{
  lib,
  stdenv,
  fetchFromGitHub,
  fetchFromGitLab,
  openssl,
  pkgsCross,
  buildPackages,

  # Security note: hdcp.bin is a binary blob that executes on the main CPU
  # (not the GPU) at privilege level EL3, which sits above both the kernel
  # and the hypervisor.
  #
  # This argument only matters for platforms believed to use hdcp.bin. On
  # every other platform, and whenever unfreeIncludeHDCPBlob is false,
  # hdcp.bin is deleted before the build starts.
  #
  # The default is true: a platform that declares it can use the blob keeps
  # it unless this argument is overridden to false.
  unfreeIncludeHDCPBlob ? true,
}:
19
let
  # Shared builder for every arm-trusted-firmware package defined in this
  # file. Arguments not named below are forwarded to stdenv.mkDerivation
  # unchanged (everything in `args` except `extraMeta`), and they take
  # precedence over the attributes set here.
  buildArmTrustedFirmware = lib.makeOverridable (
    {
      # Paths, relative to the source root, copied into installDir.
      filesToInstall,
      installDir ? "$out",
      # Value passed to make as PLAT=...; null omits the flag and the
      # "-<platform>" suffix in pname.
      platform ? null,
      # Set to true only for a platform that is able to use hdcp.bin.
      platformCanUseHDCPBlob ? false,
      extraMakeFlags ? [ ],
      extraMeta ? { },
      ...
    }@args:

    let
      # hdcp.bin survives only when the platform can use it AND the caller
      # allows unfree blobs; in every other case it is removed before the
      # build.
      stripHdcpBlob = !(platformCanUseHDCPBlob && unfreeIncludeHDCPBlob);

      # Tool-name prefixes of the two cross toolchains used by the build.
      targetPrefix = stdenv.cc.targetPrefix;
      m0Prefix = pkgsCross.arm-embedded.stdenv.cc.targetPrefix;

      platformSuffix = if platform == null then "" else "-${platform}";
    in

    stdenv.mkDerivation (
      rec {

        pname = "arm-trusted-firmware${platformSuffix}";
        version = "2.13.0";

        src = fetchFromGitHub {
          owner = "ARM-software";
          repo = "arm-trusted-firmware";
          tag = "v${version}";
          hash = "sha256-rxm5RCjT/MyMCTxiEC8jQeFMrCggrb2DRbs/qDPXb20=";
        };

        # Applied only when the blob is being removed, together with the
        # `rm` in postPatch below.
        patches = lib.optionals stripHdcpBlob [
          # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
          ./remove-hdcp-blob.patch
        ];

        # Delete the blob itself so it cannot end up in the build output.
        postPatch = lib.optionalString stripHdcpBlob ''
          rm plat/rockchip/rk3399/drivers/dp/hdcp.bin
        '';

        depsBuildBuild = [ buildPackages.stdenv.cc ];

        nativeBuildInputs = [
          pkgsCross.arm-embedded.stdenv.cc # For Cortex-M0 firmware in RK3399
          openssl # For fiptool
        ];

        # Make the new toolchain guessing (from 2.11+) happy
        # https://github.com/ARM-software/arm-trusted-firmware/blob/4ec2948fe3f65dba2f19e691e702f7de2949179c/make_helpers/toolchains/rk3399-m0.mk#L21-L22
        rk3399-m0-oc = "${m0Prefix}objcopy";

        buildInputs = [ openssl ];

        makeFlags = [
          "HOSTCC=$(CC_FOR_BUILD)"
          "M0_CROSS_COMPILE=${m0Prefix}"
          "CROSS_COMPILE=${targetPrefix}"
          # Make the new toolchain guessing (from 2.11+) happy
          "CC=${targetPrefix}cc"
          "LD=${targetPrefix}cc"
          "AS=${targetPrefix}cc"
          "OC=${targetPrefix}objcopy"
          "OD=${targetPrefix}objdump"
          # Passing OpenSSL path according to docs/design/trusted-board-boot-build.rst
          "OPENSSL_DIR=${openssl}"
        ]
        ++ (lib.optional (platform != null) "PLAT=${platform}")
        ++ extraMakeFlags;

        installPhase = ''
          runHook preInstall

          mkdir -p ${installDir}
          cp ${lib.concatStringsSep " " filesToInstall} ${installDir}

          runHook postInstall
        '';

