9 files changed, 1181 insertions, 468 deletions

diff --git a/docs/process/code-review-guidelines.rst b/docs/process/code-review-guidelines.rst
new file mode 100644
index 000000000..67a211f75
--- /dev/null
+++ b/docs/process/code-review-guidelines.rst
@@ -0,0 +1,216 @@
+Code Review Guidelines
+======================
+
+This document provides TF-A specific details about the project's code review
+process. It should be read in conjunction with the `Project Maintenance
+Process`_, which it supplements.
+
+
+Why do we do code reviews?
+--------------------------
+
+The main goal of code reviews is to improve the code quality. By reviewing each
+other's code, we can help catch issues that were missed by the author
+before they are integrated in the source tree. Different people bring different
+perspectives, depending on their past work, experiences and their current use
+cases of TF-A in their products.
+
+Code reviews also play a key role in sharing knowledge within the
+community. People with more expertise in one area of the code base can
+help those that are less familiar with it.
+
+Code reviews are meant to benefit everyone through team work. It is not about
+unfairly criticizing or belittling the work of any contributor.
+
+
+Good practices
+--------------
+
+To ensure the code review gives the greatest possible benefit, participants in
+the project should:
+
+-  Be considerate of other people and their needs. Participants may be working
+   to different timescales, and have different priorities. Keep this in
+   mind - be gracious while waiting for action from others, and timely in your
+   actions when others are waiting for you.
+
+-  Review other people's patches where possible. The more active reviewers there
+   are, the more quickly new patches can be reviewed and merged. Contributing to
+   code review helps everyone in the long run, as it creates a culture of
+   participation which serves everyone's interests.
+
+
+Guidelines for patch contributors
+---------------------------------
+
+In addition to the rules outlined in the :ref:`Contributor's Guide`, as a patch
+contributor you are expected to:
+
+-  Answer all comments from people who took the time to review your
+   patches.
+
+-  Be patient and resilient. It is quite common for patches to go through
+   several rounds of reviews and rework before they get approved, especially
+   for larger features.
+
+   In the event that a code review takes longer than you would hope for, you
+   may try the following actions to speed it up:
+
+  -  Ping the reviewers on Gerrit or on the mailing list. If it is urgent,
+     explain why. Please remain courteous and do not abuse this.
+
+  -  If one code owner has become unresponsive, ask the other code owners for
+     help progressing the patch.
+
+  -  If there is only one code owner and they have become unresponsive, ask one
+     of the project maintainers for help.
+
+-  Do the right thing for the project, not the fastest thing to get code merged.
+
+   For example, if some existing piece of code - say a driver - does not quite
+   meet your exact needs, go the extra mile and extend the code with the missing
+   functionality you require - as opposed to copying the code into some other
+   directory to have the freedom to change it in any way. This way, your changes
+   benefit everyone and will be maintained over time.
+
+
+Guidelines for all reviewers
+----------------------------
+
+There are no good or bad review comments. If you have any doubt about a patch or
+need some clarifications, it's better to ask rather than letting a potential
+issue slip. Examples of review comments could be:
+
+- Questions ("Why do you need to do this?", "What if X happens?")
+- Bugs ("I think you need a logical \|\| rather than a bitwise \|.")
+- Design issues ("This won't scale well when we introduce feature X.")
+- Improvements ("Would it be better if we did Y instead?")
+
+
+Guidelines for code owners
+--------------------------
+
+Code owners are listed on the :ref:`Project Maintenance<code owners>` page,
+along with the module(s) they look after.
+
+When reviewing a patch, code owners are expected to check the following:
+
+-  The patch looks good from a technical point of view. For example:
+
+  -  The structure of the code is clear.
+
+  -  It complies with the relevant standards or technical documentation (where
+     applicable).
+
+  -  It leverages existing interfaces rather than introducing new ones
+     unnecessarily.
+
+  -  It fits well in the design of the module.
+
+  -  It adheres to the security model of the project. In particular, it does not
+     increase the attack surface (e.g. new SMCs) without justification.
+
+-  The patch adheres to the TF-A :ref:`Coding Style`. The CI system should help
+   catch coding style violations.
+
+-  (Only applicable to generic code) The code is MISRA-compliant (see
+   :ref:`misra-compliance`). The CI system should help catch violations.
+
+-  Documentation is provided/updated (where applicable).
+
+-  The patch has had an appropriate level of testing. Testing details are
+   expected to be provided by the patch author. If they are not, do not hesitate
+   to request this information.
+
+-  All CI automated tests pass.
+
+If a code owner is happy with a patch, they should give their approval
+through the ``Code-Owner-Review+1`` label in Gerrit. If instead, they have
+concerns, questions, or any other type of blocking comment, they should set
+``Code-Owner-Review-1``.
+
+Code owners are expected to behave professionally and responsibly. Here are some
+guidelines for them:
+
+-  Once you are engaged in a review, make sure you stay involved until the patch
+   is merged. Rejecting a patch and going away is not very helpful. You are
+   expected to monitor the patch author's answers to your review comments,
+   answer back if needed and review new revisions of their patch.
+
+-  Provide constructive feedback. Just saying, "This is wrong, you should do X
+   instead." is usually not very helpful. The patch author is unlikely to
+   understand why you are requesting this change and might feel personally
+   attacked.
+
+-  Be mindful when reviewing a patch. As a code owner, you are viewed as
+   the expert for the relevant module. By approving a patch, you are partially
+   responsible for its quality and the effects it has for all TF-A users. Make
+   sure you fully understand what the implications of a patch might be.
+
+
+Guidelines for maintainers
+--------------------------
+
+Maintainers are listed on the :ref:`Project Maintenance<maintainers>` page.
+
+When reviewing a patch, maintainers are expected to check the following:
+
+-  The general structure of the patch looks good. This covers things like:
+
+   -  Code organization.
+
+   -  Files and directories, names and locations.
+
+      For example, platform code should be added under the ``plat/`` directory.
+
+   -  Naming conventions.
+
+      For example, platform identifiers should be properly namespaced to avoid
+      name clashes with generic code.
+
+   -  API design.
+
+-  Interaction of the patch with other modules in the code base.
+
+-  The patch aims at complying with any standard or technical documentation
+   that applies.
+
+-  New files must have the correct license and copyright headers. See :ref:`this
+   paragraph<copyright-license-guidance>` for more information. The CI system
+   should help catch files with incorrect or no copyright/license headers.
+
+-  There is no third party code or binary blobs with potential IP concerns.
+   Maintainers should look for copyright or license notices in code, and use
+   their best judgement. If they are unsure about a patch, they should ask
+   other maintainers for help.
+
+-  Generally speaking, new driver code should be placed in the generic
+   layer. There are cases where a driver has to stay into the platform layer but
+   this should be the exception, rather than the rule.
+
+-  Existing common drivers (in particular for Arm IPs like the GIC driver) should
+   not be copied into the platform layer to cater for platform quirks. This
+   type of code duplication hurts the maintainability of the project. The
+   duplicate driver is less likely to benefit from bug fixes and future
+   enhancements. In most cases, it is possible to rework a generic driver to
+   make it more flexible and fit slightly different use cases. That way, these
+   enhancements benefit everyone.
+
+-  When a platform specific driver really is required, the burden lies with the
+   patch author to prove the need for it. A detailed justification should be
+   posted via the commit message or on the mailing list.
+
+-  Before merging a patch, verify that all review comments have been addressed.
+   If this is not the case, encourage the patch author and the relevant
+   reviewers to resolve these together.
+
+If a maintainer is happy with a patch, they should give their approval
+through the ``Maintainer-Review+1`` label in Gerrit. If instead, they have
+concerns, questions, or any other type of blocking comment, they should set
+``Maintainer-Review-1``.
+
+--------------
+
+*Copyright (c) 2020, Arm Limited. All rights reserved.*
+
+.. _Project Maintenance Process: https://developer.trustedfirmware.org/w/collaboration/project-maintenance-process/
diff --git a/docs/process/coding-guidelines.rst b/docs/process/coding-guidelines.rst
index cb8b89245..ef319e441 100644
--- a/docs/process/coding-guidelines.rst
+++ b/docs/process/coding-guidelines.rst
@@ -1,232 +1,130 @@
-Coding Style & Guidelines
-=========================
+Coding Guidelines
+=================
 
-The following sections contain TF coding guidelines. They are continually
-evolving and should not be considered "set in stone". Feel free to question them
-and provide feedback.
+This document provides some additional guidelines to consider when writing
+|TF-A| code. These are not intended to be strictly-enforced rules like the
+contents of the :ref:`Coding Style`.
 
-Some of the guidelines may also apply to other codebases.
+Automatic Editor Configuration
+------------------------------
 
-.. note::
-   The existing TF codebase does not necessarily comply with all the
-   below guidelines but the intent is for it to do so eventually.
-
-Checkpatch overrides
---------------------
-
-Some checkpatch warnings in the TF codebase are deliberately ignored. These
-include:
-
-- ``**WARNING: line over 80 characters**``: Although the codebase should
-  generally conform to the 80 character limit this is overly restrictive in some
-  cases.
-
-- ``**WARNING: Use of volatile is usually wrong``: see
-  `Why the “volatile” type class should not be used`_ . Although this document
-  contains some very useful information, there are several legitimate uses of
-  the volatile keyword within the TF codebase.
-
-Headers and inclusion
----------------------
-
-Header guards
-^^^^^^^^^^^^^
-
-For a header file called "some_driver.h" the style used by the Trusted Firmware
-is:
-
-.. code:: c
-
-  #ifndef SOME_DRIVER_H
-  #define SOME_DRIVER_H
-
-  <header content>
+Many of the rules given below (such as indentation size, use of tabs, and
+newlines) can be set automatically using the `EditorConfig`_ configuration file
+in the root of the repository: ``.editorconfig``. With a supported editor, the
+rules set out in this file can be automatically applied when you are editing
+files in the |TF-A| repository.
 
