seL4/CHANGES

Revision history for seL4

For more information see the release notes at https://docs.sel4.systems/sel4_release/

This file should be word wrapped to 120 characters

The upcoming release notes should indicate whether it is a SOURCE COMPATIBLE, BINARY COMPATIBLE or BREAKING change. As
changes are added the compatibility information should be updated.

---
Upcoming release: BREAKING

## Changes

 * Add GrantReply access right for endpoint capabilities.
   - seL4_Call is permitted on endpoints with either the Grant or the GrantReply access rights.
   - Capabilities can only be transferred in a reply message if receiver's endpoint capability has the Grant right.
 * `seL4_CapRights_new` now takes 4 parameters
 * seL4_CapRightsBits added to libsel4. seL4_CapRightsBits is the number of bits
   to encode seL4_CapRights.
 * `seL4_UserTop` added
    - a new constant in libsel4 that contains the first virtual address unavailable to
      user level.
* Support added for Aarch64 hypervisor mode (EL2) for Nvidia TX1 and TX2. This is not verified.
* Support for generating ARM machine header files (memory regions and interrupts) based on a device tree.
* Support added for ARM kernel serial driver to be linked in at build time based on the device tree compatibility string.
* Support added for compiling verified configurations of the kernel with Clang 7.
* Support added for Hardkernel ODROID-C2.
* Added extended bootinfo header for device tree (SEL4_BOOTINFO_HEADER_FDT).
* Support added for passing a device tree from the bootloader to the root task on ARM.
* Add seL4_VSpaceBits, the size of the top level page table.
* The root cnode size is now a minimum of 4K.
* Fix seL4_MappingFailedLookupLevel() for EPTs on x86.
    - add SEL4_MAPING_LOOKUP_NO_[EPTPDPT, EPTPD, EPTPT] which now correspond to
      the value returned by seL4_MappingFailedLookupLevel on X86 EPT mapping calls.
* BeagleBone Black renamed from am335x to am335x-boneblack.
* Supported added for BeagleBone Blue (am335x-boneblue).
* Remove IPC Buffer register in user space on all platforms
* Add managed TLS register for all platforms
* Add configurable system call allowing userspace to set TLS register without capability on all platforms.
* Non-hyp support added for Arm GICv3 interrupt controller.
* Add initial i.MX8M Quad evk 64-bit Support. Currently only AArch64 EL1 non-secure is supported.
* Add FVP platform with fixed configuration. This currently assumes A57 configuration described in tools/dts/fvp.dts.
* Add new seL4_DebugSendIPI syscall to send arbitrary SGIs on ARM when SMP and DEBUG_BUILD are activated.
* Support for aarch64-hyp configurations with 40-bit physical addresses (PA) added.
    - The aarch64 api now refers to VSpaces rather than PageGlobalDirectories,
      as depending on the PA the top level translation structure can change.
    - all `seL4_ARM_PageGlobalDirectory` invocations are now `seL4_ARM_VSpace` invocations.
    - new constants 'seL4_ARM_VSpaceObject` and `seL4_VSpaceIndexBits`.
* Merged MCS kernel feature.
  - this is not verified and is under active verification.
  - The goals of the MCS kernel is to provide strong temporal isolation and a basis for reasoning about time.
* Moved aarch64 kernel window
    - aarch64 kernel window is now placed at 0, meaning the kernel can access memory
      below where the kernel image is mapped.
* aarch64: Moved TPIDRRO_EL0 (EL0 Read-Only Thread ID register) to TCB register context from VCPU registers. This means
  changes to this register from user level have to go via seL4_TCB_Write Registers instead of seL4_ARM_VCPU_WriteRegs.
* Merge ARCH_Page_Remap functionality into ARCH_Page_Map. Remap was used for updating the mapping attributes of a page
  without changing its virtual address. Now ARCH_Page_Map can be performed on an existing mapping to achieve the same
  result. The ARCH_Page_Remap invocation has been removed from all configurations.

