[v3,2/4] configs/qemu_arm_vexpress_tz: Armv7-A emulation with TrustZone services
diff mbox series

Message ID 20190322095818.19914-2-etienne.carriere@linaro.org
State New
Headers show
  • [v3,1/4] boot/arm-trusted-firmware: support alternate image files
Related show

Commit Message

Etienne Carriere March 22, 2019, 9:58 a.m. UTC
This change introduces a Qemu board for an Armv7-A target executing
with OP-TEE secure world services. The target Linux based normal world
embeds the standard minimal filesystem with OP-TEE non-secure components
embedded files from OP-TEE test, examples and benchmark packages.

qemu_arm_vexpress_tz_defconfig differs from qemu_arm_vexpress_defconfig.
Supporting both secure and non-secure worlds on the Arm target mandates
a secure world, here OP-TEE OS, and a bootloader to boot both worlds,
here TF-A (boot/arm-trusted-firmware). Here non-secure Linux kernel is
booted through U-boot

  TF-A bootloader (BL1/BL2) => OP-TEE (BL32) => U-boot (BL33).
  | Executes as secure         | Secure         | Execs as Non-secure
  | Loads BL32/BL33 in RAM     | Jumps to BL33  | Always booted after
  | Jumps to BL32 once done    | as Non-secure  | secure world inits

Vexpress and vexpress-tz defconfigs also differs in that Qemu emulates
a Cortex-A9 in the former and a Cortex-A15 in the later. Cortex-A15
is the Armv7-A CPU used in upstream TF-A and OP-TEE OS packages hence
selected here.

Defconfig adds a fragment to the Linux kernel native configuration to
enable OP-TEE driver support.

Defconfig adds a fragment to the U-Boot native configuration set boot
command, enable semihosting and remove U-Boot persistent environment
storage support.

The defconfig also enables build of the Qemu emulator in case the
system installed Qemu does not yet support CPU TrustZone secure state.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Changes v2 -> v3:
  - Rename board/config: qemu_armv7a_tz_virt => qemu_arm_vexpress_tz
  - Remove some useless configuration from the defconfig: Linux 9P;
    Qemu virtfs; TF-A log level; OP-TEE log level.
  - Add post_build.sh script to rename files in output/images/.
  - Detail diffs between vexpress and vexpress-tz defconfigs in commit.
  - Fix typo in defconfig about Linux version number.
  - Remove info about virtfs from board readme.txt file.
  - Update TF-A config from recent changes: image filenames; OP-TEE.

Changes v1 -> v2:
  - Bump kernel to 4.19.
  - Use kernel defconfig and add optee and 9p as config fragments.
  - Remove ARM_ARCH_MAJOR from platform configuration directive
 board/qemu/arm-vexpress-tz/linux.fragment |   3 +
 board/qemu/arm-vexpress-tz/post-build.sh  |  10 ++
 board/qemu/arm-vexpress-tz/readme.txt     | 135 ++++++++++++++++++++++
 board/qemu/arm-vexpress-tz/u-boot.config  |   7 ++
 configs/qemu_arm_vexpress_tz_defconfig    |  47 ++++++++
 5 files changed, 202 insertions(+)
 create mode 100644 board/qemu/arm-vexpress-tz/linux.fragment
 create mode 100755 board/qemu/arm-vexpress-tz/post-build.sh
 create mode 100644 board/qemu/arm-vexpress-tz/readme.txt
 create mode 100644 board/qemu/arm-vexpress-tz/u-boot.config
 create mode 100644 configs/qemu_arm_vexpress_tz_defconfig