-  #endif /* SOME_DRIVER_H */
+Several editors include built-in support for EditorConfig files, and many others
+support its functionality through plugins.
 
-Include statement ordering
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+Use of the EditorConfig file is suggested but is not required.
 
-All header files that are included by a source file must use the following,
-grouped ordering. This is to improve readability (by making it easier to quickly
-read through the list of headers) and maintainability.
+.. _automatic-compliance-checking:
 
-#. *System* includes: Header files from the standard *C* library, such as
-   ``stddef.h`` and ``string.h``.
-
-#. *Project* includes: Header files under the ``include/`` directory within TF
-   are *project* includes.
-
-#. *Platform* includes: Header files relating to a single, specific platform,
-   and which are located under the ``plat/<platform_name>`` directory within TF,
-   are *platform* includes.
+Automatic Compliance Checking
+-----------------------------
 
-Within each group, ``#include`` statements must be in alphabetical order,
-taking both the file and directory names into account.
+To assist with coding style compliance, the project Makefile contains two
+targets which both utilise the `checkpatch.pl` script that ships with the Linux
+source tree. The project also defines certain *checkpatch* options in the
+``.checkpatch.conf`` file in the top-level directory.
 
-Groups must be separated by a single blank line for clarity.
+.. note::
+   Checkpatch errors will gate upstream merging of pull requests.
+   Checkpatch warnings will not gate merging but should be reviewed and fixed if
+   possible.
 
-The example below illustrates the ordering rules using some contrived header
-file names; this type of name reuse should be otherwise avoided.
+To check the entire source tree, you must first download copies of
+``checkpatch.pl``, ``spelling.txt`` and ``const_structs.checkpatch`` available
+in the `Linux master tree`_ *scripts* directory, then set the ``CHECKPATCH``
+environment variable to point to ``checkpatch.pl`` (with the other 2 files in
+the same directory) and build the `checkcodebase` target:
 
-.. code:: c
+.. code:: shell
 
-  #include <string.h>
+    make CHECKPATCH=<path-to-linux>/linux/scripts/checkpatch.pl checkcodebase
 
-  #include <a_dir/example/a_header.h>
-  #include <a_dir/example/b_header.h>
-  #include <a_dir/test/a_header.h>
-  #include <b_dir/example/a_header.h>
+To just check the style on the files that differ between your local branch and
+the remote master, use:
 
-  #include "./a_header.h"
+.. code:: shell
 
-Include statement variants
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+    make CHECKPATCH=<path-to-linux>/linux/scripts/checkpatch.pl checkpatch
 
-Two variants of the ``#include`` directive are acceptable in the TF codebase.
-Correct use of the two styles improves readability by suggesting the location
-of the included header and reducing ambiguity in cases where generic and
-platform-specific headers share a name.
+If you wish to check your patch against something other than the remote master,
+set the ``BASE_COMMIT`` variable to your desired branch. By default,
+``BASE_COMMIT`` is set to ``origin/master``.
 
-For header files that are in the same directory as the source file that is
-including them, use the ``"..."`` variant.
-
-For header files that are **not** in the same directory as the source file that
-is including them, use the ``<...>`` variant.
+Ignored Checkpatch Warnings
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Example (bl1_fwu.c):
+Some checkpatch warnings in the TF codebase are deliberately ignored. These
+include:
 
-.. code:: c
+- ``**WARNING: line over 80 characters**``: Although the codebase should
+  generally conform to the 80 character limit this is overly restrictive in some
+  cases.
 
-  #include <assert.h>
-  #include <errno.h>
-  #include <string.h>
+- ``**WARNING: Use of volatile is usually wrong``: see
+  `Why the “volatile” type class should not be used`_ . Although this document
+  contains some very useful information, there are several legimate uses of the
+  volatile keyword within the TF codebase.
 
-  #include "bl1_private.h"
+Performance considerations
+--------------------------
 
-Platform include paths
-^^^^^^^^^^^^^^^^^^^^^^
+Avoid printf and use logging macros
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Platforms are allowed to add more include paths to be passed to the compiler.
-The ``PLAT_INCLUDES`` variable is used for this purpose. This is needed in
-particular for the file ``platform_def.h``.
+``debug.h`` provides logging macros (for example, ``WARN`` and ``ERROR``)
+which wrap ``tf_log`` and which allow the logging call to be compiled-out
+depending on the ``make`` command. Use these macros to avoid print statements
+being compiled unconditionally into the binary.
 
-Example:
+Each logging macro has a numerical log level:
 
 .. code:: c
 
-  PLAT_INCLUDES  += -Iinclude/plat/myplat/include
-
-Types and typedefs
-------------------
-
-Use of built-in *C* and *libc* data types
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The TF codebase should be kept as portable as possible, especially since both
-64-bit and 32-bit platforms are supported. To help with this, the following data
-type usage guidelines should be followed:
-
-- Where possible, use the built-in *C* data types for variable storage (for
-  example, ``char``, ``int``, ``long long``, etc) instead of the standard *C99*
-  types. Most code is typically only concerned with the minimum size of the
-  data stored, which the built-in *C* types guarantee.
-
-- Avoid using the exact-size standard *C99* types in general (for example,
-  ``uint16_t``, ``uint32_t``, ``uint64_t``, etc) since they can prevent the
-  compiler from making optimizations. There are legitimate uses for them,
-  for example to represent data of a known structure. When using them in struct
-  definitions, consider how padding in the struct will work across architectures.
-  For example, extra padding may be introduced in AArch32 systems if a struct
-  member crosses a 32-bit boundary.
-
-- Use ``int`` as the default integer type - it's likely to be the fastest on all
-  systems. Also this can be assumed to be 32-bit as a consequence of the
-  `Procedure Call Standard for the Arm Architecture`_ and the `Procedure Call
-  Standard for the Arm 64-bit Architecture`_ .
-
-- Avoid use of ``short`` as this may end up being slower than ``int`` in some
-  systems. If a variable must be exactly 16-bit, use ``int16_t`` or
-  ``uint16_t``.
-
-- Avoid use of ``long``. This is guaranteed to be at least 32-bit but, given
-  that `int` is 32-bit on Arm platforms, there is no use for it. For integers of
-  at least 64-bit, use ``long long``.
-
-- Use ``char`` for storing text. Use ``uint8_t`` for storing other 8-bit data.
-
-- Use ``unsigned`` for integers that can never be negative (counts,
-  indices, sizes, etc). TF intends to comply with MISRA "essential type" coding
-  rules (10.X), where signed and unsigned types are considered different
-  essential types. Choosing the correct type will aid this. MISRA static
-  analysers will pick up any implicit signed/unsigned conversions that may lead
-  to unexpected behaviour.
-
-- For pointer types:
-
-  - If an argument in a function declaration is pointing to a known type then
-    simply use a pointer to that type (for example: ``struct my_struct *``).
-
-  - If a variable (including an argument in a function declaration) is pointing
-    to a general, memory-mapped address, an array of pointers or another
-    structure that is likely to require pointer arithmetic then use
-    ``uintptr_t``. This will reduce the amount of casting required in the code.
-    Avoid using ``unsigned long`` or ``unsigned long long`` for this purpose; it
-    may work but is less portable.
-
-  - For other pointer arguments in a function declaration, use ``void *``. This
-    includes pointers to types that are abstracted away from the known API and
-    pointers to arbitrary data. This allows the calling function to pass a
-    pointer argument to the function without any explicit casting (the cast to
-    ``void *`` is implicit). The function implementation can then do the
-    appropriate casting to a specific type.
-
-  - Use ``ptrdiff_t`` to compare the difference between 2 pointers.
-
-- Use ``size_t`` when storing the ``sizeof()`` something.
-
-- Use ``ssize_t`` when returning the ``sizeof()`` something from a function that
-  can also return an error code; the signed type allows for a negative return
-  code in case of error. This practice should be used sparingly.
-
-- Use ``u_register_t`` when it's important to store the contents of a register
-  in its native size (32-bit in AArch32 and 64-bit in AArch64). This is not a
-  standard *C99* type but is widely available in libc implementations,
-  including the FreeBSD version included with the TF codebase. Where possible,
-  cast the variable to a more appropriate type before interpreting the data. For
-  example, the following struct in ``ep_info.h`` could use this type to minimize
-  the storage required for the set of registers:
+  #define LOG_LEVEL_NONE    0
+  #define LOG_LEVEL_ERROR   10
+  #define LOG_LEVEL_NOTICE  20
+  #define LOG_LEVEL_WARNING 30
+  #define LOG_LEVEL_INFO    40
+  #define LOG_LEVEL_VERBOSE 50
 
-.. code:: c
+By default, all logging statements with a log level ``<= LOG_LEVEL_INFO`` will
+be compiled into debug builds and all statements with a log level
+``<= LOG_LEVEL_NOTICE`` will be compiled into release builds. This can be
+overridden from the command line or by the platform makefile (although it may be
+necessary to clean the build directory first).
 
