From 0ad2b42f939a038b063fc50aba09fbaeaa07ddda Mon Sep 17 00:00:00 2001 From: Arturo Buzarra Date: Thu, 4 Jul 2024 16:24:34 +0200 Subject: [PATCH] stm-st-stm32mp: tf-a: add support to ConnectCore MP25 DVK platform Add support based on v2.8 version from STM release openstlinux-6.1-yocto-mickledore-mp2-v23.12.06. https://onedigi.atlassian.net/browse/DEL-8995 
Signed-off-by: Arturo Buzarra --- .../classes/fip-utils-stm32mp2.bbclass | 567 ++++++++++++++++ meta-digi-arm/classes/sign-stm32mp2.bbclass | 125 ++++ .../tf-a-stm32mp2-common.inc | 36 ++ .../tf-a-stm32mp2-config.inc | 19 + .../trusted-firmware-a/tf-a-stm32mp2.inc | 603 ++++++++++++++++++ ...p_%.bbappend => tf-a-stm32mp_2.6.bbappend} | 0 .../trusted-firmware-a/tf-a-stm32mp_2.8.bb | 42 ++ .../trusted-firmware-a/tf-a-tools.inc | 48 ++ .../0001-FIX-GCC-tools-overwrite.patch | 48 ++ ...se-a-root-key-password-from-command-.patch | 126 ++++ .../trusted-firmware-a/tf-a-tools_2.8.bb | 22 + 11 files changed, 1636 insertions(+) create mode 100644 meta-digi-arm/classes/fip-utils-stm32mp2.bbclass create mode 100644 meta-digi-arm/classes/sign-stm32mp2.bbclass create mode 100644 meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2-common.inc create mode 100644 meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2-config.inc create mode 100644 meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2.inc rename meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/{tf-a-stm32mp_%.bbappend => tf-a-stm32mp_2.6.bbappend} (100%) create mode 100644 meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.8.bb create mode 100644 meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools.inc create mode 100644 meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-FIX-GCC-tools-overwrite.patch create mode 100644 meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-tools-allow-to-use-a-root-key-password-from-command-.patch create mode 100644 meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools_2.8.bb 
diff --git a/meta-digi-arm/classes/fip-utils-stm32mp2.bbclass b/meta-digi-arm/classes/fip-utils-stm32mp2.bbclass
new file mode 100644
index 000000000..e27d65479
--- /dev/null
+++ b/meta-digi-arm/classes/fip-utils-stm32mp2.bbclass
@@ -0,0 +1,567 @@ +inherit sign-stm32mp2 + +DEPENDS += "tf-a-tools-native util-linux-native" + +# Configure new package to provide fiptool wrapper for SDK usage +PACKAGES =+ "${FIPTOOL_WRAPPER}" + +BBCLASSEXTEND:append = " nativesdk" + +RRECOMMENDS:${FIPTOOL_WRAPPER}:append:class-nativesdk = " nativesdk-tf-a-tools" + +# Define default TF-A FIP namings +FIP_BASENAME ?= "fip" +FIP_SUFFIX ?= "bin" + +# Set default TF-A FIP config +FIP_CONFIG ?= "" + +# Default FIP config: +# There are two options implemented to select two different firmware and each +# FIP_CONFIG should configure one: 'tfa' or 'optee' +FIP_CONFIG_FW_TFA = "tfa" +FIP_CONFIG_FW_TEE = "optee" + +# Init BL31 config +FIP_BL31_ENABLE ?= "" + +# Set CERTTOOL binary name to use +CERTTOOL ?= "cert_create" +# Set ENCTOOL binary name to use +ENCTOOL ?= "encrypt_fw" +# Set FIPTOOL binary name to use +FIPTOOL ?= "fiptool" +# Set STM32MP fiptool wrapper +FIPTOOL_WRAPPER ?= "fiptool-stm32mp" + +# Default FIP file names and suffixes +FIP_BL31 ?= "tf-a-bl31" +FIP_BL31_SUFFIX ?= "bin" +FIP_BL31_DTB ?= "bl31" +FIP_BL31_DTB_SUFFIX ?= "dtb" +FIP_TFA ?= "tf-a-bl32" +FIP_TFA_SUFFIX ?= "bin" +FIP_TFA_DTB ?= "bl32" +FIP_TFA_DTB_SUFFIX ?= "dtb" +FIP_FW_CONFIG ?= "fw-config" +FIP_FW_CONFIG_SUFFIX ?= "dtb" +FIP_FW_DDR ?= "ddr_pmu" +FIP_FW_DDR_SUFFIX ?= "bin" +FIP_OPTEE_HEADER ?= "tee-header_v2" +FIP_OPTEE_PAGER ?= "tee-pager_v2" +FIP_OPTEE_PAGEABLE ?= "tee-pageable_v2" +FIP_OPTEE_SUFFIX ?= "bin" +FIP_UBOOT ?= "u-boot-nodtb" +FIP_UBOOT_SUFFIX ?= "bin" +FIP_UBOOT_DTB ?= "u-boot" +FIP_UBOOT_DTB_SUFFIX ?= "dtb" + +# Configure default folder path for binaries to package +FIP_DEPLOYDIR_FIP ?= "${DEPLOYDIR}/fip" +FIP_DEPLOYDIR_BL31 ?= "${DEPLOYDIR}/arm-trusted-firmware/bl31" +FIP_DEPLOYDIR_TFA ?= "${DEPLOYDIR}/arm-trusted-firmware/bl32" +FIP_DEPLOYDIR_FWCONF ?= "${DEPLOYDIR}/arm-trusted-firmware/fwconfig" +FIP_DEPLOYDIR_FWDDR ?= "${DEPLOYDIR}/arm-trusted-firmware/ddr" +FIP_DEPLOYDIR_OPTEE ?= "${DEPLOY_DIR}/images/${MACHINE}/optee" 
+FIP_DEPLOYDIR_UBOOT ?= "${DEPLOY_DIR}/images/${MACHINE}/u-boot" + +# Set default configuration to allow FIP signing +FIP_ENCRYPT_SUFFIX ??= "${@bb.utils.contains('ENCRYPT_ENABLE', '1', '${ENCRYPT_SUFFIX}', '', d)}" +FIP_ENCRYPT_NONCE ??= "1234567890abcdef12345678" +FIP_SIGN_SUFFIX ??= "${@bb.utils.contains('SIGN_ENABLE', '1', '${SIGN_SUFFIX}', '', d)}" + +# Define FIP dependency build +FIP_DEPENDS += "virtual/bootloader" +FIP_DEPENDS += "${@bb.utils.contains('MACHINE_FEATURES', 'optee', 'virtual/optee-os', '', d)}" +FIP_DEPENDS:class-nativesdk = "" + +# ----------------------------------------------- +# Handle FIP config and set internal vars +# FIP_BL32_CONF +python () { + import re + + # Make sure that deploy class is configured + if not bb.data.inherits_class('deploy', d): + bb.fatal("The st-fip-utils class needs the deploy class to be configured on recipe side.") + + # Manage FIP binary dependencies + fip_depends = (d.getVar('FIP_DEPENDS') or "").split() + if len(fip_depends) > 0: + for depend in fip_depends: + d.appendVarFlag('do_deploy', 'depends', ' %s:do_deploy' % depend) + + # Manage FIP config settings + fipconfigflags = d.getVarFlags('FIP_CONFIG') + if fipconfigflags is not None: + # The "doc" varflag is special, we don't want to see it here + fipconfigflags.pop('doc', None) + fipconfig = (d.getVar('FIP_CONFIG') or "").split() + if not fipconfig: + raise bb.parse.SkipRecipe("FIP_CONFIG must be set in the %s machine configuration." 
% d.getVar("MACHINE")) + if (d.getVar('FIP_BL32_CONF') or "").split(): + raise bb.parse.SkipRecipe("You cannot use FIP_BL32_CONF as it is internal to FIP_CONFIG var expansion.") + if (d.getVar('FIP_DEVICETREE') or "").split(): + raise bb.parse.SkipRecipe("You cannot use FIP_DEVICETREE as it is internal to FIP_CONFIG var expansion.") + if len(fipconfig) > 0: + # Init internal fip firmware config + fip_config_fw_tfa = d.getVar('FIP_CONFIG_FW_TFA') or "" + fip_config_fw_tee = d.getVar('FIP_CONFIG_FW_TEE') or "" + for config in fipconfig: + for f, v in fipconfigflags.items(): + if config == f: + # Make sure to get var flag properly expanded + v = d.getVarFlag('FIP_CONFIG', config) + if not v.strip(): + bb.fatal('[FIP_CONFIG] Missing configuration for %s config' % config) + items = v.split(',') + if items[0] and len(items) > 2: + raise bb.parse.SkipRecipe('Only and can be specified!') + # Set internal vars + if items[0] == fip_config_fw_tfa or items[0] == fip_config_fw_tee: + bb.debug(1, "Appending '%s' to FIP_BL32_CONF" % items[0]) + d.appendVar('FIP_BL32_CONF', items[0] + ',') + else: + bb.fatal('[FIP_CONFIG] Wrong configuration for %s config: %s should be one of %s or %s' % (config,items[0],fip_config_fw_tfa,fip_config_fw_tee)) + bb.debug(1, "Appending '%s' to FIP_DEVICETREE" % items[1]) + d.appendVar('FIP_DEVICETREE', items[1] + ',') + break +} + +# Deploy the fip binary for current target +do_deploy:append:class-target() { + install -d ${DEPLOYDIR} + install -d ${FIP_DEPLOYDIR_FIP} + + unset i + for config in ${FIP_CONFIG}; do + i=$(expr $i + 1) + bl32_conf=$(echo ${FIP_BL32_CONF} | cut -d',' -f${i}) + dt_config=$(echo ${FIP_DEVICETREE} | cut -d',' -f${i}) + for dt in ${dt_config}; do + # Init soc suffix + soc_suffix="" + if [ -n "${STM32MP_SOC_NAME}" ]; then + for soc in ${STM32MP_SOC_NAME}; do + [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && soc_suffix="-${soc}" + done + fi + # Init FIP fw-config settings + [ -f 
"${FIP_DEPLOYDIR_FWCONF}/${dt}-${FIP_FW_CONFIG}-${config}.${FIP_FW_CONFIG_SUFFIX}" ] || bbfatal "Missing ${dt}-${FIP_FW_CONFIG}-${config}.${FIP_FW_CONFIG_SUFFIX} file in folder: ${FIP_DEPLOYDIR_FWCONF}" + FIP_FWCONFIG="--fw-config ${FIP_DEPLOYDIR_FWCONF}/${dt}-${FIP_FW_CONFIG}-${config}.${FIP_FW_CONFIG_SUFFIX}" + # Init FIP hw-config settings + [ -f "${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT_DTB}-${dt}.${FIP_UBOOT_DTB_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT_DTB}-${dt}.${FIP_UBOOT_DTB_SUFFIX} file in folder: ${FIP_DEPLOYDIR_UBOOT}" + FIP_HWCONFIG="--hw-config ${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT_DTB}-${dt}.${FIP_UBOOT_DTB_SUFFIX}" + # Init FIP nt-fw config + [ -f "${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT}${soc_suffix}.${FIP_UBOOT_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT}${soc_suffix}.${FIP_UBOOT_SUFFIX} file in folder: ${FIP_DEPLOYDIR_UBOOT}" + FIP_NTFW="--nt-fw ${FIP_DEPLOYDIR_UBOOT}/${FIP_UBOOT}${soc_suffix}.${FIP_UBOOT_SUFFIX}" + # Init FIP bl31 settings + if [ "${FIP_BL31_ENABLE}" = "1" ]; then + # Check for files + [ -f "${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX}" ] || bbfatal "Missing ${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX} file in folder: ${FIP_DEPLOYDIR_BL31}" + [ -f "${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}" ] || bbfatal "Missing ${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} file in folder: ${FIP_DEPLOYDIR_BL31}" + # Set CERT_BL31CONF + CERT_BL31CONF=" \ + --soc-fw ${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX} \ + --soc-fw-config ${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} \ + " + if [ "${ENCRYPT_ENABLE}" = "1" ]; then + encrypt_key="${ENCRYPT_FIP_KEY_PATH_LIST}" + if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then + unset k + for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do + k=$(expr $k + 1) + [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k}) + done + fi + encrypt_key="$(hexdump -e '/1 "%02x"' ${encrypt_key})" + + # 
encrypt bl31 binary + bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \ + --in \"${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX}\" \ + --out \"${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_SUFFIX}\" " + ${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \ + --in "${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}.${FIP_BL31_SUFFIX}" \ + --out "${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_SUFFIX}" + # encrypt bl31 devicetree + bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \ + --in \"${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}\" \ + --out \"${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_DTB_SUFFIX} \" " + ${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \ + --in "${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}" \ + --out "${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_DTB_SUFFIX}" + fi + # Set FIP_BL31CONF + FIP_BL31CONF="\ + --soc-fw ${FIP_DEPLOYDIR_BL31}/${FIP_BL31}${soc_suffix}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_SUFFIX} \ + --soc-fw-config ${FIP_DEPLOYDIR_BL31}/${dt}-${FIP_BL31_DTB}${FIP_ENCRYPT_SUFFIX}.${FIP_BL31_DTB_SUFFIX} \ + " + else + CERT_BL31CONF="" + FIP_BL31CONF="" + fi + # Init FIP extra conf settings + if [ "${bl32_conf}" = "${FIP_CONFIG_FW_TFA}" ]; then + # Check for files + [ -f "${FIP_DEPLOYDIR_TFA}/${FIP_TFA}${soc_suffix}.${FIP_TFA_SUFFIX}" ] || bbfatal "Missing ${FIP_TFA}${soc_suffix}.${FIP_TFA_SUFFIX} file in folder: ${FIP_DEPLOYDIR_TFA}" + [ -f "${FIP_DEPLOYDIR_TFA}/${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX}" ] || bbfatal "Missing ${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} file in folder: ${FIP_DEPLOYDIR_TFA}" + # Set FIP_EXTRACONF + FIP_EXTRACONF="\ + --tos-fw ${FIP_DEPLOYDIR_TFA}/${FIP_TFA}${soc_suffix}.${FIP_TFA_SUFFIX} \ + 
--tos-fw-config ${FIP_DEPLOYDIR_TFA}/${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} \ + " + elif [ "${bl32_conf}" = "${FIP_CONFIG_FW_TEE}" ]; then + # Check for files + [ -f "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX} file in folder: ${FIP_DEPLOYDIR_OPTEE}" + [ -f "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX} file in folder: ${FIP_DEPLOYDIR_OPTEE}" + [ -f "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX} file in folder: ${FIP_DEPLOYDIR_OPTEE}" + # Set CERT_EXTRACONF + CERT_EXTRACONF="\ + --tos-fw ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX} \ + --tos-fw-extra1 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX} \ + --tos-fw-extra2 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX} \ + " + if [ "${ENCRYPT_ENABLE}" = "1" ]; then + encrypt_key="${ENCRYPT_FIP_KEY_PATH_LIST}" + if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then + unset k + for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do + k=$(expr $k + 1) + [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k}) + done + fi + encrypt_key="$(hexdump -e '/1 "%02x"' ${encrypt_key})" + # encrypt optee header + bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \ + --in \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX}\" \ + --out \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}\" " + ${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \ + --in "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}.${FIP_OPTEE_SUFFIX}" \ + --out "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}" + # 
encrypt optee pager + bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \ + --in \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX}\" \ + --out \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}\" " + ${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \ + --in "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}.${FIP_OPTEE_SUFFIX}" \ + --out "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}" + # encrypt optee pageable + bbnote "${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \ + --in \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX}\" \ + --out \"${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}\" " + ${ENCTOOL} --key ${encrypt_key} --nonce ${FIP_ENCRYPT_NONCE} --fw-enc-status 0 \ + --in "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}.${FIP_OPTEE_SUFFIX}" \ + --out "${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX}" + fi + # Set FIP_EXTRACONF + FIP_EXTRACONF="\ + --tos-fw ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_HEADER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX} \ + --tos-fw-extra1 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGER}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX} \ + --tos-fw-extra2 ${FIP_DEPLOYDIR_OPTEE}/${FIP_OPTEE_PAGEABLE}-${dt}${FIP_ENCRYPT_SUFFIX}.${FIP_OPTEE_SUFFIX} \ + " + else + bbfatal "Wrong configuration '${bl32_conf}' found in FIP_CONFIG for ${config} config." 
+ fi + # Init FIP DDR config settings + if [ -f "${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" ]; then + FIP_DDRCONF="--ddr-fw ${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" + CERT_DDRCONF="--ddr-fw ${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" + else + FIP_DDRCONF="" + CERT_DDRCONF="" + fi + # Init certificate settings + if [ "${SIGN_ENABLE}" = "1" ]; then + sign_key="${SIGN_KEY_PATH_LIST}" + if [ $(echo ${SIGN_KEY_PASS} | wc -w) -gt 1 ]; then + sign_single_key_pass=$(echo ${SIGN_KEY_PASS} | cut -d' ' -f1) + else + sign_single_key_pass="${SIGN_KEY_PASS}" + fi + if [ -n "${STM32MP_SOC_NAME}" ]; then + unset k + for soc in ${STM32MP_SOC_NAME}; do + k=$(expr $k + 1) + [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && sign_key=$(echo ${SIGN_KEY_PATH_LIST} | cut -d',' -f${k}) + done + fi + mkdir -p ${B}/${config}-${dt} + FIP_CERTCONF="\ + --tb-fw-cert ${B}/${config}-${dt}/tb_fw.crt \ + --trusted-key-cert ${B}/${config}-${dt}/trusted_key.crt \ + --nt-fw-cert ${B}/${config}-${dt}/nt_fw_content.crt \ + --nt-fw-key-cert ${B}/${config}-${dt}/nt_fw_key.crt \ + --tos-fw-cert ${B}/${config}-${dt}/tos_fw_content.crt \ + --tos-fw-key-cert ${B}/${config}-${dt}/tos_fw_key.crt \ + --stm32mp-cfg-cert ${B}/${config}-${dt}/stm32mp_cfg_cert.crt \ + " + if [ "${FIP_BL31_ENABLE}" = "1" ]; then + FIP_CERTCONF="${FIP_CERTCONF} \ + --soc-fw-cert ${B}/${config}-${dt}/soc_fw_content.crt \ + --soc-fw-key-cert ${B}/${config}-${dt}/soc_fw_key.crt \ + " + fi + # Need fake bl2 binary to generate certificates + touch ${WORKDIR}/bl2-fake.bin + # Generate certificates + bbnote "${CERTTOOL} -n --tfw-nvctr 0 --ntfw-nvctr 0 --key-alg ecdsa --hash-alg sha256 \ + --rot-key ${sign_key} \ + --rot-key-pwd $sign_single_key_pass \ + ${FIP_FWCONFIG} \ + ${FIP_HWCONFIG} \ + ${FIP_NTFW} \ + ${FIP_CERTCONF} \ + ${CERT_EXTRACONF} \ + ${CERT_DDRCONF} \ + ${CERT_BL31CONF} \ + --tb-fw ${WORKDIR}/bl2-fake.bin" + ${CERTTOOL} -n --tfw-nvctr 0 --ntfw-nvctr 0 --key-alg 
ecdsa --hash-alg sha256 \ + --rot-key ${sign_key} \ + --rot-key-pwd $sign_single_key_pass \ + ${FIP_FWCONFIG} \ + ${FIP_HWCONFIG} \ + ${FIP_NTFW} \ + ${FIP_CERTCONF} \ + ${CERT_EXTRACONF} \ + ${CERT_DDRCONF} \ + ${CERT_BL31CONF} \ + --tb-fw ${WORKDIR}/bl2-fake.bin + # Remove fake bl2 binary + rm -f ${WORKDIR}/bl2-fake.bin + + # Init FIP DDR cert settings + FIP_DDRCERTCONF="--stm32mp-cfg-cert ${B}/${config}-${dt}/stm32mp_cfg_cert_ddr.crt" + # Generate FIP DDR certificates + if [ -f "${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" ]; then + bbnote "${CERTTOOL} -n --tfw-nvctr 0 \ + --rot-key ${sign_key} \ + --rot-key-pwd $sign_single_key_pass \ + ${FIP_DDRCERTCONF} \ + ${CERT_DDRCONF}" + ${CERTTOOL} -n --tfw-nvctr 0 \ + --rot-key ${sign_key} \ + --rot-key-pwd $sign_single_key_pass \ + ${FIP_DDRCERTCONF} \ + ${CERT_DDRCONF} + fi + else + FIP_CERTCONF="" + FIP_DDRCERTCONF="" + fi + # Generate FIP binary + bbnote "${FIPTOOL} create \ + ${FIP_FWCONFIG} \ + ${FIP_HWCONFIG} \ + ${FIP_NTFW} \ + ${FIP_BL31CONF} \ + ${FIP_EXTRACONF} \ + ${FIP_DDRCONF} \ + ${FIP_CERTCONF} \ + ${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-${config}${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}" + ${FIPTOOL} create \ + ${FIP_FWCONFIG} \ + ${FIP_HWCONFIG} \ + ${FIP_NTFW} \ + ${FIP_BL31CONF} \ + ${FIP_EXTRACONF} \ + ${FIP_DDRCONF} \ + ${FIP_CERTCONF} \ + ${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-${config}${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX} + # Generate FIP DDR binary + if [ -f "${FIP_DEPLOYDIR_FWDDR}/${FIP_FW_DDR}-${dt}.${FIP_FW_DDR_SUFFIX}" ]; then + bbnote "${FIPTOOL} create \ + ${FIP_DDRCERTCONF} \ + ${FIP_DDRCONF} \ + ${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-ddr${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX}" + ${FIPTOOL} create \ + ${FIP_DDRCERTCONF} \ + ${FIP_DDRCONF} \ + ${FIP_DEPLOYDIR_FIP}/${FIP_BASENAME}-${dt}-ddr${FIP_ENCRYPT_SUFFIX}${FIP_SIGN_SUFFIX}.${FIP_SUFFIX} + fi + done + done +} + +# Stub do_compile for nativesdk use case as we only 
expect to provide FIPTOOL_WRAPPER +do_compile:class-nativesdk() { + return +} + +do_install:class-nativesdk() { + # Create the FIPTOOL_WRAPPER script to use on sdk side + cat << EOF > ${WORKDIR}/${FIPTOOL_WRAPPER} +#!/bin/bash - +function bbfatal() { echo "\$*" ; exit 1 ; } + +# Set default TF-A FIP config +FIP_CONFIG="\${FIP_CONFIG:-${FIP_CONFIG}}" +FIP_BL31_ENABLE="\${FIP_BL31_ENABLE:-${FIP_BL31_ENABLE}}" +FIP_BL32_CONF="" +FIP_DEVICETREE="\${FIP_DEVICETREE:-}" + +# Set default supported configuration for devicetree and bl32 configuration +declare -A FIP_BL32_CONF_ARRAY +declare -A FIP_DEVICETREE_ARRAY +EOF + for config in ${FIP_CONFIG}; do + i=$(expr $i + 1) + cat << EOF >> ${WORKDIR}/${FIPTOOL_WRAPPER} +FIP_BL32_CONF_ARRAY[${config}]="$(echo ${FIP_BL32_CONF} | cut -d',' -f${i})" +FIP_DEVICETREE_ARRAY[${config}]="$(echo ${FIP_DEVICETREE} | cut -d',' -f${i})" +EOF + done + unset i + cat << EOF >> ${WORKDIR}/${FIPTOOL_WRAPPER} + +# Make sure about FIP_CONFIG value +if [ -z "\$FIP_CONFIG" ]; then + bbfatal "Wrong configuration 'FIP_CONFIG' is empty." 
+else + # Check that configuration match any of the supported ones + for config in \$FIP_CONFIG; do + CONFIG_FOUND=NO + for fip_config in ${FIP_CONFIG}; do + [ "\${config}" = "\${fip_config}" ] && { CONFIG_FOUND="YES" ; break; } + done + [ "\${CONFIG_FOUND}" = "NO" ] && bbfatal "Wrong 'FIP_CONFIG' configuration : \${config} is not one of the supported one (${FIP_CONFIG})" + done +fi +# Manage FIP_BL32_CONF default init +if [ -z "\$FIP_BL32_CONF" ]; then + # Assigned default supported value + for config in \$FIP_CONFIG; do + FIP_BL32_CONF+="\${FIP_BL32_CONF_ARRAY[\${config}]}," + done +fi +# Manage FIP_DEVICETREE default init +if [ -z "\$FIP_DEVICETREE" ]; then + # Assigned default supported value + for config in \$FIP_CONFIG; do + FIP_DEVICETREE+="\${FIP_DEVICETREE_ARRAY[\${config}]}," + done +fi + +# Configure default folder path for binaries to package +FIP_DEPLOYDIR_ROOT="\${FIP_DEPLOYDIR_ROOT:-}" +FIP_DEPLOYDIR_FIP="\${FIP_DEPLOYDIR_FIP:-\$FIP_DEPLOYDIR_ROOT/fip}" +FIP_DEPLOYDIR_TFA="\${FIP_DEPLOYDIR_TFA:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl32}" +FIP_DEPLOYDIR_BL31="\${FIP_DEPLOYDIR_BL31:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl31}" +FIP_DEPLOYDIR_FWDDR="\${FIP_DEPLOYDIR_FWDDR:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/ddr}" +FIP_DEPLOYDIR_FWCONF="\${FIP_DEPLOYDIR_FWCONF:-\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/fwconfig}" +FIP_DEPLOYDIR_OPTEE="\${FIP_DEPLOYDIR_OPTEE:-\$FIP_DEPLOYDIR_ROOT/optee}" +FIP_DEPLOYDIR_UBOOT="\${FIP_DEPLOYDIR_UBOOT:-\$FIP_DEPLOYDIR_ROOT/u-boot}" + +echo "" +echo "${FIPTOOL_WRAPPER} config:" +for config in \$FIP_CONFIG; do + i=\$(expr \$i + 1) + bl32_conf=\$(echo \$FIP_BL32_CONF | cut -d',' -f\$i) + dt_config=\$(echo \$FIP_DEVICETREE | cut -d',' -f\$i) + echo " \${config}:" ; \\ + echo " bl32 config value: \${bl32_conf}" + echo " devicetree config: \${dt_config}" +done +echo "" +echo "Switch configuration:" +echo " FIP_BL31_ENABLE : \$FIP_BL31_ENABLE" +echo "" +echo "Output folders:" +echo " FIP_DEPLOYDIR_ROOT : 
\$FIP_DEPLOYDIR_ROOT" +echo " FIP_DEPLOYDIR_FIP : \$FIP_DEPLOYDIR_FIP" +echo " FIP_DEPLOYDIR_TFA : \$FIP_DEPLOYDIR_TFA" +echo " FIP_DEPLOYDIR_BL31 : \$FIP_DEPLOYDIR_BL31" +echo " FIP_DEPLOYDIR_FWCONF: \$FIP_DEPLOYDIR_FWCONF" +echo " FIP_DEPLOYDIR_OPTEE : \$FIP_DEPLOYDIR_OPTEE" +echo " FIP_DEPLOYDIR_UBOOT : \$FIP_DEPLOYDIR_UBOOT" +echo "" +unset i +for config in \$FIP_CONFIG; do + i=\$(expr \$i + 1) + bl32_conf=\$(echo \$FIP_BL32_CONF | cut -d',' -f\$i) + dt_config=\$(echo \$FIP_DEVICETREE | cut -d',' -f\$i) + for dt in \${dt_config}; do + # Init soc suffix + soc_suffix="" + if [ -n "${STM32MP_SOC_NAME}" ]; then + for soc in ${STM32MP_SOC_NAME}; do + [ "\$(echo \${dt} | grep -c \${soc})" -eq 1 ] && soc_suffix="-\${soc}" + done + fi + # Init FIP fw-config settings + [ -f "\$FIP_DEPLOYDIR_FWCONF/\${dt}-${FIP_FW_CONFIG}-\${config}.${FIP_FW_CONFIG_SUFFIX}" ] || bbfatal "Missing \${dt}-${FIP_FW_CONFIG}-\${config}.${FIP_FW_CONFIG_SUFFIX} file in folder: \\\$FIP_DEPLOYDIR_FWCONF or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/fwconfig'" + FIP_FWCONFIG="--fw-config \$FIP_DEPLOYDIR_FWCONF/\${dt}-${FIP_FW_CONFIG}-\${config}.${FIP_FW_CONFIG_SUFFIX}" + # Init FIP hw-config settings + [ -f "\$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT_DTB}-\${dt}.${FIP_UBOOT_DTB_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT_DTB}-\${dt}.${FIP_UBOOT_DTB_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_UBOOT' or '\\\$FIP_DEPLOYDIR_ROOT/u-boot'" + FIP_HWCONFIG="--hw-config \$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT_DTB}-\${dt}.${FIP_UBOOT_DTB_SUFFIX}" + # Init FIP nt-fw config + [ -f "\$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT}\${soc_suffix}.${FIP_UBOOT_SUFFIX}" ] || bbfatal "Missing ${FIP_UBOOT}\${soc_suffix}.${FIP_UBOOT_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_UBOOT' or '\\\$FIP_DEPLOYDIR_ROOT/u-boot'" + FIP_NTFW="--nt-fw \$FIP_DEPLOYDIR_UBOOT/${FIP_UBOOT}\${soc_suffix}.${FIP_UBOOT_SUFFIX}" + # Init FIP bl31 settings + if [ "\$FIP_BL31_ENABLE" = "1" ]; then + # Check for files + [ -f 
"\$FIP_DEPLOYDIR_BL31/${FIP_BL31}\${soc_suffix}.${FIP_BL31_SUFFIX}" ] || bbfatal "Missing \$FIP_DEPLOYDIR_BL31/${FIP_BL31}\${soc_suffix}.${FIP_BL31_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_BL31' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl31'" + [ -f "\$FIP_DEPLOYDIR_BL31/\${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX}" ] || bbfatal "Missing \${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_BL31' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl31'" + # Set FIP_BL31CONF + FIP_BL31CONF="\\ + --soc-fw \$FIP_DEPLOYDIR_BL31/${FIP_BL31}\${soc_suffix}.${FIP_BL31_SUFFIX} \\ + --soc-fw-config \$FIP_DEPLOYDIR_BL31/\${dt}-${FIP_BL31_DTB}.${FIP_BL31_DTB_SUFFIX} \\ + " + else + FIP_BL31CONF="" + fi + # Init FIP extra conf settings + if [ "\${bl32_conf}" = "${FIP_CONFIG_FW_TFA}" ]; then + # Check for files + [ -f "\$FIP_DEPLOYDIR_TFA/${FIP_TFA}\${soc_suffix}.${FIP_TFA_SUFFIX}" ] || bbfatal "Missing ${FIP_TFA}\${soc_suffix}.${FIP_TFA_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_TFA' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl32'" + [ -f "\$FIP_DEPLOYDIR_TFA/\${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX}" ] || bbfatal "Missing \${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_TFA' or '\\\$FIP_DEPLOYDIR_ROOT/arm-trusted-firmware/bl32'" + # Set FIP_EXTRACONF + FIP_EXTRACONF="\\ + --tos-fw \$FIP_DEPLOYDIR_TFA/${FIP_TFA}\${soc_suffix}.${FIP_TFA_SUFFIX} \\ + --tos-fw-config \$FIP_DEPLOYDIR_TFA/\${dt}-${FIP_TFA_DTB}.${FIP_TFA_DTB_SUFFIX} \\ + " + elif [ "\${bl32_conf}" = "${FIP_CONFIG_FW_TEE}" ]; then + # Check for files + [ -f "\$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_HEADER}-\${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_HEADER}-\${dt}.${FIP_OPTEE_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_OPTEE' or '\\\$FIP_DEPLOYDIR_ROOT/optee'" + [ -f "\$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGER}-\${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGER}-\${dt}.${FIP_OPTEE_SUFFIX} file in folder: 
'\\\$FIP_DEPLOYDIR_OPTEE' or '\\\$FIP_DEPLOYDIR_ROOT/optee'" + [ -f "\$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGEABLE}-\${dt}.${FIP_OPTEE_SUFFIX}" ] || bbfatal "Missing ${FIP_OPTEE_PAGEABLE}-\${dt}.${FIP_OPTEE_SUFFIX} file in folder: '\\\$FIP_DEPLOYDIR_OPTEE' or '\\\$FIP_DEPLOYDIR_ROOT/optee'" + # Set FIP_EXTRACONF + FIP_EXTRACONF="\\ + --tos-fw \$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_HEADER}-\${dt}.${FIP_OPTEE_SUFFIX} \\ + --tos-fw-extra1 \$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGER}-\${dt}.${FIP_OPTEE_SUFFIX} \\ + --tos-fw-extra2 \$FIP_DEPLOYDIR_OPTEE/${FIP_OPTEE_PAGEABLE}-\${dt}.${FIP_OPTEE_SUFFIX} \\ + " + else + bbfatal "Wrong configuration '\${bl32_conf}' found in FIP_CONFIG for \${config} config." + fi + + # DRR FW + if [ -f "\$FIP_DEPLOYDIR_FWDDR/${FIP_FW_DDR}-\${dt}.${FIP_FW_DDR_SUFFIX}" ]; then + FIP_EXTRACONF="\$FIP_EXTRACONF --ddr-fw \$FIP_DEPLOYDIR_FWDDR/${FIP_FW_DDR}-\${dt}.${FIP_FW_DDR_SUFFIX} " + ${FIPTOOL} create \\ + --ddr-fw \$FIP_DEPLOYDIR_FWDDR/${FIP_FW_DDR}-\${dt}.${FIP_FW_DDR_SUFFIX} \\ + \$FIP_DEPLOYDIR_FIP/${FIP_BASENAME}-\${dt}-ddr.${FIP_SUFFIX} + echo "[${FIPTOOL}] DDR FW created" + fi + + # Generate FIP binary + echo "[${FIPTOOL}] Create ${FIP_BASENAME}-\${dt}-\${config}.${FIP_SUFFIX} fip binary into 'FIP_DEPLOYDIR_FIP' folder..." + [ -d "\$FIP_DEPLOYDIR_FIP" ] || mkdir -p "\$FIP_DEPLOYDIR_FIP" + ${FIPTOOL} create \\ + \$FIP_FWCONFIG \\ + \$FIP_HWCONFIG \\ + \$FIP_NTFW \\ + \$FIP_BL31CONF \\ + \$FIP_EXTRACONF \\ + \$FIP_DEPLOYDIR_FIP/${FIP_BASENAME}-\${dt}-\${config}.${FIP_SUFFIX} + echo "[${FIPTOOL}] Done" + done +done +EOF + + # Install the FIPTOOL_WRAPPER + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/${FIPTOOL_WRAPPER} ${D}${bindir}/ +} + +# Feed package for sdk with our fiptool wrapper +FILES:${FIPTOOL_WRAPPER}:class-nativesdk = "${bindir}/${FIPTOOL_WRAPPER}" diff --git a/meta-digi-arm/classes/sign-stm32mp2.bbclass b/meta-digi-arm/classes/sign-stm32mp2.bbclass new file mode 100644 index 000000000..cbd754604 --- /dev/null 
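Review bot: Every `${ENCTOOL}` call in `do_deploy:append:class-target` passes the same `--key ${encrypt_key}` together with the same `--nonce ${FIP_ENCRYPT_NONCE}`, and that nonce defaults to the constant `"1234567890abcdef12345678"`, so the BL31 binary, the BL31 devicetree and the three OP-TEE images are all encrypted under one key/nonce pair. If encrypt_fw is using AES-GCM, as it does in upstream TF-A, reusing a nonce under one key removes the confidentiality and integrity guarantees of those images. I would drop the default (`FIP_ENCRYPT_NONCE ??= ""`), call `bbfatal` when `ENCRYPT_ENABLE` is `1` and no nonce is configured, and use a distinct nonce per encrypted image. Separately, the `bbnote` lines in front of each call write the hex key (`${encrypt_key}`) and `--rot-key-pwd $sign_single_key_pass` into the task log, and passing both as arguments also makes them visible in the process list; the logged command should print a placeholder such as `--key REDACTED` instead of the value.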
+++ b/meta-digi-arm/classes/sign-stm32mp2.bbclass 
@@ -0,0 +1,125 @@
+EXTERNAL_KEY_CONF ??= "0"
+
+ENCRYPT_ENABLE ??= "0"
+ENCRYPT_FIP_KEY ??= ""
+ENCRYPT_FSBL_KEY ??= ""
+ENCRYPT_SUFFIX ??= "_Encrypted"
+
+SIGN_ENABLE ??= "0"
+SIGN_KEY ??=""
+SIGN_KEY_PASS ??= ""
+SIGN_SUFFIX ??= "_Signed"
+
+SIGN_TOOL ??= ""
+
+def search_path(file_search, d):
+ """
+ Check for path availability from BBPATH
+ And return the absolute path
+ """
+ search_path = d.getVar("BBPATH").split(":")
+ for p in search_path:
+ file_path = os.path.join(p, file_search)
+ if os.path.isfile(file_path):
+ return file_path
+ bbpaths = d.getVar('BBPATH').replace(':','\n\t')
+ bb.fatal('\n[sign-stm32mp] Not able to find "%s" path from current BBPATH var:\n\t%s.' % (file_search, bbpaths))
+
+def init_keylist_from(keylist, keyinput, soclist, d):
+ """
+ Build the var as a coma separated list of values,
+ Using either the default var value
+ or any defined _socname var value
+ (with 'socname' item comming from var value list)
+ """
+ # Init soc name list
+ socname_list = (d.getVar(soclist) or "").split()
+ # Init key from keyinput var value
+ key = d.getVar(keyinput) or ""
+ if key:
+ # Check first if keyinput_ is defined to use it
+ if len(socname_list) > 0:
+ # Configure keylist according to STM32MP_SOC_NAME list
+ d.setVar(keylist, '')
+ for socname in socname_list:
+ key = d.getVar(keyinput + '_' + socname) or ""
+ if key:
+ if d.getVar('EXTERNAL_KEY_CONF') == '1':
+ key = search_path(key, d)
+ bb.debug(1, "[sign-stm32mp] Append '%s' path to %s (socname %s)." % (key, keylist, socname))
+ d.appendVar(keylist, key + ',')
+ else:
+ bb.fatal("[sign-stm32mp] Please make sure to configure \"%s_%s\" var to key file." % (keyinput, socname))
+ else:
+ # Default to keyinput value setting
+ if d.getVar('EXTERNAL_KEY_CONF') == '1':
+ key = search_path(key, d)
+ bb.debug(1, "[sign-stm32mp] Set %s to '%s' path." % (keylist, key))
+ d.setVar(keylist, key)
+ else:
+ bb.debug(1, "[sign-stm32mp] Set %s to '%s' path." % (keylist, key))
+ d.setVar(keylist, key)
+ else:
+ # Check first if keyinput_ is defined to use it
+ if len(socname_list) > 0:
+ # Configure keylist according to STM32MP_SOC_NAME list
+ d.setVar(keylist, '')
+ for socname in socname_list:
+ key = d.getVar(keyinput + '_' + socname)
+ if key:
+ if d.getVar('EXTERNAL_KEY_CONF') == '1':
+ key = search_path(key, d)
+ bb.debug(1, "[sign-stm32mp] Append '%s' path to %s (socname %s)." % (key, keylist, socname))
+ d.appendVar(keylist, key + ',')
+ else:
+ bb.fatal("[sign-stm32mp] Please make sure to configure \"%s_%s\" var to key file." % (keyinput, socname))
+ else:
+ bb.fatal("[sign-stm32mp] Please make sure to configure \"%s\" var to key file." % keyinput)
+
+python __anonymous() {
+ if d.getVar('SIGN_ENABLE') == "1" or d.getVar('ENCRYPT_ENABLE') == "1":
+
+ # Signing process is dedicated to "target" recipe only:
+ # Make sure to discard native and nativesdk
+ for native_class in ['native', 'nativesdk']:
+ if bb.data.inherits_class(native_class, d):
+ return
+
+ # Check for SIGN_TOOL configuration
+ signtool = d.getVar('SIGN_TOOL') or ""
+ if not signtool:
+ bb.fatal("[sign-stm32mp] Please make sure to configure \"SIGN_TOOL\" var to signing tool.")
+ # Check for SIGN_TOOL is present in PATH environment variable
+ if not bb.utils.which(d.getVar('PATH'), signtool):
+ bb.debug(1, "[sign-stm32mp] %s binary is not found in PATH." % signtool)
+ signtool_path = search_path(signtool, d)
+ bb.debug(1, "[sign-stm32mp] Set SIGN_TOOL to '%s' path." % signtool_path)
+ d.setVar('SIGN_TOOL', signtool_path)
+
+ if d.getVar('SIGN_ENABLE') == "1":
+ # Check for internal use of SIGN_KEY_PATH_LIST
+ signingkey_list = d.getVar('SIGN_KEY_PATH_LIST')
+ if signingkey_list:
+ raise bb.parse.SkipRecipe("[sign-stm32mp] You cannot use SIGN_KEY_PATH_LIST as it is internal to sign-stm32mp.bbclass.")
+ # Init SIGN_KEY_PATH_LIST from SIGN_KEY settings
+ init_keylist_from('SIGN_KEY_PATH_LIST', 'SIGN_KEY', 'STM32MP_SOC_NAME', d)
+
+ if d.getVar('ENCRYPT_ENABLE') == "1":
+ if d.getVar('SIGN_ENABLE') == "0":
+ bb.fatal("[sign-stm32mp] You need to set 'SIGN_ENABLE = 1' to encrypt and sign binaries at once.")
+
+ # Check for internal use of ENCRYPT_FSBL_KEY_PATH_LIST
+ fsbl_encryptkey_list = d.getVar('ENCRYPT_FSBL_KEY_PATH_LIST')
+ if fsbl_encryptkey_list:
+ raise bb.parse.SkipRecipe("[sign-stm32mp] You cannot use ENCRYPT_FSBL_KEY_PATH_LIST as it is internal to sign-stm32mp.bbclass.")
+ # Init ENCRYPT_KEY_PATH_LIST from ENCRYPT_KEY settings
+ init_keylist_from('ENCRYPT_FSBL_KEY_PATH_LIST', 'ENCRYPT_FSBL_KEY', 'STM32MP_ENCRYPT_SOC_NAME', d)
+
+ # Check for internal use of ENCRYPT_FIP_KEY_PATH_LIST
+ fip_encryptkey_list = d.getVar('ENCRYPT_FIP_KEY_PATH_LIST')
+ if fip_encryptkey_list:
+ raise bb.parse.SkipRecipe("[sign-stm32mp] You cannot use ENCRYPT_FIP_KEY_PATH_LIST as it is internal to sign-stm32mp.bbclass.")
+ # Init ENCRYPT_KEY_PATH_LIST from ENCRYPT_KEY settings
+ init_keylist_from('ENCRYPT_FIP_KEY_PATH_LIST', 'ENCRYPT_FIP_KEY', 'STM32MP_ENCRYPT_SOC_NAME', d)
+
+}
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2-common.inc b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2-common.inc
new file mode 100644
index 000000000..a118981d3
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2-common.inc
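Review bot: The guard in `__anonymous()` that forbids encryption without signing compares against the literal `"0"` (`if d.getVar('SIGN_ENABLE') == "0":`), so any other value that is not `"1"` (empty, `no`, a value cleared by an override) passes the check and a build with `ENCRYPT_ENABLE = "1"` continues without `SIGN_KEY_PATH_LIST` ever being initialised. Comparing against the enabled value closes that gap: `if d.getVar('SIGN_ENABLE') != "1":`. `search_path()` also deserves a comment stating that, when `SIGN_TOOL` is not found in `PATH` or `EXTERNAL_KEY_CONF` is `1`, the tool and the key files are taken from the first `BBPATH` entry holding a matching relative path, so the order of layers in `BBPATH` decides which signing tool and keys are used.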
@@ -0,0 +1,36 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/tf-a-stm32mp:"
+
+SECTION = "bootloaders"
+
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://license.rst;md5=1dd070c98a281d18d9eefd938729b031"
+CVE_PRODUCT = "arm:trusted_firmware-a"
+
+SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=http;branch=lts-v2.8"
+SRCREV = "f94d6db9b101d3d4cd053e54edd5b876f1cc84ec"
+
+SRC_URI += " \
+ file://tf-a-st-ddr.tar.gz;subdir=git;name=fw \
+ file://0001-v2.8-stm32mp25-beta.patch \
+ "
+
+SRC_URI[fw.sha256sum] = "c87d8a03a8feab1f8a51818a7942deade5d31abb7f4afaa6d6dfa922383e9805"
+
+TF_A_VERSION = "v2.8.12"
+TF_A_SUBVERSION = "stm32mp"
+TF_A_RELEASE = "beta-r1"
+PV = "${TF_A_VERSION}-${TF_A_SUBVERSION}-${TF_A_RELEASE}"
+
+ARCHIVER_ST_BRANCH = "${TF_A_VERSION}-${TF_A_SUBVERSION}"
+ARCHIVER_ST_REVISION = "${PV}"
+ARCHIVER_COMMUNITY_BRANCH = "master"
+ARCHIVER_COMMUNITY_REVISION = "${TF_A_VERSION}"
+
+S = "${WORKDIR}/git"
+
+# ---------------------------------
+# Configure default preference to manage dynamic selection between tarball and github
+# ---------------------------------
+STM32MP_SOURCE_SELECTION ?= "tarball"
+
+DEFAULT_PREFERENCE = "${@bb.utils.contains('STM32MP_SOURCE_SELECTION', 'github', '-1', '1', d)}"
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2-config.inc b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2-config.inc
new file mode 100644
index 000000000..64a42bfbc
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2-config.inc
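Review bot: `SRC_URI` fetches the upstream TF-A tree with `protocol=http`, so the clone of the boot firmware sources travels over an unauthenticated channel. The pinned `SRCREV` limits what a tampered transport can hand to the build, but the fetch should still use TLS: `SRC_URI = "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https;branch=lts-v2.8"`. tf-a-stm32mp_2.8.bb, added later in this commit, reassigns `SRC_URI` and `SRCREV` after requiring this file, so these values may not take effect for that recipe; if so, a comment naming the recipe that does consume them would help.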
@@ -0,0 +1,19 @@
+# Define config for each TF_A_CONFIG
+# TF_A_CONFIG[config] ?= ",,,,"
+
+TF_A_OPTEE_param:stm32mp1common = "AARCH32_SP=optee"
+TF_A_OPTEE_param:stm32mp2common = "SPD=opteed"
+
+TF_A_CONFIG[optee] ?= "${STM32MP_DEVICETREE},${TF_A_OPTEE_param},,${@bb.utils.contains('FIP_BL31_ENABLE', '1', 'bl31 dtbs', 'dtbs', d)},${@bb.utils.contains('FIP_BL31_ENABLE', '1', 'bl31 fwconfig', 'fwconfig', d)}"
+
+TF_A_CONFIG[emmc] ?= "${DEVICE_BOARD_ENABLE:EMMC},STM32MP_EMMC=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)}"
+TF_A_CONFIG[nand] ?= "${DEVICE_BOARD_ENABLE:NAND},STM32MP_RAW_NAND=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)} ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NAND}' if ${TF_A_MTD_START_OFFSET_NAND} else ''}"
+TF_A_CONFIG[nor] ?= "${DEVICE_BOARD_ENABLE:NOR},STM32MP_SPI_NOR=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)} ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_NOR}' if ${TF_A_MTD_START_OFFSET_NOR} else ''}"
+TF_A_CONFIG[sdcard] ?= "${DEVICE_BOARD_ENABLE:SDCARD},STM32MP_SDMMC=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)}"
+TF_A_CONFIG[spinand] ?= "${DEVICE_BOARD_ENABLE:SPINAND},STM32MP_SPI_NAND=1 ${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', 'PSA_FWU_SUPPORT=1', '', d)} ${@'STM32MP_FORCE_MTD_START_OFFSET=${TF_A_MTD_START_OFFSET_SPINAND}' if ${TF_A_MTD_START_OFFSET_SPINAND} else ''}"
+TF_A_CONFIG[uart] ?= "${STM32MP_DEVICETREE},STM32MP_UART_PROGRAMMER=1"
+TF_A_CONFIG[usb] ?= "${STM32MP_DEVICETREE},STM32MP_USB_PROGRAMMER=1"
+
+# Define configuration for SSP
+TF_A_CONFIG[uart-ssp] ?= "${STM32MP_DEVICETREE},STM32MP_UART_PROGRAMMER=1 STM32MP_SSP=1,tf-a-ssp"
+TF_A_CONFIG[usb-ssp] ?= "${STM32MP_DEVICETREE},STM32MP_USB_PROGRAMMER=1 STM32MP_SSP=1,tf-a-ssp"
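Review bot: The `nand`, `nor` and `spinand` flags splice `${TF_A_MTD_START_OFFSET_*}` as raw text into the condition of an inline Python expression (`... if ${TF_A_MTD_START_OFFSET_NAND} else ''`), so the expression is only valid Python when the variable expands to something like a number. If a machine leaves the offset unset or empty, expanding the flag will presumably fail instead of yielding an empty string; that depends on the machine configuration, which is not part of this hunk. Reading the value through the datastore avoids the problem: `${@'STM32MP_FORCE_MTD_START_OFFSET=' + d.getVar('TF_A_MTD_START_OFFSET_NAND') if d.getVar('TF_A_MTD_START_OFFSET_NAND') else ''}`, and likewise for the NOR and SPI-NAND variants.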
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2.inc b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2.inc
new file mode 100644
index 000000000..9081c90d3
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp2.inc
@@ -0,0 +1,603 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/tf-a-stm32mp:" + +PROVIDES += "virtual/trusted-firmware-a" + +PACKAGE_ARCH = "${MACHINE_ARCH}" + +inherit deploy +#inherit sign-stm32mp +inherit fip-utils-stm32mp2 +#inherit external-dt + + +STAGING_EXTDT_DIR = "${TMPDIR}/work-shared/${MACHINE}/external-dt" + +# Include TF-A config definitions +require tf-a-stm32mp2-config.inc + +# ------------------------------------ +# Set MBEDTLS support +TFA_MBEDTLS_DIR ?= "mbedtls" +# MBEDTLS v2.28.5 +SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;protocol=https;destsuffix=git/${TFA_MBEDTLS_DIR};branch=mbedtls-2.28;name=mbedtls" +SRCREV_mbedtls = "47e8cc9db2e469d902b0e3093ae9e482c3d87188" +LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" +LICENSE_MBEDTLS = "Apache-2.0" +# Add MBEDTLS to our sources +SRC_URI:append = " ${@bb.utils.contains('SIGN_ENABLE', '1', '${SRC_URI_MBEDTLS}', '', d)}" +# Update license variables +LICENSE:append = "${@bb.utils.contains('SIGN_ENABLE', '1', ' & ${LICENSE_MBEDTLS}', '', d)}" +LIC_FILES_CHKSUM:append = "${@bb.utils.contains('SIGN_ENABLE', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" +# Add mbed TLS to version +SRCREV_FORMAT:append = "${@bb.utils.contains('SIGN_ENABLE', '1', '_mbedtls', '', d)}" +# ------------------------------------ + +B = "${WORKDIR}/build" +# Configure build dir for externalsrc class usage through devtool +EXTERNALSRC_BUILD:pn-${PN} = "${WORKDIR}/build" + +DEPENDS += "dtc-native openssl-native" +DEPENDS:append = " ${@bb.utils.contains('TF_A_ENABLE_DEBUG_WRAPPER', '1', 'stm32wrapper4dbg-native', '', d)}" + +# Default log level +ST_TF_A_DEBUG ??= "1" +ST_TF_A_DEBUG_TRACE ??= "0" +ST_TF_A_LOG_LEVEL_RELEASE ??= "20" +ST_TF_A_LOG_LEVEL_DEBUG ??= "40" + +# Configure make settings +EXTRA_OEMAKE += 'PLAT=${TFA_PLATFORM}' +EXTRA_OEMAKE += 'ARCH=${TFA_ARM_ARCH}' +EXTRA_OEMAKE += 'ARM_ARCH_MAJOR=${TFA_ARM_MAJOR}' +EXTRA_OEMAKE += 'CROSS_COMPILE=${TARGET_PREFIX}' +# Debug support 
+EXTRA_OEMAKE += "${@bb.utils.contains('ST_TF_A_DEBUG_TRACE', '1', 'DEBUG=${ST_TF_A_DEBUG}', '', d)}" +EXTRA_OEMAKE += "${@bb.utils.contains('ST_TF_A_DEBUG_TRACE', '1', 'LOG_LEVEL=${ST_TF_A_LOG_LEVEL_DEBUG}', 'LOG_LEVEL=${ST_TF_A_LOG_LEVEL_RELEASE}', d)}" +EXTRA_OEMAKE += "${@bb.utils.contains('EXTERNAL_DT_ENABLED', '1', 'TFA_EXTERNAL_DT=${STAGING_EXTDT_DIR}/tf-a', '', d)}" +# OPTEE in sysram +EXTRA_OEMAKE:append:stm32mp1common = " ${@bb.utils.contains('ST_OPTEE_IN_SYSRAM', '1', 'STM32MP1_OPTEE_IN_SYSRAM=1', '', d)}" + +# Define default TF-A namings +TF_A_BASENAME ?= "tf-a" +TF_A_SUFFIX ?= "stm32" + +# Output the ELF generated +ELF_DEBUG_ENABLE ?= "" +TF_A_ELF_SUFFIX = "elf" + +BL1_NAME ?= "bl1/bl1" +BL1_ELF = "${BL1_NAME}.${TF_A_ELF_SUFFIX}" +BL1_BASENAME = "${@os.path.basename(d.getVar("BL1_NAME"))}" +BL1_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL1_NAME"))}" + +BL2_NAME ?= "bl2/bl2" +BL2_ELF = "${BL2_NAME}.${TF_A_ELF_SUFFIX}" +BL2_BASENAME = "${@os.path.basename(d.getVar("BL2_NAME"))}" +BL2_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL2_NAME"))}" + +BL31_NAME ?= "bl31/bl31" +BL31_ELF = "${BL31_NAME}.${TF_A_ELF_SUFFIX}" +BL31_BASENAME = "${@os.path.basename(d.getVar("BL31_NAME"))}" +BL31_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL31_NAME"))}" +BL31_SUFFIX ?= "bin" + +BL32_NAME ?= "bl32/bl32" +BL32_ELF = "${BL32_NAME}.${TF_A_ELF_SUFFIX}" +BL32_BASENAME = "${@os.path.basename(d.getVar("BL32_NAME"))}" +BL32_BASENAME_DEPLOY ?= "${@os.path.basename(d.getVar("BL32_NAME"))}" +BL32_SUFFIX ?= "bin" + +DT_SUFFIX ?= "dtb" +FWCONFIG_NAME ?= "fw-config" + +# Output the firwmare ddr +TF_A_FWDDR ?= "0" +TF_A_FWDDR:stm32mp25common = "1" + +FWDDR_NAME ?= "ddr_pmu" +FWDDR_SUFFIX ?= "bin" + +# Set default TF-A config +TF_A_CONFIG ?= "" + +# Enable the wrapper for debug +TF_A_ENABLE_DEBUG_WRAPPER ??= "1" + +# Set default configuration to allow signing +TF_A_SIGN_SUFFIX ??= "${@bb.utils.contains('SIGN_ENABLE', '1', '${SIGN_SUFFIX}', '', d)}" +TF_A_SIGN_OF ?= 
"0x00000001" +TF_A_SIGN_OF:stm32mp1common ?= "0x00000001" +TF_A_SIGN_OF:stm32mp25common ?= "0x00000001" +TF_A_SIGN_OF:stm32mp25revabcommon ?= "0x00000001" + +TF_A_ENCRYPT_SUFFIX ??= "${@bb.utils.contains('ENCRYPT_ENABLE', '1', '${ENCRYPT_SUFFIX}', '', d)}" +TF_A_ENCRYPT_DC ?= "0x0E5F2025" +TF_A_ENCRYPT_DC:stm32mp1common ?= "0x0E5F2025" +TF_A_ENCRYPT_DC:stm32mp25common ?= "0x25205f0e" +TF_A_ENCRYPT_DC:stm32mp25revabcommon ?= "0x25205f0e" + +TF_A_ENCRYPT_IMGVER ?= "0" +TF_A_ENCRYPT_OF ?= "0x80000003" +TF_A_ENCRYPT_OF:stm32mp1common ?= "0x80000003" +TF_A_ENCRYPT_OF:stm32mp2common ?= "0x10000003" + + +# Set metadata generation +TF_A_ENABLE_METADATA ??= "${@bb.utils.contains('MACHINE_FEATURES', 'fw-update', '1', '0', d)}" +TF_A_METADATA_NAME ?= "metadata" +TF_A_METADATA_SUFFIX ?= "bin" +TF_A_METADATA_BINARY ??= "${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" + +TF_A_METADATA_TOOL ?= "tools/fwu_gen_metadata/fwumd_tool.py" +TF_A_METADATA_JSON ?= "plat/st/common/default_metadata.json" + +# Configure specific build flags +EXTRA_OEMAKE += "${@bb.utils.contains('SIGN_ENABLE', '1', 'TRUSTED_BOARD_BOOT=1', '', d)}" +EXTRA_OEMAKE += "${@bb.utils.contains('SIGN_ENABLE', '1', 'MBEDTLS_DIR=${TFA_MBEDTLS_DIR}', '', d)}" +EXTRA_OEMAKE:append:stm32mp2common = " ${@bb.utils.contains('SIGN_ENABLE', '1', 'BRANCH_PROTECTION=0', '', d)} " + +EXTRA_OEMAKE += "${@bb.utils.contains('ENCRYPT_ENABLE', '1', 'DECRYPTION_SUPPORT=aes_gcm ENCRYPT_BL32=1', '', d)}" +EXTRA_OEMAKE += "${@bb.utils.contains('ENCRYPT_ENABLE', '1', bb.utils.contains('FIP_BL31_ENABLE', '1', 'ENCRYPT_BL31=1', '', d), '', d)} " + +# Addons parameters for SIGN_TOOL +SIGN_TOOL_EXTRA ?= "" +SIGN_TOOL_EXTRA:stm32mp25common = "--header-version 2" +SIGN_TOOL_EXTRA:stm32mp25revabcommon = "--header-version 2" + +# Specific for revA board +EXTRA_OEMAKE:append:stm32mp25revabcommon = " CONFIG_STM32MP25X_REVA=1 " + +# ----------------------------------------------- +# Handle TF-A config and set internal vars +# TF_A_DEVICETREE +# 
TF_A_EXTRA_OPTFLAGS +python () { + import re + + tfaconfigflags = d.getVarFlags('TF_A_CONFIG') + # The "doc" varflag is special, we don't want to see it here + tfaconfigflags.pop('doc', None) + tfaconfig = (d.getVar('TF_A_CONFIG') or "").split() + tfabasename = d.getVar('TF_A_BASENAME') + + if not tfaconfig: + raise bb.parse.SkipRecipe("TF_A_CONFIG must be set in the %s machine configuration." % d.getVar("MACHINE")) + if (d.getVar('TF_A_DEVICETREE') or "").split(): + raise bb.parse.SkipRecipe("You cannot use TF_A_DEVICETREE as it is internal to TF_A_CONFIG var expansion.") + if (d.getVar('TF_A_EXTRA_OPTFLAGS') or "").split(): + raise bb.parse.SkipRecipe("You cannot use TF_A_EXTRA_OPTFLAGS as it is internal to TF_A_CONFIG var expansion.") + if (d.getVar('TF_A_BINARIES') or "").split(): + raise bb.parse.SkipRecipe("You cannot use TF_A_BINARIES as it is internal to TF_A_CONFIG var expansion.") + if (d.getVar('TF_A_MAKE_TARGET') or "").split(): + raise bb.parse.SkipRecipe("You cannot use TF_A_MAKE_TARGET as it is internal to TF_A_CONFIG var expansion.") + if (d.getVar('TF_A_FILES') or "").split(): + raise bb.parse.SkipRecipe("You cannot use TF_A_FILES as it is internal to TF_A_CONFIG var expansion.") + + if len(tfaconfig) > 0: + for config in tfaconfig: + for f, v in tfaconfigflags.items(): + if config == f: + # Make sure to get var flag properly expanded + v = d.getVarFlag('TF_A_CONFIG', config) + if not v.strip(): + bb.fatal('[TF_A_CONFIG] Missing configuration for %s config' % config) + items = v.split(',') + if items[0] and len(items) > 5: + raise bb.parse.SkipRecipe('Only ,,,, can be specified!') + # Set internal vars + bb.debug(1, "Appending '%s' to TF_A_DEVICETREE" % items[0]) + d.appendVar('TF_A_DEVICETREE', items[0] + ',') + if len(items) > 1 and items[1]: + bb.debug(1, "Appending '%s' to TF_A_EXTRA_OPTFLAGS." 
% items[1]) + d.appendVar('TF_A_EXTRA_OPTFLAGS', items[1] + ',') + else: + d.appendVar('TF_A_EXTRA_OPTFLAGS', '' + ',') + if len(items) > 2 and items[2]: + bb.debug(1, "Appending '%s' to TF_A_BINARIES." % items[2]) + d.appendVar('TF_A_BINARIES', items[2] + ',') + else: + bb.debug(1, "Appending '%s' to TF_A_BINARIES." % tfabasename) + d.appendVar('TF_A_BINARIES', tfabasename + ',') + if len(items) > 3 and items[3]: + bb.debug(1, "Appending '%s' to TF_A_MAKE_TARGET." % items[3]) + d.appendVar('TF_A_MAKE_TARGET', items[3] + ',') + else: + d.appendVar('TF_A_MAKE_TARGET', 'all' + ',') + if len(items) > 4 and items[4]: + bb.debug(1, "Appending '%s' to TF_A_FILES." % items[4]) + d.appendVar('TF_A_FILES', items[4] + ',') + else: + d.appendVar('TF_A_FILES', 'bl2' + ',') + break + + # Manage case of signature: + if d.getVar('SIGN_ENABLE') == "1": + # If signature are activated, for winning space, the debug parameter will be remove and level of trace decrease + if d.getVar('ST_TF_A_DEBUG_TRACE') == '1': + bb.warn("TF-A SIGNATURE: force ST_TF_A_DEBUG_TRACE to '0' to disable DEBUG and decrease log level") + d.setVar('ST_TF_A_DEBUG_TRACE', "0") +} + +# ----------------------------------------------- +# Enable use of work-shared folder +TFA_SHARED_SOURCES ??= "1" +STAGING_TFA_DIR = "${TMPDIR}/work-shared/${MACHINE}/tfa-source" +# Make sure to move ${S} to STAGING_TFA_DIR. We can't just +# create the symlink in advance as the git fetcher can't cope with +# the symlink. 
+do_unpack[cleandirs] += "${S}" +do_unpack[cleandirs] += "${@bb.utils.contains('TFA_SHARED_SOURCES', '1', '${STAGING_TFA_DIR}', '', d)}" +do_clean[cleandirs] += "${S}" +do_clean[cleandirs] += "${@bb.utils.contains('TFA_SHARED_SOURCES', '1', '${STAGING_TFA_DIR}', '', d)}" +base_do_unpack:append () { + # Specific part to update devtool-source class + if bb.data.inherits_class('devtool-source', d): + # We don't want to move the source to STAGING_TFA_DIR here + if d.getVar('STAGING_TFA_DIR', d): + d.setVar('STAGING_TFA_DIR', '${S}') + + shared = d.getVar("TFA_SHARED_SOURCES") + if shared and oe.types.boolean(shared): + # Copy/Paste from kernel class with adaptation to TFA var + s = d.getVar("S") + if s[-1] == '/': + # drop trailing slash, so that os.symlink(tfasrc, s) doesn't use s as directory name and fail + s=s[:-1] + tfasrc = d.getVar("STAGING_TFA_DIR") + if s != tfasrc: + bb.utils.mkdirhier(tfasrc) + bb.utils.remove(tfasrc, recurse=True) + if d.getVar("EXTERNALSRC"): + # With EXTERNALSRC S will not be wiped so we can symlink to it + os.symlink(s, tfasrc) + else: + import shutil + shutil.move(s, tfasrc) + os.symlink(tfasrc, s) +} + +do_compile() { + unset LDFLAGS + unset CFLAGS + unset CPPFLAGS + + unset i + for config in ${TF_A_CONFIG}; do + i=$(expr $i + 1) + # Initialize devicetree list, extra make options and tf-a basename + dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i}) + extra_opt=$(echo ${TF_A_EXTRA_OPTFLAGS} | cut -d',' -f${i}) + tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i}) + tf_a_make_target=$(echo ${TF_A_MAKE_TARGET} | cut -d',' -f${i}) + for dt in ${dt_config}; do + # Init specific soc settings + soc_extra_opt="" + soc_suffix="" + if [ -n "${STM32MP_SOC_NAME}" ]; then + for soc in ${STM32MP_SOC_NAME}; do + if [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ]; then + soc_extra_opt="$(echo ${soc} | awk '{print toupper($0)}')=1" + soc_suffix="-${soc}" + fi + done + fi + mkdir -p ${B}/${config}${soc_suffix} + if [ "${TF_A_ENABLE_METADATA}" = 
"1" ]; then + ${S}/${TF_A_METADATA_TOOL} jsonparse "${S}/${TF_A_METADATA_JSON}" -b "${B}/${config}${soc_suffix}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" + fi + + # Init specific ddr settings + ddr_extra_opt="" + if [ "${TF_A_FWDDR}" = "1" ]; then + # Detect ddr type if it's present + oe_runmake -C "${S}" BUILD_PLAT="${B}/${config}${soc_suffix}-${dt}" DTB_FILE_NAME="${dt}.dtb" ${extra_opt} ${soc_extra_opt} dtbs + if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb" ]; then + ddr_dtb_node=$(${STAGING_BINDIR_NATIVE}/fdtget -l ${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb /soc | grep ddr | head -n 1) + ddr_propertie=$(${STAGING_BINDIR_NATIVE}/fdtget ${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-bl2.dtb /soc/${ddr_dtb_node} st,mem-name || echo "none") + ddr_target="" + # potentials value of ddr_propertie: + # DDR3 16bits + # DDR4 32bits + # DDR4 8Gbits + # LPDDR4 32bits + case ${ddr_propertie} in + DDR3*) + ddr_extra_opt=" STM32MP_DDR3_TYPE=1 " + ddr_target="ddr3" + ;; + DDR4*) + ddr_extra_opt=" STM32MP_DDR4_TYPE=1 " + ddr_target="ddr4" + ;; + LPDDR4*) + ddr_extra_opt=" STM32MP_LPDDR4_TYPE=1 " + ddr_target="lpddr4" + ;; + *) + bbwarn "Missing st,mem-name information for ${dt}" + ;; + esac + bbnote "${dt}: ${tf_a_make_target} -> ${ddr_extra_opt}" + # Copy TF-A ddr binary with explicit devicetree filename + if [ -n "${ddr_target}" ]; then + if [ -s "${S}/drivers/st/ddr/phy/firmware/bin/${ddr_target}_pmu_train.bin" ]; then + cp "${S}/drivers/st/ddr/phy/firmware/bin/${ddr_target}_pmu_train.bin" "${B}/${config}${soc_suffix}-${dt}/${FWDDR_NAME}-${dt}.${FWDDR_SUFFIX}" + else + bbwarn "Missing ddr firmware file ${ddr_target}_pmu_train.bin for ${dt}" + fi + fi + fi + fi + + encrypt_extra_opt="" + if [ "${ENCRYPT_ENABLE}" = "1" ]; then + encrypt_key="${ENCRYPT_FIP_KEY_PATH_LIST}" + if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then + unset k + for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do + k=$(expr $k + 1) + [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && 
encrypt_key=$(echo ${ENCRYPT_FIP_KEY_PATH_LIST} | cut -d',' -f${k}) + done + fi + encrypt_extra_opt="ENC_KEY=$(hexdump -e '/1 "%02x"' ${encrypt_key})" + fi + + oe_runmake -C "${S}" BUILD_PLAT="${B}/${config}${soc_suffix}-${dt}" DTB_FILE_NAME="${dt}.dtb" ${extra_opt} ${soc_extra_opt} ${ddr_extra_opt} ${encrypt_extra_opt} ${tf_a_make_target} + + # Copy TF-A binary with explicit devicetree filename + if [ -f "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" ]; then + cp "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" + if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then + stm32wrapper4dbg -s "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}.${TF_A_SUFFIX}" -d "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" + fi + + if [ "${SIGN_ENABLE}" = "1" ]; then + # Init sign key for signing tools + sign_key="${SIGN_KEY_PATH_LIST}" + if [ -n "${STM32MP_SOC_NAME}" ]; then + unset k + for soc in ${STM32MP_SOC_NAME}; do + k=$(expr $k + 1) + [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && sign_key=$(echo ${SIGN_KEY_PATH_LIST} | cut -d',' -f${k}) + done + fi + # Init default '-of' option for signing case + tf_a_sign_of_opt="" + dd if="${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" of=header.dump bs=1 count=4 skip=72 > /dev/null 2> /dev/null + temp_version=$(od -A o -t dI header.dump | head -n 1 | cut -d' ' -f2- | sed "s/ //g") + rm -f header.dump + [ "$(expr $temp_version / 65536)" = "2" ] && tf_a_sign_of_opt="-of ${TF_A_SIGN_OF}" + # Sign tf-a binary + echo "${SIGN_TOOL} \ + -bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \ + -o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + --password ${SIGN_KEY_PASS} \ + --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') 
\ + --private-key ${sign_key} \ + --type fsbl \ + --silent \ + ${SIGN_TOOL_EXTRA} \ + ${tf_a_sign_of_opt}" + ${SIGN_TOOL} \ + -bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \ + -o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + --password ${SIGN_KEY_PASS} \ + --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \ + --private-key ${sign_key} \ + --type fsbl \ + --silent \ + ${SIGN_TOOL_EXTRA} \ + ${tf_a_sign_of_opt} + if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then + echo "${SIGN_TOOL} \ + -bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \ + -o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + --password ${SIGN_KEY_PASS} \ + --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \ + --private-key "${sign_key}" \ + --type fsbl \ + --silent \ + ${SIGN_TOOL_EXTRA} \ + ${tf_a_sign_of_opt}" + ${SIGN_TOOL} \ + -bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" \ + -o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + --password ${SIGN_KEY_PASS} \ + --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \ + --private-key "${sign_key}" \ + --type fsbl \ + --silent \ + ${SIGN_TOOL_EXTRA} \ + ${tf_a_sign_of_opt} + fi + fi + + if [ "${ENCRYPT_ENABLE}" = "1" ]; then + # Init encrypt key for signing tools + encrypt_key="${ENCRYPT_FSBL_KEY_PATH_LIST}" + if [ -n "${STM32MP_ENCRYPT_SOC_NAME}" ]; then + unset k + for soc in ${STM32MP_ENCRYPT_SOC_NAME}; do + k=$(expr $k + 1) + [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && encrypt_key=$(echo ${ENCRYPT_FSBL_KEY_PATH_LIST} | cut -d',' -f${k}) + done + fi + # Init default '-of' option for signing case + tf_a_sign_of_opt="" + dd 
if="${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" of=header.dump bs=1 count=4 skip=72 > /dev/null 2> /dev/null + temp_version=$(od -A o -t dI header.dump | head -n 1 | cut -d' ' -f2- | sed "s/ //g") + rm -f header.dump + [ "$(expr $temp_version / 65536)" = "2" ] && tf_a_sign_of_opt="-hv 2" + # Encrypt tf-a binary + echo '${SIGN_TOOL} \ + -bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + -o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + --password ${SIGN_KEY_PASS} \ + --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \ + --private-key ${sign_key} \ + --type fsbl \ + --silent \ + --enc-key ${encrypt_key} \ + --enc-dc "${TF_A_ENCRYPT_DC}" \ + --image-version "${TF_A_ENCRYPT_IMGVER}" \ + -of "${TF_A_ENCRYPT_OF}" \ + ${tf_a_sign_of_opt} ' + ${SIGN_TOOL} \ + -bin "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + -o "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + --password ${SIGN_KEY_PASS} \ + --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \ + --private-key ${sign_key} \ + --type fsbl \ + --silent \ + --enc-key ${encrypt_key} \ + --enc-dc "${TF_A_ENCRYPT_DC}" \ + --image-version "${TF_A_ENCRYPT_IMGVER}" \ + -of "${TF_A_ENCRYPT_OF}" \ + ${tf_a_sign_of_opt} + if [ "${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then + echo '${SIGN_TOOL} \ + -bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + -o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + --password ${SIGN_KEY_PASS} \ + --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \ + --private-key 
${sign_key} \ + --type fsbl \ + --silent \ + --enc-key ${encrypt_key} \ + --enc-dc "${TF_A_ENCRYPT_DC}" \ + --image-version "${TF_A_ENCRYPT_IMGVER}" \ + -of "${TF_A_ENCRYPT_OF}" \ + ${tf_a_sign_of_opt}' + ${SIGN_TOOL} \ + -bin "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + -o "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" \ + --password ${SIGN_KEY_PASS} \ + --public-key $(ls -1 $(dirname ${sign_key})/publicKey*.pem | tr '\n' '\t') \ + --private-key ${sign_key} \ + --type fsbl \ + --silent \ + --enc-key ${encrypt_key} \ + --enc-dc "${TF_A_ENCRYPT_DC}" \ + --image-version "${TF_A_ENCRYPT_IMGVER}" \ + -of "${TF_A_ENCRYPT_OF}"\ + ${tf_a_sign_of_opt} + fi + fi + fi + done + done + + if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then + ${S}/${TF_A_METADATA_TOOL} jsonparse "${S}/${TF_A_METADATA_JSON}" -b "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" + fi +} + +do_deploy() { + install -d ${DEPLOYDIR} + install -d ${DEPLOYDIR}/arm-trusted-firmware + + unset i + for config in ${TF_A_CONFIG}; do + i=$(expr $i + 1) + # Initialize devicetree list and tf-a basename + dt_config=$(echo ${TF_A_DEVICETREE} | cut -d',' -f${i}) + tfa_basename=$(echo ${TF_A_BINARIES} | cut -d',' -f${i}) + tfa_file_type=$(echo ${TF_A_FILES} | cut -d',' -f${i}) + for dt in ${dt_config}; do + # Init soc suffix + soc_suffix="" + if [ -n "${STM32MP_SOC_NAME}" ]; then + for soc in ${STM32MP_SOC_NAME}; do + [ "$(echo ${dt} | grep -c ${soc})" -eq 1 ] && soc_suffix="-${soc}" + done + fi + for file_type in ${tfa_file_type}; do + case "${file_type}" in + bl2) + # Install TF-A binary + if [ -f "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}.${TF_A_SUFFIX}" ]; then + install -m 644 "${B}/${config}${soc_suffix}-${dt}/${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/" + if [ 
"${TF_A_ENABLE_DEBUG_WRAPPER}" = "1" ]; then + install -d "${DEPLOYDIR}/arm-trusted-firmware/debug" + install -m 644 "${B}/${config}${soc_suffix}-${dt}/debug-${tfa_basename}-${dt}-${config}${TF_A_ENCRYPT_SUFFIX}${TF_A_SIGN_SUFFIX}.${TF_A_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/debug/" + fi + fi + if [ -n "${ELF_DEBUG_ENABLE}" ]; then + install -d "${DEPLOYDIR}/arm-trusted-firmware/debug" + if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL2_ELF}" ]; then + install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL2_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL2_BASENAME_DEPLOY}${soc_suffix}-${config}.${TF_A_ELF_SUFFIX}" + fi + fi + if [ "${TF_A_FWDDR}" = "1" ]; then + install -d "${DEPLOYDIR}/arm-trusted-firmware/ddr" + # Install DDR firmware binary + if [ -f "${B}/${config}${soc_suffix}-${dt}/${FWDDR_NAME}-${dt}.${FWDDR_SUFFIX}" ]; then + if [ ! -s "${DEPLOYDIR}/arm-trusted-firmware/ddr/${FWDDR_NAME}-${dt}.${FWDDR_SUFFIX}" ]; then + install -m 644 "${B}/${config}${soc_suffix}-${dt}/${FWDDR_NAME}-${dt}.${FWDDR_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/ddr/" + fi + fi + fi + ;; + bl31) + # Install BL31 files + install -d "${DEPLOYDIR}/arm-trusted-firmware/bl31" + # Install BL31 binary + if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL31_BASENAME}.${BL31_SUFFIX}" ]; then + install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL31_BASENAME}.${BL31_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl31/${tfa_basename}-${BL31_BASENAME_DEPLOY}${soc_suffix}.${BL31_SUFFIX}" + fi + # Install BL31 devicetree + if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${BL31_BASENAME}.${DT_SUFFIX}" ]; then + install -m 644 "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${BL31_BASENAME}.${DT_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl31/${dt}-${BL31_BASENAME}.${DT_SUFFIX}" + fi + if [ -n "${ELF_DEBUG_ENABLE}" ]; then + install -d "${DEPLOYDIR}/arm-trusted-firmware/bl31/debug" + if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL31_ELF}" ]; then + install -m 644 
"${B}/${config}${soc_suffix}-${dt}/${BL31_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/bl31/debug/${tfa_basename}-${BL31_BASENAME_DEPLOY}${soc_suffix}-${config}.${TF_A_ELF_SUFFIX}" + fi + fi + ;; + bl32) + # Install BL32 files + install -d "${DEPLOYDIR}/arm-trusted-firmware/bl32" + # Install BL32 binary + if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL32_BASENAME}.${BL32_SUFFIX}" ]; then + install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL32_BASENAME}.${BL32_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/${tfa_basename}-${BL32_BASENAME_DEPLOY}${soc_suffix}.${BL32_SUFFIX}" + fi + # Install BL32 devicetree + if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${BL32_BASENAME}.${DT_SUFFIX}" ]; then + install -m 644 "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${BL32_BASENAME}.${DT_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/${dt}-${BL32_BASENAME}.${DT_SUFFIX}" + fi + if [ -n "${ELF_DEBUG_ENABLE}" ]; then + install -d "${DEPLOYDIR}/arm-trusted-firmware/bl32/debug" + if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL32_ELF}" ]; then + install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL32_ELF}" "${DEPLOYDIR}/arm-trusted-firmware/bl32/debug/${tfa_basename}-${BL32_BASENAME_DEPLOY}${soc_suffix}-${config}.${TF_A_ELF_SUFFIX}" + fi + fi + ;; + fwconfig) + # Install fwconfig + install -d "${DEPLOYDIR}/arm-trusted-firmware/fwconfig" + if [ -f "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${FWCONFIG_NAME}.${DT_SUFFIX}" ]; then + install -m 644 "${B}/${config}${soc_suffix}-${dt}/fdts/${dt}-${FWCONFIG_NAME}.${DT_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/fwconfig/${dt}-${FWCONFIG_NAME}-${config}.${DT_SUFFIX}" + fi + ;; + esac + done # for file_type in ${tfa_file_type} + done # for dt in ${dt_config} + if [ -n "${ELF_DEBUG_ENABLE}" ]; then + install -d "${DEPLOYDIR}/arm-trusted-firmware/debug" + if [ -f "${B}/${config}${soc_suffix}-${dt}/${BL1_ELF}" ]; then + install -m 644 "${B}/${config}${soc_suffix}-${dt}/${BL1_ELF}" 
"${DEPLOYDIR}/arm-trusted-firmware/debug/${tfa_basename}-${BL1_BASENAME_DEPLOY}-${config}.${TF_A_ELF_SUFFIX}" + fi + fi + done # for config in ${TF_A_CONFIG} + + if [ "${TF_A_ENABLE_METADATA}" = "1" ]; then + install -d "${DEPLOYDIR}/arm-trusted-firmware" + if [ -f "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" ]; then + install -m 644 "${B}/${TF_A_METADATA_NAME}.${TF_A_METADATA_SUFFIX}" "${DEPLOYDIR}/arm-trusted-firmware/${TF_A_METADATA_BIN}" + fi + fi +} +addtask deploy before do_build after do_compile diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.6.bbappend similarity index 100% rename from meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_%.bbappend rename to meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.6.bbappend diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.8.bb b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.8.bb new file mode 100644 index 000000000..d83049b77 --- /dev/null +++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-stm32mp_2.8.bb 
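Review bot: The `echo` blocks that precede each `${SIGN_TOOL}` call in do_compile print the full command, including `--password ${SIGN_KEY_PASS}`, so the private-key password ends up in the task log of any signing build; this applies to the plain and debug-wrapper variants of both the signing and the encryption branch. The FIP encryption key is exposed the same way, because `ENC_KEY=$(hexdump -e '/1 "%02x"' ${encrypt_key})` is passed as an argument to `oe_runmake`, which logs its command line. The echoes could be dropped or print a masked value such as `--password '***'`, and until the tools take the password and key from a file or the environment, the logs and work directory of a signing build should be handled as secret material. Separately, the metadata install at the end of do_deploy refers to `${TF_A_METADATA_BIN}` while the variable defined earlier in this hunk is `TF_A_METADATA_BINARY`.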
@@ -0,0 +1,42 @@
+#
+# Copyright (C) 2024 Digi International Inc.
+#
+require tf-a-stm32mp2-common.inc
+require tf-a-stm32mp2.inc
+
+SUMMARY = "Trusted Firmware-A for STM32MP1"
+LICENSE = "BSD-3-Clause"
+
+# Select internal or Github TF-A repo
+TFA_URI_STASH = "${DIGI_MTK_GIT}/emp/arm-trusted-firmware.git;protocol=ssh"
+TFA_URI_GITHUB = "${DIGI_GITHUB_GIT}/arm-trusted-firmware.git;protocol=https"
+TFA_GIT_URI ?= "${@oe.utils.conditional('DIGI_INTERNAL_GIT', '1' , '${TFA_URI_STASH}', '${TFA_URI_GITHUB}', d)}"
+
+SRCBRANCH = "v2.8/stm32mp/master"
+SRCREV = "${AUTOREV}"
+
+SRC_URI = " \
+ ${TFA_GIT_URI};branch=${SRCBRANCH} \
+"
+
+TF_A_VERSION = "v2.8.12"
+TF_A_RELEASE = "beta-r1"
+
+# Configure settings
+TFA_PLATFORM = "stm32mp1"
+TFA_ARM_MAJOR = "7"
+TFA_ARM_ARCH = "aarch32"
+
+TFA_PLATFORM:aarch64 = "stm32mp2"
+TFA_ARM_MAJOR:aarch64 = "8"
+TFA_ARM_ARCH:aarch64 = "aarch64"
+
+# Enable the wrapper for debug
+TF_A_ENABLE_DEBUG_WRAPPER ?= "1"
+
+# ---------------------------------
+# Configure archiver use
+# ---------------------------------
+include ${@oe.utils.ifelse(d.getVar('ST_ARCHIVER_ENABLE') == '1', 'tf-a-stm32mp-archiver.inc','')}
+
+COMPATIBLE_MACHINE = "(ccmp2)"
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools.inc b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools.inc
new file mode 100644
index 000000000..5d0fe9913
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools.inc
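Review bot: `SRCREV = "${AUTOREV}"` makes this boot-firmware recipe build whatever is at the tip of `v2.8/stm32mp/master` at fetch time, so two builds from the same layer revision can produce different TF-A binaries and the layer itself no longer determines which commit gets signed and shipped. Because `SRC_URI` and `SRCREV` are assigned with `=` after `require tf-a-stm32mp2-common.inc`, they also replace the pinned revision, the DDR firmware tarball and the beta patch that file sets up; if that is intended, it deserves a comment. For release builds the revision should be pinned, e.g. `SRCREV = "<full commit id on v2.8/stm32mp/master>"` (placeholder). `SUMMARY` still says STM32MP1 although the commit targets the ConnectCore MP25.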
@@ -0,0 +1,48 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/tf-a-tools:"
+
+SRC_URI:append = " \
+ file://0001-FIX-GCC-tools-overwrite.patch \
+ file://0001-tools-allow-to-use-a-root-key-password-from-command-.patch \
+ "
+
+DEPENDS += "dtc-native openssl"
+
+COMPATIBLE_HOST:class-target = "null"
+
+HOSTCC:class-native = "${BUILD_CC}"
+HOSTCC:class-nativesdk = "${CC}"
+
+EXTRA_OEMAKE += "HOSTCC='${HOSTCC}' OPENSSL_DIR='${STAGING_EXECPREFIXDIR}'"
+EXTRA_OEMAKE += "certtool enctool fiptool"
+EXTRA_OEMAKE += "PLAT=${TFA_PLATFORM}"
+
+do_configure[noexec] = "1"
+
+do_compile:prepend:class-native () {
+ # This is still needed to have the native fiptool executing properly by
+ # setting the RPATH
+ sed -e '/^LDLIBS/ s,$, \$\{BUILD_LDFLAGS},' \
+ -e '/^INCLUDE_PATHS/ s,$, \$\{BUILD_CFLAGS},' \
+ -i ${S}/tools/fiptool/Makefile
+ # This is still needed to have the native cert_create executing properly by
+ # setting the RPATH
+ sed -e '/^LIB_DIR/ s,$, \$\{BUILD_LDFLAGS},' \
+ -e '/^INC_DIR/ s,$, \$\{BUILD_CFLAGS},' \
+ -i ${S}/tools/cert_create/Makefile
+ # This is still needed to have the native fiptool executing properly by
+ # setting the RPATH
+ sed -e '/^LIB_DIR/ s,$, \$\{BUILD_LDFLAGS},' \
+ -e '/^INC_DIR/ s,$, \$\{BUILD_CFLAGS},' \
+ -i ${S}/tools/encrypt_fw/Makefile
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 \
+ ${B}/tools/fiptool/fiptool \
+ ${B}/tools/cert_create/cert_create \
+ ${B}/tools/encrypt_fw/encrypt_fw \
+ ${D}${bindir}
+}
+
+BBCLASSEXTEND += "native nativesdk"
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-FIX-GCC-tools-overwrite.patch b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-FIX-GCC-tools-overwrite.patch
new file mode 100644
index 000000000..63d7dc604
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-FIX-GCC-tools-overwrite.patch
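Review bot: The second patch added to `SRC_URI` lets the root key password be given as a `ROT_KEY_PWD` make variable that is forwarded to cert_create as `--rot-key-pwd`, but nothing in this recipe says how that value is expected to be supplied or that it then travels on a command line. A short comment next to the patch entry would help, e.g. `# ROT_KEY_PWD is passed to cert_create as an argument: visible to other local users and in verbose build output`. The `sed -i` edits in `do_compile:prepend:class-native` append to the Makefiles under `${S}` on every run of the task, so a forced recompile adds the flags again; a guard, or carrying the change as a patch, would make the task repeatable. The third comment in that function says fiptool, but the command edits tools/encrypt_fw/Makefile.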
@@ -0,0 +1,48 @@
+From 68a2098a3035b8374d0ce0b1feead650dadbce64 Mon Sep 17 00:00:00 2001
+From: Christophe Priouzeau
+Date: Thu, 24 Nov 2022 16:18:27 +0100
+Subject: [PATCH] FIX GCC tools overwrite
+
+Signed-off-by: Christophe Priouzeau
+---
+ Makefile | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 1ddb7b844..d6583dfe9 100644
+--- a/Makefile
++++ b/Makefile
+@@ -183,19 +183,19 @@ endif
+ # Toolchain
+ ################################################################################
+
+-HOSTCC := gcc
++HOSTCC ?= gcc
+ export HOSTCC
+
+-CC := ${CROSS_COMPILE}gcc
+-CPP := ${CROSS_COMPILE}cpp
+-AS := ${CROSS_COMPILE}gcc
+-AR := ${CROSS_COMPILE}ar
+-LINKER := ${CROSS_COMPILE}ld
+-OC := ${CROSS_COMPILE}objcopy
+-OD := ${CROSS_COMPILE}objdump
+-NM := ${CROSS_COMPILE}nm
+-PP := ${CROSS_COMPILE}gcc -E
+-DTC := dtc
++#CC := ${CROSS_COMPILE}gcc
++#CPP := ${CROSS_COMPILE}cpp
++#AS := ${CROSS_COMPILE}gcc
++#AR := ${CROSS_COMPILE}ar
++#LINKER := ${CROSS_COMPILE}ld
++#OC := ${CROSS_COMPILE}objcopy
++#OD := ${CROSS_COMPILE}objdump
++#NM := ${CROSS_COMPILE}nm
++#PP := ${CROSS_COMPILE}gcc -E
++#DTC := dtc
+
+ # Use ${LD}.bfd instead if it exists (as absolute path or together with $PATH).
+ ifneq ($(strip $(wildcard ${LD}.bfd) \
+-- 
+2.25.1
+
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-tools-allow-to-use-a-root-key-password-from-command-.patch b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-tools-allow-to-use-a-root-key-password-from-command-.patch
new file mode 100644
index 000000000..0a17ea37f
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools/0001-tools-allow-to-use-a-root-key-password-from-command-.patch
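Review bot: The ten cross-toolchain assignments stay in the Makefile as commented-out lines instead of being removed, which leaves dead text to rebase on every TF-A update and does not say why they are disabled. For the variables make has no built-in value for (`LINKER`, `OC`, `OD`, `NM`, `PP`, `DTC`) the change also leaves them empty unless the caller supplies them. That looks acceptable only because tf-a-tools.inc builds just the host tools, and the patch description should say so. The patch header carries no `Upstream-Status:` line, which Yocto's patch conventions ask for.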
@@ -0,0 +1,126 @@
+From 204cde3bd45f634e3699a42ed8f865a8385743a5 Mon Sep 17 00:00:00 2001
+From: Christophe Priouzeau
+Date: Mon, 28 Nov 2022 12:16:38 +0100
+Subject: [PATCH] tools: allow to use a root key password from command line
+
+By defining the ROT_KEY_PWD, user is able to define the private
+root key password. Useful for build system management.
+
+Signed-off-by: Lionel Debieve
+---
+ make_helpers/tbbr/tbbr_tools.mk | 2 ++
+ tools/cert_create/include/key.h | 2 +-
+ tools/cert_create/src/key.c | 4 ++--
+ tools/cert_create/src/main.c | 13 +++++++++++--
+ 4 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk
+index 5ef2d852e..147159b1a 100644
+--- a/make_helpers/tbbr/tbbr_tools.mk
++++ b/make_helpers/tbbr/tbbr_tools.mk
+@@ -25,6 +25,7 @@
+ # KEY_SIZE
+ # ROT_KEY
+ # PROT_KEY
++# ROT_KEY_PWD
+ # PLAT_KEY
+ # SWD_ROT_KEY
+ # CORE_SWD_KEY
+@@ -74,6 +75,7 @@ $(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg,FWU_)))
+ $(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
+ $(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key,FWU_)))
+ $(if ${PROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${PROT_KEY},--prot-key)))
++$(if ${ROT_KEY_PWD},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY_PWD},--rot-key-pwd)))
+ $(if ${PLAT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${PLAT_KEY},--plat-key)))
+ $(if ${SWD_ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${SWD_ROT_KEY},--swd-rot-key)))
+ $(if ${CORE_SWD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${CORE_SWD_KEY},--core-swd-key)))
+diff --git a/tools/cert_create/include/key.h b/tools/cert_create/include/key.h
+index 312575b44..ed3654b08 100644
+--- a/tools/cert_create/include/key.h
++++ b/tools/cert_create/include/key.h
+@@ -74,7 +74,7 @@ key_t *key_get_by_opt(const char *opt);
+ int key_new(key_t *key);
+ #endif
+ int key_create(key_t *key, int type, int key_bits);
+-int key_load(key_t *key, unsigned int *err_code);
++int key_load(key_t *key, char *rot_key_pwd, unsigned int *err_code);
+ int key_store(key_t *key);
+ void key_cleanup(void);
+
+diff --git a/tools/cert_create/src/key.c b/tools/cert_create/src/key.c
+index 487777b67..c8f5357be 100644
+--- a/tools/cert_create/src/key.c
++++ b/tools/cert_create/src/key.c
+@@ -189,7 +189,7 @@ int key_create(key_t *key, int type, int key_bits)
+ return 0;
+ }
+
+-int key_load(key_t *key, unsigned int *err_code)
++int key_load(key_t *key, char *rot_key_pwd, unsigned int *err_code)
+ {
+ FILE *fp;
+ EVP_PKEY *k;
+@@ -198,7 +198,7 @@ int key_load(key_t *key, unsigned int *err_code)
+ /* Load key from file */
+ fp = fopen(key->fn, "r");
+ if (fp) {
+- k = PEM_read_PrivateKey(fp, &key->key, NULL, NULL);
++ k = PEM_read_PrivateKey(fp, &key->key, NULL, rot_key_pwd);
+ fclose(fp);
+ if (k) {
+ *err_code = KEY_ERR_NONE;
+diff --git a/tools/cert_create/src/main.c b/tools/cert_create/src/main.c
+index 2ab6bcfd9..90bb82ba8 100644
+--- a/tools/cert_create/src/main.c
++++ b/tools/cert_create/src/main.c
+@@ -292,6 +292,10 @@ static const cmd_opt_t common_cmd_opt[] = {
+ { "print-cert", no_argument, NULL, 'p' },
+ "Print the certificates in the standard output"
+ }
++ ,{
++ { "rot-key-pwd", required_argument, NULL, 'r' },
++ "Password for the root key"
++ },
+ };
+
+ int main(int argc, char *argv[])
+@@ -310,6 +314,7 @@ int main(int argc, char *argv[])
+ unsigned char md[SHA512_DIGEST_LENGTH];
+ unsigned int md_len;
+ const EVP_MD *md_info;
++ char *rot_key_pw = NULL;
+
+ NOTICE("CoT Generation Tool: %s\n", build_msg);
+ NOTICE("Target platform: %s\n", platform_msg);
+@@ -347,7 +352,7 @@ int main(int argc, char *argv[])
+
+ while (1) {
+ /* getopt_long stores the option index here. */
+- c = getopt_long(argc, argv, "a:b:hknps:", cmd_opt, &opt_idx);
++ c = getopt_long(argc, argv, "a:b:hknpr:s:", cmd_opt, &opt_idx);
+
+ /* Detect the end of the options. */
+ if (c == -1) {
+@@ -381,6 +386,10 @@ int main(int argc, char *argv[])
+ case 'p':
+ print_cert = 1;
+ break;
++ case 'r':
++ rot_key_pw = malloc(sizeof(char) * strlen(optarg));
++ strncpy(rot_key_pw, optarg, strlen(optarg));
++ break;
+ case 's':
+ hash_alg = get_hash_alg(optarg);
+ if (hash_alg < 0) {
+@@ -441,7 +450,7 @@ int main(int argc, char *argv[])
+ #endif
+
+ /* First try to load the key from disk */
+- if (key_load(&keys[i], &err_code)) {
++ if (key_load(&keys[i], rot_key_pw, &err_code)) {
+ /* Key loaded successfully */
+ continue;
+ }
+-- 
+2.25.1
+
diff --git a/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools_2.8.bb b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools_2.8.bb
new file mode 100644
index 000000000..27bff1dde
--- /dev/null
+++ b/meta-digi-arm/dynamic-layers/stm-st-stm32mp/recipes-bsp/trusted-firmware-a/tf-a-tools_2.8.bb
@@ -0,0 +1,22 @@
+require tf-a-stm32mp2-common.inc
+require tf-a-tools.inc
+
+SUMMARY = "Cert_create & Fiptool for fip generation for Trusted Firmware-A"
+LICENSE = "BSD-3-Clause"
+
+# Select internal or Github TF-A repo
+TFA_URI_STASH = "${DIGI_MTK_GIT}/emp/arm-trusted-firmware.git;protocol=ssh"
+TFA_URI_GITHUB = "${DIGI_GITHUB_GIT}/arm-trusted-firmware.git;protocol=https"
+TFA_GIT_URI ?= "${@oe.utils.conditional('DIGI_INTERNAL_GIT', '1' , '${TFA_URI_STASH}', '${TFA_URI_GITHUB}', d)}"
+
+SRCBRANCH = "v2.8/stm32mp/master"
+SRCREV = "${AUTOREV}"
+
+SRC_URI = " \
+ ${TFA_GIT_URI};branch=${SRCBRANCH} \
+"
+
+# Configure settings
+TFA_PLATFORM = "stm32mp1"
+TFA_PLATFORM:class-native = "stm32mp2"
+TFA_PLATFORM:class-nativesdk = "stm32mp2"
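Review bot: In the `case 'r':` branch added to main(), `malloc(sizeof(char) * strlen(optarg))` leaves no room for the terminator and `strncpy(rot_key_pw, optarg, strlen(optarg))` never writes one, while key_load() passes the buffer to `PEM_read_PrivateKey()` with a NULL callback, where OpenSSL reads it as a NUL-terminated passphrase, so the read runs past the allocation; the malloc result is not checked either. `rot_key_pw = strdup(optarg);` followed by a NULL check would fix both. Taking the passphrase through `--rot-key-pwd` (fed from `ROT_KEY_PWD` in tbbr_tools.mk) also puts the root-of-trust key password in the process argument list and, presumably, in make and bitbake logs; reading it from a file or an environment variable that is kept out of logs would avoid that. The same `rot_key_pw` is handed to key_load() for every entry in `keys[]`, not only the root key, which may be unintended. main() and key_load() continue outside the hunks shown, so whether the buffer is freed or cleared later cannot be seen here.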