diff mbox series

diff --git a/board/qemu/arm-vexpress-tz/linux.fragment b/board/qemu/arm-vexpress-tz/linux.fragment
new file mode 100644
index 0000000000..1537d938f1
--- /dev/null
+++ b/board/qemu/arm-vexpress-tz/linux.fragment
@@ -0,0 +1,3 @@ 
+### Enable OP-TEE
diff --git a/board/qemu/arm-vexpress-tz/post-build.sh b/board/qemu/arm-vexpress-tz/post-build.sh
new file mode 100755
index 0000000000..7ead69a99a
--- /dev/null
+++ b/board/qemu/arm-vexpress-tz/post-build.sh
@@ -0,0 +1,10 @@ 
+set -u
+set -e
+# Rename boot images for the dear TF-A
+ln -sf u-boot.bin ${BINARIES_DIR}/bl33.bin
+ln -sf tee-header_v2.bin ${BINARIES_DIR}/bl32.bin
+ln -sf tee-pager_v2.bin ${BINARIES_DIR}/bl32_extra1.bin
+ln -sf tee-pageable_v2.bin ${BINARIES_DIR}/bl32_extra2.bin
diff --git a/board/qemu/arm-vexpress-tz/readme.txt b/board/qemu/arm-vexpress-tz/readme.txt
new file mode 100644
index 0000000000..95cd6da8c3
--- /dev/null
+++ b/board/qemu/arm-vexpress-tz/readme.txt
@@ -0,0 +1,135 @@ 
+Board qemu_arm_vexpress_tz builds a Qemu Armv7-A target system with
+OP-TEE running in the TrustZone secure world and a Linux based
+OS running in the non-secure world. The board configuration enable
+builds of the Qemu host Arm target emulator.
+  make qemu_arm_vexpress_tz_defconfig
+  make
+BIOS used in the Qemu host is the Arm Trusted Firmware-A (TF-A). TF-A
+uses Qemu semihosting file access to access boot image files. The
+Qemu platform is quite specific for that in TF-A and one needs to
+run the emulation from the image directory for TF-A to boot the
+secure and non-secure worlds.
+  cd output/images && ../host/bin/qemu-system-arm \
+	-machine virt -machine secure=on -cpu cortex-a15 \
+	-smp 1 -s -m 1024 -d unimp \
+	-serial stdio \
+	-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
+	-semihosting-config enable,target=native \
+	-bios bl1.bin
+The boot stage traces (if any) followed by the login prompt will appear
+in the terminal that started Qemu.
+If you want to emulate more cores use "-smp {1|2|3|4}" to select the
+number of cores.
+Note "-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic"
+brings network support that is used i.e. in OP-TEE regression tests.
+Tested with QEMU 2.12.0, and 3.1.0.
+-- Boot Details --
+TF-A is used as Qemu BIOS. Its BL1 image boots and load its BL2 image. In turn, this
+image loads the OP-TEE secure world (Armv7-A BL32 stage) and the U-boot as non-secure
+bootloader (BL33 stage).
+The Qemu natively host and loads in RAM the Qemu Arm target device tree. OP-TEE reads
+and modifes its content according to OP-TEE configuration.
+Enable TF-A traces from LOG_LEVEL (I.e LOG_LEVEL=40) from
+-- OP-TEE Traces --
+Secure boot stages and/or secure runtime services may use a serial link for
+their traces.
+The Arm Trusted Firmware outputs its traces on the Qemu standard (first)
+serial  interface.
+The OP-TEE OS uses the Qemu second serial interface.
+To get the OP-TEE OS traces one shall append a second -serial argument after
+-serial stdio in the Qemu command line. I.e the following enables 2 serial
+consoles over telnet connections:
+  cd output/images && ../host/bin/qemu-system-arm \
+	-machine virt -machine secure=on -cpu cortex-a15 \
+	-smp 1 -s -m 1024 -d unimp \
+	-serial telnet:,server \
+	-serial telnet:,server \
+	-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
+	-semihosting-config enable,target=native \
+	-bios bl1.bin
+Qemu is now waiting for the telnet connection. From another shell, open a
+telnet connection on the port for the U-boot and Linux consoles:
+  telnet 1235
+and again for the secure console
+  telnet 1236
+-- Using gdb --
+One can debug the OP-TEE secure world using GDB through the Qemu host.
+To do so, one can simply run the qemu-system-arm emulation then
+run a GDB client and connect the Qemu internal GDB server.
+The example below assumes we run Qemu and the GDB client from the same
+host computer. We use option -S of qemu-system-arm to make Qemu
+waiting for the GDB continue instruction before booting the images.
+From a first shell:
+  cd output/images && ../host/bin/qemu-system-arm \
+	-machine virt -machine secure=on -cpu cortex-a15 \
+	-smp 1 -s -m 1024 -d unimp \
+	-serial stdio \
+	-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
+	-semihosting-config enable,target=native \
+	-bios bl1.bin \
+	-S
+From a second shell:
+  ./output/host/bin/arm-linux-gnueabihf-gd
+  GNU gdb (GNU Toolchain for the A-profile Architecture 8.2-2018-08 (arm-rel-8.23))
+  Copyright (C) 2018 Free Software Foundation, Inc.
+  ...
+  For help, type "help".
+  Type "apropos word" to search for commands related to "word".
+  (gdb) 
+From this GDB console, connect target, load OP-TEE core symbols, set a
+breakpoint to its entry (__text_start) and start emulation:
+  (gdb) target remote
+  (gdb) symbol-file ../build/optee_os-<reference>/out/arm/core/tee.elf
+  (gdb) hbreak __text_start
+  Hardware assisted breakpoint 1 at 0xe100000: file core/arch/arm/kernel/generic_entry_a32.S, line 246.
+  (gdb) cont
+  Continuing.
+  Thread 1 hit Breakpoint 1, _start () at core/arch/arm/kernel/generic_entry_a32.S:246
+  246		bootargs_entry
+  (gdb) 
+Emulation has started, TF-A has loaded OP-TEE and U-boot images in memory and
+has booted OP-TEE. Emulation stopped at OP-TEE core entry.
+Note: Qemu hosts a GDB service listening to TCP port 1234, as set through
+qemu-system-arm commandline option -s.
+Note: GDB server used above (from image/host/bin) was built from Buildroot
+using the following extra configuration directives:
diff --git a/board/qemu/arm-vexpress-tz/u-boot.config b/board/qemu/arm-vexpress-tz/u-boot.config
new file mode 100644
index 0000000000..fd74bf1fe7
--- /dev/null
+++ b/board/qemu/arm-vexpress-tz/u-boot.config
@@ -0,0 +1,7 @@ 
+CONFIG_BOOTCOMMAND="fdt addr ${fdt_addr} && fdt resize 1000 && smhload zImage ${kernel_addr_r} && smhload rootfs.cpio.gz ${ramdisk_addr_r} ramdisk_addr_end &&  setenv bootargs console=ttyAMA0,115200 earlyprintk=serial,ttyAMA0,115200 && fdt chosen ${ramdisk_addr_r} ${ramdisk_addr_end} && bootz ${kernel_addr_r} - ${fdt_addr}"
+# Drop flash accesses
diff --git a/configs/qemu_arm_vexpress_tz_defconfig b/configs/qemu_arm_vexpress_tz_defconfig
new file mode 100644
index 0000000000..3ea48768b0
--- /dev/null
+++ b/configs/qemu_arm_vexpress_tz_defconfig
@@ -0,0 +1,47 @@ 
+# Architecture
+# System
+# Filesystems (support several boot config)
+# Generic
+# Linux 4.19 series
+# TF-A for booting OP-TEE secure and uboot/linux non secure
+# OP-TEE components
+# U-boot for booting the dear Linux kernel
+# Build Qemu emulator for the Arm target