shrinkwrap-tool 2026.2.1__py3-none-any.whl

shrinkwrap/config/cca-3world.yaml

@@ -0,0 +1,215 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Brings together a software stack to demonstrate Arm CCA running on FVP in a
+  three-world configuration. Includes TF-A in root world, RMM in realm world,
+  and EDK2 and Linux in Normal world on the host. Guests can be launched
+  in-realm in a number of configurations using kvmtool. EDK2 can be optionally
+  used as guest FW.
+
+  If the user provides an ext2/4 filesystem image via the GUEST_ROOTFS btvar, a
+  guest disk image is created that includes a FAT16 partition containing the
+  guest kernel (to be loaded by the guest EDK2 FW), and the provided filesystem
+  as the rootfs. The user can provide their own filesystem image, or
+  alternatively use a simple buildroot image created with buildroot.yaml:
+
+  .. code-block:: shell
+    $ shrinkwrap build cca-3world.yaml --overlay buildroot.yaml --btvar GUEST_ROOTFS='${artifact:BUILDROOT}'
+
+  The user can also control the guest kernel command line parameters used on
+  the guest disk image via the GUEST_CMDLINE btvar.
+
+  Once built, the user must get some of the generated artifacts into the FVP
+  environment. This can either be done by copying them to the host's rootfs or
+  by sharing them into the FVP using 9p.
+
+  For the time being, there is an issue in the linux kernel's handling of 9p
+  which does not share correctly the guest image to the guest EFI, preventing
+  the guest to boot. Copying the artifacts into the host's rootfs is the way to
+  go. Something like the following example should work. For simplicity, this
+  example reuses the guest filesystem generated with buildroot as the host's
+  rootfs, after resizing it so that there is room for the guest's rootfs:
+
+  .. code-block:: shell
+    $ cd ~/.shrinkwrap/package/cca-3world
+    $ TOOLS_PATH=~/.shrinkwrap/build/build/cca-3world/buildroot/host/sbin
+    $ $TOOLS_PATH/e2fsck -fp rootfs.ext2
+    $ $TOOLS_PATH/resize2fs rootfs.ext2 256M
+    $ sudo su
+    # mkdir mnt
+    # mount rootfs.ext2 mnt
+    # mkdir mnt/cca
+    # cp guest-disk.img KVMTOOL_EFI.fd lkvm mnt/cca/.
+    # umount mnt
+    # rm -rf mnt
+    # exit
+
+  Now you can boot the host, using the rootfs we just modified, either using DT:
+
+  .. code-block:: shell
+    $ shrinkwrap run cca-3world.yaml --rtvar ROOTFS=rootfs.ext2
+
+  Or alternatively, using ACPI:
+
+  .. code-block:: shell
+    $ shrinkwrap run cca-3world.yaml -r ROOTFS=rootfs.ext2 --rtvar CMDLINE="mem=1G earlycon root=/dev/vda ip=dhcp acpi=force"
+
+  Finally, once the host has booted, log in as "root" (no password), and launch
+  a realm using kvmtool from the /cca directory (that was created above):
+
+  .. code-block:: shell
+    # cd /cca
+    # ./lkvm run --realm --disable-sve --irqchip=gicv3-its --firmware KVMTOOL_EFI.fd -c 1 -m 512 --no-pvtime --force-pci --disk guest-disk.img --measurement-algo=sha256 --restricted_mem
+
+  Be patient while this boots to the UEFI shell. Navigate to "Boot Manager",
+  then "UEFI Shell" and wait for the startup.nsh script to execute, which will
+  launch the kernel. Continue to be patient, and eventually you will land at a
+  login prompt. Login as "root" (no password).
+
+  When the linux kernel 9p issue will be fixed, the shared directory approach
+  can be used. Simply boot the host with the SHARE rtvar. This only works for
+  DT-based environments though:
+
+  .. code-block:: shell
+    $ cd ~/.shrinkwrap/package/cca-3world
+    $ shrinkwrap run cca-3world.yaml --rtvar ROOTFS=rootfs.ext2 --rtvar SHARE=.
+
+  Then, once the host has booted, log in as "root" (no password) and mount the
+  shared folder to "/cca" and change dir to it. The realm guest can then be
+  launched as previously:
+
+  .. code-block:: shell
+    # mkdir /cca
+    # mount -t 9p -o trans=virtio,version=9p2000.L FM /cca
+    # cd /cca
+    # ./lkvm run --realm --disable-sve --irqchip=gicv3-its --firmware KVMTOOL_EFI.fd -c 1 -m 512 --no-pvtime --force-pci --disk guest-disk.img --measurement-algo=sha256 --restricted_mem
+