## Upgrade Notes
---
10.1.1 2018-11-12: BINARY COMPATIBLE

## Changes
 * Remove theoretical uninitialised variable use in infer_cpu_gic_id for binary translation validation

## Upgrade Notes
 * 10.1.0 has a known broken test in the proofs.  10.1.1 fixes this test.

---
10.1.0 2018-11-07: SOURCE COMPATIBLE

## Changes

 * structures in the boot info are not declared 'packed'
    - these were previously packed (in the GCC attribute sense)
    - some field lengths are tweaked to avoid padding
    - this is a source-compatible change
 * ARM platforms can now set the trigger of an IRQ Handler capability
     - seL4_IRQControl_GetTrigger allows users to obtain an IRQ Handler capability
       and set the trigger (edge or level) in the interrupt controller.
 * Initial support for NVIDIA Jetson TX2 (ARMv8a, Cortex A57)
 * AARCH64 support added for raspberry pi 3 platform.
 * Code generation now use jinja2 instead of tempita.
 * AARCH32 HYP support added for running multiple ARM VMs
 * AARCH32 HYP VCPU registers updated.
 * A new invocation for setting TLSBase on all platforms.
     - seL4_TCB_SetTLSBase
 * Kbuild/Kconfig/Makefile build system removed.

---
10.0.0 2018-05-28: BREAKING

- Final version of the kernel  which supports integration with Kbuild based projects
- Future versions, including this one, provide a CMake based build system

For more information see https://docs.sel4.systems/Developing/Building.

## Changes

 * x86 IO ports now have an explicit IOPortControl capability to gate their creation. IOPort capabilities  may now only
   be created through the IOPortControl capability that is passed to the rootserver. Additionally IOPort capabilities
   may not be derived to have smaller ranges and the IOPortControl will not issue overlapping IOPorts
 * 32-bit support added for the initial prototype RISC-V architecture port

## Upgrade Notes

 * A rootserver must now create IOPort capabilities from the provided IOPortControl capability. As IOPorts can not
   have their ranges further restricted after creation it must create capabilities with the final desired granularity,
   remembering that since ranges cannot overlap you cannot issue a larger and smaller range that have any IO ports
   in common.

---
9.0.1 2018-04-18: BINARY COMPATIBLE

## Changes
 * On 64-bit architectures, the `label` field of `seL4_MessageInfo` is now 52 bits wide. User-level programs
   which use any of the following functions may break, if the program relies on these functions to mask the
   `label` field to the previous width of 20 bits.
     - `seL4_MessageInfo_new`
     - `seL4_MessageInfo_get_label`
     - `seL4_MessageInfo_set_label`
 * Initial prototype RISC-V architecture port. This port currently only supports running in 64-bit mode without FPU or
   or multicore support on the Spike simulation platform. There is *no verification* for this platform.

## Upgrade Notes
---
9.0.0 2018-04-11: BREAKING

= Changes =
 * Debugging option on x86 for syscall interface to read/write MSRs (this is an, equally dangerous, alternative to
   dangerous code injection)
 * Mitigation for Meltdown (https://meltdownattack.com) on x86-64 implemented. Mitigation is via a form of kernel
   page table isolation through the use of a Static Kernel Image with Microstate (SKIM) window that is used for
   trapping to and from the kernel address space. This can be enabled/disabled through the build configuration
   depending on whether you are running on vulnerable hardware or not.
 * Mitigation for Spectre (https://spectreattack.com) on x86 against the kernel implemented. Default is software
   mitigation and is the best performing so users need to do nothing. This does *not* prevent user processes from
   exploiting each other.
 * x86 configuration option for performing branch prediction barrier on context switch to prevent Spectre style
   attacks between user processes using the indirect branch predictor
 * x86 configuration option for flushing the RSB on context switch to prevent Spectre style attacks between user
   processes using the RSB
 * Define extended bootinfo header for the x86 TSC frequency
 * x86 TSC frequency exported in extended bootinfo header
 * `archInfo` is no longer a member of the bootinfo struct. Its only use was for TSC frequency on x86, which
   can now be retrieved through the extended bootinfo
 * Invocations to set thread priority and maximum control priority (MCP) have changed.
     - For both invocations, users must now provide a TCB capability `auth`
     - The requested MCP/priority is checked against the MCP of the `auth` capability.
     - Previous behavior checked against the invoked TCB, which could be subject to the confused deputy
       problem.
 * seL4_TCB_Configure no longer takes prio, mcp as an argument. Instead these fields must be set separately
   with seL4_TCB_SetPriority and seL4_TCB_SetMCPriority.
 * seL4_TCB_SetPriority and seL4_TCB_SetMCPriority now take seL4_Word instead of seL4_Uint8.
       - seL4_MaxPrio remains at 255.
 * seL4_TCB_SetSchedParams is a new method where MCP and priority can be set in the same sytsem call.
 * Size of the TCB object is increased for some build configurations

