shrinkwrap-tool 2026.2.1__py3-none-any.whl

shrinkwrap/config/arch/v8.5.yaml

@@ -0,0 +1,29 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv8.5 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v8.4.yaml
+
+build:
+  tfa:
+    params:
+      ARM_ARCH_MAJOR: 8
+      ARM_ARCH_MINOR: 5
+      BRANCH_PROTECTION: 1
+
+run:
+  params:
+    -C cluster0.has_arm_v8-5: 1
+    -C cluster1.has_arm_v8-5: 1
+    -C cluster0.has_branch_target_exception: 1                        # Implement Branch target identification mechanism from ARMv8.5 (FEAT_BTI). 1:feature is implemented if ARMv8.5 is enabled.
+    -C cluster1.has_branch_target_exception: 1
+    -C cluster0.has_rndr: 1                                           # Implement random number instructions to read from RNDR and RNDRSS random number registers from ARMv8.5 (FEAT_RNG). 1:feature is implemented if ARMv8.5 is enabled.
+    -C cluster1.has_rndr: 1

shrinkwrap/config/arch/v8.6.yaml

@@ -0,0 +1,28 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv8.6 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v8.5.yaml
+
+build:
+  tfa:
+    params:
+      ARM_ARCH_MAJOR: 8
+      ARM_ARCH_MINOR: 6
+
+run:
+  params:
+    -C cluster0.has_arm_v8-6: 1
+    -C cluster1.has_arm_v8-6: 1
+    -C cluster0.ecv_support_level: 2                                  # Implement Enhanced Counter Virtualization feature from ARMv8.6. 2:fully supported with CNTPOFF (FEAT_ECV).
+    -C cluster1.ecv_support_level: 2
+    -C cluster0.enhanced_pac2_level: 3                                # Implements Enhanced PAC2 from ARMv8.6 (FEAT_PAuth2). This feature is mandatory for ARMv8.6 but can be cherrypicked to a ARMv8.3(or greater) implementation. 3:EnhancedPAC2 with FPACCombined.
+    -C cluster1.enhanced_pac2_level: 3

shrinkwrap/config/arch/v8.7.yaml

@@ -0,0 +1,24 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv8.7 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v8.6.yaml
+
+build:
+  tfa:
+    params:
+      ARM_ARCH_MAJOR: 8
+      ARM_ARCH_MINOR: 7
+
+run:
+  params:
+    -C cluster0.has_arm_v8-7: 1
+    -C cluster1.has_arm_v8-7: 1

shrinkwrap/config/arch/v8.8.yaml

@@ -0,0 +1,31 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv8.8 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v8.7.yaml
+
+build:
+  tfa:
+    params:
+      ARM_ARCH_MAJOR: 8
+      ARM_ARCH_MINOR: 8
+
+run:
+  params:
+    -C cluster0.has_arm_v8-8: 1
+    -C cluster1.has_arm_v8-8: 1
+    -C cluster0.has_const_pac: 1                                      # Feature for singular selection of PAC field (FEAT_CONSTPACFIELD). 1:feature is implemented if Armv8.8 is enabled.
+    -C cluster1.has_const_pac: 1
+    -C cluster0.has_hpmn0: 1                                          # Allow hypervisor to set MDCR_EL2.HPMN to 0 (FEAT_HPMN0). 1:feature is implemented if Armv8.8 is enabled.
+    -C cluster1.has_hpmn0: 1
+    -C cluster0.pmb_idr_external_abort: 1                             # Describes how the PE manages External aborts on writes made by the Statistical Profiling Extension to the Profiling Buffer. (From Armv8.8 and Armv9.3, the value 0 is not permitted) 1: External abort is ignored.
+    -C cluster1.pmb_idr_external_abort: 1
+    -C gic_distributor.has_nmi: 1

shrinkwrap/config/arch/v8.9.yaml

@@ -0,0 +1,32 @@
+# Copyright (c) 2023, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv8.9 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v8.8.yaml
+
+build:
+  tfa:
+    params:
+      ARM_ARCH_MAJOR: 8
+      ARM_ARCH_MINOR: 9
+
+run:
+  params:
+    -C cluster0.has_arm_v8-9: 1
+    -C cluster1.has_arm_v8-9: 1
+    -C cluster0.has_permission_indirection_s1: 1
+    -C cluster1.has_permission_indirection_s1: 1
+    -C cluster0.has_permission_indirection_s2: 1
+    -C cluster1.has_permission_indirection_s2: 1
+    -C cluster0.has_permission_overlay_s1: 1
+    -C cluster1.has_permission_overlay_s1: 1
+    -C cluster0.has_permission_overlay_s2: 1
+    -C cluster1.has_permission_overlay_s2: 1