+  It is also possible to launch Linux without using EDK2 as the guest FW:
+
+  .. code-block:: shell
+    # ./lkvm run --realm --disable-sve --irqchip=gicv3-its -c 1 -m 512 --no-pvtime --force-pci --console virtio --kernel Image --disk guest-disk.img -p "console=hvc0 root=/dev/vda2" --measurement-algo=sha256 --restricted_mem
+
+  This config also builds kvm-unit-tests, which can be run in the realm instead
+  of Linux:
+
+  .. code-block:: shell
+    # cd /cca/kvm-unit-tests/arm
+    # export PATH=/cca:$PATH
+    # ./run-realm-tests
+
+concrete: true
+
+layers:
+  - cca-edk2.yaml
+  - linux-base.yaml
+  - kvmtool-base.yaml
+  - kvm-unit-tests.yaml
+
+build:
+  linux:
+    repo:
+      remote: https://git.gitlab.arm.com/linux-arm/linux-cca.git
+      revision: cca-host/v8
+    prebuild:
+      # Use source dir modification time as timestamp (for locally reproducible build)
+      - export KBUILD_BUILD_TIMESTAMP="@$$(stat -c '%Y' ${param:sourcedir})"
+      - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_VIRT_DRIVERS --enable CONFIG_ARM_CCA_GUEST
+      # Reduce the number of timer exits from the guest
+      - ./scripts/config --file ${param:builddir}/.config --disable CONFIG_HZ_250 --enable CONFIG_HZ_100
+
+  kvmtool:
+    repo:
+      dtc:
+        revision: v1.6.1
+      kvmtool:
+        remote: https://gitlab.arm.com/linux-arm/kvmtool-cca
+        revision: cca/v6
+
+  edk2-cca-guest:
+    repo:
+      edk2:
+        remote: https://git.gitlab.arm.com/linux-arm/edk2-cca.git
+        revision: 3223_arm_cca_v4
+
+    toolchain: aarch64-none-elf-
+
+    stderrfilt: true
+
+    prebuild:
+      - export WORKSPACE=${param:sourcedir}
+      - export GCC5_AARCH64_PREFIX=$$CROSS_COMPILE
+      - export PACKAGES_PATH=$$WORKSPACE/edk2
+      - export IASL_PREFIX=${artifact:ACPICA}/
+      - export PYTHON_COMMAND=/usr/bin/python3
+
+    params:
+      -a: AARCH64
+      -t: GCC5
+      -p: edk2/ArmVirtPkg/ArmVirtKvmTool.dsc
+      -b: RELEASE
+      --pcd: PcdShellDefaultDelay=0
+      ' --pcd': PcdPlatformBootTimeOut=0
+      '  --pcd': PcdUefiShellDefaultBootEnable=1
+
+    build:
+      - source edk2/edksetup.sh --reconfig
+      - make -j${param:jobs} -C edk2/BaseTools
+      - build -n ${param:jobs} -D EDK2_OUT_DIR=${param:builddir} ${param:join_space}
+
+    artifacts:
+      EDK2_CCA_GUEST: ${param:builddir}/RELEASE_GCC5/FV/KVMTOOL_EFI.fd
+
+  guest-disk:
+    build:
+      - BOOTIMG="${param:builddir}/boot.img"
+      - ROOTIMG="${btvar:GUEST_ROOTFS}"
+      - DISKIMG="${param:builddir}/guest-disk.img"
+      - STARTUP="${param:builddir}/startup.nsh"
+
+      # Automatically boot the kernel when starting the EFI shell.
+      - echo "bootaa64.efi ${btvar:GUEST_CMDLINE}" > $${STARTUP}
+
+      # 64MB fat16 boot partition containing kernel as efi bootloader.
+      - dd if=/dev/zero of=$${BOOTIMG} bs=1M count=64 status=none
+      - mkfs.vfat -F16 -n boot $${BOOTIMG} &> /dev/null
+      - mcopy -spm -i $${BOOTIMG} ${artifact:KERNEL} ::bootaa64.efi
+      - mcopy -spm -i $${BOOTIMG} $${STARTUP} ::startup.nsh
+
+      # If no rootfs was provided, create an empty one to use.
+      - if [ -z "$${ROOTIMG}" ]; then
+      -   ROOTIMG="${param:builddir}/root.img"
+      -   dd if=/dev/zero of=$${ROOTIMG} bs=1M count=64 status=none
+      -   mkfs.ext4 $${ROOTIMG} &> /dev/null
+      - fi
+
+      # Disk image with 1MB start and end blocks for GPT, sandwiching the boot
+      # partition and the rootfs.
+      - dd if=/dev/zero bs=512 count=2048 status=none > $${DISKIMG}
+      - dd if=$${BOOTIMG} status=none >> $${DISKIMG}
+      - dd if=$${ROOTIMG} status=none >> $${DISKIMG}
+      - dd if=/dev/zero bs=512 count=2048 status=none >> $${DISKIMG}
+
+      # Add the partition table.
+      - parted $${DISKIMG} mktable gpt mkpart boot fat16 1MiB 65MiB mkpart root ext4 65MiB 100% &> /dev/null
+
+    artifacts:
+      GUEST_DISK: ${param:builddir}/guest-disk.img
+
+buildex:
+  btvars:
+    GUEST_ROOTFS:
+      type: path
+      value: ''
+
+    GUEST_CMDLINE:
+      type: string
+      value: root=/dev/vda2 acpi=force ip=on
+
+run:
+  rtvars:
+    KERNEL:
+      value: ${artifact:KERNEL}
+

