1
0
mirror of https://git.yoctoproject.org/meta-arm synced 2026-07-17 16:17:09 +00:00

Compare commits

..

22 Commits

Author SHA1 Message Date
Andrew Jeffery 0d4c09cf00 arm/trusted-services: ts-sp-fw: Replace v2.7.0 tag with commit ID
Do so for the usual reason of avoiding network access during recipe
parsing. Occasionally parsing will stall for me as it seems connectivity
to trustedfirmware.org can be flaky.

Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-15 15:49:05 +01:00
Ross Burton 5425d269c1 CI: use canonical git.yoctoproject.org URLs
The canonical repository URLs don't use /git/.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-04-04 13:55:43 -04:00
Ross Burton 97284c1c3e arm/fvp-base-a-aem: update SRC_URI
developer.arm.com has a reorganisation and whilst most paths have a
redirect in place, the older FVP binaries did not.  Update the URL for
this FVP to the new canonical URLs.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 10:14:07 -04:00
Ross Burton 9c548d16e0 arm-system-ready/arm-systemready-ir-acs: add version to download filename
The download filename wasn't versioned so multiple versions would write
to the same file on disk and conflict, causing repeated downloads and
fetch failures.

Add the PV to the filename on disk to resolve this.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-03-26 10:14:02 -04:00
Musa Antike e56a0cd6fe kas: Include unattended Debian test
Add unattended installation yml to Debian  target

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 11:37:39 -05:00
Musa Antike 61bfbf1601 arm-systemready/oeqa: Add unattended installation testcase
Add test for Debian unattended installation verification

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-29 11:37:32 -05:00
Musa Antike 32c4bca3ae arm-systemready/linux-distros: Implement unattended Debian
- Implement unattended installation for Debian
- Upgrade Debian version to 12.8.0

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-15 10:00:18 -05:00
Musa Antike 6d58916259 arm-systemready/linux-distros: Move openSUSE unattended conf to SRC_URI
- Replace THISDIR with UNPACKDIR by adding unattended conf to SRC_URI

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-15 10:00:18 -05:00
Musa Antike dfc0187c36 arm-systemready/linux-distros: Move Fedora unattended conf to SRC_URI
- Replace THISDIR with UNPACKDIR by adding unattended conf to SRC_URI

Signed-off-by: Musa Antike <musa.antike@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2025-01-15 10:00:18 -05:00
Peter Hoyes 0ef5fd9682 arm/lib: Relax "Listening for serial connection" regex
Newer versions of the FVP now contain a full log entry for the
"Listening for serial connection on port" regex of the form:

INFO: FVP_NAME: terminal_uart: Listening for serial connection...

Relax the regex to support this new logging format and change from
re.match to re.search as the regex may not appear at the start of the
line.

This change is backwards-compatible with older versions of the FVP.

Signed-off-by: Peter Hoyes <peter.hoyes@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-18 06:00:16 -05:00
Hugues KAMBA MPIANA 18bc3f9389 kas: corstone-1000: Pin Yocto layer dependencies for CORSTONE1000-2024.11 release
The SHA of the dependent community layers are set to
the tested SHA from the `styhead` branch of each layer.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-05 12:00:12 -05:00
Hugues KAMBA MPIANA 2d601b02b7 kas: corstone-1000: Update the SHA of the Yocto layer dependencies for the CORSTONE1000-2024.11 release.
The SHA of the dependent community layers are commented out and set to
the tested SHA from the `styhead` branch of each layer.

The set SHAs are to be uncommented in the `styhead` branch which is
to be used to create the `CORSTONE1000-2024.11` tag.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-05 12:00:12 -05:00
Hugues KAMBA MPIANA 4c490d2c2b arm-bsp/documentation: corstone1000: Amend documentation for CORSTONE1000-2024.11 release
* Fix typographical error in documentation.
* Add missing instructions.
* Create paragraphs where necessary to improve readability.
* Change `note` box to `important` box

* Remove verification of arm_tstee driver presence:
arm-tstee driver has been integrated in Linux v6.10.14 which is
the one used in the software stack. It is built as part of Linux and
is no longer a loadable module.
The steps to verify the driver presence are no longer applicable.

* Standardise naming of the target platform:
Consistently use the name `Corstone-1000` to refer to the target platform.

* Update Debian OS version from 12.4 to 12.7
Debian version 12.4 has a bug in Shim 15.7.
This bug causes a fatal error when attempting to boot media installer
for Debian,and resets the platform before installation starts.
A patch to skip the Shim was applied to Corstone-1000 to avoid
the error.
Debian version 12.7 no longer has the bug in the Shim thus making
the usage of the patch redundant.
Bump Debian installer to version 12.7 and remove usage of the patch
for the Debian installation test.

* Replace xterm with tmux:
Update the user guide to specify tmux instead of xterm.
Using tmux as opposed to xterm provides a better user experience
when running the commands listed on the user guide.

* Use ACS image for FVP SystemReady test:
Due to fixed timeout values in the meta-arm-systemready the ACS time
test do not complete successfully.
Instead, specify commands to use the pre-built ACS image.

* List Trusted Services as a host component:
Add Trusted Services to the list of components used on the Host processor
of the Corstone-1000. The various BitBake recipes and append files used to
build Trusted Services are listed for the component.

* Update release version to CORSTONE1000-2024.11:
All references to the version of the Corstone-1000 software reference
stack have been updated from CORSTONE1000-2024.06 to CORSTONE1000-2024.11.
Add to the changelog the 2024.11 release information.
Add the 2024.11 release notes.

Signed-off-by: Hugues KAMBA MPIANA <hugues.kambampiana@arm.com>
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-05 12:00:12 -05:00
Bence Balogh d824ee371a arm-bsp/trusted-firmware-m: corstone1000: Fix Secure Debug connection due to token version mismatch
Due to a mismatch between the ADAC dummy token major version and the version
in the secure-debug-manager repository [1]'s submodule [2], the secure debug connection was denied.
Update the ADAC token major and minor versions in TF-M to align with the expected
dummy token.

[1] https://github.com/ARM-software/secure-debug-manager/
[2] https://git.trustedfirmware.org/plugins/gitiles/shared/psa-adac.git/+/refs/heads/master/psa-adac/core/include/psa_adac.h

Fixes: 7e9466 ("arm-bsp/trusted-firmware-m: corstone1000: add Secure Debug")
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-12-02 06:00:12 -05:00
Jon Mason acafe7c89f CI: remove branch name
The meta-arm styhead branch should be using the styhead branches of
meta-clang, meta-virtualization, and meta-secure-core.  Remove the
master branch specific line to allow for these to be used.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-18 10:34:03 -05:00
Ziad Elhanafy 2a624d2239 arm-systemready/linux-distros: Follow WORKDIR -> UNPACKDIR transition
This adapts to the oe-core rework to enforce a separate directory
for unpacking local sources (UNPACKDIR) instead of polluting WORKDIR
directly.

Follows the guidelines from:
https://lists.openembedded.org/g/openembedded-architecture/message/2007

Signed-off-by: Ziad Elhanafy <ziad.elhanafy@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-11-06 10:08:08 -05:00
Ben 52b2ad14a8 kas: Include unattended openSUSE test
Add unattended installation class to openSUSE target

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-16 07:00:15 -04:00
Ben a987c321b7 arm-systemready/oeqa: Add unattended installation testcase
Add test for openSUSE unattended installation

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-16 07:00:15 -04:00
Ben b2f0014a48 arm-systemready/linux-distros: Implement unattended openSUSE
Implement unattended installation for openSUSE

Signed-off-by: Ben Cownley <ben.cownley@arm.com>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-16 07:00:15 -04:00
Jon Mason ca9375b72d CI: Rework qemuarm64-secureboot matrix
qemuarm64-secureboot is using systemd for uefi-secureboot, which has
warnings with musl (and fails to compile with clang and musl).  So,
modify the matrix to keep the coverage of everything else but musl.

Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:17:58 -04:00
Javier Tia 691d479ce4 arm/qemuarm64-secureboot: Enable UEFI Secure Boot
Encapsulate all UEFI Secure Boot required settings in one Kas
configuration file.

Introduce SBSIGN_KEYS_DIR variable where UEFI keys will be generated
to sign UEFI binaries. 

Introduce uefi-secureboot machine feature, which is being used to
conditionally set the proper UEFI settings in recipes.

Replace Grub bootloader with systemd-boot, which it makes easier to
enable Secure Boot.

Advantages using systemd as Init Manager:

- Extending secure boot to userspace is a lot easier with systemd than
with sysvinit where custom scripts will need to be written for all use
cases.

- systemd supports dm-verity and TPM devices for encryption usecases out
of the box. Enabling them is a lot easier than writing custom scripts
for sysvinit.

- systemd also supports EUFI signing the UKI binaries which merge kernel,
command line and initrd which helps in bringing secure boot towards
rootfs.

- systemd offers a modular structure with unit files that are more
predictable and easier to manage than the complex and varied scripts
used by SysVinit. This modularity allows for better control and
customization of the boot process, which is beneficial in Secure Boot
environments.

- Add CI settings to build and test UEFI Secure Boot.

Add one test to verify Secure Boot using OE Testing infraestructure:

$ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml
...
RESULTS - uefi_secureboot.UEFI_SB_TestSuite.test_uefi_secureboot: PASSED (0.62s)
...
SUMMARY:
core-image-base () - Ran 73 tests in 28.281s
core-image-base - OK - All required tests passed (successes=19, skipped=54, failures=0, errors=0)

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> [yml file include fix]
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:17:44 -04:00
Javier Tia 67a28fc298 arm: Enable Secure Boot in all required recipes
In the target, Secure Boot starts from the firmware (u-boot), adds the
signing keys, and verifies the bootloader (systemd-boot) and kernel
(Linux).

sbsign bbclass is used to sign the binaries. sbsign is the name of the
tool used to sign these binaries. Hence the name of this class to sbsign
and variables with SBSIGN prefix.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Jon Mason <jon.mason@arm.com>
2024-10-07 10:17:44 -04:00
183 changed files with 2665 additions and 2026 deletions
+17 -33
View File
@@ -10,7 +10,7 @@ variables:
# The default machine tag for the build jobs
DEFAULT_TAG: ""
# The machine tag for the ACS test jobs
ACS_TAG: "$DEFAULT_TAG"
ACS_TAG: ""
# The directory to use as the persistent cache (the root for DL_DIR, SSTATE_DIR, etc)
CACHE_DIR: $CI_BUILDS_DIR/persist
# The container mirror to use
@@ -33,11 +33,9 @@ stages:
stage: build
interruptible: true
variables:
KUBERNETES_CPU_REQUEST: $CPU_REQUEST
KAS_WORK_DIR: $CI_PROJECT_DIR/work
KAS_BUILD_DIR: $KAS_WORK_DIR/build
# Set this in the environment to enable local repository caches
KAS_REPO_REF_DIR: ""
KAS_REPO_REF_DIR: $CACHE_DIR/repos
SSTATE_DIR: $CACHE_DIR/sstate
DL_DIR: $CACHE_DIR/downloads
BB_LOGCONFIG: $CI_PROJECT_DIR/ci/logging.yml
@@ -45,12 +43,19 @@ stages:
IMAGE_DIR: $KAS_BUILD_DIR/tmp/deploy/images
TOOLCHAIN_LINK_DIR: $KAS_BUILD_DIR/toolchains
before_script:
- echo KAS_WORK_DIR = $KAS_WORK_DIR
- echo SSTATE_DIR = $SSTATE_DIR
- echo DL_DIR = $DL_DIR
- rm -rf $KAS_WORK_DIR
- mkdir --verbose --parents $KAS_WORK_DIR $KAS_REPO_REF_DIR $SSTATE_DIR $DL_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
# Must do this here, as it's the only way to make sure the toolchain is installed on the same builder
- ./ci/get-binary-toolchains $DL_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
# Generalised fragment to do a Kas build
.build:
extends: .setup
variables:
KUBERNETES_CPU_REQUEST: $CPU_REQUEST
rules:
# Don't run MR pipelines
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
@@ -94,18 +99,7 @@ update-repos:
exit_codes: 128
script:
- |
exit_code=0
# Dump the environment for reference
printenv
# Update the reference repositories if needed
if [ -n "$KAS_REPO_REF_DIR" ]; then
flock --verbose --timeout 60 $KAS_REPO_REF_DIR --command ./ci/update-repos || exit_code=$?
# Exit now if that failed, unless the status was 128 (fetch failed)
test $exit_code != 0 -a $exit_code != 128 && exit 1
fi
flock --verbose --timeout 60 $KAS_REPO_REF_DIR ./ci/update-repos
# Only generate if doesn't already exist, to allow feature branches to drop one in.
if test -f lockfile.yml; then
echo Using existing lockfile.yml
@@ -113,26 +107,24 @@ update-repos:
# Be sure that this is the complete list of layers being fetched
kas dump --lock --update ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/clang.yml:ci/meta-virtualization.yml | tee lockfile.yml
fi
exit $exit_code
artifacts:
name: "lockfile"
when: always
paths:
- lockfile.yml
#
# Build stage, the actual build jobs
#
# Available options for building are (VIRT _must_ be last for ssh override)
# Available options for building are
# DISTRO: [poky, poky-altcfg, poky-tiny]
# KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
# TOOLCHAINS: [gcc, clang]
# TOOLCHAINS: [gcc, clang, external-gccarm]
# TCLIBC: [glibc, musl]
# FIRMWARE: [u-boot, edk2]
# TS: [none, trusted-services]
# VIRT: [none, xen]
# TESTING: testimage
# SECUREDEBUG: [none, secure-debug]
# VIRT: [none, xen]
arm-systemready-ir-acs:
extends: .build
@@ -252,11 +244,6 @@ musca-s1:
pending-updates:
extends: .setup
# Only run this job for the default branch (master), or if forced with
# BUILD_FORCE_PENDING_UPDATES.
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $BUILD_FORCE_PENDING_UPDATES != null
artifacts:
paths:
- update-report
@@ -265,6 +252,9 @@ pending-updates:
# This configuration has all of the layers we need enabled
- kas shell --update --force-checkout ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/meta-secure-core.yml:lockfile.yml --command \
"$CI_PROJECT_DIR/scripts/machine-summary.py -t report -o $CI_PROJECT_DIR/update-report $($CI_PROJECT_DIR/ci/listmachines.py meta-arm meta-arm-bsp)"
# Do this on x86 whilst the compilers are x86-only
tags:
- x86_64
qemuarm64-secureboot:
extends: .build
@@ -305,7 +295,7 @@ qemuarm-secureboot:
TOOLCHAINS: [gcc, clang]
TCLIBC: [glibc, musl]
TESTING: testimage
- DISTRO: [poky, poky-altcfg]
- TOOLCHAINS: external-gccarm
TESTING: testimage
- KERNEL: linux-yocto-dev
TESTING: testimage
@@ -355,12 +345,6 @@ selftest:
sgi575:
extends: .build
parallel:
matrix:
- TESTING: testimage
# FVP binary is x86-only
tags:
- x86_64
toolchains:
extends: .build
+1 -1
View File
@@ -7,7 +7,7 @@ distro: poky
defaults:
repos:
branch: walnascar
branch: styhead
repos:
meta-arm:
+2 -2
View File
@@ -5,5 +5,5 @@ header:
# Add universally helpful features when testing boards
local_conf_header:
rootlogin: |
EXTRA_IMAGE_FEATURES:append = " allow-empty-password empty-root-password allow-root-login"
debug: |
EXTRA_IMAGE_FEATURES:append = " debug-tweaks"
+13
View File
@@ -0,0 +1,13 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/siemens/kas/master/kas/schema-kas.json
header:
version: 14
local_conf_header:
cc: |
SKIP_RECIPE[gcc-cross-arm] = "Using external toolchain"
TCMODE = "external-arm"
EXTERNAL_TOOLCHAIN = "${TOPDIR}/toolchains/${TARGET_ARCH}"
# Disable ptest as this pulls target compilers, which don't
# work with external toolchain currently
DISTRO_FEATURES:remove = "ptest"
+1 -6
View File
@@ -19,13 +19,8 @@ target:
# Target packages to test aarch64
- fvp-base-a-aem
- fvp-corstone1000
- fvp-rd1-ae
- fvp-v3-r1
# Nativesdk to test x86-64
- nativesdk-fvp-base-a-aem
- nativesdk-fvp-corstone1000
- nativesdk-fvp-rd1-ae
- nativesdk-fvp-v3-r1
# These are x86 only... :(
- nativesdk-fvp-n1-edge
- nativesdk-fvp-sgi575
- nativesdk-fvp-tc3
+51
View File
@@ -0,0 +1,51 @@
#!/bin/bash
set -u -e
BASENAME=arm-gnu-toolchain
VER=${VER:-13.3.rel1}
HOST_ARCH=${HOST_ARCH:-$(uname -m)}
# Use the standard kas container locations if nothing is passed into the script
DOWNLOAD_DIR="${1:-/builds/persist/downloads/}"
TOOLCHAIN_DIR="${2:-/builds/persist//toolchains/}"
TOOLCHAIN_LINK_DIR="${3:-build/toolchains/}"
# These should be already created by .gitlab-ci.yml, but do here if run outside of that env
mkdir -p $DOWNLOAD_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
download() {
TRIPLE=$1
URL=https://developer.arm.com/-/media/Files/downloads/gnu/$VER/binrel/$BASENAME-$VER-$HOST_ARCH-$TRIPLE.tar.xz
wget -P $DOWNLOAD_DIR -nc $URL
}
if [ $HOST_ARCH = "aarch64" ]; then
# AArch64 Linux hosted cross compilers
# AArch32 target with hard float
download arm-none-linux-gnueabihf
elif [ $HOST_ARCH = "x86_64" ]; then
# x86_64 Linux hosted cross compilers
# AArch32 target with hard float
download arm-none-linux-gnueabihf
# AArch64 GNU/Linux target
download aarch64-none-linux-gnu
else
echo "ERROR - Unknown build arch of $HOST_ARCH"
exit 1
fi
for i in arm aarch64; do
if [ ! -d $TOOLCHAIN_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu*/ ]; then
if [ ! -f $DOWNLOAD_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu*.tar.xz ]; then
continue
fi
tar -C $TOOLCHAIN_DIR -axvf $DOWNLOAD_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu*.tar.xz
fi
# Setup a link for the toolchain to use local to the building machine (e.g., not in a shared location)
ln -s $TOOLCHAIN_DIR/$BASENAME-$VER-$HOST_ARCH-$i-none-linux-gnu* $TOOLCHAIN_LINK_DIR/$i
done
-6
View File
@@ -4,11 +4,5 @@ header:
version: 14
includes:
- ci/base.yml
- ci/fvp.yml
local_conf_header:
sshpregen: |
# Allow the use of the pregen keys as this is CI so safe
COMPATIBLE_MACHINE:pn-ssh-pregen-hostkeys:sgi575 = "sgi575"
machine: sgi575
+4 -18
View File
@@ -23,29 +23,15 @@ local_conf_header:
WKS_FILE = "efi-disk.wks.in"
KERNEL_IMAGETYPE = "Image"
MACHINE_FEATURES:append = " efi uefi-secureboot uefi-http-boot uefi-capsule-updates"
MACHINE_FEATURES:append = " efi uefi-secureboot"
EFI_PROVIDER = "systemd-boot"
# Use systemd as the init system
INIT_MANAGER = "systemd"
DISTRO_FEATURES:append = " systemd"
DISTRO_FEATURES_NATIVE:append = " systemd"
IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils"
TEST_SUITES:append = " uefi_secureboot uki"
IMAGE_CLASSES += "uki"
IMAGE_CLASSES += "sbsign"
UKI_SB_KEY = "${SBSIGN_KEY}"
UKI_SB_CERT = "${SBSIGN_CERT}"
QB_KERNEL_ROOT = ""
IMAGE_BOOT_FILES:remove = "Image"
INITRAMFS_IMAGE = "core-image-initramfs-boot"
# not for initramfs image recipe
IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "uki"
IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "sbsign"
IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "testimage"
IMAGE_FEATURES:remove:pn-core-image-initramfs-boot = "ssh-server-dropbear"
CORE_IMAGE_EXTRA_INSTALL:remove:pn-core-image-initramfs-boot = "ssh-pregen-hostkeys"
TEST_SUITES:append = " uefi_secureboot"
+1 -1
View File
@@ -44,7 +44,7 @@ if __name__ == "__main__":
if repodir.exists():
try:
print("Updating %s..." % repo)
subprocess.run(["git", "-C", repodir, "-c", "gc.autoDetach=false", "fetch", repo], check=True)
subprocess.run(["git", "-C", repodir, "-c", "gc.autoDetach=false", "fetch"], check=True)
except subprocess.CalledProcessError as e:
print(e)
failed = True
-3
View File
@@ -4,13 +4,10 @@ header:
version: 14
includes:
- ci/meta-virtualization.yml
- ci/poky-altcfg.yml
local_conf_header:
meta-virt: |
DISTRO_FEATURES:append = " virtualization xen"
sshd: |
IMAGE_FEATURES:append = " ssh-server-openssh"
target:
- xen-image-minimal
+4 -4
View File
@@ -5,7 +5,7 @@ distro: poky
defaults:
repos:
branch: walnascar
branch: styhead
repos:
meta-arm:
@@ -16,14 +16,14 @@ repos:
poky:
url: https://git.yoctoproject.org/git/poky
commit: ee0d8d8a61d8e22a3dd00c32cde58ee6e8ec458f
commit: 5465094be9a61a1639e1dab6d2b4ebea2bee7440
layers:
meta:
meta-poky:
meta-openembedded:
url: https://git.openembedded.org/meta-openembedded
commit: 2169c9afcc0945045bea49f58011080942d4ddb4
commit: 461d85a1831318747af5abe86da193bcde3fd9b4
layers:
meta-oe:
meta-python:
@@ -31,7 +31,7 @@ repos:
meta-secure-core:
url: https://github.com/wind-river/meta-secure-core.git
commit: 423bc85b050594cc42fe3f2e0d0229960e70b94e
commit: 59d7e90542947c342098863b9998693ac79352b0
layers:
meta-secure-core-common:
meta-signing-key:
+1 -3
View File
@@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "meta-arm-bsp"
BBFILE_PATTERN_meta-arm-bsp = "^${LAYERDIR}/"
BBFILE_PRIORITY_meta-arm-bsp = "5"
LAYERSERIES_COMPAT_meta-arm-bsp = "styhead walnascar"
LAYERSERIES_COMPAT_meta-arm-bsp = "styhead"
LAYERDEPENDS_meta-arm-bsp = "core meta-arm"
# This won't be used by layerindex-fetch, but works everywhere else
@@ -28,5 +28,3 @@ BBFILES_DYNAMIC += " \
WARN_QA:append:layer-meta-arm-bsp = " patch-status"
addpylib ${LAYERDIR}/lib oeqa
IMAGE_ROOTFS_EXTRA_ARGS ?= ""
+4 -4
View File
@@ -4,7 +4,7 @@
#@NAME: Armv8-A Base Platform FVP machine
#@DESCRIPTION: Machine configuration for Armv8-A Base Platform FVP model
require conf/machine/include/arm/arch-armv8-5a.inc
require conf/machine/include/arm/arch-armv8-4a.inc
ARM_SYSTEMREADY_FIRMWARE = "trusted-firmware-a:do_deploy"
ARM_SYSTEMREADY_ACS_CONSOLE = "default"
@@ -57,9 +57,9 @@ FVP_CONFIG[cluster1.stage12_tlb_size] ?= "1024"
FVP_CONFIG[bp.secureflashloader.fname] ?= "bl1-fvp.bin"
FVP_CONFIG[bp.flashloader0.fname] ?= "fip-fvp.bin"
FVP_CONFIG[bp.virtioblockdevice.image_path] ?= "${IMAGE_NAME}.wic"
# Set the baseline to ARMv8.5, as the default is 8.0.
FVP_CONFIG[cluster0.has_arm_v8-5] = "1"
FVP_CONFIG[cluster1.has_arm_v8-5] = "1"
# Set the baseline to ARMv8.4, as the default is 8.0.
FVP_CONFIG[cluster0.has_arm_v8-4] = "1"
FVP_CONFIG[cluster1.has_arm_v8-4] = "1"
FVP_CONSOLES[default] = "terminal_0"
FVP_TERMINALS[bp.terminal_0] ?= "Console"
FVP_TERMINALS[bp.terminal_1] ?= ""
@@ -14,8 +14,7 @@ TFA_BL2_BINARY = "bl2-corstone1000.bin"
TFA_FIP_BINARY = "fip-corstone1000.bin"
# optee
PREFERRED_VERSION_optee-os ?= "4.4.%"
PREFERRED_VERSION_optee-client ?= "4.4.%"
PREFERRED_VERSION_optee-os ?= "4.2.%"
# Trusted Services
TS_PLATFORM = "arm/corstone1000"
@@ -35,7 +34,7 @@ IMAGE_CMD:wic[vardeps] += "GRUB_LINUX_APPEND"
# Linux kernel
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
PREFERRED_VERSION_linux-yocto ?= "6.12.%"
PREFERRED_VERSION_linux-yocto ?= "6.10.%"
KERNEL_IMAGETYPE = "Image"
KERNEL_IMAGETYPE:firmware = "Image.gz"
# add FF-A support in the kernel
@@ -64,6 +63,3 @@ ARM_SYSTEMREADY_FIRMWARE = "${FIRMWARE_DEPLOYMENT}:do_deploy \
corstone1000-esp-image:do_image_complete \
"
ARM_SYSTEMREADY_ACS_CONSOLE ?= "default"
# Workaround IMAGE_ROOTFS_EXTRA_SPACE being ignored when images are repacked
IMAGE_ROOTFS_EXTRA_ARGS += "--extra-space ${@${IMAGE_ROOTFS_EXTRA_SPACE}}K"
-4
View File
@@ -26,10 +26,6 @@ EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boo
SERIAL_CONSOLES ?= "115200;ttyAMA0 115200;hvc0"
EXTRA_IMAGEDEPENDS += "edk2-firmware"
# FIXME - Currently seeing a kernel warning for the CPU topology when bumping
# the version past this. The issue is being tracked in
# https://github.com/tianocore/edk2-platforms/issues/752
PREFERRED_VERSION_edk2-firmware ?= "202408%"
QB_SYSTEM_NAME = "qemu-system-aarch64"
QB_MACHINE = "-machine sbsa-ref"
+4 -42
View File
@@ -7,56 +7,18 @@
require conf/machine/include/arm/armv8-2a/tune-cortexa75.inc
EXTRA_IMAGEDEPENDS += "virtual/control-processor-firmware"
EXTRA_IMAGEDEPENDS += "trusted-firmware-a"
KERNEL_IMAGETYPE ?= "Image"
PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
SERIAL_CONSOLES = "115200;ttyAMA0"
EFI_PROVIDER ?= "${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd-boot", "grub-efi", d)}"
#grub-efi
EFI_PROVIDER ?= "grub-efi"
MACHINE_FEATURES += "efi"
IMAGE_FSTYPES += "cpio.gz wic"
IMAGE_NAME_SUFFIX = ""
IMAGE_CLASSES += "fvpboot"
WKS_FILE ?= "efi-disk.wks.in"
WKS_FILE ?= "sgi575-efidisk.wks"
WKS_FILE_DEPENDS:append = " ${EXTRA_IMAGEDEPENDS}"
# testimage config
TEST_TARGET = "OEFVPTarget"
#TEST_TARGET_IP = "127.0.0.1:222"
TEST_SUITES = "fvp_boot"
# FVP Config
FVP_PROVIDER ?= "fvp-sgi575-native"
FVP_EXE ?= "FVP_CSS_SGI-575"
# Virtio-Net configuration
FVP_CONFIG[board.virtio_net.enabled] ?= "1"
FVP_CONFIG[board.virtio_net.hostbridge.userNetworking] ?= "1"
FVP_CONFIG[board.virtio_net.hostbridge.userNetPorts] = "2222=22"
FVP_CONFIG[board.virtioblockdevice.image_path] ?= "${IMAGE_NAME}.wic"
#FVP_CONFIG[cache_state_modelled] ?= "0"
FVP_CONFIG[css.cmn600.mesh_config_file] = "SGI-575_cmn600.yml"
FVP_CONFIG[css.cmn600.force_rnsam_internal] ?= "false"
FVP_CONFIG[css.gic_distributor.ITS-device-bits] ?= "20"
FVP_DATA ?= "css.scp.armcortexm7ct=scp_ramfw.bin@0x0BD80000"
FVP_CONFIG[css.mcp.ROMloader.fname] ?= "mcp_romfw.bin"
FVP_CONFIG[css.scp.ROMloader.fname] ?= "scp_romfw.bin"
FVP_CONFIG[css.trustedBootROMloader.fname] ?= "bl1-sgi575.bin"
FVP_CONFIG[board.flashloader0.fname] ?= "fip-sgi575.bin"
FVP_CONSOLES[default] = "terminal_uart_ap"
FVP_TERMINALS[css.scp.terminal_uart_aon] ?= "SCP Console"
FVP_TERMINALS[css.mcp.terminal_uart0] ?= ""
FVP_TERMINALS[css.mcp.terminal_uart1] ?= ""
FVP_TERMINALS[css.terminal_uart_ap] ?= "Console"
FVP_TERMINALS[css.terminal_uart1_ap] ?= ""
FVP_TERMINALS[soc.terminal_s0] ?= ""
FVP_TERMINALS[soc.terminal_s1] ?= ""
FVP_TERMINALS[soc.terminal_mcp] ?= ""
FVP_TERMINALS[board.terminal_0] ?= ""
FVP_TERMINALS[board.terminal_1] ?= ""
@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2025, Arm Limited.
# Copyright (c) 2022-2024, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -10,70 +10,6 @@ Change Log
This document contains a summary of the new features, changes and
fixes in each release of Corstone-1000 software stack.
***************
Version 2025.05
***************
Changes
=======
- OP-TEE OS: Added support for v4.4
- Trusted Services: PSA-Crypto structures aligned with TF-M, added protobuf interface to crypto-sp
- Documentation: fixed typos, added host-level authentication section, enabled fly-out sidebar menu
- Das U-Boot: Reserved memory for RSS communication-pointer access protocol
- Linux Kernel: Upgraded kernel to v6.12, updated Upstream-Status notes for remoteproc patches
- Corstone-1000 image: Implemented IMAGE_ROOTFS_EXTRA_SPACE workaround
Corstone-1000 components versions
=================================
+-------------------------------------------+-------------------+
| linux-yocto | 6.12.30 |
+-------------------------------------------+-------------------+
| u-boot | 2023.07.02 |
+-------------------------------------------+-------------------+
| external-system | 0.1.0 |
+-------------------------------------------+-------------------+
| optee-client | 4.4.0 |
+-------------------------------------------+-------------------+
| optee-os | 4.4.0 |
+-------------------------------------------+-------------------+
| trusted-firmware-a | 2.11.0 |
+-------------------------------------------+-------------------+
| trusted-firmware-m | 2.1.1 |
+-------------------------------------------+-------------------+
| libts | 602be60719 |
+-------------------------------------------+-------------------+
| ts-newlib | 4.1.0 |
+-------------------------------------------+-------------------+
| ts-psa-{crypto, iat, its. ps}-api-test | 74dc6646ff |
+-------------------------------------------+-------------------+
| ts-sp-{se-proxy, smm-gateway} | 602be60719 |
+-------------------------------------------+-------------------+
Yocto distribution components versions
======================================
+-------------------------------------------+----------------+
| meta-arm | walnascar |
+-------------------------------------------+----------------+
| poky | ee0d8d8a61 |
+-------------------------------------------+----------------+
| meta-openembedded | 2169c9afcc |
+-------------------------------------------+----------------+
| meta-secure-core | 423bc85b05 |
+-------------------------------------------+----------------+
| busybox | 1.37.0 |
+-------------------------------------------+----------------+
| musl | 1.2.5 |
+-------------------------------------------+----------------+
| gcc-arm-none-eabi | 13.3.rel1 |
+-------------------------------------------+----------------+
| gcc-cross-aarch64 | 14.2.0 |
+-------------------------------------------+----------------+
| openssl | 3.4.1 |
+-------------------------------------------+----------------+
***************
Version 2024.11
@@ -1,8 +1,3 @@
# SPDX-FileCopyrightText: <text>Copyright 2020-2024 Arm Limited and/or its
# affiliates <open-source-office@arm.com></text>
#
# SPDX-License-Identifier: MIT
# Configuration file for the Sphinx documentation builder.
#
# This file only contains a selection of the most common options. For a full
@@ -55,9 +50,6 @@ exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store', 'docs/infra']
# a list of builtin themes.
#
html_theme = 'sphinx_rtd_theme'
html_theme_options = {
'flyout_display': 'attached',
}
# Define the canonical URL if you are using a custom domain on Read the Docs
html_baseurl = os.environ.get("READTHEDOCS_CANONICAL_URL", "")
Binary file not shown.