-    typedef struct aapcs64_params {
-            u_register_t arg0;
-            u_register_t arg1;
-            u_register_t arg2;
-            u_register_t arg3;
-            u_register_t arg4;
-            u_register_t arg5;
-            u_register_t arg6;
-            u_register_t arg7;
-    } aapcs64_params_t;
+For example, to enable ``VERBOSE`` logging on FVP:
 
-If some code wants to operate on ``arg0`` and knows that it represents a 32-bit
-unsigned integer on all systems, cast it to ``unsigned int``.
+.. code:: shell
 
-These guidelines should be updated if additional types are needed.
+  make PLAT=fvp LOG_LEVEL=50 all
 
-Avoid anonymous typedefs of structs/enums in headers
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Use const data where possible
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-For example, the following definition:
+For example, the following code:
 
 .. code:: c
 
-  typedef struct {
+  struct my_struct {
           int arg1;
           int arg2;
-  } my_struct_t;
+  };
 
+  void init(struct my_struct *ptr);
+
+  void main(void)
+  {
+          struct my_struct x;
+          x.arg1 = 1;
+          x.arg2 = 2;
+          init(&x);
+  }
 
 is better written as:
 
@@ -237,31 +135,18 @@ is better written as:
           int arg2;
   };
 
-This allows function declarations in other header files that depend on the
-struct/enum to forward declare the struct/enum instead of including the
-entire header:
-
-.. code:: c
-
-  #include <my_struct.h>
-  void my_func(my_struct_t *arg);
-
-instead of:
-
-.. code:: c
-
-  struct my_struct;
-  void my_func(struct my_struct *arg);
-
-Some TF definitions use both a struct/enum name **and** a typedef name. This
-is discouraged for new definitions as it makes it difficult for TF to comply
-with MISRA rule 8.3, which states that "All declarations of an object or
-function shall use the same names and type qualifiers".
+  void init(const struct my_struct *ptr);
 
-The Linux coding standards also discourage new typedefs and checkpatch emits
-a warning for this.
+  void main(void)
+  {
+          const struct my_struct x = { 1, 2 };
+          init(&x);
+  }
 
-Existing typedefs will be retained for compatibility.
+This allows the linker to put the data in a read-only data section instead of a
+writeable data section, which may result in a smaller and faster binary. Note
+that this may require dependent functions (``init()`` in the above example) to
+have ``const`` arguments, assuming they don't need to modify the data.
 
 Libc functions that are banned or to be used with caution
 ---------------------------------------------------------
@@ -410,14 +295,14 @@ error. This situation should be handled in one of the following ways:
    then emit an ``ERROR`` message and call the platform-specific function
    ``plat_error_handler()``.
 
-Cases 1 and 2 are subtly different. A platform may implement ``plat_panic_handler``
-and ``plat_error_handler`` in the same way (for example, by waiting for a secure
-watchdog to time-out or by invoking an interface on the platform's power
-controller to reset the platform). However, ``plat_error_handler`` may take
-additional action for some errors (for example, it may set a flag so the
-platform resets into a different mode). Also, ``plat_panic_handler()`` may
-implement additional debug functionality (for example, invoking a hardware
-breakpoint).
+Cases 1 and 2 are subtly different. A platform may implement
+``plat_panic_handler`` and ``plat_error_handler`` in the same way (for example,
+by waiting for a secure watchdog to time-out or by invoking an interface on the
+platform's power controller to reset the platform). However,
+``plat_error_handler`` may take additional action for some errors (for example,
+it may set a flag so the platform resets into a different mode). Also,
+``plat_panic_handler()`` may implement additional debug functionality (for
+example, invoking a hardware breakpoint).
 
 Examples of unexpected unrecoverable errors:
 
@@ -456,131 +341,134 @@ Examples:
 - Secure world is waiting for a hardware response that is critical for continued
   operation.
 
-Security considerations
------------------------
-
-Part of the security of a platform is handling errors correctly, as described in
-the previous section. There are several other security considerations covered in
-this section.
-
-Do not leak secrets to the normal world
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The secure world **must not** leak secrets to the normal world, for example in
-response to an SMC.
-
-Handling Denial of Service attacks
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Use of built-in *C* and *libc* data types
+-----------------------------------------
 
-The secure world **should never** crash or become unusable due to receiving too
-many normal world requests (a *Denial of Service* or *DoS* attack). It should
-have a mechanism for throttling or ignoring normal world requests.
+The |TF-A| codebase should be kept as portable as possible, especially since
+both 64-bit and 32-bit platforms are supported. To help with this, the following
+data type usage guidelines should be followed:
 
-Performance considerations
---------------------------
+- Where possible, use the built-in *C* data types for variable storage (for
+  example, ``char``, ``int``, ``long long``, etc) instead of the standard *C99*
+  types. Most code is typically only concerned with the minimum size of the
+  data stored, which the built-in *C* types guarantee.
 
-Avoid printf and use logging macros
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+- Avoid using the exact-size standard *C99* types in general (for example,
+  ``uint16_t``, ``uint32_t``, ``uint64_t``, etc) since they can prevent the
+  compiler from making optimizations. There are legitimate uses for them,
+  for example to represent data of a known structure. When using them in struct
+  definitions, consider how padding in the struct will work across architectures.
+  For example, extra padding may be introduced in |AArch32| systems if a struct
+  member crosses a 32-bit boundary.
 
-``debug.h`` provides logging macros (for example, ``WARN`` and ``ERROR``)
-which wrap ``tf_log`` and which allow the logging call to be compiled-out
-depending on the ``make`` command. Use these macros to avoid print statements
-being compiled unconditionally into the binary.
+- Use ``int`` as the default integer type - it's likely to be the fastest on all
+  systems. Also this can be assumed to be 32-bit as a consequence of the
+  `Procedure Call Standard for the Arm Architecture`_ and the `Procedure Call
+  Standard for the Arm 64-bit Architecture`_ .
 
-Each logging macro has a numerical log level:
+- Avoid use of ``short`` as this may end up being slower than ``int`` in some
+  systems. If a variable must be exactly 16-bit, use ``int16_t`` or
+  ``uint16_t``.
 
-.. code:: c
+- Avoid use of ``long``. This is guaranteed to be at least 32-bit but, given
+  that `int` is 32-bit on Arm platforms, there is no use for it. For integers of
+  at least 64-bit, use ``long long``.
 
-  #define LOG_LEVEL_NONE    0
-  #define LOG_LEVEL_ERROR   10
-  #define LOG_LEVEL_NOTICE  20
-  #define LOG_LEVEL_WARNING 30
-  #define LOG_LEVEL_INFO    40
-  #define LOG_LEVEL_VERBOSE 50
+- Use ``char`` for storing text. Use ``uint8_t`` for storing other 8-bit data.
 
+- Use ``unsigned`` for integers that can never be negative (counts,
+  indices, sizes, etc). TF intends to comply with MISRA "essential type" coding
+  rules (10.X), where signed and unsigned types are considered different
+  essential types. Choosing the correct type will aid this. MISRA static
+  analysers will pick up any implicit signed/unsigned conversions that may lead
+  to unexpected behaviour.
 
-By default, all logging statements with a log level ``<= LOG_LEVEL_INFO`` will
-be compiled into debug builds and all statements with a log level
-``<= LOG_LEVEL_NOTICE`` will be compiled into release builds. This can be
-overridden from the command line or by the platform makefile (although it may be
-necessary to clean the build directory first). For example, to enable
-``VERBOSE`` logging on FVP:
+- For pointer types:
 
-``make PLAT=fvp LOG_LEVEL=50 all``
+  - If an argument in a function declaration is pointing to a known type then
+    simply use a pointer to that type (for example: ``struct my_struct *``).
 
-Use const data where possible
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+  - If a variable (including an argument in a function declaration) is pointing
+    to a general, memory-mapped address, an array of pointers or another
+    structure that is likely to require pointer arithmetic then use
+    ``uintptr_t``. This will reduce the amount of casting required in the code.
+    Avoid using ``unsigned long`` or ``unsigned long long`` for this purpose; it
+    may work but is less portable.
 
-For example, the following code:
+  - For other pointer arguments in a function declaration, use ``void *``. This
+    includes pointers to types that are abstracted away from the known API and
+    pointers to arbitrary data. This allows the calling function to pass a
+    pointer argument to the function without any explicit casting (the cast to
+    ``void *`` is implicit). The function implementation can then do the
+    appropriate casting to a specific type.
 
-.. code:: c
+  - Avoid pointer arithmetic generally (as this violates MISRA C 2012 rule
+    18.4) and especially on void pointers (as this is only supported via
+    language extensions and is considered non-standard). In TF-A, setting the
+    ``W`` build flag to ``W=3`` enables the *-Wpointer-arith* compiler flag and
+    this will emit warnings where pointer arithmetic is used.
 
-  struct my_struct {
-          int arg1;
-          int arg2;
-  };
+  - Use ``ptrdiff_t`` to compare the difference between 2 pointers.
 
