feat(ethos-n)!: load NPU firmware at BL2
BL2 on Juno now loads the Arm(R) Ethos(TM)-N NPU firmware into a fixed
address, using the existing image loading framework.
Includes support for TRUSTED_BOARD_BOOT, if enabled, using the firmware
content and key certificates from the FIP.
Supports the ARM_IO_IN_DTB option, so the firmware location can be
specified from the DTB rather than being hardcoded to the FIP.
Update makefile to automatically embed the appropriate images into the
FIP.
BREAKING CHANGE: Building the FIP when TZMP1 support is enabled in the
NPU driver now requires a parameter to specify the NPU firmware file.
Signed-off-by: Rob Hughes <robert.hughes@arm.com>
Signed-off-by: Mikael Olsson <mikael.olsson@arm.com>
Change-Id: I8cd64fb20d58f8bd539facb085606213d6cead06
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index dc875e5..e424ec0 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -132,7 +132,29 @@
else
$(error ARM_ETHOSN_NPU_TZMP1 only supported on Juno platform, not ${PLAT})
endif
-endif
+
+ ifeq (${TRUSTED_BOARD_BOOT},0)
+ # We rely on TRUSTED_BOARD_BOOT to prevent the firmware code from being
+ # tampered with, which is required to protect the confidentiality of protected
+ # inference data.
+ $(error ARM_ETHOSN_NPU_TZMP1 is only available if TRUSTED_BOARD_BOOT is enabled)
+ endif
+
+ # We need the FW certificate and key certificate
+ $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/npu_fw_key.crt,--npu-fw-key-cert))
+ $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/npu_fw_content.crt,--npu-fw-cert))
+ # Needed for our OIDs to be available in tbbr_cot_bl2.c
+ $(eval $(call add_define, PLAT_DEF_OID))
+ PLAT_INCLUDES += -I${PLAT_DIR}certificate/include
+ PLAT_INCLUDES += -Iinclude/drivers/arm/
+
+ # We need the firmware to be built into the FIP
+ $(eval $(call TOOL_ADD_IMG,ARM_ETHOSN_NPU_FW,--npu-fw))
+
+ # Needed so that UUIDs from the FIP are available in BL2
+ $(eval $(call add_define,PLAT_DEF_FIP_UUID))
+ PLAT_INCLUDES += -I${PLAT_DIR}fip
+endif # ARM_ETHOSN_NPU_TZMP1
# Use an implementation of SHA-256 with a smaller memory footprint but reduced
# speed.
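Review bot: The new guard `ifeq (${TRUSTED_BOARD_BOOT},0)` fails open, because it rejects only the literal value 0; an empty or otherwise unexpected value would let a TZMP1 build proceed without the firmware authentication the comment says the feature relies on. Unless the option is normalised to 0/1 before this file is parsed (not visible in this hunk), testing for the required value is safer: `ifneq (${TRUSTED_BOARD_BOOT},1)`. Separately, `$(call add_define, PLAT_DEF_OID)` has a space after the comma that `$(call add_define,PLAT_DEF_FIP_UUID)` does not; make keeps leading whitespace in `call` arguments, so dropping the space avoids depending on how add_define treats it. The enclosing ARM_ETHOSN_NPU_TZMP1 conditional opens above the hunk.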
@@ -396,8 +418,11 @@
ifneq (${COT_DESC_IN_DTB},0)
BL2_SOURCES += lib/fconf/fconf_cot_getter.c
else
- BL2_SOURCES += drivers/auth/tbbr/tbbr_cot_common.c \
- drivers/auth/tbbr/tbbr_cot_bl2.c
+ BL2_SOURCES += drivers/auth/tbbr/tbbr_cot_common.c
+ # Juno has its own TBBR CoT file for BL2
+ ifneq (${PLAT},juno)
+ BL2_SOURCES += drivers/auth/tbbr/tbbr_cot_bl2.c
+ endif
endif
else ifeq (${COT},dualroot)
AUTH_SOURCES += drivers/auth/dualroot/cot.c
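Review bot: The `ifneq (${PLAT},juno)` test hard-codes a board name in the common Arm makefile and leaves Juno with a separate copy of the BL2 chain of trust, while the one-line comment says neither where that copy is added nor why it exists. Because this file decides what BL2 authenticates, a later fix to `drivers/auth/tbbr/tbbr_cot_bl2.c` will not reach Juno unless someone mirrors it there. I would expand the comment to record that, e.g. `# Juno adds its own BL2 CoT source elsewhere; keep that copy in sync with drivers/auth/tbbr/tbbr_cot_bl2.c`. The surrounding COT conditional starts and ends outside the hunk.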