1 { lib, stdenv, fetchFromGitHub, fetchFromGitLab, openssl, pkgsCross, buildPackages
3 # Warning: this blob (hdcp.bin) runs on the main CPU (not the GPU) at
4 # privilege level EL3, which is above both the kernel and the hypervisor.
7 # This parameter applies only to platforms which are believed to use
8 # hdcp.bin. On all other platforms, or if unfreeIncludeHDCPBlob=false,
9 # hdcp.bin will be deleted before building.
10 , unfreeIncludeHDCPBlob ? true
# buildArmTrustedFirmware: shared builder used by every armTrustedFirmware*
# attribute in this file. It wraps stdenv.mkDerivation, adds PLAT=<platform>
# to the flag list when a platform is given, and copies filesToInstall into
# installDir.
# NOTE(review): this listing skips lines (the gutter numbers jump), so the
# remaining parameters, the rev/version pins and the phase boundaries are not
# visible here.
14 buildArmTrustedFirmware = { filesToInstall
17 , platformCanUseHDCPBlob ? false # set this to true if the platform is able to use hdcp.bin
22 # delete hdcp.bin if either: the platform is thought to
23 # not need it or unfreeIncludeHDCPBlob is false
# With the defaults visible in this file (platformCanUseHDCPBlob = false,
# unfreeIncludeHDCPBlob = true) the blob is removed unless a platform opts in;
# a platform that opts in keeps it unless unfreeIncludeHDCPBlob is set to false.
24 let deleteHDCPBlobBeforeBuild = !platformCanUseHDCPBlob || !unfreeIncludeHDCPBlob; in
26 stdenv.mkDerivation (rec {
28 pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
# Default upstream source, fixed by content hash; the rev/tag line is not
# visible in this listing.
31 src = fetchFromGitHub {
32 owner = "ARM-software";
33 repo = "arm-trusted-firmware";
35 hash = "sha256-CAuftVST9Fje/DWaaoX0K2SfWwlGMaUFG4huuwsTOSU=";
# Applied only when the blob is being removed. NOTE(review): the patch is a
# local rebase of a third-party patch and edits the firmware source tree, so
# it needs re-review whenever it is rebased.
38 patches = lib.optionals deleteHDCPBlobBeforeBuild [
39 # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
40 ./remove-hdcp-blob.patch
# rm is called without -f. NOTE(review): presumably a missing hdcp.bin then
# fails the build instead of passing silently, which is the safe direction if
# upstream ever moves the file — confirm.
43 postPatch = lib.optionalString deleteHDCPBlobBeforeBuild ''
44 rm plat/rockchip/rk3399/drivers/dp/hdcp.bin
47 depsBuildBuild = [ buildPackages.stdenv.cc ];
49 # For Cortex-M0 firmware in RK3399
50 nativeBuildInputs = [ pkgsCross.arm-embedded.stdenv.cc ];
52 buildInputs = [ openssl ];
55 "HOSTCC=$(CC_FOR_BUILD)"
56 "M0_CROSS_COMPILE=${pkgsCross.arm-embedded.stdenv.cc.targetPrefix}"
57 "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
# NOTE(review): the flag below only silences the linker diagnostic; the
# bl31.elf LOAD segment it warns about is still emitted with RWX permissions.
58 # binutils 2.39 regression
59 # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions`
60 # See also: https://developer.trustedfirmware.org/T996
61 "LDFLAGS=-no-warn-rwx-segments"
62 ] ++ (lib.optional (platform != null) "PLAT=${platform}")
68 mkdir -p ${installDir}
69 cp ${lib.concatStringsSep " " filesToInstall} ${installDir}
# NOTE(review): switches off every nixpkgs hardening flag for code that runs
# at EL3. No reason is given in the visible lines — presumably the bare-metal
# build cannot take the hosted-toolchain flags; confirm, and prefer listing
# only the flags that actually break the build.
74 hardeningDisable = [ "all" ];
77 # Fatal error: can't create build/sun50iw1p1/release/bl31/sunxi_clocks.o: No such file or directory
78 enableParallelBuilding = false;
81 homepage = "https://github.com/ARM-software/arm-trusted-firmware";
82 description = "Reference implementation of secure world software for ARMv8-A";
# License metadata follows the blob: unfreeRedistributable is added only when
# hdcp.bin stays in the build.
83 license = [ licenses.bsd3 ] ++ lib.optionals (!deleteHDCPBlobBeforeBuild) [ licenses.unfreeRedistributable ];
84 maintainers = with maintainers; [ lopsided98 ];
# Caller arguments (minus extraMeta) are merged last, so they override the
# defaults above; args is presumably bound with @args on a line this listing
# omits.
86 } // builtins.removeAttrs args [ "extraMeta" ]);
# Re-exports the builder itself alongside the armTrustedFirmware* attributes
# that follow; presumably part of the returned attribute set, whose opening
# line this listing omits.
89 inherit buildArmTrustedFirmware;
# Tools-only build: installs fiptool and cert_create, then moves every
# executable regular file found under $out into $out/bin.
# NOTE(review): cert_create is the TF-A tool that generates the keys and
# certificates for the trusted-boot chain, so run it outside a derivation;
# anything written to the Nix store is world-readable.
91 armTrustedFirmwareTools = buildArmTrustedFirmware rec {
92 # Normally, arm-trusted-firmware builds the build tools for buildPlatform
93 # using CC_FOR_BUILD (or as it calls it HOSTCC). Since we want to build them
94 # for the hostPlatform here, we trick it by overriding the HOSTCC setting
95 # and, to be safe, remove CC_FOR_BUILD from the environment.
