fvp_ffa.mk

# Select which SPMC version to use. Possible values:
#   - github: up-stream version from master branch
#   - tforg:  trustedfirmware.org fork (integration or psa-development branch)
SPMC_VERSION			?= github

# Select SP deployment type. Possible values:
#   - opteesp: legacy OP-TEE specific ELF format
#   - sp:      generic binary SP, fip packaging method is forced by this option
SP_DEPLOYMENT_TYPE		?= opteesp

# Trusted Services build configs. SP_COMMON_FLAGS is passed to each Trusted
# Services SP.
SP_COMMON_FLAGS ?=
#PSA SP specific build configs:
ifeq (github, $(SPMC_VERSION))
ifeq (fip, $(SP_PACKAGING_METHOD))
$(error Invalid packaging method for github version)
endif
ifeq (sp, $(SP_DEPLOYMENT_TYPE))
$(error Unsupported deployment type for github version)
endif
endif
PSA_ITS_EXTRA_FLAGS ?=
PSA_PROTECTED_STORAGE_EXTRA_FLAGS ?=
PSA_CRYPTO_EXTRA_FLAGS ?=
PSA_ATTESTATION_EXTRA_FLAGS ?=
PSA_SMM_GATEWAY_EXTRA_FLAGS ?=

DTS_CONFIG			?=
DTS				?= optee_ffa
DTS_PATH			?= $(BUILD_PATH)/fvp
USE_FVP_BASE_PLAT		?= 1

ifeq (opteesp, $(SP_DEPLOYMENT_TYPE))
SP_FILE_EXTENSION=stripped.elf
else ifeq (sp, $(SP_DEPLOYMENT_TYPE))
SP_FILE_EXTENSION=bin
SP_PACKAGING_METHOD=fip
else
$(error Invalid SP deployment type $(SP_DEPLOYMENT_TYPE))
endif

# Use "embedded" or "fip"
SP_PACKAGING_METHOD		?= embedded

OPTEE_OS_COMMON_EXTRA_FLAGS	+= CFG_CORE_SEL1_SPMC=y CFG_CORE_FFA=y
OPTEE_OS_COMMON_EXTRA_FLAGS	+= CFG_CORE_HEAP_SIZE=131072
OPTEE_OS_COMMON_EXTRA_FLAGS	+= O=out/arm
ifeq (tforg, $(SPMC_VERSION))
OPTEE_OS_COMMON_EXTRA_FLAGS	+= CFG_WITH_SP=y
else
OPTEE_OS_COMMON_EXTRA_FLAGS	+= CFG_SECURE_PARTITION=y
endif

SP_EVENT_LOG ?= y

ifeq (y,$(SP_EVENT_LOG))
TF_A_FLAGS ?= \
	ARM_TSP_RAM_LOCATION=tdram \
	BL32=$(OPTEE_OS_PAGER_V2_BIN) \
	BL33=$(EDK2_BIN) \
	DEBUG=0 \
	PLAT=fvp \
	SPMD_SPM_AT_SEL2=0 \
	MBEDTLS_DIR=$(ROOT)/mbedtls \
	ARM_ROTPK_LOCATION=devel_rsa \
	ARM_TSP_RAM_LOCATION=tdram \
	FVP_USE_GIC_DRIVER=FVP_GICV3 \
	GENERATE_COT=1 \
	MEASURED_BOOT=1 \
	PLAT=fvp \
	ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
	TPM_HASH_ALG=sha256 \
	TRUSTED_BOARD_BOOT=1 \
	EVENT_LOG_LEVEL=20 \
	BL2_optee=y \
	SPD=spmd
else
TF_A_FLAGS ?= \
	ARM_TSP_RAM_LOCATION=tdram \
	BL32=$(OPTEE_OS_PAGER_V2_BIN) \
	BL33=$(EDK2_BIN) \
	DEBUG=$(DEBUG) \
	PLAT=fvp \
	SPD=spmd \
	SPMD_SPM_AT_SEL2=0
endif
include fvp.mk

