diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 048366bd..a93a0f1e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -258,6 +258,7 @@ qemuarm64-secureboot: parallel: matrix: - TOOLCHAINS: [gcc, clang] + FIRMWARE: [u-boot, edk2] TCLIBC: [glibc, musl] TS: [none, qemuarm64-secureboot-ts] TESTING: testimage diff --git a/ci/edk2.yml b/ci/edk2.yml index cf2f5851..e14c16e1 100644 --- a/ci/edk2.yml +++ b/ci/edk2.yml @@ -13,5 +13,5 @@ local_conf_header: EXTRA_IMAGEDEPENDS += "edk2-firmware" EFI_PROVIDER ?= "grub-efi" - QB_DEFAULT_BIOS = "QEMU_EFI.fd" + QB_DEFAULT_BIOS ??= "QEMU_EFI.fd" WKS_FILE ?= "efi-disk.wks.in" diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemuarm-secureboot.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemuarm-secureboot.inc new file mode 100644 index 00000000..6227d188 --- /dev/null +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemuarm-secureboot.inc @@ -0,0 +1,19 @@ +COMPATIBLE_MACHINE = "qemuarm-secureboot" + +TFA_PLATFORM = "qemu" + +# EDK2 dropped support for 32bit Arm, so u-boot only +TFA_UBOOT = "1" +TFA_INSTALL_TARGET = "flash.bin" + +do_compile:append() { + # Create a secure flash image for booting AArch64 Qemu. See: + # https://trustedfirmware-a.readthedocs.io/en/latest/plat/qemu.html + dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc + dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc +} + +do_deploy:append(){ + # runqemu requires flash.bin to be in the deploy directory + ln -srn ${DEPLOYDIR}/${PN}/flash.bin ${DEPLOYDIR}/flash.bin +} diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemuarm64-secureboot.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemuarm64-secureboot.inc new file mode 100644 index 00000000..9bfe52c5 --- /dev/null +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a-qemuarm64-secureboot.inc 
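Review bot: Nothing visible in this change makes the new `FIRMWARE: edk2` matrix leg actually boot EDK2 on qemuarm64-secureboot. With `QB_DEFAULT_BIOS ??= "QEMU_EFI.fd"` a machine-level value now takes precedence, so runqemu presumably keeps loading the TF-A flash image, and the qemuarm64 include in this same commit still defaults `TFA_UBOOT ?= "1"`. If the part of ci/edk2.yml outside this hunk does not override that, the edk2 job would pass while still exercising U-Boot as the non-secure payload. A comment next to the `??=` line saying which setting selects the BL33 payload for secure-boot machines would make the intent checkable.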
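Review bot: `do_compile:append()` in the new qemuarm-secureboot include writes `flash.bin` with `conv=notrunc` but never removes an existing file, so a re-run of do_compile in the same `${BUILD_DIR}` can leave bytes from an earlier, larger `fip.bin` after the new one. Nothing checks that `bl1.bin` fits in the 64 × 4096-byte window before the FIP either, so an oversized BL1 would be silently overwritten. Adding `rm -f ${BUILD_DIR}/flash.bin` as the first line of the append makes the image deterministic. The identical block in trusted-firmware-a-qemuarm64-secureboot.inc needs the same change. The comment here also still says `booting AArch64 Qemu` although this include is for the 32-bit machine.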
@@ -0,0 +1,36 @@
+COMPATIBLE_MACHINE = "qemuarm64-secureboot"
+
+# Enable passing TOS_FW_CONFIG from FIP package to Trusted OS.
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+SRC_URI:append = " file://0001-Add-spmc_manifest-for-qemu.patch"
+
+TFA_PLATFORM = "qemu"
+
+# Trusted Services secure partitions require arm-ffa machine feature.
+# Enabling Secure-EL1 Payload Dispatcher (SPD) in this case
+TFA_SPD = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'spmd', 'opteed', d)}"
+# Configure tf-a accordingly to TS requirements if included
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', ' CTX_INCLUDE_EL2_REGS=0 SPMC_OPTEE=1 ', '' , d)}"
+# Cortex-A57 supports Armv8.0 (no S-EL2 execution state).
+# The SPD SPMC component should run at the S-EL1 execution state.
+TFA_SPMD_SPM_AT_SEL2 = "0"
+
+TFA_UBOOT ?= "1"
+
+TFA_INSTALL_TARGET = "flash.bin"
+
+# When using OP-TEE SPMC specify the SPMC manifest file.
+EXTRA_OEMAKE:append = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', \
+ 'QEMU_TOS_FW_CONFIG_DTS=${S}/plat/qemu/fdts/optee_spmc_manifest.dts', '', d)}"
+
+do_compile:append() {
+ # Create a secure flash image for booting AArch64 Qemu. See:
+ # https://trustedfirmware-a.readthedocs.io/en/latest/plat/qemu.html
+ dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
+ dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
+}
+
+do_deploy:append(){
+ # runqemu requires flash.bin to be in the deploy directory
+ ln -srn ${DEPLOYDIR}/${PN}/flash.bin ${DEPLOYDIR}/flash.bin
+}
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
index 679f6f22..a230a0c7 100644
--- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
+++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend
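Review bot: The second `EXTRA_OEMAKE:append` builds its value as `'QEMU_TOS_FW_CONFIG_DTS=${S}/plat/qemu/fdts/optee_spmc_manifest.dts'` with no leading space, and `:append` does not insert one. It only stays a separate make argument because the earlier append happens to end in `SPMC_OPTEE=1 ` with a trailing space. Any other append landing between the two would glue the manifest path onto the preceding token, and the SPMC manifest setting would be lost without an error. Start the string with a space, `' QEMU_TOS_FW_CONFIG_DTS=${S}/plat/qemu/fdts/optee_spmc_manifest.dts'`, so it does not depend on its neighbour.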
@@ -1,32 +1,14 @@ -COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64-secureboot" -COMPATIBLE_MACHINE:qemuarm-secureboot = "qemuarm-secureboot" +# Machine specific TFAs -# Enable passing TOS_FW_CONFIG from FIP package to Trusted OS. -FILESEXTRAPATHS:prepend:qemuarm64-secureboot := "${THISDIR}/files:" -SRC_URI:append:qemuarm64-secureboot = " \ - file://0001-Add-spmc_manifest-for-qemu.patch \ - " +QEMU_TFA_REQUIRE ?= "" +QEMU_TFA_REQUIRE:qemuarm-secureboot = "trusted-firmware-a-qemuarm-secureboot.inc" +QEMU_TFA_REQUIRE:qemuarm64-secureboot = "trusted-firmware-a-qemuarm64-secureboot.inc" -TFA_PLATFORM:qemuarm64-secureboot = "qemu" -TFA_PLATFORM:qemuarm-secureboot = "qemu" +require ${QEMU_TFA_REQUIRE} -# Trusted Services secure partitions require arm-ffa machine feature. -# Enabling Secure-EL1 Payload Dispatcher (SPD) in this case -TFA_SPD:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'spmd', 'opteed', d)}" -# Configure tf-a accordingly to TS requirements if included -EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', ' CTX_INCLUDE_EL2_REGS=0 SPMC_OPTEE=1 ', '' , d)}" -# Cortex-A57 supports Armv8.0 (no S-EL2 execution state). -# The SPD SPMC component should run at the S-EL1 execution state. -TFA_SPMD_SPM_AT_SEL2:qemuarm64-secureboot = "0" - -TFA_UBOOT:qemuarm64-secureboot = "1" -TFA_UBOOT:qemuarm-secureboot = "1" TFA_BUILD_TARGET:aarch64:qemuall = "all fip" TFA_BUILD_TARGET:arm:qemuall = "all fip" -TFA_INSTALL_TARGET:qemuarm64-secureboot = "flash.bin" -TFA_INSTALL_TARGET:qemuarm-secureboot = "flash.bin" - DEPENDS:append:aarch64:qemuall = " optee-os" DEPENDS:append:arm:qemuall = " optee-os" 
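Review bot: The new `# Machine specific TFAs` comment does not say how the include is selected, which matters now that `COMPATIBLE_MACHINE`, `TFA_SPD` and the flash image steps all live in the required files. I would expand it to something like `# Per-machine TF-A settings live in the .inc named by QEMU_TFA_REQUIRE; it stays empty for other machines so the require loads nothing.` The empty-value behaviour is my reading of how BitBake expands a `require` argument and should be confirmed against the BitBake version this layer targets.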
@@ -46,30 +28,3 @@ EXTRA_OEMAKE:append:arm:qemuall = " \
 BL32_RAM_LOCATION=tdram \
 AARCH32_SP=optee \
 "
-# When using OP-TEE SPMC specify the SPMC manifest file.
-EXTRA_OEMAKE:append:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', \
- 'QEMU_TOS_FW_CONFIG_DTS=${S}/plat/qemu/fdts/optee_spmc_manifest.dts', '', d)}"
-
-do_compile:append:qemuarm64-secureboot() {
- # Create a secure flash image for booting AArch64 Qemu. See:
- # https://trustedfirmware-a.readthedocs.io/en/latest/plat/qemu.html
- dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
- dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
-}
-
-do_compile:append:qemuarm-secureboot() {
- # Create a secure flash image for booting AArch64 Qemu. See:
- # https://trustedfirmware-a.readthedocs.io/en/latest/plat/qemu.html
- dd if=${BUILD_DIR}/bl1.bin of=${BUILD_DIR}/flash.bin bs=4096 conv=notrunc
- dd if=${BUILD_DIR}/fip.bin of=${BUILD_DIR}/flash.bin seek=64 bs=4096 conv=notrunc
-}
-
-do_deploy:append:qemuarm64-secureboot(){
- # runqemu requires flash.bin to be in the deploy directory
- ln -srn ${DEPLOYDIR}/${PN}/flash.bin ${DEPLOYDIR}/flash.bin
-}
-
-do_deploy:append:qemuarm-secureboot(){
- # runqemu requires flash.bin to be in the deploy directory
- ln -srn ${DEPLOYDIR}/${PN}/flash.bin ${DEPLOYDIR}/flash.bin
-}
diff --git a/meta-arm/recipes-bsp/uefi/edk2-firmware_%.bbappend b/meta-arm/recipes-bsp/uefi/edk2-firmware_%.bbappend
index 06313624..9f75e0a9 100644
--- a/meta-arm/recipes-bsp/uefi/edk2-firmware_%.bbappend
+++ b/meta-arm/recipes-bsp/uefi/edk2-firmware_%.bbappend
@@ -5,6 +5,12 @@ EDK2_BIN_NAME:qemuarm64 = "QEMU_EFI.fd" # No need for PXE booting in qemu, disable to reduce unnecessary noise EDK2_EXTRA_BUILD:qemuarm64 += " -D NETWORK_PXE_BOOT_ENABLE=FALSE " +COMPATIBLE_MACHINE:qemuarm64-secureboot = "qemuarm64-secureboot" +EDK2_PLATFORM:qemuarm64-secureboot = "ArmVirtQemuKernel-AArch64" +EDK2_PLATFORM_DSC:qemuarm64-secureboot = "ArmVirtPkg/ArmVirtQemuKernel.dsc" +EDK2_BIN_NAME:qemuarm64-secureboot = "QEMU_EFI.fd" +#EDK2_BUILD_RELEASE:qemuarm64-secureboot = "0" + do_install:append:qemuarm64() { install ${B}/Build/${EDK2_PLATFORM}/${EDK2_BUILD_MODE}_${EDK_COMPILER}/FV/${EDK2_BIN_NAME} ${D}/firmware/ }
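Review bot: `#EDK2_BUILD_RELEASE:qemuarm64-secureboot = "0"` is added commented out with no explanation, so a reader cannot tell which EDK2 build mode the secure-boot image is meant to use or why the line is kept. Either drop it or replace it with a comment that states the intent, for example `# Uncomment to build the secure-boot firmware in non-release mode` (presumably what "0" selects; confirm against the edk2-firmware recipe). The unchanged `do_install:append:qemuarm64()` below is scoped to the qemuarm64 override. Whether it also runs for qemuarm64-secureboot depends on that machine's overrides, which this diff does not show.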