Refactor optee packages

This splits out optee-related packages into multiple derivations to allow for easier overriding of individual components. This will eventually allow for the removal of nixos options that override these components, as overlays are now easier to use.
anduril · Dec 14, 2024 · 53c37d2 · 53c37d2
1 parent 8c15176
commit 53c37d2
Show file tree

Hide file tree

Showing 10 changed files with 290 additions and 256 deletions.
diff --git a/device-pkgs/flash-script.nix b/device-pkgs/flash-script.nix
@@ -55,7 +55,7 @@
   cp ${uefiFirmware}/dtbs/*.dtbo kernel/dtb/
   ''}
   ${lib.optionalString (tosImage != null) ''
-  cp ${tosImage}/tos.img bootloader/tos-optee_${socType}.img
+  cp ${tosImage} bootloader/tos-optee_${socType}.img
   ''}
   ${lib.optionalString (eksFile != null) ''
   cp ${eksFile} bootloader/eks_${socType}.img

diff --git a/overlay-with-config.nix b/overlay-with-config.nix
@@ -11,13 +11,6 @@ final: prev: (
 
     inherit (final) lib;
 
-    tosArgs = {
-      inherit (final.nvidia-jetpack) socType;
-      inherit (cfg.firmware.optee) taPublicKeyFile;
-      opteePatches = cfg.firmware.optee.patches;
-      extraMakeFlags = cfg.firmware.optee.extraMakeFlags;
-    };
-
     flashTools = cfg.flasherPkgs.callPackages (import ./device-pkgs { inherit config; pkgs = final; }) { };
   in
   {
@@ -49,14 +42,18 @@ final: prev: (
         patches = (old.patches or [ ]) ++ cfg.firmware.uefi.edk2UefiPatches;
       });
 
-      flash-tools = prevJetpack.flash-tools.overrideAttrs ({ patches ? [ ], postPatch ? "", ... }: {
-        patches = patches ++ cfg.flashScriptOverrides.patches;
-        postPatch = postPatch + cfg.flashScriptOverrides.postPatch;
+      opteeOS = prevJetpack.opteeOS.overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.firmware.optee.patches;
+        makeFlags = (old.makeFlags or [ ]) ++ cfg.firmware.optee.extraMakeFlags;
+      });
+
+      opteeTaDevKit = prevJetpack.opteeTaDevKit.overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.firmware.optee.patches;
+        makeFlags = (old.makeFlags or [ ]) ++ cfg.firmware.optee.extraMakeFlags;
       });
 
-      tosImage = finalJetpack.buildTOS tosArgs;
-      taDevKit = finalJetpack.buildOpteeTaDevKit tosArgs;
-      inherit (finalJetpack.tosImage) nvLuksSrv hwKeyAgent;
+      armTrustedFirmware = finalJetpack.callPackage ./pkgs/optee/arm-trusted-firmware.nix { };
+      tosImage = finalJetpack.callPackage ./pkgs/optee/tos-image.nix { };
 
       flashInitrd =
         let
@@ -193,6 +190,11 @@ final: prev: (
             cfg.firmware.variants;
         });
 
+      flash-tools = prevJetpack.flash-tools.overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.flashScriptOverrides.patches;
+        postPatch = (old.postPatch or "") + cfg.flashScriptOverrides.postPatch;
+      });
+
       # Use the flash-tools produced by mkFlashScript, we need whatever changes
       # the script made, as well as the flashcmd.txt from it
       flash-tools-flashcmd = finalJetpack.callPackage ./device-pkgs/flash-tools-flashcmd.nix {

diff --git a/overlay.nix b/overlay.nix
@@ -63,13 +63,26 @@ in
     jetsonEdk2Uefi = self.callPackage ./pkgs/uefi-firmware/jetson-edk2-uefi.nix { };
     uefiFirmware = self.callPackage ./pkgs/uefi-firmware/default.nix { };
 
