shrinkwrap-tool 2026.2.1__py3-none-any.whl

shrinkwrap/config/hafnium-base.yaml

@@ -0,0 +1,51 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Hafnium is the Secure Partition Manager that runs at SEL2.
+
+image: shrinkwraptool/base-full
+
+build:
+  hafnium:
+    repo:
+      remote: https://git.trustedfirmware.org/hafnium/hafnium.git
+      revision: v2.14.0
+
+    params:
+      PROJECT: reference
+      PLATFORM: secure_aem_v8a_fvp_vhe
+
+    build:
+      # Hafnium doesn't provide a mechanism to forward number of jobs to ninja,
+      # so it will always parallelize across all cpus. Ideally we would specify
+      # max jobs with ${param:jobs}.
+      - make OUT_DIR=${param:builddir} ${param:join_equal}
+
+    artifacts:
+      HAFNIUM: ${param:builddir}/secure_aem_v8a_fvp_vhe_clang/hafnium.bin
+
+  tfa:
+    params:
+      # Although TFA is now able to detect most features dynamically, there are
+      # still a few, which are required by Hafnium, which it can't. Given these
+      # are hard requirements for Hafnium, define them here.
+      GIC_EXT_INTID: 1
+      ENABLE_FEAT_MTE2: 1
+      ENABLE_SVE_FOR_SWD: 1
+      ENABLE_SME_FOR_SWD: 1
+
+run:
+  params:
+    # Hafnium requires extended gic support, so define these here to show they
+    # are tightly coupled.
+    -C gic_distributor.ARE-fixed-to-one: 1
+    -C gic_distributor.extended-ppi-count: 64
+    -C gic_distributor.extended-spi-count: 1024
+    -C cluster0.gicv3.extended-interrupt-range-support: 1
+    -C cluster1.gicv3.extended-interrupt-range-support: 1
+    -C cluster0.memory_tagging_support_level: 2
+    -C cluster1.memory_tagging_support_level: 2
+    -C bp.dram_metadata.is_enabled: 1

shrinkwrap/config/kvm-unit-tests.yaml

@@ -0,0 +1,32 @@
+# Copyright (c) 2024, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Build KVM unit tests.
+
+build:
+  kvm-unit-tests:
+    repo:
+        remote: https://gitlab.arm.com/linux-arm/kvm-unit-tests-cca
+        revision: cca/rmm-v1.0-rel0
+
+    toolchain: aarch64-linux-gnu-
+
+    params:
+      --arch: arm64
+      --cross-prefix: $${CROSS_COMPILE}
+      --target: kvmtool
+
+    build:
+      - ./configure ${param:join_equal}
+      - make -j${param:jobs}
+      - sed -i -e "/PRETTY_PRINT_STACKS/s/yes/no/"
+               -e "/ERRATATXT/s/=.*/=errata.txt/"
+               -e "/HOST/s/=.*/=aarch64/"
+               -e "/ARCH/s/=.*/=arm64/"
+               ${param:sourcedir}/config.mak
+
+    artifacts:
+       KVM_UNIT_TESTS: ${param:sourcedir}

shrinkwrap/config/kvmtool-base.yaml

@@ -0,0 +1,33 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  kvmtool is a lightweight Virtual Machine Monitor that can be used, in concert
+  with KVM, to create and manage virtual machines. This config fragment can be
+  used to build the kvmtool binary, which is exported as an artifact called
+  LKVM. Fancy optional extras which depend on 3rd party libraries are not
+  enabled.
+
+build:
+  kvmtool:
+    repo:
+      dtc:
+        remote: https://git.kernel.org/pub/scm/utils/dtc/dtc.git
+        revision: v1.7.2
+      kvmtool:
+        remote: https://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git
+        revision: 7ad32e5514aca2b6d19398fd3ae5a7c5e0e1ce24
+
+    toolchain: aarch64-linux-gnu-
+
+    build:
+      - export CC=$${CROSS_COMPILE}gcc
+      - export ARCH=arm64
+      - export LIBFDT_DIR=${param:sourcedir}/dtc/libfdt
+      - make -j${param:jobs} -C dtc libfdt
+      - make -j${param:jobs} -C kvmtool
+
+    artifacts:
+      LKVM: ${param:sourcedir}/kvmtool/lkvm