Before

Width:  |  Height:  |  Size: 43 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 44 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 58 KiB

After

Width:  |  Height:  |  Size: 63 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2025, Arm Limited.
# Copyright (c) 2022-2024, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -19,22 +19,6 @@ intended for safety-critical applications. Should Your Software or Your Hardware
prove defective, you assume the entire cost of all necessary servicing, repair
or correction.
***********************
Release notes - 2025.05
***********************
Known Issues or Limitations
---------------------------
- Crypto isolation is not supported in the Secure world of Corstone-1000. Additionally, clients in
the Normal world are not isolated from one another.Therefore, if an end user wants to add a new
Secure Partition (SP) (such as a software TPM) that accesses the Crypto service via the SE-Proxy,
they are responsible for implementing their own isolation mechanisms to ensure proper security boundaries.
- DSTREAM debug probe may experience unreliable USB connectivity when used with Arm DS for secure debug.
This issue is under active investigation, and we are working to identify and resolve compatibility issues in a future update.
As a more stable alternative, the ULINKpro debug probe is recommended for use with Corstone-1000 in secure debug scenarios.
***********************
Release notes - 2024.11
***********************
@@ -60,16 +44,6 @@ Platform Support
- This software release is tested on Corstone-1000 Fast Model platform (FVP) version 11.23_25
https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
SystemReady IR v2.0 Certification Milestone
-------------------------------------------
As of this release, Corstone-1000 has achieved `SystemReady IR v2.0 certification <https://www.arm.com/architecture/system-architectures/systemready-certification-program/ve>`__.
This milestone confirms compliance with the SystemReady IR requirements, ensuring broader compatibility and reliability for deployment.
Applied patch `313ad2a0e600 <https://git.yoctoproject.org/meta-arm/commit/?h=scarthgap&id=313ad2a0e600655d9bfbe53646e356372ff02644>`__ to address compatibility requirements for SystemReady IR v2.0.
This update is included in tag `CORSTONE1000-2024.06-systemready-ir-v2.0 <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.06-systemready-ir-v2.0>`__ and builds on the `CORSTONE1000-2024.06` release.
***********************
Release notes - 2023.11
***********************
@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2025, Arm Limited.
# Copyright (c) 2022-2024, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -16,266 +16,137 @@ Arm Corstone-1000 is a reference solution for IoT devices. It is part of
Total Solution for IoT which consists of hardware and software reference
implementation.
The combination of Corstone-1000 software and hardware reference solution is `PSA Level-2 ready
certified <psa_l2-ready_>`__ as well as `Arm SystemReady Devicetree certified <systemready-ir-certification_>`__.
Corstone-1000 software plus hardware reference solution is PSA Level-2 ready
certified (`PSA L2 Ready`_) as well as System Ready IR certified(`SRIR cert`_).
More information on the Corstone-1000 subsystem product and design can be
found at:
`Arm Corstone-1000 Software`_ and `Arm Corstone-1000 Technical Overview`_.
More information on the Corstone-1000 subsystems product and design can be
found on `Arm Developer <arm-developer-cs1000-website_>`__.
This document explicitly focuses on the software part of the solution and
This readme explicitly focuses on the software part of the solution and
provides internal details on the software components. The reference
software package of the platform can be retrieved following instructions
present in the user guide document.
present in the user-guide document.
***************
Design Overview
***************
The software architecture of Corstone-1000 platform is a reference
implementation of `Platform Security Architecture <psa-certified-website_>`__ which provides
implementation of Platform Security Architecture (`PSA`_) which provides
framework to build secure IoT devices.
The base system architecture of the platform is created from three different types of subsystems:
- Secure Enclave
- Host System
- External System
Each subsystem provides different functionality to the overall system on a chip (SoC).
The base system architecture of the platform is created from three
different types of systems: Secure Enclave, Host and External System.
Each subsystem provides different functionality to overall SoC.
.. image:: images/CorstoneSubsystems.png
:width: 720
:alt: CorstoneSubsystems
Secure Enclave
==============
The Secure Enclave boots first on system power on, it provides `PSA Root of Trust (RoT) <psa-certified-website_>`__ and
cryptographic functions. It is based on a Cortex-M0+ processor, CC312 Cryptographic Accelerator and
peripherals such as watchdog and secure flash.
.. image:: images/Corstone1000SecureFlashMPS3.png
:width: 400
:alt: Corstone1000SecureFlashMPS3
.. image:: images/Corstone1000SecureFlashFVP.png
:width: 400
:alt: Corstone1000SecureFlashFVP
Software running on the Secure Enclave is isolated via hardware for enhanced security.
Communication with the Secure Enclave is achieved using `Message Handling Units (MHUs) <arm-developer-mhu-website_>`__
and shared memory.
Its software components comprises:
- `Trusted Firmware-M (TF-M) BL1 <trusted-firmware-m-bl1-website_>`__
- `MCUboot <mcuboot-website_>`__
- `TrustedFirmware-M <trusted-firmware-m-website_>`__
The software design on the Secure Enclave follows `Arm Firmware Framework for M-Profile
processor <arm-fmw-framework-m-profile-pdf_>`__ (FF-M) specification.
Host System
===========
The Secure Enclave System, provides PSA Root of Trust (RoT) and
cryptographic functions. It is based on an Cortex-M0+ processor,
CC312 Cryptographic Accelerator and peripherals, such as watchdog and
secure flash. Software running on the Secure Enclave is isolated via
hardware for enhanced security. Communication with the Secure Encalve
is achieved using Message Handling Units (MHUs) and shared memory.
On system power on, the Secure Enclave boots first. Its software
comprises of a ROM code (TF-M BL1), MCUboot BL2, and
TrustedFirmware-M(`TF-M`_) as runtime software. The software design on
Secure Enclave follows Firmware Framework for M class
processor (`FF-M`_) specification.
The Host System is based on ARM Cortex-A35 processor with standardized
peripherals to allow booting a Linux-based operating system (OS). The Cortex-A35 has
the `TrustZone <arm-trustzone-for-cortex-a-website_>`__ technology that allows Secure and Non-secure security
states in the processor.
peripherals to allow for the booting of a Linux OS. The Cortex-A35 has
the TrustZone technology that allows secure and non-secure security
states in the processor. The software design in the Host System follows
Firmware Framework for A class processor (`FF-A`_) specification.
The boot process follows Trusted Boot Base Requirement (`TBBR`_).
The Host Subsystem is taken out of reset by the Secure Enclave system
during its final stages of the initialization. The Host subsystem runs
FF-A Secure Partitions(based on `Trusted Services`_) and OPTEE-OS
(`OPTEE-OS`_) in the secure world, and U-Boot(`U-Boot repo`_) and
linux (`linux repo`_) in the non-secure world. The communication between
non-secure and the secure world is performed via FF-A messages.
The boot process follows `Trusted Boot Base Requirements Client <trusted-board-boot-requirements-client-pdf_>`__.
The Host System is taken out of reset by the Secure Enclave system during its final stages of the
initialization.
An external system is intended to implement use-case specific functionality.
The system is based on Cortex-M3 and run RTX RTOS. Communication between the
external system and Host (Cortex-A35) can be performed using MHU as transport
mechanism. The current software release supports switching on and off the
external system. Support for OpenAMP-based communication is under
development.
In the Secure world, the Host System runs:
- FF-A Secure Partitions (based on `Trusted Services <trusted-services-website_>`__)
- `OP-TEE OS <op-tee-os-repository_>`__
In the Non-secure World, the Host System runs:
- `U-Boot <das-u-boot-repository_>`__
- `Linux kernel <linux-repository_>`__
The software design in the Host System follows `Arm Firmware Framework for Arm A-profile
<arm-fmw-framework-a-profile-pdf_>`__ (FF-A) specification.
The communication between Non-secure and the Secure world is performed via FF-A messages.
External System
===============
The External System is intended to implement use-case specific functionality.
The system is based on Cortex-M3 and runs `Keil RTX5 <keil-rtx5-website_>`__.
Communication between the external system and Host (Cortex-A35) can be performed using MHU as transport
mechanism. The current software release supports switching the External System ON and OFF.
The Corstone-1000 architecture is designed to cover a range of
`Power, Performance, and Area (PPA) <ppa-website_>`__ applications, and enable extension
for use-case specific applications, for example, sensors, cloud connectivity, and edge computing.
Overall, the Corstone-1000 architecture is designed to cover a range
of Power, Performance, and Area (PPA) applications, and enable extension
for use-case specific applications, for example, sensors, cloud
connectivitiy, and edge computing.
*****************
Secure Boot Chain
*****************
For the security of a device, it is essential that only authorized
software should run on the device.
The Corstone-1000 boot uses a `Secure boot <arm-developer-secureboot-website_>`__ chain process
where an already authenticated image verifies and loads the following software in the chain.
For the boot chain process to work, the start of the chain should be trusted, forming the
software should run on the device. The Corstone-1000 boot uses a
Secure Boot Chain process where an already authenticated image verifies
and loads the following software in the chain. For the boot chain
process to work, the start of the chain should be trusted, forming the
Root of Trust (RoT) of the device. The RoT of the device is immutable in
nature and encoded into the device by the device manufacturer before it
is deployed into the field.
In Corstone-1000, the content of the ROM and CC312 One Time Programmable (OTP) memory forms the RoT.
nature and encoded into the device by the device owner before it
is deployed into the field. In Corstone-1000, the content of the ROM
and CC312 OTP (One Time Programmable) memory forms the RoT.
Verification of an image can happen either by comparing the computed and stored hashes, or by
checking the signature of the image if the image is signed.
Verification of an image can happen either by comparing the computed and
stored hashes, or by checking the signature of the image if the image
is signed.
.. image:: images/SecureBootChain.png
:width: 870
:alt: SecureBootChain
It is a lengthy chain to boot the software on Corstone-1000.
It is a lengthy chain to boot the software on Corstone-1000. On power on,
the Secure Enclave starts executing BL1_1 code from the ROM which is the RoT
of the device. The BL1_1 is the immutable bootloader of the system, it handles
the provisioning on the first boot, hardware initialization and verification
of the next stage.
TF-M BL1_1
==========
The BL1_2 code, hashes and keys are written into the OTP during the provisioning.
The next bootstage is the BL1_2 which is copied from the OTP into the RAM. The
BL1_1 also compares the BL1_2 hash with the hash saved to the OTP. The BL1_2
verifies and transfers control to the next bootstage which is the BL2. During the
verification, the BL1_2 compares the BL2 image's computed hash with the BL2 hash in
the OTP. The BL2 is MCUBoot in the system. BL2 can provision additional keys on the
first boot and it authenticates the initial bootloader of the host (Host TF-A BL2)
and TF-M by checking the signatures of the images.
The MCUBoot handles the image verification the following way:
On power-up, the Secure Enclave begins execution from TF-M BL1_1, which resides in ROM and serves as
the Root of Trust (RoT) for the device.
TF-M BL1_1 is the immutable bootloader and is responsible for:
- Provisioning the device during the first boot
- Performing hardware initialization
- Verifying the integrity and authenticity of the next stage in the boot chain
At boot time, TF-M BL1_1:
- Copies the TF-M BL1_2 image from OTP to RAM.
- Verifies the integrity of BL1_2 by comparing its computed hash with the hash stored in OTP.
TF-M BL1_2
==========
During provisioning, the TF-M BL1_2 binary, along with its hashes and cryptographic keys, is stored
in One-Time Programmable (OTP) memory.
Once verified, TF-M BL1_2:
- Takes control and verifies the next stage in the boot chain, which is TF-M BL2.
- Computes the hash of the BL2 image and compares it with the BL2 hash stored in OTP to ensure
integrity before transferring execution to BL2.
.. note::
The TF-M BL1 design details can be found in the `TF-M design documents <trusted-firmware-m-bl1-website_>`_.
.. important::
Corstone-1000 has some differences compared to this design due to memory (OTP/ROM)
limitations:
- BL1_1 code size is larger than needed because it handles most of the hardware initialization instead of the BL1_2.
- BL1_2 cannot be updated during provisioning time because the provisioning bundle that contains its code is located in the ROM.
- BL1_2 does not use the post-quantum LMS verification.
- BL2 cannot be updated because it is verified by comparing the computed hash to the hash stored in the OTP.
TF-M BL2
========
In this system, TF-M BL2 refers to MCUBoot.
On the first boot, MCUBoot can provision additional cryptographic keys. It is responsible for authenticating both:
- TF-M (Trusted Firmware-M), and
- The initial bootloader of the Host system, `Trusted Firmware-A (TF-A) BL2 <trusted-firmware-a-bl2-website_>`__
This authentication is done by verifying the digital signatures of the respective images.
MCUBoot performs image verification in the following steps:
#. Load the image from non-volatile memory into RAM.
#. Validate the image's signature using the corresponding public key.
.. note::
The public key present in the image header is validated by comparing with the hash.
Depending on the image, the hash of the public key is either stored in the OTP or part
of the software which is being already verified in the previous stages.
- Load image from a non-volatile memory to dynamic RAM.
- The public key present in the image header is validated by comparing with the hash.
Depending on the image, the hash of the public key is either stored in the OTP or part
of the software which is being already verified in the previous stages.
- The image is validated using the public key.
The execution control is passed to TF-M after the verification.
As the runtime executable of the Secure Enclave, TF-M initializes itself before
bringing the Host system out of reset.
The execution control is passed to TF-M after the verification. TF-M being
the runtime executable of the Secure Enclave which initializes itself and, at the end,
brings the host CPU out of rest.
The TF-M BL1 design details and reasoning can be found in the `TF-M design documents
<https://tf-m-user-guide.trustedfirmware.org/design_docs/booting/bl1.html>`_.
The Corstone-1000 has some differences compared to this design due to memory (OTP/ROM)
limitations:
Host System Authentication
==========================
- The provisioning bundle that contains the BL1_2 code is located in the ROM.
This means the BL1_2 cannot be updated during provisioning time.
- The BL1_1 handles most of the hardware initialization instead of the BL1_2. This
results in a bigger BL1_1 code size than needed.
- The BL1_2 does not use the post-quantum LMS verification. The BL2 is verified by
comparing the computed hash to the hash which is stored in the OTP. This means the
BL2 is not updatable.
The Host system follows the boot standard defined in the `Trusted Board Boot Requirements Client <trusted-board-boot-requirements-client-pdf_>`__
to authenticate the Secure and Non-secure software.
The `Firmware Image Package (FIP) <trusted-firmware-a-fip-guide_>`__ packs bootloader images and
other payloads into a single archive.
.. image:: images/FIPDiagram.png
:alt: FIPDiagram
The FIP for Corstone-1000 contains:
- Trusted firmware-A BL2
- AP EL3 Runtime firmware, BL31 image
- AP Secure Payload, BL32 image
- AP Normal world firmware -U-boot, BL33 image
- Trusted OS Firmware configuration file used by Trusted OS (BL32), TOS_FW_CONFIG
- Key certificates
- Content certificates
To load and validate TF-A BL2, TF-M BL2 first parses the GUID Partition Table (GPT)
to locate the FIP. It then determines the offset of TF-A BL2 within the FIP.
.. note::
TF-M does not check the FIP signature, it only checks the TF-A BL2's signature in the FIP.
.. important::
The implicitly trusted components are:
- A SHA-256 hash of the Root of Trust Public Key (ROTPK) -
For development purposes, a development ROTPK is used and its hash embedded into the TF-A BL2 image.
This public key is provided by the TF-A source code.
- TF-A BL2 image - it can be trusted because it has been verified by TF-M BL2 before starting TF-A.
The remaining components in the Chain of Trust (CoT) are either certificates or bootloader images.
Bootloader Authentication
-------------------------
The FIP contains two types of certificates:
- **Content Certificates** - used to store the hash of a bootloader image.
- **Key Certificates** - used to verify public keys used to sign Content Certificates.
The Host system bootloader images are authenticated by computing their hash and comparing it to the corresponding hash found in the Content Certificate.
Certificates Verification
-------------------------
The public keys defined in the Trusted Key Certificate are used to verify the later certificates in
the CoT process. The Trusted Key Certificate is verified with the Root of Trust Public Key.
UEFI Authenticated Variables
----------------------------
The host follows the boot standard defined in the `TBBR`_ to authenticate the
secure and non-secure software.
For UEFI Secure Boot, authenticated variables can be accessed from the secure flash.
The feature has been integrated in U-Boot, which authenticates the images as per the UEFI
@@ -285,74 +156,82 @@ specification before executing them.
Secure Services
***************
Corstone-1000 is unique in offering a secure environment for running trusted workloads.
While the Host system includes TrustZone technology, the platform also features a hardware-isolated
Secure Enclave, specifically designed to execute these secure workloads.
In Corstone-1000, essential Secure Services—such as Cryptography, Protected Storage,
Internal Trusted Storage, and Attestation—are provided through PSA Functional APIs implemented in TF-M.
From the user's perspective, there is no difference when communicating with these services,
whether they run in the Secure Enclave or in the Secure world of the Host system.
The diagram below illustrates the data flow for such calls.
Corstone-1000 is unique in providing a secure environment to run a secure
workload. The platform has TrustZone technology in the Host subsystem but
it also has hardware isolated Secure Enclave environment to run such secure
workloads. In Corstone-1000, known Secure Services such as Crypto, Protected
Storage, Internal Trusted Storage and Attestation are available via PSA
Functional APIs in TF-M. There is no difference for a user communicating to
these services which are running on a Secure Enclave instead of the
secure world of the host subsystem. The below diagram presents the data
flow path for such calls.
.. image:: images/SecureServices.png
:width: 930
:alt: SecureServices
The Secure Enclave Proxy Secure Partition (SE Proxy SP) is a proxy managed by OP-TEE that forwards
Secure Service calls to the Secure Enclave. This communication uses the `RSE communication protocol <https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_comms.html>`_.
While the protocol supports shared memory and MHU interrupts as a doorbell mechanism between cores,
in Corstone-1000, the entire message is currently transmitted through the MHU channels.
Corstone-1000 implements Isolation Level 2 using the Cortex-M0+ Memory Protection Unit (MPU).
Users can define their own secure services to run either in the Host system's Secure World or in
the Secure Enclave. This choice involves a trade-off between latency and security.
Services running in the Secure Enclave benefit from strong, hardware-enforced isolation,
offering higher security but at the cost of increased latency. In contrast, services running in the
Host Secure World experience lower latency, but rely on TrustZone technology for virtualized isolation,
which offers comparatively less robust security.
The SE Proxy SP (Secure Enclave Proxy Secure Partition) is a proxy partition
managed by OPTEE which forwards such calls to the Secure Enclave. The
solution relies on the `RSE communication protocol
<https://tf-m-user-guide.trustedfirmware.org/platform/arm/rse/rse_comms.html>`_
which is a lightweight serialization of the psa_call() API. It can use shared
memory and MHU interrupts as a doorbell for communication between two cores
but currently the whole message is forwarded through the MHU channels in Corstone-1000.
Corstone-1000 implements isolation level 2. Cortex-M0+ MPU (Memory Protection
Unit) is used to implement isolation level 2.
For a user to define its own secure service, both the options of the host
secure world or secure encalve are available. It's a trade-off between
lower latency vs higher security. Services running on a Secure Enclave are
secure by real hardware isolation but have a higher latency path. In the
second scenario, the services running on the secure world of the host
subsystem have lower latency but virtual hardware isolation created by
TrustZone technology.
**********************
Secure Firmware Update
**********************
Apart from always booting the authorized images, it is also essential that
the device only accepts the authorized (signed) images in the firmware update
process. Corstone-1000 supports OTA (Over the Air) firmware updates and
follows Platform Security Firmware Update specification (`FWU`_).
In addition to always booting authorized images, it is equally important that the device only accepts
authorized (signed) images during the firmware update process. Corstone-1000 supports over-the-air (OTA)
firmware updates and complies with the `Platform Security Firmware Update for the A-profile Arm Architecture <platform-security-fwu-for-a-profile-pdf_>`__
specification.
As defined in the specification, the external flash is divided into two banks: one bank holds the
currently running images, while the other is used to stage new images.
There are four updatable components: **BL2**, **TF-M**, **the FIP** and **the Kernel Image** (the initramfs bundle).
New images are delivered and accepted in the form of UEFI capsules.
As standardized into `FWU`_, the external flash is divided into two
banks of which one bank has currently running images and the other bank is
used for staging new images. There are four updatable units, i.e. Secure
Enclave's BL2 and TF-M, and Host's FIP (Firmware Image Package) and Kernel
Image (the initramfs bundle). The new images are accepted in the form of a UEFI capsule.
.. image:: images/ExternalFlash.png
:width: 690
:alt: ExternalFlash
When a firmware update is triggered, U-Boot begins by verifying the UEFI capsule by checking its signature,
version number, and size. After successful verification, it signals the Secure Enclave, which then
starts writing the capsule contents to flash memory.
When Firmware update is triggered, U-Boot verifies the capsule by checking the
capsule signature, version number and size. Then it signals the Secure Enclave
that can start writing UEFI capsule into the flash.
