From 3aaba92a701d4306cbb59b5e5105dfefffe03765 Mon Sep 17 00:00:00 2001
From: Adam Joseph
Date: Wed, 25 May 2022 23:49:22 -0700
Subject: [PATCH] arm-trusted-firmware: set unfreeIncludeHDCPBlob=false if not used The `unfreeIncludeHDCPBlob` parameter was introduced as a result of this reviewer request: https://github.com/NixOS/nixpkgs/issues/148890#issuecomment-1032002903 The default value `unfreeIncludeHDCPBlob?true` causes a change in the `meta.license` field for all of the subpackages within `pkgs/misc/arm-trusted-firmware/`, and results in them needing `NIXPKGS_ALLOW_NONFREE=1`. For Rockchip platforms this change is unavoidable; we are correcting an incorrect license declaration. However for non-Rockchip platforms the file `hdcp.bin` does not get included in the output. Therefore we can set `unfreeIncludeHDCPBlob=false` on these platforms and produce no user-visible change in the resulting output, while preserving the ability to build them without `NIXPKGS_ALLOW_NONFREE=1`. Let's do that.
---
pkgs/misc/arm-trusted-firmware/build.nix | 72 +++++++++++++++++
pkgs/misc/arm-trusted-firmware/default.nix | 90 ++++++----------------
pkgs/top-level/all-packages.nix | 2 +-
3 files changed, 96 insertions(+), 68 deletions(-)
create mode 100644 pkgs/misc/arm-trusted-firmware/build.nix
diff --git a/pkgs/misc/arm-trusted-firmware/build.nix b/pkgs/misc/arm-trusted-firmware/build.nix
new file mode 100644
index 000000000000000..94f61bb6c798e9d
--- /dev/null
+++ b/pkgs/misc/arm-trusted-firmware/build.nix
@@ -0,0 +1,72 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, openssl
+, pkgsCross
+, buildPackages
+}:
+
+{ filesToInstall
+, installDir ? "$out"
+, platform ? null
+, deleteHDCPBlobBeforeBuild ? false
+, extraMakeFlags ? []
+, extraMeta ? {}
+, version ? "2.6"
+, ... } @ args:
+
+stdenv.mkDerivation ({
+
+ pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
+ inherit version;
+
+ src = fetchFromGitHub {
+ owner = "ARM-software";
+ repo = "arm-trusted-firmware";
+ rev = "v${version}";
+ sha256 = "sha256-qT9DdTvMcUrvRzgmVf2qmKB+Rb1WOB4p1rM+fsewGcg=";
+ };
+
+ patches = lib.optionals deleteHDCPBlobBeforeBuild [
+ # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
+ ./remove-hdcp-blob.patch
+ ];
+
+ postPatch = lib.optionalString deleteHDCPBlobBeforeBuild ''
+ rm plat/rockchip/rk3399/drivers/dp/hdcp.bin
+ '';
+
+ depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+ # For Cortex-M0 firmware in RK3399
+ nativeBuildInputs = [ pkgsCross.arm-embedded.stdenv.cc ];
+
+ buildInputs = [ openssl ];
+
+ makeFlags = [
+ "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
+ ] ++ (lib.optional (platform != null) "PLAT=${platform}")
+ ++ extraMakeFlags;
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p ${installDir}
+ cp ${lib.concatStringsSep " " filesToInstall} ${installDir}
+
+ runHook postInstall
+ '';
+
+ hardeningDisable = [ "all" ];
+ dontStrip = true;
+
+ # Fatal error: can't create build/sun50iw1p1/release/bl31/sunxi_clocks.o: No such file or directory
+ enableParallelBuilding = false;
+
+ meta = with lib; {
+ homepage = "https://github.com/ARM-software/arm-trusted-firmware";
+ description = "A reference implementation of secure world software for ARMv8-A";
+ license = [ licenses.bsd3 ] ++ lib.optionals (!deleteHDCPBlobBeforeBuild) [ licenses.unfreeRedistributable ];
+ maintainers = with maintainers; [ lopsided98 ];
+ } // extraMeta;
+} // builtins.removeAttrs args [ "extraMeta" ])
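Review bot: The default `deleteHDCPBlobBeforeBuild ? false` in the builder's argument set fails open: any caller that omits the flag keeps `hdcp.bin` in the source tree, and the commit's own comment in default.nix says that blob runs at EL3. This commit also exposes `buildArmTrustedFirmware` at top level in all-packages.nix, so out-of-tree callers inherit that default, and the five non-Rockchip attributes in default.nix (hunks at -82, -104 and -125) each have to repeat `deleteHDCPBlobBeforeBuild = true;` by hand. Defaulting to removal, `, deleteHDCPBlobBeforeBuild ? true`, would leave the two Rockchip attributes, which already set the flag explicitly, as the only opt-ins, and the `license` expression stays correct either way. A short comment on the parameter here, such as `# set to false only for platforms that need plat/rockchip/rk3399/drivers/dp/hdcp.bin`, would also help, because the EL3 warning currently lives only in default.nix.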
diff --git a/pkgs/misc/arm-trusted-firmware/default.nix b/pkgs/misc/arm-trusted-firmware/default.nix
index 49fdc7a829c5877..c7b1bfc6b7ab580 100644
--- a/pkgs/misc/arm-trusted-firmware/default.nix
+++ b/pkgs/misc/arm-trusted-firmware/default.nix
@@ -1,73 +1,22 @@ -{ lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages - -# Warning: this blob runs on the main CPU (not the GPU) at privilege -# level EL3, which is above both the kernel and the hypervisor. +{ lib +, stdenv +, fetchFromGitHub +, openssl +, pkgsCross +, buildPackages +, buildArmTrustedFirmware + +# Warning: this blob (hdcp.bin) runs on the main CPU (not the GPU) at +# privilege level EL3, which is above both the kernel and the +# hypervisor. +# +# This parameter applies only to platforms which are believed to use +# hdcp.bin. On all other platforms, or if unfreeIncludeHDCPBlob=false, +# hdcp.bin will be deleted before building. , unfreeIncludeHDCPBlob ? true }: -let - buildArmTrustedFirmware = { filesToInstall - , installDir ? "$out" - , platform ? null - , extraMakeFlags ? [] - , extraMeta ? {} - , version ? "2.6" - , ... } @ args: - stdenv.mkDerivation ({ - - pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}"; - inherit version; - - src = fetchFromGitHub { - owner = "ARM-software"; - repo = "arm-trusted-firmware"; - rev = "v${version}"; - sha256 = "sha256-qT9DdTvMcUrvRzgmVf2qmKB+Rb1WOB4p1rM+fsewGcg="; - }; - - patches = lib.optionals (!unfreeIncludeHDCPBlob) [ - # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch - ./remove-hdcp-blob.patch - ]; - - depsBuildBuild = [ buildPackages.stdenv.cc ]; - - # For Cortex-M0 firmware in RK3399 - nativeBuildInputs = [ pkgsCross.arm-embedded.stdenv.cc ]; - - buildInputs = [ openssl ]; - - makeFlags = [ - "CROSS_COMPILE=${stdenv.cc.targetPrefix}" - ] ++ (lib.optional (platform != null) "PLAT=${platform}") - ++ extraMakeFlags; - - installPhase = '' - runHook preInstall - - mkdir -p ${installDir} - cp ${lib.concatStringsSep " " filesToInstall} ${installDir} - - runHook postInstall - ''; - - hardeningDisable = [ "all" ]; - dontStrip = true; - - # Fatal error: can't create build/sun50iw1p1/release/bl31/sunxi_clocks.o: No such 
file or directory - enableParallelBuilding = false; - - meta = with lib; { - homepage = "https://github.com/ARM-software/arm-trusted-firmware"; - description = "A reference implementation of secure world software for ARMv8-A"; - license = (if unfreeIncludeHDCPBlob then [ licenses.unfreeRedistributable ] else []) ++ [ licenses.bsd3 ]; - maintainers = with maintainers; [ lopsided98 ]; - } // extraMeta; - } // builtins.removeAttrs args [ "extraMeta" ]); - -in { - inherit buildArmTrustedFirmware; - +{ armTrustedFirmwareTools = buildArmTrustedFirmware rec { extraMakeFlags = [ "HOSTCC=${stdenv.cc.targetPrefix}gcc" @@ -82,18 +31,21 @@ in { mkdir -p "$out/bin" find "$out" -type f -executable -exec mv -t "$out/bin" {} + ''; + deleteHDCPBlobBeforeBuild = true; }; armTrustedFirmwareAllwinner = buildArmTrustedFirmware rec { platform = "sun50i_a64"; extraMeta.platforms = ["aarch64-linux"]; filesToInstall = ["build/${platform}/release/bl31.bin"]; + deleteHDCPBlobBeforeBuild = true; }; armTrustedFirmwareAllwinnerH616 = buildArmTrustedFirmware rec { platform = "sun50i_h616"; extraMeta.platforms = ["aarch64-linux"]; filesToInstall = ["build/${platform}/release/bl31.bin"]; + deleteHDCPBlobBeforeBuild = true; }; armTrustedFirmwareQemu = buildArmTrustedFirmware rec { @@ -104,6 +56,7 @@ in { "build/${platform}/release/bl2.bin" "build/${platform}/release/bl31.bin" ]; + deleteHDCPBlobBeforeBuild = true; }; armTrustedFirmwareRK3328 = buildArmTrustedFirmware rec { @@ -111,6 +64,7 @@ in { platform = "rk3328"; extraMeta.platforms = ["aarch64-linux"]; filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"]; + deleteHDCPBlobBeforeBuild = !unfreeIncludeHDCPBlob; }; armTrustedFirmwareRK3399 = buildArmTrustedFirmware rec { @@ -118,6 +72,7 @@ in { platform = "rk3399"; extraMeta.platforms = ["aarch64-linux"]; filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"]; + deleteHDCPBlobBeforeBuild = !unfreeIncludeHDCPBlob; }; armTrustedFirmwareS905 = buildArmTrustedFirmware rec { 
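Review bot: In the `armTrustedFirmwareRK3328` hunk, `deleteHDCPBlobBeforeBuild = !unfreeIncludeHDCPBlob;` treats rk3328 as a blob user, but the only blob path this commit touches is `plat/rockchip/rk3399/drivers/dp/hdcp.bin` in build.nix, which sits under the rk3399 platform directory. If the rk3328 build does not actually link that file (not visible from this diff, and the header comment itself only says "believed to use"), this attribute should take `deleteHDCPBlobBeforeBuild = true;` like the other platforms, so that it is not marked `unfreeRedistributable` and does not carry an unaudited EL3 binary in its source without need. Either way, the header comment would be easier to audit if it named the platforms it means, e.g. `# Currently: rk3328 (unverified), rk3399.` The attribute's body starts outside the hunk.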
@@ -125,5 +80,6 @@ in { platform = "gxbb"; extraMeta.platforms = ["aarch64-linux"]; filesToInstall = [ "build/${platform}/release/bl31.bin"]; + deleteHDCPBlobBeforeBuild = true; }; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 178b2e5c88d2394..5e9c8160d5eb491 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -22822,8 +22822,8 @@ with pkgs; fftw = fftwFloat; }; + buildArmTrustedFirmware = callPackage ../misc/arm-trusted-firmware/build.nix {}; inherit (callPackage ../misc/arm-trusted-firmware {}) - buildArmTrustedFirmware armTrustedFirmwareTools armTrustedFirmwareAllwinner armTrustedFirmwareAllwinnerH616