# The compiler name "gcc" is hard-coded after the target prefix.
# NOTE(review): presumably this does not resolve on a non-GCC stdenv — confirm.
98 "HOSTCC=${stdenv.cc.targetPrefix}gcc"
102 "tools/fiptool/fiptool"
103 "tools/cert_create/cert_create"
107 find "$out" -type f -executable -exec mv -t "$out/bin" {} +
# Allwinner sun50i_a64 build: installs only the BL31 image, for aarch64-linux.
# platformCanUseHDCPBlob is not set here, so the builder default (false)
# applies and hdcp.bin is removed before the build.
111 armTrustedFirmwareAllwinner = buildArmTrustedFirmware rec {
112 platform = "sun50i_a64";
113 extraMeta.platforms = ["aarch64-linux"];
114 filesToInstall = ["build/${platform}/release/bl31.bin"];
# Allwinner sun50i_h616 build: same shape as the sun50i_a64 attribute, with
# only bl31.bin installed and no HDCP opt-in.
117 armTrustedFirmwareAllwinnerH616 = buildArmTrustedFirmware rec {
118 platform = "sun50i_h616";
119 extraMeta.platforms = ["aarch64-linux"];
120 filesToInstall = ["build/${platform}/release/bl31.bin"];
# Allwinner sun50i_h6 build: same shape as the sun50i_a64 attribute, with
# only bl31.bin installed and no HDCP opt-in.
123 armTrustedFirmwareAllwinnerH6 = buildArmTrustedFirmware rec {
124 platform = "sun50i_h6";
125 extraMeta.platforms = ["aarch64-linux"];
126 filesToInstall = ["build/${platform}/release/bl31.bin"];
# QEMU build: the only attribute in the visible lines that installs the BL1
# and BL2 images along with BL31. The platform value is set on a line this
# listing omits.
129 armTrustedFirmwareQemu = buildArmTrustedFirmware rec {
131 extraMeta.platforms = ["aarch64-linux"];
133 "build/${platform}/release/bl1.bin"
134 "build/${platform}/release/bl2.bin"
135 "build/${platform}/release/bl31.bin"
# Rockchip RK3328 build: passes "bl31" as an extra make argument (presumably
# the make target) and installs the BL31 ELF rather than a flat .bin.
# No HDCP opt-in is visible, so hdcp.bin is removed before the build.
139 armTrustedFirmwareRK3328 = buildArmTrustedFirmware rec {
140 extraMakeFlags = [ "bl31" ];
142 extraMeta.platforms = ["aarch64-linux"];
143 filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
# Rockchip RK3399 build: the only attribute in this file that opts in to the
# HDCP blob. With the file-level default unfreeIncludeHDCPBlob = true, hdcp.bin
# is kept in the build, neither the removal patch nor the rm is applied, and
# the license list gains unfreeRedistributable.
# NOTE(review): to get a blob-free EL3 image on this platform, the file-level
# argument unfreeIncludeHDCPBlob has to be set to false; the default ships it.
146 armTrustedFirmwareRK3399 = buildArmTrustedFirmware rec {
147 extraMakeFlags = [ "bl31" ];
149 extraMeta.platforms = ["aarch64-linux"];
150 filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
151 platformCanUseHDCPBlob = true;
# Rockchip RK3588 build. NOTE(review): src is replaced with a Collabora GitLab
# fork instead of the ARM-software repository the builder defaults to, so this
# EL3 image is built from code that has not landed upstream yet (see the TODO).
# The fork is pinned by full commit id and by content hash, so the fetched
# tree cannot change without this file changing.
154 armTrustedFirmwareRK3588 = buildArmTrustedFirmware rec {
155 extraMakeFlags = [ "bl31" ];
157 extraMeta.platforms = ["aarch64-linux"];
158 filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
# NOTE(review): platformCanUseHDCPBlob is not set in the visible lines, so
# remove-hdcp-blob.patch and the rm of the rk3399 hdcp.bin would also run
# against this fork's tree — confirm both still apply there.
160 # TODO: remove this once the following get merged:
161 # 1: https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/21840
162 # 2: https://review.trustedfirmware.org/c/ci/tf-a-ci-scripts/+/21833
163 src = fetchFromGitLab {
164 domain = "gitlab.collabora.com";
165 owner = "hardware-enablement/rockchip-3588";
166 repo = "trusted-firmware-a";
167 rev = "002d8e85ce5f4f06ebc2c2c52b4923a514bfa701";
168 hash = "sha256-1XOG7ILIgWa3uXUmAh9WTfSGLD/76OsmWrUhIxm/zTg=";
# S905 build: passes "bl31" as an extra make argument (presumably the make
# target) and installs the flat bl31.bin. The platform value is set on a line
# this listing omits; no HDCP opt-in is visible, so hdcp.bin is removed.
172 armTrustedFirmwareS905 = buildArmTrustedFirmware rec {
173 extraMakeFlags = [ "bl31" ];
175 extraMeta.platforms = ["aarch64-linux"];
176 filesToInstall = [ "build/${platform}/release/bl31.bin"];