Add warnings for future deprecation of nixos options related to packaging

UPGRADE_CHECKLIST.md

@@ -1,10 +1,11 @@
 ### Updating
 - [ ] Update `l4tVersion`, `jetpackVersion`, and `cudaVersion` in overlay.nix
-- [ ] Update branch/revision/sha256s in:
+- [ ] Update branch/revision/hashes in:
     - [ ] `overlay.nix`
     - [ ] `kernel/default.nix`
-    - [ ] `pkgs/uefi-firmware/default.nix`
-    - [ ] Grep for "sha256 = ", see if there is anything else not covered
+    - [ ] `pkgs/uefi-firmware/edk2-nvidia.nix`
+    - [ ] `pkgs/uefi-firmware/jetson-edk2-uefi.nix`
+    - [ ] `grep -r -e "hash = " -e "sha256 = "` to see if there is anything else not covered
 - [ ] Update the kernel version in `kernel/default.nix` if it chaged.
 - [ ] Run `debs-update.py` and `gitrepos-update.py` under `sourceinfo` to generate new sourceinfo json files
 - [ ] Compare files from `unpackedDebs` before and after

device-pkgs/flash-script.nix

@@ -9,7 +9,7 @@
   # be used by the bootloader(s) and passed to the kernel.
   dtbsDir ? null
 , # Optional package containing uefi_jetson.efi to replace prebuilt version
-  uefi-firmware ? null
+  uefiFirmware ? null
 , # Optional package containing tos.img to replace prebuilt version
   tosImage ? null
 , # Optional EKS file containing encrypted keyblob
@@ -44,18 +44,18 @@
 
   ${lib.optionalString (partitionTemplate != null) "cp ${partitionTemplate} flash.xml"}
   ${lib.optionalString (dtbsDir != null) "cp -r ${dtbsDir}/. kernel/dtb/"}
-  ${lib.optionalString (uefi-firmware != null) ''
-  cp ${uefi-firmware}/uefi_jetson.bin bootloader/uefi_jetson.bin
+  ${lib.optionalString (uefiFirmware != null) ''
+  cp ${uefiFirmware}/uefi_jetson.bin bootloader/uefi_jetson.bin
 
   # For normal NixOS usage, we'd probably use systemd-boot or GRUB instead,
   # but lets replace the upstream L4TLauncher EFI payload anyway
-  cp ${uefi-firmware}/L4TLauncher.efi bootloader/BOOTAA64.efi
+  cp ${uefiFirmware}/L4TLauncher.efi bootloader/BOOTAA64.efi
 
   # Replace additional dtbos
-  cp ${uefi-firmware}/dtbs/*.dtbo kernel/dtb/
+  cp ${uefiFirmware}/dtbs/*.dtbo kernel/dtb/
   ''}
   ${lib.optionalString (tosImage != null) ''
-  cp ${tosImage}/tos.img bootloader/tos-optee_${socType}.img
+  cp ${tosImage} bootloader/tos-optee_${socType}.img
   ''}
   ${lib.optionalString (eksFile != null) ''
   cp ${eksFile} bootloader/eks_${socType}.img

modules/flash-script.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, utils, ... }:
+{ options, config, pkgs, lib, utils, ... }:
 