Once the write operation is complete, the Secure Enclave resets the entire system. The update process
is tracked using a state machine stored in the Metadata Block within flash. TF-M runs an OTA service
that is responsible for verifying and updating the images in the passive flash bank. Communication
between the UEFI capsule update subsystem and the OTA service follows the same data path described
earlier. After verifying the capsule, the OTA service writes the new images to the passive bank,
updates the system state to 'trial,' and initiates a reset.
Once this operation finishes, Secure Enclave resets the entire system.
The Metadata Block in the flash has the below firmware update state machine.
TF-M runs an OTA service that is responsible for accepting and updating the
images in the flash. The communication between the UEFI Capsule update
subsystem and the OTA service follows the same data path explained above.
The OTA service writes the new images to the passive bank after successful
capsule verification. It changes the state of the system to trial state and
triggers the reset.
During boot, the bootloaders in both the Secure Enclave and the Host system read the Metadata Block to
determine which bank to boot from. If the trial boot succeeds, the Host system sends an acknowledgment
that transitions the system state from 'trial' to 'regular.' If the system fails during the trial phase
or hangs, a watchdog timer triggers a reset. The Secure Enclaves BL1 contains logic to detect multiple
resets and can revert to the previously known-good bank. This fallback mechanism is essential to ensure
the device remains available and functional.
Boot loaders in Secure Enclave and Host read the Metadata
block to get the information on the boot bank. In the successful trial stage,
the acknowledgment from the host moves the state of the system from trial to
regular. Any failure in the trial stage or system hangs leads to a system
reset. This is made sure by the use of watchdog hardware. The Secure Enclave's
BL1 has the logic to identify multiple resets and eventually switch back to the
previous good bank. The ability to revert to the previous bank is crucial to
guarantee the availability of the device.
.. image:: images/SecureFirmwareUpdate.png
@@ -365,15 +244,13 @@ the device remains available and functional.
UEFI Runtime Support in U-Boot
******************************
The implementation of UEFI boot-time and runtime APIs requires persistent variable storage. In
Corstone-1000, UEFI variables are stored using the Protected Storage (PS) service.
The diagram below illustrates the data flow for storing UEFI variables. U-Boots UEFI subsystem
communicates with the Secure World using the U-Boot FF-A driver, which interfaces with the `UEFI System Management Mode (SMM) service <trusted-services-uefi-smm-website_>`__.
The SMM service provides support for the UEFI System Management Mode. This support is implemented by the SMM Gateway secure partition.
The SMM service then uses the Proxy Protected Storage (PS) provided by the SE Proxy SP.
These PS calls are forwarded to the Secure Enclave, following the communication path described earlier.
Implementation of UEFI boottime and runtime APIs require variable storage.
In Corstone-1000, these UEFI variables are stored in the Protected Storage
service. The below diagram presents the data flow to store UEFI variables.
The U-Boot implementation of the UEFI subsystem uses the U-Boot FF-A driver to
communicate with the SMM Service in the secure world. The backend of the
SMM service uses the proxy PS from the SE Proxy SP. From there on, the PS
calls are forwarded to the Secure Enclave as explained above.
.. image:: images/UEFISupport.png
@@ -381,38 +258,30 @@ These PS calls are forwarded to the Secure Enclave, following the communication
:alt: UEFISupport
**********
***************
References
**********
* `Arm Developer <arm-developer-cs1000-search_>`__
* `Arm Security Architectures <arm-architecture-security-features-platform-security_>`_
***************
`ARM Corstone-1000 Search`_
`Arm security features`_
--------------
*Copyright (c) 2022-2025, Arm Limited. All rights reserved.*
*Copyright (c) 2022-2024, Arm Limited. All rights reserved.*
.. _arm-developer-cs1000-website: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software
.. _arm-developer-cs1000-search: https://developer.arm.com/search#q=corstone-1000
.. _arm-developer-mhu-website: https://developer.arm.com/documentation/ka005129/latest/#:~:text=An%20MHU%20is%20a%20device,that%20a%20message%20is%20available
.. _arm-developer-secureboot-website: https://developer.arm.com/documentation/PRD29-GENC-009492/c/TrustZone-Software-Architecture/Booting-a-secure-system/Secure-boot
.. _arm-architecture-security-features-platform-security: https://www.arm.com/architecture/security-features/platform-security
.. _linux-repository: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
.. _arm-trustzone-for-cortex-a-website: https://www.arm.com/technologies/trustzone-for-cortex-a
.. _arm-fmw-framework-a-profile-pdf: https://developer.arm.com/documentation/den0077/latest
.. _arm-fmw-framework-m-profile-pdf: https://developer.arm.com/architectures/Firmware%20Framework%20for%20M-Profile
.. _platform-security-fwu-for-a-profile-pdf: https://developer.arm.com/documentation/den0118/a/
.. _op-tee-os-repository: https://github.com/OP-TEE/optee_os
.. _psa-certified-website: https://www.psacertified.org/
.. _psa_l2-ready: https://www.psacertified.org/products/corstone-1000/
.. _systemready-ir-certification: https://armkeil.blob.core.windows.net/developer/Files/pdf/certificate-list/arm-systemready-ve-arm-neoverse.pdf
.. _trusted-board-boot-requirements-client-pdf: https://developer.arm.com/documentation/den0006/latest
.. _trusted-firmware-m-website: https://www.trustedfirmware.org/projects/tf-m/
.. _trusted-firmware-m-bl1-website: https://trustedfirmware-m.readthedocs.io/en/latest/design_docs/booting/bl1.html
.. _trusted-firmware-a-bl2-website: https://developer.arm.com/documentation/108028/0000/RD-TC22-software/Software-components/AP-firmware/Trusted-firmware-A-BL2
.. _trusted-firmware-a-fip-guide: https://trustedfirmware-a.readthedocs.io/en/latest/design/firmware-design.html#firmware-image-package-fip
.. _trusted-services-website: https://www.trustedfirmware.org/projects/trusted-services/
.. _trusted-services-uefi-smm-website: https://trusted-services.readthedocs.io/en/integration/services/uefi-smm-services.html#
.. _das-u-boot-repository: https://github.com/u-boot/u-boot.git
.. _keil-rtx5-website: https://developer.arm.com/Tools%20and%20Software/Keil%20MDK/RTX5%20RTOS
.. _ppa-website: https://developer.arm.com/documentation/102738/0100/Power--performance--and-area-analysis
.. _mcuboot-website: https://docs.mcuboot.com/
.. _Arm Corstone-1000 Technical Overview: https://developer.arm.com/documentation/102360/0000
.. _Arm Corstone-1000 Software: https://developer.arm.com/Tools%20and%20Software/Corstone-1000%20Software
.. _Arm Corstone-1000 Search: https://developer.arm.com/search#q=corstone-1000
.. _Arm security features: https://www.arm.com/architecture/security-features/platform-security
.. _linux repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/
.. _FF-A: https://developer.arm.com/documentation/den0077/latest
.. _FF-M: https://developer.arm.com/architectures/Firmware%20Framework%20for%20M-Profile
.. _FWU: https://developer.arm.com/documentation/den0118/a/
.. _OPTEE-OS: https://github.com/OP-TEE/optee_os
.. _PSA: https://www.psacertified.org/
.. _PSA L2 Ready: https://www.psacertified.org/products/corstone-1000/
.. _SRIR cert: https://armkeil.blob.core.windows.net/developer/Files/pdf/certificate-list/arm-systemready-ir-certification-arm-corstone-1000.pdf
.. _TBBR: https://developer.arm.com/documentation/den0006/latest
.. _TF-M: https://www.trustedfirmware.org/projects/tf-m/
.. _Trusted Services: https://www.trustedfirmware.org/projects/trusted-services/
.. _U-Boot repo: https://github.com/u-boot/u-boot.git
@@ -1,5 +1,5 @@
..
# Copyright (c) 2022-2025, Arm Limited.
# Copyright (c) 2022-2024, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -50,32 +50,25 @@ The Corstone-1000 software stack can be run on:
Yocto Stable Branch
-------------------
Corstone-1000 software stack is built on top of Yocto Project's `Walnascar release <meta-arm-repository-release-branch_>`__.
Corstone-1000 software stack is built on top of Yocto styhead release.
Software Components
-------------------
Within the Yocto Project, each component included in the Corstone-1000 software stack is specified as
a `BitBake recipe <https://docs.yoctoproject.org/bitbake/2.2/bitbake-user-manual/bitbake-user-manual-intro.html#recipes>`__.
The recipes specific to the Corstone-1000 BSP are located at:
``${WORKSPACE}/meta-arm/meta-arm-bsp/``.
``$WORKSPACE/meta-arm/meta-arm-bsp/``.
.. important::
``${WORKSPACE}`` refers to the absolute path to your workspace where the `meta-arm` repository will be cloned.
``$WORKSPACE`` refers to the absolute path to your workspace where the `meta-arm` repository will be cloned.
Consider exporting it (e.g., ``export WORKSPACE=$(realpath .)``) if you're already in the workspace directory,
so you can copy and paste the commands from this guide verbatim.
.. important::
``${TARGET}`` is either ``mps3`` or ``fvp``.
Consider exporting it (e.g., ``export TARGET=mps3``) so you can copy and paste the commands from this guide verbatim.
``$TARGET`` is either ``mps3`` or ``fvp``.
The Yocto machine config files for the Corstone-1000 FVP and MPS3 targets are:
- ``${WORKSPACE}/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc``
- ``${WORKSPACE}/meta-arm/meta-arm-bsp/conf/machine/corstone1000-${TARGET}.conf``
- ``$WORKSPACE/meta-arm/meta-arm-bsp/conf/machine/include/corstone1000.inc``
- ``$WORKSPACE/meta-arm/meta-arm-bsp/conf/machine/corstone1000-$TARGET.conf``
.. note::
@@ -88,64 +81,64 @@ Host Processor Components
`Trusted Firmware-A <https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git>`__
====================================================================================
+----------+-------------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend`` |
+----------+-------------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.11.0.bb`` |
+----------+-------------------------------------------------------------------------------------------------------+
+----------+-----------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a_2.11.0.bb`` |
+----------+-----------------------------------------------------------------------------------------------------+
`Trusted Services <https://trusted-services.readthedocs.io/en/latest/index.html>`__
====================================================================================
+----------+-------------------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-crypto-api-test_%.bbappend`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-iat-api-test_%.bbappend`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-its-api-test_%.bbappend`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-ps-api-test_%.bbappend`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway_git.bb`` |
+----------+-------------------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy_git.bb`` |
+----------+-------------------------------------------------------------------------------------------------------------+
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/libts_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-crypto-api-test_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-iat-api-test_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-its-api-test_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-psa-ps-api-test_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-se-proxy_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/trusted-services/ts-sp-smm-gateway_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/libts_git.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-crypto-api-test_git.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-iat-api-test_git.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-its-api-test_git.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-psa-ps-api-test_git.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-smm-gateway.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/trusted-services/ts-sp-se-proxy.bb`` |
+----------+-----------------------------------------------------------------------------------------------------------+
`OP-TEE <https://git.trustedfirmware.org/OP-TEE/optee_os.git>`__
================================================================
+----------+------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend`` |
+----------+------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-security/optee/optee-os_4.4.0.bb`` |
+----------+------------------------------------------------------------------------------------------+
+----------+----------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-security/optee/optee-os_4.%.bbappend`` |
+----------+----------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-security/optee/optee-os_4.2.0.bb`` |
+----------+----------------------------------------------------------------------------------------+
`U-Boot <https://github.com/u-boot/u-boot.git>`__
=================================================
+----------+----------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend`` |
+----------+----------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend`` |
+----------+----------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_2023.07.02.bb`` |
+----------+----------------------------------------------------------------------------------+
+----------+--------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend`` |
+----------+--------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend`` |
+----------+--------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/u-boot/u-boot_2023.07.02.bb`` |
+----------+--------------------------------------------------------------------------------+
Linux
=====
@@ -154,13 +147,13 @@ distribution which is a Linux distribution stripped down to a minimal configurat
The provided distribution is based on `BusyBox <https://www.busybox.net/>`__ and built using `musl libc <https://musl.libc.org/>`__.
+-----------+------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto_%.bbappend`` |
+-----------+------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/poky/meta/recipes-kernel/linux/linux-yocto_6.12.bb`` |
+-----------+------------------------------------------------------------------------------------------------+
| defconfig | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/defconfig`` |
+-----------+------------------------------------------------------------------------------------------------+
+-----------+----------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-kernel/linux/linux-yocto_%.bbappend`` |
+-----------+----------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb`` |
+-----------+----------------------------------------------------------------------------------------------+
| defconfig | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-kernel/linux/files/corstone1000/defconfig`` |
+-----------+----------------------------------------------------------------------------------------------+
*************************
Secure Enclave Components
@@ -169,11 +162,11 @@ Secure Enclave Components
`Trusted Firmware-M <https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git>`__
====================================================================================
+----------+-------------------------------------------------------------------------------------------------------+
| bbappend | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend`` |
+----------+-------------------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.1.1.bb`` |
+----------+-------------------------------------------------------------------------------------------------------+
+----------+-----------------------------------------------------------------------------------------------------+
| bbappend | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m_%.bbappend`` |
+----------+-----------------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm/recipes-bsp/trusted-firmware-m/trusted-firmware-m_2.1.0.bb`` |
+----------+-----------------------------------------------------------------------------------------------------+
************************************
External System Processor Components
@@ -186,9 +179,9 @@ An example application that uses the `RTX Real-Time Operating System <https://de
The application project can be found `here <https://git.gitlab.arm.com/arm-reference-solutions/corstone1000/external_system/rtx>`__.
+----------+----------------------------------------------------------------------------------------------+
| Recipe | ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/external-system/external-system_0.1.0.bb`` |
+----------+----------------------------------------------------------------------------------------------+
+----------+--------------------------------------------------------------------------------------------+
| Recipe | ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/external-system/external-system_0.1.0.bb`` |
+----------+--------------------------------------------------------------------------------------------+
.. _building-the-software-stack:
@@ -199,7 +192,7 @@ Build
Building binaries natively on Windows and AArch64 Linux is not supported.
Use an Intel or AMD 64-bit architecture Linux based development machine to build the software stack and transfer the binaries to run the software stack on an FVP in Windows or AArch64 Linux
Use an AMD64 Linux based development machine to build the software stack and transfer the binaries to run the software stack on an FVP in Windows or AArch64 Linux
if required.
@@ -207,8 +200,8 @@ Build
.. code-block:: console
mkdir ${WORKSPACE}
cd ${WORKSPACE}
mkdir $WORKSPACE
cd $WORKSPACE
#. Install kas version 4.4 with ``sudo`` rights.
@@ -218,18 +211,18 @@ Build
Ensure the kas installation directory is visible on the ``$PATH`` environment variable.
#. Clone the `meta-arm` Yocto layer in the workspace ``${WORKSPACE}``.
#. Clone the `meta-arm` Yocto layer in the workspace ``$WORKSPACE``.
.. code-block:: console
cd ${WORKSPACE}
git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2025.05
cd $WORKSPACE
git clone https://git.yoctoproject.org/git/meta-arm -b CORSTONE1000-2024.11
#. Build a Corstone-1000 image:
.. code-block:: console
kas build meta-arm/kas/corstone1000-${TARGET}.yml:meta-arm/ci/debug.yml
kas build meta-arm/kas/corstone1000-$TARGET.yml:meta-arm/ci/debug.yml
.. important::
@@ -248,22 +241,22 @@ Build
.. code-block:: console
kas build meta-arm/kas/corstone1000-${TARGET}.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-extsys.yml
kas build meta-arm/kas/corstone1000-$TARGET.yml:meta-arm/ci/debug.yml:meta-arm/kas/corstone1000-extsys.yml
A clean build takes a significant amount of time given that all of the development machine utilities are also
built along with the target images. Those development machine utilities include executables (Python,
CMake, etc.) and the required toolchains.
Once the build succeeds, all output binaries will be placed in ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/``
Once the build succeeds, all output binaries will be placed in ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/``
Everything apart from the Secure Enclave ROM firmware and External System firmware, is bundled into a single binary, the
``corstone1000-flash-firmware-image-corstone1000-${TARGET}.wic`` file.
``corstone1000-flash-firmware-image-corstone1000-$TARGET.wic`` file.
The output binaries run in the Corstone-1000 platform are the following:
- The Secure Enclave ROM firmware: ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/bl1.bin``
- The External System Processor firmware: ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/es_flashfw.bin``
- The internal firmware flash image: ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000-flash-firmware-image-corstone1000-${TARGET}.wic``
- The Secure Enclave ROM firmware: ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/bl1.bin``
- The External System Processor firmware: ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/es_flashfw.bin``
- The internal firmware flash image: ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-flash-firmware-image-corstone1000-$TARGET.wic``
.. _flashing-firmware-images:
@@ -276,13 +269,6 @@ Flash
machine does not require any firmware flashing. Refer to `this <running-software-stack-fvp_>`__
section for running the software stack on FVP.
.. important::
When preparing the SD card for flashing, ensure that it is at least 4GB in size and formatted
with a FAT32 partition.
Using smaller cards or unsupported file systems (e.g., exFAT, NTFS) may cause the flashing
process to fail or the device to become unresponsive.
#. Download the FPGA bit file image ``AN550: Arm® Corstone™-1000 for MPS3 Version 2.0``
on the `Arm Developer website <https://developer.arm.com/tools-and-software/development-boards/fpga-prototyping-boards/download-fpga-images>`__.
Click on the ``Download AN550 bundle`` button and login to download the file.
@@ -316,9 +302,9 @@ Flash
└── ES0.bin
#. Depending upon the MPS3 board version, you should update the ``images.txt`` file
(found in the corresponding ``HBI0309x`` folder e.g. ``Boardfiles/MB/HBI0309${BOARD_VERSION}/AN550/images.txt``)
(found in the corresponding ``HBI0309x`` folder e.g. ``Boardfiles/MB/HBI0309$BOARD_VERSION/AN550/images.txt``)
so it points to the images under the ``SOFTWARE`` directory.
Where ``${BOARD_VERSION}`` is a variable containing the board printed on the MPS3 board.
Where ``$BOARD_VERSION`` is a variable containing the board printed on the MPS3 board.
The ``images.txt`` file compatible with the latest version of the software
stack can be seen below;
@@ -355,10 +341,10 @@ Flash
IMAGE2FILE: \SOFTWARE\es0.bin
#. Copy ``bl1.bin`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle.
#. Copy ``es_flashfw.bin`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle
#. Copy ``bl1.bin`` from ``$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle.
#. Copy ``es_flashfw.bin`` from ``$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE`` directory of the FPGA bundle
and rename the binary to ``es0.bin``.
#. Copy ``corstone1000-flash-firmware-image-corstone1000-mps3.wic`` from ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE``
#. Copy ``corstone1000-flash-firmware-image-corstone1000-mps3.wic`` from ``$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3`` to the ``SOFTWARE``
directory of the FPGA bundle and rename the wic image to ``cs1000.bin``.
.. note::
@@ -441,7 +427,7 @@ Corstone-1000 FVP software image.
A Yocto recipe is provided to download the latest supported FVP version.
The recipe is located at ``${WORKSPACE}/meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb``.
The recipe is located at ``$WORKSPACE/meta-arm/meta-arm/recipes-devtools/fvp/fvp-corstone1000.bb``.
The latest FVP version is ``11.23.25`` and is automatically downloaded and installed when using the
``runfvp`` command as detailed below.
@@ -453,15 +439,14 @@ The latest FVP version is ``11.23.25`` and is automatically downloaded and insta
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp -- --version"
The FVP can also be manually downloaded from `Arm Developer <arm-developer-fvp_>`__ to download
the Corstone-1000 platform FVP installer.
Follow the instructions of the installer to setup the FVP.
The FVP can also be manually downloaded from the `Arm Ecosystem FVPs`_ page by navigating
to "Corstone IoT FVPs" section to download the Corstone-1000 platform FVP installer. Follow the
instructions of the installer to setup the FVP.
#. Run the FVP
.. code-block:: console
tmux
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=tmux"
@@ -493,13 +478,6 @@ Tests
following the instructions `here <building-the-software-stack_>`__.
Reports
-------
