[{"id":3679500,"web_url":"http://patchwork.ozlabs.org/comment/3679500/","msgid":"","list_archive_url":null,"date":"2026-04-20T17:41:24","subject":"Re: [PATCH v2] doc: emulation: qemu-arm: add secure state steps","submitter":{"id":61270,"url":"http://patchwork.ozlabs.org/api/people/61270/","name":"Heinrich Schuchardt","email":"xypron.glpk@gmx.de"},"content":"On 4/20/26 13:29, Johannes Krottmayer wrote:\n> Add build steps for building U-Boot in secure state with\n> TF-A and OP-TEE. It includes the full steps for building\n> OP-TEE and TF-A to use with U-Boot. Also a short description\n> how to invoke QEMU with enabled EL3 and EL2. EL3 (machine\n> option secure=on) is required to run TF-A.\n> \n> Signed-off-by: Johannes Krottmayer \n> Cc: Tom Rini \n> Cc: Tuomas Tynkkynen \n> ---\n> \n> Changes PATCH v2:\n> - Fix typo (OT-TEE -> OP-TEE)\n> - Fix grammatic and correct spellings\n> - Fix line warp and formatting\n> - Add 'git checkout' for the specific (tested) version in the used build commands\n> - Change misleading filename 'flash.bin' to 'qemu_fw.bios'\n> \n> \n> doc/board/emulation/qemu-arm.rst | 88 ++++++++++++++++++++++++++++++--\n> 1 file changed, 84 insertions(+), 4 deletions(-)\n> \n> diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst\n> index 1c91c7f3ac6..9e993ca9783 100644\n> --- a/doc/board/emulation/qemu-arm.rst\n> +++ b/doc/board\n> /emulation/qemu-arm.rst\n> @@ -24,8 +24,78 @@ Additionally, a number of optional peripherals can be added to the PCI bus.\n> See :doc:`../../develop/devicetree/dt_qemu` for information on how to see\n> the devicetree actually generated by QEMU.\n> \n> -Building U-Boot\n> ----------------\n> +Building (secure)\n> +-----------------\n> +\n> +U-Boot\n> +^^^^^^\n> +\n> +- For AArch64::\n> +\n> + make qemu_arm64_defconfig\n> + make\n> +\n> +On successful build 'u-boot.bin' should be created. It's necessary in the following\n> +steps (building TF-A).\n> +\n> +OP-TEE\n> +^^^^^^\n> +\n> +- For AArch64::\n> +\n> + git clone https://github.com/OP-TEE/optee_os.git\n> + cd optee_os\n> + git checkout 4.9.0\n> + export CROSS_COMPILE64=aarch64-none-elf-\n> + export CROSS_COMPILE32=arm-none-eabi-\n> + make PLATFORM=vexpress-qemu_armv8a CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y\n> +\n> +At least OP-TEE v4.9.0 for AArch64 needs both compiler (64-Bit and 32-Bit edition) for\n> +a successful build. On a successful build following files should\n> be created under the\n> +directory 'out/arm-plat-vexpress/core' from OP-TEE::\n> +\n> + optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin\n> + optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin\n> + optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin\n> +\n> +TF-A\n> +^^^^\n> +\n> +- For AArch64::\n> +\n> + git clone https://github.com/ARM-software/arm-trusted-firmware.git\n> + cd