TF-A/Hafnium v2.15.0 release updates (FVP)

[odeprez]

No description provided.

[odeprez]

OP-TEE/manifest#346

[odeprez]

This might require bumping the model version if it exists in a CI.

[gyuri-szing]

It seems the OP-TEE CI runs validation only in QEMU and the CI concern is not valid.

I think running tests on the AEM base FVP in the CI could be enabled now as it has became freely available from here. But this is out of scope for this change.

[jforissier]

It seems the OP-TEE CI runs validation only in QEMU and the CI concern is not valid.

Correct.

I think running tests on the AEM base FVP in the CI could be enabled now as it has became freely available from here. But this is out of scope for this change.

+1. That's interesting.

[odeprez]

About measured boot:

MEASURED_BOOT=y requires cmake needed to build libeventlog hosted as a TF-A submodule. It may require a docker file update if built in a CI.

MEASURED_BOOT=y MEASURED_BOOT_FTPM=y breaks linux build with

GEN     out/arm/core/tee-raw.bin
make[1]: Leaving directory '/data_nvme0n1/olidep01/optee_fvp/linux'
make -C /data_nvme0n1/olidep01/optee_fvp/build/../linux LOCALVERSION= CROSS_COMPILE="/usr/bin/ccache /data_nvme0n1/olidep01/optee_fvp/build/../toolchains/aarch64/bin/aarch64-linux-gnu-" ARCH=arm64 M=drivers/char/tpm  \
	modules_install INSTALL_MOD_PATH=/data_nvme0n1/olidep01/optee_fvp/build/../linux
make[1]: Entering directory '/data_nvme0n1/olidep01/optee_fvp/linux'
make[2]: Entering directory '/data_nvme0n1/olidep01/optee_fvp/linux/drivers/char/tpm'
make[4]: *** No rule to make target '/data_nvme0n1/olidep01/optee_fvp/build/../linux/lib/modules/6.18.0-gcf6e3218c251/updates/drivers/char/tpm/tpm_tis_core.ko', needed by 'depmod'.  Stop.
make[3]: *** [/data_nvme0n1/olidep01/optee_fvp/linux/Makefile:1916: modules_install] Error 2
make[2]: *** [/data_nvme0n1/olidep01/optee_fvp/linux/Makefile:248: __sub-make] Error 2
make[2]: Leaving directory '/data_nvme0n1/olidep01/optee_fvp/linux/drivers/char/tpm'
make[1]: *** [Makefile:248: __sub-make] Error 2
make[1]: Leaving directory '/data_nvme0n1/olidep01/optee_fvp/linux'
make: *** [Makefile:198: linux-ftpm-module] Error 2
make: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/data_nvme0n1/olidep01/optee_fvp/optee_os'
nonroot@56c3f4401d25:/data_nvme0n1/olidep01/optee_fvp/build$ 

MEASURED_BOOT=y MEASURED_BOOT_FTPM=n crashes at boot time

NOTICE:  Booting Trusted Firmware
NOTICE:  BL1: v2.14.0(release):v2.14.0
NOTICE:  BL1: Built : 12:00:29, Jun  1 2026
NOTICE:  BL1: Booting BL2
NOTICE:  BL2: v2.14.0(release):v2.14.0
NOTICE:  BL2: Built : 12:00:34, Jun  1 2026
ERROR:   Unable to write Event Log data to TOS_FW_CONFIG
ERROR:   bl2_plat_mboot_finish(): Unable to update TOS_FW_CONFIG

PANIC at PC : 0x000000000402c94c

Command lines above assume SPMC_AT_EL=2
This happens already with upstream without this change.

[odeprez]

I observe this while booting linux

[ 6.056193] optee: probing for conduit method.
[ 6.056233] optee: api uid mismatch
[ 6.056279] optee firmware:optee: probe with driver optee failed with error -22
[ 6.056857] optee: revision 4.10 (a067036f)
[ 6.078576] optee: initialized driver

This happens already with upstream without this change.

[jenswikl]

Does this break upstream, or is upstream already broken?

[odeprez]

Does this break upstream, or is upstream already broken?

Hi, I retried current v2.14 based integration and it already exhibits both the issues from above.

I fixed MEASURED_BOOT=y MEASURED_BOOT_FTPM=n with an additional change adding a tpm event log node to the SPMC manifest.