rpi5: uefi & arm-tf current packaging state

2024-04-20 18:54:58 +02:00 · 2024-04-20 18:54:58 +02:00 · 718e2a32e3
parent 19df296944
commit 718e2a32e3
5 changed files with 111 additions and 13 deletions
--- a/nixos/akamanto/default.nix
+++ b/nixos/akamanto/default.nix
@ -250,7 +250,7 @@ in {
      pipewire
      (v4l-utils.override { withGUI = false; })

-      rpi5-arm-tf
+      rpi5-edk2
    ];
  programs.nix-index.enable = lib.mkForce false;
  services.journald.extraConfig = ''
--- a/overlays/rpi5.nix
+++ b/overlays/rpi5.nix
@ -10,6 +10,7 @@ self: super: rec {
  linuxPackages_rpi5 = self.linuxPackagesFor linux_rpi5;

  rpi5-arm-tf = self.callPackage ../pkgs/rpi5-arm-tf.nix { };
+  rpi5-edk2-tools = self.callPackage ../pkgs/rpi5-edk2-tools.nix { };
  rpi5-uefi = self.callPackage ../pkgs/rpi5-uefi.nix { };
  rpi5-uefi-bin = self.callPackage ../pkgs/rpi5-uefi-bin.nix { };
 }
--- a/pkgs/rpi5-arm-tf.nix
+++ b/pkgs/rpi5-arm-tf.nix
@ -4,14 +4,6 @@ stdenv.mkDerivation rec {
  name = "arm-trusted-firmware-rpi5";
  version = "20240316";

-  # src = fetchFromGitHub {
-  #   owner = "worproject";
-  #   repo = "rpi5-uefi";
-  #   rev = "c1ca184c608dca75a346cc56b8eaf42648d83e86";
-  #   fetchSubmodules = true;
-  #   hash = "sha256-mGMqgJXsEFq79aHes8HUGcKrfbGjeAHTA/xzbq5qURs=";
-  # };
-
  src = fetchFromGitHub {
    owner = "worproject";
    repo = "arm-trusted-firmware";
@ -24,6 +16,7 @@ stdenv.mkDerivation rec {

  makeFlags = [
    "HOSTCC=$(CC_FOR_BUILD)"
+    "AS=$(CC_FOR_BUILD)"
    "CROSS_COMPILE=${stdenv.cc.targetPrefix}"
    # binutils 2.39 regression
    # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions`
@ -37,7 +30,7 @@ stdenv.mkDerivation rec {
    "SMC_PCI_SUPPORT=1"
  ];

-  filesToInstall = [ "build/rpi5/release" ];
+  filesToInstall = [ "build/rpi5/release/*" ];