 # Convenience package that allows you to set options for the flash script using the NixOS module system.
 # You could do the overrides yourself if you'd prefer.
@@ -409,6 +409,63 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    warnings = lib.optionals options.hardware.nvidia-jetpack.firmware.uefi.edk2NvidiaPatches.isDefined [
+      ''
+        The option `hardware.nvidia-jetpack.firmware.uefi.edk2NvidiaPatches`
+        will be deprecated soon. Please migrate to using the `nixpkgs.overlays`
+        option to define an overlay that modifies the
+        `pkgs.nvidia-jetpack.edk2NvidiaSrc` derivation. For example, see
+        <jetpack-nixos/overlay-with-config.nix>.
+      ''
+    ]
+    ++ lib.optionals options.hardware.nvidia-jetpack.firmware.uefi.edk2UefiPatches.isDefined [
+      ''
+        The option `hardware.nvidia-jetpack.firmware.uefi.edk2UefiPatches` will
+        be deprecated soon. Please migrate to using the `nixpkgs.overlays`
+        option to define an overlay that modifies the
+        `pkgs.nvidia-jetpack.jetsonEdk2Uefi` derivation. For example, see
+        <jetpack-nixos/overlay-with-config.nix>.
+      ''
+    ]
+    ++ lib.optionals options.hardware.nvidia-jetpack.flashScriptOverrides.patches.isDefined [
+      ''
+        The option `hardware.nvidia-jetpack.flashScriptOverrides.patches` will
+        be deprecated soon. Please migrate to using the `nixpkgs.overlays`
+        option to define an overlay that modifies the
+        `pkgs.nvidia-jetpack.flash-tools` derivation. For example, see
+        <jetpack-nixos/overlay-with-config.nix>.
+      ''
+    ]
+    ++ lib.optionals options.hardware.nvidia-jetpack.flashScriptOverrides.postPatch.isDefined [
+      ''
+        The option `hardware.nvidia-jetpack.flashScriptOverrides.postPatch`
+        will be deprecated soon. Please migrate to using the `nixpkgs.overlays`
+        option to define an overlay that modifies the
+        `pkgs.nvidia-jetpack.flash-tools` derivation. For example, see
+        <jetpack-nixos/overlay-with-config.nix>.
+      ''
+    ]
+    ++ lib.optionals options.hardware.nvidia-jetpack.firmware.optee.patches.isDefined [
+      ''
+        The option `hardware.nvidia-jetpack.firmware.optee.patches` will be
+        deprecated soon. Please migrate to using the `nixpkgs.overlays` option
+        to define an overlay that modifies the `pkgs.nvidia-jetpack.opteeOS`
+        and/or `pkgs.nvidia-jetpack.opteeTaDevKit` derivations. For example,
+        see <jetpack-nixos/overlay-with-config.nix>.
+      ''
+    ]
+    ++ lib.optionals options.hardware.nvidia-jetpack.firmware.optee.extraMakeFlags.isDefined [
+      ''
+        The option `hardware.nvidia-jetpack.firmware.optee.extraMakeFlags` will
+        be deprecated soon. Please migrate to using the `nixpkgs.overlays`
+        option to define an overlay that modifies the
+        `pkgs.nvidia-jetpack.opteeOS` and/or
+        `pkgs.nvidia-jetpack.opteeTaDevKit` derivations. For example, see
+        <jetpack-nixos/overlay-with-config.nix>.
+      ''
+    ]
+    ;
+
     hardware.nvidia-jetpack.flashScript = lib.warn "hardware.nvidia-jetpack.flashScript is deprecated, use config.system.build.flashScript" config.system.build.flashScript;
     hardware.nvidia-jetpack.devicePkgs = (lib.mapAttrs (_: lib.warn "hardware.nvidia-jetpack.devicePkgs is deprecated, use pkgs.nvidia-jetpack") pkgs.nvidia-jetpack);
 

overlay-with-config.nix

@@ -11,13 +11,6 @@ final: prev: (
 
     inherit (final) lib;
 
-    tosArgs = {
-      inherit (final.nvidia-jetpack) socType;
-      inherit (cfg.firmware.optee) taPublicKeyFile;
-      opteePatches = cfg.firmware.optee.patches;
-      extraMakeFlags = cfg.firmware.optee.extraMakeFlags;
-    };
-
     flashTools = cfg.flasherPkgs.callPackages (import ./device-pkgs { inherit config; pkgs = final; }) { };
   in
   {
@@ -38,24 +31,33 @@ final: prev: (
         inherit (config.boot.loader.efi) efiSysMountPoint;
       };
 
