On Tue, Sep 16, 2025 at 09:14:18AM -0700, Raymond Mao wrote: > Add a script which is running after buildman to fetch TF-A (v2.13.0) > with MbedTLS (v3.6) and build 'flash.bin', linking built U-Boot as > BL33 and OP-TEE as BL32, with both Firmware Handoff and Measured Boot > enabled. > > Signed-off-by: Raymond Mao <raymond....@linaro.org> > --- > .azure-pipelines.yml | 1 + > .gitlab-ci.yml | 1 + > tools/post_build_tfa_fw_handoff.sh | 87 ++++++++++++++++++++++++++++++ > 3 files changed, 89 insertions(+) > create mode 100755 tools/post_build_tfa_fw_handoff.sh > > diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml > index 8209d2b329c..eb547606ddd 100644 > --- a/.azure-pipelines.yml > +++ b/.azure-pipelines.yml > @@ -290,6 +290,7 @@ stages: > cp /opt/grub/grubriscv64.efi > \${UBOOT_TRAVIS_BUILD_DIR}/grub_riscv64.efi > cp /opt/grub/grubaa64.efi \${UBOOT_TRAVIS_BUILD_DIR}/grub_arm64.efi > cp /opt/grub/grubarm.efi \${UBOOT_TRAVIS_BUILD_DIR}/grub_arm.efi > + ./tools/post_build_tfa_fw_handoff.sh \${UBOOT_TRAVIS_BUILD_DIR} > \${TEST_PY_BD} \${TEST_PY_ID} > # create sdcard / spi-nor images for sifive unleashed using > genimage > if [[ "\${TEST_PY_BD}" == "sifive_unleashed" ]]; then > mkdir -p root; > diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml > index 85401d3e09b..61e4af96c9a 100644 > --- a/.gitlab-ci.yml > +++ b/.gitlab-ci.yml > @@ -79,6 +79,7 @@ stages: > - cp /opt/grub/grubriscv64.efi $UBOOT_TRAVIS_BUILD_DIR/grub_riscv64.efi > - cp /opt/grub/grubaa64.efi $UBOOT_TRAVIS_BUILD_DIR/grub_arm64.efi > - cp /opt/grub/grubarm.efi $UBOOT_TRAVIS_BUILD_DIR/grub_arm.efi > + - ./tools/post_build_tfa_fw_handoff.sh ${UBOOT_TRAVIS_BUILD_DIR} > ${TEST_PY_BD} ${TEST_PY_ID} > # create sdcard / spi-nor images for sifive unleashed using genimage > - if [[ "${TEST_PY_BD}" == "sifive_unleashed" ]]; then > mkdir -p root; > diff --git a/tools/post_build_tfa_fw_handoff.sh > b/tools/post_build_tfa_fw_handoff.sh > new file mode 100755 > index 00000000000..f876db593ba > --- /dev/null 
> +++ b/tools/post_build_tfa_fw_handoff.sh
The "is this a valid board" check should be in the pipeline file (like where we do all the other board-specific things) instead of the helper script. > @@ -0,0 +1,87 @@ > +#!/bin/bash > +# SPDX-License-Identifier: GPL-2.0+ > +# > +# Copyright (c) 2025 Linaro Limited > +# Author: Raymond Mao <raymond....@linaro.org> > +# > +# CI Post-buildman script for building TF-A 'flash.bin' with Measured > +# Boot and Firmware Handoff enabled. > +# > +# Usage: from the top level U-Boot source tree, run: > +# $ ./tools/post_build_tfa_fw_handoff.sh ${UBOOT_TRAVIS_BUILD_DIR} \ > +# ${TEST_PY_BD} ${TEST_PY_ID} > +# > +# 'bl1.bin', 'fip.bin' and 'flash.bin' will be generated and copied > +# to /tmp. > + > +set -e > + > +BUILDMAN_OUT_DIR=$(realpath "$1") > +BOARD=$2 > +ID=$4 > +echo "Buildman Outdir: $BUILDMAN_OUT_DIR, Board: $BOARD, ID: $ID" Can we not use fiptool to update the contents of a file here? And build as much as possible in the Dockerfile, like we do for vexpress? -- Tom
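Review bot: In the .azure-pipelines.yml and .gitlab-ci.yml hunks, the new `./tools/post_build_tfa_fw_handoff.sh` call is added with no board condition, unlike the `if [[ "${TEST_PY_BD}" == "sifive_unleashed" ]]` step directly below it, so the script is invoked for every board this job tests and the decision whether to build anything is left to the script. Suggest guarding the call on `${TEST_PY_BD}` in both pipeline files, next to the other board-specific steps, and quoting the three arguments at the call site so an empty `${TEST_PY_ID}` still arrives as its own positional argument.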
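Review bot: `ID=$4` in tools/post_build_tfa_fw_handoff.sh reads a fourth positional argument, but the usage comment in the header and both CI call sites pass only three (`${UBOOT_TRAVIS_BUILD_DIR} ${TEST_PY_BD} ${TEST_PY_ID}`), so `ID` is always empty; this should be `ID=$3`. Because the script sets only `set -e`, the unset parameter expands silently and the `echo` prints an empty ID; suggest `set -eu` or an explicit argument-count check before `realpath "$1"`, and quoting the assignments as `BOARD="$2"`. The header also says the outputs are copied to /tmp under fixed names; a directory under the build dir passed as `$1` would keep each job's `bl1.bin`, `fip.bin` and `flash.bin` separate.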