From 53c37d29601751df53fdfdcfea613f99ebd2e5fb Mon Sep 17 00:00:00 2001 From: Jared Baur Date: Fri, 13 Dec 2024 17:08:50 -0800 Subject: [PATCH] Refactor optee packages This splits out optee-related packages into multiple derivations to allow for easier overriding of individual components. This will eventually allow for the removal of nixos options that override these components, as overlays are now easier to use. --- device-pkgs/flash-script.nix | 2 +- overlay-with-config.nix | 28 ++-- overlay.nix | 27 +++- pkgs/optee/arm-trusted-firmware.nix | 39 +++++ pkgs/optee/client.nix | 28 ++++ pkgs/optee/default.nix | 235 ---------------------------- pkgs/optee/hw-key-agent.nix | 48 ++++++ pkgs/optee/nv-luks-srv.nix | 48 ++++++ pkgs/optee/os.nix | 60 +++++++ pkgs/optee/tos-image.nix | 31 ++++ 10 files changed, 290 insertions(+), 256 deletions(-) create mode 100644 pkgs/optee/arm-trusted-firmware.nix create mode 100644 pkgs/optee/client.nix delete mode 100644 pkgs/optee/default.nix create mode 100644 pkgs/optee/hw-key-agent.nix create mode 100644 pkgs/optee/nv-luks-srv.nix create mode 100644 pkgs/optee/os.nix create mode 100644 pkgs/optee/tos-image.nix diff --git a/device-pkgs/flash-script.nix b/device-pkgs/flash-script.nix index 30ec594e..88f25cc2 100644 --- a/device-pkgs/flash-script.nix +++ b/device-pkgs/flash-script.nix @@ -55,7 +55,7 @@ cp ${uefiFirmware}/dtbs/*.dtbo kernel/dtb/ ''} ${lib.optionalString (tosImage != null) '' - cp ${tosImage}/tos.img bootloader/tos-optee_${socType}.img + cp ${tosImage} bootloader/tos-optee_${socType}.img ''} ${lib.optionalString (eksFile != null) '' cp ${eksFile} bootloader/eks_${socType}.img diff --git a/overlay-with-config.nix b/overlay-with-config.nix index 2f06ba96..d09c7f66 100644 --- a/overlay-with-config.nix +++ b/overlay-with-config.nix 
@@ -11,13 +11,6 @@ final: prev: ( inherit (final) lib; - tosArgs = { - inherit (final.nvidia-jetpack) socType; - inherit (cfg.firmware.optee) taPublicKeyFile; - opteePatches = cfg.firmware.optee.patches; - extraMakeFlags = cfg.firmware.optee.extraMakeFlags; - }; - flashTools = cfg.flasherPkgs.callPackages (import ./device-pkgs { inherit config; pkgs = final; }) { }; in { @@ -49,14 +42,18 @@ final: prev: ( patches = (old.patches or [ ]) ++ cfg.firmware.uefi.edk2UefiPatches; }); - flash-tools = prevJetpack.flash-tools.overrideAttrs ({ patches ? [ ], postPatch ? "", ... }: { - patches = patches ++ cfg.flashScriptOverrides.patches; - postPatch = postPatch + cfg.flashScriptOverrides.postPatch; + opteeOS = prevJetpack.opteeOS.overrideAttrs (old: { + patches = (old.patches or [ ]) ++ cfg.firmware.optee.patches; + makeFlags = (old.makeFlags or [ ]) ++ cfg.firmware.optee.extraMakeFlags; + }); + + opteeTaDevKit = prevJetpack.opteeTaDevKit.overrideAttrs (old: { + patches = (old.patches or [ ]) ++ cfg.firmware.optee.patches; + makeFlags = (old.makeFlags or [ ]) ++ cfg.firmware.optee.extraMakeFlags; }); - tosImage = finalJetpack.buildTOS tosArgs; - taDevKit = finalJetpack.buildOpteeTaDevKit tosArgs; - inherit (finalJetpack.tosImage) nvLuksSrv hwKeyAgent; + armTrustedFirmware = finalJetpack.callPackage ./pkgs/optee/arm-trusted-firmware.nix { }; + tosImage = finalJetpack.callPackage ./pkgs/optee/tos-image.nix { }; flashInitrd = let @@ -193,6 +190,11 @@ final: prev: ( cfg.firmware.variants; }); + flash-tools = prevJetpack.flash-tools.overrideAttrs (old: { + patches = (old.patches or [ ]) ++ cfg.flashScriptOverrides.patches; + postPatch = (old.postPatch or "") + cfg.flashScriptOverrides.postPatch; + }); + # Use the flash-tools produced by mkFlashScript, we need whatever changes # the script made, as well as the flashcmd.txt from it flash-tools-flashcmd = finalJetpack.callPackage ./device-pkgs/flash-tools-flashcmd.nix { 
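Review bot: `cfg.firmware.optee.taPublicKeyFile` no longer reaches the OP-TEE build. The removed `tosArgs` forwarded it, but the new `opteeOS` and `opteeTaDevKit` overrides in the second hunk append only `patches` and `makeFlags`. pkgs/optee/os.nix adds `TA_PUBLIC_KEY=` only when its `taPublicKeyFile` argument is non-null, and overlay.nix calls it with `earlyTaPaths` alone. Unless the package scope supplies that name somewhere outside these hunks, a configured custom key is silently ignored and the image verifies trusted applications against whatever key the OP-TEE makefiles default to. Consider `opteeOS = (prevJetpack.opteeOS.override { inherit (cfg.firmware.optee) taPublicKeyFile; }).overrideAttrs (old: { … })` and the same for `opteeTaDevKit`; the enclosing overlay attrset starts and ends outside the hunk.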
diff --git a/overlay.nix b/overlay.nix index 201b2822..0dcfe198 100644 --- a/overlay.nix +++ b/overlay.nix @@ -63,13 +63,26 @@ in jetsonEdk2Uefi = self.callPackage ./pkgs/uefi-firmware/jetson-edk2-uefi.nix { }; uefiFirmware = self.callPackage ./pkgs/uefi-firmware/default.nix { }; - inherit (prev.callPackages ./pkgs/optee { - # Nvidia's recommended toolchain is gcc9: - # https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/atf_and_optee_README.txt;h=591edda3d4ec96997e054ebd21fc8326983d3464;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l33 - stdenv = prev.gcc9Stdenv; - inherit (self) bspSrc gitRepos l4tVersion; - }) buildTOS buildOpteeTaDevKit opteeClient; - genEkb = self.callPackage ./pkgs/optee/gen-ekb.nix { }; + # Nvidia's recommended toolchain for optee is gcc9: + # https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/atf_and_optee_README.txt;h=591edda3d4ec96997e054ebd21fc8326983d3464;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l33 + opteeStdenv = prev.gcc9Stdenv; + + opteeClient = self.callPackage ./pkgs/optee/client.nix { }; + + opteeTaDevKit = (self.callPackage ./pkgs/optee/os.nix { }).overrideAttrs (old: { + pname = "optee-ta-dev-kit"; + makeFlags = (old.makeFlags or [ ]) ++ [ "ta_dev_kit" ]; + }); + + nvLuksSrv = self.callPackage ./pkgs/optee/nv-luks-srv.nix { }; + hwKeyAgent = self.callPackage ./pkgs/optee/hw-key-agent.nix { }; + + opteeOS = self.callPackage ./pkgs/optee/os.nix { + earlyTaPaths = [ + "${self.nvLuksSrv}/${self.nvLuksSrv.uuid}.stripped.elf" + "${self.hwKeyAgent}/${self.hwKeyAgent.uuid}.stripped.elf" + ]; + }; flash-tools = self.callPackage ./pkgs/flash-tools { }; diff --git a/pkgs/optee/arm-trusted-firmware.nix b/pkgs/optee/arm-trusted-firmware.nix new file mode 100644 index 00000000..eb881531 --- /dev/null +++ b/pkgs/optee/arm-trusted-firmware.nix 
@@ -0,0 +1,39 @@
+{ gitRepos
+, l4tVersion
+, opteeStdenv
+, socType
+}:
+
+opteeStdenv.mkDerivation {
+ pname = "arm-trusted-firmware";
+ version = l4tVersion;
+ src = gitRepos."tegra/optee-src/atf";
+ makeFlags = [
+ "-C arm-trusted-firmware"
+ "BUILD_BASE=$(PWD)/build"
+ "CROSS_COMPILE=${opteeStdenv.cc.targetPrefix}"
+ "DEBUG=0"
+ "LOG_LEVEL=20"
+ "PLAT=tegra"
+ "SPD=opteed"
+ "TARGET_SOC=${socType}"
+ "V=0"
+ # binutils 2.39 regression
+ # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions`
+ # See also: https://developer.trustedfirmware.org/T996
+ "LDFLAGS=-no-warn-rwx-segments"
+ ];
+
+ enableParallelBuilding = true;
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out
+ cp ./build/tegra/${socType}/release/bl31.bin $out/bl31.bin
+
+ runHook postInstall
+ '';
+
+ meta.platforms = [ "aarch64-linux" ];
+}
diff --git a/pkgs/optee/client.nix b/pkgs/optee/client.nix
new file mode 100644
index 00000000..29364e02
--- /dev/null
+++ b/pkgs/optee/client.nix
@@ -0,0 +1,28 @@
+{ opteeStdenv, fetchpatch, gitRepos, l4tVersion, pkg-config, libuuid }:
+
+opteeStdenv.mkDerivation {
+ pname = "optee_client";
+ version = l4tVersion;
+ src = gitRepos."tegra/optee-src/nv-optee";
+ patches = [
+ ./0001-Don-t-prepend-foo-bar-baz-to-TEEC_LOAD_PATH.patch
+ (fetchpatch {
+ name = "tee-supplicant-Allow-for-TA-load-path-to-be-specified-at-runtime.patch";
+ url = "https://github.com/OP-TEE/optee_client/commit/f3845d8bee3645eedfcc494be4db034c3c69e9ab.patch";
+ stripLen = 1;
+ extraPrefix = "optee/optee_client/";
+ hash = "sha256-XjFpMbyXy74sqnc8l+EgTaPXqwwHcvni1Z68ShokTGc=";
+ })
+ ];
+ nativeBuildInputs = [ pkg-config ];
+ buildInputs = [ libuuid ];
+ enableParallelBuilding = true;
+ makeFlags = [
+ "-C optee/optee_client"
+ "DESTDIR=$(out)"
+ "SBINDIR=/sbin"
+ "LIBDIR=/lib"
+ "INCLUDEDIR=/include"
+ ];
+ meta.platforms = [ "aarch64-linux" ];
+}
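Review bot: The comment above `"LDFLAGS=-no-warn-rwx-segments"` in arm-trusted-firmware.nix does not say what the flag leaves unresolved, and the warning it quotes names an rk3399 build path rather than the tegra one this derivation builds. The flag only silences the linker diagnostic; the condition it reports, a LOAD segment with RWX permissions in bl31.elf, is not changed by it. Since this is the secure monitor, the comment should make that explicit, for example `# Only hides the binutils >= 2.39 warning; bl31.elf still links with an RWX LOAD segment, revisit once upstream ATF splits the segments`.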
diff --git a/pkgs/optee/default.nix b/pkgs/optee/default.nix
deleted file mode 100644
index 02f2a340..00000000
--- a/pkgs/optee/default.nix
+++ /dev/null
@@ -1,235 +0,0 @@ -{ l4tVersion -, bspSrc -, buildPackages -, lib -, stdenv -, fetchgit -, pkg-config -, libuuid -, dtc -, nukeReferences -, fetchpatch -, gitRepos -}: - -let - atfSrc = gitRepos."tegra/optee-src/atf"; - nvopteeSrc = gitRepos."tegra/optee-src/nv-optee"; - - opteeClient = stdenv.mkDerivation { - pname = "optee_client"; - version = l4tVersion; - src = nvopteeSrc; - patches = [ - ./0001-Don-t-prepend-foo-bar-baz-to-TEEC_LOAD_PATH.patch - (fetchpatch { - name = "tee-supplicant-Allow-for-TA-load-path-to-be-specified-at-runtime.patch"; - url = "https://github.com/OP-TEE/optee_client/commit/f3845d8bee3645eedfcc494be4db034c3c69e9ab.patch"; - stripLen = 1; - extraPrefix = "optee/optee_client/"; - hash = "sha256-XjFpMbyXy74sqnc8l+EgTaPXqwwHcvni1Z68ShokTGc="; - }) - ]; - nativeBuildInputs = [ pkg-config ]; - buildInputs = [ libuuid ]; - enableParallelBuilding = true; - makeFlags = [ - "-C optee/optee_client" - "DESTDIR=$(out)" - "SBINDIR=/sbin" - "LIBDIR=/lib" - "INCLUDEDIR=/include" - ]; - meta.platforms = [ "aarch64-linux" ]; - }; - - buildOptee = lib.makeOverridable ({ pname ? "optee-os" - , socType - , earlyTaPaths ? [ ] - , extraMakeFlags ? [ ] - , opteePatches ? [ ] - , taPublicKeyFile ? null - , ... 
- }: - let - nvCccPrebuilt = { - t194 = ""; - t234 = "${nvopteeSrc}/optee/optee_os/prebuilt/t234/libcommon_crypto.a"; - }.${socType}; - - makeFlags = [ - "-C optee/optee_os" - "CROSS_COMPILE64=${stdenv.cc.targetPrefix}" - "PLATFORM=tegra" - "PLATFORM_FLAVOR=${socType}" - "CFG_WITH_STMM_SP=y" - "CFG_STMM_PATH=${bspSrc}/bootloader/standalonemm_optee_${socType}.bin" - "NV_CCC_PREBUILT=${nvCccPrebuilt}" - "O=$(out)" - ] - ++ (lib.optional (taPublicKeyFile != null) "TA_PUBLIC_KEY=${taPublicKeyFile}") - ++ extraMakeFlags; - in - stdenv.mkDerivation { - inherit pname; - version = l4tVersion; - src = nvopteeSrc; - patches = opteePatches; - postPatch = '' - patchShebangs $(find optee/optee_os -type d -name scripts -printf '%p ') - ''; - nativeBuildInputs = [ - dtc - (buildPackages.python3.withPackages (p: with p; [ pyelftools cryptography ])) - ]; - inherit makeFlags; - enableParallelBuilding = true; - # NOTE: EARLY_TA_PATHS needs to be added outside of `makeFlags` since it is a - # space separated list of paths. See - # https://nixos.org/manual/nixpkgs/stable/#build-phase for more details. 
- preBuild = lib.optionalString (earlyTaPaths != [ ]) '' - makeFlagsArray+=(EARLY_TA_PATHS="${toString earlyTaPaths}") - ''; - dontInstall = true; - meta.platforms = [ "aarch64-linux" ]; - }); - - buildOpteeTaDevKit = args: buildOptee (args // { - pname = "optee-ta-dev-kit"; - extraMakeFlags = (args.extraMakeFlags or [ ]) ++ [ "ta_dev_kit" ]; - }); - - buildNvLuksSrv = args: stdenv.mkDerivation { - pname = "nvluks-srv"; - version = l4tVersion; - src = nvopteeSrc; - patches = [ ./0001-nvoptee-no-install-makefile.patch ./0002-Exit-with-non-zero-status-code-on-TEEC_InvokeCommand.patch ]; - nativeBuildInputs = [ (buildPackages.python3.withPackages (p: [ p.cryptography ])) ]; - enableParallelBuilding = true; - makeFlags = [ - "-C optee/samples/luks-srv" - "CROSS_COMPILE=${stdenv.cc.targetPrefix}" - "TA_DEV_KIT_DIR=${buildOpteeTaDevKit args}/export-ta_arm64" - "OPTEE_CLIENT_EXPORT=${opteeClient}" - "O=$(PWD)/out" - ]; - installPhase = '' - runHook preInstall - - install -Dm755 -t $out/bin out/ca/luks-srv/nvluks-srv-app - install -Dm755 -t $out out/early_ta/luks-srv/*.stripped.elf - - runHook postInstall - ''; - meta.platforms = [ "aarch64-linux" ]; - }; - - buildHwKeyAgent = args: stdenv.mkDerivation { - pname = "hwkey-agent"; - version = l4tVersion; - src = nvopteeSrc; - patches = [ ./0001-nvoptee-no-install-makefile.patch ]; - nativeBuildInputs = [ (buildPackages.python3.withPackages (p: [ p.cryptography ])) ]; - enableParallelBuilding = true; - makeFlags = [ - "-C optee/samples/hwkey-agent" - "CROSS_COMPILE=${stdenv.cc.targetPrefix}" - "TA_DEV_KIT_DIR=${buildOpteeTaDevKit args}/export-ta_arm64" - "OPTEE_CLIENT_EXPORT=${opteeClient}" - "O=$(PWD)/out" - ]; - installPhase = '' - runHook preInstall - - install -Dm755 -t $out/bin out/ca/hwkey-agent/nvhwkey-app - install -Dm755 -t $out out/ta/hwkey-agent/*.stripped.elf - - runHook postInstall - ''; - }; - - buildOpteeDTB = lib.makeOverridable ({ socType, ... 
}: - let - flavor = lib.replaceStrings [ "t" ] [ "" ] socType; - in - buildPackages.runCommand "tegra-${flavor}-optee.dtb" - { - nativeBuildInputs = [ dtc ]; - } '' - mkdir -p $out - dtc -I dts -O dtb -o $out/tegra${flavor}-optee.dtb ${nvopteeSrc}/optee/tegra${flavor}-optee.dts - ''); - - buildArmTrustedFirmware = lib.makeOverridable ({ socType, ... }: - stdenv.mkDerivation { - pname = "arm-trusted-firmware"; - version = l4tVersion; - src = atfSrc; - makeFlags = [ - "-C arm-trusted-firmware" - "BUILD_BASE=$(PWD)/build" - "CROSS_COMPILE=${stdenv.cc.targetPrefix}" - "DEBUG=0" - "LOG_LEVEL=20" - "PLAT=tegra" - "SPD=opteed" - "TARGET_SOC=${socType}" - "V=0" - # binutils 2.39 regression - # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions` - # See also: https://developer.trustedfirmware.org/T996 - "LDFLAGS=-no-warn-rwx-segments" - ]; - - enableParallelBuilding = true; - - installPhase = '' - runHook preInstall - - mkdir -p $out - cp ./build/tegra/${socType}/release/bl31.bin $out/bl31.bin - - runHook postInstall - ''; - - meta.platforms = [ "aarch64-linux" ]; - }); - - buildTOS = { socType, ... 
}@args: - let - armTrustedFirmware = buildArmTrustedFirmware args; - - opteeDTB = buildOpteeDTB args; - - nvLuksSrv = buildNvLuksSrv args; - hwKeyAgent = buildHwKeyAgent args; - - opteeOS = buildOptee ({ - earlyTaPaths = [ - "${nvLuksSrv}/b83d14a8-7128-49df-9624-35f14f65ca6c.stripped.elf" - "${hwKeyAgent}/82154947-c1bc-4bdf-b89d-04f93c0ea97c.stripped.elf" - ]; - } // args); - - image = buildPackages.runCommand "tos.img" - { - nativeBuildInputs = [ nukeReferences ]; - passthru = { inherit nvLuksSrv hwKeyAgent; }; - } '' - mkdir -p $out - ${buildPackages.python3}/bin/python3 ${bspSrc}/nv_tegra/tos-scripts/gen_tos_part_img.py \ - --monitor ${armTrustedFirmware}/bl31.bin \ - --os ${opteeOS}/core/tee-raw.bin \ - --dtb ${opteeDTB}/*.dtb \ - --tostype optee \ - $out/tos.img - - # Get rid of any string references to source(s) - nuke-refs $out/* - ''; - in - image; -in -{ - inherit buildTOS buildOpteeTaDevKit opteeClient; -} diff --git a/pkgs/optee/hw-key-agent.nix b/pkgs/optee/hw-key-agent.nix new file mode 100644 index 00000000..ae310a4f --- /dev/null +++ b/pkgs/optee/hw-key-agent.nix 
@@ -0,0 +1,48 @@
+{ gitRepos
+, opteeStdenv
+, l4tVersion
+, opteeTaDevKit
+, opteeClient
+, buildPackages
+}:
+
+let
+ nvopteeSrc = gitRepos."tegra/optee-src/nv-optee";
+in
+opteeStdenv.mkDerivation (finalAttrs: {
+ pname = "hwkey-agent";
+ version = l4tVersion;
+
+ src = nvopteeSrc;
+
+ patches = [ ./0001-nvoptee-no-install-makefile.patch ];
+
+ nativeBuildInputs = [ (buildPackages.python3.withPackages (p: [ p.cryptography ])) ];
+
+ enableParallelBuilding = true;
+
+ makeFlags = [
+ "-C optee/samples/hwkey-agent"
+ "CROSS_COMPILE=${opteeStdenv.cc.targetPrefix}"
+ "TA_DEV_KIT_DIR=${opteeTaDevKit}/export-ta_arm64"
+ "OPTEE_CLIENT_EXPORT=${opteeClient}"
+ "O=$(PWD)/out"
+ ];
+
+ installPhase = ''
+ runHook preInstall
+
+ install -Dm755 -t $out/bin out/ca/hwkey-agent/nvhwkey-app
+ install -Dm755 -t $out out/ta/hwkey-agent/${finalAttrs.passthru.uuid}.stripped.elf
+
+ runHook postInstall
+ '';
+
+
+ passthru.uuid = "82154947-c1bc-4bdf-b89d-04f93c0ea97c";
+
+ meta = {
+ platforms = [ "aarch64-linux" ];
+ mainProgram = "nvhwkey-app";
+ };
+})
diff --git a/pkgs/optee/nv-luks-srv.nix b/pkgs/optee/nv-luks-srv.nix
new file mode 100644
index 00000000..2b4ded96
--- /dev/null
+++ b/pkgs/optee/nv-luks-srv.nix
@@ -0,0 +1,48 @@
+{ gitRepos
+, opteeStdenv
+, l4tVersion
+, opteeTaDevKit
+, opteeClient
+, buildPackages
+}:
+
+let
+ nvopteeSrc = gitRepos."tegra/optee-src/nv-optee";
+in
+opteeStdenv.mkDerivation (finalAttrs: {
+ pname = "nvluks-srv";
+ version = l4tVersion;
+
+ src = nvopteeSrc;
+
+ patches = [ ./0001-nvoptee-no-install-makefile.patch ./0002-Exit-with-non-zero-status-code-on-TEEC_InvokeCommand.patch ];
+
+ nativeBuildInputs = [ (buildPackages.python3.withPackages (p: [ p.cryptography ])) ];
+
+ enableParallelBuilding = true;
+
+ makeFlags = [
+ "-C optee/samples/luks-srv"
+ "CROSS_COMPILE=${opteeStdenv.cc.targetPrefix}"
+ "TA_DEV_KIT_DIR=${opteeTaDevKit}/export-ta_arm64"
+ "OPTEE_CLIENT_EXPORT=${opteeClient}"
+ "O=$(PWD)/out"
+ ];
+
+ installPhase = ''
+ runHook preInstall
+
+ install -Dm755 -t $out/bin out/ca/luks-srv/nvluks-srv-app
+ install -Dm755 -t $out out/early_ta/luks-srv/${finalAttrs.passthru.uuid}.stripped.elf
+
+ runHook postInstall
+ '';
+
+
+ passthru.uuid = "b83d14a8-7128-49df-9624-35f14f65ca6c";
+
+ meta = {
+ platforms = [ "aarch64-linux" ];
+ mainProgram = "nvluks-srv-app";
+ };
+})
diff --git a/pkgs/optee/os.nix b/pkgs/optee/os.nix
new file mode 100644
index 00000000..1ab9d4d4
--- /dev/null
+++ b/pkgs/optee/os.nix
@@ -0,0 +1,60 @@
+{ lib
+, gitRepos
+, l4tVersion
+, dtc
+, buildPackages
+, stdenv
+, bspSrc
+, socType
+, earlyTaPaths ? [ ]
+, taPublicKeyFile ? null
+}:
+
+let
+ nvopteeSrc = gitRepos."tegra/optee-src/nv-optee";
+
+ nvCccPrebuilt = {
+ t194 = "";
+ t234 = "${nvopteeSrc}/optee/optee_os/prebuilt/t234/libcommon_crypto.a";
+ }.${socType};
+in
+stdenv.mkDerivation {
+ pname = "optee-os";
+ version = l4tVersion;
+
+ src = nvopteeSrc;
+
+ postPatch = ''
+ patchShebangs $(find optee/optee_os -type d -name scripts -printf '%p ')
+ '';
+
+ nativeBuildInputs = [
+ dtc
+ (buildPackages.python3.withPackages (p: with p; [ pyelftools cryptography ]))
+ ];
+
+ makeFlags = [
+ "-C optee/optee_os"
+ "CROSS_COMPILE64=${stdenv.cc.targetPrefix}"
+ "PLATFORM=tegra"
+ "PLATFORM_FLAVOR=${socType}"
+ "CFG_WITH_STMM_SP=y"
+ "CFG_STMM_PATH=${bspSrc}/bootloader/standalonemm_optee_${socType}.bin"
+ "NV_CCC_PREBUILT=${nvCccPrebuilt}"
+ "O=$(out)"
+ ]
+ ++ (lib.optional (taPublicKeyFile != null) "TA_PUBLIC_KEY=${taPublicKeyFile}");
+
+ enableParallelBuilding = true;
+
+ # NOTE: EARLY_TA_PATHS needs to be added outside of `makeFlags` since it is a
+ # space separated list of paths. See
+ # https://nixos.org/manual/nixpkgs/stable/#build-phase for more details.
+ preBuild = lib.optionalString (earlyTaPaths != [ ]) ''
+ makeFlagsArray+=(EARLY_TA_PATHS="${toString earlyTaPaths}")
+ '';
+
+ dontInstall = true;
+
+ meta.platforms = [ "aarch64-linux" ];
+}
diff --git a/pkgs/optee/tos-image.nix b/pkgs/optee/tos-image.nix
new file mode 100644
index 00000000..6a43cefa
--- /dev/null
+++ b/pkgs/optee/tos-image.nix
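Review bot: os.nix takes `stdenv` and uses it for `stdenv.mkDerivation` and `CROSS_COMPILE64=${stdenv.cc.targetPrefix}`, while every other new optee file takes `opteeStdenv`. overlay.nix sets `opteeStdenv = prev.gcc9Stdenv` for the toolchain Nvidia recommends, but calls os.nix without passing `stdenv`, so `opteeOS` and `opteeTaDevKit` presumably build with the scope's default compiler. The deleted default.nix built all of these with gcc9, which means the secure-world OS and the dev kit the TAs link against silently change toolchain. If that is not intended, take `, opteeStdenv` in the argument list and use `opteeStdenv.mkDerivation {` with `"CROSS_COMPILE64=${opteeStdenv.cc.targetPrefix}"`.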
@@ -0,0 +1,31 @@
+{ gitRepos
+, lib
+, runCommand
+, python3
+, dtc
+, bspSrc
+, armTrustedFirmware
+, opteeOS
+, nukeReferences
+, socType
+}:
+
+
+let
+ flavor = lib.replaceStrings [ "t" ] [ "" ] socType;
+ nvopteeSrc = gitRepos."tegra/optee-src/nv-optee";
+
+in
+runCommand "tos.img"
+{
+ nativeBuildInputs = [ dtc python3 nukeReferences ];
+} ''
+ dtc -I dts -O dtb -o optee.dtb ${nvopteeSrc}/optee/tegra${flavor}-optee.dts
+
+ python3 ${bspSrc}/nv_tegra/tos-scripts/gen_tos_part_img.py \
+ --monitor ${armTrustedFirmware}/bl31.bin \
+ --os ${opteeOS}/core/tee-raw.bin \
+ --dtb optee.dtb \
+ --tostype optee \
+ $out
+''
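Review bot: `nukeReferences` is still listed in `nativeBuildInputs`, but the build script never runs `nuke-refs`. The deleted default.nix ran it over the output to strip store-path strings from tos.img. Without that step, any store paths embedded by the input binaries or by gen_tos_part_img.py stay in the flashed image and become runtime references of the derivation. Either restore the step with `nuke-refs $out` as the last line of the script, or drop the unused input and add a comment saying why stripping is no longer needed.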