shrinkwrap/config/linux-base.yaml

@@ -0,0 +1,80 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Linux kernel build config. Builds the kernel image and set of modules. Image
+  is exported as the KERNEL artifact, while the modules are exported in a tgz
+  archive as the KMODULES artifact. Modules are only built if a higher level
+  layer specifies `export BUILD_KMODULES=true` in the prebuild section.
+
+  By default the defconfig is built. Users can optionally add commands to the
+  prebuild list to modify the config (e.g. `./scripts/config ...`) or even
+  replace the .config, as required.
+
+  A higher level layer can optionally request kselftests to be built by
+  specifying `export BUILD_KSELFTESTS=true` in the prebuild section. If
+  specified, the kselftests package is exported in a tgz archive as the
+  KSELFTESTS artifact. A subset of targets can be specified with (e.g.)
+  `export BUILD_KSELFTESTS="mm arm64"`
+
+build:
+  linux:
+    repo:
+      remote: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
+      revision: v6.17
+
+    toolchain: aarch64-linux-gnu-
+
+    prebuild:
+      - export BUILD_KMODULES=false
+      - export BUILD_KSELFTESTS=false
+      - export KBUILD_BUILD_HOST="shrinkwrap"
+      - export ARCH=arm64
+      - make -j${param:jobs} O=${param:builddir} defconfig
+
+      # Unconditionally add the virtio-rng driver so we can use the device on
+      # FVP to speed up CRNG init.
+      - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_HW_RANDOM
+      - ./scripts/config --file ${param:builddir}/.config --enable CONFIG_HW_RANDOM_VIRTIO
+
+    build:
+      # Finalize the config.
+      - make -j${param:jobs} O=${param:builddir} olddefconfig
+
+      - if [ "$$BUILD_KMODULES" = "true" ]; then
+          # Make the kernel image and modules.
+      -   make -j${param:jobs} O=${param:builddir} Image modules
+
+          # Package the modules into a tgz archive.
+      -   make -j${param:jobs} O=${param:builddir} INSTALL_MOD_PATH=${param:builddir}/modules modules_install
+      -   tar -caf ${param:builddir}/modules.tgz -C ${param:builddir}/modules .
+      -   rm -rf ${param:builddir}/modules
+      - else
+          # Make the kernel image.
+      -   make -j${param:jobs} O=${param:builddir} Image
+
+          # Dummy modules archive to keep artifacts happy.
+      -   touch ${param:builddir}/modules.tgz
+      - fi
+
+      - if [ "$$BUILD_KSELFTESTS" != "false" ]; then
+          # Make kselftests and package into tgz archive.
+      -   make -j${param:jobs} O=${param:builddir} headers_install
+      -   if [ "$$BUILD_KSELFTESTS" = "true" ]; then
+      -     make -j${param:jobs} O=${param:builddir} -C tools/testing/selftests install INSTALL_PATH=${param:builddir}/kselftests
+      -   else
+      -     make -j${param:jobs} O=${param:builddir} -C tools/testing/selftests install INSTALL_PATH=${param:builddir}/kselftests TARGETS="$$BUILD_KSELFTESTS"
+      -   fi
+      -   tar -caf ${param:builddir}/kselftests.tgz -C ${param:builddir}/kselftests .
+      -   rm -rf ${param:builddir}/kselftests
+      - else
+          # Dummy kselftests archive to keep artifacts happy.
+      -   touch ${param:builddir}/kselftests.tgz
+      - fi
+
+    artifacts:
+      KERNEL: ${param:builddir}/arch/arm64/boot/Image
+      KMODULES: ${param:builddir}/modules.tgz
+      KSELFTESTS: ${param:builddir}/kselftests.tgz

