[PATCH v2] doc: emulation: qemu-arm: add secure state steps
Johannes Krottmayer
krotti83 at proton.me
Mon Apr 20 20:20:10 CEST 2026
Hi Heinrich!
I'm really sorry about that. It seems I have some trouble
with my mail provider or the software (Proton Mail Bridge).
Will definitely try to fix the issues.
I have tested the raw patch file with success on a local branch.
Haven't got any errors.
I know it might not be ideal, but I attach the raw patch,
and it might violate the contributing guidelines.
Would be nice if you can test the patch file and report if
there are still errors please.
Thanks in advance!
On 4/20/26 7:41 PM, Heinrich Schuchardt wrote:
> On 4/20/26 13:29, Johannes Krottmayer wrote:
>> Add build steps for building U-Boot in secure state with
>> TF-A and OP-TEE. It includes the full steps for building
>> OP-TEE and TF-A to use with U-Boot. Also a short description
>> how to invoke QEMU with enabled EL3 and EL2. EL3 (machine
>> option secure=on) is required to run TF-A.
>>
>> Signed-off-by: Johannes Krottmayer <krotti83 at proton.me>
>> Cc: Tom Rini <trini at konsulko.com>
>> Cc: Tuomas Tynkkynen <tuomas.tynkkynen at iki.fi>
>> ---
>>
>> Changes PATCH v2:
>> - Fix typo (OT-TEE -> OP-TEE)
>> - Fix grammar and correct spelling
>> - Fix line wrap and formatting
>> - Add 'git checkout' for the specific (tested) version in the used build commands
>> - Change misleading filename 'flash.bin' to 'qemu_fw.bios'
>>
>>
>> doc/board/emulation/qemu-arm.rst | 88 ++++++++++++++++++++++++++++++--
>> 1 file changed, 84 insertions(+), 4 deletions(-)
>>
>> diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst
>> index 1c91c7f3ac6..9e993ca9783 100644
>> --- a/doc/board/emulation/qemu-arm.rst
>> +++ b/doc/board
>> /emulation/qemu-arm.rst
>> @@ -24,8 +24,78 @@ Additionally, a number of optional peripherals can be added to the PCI bus.
>> See :doc:`../../develop/devicetree/dt_qemu` for information on how to see
>> the devicetree actually generated by QEMU.
>>
>> -Building U-Boot
>> ----------------
>> +Building (secure)
>>
+-----------------
>> +
>> +U-Boot
>> +^^^^^^
>> +
>> +- For AArch64::
>> +
>> + make qemu_arm64_defconfig
>> + make
>> +
>> +On successful build 'u-boot.bin' should be created. It's necessary in the following
>> +steps (building TF-A).
>> +
>> +OP-TEE
>> +^^^^^^
>> +
>> +- For AArch64::
>> +
>> + git clone https://github.com/OP-TEE/optee_os.git
>> + cd optee_os
>> + git checkout 4.9.0
>> + export CROSS_COMPILE64=aarch64-none-elf-
>> + export CROSS_COMPILE32=arm-none-eabi-
>> + make PLATFORM=vexpress-qemu_armv8a CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y
>> +
>> +At least OP-TEE v4.9.0 for AArch64 needs both compiler (64-Bit and 32-Bit edition) for
>> +a successful build. On a successful build following files should
>> be created under the
>> +directory 'out/arm-plat-vexpress/core' from OP-TEE::
>> +
>> + optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin
>> + optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin
>> +
optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin
>> +
>> +TF-A
>> +^^^^
>> +
>> +- For AArch64::
>> +
>> + git clone https://github.com/ARM-software/arm-trusted-firmware.git
>> + cd arm-trusted-firmware
>> + git submodule update --init
>> + git checkout v2.14.0
>> + export CROSS_COMPILE=aarch64-none-elf-
>> + export BL32=path/to/tee-header_v2.bin
>> + export BL32_EXTRA1=path/to/tee-pager_v2.bin
>> + export BL32_EXTRA2=path/to/tee-pageable_v2.bin
>> + export BL33=path/to/u-boot.bin
>> + make PLAT=qemu BL32_RAM_LOCATION=tdram SPD=opteed TRANSFER_LIST=1 all fip
>> +
>> +On successful build the following files should be created under the directory
>> +'build/qemu/release' from TF-A::
>> +
>> + arm-trusted-firmware/build/qemu/release/bl1.bin
>> + arm-trusted-firmware/build/qemu/release/fip.b
>> in
>> +
>> +The following file is at least created with TF-A v2.14.0 and can be directly passed
>> +with the '-bios' option to QE
MU::
>> +
>> + arm-trusted-firmware/build/qemu/release/qemu_fw.bios
>> +
>> +If the single file ('qemu_fw.bios') doesn't exist, 'bl1.bin' and 'fip.bin' can be
>> +concatenated with the command 'dd' alternatively::
>> +
>> + dd if=bl1.bin of=qemu_fw.bios bs=4096 conv=notrunc
>> + dd if=fip.bin of=qemu_fw.bios seek=64 bs=4096 conv=notrunc
>> +
>> +Building (non-secure)
>> +---------------------
>> +
>> +U-Boot
>> +^^^^^^
>> Set the CROSS_COMPILE environment variable as usual, and run:
>>
>> - For ARM::
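Review bot: In the TF-A build steps, 'git submodule update --init' runs before 'git checkout v2.14.0', so the submodules are initialised for whatever the default branch records and not for the tested tag; move the checkout ahead of the submodule update. The secure U-Boot step also runs 'make qemu_arm64_defconfig' without mentioning CROSS_COMPILE, while the non-secure section that follows opens with "Set the CROSS_COMPILE environment variable as usual", so the same sentence should precede the secure build. For the 'dd' fallback, a short remark that 'seek=64' with 'bs=4096' places fip.bin at offset 256 KiB would tell the reader why those numbers are used.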
>> @@ -38,8 +108,18 @@ Set the CROSS_COMPILE environment variable as usual, and run:
>> make qemu_arm64_defconfig
>> make
>>
>> -Running U-Boot
>> ---------------
>> +Running U-Boot (secure)
>> +-----------------------
>> +
>> +- For AArch64::
>> +
>> + qemu-system-aarch64 -machine virt,secure=on,virtualization=on \
>> + -nographic -cpu cortex-a57 -bios qemu_fw.bios
>> +
>> +For additional QEMU comman
>> d description see runn
ing U-Boot in non-secure state.
>
> This is not a valid patch:
>
> b4 shazam
> https://lore.kernel.org/u-boot/20260420112815.1448132-1-krotti83@proton.me/T/#u
>
> Applying: doc: emulation: qemu-arm: add secure state steps
> Patch failed at 0001 doc: emulation: qemu-arm: add secure state steps
> error: patch with only garbage at line 17
>
> Best regards
>
> Heinrich
>
>> +
>> +Running U-Boot (non-secure)
>> +---------------------------
>> The minimal QEMU command line to get U-Boot up and running is:
>>
>> - For ARM::
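Review bot: The secure run section gives '-machine virt,secure=on,virtualization=on' without saying what the two options do; the commit message states that secure=on enables EL3 and that EL3 is required to run TF-A, and that explanation (plus EL2 for virtualization=on) should appear next to the command. '-bios qemu_fw.bios' is a bare filename although the build section creates the file under arm-trusted-firmware/build/qemu/release/, so say where the command is expected to run or use the full path. The closing sentence pointing to the non-secure section would be more robust as an RST cross-reference than as plain text.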
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-doc-emulation-qemu-arm-add-secure-state-steps.patch
Type: text/x-patch
Size: 4310 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260420/10522401/attachment.bin>