[Buildroot] [PATCH 1/1] boot/arm-trusted-firmware: optional Linux as BL33

[Buildroot] [PATCH 1/1] boot/arm-trusted-firmware: optional Linux as BL33

[Jakob Kastelic]

Arm Trusted Firmware (TF-A) can be used to load U-Boot or another
bootloader, which in turn loads the Linux kernel. However, TF-A is
capable of loading the kernel directly. To this end, we need to define
the BL33 and BL33_CFG compile options containing, respectively, the
zImage and the DTB.

This config introduces a new config option,
BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33, which sets the BL33 and
BL33_CFG parameters, and ensures that the kernel is built before the
TF-A by having linux as a _DEPENDENCY of the TF-A.

Signed-off-by: Jakob Kastelic <jkastelic@thinksrs.com>
---
 boot/arm-trusted-firmware/Config.in           | 19 +++++++++++++++++++
 .../arm-trusted-firmware.mk                   |  6 ++++++
 2 files changed, 25 insertions(+)

diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in
index c8deede9cd..929561fc87 100644
--- a/boot/arm-trusted-firmware/Config.in
+++ b/boot/arm-trusted-firmware/Config.in
@@ -182,6 +182,25 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33
 	  for the 'qemu_sbsa' platform. In this case, due to the EDK2
 	  build system, the dependency between ATF and EDK is reversed.
 
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33
+	bool "Linux kernel"
+	depends on BR2_LINUX_KERNEL
+	help
+	  This option allows to embed the Linux kernel as the BL33 part
+	  of the ARM Trusted Firmware.
+
+	  Do not choose this option if you intend to use U-Boot or
+	  another second-stage bootloader. With this option, TF-A starts
+	  Linux directly.
+
+	  With this option chosen, whenever the Linux zImage changes,
+	  TF-A may need need to be re-built to create the latest FIP
+	  file. Since Buildroot does not track package dependencies,
+	  this has to be done manually by invoking `make
+	  arm-trusted-firmware-rebuild`. The final boot medium image may
+	  need to be re-generated as well to include the latest FIP file
+	  version.
+
 endchoice
 
 if BR2_TARGET_ARM_TRUSTED_FIRMWARE_BAREBOX_AS_BL33
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index 172a930b5c..6fc15ab700 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -132,6 +132,12 @@ ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33=$(BINARIES_DIR)/$(ARM_TRUSTED_FIRMWARE_UB
 ARM_TRUSTED_FIRMWARE_DEPENDENCIES += uboot
 endif
 
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33),y)
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33=$(BINARIES_DIR)/zImage
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33_CFG=$(BINARIES_DIR)/$(LINUX_DTBS)
+ARM_TRUSTED_FIRMWARE_DEPENDENCIES += linux
+endif
+
 ifeq ($(BR2_TARGET_VEXPRESS_FIRMWARE),y)
 ARM_TRUSTED_FIRMWARE_MAKE_OPTS += SCP_BL2=$(BINARIES_DIR)/scp-fw.bin
 ARM_TRUSTED_FIRMWARE_DEPENDENCIES += vexpress-firmware
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] boot/arm-trusted-firmware: optional Linux as BL33

[Arnout Vandecappelle via buildroot]

  Hi Jakob,

  Very interesting contribution! Sorry that it took us so long to react... I 
have a few questions. I'm also adding Vincent in Cc since he has more knowledge 
about this.

On 19/12/2024 22:45, Jakob Kastelic wrote:
> Arm Trusted Firmware (TF-A) can be used to load U-Boot or another
> bootloader, which in turn loads the Linux kernel. However, TF-A is
> capable of loading the kernel directly. To this end, we need to define
> the BL33 and BL33_CFG compile options containing, respectively, the
> zImage and the DTB.

  I didn't even know this was possible, so I checked the documentation, and it 
talks about setting ARM_LINUX_KERNEL_AS_BL33=1 so I think that should be set as 
well? Perhaps you use a patched TF-A version that has this set by default?

  Also, on aarch64, it seems you have to set RESET_TO_SP_MIN=1 to be able to use 
this option.

  Perhaps it would also be a good idea to add a variant of the qemu defconfigs 
that tests this option. We can use the qemu_arm_vexpress_tz_defconfig, drop 
U-Boot from it, and switch to booting to Linux directly from TF-A. For aarch64 
unfortunately we have no defconfigs that don't require UEFI so we don't have 
anything to test this option with.

  If you don't feel comfortable testing on aarch64, please add a "depends on 
BR2_arm || BR2_armeb" and mention in the commit message why it's excluded.