TF_A_FLAGS+=ARM_SPMC_MANIFEST_DTS=$(CURDIR)/fvp/spmc_manifest.dts
TS_INSTALL_PREFIX:=$(CURDIR)/../out-ts

# Add machinery allowing to build secure partitions from Trusted Services.
#
# build-sp <sp-name>,<uuid>,<TS build flags>
#   <sp name>   The name of the SP.
#
# When called build and clean targets for the SP will be defined as:
#
#   ffa-<sp name>-sp            - Build the SP with cmake, and include the SP
#                                 export makefile to make the SP binary part
#                                 of the OP-TEE OS image.
#   ffa-<sp name>-sp-clean      - run make clean on the cmake project
#   ffa-<sp name>-sp-realclean  - remove all cmake output
#
# To run these for each SP in one step, the "ffa-sp-all", "ffa-sp-all-clean" and
# "ffa-sp-all-realclean" targets are defined.
#
# The build and the clean target are added to the dependency tree of common
# op-tee targets.
#
#example:
#$(eval $(call build-sp,crypto,d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0, -DTS_PLATFORM=ts/mock))
#This wil build the crypto_sp with the mock platorm as it backend.
#Don't add spaces between the ',' and the uuid and name.

.PHONY: ffa-sp-all
.PHONY: ffa-sp-all-clean
.PHONY: ffa-sp-all-realclean

optee-os-common: ffa-sp-all
optee-os-clean: ffa-sp-all-clean

ffa-sp-all-realclean:
	rm -rf $(TS_INSTALL_PREFIX)/$(SP_DEPLOYMENT_TYPE)

ifeq (tforg-fip, $(SPMC_VERSION)-$(SP_PACKAGING_METHOD))
# If FIP packaging method is selected, TF-A requires a number of config options:
# - ARM_BL2_SP_LIST_DTS:   This file will be included into the TB_FW_CONFIG DT
#                          of TF-A. It contains the UUID and load address of SP
#                          packages present in the FIP, BL2 will load them based
#                          on this information.
# - ARM_SPMC_MANIFEST_DTS: Contains information about the SPMC: consumed by the
#                          SPMD at SPMC init. And about the SP packages: the
#                          SPMC can only know where the packages were loaded by
#                          BL2 based on this file.
# - SP_LAYOUT_FILE:        JSON file which describes the corresponding SP image
#                          and SP manifest DT pairs, TF-A will create the SP
#                          packages based on this. However, the TS build
#                          provides a separate JSON file for each SP. A Python
#                          snippet is used to merge these JSONs into one file.
define include_sp
	TS_SP_JSON_LIST+=${TS_INSTALL_PREFIX}/$(SP_DEPLOYMENT_TYPE)/json/$1.json
endef
SP_LAYOUT_FILE := $(TS_INSTALL_PREFIX)/$(SP_DEPLOYMENT_TYPE)/json/sp_layout.json

TF_A_FLAGS+=SP_LAYOUT_FILE=$(SP_LAYOUT_FILE)
TF_A_FLAGS+=ARM_BL2_SP_LIST_DTS=$(CURDIR)/fvp/bl2_sp_images.dtsi
OPTEE_OS_COMMON_EXTRA_FLAGS+=CFG_FIP_SP=y

MERGE_JSON_PY := import json, sys
MERGE_JSON_PY += \ncombined = {}
MERGE_JSON_PY += \nfor path in sys.stdin.read().split():
MERGE_JSON_PY += \n  with open(path) as f:
MERGE_JSON_PY += \n    current = json.load(f)
MERGE_JSON_PY += \n    combined = {**combined, **current}
MERGE_JSON_PY += \nprint(json.dumps(combined, indent=4))

$(SP_LAYOUT_FILE): ffa-sp-all
	@echo $(TS_SP_JSON_LIST) | python3 -c "$$(echo -e '$(MERGE_JSON_PY)')" > $(SP_LAYOUT_FILE)