Reports for the tests conducted on the `Corstone-1000 software (CORSTONE1000-2025.05) <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2025.05>`__
release are available for reference `here <https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/CORSTONE1000-2025.05/embedded-a/corstone1000/CORSTONE1000-2025.05?ref_type=tags>`__.
.. _clean-secure-flash:
Clean Secure Flash
@@ -511,12 +489,12 @@ Clean Secure Flash
This is to erase the flash cleanly and prepare a clean board environment for testing.
#. Clone the `systemready-patch` repository to your ${WORKSPACE}.
#. Clone the `systemready-patch` repository to your $WORKSPACE.
.. code-block:: console
cd ${WORKSPACE}
git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2025.05
cd $WORKSPACE
git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git -b CORSTONE1000-2024.11
#. Copy the secure flash cleaning Git patch file to your copy of `meta-arm`.
@@ -535,12 +513,12 @@ Clean Secure Flash
.. code-block:: console
cd ${WORKSPACE}
cd $WORKSPACE
kas shell meta-arm/kas/corstone1000-mps3.yml:meta-arm/ci/debug.yml
bitbake -c cleansstate trusted-firmware-m corstone1000-flash-firmware-image
bitbake -c build corstone1000-flash-firmware-image
#. Replace the ``bl1.bin`` file on the SD card with ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3/bl1.bin``.
#. Replace the ``bl1.bin`` file on the SD card with ``$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3/bl1.bin``.
#. Reboot the board to completely erase the secure flash.
@@ -556,7 +534,7 @@ Clean Secure Flash
.. code-block:: console
cd ${WORKSPACE}/meta-arm
cd $WORKSPACE/meta-arm
git reset --hard
cd ..
bitbake -c cleansstate trusted-firmware-m corstone1000-flash-firmware-image
@@ -566,14 +544,11 @@ Clean Secure Flash
You can proceed with the test instructions in the following section after having done all the above.
SystemReady IR
SystemReady-IR
--------------
.. important::
**SystemReady IR** has now been renamed **SystemReady Devicetree Band**.
Running the tests described below requires USB drives.
Running the SystemReady-IR tests described below requires USB drives.
In our testing, not all USB drive models worked well with the MPS3.
Here are the USB drive models that were stable in our test environment:
@@ -597,10 +572,10 @@ A storage with EFI System Partition (ESP) must exist in the system for the UEFI-
.. code-block:: console
kas build meta-arm/kas/corstone1000-${TARGET}.yml:meta-arm/ci/debug.yml --target corstone1000-esp-image
kas build meta-arm/kas/corstone1000-$TARGET.yml:meta-arm/ci/debug.yml --target corstone1000-esp-image
#. Locate the ``corstone1000-esp-image-corstone1000-${TARGET}.wic`` build artefact
in ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/``
#. Locate the ``corstone1000-esp-image-corstone1000-$TARGET.wic`` build artefact
in ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/``
****************************
Use the EFI System Partition
@@ -630,7 +605,7 @@ MPS3
.. code-block:: console
sudo dd \
if=${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3/corstone1000-esp-image-corstone1000-mps3.wic \
if=$WORKSPACE/build/tmp/deploy/images/corstone1000-mps3/corstone1000-esp-image-corstone1000-mps3.wic \
of=/dev/sdb \
iflag=direct oflag=direct status=progress bs=512; sync;
@@ -647,7 +622,7 @@ It will be used when the SystemReady-IR tests is performed on the FVP in the lat
****************************
Run SystemReady IR ACS Tests
Run SystemReady-IR ACS Tests
****************************
ACS is used to ensure architectural compliance across different implementations of the architecture.
@@ -668,31 +643,20 @@ See the directory structure of the ACS image ``BOOT`` partition below:
.. code-block:: console
├── acs_results
├── EFI
└── BOOT
├── app
├── bbr
├── bootaa64.efi
├── bsa
├── debug
├── grub.cfg
├── Shell.efi
│ ├── sie_startup.nsh
│ └── startup.nsh
   └── BOOT
   ├── app
   ├── bbr
   ├── bootaa64.efi
   ├── bsa
   ├── debug
   ├── Shell.efi
   └── startup.nsh
├── grub
├── grub.cfg
├── Image
├── security-interface-extension-keys
│ ├── NullPK.auth
│ ├── TestDB1.auth
│ ├── TestDB1.der
│ ├── TestDBX1.auth
│ ├── TestDBX1.der
│ ├── TestKEK1.auth
│ ├── TestKEK1.der
│ ├── TestPK1.auth
│ └── TestPK1.der
├── startup.nsh
└── yocto_image.flag
├── ramdisk-busybox.img
└── acs_results
The ``BOOT`` partition is also used to store test results in the ``acs_results`` folder.
@@ -710,13 +674,13 @@ This sections below describe how to build and run ACS tests on Corstone-1000.
.. code-block:: console
cd ${WORKSPACE}
git clone https://github.com/ARM-software/arm-systemready.git -b v23.09_SR_REL2.0.0_ES_REL1.3.0_IR_REL2.1.0 --depth 1
cd $WORKSPACE
git clone https://github.com/ARM-software/arm-systemready.git
This repository contains the infrastructure to build the ACS and the bootable prebuilt images to be used for the
certifications of SystemReady IR.
certifications of SystemReady-IR.
#. Find the pre-built ACS live image in ``${WORKSPACE}/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic.xz``.
#. Find the pre-built ACS live image in ``$WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic.xz``.
.. note::
@@ -729,7 +693,7 @@ This sections below describe how to build and run ACS tests on Corstone-1000.
.. code-block:: console
cd ${WORKSPACE}/arm-systemready/IR/prebuilt_images/v23.09_2.1.0
cd $WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0
unxz ir-acs-live-image-generic-arm64.wic.xz
MPS3
@@ -753,7 +717,7 @@ MPS3
.. code-block:: console
cd ${WORKSPACE}/arm-systemready/IR/prebuilt_images/v23.09_2.1.0
cd $WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0
sudo dd if=ir-acs-live-image-generic-arm64.wic of=/dev/sdc iflag=direct oflag=direct bs=1M status=progress; sync
#. Plug the USB drive to the MPS3. At this point you should have both the USB drive with the ESP and the USB drive with the ACS image plugged to the MPS3.
@@ -793,12 +757,12 @@ Run the commands below to run the ACS test on FVP using the built firmware image
.. code-block:: console
cd ${WORKSPACE}
cd $WORKSPACE
tmux
./meta-arm/scripts/runfvp \
--terminals=tmux \
./build/tmp/deploy/images/corstone1000-fvp/corstone1000-flash-firmware-image-corstone1000-fvp.fvpconf \
-- -C board.msd_mmc.p_mmc_file=${WORKSPACE}/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic
-- -C board.msd_mmc.p_mmc_file=$WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic
.. note::
@@ -830,7 +794,7 @@ The results can be fetched from the `acs_results` folder in the ``BOOT`` partiti
sudo mkdir /mnt/test
sudo mount -o rw,offset=1048576 \
${WORKSPACE}/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic \
$WORKSPACE/arm-systemready/IR/prebuilt_images/v23.09_2.1.0/ir-acs-live-image-generic-arm64.wic \
/mnt/test
#####################################################
@@ -858,18 +822,18 @@ Generate Capsules
*****************
U-Boot's ``mkeficapsule`` tool is used to generate capsules. It is built automatically for the host machine during the firmware image building process.
The tool can be found in the ``${WORKSPACE}/build/tmp/sysroots-components/x86_64/u-boot-tools-native/usr/bin/mkeficapsule`` directory.
The tool can be found in the ``$WORKSPACE/build/tmp/sysroots-components/x86_64/u-boot-tools-native/usr/bin/mkeficapsule`` directory.
``mkeficapsule`` uses a no-partition image which is created when performing a clean firmware build.
The no-partition image can be found in the ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000-${TARGET}/corstone1000-${TARGET}_image.nopt`` directory.
The no-partition image can be found in the ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-$TARGET_image.nopt`` directory.
The capsule's default metadata passed can be found in the ``${WORKSPACE}/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb``
and ``${WORKSPACE}/meta-arm/kas/corstone1000-image-configuration.yml`` files.
The capsule's default metadata passed can be found in the ``$WORKSPACE/meta-arm/meta-arm-bsp/recipes-bsp/images/corstone1000-flash-firmware-image.bb``
and ``$WORKSPACE/meta-arm/kas/corstone1000-image-configuration.yml`` files.
Valid Capsule
=============
An automatically generated capsule can be found in ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000-${TARGET}-v6.uefi.capsule`` after running a firmware build.
An automatically generated capsule can be found in ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-$TARGET-v6.uefi.capsule`` after running a firmware build.
The default metadata values are assumed to be correct to generate a valid capsule.
@@ -886,27 +850,26 @@ Run the following commands to generate an invalid capsule with a ``fw-version``
.. code-block:: console
cd ${WORKSPACE}
cd $WORKSPACE
./build/tmp/sysroots-components/x86_64/u-boot-tools-native/usr/bin/mkeficapsule \
--monotonic-count 1 \
--private-key build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_key.key \
--certificate build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000_capsule_cert.crt \
--private-key build/tmp/deploy/images/corstone1000-$TARGET/corstone1000_capsule_key.key \
--certificate build/tmp/deploy/images/corstone1000-$TARGET/corstone1000_capsule_cert.crt \
--index 1 \
--guid ${TARGET}_GUID \
--fw-version 5 \
build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000-${TARGET}_image.nopt \
corstone1000-${TARGET}-v5.uefi.capsule
--guid $TARGET_GUID \
--fw-version 5 build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-$TARGET_image.nopt \
corstone1000-$TARGET-v5.uefi.capsule
.. important::
``${TARGET}_GUID`` is different depending on whether the capsule is built for the ``fvp`` or ``mps3`` ``${TARGET}``.
``$TARGET_GUID`` is different depending on whether the capsule is built for the ``fvp`` or ``mps3`` ``$TARGET``.
- ``fvp`` ``${TARGET}_GUID`` is ``989f3a4e-46e0-4cd0-9877-a25c70c01329``
- ``mps3`` ``${TARGET}_GUID`` is ``df1865d1-90fb-4d59-9c38-c9f2c1bba8cc``
- ``fvp`` ``$TARGET_GUID`` is ``989f3a4e-46e0-4cd0-9877-a25c70c01329``
- ``mps3`` ``$TARGET_GUID`` is ``df1865d1-90fb-4d59-9c38-c9f2c1bba8cc``
The invalid capsule will be located in the ``${WORKSPACE}`` directory.
The invalid capsule will be located in the ``$WORKSPACE`` directory.
***************************
Transfer Capsules to Target
@@ -924,16 +887,10 @@ MPS3
.. code-block:: console
cp ${WORKSPACE}/build/tmp/deploy/images/corstone1000-mps3/corstone1000-mps3-v6.uefi.capsule /dev/sdc/BOOT/
cp ${WORKSPACE}/corstone1000-mps3-v5.uefi.capsule /dev/sdc/EFI/BOOT/
sudo cp $CAPSULES_PATH/corstone1000-mps3-v6.uefi.capsule $ACS_IMAGE_USB_DRIVE_PATH/BOOT/
sudo cp $CAPSULES_PATH/corstone1000-mps3-v5.uefi.capsule $ACS_IMAGE_USB_DRIVE_PATH/BOOT/
sync
.. note::
``/dev/sdc`` is the assumed path for the ACS Image USB drive.
Replace it with the actual device path as enumerated on your development machine.
.. important::
Since we are using the direct Capsule Update method, the capsule files should not be placed in
@@ -943,7 +900,7 @@ FVP
===
#. Download and extract the ACS image `as described for the MPS3 <mps3-instructions-for-acs-image_>`_.
The ACS image extraction location will be referred below as ``${ACS_IMAGE_PATH}``.
The ACS image extraction location will be referred below as ``$ACS_IMAGE_PATH``.
.. note::
@@ -954,10 +911,10 @@ FVP
.. code-block:: console
fdisk -lu ${ACS_IMAGE_PATH}/ir-acs-live-image-generic-arm64.wic
fdisk -lu $ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic
Device Start End Sectors Size Type
${ACS_IMAGE_PATH}/ir-acs-live-image-generic-arm64.wic1 2048 309247 307200 150M Microsoft basic data
${ACS_IMAGE_PATH}/ir-acs-live-image-generic-arm64.wic2 309248 1343339 1034092 505M Linux filesystem
$ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic1 2048 309247 307200 150M Microsoft basic data
$ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic2 309248 1343339 1034092 505M Linux filesystem
Given that the first partition starts at sector 2048 and each sector is 512 bytes in size,
@@ -968,14 +925,14 @@ FVP
.. code-block:: console
sudo mkdir /mnt/ir-acs-live-image-generic-arm64
sudo mount -o rw,offset=<first_partition_offset> ${ACS_IMAGE_PATH}/ir-acs-live-image-generic-arm64.wic /mnt/ir-acs-live-image-generic-arm64
sudo mount -o rw,offset=<first_partition_offset> $ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic /mnt/ir-acs-live-image-generic-arm64
#. Copy the capsules:
.. code-block:: console
sudo cp ${WORKSPACE}/build/tmp/deploy/images/corstone1000-fvp/corstone1000-fvp-v6.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/
sudo cp ${WORKSPACE}/corstone1000-fvp-v5.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/
sudo cp $CAPSULES_PATH/corstone1000-fvp-v6.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/
sudo cp $CAPSULES_PATH/corstone1000-fvp-v5.uefi.capsule /mnt/ir-acs-live-image-generic-arm64/
sync
#. Unmount the IR image:
@@ -988,8 +945,8 @@ FVP
Run Capsule Update Tests
************************
The valid capsule (``corstone1000-${TARGET}-v6.uefi.capsule``) will be used first to run the positive capsule update test.
This will be followed by using the invalid capsule (``corstone1000-${TARGET}-v5.uefi.capsule``) to run the negative capsule update test.
The valid capsule (``corstone1000-$TARGET-v6.uefi.capsule``) will be used first to run the positive capsule update test.
This will be followed by using the invalid capsule (``corstone1000-$TARGET-v5.uefi.capsule``) to run the negative capsule update test.
.. important::
@@ -1015,17 +972,16 @@ Positive Capsule Update Test
.. code-block:: console
tmux
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=tmux \
-- -C board.msd_mmc.p_mmc_file=${ACS_IMAGE_PATH}/ir-acs-live-image-generic-arm64.wic"
-- -C board.msd_mmc.p_mmc_file=$ACS_IMAGE_PATH/ir-acs-live-image-generic-arm64.wic"
.. warning::
``${ACS_IMAGE_PATH}`` must be an absolute path. Ensure there are no spaces before or after of ``=`` of the ``-C board.msd_mmc.p_mmc_file`` option.
``$ACS_IMAGE_PATH`` must be an absolute path. Ensure there are no spaces before or after of ``=`` of the ``-C board.msd_mmc.p_mmc_file`` option.
#. Wait until U-Boot loads EFI from the ACS image and interrupt the EFI shell by pressing the ``Escape`` key when the following prompt is displayed on the Host Processor terminal (``ttyUSB2`` for MPS3).
#. Wait until U-Boot loads EFI from the ACS image and interrupt the EFI shell by pressing the ``Escape`` key when the following prompt is displayed on the Host Processor terminal (``ttyUSB2``).
.. code-block:: console
@@ -1062,7 +1018,7 @@ Positive Capsule Update Test
The software stack copies the capsule content to the external flash, which is shared between the Secure Enclave and the Host Processor
before rebooting the system.
After the first reboot, TrustedFirmware-M should apply the valid capsule and display the following log on the Secure Enclave terminal (``ttyUSB1`` for MPS3)
After the first reboot, TrustedFirmware-M should apply the valid capsule and display the following log on the Secure Enclave terminal (``ttyUSB1``)
before rebooting the system a second time:
.. code-block:: console
@@ -1137,13 +1093,13 @@ Negative Capsule Update Test
The `positive capsule update test <positive-capsule-update-test_>`__ must be run before running the negative capsule update test.
#. After running the positive capsule update test, reboot the system by typing the following command on the Host Processor terminal (``ttyUSB2`` for MPS3):
#. After running the positive capsule update test, reboot the system by typing the following command on the Host Processor terminal (``ttyUSB2``):
.. code-block:: console
reboot
#. Wait until U-Boot loads EFI from the ACS image and interrupt the EFI shell by pressing the ``Escape`` key when the following prompt is displayed on the Host Processor terminal (``ttyUSB2`` for MPS3).
#. Wait until U-Boot loads EFI from the ACS image and interrupt the EFI shell by pressing the ``Escape`` key when the following prompt is displayed on the Host Processor terminal (``ttyUSB2``).
.. code-block:: console
@@ -1170,7 +1126,7 @@ Negative Capsule Update Test
EFI/BOOT/app/CapsuleApp.efi corstone1000-fvp-v5.uefi.capsule
#. TrustedFirmware-M should reject the capsule due to having a lower firmware version and display the following log on the Secure Enclave terminal (``ttyUSB1`` for MPS3):
#. TrustedFirmware-M should reject the capsule due to having a lower firmware version and display the following log on the Secure Enclave terminal (``ttyUSB1``):
.. code-block:: console
@@ -1274,9 +1230,9 @@ Follow the instructions below to create the installation media.
For openSUSE Tumbleweed, search for an ISO file with the format: ``openSUSE-Tumbleweed-DVD-aarch64-Snapshot$DATE-Media.iso``.
``openSUSE-Tumbleweed-DVD-aarch64-Snapshot20250509-Media.iso`` was used during development.
``openSUSE-Tumbleweed-DVD-aarch64-Snapshot20240516-Media.iso`` was used during development.
The location of the ISO file on the development machine will be referred to as ``${DISTRO_INSTALLER_ISO_PATH}``.
The location of the ISO file on the development machine will be referred to as ``$DISTRO_INSTALLER_ISO_PATH``.
#. Create the installation media which will contain the necessary files to install the operation system.
@@ -1300,7 +1256,7 @@ Follow the instructions below to create the installation media.
.. code-block:: console
sudo dd if=${DISTRO_INSTALLER_ISO_PATH} of=/dev/sdb iflag=direct oflag=direct status=progress bs=1M; sync;
sudo dd if=$DISTRO_INSTALLER_ISO_PATH of=/dev/sdb iflag=direct oflag=direct status=progress bs=1M; sync;
- FVP:
@@ -1323,7 +1279,7 @@ Corstone-1000 on-board non-volatile storage size is insufficient for installing
.. code-block:: console
dd if=/dev/zero of=${WORKSPACE}/fvp_distro_system_drive.img \
dd if=/dev/zero of=$WORKSPACE/fvp_distro_system_drive.img \
bs=1 count=0 seek=10G; sync; \
parted -s fvp_distro_system_drive.img mklabel gpt
@@ -1367,11 +1323,10 @@ FVP
.. code-block:: console
tmux
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=tmux -- \
-C board.msd_mmc.p_mmc_file=${WORKSPACE}/fvp_distro_system_drive.img \
-C board.msd_mmc_2.p_mmc_file=${DISTRO_INSTALLER_ISO_PATH}"
-C board.msd_mmc.p_mmc_file=$WORKSPACE/fvp_distro_system_drive.img \
-C board.msd_mmc_2.p_mmc_file=$DISTRO_INSTALLER_ISO_PATH"
The Linux distribution will be installed on ``fvp_distro_system_drive.img``.
@@ -1434,10 +1389,9 @@ Boot Distribution
.. code-block:: console
tmux
kas shell meta-arm/kas/corstone1000-fvp.yml:meta-arm/ci/debug.yml \
-c "../meta-arm/scripts/runfvp --terminals=tmux -- \
-C board.msd_mmc.p_mmc_file=${WORKSPACE}/fvp_distro_system_drive.img"
-C board.msd_mmc.p_mmc_file=$WORKSPACE/fvp_distro_system_drive.img"
.. warning::
@@ -1532,32 +1486,29 @@ Generate Keys, Signed Image and Unsigned Image
.. code-block:: console
cd ${WORKSPACE}
cd $WORKSPACE
git clone https://gitlab.arm.com/arm-reference-solutions/systemready-patch \
-b CORSTONE1000-2025.05
git clone https://git.gitlab.arm.com/arm-reference-solutions/systemready-patch.git \
-b CORSTONE1000-2024.11
#. Set the current working directory to build directory's subdirectory containing the software stack build images.
.. code-block:: console
cd ${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/
cd $WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/
#. Run the image signing script (without changing the current working directory).
.. code-block:: console
./${WORKSPACE}/systemready-patch/embedded-a/corstone1000/secureboot/create_keys_and_sign.sh \
-d ${TARGET} \
-v ${CERTIFICATE_VALIDITY_DURATION_IN_DAYS}
./$WORKSPACE/systemready-patch/embedded-a/corstone1000/secureboot/create_keys_and_sign.sh \
-d $TARGET \
-v $CERTIFICATE_VALIDITY_DURATION_IN_DAYS
.. important::
The `efitools <https://github.com/vathpela/efitools/>`__ package is required to execute the script.
``${CERTIFICATE_VALIDITY_DURATION_IN_DAYS}`` is an integer that specifies the certificate's validity period in days.
.. note::
Consult the image signing script help message (``-h``) for more information about other optional arguments.
@@ -1566,7 +1517,7 @@ Generate Keys, Signed Image and Unsigned Image
The keys, signed kernel image, and unsigned kernel image will be copied to the exisiting ESP image.
The modified ESP image can be found at ``${WORKSPACE}/build/tmp/deploy/images/corstone1000-${TARGET}/corstone1000-esp-image-corstone1000-${TARGET}.wic``.
The modified ESP image can be found at ``$WORKSPACE/build/tmp/deploy/images/corstone1000-$TARGET/corstone1000-esp-image-corstone1000-$TARGET.wic``.
****************************
@@ -1792,7 +1743,7 @@ The tests use the `arm_tstee` driver to access Trusted Services Secure Partition
Ensure there are no USB drives connected to the board when running the test on the MPS3.
The steps below are applicable to both MPS3 and FVP.
The steps below are applicable to both MPS3 and FVP).
#. Start the Corstone-1000 and wait until it boots to Linux on the Host Processor terminal (``ttyUSB2``).
@@ -1874,33 +1825,31 @@ For more information about this, see the following resources:
- `Authenticated Debug Access Control Specification <https://developer.arm.com/documentation/den0101/latest/>`__
- `Arm Corstone-1000 for MPS3 Application Note AN550, Chapter 7 <https://developer.arm.com/documentation/dai0550/latest/>`__
The Secure Debug Manager API is implemented in the `Secure Debug Manager (PSA-ADAC / SDC-600) <secure-debug-manager-repo-readme_>`__ repository.
The Secure Debug Manager API is implemented in the `secure-debug-manager <https://github.com/ARM-software/secure-debug-manager>`__ repository.
This repository also contains the necessary files for the Arm Development Studio support.
The build and integration instructions can be found in its `README <secure-debug-manager-repo-readme_>`__.
The `Secure Debug Manager (PSA-ADAC / SDC-600)` repository also contains the private key and chain certificate to be used during the tests.
The private key's public pair is provisioned into the One-Time Programmable memory in TrustedFirmware-M.
These are dummy keys that should not be used in production.
The `secure-debug-manager` repository also contains the private key and chain certificate to be used during the tests.
The private key's public pair is provisioned into the One-Time Programmable memory in TrustedFirmware-M. These are dummy keys that should not be used in production.
To test the Secure Debug feature, you'll need a debug probe from the `Arm ULINKpro family <arm-ulink-pro-website_>`__
and `Arm Development Studio <arm-ds-website_>`__ versions 2022.2, 2022.c, or 2023.a.
To test the Secure Debug feature, you'll need a debug probe from the DSTREAM family and Arm Development Studio versions 2022.2, 2022.c, or 2023.a.
#. Clone the `Secure Debug Manager (PSA-ADAC / SDC-600)` repository to your workspace.
#. Clone the `secure-debug-manager` repository to your workspace.
.. code-block:: console
cd ${WORKSPACE}
cd $WORKSPACE
git clone https://github.com/ARM-software/secure-debug-manager.git
#. Navigate into the repository directory and checkout the specific commit in the listing below.
.. code-block:: console
cd ${WORKSPACE}/secure-debug-manager
cd $WORKSPACE/secure-debug-manager
git checkout b30d6496ca749123e86b39b161b9f70ef76106d6
#. Follow the instructions in the `Secure Debug Manager (PSA-ADAC / SDC-600)'s README <secure-debug-manager-repo-readme_>`__ for the development machine setup.
#. Follow the steps in the `secure-debug-manager`'s `README <secure-debug-manager-repo-readme_>`__ for the development machine setup.
#. Rebuild the software stack with Secure Debug.
@@ -1922,7 +1871,7 @@ and `Arm Development Studio <arm-ds-website_>`__ versions 2022.2, 2022.c, or 202
#. Connect the debug probe to the MPS3 using the 20-pin 1.27mm connector with the ``CS_20W_1.27MM silkscreen`` label.
#. Create a debug configuration in Arm Development Studio as described in the `Secure Debug Manager (PSA-ADAC / SDC-600)'s README <secure-debug-manager-armds-integration_>`__.
#. Create a debug configuration in Arm Development Studio as described in the `secure-debug-manager`'s `README <https://github.com/ARM-software/secure-debug-manager?tab=readme-ov-file#arm-development-studio-integration>`__.
#. Connect the debuger to the target using the debug configuration.
@@ -1933,14 +1882,14 @@ and `Arm Development Studio <arm-ds-website_>`__ versions 2022.2, 2022.c, or 202
...
Please provide private key file path:
