- TF-A - lists.trustedfirmware.org

Re: [PATCH] fix(st): reset SoC instead of panic() on MMC init failure

by Yann Gautier

Hello, Thanks for the patch and the detailed commit message. For ST boards, we usually treat this kind of issues with watchdog. But I admit some watchdogs patches are still missing upstream. I'll try to send them soon. We are discussing internally to see if this particular use-case could be done as you proposed. I'll get back to you next week about this, when one of my colleagues comes back. Maybe this could be selected with a compilation flag. About the patch submission, TF-A uses gerrit, and we do not merge patches from mailing-list like Linux does. Please check this page: https://trustedfirmware-a.readthedocs.io/en/latest/process/contributing.html Best regards, Yann On 4/29/26 05:21, Chanhong Jung wrote: > A failed eMMC initialization in BL2's boot_mmc() currently calls > panic(), leaving the system spinning forever and forcing an external > power cycle to recover. In production deployments where the eMMC is > the on-board boot medium, transient init failures (power-rail ramp > timing, bus-line noise just after eMMC fast-boot mode entry, RCC > clock-domain settling jitter, etc.) are far more common than hard > failures, and the recovery path for all of them is "boot again from > cold." > > Invoke stm32mp_system_reset() before panic() in the > stm32_sdmmc2_mmc_init() failure path so the SoC restarts and BootROM > re-runs the entire boot chain from scratch. Transient failures that > clear themselves between cold boots are then resolved automatically > without operator intervention. > > stm32mp_system_reset() carries the __dead2 (no-return) attribute, so > control never reaches the following panic() in normal operation. The > panic() call is intentionally retained for two reasons: > > 1. Defensive fallback should the reset circuit / power sequencer > fail to actually issue a reset; staying in a tight panic() loop > is then still preferable to executing past the failure point. > > 2. As an explicit "this branch must not continue" signal to static > analyzers and future readers, so a subsequent edit cannot > accidentally drop the reset call and silently revert the policy. > > This change has been in production on a downstream STM32MP153D board > running a TF-A v2.4 backport for over a year. Only the central > panic-to-reset change is sent here; related debug NOTICE() prints and > an MMC retry-count bump that lived alongside the downstream patch are > intentionally not included, as the unconditional reset fallback > already covers the recovery cases the retry bump targeted. > > Signed-off-by: Chanhong Jung <happycpu(a)gmail.com> > --- > plat/st/common/bl2_io_storage.c | 15 ++++++++++++++- > 1 file changed, 14 insertions(+), 1 deletion(-) > > diff --git a/plat/st/common/bl2_io_storage.c b/plat/st/common/bl2_io_storage.c > index c478b497c..e6a73e0d3 100644 > --- a/plat/st/common/bl2_io_storage.c > +++ b/plat/st/common/bl2_io_storage.c > @@ -28,6 +28,7 @@ > #include <drivers/st/stm32_fmc2_nand.h> > #include <drivers/st/stm32_qspi.h> > #include <drivers/st/stm32_sdmmc2.h> > +#include <drivers/st/stm32mp_reset.h> > #include <drivers/usb_device.h> > #include <lib/fconf/fconf.h> > #include <lib/mmio.h> > @@ -255,7 +256,19 @@ static void boot_mmc(enum mmc_device_type mmc_dev_type, > > params.device_info = &mmc_info; > if (stm32_sdmmc2_mmc_init(&params) != 0) { > - ERROR("SDMMC%u init failed\n", boot_interface_instance); > + ERROR("SDMMC%u init failed - resetting system\n", > + boot_interface_instance); > + /* > + * eMMC init failures here are usually transient (rail-ramp > + * timing, bus-line noise on fast-boot entry, RCC clock-domain > + * settling jitter). panic() leaves the SoC frozen and forces > + * an external power cycle; a system reset lets BootROM re-run > + * the entire boot path, which most transient failures survive. > + * stm32mp_system_reset() is __dead2, so panic() below is a > + * defensive fallback if the reset circuit is itself wedged, > + * and a no-return marker for analyzers. > + */ > + stm32mp_system_reset(); > panic(); > } > > > base-commit: de387341ee73d99446fbbf6a7053d7b759b8b3a6