shrinkwrap/config/cca-4world.yaml

@@ -0,0 +1,57 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Builds on cca-3world.yaml, and adds support for running Hafnium along with some
+  secure partitions in Secure World.
+  Build with:
+
+  .. code-block:: shell
+    $ shrinkwrap build cca-4world.yaml --overlay buildroot.yaml --btvar GUEST_ROOTFS='${artifact:BUILDROOT}'
+
+  Then run the model with:
+
+  .. code-block:: shell
+    $ cd ~/.shrinkwrap/package/cca-4world
+    $ shrinkwrap run cca-4world.yaml --rtvar ROOTFS=rootfs.ext2 --rtvar SHARE=.
+
+  Once the host has booted, log in as "root" (no password).
+
+  Secure partitions can be enumerated by:
+
+  .. code-block:: shell
+    # cat /sys/devices/arm-ffa-*/uuid
+    b4b5671e-4a90-4fe1-b81f-fb13dae1dacb
+    d1582309-f023-47b9-827c-4464f5578fc8
+    79b55c73-1d8c-44b9-8593-61e1770ad8d2
+    eaba83d8-baaf-4eaf-8144-f7fdcbe544a7
+
+  See cca-3worlds.yaml config :ref:`userguide/configstore/cca-3world:description`
+  if willing to launch a realm using kvmtool.
+
+concrete: true
+
+layers:
+  - cca-3world.yaml
+  - hafnium-base.yaml
+  # Provides secure partitions that run under Hafnium for demonstration.
+  - tftf-base.yaml
+
+build:
+  tfa:
+    params:
+      SPD: spmd
+      SPMD_SPM_AT_SEL2: 1
+      SP_LAYOUT_FILE: ${artifact:SP_LAYOUT}
+      BL32: ${artifact:HAFNIUM}
+
+  linux:
+    prebuild:
+      - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_ARM_FFA_TRANSPORT
+
+run:
+  terminals:
+    bp.terminal_2:
+      friendly: hafnium