-      uefi-firmware = prevJetpack.uefi-firmware.override ({
+      edk2NvidiaSrc = (prevJetpack.edk2NvidiaSrc.override {
+        errorLevelInfo = cfg.firmware.uefi.errorLevelInfo;
         bootLogo = cfg.firmware.uefi.logo;
+      }).overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.firmware.uefi.edk2NvidiaPatches;
+      });
+
+      jetsonEdk2Uefi = (prevJetpack.jetsonEdk2Uefi.override ({
         debugMode = cfg.firmware.uefi.debugMode;
-        errorLevelInfo = cfg.firmware.uefi.errorLevelInfo;
-        edk2NvidiaPatches = cfg.firmware.uefi.edk2NvidiaPatches;
-        edk2UefiPatches = cfg.firmware.uefi.edk2UefiPatches;
       } // lib.optionalAttrs cfg.firmware.uefi.capsuleAuthentication.enable {
         inherit (cfg.firmware.uefi.capsuleAuthentication) trustedPublicCertPemFile;
+      })).overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.firmware.uefi.edk2UefiPatches;
       });
 
-      flash-tools = prevJetpack.flash-tools.overrideAttrs ({ patches ? [ ], postPatch ? "", ... }: {
-        patches = patches ++ cfg.flashScriptOverrides.patches;
-        postPatch = postPatch + cfg.flashScriptOverrides.postPatch;
+      opteeOS = prevJetpack.opteeOS.overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.firmware.optee.patches;
+        makeFlags = (old.makeFlags or [ ]) ++ cfg.firmware.optee.extraMakeFlags;
       });
 
-      tosImage = finalJetpack.buildTOS tosArgs;
-      taDevKit = finalJetpack.buildOpteeTaDevKit tosArgs;
-      inherit (finalJetpack.tosImage) nvLuksSrv hwKeyAgent;
+      opteeTaDevKit = prevJetpack.opteeTaDevKit.overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.firmware.optee.patches;
+        makeFlags = (old.makeFlags or [ ]) ++ cfg.firmware.optee.extraMakeFlags;
+      });
+
+      armTrustedFirmware = finalJetpack.callPackage ./pkgs/optee/arm-trusted-firmware.nix { };
+      tosImage = finalJetpack.callPackage ./pkgs/optee/tos-image.nix { };
 
       flashInitrd =
         let
@@ -112,7 +114,7 @@ final: prev: (
         inherit lib flash-tools;
         inherit (cfg.firmware) eksFile;
         inherit (cfg.flashScriptOverrides) flashArgs partitionTemplate preFlashCommands postFlashCommands;
-        inherit (finalJetpack) tosImage socType uefi-firmware;
+        inherit (finalJetpack) tosImage socType uefiFirmware;
 
         additionalDtbOverlays = args.additionalDtbOverlays or cfg.flashScriptOverrides.additionalDtbOverlays;
         dtbsDir = config.hardware.deviceTree.package;
@@ -192,6 +194,11 @@ final: prev: (
             cfg.firmware.variants;
         });
 
+      flash-tools = prevJetpack.flash-tools.overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.flashScriptOverrides.patches;
+        postPatch = (old.postPatch or "") + cfg.flashScriptOverrides.postPatch;
+      });
+
       # Use the flash-tools produced by mkFlashScript, we need whatever changes
       # the script made, as well as the flashcmd.txt from it
       flash-tools-flashcmd = finalJetpack.callPackage ./device-pkgs/flash-tools-flashcmd.nix {

overlay.nix

@@ -59,16 +59,30 @@ in
         self.gitRepos
     );
 
