From 559a5c03549855e09c9362284088d4944e75a7d8 Mon Sep 17 00:00:00 2001 From: Johannes Krottmayer Date: Mon, 20 Apr 2026 12:08:07 +0200 Subject: [PATCH v2] doc: emulation: qemu-arm: add secure state steps Add build steps for building U-Boot in secure state with TF-A and OP-TEE. It includes the full steps for building OP-TEE and TF-A to use with U-Boot. Also a short description how to invoke QEMU with enabled EL3 and EL2. EL3 (machine option secure=on) is required to run TF-A. Signed-off-by: Johannes Krottmayer Cc: Tom Rini Cc: Tuomas Tynkkynen --- Changes PATCH v2: - Fix typo (OT-TEE -> OP-TEE) - Fix grammatic and correct spellings - Fix line warp and formatting - Add 'git checkout' for the specific (tested) version in the used build commands - Change misleading filename 'flash.bin' to 'qemu_fw.bios' doc/board/emulation/qemu-arm.rst | 88 ++++++++++++++++++++++++++++++-- 1 file changed, 84 insertions(+), 4 deletions(-) diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst index 1c91c7f3ac6..9e993ca9783 100644 --- a/doc/board/emulation/qemu-arm.rst +++ b/doc/board/emulation/qemu-arm.rst @@ -24,8 +24,78 @@ Additionally, a number of optional peripherals can be added to the PCI bus. See :doc:`../../develop/devicetree/dt_qemu` for information on how to see the devicetree actually generated by QEMU. -Building U-Boot ---------------- +Building (secure) +----------------- + +U-Boot +^^^^^^ + +- For AArch64:: + + make qemu_arm64_defconfig + make + +On successful build 'u-boot.bin' should be created. It's necessary in the following +steps (building TF-A). + +OP-TEE +^^^^^^ + +- For AArch64:: + + git clone https://github.com/OP-TEE/optee_os.git + cd optee_os + git checkout 4.9.0 + export CROSS_COMPILE64=aarch64-none-elf- + export CROSS_COMPILE32=arm-none-eabi- + make PLATFORM=vexpress-qemu_armv8a CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y + +At least OP-TEE v4.9.0 for AArch64 needs both compiler (64-Bit and 32-Bit edition) for +a successful build. On a successful build following files should be created under the +directory 'out/arm-plat-vexpress/core' from OP-TEE:: + + optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin + optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin + optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin + +TF-A +^^^^ + +- For AArch64:: + + git clone https://github.com/ARM-software/arm-trusted-firmware.git + cd arm-trusted-firmware + git submodule update --init + git checkout v2.14.0 + export CROSS_COMPILE=aarch64-none-elf- + export BL32=path/to/tee-header_v2.bin + export BL32_EXTRA1=path/to/tee-pager_v2.bin + export BL32_EXTRA2=path/to/tee-pageable_v2.bin + export BL33=path/to/u-boot.bin + make PLAT=qemu BL32_RAM_LOCATION=tdram SPD=opteed TRANSFER_LIST=1 all fip + +On successful build the following files should be created under the directory +'build/qemu/release' from TF-A:: + + arm-trusted-firmware/build/qemu/release/bl1.bin + arm-trusted-firmware/build/qemu/release/fip.bin + +The following file is at least created with TF-A v2.14.0 and can be directly passed +with the '-bios' option to QEMU:: + + arm-trusted-firmware/build/qemu/release/qemu_fw.bios + +If the single file ('qemu_fw.bios') doesn't exist, 'bl1.bin' and 'fip.bin' can be +concatenated with the command 'dd' alternatively:: + + dd if=bl1.bin of=qemu_fw.bios bs=4096 conv=notrunc + dd if=fip.bin of=qemu_fw.bios seek=64 bs=4096 conv=notrunc + +Building (non-secure) +--------------------- + +U-Boot +^^^^^^ Set the CROSS_COMPILE environment variable as usual, and run: - For ARM:: @@ -38,8 +108,18 @@ Set the CROSS_COMPILE environment variable as usual, and run: make qemu_arm64_defconfig make -Running U-Boot --------------- +Running U-Boot (secure) +----------------------- + +- For AArch64:: + + qemu-system-aarch64 -machine virt,secure=on,virtualization=on \ + -nographic -cpu cortex-a57 -bios qemu_fw.bios + +For additional QEMU command description see running U-Boot in non-secure state. + +Running U-Boot (non-secure) +--------------------------- The minimal QEMU command line to get U-Boot up and running is: - For ARM:: -- 2.47.3