shrinkwrap/config/cca-edk2.yaml

@@ -0,0 +1,58 @@
+# Copyright (c) 2024, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Brings together TF-A, TF-RMM and EDK2 to provide a 3 world environment running
+  on FVP. In this config TF-A is in Root World, TF-RMM is in Realm EL2 and EDK2
+  and Linux form the non-secure EL2. Allows easy specification of the kernel
+  image and command line, and rootfs at runtime (see rtvars). ACPI is provided
+  by UEFI. DT is enabled by default. Use 'acpi=force' command line option to
+  enable ACPI boot.
+
+  By default (if not overriding the rtvars) a sensible command line is used that
+  will set up the console for logging and attempt to mount the rootfs image from
+  the FVP's virtio block device. However the default rootfs image is empty, so
+  the kernel will panic when attempting to mount; the user must supply a rootfs
+  if it is required that the kernel completes its boot. No default kernel image
+  is supplied and the config will refuse to run unless it is explicitly
+  specified.
+
+  Note that by default, UEFI variables are build time configured directing EDK2
+  to boot to the shell. This will cause startup.nsh to be executed and will
+  start the kernel boot. This way everything is automatic. By default, all EDK2
+  output is muxed to stdout. If you prefer booting UEFI to its UI, override the
+  the build pcd parameter `PcdUefiShellDefaultBootEnable` using the overlay and
+  override terminals 'bp.terminal_0'.type to 'telnet'.
+
+  .. code-block:: shell
+    $ shrinkwrap build cca-edk2.yaml
+
+  .. code-block:: shell
+    $ shrinkwrap run cca-edk2.yaml --rtvar KERNEL=path/to/Image --rtvar ROOTFS=path/to/rootfs.img
+
+  When booting with device tree, a directory can optionally be shared from the
+  host system into the Linux environment running in the FVP. To do so, set the
+  SHARE rtvar to the desired directory, then mount the share inside the FVP with
+  the following (or automate it in fstab):
+
+  .. code-block:: shell
+    # mkdir /share
+    # mount -t 9p -o trans=virtio,version=9p2000.L FM /share
+
+concrete: true
+
+layers:
+  - tfa-rme.yaml
+  - ns-edk2-base.yaml
+
+build:
+  edk2:
+    repo:
+      edk2:
+        remote: https://git.gitlab.arm.com/linux-arm/edk2-cca.git
+        revision: 3223_arm_cca_v4
+      edk2-platforms:
+        remote: https://git.gitlab.arm.com/linux-arm/edk2-platforms-cca.git
+        revision: 3223_arm_cca_v4

shrinkwrap/config/debug/rmm.yaml

@@ -0,0 +1,15 @@
+# Copyright (c) 2024, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Overlay for RMM to build debug configuration.
+
+build:
+  rmm:
+    params:
+      -DCMAKE_BUILD_TYPE: Debug
+
+    artifacts:
+      RMM: ${param:builddir}/Debug/rmm.img

shrinkwrap/config/debug/tfa.yaml

@@ -0,0 +1,18 @@
+# Copyright (c) 2024, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Overlay for TFA to build debug configuration.
+
+build:
+  tfa:
+    params:
+      DEBUG: 1
+
+    artifacts:
+      BL1: ${param:builddir}/fvp/debug/bl1.bin
+      BL2: ${param:builddir}/fvp/debug/bl2.bin
+      BL31: ${param:builddir}/fvp/debug/bl31.bin
+      FIP: ${param:builddir}/fvp/debug/fip.bin