.PHONY: ffa-sp-layout-clean
ffa-sp-layout-clean:
	@rm -f $(SP_LAYOUT_FILE)

arm-tf: $(SP_LAYOUT_FILE)
ffa-sp-all-clean: ffa-sp-layout-clean
endif

ifeq (embedded, $(SP_PACKAGING_METHOD))

# build_fdt converts the SP manifest dts file to have the proper
# UUID format and builds the fdt into a dtb file which can be used by
# OP-TEE.
define build_fdt
ffa-$1-dts: ffa-$1-sp
	python3 fvp/fdt_uuid_conversion.py --fdt ${TS_INSTALL_PREFIX}/opteesp/manifest/$2.dts
	dtc -I dts -O dtb -o ${TS_INSTALL_PREFIX}/opteesp/manifest/$2.dtb ${TS_INSTALL_PREFIX}/opteesp/manifest/$2.dts
ffa-sp-all: ffa-$1-dts
endef


# If the SPMC version is tforg and embedded packaging method is selected then
# the SP manifest files from TS have to be merged into a common DTS file, which
# is passed to OP-TEE as the embedded DT file. For each SP a dtsi file is
# exported from TS, which contains a single node, representing that SP.
# The TS_SP_DTSI_LIST parameter contains a line like this for each SP:
#
# #include "<absolute_path_to_dtsi>/<sp_uuid>.dtsi"
#
define include_sp
	ifeq (tforg, $(SPMC_VERSION))
		OPTEE_OS_COMMON_EXTRA_FLAGS+=EARLY_TA_PATHS+=${TS_INSTALL_PREFIX}/$(SP_DEPLOYMENT_TYPE)/bin/$2.$(SP_FILE_EXTENSION)
		TS_SP_DTSI_LIST+="\\n\#include \"${TS_INSTALL_PREFIX}/$(SP_DEPLOYMENT_TYPE)/manifest/$2.dtsi\""
	else
		OPTEE_OS_COMMON_EXTRA_FLAGS+=SP_PATHS+=${TS_INSTALL_PREFIX}/$(SP_DEPLOYMENT_TYPE)/bin/$2.$(SP_FILE_EXTENSION)
		$(eval $(call build_fdt,$1,$2))
	endif
endef

ifeq (tforg, $(SPMC_VERSION))
SP_MANIFEST_FILE := $(OUT_PATH)/sp_manifest.dts
OPTEE_OS_COMMON_EXTRA_FLAGS+=CFG_EMBED_DTB_SOURCE_FILE=$(SP_MANIFEST_FILE)

$(SP_MANIFEST_FILE): ffa-sp-all
	@echo -e "/dts-v1/;\n/ {$(TS_SP_DTSI_LIST)\n};" > $(SP_MANIFEST_FILE)

optee-os-common: $(SP_MANIFEST_FILE)

.PHONY: ffa-sp-manifest-clean
ffa-sp-manifest-clean:
	@rm -f $(SP_MANIFEST_FILE)
ffa-sp-all-clean: ffa-sp-manifest-clean
endif
endif

define build-sp
.PHONY: ffa-$1-sp
ffa-$1-sp:
	CROSS_COMPILE="$$(AARCH64_CROSS_COMPILE)" cmake -G"Unix Makefiles" -DCMAKE_INSTALL_PREFIX=$${TS_INSTALL_PREFIX} \
		      -S $$(CURDIR)/../trusted-services/deployments/$1/$(SP_DEPLOYMENT_TYPE) -B $$(CURDIR)/../ts-build/$1 \
		      ${SP_COMMON_FLAGS} $3
	cmake --build $$(CURDIR)/../ts-build/$1 -- -j$$(nproc)
	cmake --install $$(CURDIR)/../ts-build/$1
	$(eval $(call include_sp,$1,$2))


.PHONY: ffa-$1-sp-clean
ffa-$1-sp-clean:
	cmake --build $$(CURDIR)/../ts-build/$1 -- clean -j$$(nproc)