Enter file path > ${WORKSPACE}\secure-debug-manager\example\data\keys\EcdsaP256Key-3.pem
Enter file path > $WORKSPACE\secure-debug-manager\example\data\keys\EcdsaP256Key-3.pem
Please provide trust chain file path:
Enter file path > ${WORKSPACE}\secure-debug-manager\example\data\chains\chain.EcdsaP256-3
Enter file path > $WORKSPACE\secure-debug-manager\example\data\chains\chain.EcdsaP256-3
...
#. When successful authenticated, Arm Development Studio will connect to the running MPS3 and the debug features can be used.
#. When successful authenticated, Arm Development Studio will connect to the running MS3 and the debug features can be used.
The following prompt should appear in the Secure Enclave terminal (``ttyUSB1``):
.. code-block:: console
@@ -1950,13 +1899,15 @@ and `Arm Development Studio <arm-ds-website_>`__ versions 2022.2, 2022.c, or 202
...
Reports
-------
Various test reports for the `Corstone-1000 software (CORSTONE1000-2024.11) <https://git.yoctoproject.org/meta-arm/tag/?h=CORSTONE1000-2024.11>`__
release version are available for reference `here <https://gitlab.arm.com/arm-reference-solutions/arm-reference-solutions-test-report/-/tree/CORSTONE1000-2024.11/embedded-a/corstone1000/CORSTONE1000-2024.11?ref_type=tags>`__.
--------------
*Copyright (c) 2022-2025, Arm Limited. All rights reserved.*
*Copyright (c) 2022-2024, Arm Limited. All rights reserved.*
.. _arm-developer-fvp: https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
.. _secure-debug-manager-repo-readme: https://github.com/ARM-software/secure-debug-manager/tree/master?tab=readme-ov-file#secure-debug-manager-psa-adac--sdc-600
.. _secure-debug-manager-armds-integration: https://github.com/ARM-software/secure-debug-manager?tab=readme-ov-file#arm-development-studio-integration
.. _meta-arm-repository-release-branch: https://web.git.yoctoproject.org/meta-arm?h=walnascar
.. _arm-ulink-pro-website: https://www.arm.com/products/development-tools/debug-probes/ulink-pro
.. _arm-ds-website: https://www.arm.com/products/development-tools/embedded-and-software/arm-development-studio
.. _Arm Ecosystem FVPs: https://developer.arm.com/tools-and-software/open-source-software/arm-platforms-software/arm-ecosystem-fvps
.. _secure-debug-manager-repo-readme: https://github.com/ARM-software/secure-debug-manager/blob/master/README.md
+4 -4
View File
@@ -1,4 +1,4 @@
# Copyright (c) 2022-2024, Arm Limited.
# Copyright (c) 2022, Arm Limited.
#
# SPDX-License-Identifier: MIT
@@ -6,6 +6,6 @@
jinja2==3.1.1
# Required to build the documentation
sphinx==7.1.2
sphinx_rtd_theme~=3.0.0
docutils~=0.18.1
sphinx~=5.0
sphinx_rtd_theme~=2.0.0
docutils==0.17.1
@@ -3,6 +3,3 @@ NUMA: Failed to initialise from firmware
# TODO: we should be using bochsdrm over efifb?
efifb: cannot reserve video memory at 0x80000000
# TODO: debug why this sometimes happens
failed to find screen to remove
@@ -1,5 +1,6 @@
# Machine specific configurations
MACHINE_HAFNIUM_REQUIRE ?= ""
MACHINE_HAFNIUM_REQUIRE:tc = "hafnium-tc.inc"
require ${MACHINE_HAFNIUM_REQUIRE}
@@ -4,5 +4,6 @@ MACHINE_SCP_REQUIRE ?= ""
MACHINE_SCP_REQUIRE:juno = "scp-firmware-juno.inc"
MACHINE_SCP_REQUIRE:sgi575 = "scp-firmware-sgi575.inc"
MACHINE_SCP_REQUIRE:tc = "scp-firmware-tc.inc"
require ${MACHINE_SCP_REQUIRE}
@@ -1,33 +0,0 @@
From f5b2fa90e0c0324f31e72429e7a7382f49a25912 Mon Sep 17 00:00:00 2001
From: Shen Jiamin <shen_jiamin@comp.nus.edu.sg>
Date: Wed, 24 Jul 2024 18:58:55 +0800
Subject: [PATCH] fix(zynqmp): handle secure SGI at EL1 for OP-TEE
OP-TEE requires SGIs to be handled at S-EL1. The
Makefile was not properly setting the flag
GICV2_G0_FOR_EL3 to 0 when the SPD is OP-TEE.
Change-Id: I256afa37ddf4ad4a154c43d51807de670c3689bb
Signed-off-by: Shen Jiamin <shen_jiamin@comp.nus.edu.sg>
---
plat/xilinx/zynqmp/platform.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Upstream-Status: Backport
diff --git a/plat/xilinx/zynqmp/platform.mk b/plat/xilinx/zynqmp/platform.mk
index c340009d0..22eceb621 100644
--- a/plat/xilinx/zynqmp/platform.mk
+++ b/plat/xilinx/zynqmp/platform.mk
@@ -21,7 +21,7 @@ ENABLE_LTO := 1
EL3_EXCEPTION_HANDLING := $(SDEI_SUPPORT)
# pncd SPD requires secure SGI to be handled at EL1
-ifeq (${SPD}, $(filter ${SPD},pncd tspd))
+ifeq (${SPD}, $(filter ${SPD},pncd tspd opteed))
ifeq (${ZYNQMP_WDT_RESTART},1)
$(error "Error: ZYNQMP_WDT_RESTART and SPD=pncd are incompatible")
endif
--
2.34.1
@@ -1,33 +0,0 @@
From b91c651e6d596cfe27448b19c8fb2f1168493827 Mon Sep 17 00:00:00 2001
From: Mikko Rapeli <mikko.rapeli@linaro.org>
Date: Mon, 15 Jan 2024 09:26:56 +0000
Subject: [PATCH] qemu_measured_boot.c: ignore TPM error and continue with boot
If firmware is configured with TPM support but it's missing
on HW, e.g. swtpm not started and/or configured with qemu,
then continue booting. Missing TPM is not a fatal error.
Enables testing boot without TPM device to see that
missing TPM is detected further up the SW stack and correct
fallback actions are taken.
Upstream-Status: Pending
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
plat/qemu/qemu/qemu_measured_boot.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plat/qemu/qemu/qemu_measured_boot.c b/plat/qemu/qemu/qemu_measured_boot.c
index 76a4da17e6a9..ec7f44d3720d 100644
--- a/plat/qemu/qemu/qemu_measured_boot.c
+++ b/plat/qemu/qemu/qemu_measured_boot.c
@@ -80,7 +80,8 @@ void bl2_plat_mboot_finish(void)
* Note: In QEMU platform, OP-TEE uses nt_fw_config to get the
* secure Event Log buffer address.
*/
- panic();
+ ERROR("Ignoring TPM errors, continuing without\n");
+ return;
}
/* Copy Event Log to Non-secure memory */
@@ -62,9 +62,3 @@ EXTRA_OEMAKE += "FVP_DT_PREFIX=fvp-base-gicv3-psci-1t FVP_USE_GIC_DRIVER=FVP_GIC
# Our fvp-base machine explicitly has v8.4 cores
EXTRA_OEMAKE += "ARM_ARCH_MAJOR=8 ARM_ARCH_MINOR=4"
# If GENERATE_COT is set, then tf-a will try to use local poetry install
# to run the python cot-dt2c command. Disable the local poetry and use
# the provided cot-dt2c.
EXTRA_OEMAKE += "POETRY=''"
DEPENDS += "cot-dt2c-native"
@@ -11,9 +11,3 @@ TFA_UEFI = "1"
EXTRA_OEMAKE += "TRUSTED_BOARD_BOOT=1 GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \
ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem"
# If GENERATE_COT is set, then tf-a will try to use local poetry install
# to run the python cot-dt2c command. Disable the local poetry and use
# the provided cot-dt2c.
EXTRA_OEMAKE += "POETRY=''"
DEPENDS += "cot-dt2c-native"
@@ -8,5 +8,6 @@ MACHINE_TFA_REQUIRE:fvp-base = "trusted-firmware-a-fvp-base.inc"
MACHINE_TFA_REQUIRE:juno = "trusted-firmware-a-juno.inc"
MACHINE_TFA_REQUIRE:sbsa-ref = "trusted-firmware-a-sbsa-ref.inc"
MACHINE_TFA_REQUIRE:sgi575 = "trusted-firmware-a-sgi575.inc"
MACHINE_TFA_REQUIRE:tc = "trusted-firmware-a-tc.inc"
require ${MACHINE_TFA_REQUIRE}
@@ -0,0 +1,88 @@
From 4d3ebb03b89b122af490824ca73287954a35bd07 Mon Sep 17 00:00:00 2001
From: Jamie Fox <jamie.fox@arm.com>
Date: Thu, 22 Aug 2024 16:54:45 +0100
Subject: [PATCH] Platform: corstone1000: Fix isolation L2 memory protection
The whole of the SRAM was configured unprivileged on this platform, so
the memory protection required for isolation level 2 was not present.
This patch changes the S_DATA_START to S_DATA_LIMIT MPU region to be
configured for privileged access only. It also reorders the MPU regions
so that the App RoT sub-region overlapping S_DATA has a higher region
number and so takes priority in the operation of the Armv6-M MPU.
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/30951]
---
.../arm/corstone1000/tfm_hal_isolation.c | 43 +++++++++----------
1 file changed, 21 insertions(+), 22 deletions(-)
diff --git a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
index 39b19c535..498f14ed2 100644
--- a/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
+++ b/platform/ext/target/arm/corstone1000/tfm_hal_isolation.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2024, Arm Limited. All rights reserved.
* Copyright (c) 2022 Cypress Semiconductor Corporation (an Infineon
* company) or an affiliate of Cypress Semiconductor Corporation. All rights
* reserved.
@@ -99,6 +99,26 @@ enum tfm_hal_status_t tfm_hal_set_up_static_boundaries(
return ret;
}
+ /* Set the RAM attributes. It is needed because the first region overlaps the whole
+ * SRAM and it has to be overridden.
+ * The RAM_MPU_REGION_BLOCK_1_SIZE and RAM_MPU_REGION_BLOCK_2_SIZE are calculated manually
+ * and added to the platform_region_defs compile definitions.
+ */
+ base = S_DATA_START;
+ limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE;
+ ret = configure_mpu(rnr++, base, limit,
+ XN_EXEC_NOT_OK, AP_RW_PRIV_ONLY);
+ if (ret != TFM_HAL_SUCCESS) {
+ return ret;
+ }
+
+ base = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE;
+ limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE + RAM_MPU_REGION_BLOCK_2_SIZE;
+ ret = configure_mpu(rnr++, base, limit,
+ XN_EXEC_NOT_OK, AP_RW_PRIV_ONLY);
+ if (ret != TFM_HAL_SUCCESS) {
+ return ret;
+ }
/* RW, ZI and stack as one region */
base = (uint32_t)&REGION_NAME(Image$$, TFM_APP_RW_STACK_START, $$Base);
@@ -133,27 +153,6 @@ enum tfm_hal_status_t tfm_hal_set_up_static_boundaries(
#endif
- /* Set the RAM attributes. It is needed because the first region overlaps the whole
- * SRAM and it has to be overridden.
- * The RAM_MPU_REGION_BLOCK_1_SIZE and RAM_MPU_REGION_BLOCK_2_SIZE are calculated manually
- * and added to the platform_region_defs compile definitions.
- */
- base = S_DATA_START;
- limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE;
- ret = configure_mpu(rnr++, base, limit,
- XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV);
- if (ret != TFM_HAL_SUCCESS) {
- return ret;
- }
-
- base = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE;
- limit = S_DATA_START + RAM_MPU_REGION_BLOCK_1_SIZE + RAM_MPU_REGION_BLOCK_2_SIZE;
- ret = configure_mpu(rnr++, base, limit,
- XN_EXEC_NOT_OK, AP_RW_PRIV_UNPRIV);
- if (ret != TFM_HAL_SUCCESS) {
- return ret;
- }
-
arm_mpu_enable();
#endif /* CONFIG_TFM_ENABLE_MEMORY_PROTECT */
--
2.25.1
@@ -35,6 +35,7 @@ SRC_URI:append:corstone1000 = " \
file://0013-CC312-ADAC-Add-PSA_WANT_ALG_SHA_256-definition.patch \
file://0014-Platform-CS1000-Add-crypto-configs-for-ADAC.patch \
file://0015-Platform-CS1000-Fix-platform-name-in-logs.patch \
file://0016-Platform-corstone1000-Fix-isolation-L2-memory-protection.patch \
file://0017-Platform-CS1000-Remove-unused-BL1-files.patch \
file://0018-Platform-CS1000-Remove-duplicated-metadata-write.patch \
file://0019-Platform-CS1000-Fix-compiler-switch-in-BL1.patch \
@@ -50,6 +51,16 @@ SRC_URI:append:corstone1000-mps3 = " \
file://0003-Fix-psa_key_handle_t-initialization.patch;patchdir=../tfm-psa-adac \
"
# TF-M ships patches for external dependencies that needs to be applied
apply_tfm_patches() {
find ${S}/lib/ext/qcbor -type f -name '*.patch' -print0 | sort -z | xargs -r -t -0 -n 1 patch -p1 -d ${S}/../qcbor/ -i
find ${S}/lib/ext/mbedcrypto -type f -name '*.patch' -print0 | sort -z | xargs -r -t -0 -n 1 patch -p1 -d ${S}/../mbedtls/ -i
find ${S}/lib/ext/mcuboot -type f -name '*.patch' -print0 | sort -z | xargs -r -t -0 -n 1 patch -p1 -d ${S}/../mcuboot/ -i
find ${S}/lib/ext/tf-m-tests -type f -name '*.patch' -print0 | sort -z | xargs -r -t -0 -n 1 patch -p1 -d ${S}/../tf-m-tests/ -i
}
do_patch[postfuncs] += "apply_tfm_patches"
do_install() {
install -D -p -m 0644 ${B}/bin/tfm_s_signed.bin ${D}/firmware/tfm_s_signed.bin
install -D -p -m 0644 ${B}/bin/bl2_signed.bin ${D}/firmware/bl2_signed.bin
@@ -68,7 +68,6 @@ SRC_URI:append = " \
file://0050-fwu-Use-metadata-v2.patch \
${@bb.utils.contains('MACHINE_FEATURES', 'corstone1000-extsys', \
'', 'file://0051-corstone1000-purge-remoteproc-dts-node.patch' , d)} \
file://0052-reserve-memory-for-se-comm.patch \
"
do_configure:append() {
@@ -4,4 +4,6 @@ SRC_URI:append = " \
file://0001-vexpress64-Set-the-DM_RNG-property.patch \
file://0002-vexpress64-Select-PSCI-RESET-by-default.patch \
file://0003-vexpress64-Imply-CONFIG_ARM64_CRC32-by-default.patch \
file://0004-arm-Move-sev-and-wfe-definitions-to-common-Arm-heade.patch \
file://0005-armv8-generic_timer-Use-event-stream-for-udelay.patch \
"
@@ -1,46 +0,0 @@
From 8fdd91630f335b71e55e570a011f07b083c47dd6 Mon Sep 17 00:00:00 2001
From: Emekcan Aras <emekcan.aras@arm.com>
Date: Mon, 10 Jul 2023 19:00:43 +0100
Subject: [PATCH] arm-bsp/u-boot: Reserve memory for RSS comm pointer access protocol
This memory was used by OpenAMP to establish communication between
the Secure Enclave and Trusted Services. After transitioning from
OpenAMP to RSE_COMMS, this shared memory is now configured for the
pointer access protocol in RSE_COMMS.
Since this memory may be still used by a user-space application
in linux as U-Boot is passing an EFI memory map starting from
0x80000000, this memory range should be reserved as the
pointer access protocol may be enabled on corstone1000 in the future.
Upstream-Status: Pending [Not submitted to upstream yet]
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
---
arch/arm/dts/corstone1000.dtsi | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/arch/arm/dts/corstone1000.dtsi b/arch/arm/dts/corstone1000.dtsi
index 0f8ad255ce..a71b89c025 100644
--- a/arch/arm/dts/corstone1000.dtsi
+++ b/arch/arm/dts/corstone1000.dtsi
@@ -45,6 +45,17 @@
lba = <65536>;
};
+ reserved-memory {
+ #address-cells = <2>;
+ #size-cells = <2>;
+ ranges;
+
+ smem_mem: smem_region@88000000 {
+ reg = <0x0 0x88000000 0x0 0x100000>;
+ no-map;
+ };
+ };
+
gic: interrupt-controller@1c000000 {
compatible = "arm,gic-400";
#interrupt-cells = <3>;
--
2.17.1
@@ -0,0 +1,84 @@
From b18a3c183d20812933d192d4b0d622b11ef2bf29 Mon Sep 17 00:00:00 2001
From: Peter Hoyes <Peter.Hoyes@arm.com>
Date: Wed, 1 May 2024 09:16:32 +0100
Subject: [PATCH] arm: Move sev() and wfe() definitions to common Arm header
file
The sev() and wfe() asm macros are currently defined only for
mach-exynos. As these are common Arm instructions, move them to the
common asm/system.h header file, for both Armv7 and Armv8, so they
can be used by other machines.
wfe may theoretically trigger a context switch if an interrupt occurs
so add a memory barrier to this call.
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Reviewed-by: Andre Przywara<andre.przywara@arm.com>
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
arch/arm/include/asm/system.h | 9 +++++++++
arch/arm/mach-exynos/include/mach/system.h | 19 -------------------
2 files changed, 9 insertions(+), 19 deletions(-)
diff --git a/arch/arm/include/asm/system.h b/arch/arm/include/asm/system.h
index 43f7503571d7..51123c296843 100644
--- a/arch/arm/include/asm/system.h
+++ b/arch/arm/include/asm/system.h
@@ -154,6 +154,13 @@ enum dcache_option {
"wfi" : : : "memory"); \
})
+#define wfe() \
+ ({asm volatile( \
+ "wfe" : : : "memory"); \
+ })
+
+#define sev() asm volatile("sev")
+
static inline unsigned int current_el(void)
{
unsigned long el;
@@ -369,6 +376,8 @@ void switch_to_hypervisor_ret(void);
#ifdef __ARM_ARCH_7A__
#define wfi() __asm__ __volatile__ ("wfi" : : : "memory")
+#define wfe() __asm__ __volatile__ ("wfe" : : : "memory")
+#define sev() __asm__ __volatile__ ("sev")
#else
#define wfi()
#endif
diff --git a/arch/arm/mach-exynos/include/mach/system.h b/arch/arm/mach-exynos/include/mach/system.h
index 5d0bebac5733..0aed4c3e2bf6 100644
--- a/arch/arm/mach-exynos/include/mach/system.h
+++ b/arch/arm/mach-exynos/include/mach/system.h
@@ -36,25 +36,6 @@ struct exynos5_sysreg {
#define USB20_PHY_CFG_HOST_LINK_EN (1 << 0)
-/*
- * This instruction causes an event to be signaled to all cores
- * within a multiprocessor system. If SEV is implemented,
- * WFE must also be implemented.
- */
-#define sev() __asm__ __volatile__ ("sev\n\t" : : );
-/*
- * If the Event Register is not set, WFE suspends execution until
- * one of the following events occurs:
- * - an IRQ interrupt, unless masked by the CPSR I-bit
- * - an FIQ interrupt, unless masked by the CPSR F-bit
- * - an Imprecise Data abort, unless masked by the CPSR A-bit
- * - a Debug Entry request, if Debug is enabled
- * - an Event signaled by another processor using the SEV instruction.
- * If the Event Register is set, WFE clears it and returns immediately.
- * If WFE is implemented, SEV must also be implemented.
- */
-#define wfe() __asm__ __volatile__ ("wfe\n\t" : : );
-
/* Move 0xd3 value to CPSR register to enable SVC mode */
#define svc32_mode_en() __asm__ __volatile__ \
("@ I&F disable, Mode: 0x13 - SVC\n\t" \
--
2.30.2
@@ -0,0 +1,105 @@
From ebc84d7b60c1ed3398e9f600fe3dc8406500bd35 Mon Sep 17 00:00:00 2001
From: Peter Hoyes <Peter.Hoyes@arm.com>
Date: Wed, 1 May 2024 09:16:33 +0100
Subject: [PATCH] armv8: generic_timer: Use event stream for udelay
Polling cntpct_el0 in a tight loop for delays is inefficient.
This is particularly apparent on Arm FVPs, which do not simulate
real time, meaning that a 1s sleep can take a couple of orders
of magnitude longer to execute in wall time.
If running at EL2 or above (where CNTHCTL_EL2 is available), enable
the cntpct_el0 event stream temporarily and use wfe to implement
the delay more efficiently. The event period is chosen as a
trade-off between efficiency and the fact that Arm FVPs do not
typically simulate real time.
This is only implemented for Armv8 boards, where an architectural
timer exists, and only enabled by default for the ARCH_VEXPRESS64
board family.
Signed-off-by: Peter Hoyes <Peter.Hoyes@arm.com>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
arch/arm/cpu/armv8/Kconfig | 8 ++++++++
arch/arm/cpu/armv8/generic_timer.c | 27 +++++++++++++++++++++++++++
arch/arm/include/asm/system.h | 6 ++++--
3 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/arch/arm/cpu/armv8/Kconfig b/arch/arm/cpu/armv8/Kconfig
index 9f0fb369f773..199335cd6040 100644
--- a/arch/arm/cpu/armv8/Kconfig
+++ b/arch/arm/cpu/armv8/Kconfig
@@ -191,6 +191,14 @@ config ARMV8_EA_EL3_FIRST
Exception handling at all exception levels for External Abort and
SError interrupt exception are taken in EL3.
+config ARMV8_UDELAY_EVENT_STREAM
+ bool "Use the event stream for udelay"
+ default y if ARCH_VEXPRESS64
+ help
+ Use the event stream provided by the AArch64 architectural timer for
+ delays. This is more efficient than the default polling
+ implementation.
+
menuconfig ARMV8_CRYPTO
bool "ARM64 Accelerated Cryptographic Algorithms"
diff --git a/arch/arm/cpu/armv8/generic_timer.c b/arch/arm/cpu/armv8/generic_timer.c
index e4aa5a474553..1de7ec596fc7 100644
--- a/arch/arm/cpu/armv8/generic_timer.c
+++ b/arch/arm/cpu/armv8/generic_timer.c
@@ -114,3 +114,30 @@ ulong timer_get_boot_us(void)
return val / get_tbclk();
}
+
+#if CONFIG_IS_ENABLED(ARMV8_UDELAY_EVENT_STREAM)
+void __udelay(unsigned long usec)
+{
+ u64 target = get_ticks() + usec_to_tick(usec);
+
+ /* At EL2 or above, use the event stream to avoid polling CNTPCT_EL0 so often */
+ if (current_el() >= 2) {
+ u32 cnthctl_val;
+ const u8 event_period = 0x7;
+
+ asm volatile("mrs %0, cnthctl_el2" : "=r" (cnthctl_val));
+ asm volatile("msr cnthctl_el2, %0" : : "r"
+ (cnthctl_val | CNTHCTL_EL2_EVNT_EN | CNTHCTL_EL2_EVNT_I(event_period)));
+
+ while (get_ticks() + (1ULL << event_period) <= target)
+ wfe();
+
+ /* Reset the event stream */
+ asm volatile("msr cnthctl_el2, %0" : : "r" (cnthctl_val));
+ }
+
+ /* Fall back to polling CNTPCT_EL0 */
+ while (get_ticks() <= target)
+ ;
+}
+#endif
diff --git a/arch/arm/include/asm/system.h b/arch/arm/include/asm/system.h
index 51123c296843..7e30cac32a09 100644
--- a/arch/arm/include/asm/system.h
+++ b/arch/arm/include/asm/system.h
@@ -69,8 +69,10 @@
/*
* CNTHCTL_EL2 bits definitions
*/
-#define CNTHCTL_EL2_EL1PCEN_EN (1 << 1) /* Physical timer regs accessible */
-#define CNTHCTL_EL2_EL1PCTEN_EN (1 << 0) /* Physical counter accessible */
+#define CNTHCTL_EL2_EVNT_EN BIT(2) /* Enable the event stream */
+#define CNTHCTL_EL2_EVNT_I(val) ((val) << 4) /* Event stream trigger bits */
+#define CNTHCTL_EL2_EL1PCEN_EN (1 << 1) /* Physical timer regs accessible */
+#define CNTHCTL_EL2_EL1PCTEN_EN (1 << 0) /* Physical counter accessible */
/*
* HCR_EL2 bits definitions
--
2.30.2
@@ -4,6 +4,7 @@ MACHINE_U-BOOT_REQUIRE ?= ""
MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
require ${MACHINE_U-BOOT_REQUIRE}
@@ -1,26 +0,0 @@
# Install EDK2 Base Tools in native sysroot. Currently the BaseTools are not
# built, they are just copied to native sysroot. This is sufficient for
# generating UEFI capsules as it only depends on some python scripts. Other
# tools need to be built first before adding to sysroot.
SUMMARY = "EDK2 Base Tools"
LICENSE = "BSD-2-Clause-Patent"
# EDK2
SRC_URI = "git://github.com/tianocore/edk2.git;branch=master;protocol=https"
LIC_FILES_CHKSUM = "file://License.txt;md5=2b415520383f7964e96700ae12b4570a"
SRCREV = "b158dad150bf02879668f72ce306445250838201"
UPSTREAM_CHECK_GITTAGREGEX = "^edk2-stable(?P<pver>\d+)$"
S = "${WORKDIR}/git"
inherit native
RDEPENDS:${PN} += "python3-core"
do_install () {
mkdir -p ${D}${bindir}/edk2-BaseTools
cp -r ${WORKDIR}/git/BaseTools/* ${D}${bindir}/edk2-BaseTools/
}
@@ -5,6 +5,3 @@ EDK2_PLATFORM_DSC = "Platform/ARM/SgiPkg/Sgi575/Sgi575.dsc"
EDK2_BIN_NAME = "BL33_AP_UEFI.fd"
COMPATIBLE_MACHINE = "sgi575"
FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
SRC_URI += " file://0001-Platform-Sgi-workaround-ArmFfaLib-error.patch;patchdir=edk2-platforms"
@@ -1,9 +0,0 @@
SRCREV_edk2 ?= "b158dad150bf02879668f72ce306445250838201"
SRCREV_edk2-platforms ?= "a3c898956a4d48dc5980336fa6ce6eeb23c4f72b"
SRC_URI += "file://0001-Platform-StMmRpmb-Fix-build.patch;patchdir=edk2-platforms"
# FIXME - clang is having issues with antlr
TOOLCHAIN:aarch64 = "gcc"
require recipes-bsp/uefi/edk2-firmware.inc
@@ -1,41 +0,0 @@
From b368ff0e774508b60c18bc19fbfaaa3910616e66 Mon Sep 17 00:00:00 2001
From: Jon Mason <jon.mason@arm.com>
Date: Wed, 2 Apr 2025 15:57:21 -0400
Subject: [PATCH] Platform/Sgi: workaround ArmFfaLib error
When attempting to build sgi575, the following error is encountered
| Active Platform = /builder/meta-arm/build/tmp/work/sgi575-poky-linux/edk2-firmware/202502/edk2/edk2-platforms/Platform/ARM/SgiPkg/Sgi575/Sgi575.dsc
|
|
| build.py...
| /builder/meta-arm/build/tmp/work/sgi575-poky-linux/edk2-firmware/202502/edk2/edk2-platforms/Platform/ARM/SgiPkg/Sgi575/Sgi575.dsc(...): error 4000: Instance of library class [ArmFfaLib] is not found
| in [/builder/meta-arm/build/tmp/work/sgi575-poky-linux/edk2-firmware/202502/edk2/ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf] [AARCH64]
| consumed by module [/builder/meta-arm/build/tmp/work/sgi575-poky-linux/edk2-firmware/202502/edk2/ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf]
|
|
This is because commit 9f9a3de9e4c5595cd42d14c705570887630209d8 in
edk2-firmware adds a reference to the ArmFfaLib in
ArmPkg/Drivers/MmCommunicationDxe/MmCommunication.inf
That file is referenced in Platform/ARM/SgiPkg/SgiPlatform.dsc.inc
To workaround this issue, add the ArmFfaLib to Sgi575.dsc.
Upstream-Status: Pending [https://github.com/tianocore/edk2-platforms/issues/761]
Signed-off-by: Jon Mason <jon.mason@arm.com>
---
Platform/ARM/SgiPkg/Sgi575/Sgi575.dsc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Platform/ARM/SgiPkg/Sgi575/Sgi575.dsc b/Platform/ARM/SgiPkg/Sgi575/Sgi575.dsc
index f29272778d73..30f2d1fd49a7 100644
--- a/Platform/ARM/SgiPkg/Sgi575/Sgi575.dsc
+++ b/Platform/ARM/SgiPkg/Sgi575/Sgi575.dsc
@@ -55,3 +55,6 @@
[Components.common]
Platform/ARM/SgiPkg/AcpiTables/Sgi575AcpiTables.inf
+
+[LibraryClasses.common.DXE_RUNTIME_DRIVER]
+ ArmFfaLib|ArmPkg/Library/ArmFfaLib/ArmFfaDxeLib.inf
@@ -1,38 +0,0 @@
From ee185eda7b7ec9a0c82827fea197fbb73d971f93 Mon Sep 17 00:00:00 2001
From: Ard Biesheuvel <ardb@kernel.org>
Date: Thu, 29 Aug 2024 21:21:50 +0200
Subject: [PATCH] Platform/StMmRpmb: Fix build
Add some missing library class resolutions relating to changes in the
core upstream EDK2 repo.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
.../PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc | 3 +++
1 file changed, 3 insertions(+)
Upstream-Status: Backport
diff --git a/Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc b/Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc
index 653029c52f..54c7a63b41 100644
--- a/Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc
