[PATCH v2 1/5] docker: add OP-TEE and TF-A build for testing Firmware Handoff

Raymond Mao raymond.mao at linaro.org
Fri Oct 3 21:22:15 CEST 2025 

Fetch OP-TEE (4.7.0), TF-A (v2.13.0), MbedTLS (v3.6) and build
bl1 and fip with both Firmware Handoff and Measured Boot enabled.

Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
---
Changes in V2:
- Move OP-TEE dependencies into the common group.
- Fetch MbedTLS/TF-A and build bl1/fip in dockerfile instead of
  post-buildman script.
- Remove Trust Boot related build options.

 tools/docker/Dockerfile | 74 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 71 insertions(+), 3 deletions(-)

diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
index 5b4c75f8400..0a213a7a61e 100644
--- a/tools/docker/Dockerfile
+++ b/tools/docker/Dockerfile
@@ -58,6 +58,9 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get install -y \
+	adb \
+	acpica-tools \
+	autoconf \
 	automake \
 	autopoint \
 	bc \
@@ -65,21 +68,26 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 	bison \
 	build-essential \
 	byacc \
+	ccache \
 	cgpt \
 	clang-18 \
 	coreutils \
 	cpio \
+	cscope \
 	curl \
 	device-tree-compiler \
 	dosfstools \
 	e2fsprogs \
+	e2tools \
 	efitools \
 	erofs-utils \
 	exfatprogs \
 	expect \
 	fakeroot \
+	fastboot \
 	fdisk \
 	flex \
+	ftp-upload \
 	gawk \
 	gdisk \
 	gettext \
@@ -92,11 +100,20 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 	imagemagick \
 	inetutils-telnet \
 	iputils-ping \
+	libattr1-dev \
+	libcap-ng-dev \
 	libconfuse-dev \
+	libfdt-dev \
+	libftdi-dev \
 	libgit2-dev \
 	libjson-glib-dev \
+	libglib2.0-dev \
+	libgmp3-dev \
 	libgnutls28-dev \
 	libgnutls30 \
+	libhidapi-dev \
+	libmpc-dev \
+	libncurses5-dev \
 	libpixman-1-dev \
 	libpython3-dev \
 	libsdl1.2-dev \
@@ -110,9 +127,11 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 	lz4 \
 	lzma-alone \
 	lzop \
+	make \
 	mount \
 	mtd-utils \
 	mtools \
+	netcat \
 	net-tools \
 	ninja-build \
 	openssl \
@@ -122,12 +141,16 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 	python-is-python3 \
 	python2.7 \
 	python3 \
+	python3-cryptography \
 	python3-dev \
 	python3-pip \
+	python3-pyelftools \
+	python3-serial \
 	python3-sphinx \
 	python3-tomli \
 	python3-venv \
 	rpm2cpio \
+	rsync \
 	sbsigntool \
 	socat \
 	softhsm2 \
@@ -136,13 +159,20 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 	sudo \
 	swig \
 	texinfo \
+	unzip \
 	util-linux \
 	uuid-dev \
 	vboot-kernel-utils \
 	vboot-utils \
+	wget \
+	xdg-utils \
 	xilinx-bootgen \
+	xsltproc \
+	xterm \
 	xxd \
-	zip
+	xz-utils \
+	zip \
+	zlib1g-dev
 
 # Build GRUB UEFI targets for ARM & RISC-V, 32-bit and 64-bit
 RUN git clone git://git.savannah.gnu.org/grub.git /tmp/grub && \
@@ -227,10 +257,30 @@ RUN git clone https://gitlab.com/qemu-project/qemu.git /tmp/qemu && \
 	make -j$(nproc) all install && \
 	rm -rf /tmp/qemu
 
-# Build fiptool
+# Build OP-TEE for qemu_arm64
+RUN git clone https://github.com/OP-TEE/optee_os.git /tmp/optee_os && \
+	cd /tmp/optee_os/ && \
+	git checkout 4.7.0 && \
+	make CROSS_COMPILE=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
+		CROSS_COMPILE_core=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
+		CROSS_COMPILE32=/opt/gcc-${TCVER}-nolibc/arm-linux-gnueabi/bin/arm-linux-gnueabi- \
+		CROSS_COMPILE_ta_arm32=/opt/gcc-${TCVER}-nolibc/arm-linux-gnueabi/bin/arm-linux-gnueabi- \
+		CROSS_COMPILE_ta_arm64=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
+		ARCH=arm \
+		CFG_ARM64_core=y \
+		CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y \
+		PLATFORM=vexpress-qemu_armv8a CFG_RPMB_FS=y \
+		CFG_RPMB_FS_DEV_ID=0 CFG_CORE_HEAP_SIZE=524288 CFG_RPMB_WRITE_KEY=y \
+		CFG_CORE_HEAP_SIZE=524288 CFG_CORE_DYN_SHM=y CFG_RPMB_TESTKEY=y \
+		CFG_RPMB_WRITE_KEY=1 \
+		CFG_REE_FS=n CFG_CORE_ARM64_PA_BITS=48  \
+		CFG_TEE_CORE_LOG_LEVEL=4 CFG_TEE_TA_LOG_LEVEL=1 DEBUG=y
+
+# Build fiptool, bl1 and fip for fvp and qemu_arm64
+RUN git clone --branch mbedtls-3.6 https://github.com/ARMmbed/mbedtls.git /tmp/mbedtls
 RUN git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git /tmp/tf-a && \
 	cd /tmp/tf-a/ && \
-	git checkout v2.12.0 && \
+	git checkout v2.13.0 && \
 	make CROSS_COMPILE=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
 		PLAT=fvp BL33=/dev/null -j$(nproc) all fip && \
 	mkdir -p /usr/local/bin /opt/tf-a/vexpress_fvp && \
@@ -243,6 +293,24 @@ RUN git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git /tmp/t
 	mkdir -p /opt/tf-a/vexpress_fvp_bloblist && \
 	cp build/fvp/release/fip.bin build/fvp/release/bl1.bin \
 		/opt/tf-a/vexpress_fvp_bloblist/ && \
+	make CROSS_COMPILE=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
+		PLAT=qemu \
+		BL33=/dev/null \
+		BL32=/tmp/optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin \
+		BL32_EXTRA1=/tmp/optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin \
+		BL32_EXTRA2=/tmp/optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin \
+		BL32_RAM_LOCATION=tdram SPD=opteed \
+		TRANSFER_LIST=1 E=0 \
+		MEASURED_BOOT=1 \
+		EVENT_LOG_LEVEL=10 \
+		MBOOT_EL_HASH_ALG=sha256 \
+		MBEDTLS_DIR=/tmp/mbedtls \
+		-j$(nproc) all fip && \
+	mkdir -p /opt/tf-a/qemu_arm64_fw_handoff_tfa_optee && \
+	cp build/qemu/release/fip.bin build/qemu/release/bl1.bin \
+		/opt/tf-a/qemu_arm64_fw_handoff_tfa_optee/ && \
+	rm -rf /tmp/optee_os && \
+	rm -rf /tmp/mbedtls && \
 	rm -rf /tmp/tf-a
 
 # Download the Arm Architecture FVP platform. This file is double compressed.
-- 
2.25.1

More information about the U-Boot mailing list