[PATCH v2] doc: emulation: qemu-arm: add secure state steps

Johannes Krottmayer krotti83 at proton.me
Mon Apr 20 13:29:51 CEST 2026 

Add build steps for building U-Boot in secure state with
TF-A and OP-TEE. It includes the full steps for building
OP-TEE and TF-A to use with U-Boot. Also a short description
how to invoke QEMU with enabled EL3 and EL2. EL3 (machine
option secure=on) is required to run TF-A.

Signed-off-by: Johannes Krottmayer <krotti83 at proton.me>
Cc: Tom Rini <trini at konsulko.com>
Cc: Tuomas Tynkkynen <tuomas.tynkkynen at iki.fi>
---

Changes PATCH v2:
- Fix typo (OT-TEE -> OP-TEE)
- Fix grammatic and correct spellings
- Fix line warp and formatting
- Add 'git checkout' for the specific (tested) version in the used build commands
- Change misleading filename 'flash.bin' to 'qemu_fw.bios'


 doc/board/emulation/qemu-arm.rst | 88 ++++++++++++++++++++++++++++++--
 1 file changed, 84 insertions(+), 4 deletions(-)

diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst
index 1c91c7f3ac6..9e993ca9783 100644
--- a/doc/board/emulation/qemu-arm.rst
+++ b/doc/board
/emulation/qemu-arm.rst
@@ -24,8 +24,78 @@ Additionally, a number of optional peripherals can be added to the PCI bus.
 See :doc:`../../develop/devicetree/dt_qemu` for information on how to see
 the devicetree actually generated by QEMU.
 
-Building U-Boot
----------------
+Building (secure)
+-----------------
+
+U-Boot
+^^^^^^
+
+- For AArch64::
+
+    make qemu_arm64_defconfig
+    make
+
+On successful build 'u-boot.bin' should be created. It's necessary in the following
+steps (building TF-A).
+
+OP-TEE
+^^^^^^
+
+- For AArch64::
+
+    git clone https://github.com/OP-TEE/optee_os.git
+    cd optee_os
+    git checkout 4.9.0
+    export CROSS_COMPILE64=aarch64-none-elf-
+    export CROSS_COMPILE32=arm-none-eabi-
+    make PLATFORM=vexpress-qemu_armv8a CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y
+
+At least OP-TEE v4.9.0 for AArch64 needs both compiler (64-Bit and 32-Bit edition) for
+a successful build. On a successful build following files should 
be created under the
+directory 'out/arm-plat-vexpress/core' from OP-TEE::
+
+    optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin
+    optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin
+    optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin
+
+TF-A
+^^^^
+
+- For AArch64::
+
+    git clone https://github.com/ARM-software/arm-trusted-firmware.git
+    cd arm-trusted-firmware
+    git submodule update --init
+    git checkout v2.14.0
+    export CROSS_COMPILE=aarch64-none-elf-
+    export BL32=path/to/tee-header_v2.bin
+    export BL32_EXTRA1=path/to/tee-pager_v2.bin
+    export BL32_EXTRA2=path/to/tee-pageable_v2.bin
+    export BL33=path/to/u-boot.bin
+    make PLAT=qemu BL32_RAM_LOCATION=tdram SPD=opteed TRANSFER_LIST=1 all fip
+
+On successful build the following files should be created under the directory
+'build/qemu/release' from TF-A::
+
+    arm-trusted-firmware/build/qemu/release/bl1.bin
+    arm-trusted-firmware/build/qemu/release/fip.b
in
+
+The following file is at least created with TF-A v2.14.0 and can be directly passed
+with the '-bios' option to QEMU::
+
+    arm-trusted-firmware/build/qemu/release/qemu_fw.bios
+
+If the single file ('qemu_fw.bios') doesn't exist, 'bl1.bin' and 'fip.bin' can be
+concatenated with the command 'dd' alternatively::
+
+    dd if=bl1.bin of=qemu_fw.bios bs=4096 conv=notrunc
+    dd if=fip.bin of=qemu_fw.bios seek=64 bs=4096 conv=notrunc
+
+Building (non-secure)
+---------------------
+
+U-Boot
+^^^^^^
 Set the CROSS_COMPILE environment variable as usual, and run:
 
 - For ARM::
@@ -38,8 +108,18 @@ Set the CROSS_COMPILE environment variable as usual, and run:
     make qemu_arm64_defconfig
     make
 
-Running U-Boot
---------------
+Running U-Boot (secure)
+-----------------------
+
+- For AArch64::
+
+    qemu-system-aarch64 -machine virt,secure=on,virtualization=on \
+    -nographic -cpu cortex-a57 -bios qemu_fw.bios
+
+For additional QEMU comman
d description see running U-Boot in non-secure state.
+
+Running U-Boot (non-secure)
+---------------------------
 The minimal QEMU command line to get U-Boot up and running is:
 
 - For ARM::
-- 
2.47.3

-------------- next part --------------
A non-text attachment was scrubbed...
Name: publickey - krotti83 at proton.me - 0x1A5D6E0E.asc
Type: application/pgp-keys
Size: 888 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260420/1fb541c2/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 322 bytes
Desc: OpenPGP digital signature
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260420/1fb541c2/attachment.sig>

More information about the U-Boot mailing list