+++ b/Platform/StandaloneMm/PlatformStandaloneMmPkg/PlatformStandaloneMmRpmb.dsc
@@ -41,11 +41,14 @@
ExtractGuidedSectionLib|EmbeddedPkg/Library/PrePiExtractGuidedSectionLib/PrePiExtractGuidedSectionLib.inf
FvLib|StandaloneMmPkg/Library/FvLib/FvLib.inf
HobLib|StandaloneMmPkg/Library/StandaloneMmCoreHobLib/StandaloneMmCoreHobLib.inf
+ HobPrintLib|MdeModulePkg/Library/HobPrintLib/HobPrintLib.inf
+ ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf
IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf
NULL|MdePkg/Library/BaseStackCheckLib/BaseStackCheckLib.inf
MemLib|StandaloneMmPkg/Library/StandaloneMmMemLib/StandaloneMmMemLib.inf
MemoryAllocationLib|StandaloneMmPkg/Library/StandaloneMmCoreMemoryAllocationLib/StandaloneMmCoreMemoryAllocationLib.inf
PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf
+ PeCoffGetEntryPointLib|MdePkg/Library/BasePeCoffGetEntryPointLib/BasePeCoffGetEntryPointLib.inf
PeCoffLib|MdePkg/Library/BasePeCoffLib/BasePeCoffLib.inf
PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf
VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
--
2.43.0
@@ -1,3 +1,2 @@
CONFIG_I2C=y
CONFIG_I2C_DESIGNWARE_CORE=y
CONFIG_I2C_DESIGNWARE_PLATFORM=y
@@ -18,7 +18,7 @@ The driver also supports control of multiple remote processors at the
same time.
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Upstream-Status: Denied [Agreement reached: https://lore.kernel.org/all/20241009094635.GA14639@e130802.arm.com/]
Upstream-Status: Submitted [cover letter: https://lore.kernel.org/all/20240301164227.339208-1-abdellatif.elkhlifi@arm.com/]
---
MAINTAINERS | 6 +
drivers/remoteproc/Kconfig | 18 ++
@@ -6,7 +6,7 @@ Subject: [PATCH 2/6] arm64: dts: Add corstone1000 external system device node
add device tree node for the external system core in Corstone-1000
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Upstream-Status: Denied [Agreement reached: https://lore.kernel.org/all/20241009094635.GA14639@e130802.arm.com/]
Upstream-Status: Submitted [cover letter: https://lore.kernel.org/all/20240301164227.339208-1-abdellatif.elkhlifi@arm.com/]
---
arch/arm64/boot/dts/arm/corstone1000.dtsi | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
@@ -6,7 +6,7 @@ Subject: [PATCH 3/6] dt-bindings: remoteproc: Add Arm remoteproc
introduce the bindings for Arm remoteproc support.
Signed-off-by: Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>
Upstream-Status: Denied [Agreement reached: https://lore.kernel.org/all/20241009094635.GA14639@e130802.arm.com/]
Upstream-Status: Submitted [cover letter: https://lore.kernel.org/all/20240301164227.339208-1-abdellatif.elkhlifi@arm.com/]
---
.../bindings/remoteproc/arm,rproc.yaml | 69 +++++++++++++++++++
MAINTAINERS | 1 +
@@ -90,6 +90,13 @@ COMPATIBLE_MACHINE:sgi575 = "sgi575"
KBUILD_DEFCONFIG:sgi575 = "defconfig"
KCONFIG_MODE:sgi575 = "--alldefconfig"
#
# Total Compute (TC0/TC1) KMACHINE
#
COMPATIBLE_MACHINE:tc = "(tc0|tc1)"
KBUILD_DEFCONFIG:tc = "defconfig"
KCONFIG_MODE:tc = "--alldefconfig"
#
# sbsa-ref KMACHINE
#
@@ -0,0 +1,28 @@
From 1410d9e9c3e73b1319b98be67ad00c7630c4cb2e Mon Sep 17 00:00:00 2001
From: Emekcan Aras <Emekcan.Aras@arm.com>
Date: Wed, 3 Apr 2024 16:05:07 +0100
Subject: [PATCH] increase tzdram size
Upstream-Status: Backport [https://github.com/OP-TEE/optee_os/commit/258b72d242cd1a8ae56c87f9572a0624084785c7]
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
---
core/arch/arm/plat-corstone1000/conf.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/arch/arm/plat-corstone1000/conf.mk b/core/arch/arm/plat-corstone1000/conf.mk
index 98347b143..c2dd71f05 100644
--- a/core/arch/arm/plat-corstone1000/conf.mk
+++ b/core/arch/arm/plat-corstone1000/conf.mk
@@ -34,7 +34,7 @@ CFG_TEE_CORE_NB_CORE ?= 1
CFG_TZDRAM_START ?= 0x02002000
# TEE_RAM (OPTEE kernel + DATA) + TA_RAM = 3MB
-CFG_TZDRAM_SIZE ?= 0x300000
+CFG_TZDRAM_SIZE ?= 0x340000
CFG_SHMEM_START ?= 0x86000000
CFG_SHMEM_SIZE ?= 0x00200000
--
2.25.1
@@ -1,30 +0,0 @@
From ce58e4d78dc7a4f3c3b08ee425461eb190d70543 Mon Sep 17 00:00:00 2001
From: Bence Balogh <bence.balogh@arm.com>
Date: Fri, 1 Nov 2024 00:45:53 +0100
Subject: [PATCH] plat-corstone1000: increase CFG_TZDRAM_SIZE
TZDRAM is a 4MB SRAM in Corstone-1000. Its start address is `0x0200_0000`
but the first 0x2000 bytes are reserved for future use. `CFG_TZDRAM_SIZE`
can be increased to `0x360000` so OP-TEE has more RAM.
Signed-off-by: Bence Balogh <bence.balogh@arm.com>
Upstream-Status: Pending
---
core/arch/arm/plat-corstone1000/conf.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/arch/arm/plat-corstone1000/conf.mk b/core/arch/arm/plat-corstone1000/conf.mk
index 9fa0729d5..745dc958a 100644
--- a/core/arch/arm/plat-corstone1000/conf.mk
+++ b/core/arch/arm/plat-corstone1000/conf.mk
@@ -34,7 +34,7 @@ CFG_TEE_CORE_NB_CORE ?= 1
CFG_TZDRAM_START ?= 0x02002000
# TEE_RAM (OP-TEE kernel + DATA) + TA_RAM
-CFG_TZDRAM_SIZE ?= 0x340000
+CFG_TZDRAM_SIZE ?= 0x360000
CFG_SHMEM_START ?= 0x86000000
CFG_SHMEM_SIZE ?= 0x00200000
--
2.25.1
@@ -0,0 +1,43 @@
From 2fadadf1075c95b2955f047fa0387b39612f7b30 Mon Sep 17 00:00:00 2001
From: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
Date: Thu, 30 May 2024 13:37:38 +0000
Subject: [PATCH] plat-corstone1000: Remove MMCOMM buffer address
Remove MMCOMM buffer address and mapping, as it is not being used anymore
Upstream-Status: Backport [In v3, https://github.com/OP-TEE/optee_os/commit/eaee88fbcac6dcc15fe1d1a758b53eb2b66cfc60]
Signed-off-by: Harsimran Singh Tungal <harsimransingh.tungal@arm.com>
---
core/arch/arm/plat-corstone1000/main.c | 1 -
core/arch/arm/plat-corstone1000/platform_config.h | 3 ---
2 files changed, 4 deletions(-)
diff --git a/core/arch/arm/plat-corstone1000/main.c b/core/arch/arm/plat-corstone1000/main.c
index b3861c4c8..61171b9a9 100644
--- a/core/arch/arm/plat-corstone1000/main.c
+++ b/core/arch/arm/plat-corstone1000/main.c
@@ -15,7 +15,6 @@
static struct pl011_data console_data __nex_bss;
register_ddr(DRAM0_BASE, DRAM0_SIZE);
-register_ddr(MM_COMM_BUF_BASE, MM_COMM_BUF_SIZE);
register_phys_mem_pgdir(MEM_AREA_IO_SEC, CONSOLE_UART_BASE, PL011_REG_SIZE);
register_phys_mem_pgdir(MEM_AREA_IO_SEC, GICD_BASE, GIC_DIST_REG_SIZE);
diff --git a/core/arch/arm/plat-corstone1000/platform_config.h b/core/arch/arm/plat-corstone1000/platform_config.h
index 6653d38bc..f59c93a14 100644
--- a/core/arch/arm/plat-corstone1000/platform_config.h
+++ b/core/arch/arm/plat-corstone1000/platform_config.h
@@ -26,9 +26,6 @@
#define GICD_BASE (GIC_BASE + GICD_OFFSET)
#define GICC_BASE (GIC_BASE + GICC_OFFSET)
-#define MM_COMM_BUF_BASE 0x02000000
-#define MM_COMM_BUF_SIZE 0x1000
-
#define UART_BAUDRATE 115200
#define CONSOLE_BAUDRATE UART_BAUDRATE
--
2.34.1
@@ -0,0 +1,46 @@
#!/bin/sh
# Source function library
. /etc/init.d/functions
NAME=tee-supplicant
PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="OP-TEE Supplicant"
DAEMON=@sbindir@/$NAME
test -f $DAEMON || exit 0
test -f @sysconfdir@/default/$NAME && . @sysconfdir@/default/$NAME
test -f @sysconfdir@/default/rcS && . @sysconfdir@/default/rcS
SSD_OPTIONS="--oknodo --quiet --exec $DAEMON -- -d $OPTARGS"
set -e
case $1 in
start)
echo -n "Starting $DESC: "
start-stop-daemon --start $SSD_OPTIONS
echo "${DAEMON##*/}."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop $SSD_OPTIONS
echo "${DAEMON##*/}."
;;
restart|force-reload)
$0 stop
sleep 1
$0 start
;;
status)
status ${DAEMON} || exit $?
;;
*)
echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2
exit 1
;;
esac
exit 0
@@ -0,0 +1,10 @@
[Unit]
Description=TEE Supplicant on %i
[Service]
User=root
EnvironmentFile=-@sysconfdir@/default/tee-supplicant
ExecStart=@sbindir@/tee-supplicant $OPTARGS
[Install]
WantedBy=basic.target
@@ -1,7 +1,8 @@
FILESEXTRAPATHS:prepend := "${THISDIR}/files/optee-os/corstone1000:"
SRC_URI:append = " \
file://0001-Handle-logging-syscall.patch \
file://0002-plat-corstone1000-increase-CFG_TZDRAM_SIZE.patch \
file://0002-increase-tzdram-size.patch \
file://0003-plat-corstone1000-Remove-MMCOMM-buffer-address.patch \
"
COMPATIBLE_MACHINE = "corstone1000"
@@ -1,65 +0,0 @@
From e5a4487e2b757d0063148691c7d06ae1c7e15b9a Mon Sep 17 00:00:00 2001
From: Emekcan Aras <emekcan.aras@arm.com>
Date: Tue, 18 Jun 2024 11:52:43 +0100
Subject: [PATCH] protobuf fix
Upstream-Status: Pending (not yet submitted to upstream)
Signed-off-by: Emekcan Aras <emekcan.aras@arm.com>
---
.../se-proxy/env/commonsp/se_proxy_sp.c | 25 ++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/deployments/se-proxy/env/commonsp/se_proxy_sp.c b/deployments/se-proxy/env/commonsp/se_proxy_sp.c
index a0eb03b6f..e2774c135 100644
--- a/deployments/se-proxy/env/commonsp/se_proxy_sp.c
+++ b/deployments/se-proxy/env/commonsp/se_proxy_sp.c
@@ -13,6 +13,7 @@
#include "trace.h"
#include "deployments/se-proxy/infra/service_proxy_factory.h"
#include "deployments/se-proxy/se_proxy_interfaces.h"
+#include <service/crypto/factory/crypto_provider_factory.h>
static bool sp_init(uint16_t *own_sp_id);
@@ -39,7 +40,7 @@ void __noreturn sp_main(union ffa_boot_info *boot_info)
goto fatal_error;
}
- rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 5, 16);
+ rpc_status = ts_rpc_endpoint_sp_init(&rpc_endpoint, 6, 16);
if (rpc_status != RPC_SUCCESS) {
EMSG("Failed to initialize RPC endpoint: %d", rpc_status);
goto fatal_error;
@@ -129,6 +130,28 @@ void __noreturn sp_main(union ffa_boot_info *boot_info)
goto fatal_error;
}
+ struct rpc_service_interface *crypto_iface_protobuf = NULL;
+ struct crypto_provider *crypto_protobuf_provider = NULL;
+
+ crypto_protobuf_provider = crypto_protobuf_provider_factory_create();
+ if (!crypto_protobuf_provider) {
+ EMSG("Failed to create crypto protobuf provider factory");
+ goto fatal_error;
+ }
+
+ crypto_iface_protobuf = service_provider_get_rpc_interface(
+ &crypto_protobuf_provider->base_provider);
+ if (!crypto_iface_protobuf) {
+ EMSG("Failed to create service provider RPC interface");
+ goto fatal_error;
+ }
+
+ rpc_status = ts_rpc_endpoint_sp_add_service(&rpc_endpoint, crypto_iface_protobuf);
+ if (rpc_status != RPC_SUCCESS) {
+ EMSG("Failed to add service to RPC endpoint: %d", rpc_status);
+ goto fatal_error;
+ }
+
while (1) {
ts_rpc_endpoint_sp_receive(&rpc_endpoint, &req_msg, &resp_msg);
--
2.25.1
@@ -1,29 +0,0 @@
From 71da6c0384fb241cadf052968e8dce9c357e4a33 Mon Sep 17 00:00:00 2001
From: Ali Can Ozaslan <ali.oezaslan@arm.com>
Date: Tue, 29 Apr 2025 07:52:14 +0000
Subject: [PATCH] Align PSA Crypto structs with TF-Mv2.1.1
The psa_client_key_attributes_s struct had to be aligned with the
psa_key_attributes_s struct in TF-M.
Signed-off-by: Ali Can Ozaslan <ali.oezaslan@arm.com>
Upstream-Status: Pending
---
components/service/crypto/include/psa/crypto_client_struct.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/components/service/crypto/include/psa/crypto_client_struct.h b/components/service/crypto/include/psa/crypto_client_struct.h
index ebc4008..f0c8cad 100644
--- a/components/service/crypto/include/psa/crypto_client_struct.h
+++ b/components/service/crypto/include/psa/crypto_client_struct.h
@@ -38,7 +38,6 @@ struct psa_client_key_attributes_s
uint32_t alg;
uint32_t alg2;
uint32_t id;
- int32_t owner_id;
};
#define PSA_CLIENT_KEY_ATTRIBUTES_INIT {0, 0, 0, 0, 0, 0}
--
2.34.1
@@ -21,8 +21,6 @@ SRC_URI:append:corstone1000 = " \
file://0017-Implement-Private-Authenticated-Variable-verificatio.patch \
file://0018-Make-RSS-and-MHU-sizes-compile-time-definitions-user.patch \
file://0019-Align-PSA-Crypto-with-TF-Mv2.1.patch \
file://0020-se-proxy-protobuf-change.patch \
file://0021-Align-PSA-Crypto-structs-with-TF-Mv2.1.1.patch \
"
# The patches above introduce errors with GCC 14.1, silence them for now
+1 -1
View File
@@ -5,6 +5,6 @@
part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label boot --active --align 1024 --use-uuid --part-name="ESP" --part-type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B --fixed-size 256M
part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --exclude-path boot/ ${IMAGE_ROOTFS_EXTRA_ARGS}
part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --exclude-path boot/
bootloader --ptable gpt --timeout=1 --append="${GRUB_LINUX_APPEND}"
+11
View File
@@ -0,0 +1,11 @@
# short-description: Create an EFI disk image
# long-description: Creates a partitioned EFI disk image that the user
# can directly dd to boot media. Uses a custom grub.cfg file to configure the boot.
part /boot --source bootimg-efi --sourceparams="loader=grub-efi" --ondisk sda --label msdos --active --align 1024
part / --source rootfs --ondisk sda --fstype=ext4 --label root --align 1024 --uuid=9c53a91b-e182-4ff1-aeac-6ee2c432ae94
part swap --ondisk sda --size 44 --label swap1 --fstype=swap
bootloader --ptable gpt --configfile="sgi575-grub.cfg" --timeout=5
+9
View File
@@ -0,0 +1,9 @@
set debug="loader,mm"
set term="vt100"
set default="0"
set timeout="1"
menuentry 'Arm reference image boot on sgi575' {
linux /Image acpi=force console=ttyAMA0,115200 ip=dhcp root=PARTUUID=9c53a91b-e182-4ff1-aeac-6ee2c432ae94 rootwait verbose debug
}
+1 -1
View File
@@ -8,7 +8,7 @@ BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
BBFILE_COLLECTIONS += "meta-arm-systemready"
BBFILE_PATTERN_meta-arm-systemready = "^${LAYERDIR}/"
LAYERSERIES_COMPAT_meta-arm-systemready = "styhead walnascar"
LAYERSERIES_COMPAT_meta-arm-systemready = "styhead"
LAYERDEPENDS_meta-arm-systemready = "core"
@@ -48,7 +48,7 @@ TEST_SUITES = "arm_systemready_ir_acs"
PV = "2.0.0"
PV_DATE = "23.03"
FULL_PV = "v${PV_DATE}_${PV}"
ARM_SYSTEMREADY_IR_ACS_BRANCH ?= "legacy_systemready"
ARM_SYSTEMREADY_IR_ACS_BRANCH ?= "main"
IMAGE_FILENAME = "ir-acs-live-image-generic-arm64-${PV}.wic"
SRC_URI = " \
https://github.com/ARM-software/arm-systemready/raw/${ARM_SYSTEMREADY_IR_ACS_BRANCH}/IR/prebuilt_images/${FULL_PV}/ir-acs-live-image-generic-arm64.wic.xz;name=acs-img;downloadfilename=${IMAGE_FILENAME}.xz \
+64
View File
@@ -6,6 +6,70 @@ This layer contains recipes for the prebuilt GNU Arm toolchains.
Information regarding contributing, reporting bugs, etc can be found in the
top-level meta-arm readme file.
Recipes for pre-built GNU Arm toolchain for Linux development are provided under
``recipes-devtools/external-arm-toolchain/``.
external-arm-toolchain.bb
~~~~~~~~~~~~~~~~~~~~~~~~~
This recipe provides support for pre-built GNU toolchains targeting processors
from the Arm Cortex-A family and implementing the Arm A-profile architecture.
Usage
^^^^^
In order to use any of pre-built Arm toolchain versions (8.2, 8.3, 9.2 and so
on), a user needs to download and untar tool-set on host machine at a particular
installation path eg: ``/opt/toolchain/``. Then user needs to specify following
in ``conf/local.conf`` in order to replace OE toolchain with pre-built GNU-A
toolchain:
TCMODE = "external-arm"
EXTERNAL_TOOLCHAIN = "<path-to-the-toolchain>"
- Eg. for AArch64 (eg. qemuarm64 machine in poky distro)
EXTERNAL_TOOLCHAIN = "\
<installation-path>/gcc-arm-9.2-2019.12-x86_64-aarch64-none-linux-gnu \
"
- Eg. for AArch32 (eg. qemuarm machine in poky distro)
EXTERNAL_TOOLCHAIN = "\
<installation-path>/gcc-arm-9.2-2019.12-x86_64-arm-none-linux-gnueabihf \
"
Supported distros and machines
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Since this pre-built GNU-A tool-set simply replaces OE toolchain, so it is
meant to be distro and machine agnostic as long as one is cross-compiling for
Arm A-profile architecture.
Tested distro and machines (for zeus stable release):
1. Distro: poky; machines: qemuarm and qemuarm64 (build and boot tested)
2. Distro: RPB; machines: dragonboard-410c (build and boot tested)
3. Distro: world; machines: qemuarm and qemuarm64. Build tested for following
layers:
- poky/meta
- poky/meta-poky
- poky/meta-yocto-bsp
- meta-openembedded/meta-oe
- meta-openembedded/meta-python
- meta-openembedded/meta-networking
SDK support
^^^^^^^^^^^
Pre-built toochain provides support to build OE SDK which has been tested using
following commands:
$ bitbake core-image-base -c populate_sdk
$ bitbake core-image-base -c testsdk
Note: Currently generated SDK only uses glibc provided by pre-built toolchain.
The cross compiler, binutils, gdb/gdbserver etc. are built from source.
This is something we would like to improve in future in order to package
most of the components from pre-built toolchain instead.
Pre-built Arm toolchain for bare-metal development
--------------------------------------------------
@@ -0,0 +1,134 @@
def eat_run(d, cmd, *args):
import bb.process
import subprocess
topdir = d.getVar('TOPDIR', True)
toolchain_path = d.getVar('EXTERNAL_TOOLCHAIN', True)
if not toolchain_path:
return 'UNKNOWN', 'UNKNOWN'
target_prefix = d.getVar('TARGET_PREFIX', True)
path = os.path.join(toolchain_path, 'bin', target_prefix + cmd)
args = [path] + list(args)
return bb.process.run(args, cwd=topdir, stderr=subprocess.PIPE)
def eat_get_version(d):
try:
stdout, stderr = eat_run(d, 'gcc', '-v')
except bb.process.CmdError as exc:
bb.error('Failed to obtain external Arm toolchain version: %s' % exc)
return 'UNKNOWN'
else:
last_line = stderr.splitlines()[-1]
return last_line
# Extract the YYYY.MM or release version
def eat_get_main_version(d):
version = eat_get_version(d)
bb.debug(2, 'Trying for parse version info from: %s' % version)
if version != 'UNKNOWN':
if version.split()[4] == '(Arm':
# gcc version 11.3.1 20220712 (Arm GNU Toolchain 11.3.Rel1)
return version.split()[7].split(')')[0]
elif version.split()[4] == '(GNU':
# gcc version 9.2.1 20191025 (GNU Toolchain for the A-profile Architecture 9.2-2019.12 (arm-9.10))
# gcc version 8.2.1 20180802 (GNU Toolchain for the A-profile Architecture 8.2-2018.11 (arm-rel-8.26))
return version.split()[10].split('-')[1]
elif version.split()[3] == '(GNU':
# gcc version 8.3.0 (GNU Toolchain for the A-profile Architecture 8.3-2019.03 (arm-rel-8.36))
return version.split()[9].split('-')[1]
else:
bb.error('Failed to parse external Arm toolchain version from: %s' % version)
else:
return version
# Extract the x.y.z version from 'gcc version 4.9.1'
def eat_get_gcc_version(d):
version = eat_get_version(d)
if version != 'UNKNOWN':
return version.split()[2]
else:
return version
def eat_get_libc_version(d):
import os,bb
import subprocess
syspath = bb.data.expand('${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}', d)
if not syspath:
return 'UNKNOWN'
topdir = d.getVar('TOPDIR', True)
lddpath = syspath + '/libc/usr/bin/ldd'
if os.path.exists(lddpath):
cmd = '/bin/sh ' + lddpath + ' --version'
try:
stdout, stderr = bb.process.run(cmd, cwd=topdir, stderr=subprocess.PIPE)
except bb.process.CmdError as exc:
bb.error('Failed to obtain external Arm libc version: %s' % exc)
return 'UNKNOWN'
else:
first_line = stdout.splitlines()[0]
return first_line.split()[2]
return 'UNKNOWN'
def eat_get_kernel_version(d):
import os,bb
syspath = bb.data.expand('${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}', d)
if not syspath:
return 'UNKNOWN'
vf = syspath + '/libc/usr/include/linux/version.h'
try:
f = open(vf, 'r')
except (OSError, IOError):
return 'UNKNOWN'
l = f.readlines();
f.close();
for s in l:
if s.find('LINUX_VERSION_CODE') > 0:
ver = int(s.split()[2])
maj = ver / 65536
ver = ver % 65536
min = ver / 256
ver = ver % 256
return str(maj)+'.'+str(min)+'.'+str(ver)
return 'UNKNOWN'
def eat_get_gdb_version(d):
try:
stdout, stderr = eat_run(d, 'gdb', '-v')
except bb.process.CmdError:
return 'UNKNOWN'
else:
first_line = stdout.splitlines()[0]
return first_line.split()[-1]
def eat_get_bfd_version(d):
try:
stdout, stderr = eat_run(d, 'as', '--version')
except bb.process.CmdError:
return 'UNKNOWN'
else:
first_line = stdout.splitlines()[0]
return first_line.split()[-1]
python external_arm_toolchain_version_handler () {
if not isinstance(e, bb.event.ConfigParsed):
return
d = e.data
ld = d.createCopy()
d.setVar('EAT_VER_MAIN', eat_get_main_version(ld))
d.setVar('EAT_VER_GCC', eat_get_gcc_version(ld))
d.setVar('EAT_VER_LIBC', eat_get_libc_version(ld))
d.setVar('EAT_VER_KERNEL', eat_get_kernel_version(ld))
d.setVar('EAT_VER_GDB', eat_get_gdb_version(ld))
d.setVar('EAT_VER_BFD', eat_get_bfd_version(ld))
}
addhandler external_arm_toolchain_version_handler
@@ -0,0 +1,124 @@
#
# Configuration to use an external Arm binary toolchain
#
EXTERNAL_TOOLCHAIN ?= "/usr/local/arm-binary-toolchain/${TARGET_ARCH}"
# oe-core passes this by default because it assumes GCC 13. This can be removed when Arm GCC is 13.1+.
DEBUG_PREFIX_MAP:remove = "-fcanon-prefix-map"
TOOLCHAIN_PATH_ADD = "${EXTERNAL_TOOLCHAIN}/bin:"
PATH =. "${TOOLCHAIN_PATH_ADD}"
EAT_TARGET_SYS:arm ?= "${@ 'arm-none-linux-gnueabihf' if os.path.exists('${EXTERNAL_TOOLCHAIN}/bin/arm-none-linux-gnueabihf-gcc') else 'arm-linux-gnueabihf'}"
EAT_TARGET_SYS:aarch64 ?= "${@ 'aarch64-none-linux-gnu' if os.path.exists('${EXTERNAL_TOOLCHAIN}/bin/aarch64-none-linux-gnu-gcc') else 'aarch64-linux-gnu'}"
EAT_TARGET_SYS = "${TARGET_SYS}"
TARGET_PREFIX = "${EAT_TARGET_SYS}-"
EAT_LIBDIR:arm = "lib"
EAT_LIBDIR:aarch64 = "lib64"
GCCMULTILIB:forcevariable = "--disable-multilib"
IMAGE_LINGUAS:forcevariable = ""
# Blacklist toolchain recipes as a belt-and-suspenders way to use the external toolchain
SKIP_RECIPE[glibc] = "Using external toolchain"
SKIP_RECIPE[libgcc] = "Using external toolchain"
SKIP_RECIPE[gcc-cross] = "Using external toolchain"
SKIP_RECIPE[gcc-cross-aarch64] = "Using external toolchain"
SKIP_RECIPE[gcc-cross-arm] = "Using external toolchain"
SKIP_RECIPE[gcc-runtime] = "Using external toolchain"
SKIP_RECIPE[gcc-sanitizers] = "Using external toolchain"
PREFERRED_PROVIDER_linux-libc-headers = "external-arm-toolchain"
PREFERRED_PROVIDER_linux-libc-headers-dev = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/${TARGET_PREFIX}gcc = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/${TARGET_PREFIX}gcc-initial = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/${TARGET_PREFIX}g++ = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/${TARGET_PREFIX}binutils = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/${TARGET_PREFIX}libc-for-gcc = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/${TARGET_PREFIX}compilerlibs = "external-arm-toolchain"
PREFERRED_PROVIDER_glibc = "external-arm-toolchain"
PREFERRED_PROVIDER_libgcc = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/libc = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/libc-locale = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/libintl = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/libiconv = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/crypt = "external-arm-toolchain"
PREFERRED_PROVIDER_glibc-thread-db = "external-arm-toolchain"
PREFERRED_PROVIDER_glibc-mtrace = "external-arm-toolchain"
PREFERRED_PROVIDER_libc-mtrace = "external-arm-toolchain"
PREFERRED_PROVIDER_virtual/linux-libc-headers = "external-arm-toolchain"
PREFERRED_PROVIDER_gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} ?= "external-arm-sdk-toolchain-${TRANSLATED_TARGET_ARCH}"
PREFERRED_PROVIDER_binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} ?= "external-arm-sdk-toolchain-${TRANSLATED_TARGET_ARCH}"
PREFERRED_PROVIDER_gdb-cross-canadian-${TRANSLATED_TARGET_ARCH} ?= "external-arm-sdk-toolchain-${TRANSLATED_TARGET_ARCH}"
TOOLCHAIN_OPTIONS = " --sysroot=${STAGING_DIR_HOST}"
DISTRO_FEATURES_LIBC = "ipv4 ipv6 libc-backtrace libc-big-macros libc-bsd libc-cxx-tests libc-catgets libc-crypt \
libc-crypt-ufc libc-db-aliases libc-envz libc-fcvt libc-fmtmsg libc-fstab libc-ftraverse \
libc-getlogin libc-idn libc-inet-anl libc-libm libc-libm-big \
libc-locales libc-locale-code libc-charsets \
libc-memusage libc-nis libc-nsswitch libc-rcmd libc-rtld-debug libc-spawn libc-streams libc-sunrpc \
libc-utmp libc-utmpx libc-wordexp libc-posix-clang-wchar libc-posix-regexp libc-posix-regexp-glibc \
libc-posix-wchar-io"
ENABLE_BINARY_LOCALE_GENERATION = "0"
GLIBC_INTERNAL_USE_BINARY_LOCALE = "precompiled"
LIBCOVERRIDE = ":libc-glibc"
LIBC_DEPENDENCIES:remove = "glibc-gconv-cp1252 glibc-gconv-ibm850 glibc-gconv-iso8859-1 glibc-gconv-iso8859-15 glibc-localedata-i18n"
ERROR_QA[type] ?= "list"
python toolchain_metadata_setup () {
import subprocess
if not isinstance(e, bb.event.ConfigParsed):
return
d = e.data
l = d.createCopy()
external_toolchain = l.getVar('EXTERNAL_TOOLCHAIN', True)
