{"id":2225117,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2225117/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260420112815.1448132-1-krotti83@proton.me/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/1.1/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260420112815.1448132-1-krotti83@proton.me>","date":"2026-04-20T11:29:51","name":"[v2] doc: emulation: qemu-arm: add secure state steps","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"52390ce46d0bc92b6414d740fd384bddbdf4f39b","submitter":{"id":92708,"url":"http://patchwork.ozlabs.org/api/1.1/people/92708/?format=json","name":"Johannes Krottmayer","email":"krotti83@proton.me"},"delegate":{"id":68728,"url":"http://patchwork.ozlabs.org/api/1.1/users/68728/?format=json","username":"xypron","first_name":"Heinrich","last_name":"Schuchardt","email":"xypron.glpk@gmx.de"},"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260420112815.1448132-1-krotti83@proton.me/mbox/","series":[{"id":500599,"url":"http://patchwork.ozlabs.org/api/1.1/series/500599/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=500599","date":"2026-04-20T11:29:51","name":"[v2] doc: emulation: qemu-arm: add secure state steps","version":2,"mbox":"http://patchwork.ozlabs.org/series/500599/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2225117/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2225117/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=proton.me header.i=@proton.me header.a=rsa-sha256\n header.s=protonmail header.b=i13cATjq;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=quarantine dis=none) header.from=proton.me","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n secure) header.d=proton.me header.i=@proton.me header.b=\"i13cATjq\";\n\tdkim-atps=neutral","phobos.denx.de; dmarc=pass (p=quarantine dis=none)\n header.from=proton.me","phobos.denx.de;\n spf=pass smtp.mailfrom=krotti83@proton.me"],"Received":["from phobos.denx.de (phobos.denx.de [85.214.62.61])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzjvg6QkYz1yGs\n\tfor ; Mon, 20 Apr 2026 21:30:07 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id E204484309;\n\tMon, 20 Apr 2026 13:30:04 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 5161C8430F; Mon, 20 Apr 2026 13:30:01 +0200 (CEST)","from mail-10630.protonmail.ch (mail-10630.protonmail.ch\n [79.135.106.30])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 4FAD883E16\n for ; Mon, 20 Apr 2026 13:29:58 +0200 (CEST)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-3.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS\n autolearn=ham autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me;\n s=protonmail; t=1776684597; x=1776943797;\n bh=ai6c7uDUWb1q6YOur99NKGjcEHtAzyXjb0zHuL+U/DY=;\n h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:\n Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:\n Message-ID:BIMI-Selector;\n b=i13cATjq+r9Hr3Mb1qq42vDxBHVoyMgrMuR0tuYYmSRatASB5FDprGgaMUbUYwO+5\n DHn0Kif61Bx2JTRwnR9yR6SzFwA3whgkeun2pR1vS/dv+BwRydHP9MIRMe/5gWo7XW\n zMn05kKuZ2ZIa61sHuJtCLyf1z7dXGG6LtWujBnTcJ6QyR+i+vLXTvN03shMDlGLVF\n bzOtPlwOmmCGa+9yGBZWss3iZuKCWqPsHoX0vrS+MTUhEGeIsEub1iEYpDLvlAmB02\n zBO+E7fxdidMQbD/wyCXUBcy2vQbaLgHsakQcrNw8WYcSUDDtMBg682JaiIuXzKzzK\n DCpVpl8sX6K3g==","Date":"Mon, 20 Apr 2026 11:29:51 +0000","To":"u-boot@lists.denx.de, xypron.glpk@gmx.de, sjg@chromium.org","From":"Johannes Krottmayer ","Cc":"trini@konsulko.com, tuomas.tynkkynen@iki.fi,\n Johannes Krottmayer ","Subject":"[PATCH v2] doc: emulation: qemu-arm: add secure state steps","Message-ID":"<20260420112815.1448132-1-krotti83@proton.me>","In-Reply-To":"\n ","References":"\n <20260224170908.GZ3233182@bill-the-cat>\n <37429ec3-d174-44d3-b113-bf6ce6d71096@proton.me>\n <20260224193312.GB3233182@bill-the-cat>\n <02e49242-da72-4bcd-a428-f7e8c9aee742@proton.me>\n <20260225004838.GA1593142@bill-the-cat>\n <20260225020042.20823-1-krotti83@proton.me>\n <20260225020042.20823-2-krotti83@proton.me>\n ","Feedback-ID":"148511850:user:proton","X-Pm-Message-ID":"82bfb3b5f183d211d3b77889838abee73230c2a7","MIME-Version":"1.0","Content-Type":"multipart/signed; protocol=\"application/pgp-signature\";\n micalg=pgp-sha256;\n boundary=\"------7d89ee979fa324c35dfa3bf7c6a37a5b377ceb077db4317b47724c5ffc990ceb\";\n charset=utf-8","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"Add build steps for building U-Boot in secure state with\nTF-A and OP-TEE. It includes the full steps for building\nOP-TEE and TF-A to use with U-Boot. Also a short description\nhow to invoke QEMU with enabled EL3 and EL2. EL3 (machine\noption secure=on) is required to run TF-A.