Refactor optee packages

This splits out optee-related packages into multiple derivations to
allow for easier overriding of individual components. This will
eventually allow for the removal of nixos options that override these
components, as overlays are now easier to use.

Author: jmbaur

device-pkgs/flash-script.nix

@@ -55,7 +55,7 @@
   cp ${uefiFirmware}/dtbs/*.dtbo kernel/dtb/
   ''}
   ${lib.optionalString (tosImage != null) ''
-  cp ${tosImage}/tos.img bootloader/tos-optee_${socType}.img
+  cp ${tosImage} bootloader/tos-optee_${socType}.img
   ''}
   ${lib.optionalString (eksFile != null) ''
   cp ${eksFile} bootloader/eks_${socType}.img

overlay-with-config.nix

@@ -11,13 +11,6 @@ final: prev: (
 
     inherit (final) lib;
 
-    tosArgs = {
-      inherit (final.nvidia-jetpack) socType;
-      inherit (cfg.firmware.optee) taPublicKeyFile;
-      opteePatches = cfg.firmware.optee.patches;
-      extraMakeFlags = cfg.firmware.optee.extraMakeFlags;
-    };
-
     flashTools = cfg.flasherPkgs.callPackages (import ./device-pkgs { inherit config; pkgs = final; }) { };
   in
   {
@@ -53,14 +46,18 @@ final: prev: (
         patches = (old.patches or [ ]) ++ cfg.firmware.uefi.edk2UefiPatches;
       });
 
-      flash-tools = prevJetpack.flash-tools.overrideAttrs ({ patches ? [ ], postPatch ? "", ... }: {
-        patches = patches ++ cfg.flashScriptOverrides.patches;
-        postPatch = postPatch + cfg.flashScriptOverrides.postPatch;
+      opteeOS = prevJetpack.opteeOS.overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.firmware.optee.patches;
+        makeFlags = (old.makeFlags or [ ]) ++ cfg.firmware.optee.extraMakeFlags;
+      });
+
+      opteeTaDevKit = prevJetpack.opteeTaDevKit.overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.firmware.optee.patches;
+        makeFlags = (old.makeFlags or [ ]) ++ cfg.firmware.optee.extraMakeFlags;
       });
 
-      tosImage = finalJetpack.buildTOS tosArgs;
-      taDevKit = finalJetpack.buildOpteeTaDevKit tosArgs;
-      inherit (finalJetpack.tosImage) nvLuksSrv hwKeyAgent;
+      armTrustedFirmware = finalJetpack.callPackage ./pkgs/optee/arm-trusted-firmware.nix { };
+      tosImage = finalJetpack.callPackage ./pkgs/optee/tos-image.nix { };
 
       flashInitrd =
         let
@@ -197,6 +194,11 @@ final: prev: (
             cfg.firmware.variants;
         });
 
+      flash-tools = prevJetpack.flash-tools.overrideAttrs (old: {
+        patches = (old.patches or [ ]) ++ cfg.flashScriptOverrides.patches;
+        postPatch = (old.postPatch or "") + cfg.flashScriptOverrides.postPatch;
+      });
+
       # Use the flash-tools produced by mkFlashScript, we need whatever changes
       # the script made, as well as the flashcmd.txt from it
       flash-tools-flashcmd = finalJetpack.callPackage ./device-pkgs/flash-tools-flashcmd.nix {

overlay.nix

@@ -63,13 +63,26 @@ in
     jetsonEdk2Uefi = self.callPackage ./pkgs/uefi-firmware/jetson-edk2-uefi.nix { };
     uefiFirmware = self.callPackage ./pkgs/uefi-firmware/default.nix { };
 