shrinkwrap/config/debug/tftf.yaml

@@ -0,0 +1,17 @@
+# Copyright (c) 2025, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Overlay for TFTF to build debug configuration.
+
+build:
+  tftf:
+    params:
+      DEBUG: 1
+
+    artifacts:
+      TFTF_BIN: ${param:builddir}/fvp/debug/tftf.bin
+      SP_LAYOUT: ${param:builddir}/fvp/debug/sp_layout.json
+

shrinkwrap/config/dt-base.yaml

@@ -0,0 +1,115 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Builds a device tree from upstream linux kernel and exports the dtb as an
+  artifact called DTB. By default, fvp-base-revc.dts is built, but the user can
+  override this by specifying its name in the DTS variable as part of a higher
+  layer's prebuild commands. Optionally, a kernel command line is dynamically
+  added to the chosen node if any params are specified. Uses a slimmed down
+  mirror of the upstream repo to avoid having to sync all of linux.
+
+build:
+  dt:
+    repo:
+      remote: https://git.kernel.org/pub/scm/linux/kernel/git/devicetree/devicetree-rebasing.git
+      revision: v6.17-dts
+
+    toolchain: aarch64-none-elf-
+
+    prebuild:
+      # User can override DTS in prebuild step of higher layer.
+      - DTS=fvp-base-revc.dts
+      # User can override these to define an initrd in memory.
+      - INITRD_START=
+      - INITRD_END=
+
+    build:
+      - DT_BASENAME=$$(basename $${DTS} .dts)
+      - DTB_INTER=src/arm64/arm/$${DT_BASENAME}.dtb
+      - DTB_FINAL=${param:builddir}/dt_bootargs.dtb
+
+      # This script compiles the selected dts then dynamically adds kernel
+      # bootargs to the chosen node. It uses any defined key=value pairs from
+      # the `params` key. If none are defined (the default) the dts is compiled
+      # without a command line. If an initrd location is provided, it is also
+      # added to the chosen node.
+      - make CPP=$${CROSS_COMPILE}cpp -j${param:jobs} $${DTB_INTER}
+      - CHOSEN=
+      - if [ ! -z "${param:join_equal}" ]; then
+      -   CHOSEN="$${CHOSEN}bootargs = \"${param:join_equal}\";\n"
+      - fi
+      - if [ ! -z "$${INITRD_START}" ] && [ ! -z "$${INITRD_END}" ]; then
+      -   INITRD_START_HI=$$((($${INITRD_START} >> 32) & 0xffffffff))
+      -   INITRD_START_LO=$$(($${INITRD_START} & 0xffffffff))
+      -   INITRD_END_HI=$$((($${INITRD_END} >> 32) & 0xffffffff))
+      -   INITRD_END_LO=$$(($${INITRD_END} & 0xffffffff))
+      -   CHOSEN="$${CHOSEN}linux,initrd-start = <$${INITRD_START_HI} $${INITRD_START_LO}>;\n"
+      -   CHOSEN="$${CHOSEN}linux,initrd-end = <$${INITRD_END_HI} $${INITRD_END_LO}>;\n"
+      - fi
+      - if [ -z "$${CHOSEN}" ]; then
+      -   cp $${DTB_INTER} $${DTB_FINAL}
+      - else
+      -   ( dtc -q -O dts -I dtb $${DTB_INTER} ; echo -e "/ { chosen { $${CHOSEN} }; };" ) | dtc -q -O dtb -o $${DTB_FINAL}
+      - fi
+
+      # When using the default fvp-base-revc.dts, an overlay is added which adds
+      # extra properties that TFA requires. This allows embedding this DT
+      # directly in the FIP rather than having TFA use its own DT then inject
+      # this at a higher level. It's also not always possible to inject the DT
+      # at a higher level anyway, due to TFA constraints. Included in the
+      # overlay: a 64MB carve-out is reserved at the end of the first memory
+      # bank, which is used by tfa and (if present) the rmm, timer frequency,
+      # some extra psci properties, and cpu-map to map the cores to clusters.
+      # By default the virtio-rng is disabled (because it was not present in
+      # older builds of the rev C FVP), so enable it here, so Linux can use it
+      # to initialize its RNG and speed up boot.
+      - if [ "$${DTS}" = "fvp-base-revc.dts" ]; then
+      - >-
+          OVERLAY="/ {
+            reserved-memory {
+              fw: fw@7C000000 {
+                reg = <0x00000000 0xFC000000 0 0x04000000>;
+                no-map;
+              };
+            };
+            timer {
+              clock-frequency = <100000000>;
+            };
+            psci {
+              compatible = \"arm,psci-1.0\", \"arm,psci-0.2\";
+              max-pwr-lvl = <2>;
+            };
+            cpus {
+              cpu-map {
+                cluster0 {
+                  core0 { cpu = <&{/cpus/cpu@0}>; };
+                  core1 { cpu = <&{/cpus/cpu@100}>; };
+                  core2 { cpu = <&{/cpus/cpu@200}>; };
+                  core3 { cpu = <&{/cpus/cpu@300}>; };
+                };
+                cluster1 {
+                  core0 { cpu = <&{/cpus/cpu@10000}>; };
+                  core1 { cpu = <&{/cpus/cpu@10100}>; };
+                  core2 { cpu = <&{/cpus/cpu@10200}>; };
+                  core3 { cpu = <&{/cpus/cpu@10300}>; };
+                };
+              };
+            };
+            bus@8000000 {
+              motherboard-bus@8000000 {
+                iofpga-bus@300000000 {
+                  virtio@200000 {
+                    status = \"okay\";
+                  };
+                };
+              };
+            };
+          };"
+      -   ( dtc -q -O dts -I dtb $${DTB_FINAL} ; echo -e "$${OVERLAY}" ) | dtc -q -O dtb -o $${DTB_FINAL}
+      - fi
+
+    artifacts:
+      DTB: ${param:builddir}/dt_bootargs.dtb