2 months

1
0
0 0

Firmware-A v2.15 release code freeze notification

by Harrison Mutai

Hi All, The next release of the Firmware-A bundle of projects tagged v2.15 has an expected code freeze date of 15/05/2026. Refer to the release cadence section from TF-A documentation (https://trustedfirmware-a.readthedocs.io/en/latest/about/release-informatio…). Closing out the release takes around 6-10 working days after the code freeze. v2.15 release preparation tasks are on-going and well progressed. We want to ensure that planned feature patches for the release are submitted in good time for the review process to conclude. As a kind reminder and a matter of sharing CI resources, please launch CI jobs with care e.g.: * For simple platform, docs changes, or one liners, use Allow-CI+1 label (no need for a full Allow-CI+2 run). * For large patch stacks use Allow-CI+2 at top of the patch stack (and if required few individual Allow+CI+1 labels in the middle of the patch stack). * Carefully analyze results and fix the change if required, before launching new jobs on the same change. * If after issuing a Allow-CI+1 or Allow-CI+2 label a Build start notice is not added as a gerrit comment on the patch right away please be patient as under heavy load CI jobs can be queued and in extreme conditions it can be over an hour before the Build start notice is issued. Issuing another Allow-CI+1 or Allow-CI+2 label will just result in an additional job being queued. Thanks & Regards, Harrison on behalf of the TF-A team

2 months

1
0
0 0

Canceled event with note: TF-A Tech Forum @ Thu Apr 16, 2026 5pm - 6pm (GMT+2) (tf-a@lists.trustedfirmware.org)

by Olivier Deprez

This event has been canceled with a note: "Hi , Cancelling as no topic this week. Thanks, Olivier. " TF-A Tech Forum Thursday Apr 16, 2026 ⋅ 5pm – 6pm Central European Time - Paris Location https://linaro-org.zoom.us/j/93557863987?pwd=56a1l8cBnetDTZ6eazHGaE1Ctk4W34… https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F9355786… Trusted Firmware is inviting you to a scheduled Zoom meeting.Topic: TF-A Tech ForumTime: May 15, 2025 02:00 PM London Every 2 weeks on Thu, 78 occurrence(s)Please download and import the following iCalendar (.ics) files to your calendar system.Weekly: https://linaro-org.zoom.us/meeting/tJcocu6gqDgjEtOkyBhSQauR1sUyFwIcNKLa/ics… Zoom Meetinghttps://linaro-org.zoom.us/j/93557863987?pwd=56a1l8cBnetDTZ6eazHGaE1Ctk4W34.1Meeting ID: 935 5786 3987Passcode: 939141---One tap mobile+12532158782,,93557863987# US (Tacoma)+13017158592,,93557863987# US (Washington DC)---Dial by your location• +1 253 215 8782 US (Tacoma)• +1 301 715 8592 US (Washington DC)• +1 305 224 1968 US• +1 309 205 3325 US• +1 312 626 6799 US (Chicago)• +1 346 248 7799 US (Houston)• +1 360 209 5623 US• +1 386 347 5053 US• +1 507 473 4847 US• +1 564 217 2000 US• +1 646 558 8656 US (New York)• +1 646 931 3860 US• +1 669 444 9171 US• +1 669 900 9128 US (San Jose)• +1 689 278 1000 US• +1 719 359 4580 US• +1 253 205 0468 US• 833 548 0276 US Toll-free• 833 548 0282 US Toll-free• 833 928 4608 US Toll-free• 833 928 4609 US Toll-free• 833 928 4610 US Toll-free• 877 853 5247 US Toll-free• 888 788 0099 US Toll-freeMeeting ID: 935 5786 3987Find your local number: https://linaro-org.zoom.us/u/adoz9mILli Guests qwandor(a)google.com praan(a)google.com jeremimiller(a)google.com jagdish.gediya(a)linaro.org khilman(a)baylibre.com tf-a(a)lists.trustedfirmware.org ~~//~~ Invitation from Google Calendar: https://calendar.google.com/calendar/ You are receiving this email because you are an attendee on the event. Forwarding this invitation could allow any recipient to send a response to the organizer, be added to the guest list, invite others regardless of their own invitation status, or modify your RSVP. Learn more https://support.google.com/calendar/answer/37135#forwarding