> This config introduces a new config option,
> BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33, which sets the BL33 and
> BL33_CFG parameters, and ensures that the kernel is built before the
> TF-A by having linux as a _DEPENDENCY of the TF-A.
> 
> Signed-off-by: Jakob Kastelic <jkastelic@thinksrs.com>
> ---
>   boot/arm-trusted-firmware/Config.in           | 19 +++++++++++++++++++
>   .../arm-trusted-firmware.mk                   |  6 ++++++
>   2 files changed, 25 insertions(+)
> 
> diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in
> index c8deede9cd..929561fc87 100644
> --- a/boot/arm-trusted-firmware/Config.in
> +++ b/boot/arm-trusted-firmware/Config.in
> @@ -182,6 +182,25 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33
>   	  for the 'qemu_sbsa' platform. In this case, due to the EDK2
>   	  build system, the dependency between ATF and EDK is reversed.
>   
> +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33
> +	bool "Linux kernel"
> +	depends on BR2_LINUX_KERNEL
> +	help
> +	  This option allows to embed the Linux kernel as the BL33 part
> +	  of the ARM Trusted Firmware.
> +
> +	  Do not choose this option if you intend to use U-Boot or
> +	  another second-stage bootloader. With this option, TF-A starts
> +	  Linux directly.
> +
> +	  With this option chosen, whenever the Linux zImage changes,
> +	  TF-A may need need to be re-built to create the latest FIP
> +	  file. Since Buildroot does not track package dependencies,
> +	  this has to be done manually by invoking `make
> +	  arm-trusted-firmware-rebuild`. The final boot medium image may
> +	  need to be re-generated as well to include the latest FIP file
> +	  version.
> +
>   endchoice
>   
>   if BR2_TARGET_ARM_TRUSTED_FIRMWARE_BAREBOX_AS_BL33
> diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> index 172a930b5c..6fc15ab700 100644
> --- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> +++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
> @@ -132,6 +132,12 @@ ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33=$(BINARIES_DIR)/$(ARM_TRUSTED_FIRMWARE_UB
>   ARM_TRUSTED_FIRMWARE_DEPENDENCIES += uboot
>   endif
>   
> +ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33),y)
> +ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33=$(BINARIES_DIR)/zImage

  On aarch64, it is Image, not zImage. If you can't test it on aarch64, I'

  Perhaps we should also depend on BR2_LINUX_KERNEL_ZIMAGE || 
BR2_LINUX_KERNEL_APPENDED_ZIMAGE (|| BR2_LINUX_KERNEL_IMAGE for aarch64) 
otherwise the zImage will not appear in BINARIES_DIR.


  Regards,
  Arnout

> +ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33_CFG=$(BINARIES_DIR)/$(LINUX_DTBS)
> +ARM_TRUSTED_FIRMWARE_DEPENDENCIES += linux
> +endif
> +
>   ifeq ($(BR2_TARGET_VEXPRESS_FIRMWARE),y)
>   ARM_TRUSTED_FIRMWARE_MAKE_OPTS += SCP_BL2=$(BINARIES_DIR)/scp-fw.bin
>   ARM_TRUSTED_FIRMWARE_DEPENDENCIES += vexpress-firmware

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 0/2] Linux as BL33 in TF-A

[Jakob Kastelic]

This patch series allows one to run Linux directly from Arm Trusted Firmware
(TF-A) without U-Boot or another SPL (sometimes referred to as "falcon mode").

In my original submission, the patch introduced the new TF-A build option.
Arnout Vandecappelle suggested to also include a Qemu-based defconfig in which
this new flag can be tested. This patch series also includes the new defconfig.

Note that TF-A documentation talks about a ARM_LINUX_KERNEL_AS_BL33 option which
is intended for a similar purpose. However, on AArch32, that flag can only be
used with SP_MIN, which is not supported on all platforms. (For example, in the
present defconfig we use OP-TEE.)

The new flag applies only to AArch32 since I do not have a means of testing it
on AArch64.

For a consideration of alternative approaches, refer to the write-up here:
https://embd.cc/linux-tfa-bl33-qemu

Jakob Kastelic (2):
  boot/arm-trusted-firmware: optional Linux as BL33
  configs/qemu_arm_vexpress_tz_falcon_defconfig: new

 DEVELOPERS                                    |  3 ++
 .../qemu/arm-vexpress-tz-falcon/patch-dts.sh  | 21 +++++++++++
 board/qemu/arm-vexpress-tz-falcon/readme.txt  | 28 +++++++++++++++
 boot/arm-trusted-firmware/Config.in           | 21 +++++++++++
 .../arm-trusted-firmware.mk                   |  8 +++++
 configs/qemu_arm_vexpress_tz_falcon_defconfig | 36 +++++++++++++++++++
 6 files changed, 117 insertions(+)
 create mode 100755 board/qemu/arm-vexpress-tz-falcon/patch-dts.sh
 create mode 100644 board/qemu/arm-vexpress-tz-falcon/readme.txt
 create mode 100644 configs/qemu_arm_vexpress_tz_falcon_defconfig

-- 
2.39.5

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 1/2] boot/arm-trusted-firmware: optional Linux as BL33

[Jakob Kastelic]

Arm Trusted Firmware (TF-A) can be used to load U-Boot or another
bootloader, which in turn loads the Linux kernel. However, TF-A is
capable of loading the kernel directly. To this end, we need to define
the BL33 and BL33_CFG compile options containing, respectively, the
zImage and the DTB.

This config introduces a new config option,
BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33, which sets the BL33 and
BL33_CFG parameters, and ensures that the kernel is built before the
TF-A by having linux as a _DEPENDENCY of the TF-A.

---
Changes v1 -> v2:
  - add depend on AArch32 and zImage
  - for STM32MP1, point BL33_CFG to the DTB

Signed-off-by: Jakob Kastelic <kastelic.jakob@gmail.com>
---
 boot/arm-trusted-firmware/Config.in           | 21 +++++++++++++++++++
 .../arm-trusted-firmware.mk                   |  8 +++++++
 2 files changed, 29 insertions(+)

diff --git a/boot/arm-trusted-firmware/Config.in b/boot/arm-trusted-firmware/Config.in
index 72684e5974..42f44a7036 100644
--- a/boot/arm-trusted-firmware/Config.in
+++ b/boot/arm-trusted-firmware/Config.in
@@ -188,6 +188,27 @@ config BR2_TARGET_ARM_TRUSTED_FIRMWARE_EDK2_AS_BL33
 	  for the 'qemu_sbsa' platform. In this case, due to the EDK2
 	  build system, the dependency between ATF and EDK is reversed.
 