shrinkwrap/config/edk2-base.yaml

@@ -0,0 +1,59 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  EDK2 UEFI firmware implementation for the FVP.
+
+  Builds acpica from source as part of the build process.
+
+build:
+  acpica:
+    repo:
+      remote: https://github.com/acpica/acpica.git
+      revision: R2025_04_04
+
+    build:
+      - make -j${param:jobs}
+
+    artifacts:
+      ACPICA:
+        path: ${param:sourcedir}/generate/unix/bin
+        export: false
+
+  edk2:
+    repo:
+      edk2:
+        remote: https://github.com/tianocore/edk2.git
+        revision: edk2-stable202508.01
+      edk2-platforms:
+        remote: https://github.com/tianocore/edk2-platforms.git
+        revision: 8cc9da9dc8431d1f0dfab28d92b3941e2c19aeb8
+
+    toolchain: aarch64-none-elf-
+
+    stderrfilt: true
+
+    prebuild:
+      - export WORKSPACE=${param:sourcedir}
+      - export GCC5_AARCH64_PREFIX=$$CROSS_COMPILE
+      - export PACKAGES_PATH=$$WORKSPACE/edk2:$$WORKSPACE/edk2-platforms
+      - export IASL_PREFIX=${artifact:ACPICA}/
+      - export PYTHON_COMMAND=/usr/bin/python3
+
+    params:
+      -a: AARCH64
+      -t: GCC5
+      -p: Platform/ARM/VExpressPkg/ArmVExpress-FVP-AArch64.dsc
+      -b: RELEASE
+      --pcd: PcdShellDefaultDelay=0
+      ' --pcd': PcdUefiShellDefaultBootEnable=1
+
+    build:
+      - source edk2/edksetup.sh --reconfig
+      - make -j${param:jobs} -C edk2/BaseTools
+      - build -n ${param:jobs} -D EDK2_OUT_DIR=${param:builddir} ${param:join_space}
+
+    artifacts:
+      EDK2: ${param:builddir}/RELEASE_GCC5/FV/FVP_AARCH64_EFI.fd