2 months, 1 week

1
0
0 0

Why can TF-A code still run in an address space that it itself has set to be "Execute-Never"?

by Hughard

*Environment:* - *Exception Level:* EL3 (AArch64) - *Component:* [image: 微信图片_20260304154227_69_553.png] ARM Trusted Firmware (TF-A) - BL2/BL31 - *Platform:* Arm FVP / Base_Revc_2xAEMvA / Bare Metal Debug /ARMAEM-A_MP_0 [ Arm Development Studio ] *Observation:* I am observing a strange thing of the ARMv8-A architecture's memory translation rules. Despite the translation table explicitly marking the memory region as Execute-Never, the CPU continues to fetch and execute instructions from this region without triggering an exception. I'm a student with limited hardware background, and I'm learning TF-A and doing porting during my internship. I'd really like to know the reason behind this. *Code I use:* ARM Trusted Firmware v2.13 *Github:* github.com/.../arm-trusted-firmware <https://github.com/ARM-software/arm-trusted-firmware> *Take the case of running BL31 in Development Studio as an example. （Breakpoint at the beginning of bl31_setup）* *Technical Evidence (Verified via Debugger):* SCTLR_EL3: M=1 (MMU enabled), WXN=1 (Write implies execute-never), I=1 (Instruction Cache enabled). BL31’s code is loaded at: 0x04003000 Translation Table Entry (L3 Descriptor): 0x00400000_04003743 Physical Address: Verified via TTBR0_EL3 walk. (0x04034600 -> 0x04035003 -> 0x04037003 -> 0x00400000_04003743) Attributes: AP[2:1]=0x1 (Read/Write), XN=1 (Execute-Never), AF=1, SH=0x3 (Inner Shareable), NS=0, AttrIndx = 0x0 (See the MAIR_EL3) MAIR_EL3: 0x4404FF (Attr0 = 0xFF, Normal Memory). Synchronization Performed: DSB SY + ISB The PC (Program Counter) is confirmed to executing from the first instruction of BL31 code at address 0x04003000. *The Problem:* This evidence should point to one conclusion: it cannot execute the BL31 code and will report an error. However, the execution flow remains uninterrupted. From my point of view, it should cause "ESR_EL3 = 0x8600000F", which means: "Instruction Abort taken without a change in Exception level. Used for MMU faults generated by instruction accesses and synchronous External aborts, including synchronous parity or ECC errors. Not used for debug-related exceptions." + "Permission Fault, level 3". As I test on a real fpga by using similar code by making some changes at the end of BL1 so that it would execute BL2 at level EL3 (but instead of bl2_el3_entrypoint.S, it would execute bl2_entrypoint.S). In this case, it throws an error when it jumps to the first instruction of BL2, and the ESR_EL3 register displays "Permission Fault, level 3". If I add the instruction to disable the MMU (setting SCTLR_EL3.M_BIT to 0) at the end of BL1, and change the function to enable the MMU in the official code "arm_bl2_plat_arch_setup" to use "enable_mmu_el3(0)", it can run normally on the FPGA and bring up the UEFI. (In this real-world test, I used DDR instead of SRAM, so BL2 and BL31 were also placed here after being parsed.) *Request for Help:* The above content is beyond my comprehension; even my internship supervisor doesn't understand the reasoning behind it. Therefore, I need help from the experts on this forum. *Reference:* DDI0487M_a_a-profile_architecture_reference_manual.pdf ARM Development Studio@Docs (such as Docs/ARM_A/xhtml/AArch64-esr_el3.html) armv8_a_address_translation version1.1