-    inherit (prev.callPackages ./pkgs/optee {
-      # Nvidia's recommended toolchain is gcc9:
-      # https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/atf_and_optee_README.txt;h=591edda3d4ec96997e054ebd21fc8326983d3464;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l33
-      stdenv = prev.gcc9Stdenv;
-      inherit (self) bspSrc gitRepos l4tVersion;
-    }) buildTOS buildOpteeTaDevKit opteeClient;
-    genEkb = self.callPackage ./pkgs/optee/gen-ekb.nix { };
+    # Nvidia's recommended toolchain for optee is gcc9:
+    # https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/atf_and_optee_README.txt;h=591edda3d4ec96997e054ebd21fc8326983d3464;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l33
+    opteeStdenv = prev.gcc9Stdenv;
+
+    opteeClient = self.callPackage ./pkgs/optee/client.nix { };
+
+    opteeTaDevKit = (self.callPackage ./pkgs/optee/os.nix { }).overrideAttrs (old: {
+      pname = "optee-ta-dev-kit";
+      makeFlags = (old.makeFlags or [ ]) ++ [ "ta_dev_kit" ];
+    });
+
+    nvLuksSrv = self.callPackage ./pkgs/optee/nv-luks-srv.nix { };
+    hwKeyAgent = self.callPackage ./pkgs/optee/hw-key-agent.nix { };
+
+    opteeOS = self.callPackage ./pkgs/optee/os.nix {
+      earlyTaPaths = [
+        "${self.nvLuksSrv}/${self.nvLuksSrv.uuid}.stripped.elf"
+        "${self.hwKeyAgent}/${self.hwKeyAgent.uuid}.stripped.elf"
+      ];
+    };
 
     flash-tools = self.callPackage ./pkgs/flash-tools { };
 

pkgs/optee/arm-trusted-firmware.nix

@@ -0,0 +1,39 @@
+{ gitRepos
+, l4tVersion
+, opteeStdenv
+, socType
+}:
+
+opteeStdenv.mkDerivation {
+  pname = "arm-trusted-firmware";
+  version = l4tVersion;
+  src = gitRepos."tegra/optee-src/atf";
+  makeFlags = [
+    "-C arm-trusted-firmware"
+    "BUILD_BASE=$(PWD)/build"
+    "CROSS_COMPILE=${opteeStdenv.cc.targetPrefix}"
+    "DEBUG=0"
+    "LOG_LEVEL=20"
+    "PLAT=tegra"
+    "SPD=opteed"
+    "TARGET_SOC=${socType}"
+    "V=0"
+    # binutils 2.39 regression
+    # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions`
+    # See also: https://developer.trustedfirmware.org/T996
+    "LDFLAGS=-no-warn-rwx-segments"
+  ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+    cp ./build/tegra/${socType}/release/bl31.bin $out/bl31.bin
+
+    runHook postInstall
+  '';
+
+  meta.platforms = [ "aarch64-linux" ];
+}

pkgs/optee/client.nix

@@ -0,0 +1,28 @@
+{ opteeStdenv, fetchpatch, gitRepos, l4tVersion, pkg-config, libuuid }:
+
+opteeStdenv.mkDerivation {
+  pname = "optee_client";
+  version = l4tVersion;
+  src = gitRepos."tegra/optee-src/nv-optee";
+  patches = [
+    ./0001-Don-t-prepend-foo-bar-baz-to-TEEC_LOAD_PATH.patch
+    (fetchpatch {
+      name = "tee-supplicant-Allow-for-TA-load-path-to-be-specified-at-runtime.patch";
+      url = "https://github.com/OP-TEE/optee_client/commit/f3845d8bee3645eedfcc494be4db034c3c69e9ab.patch";
+      stripLen = 1;
+      extraPrefix = "optee/optee_client/";
+      hash = "sha256-XjFpMbyXy74sqnc8l+EgTaPXqwwHcvni1Z68ShokTGc=";
+    })
+  ];
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libuuid ];
+  enableParallelBuilding = true;
+  makeFlags = [
+    "-C optee/optee_client"
+    "DESTDIR=$(out)"
+    "SBINDIR=/sbin"
+    "LIBDIR=/lib"
+    "INCLUDEDIR=/include"
+  ];
+  meta.platforms = [ "aarch64-linux" ];
+}