shrinkwrap/config/ns-edk2-base.yaml

@@ -0,0 +1,83 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Internal building block for edk2-based systems. Requires separate layer to add
+  TF-A, DT and FVP (configured to suit).
+
+layers:
+  - edk2-base.yaml
+
+build:
+  tfa:
+    params:
+      BL33: ${artifact:EDK2}
+
+run:
+  rtvars:
+    BL1:
+      type: path
+      value: ${artifact:BL1}
+
+    FIP:
+      type: path
+      value: ${artifact:FIP}
+
+    DTB:
+      type: path
+      value: ${artifact:DTB}
+
+    CMDLINE:
+      type: string
+      value: console=ttyAMA0 earlycon=pl011,0x1c090000 root=/dev/vda ip=dhcp
+
+    KERNEL:
+      type: path
+      value: null
+
+    ROOTFS:
+      type: path
+      value: ''
+
+    SHARE:
+      type: path
+      value: ''
+
+    EDK2FLASH:
+      type: path
+      value: ''
+
+  params:
+    -C bp.secureflashloader.fname: ${rtvar:BL1}
+    -C bp.flashloader0.fname: ${rtvar:FIP}
+    -C bp.virtioblockdevice.image_path: ${rtvar:ROOTFS}
+    -C cluster0.cpu0.semihosting-cwd: $${SEMIHOSTDIR}
+    -C bp.flashloader1.fname: ${rtvar:EDK2FLASH}
+    -C bp.virtiop9device.root_path: ${rtvar:SHARE}
+
+  prerun:
+    # We use the FVP's and UEFI's semihosting capability to get the images into
+    # the system. Wrap this up as a command in the startup.nsh along with the
+    # command line. UEFI will execute this when entering its shell. Copy the
+    # images to a unique temp directory (which is the root of our semihosting
+    # environment) then refer to them by its base name to UEFI. Using a unique
+    # temp directory means we can run multiple instances in parallel.
+    - SEMIHOSTDIR=`mktemp -d`
+    - function finish { rm -rf $$SEMIHOSTDIR; }
+    - trap finish EXIT
+    - cp ${rtvar:KERNEL} $${SEMIHOSTDIR}/Image
+    - cp ${rtvar:DTB} $${SEMIHOSTDIR}/fdt.dtb
+    - cat <<EOF > $${SEMIHOSTDIR}/startup.nsh
+    - Image dtb=fdt.dtb ${rtvar:CMDLINE}
+    - EOF
+
+  terminals:
+    bp.terminal_0:
+      friendly: ''
+      type: stdinout
+      no_color: true
+      no_escapes: 'EFI stub: Booting Linux Kernel...'
+    bp.terminal_1:
+      friendly: edk2

shrinkwrap/config/ns-edk2-optee.yaml

@@ -0,0 +1,41 @@
+# Copyright (c) 2023, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Brings together a software stack to demonstrate OPTEE in secure EL1
+  with TF-A in secure EL3 but without FF-A and secure EL2(Hafnium).
+  Secure partition dispatcher exists inside OPTEE.
+
+concrete: true
+
+layers:
+  - ns-edk2.yaml
+  - optee-base.yaml
+
+build:
+  tfa:
+    params:
+      BL32: ${artifact:OPTEE_HDR_BIN}
+      BL32_EXTRA1: ${artifact:OPTEE_PAGER_BIN}
+      BL32_EXTRA2: ${artifact:OPTEE_PAGEABLE_BIN}
+      SPD: opteed
+      ARM_TSP_RAM_LOCATION: tdram
+  dt:
+    build:
+      # When using the default fvp-base-revc.dts, an overlay is added which
+      # adds extra properties that OPTEE requires to enable OPTEE driver
+      # in the kernel.
+      - if [ "$${DTS}" = "fvp-base-revc.dts" ]; then
+      - >-
+          OVERLAY="/ {
+            firmware {
+              optee {
+                compatible = \"linaro,optee-tz\";
+                method = \"smc\";
+              };
+            };
+          };"
+      -   ( dtc -q -O dts -I dtb $${DTB_FINAL} ; echo -e "$${OVERLAY}" ) | dtc -q -O dtb -o $${DTB_FINAL}
+      - fi