\n\nSigned-off-by: Johannes Krottmayer \nCc: Tom Rini \nCc: Tuomas Tynkkynen \n---\n\nChanges PATCH v2:\n- Fix typo (OT-TEE -> OP-TEE)\n- Fix grammatic and correct spellings\n- Fix line warp and formatting\n- Add 'git checkout' for the specific (tested) version in the used build commands\n- Change misleading filename 'flash.bin' to 'qemu_fw.bios'\n\n\n doc/board/emulation/qemu-arm.rst | 88 ++++++++++++++++++++++++++++++--\n 1 file changed, 84 insertions(+), 4 deletions(-)\n\n+++ b/doc/board\n/emulation/qemu-arm.rst\n@@ -24,8 +24,78 @@ Additionally, a number of optional peripherals can be added to the PCI bus.\n See :doc:`../../develop/devicetree/dt_qemu` for information on how to see\n the devicetree actually generated by QEMU.\n \n-Building U-Boot\n----------------\n+Building (secure)\n+-----------------\n+\n+U-Boot\n+^^^^^^\n+\n+- For AArch64::\n+\n+ make qemu_arm64_defconfig\n+ make\n+\n+On successful build 'u-boot.bin' should be created. It's necessary in the following\n+steps (building TF-A).\n+\n+OP-TEE\n+^^^^^^\n+\n+- For AArch64::\n+\n+ git clone https://github.com/OP-TEE/optee_os.git\n+ cd optee_os\n+ git checkout 4.9.0\n+ export CROSS_COMPILE64=aarch64-none-elf-\n+ export CROSS_COMPILE32=arm-none-eabi-\n+ make PLATFORM=vexpress-qemu_armv8a CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y\n+\n+At least OP-TEE v4.9.0 for AArch64 needs both compiler (64-Bit and 32-Bit edition) for\n+a successful build. On a successful build following files should \nbe created under the\n+directory 'out/arm-plat-vexpress/core' from OP-TEE::\n+\n+ optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin\n+ optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin\n+ optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin\n+\n+TF-A\n+^^^^\n+\n+- For AArch64::\n+\n+ git clone https://github.com/ARM-software/arm-trusted-firmware.git\n+ cd arm-trusted-firmware\n+ git submodule update --init\n+ git checkout v2.14.0\n+ export CROSS_COMPILE=aarch64-none-elf-\n+ export BL32=path/to/tee-header_v2.bin\n+ export BL32_EXTRA1=path/to/tee-pager_v2.bin\n+ export BL32_EXTRA2=path/to/tee-pageable_v2.bin\n+ export BL33=path/to/u-boot.bin\n+ make PLAT=qemu BL32_RAM_LOCATION=tdram SPD=opteed TRANSFER_LIST=1 all fip\n+\n+On successful build the following files should be created under the directory\n+'build/qemu/release' from TF-A::\n+\n+ arm-trusted-firmware/build/qemu/release/bl1.bin\n+ arm-trusted-firmware/build/qemu/release/fip.b\nin\n+\n+The following file is at least created with TF-A v2.14.0 and can be directly passed\n+with the '-bios' option to QEMU::\n+\n+ arm-trusted-firmware/build/qemu/release/qemu_fw.bios\n+\n+If the single file ('qemu_fw.bios') doesn't exist, 'bl1.bin' and 'fip.bin' can be\n+concatenated with the command 'dd' alternatively::\n+\n+ dd if=bl1.bin of=qemu_fw.bios bs=4096 conv=notrunc\n+ dd if=fip.bin of=qemu_fw.bios seek=64 bs=4096 conv=notrunc\n+\n+Building (non-secure)\n+---------------------\n+\n+U-Boot\n+^^^^^^\n Set the CROSS_COMPILE environment variable as usual, and run:\n \n - For ARM::\n@@ -38,8 +108,18 @@ Set the CROSS_COMPILE environment variable as usual, and run:\n make qemu_arm64_defconfig\n make\n \n-Running U-Boot\n---------------\n+Running U-Boot (secure)\n+-----------------------\n+\n+- For AArch64::\n+\n+ qemu-system-aarch64 -machine virt,secure=on,virtualization=on \\\n+ -nographic -cpu cortex-a57 -bios qemu_fw.bios\n+\n+For additional QEMU comman\nd description see running U-Boot in non-secure state.\n+\n+Running U-Boot (non-secure)\n+---------------------------\n The minimal QEMU command line to get U-Boot up and running is:\n \n - For ARM::","diff":"diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst\nindex 1c91c7f3ac6..9e993ca9783 100644\n--- a/doc/board/emulation/qemu-arm.rst\n","prefixes":["v2"]}