@@ -258,6 +258,7 @@ qemuarm64-secureboot:
parallel:
matrix:
- TOOLCHAINS: [gcc, clang]
+ FIRMWARE: [u-boot, edk2]
TCLIBC: [glibc, musl]
TS: [none, qemuarm64-secureboot-ts]
TESTING: testimage
@@ -13,5 +13,5 @@ local_conf_header:
EXTRA_IMAGEDEPENDS += "edk2-firmware"
EFI_PROVIDER ?= "grub-efi"
- QB_DEFAULT_BIOS = "QEMU_EFI.fd"
+ QB_DEFAULT_BIOS ??= "QEMU_EFI.fd"
WKS_FILE ?= "efi-disk.wks.in"
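Review bot: `QB_DEFAULT_BIOS ??= "QEMU_EFI.fd"` now loses to any other assignment of the variable, so it changes which firmware image runqemu boots for every machine built with this file, not only qemuarm64-secureboot. That looks intended, so that a machine configuration can keep its own boot image, but the reason is not recorded. A comment above the line such as `# Weak default: a machine that sets its own QB_DEFAULT_BIOS keeps it` would make the precedence explicit. The local_conf_header block begins outside this hunk.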
new file mode 100644
@@ -0,0 +1,19 @@
+COMPATIBLE_MACHINE = "qemuarm-secureboot"
+
+TFA_PLATFORM = "qemu"
+
+# EDK2 dropped support for 32bit Arm, so u-boot only
+TFA_UBOOT = "1"
+TFA_INSTALL_TARGET = "flash.bin"
+
+do_compile:append() {
+ # Create a secure flash image for booting AArch64 Qemu. See:
+ # https://trustedfirmware-a.readthedocs.io/en/latest/plat/qemu.html
+ dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
+ dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
+}
+
+do_deploy:append(){
+ # runqemu requires flash.bin to be in the deploy directory
+ ln -srn ${DEPLOYDIR}/${PN}/flash.bin ${DEPLOYDIR}/flash.bin
+}
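Review bot: Both `dd` calls in do_compile:append write with `conv=notrunc` into a flash.bin that is never removed first, so if do_compile re-runs in an existing build directory, bytes from an earlier, larger bl1.bin or fip.bin can survive in the secure flash image. Starting the append with `rm -f ${BUILD_DIR}/flash.bin` keeps the image a function of the current inputs only. Nothing checks that bl1.bin fits below the fip offset (seek=64 at bs=4096 is 262144 bytes), so the tail of an oversized BL1 would be silently overwritten; a guard such as `[ $(stat -c %s ${BUILD_DIR}/bl1.bin) -le 262144 ] || bbfatal "bl1.bin overlaps fip.bin"` would fail the build instead. Both points apply equally to the identical do_compile:append in trusted-firmware-a-qemuarm64-secureboot.inc. The comment also still says "AArch64 Qemu" although this include is for the 32-bit qemuarm-secureboot machine.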
new file mode 100644
@@ -0,0 +1,36 @@
+COMPATIBLE_MACHINE = "qemuarm64-secureboot"
+
+# Enable passing TOS_FW_CONFIG from FIP package to Trusted OS.
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+SRC_URI:append = " file://0001-Add-spmc_manifest-for-qemu.patch"
+
+TFA_PLATFORM = "qemu"
+
+# Trusted Services secure partitions require arm-ffa machine feature.
+# Enabling Secure-EL1 Payload Dispatcher (SPD) in this case
+TFA_SPD = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'spmd', 'opteed', d)}"
+# Configure tf-a accordingly to TS requirements if included
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', ' CTX_INCLUDE_EL2_REGS=0 SPMC_OPTEE=1 ', '' , d)}"
+# Cortex-A57 supports Armv8.0 (no S-EL2 execution state).
+# The SPD SPMC component should run at the S-EL1 execution state.
+TFA_SPMD_SPM_AT_SEL2 = "0"
+
+TFA_UBOOT ?= "1"
+
+TFA_INSTALL_TARGET = "flash.bin"
+
+# When using OP-TEE SPMC specify the SPMC manifest file.
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', \
+ 'QEMU_TOS_FW_CONFIG_DTS=${S}/plat/qemu/fdts/optee_spmc_manifest.dts', '', d)}"
+
+do_compile:append() {
+ # Create a secure flash image for booting AArch64 Qemu. See:
+ # https://trustedfirmware-a.readthedocs.io/en/latest/plat/qemu.html
+ dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
+ dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
+}
+
+do_deploy:append(){
+ # runqemu requires flash.bin to be in the deploy directory
+ ln -srn ${DEPLOYDIR}/${PN}/flash.bin ${DEPLOYDIR}/flash.bin
+}
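Review bot: `TFA_UBOOT ?= "1"` is the only firmware-dependent setting in this include, and nothing in the visible hunks sets it differently for the edk2 CI variant. From this file alone it is therefore unclear which non-secure payload ends up in fip.bin when FIRMWARE is edk2. A comment on that line, for example `# Default to U-Boot as BL33; firmware-specific configuration may override this weak default`, would make the boot chain easier to audit. If the override lives in a file outside this patch, naming that file in the comment would be better still.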
@@ -1,32 +1,14 @@
-COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64-secureboot"
-COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm-secureboot"
+# Machine specific TFAs
-# Enable passing TOS_FW_CONFIG from FIP package to Trusted OS.
-FILESEXTRAPATHS:prepend:qemuarm64-secureboot := "${THISDIR}/files:"
-SRC_URI:append:qemuarm64-secureboot = " \
- file://0001-Add-spmc_manifest-for-qemu.patch \
- "
+QEMU_TFA_REQUIRE ?= ""
+QEMU_TFA_REQUIRE:qemuarm-secureboot = "trusted-firmware-a-qemuarm-secureboot.inc"
+QEMU_TFA_REQUIRE:qemuarm64-secureboot = "trusted-firmware-a-qemuarm64-secureboot.inc"
-TFA_PLATFORM:qemuarm64-secureboot = "qemu"
-TFA_PLATFORM:qemuarm-secureboot = "qemu"
+require ${QEMU_TFA_REQUIRE}
-# Trusted Services secure partitions require arm-ffa machine feature.
-# Enabling Secure-EL1 Payload Dispatcher (SPD) in this case
-TFA_SPD:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'spmd', 'opteed', d)}"
-# Configure tf-a accordingly to TS requirements if included
-EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', ' CTX_INCLUDE_EL2_REGS=0 SPMC_OPTEE=1 ', '' , d)}"
-# Cortex-A57 supports Armv8.0 (no S-EL2 execution state).
-# The SPD SPMC component should run at the S-EL1 execution state.
-TFA_SPMD_SPM_AT_SEL2:qemuarm64-secureboot = "0"
-
-TFA_UBOOT:qemuarm64-secureboot = "1"
-TFA_UBOOT:qemuarm-secureboot = "1"
TFA_BUILD_TARGET:aarch64:qemuall = "all fip"
TFA_BUILD_TARGET:arm:qemuall = "all fip"
-TFA_INSTALL_TARGET:qemuarm64-secureboot = "flash.bin"
-TFA_INSTALL_TARGET:qemuarm-secureboot = "flash.bin"
-
DEPENDS:append:aarch64:qemuall = " optee-os"
DEPENDS:append:arm:qemuall = " optee-os"
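Review bot: `require ${QEMU_TFA_REQUIRE}` is evaluated for every machine this bbappend applies to, and for all but the two secureboot machines the variable expands to its empty default. The line therefore depends on an empty `require` being accepted as a no-op, which the comment should say. The added `# Machine specific TFAs` could become `# Machine-specific TF-A settings; QEMU_TFA_REQUIRE stays empty (nothing included) for other machines`.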
@@ -46,30 +28,3 @@ EXTRA_OEMAKE:append:arm:qemuall = " \
BL32_RAM_LOCATION=tdram \
AARCH32_SP=optee \
"
-# When using OP-TEE SPMC specify the SPMC manifest file.
-EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', \
- 'QEMU_TOS_FW_CONFIG_DTS=${S}/plat/qemu/fdts/optee_spmc_manifest.dts', '', d)}"
-
-do_compile:append:qemuarm64-secureboot() {
- # Create a secure flash image for booting AArch64 Qemu. See:
- # https://trustedfirmware-a.readthedocs.io/en/latest/plat/qemu.html
- dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
- dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
-}
-
-do_compile:append:qemuarm-secureboot() {
- # Create a secure flash image for booting AArch64 Qemu. See:
- # https://trustedfirmware-a.readthedocs.io/en/latest/plat/qemu.html
- dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
- dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
-}
-
-do_deploy:append:qemuarm64-secureboot(){
- # runqemu requires flash.bin to be in the deploy directory
- ln -srn ${DEPLOYDIR}/${PN}/flash.bin ${DEPLOYDIR}/flash.bin
-}
-
-do_deploy:append:qemuarm-secureboot(){
- # runqemu requires flash.bin to be in the deploy directory
- ln -srn ${DEPLOYDIR}/${PN}/flash.bin ${DEPLOYDIR}/flash.bin
-}
@@ -5,6 +5,12 @@ EDK2_BIN_NAME:qemuarm64 = "QEMU_EFI.fd"
# No need for PXE booting in qemu, disable to reduce unnecessary noise
EDK2_EXTRA_BUILD:qemuarm64 += " -D NETWORK_PXE_BOOT_ENABLE=FALSE "
+COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64-secureboot"
+EDK2_PLATFORM:qemuarm64-secureboot = "ArmVirtQemuKernel-AArch64"
+EDK2_PLATFORM_DSC:qemuarm64-secureboot = "ArmVirtPkg/ArmVirtQemuKernel.dsc"
+EDK2_BIN_NAME:qemuarm64-secureboot = "QEMU_EFI.fd"
+#EDK2_BUILD_RELEASE:qemuarm64-secureboot = "0"
+
do_install:append:qemuarm64() {
install ${B}/Build/${EDK2_PLATFORM}/${EDK2_BUILD_MODE}_${EDK_COMPILER}/FV/${EDK2_BIN_NAME} ${D}/firmware/
}
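Review bot: The commented-out `#EDK2_BUILD_RELEASE:qemuarm64-secureboot = "0"` is added without explanation; either drop it or replace it with a comment saying when a debug build of the firmware is wanted. The new block also selects the `ArmVirtQemuKernel-AArch64` platform without saying why. If the reason is that EDK2 is started by TF-A rather than run directly from flash, a one-line comment such as `# EDK2 runs as the payload loaded by TF-A, hence the ArmVirtQemuKernel build` would record it, assuming that is indeed the reason.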
Do the changes necessary to get qemuarm64-secureboot to work with edk2 firmware, and add it to CI. The CI changes needed to make it dynamic based on edk2.yml or u-boot.yml required moving the relevant parts into inc files. Signed-off-by: Jon Mason <jon.mason@arm.com> --- .gitlab-ci.yml | 1 + ci/edk2.yml | 2 +- .../trusted-firmware-a-qemuarm-secureboot.inc | 19 +++++++ ...rusted-firmware-a-qemuarm64-secureboot.inc | 36 ++++++++++++ .../trusted-firmware-a_%.bbappend | 55 ++----------------- .../recipes-bsp/uefi/edk2-firmware_%.bbappend | 6 ++ 6 files changed, 68 insertions(+), 51 deletions(-) create mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemuarm-secureboot.inc create mode 100644 meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemuarm64-secureboot.inc