shrinkwrap/config/arch/v9.0.yaml

@@ -0,0 +1,29 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv9.0 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v8.5.yaml
+
+build:
+  tfa:
+    params:
+      ARM_ARCH_MAJOR: 9
+      ARM_ARCH_MINOR: 0
+      CTX_INCLUDE_AARCH32_REGS: 0
+
+run:
+  params:
+    -C cluster0.has_arm_v9-0: 1
+    -C cluster1.has_arm_v9-0: 1
+    -C cluster0.max_32bit_el: 0                                       # Maximum exception level supporting AArch32 modes. -1: No Support for A32 at any EL, x:[0:3] - All the levels below supplied ELx supports A32
+    -C cluster1.max_32bit_el: 0
+    -C cluster0.sve.has_sve2: 1                                       # Whether SVE2 is implemented (FEAT_SVE2).
+    -C cluster1.sve.has_sve2: 1

shrinkwrap/config/arch/v9.1.yaml

@@ -0,0 +1,25 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv9.1 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v8.6.yaml
+  - arch/v9.0.yaml
+
+build:
+  tfa:
+    params:
+      ARM_ARCH_MAJOR: 9
+      ARM_ARCH_MINOR: 1
+
+run:
+  params:
+    -C cluster0.has_arm_v9-1: 1
+    -C cluster1.has_arm_v9-1: 1

shrinkwrap/config/arch/v9.2.yaml

@@ -0,0 +1,29 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv9.2 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v8.7.yaml
+  - arch/v9.1.yaml
+
+build:
+  tfa:
+    params:
+      ARM_ARCH_MAJOR: 9
+      ARM_ARCH_MINOR: 2
+
+run:
+  params:
+    -C cluster0.has_arm_v9-2: 1
+    -C cluster1.has_arm_v9-2: 1
+    -C cluster0.has_brbe: 1                                           # If true, implements branch record buffer extension (FEAT_BRBE).
+    -C cluster1.has_brbe: 1
+    -C cluster0.sve.has_sme: 1                                        # Whether SME is implemented
+    -C cluster1.sve.has_sme: 1

shrinkwrap/config/arch/v9.3.yaml

@@ -0,0 +1,23 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv9.3 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v8.8.yaml
+  - arch/v9.2.yaml
+
+run:
+  params:
+    -C cluster0.has_arm_v9-3: 1
+    -C cluster1.has_arm_v9-3: 1
+    -C cluster0.has_brbe_v1p1: 1                                      # If true, implements FEAT_BRBEv1p1.
+    -C cluster1.has_brbe_v1p1: 1
+    -C cluster0.sve.has_sme2: 1                                       # Whether SME2 is implemented (FEAT_SME2)
+    -C cluster1.sve.has_sme2: 1

shrinkwrap/config/arch/v9.4.yaml

@@ -0,0 +1,21 @@
+# Copyright (c) 2023, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv9.4 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v8.9.yaml
+  - arch/v9.3.yaml
+
+run:
+  params:
+    -C cluster0.has_arm_v9-4: 1
+    -C cluster1.has_arm_v9-4: 1
+    -C cluster0.has_gcs: 1
+    -C cluster1.has_gcs: 1

shrinkwrap/config/arch/v9.5.yaml

@@ -0,0 +1,20 @@
+# Copyright (c) 2023, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Implements all mandatory requirements and features as well as a sensible
+  selection of optional ones for the Armv9.5 architecture extension within the
+  Base_RevC-2xAEMvA FVP. Intended for use as an overlay to
+  FVP_Base_RevC-2xAEMvA-base.yaml.
+
+layers:
+  - arch/v9.4.yaml
+
+run:
+  params:
+    -C cluster0.has_arm_v9-5: 1
+    -C cluster1.has_arm_v9-5: 1
+    -C cluster0.has_lsfe: 1
+    -C cluster1.has_lsfe: 1