+config BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33
+	bool "Linux kernel"
+	depends on BR2_LINUX_KERNEL
+	depends on (BR2_arm || BR2_armeb)
+	depends on (BR2_LINUX_KERNEL_ZIMAGE || BR2_LINUX_KERNEL_APPENDED_ZIMAGE)
+	help
+	  This option allows to embed the Linux kernel as the BL33 part
+	  of the ARM Trusted Firmware.
+
+	  Do not choose this option if you intend to use U-Boot or
+	  another second-stage bootloader. With this option, TF-A starts
+	  Linux directly.
+
+	  With this option chosen, whenever the Linux zImage changes,
+	  TF-A may need need to be re-built to create the latest FIP
+	  file. Since Buildroot does not track package dependencies,
+	  this has to be done manually by invoking `make
+	  arm-trusted-firmware-rebuild`. The final boot medium image may
+	  need to be re-generated as well to include the latest FIP file
+	  version.
+
 endchoice
 
 if BR2_TARGET_ARM_TRUSTED_FIRMWARE_BAREBOX_AS_BL33
diff --git a/boot/arm-trusted-firmware/arm-trusted-firmware.mk b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
index dca16d3960..ce7ac86290 100644
--- a/boot/arm-trusted-firmware/arm-trusted-firmware.mk
+++ b/boot/arm-trusted-firmware/arm-trusted-firmware.mk
@@ -132,6 +132,14 @@ ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33=$(BINARIES_DIR)/$(ARM_TRUSTED_FIRMWARE_UB
 ARM_TRUSTED_FIRMWARE_DEPENDENCIES += uboot
 endif
 
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33),y)
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33=$(BINARIES_DIR)/zImage
+ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM),stm32mp1)
+ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33_CFG=$(BINARIES_DIR)/$(LINUX_DTBS)
+endif
+ARM_TRUSTED_FIRMWARE_DEPENDENCIES += linux
+endif
+
 ifeq ($(BR2_TARGET_VEXPRESS_FIRMWARE),y)
 ARM_TRUSTED_FIRMWARE_MAKE_OPTS += SCP_BL2=$(BINARIES_DIR)/scp-fw.bin
 ARM_TRUSTED_FIRMWARE_DEPENDENCIES += vexpress-firmware
-- 
2.39.5

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 2/2] configs/qemu_arm_vexpress_tz_falcon_defconfig: new

[Jakob Kastelic]

This commit adds a new configuration, in which TF-A loads Linux directly
(as BL33) under Qemu. This defconfig can be used to test the new TF-A
flag, BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33.

Signed-off-by: Jakob Kastelic <kastelic.jakob@gmail.com>
---
 DEVELOPERS                                    |  3 ++
 .../qemu/arm-vexpress-tz-falcon/patch-dts.sh  | 21 +++++++++++
 board/qemu/arm-vexpress-tz-falcon/readme.txt  | 28 +++++++++++++++
 configs/qemu_arm_vexpress_tz_falcon_defconfig | 36 +++++++++++++++++++
 4 files changed, 88 insertions(+)
 create mode 100755 board/qemu/arm-vexpress-tz-falcon/patch-dts.sh
 create mode 100644 board/qemu/arm-vexpress-tz-falcon/readme.txt
 create mode 100644 configs/qemu_arm_vexpress_tz_falcon_defconfig

