Board qemu_arm_vexpress_tz builds a QEMU ARMv7-A target system with
OP-TEE running in the TrustZone secure world and a Linux based
OS running in the non-secure world. The board configuration also enables
the build of the QEMU host emulator for ARM targets.

  make qemu_arm_vexpress_tz_defconfig
  make

The BIOS used in the QEMU host is the ARM Trusted Firmware-A (TF-A).
In our configuration, U-Boot uses QEMU semihosting file access to load the
kernel and rootfs image files. For this reason the emulation needs to be run
from the image directory:

  cd output/images && ../host/bin/qemu-system-arm \
    -machine virt -machine secure=on -cpu cortex-a15 \
    -smp 1 -s -m 1024 -d unimp \
    -serial stdio \
    -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
    -semihosting-config enable,target=native \
    -bios flash.bin # qemu_arm_vexpress_tz_defconfig

The boot stage traces (if any) followed by the login prompt will appear
in the terminal that started QEMU.

If you want to emulate more cores, use "-smp {1|2|3|4}" to select the
number of cores.

Note: "-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic"
brings network support that is used, for example, by the OP-TEE regression
tests.


-- Boot Details --

TF-A is used as the QEMU BIOS. Its BL1 image boots and loads its BL2 image.
In turn, this image loads the OP-TEE secure world (ARMv7-A BL32 stage) and
U-Boot as the non-secure bootloader (BL33 stage).

QEMU natively hosts and loads in RAM the QEMU ARM target device tree. OP-TEE
reads and modifies its content according to the OP-TEE configuration.

Enable TF-A traces by setting LOG_LEVEL (e.g. LOG_LEVEL=40) in
BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES.


-- OP-TEE Traces --

Secure boot stages and/or secure runtime services may use a serial link for
their traces.

The ARM Trusted Firmware outputs its traces on the QEMU standard (first)
serial interface.

The OP-TEE OS uses the QEMU second serial interface.

To get the OP-TEE OS traces, append a second -serial argument after
-serial stdio in the QEMU command line. For example, the following enables
2 serial consoles over telnet connections:

  cd output/images && ../host/bin/qemu-system-arm \
    -machine virt -machine secure=on -cpu cortex-a15 \
    -smp 1 -s -m 1024 -d unimp \
    -serial telnet:127.0.0.1:1235,server \
    -serial telnet:127.0.0.1:1236,server \
    -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
    -semihosting-config enable,target=native \
    -bios flash.bin

QEMU is now waiting for the telnet connections. From another shell, open a
telnet connection on the port for the U-Boot and Linux consoles:

  telnet 127.0.0.1 1235

and again for the secure console:

  telnet 127.0.0.1 1236


-- Using gdb --

One can debug the OP-TEE secure world using GDB through the QEMU host.
To do so, simply run the qemu-system-arm emulation, then run a GDB client
and connect to the QEMU internal GDB server.

The example below assumes we run QEMU and the GDB client from the same
host computer. We use option -S of qemu-system-arm to make QEMU
wait for the GDB continue instruction before booting the images.

From a first shell:
  cd output/images && ../host/bin/qemu-system-arm \
    -machine virt -machine secure=on -cpu cortex-a15 \
    -smp 1 -s -m 1024 -d unimp \
    -serial stdio \
    -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
    -semihosting-config enable,target=native \
    -bios flash.bin \
    -S

From a second shell:
  ./output/host/bin/arm-linux-gdb
  GNU gdb (GNU Toolchain for the A-profile Architecture 8.2-2018-08 (arm-rel-8.23)) 8.1.1.20180704-git
  Copyright (C) 2018 Free Software Foundation, Inc.
  ...
  For help, type "help".
  Type "apropos word" to search for commands related to "word".
  (gdb)

From this GDB console, connect to the target, load the OP-TEE core symbols,
set a breakpoint at its entry point (__text_start) and start emulation:

  (gdb) target remote 127.0.0.1:1234
  (gdb) symbol-file ./output/build/optee-os-<reference>/out/core/tee.elf
  (gdb) hbreak __text_start
  Hardware assisted breakpoint 1 at 0xe100000: file core/arch/arm/kernel/generic_entry_a32.S, line 246.
  (gdb) cont
  Continuing.

  Thread 1 hit Breakpoint 1, _start () at core/arch/arm/kernel/generic_entry_a32.S:246
  246       bootargs_entry
  (gdb)


Emulation has started, TF-A has loaded the OP-TEE and U-Boot images in memory
and has booted OP-TEE. Emulation stopped at the OP-TEE core entry.

Note: QEMU hosts a GDB service listening on TCP port 1234, as set through
the qemu-system-arm command line option -s.

Note: To build the GDB server, the following extra options have to be added to
the Buildroot configuration:

  BR2_ENABLE_DEBUG=y
  BR2_PACKAGE_GDB=y
  BR2_PACKAGE_HOST_GDB=y
  BR2_TOOLCHAIN_BUILDROOT_CXX=y
  BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
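
Before rebuilding, the debug settings this readme asks for (the GDB options
above and the TF-A LOG_LEVEL) can be checked against the Buildroot .config.
The script below is an added example, not part of Buildroot: the function
names and the sample .config fragment are constructed for illustration, and
it assumes the usual Kconfig line forms (NAME=y, "# NAME is not set",
NAME="string").

```sh
#!/bin/sh
# Added example, not part of Buildroot: report which debug settings named in
# this readme are missing from a Buildroot .config file.

# Options the readme lists for building GDB and the GDB server.
GDB_OPTS="BR2_ENABLE_DEBUG BR2_PACKAGE_GDB BR2_PACKAGE_HOST_GDB
BR2_TOOLCHAIN_BUILDROOT_CXX BR2_TOOLCHAIN_BUILDROOT_GLIBC"
TFA_VARS=BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES

# missing_gdb_opts CONFIG: print each listed option that is not set to y.
# Kconfig writes a disabled option as "# NAME is not set", so only an exact
# "NAME=y" line counts as enabled.
missing_gdb_opts() {
    for opt in $GDB_OPTS; do
        grep -qx "$opt=y" "$1" || printf '%s\n' "$opt"
    done
}

# tfa_log_level CONFIG: print the LOG_LEVEL value handed to the TF-A build,
# or nothing when the variable list does not set one.
tfa_log_level() {
    sed -n "s/^$TFA_VARS=\"\(.*\)\"\$/\1/p" "$1" |
        tr ' ' '\n' | sed -n 's/^LOG_LEVEL=//p' | tail -n 1
}

# check_debug_config CONFIG: print a report; return 1 if an option is missing.
check_debug_config() {
    missing=$(missing_gdb_opts "$1")
    level=$(tfa_log_level "$1")
    echo "TF-A LOG_LEVEL: ${level:-not set}"
    [ -z "$missing" ] && { echo "GDB options: all enabled"; return 0; }
    echo "GDB options missing:"; printf '  %s\n' $missing
    return 1
}

# Constructed sample .config fragment for trying the functions offline.
sample_config() {
    cat <<'EOF'
BR2_ENABLE_DEBUG=y
# BR2_PACKAGE_GDB is not set
BR2_PACKAGE_HOST_GDB=y
BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES="DEBUG=1 LOG_LEVEL=40"
EOF
}

# Usage: sh check.sh path/to/.config
if [ $# -gt 0 ]; then check_debug_config "$1"; fi
```

On the constructed sample, the check reports BR2_PACKAGE_GDB and
BR2_TOOLCHAIN_BUILDROOT_CXX as missing and a TF-A LOG_LEVEL of 40.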