.PHONY: ffa-$1-sp-realclean
ffa-$1-sp-realclean:
	rm -rf $$(CURDIR)/../ts-build/$1

ffa-sp-all: ffa-$1-sp
ffa-sp-all-clean: ffa-$1-sp-clean
ffa-sp-all-realclean: ffa-$1-sp-realclean
endef

$(eval $(call build-sp,internal-trusted-storage,dc1eef48-b17a-4ccf-ac8b-dfcff7711b14, ${PSA_ITS_EXTRA_FLAGS}))
$(eval $(call build-sp,protected-storage,751bf801-3dde-4768-a514-0f10aeed1790, ${PSA_PROTECTED_STORAGE_EXTRA_FLAGS}))
$(eval $(call build-sp,crypto,d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0, ${PSA_CRYPTO_EXTRA_FLAGS}))
$(eval $(call build-sp,attestation,a1baf155-8876-4695-8f7c-54955e8db974, ${PSA_ATTESTATION_EXTRA_FLAGS}))
ifeq (tforg, $(SPMC_VERSION))
$(eval $(call build-sp,smm-gateway,ed32d533-99e6-4209-9cc0-2d72cdd998a7, ${PSA_SMM_GATEWAY_EXTRA_FLAGS}))
endif

.PHONY: sp_uuid_list
sp_uuid_list: $(SHARED_DIR)/sp_uuid_list.txt

.PHONY: sp_uuid_list_clean
sp_uuid_list_clean:
	rm -rf $(SHARED_DIR)/sp_uuid_list.txt

ffa-sp-all-clean: sp_uuid_list_clean

$(SHARED_DIR)/sp_uuid_list.txt: ffa-sp-all | shared_directory
	find $(TS_INSTALL_PREFIX)/$(SP_DEPLOYMENT_TYPE)/bin -name "[0-9a-f-]*.$(SP_FILE_EXTENSION)" -type f | \
		sed -n "s@.*/\(.*\).$(SP_FILE_EXTENSION)@\1@gp" | tr '\n' ',' | \
		head -c -1 > $(SHARED_DIR)/sp_uuid_list.txt

# Add targets to build the "arm_ffa_user" Linux Kernel module.
arm_ffa_user: sp_uuid_list linux | $(OUT_PATH)
	$(eval ROOT:=$(CURDIR)/..)
	mkdir -p $(OUT_PATH)/arm_ffa_user
	make -C $(CURDIR)/../linux_poc $(LINUX_COMMON_FLAGS) install TARGET_DIR=$(OUT_PATH)/arm_ffa_user

arm_ffa_user_clean:
	make -C $(CURDIR)/../linux_poc clean

arm_ffa_tee: linux  | $(OUT_PATH)
	$(eval ROOT:=$(CURDIR)/..)
	mkdir -p $(OUT_PATH)/arm_ffa_tee
	make -C $(CURDIR)/../linux_tee $(LINUX_COMMON_FLAGS) install TARGET_DIR=$(OUT_PATH)/arm_ffa_tee

arm_ffa_tee_clean:
	make -C $(CURDIR)/../linux_tee clean

# Copy out-of-tree kernel modules to shared directory and concatenate module load scripts.
arm_ffa_drivers: arm_ffa_tee arm_ffa_user | shared_directory
	cat $(OUT_PATH)/arm_ffa_tee/load_module.sh $(OUT_PATH)/arm_ffa_user/load_module.sh > $(SHARED_DIR)/load_module.sh
	chmod 775 $(SHARED_DIR)/load_module.sh
	cp -u $(OUT_PATH)/arm_ffa_tee/arm-ffa-tee.ko $(SHARED_DIR)
	cp -u $(OUT_PATH)/arm_ffa_user/arm-ffa-user.ko $(SHARED_DIR)

all: arm_ffa_drivers

# Disable CONFIG_STRICT_DEVMEM option in the Linux kernel config. This allows userspace access to
# the whole NS physical address space through /dev/mem.
linux-defconfig:
	cd $(LINUX_PATH) && ./scripts/config --disable CONFIG_STRICT_DEVMEM