On Wed, May 13, 2020 at 05:11:34PM -0500, Joshua Watt wrote:
> Adds support for booting AArch64 Qemu machines using TF-A + optee +
> u-boot. Most of the changes are applicable to any AArch64 qemu target,
> and a reference machine called qemuarm64-secureboot has been added that
> show how to enable support for it.
Can we hold on this patch, please? I want to review it thoroughly :)
Also, it touches a lot of suff and throws a wrench into my TF-A work -
I waited patiently to get all your changes in and kept rebasing my work.
No more rebases, please, let me submit my changes first... :)
That's fine. I'm not in any hurry for this, just got it working and figured I'd share it.
Denys
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
> .../conf/machine/qemuarm64-secureboot.conf | 26 +++++++++++++
> .../trusted-firmware-a/trusted-firmware-a.inc | 39 ++++++++++++-------
> .../recipes-bsp/u-boot/u-boot/qemuarm64.cfg | 4 ++
> meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend | 3 ++
> .../recipes-security/optee/optee-os_git.bb | 6 +++
> meta-arm/recipes-security/optee/optee.inc | 2 +-
> meta-arm/wic/qemuarm64.wks | 4 ++
> 7 files changed, 70 insertions(+), 14 deletions(-)
> create mode 100644 meta-arm/conf/machine/qemuarm64-secureboot.conf
> create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> create mode 100644 meta-arm/wic/qemuarm64.wks
>
> diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> new file mode 100644
> index 0000000..cfb358b
> --- /dev/null
> +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
> @@ -0,0 +1,26 @@
> +MACHINEOVERRIDES =. "qemuarm64:"
> +
> +require ${COREBASE}/meta/conf/machine/qemuarm64.conf
> +
> +KMACHINE = "qemuarm64"
> +
> +UBOOT_MACHINE = "qemu_arm64_defconfig"
> +
> +# The 5.4 kernel panics when booting, so use the development kernel until the
> +# default kernel is upgraded (5.5. supposedly works)
> +PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-dev"
> +
> +QB_MACHINE = "-machine virt,secure=on"
> +QB_OPT_APPEND += "-no-acpi"
> +QB_MEM = "-m 1G"
> +QB_DEFAULT_FSTYPE = "wic.qcow2"
> +QB_DEFAULT_BIOS = "flash.bin-qemu"
> +QB_FSINFO = "wic:no-kernel-in-fs"
> +QB_ROOTFS_OPT = ""
> +
> +IMAGE_FSTYPES += "wic wic.qcow2"
> +
> +WKS_FILE ?= "qemuarm64.wks"
> +WKS_FILE_DEPENDS = "trusted-firmware-a"
> +IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}"
> +
> diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> index 4b5da7a..64497d6 100644
> --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc
> @@ -7,10 +7,11 @@ PACKAGE_ARCH = "${MACHINE_ARCH}"
>
> inherit deploy nopackages
>
> -COMPATIBLE_MACHINE ?= "invalid"
> +COMPATIBLE_MACHINE = "qemuarm64"
>
> # Platform must be set for each machine
> TFA_PLATFORM ?= "invalid"
> +TFA_PLATFORM_aarch64_qemuall = "qemu"
>
> # Build for debug (set TFA_DEBUG to 1 to activate)
> TFA_DEBUG ?= "0"
> @@ -35,16 +36,19 @@ SRCREV_FORMAT_append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '',
> # U-boot support (set TFA_UBOOT to 1 to activate)
> # When U-Boot support is activated BL33 is activated with u-boot.bin file
> TFA_UBOOT ?= "0"
> +TFA_UBOOT_aarch64_qemuall = "1"
>
> # What to build
> # By default we only build bl1, do_deploy will copy
> # everything listed in this variable (by default bl1.bin)
> TFA_BUILD_TARGET ?= "bl1"
> +TFA_BUILD_TARGET_aarch64_qemuall = "all fip"
>
> # What to install
> # do_install and do_deploy will install everything listed in this
> # variable. It is set by default to TFA_BUILD_TARGET
> TFA_INSTALL_TARGET ?= "${TFA_BUILD_TARGET}"
> +TFA_INSTALL_TARGET_aarch64_qemuall = "flash.bin"
>
> # Requires CROSS_COMPILE set by hand as there is no configure script
> export CROSS_COMPILE="${TARGET_PREFIX}"
> @@ -61,6 +65,7 @@ do_configure[noexec] = "1"
> # We need dtc for dtbs compilation
> # We need openssl for fiptool
> DEPENDS_append = " dtc-native openssl-native"
> +DEPENDS_append_aarch64_qemuall = " optee-os"
>
> # Add platform parameter
> EXTRA_OEMAKE += "BUILD_BASE=${B} PLAT=${TFA_PLATFORM}"
> @@ -76,6 +81,15 @@ DEPENDS += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot', '', d)}"
> do_compile[depends] += " ${@bb.utils.contains('TFA_UBOOT', '1', 'u-boot:do_deploy', '', d)}"
> EXTRA_OEMAKE += "${@bb.utils.contains('TFA_UBOOT', '1', ' BL33=${DEPLOY_DIR_IMAGE}/u-boot.bin', '',d)}"
>
> +EXTRA_OEMAKE_append_aarch64_qemuall = " \
> + BL32=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-header_v2.bin \
> + BL32_EXTRA1=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pager_v2.bin \
> + BL32_EXTRA2=${STAGING_DIR_TARGET}${nonarch_base_libdir}/firmware/tee-pageable_v2.bin \
> + BL32_RAM_LOCATION=tdram \
> + SPD=opteed \
> + "
> +BUILD_PLAT = "${B}/${TFA_PLATFORM}/${@"debug" if d.getVar("TFA_DEBUG") == "1" else "release"}/"
> +
> # The following hack is needed to fit properly in yocto build environment
> # TFA is forcing the host compiler and its flags in the Makefile using :=
> # assignment for GCC and CFLAGS.