shrinkwrap/config/ns-edk2.yaml

@@ -0,0 +1,49 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Best choice for: I want to run Linux on FVP, booting with ACPI/DT, and have
+  easy control over its command line.
+
+  Brings together TF-A and EDK2 to provide a simple non-secure world environment
+  running on FVP. Allows easy specification of the kernel image and command
+  line, and rootfs at runtime (see rtvars). ACPI is provided by UEFI.
+
+  An extra rtvar is added (DTB) which allows specification of a custom device
+  tree. By default (if not overriding the rtvar), the upstream kernel device
+  tree is used. DT is enabled by default. Use 'acpi=force' to enable ACPI
+  boot.
+
+  By default (if not overriding the rtvars) a sensible command line is used that
+  will set up the console for logging and attempt to mount the rootfs image from
+  the FVP's virtio block device. However the default rootfs image is empty, so
+  the kernel will panic when attempting to mount; the user must supply a rootfs
+  if it is required that the kernel completes its boot. No default kernel image
+  is supplied and the config will refuse to run unless it is explicitly
+  specified.
+
+  Note that by default, UEFI variables are build time configured directing EDK2
+  to boot to the shell. This will cause startup.nsh to be executed and will
+  start the kernel boot. This way everything is automatic. By default, all EDK2
+  output is muxed to stdout. If you prefer booting UEFI to its UI, override the
+  the build pcd parameter `PcdUefiShellDefaultBootEnable` using the overlay and
+  override terminals 'bp.terminal_0'.type to 'telnet'.
+
+  When booting with device tree, a directory can optionally be shared from the
+  host system into the Linux environment running in the FVP. To do so, set the
+  SHARE rtvar to the desired directory, then mount the share inside the FVP with
+  the following (or automate it in fstab):
+
+  .. code-block:: shell
+    # mkdir /share
+    # mount -t 9p -o trans=virtio,version=9p2000.L FM /share
+
+concrete: true
+
+layers:
+  - FVP_Base_RevC-2xAEMvA-base.yaml
+  - tfa-base.yaml
+  - dt-base.yaml
+  - ns-edk2-base.yaml

shrinkwrap/config/ns-preload.yaml

@@ -0,0 +1,98 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Best choice for: I just want to run Linux on FVP.
+
+  A simple, non-secure-only configuration where all components are preloaded
+  into memory (TF-A's BL31, DTB and kernel). The system resets directly to BL31.
+  Allows easy specification of a custom command line at build-time (via
+  build.dt.params dictionary) and specification of the device tree, kernel image
+  and rootfs at run-time (see rtvars).
+
+  By default (if not overriding the rtvars), the upstream kernel device tree is
+  used along with a sensible command line that will set up the console for
+  logging and attempt to mount the rootfs image from the FVP's virtio block
+  device. However the default rootfs image is empty, so the kernel will panic
+  when attempting to mount; the user must supply a rootfs if it is required that
+  the kernel completes its boot. No default kernel image is supplied and the
+  config will refuse to run unless it is explicitly specified.  Note: If
+  specifying a custom dtb at runtime, this will also override any command line
+  specified at build time, since the command line is added to the chosen node of
+  the default dtb.
+
+  A directory can optionally be shared from the host system into the Linux
+  environment running in the FVP. To do so, set the SHARE rtvar to the desired
+  directory, then mount the share inside the FVP with the following (or automate
+  it in fstab):
+
+  .. code-block:: shell
+    # mkdir /share
+    # mount -t 9p -o trans=virtio,version=9p2000.L FM /share
+
+concrete: true
+
+layers:
+  - FVP_Base_RevC-2xAEMvA-base.yaml
+  - tfa-base.yaml
+  - dt-base.yaml
+
+build:
+  tfa:
+    params:
+      RESET_TO_BL31: 1
+      ARM_LINUX_KERNEL_AS_BL33: 1
+      PRELOADED_BL33_BASE: 0x84000000
+      ARM_PRELOADED_DTB_BASE: 0x82000000
+
+  dt:
+    params:
+      console: ttyAMA0
+      earlycon: pl011,0x1c090000
+      root: /dev/vda
+      ip: dhcp
+
+run:
+  rtvars:
+    BL31:
+      type: path
+      value: ${artifact:BL31}
+
+    DTB:
+      type: path
+      value: ${artifact:DTB}
+
+    KERNEL:
+      type: path
+      value: null
+
+    ROOTFS:
+      type: path
+      value: ''
+
+    SHARE:
+      type: path
+      value: ''
+
+  params:
+    -C cluster0.cpu0.RVBAR: 0x04001000
+    -C cluster0.cpu1.RVBAR: 0x04001000
+    -C cluster0.cpu2.RVBAR: 0x04001000
+    -C cluster0.cpu3.RVBAR: 0x04001000
+    -C cluster1.cpu0.RVBAR: 0x04001000
+    -C cluster1.cpu1.RVBAR: 0x04001000
+    -C cluster1.cpu2.RVBAR: 0x04001000
+    -C cluster1.cpu3.RVBAR: 0x04001000
+    '--data cluster0.cpu0': ${rtvar:BL31}@0x04001000
+    ' --data cluster0.cpu0': ${rtvar:DTB}@0x82000000
+    '  --data cluster0.cpu0': ${rtvar:KERNEL}@0x84000000
+    -C bp.virtioblockdevice.image_path: ${rtvar:ROOTFS}
+    -C bp.virtiop9device.root_path: ${rtvar:SHARE}
+
+  terminals:
+    bp.terminal_0:
+      friendly: ''
+      type: stdinout
+      no_color: true