arm-trusted-firmware\n> + git submodule update --init\n> + git checkout v2.14.0\n> + export CROSS_COMPILE=aarch64-none-elf-\n> + export BL32=path/to/tee-header_v2.bin\n> + export BL32_EXTRA1=path/to/tee-pager_v2.bin\n> + export BL32_EXTRA2=path/to/tee-pageable_v2.bin\n> + export BL33=path/to/u-boot.bin\n> + make PLAT=qemu BL32_RAM_LOCATION=tdram SPD=opteed TRANSFER_LIST=1 all fip\n> +\n> +On successful build the following files should be created under the directory\n> +'build/qemu/release' from TF-A::\n> +\n> + arm-trusted-firmware/build/qemu/release/bl1.bin\n> + arm-trusted-firmware/build/qemu/release/fip.b\n> in\n> +\n> +The following file is at least created with TF-A v2.14.0 and can be directly passed\n> +with the '-bios' option to QEMU::\n> +\n> + arm-trusted-firmware/build/qemu/release/qemu_fw.bios\n> +\n> +If the single file ('qemu_fw.bios') doesn't exist, 'bl1.bin' and 'fip.bin' can be\n> +concatenated with the command 'dd' alternatively::\n> +\n> + dd if=bl1.bin of=qemu_fw.bios bs=4096 conv=notrunc\n> + dd if=fip.bin of=qemu_fw.bios seek=64 bs=4096 conv=notrunc\n> +\n> +Building (non-secure)\n> +---------------------\n> +\n> +U-Boot\n> +^^^^^^\n> Set the CROSS_COMPILE environment variable as usual, and run:\n> \n> - For ARM::\n> @@ -38,8 +108,18 @@ Set the CROSS_COMPILE environment variable as usual, and run:\n> make qemu_arm64_defconfig\n> make\n> \n> -Running U-Boot\n> ---------------\n> +Running U-Boot (secure)\n> +-----------------------\n> +\n> +- For AArch64::\n> +\n> + qemu-system-aarch64 -machine virt,secure=on,virtualization=on \\\n> + -nographic -cpu cortex-a57 -bios qemu_fw.bios\n> +\n> +For additional QEMU comman\n> d description see running U-Boot in non-secure state.\n\nThis is not a valid patch:\n\nb4 shazam \nhttps://lore.kernel.org/u-boot/20260420112815.1448132-1-krotti83@proton.me/T/#u\n\nApplying: doc: emulation: qemu-arm: add secure state steps\nPatch failed at 0001 doc: emulation: qemu-arm: add secure state steps\nerror: patch with only garbage at line 17\n\nBest regards\n\nHeinrich\n\n> +\n> +Running U-Boot (non-secure)\n> +---------------------------\n> The minimal QEMU command line to get U-Boot up and running is:\n> \n> - For ARM::","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=gmx.de header.i=xypron.glpk@gmx.de header.a=rsa-sha256\n header.s=s31663417 header.b=eIT1H2SD;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=gmx.de","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n secure) header.d=gmx.de header.i=xypron.glpk@gmx.de header.b=\"eIT1H2SD\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=gmx.de","phobos.denx.de;\n spf=pass smtp.mailfrom=xypron.glpk@gmx.de"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzt8W5x4hz1yD4\n\tfor ; Tue, 21 Apr 2026 03:41:47 