• The size of RsiHostCall structure is 256 bytes in the implementation and aligns to RMM Beta1 specification rather than the 4 KB size specified in RMM Beta0 specification.

• The RSI_IPA_STATE_GET command returns error RSI_ERROR_INPUT for a destroyed IPA instead of emulating data abort to Host.

• The RMM Beta0 specification does not require to have a CBOR bytestream wrapper around the cca-platform-token and cca-realm-delegated-token, but the RMM implementation does so.

---