-    inherit (prev.callPackages ./pkgs/optee {
-      # Nvidia's recommended toolchain is gcc9:
-      # https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/atf_and_optee_README.txt;h=591edda3d4ec96997e054ebd21fc8326983d3464;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l33
-      stdenv = prev.gcc9Stdenv;
-      inherit (self) bspSrc gitRepos l4tVersion;
-    }) buildTOS buildOpteeTaDevKit opteeClient;
-    genEkb = self.callPackage ./pkgs/optee/gen-ekb.nix { };
+    # Nvidia's recommended toolchain for optee is gcc9:
+    # https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/atf_and_optee_README.txt;h=591edda3d4ec96997e054ebd21fc8326983d3464;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l33
+    opteeStdenv = prev.gcc9Stdenv;
+
+    opteeClient = self.callPackage ./pkgs/optee/client.nix { };
+
+    opteeTaDevKit = (self.callPackage ./pkgs/optee/os.nix { }).overrideAttrs (old: {
+      pname = "optee-ta-dev-kit";
+      makeFlags = (old.makeFlags or [ ]) ++ [ "ta_dev_kit" ];
+    });
+
+    nvLuksSrv = self.callPackage ./pkgs/optee/nv-luks-srv.nix { };
+    hwKeyAgent = self.callPackage ./pkgs/optee/hw-key-agent.nix { };
+
+    opteeOS = self.callPackage ./pkgs/optee/os.nix {
+      earlyTaPaths = [
+        "${self.nvLuksSrv}/${self.nvLuksSrv.uuid}.stripped.elf"
+        "${self.hwKeyAgent}/${self.hwKeyAgent.uuid}.stripped.elf"
+      ];
+    };
 
     flash-tools = self.callPackage ./pkgs/flash-tools { };
 

diff --git a/pkgs/optee/arm-trusted-firmware.nix b/pkgs/optee/arm-trusted-firmware.nix
@@ -0,0 +1,39 @@
+{ gitRepos
+, l4tVersion
+, opteeStdenv
+, socType
+}:
+
+opteeStdenv.mkDerivation {
+  pname = "arm-trusted-firmware";
+  version = l4tVersion;
+  src = gitRepos."tegra/optee-src/atf";
+  makeFlags = [
+    "-C arm-trusted-firmware"
+    "BUILD_BASE=$(PWD)/build"
+    "CROSS_COMPILE=${opteeStdenv.cc.targetPrefix}"
+    "DEBUG=0"
+    "LOG_LEVEL=20"
+    "PLAT=tegra"
+    "SPD=opteed"
+    "TARGET_SOC=${socType}"
+    "V=0"
+    # binutils 2.39 regression
+    # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions`
+    # See also: https://developer.trustedfirmware.org/T996
+    "LDFLAGS=-no-warn-rwx-segments"
+  ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+    cp ./build/tegra/${socType}/release/bl31.bin $out/bl31.bin
+
+    runHook postInstall
+  '';
+
+  meta.platforms = [ "aarch64-linux" ];
+}
diff --git a/pkgs/optee/client.nix b/pkgs/optee/client.nix
@@ -0,0 +1,28 @@
+{ opteeStdenv, fetchpatch, gitRepos, l4tVersion, pkg-config, libuuid }:
+
+opteeStdenv.mkDerivation {
+  pname = "optee_client";
+  version = l4tVersion;
+  src = gitRepos."tegra/optee-src/nv-optee";
+  patches = [
+    ./0001-Don-t-prepend-foo-bar-baz-to-TEEC_LOAD_PATH.patch
+    (fetchpatch {
+      name = "tee-supplicant-Allow-for-TA-load-path-to-be-specified-at-runtime.patch";
+      url = "https://github.com/OP-TEE/optee_client/commit/f3845d8bee3645eedfcc494be4db034c3c69e9ab.patch";
+      stripLen = 1;
+      extraPrefix = "optee/optee_client/";
+      hash = "sha256-XjFpMbyXy74sqnc8l+EgTaPXqwwHcvni1Z68ShokTGc=";
+    })
+  ];
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libuuid ];
+  enableParallelBuilding = true;
+  makeFlags = [
+    "-C optee/optee_client"
+    "DESTDIR=$(out)"
+    "SBINDIR=/sbin"
+    "LIBDIR=/lib"
+    "INCLUDEDIR=/include"
+  ];
+  meta.platforms = [ "aarch64-linux" ];
+}
diff --git a/pkgs/optee/default.nix b/pkgs/optee/default.nix