-  void init(struct my_struct *ptr);
+- Use ``size_t`` when storing the ``sizeof()`` something.
 
-  void main(void)
-  {
-          struct my_struct x;
-          x.arg1 = 1;
-          x.arg2 = 2;
-          init(&x);
-  }
+- Use ``ssize_t`` when returning the ``sizeof()`` something from a function that
+  can also return an error code; the signed type allows for a negative return
+  code in case of error. This practice should be used sparingly.
 
-is better written as:
+- Use ``u_register_t`` when it's important to store the contents of a register
+  in its native size (32-bit in |AArch32| and 64-bit in |AArch64|). This is not a
+  standard *C99* type but is widely available in libc implementations,
+  including the FreeBSD version included with the TF codebase. Where possible,
+  cast the variable to a more appropriate type before interpreting the data. For
+  example, the following struct in ``ep_info.h`` could use this type to minimize
+  the storage required for the set of registers:
 
 .. code:: c
 
-  struct my_struct {
-          int arg1;
-          int arg2;
-  };
+    typedef struct aapcs64_params {
+            u_register_t arg0;
+            u_register_t arg1;
+            u_register_t arg2;
+            u_register_t arg3;
+            u_register_t arg4;
+            u_register_t arg5;
+            u_register_t arg6;
+            u_register_t arg7;
+    } aapcs64_params_t;
 
-  void init(const struct my_struct *ptr);
+If some code wants to operate on ``arg0`` and knows that it represents a 32-bit
+unsigned integer on all systems, cast it to ``unsigned int``.
 
-  void main(void)
-  {
-          const struct my_struct x = { 1, 2 };
-          init(&x);
-  }
+These guidelines should be updated if additional types are needed.
 
-This allows the linker to put the data in a read-only data section instead of a
-writeable data section, which may result in a smaller and faster binary. Note
-that this may require dependent functions (``init()`` in the above example) to
-have ``const`` arguments, assuming they don't need to modify the data.
+Favor C language over assembly language
+---------------------------------------
+
+Generally, prefer code written in C over assembly. Assembly code is less
+portable, harder to understand, maintain and audit security wise. Also, static
+analysis tools generally don't analyze assembly code.
 
-Library and driver code
------------------------
+There are, however, legitimate uses of assembly language. These include:
 
-TF library code (under ``lib/`` and ``include/lib``) is any code that provides a
-reusable interface to other code, potentially even to code outside of TF.
+  - Early boot code executed before the C runtime environment is setup.
 
-In some systems drivers must conform to a specific driver framework to provide
-services to the rest of the system. TF has no driver framework and the
-distinction between a driver and library is somewhat subjective.
+  - Exception handling code.
 
-A driver (under ``drivers/`` and ``include/drivers/``) is defined as code that
-interfaces with hardware via a memory mapped interface.
+  - Low-level code where the exact sequence of instructions executed on the CPU
+    matters, such as CPU reset sequences.
 
-Some drivers (for example, the Arm CCI driver in ``include/drivers/arm/cci.h``)
-provide a general purpose API to that specific hardware. Other drivers (for
-example, the Arm PL011 console driver in ``drivers/arm/pl011/pl011_console.S``)
-provide a specific hardware implementation of a more abstract library API. In
-the latter case there may potentially be multiple drivers for the same hardware
-device.
+  - Low-level code where specific system-level instructions must be used, such
+    as cache maintenance operations.
 
-Neither libraries nor drivers should depend on platform-specific code. If they
-require platform-specific data (for example, a base address) to operate then
-they should provide an initialization function that takes the platform-specific
-data as arguments.
+--------------
 
-TF common code (under ``common/`` and ``include/common/``) is code that is re-used
-by other generic (non-platform-specific) TF code. It is effectively internal
-library code.
+*Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.*
 