2 months, 4 weeks

2
1
0 0

TF-A Tech Forum (April 2nd 2026 4.00pm BST) s2idle-driven Low Power Mode Selection using PSCI on

by Olivier Deprez

Hi, On Apr, 2nd Scaria Kochidanadu @ Texas Instruments will present on the topic "s2idle-driven Low Power Mode Selection using PSCI on AM62L" See the abstract https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.… Regards, Olivier. TF-A Tech Forum Thursday Apr 2, 2026 ⋅ 5pm – 6pm Central European Time - Paris Location https://linaro-org.zoom.us/j/93557863987?pwd=56a1l8cBnetDTZ6eazHGaE1Ctk4W34… https://www.google.com/url?q=https%3A%2F%2Flinaro-org.zoom.us%2Fj%2F9355786… Trusted Firmware is inviting you to a scheduled Zoom meeting.Topic: TF-A Tech ForumTime: May 15, 2025 02:00 PM London Every 2 weeks on Thu, 78 occurrence(s)Please download and import the following iCalendar (.ics) files to your calendar system.Weekly: https://linaro-org.zoom.us/meeting/tJcocu6gqDgjEtOkyBhSQauR1sUyFwIcNKLa/ics… Zoom Meetinghttps://linaro-org.zoom.us/j/93557863987?pwd=56a1l8cBnetDTZ6eazHGaE1Ctk4W34.1Meeting ID: 935 5786 3987Passcode: 939141---One tap mobile+12532158782,,93557863987# US (Tacoma)+13017158592,,93557863987# US (Washington DC)---Dial by your location• +1 253 215 8782 US (Tacoma)• +1 301 715 8592 US (Washington DC)• +1 305 224 1968 US• +1 309 205 3325 US• +1 312 626 6799 US (Chicago)• +1 346 248 7799 US (Houston)• +1 360 209 5623 US• +1 386 347 5053 US• +1 507 473 4847 US• +1 564 217 2000 US• +1 646 558 8656 US (New York)• +1 646 931 3860 US• +1 669 444 9171 US• +1 669 900 9128 US (San Jose)• +1 689 278 1000 US• +1 719 359 4580 US• +1 253 205 0468 US• 833 548 0276 US Toll-free• 833 548 0282 US Toll-free• 833 928 4608 US Toll-free• 833 928 4609 US Toll-free• 833 928 4610 US Toll-free• 877 853 5247 US Toll-free• 888 788 0099 US Toll-freeMeeting ID: 935 5786 3987Find your local number: https://linaro-org.zoom.us/u/adoz9mILli Guests qwandor(a)google.com praan(a)google.com jeremimiller(a)google.com jagdish.gediya(a)linaro.org khilman(a)baylibre.com tf-a(a)lists.trustedfirmware.org

2 months, 4 weeks

1
0
0 0

TF-A Tech Forum @ April 2, 2026

by Scaria Kochidanadu

Hi, this is Scaria Kochidanadu, from Texas Instruments and would like to present : "s2idle-driven Low Power Mode Selection using PSCI on AM62L", in the TF-A tech forum on April 2nd, 2026. We present a runtime-configurable low power mode(LPM) management approach for *PSCI* firmware in ATF, implemented on the AM62L SoC, a 2-core system with A53 cores. The primary goal of this session is to gather feedback on the *suitability of this design for upstreaming*, and to get guidance on key challenges encountered during implementation before proceeding with further debugging and optimization. In this design, we transition to an *s2idle-based flow* where Linux cpuidle framework and governor drive idle state selection, from the multiple platform-specific standby and low power modes that are provided in the devicetree. The PSCI driver in ATF is then responsible for the validation of the idle-states passed and the entire suspend-resume flow, with the *Operating-System Initiated (OSI) mode in PSCI*. As ATF now handles the full suspend-resume flow, it has the responsibility of managing the powering down and bringing up of the cores, along with the state of the system. We observe issues related to core *coordination in a multi-core system*, as well as system state management during resume, including *GIC* and (*Interrupt Translation Service*)ITS context handling. In this session, we will present our suspend and resume design in the AM62L PSCI implementation and discuss these challenges in detail. We would also like to discuss the *current validation logic* for the context-preserving retention states like standby and our approach to enable standby mode. We are particularly interested in feedback on whether this *OS-driven LPM selection model aligns with ATF design expectations*, and on recommended approaches for handling *inter-core coordination and system state restoration within PSCI-based flows*. Regards, Scaria Kochidanadu, Texas Instruments.

