{ lib, stdenv, fetchFromGitHub, fetchFromGitLab, openssl, pkgsCross, buildPackages

# Warning: this blob (hdcp.bin) runs on the main CPU (not the GPU) at
# privilege level EL3, which is above both the kernel and the
# hypervisor.
#
# This parameter applies only to platforms which are believed to use
# hdcp.bin. On all other platforms, or if unfreeIncludeHDCPBlob=false,
# hdcp.bin will be deleted before building.
#
# NOTE(review): the default is `true`, so on platforms that set
# platformCanUseHDCPBlob the unfree blob stays in the build unless the
# caller overrides this argument to false.
, unfreeIncludeHDCPBlob ? true
}:
let
# Shared builder: wraps stdenv.mkDerivation for one Trusted Firmware-A build.
#   filesToInstall          paths (relative to the build tree) copied by installPhase
#   installDir              destination directory for those files (default "$out")
#   platform                passed to make as PLAT=<platform>; null omits PLAT and
#                           the "-<platform>" suffix in pname
#   platformCanUseHDCPBlob  whether this platform is able to use hdcp.bin
#   extraMakeFlags          appended after the default makeFlags
#   extraMeta               merged over the default meta attributes
# Every other attribute in args is merged over the derivation attributes at the
# end, so a caller-supplied attribute such as src replaces the default here.
buildArmTrustedFirmware = { filesToInstall
  , installDir ? "$out"
  , platform ? null
  , platformCanUseHDCPBlob ? false # set this to true if the platform is able to use hdcp.bin
  , extraMakeFlags ? []
  , extraMeta ? {}
  , ... } @ args:

  # delete hdcp.bin if either: the platform is thought to
  # not need it or unfreeIncludeHDCPBlob is false
  let deleteHDCPBlobBeforeBuild = !platformCanUseHDCPBlob || !unfreeIncludeHDCPBlob; in

  stdenv.mkDerivation (rec {

    pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
    version = "2.10.0";

    # Fetched by release tag; the fixed-output hash pins the content, so a
    # download whose contents differ from it is rejected.
    src = fetchFromGitHub {
      owner = "ARM-software";
      repo = "arm-trusted-firmware";
      rev = "v${version}";
      hash = "sha256-CAuftVST9Fje/DWaaoX0K2SfWwlGMaUFG4huuwsTOSU=";
    };

    patches = lib.optionals deleteHDCPBlobBeforeBuild [
      # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
      ./remove-hdcp-blob.patch
    ];

    # Besides applying the patch above, remove the blob file itself from the
    # source tree whenever it is not meant to be included.
    postPatch = lib.optionalString deleteHDCPBlobBeforeBuild ''
      rm plat/rockchip/rk3399/drivers/dp/hdcp.bin
    '';

    depsBuildBuild = [ buildPackages.stdenv.cc ];

    # For Cortex-M0 firmware in RK3399
    nativeBuildInputs = [ pkgsCross.arm-embedded.stdenv.cc ];

    buildInputs = [ openssl ];

    makeFlags = [
      "HOSTCC=$(CC_FOR_BUILD)"
      "M0_CROSS_COMPILE=${pkgsCross.arm-embedded.stdenv.cc.targetPrefix}"
      "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
      # binutils 2.39 regression
      # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions`
      # See also: https://developer.trustedfirmware.org/T996
      # NOTE(review): this flag only silences the linker diagnostic; the image
      # layout that triggers the warning is left unchanged.
      "LDFLAGS=-no-warn-rwx-segments"
    ] ++ (lib.optional (platform != null) "PLAT=${platform}")
      ++ extraMakeFlags;

    # Copy the requested build outputs into installDir, running the standard
    # pre/post install hooks around the copy.
    installPhase = ''
      runHook preInstall

      mkdir -p ${installDir}
      cp ${lib.concatStringsSep " " filesToInstall} ${installDir}

      runHook postInstall
    '';

    # NOTE(review): disables every nixpkgs compiler-wrapper hardening flag for
    # this build. The file gives no reason; presumably the flags assume a hosted
    # userspace target rather than bare-metal firmware. Confirm and document.
    hardeningDisable = [ "all" ];
    dontStrip = true;

    # Fatal error: can't create build/sun50iw1p1/release/bl31/sunxi_clocks.o: No such file or directory
    enableParallelBuilding = false;

    meta = with lib; {
      homepage = "https://github.com/ARM-software/arm-trusted-firmware";
      description = "Reference implementation of secure world software for ARMv8-A";
      # unfreeRedistributable is added only when hdcp.bin stays in the build.
      license = [ licenses.bsd3 ] ++ lib.optionals (!deleteHDCPBlobBeforeBuild) [ licenses.unfreeRedistributable ];
      maintainers = with maintainers; [ lopsided98 ];
    } // extraMeta;
  # extraMeta is already merged into meta above, so it is dropped from args
  # before the remaining caller attributes are merged over the defaults.
  } // builtins.removeAttrs args [ "extraMeta" ]);
in {
# Expose the builder itself in the returned set, next to the ready-made variants.
inherit buildArmTrustedFirmware;
# Helper tools from the TF-A tree (fiptool and cert_create), installed into $out/bin.
armTrustedFirmwareTools = buildArmTrustedFirmware {
  # By default arm-trusted-firmware compiles its build tools for the
  # buildPlatform with CC_FOR_BUILD (which it calls HOSTCC). Here the tools
  # are wanted for the hostPlatform, so HOSTCC is overridden below and, to be
  # safe, CC_FOR_BUILD is kept out of the environment.
  depsBuildBuild = [ ];