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id C41F484310;\n\tMon, 20 Apr 2026 19:41:39 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id BE7EE84315; Mon, 20 Apr 2026 19:41:38 +0200 (CEST)","from mout.gmx.net (mout.gmx.net [212.227.17.22])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 47A548425F\n for ; Mon, 20 Apr 2026 19:41:36 +0200 (CEST)","from client.hidden.invalid by mail.gmx.net (mrgmx105\n [212.227.17.168]) with ESMTPSA (Nemesis) id 1MDhhX-1w4fUY4AH1-007wxN; Mon, 20\n Apr 2026 19:41:34 +0200"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.de;\n s=s31663417; t=1776706894; x=1777311694; i=xypron.glpk@gmx.de;\n bh=WjNwcsDBbwwW9k95B7X2n6ojYpbOAFvAjEiuoD1R8vU=;\n h=X-UI-Sender-Class:Message-ID:Date:MIME-Version:Subject:To:Cc:\n References:From:In-Reply-To:Content-Type:\n Content-Transfer-Encoding:cc:content-transfer-encoding:\n content-type:date:from:message-id:mime-version:reply-to:subject:\n to;\n b=eIT1H2SDiuh/+9CDa57EFdAQeW3i2sHRlNBv05Mk8C/QLl8J5dSkYAmEb46OzEij\n DxgH1BqGqYB5KD2Gg2875AlzoOR8OluPgtdVF/qVf8m/32r2JH8AC0fszy8eE5ciA\n WXMWlM3chG7Gphh3JZ2kWowQ8Ly8iNEDhUmAB+E2GBpl8gbtDYwhEzDaSv9FigAp+\n e7b8DE4GQco/R7x12048lMM8Nz+PGSDCXNGt3m2h49jzyeML7Plhov3KDqFGUysF4\n YXtpfil6tK7rPACzfMrgpu6WSjptt8c/w+fUZbXY6Vqum0oMczZJGXwYXLVbIhuoh\n Xx2ooJpKDFHTT+9CIg==","X-UI-Sender-Class":"724b4f7f-cbec-4199-ad4e-598c01a50d3a","Message-ID":"","Date":"Mon, 20 Apr 2026 19:41:24 +0200","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH v2] doc: emulation: qemu-arm: add secure state steps","To":"Johannes Krottmayer ","Cc":"trini@konsulko.com, tuomas.tynkkynen@iki.fi, u-boot@lists.denx.de,\n sjg@chromium.org","References":"\n <20260224170908.GZ3233182@bill-the-cat>\n <37429ec3-d174-44d3-b113-bf6ce6d71096@proton.me>\n <20260224193312.GB3233182@bill-the-cat>\n <02e49242-da72-4bcd-a428-f7e8c9aee742@proton.me>\n <20260225004838.GA1593142@bill-the-cat>\n <20260225020042.20823-1-krotti83@proton.me>\n <20260225020042.20823-2-krotti83@proton.me>\n \n <20260420112815.1448132-1-krotti83@proton.me>","Content-Language":"en-US","From":"Heinrich Schuchardt ","In-Reply-To":"<20260420112815.1448132-1-krotti83@proton.me>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"quoted-printable","X-Provags-ID":"V03:K1:m5uLlaKO7wwPzFMKcF7Du5qXQEfkcu4bCAapFb1FUA9+X5N8atz\n isiFgHCtJbTiE+nphnM2D6vrteoep6sFXwtNd4TgGyWh+bxUqox4mRMQFvSJhlpLX+17FM3\n bmzSVdKZjVkEWEf+Ks5pCMNGxNs6LalDSuIBFAFVXHL7HCCg8ISWI0lsiqVcXhxyesu8wqp\n 9+a1u3bY/FdGAMUSMf2Yw==","UI-OutboundReport":"notjunk:1;M01:P0:+yQ15sXwChY=;hemZx59IlaSsKWGpi2Quf6R0IEK\n P61mjmemTrit6+2EQoFLJdiOPi4JisuxS/SJATQezdBDU+2/m152gUCq188jts+KOdiTIBjqO\n YzjX6dv8OUKgpqzkjnRVSvOOm249NfoA2/gEbA/z9Neudrw0fuaNx3XnVrAKCKNZ4tLJA4zWH\n gHH2Vr18W60V5b8WhXkjNLDsdcl9bH0WPpoVc1vv8jOeTzW6o86i4gxrmMaR1/fFiDzQOQvpa\n cSuDWgjxl+IcotczS6KUevBntIcrJq3ZvhgIxv1noSI4rGTHIt5pN/JVmumb2GzFloJjoFWqz\n