pkgs/misc/arm-trusted-firmware/default.nix

   1 { lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages
   2
   3 # Warning: this blob (hdcp.bin) runs on the main CPU (not the GPU) at
   4 # privilege level EL3, which is above both the kernel and the
   5 # hypervisor.
   6 #
   7 # This parameter applies only to platforms which are believed to use
   8 # hdcp.bin. On all other platforms, or if unfreeIncludeHDCPBlob=false,
   9 # hdcp.bin will be deleted before building.
  10 , unfreeIncludeHDCPBlob ? true
  11 }:
  12
  13 let
  14   buildArmTrustedFirmware = { filesToInstall
  15             , installDir ? "$out"
  16             , platform ? null
  17             , platformCanUseHDCPBlob ? false  # set this to true if the platform is able to use hdcp.bin
  18             , extraMakeFlags ? []
  19             , extraMeta ? {}
  20             , ... } @ args:
  21
  22            # delete hdcp.bin if either: the platform is thought to
  23            # not need it or unfreeIncludeHDCPBlob is false
  24            let deleteHDCPBlobBeforeBuild = !platformCanUseHDCPBlob || !unfreeIncludeHDCPBlob; in
  25
  26            stdenv.mkDerivation (rec {
  27
  28     pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
  29     version = "2.7";
  30
  31     src = fetchFromGitHub {
  32       owner = "ARM-software";
  33       repo = "arm-trusted-firmware";
  34       rev = "v${version}";
  35       sha256 = "sha256-WDJMMIWZHNqxxAKeHiZDxtPjfsfQAWsbYv+0o0PiJQs=";
  36     };
  37
  38     patches = lib.optionals deleteHDCPBlobBeforeBuild [
  39       # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
  40       ./remove-hdcp-blob.patch
  41     ];
  42
  43     postPatch = lib.optionalString deleteHDCPBlobBeforeBuild ''
  44       rm plat/rockchip/rk3399/drivers/dp/hdcp.bin
  45     '';
  46
  47     depsBuildBuild = [ buildPackages.stdenv.cc ];
  48
  49     # For Cortex-M0 firmware in RK3399
  50     nativeBuildInputs = [ pkgsCross.arm-embedded.stdenv.cc ];
  51
  52     buildInputs = [ openssl ];
  53
  54     makeFlags = [
  55       "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
  56       # binutils 2.39 regression
  57       # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions`
  58       # See also: https://developer.trustedfirmware.org/T996
  59       "LDFLAGS=-no-warn-rwx-segments"
  60     ] ++ (lib.optional (platform != null) "PLAT=${platform}")
  61       ++ extraMakeFlags;
  62
  63     installPhase = ''
  64       runHook preInstall
  65
  66       mkdir -p ${installDir}
  67       cp ${lib.concatStringsSep " " filesToInstall} ${installDir}
  68
  69       runHook postInstall
  70     '';
  71
  72     hardeningDisable = [ "all" ];
  73     dontStrip = true;
  74
  75     # Fatal error: can't create build/sun50iw1p1/release/bl31/sunxi_clocks.o: No such file or directory
  76     enableParallelBuilding = false;
  77
  78     meta = with lib; {
  79       homepage = "https://github.com/ARM-software/arm-trusted-firmware";
  80       description = "A reference implementation of secure world software for ARMv8-A";
  81       license = [ licenses.bsd3 ] ++ lib.optionals (!deleteHDCPBlobBeforeBuild) [ licenses.unfreeRedistributable ];
  82       maintainers = with maintainers; [ lopsided98 ];
  83     } // extraMeta;
  84   } // builtins.removeAttrs args [ "extraMeta" ]);
  85
  86 in {
  87   inherit buildArmTrustedFirmware;
  88
  89   armTrustedFirmwareTools = buildArmTrustedFirmware rec {
  90     extraMakeFlags = [
  91       "HOSTCC=${stdenv.cc.targetPrefix}gcc"
  92       "fiptool" "certtool" "sptool"
  93     ];
  94     filesToInstall = [
  95       "tools/fiptool/fiptool"
  96       "tools/cert_create/cert_create"
  97       "tools/sptool/sptool"
  98     ];
  99     postInstall = ''
 100       mkdir -p "$out/bin"
 101       find "$out" -type f -executable -exec mv -t "$out/bin" {} +
 102     '';
 103   };
 104
 105   armTrustedFirmwareAllwinner = buildArmTrustedFirmware rec {
 106     platform = "sun50i_a64";
 107     extraMeta.platforms = ["aarch64-linux"];
 108     filesToInstall = ["build/${platform}/release/bl31.bin"];
 109   };
 110
 111   armTrustedFirmwareAllwinnerH616 = buildArmTrustedFirmware rec {
 112     platform = "sun50i_h616";
 113     extraMeta.platforms = ["aarch64-linux"];
 114     filesToInstall = ["build/${platform}/release/bl31.bin"];
 115   };
 116
 117   armTrustedFirmwareQemu = buildArmTrustedFirmware rec {
 118     platform = "qemu";
 119     extraMeta.platforms = ["aarch64-linux"];
 120     filesToInstall = [
 121       "build/${platform}/release/bl1.bin"
 122       "build/${platform}/release/bl2.bin"
 123       "build/${platform}/release/bl31.bin"
 124     ];
 125   };
 126
 127   armTrustedFirmwareRK3328 = buildArmTrustedFirmware rec {
 128     extraMakeFlags = [ "bl31" ];
 129     platform = "rk3328";
 130     extraMeta.platforms = ["aarch64-linux"];
 131     filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
 132     platformCanUseHDCPBlob = true;
 133   };
 134
 135   armTrustedFirmwareRK3399 = buildArmTrustedFirmware rec {
 136     extraMakeFlags = [ "bl31" ];
 137     platform = "rk3399";
 138     extraMeta.platforms = ["aarch64-linux"];
 139     filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
 140     platformCanUseHDCPBlob = true;
 141   };
 142
 143   armTrustedFirmwareS905 = buildArmTrustedFirmware rec {
 144     extraMakeFlags = [ "bl31" ];
 145     platform = "gxbb";
 146     extraMeta.platforms = ["aarch64-linux"];
 147     filesToInstall = [ "build/${platform}/release/bl31.bin"];
 148   };
 149 }