  # Only the two tool targets are built; no firmware image is produced.
  extraMakeFlags = [
    "HOSTCC=${stdenv.cc.targetPrefix}gcc"
    "fiptool"
    "certtool"
  ];

  filesToInstall = map (tool: "tools/${tool}") [
    "fiptool/fiptool"
    "cert_create/cert_create"
  ];

  # installPhase copies the binaries into $out; move them under $out/bin.
  postInstall = ''
    mkdir -p "$out/bin"
    find "$out" -type f -executable -exec mv -t "$out/bin" {} +
  '';
};
# BL31 image for the TF-A platform "sun50i_a64".
armTrustedFirmwareAllwinner =
  let
    soc = "sun50i_a64";
  in
  buildArmTrustedFirmware {
    platform = soc;
    filesToInstall = [ "build/${soc}/release/bl31.bin" ];
    extraMeta = { platforms = [ "aarch64-linux" ]; };
  };
# BL31 image for the TF-A platform "sun50i_h616".
armTrustedFirmwareAllwinnerH616 =
  let
    soc = "sun50i_h616";
  in
  buildArmTrustedFirmware {
    platform = soc;
    filesToInstall = [ "build/${soc}/release/bl31.bin" ];
    extraMeta = { platforms = [ "aarch64-linux" ]; };
  };
# BL31 image for the TF-A platform "sun50i_h6".
armTrustedFirmwareAllwinnerH6 =
  let
    soc = "sun50i_h6";
  in
  buildArmTrustedFirmware {
    platform = soc;
    filesToInstall = [ "build/${soc}/release/bl31.bin" ];
    extraMeta = { platforms = [ "aarch64-linux" ]; };
  };
# BL1, BL2 and BL31 images for the TF-A platform "qemu".
armTrustedFirmwareQemu =
  let
    target = "qemu";
    # Each boot stage is installed as build/<platform>/release/<stage>.bin.
    stageImage = stage: "build/${target}/release/${stage}.bin";
  in
  buildArmTrustedFirmware {
    platform = target;
    filesToInstall = map stageImage [ "bl1" "bl2" "bl31" ];
    extraMeta = { platforms = [ "aarch64-linux" ]; };
  };
# BL31 (ELF) for the TF-A platform "rk3328"; only the bl31 make target is built.
armTrustedFirmwareRK3328 =
  let
    soc = "rk3328";
  in
  buildArmTrustedFirmware {
    platform = soc;
    extraMakeFlags = [ "bl31" ];
    filesToInstall = [ "build/${soc}/release/bl31/bl31.elf" ];
    extraMeta = { platforms = [ "aarch64-linux" ]; };
  };
# BL31 (ELF) for the TF-A platform "rk3399"; only the bl31 make target is built.
armTrustedFirmwareRK3399 =
  let
    soc = "rk3399";
  in
  buildArmTrustedFirmware {
    platform = soc;
    extraMakeFlags = [ "bl31" ];
    filesToInstall = [ "build/${soc}/release/bl31/bl31.elf" ];
    extraMeta = { platforms = [ "aarch64-linux" ]; };
    # hdcp.bin is kept for this platform unless unfreeIncludeHDCPBlob is false;
    # keeping it also adds the unfreeRedistributable license to meta.
    platformCanUseHDCPBlob = true;
  };
# BL31 (ELF) for the TF-A platform "rk3588", built from a downstream fork.
armTrustedFirmwareRK3588 =
  let
    soc = "rk3588";
  in
  buildArmTrustedFirmware {
    platform = soc;
    extraMakeFlags = [ "bl31" ];
    filesToInstall = [ "build/${soc}/release/bl31/bl31.elf" ];
    extraMeta = { platforms = [ "aarch64-linux" ]; };
    # NOTE(review): the only hdcp.bin path this file names is under
    # plat/rockchip/rk3399. Confirm this platform really uses the blob, since
    # `true` keeps it in the tree and adds the unfree license.
    platformCanUseHDCPBlob = true;

    # TODO: remove this once the following get merged:
    # 1: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/21840
    # 2: https://review.trustedfirmware.org/c/ci/tf-a-ci-scripts/+/21833
    #
    # The fork is pinned to a full commit id plus a content hash. Only src is
    # overridden here, so pname and version still come from the shared builder
    # and do not identify this fork.
    src = fetchFromGitLab {
      domain = "gitlab.collabora.com";
      owner = "hardware-enablement/rockchip-3588";
      repo = "trusted-firmware-a";
      rev = "002d8e85ce5f4f06ebc2c2c52b4923a514bfa701";
      hash = "sha256-1XOG7ILIgWa3uXUmAh9WTfSGLD/76OsmWrUhIxm/zTg=";
    };
  };
# BL31 image for the TF-A platform "gxbb"; only the bl31 make target is built.
armTrustedFirmwareS905 =
  let
    soc = "gxbb";
  in
  buildArmTrustedFirmware {
    platform = soc;
    extraMakeFlags = [ "bl31" ];
    filesToInstall = [ "build/${soc}/release/bl31.bin" ];
    extraMeta = { platforms = [ "aarch64-linux" ]; };
  };
}