[PATCH v3 1/6] docker: add OP-TEE and TF-A build for testing Firmware Handoff
Jerome Forissier
jerome.forissier at linaro.org
Mon Oct 13 08:45:01 CEST 2025
Hi Raymond,

On 10/10/25 21:06, Raymond Mao wrote:
> Hi Jerome,
>
> On Fri, 10 Oct 2025 at 11:11, Jerome Forissier
> <jerome.forissier at linaro.org> wrote:
>>
>> Hi Raymond,
>>
>> On 10/10/25 16:45, Raymond Mao wrote:
>>> Fetch OP-TEE (4.7.0), TF-A (v2.13.0), MbedTLS (v3.6) and build
>>> bl1 and fip with both Firmware Handoff and Measured Boot enabled.
>>>
>>> Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
>>> ---
>>> Changes in V2:
>>> - Move OP-TEE dependencies into the common group.
>>> - Fetch MbedTLS/TF-A and build bl1/fip in dockerfile instead of
>>> post-buildman script.
>>> - Remove Trust Boot related build options.
>>> Changes in V3:
>>> - Clean-up of OP-TEE deps.
>>>
>>> tools/docker/Dockerfile | 44 +++++++++++++++++++++++++++++++++++++++--
>>> 1 file changed, 42 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
>>> index 5b4c75f8400..51d07b1482c 100644
>>> --- a/tools/docker/Dockerfile
>>> +++ b/tools/docker/Dockerfile
>>> @@ -122,8 +122,10 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
>>> python-is-python3 \
>>> python2.7 \
>>> python3 \
>>> + python3-cryptography \
>>> python3-dev \
>>> python3-pip \
>>> + python3-pyelftools \
>>> python3-sphinx \
>>> python3-tomli \
>>> python3-venv \
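Review bot: python3-cryptography and python3-pyelftools go into the shared apt list, but neither the hunk nor the commit message body says which build step needs them; the V2 changelog only mentions that OP-TEE dependencies moved into the common group. Naming the two packages as OP-TEE build requirements in the commit message would let a later cleanup tell whether they can be dropped if the OP-TEE step is removed.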
>>> @@ -227,10 +229,30 @@ RUN git clone https://gitlab.com/qemu-project/qemu.git /tmp/qemu && \
>>> make -j$(nproc) all install && \
>>> rm -rf /tmp/qemu
>>>
>>> -# Build fiptool
>>> +# Build OP-TEE for qemu_arm64
>>> +RUN git clone https://github.com/OP-TEE/optee_os.git /tmp/optee_os && \
>>> + cd /tmp/optee_os/ && \
>>> + git checkout 4.7.0 && \
>>> + make CROSS_COMPILE=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
>>
>> OK
>>
>>> + CROSS_COMPILE_core=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
>>
>> Not needed (eventually defaults to $(CROSS_COMPILE))
>>
>
> Removing CROSS_COMPILE_core prompts "aarch64-linux-gnu-gcc: command
> not found", I think we need CROSS_COMPILE64 instead.

Correct.

>
>>> + CROSS_COMPILE32=/opt/gcc-${TCVER}-nolibc/arm-linux-gnueabi/bin/arm-linux-gnueabi- \
>>
>> OK
>>
>>> + CROSS_COMPILE_ta_arm32=/opt/gcc-${TCVER}-nolibc/arm-linux-gnueabi/bin/arm-linux-gnueabi- \
>>> + CROSS_COMPILE_ta_arm64=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
>>> + ARCH=arm \
>>> + CFG_ARM64_core=y \
>>
>> All 4 lines not needed (defaults)
>>
>
> Ditto, removing CROSS_COMPILE_ta_arm64 prompts "aarch64-linux-gnu-gcc:
> command not found".
> I think for v4.7.0:
> CROSS_COMPILE_ta_arm64 defaults to CROSS_COMPILE64;
> CROSS_COMPILE_ta_arm32 defaults to CROSS_COMPILE32;
> CROSS_COMPILE32 defaults to CROSS_COMPILE.
> CROSS_COMPILE_core defaults to CROSS_COMPILE64 when CFG_ARM64_core=y.
>
> So actually CROSS_COMPILE and CROSS_COMPILE64 are required at least.

Again, this is totally correct. Sorry for mixing things up a bit ;-)
Anyway you got the point, I'd like to minimize the number of variables
set on the command line. I would recommend setting CROSS_COMPILE32 and
CROSS_COMPILE64 (and not CROSS_COMPILE).

Thanks,
--
Jerome

>
> Regards,
> Raymond
>
>
>>> + CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y \
>>> + PLATFORM=vexpress-qemu_armv8a CFG_RPMB_FS=y \
>>
>> OK
>>
>>> + CFG_RPMB_FS_DEV_ID=0 CFG_CORE_HEAP_SIZE=524288 CFG_RPMB_WRITE_KEY=y \
>>
>> CFG_RPMB_FS_DEV_ID=0 not needed (default)
>>
>>> + CFG_CORE_HEAP_SIZE=524288 CFG_CORE_DYN_SHM=y CFG_RPMB_TESTKEY=y \
>>
>> CFG_CORE_DYN_SHM=y not needed (default)
>>
>>> + CFG_RPMB_WRITE_KEY=1 \
>>
>> Already set above
>>
>>> + CFG_REE_FS=n CFG_CORE_ARM64_PA_BITS=48 \
>>
>> OK
>>
>>> + CFG_TEE_CORE_LOG_LEVEL=4 CFG_TEE_TA_LOG_LEVEL=1 DEBUG=y
>>
>> CFG_TEE_TA_LOG_LEVEL=1 not needed (default).
>> Would the CFG_TEE_CORE_LOG_LEVEL (2 == LOG_LEVEL_ERROR) and DEBUG (disabled) be OK?
>>
>>> +
>>> +# Build fiptool, bl1 and fip for fvp and qemu_arm64
>>> +RUN git clone --branch mbedtls-3.6 https://github.com/ARMmbed/mbedtls.git /tmp/mbedtls
>>> RUN git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git /tmp/tf-a && \
>>> cd /tmp/tf-a/ && \
>>> - git checkout v2.12.0 && \
>>> + git checkout v2.13.0 && \
>>> make CROSS_COMPILE=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
>>> PLAT=fvp BL33=/dev/null -j$(nproc) all fip && \
>>> mkdir -p /usr/local/bin /opt/tf-a/vexpress_fvp && \
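Review bot: the mbedtls clone uses --branch mbedtls-3.6, which follows a branch head, while optee_os and tf-a are checked out at 4.7.0 and v2.13.0, so two builds of this Dockerfile can pull different mbedtls sources. Checking out a fixed release tag or commit for mbedtls, as is done for the other two, would make the image reproducible. Separately, CFG_CORE_HEAP_SIZE=524288 is passed twice on the OP-TEE make line and CFG_RPMB_WRITE_KEY appears as both =y and =1; keep one of each. CFG_RPMB_TESTKEY=y deserves a Dockerfile comment stating that the test key is intended for this CI image only.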
>>> @@ -243,6 +265,24 @@ RUN git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git /tmp/t
>>> mkdir -p /opt/tf-a/vexpress_fvp_bloblist && \
>>> cp build/fvp/release/fip.bin build/fvp/release/bl1.bin \
>>> /opt/tf-a/vexpress_fvp_bloblist/ && \
>>> + make CROSS_COMPILE=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
>>> + PLAT=qemu \
>>> + BL33=/dev/null \
>>> + BL32=/tmp/optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin \
>>> + BL32_EXTRA1=/tmp/optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin \
>>> + BL32_EXTRA2=/tmp/optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin \
>>> + BL32_RAM_LOCATION=tdram SPD=opteed \
>>> + TRANSFER_LIST=1 E=0 \
>>> + MEASURED_BOOT=1 \
>>> + EVENT_LOG_LEVEL=10 \
>>> + MBOOT_EL_HASH_ALG=sha256 \
>>> + MBEDTLS_DIR=/tmp/mbedtls \
>>> + -j$(nproc) all fip && \
>>> + mkdir -p /opt/tf-a/qemu_arm64_fw_handoff_tfa_optee && \
>>> + cp build/qemu/release/fip.bin build/qemu/release/bl1.bin \
>>> + /opt/tf-a/qemu_arm64_fw_handoff_tfa_optee/ && \
>>> + rm -rf /tmp/optee_os && \
>>> + rm -rf /tmp/mbedtls && \
>>> rm -rf /tmp/tf-a
>>>
>>> # Download the Arm Architecture FVP platform. This file is double compressed.
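Review bot: rm -rf /tmp/optee_os and rm -rf /tmp/mbedtls at the end of this RUN delete trees that were created by earlier, separate RUN instructions (the optee_os clone and build, and the mbedtls clone), so those layers still carry the full source and build output and the image does not get smaller. Doing the optee_os and mbedtls clones inside the same RUN as the TF-A build, or removing each tree in the RUN that created it after copying out what is needed, would make the cleanup effective. EVENT_LOG_LEVEL=10 and E=0 would also benefit from a one-line comment saying why they are set.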
>>
>> Thanks,
>> --
>> Jerome