shrinkwrap/config/optee-base.yaml

@@ -0,0 +1,37 @@
+# Copyright (c) 2024, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  This provides the baseline for OPTEE 64-bit build.
+
+build:
+  optee:
+    repo:
+      remote: https://github.com/OP-TEE/optee_os.git
+      revision: 4.6.0
+
+    toolchain: aarch64-linux-gnu-
+
+    params:
+      CFG_ARM_GICV3: y
+      CFG_ARM64_core: y
+      CFG_CALLOUT: y
+      CFG_CORE_HEAP_SIZE: 131072
+      CFG_DEBUG_INFO: y
+      CFG_NOTIF_TEST_WD: y
+      CFG_TEE_CORE_LOG_LEVEL: 2
+      CFG_USER_TA_TARGETS: ta_arm64
+      CROSS_COMPILE: aarch64-linux-gnu-
+      CROSS_COMPILE_core: aarch64-linux-gnu-
+      CROSS_COMPILE_ta_arm64: aarch64-linux-gnu-
+      DEBUG: 0
+      PLATFORM: vexpress-fvp
+    build:
+      - make O=${param:builddir} ${param:join_equal} all
+
+    artifacts:
+      OPTEE_HDR_BIN: ${param:builddir}/core/tee-header_v2.bin
+      OPTEE_PAGER_BIN: ${param:builddir}/core/tee-pager_v2.bin
+      OPTEE_PAGEABLE_BIN: ${param:builddir}/core/tee-pageable_v2.bin

shrinkwrap/config/rfa-base.yaml

@@ -0,0 +1,49 @@
+# Copyright (c) 2025, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Rusted-Firmware-A. This provides a baseline configuration that can be
+  customized by higher layers.
+
+layers:
+  - tfa-base.yaml
+  - rust.yaml
+
+build:
+  tfa:
+    params:
+      FVP_TRUSTED_SRAM_SIZE: 512
+      BL31: ${artifact:RFA_BL31}
+    postbuild:
+      - cp ${artifact:RFA_BL31} ${param:builddir}/fvp/release/rfa_bl31.bin
+    artifacts:
+      BL31: ${param:builddir}/fvp/release/rfa_bl31.bin
+
+  rfa:
+    params:
+      PLAT: fvp
+      DEBUG: 0
+      OBJCOPY: aarch64-none-elf-objcopy
+
+    repo:
+      remote: https://git.trustedfirmware.org/RF-A/rusted-firmware-a
+      # The tests do not properly shut-down with v0.1.0 revision.
+      revision: b0fec182669b59f16271ba695b4387cffcbc42a1
+
+    prebuild:
+      # Calling rustup to install the toolchain / components described
+      # by `rust-toolchain.toml`
+      - source ${artifact:RUST_ENV}
+      - rustup show
+
+    build:
+      - source ${artifact:RUST_ENV}
+      # Relocate the 'target' directory from ${param:sourcedir} to ${param:builddir} via symbolic link
+      - mkdir -p ${param:builddir}/target ; ln -sf ${param:builddir}/target ${param:sourcedir}/target
+      - make -j${param:jobs} ${param:join_equal} build
+
+    artifacts:
+      RFA_BL31: ${param:builddir}/target/bl31.bin
+      RFA_BL31_ELF: ${param:builddir}/target/bl31.elf