diff --git a/DEVELOPERS b/DEVELOPERS
index 16d9ee892b..227b239bea 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -3537,3 +3537,6 @@ F:	package/quazip/
 F:	package/shapelib/
 F:	package/simple-mail/
 F:	package/tinc/
+
+N:	Jakob Kastelic <kastelic.jakob@gmail.com>
+F:	configs/qemu_arm_vexpress_tz_falcon_defconfig
diff --git a/board/qemu/arm-vexpress-tz-falcon/patch-dts.sh b/board/qemu/arm-vexpress-tz-falcon/patch-dts.sh
new file mode 100755
index 0000000000..896ae317b5
--- /dev/null
+++ b/board/qemu/arm-vexpress-tz-falcon/patch-dts.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -u
+set -e
+
+QEMU_BOARD_DIR="$(dirname "$0")"
+INITRD_ADDR=$(sed -n 's/.*addr=\(0x[0-9a-fA-F]*\).*/\1/p' "${QEMU_BOARD_DIR}/readme.txt" | head -n1)
+ROOTFS_SIZE=$(stat -c %s "${BINARIES_DIR}/rootfs.cpio.gz")
+INITRD_END=$(printf '0x%x' $((0x${INITRD_ADDR#0x} + ROOTFS_SIZE)))
+TMP_DTB="${BINARIES_DIR}/falcon.tmp.dtb"
+FINAL_DTB="${BINARIES_DIR}/falcon.dtb"
+
+# Extract the DTB from Qemu
+qemu-system-arm -smp 1 -s -m 1024 -d unimp \
+	-machine virt,dumpdtb="${TMP_DTB}",secure=on -cpu cortex-a15
+
+# Insert intramfs address into /chosen
+fdtput -t x "${TMP_DTB}" /chosen linux,initrd-start "${INITRD_ADDR}"
+fdtput -t x "${TMP_DTB}" /chosen linux,initrd-end "${INITRD_END}"
+
+mv "${TMP_DTB}" "${FINAL_DTB}"
diff --git a/board/qemu/arm-vexpress-tz-falcon/readme.txt b/board/qemu/arm-vexpress-tz-falcon/readme.txt
new file mode 100644
index 0000000000..a7bf5c01e1
--- /dev/null
+++ b/board/qemu/arm-vexpress-tz-falcon/readme.txt
@@ -0,0 +1,28 @@
+Board qemu_arm_vexpress_tz_falcon builds a QEMU ARMv7-A target system with
+OP-TEE running in the TrustZone secure world and a Linux based
+OS running in the non-secure world. The board configuration enables
+builds of the QEMU host ARM target emulator.
+
+  make qemu_arm_vexpress_tz_falcon_defconfig
+  make
+
+The BIOS used in the QEMU host is the ARM Trusted Firmware-A (TF-A).
+Since TF-A loads the Linux kernel directly, Qemu is expected to place both the
+DTB and the rootfs image in memory. For this reason the emulation needs to be
+run from the image directory:
+
+  cd output/images && ../host/bin/qemu-system-arm \
+	-machine virt -machine secure=on -cpu cortex-a15 \
+	-dtb falcon.dtb -device loader,file=rootfs.cpio.gz,addr=0x76000040 \
+	-smp 1 -s -m 1024 -d unimp \
+	-serial stdio \
+	-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
+	-semihosting-config enable=on,target=native \
+	-bios flash.bin # qemu_arm_vexpress_tz_falcon_defconfig
+
+The boot stage traces (if any) followed by the login prompt will appear
+in the terminal that started QEMU.
+
+For all other details, check out the Readme for qemu_arm_vexpress_tz_defconfig.
+That configuration differs from the present one only in that it uses U-Boot to
+load Linux, rather than loading it from TF-A directly as we do here.
diff --git a/configs/qemu_arm_vexpress_tz_falcon_defconfig b/configs/qemu_arm_vexpress_tz_falcon_defconfig
new file mode 100644
index 0000000000..5ca6e74668
--- /dev/null
+++ b/configs/qemu_arm_vexpress_tz_falcon_defconfig
@@ -0,0 +1,36 @@
+BR2_arm=y
+BR2_cortex_a15=y
+BR2_ARM_FPU_VFPV3D16=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_12=y
+BR2_TOOLCHAIN_BUILDROOT_CXX=y
+BR2_GLOBAL_PATCH_DIR="board/qemu/patches"
+BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
+BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+BR2_ROOTFS_POST_BUILD_SCRIPT="board/qemu/arm-vexpress-tz/post-build.sh"
+BR2_ROOTFS_POST_IMAGE_SCRIPT="board/qemu/post-image.sh board/qemu/arm-vexpress-tz-falcon/patch-dts.sh"
+BR2_ROOTFS_POST_SCRIPT_ARGS="$(BR2_DEFCONFIG)"
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.12.27"
+BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
+BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/linux.fragment"
+BR2_PACKAGE_OPENSSL=y
+BR2_PACKAGE_OPTEE_EXAMPLES=y
+BR2_PACKAGE_OPTEE_TEST=y
+BR2_TARGET_ROOTFS_CPIO=y
+BR2_TARGET_ROOTFS_CPIO_GZIP=y
+BR2_TARGET_ROOTFS_CPIO_UIMAGE=y
+# BR2_TARGET_ROOTFS_TAR is not set
+BR2_TARGET_ARM_TRUSTED_FIRMWARE=y
+BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION=y
+BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION_VALUE="v2.7"
+BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="qemu"
+BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
+BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE=y
+BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33=y
+BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="BL32_RAM_LOCATION=tdram"
+BR2_TARGET_OPTEE_OS=y
+BR2_TARGET_OPTEE_OS_NEEDS_DTC=y
+BR2_TARGET_OPTEE_OS_PLATFORM="vexpress-qemu_virt"
+BR2_PACKAGE_HOST_QEMU=y
+BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y
-- 
2.39.5

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 1/2] boot/arm-trusted-firmware: optional Linux as BL33

[Thomas Petazzoni via buildroot]

Hello Jakob,

Thanks for your patch, and sorry for the delay in getting back to you!

On Tue, Sep 16, 2025 at 07:45:40PM -0700, Jakob Kastelic wrote:
> Arm Trusted Firmware (TF-A) can be used to load U-Boot or another
> bootloader, which in turn loads the Linux kernel. However, TF-A is
> capable of loading the kernel directly. To this end, we need to define
> the BL33 and BL33_CFG compile options containing, respectively, the
> zImage and the DTB.
> 
> This config introduces a new config option,
> BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33, which sets the BL33 and
> BL33_CFG parameters, and ensures that the kernel is built before the
> TF-A by having linux as a _DEPENDENCY of the TF-A.
>

Your Signed-off-by should have been here. Indeed, anything after "---"
gets stripped when applying your patch.

> +config BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33
> +	bool "Linux kernel"
> +	depends on BR2_LINUX_KERNEL
> +	depends on (BR2_arm || BR2_armeb)
> +	depends on (BR2_LINUX_KERNEL_ZIMAGE || BR2_LINUX_KERNEL_APPENDED_ZIMAGE)
> +	help
> +	  This option allows to embed the Linux kernel as the BL33 part
> +	  of the ARM Trusted Firmware.
> +
> +	  Do not choose this option if you intend to use U-Boot or
> +	  another second-stage bootloader. With this option, TF-A starts
> +	  Linux directly.
> +
> +	  With this option chosen, whenever the Linux zImage changes,
> +	  TF-A may need need to be re-built to create the latest FIP
> +	  file. Since Buildroot does not track package dependencies,
> +	  this has to be done manually by invoking `make
> +	  arm-trusted-firmware-rebuild`. The final boot medium image may
> +	  need to be re-generated as well to include the latest FIP file
> +	  version.