2 months, 4 weeks

1
0
0 0

Re: RMMv2.0 implementation plan for TF-RMM

by Soby Mathew

[+ TF-A list for FYI] Hi All, An update on v2.0 migration. As RMM and the rest of the software stack are being prepared for the initial v2.0 migration, TF-A has introduced a new build configuration flag, RMM_V1_COMPAT, to control the world-switch behaviour between RMM v1.x and RMM v2.0 [1] . This flag is enabled by default, meaning the default behaviour currently corresponds to RMM v1.x. Once TF-RMM is ready to merge the v2.0 support, the default value of this flag will be changed to 0. The flag also updates the EL3–RMM interface major version, allowing incompatibility with TF-A related to this build configuration to be detected at runtime. We expect the initial v2.0 changes in TF-RMM to be merged by the end of this month. As mentioned in the previous email, we will create a v1.x branch prior to this and provide an update here. [1] https://git.trustedfirmware.org/plugins/gitiles/TF-A/trusted-firmware-a/+/r… Best regards, Soby Mathew From: Soby Mathew via tf-rmm <tf-rmm(a)lists.trustedfirmware.org> Date: Thursday, 5 February 2026 at 09:42 To: tf-rmm(a)lists.trustedfirmware.org <tf-rmm(a)lists.trustedfirmware.org> Cc: nd <nd(a)arm.com> Subject: [tf-rmm] RMMv2.0 implementation plan for TF-RMM Hi Everyone, The RMM v2.0 Beta 0 specification has been published here: https://developer.arm.com/documentation/den0137/latest/ As you may have noticed, this release introduces breaking changes to the RMI APIs (host side), while the RSIs (guest side) remain backward compatible. Nearly all ABIs are affected, and the scope of these changes makes it highly disruptive to maintain support for both RMI v1.x and RMI v2.0 within the same codebase. We do not expect RMI v1.x to be deployed in production, and retaining support for it would increase development overhead and the risk of introducing bugs. A more pragmatic approach is to branch the current RMM codebase at the RMI v1.x ABI and then migrate the mainline to the RMI v2.0 ABI. This will be a breaking change for host-side components that rely on the older RMI ABI. Given the extent of the ABI changes, significant effort will be required to align with RMI v2.0, and this approach allows the team to focus on upstreaming the new ABI support efficiently. The initial RMI v2.0 upstreaming will consist of a series of commits that together form an initial RMM implementation targeting the RMM v2.0 specification. This initial implementation will not be fully feature-complete with respect to the v2.0 spec, and we expect to continue layering additional RMM v2.0 ABI-related changes on top as the implementation matures during the course of the year. That said, we intend to maintain integration with an externally available, compatible Linux host kernel branch throughout this process. The initial RMI v2.0 RMM implementation will be compatible with an initial v2.0-based host kernel, and we will notify the mailing list once this integration is available to pick up (likely end of March ’26). If and when we need to introduce further ABI changes that break compatibility with a previously published kernel branch, we will call this out explicitly in advance and indicate when an updated kernel branch will be available for integration. We plan to keep RMI v1.x ABI as a separate branch and selectively merge bug fixes on a request or need basis. Please let us know if you have any concerns regarding this plan within the next two weeks. Best Regards Soby Mathew