shrinkwrap/config/bootwrapper.yaml

@@ -0,0 +1,76 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Best choice for: I have a linux-system.axf boot-wrapper and want to run it.
+
+  Build to wrap a provided kernel with boot-wrapper EL3 FW into
+  linux-system.axf. Provide the kernel image via the KERNEL btvar, and
+  optionally override the kernel command line by providing the CMDLINE btvar.
+
+  Then run the boot-wrapper (or pass a separately created one as the BOOTWRAPPER
+  rtvar) in the FVP. A ROOTFS can be optionally provided. If present it is
+  loaded into the virtio block device (/dev/vda).
+
+concrete: true
+
+layers:
+  - FVP_Base_RevC-2xAEMvA-base.yaml
+  - dt-base.yaml
+
+build:
+  bootwrapper:
+    repo:
+      remote: https://git.kernel.org/pub/scm/linux/kernel/git/mark/boot-wrapper-aarch64.git
+      revision: master
+
+    toolchain: aarch64-linux-gnu-
+
+    prebuild:
+      - autoreconf -i
+      - ./configure --host=aarch64-linux-gnu --enable-gicv3 --with-dtb="${btvar:DTB}" --with-kernel-image="${btvar:KERNEL}" --with-cmdline="${btvar:CMDLINE}"
+
+    build:
+      - make -j${param:jobs}
+
+    artifacts:
+      BOOTWRAPPER: ${param:sourcedir}/linux-system.axf
+
+buildex:
+  btvars:
+    DTB:
+      type: path
+      value: ${artifact:DTB}
+
+    KERNEL:
+      type: path
+      value: null
+
+    CMDLINE:
+      type: string
+      value: console=ttyAMA0 earlycon=pl011,0x1c090000 root=/dev/vda ip=dhcp
+
+run:
+  rtvars:
+    BOOTWRAPPER:
+      type: path
+      value: ${artifact:BOOTWRAPPER}
+
+    ROOTFS:
+      type: path
+      value: ''
+
+  params:
+    -C pctl.startup: '*.*.*.*'
+    -C bp.secure_memory: 0
+    -a cluster*.cpu*: ${rtvar:BOOTWRAPPER}
+    -C bp.virtioblockdevice.image_path: ${rtvar:ROOTFS}
+    -C bp.pl011_uart0.shutdown_tag: '"System halted"'
+
+  terminals:
+    bp.terminal_0:
+      friendly: ''
+      type: stdinout
+      no_color: true