AQZV+bFrNJADCd3cIpI9kUSXvsOnt/s7LTwwGlkVQbcoSoDxNumesIIxNbhFnHFYX5tfXMWNg\n YIwrYkYjjU9jGoZx4/Xant6wc8LCHzNavWQAjKVZyDg8QRspXr/2JvSzJB34NEaB1NrnoMxhW\n nZvrqlqV5DftPRshiD60kn4/la3hLU8BXZ9JcdNr2jnOVF3CH8deRwl8Du7fdUBdJzhX7HQdQ\n Wwh9UNu/aHUVYiaoz7aGInfjdLdFwf2YciTnDYKuqofC+tGbVUG2eeKkZFuxFV0xoUadfUWIM\n 8lgfdfrkai+Qk2rqdR5U7ZdABFdFLvT057kpYlNpdEoPw3kbc63KjjV4x2vBRex6zpMzFVeCq\n EjGe6OmvVJuYUuJ8XPdpo3hvBftSguYcZBUknOf2UEezff/mLHrsmSsfS2WkAf7UGpBilk7LV\n vgepZ02+xr6SaiuCgryEYtmpQHnl/goyKpbqy9BTNZpKvuZfRJ5+V9DsytxCqeX08Om1+5Bc8\n SzMQSuCgmkdEOfpxAqo1JZ8HKufZJ7acf1PdsLSTDgEzkGV2SfV9Mj+UWjvBZiN/2hf42t52v\n LdKS+2kI9HnhPUslDKM85qBzubT7Qq8YfJnfia/ScmjNKPKAEKvzb2mO6l6m1VHYYcc7wgtie\n wQ2qiO9YV/5lsD/ZVdWEIdVYugkjPseEwe3InQAf4q/y2wz8zIOW/uyphAXqI2yfPgQItuKyx\n RR3uZxl1Jyhq4kxRmjTpFyCWUWZz/YeqmqRp2TMWWh9GHtCZzm0CiOyzlmMgBRsct7sqUHQhO\n jz0FrJsAgLh9XvaP0CCg1wFMhKw2XQeHFiRcEAnACEuQVXI1moAORTUwTmhIUgOMKkuBufUit\n hkDsQwzIElSng6t0NYZ3fd2H4Dn3he8eQb0Tl1/UcEBeVJcF+iFP/H8ZNbGzNokpuX1YGJux4\n a7tOJWHUK34bE27pw4Ew7UfmABVogCOnaGGei//tM1Hi68R+0Ysw4JdtW/CYkPI1qw1oywNRG\n GJ1EB25I/FLfjSsxmwDK7vf7CF152PwmIjCVn3mbVpR0oXUq3/4AxnFWJIm339hQxqc7FvmDC\n izF7IZ8p/i7whEomufN1IZKUb2vYrBFPy1zr+HE8vUFotq1kn9PXhjIEBXAzO0vF2sAmUeoFh\n NpwLmtGi8bhP6hcb2IzoFJ1037+5YfHieV36BC3LJkE6nwaKPCM2HD+XQ/uAkQeL8DKuUt7z/\n AhjmJUIk3wwmMGxCLtTrdDcHobK6wp1/Xha1cns6qVdxTk9nCLCH5B/KXEAcleSgQvkFCP3wV\n 58cqNBm1IKxjRdibidYaM60oj9tsoODpji9476nYZhp6gw3BmVB/L9TtVwpOnVskZ6DeqBwfl\n FvdYXCrganWqfMYVXocZ4JknB3JOx9RWavVUmUlmzBKjBGagKsk113We9YUzS3vu983OJ9Qr8\n JWa/MnF9BhLF8ZcsGtI4kbJMrYDAKuBvd0GpcTMuUqfab8M1UWjZi0O7w+qQo3kIwyAUt8rGa\n Mjz+smC25oy04f4E8YTDLBGmSLn0axgQe/bqw2UPzcGYQwdiM3T6Pa78tqfsEOC1rdPA9+jxO\n 9ImEtJfJmWbz5d+OQ4r1SSDCljYqaj7wkQcCXcN7M++4s3vcaLwahmK4gFQDHmKtK3PYSR8Ak\n JMF0YfOmB4qnEpgS6muuC5X9/JpU5zna/P/XYjJ7yp9wrW0IT32E22aBHMCJGf/mh4iSSNIaI\n et1bXvO/UqAiN+U1yEmWOr2HQoA+wzYf2cvwljBM18seT31QYzx2ybF8n/w/gcRlN99wFWj4V\n YHGeBm9kAxnisEZ1zbpk0I15tHnXNDir5wD6ViHxKhxfRGs0vz7uCxnopyFevpPsfOEw+ndSe\n 5dfPGrZnqRsd/9AMLV7Qprxw1A6FMijX/GVg5OE7cYDp17QI7DTVtKD8D1aWqczW0na/K97G0\n fpnWgG2+tFKQ8si84yOz+mlebgLTUD+JG4OvypbOylikeF39oVBVs6m31qa5AGMG0o1CnN2oO\n tWrWf5kF0AhH87v+dJiE0855Ime/STqEeMaLOYiXM+coMNNc/HuvRUWiZ6RC3yjyqP5+h5ytN\n b4b/VPLgfdOI8ew7nchRhDMKVeAnkDZSbivNuEJr8PBzl2nqVwebtZ0BBhqbJdMXiy27T/GGu\n cF5Sjt6xvGRkkpjDhW0fHFPoUGDGMquOoCGovrqevsZFgb007/slKFbzR1clcQhV/QiumHQGK\n uxl+cBXYjIxoxKPuSpmULhilbNiF6adP7hftpHijt/3zB+iRejXLYqMpRevy5NJ0NQpyHaTK2\n 3wpa5q05Qe3r1eDOWd2ZGbRGAcwxhf87RwT7/9YG+qsC6B++FDqPA4LvwqpYf4ymlM0pqtLLW\n OyKx2YDHgD5+BMuE0YUwpsFfOXeejZdafbzuSFRDx5ZjBGoHeg8AyaznHrmSF3CvjekAZXRvW\n CnvhP5GqaoMbwp9JBk1moAKk1S5xn7d0DfS3Qnfqqj3WXRLP07ka7Ab6Yn2HI6eDBNEvB1mfi\n 8X/zCssD9GImkH2aXSzoA37G59kLsluEV3ux0kepc4YAomeWZegL94vIKz29QPm4BIwILvsyZ\n mExLWO/G9ybb260qFt+YNQOSSvu8OZOyYyVmXx+hJhFVP9tZa3Wffed+nUUciStGcF6y6Rvaa\n 