···
1
-
{ buildArmTrustedFirmware, stdenv }:
10
+
# Warning: this blob (hdcp.bin) runs on the main CPU (not the GPU) at
11
+
# privilege level EL3, which is above both the kernel and the
14
+
# This parameter applies only to platforms which are believed to use
15
+
# hdcp.bin. On all other platforms, or if unfreeIncludeHDCPBlob=false,
16
+
# hdcp.bin will be deleted before building.
17
+
unfreeIncludeHDCPBlob ? true,
21
+
buildArmTrustedFirmware = lib.makeOverridable (
24
+
installDir ? "$out",
26
+
platformCanUseHDCPBlob ? false, # set this to true if the platform is able to use hdcp.bin
27
+
extraMakeFlags ? [ ],
32
+
# delete hdcp.bin if either: the platform is thought to
33
+
# not need it or unfreeIncludeHDCPBlob is false
35
+
deleteHDCPBlobBeforeBuild = !platformCanUseHDCPBlob || !unfreeIncludeHDCPBlob;
38
+
stdenv.mkDerivation (
41
+
pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
44
+
src = fetchFromGitHub {
45
+
owner = "ARM-software";
46
+
repo = "arm-trusted-firmware";
47
+
tag = "v${version}";
48
+
hash = "sha256-rxm5RCjT/MyMCTxiEC8jQeFMrCggrb2DRbs/qDPXb20=";
51
+
patches = lib.optionals deleteHDCPBlobBeforeBuild [
52
+
# this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
53
+
./remove-hdcp-blob.patch
56
+
postPatch = lib.optionalString deleteHDCPBlobBeforeBuild ''
57
+
rm plat/rockchip/rk3399/drivers/dp/hdcp.bin
60
+
depsBuildBuild = [ buildPackages.stdenv.cc ];
62
+
nativeBuildInputs = [
63
+
pkgsCross.arm-embedded.stdenv.cc # For Cortex-M0 firmware in RK3399
64
+
openssl # For fiptool
67
+
# Make the new toolchain guessing (from 2.11+) happy
68
+
# https://github.com/ARM-software/arm-trusted-firmware/blob/4ec2948fe3f65dba2f19e691e702f7de2949179c/make_helpers/toolchains/rk3399-m0.mk#L21-L22
69
+
rk3399-m0-oc = "${pkgsCross.arm-embedded.stdenv.cc.targetPrefix}objcopy";
71
+
buildInputs = [ openssl ];
74
+
"HOSTCC=$(CC_FOR_BUILD)"
75
+
"M0_CROSS_COMPILE=${pkgsCross.arm-embedded.stdenv.cc.targetPrefix}"
76
+
"CROSS_COMPILE=${stdenv.cc.targetPrefix}"
77
+
# Make the new toolchain guessing (from 2.11+) happy
78
+
"CC=${stdenv.cc.targetPrefix}cc"
79
+
"LD=${stdenv.cc.targetPrefix}cc"
80
+
"AS=${stdenv.cc.targetPrefix}cc"
81
+
"OC=${stdenv.cc.targetPrefix}objcopy"
82
+
"OD=${stdenv.cc.targetPrefix}objdump"
83
+
# Passing OpenSSL path according to docs/design/trusted-board-boot-build.rst
84
+
"OPENSSL_DIR=${openssl}"
86
+
++ (lib.optional (platform != null) "PLAT=${platform}")
92
+
mkdir -p ${installDir}
93
+
cp ${lib.concatStringsSep " " filesToInstall} ${installDir}
98
+
hardeningDisable = [ "all" ];
101
+
# breaks secondary CPU bringup on at least RK3588, maybe others
102
+
env.NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
107
+
homepage = "https://github.com/ARM-software/arm-trusted-firmware";
108
+
description = "Reference implementation of secure world software for ARMv8-A";
112
+
++ lib.optionals (!deleteHDCPBlobBeforeBuild) [ licenses.unfreeRedistributable ];
113
+
maintainers = with maintainers; [ lopsided98 ];
117
+
// builtins.removeAttrs args [ "extraMeta" ]
123
+
inherit buildArmTrustedFirmware;
armTrustedFirmwareTools = buildArmTrustedFirmware {
126
+
# Normally, arm-trusted-firmware builds the build tools for buildPlatform
127
+
# using CC_FOR_BUILD (or as it calls it HOSTCC). Since want to build them
128
+
# for the hostPlatform here, we trick it by overriding the HOSTCC setting
129
+
# and, to be safe, remove CC_FOR_BUILD from the environment.
130
+
depsBuildBuild = [ ];
"HOSTCC=${stdenv.cc.targetPrefix}gcc"
···
20
-
armTrustedFirmwareAllwinner = buildArmTrustedFirmware (finalAttrs: {
146
+
armTrustedFirmwareAllwinner = buildArmTrustedFirmware rec {
22
-
meta.platforms = [ "aarch64-linux" ];
23
-
filesToInstall = [ "build/${finalAttrs.platform}/release/bl31.bin" ];
148
+
extraMeta.platforms = [ "aarch64-linux" ];
149
+
filesToInstall = [ "build/${platform}/release/bl31.bin" ];
26
-
armTrustedFirmwareAllwinnerH616 = buildArmTrustedFirmware (finalAttrs: {
152
+
armTrustedFirmwareAllwinnerH616 = buildArmTrustedFirmware rec {
platform = "sun50i_h616";
28
-
meta.platforms = [ "aarch64-linux" ];
29
-
filesToInstall = [ "build/${finalAttrs.platform}/release/bl31.bin" ];
154
+
extraMeta.platforms = [ "aarch64-linux" ];
155
+
filesToInstall = [ "build/${platform}/release/bl31.bin" ];
32
-
armTrustedFirmwareAllwinnerH6 = buildArmTrustedFirmware (finalAttrs: {
158
+
armTrustedFirmwareAllwinnerH6 = buildArmTrustedFirmware rec {
34
-
meta.platforms = [ "aarch64-linux" ];
35
-
filesToInstall = [ "build/${finalAttrs.platform}/release/bl31.bin" ];
160
+
extraMeta.platforms = [ "aarch64-linux" ];
161
+
filesToInstall = [ "build/${platform}/release/bl31.bin" ];
38
-
armTrustedFirmwareQemu = buildArmTrustedFirmware (finalAttrs: {
164
+
armTrustedFirmwareQemu = buildArmTrustedFirmware rec {
40
-
meta.platforms = [ "aarch64-linux" ];
166
+
extraMeta.platforms = [ "aarch64-linux" ];
42
-
"build/${finalAttrs.platform}/release/bl1.bin"
43
-
"build/${finalAttrs.platform}/release/bl2.bin"
44
-
"build/${finalAttrs.platform}/release/bl31.bin"
168
+
"build/${platform}/release/bl1.bin"
169
+
"build/${platform}/release/bl2.bin"
170
+
"build/${platform}/release/bl31.bin"
48
-
armTrustedFirmwareRK3328 = buildArmTrustedFirmware (finalAttrs: {
49
-
makeFlags = [ "bl31" ];
174
+
armTrustedFirmwareRK3328 = buildArmTrustedFirmware rec {
175
+
extraMakeFlags = [ "bl31" ];
51
-
meta.platforms = [ "aarch64-linux" ];
52
-
filesToInstall = [ "build/${finalAttrs.platform}/release/bl31/bl31.elf" ];
177
+
extraMeta.platforms = [ "aarch64-linux" ];
178
+
filesToInstall = [ "build/${platform}/release/bl31/bl31.elf" ];
55
-
armTrustedFirmwareRK3399 = buildArmTrustedFirmware (finalAttrs: {
56
-
makeFlags = [ "bl31" ];
181
+
armTrustedFirmwareRK3399 = buildArmTrustedFirmware rec {
182
+
extraMakeFlags = [ "bl31" ];
58
-
meta.platforms = [ "aarch64-linux" ];
59
-
filesToInstall = [ "build/${finalAttrs.platform}/release/bl31/bl31.elf" ];
184
+
extraMeta.platforms = [ "aarch64-linux" ];
185
+
filesToInstall = [ "build/${platform}/release/bl31/bl31.elf" ];
platformCanUseHDCPBlob = true;
63
-
armTrustedFirmwareRK3568 = buildArmTrustedFirmware (finalAttrs: {
64
-
makeFlags = [ "bl31" ];
189
+
armTrustedFirmwareRK3568 = buildArmTrustedFirmware rec {
190
+
extraMakeFlags = [ "bl31" ];
66
-
meta.platforms = [ "aarch64-linux" ];
67
-
filesToInstall = [ "build/${finalAttrs.platform}/release/bl31/bl31.elf" ];
192
+
extraMeta.platforms = [ "aarch64-linux" ];
193
+
filesToInstall = [ "build/${platform}/release/bl31/bl31.elf" ];
70
-
armTrustedFirmwareRK3588 = buildArmTrustedFirmware (finalAttrs: {
71
-
makeFlags = [ "bl31" ];
196
+
armTrustedFirmwareRK3588 = buildArmTrustedFirmware rec {
197
+
extraMakeFlags = [ "bl31" ];
73
-
meta.platforms = [ "aarch64-linux" ];
74
-
filesToInstall = [ "build/${finalAttrs.platform}/release/bl31/bl31.elf" ];
199
+
extraMeta.platforms = [ "aarch64-linux" ];
200
+
filesToInstall = [ "build/${platform}/release/bl31/bl31.elf" ];
77
-
armTrustedFirmwareS905 = buildArmTrustedFirmware (finalAttrs: {
78
-
makeFlags = [ "bl31" ];
203
+
armTrustedFirmwareS905 = buildArmTrustedFirmware rec {
204
+
extraMakeFlags = [ "bl31" ];
80
-
meta.platforms = [ "aarch64-linux" ];
81
-
filesToInstall = [ "build/${finalAttrs.platform}/release/bl31.bin" ];
206
+
extraMeta.platforms = [ "aarch64-linux" ];
207
+
filesToInstall = [ "build/${platform}/release/bl31.bin" ];
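Review bot: The trailing `// builtins.removeAttrs args [ "extraMeta" ]` (new line 117) is merged after the attribute set that defines `patches` and `postPatch`, so a caller that passes its own `patches` or `postPatch` would replace the HDCP-blob removal instead of extending it, as far as the visible lines show. In that case `deleteHDCPBlobBeforeBuild` would still be true and `meta.license` would omit `unfreeRedistributable`, while `hdcp.bin`, which the header comment says runs at EL3, could remain in the tree that gets built. Consider composing rather than overriding, e.g. `patches = lib.optionals deleteHDCPBlobBeforeBuild [ ./remove-hdcp-blob.patch ] ++ (args.patches or [ ]);`, doing the same for `postPatch`, and adding both names to the `removeAttrs` list. Only part of this file section is visible here, so the elided lines may already cover this.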