-    inherit (prev.callPackages ./pkgs/uefi-firmware { inherit (self) l4tVersion; })
-      edk2-jetson uefi-firmware;
-
-    inherit (prev.callPackages ./pkgs/optee {
-      # Nvidia's recommended toolchain is gcc9:
-      # https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/atf_and_optee_README.txt;h=591edda3d4ec96997e054ebd21fc8326983d3464;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l33
-      stdenv = prev.gcc9Stdenv;
-      inherit (self) bspSrc gitRepos l4tVersion;
-    }) buildTOS buildOpteeTaDevKit opteeClient;
-    genEkb = self.callPackage ./pkgs/optee/gen-ekb.nix { };
+    edk2NvidiaSrc = self.callPackage ./pkgs/uefi-firmware/edk2-nvidia-src.nix { };
+    jetsonEdk2Uefi = self.callPackage ./pkgs/uefi-firmware/jetson-edk2-uefi.nix { };
+    uefiFirmware = self.callPackage ./pkgs/uefi-firmware/default.nix { };
+
+    # Nvidia's recommended toolchain for optee is gcc9:
+    # https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/atf_and_optee_README.txt;h=591edda3d4ec96997e054ebd21fc8326983d3464;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l33
+    opteeStdenv = prev.gcc9Stdenv;
+
+    opteeClient = self.callPackage ./pkgs/optee/client.nix { };
+
+    opteeTaDevKit = (self.callPackage ./pkgs/optee/os.nix { }).overrideAttrs (old: {
+      pname = "optee-ta-dev-kit";
+      makeFlags = (old.makeFlags or [ ]) ++ [ "ta_dev_kit" ];
+    });
+
+    nvLuksSrv = self.callPackage ./pkgs/optee/nv-luks-srv.nix { };
+    hwKeyAgent = self.callPackage ./pkgs/optee/hw-key-agent.nix { };
+
+    opteeOS = self.callPackage ./pkgs/optee/os.nix {
+      earlyTaPaths = [
+        "${self.nvLuksSrv}/${self.nvLuksSrv.uuid}.stripped.elf"
+        "${self.hwKeyAgent}/${self.hwKeyAgent.uuid}.stripped.elf"
+      ];
+    };
 
     flash-tools = self.callPackage ./pkgs/flash-tools { };
 

pkgs/optee/arm-trusted-firmware.nix

@@ -0,0 +1,39 @@
+{ gitRepos
+, l4tVersion
+, opteeStdenv
+, socType
+}:
+
+opteeStdenv.mkDerivation {
+  pname = "arm-trusted-firmware";
+  version = l4tVersion;
+  src = gitRepos."tegra/optee-src/atf";
+  makeFlags = [
+    "-C arm-trusted-firmware"
+    "BUILD_BASE=$(PWD)/build"
+    "CROSS_COMPILE=${opteeStdenv.cc.targetPrefix}"
+    "DEBUG=0"
+    "LOG_LEVEL=20"
+    "PLAT=tegra"
+    "SPD=opteed"
+    "TARGET_SOC=${socType}"
+    "V=0"
+    # binutils 2.39 regression
+    # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions`
+    # See also: https://developer.trustedfirmware.org/T996
+    "LDFLAGS=-no-warn-rwx-segments"
+  ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+    cp ./build/tegra/${socType}/release/bl31.bin $out/bl31.bin
+
+    runHook postInstall
+  '';
+
+  meta.platforms = [ "aarch64-linux" ];
+}

pkgs/optee/client.nix

@@ -0,0 +1,28 @@
+{ opteeStdenv, fetchpatch, gitRepos, l4tVersion, pkg-config, libuuid }:
+
+opteeStdenv.mkDerivation {
+  pname = "optee_client";
+  version = l4tVersion;
+  src = gitRepos."tegra/optee-src/nv-optee";
+  patches = [
+    ./0001-Don-t-prepend-foo-bar-baz-to-TEEC_LOAD_PATH.patch
+    (fetchpatch {
+      name = "tee-supplicant-Allow-for-TA-load-path-to-be-specified-at-runtime.patch";
+      url = "https://github.com/OP-TEE/optee_client/commit/f3845d8bee3645eedfcc494be4db034c3c69e9ab.patch";
+      stripLen = 1;
+      extraPrefix = "optee/optee_client/";
+      hash = "sha256-XjFpMbyXy74sqnc8l+EgTaPXqwwHcvni1Z68ShokTGc=";
+    })
+  ];
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libuuid ];
+  enableParallelBuilding = true;
+  makeFlags = [
+    "-C optee/optee_client"
+    "DESTDIR=$(out)"
+    "SBINDIR=/sbin"
+    "LIBDIR=/lib"
+    "INCLUDEDIR=/include"
+  ];
+  meta.platforms = [ "aarch64-linux" ];
+}