2RJQg9JgeEH4/8KB1nBxdcy6t9m1CeZA9hnDOie4lB9a9nr/nTu+nULj/mZjC9hLawYH7BceX\n D3kRGtNEb3USu+nDZbIxC3sJQ/Z5RXa+4zzikgvS7XUW/0PYeo8wInFT7gRgrYjM1/YvBni3x\n Tgy0DpfUmI0OFFJLBpLl3VwDUogodmPFLOAyv8x43Fc/1e04BNtWoG91R81mxY29RwleLFn6A\n hRbDWtSyJ3rwDOGecZinyzuZ4zz7I4GxZrAYybd5lkU6sX/BAB8wqRWWh2VAFOzmiRvZ2fXxo\n iYCApWfAVxjxn0NcB7P73l462O8XlsQR7hcQXpHrnJiWhZU8ki8lP31OMnWuVSM1dM6UCgH8B\n 0rLr3l4WRIbXcbSEstGrHoDnTbCeEjyW6ELxTP+APEiKLxkhVnRZYSOERaBPkj/5gEzpfkxam\n NhlTzc/cbQ1WJT8DdBvs1we7OgjHotGYfAZOlMlvhHYE2JFu+NvDb86NFF1k9tYWuUjngXfuU\n u8GDvqiAWl26zqSoWf6HbkAIuQOigLX1I47AUqe3hQwo3de0OLFagXQUMoOECwMfc+pR7euhj\n S3kcuVc9QVJSg3pEf8w28wbXZU3XNvmVSnMxAgRU0pEQWtIe9y1QmvbCkzljfIdQgMy4ctwdL\n /eeu1vH3vrik/bPBjv6Y+pXtSHGDCIpJVl53MAUU+NJqqvUBhpjrXBf+13TeURlW0/zEB8UjG\n dTiQWyagbYFnBsP9nRbDmfE05UnxlpYoPE4I51uCceYrY2io8MygjSuDPf2qxlM0nMRRanulZ\n zILTDtiM4TTLEzyaDsMZMDL8I61HBegOHFwR6bXj4tLc97wzlYvvgOtD2ThDaf8ptRQJ3F5lr\n qRv2HGdOftZGLkopO8Yp9Hqph7S0hAr4Xs88PYeDM1Pw46jhY84yhkYZ6ENjFHxBxhINxcHDW\n N9ZsVgvbgbSB1eupzQrirZzEYn0T/A/qT83ToNPacd89v21c0A7WKDVXwQIYrXyYfgfwtGmZc\n mK0vOYUR3N44heJNTqOhVOWFcKligog+zstXghMOLfim46qUi1kZF8AFbSxtK1o55pVZlIfsM\n pS4h69UkI4Wp+8VQvIn1l2zsGPFUrJC7qLI5ObPSYc8a1HmlD3S0ZsCUXmU7Ksurd5tRboVfb\n uBDK2HavgJpdLoB3YVx+j98KM8PF8F3eK7eDJSeRHsII16sAj7beKAeE8Evbya1t0W25rw4m2\n y9dtu47VbhaABkcSmGP1zYUDzw5YAxCayG1dx9SXqD4+kQzkZ9dG+6SwH5Zyucn2pomMCy9iX\n phTgQeNXd8+EBbI3p6RWFaypj/WRvELiBZnJCIdgv4fDQwlwGu5Y2yvNtHAEOQx3Um8Q/Duos\n ay2f4LGN/lJ8iwwH4d9W+rExBgUxFIuo0BKpCpmE2vAI2N5NIKYgWFi4kunyY/cAF4j5TSPE7\n WEjI6ZLHbGPNC9G2xgtxATyfUDPccJGc8iFmTvmSfu8/eb0QF2LawdiD+66NitzGQTnUXDZ25\n 9F9YmYd3y12pTBe9Vpr5PfASbLF4rFtcnjWLwTs7ItM1LCw132HkJlKIdSLBLlwZTxNzAWRos\n WRzOxMrX6zz7rNM0U5Ls2cak2pW/o8NdGXc8DetTQ5edQy103/0CBFQogHcynXwFpSwjUdKvY\n Ug48797twfa0hW1uIjC+C3elAIF6YdzL9MsPq/HCrSbmSyjLuRRFA7nQttw+GQXG7Lay073hl\n 8peMEWykNt5a65YhNQC7f/IigY3KVYMSRJX7zMmYEaX7CqIikhwmPPeXiO3i7Ljm8dgsYVS8o\n cU6IJ8qbdVvaS79p+QaKFb5urlbDlPnF6YWSIZXYvL2EC4FNjzPgc9c20j/VKLPqSgXR1QD1+\n 3KerPzrXFSxLNo6cDajZLajU+xL1YDpt2FZSX77qwRn3sBCosIRsVvsengdzMX0YccDN+tW5u\n a3N/3jMtOEhz78vQpNE+iuP9nmvYGMFzQqflEY4dpx/4Ds1bw6un3kN7wyYRDYXDGWYMj7dWd\n gR36rGd7clX8Pi6TfGn685JFLj2LEUxzfG/31dw061Ts0PQlGRwuQYVAQXSUSzu/GXHVvIIhm\n ms83wrSPnOjYicO5mpx39PVILbZS2Heg9xsaVXZE1eeKnf99CzIB6rme9z5ZGpBBjDz4WnhWz\n 9vlXGLtPqZuDEz9hSkucR/QfmJNOJ5in0MGp5HAgl3HAtQsJXnZYkEkPEVqu/nEqY6utEBRPC\n 4cBrxayY0ds0+23vujp/YoxzckuvPKLVhq7348xTEe3lbyZNtHCDxapTZEm1AS+d/tyfBVXPA\n yL//8YCNJGzI3/oVFlEABknf2cMq0yrwVvB9AB6wc5q2EnBdDbk1l2R4eTOCOUGiLKPEMVE9D\n dW5i0yxhYAs/QdKU8wkHZfqaX2zJA3FiWTAx+IdLeBiFY8qmeUKK4uhT4HgHYaEzDpdY3wfYI\n QGsPkyXWugPSwdbf9qw+vj0nCOOHEwmnpREd2UAdwTIuQR2VKU2R1EpGqLE+rN8xGIuKK9OCe\n wPFSWoXvRXUiYjfFXtw9eYecsulCoaFFigprDWIgiNjS0UpovEsBSKLIX","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}},{"id":3679522,"web_url":"http://patchwork.ozlabs.org/comment/3679522/","msgid":"<3468f39a-8a0a-4123-a0db-9f21b3bf5333@proton.me>","list_archive_url":null,"date":"2026-04-20T18:20:10","subject":"Re: [PATCH v2] doc: emulation: qemu-arm: add secure state steps","submitter":{"id":92708,"url":"http://patchwork.ozlabs.org/api/people/92708/","name":"Johannes Krottmayer","email":"krotti83@proton.me"},"content":"Hi Heinrich!