I dropped this last paragraph, because this isn't specific to this
situation, it's also valid for any other BL33 payload.

> +ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33),y)
> +ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33=$(BINARIES_DIR)/zImage
> +ifeq ($(BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM),stm32mp1)

I've used

+ifeq ($(ARM_TRUSTED_FIRMWARE_PLATFORM),stm32mp1)

instead, where ARM_TRUSTED_FIRMWARE_PLATFORM is already
quote-stripped, while $(BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM)
isn't.

> +ARM_TRUSTED_FIRMWARE_MAKE_OPTS += BL33_CFG=$(BINARIES_DIR)/$(LINUX_DTBS)

This is a bit "risky" as LINUX_DTBS can potentially contain multiple
entries. One option would be to add a check here that LINUX_DTBS only
contain one entry, like (untested)

ifneq ($(words $(LINUX_DTBS)),1)
$(error "Using BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33 only works when a single Linux DTB is used")
endif

If you think that's useful, you can send a follow-up patch adding
this. But I have applied your patch, with the other fixes mentioned in
this e-mail.

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 2/2] configs/qemu_arm_vexpress_tz_falcon_defconfig: new

[Thomas Petazzoni via buildroot]

Hello,

On Tue, Sep 16, 2025 at 07:45:41PM -0700, Jakob Kastelic wrote:
> This commit adds a new configuration, in which TF-A loads Linux directly
> (as BL33) under Qemu. This defconfig can be used to test the new TF-A
> flag, BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33.
> 
> Signed-off-by: Jakob Kastelic <kastelic.jakob@gmail.com>

Thanks for your patch! However, rather than having it as a defconfig,
we would prefer to have it as a runtime test, which builds this
configuration and boots it under Qemu.

There's already a TF-A test in
support/testing/tests/boot/test_atf.py. However, this existing test
only performs build testing of TF-A. In your case, we would also want
to boot the system into Qemu as part of the test.

You can for example have a look at
support/testing/tests/boot/test_edk2.py which also does run-time
testing in Qemu.

> diff --git a/DEVELOPERS b/DEVELOPERS
> index 16d9ee892b..227b239bea 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -3537,3 +3537,6 @@ F:	package/quazip/
>  F:	package/shapelib/
>  F:	package/simple-mail/
>  F:	package/tinc/
> +
> +N:	Jakob Kastelic <kastelic.jakob@gmail.com>
> +F:	configs/qemu_arm_vexpress_tz_falcon_defconfig

Make sure to add this entry not at the end of the file, but at the
right place based on the alphabetic ordering of developer names.

> diff --git a/board/qemu/arm-vexpress-tz-falcon/patch-dts.sh b/board/qemu/arm-vexpress-tz-falcon/patch-dts.sh
> new file mode 100755
> index 0000000000..896ae317b5
> --- /dev/null
> +++ b/board/qemu/arm-vexpress-tz-falcon/patch-dts.sh
> @@ -0,0 +1,21 @@
> +#!/bin/sh
> +
> +set -u
> +set -e
> +
> +QEMU_BOARD_DIR="$(dirname "$0")"
> +INITRD_ADDR=$(sed -n 's/.*addr=\(0x[0-9a-fA-F]*\).*/\1/p' "${QEMU_BOARD_DIR}/readme.txt" | head -n1)
> +ROOTFS_SIZE=$(stat -c %s "${BINARIES_DIR}/rootfs.cpio.gz")
> +INITRD_END=$(printf '0x%x' $((0x${INITRD_ADDR#0x} + ROOTFS_SIZE)))
> +TMP_DTB="${BINARIES_DIR}/falcon.tmp.dtb"
> +FINAL_DTB="${BINARIES_DIR}/falcon.dtb"
> +
> +# Extract the DTB from Qemu
> +qemu-system-arm -smp 1 -s -m 1024 -d unimp \
> +	-machine virt,dumpdtb="${TMP_DTB}",secure=on -cpu cortex-a15
> +
> +# Insert intramfs address into /chosen
> +fdtput -t x "${TMP_DTB}" /chosen linux,initrd-start "${INITRD_ADDR}"
> +fdtput -t x "${TMP_DTB}" /chosen linux,initrd-end "${INITRD_END}"
> +
> +mv "${TMP_DTB}" "${FINAL_DTB}"

Wouldn't the test be simpler if you were to mount a real rootfs from
storage, instead of using an initrd?

> diff --git a/configs/qemu_arm_vexpress_tz_falcon_defconfig b/configs/qemu_arm_vexpress_tz_falcon_defconfig
> new file mode 100644
> index 0000000000..5ca6e74668
> --- /dev/null
> +++ b/configs/qemu_arm_vexpress_tz_falcon_defconfig
> @@ -0,0 +1,36 @@
> +BR2_arm=y
> +BR2_cortex_a15=y
> +BR2_ARM_FPU_VFPV3D16=y

In the runtime test infrastructure, you will want to use an external
toolchain (there are based toolchain configurations available that
might work).

