[PATCH v2] doc: emulation: qemu-arm: add secure state steps
Heinrich Schuchardt
xypron.glpk at gmx.de
Mon Apr 20 19:41:24 CEST 2026
On 4/20/26 13:29, Johannes Krottmayer wrote:
> Add build steps for building U-Boot in secure state with
> TF-A and OP-TEE. It includes the full steps for building
> OP-TEE and TF-A to use with U-Boot. Also a short description
> how to invoke QEMU with enabled EL3 and EL2. EL3 (machine
> option secure=on) is required to run TF-A.
>
> Signed-off-by: Johannes Krottmayer <krotti83 at proton.me>
> Cc: Tom Rini <trini at konsulko.com>
> Cc: Tuomas Tynkkynen <tuomas.tynkkynen at iki.fi>
> ---
>
> Changes PATCH v2:
> - Fix typo (OT-TEE -> OP-TEE)
> - Fix grammar and correct spellings
> - Fix line wrap and formatting
> - Add 'git checkout' for the specific (tested) version in the used build commands
> - Change misleading filename 'flash.bin' to 'qemu_fw.bios'
>
>
> doc/board/emulation/qemu-arm.rst | 88 ++++++++++++++++++++++++++++++--
> 1 file changed, 84 insertions(+), 4 deletions(-)
>
> diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst
> index 1c91c7f3ac6..9e993ca9783 100644
> --- a/doc/board/emulation/qemu-arm.rst
> +++ b/doc/board
> /emulation/qemu-arm.rst
> @@ -24,8 +24,78 @@ Additionally, a number of optional peripherals can be added to the PCI bus.
> See :doc:`../../develop/devicetree/dt_qemu` for information on how to see
> the devicetree actually generated by QEMU.
>
> -Building U-Boot
> ----------------
> +Building (secure)
> +-----------------
> +
> +U-Boot
> +^^^^^^
> +
> +- For AArch64::
> +
> + make qemu_arm64_defconfig
> + make
> +
> +On successful build 'u-boot.bin' should be created. It's necessary in the following
> +steps (building TF-A).
> +
> +OP-TEE
> +^^^^^^
> +
> +- For AArch64::
> +
> + git clone https://github.com/OP-TEE/optee_os.git
> + cd optee_os
> + git checkout 4.9.0
> + export CROSS_COMPILE64=aarch64-none-elf-
> + export CROSS_COMPILE32=arm-none-eabi-
> + make PLATFORM=vexpress-qemu_armv8a CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y
> +
> +At least OP-TEE v4.9.0 for AArch64 needs both compiler (64-Bit and 32-Bit edition) for
> +a successful build. On a successful build following files should
> be created under the
> +directory 'out/arm-plat-vexpress/core' from OP-TEE::
> +
> + optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin
> + optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin
> + optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin
> +
> +TF-A
> +^^^^
> +
> +- For AArch64::
> +
> + git clone https://github.com/ARM-software/arm-trusted-firmware.git
> + cd arm-trusted-firmware
> + git submodule update --init
> + git checkout v2.14.0
> + export CROSS_COMPILE=aarch64-none-elf-
> + export BL32=path/to/tee-header_v2.bin
> + export BL32_EXTRA1=path/to/tee-pager_v2.bin
> + export BL32_EXTRA2=path/to/tee-pageable_v2.bin
> + export BL33=path/to/u-boot.bin
> + make PLAT=qemu BL32_RAM_LOCATION=tdram SPD=opteed TRANSFER_LIST=1 all fip
> +
> +On successful build the following files should be created under the directory
> +'build/qemu/release' from TF-A::
> +
> + arm-trusted-firmware/build/qemu/release/bl1.bin
> + arm-trusted-firmware/build/qemu/release/fip.b
> in
> +
> +The following file is at least created with TF-A v2.14.0 and can be directly passed
> +with the '-bios' option to QEMU::
> +
> + arm-trusted-firmware/build/qemu/release/qemu_fw.bios
> +
> +If the single file ('qemu_fw.bios') doesn't exist, 'bl1.bin' and 'fip.bin' can be
> +concatenated with the command 'dd' alternatively::
> +
> + dd if=bl1.bin of=qemu_fw.bios bs=4096 conv=notrunc
> + dd if=fip.bin of=qemu_fw.bios seek=64 bs=4096 conv=notrunc
> +
> +Building (non-secure)
> +---------------------
> +
> +U-Boot
> +^^^^^^
> Set the CROSS_COMPILE environment variable as usual, and run:
>
> - For ARM::
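Review bot: In the TF-A steps, `git submodule update --init` runs before `git checkout v2.14.0`, so the submodules are initialised for whatever revision the fresh clone has checked out rather than for the tagged release the changelog calls tested. Run the checkout first and the submodule update second so the submodule revisions match v2.14.0. Separately, the `dd` fallback writes fip.bin at `seek=64` with `bs=4096`, which is 256 KiB into qemu_fw.bios, and the text does not say what that offset corresponds to; one sentence on it would keep readers from changing the value. The `path/to/` placeholders exported for BL32, BL32_EXTRA1, BL32_EXTRA2 and BL33 could also name the `optee_os/out/arm-plat-vexpress/core/` files and the `u-boot.bin` listed earlier in the same hunk, so the mapping between each variable and each build output is explicit.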
> @@ -38,8 +108,18 @@ Set the CROSS_COMPILE environment variable as usual, and run:
> make qemu_arm64_defconfig
> make
>
> -Running U-Boot
> ---------------
> +Running U-Boot (secure)
> +-----------------------
> +
> +- For AArch64::
> +
> + qemu-system-aarch64 -machine virt,secure=on,virtualization=on \
> + -nographic -cpu cortex-a57 -bios qemu_fw.bios
> +
> +For additional QEMU comman
> d description see running U-Boot in non-secure state.
This is not a valid patch:
b4 shazam
https://lore.kernel.org/u-boot/20260420112815.1448132-1-krotti83@proton.me/T/#u
Applying: doc: emulation: qemu-arm: add secure state steps
Patch failed at 0001 doc: emulation: qemu-arm: add secure state steps
error: patch with only garbage at line 17
Best regards
Heinrich
> +
> +Running U-Boot (non-secure)
> +---------------------------
> The minimal QEMU command line to get U-Boot up and running is:
>
> - For ARM::
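Review bot: The new "Running U-Boot (secure)" block passes `-machine virt,secure=on,virtualization=on` without saying what either option does; the commit message explains that secure=on enables EL3 and is required to run TF-A, but that explanation never reaches the document. Add a sentence under the command stating that secure=on enables EL3 (needed for TF-A) and that virtualization=on enables EL2. The command also uses a bare `-bios qemu_fw.bios`, while the build section creates that file under arm-trusted-firmware/build/qemu/release/, so either give the path or say which directory to run from. The closing sentence that points to the non-secure section would work better as an RST cross-reference to the "Running U-Boot (non-secure)" heading.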