{"id":2225337,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2225337/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260420204247.6596-1-heinrich.schuchardt@canonical.com/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/1.1/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260420204247.6596-1-heinrich.schuchardt@canonical.com>","date":"2026-04-20T20:42:47","name":"[RESEND,v2,1/1] doc: emulation: qemu-arm: add secure state steps","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"ccfede996a8b312ed94f546cd68a619d3e2c8c2d","submitter":{"id":82181,"url":"http://patchwork.ozlabs.org/api/1.1/people/82181/?format=json","name":"Heinrich Schuchardt","email":"heinrich.schuchardt@canonical.com"},"delegate":{"id":68728,"url":"http://patchwork.ozlabs.org/api/1.1/users/68728/?format=json","username":"xypron","first_name":"Heinrich","last_name":"Schuchardt","email":"xypron.glpk@gmx.de"},"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260420204247.6596-1-heinrich.schuchardt@canonical.com/mbox/","series":[{"id":500683,"url":"http://patchwork.ozlabs.org/api/1.1/series/500683/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=500683","date":"2026-04-20T20:42:47","name":"[RESEND,v2,1/1] doc: emulation: qemu-arm: add secure state steps","version":2,"mbox":"http://patchwork.ozlabs.org/series/500683/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2225337/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2225337/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=qItyg6Nh;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=canonical.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.b=\"qItyg6Nh\";\n\tdkim-atps=neutral","phobos.denx.de; dmarc=pass (p=reject dis=none)\n header.from=canonical.com","phobos.denx.de; spf=pass\n smtp.mailfrom=heinrich.schuchardt@canonical.com"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fzy9V6Fn0z1yHB\n\tfor ; Tue, 21 Apr 2026 06:42:54 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id CB6FF84476;\n\tMon, 20 Apr 2026 22:42:52 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id F1F9F844C1; Mon, 20 Apr 2026 22:42:51 +0200 (CEST)","from smtp-relay-canonical-0.canonical.com\n (smtp-relay-canonical-0.canonical.com [185.125.188.120])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id A7B2D8442E\n for ; Mon, 20 Apr 2026 22:42:49 +0200 (CEST)","from LT03.fritz.box (ip-176-199-115-125.um44.pools.vodafone-ip.de\n [176.199.115.125])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 1846E3F7D3;\n Mon, 20 Apr 2026 20:42:49 +0000 (UTC)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,\n DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,\n RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham\n autolearn_force=no version=3.4.2","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1776717769;\n bh=XOzBofOYcj1iNTQUUb4OWFfj1zDVS0B/8WwwxxyLLyU=;\n h=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=qItyg6NhWarHbBaeSWldBM1FOUdr1Bof9uAf8Nv0ZIYSx6QnFC21B4V4KHKrxWroc\n KsSH3vSneUjoY0vklPX0IuxznZNqHCw/sZQgFeXL0A/uBsT+2HIpO0R2+YG1Fllyc5\n getxXSwMQ7NhixmRNOS0TMxMMqSe+Dnvqwhbbh5H3Y/ZSCDJ2aMhfmMG9deQjeic5w\n rqFYBP4xCCDtQ2LKExeug2AuW84l85rhef+vRelVDlgujlrxjldajhtMH7zIV4Tv4Y\n 1NL5PWzXN4ahqVWQq4/gcrEUUMHyUE7w11xwP8u72Z4tgBufigtkctSO+Df7VHJueN\n ozqZrDJNH4eajKP8jCdeRV8F5ehzbFT/dddRNE832jL2+MVsvuRWRWLB4vgt/59vJ7\n 3aEdbFPx/J0NC0eVQlC8IgeY7cUmSJj2ca6WUmox9lClhR8AusLSEXmVG7SkKYpLFn\n 4nsKuYli3tlZ6rRSI6631h4u5yo26QPt0PoSiXTrsWWUaLgklmeD0wDLYRC63YxIdF\n N5a4JxVsItsvMlrE+wwAIVqcCS9+Kkr+K9fx9aj1KMk1Hv3Tue2P7MYLDw9MwJ+s9F\n lz/Aq0f5ooUA5KctrW6rPf+1gYzIfqRA9tytotp+b1KQpo73sH29FrdGaX4ArHT1jY\n +mOiU36pTLxPWH3iNZq9+ZSs=","From":"Heinrich Schuchardt ","To":"Tom Rini ","Cc":"Tuomas Tynkkynen ,\n Johannes Krottmayer , u-boot@lists.denx.de,\n Heinrich Schuchardt ","Subject":"[PATCH RESEND v2 1/1] doc: emulation: qemu-arm: add secure state\n steps","Date":"Mon, 20 Apr 2026 22:42:47 +0200","Message-ID":"<20260420204247.6596-1-heinrich.schuchardt@canonical.com>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" ","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"From: Johannes Krottmayer \n\nAdd build steps for building U-Boot in secure state with\nTF-A and OP-TEE. It includes the full steps for building\nOP-TEE and TF-A to use with U-Boot. Also a short description\nhow to invoke QEMU with enabled EL3 and EL2. EL3 (machine\noption secure=on) is required to run TF-A.