= Upgrade notes =
 * seL4_TCB_Configure calls that set priority should be changed to explicitly call seL4_TCB_SetSchedParams
   or SetPriority
 * seL4_TCB_Configure calls that set MCP should be changed to explicitly call seL4_TCB_SetSchedParams
   or seL4_TCB_SetMCPriority

---
8.0.0 2018-01-17

= Changes =
 * Support for additional zynq platform Zynq UltraScale+ MPSoC (Xilinx ZCU102, ARMv8a, Cortex A53)
 * Support for multiboot2 bootloaders on x86 (contributed change from Genode Labs)
 * Deprecate seL4_CapData_t type and functions related to it
 * A fastpath improvement means that when there are two runnable threads and the target thread is the highest priority
in the scheduler, the fastpath will be hit. Previously the fastpath would not be used on IPC from a high priority
thread to a low priority thread.
 * As a consequence of the above change, scheduling behaviour has changed in the case where a non-blocking IPC is sent
between two same priority threads: the sender will be scheduled, rather than the destination.
 * Benchmarking support for armv8/aarch64 is now available.
 * Additional x86 extra bootinfo type for retrieving frame buffer information from multiboot 2
 * Debugging option to export x86 Performance-Monitoring Counters to user level

= Upgrade notes =
 * seL4_CapData_t should be replaced with just seL4_Word. Construction of badges should just be `x` instead of
   `seL4_CapData_Badge_new(x)` and guards should be `seL4_CNode_CapData_new(x, y)` instead of
   `seL4_CapData_Guard_new(x, y)`
 * Code that relied on non-blocking IPC to switch between threads of the same priority may break.

---
7.0.0 2017-09-05

= Changes =
 * Support for building standalone ia32 kernel added
 * ia32: Set sensible defaults for FS and GS selectors
 * aarch64: Use tpidrro_el0 for IPC buffer instead of tpidr_el0
 * More seL4 manual documentation added for aarch64 object invocations
 * Default NUM_DOMAINS set to 16 for x86-64 standalone builds
 * libsel4: Return seL4_Error in invocation stubs in 8fb06eecff9 ''' This is a source code level breaking change '''
 * Add a CMake based build system
 * x86: Increase TCB size for debug builds
 * libsel4: x86: Remove nested struct declarations ''' This is a source code level breaking change '''
 * Bugfix: x86: Unmap pages when delete non final frame caps

= Upgrade notes =
 * This release is not source compatible with previous releases.
 * seL4 invocations that previously returned long now return seL4_Error which is an enum. Our libraries have already
   been updated to reflect this change, but in other places where seL4 invocations are used directly, the return types
   will need to be updated to reflect this change.
 * On x86 some structs in the Bootinfo have been rearranged. This only affects seL4_VBEModeInfoBlock_t which is used if
   VESA BIOS Extensions (VBE) information is being used.

= Known issues =
 * One of our tests is non-deterministicly becoming unresponsive on the SMP release build on the Sabre IMX.6 platform,
   which is a non verified configuration of the kernel.  We are working on fixing this problem, and will likely do a
   point release once it is fixed.

---
For previous releases see https://docs.sel4.systems/sel4_release/