Merge pull request #174691 from a-m-joseph/pr/atf-set-unfreeIncludeHDCPBlob-master

arm-trusted-firmware: set unfree only if hdcp.bin is used; otherwise delete it before building

1 files changed, 21 insertions, 4 deletions

diff --git a/pkgs/misc/arm-trusted-firmware/default.nix b/pkgs/misc/arm-trusted-firmware/default.nix
index 49fdc7a829c58..4145e2f43f0aa 100644
--- a/pkgs/misc/arm-trusted-firmware/default.nix
+++ b/pkgs/misc/arm-trusted-firmware/default.nix
@@ -1,7 +1,12 @@
 { lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages
 
-# Warning: this blob runs on the main CPU (not the GPU) at privilege
-# level EL3, which is above both the kernel and the hypervisor.
+# Warning: this blob (hdcp.bin) runs on the main CPU (not the GPU) at
+# privilege level EL3, which is above both the kernel and the
+# hypervisor.
+#
+# This parameter applies only to platforms which are believed to use
+# hdcp.bin. On all other platforms, or if unfreeIncludeHDCPBlob=false,
+# hdcp.bin will be deleted before building.
 , unfreeIncludeHDCPBlob ? true
 }:
 
@@ -9,10 +14,16 @@ let
   buildArmTrustedFirmware = { filesToInstall
             , installDir ? "$out"
             , platform ? null
+            , platformCanUseHDCPBlob ? false  # set this to true if the platform is able to use hdcp.bin
             , extraMakeFlags ? []
             , extraMeta ? {}
             , version ? "2.6"
             , ... } @ args:
+
+           # delete hdcp.bin if either: the platform is thought to
+           # not need it or unfreeIncludeHDCPBlob is false
+           let deleteHDCPBlobBeforeBuild = !platformCanUseHDCPBlob || !unfreeIncludeHDCPBlob; in
+
            stdenv.mkDerivation ({
 
     pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
@@ -25,11 +36,15 @@ let
       sha256 = "sha256-qT9DdTvMcUrvRzgmVf2qmKB+Rb1WOB4p1rM+fsewGcg=";
     };
 
-    patches = lib.optionals (!unfreeIncludeHDCPBlob) [
+    patches = lib.optionals deleteHDCPBlobBeforeBuild [
       # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
       ./remove-hdcp-blob.patch
     ];
 
+    postPatch = lib.optionalString deleteHDCPBlobBeforeBuild ''
+      rm plat/rockchip/rk3399/drivers/dp/hdcp.bin
+    '';
+
     depsBuildBuild = [ buildPackages.stdenv.cc ];
 
     # For Cortex-M0 firmware in RK3399
@@ -60,7 +75,7 @@ let
     meta = with lib; {
       homepage = "https://github.com/ARM-software/arm-trusted-firmware";
       description = "A reference implementation of secure world software for ARMv8-A";
-      license = (if unfreeIncludeHDCPBlob then [ licenses.unfreeRedistributable ] else []) ++ [ licenses.bsd3 ];
+      license = [ licenses.bsd3 ] ++ lib.optionals (!deleteHDCPBlobBeforeBuild) [ licenses.unfreeRedistributable ];
       maintainers = with maintainers; [ lopsided98 ];
     } // extraMeta;
   } // builtins.removeAttrs args [ "extraMeta" ]);
@@ -111,6 +126,7 @@ in {
     platform = "rk3328";
     extraMeta.platforms = ["aarch64-linux"];
     filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
+    platformCanUseHDCPBlob = true;
   };
 
   armTrustedFirmwareRK3399 = buildArmTrustedFirmware rec {
@@ -118,6 +134,7 @@ in {
     platform = "rk3399";
     extraMeta.platforms = ["aarch64-linux"];
     filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
+    platformCanUseHDCPBlob = true;
   };
 
   armTrustedFirmwareS905 = buildArmTrustedFirmware rec {