\n\nSigned-off-by: Johannes Krottmayer \nAcked-by: Heinrich Schuchardt \nCc: Tom Rini \nCc: Tuomas Tynkkynen \n---\n doc/board/emulation/qemu-arm.rst | 88 ++++++++++++++++++++++++++++++--\n 1 file changed, 84 insertions(+), 4 deletions(-)","diff":"diff --git a/doc/board/emulation/qemu-arm.rst b/doc/board/emulation/qemu-arm.rst\nindex 1c91c7f3ac6..9e993ca9783 100644\n--- a/doc/board/emulation/qemu-arm.rst\n+++ b/doc/board/emulation/qemu-arm.rst\n@@ -24,8 +24,78 @@ Additionally, a number of optional peripherals can be added to the PCI bus.\n See :doc:`../../develop/devicetree/dt_qemu` for information on how to see\n the devicetree actually generated by QEMU.\n \n-Building U-Boot\n----------------\n+Building (secure)\n+-----------------\n+\n+U-Boot\n+^^^^^^\n+\n+- For AArch64::\n+\n+ make qemu_arm64_defconfig\n+ make\n+\n+On successful build 'u-boot.bin' should be created. It's necessary in the following\n+steps (building TF-A).\n+\n+OP-TEE\n+^^^^^^\n+\n+- For AArch64::\n+\n+ git clone https://github.com/OP-TEE/optee_os.git\n+ cd optee_os\n+ git checkout 4.9.0\n+ export CROSS_COMPILE64=aarch64-none-elf-\n+ export CROSS_COMPILE32=arm-none-eabi-\n+ make PLATFORM=vexpress-qemu_armv8a CFG_TRANSFER_LIST=y CFG_MAP_EXT_DT_SECURE=y\n+\n+At least OP-TEE v4.9.0 for AArch64 needs both compiler (64-Bit and 32-Bit edition) for\n+a successful build. On a successful build following files should be created under the\n+directory 'out/arm-plat-vexpress/core' from OP-TEE::\n+\n+ optee_os/out/arm-plat-vexpress/core/tee-header_v2.bin\n+ optee_os/out/arm-plat-vexpress/core/tee-pageable_v2.bin\n+ optee_os/out/arm-plat-vexpress/core/tee-pager_v2.bin\n+\n+TF-A\n+^^^^\n+\n+- For AArch64::\n+\n+ git clone https://github.com/ARM-software/arm-trusted-firmware.git\n+ cd arm-trusted-firmware\n+ git submodule update --init\n+ git checkout v2.14.0\n+ export CROSS_COMPILE=aarch64-none-elf-\n+ export BL32=path/to/tee-header_v2.bin\n+ export BL32_EXTRA1=path/to/tee-pager_v2.bin\n+ export BL32_EXTRA2=path/to/tee-pageable_v2.bin\n+ export BL33=path/to/u-boot.bin\n+ make PLAT=qemu BL32_RAM_LOCATION=tdram SPD=opteed TRANSFER_LIST=1 all fip\n+\n+On successful build the following files should be created under the directory\n+'build/qemu/release' from TF-A::\n+\n+ arm-trusted-firmware/build/qemu/release/bl1.bin\n+ arm-trusted-firmware/build/qemu/release/fip.bin\n+\n+The following file is at least created with TF-A v2.14.0 and can be directly passed\n+with the '-bios' option to QEMU::\n+\n+ arm-trusted-firmware/build/qemu/release/qemu_fw.bios\n+\n+If the single file ('qemu_fw.bios') doesn't exist, 'bl1.bin' and 'fip.bin' can be\n+concatenated with the command 'dd' alternatively::\n+\n+ dd if=bl1.bin of=qemu_fw.bios bs=4096 conv=notrunc\n+ dd if=fip.bin of=qemu_fw.bios seek=64 bs=4096 conv=notrunc\n+\n+Building (non-secure)\n+---------------------\n+\n+U-Boot\n+^^^^^^\n Set the CROSS_COMPILE environment variable as usual, and run:\n \n - For ARM::\n@@ -38,8 +108,18 @@ Set the CROSS_COMPILE environment variable as usual, and run:\n make qemu_arm64_defconfig\n make\n \n-Running U-Boot\n---------------\n+Running U-Boot (secure)\n+-----------------------\n+\n+- For AArch64::\n+\n+ qemu-system-aarch64 -machine virt,secure=on,virtualization=on \\\n+ -nographic -cpu cortex-a57 -bios qemu_fw.bios\n+\n+For additional QEMU command description see running U-Boot in non-secure state.\n+\n+Running U-Boot (non-secure)\n+---------------------------\n The minimal QEMU command line to get U-Boot up and running is:\n \n - For ARM::\n","prefixes":["RESEND","v2","1/1"]}