+.. _`Linux master tree`: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/
+.. _`Procedure Call Standard for the Arm Architecture`: https://developer.arm.com/docs/ihi0042/latest/
+.. _`Procedure Call Standard for the Arm 64-bit Architecture`: https://developer.arm.com/docs/ihi0055/latest/
+.. _`EditorConfig`: http://editorconfig.org/
 .. _`Why the “volatile” type class should not be used`: https://www.kernel.org/doc/html/latest/process/volatile-considered-harmful.html
-.. _`Procedure Call Standard for the Arm Architecture`: http://infocenter.arm.com/help/topic/com.arm.doc.ihi0042f/IHI0042F_aapcs.pdf
-.. _`Procedure Call Standard for the Arm 64-bit Architecture`: http://infocenter.arm.com/help/topic/com.arm.doc.ihi0055b/IHI0055B_aapcs64.pdf
+.. _`MISRA C:2012 Guidelines`: https://www.misra.org.uk/Activities/MISRAC/tabid/160/Default.aspx
+.. _`a spreadsheet`: https://developer.trustedfirmware.org/file/download/lamajxif3w7c4mpjeoo5/PHID-FILE-fp7c7acszn6vliqomyhn/MISRA-and-TF-Analysis-v1.3.ods
diff --git a/docs/process/coding-style.rst b/docs/process/coding-style.rst
new file mode 100644
index 000000000..be13b14fa
--- /dev/null
+++ b/docs/process/coding-style.rst
@@ -0,0 +1,470 @@
+Coding Style
+============
+
+The following sections outline the |TF-A| coding style for *C* code. The style
+is based on the `Linux kernel coding style`_, with a few modifications.
+
+The style should not be considered *set in stone*. Feel free to provide feedback
+and suggestions.
+
+.. note::
+   You will almost certainly find code in the |TF-A| repository that does not
+   follow the style. The intent is for all code to do so eventually.
+
+File Encoding
+-------------
+
+The source code must use the **UTF-8** character encoding. Comments and
+documentation may use non-ASCII characters when required (e.g. Greek letters
+used for units) but code itself is still limited to ASCII characters.
+
+Newlines must be in **Unix** style, which means that only the Line Feed (``LF``)
+character is used to break a line and reset to the first column.
+
+Language
+--------
+
+The primary language for comments and naming must be International English. In
+cases where there is a conflict between the American English and British English
+spellings of a word, the American English spelling is used.
+
+Exceptions are made when referring directly to something that does not use
+international style, such as the name of a company. In these cases the existing
+name should be used as-is.
+
+C Language Standard
+-------------------
+
+The C language mode used for TF-A is *GNU99*. This is the "GNU dialect of ISO
+C99", which implies the *ISO C99* standard with GNU extensions.
+
+Both GCC and Clang compiler toolchains have support for *GNU99* mode, though
+Clang does lack support for a small number of GNU extensions. These
+missing extensions are rarely used, however, and should not pose a problem.
+
+.. _misra-compliance:
+
+MISRA Compliance
+----------------
+
+TF-A attempts to comply with the `MISRA C:2012 Guidelines`_. Coverity
+Static Analysis is used to regularly generate a report of current MISRA defects
+and to prevent the addition of new ones.
+
+It is not possible for the project to follow all MISRA guidelines. We maintain
+`a spreadsheet`_ that lists all rules and directives and whether we aim to
+comply with them or not. A rationale is given for each deviation.
+
+.. note::
+   Enforcing a rule does not mean that the codebase is free of defects
+   of that rule, only that they would ideally be removed.
+
+.. note::
+   Third-party libraries are not considered in our MISRA analysis and we do not
+   intend to modify them to make them MISRA compliant.
+
+Indentation
+-----------
+
+Use **tabs** for indentation. The use of spaces for indentation is forbidden
+except in the case where a term is being indented to a boundary that cannot be
+achieved using tabs alone.
+
+Tab spacing should be set to **8 characters**.
+
+Trailing whitespace is not allowed and must be trimmed.
+
+Spacing
+-------
+
+Single spacing should be used around most operators, including:
+
+- Arithmetic operators (``+``, ``-``, ``/``, ``*``)
+- Assignment operators (``=``, ``+=``, etc)
+- Boolean operators (``&&``, ``||``)
+- Comparison operators (``<``, ``>``, ``==``, etc)
+
+A space should also be used to separate parentheses and braces when they are not
+already separated by a newline, such as for the ``if`` statement in the
+following example:
+
+.. code:: c
+
+  int function_foo(bool bar)
+  {
+      if (bar) {
+          function_baz();
+      }
+  }
+
+Note that there is no space between the name of a function and the following
+parentheses.
+
+Control statements (``if``, ``for``, ``switch``, ``while``, etc) must be
+separated from the following open parenthesis by a single space. The previous
+example illustrates this for an ``if`` statement.
+
+Line Length
+-----------
+
+Line length *should* be at most **80 characters**. This limit does not include
+non-printing characters such as the line feed.
+
+This rule is a *should*, not a must, and it is acceptable to exceed the limit
+**slightly** where the readability of the code would otherwise be significantly
+reduced. Use your judgement in these cases.
+
+Blank Lines
+-----------
+
+Functions are usually separated by a single blank line. In certain cases it is
+acceptable to use additional blank lines for clarity, if required.
+
+The file must end with a single newline character. Many editors have the option
+to insert this automatically and to trim multiple blank lines at the end of the
+file.
+
+Braces
+------
+
+Opening Brace Placement
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Braces follow the **Kernighan and Ritchie (K&R)** style, where the opening brace
+is **not** placed on a new line.
+
+Example for a ``while`` loop:
+
+.. code:: c
+
+  while (condition) {
+      foo();
+      bar();
+  }
+
+This style applies to all blocks except for functions which, following the Linux
+style, **do** place the opening brace on a new line.
+
+Example for a function:
+
+.. code:: c
+
+  int my_function(void)
+  {
+      int a;
+
+      a = 1;
+      return a;
+  }
+
+Conditional Statement Bodies
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Where conditional statements (such as ``if``, ``for``, ``while`` and ``do``) are
+used, braces must be placed around the statements that form the body of the
+conditional. This is the case regardless of the number of statements in the
+body.
+
+.. note::
+  This is a notable departure from the Linux coding style that has been
+  adopted to follow MISRA guidelines more closely and to help prevent errors.
+
+For example, use the following style:
+
+.. code:: c
+
+  if (condition) {
+      foo++;
+  }
+
+instead of omitting the optional braces around a single statement:
+
+.. code:: c
+
+  /* This is violating MISRA C 2012: Rule 15.6 */
+  if (condition)
+      foo++;
+
+The reason for this is to prevent accidental changes to control flow when
+modifying the body of the conditional. For example, at a quick glance it is easy
+to think that the value of ``bar`` is only incremented if ``condition``
+evaluates to ``true`` but this is not the case - ``bar`` will always be
+incremented regardless of the condition evaluation. If the developer forgets to
+add braces around the conditional body when adding the ``bar++;`` statement then
+the program execution will not proceed as intended.
+
+.. code:: c
+
+  /* This is violating MISRA C 2012: Rule 15.6 */
+  if (condition)
+      foo++;
+      bar++;
+
+Naming
+------
+
+Functions
+^^^^^^^^^
+
+Use lowercase for function names, separating multiple words with an underscore
+character (``_``). This is sometimes referred to as *Snake Case*. An example is
+given below:
+
+.. code:: c
+
+  void bl2_arch_setup(void)
+  {
+      ...
+  }
+
+Local Variables and Parameters
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Local variables and function parameters use the same format as function names:
+lowercase with underscore separation between multiple words. An example is
+given below:
+
+.. code:: c
+
+  static void set_scr_el3_from_rm(uint32_t type,
+                                  uint32_t interrupt_type_flags,
+                                  uint32_t security_state)
+  {
+      uint32_t flag, bit_pos;
+
+      ...
+
+  }
+
+Preprocessor Macros
+^^^^^^^^^^^^^^^^^^^
+
+Identifiers that are defined using preprocessor macros are written in all
+uppercase text.
+
+.. code:: c
+
+  #define BUFFER_SIZE_BYTES 64
+
+Function Attributes
+-------------------
+
+Place any function attributes after the function type and before the function
+name.
+
+.. code:: c
+
+   void __init plat_arm_interconnect_init(void);
+
+Alignment
+---------
+
+Alignment should be performed primarily with tabs, adding spaces if required to
+achieve a granularity that is smaller than the tab size. For example, with a tab
+size of eight columns it would be necessary to use one tab character and two
+spaces to indent text by ten columns.
+
+Switch Statement Alignment
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+When using ``switch`` statements, align each ``case`` statement with the
+``switch`` so that they are in the same column.
+
+.. code:: c
+
+  switch (condition) {
+  case A:
+      foo();
+  case B:
+      bar();
+  default:
+      baz();
+  }
+
+Pointer Alignment
+^^^^^^^^^^^^^^^^^
+
+The reference and dereference operators (ampersand and *pointer star*) must be
+aligned with the name of the object on which they are operating, as opposed to
+the type of the object.
+
+.. code:: c
+
+  uint8_t *foo;
+
+  foo = &bar;
+
+
+Comments
+--------
+
+The general rule for comments is that the double-slash style of comment (``//``)
+is not allowed. Examples of the allowed comment formats are shown below:
+
+.. code:: c
+
+  /*
+   * This example illustrates the first allowed style for multi-line comments.
+   *
+   * Blank lines within multi-lines are allowed when they add clarity or when
+   * they separate multiple contexts.
+   *
+   */
+
+.. code:: c
+
+  /**************************************************************************
+   * This is the second allowed style for multi-line comments.
+   *
+   * In this style, the first and last lines use asterisks that run the full
+   * width of the comment at its widest point.
+   *
+   * This style can be used for additional emphasis.
+   *
+   *************************************************************************/
+
+.. code:: c
+
+  /* Single line comments can use this format */
+
+.. code:: c
+
+  /***************************************************************************
+   * This alternative single-line comment style can also be used for emphasis.
+   **************************************************************************/
+
+Headers and inclusion
+---------------------
+
+Header guards
+^^^^^^^^^^^^^
+
+For a header file called "some_driver.h" the style used by |TF-A| is:
+
+.. code:: c
+
+  #ifndef SOME_DRIVER_H
+  #define SOME_DRIVER_H
+
+  <header content>
+
+  #endif /* SOME_DRIVER_H */
+
+Include statement ordering
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+All header files that are included by a source file must use the following,
+grouped ordering. This is to improve readability (by making it easier to quickly
+read through the list of headers) and maintainability.
+
+#. *System* includes: Header files from the standard *C* library, such as
+   ``stddef.h`` and ``string.h``.
+
+#. *Project* includes: Header files under the ``include/`` directory within
+   |TF-A| are *project* includes.
+
+#. *Platform* includes: Header files relating to a single, specific platform,
+   and which are located under the ``plat/<platform_name>`` directory within
+   |TF-A|, are *platform* includes.
+
+Within each group, ``#include`` statements must be in alphabetical order,
+taking both the file and directory names into account.
+
+Groups must be separated by a single blank line for clarity.
+
+The example below illustrates the ordering rules using some contrived header
+file names; this type of name reuse should be otherwise avoided.
+
+.. code:: c
+
+  #include <string.h>
+
+  #include <a_dir/example/a_header.h>
+  #include <a_dir/example/b_header.h>
+  #include <a_dir/test/a_header.h>
+  #include <b_dir/example/a_header.h>
+
+  #include "a_header.h"
+
+Include statement variants
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Two variants of the ``#include`` directive are acceptable in the |TF-A|
+codebase. Correct use of the two styles improves readability by suggesting the
+location of the included header and reducing ambiguity in cases where generic
+and platform-specific headers share a name.
+
+For header files that are in the same directory as the source file that is
+including them, use the ``"..."`` variant.
+
+For header files that are **not** in the same directory as the source file that
+is including them, use the ``<...>`` variant.
+
+Example (bl1_fwu.c):
+
+.. code:: c
+
+  #include <assert.h>
+  #include <errno.h>
+  #include <string.h>
+
+  #include "bl1_private.h"
+
+Typedefs
+--------
+
+Avoid anonymous typedefs of structs/enums in headers
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+For example, the following definition:
+
+.. code:: c
+
+  typedef struct {
+          int arg1;
+          int arg2;
+  } my_struct_t;
+
+
+is better written as:
+
+.. code:: c
+
+  struct my_struct {
+          int arg1;
+          int arg2;
+  };
+
+This allows function declarations in other header files that depend on the
+struct/enum to forward declare the struct/enum instead of including the
+entire header:
+
+.. code:: c
+
+  struct my_struct;
+  void my_func(struct my_struct *arg);
+
+instead of:
+
+.. code:: c
+
+  #include <my_struct.h>
+  void my_func(my_struct_t *arg);
+
+Some TF definitions use both a struct/enum name **and** a typedef name. This
+is discouraged for new definitions as it makes it difficult for TF to comply
+with MISRA rule 8.3, which states that "All declarations of an object or
+function shall use the same names and type qualifiers".
+
+The Linux coding standards also discourage new typedefs and checkpatch emits
+a warning for this.
+
+Existing typedefs will be retained for compatibility.
+
+--------------
+
+*Copyright (c) 2020, Arm Limited. All rights reserved.*
+
+.. _`Linux kernel coding style`: https://www.kernel.org/doc/html/latest/process/coding-style.html
+.. _`MISRA C:2012 Guidelines`: https://www.misra.org.uk/Activities/MISRAC/tabid/160/Default.aspx
+.. _`a spreadsheet`: https://developer.trustedfirmware.org/file/download/lamajxif3w7c4mpjeoo5/PHID-FILE-fp7c7acszn6vliqomyhn/MISRA-and-TF-Analysis-v1.3.ods
diff --git a/docs/process/contributing.rst b/docs/process/contributing.rst
index f569fcbe7..15c2b4529 100644
--- a/docs/process/contributing.rst
+++ b/docs/process/contributing.rst
@@ -4,17 +4,22 @@ Contributor's Guide
 Getting Started
 ---------------
 
--  Make sure you have a Github account and you are logged on
-   `developer.trustedfirmware.org`_.
--  Create an `issue`_ for your work if one does not already exist. This gives
-   everyone visibility of whether others are working on something similar.
+-  Make sure you have a Github account and you are logged on both
+   `developer.trustedfirmware.org`_ and `review.trustedfirmware.org`_.
 