\n\nI'm really sorry about that. Seems I have some troubles\nwith my mail provider or the software (Proton Mail Bridge).\n\nWill definitely try to fix the issues.\n\nI have test the raw patch file with success on a local branch.\nHaven't got any errors.\n\nI know it's might not be ideal but I attach the raw patch\nand it's might violates the contributing guidelines.\n\nWould be nice if you can test the patch file and report if\nthere are still errors please.\n\nThanks in advance!\n\nOn 4/20/26 7:41 PM, Heinrich Schuchardt wrote:\n> On 4/20/26 13:29, Johannes Krottmayer wrote:\n>> Add build steps for building U-Boot in secure state with\n>> TF-A and OP-TEE. It includes the full steps for building\n>> OP-TEE and TF-A to use with U-Boot. Also a short description\n>> how to invoke QEMU with enabled EL3 and EL2. EL3 (machine\n>> option secure=on) is required to run TF-A.\n>>\n>> Signed-off-by: Johannes Krottmayer \n>> Cc: Tom Rini \n>> Cc:\n Tuomas Tynkkynen \n>> ---\n>>\n>> Changes PATCH v2:\n>> - Fix typo (OT-TEE -> OP-TEE)\n>> - Fix grammatic and correct spellings\n>> - Fix line warp and formatting\n>> - Add 'git checkout' for the specific (tested) version in the used build commands\n>> - Change misleading filename 'flash.bin' to 'qemu_fw.bios'\n>>\n>>\n>> doc/board/emulation/qemu-arm.rst | 88 ++++++++++++++++++++++++++++++--\n>> 1 file changed, 84 insertions(+), 4 deletions(-)\n>>\n>> diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst\n>> index 1c91c7f3ac6..9e993ca9783 100644\n>> --- a/doc/board/emulation/qemu-arm.rst\n>> +++ b/doc/board\n>> /emulation/qemu-arm.rst\n>> @@ -24,8 +24,78 @@ Additionally, a number of optional peripherals can be added to the PCI bus.\n>> See :doc:`../../develop/devicetree/dt_qemu` for information on how to see\n>> the devicetree actually generated by QEMU.\n>>\n>> -Building U-Boot\n>> ----------------\n>> +Building (secure)\n>>\n +-----------------\n>> +\n>> +U-Boot\n>> +^^^^^^\n>> +\n>> +- For AArch64::\n>> +\n>> + make qemu_arm64_defconfig\n>> + make\n>> +\n>> +On successful build 'u-boot.bin' should be created. It's necessary in the following\n>> +steps (building TF-A).