[PATCH v2 1/5] docker: add OP-TEE and TF-A build for testing Firmware Handoff

Tom Rini trini at konsulko.com
Fri Oct 3 22:17:18 CEST 2025


On Fri, Oct 03, 2025 at 12:22:15PM -0700, Raymond Mao wrote:

> Fetch OP-TEE (4.7.0), TF-A (v2.13.0), MbedTLS (v3.6) and build
> bl1 and fip with both Firmware Handoff and Measured Boot enabled.
> 
> Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> ---
> Changes in V2:
> - Move OP-TEE dependencies into the common group.
> - Fetch MbedTLS/TF-A and build bl1/fip in dockerfile instead of
>   post-buildman script.
> - Remove Trust Boot related build options.
> 
>  tools/docker/Dockerfile | 74 +++++++++++++++++++++++++++++++++++++++--
>  1 file changed, 71 insertions(+), 3 deletions(-)
> 
> diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
> index 5b4c75f8400..0a213a7a61e 100644
> --- a/tools/docker/Dockerfile
> +++ b/tools/docker/Dockerfile
> @@ -58,6 +58,9 @@ RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
>  RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
>      --mount=type=cache,target=/var/lib/apt,sharing=locked \
>      apt-get update && apt-get install -y \
> +	adb \
> +	acpica-tools \
> +	autoconf \
>  	automake \
>  	autopoint \
>  	bc \
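
Review bot: `adb`, the first addition in this hunk, is an Android device client, and the commit message only describes building bl1 and the fip, which does not involve talking to a device. The `apt-get install -y` line in the context above also runs without `--no-install-recommends`, so every name added here can bring in recommended packages on top of its hard dependencies. Suggest dropping `adb` unless a build or test step calls it, and stating in the commit message which additions are for OP-TEE and which are for TF-A.
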
> @@ -65,21 +68,26 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
>  	bison \
>  	build-essential \
>  	byacc \
> +	ccache \
>  	cgpt \
>  	clang-18 \
>  	coreutils \
>  	cpio \
> +	cscope \
>  	curl \
>  	device-tree-compiler \
>  	dosfstools \
>  	e2fsprogs \
> +	e2tools \
>  	efitools \
>  	erofs-utils \
>  	exfatprogs \
>  	expect \
>  	fakeroot \
> +	fastboot \
>  	fdisk \
>  	flex \
> +	ftp-upload \
>  	gawk \
>  	gdisk \
>  	gettext \
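
Review bot: `cscope`, `fastboot` and `ftp-upload` in this hunk are a source browser, a device flashing client and an FTP upload client, none of which is an input to an unattended bl1/fip build. Tools that can push data off the build host are also worth keeping out of a CI image unless something needs them. Suggest leaving these three out, or naming the build step that fails without them.
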
> @@ -92,11 +100,20 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
>  	imagemagick \
>  	inetutils-telnet \
>  	iputils-ping \
> +	libattr1-dev \
> +	libcap-ng-dev \
>  	libconfuse-dev \
> +	libfdt-dev \
> +	libftdi-dev \
>  	libgit2-dev \
>  	libjson-glib-dev \
> +	libglib2.0-dev \
> +	libgmp3-dev \
>  	libgnutls28-dev \
>  	libgnutls30 \
> +	libhidapi-dev \
> +	libmpc-dev \
> +	libncurses5-dev \
>  	libpixman-1-dev \
>  	libpython3-dev \
>  	libsdl1.2-dev \
> @@ -110,9 +127,11 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
>  	lz4 \
>  	lzma-alone \
>  	lzop \
> +	make \
>  	mount \
>  	mtd-utils \
>  	mtools \
> +	netcat \
>  	net-tools \
>  	ninja-build \
>  	openssl \
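
Review bot: the added `make` line is redundant, since `build-essential` is already in this list and depends on make. `netcat` adds a second general-purpose socket tool beside `socat`, which the list also already carries. Suggest dropping `make`, and keeping `netcat` only if a script in this series invokes it by name.
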
> @@ -122,12 +141,16 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
>  	python-is-python3 \
>  	python2.7 \
>  	python3 \
> +	python3-cryptography \
>  	python3-dev \
>  	python3-pip \
> +	python3-pyelftools \
> +	python3-serial \
>  	python3-sphinx \
>  	python3-tomli \
>  	python3-venv \
>  	rpm2cpio \
> +	rsync \
>  	sbsigntool \
>  	socat \
>  	softhsm2 \
> @@ -136,13 +159,20 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
>  	sudo \
>  	swig \
>  	texinfo \
> +	unzip \
>  	util-linux \
>  	uuid-dev \
>  	vboot-kernel-utils \
>  	vboot-utils \
> +	wget \
> +	xdg-utils \
>  	xilinx-bootgen \
> +	xsltproc \
> +	xterm \
>  	xxd \
> -	zip
> +	xz-utils \
> +	zip \
> +	zlib1g-dev
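
Review bot: `xterm` and `xdg-utils` near the end of this hunk are desktop session tools, and `xterm` pulls X11 client libraries into an image that runs headless. `wget` duplicates `curl`, which the list already has. Suggest dropping all three unless a fetch or build step in this series calls them, so the image carries only what the bl1/fip build and the tests execute.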

Are some of these deps perhaps optional? I would hope we could build
without cscope and xterm, to pick randomly from the top and bottom of
the list. I ask since everything we add here makes the container larger,
and it's already very big. I'm almost wondering if we should (follow-up,
later) add a step where we remove things that tools we built needed, but
U-Boot doesn't need for build/tests.

-- 
Tom