> +BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_12=y
> +BR2_TOOLCHAIN_BUILDROOT_CXX=y
> +BR2_GLOBAL_PATCH_DIR="board/qemu/patches"
> +BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
> +BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
> +BR2_ROOTFS_POST_BUILD_SCRIPT="board/qemu/arm-vexpress-tz/post-build.sh"
> +BR2_ROOTFS_POST_IMAGE_SCRIPT="board/qemu/post-image.sh board/qemu/arm-vexpress-tz-falcon/patch-dts.sh"
> +BR2_ROOTFS_POST_SCRIPT_ARGS="$(BR2_DEFCONFIG)"
> +BR2_LINUX_KERNEL=y
> +BR2_LINUX_KERNEL_CUSTOM_VERSION=y
> +BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.12.27"
> +BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
> +BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/linux.fragment"
> +BR2_PACKAGE_OPENSSL=y
> +BR2_PACKAGE_OPTEE_EXAMPLES=y
> +BR2_PACKAGE_OPTEE_TEST=y

If you have these on the target, then the runtime test should ideally
run the OP-TEE tests?

Could you rework, and send a new iteration?

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v3] support/testing/tests/boot/test_atf.py: test BL33

[Jakob Kastelic]

This commit adds a new runtime test, in which TF-A loads Linux directly
(as BL33) under Qemu. This test is used to test the new TF-A flag,
BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33.

Signed-off-by: Jakob Kastelic <kastelic.jakob@gmail.com>

---
Changes v2 -> v3:
  - reformat defconfig as runtime test
  - mount real rootfs from storage instead of using an initrd
  - run OP-TEE runtime tests
---
 DEVELOPERS                             |  3 +
 support/testing/tests/boot/test_atf.py | 95 ++++++++++++++++++++++++++
 2 files changed, 98 insertions(+)

diff --git a/DEVELOPERS b/DEVELOPERS
index 225d1ac917..aca03b2d67 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1510,6 +1510,9 @@ F:	package/python-scipy/
 F:	support/testing/tests/package/sample_python_scipy.py
 F:	support/testing/tests/package/test_python_scipy.py
 
+N:	Jakob Kastelic <kastelic.jakob at gmail.com>
+F:	support/testing/tests/boot/test_atf.py
+
 N:	James Hilliard <james.hilliard1@gmail.com>
 F:	package/apcupsd/
 F:	package/bpftool/
diff --git a/support/testing/tests/boot/test_atf.py b/support/testing/tests/boot/test_atf.py
index b822b9d357..a54c6a7629 100644
--- a/support/testing/tests/boot/test_atf.py
+++ b/support/testing/tests/boot/test_atf.py
@@ -1,3 +1,6 @@
+import os
+import subprocess
+
 import infra.basetest
 
 
@@ -30,3 +33,95 @@ class TestATFAllwinner(infra.basetest.BRTest):
 
     def test_run(self):
         pass
+
+
+class TestATFNoUBoot(infra.basetest.BRTest):
+    config = \
+        """
+        BR2_arm=y
+        BR2_cortex_a15=y
+        BR2_ARM_FPU_VFPV3D16=y
+        BR2_TOOLCHAIN_BUILDROOT_CXX=y
+        BR2_TARGET_ROOTFS_EXT2=y
+        BR2_TARGET_ROOTFS_EXT2_4=y
+        BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_18=y
+        BR2_GLOBAL_PATCH_DIR="board/qemu/patches"
+        BR2_DOWNLOAD_FORCE_CHECK_HASHES=y
+        BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+        BR2_ROOTFS_POST_BUILD_SCRIPT="board/qemu/arm-vexpress-tz/post-build.sh"
+        BR2_ROOTFS_POST_IMAGE_SCRIPT="board/qemu/post-image.sh"
+        BR2_ROOTFS_POST_SCRIPT_ARGS="$(BR2_DEFCONFIG)"
+        BR2_LINUX_KERNEL=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.18.7"
+        BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
+        BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/linux.fragment"
+        BR2_PACKAGE_OPENSSL=y
+        BR2_PACKAGE_OPTEE_EXAMPLES=y
+        BR2_PACKAGE_OPTEE_TEST=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION_VALUE="v2.7"
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="qemu"
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="BL32_RAM_LOCATION=tdram"
+        BR2_TARGET_OPTEE_OS=y
+        BR2_TARGET_OPTEE_OS_NEEDS_DTC=y
+        BR2_TARGET_OPTEE_OS_PLATFORM="vexpress-qemu_virt"
+        BR2_PACKAGE_HOST_QEMU=y
+        BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y
+        """
+
+    def patch_dts(self):
+        """
+        Place the rootfs into the kernel command line via the DTB.
+
+        In qemu-system-arm, -append is only allowed with -kernel option. Since
+        we are using the -bios option to load TF-A (which in turn loads the
+        kernel), we have to manually patch the DTB to add the root option.
+        """
+        dtb = os.path.join(self.builddir, "images", "qemu.dtb")
+        rootfs = os.path.join(self.builddir, "images", "rootfs.ext4")
+        flash = os.path.join(self.builddir, "images", "flash.bin")
+        qemu = os.path.join(self.builddir, "host", "bin", "qemu-system-arm")
+        fdtput = os.path.join(self.builddir, "host", "bin", "fdtput")
+
+        # get the DTB from Qemu
+        subprocess.run([
+            qemu, "-machine", f"virt,dumpdtb={dtb}", "-machine",
+            "secure=on", "-cpu", "cortex-a15"
+            ], check=True)
+
+        # insert kernel command line argument into DTB
+        subprocess.run([fdtput, "-t", "s", f"{dtb}", "/chosen", "bootargs",
+            "root=/dev/vda" ], check=True)
+
+        return dtb, rootfs, flash
+
+    def test_run(self):
+        dtb, rootfs, flash = self.patch_dts()
+
+        self.emulator.boot(arch="arm", options=[
+            "-machine", f"virt", "-machine",
+            "secure=on", "-cpu", "cortex-a15", "-dtb", dtb, "-smp", "1",
+            "-s", "-m", "1024", "-d", "unimp", "-netdev", "user,id=vmnic",
+            "-device", "virtio-net-device,netdev=vmnic", "-semihosting-config",
+            "enable=on,target=native", "-bios", flash,
+            "-drive", f"file={rootfs},if=none,format=raw,id=hd0", "-device",
+            "virtio-blk-device,drive=hd0"
+            ])
+
+        self.emulator.login()
+
+        # Check the Kernel has OP-TEE messages
+        self.assertRunOk("dmesg | grep -F optee:")
+
+        # Check we have OP-TEE devices
+        self.assertRunOk("ls -al /dev/tee*")
+
+        # Run some OP-TEE examples
+        examples = ["aes", "hello_world", "hotp", "random", "secure_storage"]
+        for ex in examples:
+            self.assertRunOk(f"optee_example_{ex}")
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v3] support/testing/tests/boot/test_atf.py: test BL33