shrinkwrap/config/ffa-hafnium-optee.yaml

@@ -0,0 +1,45 @@
+# Copyright (c) 2023, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Brings together a software stack to demonstrate Arm FF-A running on FVP.
+  Includes TF-A in secure EL3 running SPMD(Secure Partition Manager
+  Dispatcher), Hafnium as secure Hypervisor at secure EL2 running SPMC
+  (Secure Partition Manager Core) and OPTEE as a secure partition/VM
+  in secure EL1 and Linux in Normal world.
+
+concrete: true
+
+layers:
+  - ns-edk2.yaml
+  - hafnium-base.yaml
+  - optee-base.yaml
+  - arch/v8.5.yaml
+
+build:
+  optee:
+    params:
+      CFG_CORE_SEL2_SPMC: y
+      CFG_CORE_ASYNC_NOTIF: y
+      CFG_CORE_HAFNIUM_INTC: y
+      CFG_ARM_GICV3: n
+      CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME: n
+
+  tfa:
+    prebuild:
+    - cat <<EOF > ${param:builddir}/sp_layout.json
+    - "{"
+    -   "\"op-tee\" : {"
+    -     "\"image\" : \"${artifact:OPTEE_PAGER_BIN}\","
+    -     "\"pm\" : \"${param:sourcedir}/plat/arm/board/fvp/fdts/optee_sp_manifest.dts\""
+    -   "}"
+    - "}"
+    - EOF
+    params:
+      ARM_SPMC_MANIFEST_DTS: ${param:sourcedir}/plat/arm/board/fvp/fdts/fvp_spmc_optee_sp_manifest.dts
+      SP_LAYOUT_FILE: ${param:builddir}/sp_layout.json
+      BL32: ${artifact:HAFNIUM}
+      SPMD_SPM_AT_SEL2: 1
+      SPD: spmd

shrinkwrap/config/ffa-optee.yaml

@@ -0,0 +1,30 @@
+# Copyright (c) 2023, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Brings together a software stack to demonstrate Arm FF-A running on FVP.
+  Includes TF-A in secure EL3 running SPMD(Secure Partition Manager
+  Dispatcher), with secure EL2 disabled and SPMC(Secure Partition Manager
+  Core) inside OPTEE at secure EL1 and Linux in Normal world.
+
+concrete: true
+
+layers:
+  - ns-edk2.yaml
+  - optee-base.yaml
+
+build:
+  optee:
+    params:
+      CFG_CORE_SEL1_SPMC: y
+      CFG_CORE_ASYNC_NOTIF: y
+
+  tfa:
+    params:
+      ARM_SPMC_MANIFEST_DTS: ${param:sourcedir}/plat/arm/board/fvp/fdts/fvp_spmc_el1_optee_manifest.dts
+      BL32: ${artifact:OPTEE_PAGER_BIN}
+      SPMD_SPM_AT_SEL2: 0
+      SPMC_OPTEE: 1
+      SPD: spmd

shrinkwrap/config/ffa-tftf.yaml

@@ -0,0 +1,26 @@
+# Copyright (c) 2023, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Brings together a software stack to demonstrate Arm FF-A running on FVP.
+  Includes TF-A in secure EL3, Hafnium in secure EL2 and some demo TF-A
+  test secure partitions.
+
+concrete: true
+
+layers:
+  - ns-edk2.yaml
+  - hafnium-base.yaml
+  - tftf-base.yaml
+  - arch/v8.5.yaml
+
+build:
+  tfa:
+    params:
+      BL33: ${artifact:EDK2}
+      SPD: spmd
+      SPMD_SPM_AT_SEL2: 1
+      SP_LAYOUT_FILE: ${artifact:SP_LAYOUT}
+      BL32: ${artifact:HAFNIUM}