[PATCH v4 1/6] docker: add OP-TEE and TF-A build for testing Firmware Handoff
Jerome Forissier
jerome.forissier at linaro.org
Mon Oct 20 17:19:45 CEST 2025

Hi Raymond,
On 10/15/25 16:18, Raymond Mao wrote:
> Fetch OP-TEE (4.7.0), TF-A (v2.13.0), MbedTLS (v3.6) and build
> bl1 and fip with both Firmware Handoff and Measured Boot enabled.
> 
> Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> ---
> Changes in V2:
> - Move OP-TEE dependencies into the common group.
> - Fetch MbedTLS/TF-A and build bl1/fip in dockerfile instead of
>   post-buildman script.
> - Remove Trust Boot related build options.
> Changes in V3:
> - Clean-up of OP-TEE deps.
> Changes in V4:
> - Minimize OP-TEE build options.
> 
>  tools/docker/Dockerfile | 38 ++++++++++++++++++++++++++++++++++++--
>  1 file changed, 36 insertions(+), 2 deletions(-)
> 
> diff --git a/tools/docker/Dockerfile b/tools/docker/Dockerfile
> index 5b4c75f8400..73c1589e260 100644
> --- a/tools/docker/Dockerfile
> +++ b/tools/docker/Dockerfile
> @@ -122,8 +122,10 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
>  	python-is-python3 \
>  	python2.7 \
>  	python3 \
> +	python3-cryptography \
>  	python3-dev \
>  	python3-pip \
> +	python3-pyelftools \
>  	python3-sphinx \
>  	python3-tomli \
>  	python3-venv \
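Review bot: python3-cryptography and python3-pyelftools are added to the shared apt list, but nothing that survives in the tree says what needs them. Only the V2 changelog mentions "OP-TEE dependencies", and that text sits below the "---" line, so it is dropped when the patch is applied. Please name the two packages and the reason (OP-TEE build) in the commit message body, so a later dependency cleanup does not remove them.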
> @@ -227,10 +229,24 @@ RUN git clone https://gitlab.com/qemu-project/qemu.git /tmp/qemu && \
>  	make -j$(nproc) all install && \
>  	rm -rf /tmp/qemu
>  
> -# Build fiptool
> +# Build OP-TEE for qemu_arm64
> +RUN git clone https://github.com/OP-TEE/optee_os.git /tmp/optee_os && \
> +	cd /tmp/optee_os/ && \

I would recommend:

git clone -b 4.7.0 --depth=1 https://github.com/OP-TEE/optee_os.git /tmp/optee_os

...which will directly obtain the proper tag (-b 4.7.0), and minimize the amount
of cloned data (--depth=1 i.e., no full history, just the last commit).

With or without this change:

Acked-by: Jerome Forissier <jerome.forissier at linaro.org>

Thanks,
-- 
Jerome

> +	git checkout 4.7.0 && \
> +	make CROSS_COMPILE32=/opt/gcc-${TCVER}-nolibc/arm-linux-gnueabi/bin/arm-linux-gnueabi- \
> +		CROSS_COMPILE64=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
> +		CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y \
> +		PLATFORM=vexpress-qemu_armv8a CFG_RPMB_FS=y \
> +		CFG_RPMB_WRITE_KEY=y CFG_RPMB_TESTKEY=y \
> +		CFG_CORE_HEAP_SIZE=524288 \
> +		CFG_REE_FS=n CFG_CORE_ARM64_PA_BITS=48  \
> +		CFG_TEE_CORE_LOG_LEVEL=2
> +
> +# Build fiptool, bl1 and fip for fvp and qemu_arm64
> +RUN git clone --branch mbedtls-3.6 https://github.com/ARMmbed/mbedtls.git /tmp/mbedtls
>  RUN git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git /tmp/tf-a && \
>  	cd /tmp/tf-a/ && \
> -	git checkout v2.12.0 && \
> +	git checkout v2.13.0 && \
>  	make CROSS_COMPILE=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
>  		PLAT=fvp BL33=/dev/null -j$(nproc) all fip && \
>  	mkdir -p /usr/local/bin /opt/tf-a/vexpress_fvp && \
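Review bot: the MbedTLS clone ("git clone --branch mbedtls-3.6 ...") is pinned less tightly than the other two components. OP-TEE is checked out at 4.7.0 and TF-A at v2.13.0, whereas mbedtls-3.6 reads as a branch name, so each image rebuild can pick up different crypto code for the measured-boot build. Suggest pinning MbedTLS to a specific release tag or commit, and adding --depth=1 here as well. Separately, the OP-TEE make line sets CFG_RPMB_WRITE_KEY=y and CFG_RPMB_TESTKEY=y; a one-line comment above the RUN saying these binaries are for CI testing only would stop the option set from being copied into a real build.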
> @@ -243,6 +259,24 @@ RUN git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git /tmp/t
>  	mkdir -p /opt/tf-a/vexpress_fvp_bloblist && \
>  	cp build/fvp/release/fip.bin build/fvp/release/bl1.bin \
>  		/opt/tf-a/vexpress_fvp_bloblist/ && \
> +	make CROSS_COMPILE=/opt/gcc-${TCVER}-nolibc/aarch64-linux/bin/aarch64-linux- \
> +		PLAT=qemu \
> +		BL33=/dev/null \
> +		BL32=/tmp/optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin \
> +		BL32_EXTRA1=/tmp/optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin \
> +		BL32_EXTRA2=/tmp/optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin \
> +		BL32_RAM_LOCATION=tdram SPD=opteed \
> +		TRANSFER_LIST=1 E=0 \
> +		MEASURED_BOOT=1 \
> +		EVENT_LOG_LEVEL=10 \
> +		MBOOT_EL_HASH_ALG=sha256 \
> +		MBEDTLS_DIR=/tmp/mbedtls \
> +		-j$(nproc) all fip && \
> +	mkdir -p /opt/tf-a/qemu_arm64_fw_handoff_tfa_optee && \
> +	cp build/qemu/release/fip.bin build/qemu/release/bl1.bin \
> +		/opt/tf-a/qemu_arm64_fw_handoff_tfa_optee/ && \
> +	rm -rf /tmp/optee_os && \
> +	rm -rf /tmp/mbedtls && \
>  	rm -rf /tmp/tf-a
>  
>  # Download the Arm Architecture FVP platform. This file is double compressed.
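Review bot: the new "rm -rf /tmp/optee_os" and "rm -rf /tmp/mbedtls" at the end of the TF-A RUN do not shrink the image. Both trees were created by earlier, separate RUN instructions ("RUN git clone ... /tmp/optee_os" and "RUN git clone --branch mbedtls-3.6 ..."), so the full sources and the OP-TEE build output stay in those layers. Either do the OP-TEE and MbedTLS clones inside the same RUN that builds the qemu fip and removes them, or keep them separate and drop the two rm lines so the intent is not misleading. It would also help to state in a comment that the fip.bin and bl1.bin copied to /opt/tf-a/qemu_arm64_fw_handoff_tfa_optee/ are built with BL33=/dev/null, matching the fvp build above, so readers know BL33 is expected to be supplied at test time.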
    
    