Board qemu_arm_vexpress_tz builds a QEMU ARMv7-A target system with
OP-TEE running in the TrustZone secure world and a Linux-based
OS running in the non-secure world. The board configuration enables
builds of the QEMU host ARM target emulator.

  make qemu_arm_vexpress_tz_defconfig
  make

The BIOS used in the QEMU host is the ARM Trusted Firmware-A (TF-A).
In our configuration, U-Boot uses QEMU semihosting file access to load the
kernel and rootfs image files. For this reason the emulation needs to be run
from the image directory:

  cd output/images && ../host/bin/qemu-system-arm \
	-machine virt -machine secure=on -cpu cortex-a15 \
	-smp 1 -s -m 1024 -d unimp \
	-serial stdio \
	-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
	-semihosting-config enable,target=native \
	-bios flash.bin # qemu_arm_vexpress_tz_defconfig

The boot stage traces (if any) followed by the login prompt will appear
in the terminal that started QEMU.

If you want to emulate more cores, use "-smp {1|2|3|4}" to select the
number of cores.

Note: "-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic"
brings network support, which is used e.g. by the OP-TEE regression tests.


-- Boot Details --

TF-A is used as the QEMU BIOS. Its BL1 image boots and loads its BL2 image. In
turn, BL2 loads OP-TEE as the secure world (ARMv7-A BL32 stage) and U-Boot as
the non-secure bootloader (BL33 stage).

QEMU natively hosts and loads in RAM the QEMU ARM target device tree. OP-TEE
reads and modifies its content according to the OP-TEE configuration.

Enable TF-A traces by setting LOG_LEVEL (e.g. LOG_LEVEL=40) in
BR2_TARGET_ARM_TRUSTED_FIRMWARE_ADDITIONAL_VARIABLES.


-- OP-TEE Traces --

Secure boot stages and/or secure runtime services may use a serial link for
their traces.

The ARM Trusted Firmware outputs its traces on the QEMU standard (first)
serial interface.

The OP-TEE OS uses the QEMU second serial interface.

To get the OP-TEE OS traces, append a second -serial argument after
-serial stdio in the QEMU command line. For example, the following enables
2 serial consoles over telnet connections:

  cd output/images && ../host/bin/qemu-system-arm \
	-machine virt -machine secure=on -cpu cortex-a15 \
	-smp 1 -s -m 1024 -d unimp \
	-serial telnet:127.0.0.1:1235,server \
	-serial telnet:127.0.0.1:1236,server \
	-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
	-semihosting-config enable,target=native \
	-bios flash.bin

QEMU is now waiting for the telnet connections. From another shell, open a
telnet connection on the port for the U-Boot and Linux consoles:

  telnet 127.0.0.1 1235

and again for the secure console:

  telnet 127.0.0.1 1236


-- Using gdb --

One can debug the OP-TEE secure world using GDB through the QEMU host.
To do so, simply run the qemu-system-arm emulation, then run a GDB client
and connect to the QEMU internal GDB server.

The example below assumes we run QEMU and the GDB client from the same
host computer. We use option -S of qemu-system-arm to make QEMU
wait for the GDB continue instruction before booting the images.

From a first shell:
  cd output/images && ../host/bin/qemu-system-arm \
	-machine virt -machine secure=on -cpu cortex-a15 \
	-smp 1 -s -m 1024 -d unimp \
	-serial stdio \
	-netdev user,id=vmnic -device virtio-net-device,netdev=vmnic \
	-semihosting-config enable,target=native \
	-bios flash.bin \
	-S

From a second shell:
  ./output/host/bin/arm-linux-gdb
  GNU gdb (GNU Toolchain for the A-profile Architecture 8.2-2018-08 (arm-rel-8.23)) 8.1.1.20180704-git
  Copyright (C) 2018 Free Software Foundation, Inc.
  ...
  For help, type "help".
  Type "apropos word" to search for commands related to "word".
  (gdb)

From this GDB console, connect to the target, load the OP-TEE core symbols,
set a breakpoint to its entry point (__text_start) and start emulation:

  (gdb) target remote 127.0.0.1:1234
  (gdb) symbol-file ./output/build/optee-os-<reference>/out/core/tee.elf
  (gdb) hbreak __text_start
  Hardware assisted breakpoint 1 at 0xe100000: file core/arch/arm/kernel/generic_entry_a32.S, line 246.
  (gdb) cont
  Continuing.

  Thread 1 hit Breakpoint 1, _start () at core/arch/arm/kernel/generic_entry_a32.S:246
  246		bootargs_entry
  (gdb)

Emulation has started: TF-A has loaded the OP-TEE and U-Boot images in memory
and has booted OP-TEE. Emulation stopped at the OP-TEE core entry.

Note: QEMU hosts a GDB service listening on TCP port 1234, as set through
qemu-system-arm command line option -s.

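Added example (not part of the Buildroot readme or of Buildroot itself): -s is
QEMU shorthand for "-gdb tcp::1234", which names no bind address, so the GDB
stub is not limited to loopback the way the telnet consoles above are. The
sketch below builds the same argument list with an explicit loopback address
for the stub and both consoles; the function names and the "run" argument are
hypothetical.

```shell
#!/bin/sh
# Added example, not Buildroot code. Function names are hypothetical.
# Builds the qemu-system-arm arguments from this readme with the GDB stub
# and both serial consoles bound to an explicit loopback address.

# Succeeds only for the loopback names this sketch accepts.
is_loopback() {
    case "$1" in
        127.0.0.1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# qemu_tz_args CORES [BIND_ADDR] [wait]
# Prints the argument list; returns non-zero on invalid input.
qemu_tz_args() {
    cores="$1"; addr="${2:-127.0.0.1}"; hold="${3:-}"
    case "$cores" in
        1|2|3|4) ;;
        *) echo "cores must be 1..4" >&2; return 1 ;;
    esac
    if ! is_loopback "$addr"; then
        echo "refusing non-loopback debug address: $addr" >&2
        return 1
    fi
    args="-machine virt -machine secure=on -cpu cortex-a15"
    args="$args -smp $cores -m 1024 -d unimp"
    # Explicit bind address instead of -s (shorthand for -gdb tcp::1234).
    args="$args -gdb tcp:$addr:1234"
    # First serial: TF-A, U-Boot and Linux. Second serial: OP-TEE OS.
    args="$args -serial telnet:$addr:1235,server"
    args="$args -serial telnet:$addr:1236,server"
    args="$args -netdev user,id=vmnic -device virtio-net-device,netdev=vmnic"
    args="$args -semihosting-config enable,target=native -bios flash.bin"
    # -S holds the CPUs until GDB sends "cont".
    [ "$hold" = "wait" ] && args="$args -S"
    printf '%s\n' "$args"
}

# Launch only when called as: sh <this script> run [CORES]
if [ "${1:-}" = "run" ]; then
    launch_args=$(qemu_tz_args "${2:-1}" 127.0.0.1 wait) || exit 1
    # Word splitting of $launch_args is intended here.
    cd output/images && exec ../host/bin/qemu-system-arm $launch_args
fi
```
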
Note: To build the GDB server, the following extra options have to be added to
the Buildroot configuration:

    BR2_ENABLE_DEBUG=y
    BR2_PACKAGE_GDB=y
    BR2_PACKAGE_HOST_GDB=y
    BR2_TOOLCHAIN_BUILDROOT_CXX=y
    BR2_TOOLCHAIN_BUILDROOT_GLIBC=y