3 months

1
1
0 0

Trusted Firmware-A LTS v2.12.11 Release Announcement

by svc_openci_enginfra＠arm.com

Hello, Trusted Firmware-A LTS version 2.12.11 is now available. This release contains the following patches: f8013b344 fix(security): add workaround for CVE-2025-0647 [1] 72301cc63 fix(security): add CVE-2025-0647 for Cortex-A710 [2] 69437f876 fix(security): add CVE-2025-0647 for Cortex-X2 [3] 48df3fd66 fix(security): add CVE-2025-0647 for Cortex-X3 [4] b2534f255 fix(security): add CVE-2025-0647 for Cortex-X4 [5] 9776ee7aa fix(security): add CVE-2025-0647 for Cortex-X925 [6] 723c2ec2c fix(security): add CVE-2025-0647 for Neoverse-N2 [7] 3d8da003c fix(security): add CVE-2025-0647 for Neoverse-V2 [8] 6232ed263 fix(security): add CVE-2025-0647 for Neoverse-V3 [9] 12e155e47 fix(security): add CVE-2025-0647 for C1-Ultra [10] c43bcc1e3 fix(cpus): correct CVE-2024-7881 workaround and drop duplicate erratum [11] 306acbd96 fix(cpus): remove C1-Ultra erratum 3651221 [12] 4cd3b2f8d fix(cpus): workaround for Cortex-A65AE erratum 1638571 [13] f80d2e80d fix(cpus): add missing add_erratum_entry [14] 8f9b4f2f9 fix(cpus): workaround for Cortex-A76 erratum 1165347 [15] 24056d15a fix(cpus): workaround for Cortex-A76 erratum 1207823 [16] 0a6f09f42 fix(cpus): update revisions for Cortex-A76 erratum 1946160 [17] 89a7ef458 fix(cpus): reorder docs for Cortex-A76 erratum 1165522 [18] a811bf47d fix(cpus): correct comments for Cortex-A720 erratum 3711910 [19] 59f718e59 refactor(cpus): make errata reporting more generic [20] 8dde508cc perf(cpus): reduce the footprint of errata reporting [21] d61856ce5 fix(cpus): enable Neoverse-V2 external LLC support [22] 7cc23b58b feat(locks): add non-blocking spinlock_try() API [23] f6b942b2c fix(locks): mark spin_trylock as a public function [24] [1] https://review.trustedfirmware.org/q/I5e7589afbeb69ebb79c01bec80e29f572aff3… [2] https://review.trustedfirmware.org/q/I522dedfffd3108f7a94df1ce2cabd742ce682… [3] https://review.trustedfirmware.org/q/Idba607340d944a6387759c856e8eacc967e0e… [4] https://review.trustedfirmware.org/q/Ic276befafc1ca0b456826532437ca453eb771… [5] https://review.trustedfirmware.org/q/I585a7ea516515fe16a3eca907695728068cef… [6] https://review.trustedfirmware.org/q/I4c1ac2be3620566813c90f5815ffcc7205bb5… [7] https://review.trustedfirmware.org/q/I366c2683cca22403d33f0761487e1ffa62e96… [8] https://review.trustedfirmware.org/q/I7ec215a9dd168eb045366b589a02b54148f58… [9] https://review.trustedfirmware.org/q/Ic52ad93474c5f81e01eb4839ece726c84c334… [10] https://review.trustedfirmware.org/q/I506007ec8702b183e377be50eede72d6803b3… [11] https://review.trustedfirmware.org/q/I6207c49486e4020f34c862ad40ec3137bd368… [12] https://review.trustedfirmware.org/q/If7ea433e4614f92333e788e3f6b366db22c92… [13] https://review.trustedfirmware.org/q/I861230de94a105fd52f9c8ef7e7551a2633c0… [14] https://review.trustedfirmware.org/q/I19a484c73ac31a90b3ff1b219f647c88a1c81… [15] https://review.trustedfirmware.org/q/If9817dc26d0df835d749f506de63a4f613735… [16] https://review.trustedfirmware.org/q/Ife06401f3946884872b733f98c08e61f586d8… [17] https://review.trustedfirmware.org/q/I532ce10c3037dd77e31d7df849beb578f8b5e… [18] https://review.trustedfirmware.org/q/I2e7c05d6355dfbaa69170fc098adc1f12edc6… [19] https://review.trustedfirmware.org/q/I8b070927c19c5982b2ded815e7673e0c4ff11… [20] https://review.trustedfirmware.org/q/I83710d8475a4a55046cf2eb6d16cd27b8ef0f… [21] https://review.trustedfirmware.org/q/I215a84bd2c91e33703349c41fc59f654f7764… [22] https://review.trustedfirmware.org/q/I9582c7405db6862e77db240822e241d408296… [23] https://review.trustedfirmware.org/q/I9483206952d1a34dc245ebf69e80c3645b658… [24] https://review.trustedfirmware.org/q/Id264a36490707a9377a221ed2b5bd27ca90bf… Alternatively, Change Log is available in the documentation section: https://trustedfirmware-a.readthedocs.io/en/lts-v2.12.11/change-log.html Thanks, TF-A LTS team