shrinkwrap/config/rfa.yaml

@@ -0,0 +1,47 @@
+# Copyright (c) 2025, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Rusted-Firmware-A. This configuration runs RF-A with the default
+  features along with its normal-world and secure-world tests.
+
+concrete: true
+
+layers:
+  - FVP_Base_RevC-2xAEMvA-base.yaml
+  - arch/v9.0.yaml
+  - rfa-base.yaml
+
+build:
+  tfa:
+    params:
+      SPD: spmd
+      SPMD_SPM_AT_SEL2: 0
+      LOG_LEVEL: 50
+      BL32: ${artifact:BL32}
+      BL33: ${artifact:BL33}
+
+  rfa:
+    build:
+      - make -j${param:jobs} ${param:join_equal} target/bl32.bin target/bl33.bin
+    artifacts:
+      BL32: ${param:builddir}/target/bl32.bin
+      BL33: ${param:builddir}/target/bl33.bin
+
+run:
+  rtvars:
+    BL1:
+      type: path
+      value: ${artifact:BL1}
+
+    FIP:
+      type: path
+      value: ${artifact:FIP}
+
+  params:
+    -C cluster0.cpu0.semihosting-cwd: target
+    -C cluster1.cpu0.semihosting-cwd: target
+    -C bp.secureflashloader.fname: ${rtvar:BL1}
+    -C bp.flashloader0.fname: ${rtvar:FIP}

shrinkwrap/config/rmm-base.yaml

@@ -0,0 +1,24 @@
+# Copyright (c) 2022, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+build:
+  rmm:
+    repo:
+      remote: https://git.trustedfirmware.org/TF-RMM/tf-rmm.git
+      revision: tf-rmm-v0.8.0
+
+    toolchain: aarch64-none-elf-
+
+    params:
+      -DRMM_CONFIG: fvp_defcfg
+      -DCMAKE_BUILD_TYPE: Release
+      -DLOG_LEVEL: 40
+
+    build:
+      - cmake ${param:join_equal} -S . -B ${param:builddir}
+      - cmake --build ${param:builddir} -j ${param:jobs}
+
+    artifacts:
+      RMM: ${param:builddir}/Release/rmm.img

shrinkwrap/config/rust.yaml

@@ -0,0 +1,31 @@
+# Copyright (c) 2025, Arm Limited.
+# SPDX-License-Identifier: MIT
+
+%YAML 1.2
+---
+description: >-
+  Install Rust in the shrinkwrap build directory.
+
+  The reasons for installing the Rust toolchain in the build directory rather
+  than adding it to the Docker image are:
+  - Many Rust projects use a file name `rust-toolchain.toml` to specify a
+    specific version or channel that are likely to diverge from any version
+    installed in the Docker image.
+  - Cargo caches crate downloads inside $CARGO_HOME which will be lost across
+    shrinkwrap builds if the toolchain is in the Docker image.
+
+build:
+  rust:
+    build:
+      - export CARGO_HOME=${param:sourcedir}/cargo
+      - export RUSTUP_HOME=${param:sourcedir}/rustup
+      - if ! [ -f $${CARGO_HOME}/bin/cargo ] ; then
+      -   mkdir -p $${CARGO_HOME}/bin $${RUSTUP_HOME}/bin ;
+      -   curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs |
+      -     sh -s -- --profile minimal --default-toolchain none -y --no-modify-path ;
+      - fi
+      - echo "export CARGO_HOME=$${CARGO_HOME}" > ${param:builddir}/rust.env
+      - echo "export RUSTUP_HOME=$${RUSTUP_HOME}" >> ${param:builddir}/rust.env
+      - echo "export PATH=$${CARGO_HOME}/bin:$${RUSTUP_HOME}/bin:"'$$'"{PATH}" >> ${param:builddir}/rust.env
+    artifacts:
+      RUST_ENV: ${param:builddir}/rust.env