cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

arm-trusted-firmware: unfree only if hdcp.bin used; otherwise delete it

Browse source 
The `unfreeIncludeHDCPBlob` parameter was introduced as a result of
this reviewer request:

  https://github.com/NixOS/nixpkgs/issues/148890#issuecomment-1032002903

The default value `unfreeIncludeHDCPBlob?true` causes a change in the
`meta.license` field for all of the subpackages within
`pkgs/misc/arm-trusted-firmware/`, and results in them needing
`NIXPKGS_ALLOW_NONFREE=1`.

For non-Rockchip platforms the file hdcp.bin does not get included in
the output; the blob is for a Synopsys HDCP core that is currently
used only by Rockchip (although other companies could license it from
Synopsys in the future). Therefore on non-Rockchip we can delete
hdcp.bin before building instead of changing the license. This
preserves the ability to build them without NIXPKGS_ALLOW_NONFREE=1.

Let's do that.

Deleting hdcp.bin ensures that we won't be caught by surprise if some
future non-Rockchip Arm CPU licenses the same Synopsys HDCP core that
Rockchip is using.

Use easier-to-follow names for controlling the blob
inclusion/exclusion.  Also, if the blob is believed to be unnecessary,
delete it beforehand so we will know if we were wrong about that belief.

Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
This commit is contained in:
Adam Joseph 2022-05-25 23:49:22 -07:00
parent f04d78fdd2
commit 8485bfc9bf
1 changed files with 21 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
pkgs/misc/arm-trusted-firmware/default.nix
View file

@ -1,7 +1,12 @@
{ lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages { lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages
# Warning: this blob runs on the main CPU (not the GPU) at privilege # Warning: this blob (hdcp.bin) runs on the main CPU (not the GPU) at
# level EL3, which is above both the kernel and the hypervisor. # privilege level EL3, which is above both the kernel and the
# hypervisor.
#
# This parameter applies only to platforms which are believed to use
# hdcp.bin. On all other platforms, or if unfreeIncludeHDCPBlob=false,
# hdcp.bin will be deleted before building.
, unfreeIncludeHDCPBlob ? true , unfreeIncludeHDCPBlob ? true
}: }:
@ -9,10 +14,16 @@ let
buildArmTrustedFirmware = { filesToInstall buildArmTrustedFirmware = { filesToInstall
, installDir ? "$out" , installDir ? "$out"
, platform ? null , platform ? null
, platformCanUseHDCPBlob ? false # set this to true if the platform is able to use hdcp.bin
, extraMakeFlags ? [] , extraMakeFlags ? []
, extraMeta ? {} , extraMeta ? {}
, version ? "2.6" , version ? "2.6"
, ... } @ args: , ... } @ args:
# delete hdcp.bin if either: the platform is thought to
# not need it or unfreeIncludeHDCPBlob is false
let deleteHDCPBlobBeforeBuild = !platformCanUseHDCPBlob || !unfreeIncludeHDCPBlob; in
stdenv.mkDerivation ({ stdenv.mkDerivation ({
pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}"; pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
@ -25,11 +36,15 @@ let
sha256 = "sha256-qT9DdTvMcUrvRzgmVf2qmKB+Rb1WOB4p1rM+fsewGcg="; sha256 = "sha256-qT9DdTvMcUrvRzgmVf2qmKB+Rb1WOB4p1rM+fsewGcg=";
}; };
patches = lib.optionals (!unfreeIncludeHDCPBlob) [ patches = lib.optionals deleteHDCPBlobBeforeBuild [
# this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
./remove-hdcp-blob.patch ./remove-hdcp-blob.patch
]; ];
postPatch = lib.optionalString deleteHDCPBlobBeforeBuild ''
rm plat/rockchip/rk3399/drivers/dp/hdcp.bin
'';
depsBuildBuild = [ buildPackages.stdenv.cc ]; depsBuildBuild = [ buildPackages.stdenv.cc ];
# For Cortex-M0 firmware in RK3399 # For Cortex-M0 firmware in RK3399
@ -60,7 +75,7 @@ let
meta = with lib; { meta = with lib; {
homepage = "https://github.com/ARM-software/arm-trusted-firmware"; homepage = "https://github.com/ARM-software/arm-trusted-firmware";
description = "A reference implementation of secure world software for ARMv8-A"; description = "A reference implementation of secure world software for ARMv8-A";
license = (if unfreeIncludeHDCPBlob then [ licenses.unfreeRedistributable ] else []) ++ [ licenses.bsd3 ]; license = [ licenses.bsd3 ] ++ lib.optionals (!deleteHDCPBlobBeforeBuild) [ licenses.unfreeRedistributable ];
maintainers = with maintainers; [ lopsided98 ]; maintainers = with maintainers; [ lopsided98 ];
} // extraMeta; } // extraMeta;
} // builtins.removeAttrs args [ "extraMeta" ]); } // builtins.removeAttrs args [ "extraMeta" ]);
@ -111,6 +126,7 @@ in {
platform = "rk3328"; platform = "rk3328";
extraMeta.platforms = ["aarch64-linux"]; extraMeta.platforms = ["aarch64-linux"];
filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"]; filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
platformCanUseHDCPBlob = true;
}; };
armTrustedFirmwareRK3399 = buildArmTrustedFirmware rec { armTrustedFirmwareRK3399 = buildArmTrustedFirmware rec {
@ -118,6 +134,7 @@ in {
platform = "rk3399"; platform = "rk3399";
extraMeta.platforms = ["aarch64-linux"]; extraMeta.platforms = ["aarch64-linux"];
filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"]; filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
platformCanUseHDCPBlob = true;
}; };
armTrustedFirmwareS905 = buildArmTrustedFirmware rec { armTrustedFirmwareS905 = buildArmTrustedFirmware rec {