if not external_toolchain or external_toolchain == 'UNDEFINED':
bb.fatal("Error: EXTERNAL_TOOLCHAIN must be set to the path to your arm toolchain")
if not os.path.isabs(external_toolchain):
bb.fatal("Error: EXTERNAL_TOOLCHAIN path '%s' must be absolute path" % external_toolchain)
if not os.path.exists(external_toolchain):
bb.fatal("Error: EXTERNAL_TOOLCHAIN path '%s' does not exist" % external_toolchain)
# The external toolchain may not have been built with the oe-core preferred
# gnu hash setting, so ensure that the corresponding sanity check is not an error.
error_qa = oe.data.typed_value('ERROR_QA', l)
if 'ldflags' in error_qa:
error_qa.remove('ldflags')
d.setVar('ERROR_QA', ' '.join(error_qa))
}
addhandler toolchain_metadata_setup
def populate_toolchain_links(d):
import errno
import os
from glob import glob
d = d.createCopy()
pattern = bb.data.expand('${EXTERNAL_TOOLCHAIN}/bin/${TARGET_PREFIX}*', d)
files = glob(pattern)
if not files:
bb.fatal("Unable to populate toolchain binary symlinks")
bindir = d.getVar('STAGING_BINDIR_TOOLCHAIN', True)
bb.mkdirhier(bindir)
for f in files:
base = os.path.basename(f)
newpath = os.path.join(bindir, base)
try:
os.symlink(f, newpath)
except OSError as exc:
if exc.errno == errno.EEXIST:
break
bb.fatal("Unable to populate toolchain binary symlink for %s: %s" % (newpath, exc))
require conf/distro/include/external-arm-toolchain-versions.inc
+1 -1
View File
@@ -9,4 +9,4 @@ BBFILE_PATTERN_arm-toolchain := "^${LAYERDIR}/"
BBFILE_PRIORITY_arm-toolchain = "5"
LAYERDEPENDS_arm-toolchain = "core"
LAYERSERIES_COMPAT_arm-toolchain = "styhead walnascar"
LAYERSERIES_COMPAT_arm-toolchain = "styhead"
@@ -0,0 +1 @@
require ${@oe.utils.conditional('TCMODE', 'external-arm', 'grub-external-arm.inc', '', d)}
@@ -0,0 +1,5 @@
# grub uses --target triplet to find binutils binaries such as objcopy
# Since external-arm toolchain uses aarch64-none-linux-gnu triplet,
# OE-defined TARGET_SYS differs from EAT_TARGET_SYS used by external-arm
# toolchain, grub needs passing the correct --target to configure script
CONFIGUREOPTS:append:class-target = " --target=${EAT_TARGET_SYS}"
@@ -0,0 +1 @@
PACKAGECONFIG:remove = "${@bb.utils.contains('TCMODE', 'external-arm', 'libmount-mountfd-support', '' , d)}"
@@ -28,4 +28,4 @@ BBCLASSEXTEND = "native nativesdk"
# Skipping file deps - we don't control the dependencies for prebuilt libraries, resulting in
# nothing provides libcrypt.so.1()(64bit) needed by nativesdk-gcc-arm-none-eabi
# when packaged as RPM for SDK.
SKIP_FILEDEPS = "1"
SKIP_FILEDEPS="1"
@@ -0,0 +1,143 @@
inherit cross-canadian
require license.inc
PN = "external-arm-sdk-toolchain-${TARGET_ARCH}"
BPN = "external-arm-sdk-toolchain"
PV = "${EAT_VER_MAIN}"
INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
INHIBIT_PACKAGE_STRIP = "1"
INHIBIT_SYSROOT_STRIP = "1"
INHIBIT_DEFAULT_DEPS = "1"
EXCLUDE_FROM_SHLIBS = "1"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
# Skip packaging QA checks for prebuilt binaries
INSANE_SKIP:gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} = "dev-so staticdev file-rdeps libdir"
INSANE_SKIP:gdb-cross-canadian-${TRANSLATED_TARGET_ARCH} = "dev-so file-rdeps"
INSANE_SKIP:binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} = "dev-so file-rdeps"
# Skip file dependencies in RPM for prebuilt binaries
SKIP_FILEDEPS = "1"
PROVIDES = "\
gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} \
gdb-cross-canadian-${TRANSLATED_TARGET_ARCH} \
binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} \
"
PACKAGES = "\
gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} \
gdb-cross-canadian-${TRANSLATED_TARGET_ARCH} \
binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} \
"
# Adjust defaults in line with external toolchain
bindir = "${exec_prefix}/bin"
libdir = "${exec_prefix}/lib"
libexecdir = "${exec_prefix}/libexec"
datadir = "${exec_prefix}/share"
gcclibdir = "${libdir}/gcc"
FILES:gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} = "\
${prefix}/${EAT_TARGET_SYS}/lib/libstdc++.* \
${prefix}/${EAT_TARGET_SYS}/lib/libgcc_s.* \
${prefix}/${EAT_TARGET_SYS}/lib/libsupc++.* \
${prefix}/${EAT_TARGET_SYS}/include \
${gcclibdir}/${EAT_TARGET_SYS}/${EAT_VER_GCC}/* \
${bindir}/${TARGET_PREFIX}gcov \
${bindir}/${TARGET_PREFIX}gcc* \
${bindir}/${TARGET_PREFIX}g++ \
${bindir}/${TARGET_PREFIX}cpp \
${libexecdir}/* \
"
FILES:gdb-cross-canadian-${TRANSLATED_TARGET_ARCH} = "\
${bindir}/${TARGET_PREFIX}gdb* \
${datadir}/gdb/* \
"
FILES:binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} = "\
${prefix}/${EAT_TARGET_SYS}/bin/ld* \
${prefix}/${EAT_TARGET_SYS}/bin/objcopy \
${prefix}/${EAT_TARGET_SYS}/bin/strip \
${prefix}/${EAT_TARGET_SYS}/bin/nm \
${prefix}/${EAT_TARGET_SYS}/bin/ranlib \
${prefix}/${EAT_TARGET_SYS}/bin/as \
${prefix}/${EAT_TARGET_SYS}/bin/ar \
${prefix}/${EAT_TARGET_SYS}/bin/objdump \
${prefix}/${EAT_TARGET_SYS}/lib/ldscripts/* \
${bindir}/${TARGET_PREFIX}ld* \
${bindir}/${TARGET_PREFIX}addr2line \
${bindir}/${TARGET_PREFIX}objcopy \
${bindir}/${TARGET_PREFIX}readelf \
${bindir}/${TARGET_PREFIX}strip \
${bindir}/${TARGET_PREFIX}nm \
${bindir}/${TARGET_PREFIX}ranlib \
${bindir}/${TARGET_PREFIX}gprof \
${bindir}/${TARGET_PREFIX}as \
${bindir}/${TARGET_PREFIX}c++filt \
${bindir}/${TARGET_PREFIX}ar \
${bindir}/${TARGET_PREFIX}strings \
${bindir}/${TARGET_PREFIX}objdump \
${bindir}/${TARGET_PREFIX}size \
"
DESCRIPTION:gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} = "The GNU cc and gcc C compilers"
DESCRIPTION:gdb-cross-canadian-${TRANSLATED_TARGET_ARCH} = "gdb - GNU debugger"
DESCRIPTION:binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} = "A GNU collection of binary utilities"
LICENSE:gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} = "${EAT_GCC_LICENSE}"
LICENSE:gdb-cross-canadian-${TRANSLATED_TARGET_ARCH} = "${EAT_GDB_LICENSE}"
LICENSE:binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} = "${EAT_BFD_LICENSE}"
PKGV:gcc-cross-canadian-${TRANSLATED_TARGET_ARCH} = "${EAT_VER_GCC}"
PKGV:gdb-cross-canadian-${TRANSLATED_TARGET_ARCH} = "${EAT_VER_GDB}"
PKGV:binutils-cross-canadian-${TRANSLATED_TARGET_ARCH} = "${EAT_VER_BFD}"
do_install() {
install -d ${D}${prefix}/${EAT_TARGET_SYS}/bin
install -d ${D}${prefix}/${EAT_TARGET_SYS}/lib
install -d ${D}${prefix}/${EAT_TARGET_SYS}/include
install -d ${D}${bindir}
install -d ${D}${libdir}
install -d ${D}${prefix}/${EAT_TARGET_SYS}/lib/ldscripts
install -d ${D}${libexecdir}
install -d ${D}${datadir}/gdb
install -d ${D}${gcclibdir}/${EAT_TARGET_SYS}/${EAT_VER_GCC}/include
CP_ARGS="-Prf --preserve=mode,timestamps --no-preserve=ownership"
# gcc
for i in libstdc++.* libgcc_s.* libsupc++.*; do
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/${EAT_LIBDIR}/$i ${D}${prefix}/${EAT_TARGET_SYS}/lib
done
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/include/* ${D}${prefix}/${EAT_TARGET_SYS}/include
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/lib/gcc/${EAT_TARGET_SYS}/${EAT_VER_GCC}/* ${D}${gcclibdir}/${EAT_TARGET_SYS}/${EAT_VER_GCC}
for i in gcov gcc* g++ cpp; do
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/bin/${TARGET_PREFIX}$i ${D}${bindir}
done
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/libexec/* ${D}${libexecdir}
# gdb
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/bin/${TARGET_PREFIX}gdb* ${D}${bindir}
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/share/gdb/* ${D}${datadir}/gdb/
# binutils
for i in ld* objcopy strip nm ranlib as ar objdump; do
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/bin/$i ${D}${prefix}/${EAT_TARGET_SYS}/bin
done
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/lib/ldscripts/* ${D}${prefix}/${EAT_TARGET_SYS}/lib/ldscripts
for i in ld* addr2line objcopy readelf strip nm ranlib gprof as c++filt ar strings objdump size; do
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/bin/${TARGET_PREFIX}$i ${D}${bindir}
done
}
python () {
if not d.getVar("EAT_VER_MAIN", False):
raise bb.parse.SkipPackage("External ARM toolchain not configured (EAT_VER_MAIN not set).")
if d.getVar('TCLIBC', True) != "glibc":
raise bb.parse.SkipPackage("incompatible with %s" % d.getVar('TCLIBC', True))
}
@@ -0,0 +1,685 @@
require recipes-core/glibc/glibc-package.inc
require license.inc
INHIBIT_DEFAULT_DEPS = "1"
LIC_FILES_CHKSUM = "\
file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 \
"
PROVIDES += "\
linux-libc-headers \
virtual/${TARGET_PREFIX}gcc \
virtual/${TARGET_PREFIX}g++ \
virtual/${TARGET_PREFIX}gcc-initial \
virtual/${TARGET_PREFIX}binutils \
virtual/${TARGET_PREFIX}libc-for-gcc \
virtual/${TARGET_PREFIX}compilerlibs \
virtual/libc \
virtual/libintl \
virtual/libiconv \
virtual/crypt \
glibc-mtrace \
glibc-thread-db \
glibc \
libc-mtrace \
gcc-runtime \
libgcc \
libg2c \
libg2c-dev \
libssp \
libssp-dev \
libssp-staticdev \
libgfortran \
libgfortran-dev \
libgfortran-staticdev \
libmudflap \
libmudflap-dev \
libgomp \
libgomp-dev \
libgomp-staticdev \
libitm \
libitm-dev \
libitm-staticdev \
libquadmath \
libquadmath-dev \
libquadmath-staticdev \
virtual/linux-libc-headers \
libgcov-staticdev \
virtual/libc-locale \
"
PV = "${EAT_VER_MAIN}"
BINV = "${EAT_VER_GCC}"
SRC_URI = "file://SUPPORTED"
S = "${WORKDIR}/sources"
UNPACKDIR = "${S}"
do_install() {
# do_copy_locale expects SUPPORTED to be in WORKDIR, but recent
# changes have made it so that the source/unpack location is no
# longer WORKDIR and cannot be pointed to be such. So, do this
# copy manually here
install -m 0644 ${UNPACKDIR}/SUPPORTED ${WORKDIR}/SUPPORTED
# Add stubs for files OE-core expects
install -d ${S}/nscd/
touch ${S}/nscd/nscd.init
touch ${S}/nscd/nscd.conf
touch ${S}/nscd/nscd.service
touch ${S}/../makedbs.sh
install -d ${D}${base_libdir}
install -d ${D}${base_sbindir}
install -d ${D}${bindir}
install -d ${D}${sbindir}
install -d ${D}${libdir}
install -d ${D}${libexecdir}
install -d ${D}${datadir}
install -d ${D}${includedir}
install -d ${D}/include
install -d ${D}${libdir}/${TARGET_SYS}/${EAT_VER_GCC}
install -d ${D}${libdir}/gcc/${TARGET_SYS}/${EAT_VER_GCC}/include
CP_ARGS="-Prf --preserve=mode,timestamps --no-preserve=ownership"
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/${EAT_LIBDIR}/* ${D}${base_libdir}
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/${EAT_LIBDIR}/* ${D}${base_libdir}
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/usr/${EAT_LIBDIR}/* ${D}${libdir}
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/usr/share/* ${D}${datadir}
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/usr/include/* ${D}${includedir}
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/include/* ${D}${includedir}
if [ -d ${D}${includedir}/c++/${EAT_VER_GCC}/${EAT_TARGET_SYS} ]; then
mv ${D}${includedir}/c++/${EAT_VER_GCC}/${EAT_TARGET_SYS} ${D}${includedir}/c++/${EAT_VER_GCC}/${TARGET_SYS}
fi
ln -sf ../usr/include/c++ ${D}/include/c++
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/usr/bin/* ${D}${bindir}
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/usr/sbin/* ${D}${sbindir}
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/sbin/* ${D}${base_sbindir}
rm -rf ${D}${bindir}/gdbserver
sed -i -e 's#/arm/tools/gnu/bash/4.2/rhe6-x86_64##' ${D}${bindir}/tzselect
sed -i -e 's#/arm/tools/gnu/bash/4.2/rhe6-x86_64##' ${D}${bindir}/ldd
sed -i -e 's#/usr/bin/bash#/bin/sh#' ${D}${bindir}/tzselect
sed -i -e 's#/usr/bin/bash#/bin/sh#' ${D}${bindir}/ldd
sed -i -e 's#/bin/bash#/bin/sh#' ${D}${bindir}/tzselect
sed -i -e 's#/bin/bash#/bin/sh#' ${D}${bindir}/ldd
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/lib/gcc/${EAT_TARGET_SYS}/${EAT_VER_GCC}/crt*.o ${D}${libdir}/${TARGET_SYS}/${EAT_VER_GCC}/
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/lib/gcc/${EAT_TARGET_SYS}/${EAT_VER_GCC}/libgcc* ${D}${libdir}/${TARGET_SYS}/${EAT_VER_GCC}/
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/lib/gcc/${EAT_TARGET_SYS}/${EAT_VER_GCC}/libgcov* ${D}${libdir}/gcc/${TARGET_SYS}/${EAT_VER_GCC}/
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/lib/gcc/${EAT_TARGET_SYS}/${EAT_VER_GCC}/include/ssp ${D}${libdir}/gcc/${TARGET_SYS}/${EAT_VER_GCC}/include || true
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/lib/gcc/${EAT_TARGET_SYS}/${EAT_VER_GCC}/include/sanitizers ${D}${libdir}/gcc/${TARGET_SYS}/${EAT_VER_GCC}/include || true
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/lib/gcc/${EAT_TARGET_SYS}/${EAT_VER_GCC}/include/quadmath* ${D}${libdir}/gcc/${TARGET_SYS}/${EAT_VER_GCC}/include || true
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/lib/gcc/${EAT_TARGET_SYS}/${EAT_VER_GCC}/include/omp.h ${D}${libdir}/gcc/${TARGET_SYS}/${EAT_VER_GCC}/include || true
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/lib/gcc/${EAT_TARGET_SYS}/${EAT_VER_GCC}/include/openacc.h ${D}${libdir}/gcc/${TARGET_SYS}/${EAT_VER_GCC}/include || true
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/lib/gcc/${EAT_TARGET_SYS}/${EAT_VER_GCC}/finclude ${D}${libdir}/gcc/${TARGET_SYS}/${EAT_VER_GCC}/
# fix up the copied symlinks (they are still pointing to the multiarch directory)
linker_name="${@bb.utils.contains("TUNE_FEATURES", "aarch64", "ld-linux-aarch64.so.1", bb.utils.contains("TUNE_FEATURES", "callconvention-hard", "ld-linux-armhf.so.3", "ld-linux.so.3",d), d)}"
if [ -f ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/${EAT_LIBDIR}/ld-${EAT_VER_LIBC}.so ]; then
ln -sf ld-${EAT_VER_LIBC}.so ${D}${base_libdir}/${linker_name}
else
cp ${CP_ARGS} ${EXTERNAL_TOOLCHAIN}/${EAT_TARGET_SYS}/libc/lib/${linker_name} ${D}${base_libdir}/
fi
ln -sf ../../lib/librt.so.1 ${D}${libdir}/librt.so
ln -sf ../../lib/libcrypt.so.1 ${D}${libdir}/libcrypt.so
ln -sf ../../lib/libresolv.so.2 ${D}${libdir}/libresolv.so
ln -sf ../../lib/libnss_hesiod.so.2 ${D}${libdir}/libnss_hesiod.so
ln -sf ../../lib/libutil.so.1 ${D}${libdir}/libutil.so
ln -sf ../../lib/libBrokenLocale.so.1 ${D}${libdir}/libBrokenLocale.so
ln -sf ../../lib/libpthread.so.0 ${D}${libdir}/libpthread.so
ln -sf ../../lib/libthread_db.so.1 ${D}${libdir}/libthread_db.so
ln -sf ../../lib/libanl.so.1 ${D}${libdir}/libanl.so
ln -sf ../../lib/libdl.so.2 ${D}${libdir}/libdl.so
ln -sf ../../lib/libnss_db.so.2 ${D}${libdir}/libnss_db.so
ln -sf ../../lib/libnss_dns.so.2 ${D}${libdir}/libnss_dns.so
ln -sf ../../lib/libnss_files.so.2 ${D}${libdir}/libnss_files.so
ln -sf ../../lib/libnss_compat.so.2 ${D}${libdir}/libnss_compat.so
ln -sf ../../lib/libm.so.6 ${D}${libdir}/libm.so
ln -sf ../../lib/libc_malloc_debug.so.0 ${D}${libdir}/libc_malloc_debug.so
# remove potential .so duplicates from base_libdir
# for all symlinks created above in libdir
rm -f ${D}${base_libdir}/librt.so
rm -f ${D}${base_libdir}/libcrypt.so
rm -f ${D}${base_libdir}/libresolv.so
rm -f ${D}${base_libdir}/libnss_hesiod.so
rm -f ${D}${base_libdir}/libutil.so
rm -f ${D}${base_libdir}/libBrokenLocale.so
rm -f ${D}${base_libdir}/libpthread.so
rm -f ${D}${base_libdir}/libthread_db.so
rm -f ${D}${base_libdir}/libanl.so
rm -f ${D}${base_libdir}/libdl.so
rm -f ${D}${base_libdir}/libnss_db.so
rm -f ${D}${base_libdir}/libnss_dns.so
rm -f ${D}${base_libdir}/libnss_files.so
rm -f ${D}${base_libdir}/libnss_compat.so
rm -f ${D}${base_libdir}/libm.so
# Move these completely to ${libdir} and delete duplicates in ${base_libdir}
for lib in asan hwasan atomic gfortran gomp itm lsan sanitizer stdc++ tsan ubsan; do
if [ -e ${D}${base_libdir}/lib${lib}.spec ] ; then
mv ${D}${base_libdir}/lib${lib}.spec ${D}${libdir}
fi
if [ -e ${D}${base_libdir}/lib${lib}.a ] ; then
mv ${D}${base_libdir}/lib${lib}.a ${D}${libdir}
fi
rm -f ${D}${base_libdir}/lib${lib}*
done
# Clean up duplicate libs that are both in base_libdir and libdir
rm -f ${D}${libdir}/libgcc*
# Besides ld-${EAT_VER_LIBC}.so, other libs can have duplicates like lib*-${EAT_VER_LIBC}.so
# Only remove them if both are regular files and are identical
for i in ${D}${base_libdir}/lib*-${EAT_VER_LIBC}.so; do
if [ ! -e $i ] ; then
continue
fi
f=$(echo $i | sed 's/-${EAT_VER_LIBC}//')
l=$(ls $f.*)
if [ $(readlink -f $i ) = $l ]; then
echo "$i is a symlink of $l, keep it"
elif [ $(readlink -f $l ) = $i ]; then
echo "$l is a symlink of $i, keep it"
else
cmp -s $i $l
if [ $? -eq 0 ]; then
echo "$i is a duplicate of $l, remove it"
rm $i
else
echo "$i and $l are different files, keep them both"
fi
fi
done
if [ -d ${D}${base_libdir}/arm-linux-gnueabi ]; then
rm -rf ${D}${base_libdir}/arm-linux-gnueabi
fi
if [ -d ${D}${base_libdir}/ldscripts ]; then
rm -rf ${D}${base_libdir}/ldscripts
fi
# Provided by libnsl2
rm -rf ${D}${includedir}/rpcsvc/yppasswd.*
# Provided by quota
rm -rf ${D}${includedir}/rpcsvc/rquota.*
if [ -f ${D}${libdir}/libc.so ];then
sed -i -e "s# /${EAT_LIBDIR}/${EAT_TARGET_SYS}# ../../${EAT_LIBDIR}#g" -e "s# /usr/${EAT_LIBDIR}/# /usr/lib/#g" -e "s# /usr/${EAT_LIBDIR}/${EAT_TARGET_SYS}# .#g" -e "s# /${EAT_LIBDIR}/ld-linux# ../../${EAT_LIBDIR}/ld-linux#g" ${D}${libdir}/libc.so
sed -i -e "s# /${EAT_LIBDIR}/libc.so.6# /lib/libc.so.6#g" ${D}${libdir}/libc.so
sed -i -e "s# /lib# ../../lib#g" -e "s# /usr/lib# .#g" ${D}${libdir}/libc.so
fi
if [ -f ${D}${base_libdir}/libc.so ];then
sed -i -e "s# /${EAT_LIBDIR}/${EAT_TARGET_SYS}# ../../lib#g" -e "s# /usr/${EAT_LIBDIR}/${EAT_TARGET_SYS}# .#g" -e "s# /${EAT_LIBDIR}/# /lib/#g" ${D}${base_libdir}/libc.so
if [ -f ${D}${base_libdir}/libc.so.6 ]; then
sed -i -e "s# /usr/${EAT_LIBDIR}/libc.so.6# /lib/libc.so.6#g" -e "s# /${EAT_LIBDIR}/libc.so.6# /lib/libc.so.6#g" ${D}${base_libdir}/libc.so.6
fi
fi
# Remove if empty
rmdir ${D}${bindir} || true
rmdir ${D}${sbindir} || true
rmdir ${D}${base_sbindir} || true
rmdir ${D}${libexecdir} || true
# Remove unused /usr/share/info/dir
rm -f ${D}${infodir}/dir
}
# External toolchain doesn't provide multilib support so make corresponding
# install API as an empty API to avoid an unnecessary errors.
oe_multilib_header () {
return
}
PACKAGES_DYNAMIC = "^locale-base-.* \
^glibc-gconv-.* ^glibc-charmap-.* ^glibc-localedata-.* ^glibc-binary-localedata-.* \
^${MLPREFIX}glibc-gconv$"
# PACKAGES is split up according to the 'source' recipes/includes in OE-core
# Stylistic differences are kept to make copy/pasting easier.
# From gcc-runtime.inc
PACKAGES += "\
gcc-runtime-dbg \
libstdc++ \
libstdc++-precompile-dev \
libstdc++-dev \
libstdc++-staticdev \
libg2c \
libg2c-dev \
libssp \
libssp-dev \
libssp-staticdev \
libmudflap \
libmudflap-dev \
libmudflap-staticdev \
libquadmath \
libquadmath-dev \
libquadmath-staticdev \
libgomp \
libgomp-dev \
libgomp-staticdev \
libatomic \
libatomic-dev \
libatomic-staticdev \
libitm \
libitm-dev \
libitm-staticdev \
"
# From gcc-sanitizers.inc
PACKAGES += "gcc-sanitizers gcc-sanitizers-dbg"
PACKAGES += "libasan libubsan liblsan libtsan"
PACKAGES += "libasan-dev libubsan-dev liblsan-dev libtsan-dev"
PACKAGES += "libasan-staticdev libubsan-staticdev liblsan-staticdev libtsan-staticdev"
# From libgfortran.inc:
PACKAGES += "\
libgfortran-dbg \
libgfortran \
libgfortran-dev \
libgfortran-staticdev \
"
# libgcc.inc uses ${PN}, so replace that
PACKAGES += "\
libgcc \
libgcc-dev \
libgcc-dbg \
"
# ... and the leftovers
PACKAGES =+ "\
${PN}-mtrace \
libgcov-staticdev \
linux-libc-headers \
linux-libc-headers-dev \
"
# Re-order PACKAGES list in order to shift ${PN}-dev towards the end as
# it is meant to pick up remaining dev libraries and headers that aren't
# picked up by other packages. And since some static libraries needs to
# be packaged in ${PN}-dev, so we need to keep ${PN}-staticdev later in
# order.
PACKAGES := "${@oe.utils.str_filter_out('${PN}-dev', '${PACKAGES}', d)}"
PACKAGES := "${@oe.utils.str_filter_out('${PN}-staticdev', '${PACKAGES}', d)}"
PACKAGES += "\
${PN}-dev \
${PN}-staticdev \
"
INSANE_SKIP += " 32bit-time"
INSANE_SKIP:${PN}-dbg = "staticdev"
INSANE_SKIP:${PN}-utils += "ldflags"
INSANE_SKIP:libstdc++ += "ldflags"
INSANE_SKIP:libgfortran += "ldflags"
INSANE_SKIP:libgcc += "ldflags dev-deps"
INSANE_SKIP:libgcc-dev += "staticdev"
INSANE_SKIP:libgfortran += "ldflags dev-deps"
INSANE_SKIP:libstdc++ += "ldflags dev-deps"
INSANE_SKIP:libatomic += "ldflags"
INSANE_SKIP:libasan += "ldflags"
INSANE_SKIP:libubsan += "ldflags"
INSANE_SKIP:libssp += "ldflags"
INSANE_SKIP:libgomp += "ldflags"
INSANE_SKIP:libitm += "ldflags"
INSANE_SKIP:gdbserver += "ldflags"
# OE-core has literally listed 'glibc' in LIBC_DEPENDENCIES :/
RPROVIDES:${PN} = "glibc rtld(GNU_HASH)"
# Add runtime provides for the other libc* packages as well
RPROVIDES:${PN}-dev = "glibc-dev"
RPROVIDES:${PN}-doc = "glibc-doc"
RPROVIDES:${PN}-dbg = "glibc-dbg"
RPROVIDES:${PN}-pic = "glibc-pic"
RPROVIDES:${PN}-utils = "glibc-utils"
RPROVIDES:${PN}-mtrace = "glibc-mtrace libc-mtrace"
PKG:${PN} = "glibc"
PKG:${PN}-dev = "glibc-dev"
PKG:${PN}-doc = "glibc-doc"
PKG:${PN}-dbg = "glibc-dbg"
PKG:${PN}-pic = "glibc-pic"
PKG:${PN}-utils = "glibc-utils"
PKG:${PN}-mtrace = "glibc-mtrace"
PKG:${PN}-gconv = "glibc-gconv"
PKG:${PN}-extra-nss = "glibc-extra-nss"
PKG:${PN}-thread-db = "glibc-thread-db"
PKG:${PN}-pcprofile = "glibc-pcprofile"
PKG:${PN}-staticdev = "glibc-staticdev"
PKGV = "${EAT_VER_LIBC}"
PKGV:${PN} = "${EAT_VER_LIBC}"
PKGV:${PN}-dev = "${EAT_VER_LIBC}"
PKGV:${PN}-doc = "${EAT_VER_LIBC}"
PKGV:${PN}-dbg = "${EAT_VER_LIBC}"
PKGV:${PN}-pic = "${EAT_VER_LIBC}"
PKGV:${PN}-utils = "${EAT_VER_LIBC}"
PKGV:${PN}-mtrace = "${EAT_VER_LIBC}"
PKGV:${PN}-gconv = "${EAT_VER_LIBC}"
PKGV:${PN}-extra-nss = "${EAT_VER_LIBC}"
PKGV:${PN}-thread-db = "${EAT_VER_LIBC}"
PKGV:${PN}-pcprofile = "${EAT_VER_LIBC}"
PKGV:${PN}-staticdev = "${EAT_VER_LIBC}"
PKGV:catchsegv = "${EAT_VER_LIBC}"
PKGV:glibc-extra-nss = "${EAT_VER_LIBC}"
PKGV:glibc-thread-db = "${EAT_VER_LIBC}"
PKGV:libmemusage = "${EAT_VER_LIBC}"
PKGV:libsegfault = "${EAT_VER_LIBC}"
PKGV:libsotruss = "${EAT_VER_LIBC}"
PKGV:sln = "${EAT_VER_LIBC}"
PKGV:nscd = "${EAT_VER_LIBC}"
PKGV:ldd = "${EAT_VER_LIBC}"
PKGV:libasan-dev = "${EAT_VER_GCC}"
PKGV:libasan = "${EAT_VER_GCC}"
PKGV:libasan-staticdev = "${EAT_VER_GCC}"
PKGV:libatomic-dev = "${EAT_VER_GCC}"
PKGV:libatomic = "${EAT_VER_GCC}"
PKGV:libatomic-staticdev = "${EAT_VER_GCC}"
PKGV:libg2c-dev = "${EAT_VER_GCC}"
PKGV:libg2c = "${EAT_VER_GCC}"
PKGV:libgcc-dev = "${EAT_VER_GCC}"
PKGV:libgcc = "${EAT_VER_GCC}"
PKGV:libgfortran-dbg = "${EAT_VER_GCC}"
PKGV:libgfortran-dev = "${EAT_VER_GCC}"
PKGV:libgfortran = "${EAT_VER_GCC}"
PKGV:libgfortran-staticdev = "${EAT_VER_GCC}"
PKGV:libgomp-dev = "${EAT_VER_GCC}"
PKGV:libgomp = "${EAT_VER_GCC}"
PKGV:libgomp-staticdev = "${EAT_VER_GCC}"
PKGV:libitm-dev = "${EAT_VER_GCC}"
PKGV:libitm = "${EAT_VER_GCC}"
PKGV:libitm-staticdev = "${EAT_VER_GCC}"
PKGV:liblsan-dev = "${EAT_VER_GCC}"
PKGV:liblsan = "${EAT_VER_GCC}"
PKGV:liblsan-staticdev = "${EAT_VER_GCC}"
PKGV:libmudflap-dev = "${EAT_VER_GCC}"
PKGV:libmudflap = "${EAT_VER_GCC}"
PKGV:libmudflap-staticdev = "${EAT_VER_GCC}"
PKGV:libquadmath-dev = "${EAT_VER_GCC}"
PKGV:libquadmath = "${EAT_VER_GCC}"
PKGV:libquadmath-staticdev = "${EAT_VER_GCC}"
PKGV:libssp-dev = "${EAT_VER_GCC}"
PKGV:libssp = "${EAT_VER_GCC}"
PKGV:libssp-staticdev = "${EAT_VER_GCC}"
PKGV:libstdc++-dbg = "${EAT_VER_GCC}"
PKGV:libstdc++-dev = "${EAT_VER_GCC}"
PKGV:libstdc++ = "${EAT_VER_GCC}"
PKGV:libstdc++-precompile-dev = "${EAT_VER_GCC}"
PKGV:libstdc++-staticdev = "${EAT_VER_GCC}"
PKGV:libtsan-dev = "${EAT_VER_GCC}"
PKGV:libtsan = "${EAT_VER_GCC}"
PKGV:libtsan-staticdev = "${EAT_VER_GCC}"
PKGV:libubsan-dev = "${EAT_VER_GCC}"
PKGV:libubsan = "${EAT_VER_GCC}"
PKGV:libubsan-staticdev = "${EAT_VER_GCC}"
PKGV:linux-libc-headers-dev = "${EAT_VER_KERNEL}"
PKGV:linux-libc-headers = "${EAT_VER_KERNEL}"
PKGV:gdbserver = "${EAT_VER_GDBSERVER}"
ALLOW_EMPTY:${PN}-mtrace = "1"
FILES:${PN}-mtrace = "${bindir}/mtrace"
FILES:libgcov-staticdev = "${libdir}/gcc/${TARGET_SYS}/${BINV}/libgcov.a"
FILES:libsegfault = "${base_libdir}/libSegFault*"
FILES:catchsegv = "${bindir}/catchsegv"
RDEPENDS:catchsegv = "libsegfault"
# From libgfortran.inc:
FILES:libgfortran = "${libdir}/libgfortran.so.*"
FILES:libgfortran-dev = "\
${libdir}/libgfortran*.so \
${libdir}/libgfortran.spec \
${libdir}/libgfortran.la \
${libdir}/gcc/${TARGET_SYS}/${BINV}/libgfortranbegin.* \
${libdir}/gcc/${TARGET_SYS}/${BINV}/libcaf_single* \
${libdir}/gcc/${TARGET_SYS}/${BINV}/finclude/ \
"
FILES:libgfortran-staticdev = "${libdir}/libgfortran.a"
# From gcc-sanitizers.inc:
FILES:libasan += "${libdir}/libasan.so.* ${libdir}/libhwasan.so.*"