  installPhase = ''
    runHook preInstall
--- a/pkgs/rpi5-edk2-tools.nix
+++ b/pkgs/rpi5-edk2-tools.nix
@ -0,0 +1,59 @@
+{ lib, stdenv, fetchFromGitHub, openssl
+, buildPackages, runCommand, clangStdenv, fetchpatch, libuuid
+, python3 }:
+
+let
+  srcWithVendoring = fetchFromGitHub {
+    owner = "worproject";
+    repo = "rpi5-uefi";
+    rev = "c1ca184c608dca75a346cc56b8eaf42648d83e86";
+    fetchSubmodules = true;
+    hash = "sha256-mGMqgJXsEFq79aHes8HUGcKrfbGjeAHTA/xzbq5qURs=";
+  };
+  pythonEnv = buildPackages.python3.withPackages (ps: [ ps.tkinter ]);
+in stdenv.mkDerivation {
+  name = "rpi5-edk2-tools";
+  version = "20240316";
+
+  # We don't want EDK2 to keep track of OpenSSL,
+  # they're frankly bad at it.
+  src = runCommand "edk2-unvendored-src" { } ''
+    cp --no-preserve=mode -r ${srcWithVendoring} $out
+    rm -rf $out/edk2/CryptoPkg/Library/OpensslLib/openssl
+    mkdir -p $out/edk2/CryptoPkg/Library/OpensslLib/openssl
+    tar --strip-components=1 -xf ${buildPackages.openssl.src} -C $out/edk2/CryptoPkg/Library/OpensslLib/openssl
+    chmod -R +w $out/
+
+    # Fix missing INT64_MAX include that edk2 explicitly does not provide
+    # via it's own <stdint.h>. Let's pull in openssl's definition instead:
+    sed -i $out/edk2/CryptoPkg/Library/OpensslLib/openssl/crypto/property/property_parse.c \
+        -e '1i #include "internal/numbers.h"'
+  '';
+
+  nativeBuildInputs = [ pythonEnv ];
+  depsBuildBuild = [ buildPackages.stdenv.cc buildPackages.bash ];
+  depsHostHost = [ libuuid ];
+  strictDeps = true;
+
+  # trick taken from https://src.fedoraproject.org/rpms/edk2/blob/08f2354cd280b4ce5a7888aa85cf520e042955c3/f/edk2.spec#_319
+  GCC5_AARCH64_PREFIX = stdenv.cc.targetPrefix;
+
+  makeFlags = [ "-C edk2/BaseTools" ];
+
+  env.NIX_CFLAGS_COMPILE = "-Wno-return-type"
+    + lib.optionalString stdenv.cc.isGNU " -Wno-error=stringop-truncation"
+    + lib.optionalString stdenv.isDarwin " -Wno-error=macro-redefined";
+
+  hardeningDisable = [ "format" "fortify" ];
+
+  installPhase = ''
+    mkdir -vp $out
+    mv -v edk2/BaseTools $out
+    mv -v edk2/edksetup.sh $out
+    # patchShebangs fails to see these when cross compiling
+    for i in $out/BaseTools/BinWrappers/PosixLike/*; do
+      substituteInPlace $i --replace '/usr/bin/env bash' ${buildPackages.bash}/bin/bash
+      chmod +x "$i"
+    done
+  '';
+}
--- a/pkgs/rpi5-uefi.nix
+++ b/pkgs/rpi5-uefi.nix
@ -1,4 +1,49 @@
-{ lib, stdenv, fetchFromGitHub, fetchFromGitLab, openssl, pkgsCross
-, buildPackages }:
+{ lib, stdenv, openssl, pkgsCross
+, buildPackages, runCommand, rpi5-arm-tf, rpi5-edk2-tools, libuuid
+, python3, bc }:

-stdenv.mkDerivation { }
+let
+  pythonEnv = buildPackages.python3.withPackages (ps: [ps.tkinter]);
+in stdenv.mkDerivation {
+  name = "rpi5-arm-uefi";
+  
+  inherit (rpi5-edk2-tools) src version;
+
+  nativeBuildInputs = [ bc pythonEnv ];
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  strictDeps = true;
+
+  # trick taken from https://src.fedoraproject.org/rpms/edk2/blob/08f2354cd280b4ce5a7888aa85cf520e042955c3/f/edk2.spec#_319
+  GCC5_AARCH64_PREFIX = stdenv.cc.targetPrefix;
+
+  prePatch = ''
+    rm -rf BaseTools
+    ln -sv ${rpi5-edk2-tools}/BaseTools BaseTools
+  '';
+
+  configurePhase = ''
+    runHook preConfigure
+    export WORKSPACE="$PWD"
+    . ${rpi5-edk2-tools}/edksetup.sh BaseTools
+    runHook postConfigure
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+    build -a AARCH64 \
+      -b RELEASE \
+      -t GCC \
+      -p edk2-platforms/Platform/RaspberryPi/RPi5/RPi5.dsc \
+      -D TFA_BUILD_ARTIFACTS=${rpi5-arm-tf} \
+      --pcd gEfiMdeModulePkgTokenSpaceGuid.PcdFirmwareVersionString=L"${rpi5-edk2-tools.version}" \
+      -n $NIX_BUILD_CORES $buildFlags
+    
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mv -v Build/*/* $out
+    runHook postInstall
+  '';
+}