This reverts commit fad7c187.

The series causes a bug where the phython environment is not properly
activated inside the container and as a result commands fail to execute
properly.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

This reverts commit 1f7379c1.

The series causes a bug where the phython environment is not properly
activated inside the container and as a result commands fail to execute
properly.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

This reverts commit 1c5b46f5.

The series causes a bug where the phython environment is not properly
activated inside the container and as a result commands fail to execute
properly.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

This reverts commit 61ea90a8.

The series causes a bug where the phython environment is not properly
activated inside the container and as a result commands fail to execute
properly.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

This reverts commit 37ed8525.

The series causes a bug where the phython environment is not properly
activated inside the container and as a result commands fail to execute
properly.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

This reverts commit 40b7d400.

The series causes a bug where the phython environment is not properly
activated inside the container and as a result commands fail to execute
properly.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

This reverts commit df9942ee.

The series causes a bug where the phython environment is not properly
activated inside the container and as a result commands fail to execute
properly.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

This reverts commit d8545d9f.

The series causes a bug where the phython environment is not properly
activated inside the container and as a result commands fail to execute
properly.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

This reverts commit 8745fa38.

The series causes a bug where the phython environment is not properly
activated inside the container and as a result commands fail to execute
properly.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

Chris Kay authored Jul 18, 2025 and Ryan Roberts committed Jul 31, 2025

This change forces the `build-documentation` step to take account of any
changes to the Docker images by the change under test.

Signed-off-by: Chris Kay <chris.kay@arm.com>

Chris Kay authored Jul 18, 2025 and Ryan Roberts committed Jul 31, 2025

uv is now available from within Shrinkwrap's Docker images, which means
that all of Shrinkwrap's `pip install`-able dependencies should be
declared explicitly in `pyproject.toml`, including runtime dependencies
of the projects that Shrinkwrap builds.

Runtime dependencies have been separated out into optional dependencies.
These dependencies differ from dependency groups in that they are
available to downstream users using the "extras" syntax:

    uv tool install "git+https://

<...>/shrinkwrap.git[runtime]"

This change introduces the following extras:

  - `runtime` - runtime dependencies for all projects
  - `runtime-edk2` - runtime dependencies for EDK2
  - `runtime-op-tee` - runtime dependencies for OP-TEE
  - `runtime-tf-a` - runtime dependencies for TF-A

Signed-off-by: Chris Kay <chris.kay@arm.com>

Chris Kay authored Jul 25, 2025 and Ryan Roberts committed Jul 31, 2025

This change introduces a check to the CI scripts to ensure that the pip
requirements file for the documentation remains in sync with the `docs`
project group, so that downstream contributors can continue to build the
documentation the same way as before while still benefiting from uv's
strict dependency locking.

Signed-off-by: Chris Kay <chris.kay@arm.com>

Chris Kay authored Jul 24, 2025 and Ryan Roberts committed Jul 31, 2025

This change migrates the ReadTheDocs documentation generation process to
uv from pip. These changes were done in accordance with the
recommendations from the official [ReadTheDocs documentation][1].

[1]: https://docs.readthedocs.com/platform/stable/build-customization.html#install-dependencies-with-uv



Signed-off-by: Chris Kay <chris.kay@arm.com>

Chris Kay authored Jul 21, 2025 and Ryan Roberts committed Jul 31, 2025

This change makes the entire repository available from the Docker build
context, which means that we can access files outside of the `docker`
directory from the image building process.

The reason for this is so that we can install Python runtime
dependencies based on the `pyproject.toml` file in the root of the
repositroy, rather than having to manage them manually in the
Dockerfile.

Signed-off-by: Chris Kay <chris.kay@arm.com>

Chris Kay authored Jul 18, 2025 and Ryan Roberts committed Jul 31, 2025

This small change ensures that [uv][1] is available and usable from
within Shrinkwrap's Docker images, and uses it to set up a new global
virtual environment.

For the moment, the virtual environment that is already created with
venv during the build process continues to take precedence - this change
is just about ensuring that uv is available and functional.

[1]: https://docs.astral.sh/uv/
[2]: https://docs.python.org/3/library/venv.html

Chris Kay authored Jun 20, 2025 and Ryan Roberts committed Jul 31, 2025

The `pyproject.toml` file is a standard Python project configuration
file, defined by [PEP 518][1] and expanded upon in [PEP 621][2], which
centralises project metadata and build configuration.