[Thomas Petazzoni via buildroot]

Hello,

Thanks for the patch!

On Wed, Feb 04, 2026 at 08:46:22PM -0800, Jakob Kastelic wrote:

> +class TestATFNoUBoot(infra.basetest.BRTest):
> +    config = \
> +        """
> +        BR2_arm=y
> +        BR2_cortex_a15=y
> +        BR2_ARM_FPU_VFPV3D16=y
> +        BR2_TOOLCHAIN_BUILDROOT_CXX=y

Can we use an external toolchain instead?

> +        BR2_TARGET_ROOTFS_EXT2=y
> +        BR2_TARGET_ROOTFS_EXT2_4=y
> +        BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_6_18=y
> +        BR2_GLOBAL_PATCH_DIR="board/qemu/patches"
> +        BR2_DOWNLOAD_FORCE_CHECK_HASHES=y

Not really useful for tests I'd say, and this would mean the test
would fail when we update qemu defconfigs as the test would no longer
be aligned with the hashes in board/qemu/patches/.

> +        BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
> +        BR2_ROOTFS_POST_BUILD_SCRIPT="board/qemu/arm-vexpress-tz/post-build.sh"
> +        BR2_ROOTFS_POST_IMAGE_SCRIPT="board/qemu/post-image.sh"
> +        BR2_ROOTFS_POST_SCRIPT_ARGS="$(BR2_DEFCONFIG)"
> +        BR2_LINUX_KERNEL=y
> +        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
> +        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.18.7"
> +        BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
> +        BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/linux.fragment"
> +        BR2_PACKAGE_OPENSSL=y
> +        BR2_PACKAGE_OPTEE_EXAMPLES=y
> +        BR2_PACKAGE_OPTEE_TEST=y
> +        BR2_TARGET_ARM_TRUSTED_FIRMWARE=y
> +        BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION=y
> +        BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION_VALUE="v2.7"
> +        BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="qemu"
> +        BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
> +        BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE=y
> +        BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33=y
> +        BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="BL32_RAM_LOCATION=tdram"
> +        BR2_TARGET_OPTEE_OS=y
> +        BR2_TARGET_OPTEE_OS_NEEDS_DTC=y
> +        BR2_TARGET_OPTEE_OS_PLATFORM="vexpress-qemu_virt"
> +        BR2_PACKAGE_HOST_QEMU=y
> +        BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y
> +        """
> +
> +    def patch_dts(self):
> +        """
> +        Place the rootfs into the kernel command line via the DTB.
> +
> +        In qemu-system-arm, -append is only allowed with -kernel option. Since
> +        we are using the -bios option to load TF-A (which in turn loads the
> +        kernel), we have to manually patch the DTB to add the root option.
> +        """
> +        dtb = os.path.join(self.builddir, "images", "qemu.dtb")
> +        rootfs = os.path.join(self.builddir, "images", "rootfs.ext4")
> +        flash = os.path.join(self.builddir, "images", "flash.bin")
> +        qemu = os.path.join(self.builddir, "host", "bin", "qemu-system-arm")
> +        fdtput = os.path.join(self.builddir, "host", "bin", "fdtput")
> +
> +        # get the DTB from Qemu
> +        subprocess.run([
> +            qemu, "-machine", f"virt,dumpdtb={dtb}", "-machine",
> +            "secure=on", "-cpu", "cortex-a15"
> +            ], check=True)
> +
> +        # insert kernel command line argument into DTB
> +        subprocess.run([fdtput, "-t", "s", f"{dtb}", "/chosen", "bootargs",
> +            "root=/dev/vda" ], check=True)
> +
> +        return dtb, rootfs, flash
> +
> +    def test_run(self):
> +        dtb, rootfs, flash = self.patch_dts()
> +
> +        self.emulator.boot(arch="arm", options=[
> +            "-machine", f"virt", "-machine",

Why f"virt" and not just "virt" ?

Otherwise, looks good to me!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v4] support/testing/tests/boot/test_atf.py: test BL33

[Jakob Kastelic]

This commit adds a new runtime test, in which TF-A loads Linux directly
(as BL33) under Qemu. This test is used to test the new TF-A flag,
BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33.