-   -  If you intend to include Third Party IP in your contribution, please
-      raise a separate `issue`_ for this and ensure that the changes that
-      include Third Party IP are made on a separate topic branch.
+-  If you plan to contribute a major piece of work, it is usually a good idea to
+   start a discussion around it on the mailing list. This gives everyone
+   visibility of what is coming up, you might learn that somebody else is
+   already working on something similar or the community might be able to
+   provide some early input to help shaping the design of the feature.
+
+   If you intend to include Third Party IP in your contribution, please mention
+   it explicitly in the email thread and ensure that the changes that include
+   Third Party IP are made in a separate patch (or patch series).
 
 -  Clone `Trusted Firmware-A`_ on your own machine as described in
    :ref:`prerequisites_get_source`.
+
 -  Create a local topic branch based on the `Trusted Firmware-A`_ ``master``
    branch.
 
@@ -23,61 +28,25 @@ Making Changes
 
 -  Make commits of logical units. See these general `Git guidelines`_ for
    contributing to a project.
--  Follow the :ref:`Coding Style & Guidelines`.
-
-   -  Use the checkpatch.pl script provided with the Linux source tree. A
-      Makefile target is provided for convenience.
 
 -  Keep the commits on topic. If you need to fix another bug or make another
-   enhancement, please create a separate `issue`_ and address it on a separate
-   topic branch.
--  Avoid long commit series. If you do have a long series, consider whether
-   some commits should be squashed together or addressed in a separate topic.
--  Make sure your commit messages are in the proper format. If a commit fixes
-   an `issue`_, include a reference.
--  Where appropriate, please update the documentation.
+   enhancement, please address it on a separate topic branch.
 
-   -  Consider whether the :ref:`Porting Guide`,
-      :ref:`Firmware Design` document or other in-source documentation needs
-      updating.
-   -  Ensure that each changed file has the correct copyright and license
-      information. Files that entirely consist of contributions to this
-      project should have a copyright notice and BSD-3-Clause SPDX license
-      identifier of the form as shown in :ref:`license`. Files that contain
-      changes to imported Third Party IP files should retain their original
-      copyright and license notices. For significant contributions you may
-      add your own copyright notice in following format:
-
-      ::
-
-          Portions copyright (c) [XXXX-]YYYY, <OWNER>. All rights reserved.
-
-      where XXXX is the year of first contribution (if different to YYYY) and
-      YYYY is the year of most recent contribution. <OWNER> is your name or
-      your company name.
-   -  If you are submitting new files that you intend to be the technical
-      sub-maintainer for (for example, a new platform port), then also update
-      the :ref:`maintainers` file.
-   -  For topics with multiple commits, you should make all documentation
-      changes (and nothing else) in the last commit of the series. Otherwise,
-      include the documentation changes within the single commit.
+-  Split the patch in manageable units. Small patches are usually easier to
+   review so this will speed up the review process.
 
--  Please test your changes. As a minimum, ensure that Linux boots on the
-   Foundation FVP. See :ref:`Arm Fixed Virtual Platforms (FVP)` for more
-   information. For more extensive testing, consider running the `TF-A Tests`_
-   against your patches.
-
-Submitting Changes
-------------------
+-  Avoid long commit series. If you do have a long series, consider whether
+   some commits should be squashed together or addressed in a separate topic.
 
 -  Ensure that each commit in the series has at least one ``Signed-off-by:``
    line, using your real name and email address. The names in the
-   ``Signed-off-by:`` and ``Author:`` lines must match. If anyone else
-   contributes to the commit, they must also add their own ``Signed-off-by:``
-   line. By adding this line the contributor certifies the contribution is made
-   under the terms of the
+   ``Signed-off-by:`` and ``Commit:`` lines must match. By adding this line the
+   contributor certifies the contribution is made under the terms of the
    :download:`Developer Certificate of Origin <../../dco.txt>`.
 
+   There might be multiple ``Signed-off-by:`` lines, depending on the history
+   of the patch.
+
    More details may be found in the `Gerrit Signed-off-by Lines guidelines`_.
 
 -  Ensure that each commit also has a unique ``Change-Id:`` line. If you have
@@ -87,27 +56,144 @@ Submitting Changes
 
    More details may be found in the `Gerrit Change-Ids documentation`_.
 
+-  Write informative and comprehensive commit messages. A good commit message
+   provides all the background information needed for reviewers to understand
+   the intent and rationale of the patch. This information is also useful for
+   future reference.
+
+   For example:
+
+   -  What does the patch do?
+   -  What motivated it?
+   -  What impact does it have?
+   -  How was it tested?
+   -  Have alternatives been considered? Why did you choose this approach over
+      another one?
+   -  If it fixes an `issue`_, include a reference.
+
+-  Follow the :ref:`Coding Style` and :ref:`Coding Guidelines`.
+
+   -  Use the checkpatch.pl script provided with the Linux source tree. A
+      Makefile target is provided for convenience, see :ref:`this
+      section<automatic-compliance-checking>` for more details.
+
+-  Where appropriate, please update the documentation.
+
+   -  Consider whether the :ref:`Porting Guide`, :ref:`Firmware Design` document
+      or other in-source documentation needs updating.
+
+   -  If you are submitting new files that you intend to be the code owner for
+      (for example, a new platform port), then also update the
+      :ref:`code owners` file.
+
+   -  For topics with multiple commits, you should make all documentation changes
+      (and nothing else) in the last commit of the series. Otherwise, include
+      the documentation changes within the single commit.
+
+.. _copyright-license-guidance:
+
+-  Ensure that each changed file has the correct copyright and license
+   information. Files that entirely consist of contributions to this project
+   should have a copyright notice and BSD-3-Clause SPDX license identifier of
+   the form as shown in :ref:`license`. Files that contain changes to imported
+   Third Party IP files should retain their original copyright and license
+   notices.
+
+   For significant contributions you may add your own copyright notice in the
+   following format:
+
+   ::
+
+       Portions copyright (c) [XXXX-]YYYY, <OWNER>. All rights reserved.
+
+   where XXXX is the year of first contribution (if different to YYYY) and YYYY
+   is the year of most recent contribution. <OWNER> is your name or your company
+   name.
+
+-  Ensure that each patch in the patch series compiles in all supported
+   configurations. Patches which do not compile will not be merged.
+
+-  Please test your changes. As a minimum, ensure that Linux boots on the
+   Foundation FVP. See :ref:`Arm Fixed Virtual Platforms (FVP)` for more
+   information. For more extensive testing, consider running the `TF-A Tests`_
+   against your patches.
+
+-  Ensure that all CI automated tests pass. Failures should be fixed. They might
+   block a patch, depending on how critical they are.
+
+Submitting Changes
+------------------
+
 -  Submit your changes for review at https://review.trustedfirmware.org
    targeting the ``integration`` branch.
 
-   -  The changes will then undergo further review and testing by the
-      :ref:`maintainers`. Any review comments will be made directly on your
-      patch. This may require you to do some rework.
+-  Add reviewers for your patch:
+
+   -  At least one code owner for each module modified by the patch. See the list
+      of modules and their :ref:`code owners`.
+
+   -  At least one maintainer. See the list of :ref:`maintainers`.
+
+   -  If some module has no code owner, try to identify a suitable (non-code
+      owner) reviewer. Running ``git blame`` on the module's source code can
+      help, as it shows who has been working the most recently on this area of
+      the code.
+
+      Alternatively, if it is impractical to identify such a reviewer, you might
+      send an email to the `TF-A mailing list`_ to broadcast your review request
+      to the community.
+
+   Note that self-reviewing a patch is prohibited, even if the patch author is
+   the only code owner of a module modified by the patch. Getting a second pair
+   of eyes on the code is essential to keep up with the quality standards the
+   project aspires to.
+
+-  The changes will then undergo further review by the designated people. Any
+   review comments will be made directly on your patch. This may require you to
+   do some rework. For controversial changes, the discussion might be moved to
+   the `TF-A mailing list`_ to involve more of the community.
 
    Refer to the `Gerrit Uploading Changes documentation`_ for more details.
 
+-  The patch submission rules are the following. For a patch to be approved
+   and merged in the tree, it must get:
+
+   -  One ``Code-Owner-Review+1`` for each of the modules modified by the patch.
+   -  A ``Maintainer-Review+1``.
+
+   In the case where a code owner could not be found for a given module,
+   ``Code-Owner-Review+1`` is substituted by ``Code-Review+1``.
+
+   In addition to these various code review labels, the patch must also get a
+   ``Verified+1``. This is usually set by the Continuous Integration (CI) bot
+   when all automated tests passed on the patch. Sometimes, some of these
+   automated tests may fail for reasons unrelated to the patch. In this case,
+   the maintainers might (after analysis of the failures) override the CI bot
+   score to certify that the patch has been correctly tested.
+
+   In the event where the CI system lacks proper tests for a patch, the patch
+   author or a reviewer might agree to perform additional manual tests
+   in their review and the reviewer incorporates the review of the additional
+   testing in the ``Code-Review+1`` or ``Code-Owner-Review+1`` as applicable to
+   attest that the patch works as expected. Where possible additional tests should
+   be added to the CI system as a follow up task. For example, for a
+   platform-dependent patch where the said platform is not available in the CI
+   system's board farm.
+
 -  When the changes are accepted, the :ref:`maintainers` will integrate them.
 