The major benefit to this standard is the ability to automate the
installation of project dependencies (both during development and for
downstream users). As a result, it becomes possible to directly install
Shrinkwrap and all of its runtime dependencies with any of:

    uv tool install git+https://git.gitlab.arm.com/tooling/shrinkwrap.git
    pipx install git+https://git.gitlab.arm.com/tooling/shrinkwrap.git
    pip install git+https://git.gitlab.arm.com/tooling/shrinkwrap.git

This also makes it possible to build redistributable packages for
distribution via [PyPI][3], the Python Package Index.

If you are contributing to Shrinkwrap, it is strongly recommended that
you install [uv][4] and set up a virtual environment:

    curl -LsSf https://astral.sh/uv/install.sh | sh # Install uv

    uv venv # Create a virtual environment in `${PWD}/.venv`
    uv sync # Install Shrinkwrap's development dependencies

You can run commands within the virtual environment from outside of it:

    uv run shrinkwrap --help

... or load the virtual environment and run them from wherever you are:

    source .venv/bin/activate # Most modern IDEs can do this automatically
    shrinkwrap --help

[1]: https://peps.python.org/pep-0518/
[2]: https://peps.python.org/pep-0621/
[3]: https://pypi.org/
[4]: https://docs.astral.sh/uv/

Chris Kay authored Jul 25, 2025 and Ryan Roberts committed Jul 31, 2025

When calling Shrinkwrap from a script context, exceptions triggered by
the program are suppressed by default. This does not occur when calling
the `main()` function directly.

The changes that follow this one introduce a project script which calls
the `main()` function, meaning it does not share this behaviour.

This change moves this exception suppression behaviour out of the global
scope and into the function so that the observed behaviour in both a
script context and a package context is identical.

Signed-off-by: Chris Kay <chris.kay@arm.com>

Chris Kay authored Jun 20, 2025 and Ryan Roberts committed Jul 31, 2025

This change moves the `config` directory to `shrinkwrap/config`, and
creates a symlink from the original location to the new one to avoid
breaking existing workflows.

Without this move these configuration files would be unreachable by the
program when installed by a package manager (e.g. `pip install
shrinkwrap`), as most Python build systems cannot bundle data from
outside the package module tree (or they make it very awkward).

Signed-off-by: Chris Kay <chris.kay@arm.com>

Chris Kay authored Jul 17, 2025 and Ryan Roberts committed Jul 31, 2025

Sphinx 5 relies on the `imghdr` module from the standard library, but
this module is no longer available in Python 3.11 and up (for the PEP
which justified its removal, [PEP 594][1]).

[1]: https://peps.python.org/pep-0594/#imghdr



Signed-off-by: Chris Kay <chris.kay@arm.com>

On macOS, files copied on a bind mounted volume can be corrupted if the
original is sparse. In particular, this can happen for the rootfs image.
Setting --sparse=never in the copy prevents this corruption.

The rootfs.ext2 resulting from the current buildroot.yaml is not sparse,
so this change will only noticeably affect custom configurations.

Signed-off-by: Chris Reed <chris.reed@arm.com>

Jayanth Dodderi Chidanand authored Jul 13, 2025 and Ryan Roberts committed Jul 23, 2025

This patch replaces the manual tarball-based installation
of the aarch64 LLVM toolchain with an automated setup using
the official apt.llvm.org repository.

This update is required to keep the Shrinkwrap Docker
environment aligned with the Hafnium project's transition to
Clang v20 and ensure consistent toolchain behavior across
both projects.

Legacy environment variables and download logic have been
removed from "build.sh" accordingly.

Signed-off-by: Jayanth Dodderi Chidanand <jayanthdodderi.chidanand@arm.com>

Delete documentation/userguide/configstore/ contents before diffing
with the genconfigstore.py output, to detect deletions in addition to
changes.

Signed-off-by: Chris Reed <chris.reed@arm.com>

Fixes: 712d89e5 ("docs: Add configstore docs for newly added configs")
Signed-off-by: Chris Reed <chris.reed@arm.com>

Fixes: 23925546 ("git: Add support for project cache directory")
Fixes: 61945f53 ("config: Add ${param:packagedir} to the run variables")
Fixes: 4f56d552 ("config: Add btvars to yaml schema")
Signed-off-by: Chris Reed <chris.reed@arm.com>

Setting FORCE_UNSAFE_CONFIG bypasses a check against building as root
in the host-tar package, to work around a build failure when using the
Docker runtime on macOS.

Fixes #33.

Signed-off-by: Chris Reed <chris.reed@arm.com>

By default, the release build is used for tftf. Add overlay for debug
build. This also sets the artifacts path for TFTF_BIN and SP_LAYOUT

Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>

Exiting immediately when one of the jobs fails can leave source and
build directories in a bad state. For example interrupting the kernel
link process leaves an empty file which causes build to fail on the next
attempt. Killing git clone can leave index.lock files which causes an
error on the next attempt.

