Add a script which runs after buildman to fetch TF-A (v2.13.0) with MbedTLS (v3.6) and build 'flash.bin', linking the built U-Boot as BL33 and OP-TEE as BL32, with both Firmware Handoff and Measured Boot enabled.
Signed-off-by: Raymond Mao <raymond....@linaro.org>
---
 .azure-pipelines.yml | 1 +
 .gitlab-ci.yml | 1 +
 tools/post_build_tfa_fw_handoff.sh | 87 ++++++++++++++++++++++++++++++
 3 files changed, 89 insertions(+)
 create mode 100755 tools/post_build_tfa_fw_handoff.sh
diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml
index 8209d2b329c..eb547606ddd 100644
--- a/.azure-pipelines.yml
+++ b/.azure-pipelines.yml
@@ -290,6 +290,7 @@ stages:
 cp /opt/grub/grubriscv64.efi \${UBOOT_TRAVIS_BUILD_DIR}/grub_riscv64.efi
 cp /opt/grub/grubaa64.efi \${UBOOT_TRAVIS_BUILD_DIR}/grub_arm64.efi
 cp /opt/grub/grubarm.efi \${UBOOT_TRAVIS_BUILD_DIR}/grub_arm.efi
+ ./tools/post_build_tfa_fw_handoff.sh \${UBOOT_TRAVIS_BUILD_DIR} \${TEST_PY_BD} \${TEST_PY_ID}
 # create sdcard / spi-nor images for sifive unleashed using genimage
 if [[ "\${TEST_PY_BD}" == "sifive_unleashed" ]]; then
 mkdir -p root;
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 85401d3e09b..61e4af96c9a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -79,6 +79,7 @@ stages:
 - cp /opt/grub/grubriscv64.efi $UBOOT_TRAVIS_BUILD_DIR/grub_riscv64.efi
 - cp /opt/grub/grubaa64.efi $UBOOT_TRAVIS_BUILD_DIR/grub_arm64.efi
 - cp /opt/grub/grubarm.efi $UBOOT_TRAVIS_BUILD_DIR/grub_arm.efi
+ - ./tools/post_build_tfa_fw_handoff.sh ${UBOOT_TRAVIS_BUILD_DIR} ${TEST_PY_BD} ${TEST_PY_ID}
 # create sdcard / spi-nor images for sifive unleashed using genimage
 - if [[ "${TEST_PY_BD}" == "sifive_unleashed" ]]; then
 mkdir -p root;
diff --git a/tools/post_build_tfa_fw_handoff.sh b/tools/post_build_tfa_fw_handoff.sh
new file mode 100755
index 00000000000..f876db593ba
--- /dev/null
+++ b/tools/post_build_tfa_fw_handoff.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0+
+#
+# Copyright (c) 2025 Linaro Limited
+# Author: Raymond Mao <raymond....@linaro.org>
+#
+# CI Post-buildman script for building TF-A 'flash.bin' with Measured
+# Boot and Firmware Handoff enabled.
+#
+# Usage: from the top level U-Boot source tree, run:
+# $ ./tools/post_build_tfa_fw_handoff.sh ${UBOOT_TRAVIS_BUILD_DIR} \
+# ${TEST_PY_BD} ${TEST_PY_ID}
+#
+# 'bl1.bin', 'fip.bin' and 'flash.bin' will be generated and copied
+# to /tmp.
+
+set -e
+
+BUILDMAN_OUT_DIR=$(realpath "$1")
+BOARD=$2
+ID=$4
+echo "Buildman Outdir: $BUILDMAN_OUT_DIR, Board: $BOARD, ID: $ID"
+
+# U-Boot binary generated by buildman
+BL33_BIN=${BUILDMAN_OUT_DIR}/u-boot.bin
+# Path to the toolchain file that generated by buildman
+TOOLCHAIN_INFO_FILE=${BUILDMAN_OUT_DIR}/toolchain
+
+MBEDTLS_DIR=/tmp/mbedtls
+TFA_DIR=/tmp/tfa-fh
+OPTEE_DIR=/tmp/optee_os
+OPTEE_OUT_DIR=${OPTEE_DIR}/out/arm-plat-vexpress/core
+BL32_BIN=${OPTEE_OUT_DIR}/tee-header_v2.bin
+BL32_EXTRA1_BIN=${OPTEE_OUT_DIR}/tee-pager_v2.bin
+BL32_EXTRA2_BIN=${OPTEE_OUT_DIR}/tee-pageable_v2.bin
+
+if [[ "$BOARD" != "qemu_arm64" || "$ID" != "fw_handoff_tfa_optee" ]]; then
+ exit 0
+fi
+
+if [ -f "$TOOLCHAIN_INFO_FILE" ]; then
+ # Extract path and cross prefix of the toolchain
+ TOOLCHAIN_PATH=$(grep '^path ' "$TOOLCHAIN_INFO_FILE" | cut -d' ' -f2)
+ TOOLCHAIN_PREFIX=$(grep '^cross ' "$TOOLCHAIN_INFO_FILE" | cut -d' ' -f2)
+ TOOLCHAIN_NAME="${TOOLCHAIN_PATH}/${TOOLCHAIN_PREFIX}"
+ echo "Extracted toolchain: $TOOLCHAIN_NAME"
+else
+ echo "ERROR: toolchain info file not found!"
+ exit 1
+fi
+
+# Set the same toolchain used by buildman for building
+CROSS="CROSS_COMPILE=$TOOLCHAIN_NAME"
+
+# Get TF-A (v2.13.0) and MbedTLS (v3.6)
+git clone --depth=1 --branch mbedtls-3.6 https://github.com/ARMmbed/mbedtls.git ${MBEDTLS_DIR}
+git clone --depth=1 --branch v2.13.0 https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git ${TFA_DIR}
+
+make -C ${TFA_DIR} \
+ ${CROSS} \
+ PLAT=qemu \
+ BL33=${BL33_BIN} \
+ BL32=${BL32_BIN} \
+ BL32_EXTRA1=${BL32_EXTRA1_BIN} \
+ BL32_EXTRA2=${BL32_EXTRA2_BIN} \
+ BL32_RAM_LOCATION=tdram SPD=opteed \
+ TRANSFER_LIST=1 E=0 \
+ TRUSTED_BOARD_BOOT=1 \
+ GENERATE_COT=1 \
+ CREATE_KEYS=1 \
+ DECRYPTION_SUPPORT=aes_gcm \
+ ENCRYPT_BL31=1 \
+ ENCRYPT_BL32=1 \
+ ENABLE_STACK_PROTECTOR=strong \
+ KEY_ALG=rsa \
+ KEY_SIZE=4096 \
+ MEASURED_BOOT=1 \
+ EVENT_LOG_LEVEL=10 \
+ KEY_ALG=rsa \
+ MBOOT_EL_HASH_ALG=sha256 \
+ MBEDTLS_DIR=${MBEDTLS_DIR} \
+ all fip
+
+TFA_OUT_DIR=${TFA_DIR}/build/qemu/release
+dd if=${TFA_OUT_DIR}/bl1.bin of=${TFA_OUT_DIR}/flash.bin bs=4096 conv=notrunc
+dd if=${TFA_OUT_DIR}/fip.bin of=${TFA_OUT_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
+cp ${TFA_OUT_DIR}/bl1.bin ${TFA_OUT_DIR}/fip.bin ${TFA_OUT_DIR}/flash.bin /tmp/
-- 2.25.1
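Review bot: `ID=$4` reads the fourth positional argument, but the usage comment in the header and both CI call sites (the .azure-pipelines.yml and .gitlab-ci.yml hunks) pass exactly three, so `$ID` is always empty, the `fw_handoff_tfa_optee` comparison can never match and the script silently `exit 0`s without building anything; it should be `ID=$3`. `KEY_ALG=rsa` is passed to make twice (once after `ENABLE_STACK_PROTECTOR=strong`, again after `EVENT_LOG_LEVEL=10`), so one of the two should be dropped. The sources are cloned into fixed, predictable paths (`/tmp/mbedtls`, `/tmp/tfa-fh`), which `git clone` will refuse to reuse on a runner with a stale checkout and which any other user of a shared runner could pre-create, and `mbedtls-3.6` appears to be a branch name rather than a release tag, so the resulting flash.bin is not reproducible; a `mktemp -d` work directory and a pinned tag or commit would be the safer choice. `OPTEE_DIR=/tmp/optee_os` is only referenced for the BL32 inputs and is never cloned or built in this script, so a guard such as `[[ -f "$BL32_BIN" ]] || { echo "ERROR: OP-TEE binaries not found in $OPTEE_OUT_DIR" >&2; exit 1; }` before the make would fail early with a clear message rather than deep inside the TF-A build.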