    -  Typically, the :ref:`maintainers` will merge the changes into the
       ``integration`` branch.
+
    -  If the changes are not based on a sufficiently-recent commit, or if they
       cannot be automatically rebased, then the :ref:`maintainers` may rebase it
-      on the ``master`` branch or ask you to do so.
+      on the ``integration`` branch or ask you to do so.
+
    -  After final integration testing, the changes will make their way into the
-      ``master`` branch. If a problem is found during integration, the merge
-      commit will be removed from the ``integration`` branch and the
-      :ref:`maintainers` will ask you to create a new patch set to resolve the
-      problem.
+      ``master`` branch. If a problem is found during integration, the
+      :ref:`maintainers` will request your help to solve the issue. They may
+      revert your patches and ask you to resubmit a reworked version of them or
+      they may ask you to provide a fix-up patch.
 
 Binary Components
 -----------------
@@ -128,15 +214,17 @@ Binary Components
 
 --------------
 
-*Copyright (c) 2013-2019, Arm Limited and Contributors. All rights reserved.*
+*Copyright (c) 2013-2020, Arm Limited and Contributors. All rights reserved.*
 
 .. _developer.trustedfirmware.org: https://developer.trustedfirmware.org
+.. _review.trustedfirmware.org: https://review.trustedfirmware.org
 .. _issue: https://developer.trustedfirmware.org/project/board/1/
 .. _Trusted Firmware-A: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git
 .. _Git guidelines: http://git-scm.com/book/ch5-2.html
 .. _Gerrit Uploading Changes documentation: https://review.trustedfirmware.org/Documentation/user-upload.html
 .. _Gerrit Signed-off-by Lines guidelines: https://review.trustedfirmware.org/Documentation/user-signedoffby.html
 .. _Gerrit Change-Ids documentation: https://review.trustedfirmware.org/Documentation/user-changeid.html
-.. _TF-A Tests: https://git.trustedfirmware.org/TF-A/tf-a-tests.git/about/
+.. _TF-A Tests: https://trustedfirmware-a-tests.readthedocs.io
 .. _Trusted Firmware binary repository: https://review.trustedfirmware.org/admin/repos/tf-binaries
 .. _tf-binaries-readme: https://git.trustedfirmware.org/tf-binaries.git/tree/readme.rst
+.. _TF-A mailing list: https://lists.trustedfirmware.org/mailman/listinfo/tf-a
diff --git a/docs/process/faq.rst b/docs/process/faq.rst
index 2c3658480..daab1987f 100644
--- a/docs/process/faq.rst
+++ b/docs/process/faq.rst
@@ -70,12 +70,10 @@ What are these strange comments in my changes?
 All the comments from ``ci-bot-user`` are associated with Continuous Integration
 infrastructure. The links published on the comment are not currently accessible,
 but would be after the CI has been transitioned to `trustedfirmware.org`_.
-Please refer to https://github.com/ARM-software/tf-issues/issues/681 for more
-details on the timelines.
 
 --------------
 
-*Copyright (c) 2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*
 
 .. _Gerrit Upload Patch Set documentation: https://review.trustedfirmware.org/Documentation/intro-user.html#upload-patch-set
 .. _Gerrit Replace Changes documentation: https://review.trustedfirmware.org/Documentation/user-upload.html#push_replace
diff --git a/docs/process/index.rst b/docs/process/index.rst
index 9c12de82f..37324b0e9 100644
--- a/docs/process/index.rst
+++ b/docs/process/index.rst
@@ -8,7 +8,9 @@ Processes & Policies
 
    security
    platform-compatibility-policy
+   coding-style
    coding-guidelines
    contributing
+   code-review-guidelines
    faq
    security-hardening
diff --git a/docs/process/security-hardening.rst b/docs/process/security-hardening.rst
index a18a79203..507046f2e 100644
--- a/docs/process/security-hardening.rst
+++ b/docs/process/security-hardening.rst
@@ -1,10 +1,123 @@
-Security hardening
-==================
+Secure Development Guidelines
+=============================
 
 This page contains guidance on what to check for additional security measures,
 including build options that can be modified to improve security or catch issues
 early in development.
 
+Security considerations
+-----------------------
+
+Part of the security of a platform is handling errors correctly, as described in
+the previous section. There are several other security considerations covered in
+this section.
+
+Do not leak secrets to the normal world
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The secure world **must not** leak secrets to the normal world, for example in
+response to an SMC.
+
+Handling Denial of Service attacks
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The secure world **should never** crash or become unusable due to receiving too
+many normal world requests (a *Denial of Service* or *DoS* attack). It should
+have a mechanism for throttling or ignoring normal world requests.
+
+Preventing Secure-world timing information leakage via PMU counters
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The Secure world needs to implement some defenses to prevent the Non-secure
+world from making it leak timing information. In general, higher privilege
+levels must defend from those below when the PMU is treated as an attack
+vector.
+
+Refer to the :ref:`Performance Monitoring Unit` guide for detailed information
+on the PMU registers.
+
+Timing leakage attacks from the Non-secure world
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Since the Non-secure world has access to the ``PMCR`` register, it can
+configure the PMU to increment counters at any exception level and in both
+Secure and Non-secure state. Thus, it attempts to leak timing information from
+the Secure world.
+
+Shown below is an example of such a configuration:
+
+-  ``PMEVTYPER0_EL0`` and ``PMCCFILTR_EL0``:
+
+   -  Set ``P`` to ``0``.
+   -  Set ``NSK`` to ``1``.
+   -  Set ``M`` to ``0``.
+   -  Set ``NSH`` to ``0``.
+   -  Set ``SH`` to ``1``.
+
+-  ``PMCNTENSET_EL0``:
+
+   -  Set ``P[0]`` to ``1``.
+   -  Set ``C`` to ``1``.
+
+-  ``PMCR_EL0``:
+
+   -  Set ``DP`` to ``0``.
+   -  Set ``E`` to ``1``.
+
+This configuration instructs ``PMEVCNTR0_EL0`` and ``PMCCNTR_EL0`` to increment
+at Secure EL1, Secure EL2 (if implemented) and EL3.
+
+Since the Non-secure world has fine-grained control over where (at which
+exception levels) it instructs counters to increment, obtaining event counts
+would allow it to carry out side-channel timing attacks against the Secure
+world. Examples include Spectre, Meltdown, as well as extracting secrets from
+cryptographic algorithms with data-dependent variations in their execution
+time.
+
+Secure world mitigation strategies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The ``MDCR_EL3`` register allows EL3 to configure the PMU (among other things).
+The `Arm ARM`_ details all of the bit fields in this register, but for the PMU
+there are two bits which determine the permissions of the counters:
+
+-  ``SPME`` for the programmable counters.
+-  ``SCCD`` for the cycle counter.
+
+Depending on the implemented features, the Secure world can prohibit counting
+in AArch64 state via the following:
+
+-  ARMv8.2-Debug not implemented:
+
+   -  Prohibit general event counters and the cycle counter:
+      ``MDCR_EL3.SPME == 0 && PMCR_EL0.DP == 1 && !ExternalSecureNoninvasiveDebugEnabled()``.
+
+      -  ``MDCR_EL3.SPME`` resets to ``0``, so by default general events should
+         not be counted in the Secure world.
+      -  The ``PMCR_EL0.DP`` bit therefore needs to be set to ``1`` when EL3 is
+         entered and ``PMCR_EL0`` needs to be saved and restored in EL3.
+      -  ``ExternalSecureNoninvasiveDebugEnabled()`` is an authentication
+         interface which is implementation-defined unless ARMv8.4-Debug is
+         implemented. The `Arm ARM`_ has detailed information on this topic.
+
+   -  The only other way is to disable the ``PMCR_EL0.E`` bit upon entering
+      EL3, which disables counting altogether.
+
+-  ARMv8.2-Debug implemented:
+
+   -  Prohibit general event counters: ``MDCR_EL3.SPME == 0``.
+   -  Prohibit cycle counter: ``MDCR_EL3.SPME == 0 && PMCR_EL0.DP == 1``.
+      ``PMCR_EL0`` therefore needs to be saved and restored in EL3.
+
+-  ARMv8.5-PMU implemented:
+
+   -  Prohibit general event counters: as in ARMv8.2-Debug.
+   -  Prohibit cycle counter: ``MDCR_EL3.SCCD == 1``
+
+In Aarch32 execution state the ``MDCR_EL3`` alias is the ``SDCR`` register,
+which has some of the bit fields of ``MDCR_EL3``, most importantly the ``SPME``
+and ``SCCD`` bits.
+
 Build options
 -------------
 
@@ -51,6 +164,12 @@ Several build options can be used to check for security issues. Refer to the
   NB: The ``Werror`` flag is enabled by default in TF-A and can be disabled by
   setting the ``E`` build flag to 0.
 