\n>> +\n>> +OP-TEE\n>> +^^^^^^\n>> +\n>> +- For AArch64::\n>> +\n>> + git clone https://github.com/OP-TEE/optee_os.git\n>> + cd optee_os\n>> + git checkout 4.9.0\n>> + export CROSS_COMPILE64=aarch64-none-elf-\n>> + export CROSS_COMPILE32=arm-none-eabi-\n>> + make PLATFORM=vexpress-qemu_armv8a CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y\n>> +\n>> +At least OP-TEE v4.9.0 for AArch64 needs both compiler (64-Bit and 32-Bit edition) for\n>> +a successful build. On a successful build following files should\n>> be created under the\n>> +directory 'out/arm-plat-vexpress/core' from OP-TEE::\n>> +\n>> + optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin\n>> + optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin\n>> +\n optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin\n>> +\n>> +TF-A\n>> +^^^^\n>> +\n>> +- For AArch64::\n>> +\n>> + git clone https://github.com/ARM-software/arm-trusted-firmware.git\n>> + cd arm-trusted-firmware\n>> + git submodule update --init\n>> + git checkout v2.14.0\n>> + export CROSS_COMPILE=aarch64-none-elf-\n>> + export BL32=path/to/tee-header_v2.bin\n>> + export BL32_EXTRA1=path/to/tee-pager_v2.bin\n>> + export BL32_EXTRA2=path/to/tee-pageable_v2.bin\n>> + export BL33=path/to/u-boot.bin\n>> + make PLAT=qemu BL32_RAM_LOCATION=tdram SPD=opteed TRANSFER_LIST=1 all fip\n>> +\n>> +On successful build the following files should be created under the directory\n>> +'build/qemu/release' from TF-A::\n>> +\n>> + arm-trusted-firmware/build/qemu/release/bl1.bin\n>> + arm-trusted-firmware/build/qemu/release/fip.b\n>> in\n>> +\n>> +The following file is at least created with TF-A v2.14.0 and can be directly passed\n>> +with the '-bios' option to QE\nMU::\n>> +\n>> + arm-trusted-firmware/build/qemu/release/qemu_fw.bios\n>> +\n>> +If the single file ('qemu_fw.bios') doesn't exist, 'bl1.bin' and 'fip.bin' can be\n>> +concatenated with the command 'dd' alternatively::\n>> +\n>> + dd if=bl1.bin of=qemu_fw.bios bs=4096 conv=notrunc\n>> + dd if=fip.bin of=qemu_fw.bios seek=64 bs=4096 conv=notrunc\n>> +\n>> +Building (non-secure)\n>> +---------------------\n>> +\n>> +U-Boot\n>> +^^^^^^\n>> Set the CROSS_COMPILE environment variable as usual, and run:\n>>\n>> - For ARM::\n>> @@ -38,8 +108,18 @@ Set the CROSS_COMPILE environment variable as usual, and run:\n>> make qemu_arm64_defconfig\n>> make\n>>\n>> -Running U-Boot\n>> ---------------\n>> +Running U-Boot (secure)\n>> +-----------------------\n>> +\n>> +- For AArch64::\n>> +\n>> + qemu-system-aarch64 -machine virt,secure=on,virtualization=on \\\n>> + -nographic -cpu cortex-a57 -bios qemu_fw.bios\n>> +\n>> +For additional QEMU comman\n>> d description see runn\ning U-Boot in non-secure state.