shrinkwrap/config/buildroot-cca.yaml

@@ -0,0 +1,113 @@
+# Copyright (c) 2024, Linaro Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Integrate tools for CCA into the buildroot image:
+  - cca-workload-attestation to display an attestation token or send it to a
+    verifier.
+    https://git.codelinaro.org/linaro/dcap/cca-demos/cca-workload-attestation-poc
+  - keybroker-demo to demonstrate remote attestation for downloading secrets.
+    https://github.com/veraison/keybroker-demo/
+  - cca-realm-measurements to generate a DTB and run a VMM.
+    https://github.com/veraison/cca-realm-measurements
+  - kvmtool and QEMU to run Realm VMs.
+  - Automatically mount the shared 9p folder to /mnt, mount configfs for
+    attestation, and create a tap interface.
+
+  Use it with:
+
+  .. code-block:: shell
+    $ shrinkwrap build cca-3world.yaml --overlay buildroot-cca.yaml
+    $ shrinkwrap run cca-3world.yaml
+
+  In the host, launch a VM with:
+
+  .. code-block:: shell
+    $ gen-run-vmm.sh [--kvmtool]
+
+  In the guest, you can obtain an attestation token, and send it to a verifier:
+
+  .. code-block:: shell
+    $ cca-workload-attestation report
+    {
+      "cca-platform-token": {
+      ...
+    $ cca-workload-attestation passport
+    {
+      "ear.verifier-id": {
+        "build": "N/A",
+        "developer": "Veraison Project"
+      },
+      ...
+
+  You can also obtain a key from a keybroker running locally that performs
+  attestation. Run the keybroker-server on the build machine, using the
+  external IP of the build machine to be accessible from the keybroker-app (in
+  this case 192.168.0.10 on a local network):
+
+  .. code-block:: shell
+    $ keybroker-server -e http://192.168.0.10 -v -a 0.0.0.0
+
+  In the guest, connect to the server
+
+  .. code-block:: shell
+    $ keybroker-app -v -e http://192.168.0.10:8088 skywalker
+
+layers:
+  - buildroot.yaml
+
+build:
+  linux:
+    prebuild:
+      # We extend buildroot with an initscript that creates a macvtap interface,
+      # so enable it in the kernel
+      - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_MACVLAN --enable CONFIG_MACVTAP
+
+  buildroot-external-cca:
+    repo:
+      remote: https://git.codelinaro.org/linaro/dcap/buildroot-external-cca.git
+      revision: cca/v8
+
+    artifacts:
+      BUILDROOT_EXTERNAL_CCA:
+        path: ${param:sourcedir}
+        export: false
+
+  buildroot:
+    repo:
+      remote: https://github.com/buildroot/buildroot.git
+      revision: 2024.08.2
+
+    prebuild:
+      - make BR2_JLEVEL=${param:jobs} O=${param:builddir} BR2_EXTERNAL=${artifact:BUILDROOT_EXTERNAL_CCA} cca_defconfig
+
+      # gen-vmm-run.sh configuration for the shrinkwrap package/ layout
+      - cat <<EOF> ${param:builddir}/gen-run-vmm.cfg
+      - KERNEL=/mnt/Image
+      - INITRD=/mnt/rootfs.cpio
+      - EDK2_DIR=/mnt/
+      - RUN_DISK=/mnt/guest-disk.img
+      - EOF
+
+      - sed -i '\@BR2_PACKAGE_CCA_REALM_MEASUREMENTS_CFG@s@=.*@="\${param:builddir}/gen-run-vmm.cfg"@' ${param:builddir}/.config
+
+    artifacts:
+      GUEST_INITRD: ${param:builddir}/images/rootfs.cpio
+
+buildex:
+  btvars:
+    GUEST_ROOTFS:
+      type: path
+      value: ${artifact:BUILDROOT}
+
+run:
+  rtvars:
+    ROOTFS:
+      type: path
+      value: ${artifact:BUILDROOT}
+
+    SHARE:
+      type: path
+      value: ${param:packagedir}

shrinkwrap/config/buildroot.yaml

@@ -0,0 +1,54 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Generates a very simple rootfs as an ext2/4 image. Higher layers can modify
+  the buildroot config by adding commands to prebuild.
+
+concrete: true
+
+build:
+  buildroot:
+    repo:
+      remote: https://github.com/buildroot/buildroot.git
+      revision: 2025.08.1
+
+    toolchain: aarch64-linux-gnu-
+
+    stderrfilt: true
+
+    prebuild:
+      # Building with the Docker runtime on macOS will fail while configuring
+      # host-tar unless this variable is set.
+      - export FORCE_UNSAFE_CONFIGURE=1
+
+      # Start from default config, but allow higher level layers to modify it.
+      - make BR2_JLEVEL=${param:jobs} O=${param:builddir} BR2_DEFCONFIG=${param:configdir}/buildroot.config defconfig
+      # Uncomment the below line if you want to regenerate the defconfig and
+      # save it to ${param:configdir}/buildroot.config
+      # - make BR2_JLEVEL=${param:jobs} O=${param:builddir} BR2_DEFCONFIG=${param:configdir}/buildroot.config savedefconfig
+
+    build:
+      # Fakeroot takes a while to start when the file descriptor limit is high.
+      # Reduce it to significantly accelerate the build.
+      # - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920913
+      # - https://github.com/moby/moby/issues/45436
+      - saved_limit=$$(ulimit -S -n)
+      - new_limit=4096
+      - if [ "$$new_limit" -lt "$$saved_limit" ]; then
+      -   ulimit -S -n "$$new_limit"
+      - fi
+
+      # Build.
+      - make BR2_JLEVEL=${param:jobs} O=${param:builddir}
+
+      # Restore the previous file limit
+      - ulimit -S -n "$$saved_limit"
+
+    artifacts:
+      BUILDROOT: ${param:builddir}/images/rootfs.ext2
+      # Some scripts including test.py in shrinkwrap might depend on the
+      # rootfs.ext4 which is just symlink to rootfs.ext2, copy that too
+      BUILDROOT_EXT4: ${param:builddir}/images/rootfs.ext4