+.. rubric:: References
+
+-  `Arm ARM`_
+
 --------------
 
-*Copyright (c) 2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*
+
+.. _Arm ARM: https://developer.arm.com/docs/ddi0487/latest
diff --git a/docs/process/security-reporting.asc b/docs/process/security-reporting.asc
deleted file mode 100644
index 8c41f7bf6..000000000
--- a/docs/process/security-reporting.asc
+++ /dev/null
@@ -1,45 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: PGP Desktop 10.2.0 (Build 2317)
-
-mQENBFey/QMBCACyxJaLsMYU794ZfzLdY172tHXRJfP0X3b34HU35G7kYl1zNiYc
-/NoygtQdtDv/aW1B2A/YTNhGge+gX4BWAREd5CYDbdPEoMWC395/qbnmMmez7YNY
-PEJ9Iq9e5AayAWwZTL1zgKwdvE+WTwWok/nMbsifJSEdhdrOIHNqRcZgplUUyZ2R
-sDqFtSbACO3xj4Psk8KJ23Ax7UZgULouZOJaHOnyq8F9V/U7zWvX4Odf96XaC1Em
-cUTsG0kQfa7Y4Hqqjzowq366I4k2o2LAtuLPWNCvq5jjEceLs2+qV4cNLgyL2dzO
-wtUL6EdkrGfkxsPHpsVKXig4wjeX9ehCSqRlABEBAAG0PVRydXN0ZWQgRmlybXdh
-cmUgU2VjdXJpdHkgPHRydXN0ZWQtZmlybXdhcmUtc2VjdXJpdHlAYXJtLmNvbT6J
-AYwEEAECAHYFAley/SEwFIAAAAAAIAAHcHJlZmVycmVkLWVtYWlsLWVuY29kaW5n
-QHBncC5jb21wZ3BtaW1lCAsJCAcDAgEKAhkBGRhsZGFwOi8va2V5c2VydmVyLnBn
-cC5jb20FGwMAAAAFFgADAgEFHgEAAAAGFQgJCgMCAAoJEDq378tFoN/QFJsH/0ly
-H91LYYzKIQrbolQw7Rp47lgzH88uN1rInYpW2GaTbjwPffAhYJ4VsN8RaiFskD9m
-DjMg4vY8p0jPTCUX1Acq20Wq0Ybv3HcrtjUp4ie0+rLUi3043yJyKFMWkJC2Kr+p
-SobnxSrAie4HDFUgSaPoh9Qf1zXEzOavdgcziMiyS5iVUf6NXYZ9z82OTZ6TdPKS
-u+L5zOHTdrV3+hD54w00Xa+EIE7u4v0to6Uwm977508hyGuvpOVq+u7+S3qJQvnY
-+JheStbgLsm6CyoRjyrlTE01ujAD6hI6Ef9yMgEljOBEy4phKAJ67SCRLEOiCp5U
-YHFCULwhzIyg2y3WmZSJASIEEAECAAwFAlezAnwFAwASdQAACgkQlxC4m8pXrXzd
-GAf/T8YEICI9qQt2vnCtCbBvVaTc2sAphVZ51kZVDqCDPB7znDtJYRBpi/9IPELt
-mYwIElMx2mqmahVaeUghmbzmcLZe8QHUi8GanO1mh+ook6uyjRojSIq6VUVV5uUf
-tuscfhpilOvUclqMqYEIgXfl08YwS40Kmmj0qokwad0co0zGQ8GEhlgMi2yvJfiG
-fPS0Xcn1J0980E/VgJQCAKwZvukrbb32WVwuhgepqs/4/62PZNxglcErioFt6P0A
-ik4t9Hr0uErqCeEKiYtmEw5e9ioRdX7CV+tJgIk907Tpv6E0iDFRJHmJBvmsz82O
-stOazS3wZ5Xck7asTqkvoyo9Z7kBDQRXsv0DAQgAsmL1UUIWyoNmYJWixSPDmclP
-0ul3T1FCOsIlWTeVeshnHByYdgZOfce78ETCUoq8G7qvYm4GRrEDpqVbxqTxJioP
-4Li05WDdNCKzSoqWd8ADA48gYnnJEu2NhA7ZkEC6u3+Mdbmd3M0J6nsAWeE0BV1p
-F5zI600sJuoH2QNWB7Kv5N3GCFE4IgCIH8MwDo4Y4FTZtygx4GjEtSExiOIz+bpX
-2+GkFCQGpIyLHLP4FmQmrsNzsIdEyFuG0IdoVuQ2PtNLiw+Wkm7CXWgRmFx/dtPN
-eVnOFWdbTtjBWVv/Z6zbANos2knfc75KR4FCQ6pWRvVeJuMuMopUDkfFDMtR8QAR
-AQABiQJBBBgBAgErBQJXsv0EBRsMAAAAwF0gBBkBCAAGBQJXsv0DAAoJENaB8ph8
-s9hu/nsH/Rx696ZR+1vZi5qCTUwo6s0Qa15x4OuyJEM85VgMLVY7/MZpp1Y8If6u
-A5BynQpy4QIPxIRsRx6twduW9/gb8UVhpMRPyuJ+5sSv0/KeUqkPbKSUGro2zGlR
-sjqPrchi6uafWZqOR/y/DNkEvkgZZaP+f9xs2qWKuoF08yTioo76QoroA4DVuVAT
-MkDFe9d3natAmfmjO4kvxuthg3y7R+sdXrCHpYYJZdbiR6gyj7e8whlSLwHQT3lz
-7QBL/CvVvL/dmhu5pk8fsksbehepMQTkCJ6GGEamOPEhwh7IvlzhEt97U4uzjuMd
-BPjqOCes+4QTmn/+lMTySG0kXxnHOEUACgkQOrfvy0Wg39D8Jgf/Uf3epkMOJ9xm
-N1l5vW8tQQ6RR055YQxQ9P6JMyCQGEJmGOcvrasCho69wMQDy4AYVtJaZd25LH/3
-LX/lcyDOP4C9VYXM+IxlcaRmjBKqWx9UzQeeioIkfmjMpJFU846ZP1dacge0lPx8
-p6ocPbM0rkv0xuF/dwkDQd4BPSmv4/3/UM8FRoYo8Q7SHkDR98wJ8FCm6k9wRtWC
-K/jzmBswY2TewAHom3jLzTM0FZ/n5Sini3EGAI2EvnQrxWRpeE7ZOkHKqLHEOaHl
-zeST4U/cUgxhwgnhbGJ7zmrFsHpYnnZYM3mIKfQ3/EhksZ68TF9IB1tfUiQTij4r
-9jWa0ybRdQ==
-=nZZb
------END PGP PUBLIC KEY BLOCK-----
diff --git a/docs/process/security.rst b/docs/process/security.rst
index c3935daa1..a3b9971e4 100644
--- a/docs/process/security.rst
+++ b/docs/process/security.rst
@@ -20,40 +20,15 @@ Found a Security Issue?
 Although we try to keep TF-A secure, we can only do so with the help of the
 community of developers and security researchers.
 
-If you think you have found a security vulnerability, please **do not** report it
-in the `issue tracker`_. Instead send an email to
-trusted-firmware-security@arm.com
+.. warning::
+   If you think you have found a security vulnerability, please **do not**
+   report it in the `issue tracker`_ or on the `mailing list`_. Instead, please
+   follow the `TrustedFirmware.org security incident process`_.
 
-Please include:
-
-* Trusted Firmware-A version (or commit) affected
-
-* A description of the concern or vulnerability
-
-* Details on how to replicate the vulnerability, including:
-
-  - Configuration details
-
-  - Proof of concept exploit code
-
-  - Any additional software or tools required
-
-We recommend using :download:`this PGP/GPG key <./security-reporting.asc>` for
-encrypting the information. This key is also available at
-http://keyserver.pgp.com and LDAP port 389 of the same server.
-
-The fingerprint for this key is:
-
-::
-
-    1309 2C19 22B4 8E87 F17B FE5C 3AB7 EFCB 45A0 DFD0
-
-If you would like replies to be encrypted, please provide your public key.
-
-Please give us the time to respond to you and fix the vulnerability before going
-public. We do our best to respond and fix any issues quickly. We also need to
-ensure providers of products that use TF-A have a chance to consider the
-implications of the vulnerability and its remedy.
+One of the goals of this process is to ensure providers of products that use
+TF-A have a chance to consider the implications of the vulnerability and its
+remedy before it is made public. As such, please follow the disclosure plan
+outlined in the process. We do our best to respond and fix any issues quickly.
 
 Afterwards, we encourage you to write-up your findings about the TF-A source
 code.
@@ -61,8 +36,8 @@ code.
 Attribution
 -----------
 
-We will name and thank you in the :ref:`Change Log & Release Notes` distributed with the source
-code and in any published security advisory.
+We will name and thank you in the :ref:`Change Log & Release Notes` distributed
+with the source code and in any published security advisory.
 
 Security Advisories
 -------------------
@@ -96,7 +71,7 @@ Security Advisories
 +-----------+------------------------------------------------------------------+
 
 .. _issue tracker: https://developer.trustedfirmware.org/project/board/1/
-.. _this PGP/GPG key: security-reporting.asc
+.. _mailing list: https://lists.trustedfirmware.org/mailman/listinfo/tf-a
 
 .. |TFV-1| replace:: :ref:`Advisory TFV-1 (CVE-2016-10319)`
 .. |TFV-2| replace:: :ref:`Advisory TFV-2 (CVE-2017-7564)`
@@ -107,6 +82,8 @@ Security Advisories
 .. |TFV-7| replace:: :ref:`Advisory TFV-7 (CVE-2018-3639)`
 .. |TFV-8| replace:: :ref:`Advisory TFV-8 (CVE-2018-19440)`
 
+.. _TrustedFirmware.org security incident process: https://developer.trustedfirmware.org/w/collaboration/security_center/
+
 --------------
 
-*Copyright (c) 2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*