When a process returns an error, mark the build as failed (by setting
exec_error) and clear the queue but keep running until the concurrent
processes complete.

Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>

FEAT_LSFE (Large System Float Extension), providing atomic floating
point memory operations, is optional from v9.5.  Enable it as standard,
there's no particular reason not to.

Signed-off-by: Mark Brown <broonie@kernel.org>

There have been numerous reports of VPNs not playing nicely with the
bridged docker network. Let's switch to using the host network to try to
solve this. The host network is described as "Remove network isolation
between the container and the Docker host". Essentially they are now the
same network entity.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

Update AEM FVP to latest 11.29 package.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>

Update TF-A/TF-a-tests/Hafnium firmware components to v2.13 tag.

Update TF-RMM firmware component to v0.7.0 tag.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>

Required by TF-A to build secure partition packages in the 4 worlds
config.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>

Jean-Philippe Brucker authored May 14, 2025 and Ryan Roberts committed May 15, 2025

Update the Linux patches to cca/v8. The VMMs needs update as well since
the magic numbers of the KVM API changed. That includes the
buildroot-external-cca component which includes QEMU compatible with
cca/v8.

Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>

Aneesh Kumar K.V (Arm) authored Feb 20, 2025 and Ryan Roberts committed May 15, 2025

This update extends project cache directory support to submodules. All
submodules can be updated in the project cache by running the following
command from the top-level cache directory:

git submodule update --init --checkout --recursive --force
or by cloning with git clone --recurse-submodules

Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Signed-off-by: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>

Aneesh Kumar K.V (Arm) authored Feb 20, 2025 and Ryan Roberts committed May 15, 2025

This update introduces support for setting up a git clone alternate
reference location. The SHRINKWRAP_PROJECT_CACHE environment variable
specifies the mirror directory location.

Both a bare clone and a full clone can be used as a reference
repository. Additionally, a new component attribute, "project", allows
naming the project cache directory. For example:

kvmtool:
   project: kvmtool
   remote: https://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git


   revision: master

Signed-off-by: Aneesh Kumar K.V (Arm) <aneesh.kumar@kernel.org>

Olivier Deprez authored Mar 26, 2025 and Ryan Roberts committed May 02, 2025

Follow up to:
a502ce34 feature: add an optional 'image' field to config files.
0ca0537d config: ffa-hafnium-optee: Use the optional 'image' field

Move the "image:" field to hafnium-base config and remove it from
cca-4world and ffa-hafnium-optee configs.

This will benefit configurations consuming hafnium-base config including
above ones and ffa-tftf, or future configuration consuming this config.

Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>

The TFA build system does not notice when a build parameter changes
between incremental builds and this can lead to stale compilation units.
An example of this is when switching between v8.x and v9.x
architectures; v9.x adds CTX_INCLUDE_AARCH32_REGS=0. Where the v8.x
default is CTX_INCLUDE_AARCH32_REGS=1.

Up until now, the advice has been to workaround this by explicitly doing
a clean when changing arch versions. But this continues to bite people,
so let's workaround this in the tfa config by storing the parameters for
each build. Then we can compare to the previous build and do a clean if
they have changed. This provides a robust solution that does not incur
any performance penalty for the common case of rebuilding without any
parameter changes.

To make this work, ensure the parameters are always in the same order
when generating the parameters string. Previously their order was
arbitrary and would change from run to run.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

Previously the newest available version of cmake was always installed in
the shrinkwrap docker image. But since v4.0.0 was released, we started
getting an error when compiling the optee client as part of buildroot
(our default buildroot config enables optee):

---8<---
CMake Error at CMakeLists.txt:1 (cmake_minimum_required):
  Compatibility with CMake < 3.5 has been removed from CMake.

  Update the VERSION argument <min> value.  Or, use the <min>...<max> syntax
  to tell CMake that the project requires at least <min> but has been updated
  to work with policies introduced by <max> or earlier.

  Or, add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to try configuring anyway.
---8<---

The issue is that optee doesn't explicitly specify a policy version so
cmake assumes a very old one which is no longer supported in v4.0.0.
Ultimately this needs to be fixed in buildroot's upstream, but until
then, let's fix the version at the newest v3 point release.

Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>

Jean-Philippe Brucker authored Feb 26, 2025 and Ryan Roberts committed Apr 22, 2025

Launch a guest and check that it is running in a Realm

Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>