\n> \n> This is not a valid patch:\n> \n> b4 shazam\n> https://lore.kernel.org/u-boot/20260420112815.1448132-1-krotti83@proton.me/T/#u\n> \n> Applying: doc: emulation: qemu-arm: add secure state steps\n> Patch failed at 0001 doc: emulation: qemu-arm: add secure state steps\n> error: patch with only garbage at line 17\n> \n> Best regards\n> \n> Heinrich\n> \n>> +\n>> +Running U-Boot (non-secure)\n>> +---------------------------\n>> The minimal QEMU command line to get U-Boot up and running is:\n>>\n>> - For ARM::\n>","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=proton.me header.i=@proton.me header.a=rsa-sha256\n header.s=protonmail header.b=iQCLT0xJ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=proton.me","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n secure) header.d=proton.me header.i=@proton.me header.b=\"iQCLT0xJ\";\n\tdkim-atps=neutral","phobos.denx.de; dmarc=pass (p=quarantine dis=none)\n header.from=proton.me","phobos.denx.de;\n spf=pass smtp.mailfrom=krotti83@proton.me"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzv130ZxBz1yGs\n\tfor ; Tue, 21 Apr 2026 04:20:23 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 4DDFE84329;\n\tMon, 20 Apr 2026 20:20:20 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 34EB58432A; Mon, 20 Apr 2026 20:20:19 +0200 (CEST)","from mail-43101.protonmail.ch (mail-43101.protonmail.ch\n [185.70.43.101])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 3FCB4842BF\n for ; Mon, 20 Apr 2026 20:20:16 +0200 (CEST)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me;\n s=protonmail; t=1776709215; x=1776968415;\n bh=2IWCrizQdOmuw21/IeeLoGHxGAC8wNN/4pHir48bvP8=;\n h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:\n Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:\n Message-ID:BIMI-Selector;\n b=iQCLT0xJM6t57lKoyZfWnCYizYcpitiYcfD7NrFpf+6C82pG1mLWHJW2IG/L8A24d\n +jp35Wx7cbbWUYg6k9V1Z+NtOOpi2VP/3VurXlRgLckB2GiLQoucko8qQNtmTD9Dki\n HYYINLbWA1pV3wo56gR9ZdaBtNzvSO0dyh9W6IOT4AWrJuV6yf07YIG4cq2gPessLS\n cVOWPVA+FFsLfm4D8FApXS0lj7UgJFShmJk34hwuvT2tv+be7XTaKJWz73XsT9sdip\n liTXFZ/Bm4gZCo1XbF+OXy3il28Gh3AwrC/W76qvVC20BPLr8s+I3rmzaRIogunxp7\n DXVTJSBEqPS1Q==","Date":"Mon, 20 Apr 2026 18:20:10 +0000","To":"Heinrich Schuchardt ","From":"Johannes Krottmayer ","Cc":"trini@konsulko.com, tuomas.tynkkynen@iki.fi, u-boot@lists.denx.de,\n sjg@chromium.org","Subject":"Re: [PATCH v2] doc: emulation: qemu-arm: add secure state steps","Message-ID":"<3468f39a-8a0a-4123-a0db-9f21b3bf5333@proton.me>","In-Reply-To":"","References":"\n <20260224193312.GB3233182@bill-the-cat>\n <02e49242-da72-4bcd-a428-f7e8c9aee742@proton.me>\n <20260225004838.GA1593142@bill-the-cat>\n <20260225020042.20823-1-krotti83@proton.me>\n <20260225020042.20823-2-krotti83@proton.me>\n \n <20260420112815.1448132-1-krotti83@proton.me>\n ","Feedback-ID":"148511850:user:proton","X-Pm-Message-ID":"c6cd8f3c2b049ad2c813c87683b0a508f12322b9","MIME-Version":"1.0","Content-Type":"multipart/signed; protocol=\"application/pgp-signature\";\n micalg=pgp-sha256;\n boundary=\"------496d4e49b98a894d0ac83f32c4f8ed636a0dc77054c2a41052cee03d9daa9268\";\n charset=utf-8","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"}}]