FILES:libasan-dev += "\
${libdir}/libasan_preinit.o \
${libdir}/libasan.so \
${libdir}/libhwasan.so \
${libdir}/libasan.la \
"
FILES:libasan-staticdev += "${libdir}/libasan.a \
${libdir}/libhwasan.a \
"
FILES:libubsan += "${libdir}/libubsan.so.*"
FILES:libubsan-dev += "\
${libdir}/libubsan.so \
${libdir}/libubsan.la \
"
FILES:libubsan-staticdev += "${libdir}/libubsan.a"
FILES:liblsan += "${libdir}/liblsan.so.*"
FILES:liblsan-dev += "\
${libdir}/liblsan.so \
${libdir}/liblsan.la \
${libdir}/liblsan_preinit.o \
"
FILES:liblsan-staticdev += "${libdir}/liblsan.a"
FILES:libtsan += "${libdir}/libtsan.so.*"
FILES:libtsan-dev += "\
${libdir}/libtsan.so \
${libdir}/libtsan.la \
${libdir}/libtsan_*.o \
"
FILES:libtsan-staticdev += "${libdir}/libtsan.a"
FILES:gcc-sanitizers = "${libdir}/*.spec ${libdir}/gcc/${TARGET_SYS}/${BINV}/include/sanitizer/*.h"
# From libgcc.inc:
FILES:libgcc = "${base_libdir}/libgcc_s.so.1"
FILES:libgcc-dev = "\
${base_libdir}/libgcc*.so \
${@oe.utils.conditional('BASETARGET_SYS', '${TARGET_SYS}', '', '${libdir}/${BASETARGET_SYS}', d)} \
${libdir}/${TARGET_SYS}/${BINV}* \
${libdir}/${TARGET_ARCH}${TARGET_VENDOR}* \
"
FILES:linux-libc-headers = ""
FILES:linux-libc-headers-dev = "\
${includedir}/asm* \
${includedir}/linux \
${includedir}/mtd \
${includedir}/rdma \
${includedir}/scsi \
${includedir}/sound \
${includedir}/video \
"
FILES:${PN} += "\
${libdir}/bin \
${libdir}/locale \
${libdir}/gconv/gconv-modules \
${datadir}/zoneinfo \
${base_libdir}/libcrypt*.so.* \
${base_libdir}/libcrypt-*.so \
${base_libdir}/libc.so.* \
${base_libdir}/libc-*.so \
${base_libdir}/libm.so.* \
${base_libdir}/libmemusage.so \
${base_libdir}/libm-*.so \
${base_libdir}/ld*.so.* \
${base_libdir}/ld-*.so \
${base_libdir}/libpthread*.so.* \
${base_libdir}/libpthread*.so \
${base_libdir}/libpthread-*.so \
${base_libdir}/libresolv*.so.* \
${base_libdir}/libresolv-*.so \
${base_libdir}/librt*.so.* \
${base_libdir}/librt-*.so \
${base_libdir}/libutil*.so.* \
${base_libdir}/libutil-*.so \
${base_libdir}/libnss_files*.so.* \
${base_libdir}/libnss_files-*.so \
${base_libdir}/libnss_compat*.so.* \
${base_libdir}/libnss_compat-*.so \
${base_libdir}/libnss_dns*.so.* \
${base_libdir}/libnss_dns-*.so \
${base_libdir}/libnss_nis*.so.* \
${base_libdir}/libnss_nisplus-*.so \
${base_libdir}/libnss_nisplus*.so.* \
${base_libdir}/libnss_nis-*.so \
${base_libdir}/libnss_hesiod*.so.* \
${base_libdir}/libnss_hesiod-*.so \
${base_libdir}/libdl*.so.* \
${base_libdir}/libdl-*.so \
${base_libdir}/libanl*.so.* \
${base_libdir}/libanl-*.so \
${base_libdir}/libBrokenLocale*.so.* \
${base_libdir}/libBrokenLocale-*.so \
${base_libdir}/libthread_db*.so.* \
${base_libdir}/libthread_db-*.so \
${base_libdir}/libmemusage.so \
${base_libdir}/libSegFault.so \
${base_libdir}/libpcprofile.so \
"
FILES:${PN}-dbg += "${base_libdir}/debug"
# From gcc-runtime.inc
# include python debugging scripts
FILES:gcc-runtime-dbg += "\
${libdir}/libstdc++.so.*-gdb.py \
${datadir}/gcc-${BINV}/python/libstdcxx \
"
FILES:libg2c = "${target_libdir}/libg2c.so.*"
SUMMARY:libg2c = "Companion runtime library for g77"
FILES:libg2c-dev = "\
${libdir}/libg2c.so \
${libdir}/libg2c.a \
${libdir}/libfrtbegin.a \
"
SUMMARY:libg2c-dev = "Companion runtime library for g77 - development files"
FILES:libstdc++ = "${libdir}/libstdc++.so.*"
SUMMARY:libstdc++ = "GNU standard C++ library"
FILES:libstdc++-dev = "\
/include/c++ \
${includedir}/c++/ \
${libdir}/libstdc++.so \
${libdir}/libstdc++*.la \
${libdir}/libsupc++.la \
"
SUMMARY:libstdc++-dev = "GNU standard C++ library - development files"
FILES:libstdc++-staticdev = "\
${libdir}/libstdc++*.a \
${libdir}/libsupc++.a \
"
SUMMARY:libstdc++-staticdev = "GNU standard C++ library - static development files"
FILES:libstdc++-precompile-dev = "${includedir}/c++/${TARGET_SYS}/bits/*.gch"
SUMMARY:libstdc++-precompile-dev = "GNU standard C++ library - precompiled header files"
FILES:libssp = "${libdir}/libssp.so.*"
SUMMARY:libssp = "GNU stack smashing protection library"
FILES:libssp-dev = "\
${libdir}/libssp*.so \
${libdir}/libssp*_nonshared.a \
${libdir}/libssp*.la \
${libdir}/gcc/${TARGET_SYS}/${BINV}/include/ssp \
"
SUMMARY:libssp-dev = "GNU stack smashing protection library - development files"
FILES:libssp-staticdev = "${libdir}/libssp*.a"
SUMMARY:libssp-staticdev = "GNU stack smashing protection library - static development files"
FILES:libquadmath = "${libdir}/libquadmath*.so.*"
SUMMARY:libquadmath = "GNU quad-precision math library"
FILES:libquadmath-dev = "\
${libdir}/gcc/${TARGET_SYS}/${BINV}/include/quadmath* \
${libdir}/libquadmath*.so \
${libdir}/libquadmath.la \
"
SUMMARY:libquadmath-dev = "GNU quad-precision math library - development files"
FILES:libquadmath-staticdev = "${libdir}/libquadmath.a"
SUMMARY:libquadmath-staticdev = "GNU quad-precision math library - static development files"
# NOTE: mudflap has been removed as of gcc 4.9 and has been superseded by the address sanitiser
FILES:libmudflap = "${libdir}/libmudflap*.so.*"
SUMMARY:libmudflap = "Pointer debugging library for gcc"
FILES:libmudflap-dev = "\
${libdir}/libmudflap*.so \
${libdir}/libmudflap.la \
"
SUMMARY:libmudflap-dev = "Pointer debugging library for gcc - development files"
FILES:libmudflap-staticdev = "${libdir}/libmudflap.a"
SUMMARY:libmudflap-staticdev = "Pointer debugging library for gcc - static development files"
FILES:libgomp = "${libdir}/libgomp*${SOLIBS}"
SUMMARY:libgomp = "GNU OpenMP parallel programming library"
FILES:libgomp-dev = "\
${libdir}/libgomp*${SOLIBSDEV} \
${libdir}/libgomp*.la \
${libdir}/libgomp.spec \
${libdir}/gcc/${TARGET_SYS}/${BINV}/include/omp.h \
${libdir}/gcc/${TARGET_SYS}/${BINV}/include/openacc.h \
"
SUMMARY:libgomp-dev = "GNU OpenMP parallel programming library - development files"
FILES:libgomp-staticdev = "${libdir}/libgomp*.a"
SUMMARY:libgomp-staticdev = "GNU OpenMP parallel programming library - static development files"
FILES:libatomic = "${libdir}/libatomic.so.*"
SUMMARY:libatomic = "GNU C++11 atomics support library"
FILES:libatomic-dev = "\
${libdir}/libatomic.so \
${libdir}/libatomic.la \
"
SUMMARY:libatomic-dev = "GNU C++11 atomics support library - development files"
FILES:libatomic-staticdev = "${libdir}/libatomic.a"
SUMMARY:libatomic-staticdev = "GNU C++11 atomics support library - static development files"
FILES:libitm = "${libdir}/libitm.so.*"
SUMMARY:libitm = "GNU transactional memory support library"
FILES:libitm-dev = "\
${libdir}/libitm.so \
${libdir}/libitm.la \
${libdir}/libitm.spec \
"
SUMMARY:libitm-dev = "GNU transactional memory support library - development files"
FILES:libitm-staticdev = "${libdir}/libitm.a"
SUMMARY:libitm-staticdev = "GNU transactional memory support library - static development files"
EAT_VER_MAIN ??= ""
python () {
if not d.getVar("EAT_VER_MAIN", False):
raise bb.parse.SkipPackage("External ARM toolchain not configured (EAT_VER_MAIN not set).")
if d.getVar('TCLIBC', True) != "glibc":
raise bb.parse.SkipPackage("incompatible with %s" % d.getVar('TCLIBC', True))
}
@@ -0,0 +1,79 @@
LICENSE = "GPL-3.0-with-GCC-exception & GPL-3.0-only & GPL-2.0-only & LGPL-3.0-only & LGPL-2.1-only & LGPL-2.0-only"
EAT_BFD_LICENSE = "GPL-3.0-only"
EAT_GCC_LICENSE = "GPL-3.0-with-GCC-exception & GPL-3.0-only"
EAT_GDB_LICENSE = "GPL-3.0-only"
EAT_LIBC_LICENSE = "GPL-2.0-only & LGPL-2.1-only"
EAT_RLE_LICENSE = "GPL-3.0-with-GCC-exception"
LICENSE:${PN} = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-dev = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-doc = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-dbg = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-pic = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-utils = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-mtrace = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-gconv = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-extra-nss = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-thread-db = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-pcprofile = "${EAT_LIBC_LICENSE}"
LICENSE:${PN}-staticdev = "${EAT_LIBC_LICENSE}"
LICENSE:catchsegv = "${EAT_LIBC_LICENSE}"
LICENSE:glibc-extra-nss = "${EAT_LIBC_LICENSE}"
LICENSE:glibc-thread-db = "${EAT_LIBC_LICENSE}"
LICENSE:libmemusage = "${EAT_LIBC_LICENSE}"
LICENSE:libsegfault = "${EAT_LIBC_LICENSE}"
LICENSE:libsotruss = "${EAT_LIBC_LICENSE}"
LICENSE:sln = "${EAT_LIBC_LICENSE}"
LICENSE:nscd = "${EAT_LIBC_LICENSE}"
LICENSE:ldd = "${EAT_LIBC_LICENSE}"
LICENSE:libasan-dev = "${EAT_GCC_LICENSE}"
LICENSE:libasan = "${EAT_GCC_LICENSE}"
LICENSE:libasan-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:libatomic-dev = "${EAT_GCC_LICENSE}"
LICENSE:libatomic = "${EAT_GCC_LICENSE}"
LICENSE:libatomic-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:libg2c-dev = "${EAT_GCC_LICENSE}"
LICENSE:libg2c = "${EAT_GCC_LICENSE}"
LICENSE:libgcc-dev = "${EAT_GCC_LICENSE}"
LICENSE:libgcc = "${EAT_GCC_LICENSE}"
LICENSE:libgfortran-dbg = "${EAT_GCC_LICENSE}"
LICENSE:libgfortran-dev = "${EAT_GCC_LICENSE}"
LICENSE:libgfortran = "${EAT_GCC_LICENSE}"
LICENSE:libgfortran-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:libgomp-dev = "${EAT_GCC_LICENSE}"
LICENSE:libgomp = "${EAT_GCC_LICENSE}"
LICENSE:libgomp-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:libitm-dev = "${EAT_GCC_LICENSE}"
LICENSE:libitm = "${EAT_GCC_LICENSE}"
LICENSE:libitm-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:liblsan-dev = "${EAT_GCC_LICENSE}"
LICENSE:liblsan = "${EAT_GCC_LICENSE}"
LICENSE:liblsan-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:libmudflap-dev = "${EAT_GCC_LICENSE}"
LICENSE:libmudflap = "${EAT_GCC_LICENSE}"
LICENSE:libmudflap-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:libquadmath-dev = "${EAT_GCC_LICENSE}"
LICENSE:libquadmath = "${EAT_GCC_LICENSE}"
LICENSE:libquadmath-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:libssp-dev = "${EAT_GCC_LICENSE}"
LICENSE:libssp = "${EAT_GCC_LICENSE}"
LICENSE:libssp-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:libstdc++-dbg = "${EAT_GCC_LICENSE}"
LICENSE:libstdc++-dev = "${EAT_GCC_LICENSE}"
LICENSE:libstdc++ = "${EAT_GCC_LICENSE}"
LICENSE:libstdc++-precompile-dev = "${EAT_GCC_LICENSE}"
LICENSE:libstdc++-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:libtsan-dev = "${EAT_GCC_LICENSE}"
LICENSE:libtsan = "${EAT_GCC_LICENSE}"
LICENSE:libtsan-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:libubsan-dev = "${EAT_GCC_LICENSE}"
LICENSE:libubsan = "${EAT_GCC_LICENSE}"
LICENSE:libubsan-staticdev = "${EAT_GCC_LICENSE}"
LICENSE:linux-libc-headers-dev = "GPL-2.0-only"
LICENSE:linux-libc-headers = "GPL-2.0-only"
LICENSE:gdbserver = "GPL-2.0-only & GPL-3.0-only & LGPL-2.0-only & LGPL-3.0-only"
+1 -1
View File
@@ -31,7 +31,7 @@ EXTRA_IMAGEDEPENDS += "${FVP_PROVIDER}"
IMAGE_CLASSES += "image-artifact-names"
IMAGE_POSTPROCESS_COMMAND += "do_write_fvpboot_conf"
IMAGE_POSTPROCESS_COMMAND += "do_write_fvpboot_conf;"
python do_write_fvpboot_conf() {
# Note that currently this JSON file is in development and the format may
# change at any point, so it should always be used with a matching runfvp.
+1 -1
View File
@@ -33,7 +33,7 @@ DEPENDS += "trusted-firmware-m-scripts-native"
# python3-cryptography needs the legacy provider, so set OPENSSL_MODULES to the
# right path until this is relocated automatically.
export OPENSSL_MODULES = "${STAGING_LIBDIR_NATIVE}/ossl-modules"
export OPENSSL_MODULES="${STAGING_LIBDIR_NATIVE}/ossl-modules"
# The arguments passed to the TF-M image signing script. Override this variable
# in an image recipe to customize the arguments.
+1 -1
View File
@@ -13,7 +13,7 @@ LAYERDEPENDS_meta-arm = " \
core \
arm-toolchain \
"
LAYERSERIES_COMPAT_meta-arm = "styhead walnascar"
LAYERSERIES_COMPAT_meta-arm = "styhead"
# runfvp --console needs telnet, so pull this in for testimage.
HOSTTOOLS_NONFATAL += "telnet"
@@ -18,7 +18,7 @@ QB_KERNEL_ROOT = "/dev/vda2"
IMAGE_FSTYPES += "wic wic.qcow2"
WKS_FILE ?= "qemuarm64.wks"
WKS_FILE_DEPENDS:append = " trusted-firmware-a"
WKS_FILE_DEPENDS = "trusted-firmware-a"
IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
MACHINE_FEATURES += "optee-ftpm"
+2 -1
View File
@@ -29,7 +29,8 @@ def cli_from_config(config, terminal_choice):
if terminal_choice != "none" and name:
# TODO if raw mode
# cli.extend(["--parameter", f"{terminal}.mode=raw"])
cli.extend(["--parameter", f"{terminal}.terminal_command={terminals[terminal_choice].command.format(name=name)}"])
# TODO put name into terminal title
cli.extend(["--parameter", f"{terminal}.terminal_command={terminals[terminal_choice].command}"])
else:
# Disable terminal
cli.extend(["--parameter", f"{terminal}.start_telnet=0"])
+3 -3
View File
@@ -53,7 +53,7 @@ class Terminals:
terminals = Terminals()
# TODO: option to switch between telnet and netcat
connect_command = "telnet localhost %port"
terminals.add_terminal(2, "tmux", f"tmux new-window -n \"{{name}} - %title\" \"{connect_command}\"")
terminals.add_terminal(2, "gnome-terminal", f"gnome-terminal --window --title \"{{name}} - %title\" --command \"{connect_command}\"")
terminals.add_terminal(1, "xterm", f"xterm -title \"{{name}} - %title\" -e {connect_command}")
terminals.add_terminal(2, "tmux", f"tmux new-window -n \"%title\" \"{connect_command}\"")
terminals.add_terminal(2, "gnome-terminal", f"gnome-terminal --window --title \"%title\" --command \"{connect_command}\"")
terminals.add_terminal(1, "xterm", f"xterm -title \"%title\" -e {connect_command}")
terminals.add_terminal(0, "none", None)
+1 -1
View File
@@ -12,7 +12,7 @@ class OpteeTestSuite(OERuntimeTestCase):
"""
Run OP-TEE tests (xtest).
"""
@OETimeout(2700)
@OETimeout(1300)
@OEHasPackage(['optee-test'])
def test_opteetest_xtest(self):
# clear storage before executing tests
@@ -4,7 +4,7 @@ LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=bb63326febfb5fb909226c8e7ebcef5c"
SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/mark/boot-wrapper-aarch64.git;branch=master;protocol=https"
SRCREV = "ac6742520ded1da30d500f74e8affe86e27cabd5"
SRCREV = "5e3760073454c72f3458805a1b7a89ecf80353cb"
# boot-wrapper doesn't make releases
UPSTREAM_CHECK_COMMITS = "1"
@@ -0,0 +1,29 @@
From 745294ffa9bb9296eb4250f24dd0ae8115fadd7a Mon Sep 17 00:00:00 2001
From: Jon Mason <jon.mason@arm.com>
Date: Thu, 27 Oct 2022 20:10:09 +0000
Subject: [PATCH] work around visibility issue
gn commit 46b572ce4ceedfe57f4f84051bd7da624c98bf01 "fixed" the
visibility field not applying to public configs. This caused dtc to
have issues due to libfdt and others not being specified. Due to the
number, it was cleaner to remove the visibility field (which defaults to
everything being visible).
Upstream-Status: Pending [Not submitted to upstream yet]
Signed-off-by: Jon Mason <jon.mason@arm.com>
---
BUILD.gn | 1 -
1 file changed, 1 deletion(-)
diff --git a/BUILD.gn b/BUILD.gn
index f55560c540de..d60c3e37135b 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -5,7 +5,6 @@
# https://opensource.org/licenses/BSD-3-Clause.
config("libfdt_config") {
- visibility = [ ":gtest" ]
include_dirs = [
"libfdt",
"hafnium_inc",
@@ -16,8 +16,9 @@ inherit deploy python3native pkgconfig ${CLANGNATIVE}
SRC_URI = "gitsm://git.trustedfirmware.org/hafnium/hafnium.git;protocol=https;branch=master \
file://0001-arm-hafnium-fix-kernel-tool-linking.patch \
file://0001-Use-pkg-config-native-to-find-the-libssl-headers.patch;patchdir=third_party/linux \
file://0001-work-around-visibility-issue.patch;patchdir=third_party/dtc \
"
SRCREV = "2cf2ca7c4b81ab18e9cd363d9a5c8288e2a94fda"
SRCREV = "2bef7ab3895c48d39b84ab58179b2d0de5156b8b"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build"
@@ -1,4 +1,4 @@
From 8b4b14943de92a2c7f8b328c2de75771493b7d18 Mon Sep 17 00:00:00 2001
From b298400a5783453f64d8bebbd92db2c84c4a49fd Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@arm.com>
Date: Mon, 10 Jul 2023 14:09:16 +0100
Subject: [PATCH] OPTEE Private Includes
@@ -11,14 +11,14 @@ For some reason this behaviour isn't deterministic, a ticket has been filed with
Upstream-Status: Pending
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
product/optee/common/module/console/CMakeLists.txt | 2 +-
product/optee/common/module/mbx/CMakeLists.txt | 2 +-
module/optee/console/CMakeLists.txt | 2 +-
module/optee/mbx/CMakeLists.txt | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/product/optee/common/module/console/CMakeLists.txt b/product/optee/common/module/console/CMakeLists.txt
diff --git a/module/optee/console/CMakeLists.txt b/module/optee/console/CMakeLists.txt
index aebb7cc79766..942aa98c85ff 100644
--- a/product/optee/common/module/console/CMakeLists.txt
+++ b/product/optee/common/module/console/CMakeLists.txt
--- a/module/optee/console/CMakeLists.txt
+++ b/module/optee/console/CMakeLists.txt
@@ -14,7 +14,7 @@ target_include_directories(${SCP_MODULE_TARGET}
# Those includes are needed for mutex definitnion that is used in optee_smt
# notification
@@ -28,10 +28,10 @@ index aebb7cc79766..942aa98c85ff 100644
"${SCP_OPTEE_DIR}/core/include/"
"${SCP_OPTEE_DIR}/lib/libutils/ext/include/"
"${SCP_OPTEE_DIR}/lib/libutee/include/")
diff --git a/product/optee/common/module/mbx/CMakeLists.txt b/product/optee/common/module/mbx/CMakeLists.txt
diff --git a/module/optee/mbx/CMakeLists.txt b/module/optee/mbx/CMakeLists.txt
index 305fa42b7370..783a7970c2d5 100644
--- a/product/optee/common/module/mbx/CMakeLists.txt
+++ b/product/optee/common/module/mbx/CMakeLists.txt
--- a/module/optee/mbx/CMakeLists.txt
+++ b/module/optee/mbx/CMakeLists.txt
@@ -15,7 +15,7 @@ target_include_directories(${SCP_MODULE_TARGET}
# Those includes are needed for mutex defifitnion that is used in optee_smt
# notification
@@ -12,7 +12,7 @@ SRC_URI = "${SRC_URI_SCP_FIRMWARE};branch=${SRCBRANCH} \
"
SRCBRANCH = "main"
SRCREV = "25681b34bdc838b7231e0056e3ef5164e8005382"
SRCREV = "3267f2964114a56faaf46a40704be6ca78240725"
PROVIDES += "virtual/control-processor-firmware"
@@ -1,25 +0,0 @@
# Description, License, and version from tools/cot_dt2c/pyproject.toml in TF-A source
DESCRIPTION = "CoT-dt2c Tool is a python script to convert CoT DT file into corresponding C file"
LICENSE = "BSD-3-Clause"
SRC_URI_TRUSTED_FIRMWARE_A ?= "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https"
SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A};branch=${SRCBRANCH}"
LIC_FILES_CHKSUM = "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1"
# Use cot-dt2c from TF-A v2.12.0
SRCREV = "4ec2948fe3f65dba2f19e691e702f7de2949179c"
SRCBRANCH = "master"
inherit python_poetry_core
BBCLASSEXTEND = "native nativesdk"
S = "${UNPACKDIR}/git"
# Dependencies of plotly and igraph are not needed for the standard case
RDEPENDS:${PN} += "python3-click \
python3-pydevicetree \
python3-pyparsing \
"
PEP517_SOURCE_PATH = "${S}/tools/cot_dt2c"
@@ -10,7 +10,7 @@ Enables testing boot without TPM device to see that
missing TPM is detected further up the SW stack and correct
fallback actions are taken.
Upstream-Status: Submitted [https://review.trustedfirmware.org/c/TF-A/trusted-firmware-a/+/36514]
Upstream-Status: Pending
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
@@ -9,8 +9,8 @@ SRC_URI_TRUSTED_FIRMWARE_A ?= "git://git.trustedfirmware.org/TF-A/trusted-firmwa
SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A};destsuffix=fiptool-${PV};branch=${SRCBRANCH}"
LIC_FILES_CHKSUM = "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
# Use fiptool from TF-A v2.10.9
SRCREV = "7e63213601425c7a6d83e47dc936b264deb9df2b"
# Use fiptool from TF-A v2.10.4
SRCREV = "569e16caad976a0684147da1ecc6333fd9b7f813"
SRCBRANCH = "lts-v2.10"
DEPENDS += "openssl-native"
@@ -7,11 +7,11 @@ LICENSE = "BSD-3-Clause"
SRC_URI_TRUSTED_FIRMWARE_A ?= "git://git.trustedfirmware.org/TF-A/trusted-firmware-a.git;protocol=https"
SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A};destsuffix=fiptool-${PV};branch=${SRCBRANCH}"
LIC_FILES_CHKSUM = "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1"
LIC_FILES_CHKSUM = "file://docs/license.rst;md5=b5fbfdeb6855162dded31fadcd5d4dc5"
# Use fiptool from TF-A v2.12.1
SRCREV = "8cf9edba5cc3ec11ed5463f206aa5819f7fdbade"
SRCBRANCH = "lts-v2.12"
# Use fiptool from TF-A v2.11.0
SRCREV = "f2735ebccf5173f74c0458736ec526276106097e"
SRCBRANCH = "master"
DEPENDS += "openssl-native"
@@ -11,7 +11,9 @@ SRC_URI_TRUSTED_FIRMWARE_A_TESTS ?= "git://git.trustedfirmware.org/TF-A/tf-a-tes
SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A_TESTS};branch=${SRCBRANCH} \
"
SRCBRANCH = "master"
SRCREV = "6a113621a9efdc143e9270b1789046cd7d9cdfb1"
SRCREV = "42b99719d5dde58bdde07712bcb70a20d87f9067"
DEPENDS += "optee-os"
EXTRA_OEMAKE += "USE_NVM=0"
EXTRA_OEMAKE += "SHELL_COLOR=1"
@@ -33,7 +35,7 @@ B = "${WORKDIR}/build"
EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
# Requires CROSS_COMPILE set by hand as there is no configure script
export CROSS_COMPILE = "${TARGET_PREFIX}"
export CROSS_COMPILE="${TARGET_PREFIX}"
LDFLAGS[unexport] = "1"
do_compile() {
@@ -8,9 +8,12 @@ inherit deploy
COMPATIBLE_MACHINE ?= "invalid"
SRC_URI_TRUSTED_FIRMWARE_A_TESTS ?= "git://git.trustedfirmware.org/TF-A/tf-a-tests.git;protocol=https"
SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A_TESTS};nobranch=1"
SRC_URI = "${SRC_URI_TRUSTED_FIRMWARE_A_TESTS};branch=${SRCBRANCH} \
"
SRCBRANCH = "master"
SRCREV = "8917cf8b5eeb409b63256076d0dc35c60930ce18"
SRCREV = "fd053b75cde9c2aa1a5b979a2b544890510d4f52"
DEPENDS += "optee-os"
EXTRA_OEMAKE += "USE_NVM=0"
EXTRA_OEMAKE += "SHELL_COLOR=1"
@@ -32,7 +35,7 @@ B = "${WORKDIR}/build"
EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
# Requires CROSS_COMPILE set by hand as there is no configure script
export CROSS_COMPILE = "${TARGET_PREFIX}"
export CROSS_COMPILE="${TARGET_PREFIX}"
LDFLAGS[unexport] = "1"
do_compile() {
@@ -77,7 +77,7 @@ TFA_BUILD_TARGET ?= "bl1"
TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
# Requires CROSS_COMPILE set by hand as there is no configure script
export CROSS_COMPILE = "${TARGET_PREFIX}"
export CROSS_COMPILE="${TARGET_PREFIX}"
# Let the Makefile handle setting up the CFLAGS and LDFLAGS as it is a standalone application
CFLAGS[unexport] = "1"
@@ -1,17 +1,17 @@
require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
# TF-A v2.10.12
SRCREV_tfa = "408ba4ddfe9a8d55e3e2488bea89c39adef07981"
# TF-A v2.10.4
SRCREV_tfa = "569e16caad976a0684147da1ecc6333fd9b7f813"
SRCBRANCH = "lts-v2.10"
LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b2c740efedc159745b9b31f88ff03dde"
# in TF-A src, docs/getting_started/prerequisites.rst lists the expected version mbedtls
# mbedtls-3.6.2
SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=mbedtls-3.6"
SRCREV_mbedtls = "107ea89daaefb9867ea9121002fbbdf926780e98"
# mbedtls-3.4.1
SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=master"
SRCREV_mbedtls = "72718dd87e087215ce9155a826ee5a66cfbe9631"
LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
# continue to boot also without TPM
SRC_URI += "\
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM += "file://docs/license.rst;md5=b5fbfdeb6855162dded31fadcd5d4dc
# in TF-A src, docs/getting_started/prerequisites.rst lists the expected version mbedtls
# mbedtls-3.6.0
SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=main"
SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=master"
SRCREV_mbedtls = "2ca6c285a0dd3f33982dd57299012dacab1ff206"
LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
@@ -1,20 +0,0 @@
require recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
# TF-A v2.12.1
SRCREV_tfa = "8cf9edba5cc3ec11ed5463f206aa5819f7fdbade"
SRCBRANCH = "lts-v2.12"
LIC_FILES_CHKSUM += "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1"
# in TF-A src, docs/getting_started/prerequisites.rst lists the expected version mbedtls
# mbedtls-3.6.2
SRCBRANCH_MBEDTLS = "mbedtls-3.6"
SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;name=mbedtls;protocol=https;destsuffix=git/mbedtls;branch=${SRCBRANCH_MBEDTLS}"
SRCREV_mbedtls = "107ea89daaefb9867ea9121002fbbdf926780e98"
LIC_FILES_CHKSUM_MBEDTLS = "file://mbedtls/LICENSE;md5=379d5819937a6c2f1ef1630d341e026d"
# continue to boot also without TPM
SRC_URI += "\
file://0001-qemu_measured_boot.c-ignore-TPM-error-and-continue-w.patch \
"

Some files were not shown because too many files have changed in this diff Show More