3 months

1
0
0 0

SCMI clock v3.0: Unannounced breaking change in v2.14

by Ahmad Fatoum

Hi, Commit 684952d17275 ("feat(scmi): add support for discovering and changing parent clocks") first introduced with TF-A v2.14 breaks the barebox bootloader on a STM32MP157-based MC-1 with SCMI clocks over SMC. The breakage for SCMI consumers is acknowledged in the Gerrit discussion[1], but unfortunately the resolution was limited to patching U-Boot[2]. I find this approach problematic, because it introduces a compatibility break for the whole SCMI ecosystem, e.g. following software is made incompatible with the newest TF-A this way: - Linux v6.6 and earlier (that's four official LTS releases) - U-Boot v2025.10 and earlier (only one newer release compatible) - barebox v2026.03.1 and earlier (no compatible releases yet) Firmware and kernel, and to a lesser degree firmware and bootloaders, are not always updated or rolled back in lockstep. A very normal scenario: - System with Linux v6.6 updates to newer LTS, e.g. v6.12 or v6.18 - In the same update, TF-A v2.14 is installed - New system fails to function for whatever reason - Kernel update is rolled back, but bootloader/firmware stays the same - Kernel v6.6 fails to boot with TF-A v2.14 - Technician moves out to unbrick device in the field At the very least, marking this feature a breaking change would have been appropriate. Preferably, TF-A would handle existing consumers using SCMI clock v3.0. I haven't looked into the technical feasibility myself and I am unsure it this had been considered. I will submit patches for the barebox bootloader, but these only solve the problem for new systems or ones where everything can be flashed at once with no rollback. Systems out in the field are at risk of bricking if not resolved properly. [1]: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/34226 [2]: https://lore.kernel.org/u-boot/20251104-b4-scmi-v1-v4-0-51f101a6f8c3@ti.com/ Thanks, Ahmad -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |

3 months

1
0
0 0

BERT Record Erase Only After Kernel Consumes

by Jaiprakash Singh

Hi All, BERT (Boot Error Record Table) captures errors which occurred in previous boot. Below is the Flow with FFH (firmware first handling) 1. Kernel is running 2. Fatal error happens, which requires reboot 3. Firmware decides to reboot system, before that capture current snapshot and save it as bert record on non-volatile memory 4. System reboot 5. On next boot, firmware read bert record from non-volatile memory 6. Copy bert record to ghes dram buffer 7. Kernel boots 8. Kernel reads ghes dram buffer and prints bert record. Problem in this flow is "When firmware should erase or delete bert records from non-volatile memory"? Ideally, when Kernel has consumed Bert record after that only firmware should erase them from non-volatile memory. But there is no communication from Kernel to firmware that it has consume bert record and now it is safe to erase them. Is there already a solution for this problem available in Kernel or firmware? Can generic SMC call from Kernel to firmware be a solution? Any other suggestion? Thanks Regards, Jaiprakash

3 months, 1 week

4
7
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

TF-A