Signed-off-by: Jakob Kastelic <kastelic.jakob@gmail.com>

---
Changes v3 -> v4:
  - use external toolchain
  - do not use custom headers
  - do not use qemu patches
  - do not force check hashes
---
 DEVELOPERS                             |  3 +
 support/testing/tests/boot/test_atf.py | 92 ++++++++++++++++++++++++++
 2 files changed, 95 insertions(+)

diff --git a/DEVELOPERS b/DEVELOPERS
index 225d1ac917..d2d4f99371 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1510,6 +1510,9 @@ F:	package/python-scipy/
 F:	support/testing/tests/package/sample_python_scipy.py
 F:	support/testing/tests/package/test_python_scipy.py
 
+N:	Jakob Kastelic <kastelic.jakob@gmail.com>
+F:	support/testing/tests/boot/test_atf.py
+
 N:	James Hilliard <james.hilliard1@gmail.com>
 F:	package/apcupsd/
 F:	package/bpftool/
diff --git a/support/testing/tests/boot/test_atf.py b/support/testing/tests/boot/test_atf.py
index b822b9d357..a5e4671a61 100644
--- a/support/testing/tests/boot/test_atf.py
+++ b/support/testing/tests/boot/test_atf.py
@@ -1,3 +1,6 @@
+import os
+import subprocess
+
 import infra.basetest
 
 
@@ -30,3 +33,92 @@ class TestATFAllwinner(infra.basetest.BRTest):
 
     def test_run(self):
         pass
+
+
+class TestATFNoUBoot(infra.basetest.BRTest):
+    config = \
+        """
+        BR2_arm=y
+        BR2_cortex_a15=y
+        BR2_ARM_FPU_VFPV3D16=y
+        BR2_TOOLCHAIN_EXTERNAL=y
+        BR2_TARGET_ROOTFS_EXT2=y
+        BR2_TARGET_ROOTFS_EXT2_4=y
+        BR2_TARGET_GENERIC_GETTY_PORT="ttyAMA0"
+        BR2_ROOTFS_POST_BUILD_SCRIPT="board/qemu/arm-vexpress-tz/post-build.sh"
+        BR2_ROOTFS_POST_IMAGE_SCRIPT="board/qemu/post-image.sh"
+        BR2_ROOTFS_POST_SCRIPT_ARGS="$(BR2_DEFCONFIG)"
+        BR2_LINUX_KERNEL=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="6.18.7"
+        BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
+        BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/arm-vexpress-tz/linux.fragment"
+        BR2_PACKAGE_OPENSSL=y
+        BR2_PACKAGE_OPTEE_EXAMPLES=y
+        BR2_PACKAGE_OPTEE_TEST=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_CUSTOM_VERSION_VALUE="v2.7"
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_PLATFORM="qemu"
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_FIP=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_BL32_OPTEE=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_LINUX_AS_BL33=y
+        BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="BL32_RAM_LOCATION=tdram"
+        BR2_TARGET_OPTEE_OS=y
+        BR2_TARGET_OPTEE_OS_NEEDS_DTC=y
+        BR2_TARGET_OPTEE_OS_PLATFORM="vexpress-qemu_virt"
+        BR2_PACKAGE_HOST_QEMU=y
+        BR2_PACKAGE_HOST_QEMU_SYSTEM_MODE=y
+        """
+
+    def patch_dts(self):
+        """
+        Place the rootfs into the kernel command line via the DTB.
+
+        In qemu-system-arm, -append is only allowed with -kernel option. Since
+        we are using the -bios option to load TF-A (which in turn loads the
+        kernel), we have to manually patch the DTB to add the root option.
+        """
+        dtb = os.path.join(self.builddir, "images", "qemu.dtb")
+        rootfs = os.path.join(self.builddir, "images", "rootfs.ext4")
+        flash = os.path.join(self.builddir, "images", "flash.bin")
+        qemu = os.path.join(self.builddir, "host", "bin", "qemu-system-arm")
+        fdtput = os.path.join(self.builddir, "host", "bin", "fdtput")
+
+        # get the DTB from Qemu
+        subprocess.run([
+            qemu, "-machine", f"virt,dumpdtb={dtb}", "-machine",
+            "secure=on", "-cpu", "cortex-a15"
+            ], check=True)
+
+        # insert kernel command line argument into DTB
+        subprocess.run([fdtput, "-t", "s", f"{dtb}", "/chosen", "bootargs",
+            "root=/dev/vda" ], check=True)
+
+        return dtb, rootfs, flash
+
+    def test_run(self):
+        dtb, rootfs, flash = self.patch_dts()
+
+        self.emulator.boot(arch="arm", options=[
+            "-machine", "virt", "-machine",
+            "secure=on", "-cpu", "cortex-a15", "-dtb", dtb, "-smp", "1",
+            "-s", "-m", "1024", "-d", "unimp", "-netdev", "user,id=vmnic",
+            "-device", "virtio-net-device,netdev=vmnic", "-semihosting-config",
+            "enable=on,target=native", "-bios", flash,
+            "-drive", f"file={rootfs},if=none,format=raw,id=hd0", "-device",
+            "virtio-blk-device,drive=hd0"
+            ])
+
+        self.emulator.login()
+
+        # Check the Kernel has OP-TEE messages
+        self.assertRunOk("dmesg | grep -F optee:")
+
+        # Check we have OP-TEE devices
+        self.assertRunOk("ls -al /dev/tee*")
+
+        # Run some OP-TEE examples
+        examples = ["aes", "hello_world", "hotp", "random", "secure_storage"]
+        for ex in examples:
+            self.assertRunOk(f"optee_example_{ex}")
-- 
2.47.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot