Merge pull request #176339 from amjoseph-nixpkgs/pr/backport/174691

[Backport release-22.05] arm-trusted-firmware: unfree only if hdcp.bin used
NixOS · Jul 3, 2022 · 4eb80b0 · 4eb80b0
2 parents a8df415 + f7c1aa6
commit 4eb80b0
Showing 1 changed file with 21 additions and 4 deletions.
diff --git a/pkgs/misc/arm-trusted-firmware/default.nix b/pkgs/misc/arm-trusted-firmware/default.nix
@@ -1,18 +1,29 @@
 { lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages
 
-# Warning: this blob runs on the main CPU (not the GPU) at privilege
-# level EL3, which is above both the kernel and the hypervisor.
+# Warning: this blob (hdcp.bin) runs on the main CPU (not the GPU) at
+# privilege level EL3, which is above both the kernel and the
+# hypervisor.
+#
+# This parameter applies only to platforms which are believed to use
+# hdcp.bin. On all other platforms, or if unfreeIncludeHDCPBlob=false,
+# hdcp.bin will be deleted before building.
 , unfreeIncludeHDCPBlob ? true
 }:
 
 let
   buildArmTrustedFirmware = { filesToInstall
             , installDir ? "$out"
             , platform ? null
+            , platformCanUseHDCPBlob ? false  # set this to true if the platform is able to use hdcp.bin
             , extraMakeFlags ? []
             , extraMeta ? {}
             , version ? "2.6"
             , ... } @ args:
+
+           # delete hdcp.bin if either: the platform is thought to
+           # not need it or unfreeIncludeHDCPBlob is false
+           let deleteHDCPBlobBeforeBuild = !platformCanUseHDCPBlob || !unfreeIncludeHDCPBlob; in
+
            stdenv.mkDerivation ({
 
     pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
@@ -25,11 +36,15 @@ let
       sha256 = "sha256-qT9DdTvMcUrvRzgmVf2qmKB+Rb1WOB4p1rM+fsewGcg=";
     };
 
-    patches = lib.optionals (!unfreeIncludeHDCPBlob) [
+    patches = lib.optionals deleteHDCPBlobBeforeBuild [
       # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
       ./remove-hdcp-blob.patch
     ];
 
+    postPatch = lib.optionalString deleteHDCPBlobBeforeBuild ''
+      rm plat/rockchip/rk3399/drivers/dp/hdcp.bin
+    '';
+
     depsBuildBuild = [ buildPackages.stdenv.cc ];
 
     # For Cortex-M0 firmware in RK3399
@@ -60,7 +75,7 @@ let
     meta = with lib; {
       homepage = "https://github.com/ARM-software/arm-trusted-firmware";
       description = "A reference implementation of secure world software for ARMv8-A";
-      license = (if unfreeIncludeHDCPBlob then [ licenses.unfreeRedistributable ] else []) ++ [ licenses.bsd3 ];
+      license = [ licenses.bsd3 ] ++ lib.optionals (!deleteHDCPBlobBeforeBuild) [ licenses.unfreeRedistributable ];
       maintainers = with maintainers; [ lopsided98 ];
     } // extraMeta;
   } // builtins.removeAttrs args [ "extraMeta" ]);
@@ -111,13 +126,15 @@ in {
     platform = "rk3328";
     extraMeta.platforms = ["aarch64-linux"];
     filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
+    platformCanUseHDCPBlob = true;
   };
 
   armTrustedFirmwareRK3399 = buildArmTrustedFirmware rec {
     extraMakeFlags = [ "bl31" ];
     platform = "rk3399";
     extraMeta.platforms = ["aarch64-linux"];
     filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
+    platformCanUseHDCPBlob = true;
   };
 
   armTrustedFirmwareS905 = buildArmTrustedFirmware rec {