        # NOTE(review): all hardening flags are switched off and outputs are
        # left unstripped for everything built through this function, which
        # includes the fiptool/cert_create tools package in this file. The
        # file gives no reason (presumably because the main outputs are
        # bare-metal firmware images) - confirm before changing either.
        hardeningDisable = [ "all" ];
        dontStrip = true;

        # Frame pointers are explicitly omitted. The note that accompanied
        # this flag reads: "breaks secondary CPU bringup on at least RK3588,
        # maybe others" - presumably meaning a build that keeps frame
        # pointers; confirm before dropping this flag.
        env.NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";

        meta = {
          homepage = "https://github.com/ARM-software/arm-trusted-firmware";
          description = "Reference implementation of secure world software for ARMv8-A";
          # The unfree licence is advertised only when hdcp.bin is kept.
          license = [
            lib.licenses.bsd3
          ]
          ++ lib.optionals (!stripHdcpBlob) [ lib.licenses.unfreeRedistributable ];
          maintainers = [ lib.maintainers.lopsided98 ];
        }
        // extraMeta;
      }
      // removeAttrs args [ "extraMeta" ]
    )
  );
120
in
let
  # Every firmware package below lists aarch64-linux as its only platform.
  aarch64Only = [ "aarch64-linux" ];

  # Allwinner platforms: default make target, install bl31.bin.
  mkAllwinner =
    platform:
    buildArmTrustedFirmware {
      inherit platform;
      extraMeta.platforms = aarch64Only;
      filesToInstall = [ "build/${platform}/release/bl31.bin" ];
    };

  # Rockchip platforms: build only the "bl31" target and install bl31.elf.
  # `extraArgs` carries per-platform additions to the builder arguments.
  mkRockchip =
    platform: extraArgs:
    buildArmTrustedFirmware (
      {
        inherit platform;
        extraMakeFlags = [ "bl31" ];
        extraMeta.platforms = aarch64Only;
        filesToInstall = [ "build/${platform}/release/bl31/bl31.elf" ];
      }
      // extraArgs
    );
in
{
  inherit buildArmTrustedFirmware;

  armTrustedFirmwareTools = buildArmTrustedFirmware {
    # Normally, arm-trusted-firmware builds its build tools for buildPlatform
    # using CC_FOR_BUILD (which it calls HOSTCC). Since we want to build them
    # for the hostPlatform here, we trick it by overriding the HOSTCC setting
    # and, to be safe, remove CC_FOR_BUILD from the environment.
    depsBuildBuild = [ ];
    extraMakeFlags = [
      "HOSTCC=${stdenv.cc.targetPrefix}gcc"
      "fiptool"
      "certtool"
    ];
    filesToInstall = [
      "tools/fiptool/fiptool"
      "tools/cert_create/cert_create"
    ];
    # Move the copied executables from $out into $out/bin.
    postInstall = ''
      mkdir -p "$out/bin"
      find "$out" -type f -executable -exec mv -t "$out/bin" {} +
    '';
  };

  armTrustedFirmwareAllwinner = mkAllwinner "sun50i_a64";

  armTrustedFirmwareAllwinnerH616 = mkAllwinner "sun50i_h616";

  armTrustedFirmwareAllwinnerH6 = mkAllwinner "sun50i_h6";

  armTrustedFirmwareQemu = buildArmTrustedFirmware {
    platform = "qemu";
    extraMeta.platforms = aarch64Only;
    filesToInstall = [
      "build/qemu/release/bl1.bin"
      "build/qemu/release/bl2.bin"
      "build/qemu/release/bl31.bin"
    ];
  };

  armTrustedFirmwareRK3328 = mkRockchip "rk3328" { };

  # The only platform in this file that opts in to hdcp.bin. Whether the blob
  # is actually kept still depends on unfreeIncludeHDCPBlob.
  armTrustedFirmwareRK3399 = mkRockchip "rk3399" { platformCanUseHDCPBlob = true; };

  armTrustedFirmwareRK3568 = mkRockchip "rk3568" { };

  armTrustedFirmwareRK3588 = mkRockchip "rk3588" { };

  armTrustedFirmwareS905 = buildArmTrustedFirmware {
    extraMakeFlags = [ "bl31" ];
    platform = "gxbb";
    extraMeta.platforms = aarch64Only;
    filesToInstall = [ "build/gxbb/release/bl31.bin" ];
  };
}