> @@ -91,13 +105,12 @@ do_compile() {
> }
> do_compile[cleandirs] = "${B}"
>
> -do_install() {
> - if ${@"true" if d.getVar('TFA_DEBUG') == '1' else "false"}; then
> - BUILD_PLAT=${B}/${TFA_PLATFORM}/debug/
> - else
> - BUILD_PLAT=${B}/${TFA_PLATFORM}/release/
> - fi
> +do_compile_append_aarch64_qemuall() {
> + dd if=${BUILD_PLAT}/bl1.bin of=${BUILD_PLAT}/flash.bin bs=4096 conv=notrunc
> + dd if=${BUILD_PLAT}/fip.bin of=${BUILD_PLAT}/flash.bin seek=64 bs=4096 conv=notrunc
> +}
>
> +do_install() {
> install -d -m 755 ${D}/firmware
> for atfbin in ${TFA_INSTALL_TARGET}; do
> if [ "$atfbin" = "all" ]; then
> @@ -106,17 +119,17 @@ do_install() {
> bberror "Please specify valid targets in TFA_INSTALL_TARGET or"
> bberror "rewrite or turn off do_install"
> exit 1
> - elif [ -f $BUILD_PLAT/$atfbin.bin ]; then
> + elif [ -f ${BUILD_PLAT}/$atfbin.bin ]; then
> echo "Install $atfbin.bin"
> - install -m 0644 $BUILD_PLAT/$atfbin.bin \
> + install -m 0644 ${BUILD_PLAT}/$atfbin.bin \
> ${D}/firmware/$atfbin-${TFA_PLATFORM}.bin
> - elif [ -f $BUILD_PLAT/$atfbin/$atfbin.elf ]; then
> + elif [ -f ${BUILD_PLAT}/$atfbin/$atfbin.elf ]; then
> echo "Install $atfbin.elf"
> - install -m 0644 $BUILD_PLAT/$atfbin/$atfbin.elf \
> + install -m 0644 ${BUILD_PLAT}/$atfbin/$atfbin.elf \
> ${D}/firmware/$atfbin-${TFA_PLATFORM}.elf
> - elif [ -f $BUILD_PLAT/$atfbin ]; then
> + elif [ -f ${BUILD_PLAT}/$atfbin ]; then
> echo "Install $atfbin"
> - install -m 0644 $BUILD_PLAT/$atfbin \
> + install -m 0644 ${BUILD_PLAT}/$atfbin \
> ${D}/firmware/$atfbin-${TFA_PLATFORM}
> elif [ "$atfbin" = "dtbs" ]; then
> echo "dtbs install, skipped"
> diff --git a/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> new file mode 100644
> index 0000000..de0c6ec
> --- /dev/null
> +++ b/meta-arm/recipes-bsp/u-boot/u-boot/qemuarm64.cfg
> @@ -0,0 +1,4 @@
> +CONFIG_TFABOOT=y
> +# This must match the address that TF-A jumps to for BL33
> +CONFIG_SYS_TEXT_BASE=0x60000000
> +
> diff --git a/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> new file mode 100644
> index 0000000..afcd70a
> --- /dev/null
> +++ b/meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend
> @@ -0,0 +1,3 @@
> +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
> +
> +SRC_URI_append_qemuarm64-secureboot = " file://qemuarm64.cfg"
> diff --git a/meta-arm/recipes-security/optee/optee-os_git.bb b/meta-arm/recipes-security/optee/optee-os_git.bb
> index dfff6d1..aa51376 100644
> --- a/meta-arm/recipes-security/optee/optee-os_git.bb
> +++ b/meta-arm/recipes-security/optee/optee-os_git.bb
> @@ -21,7 +21,11 @@ SRC_URI = " \
> S = "${WORKDIR}/git"
>
> OPTEEMACHINE ?= "${MACHINE}"
> +OPTEEMACHINE_aarch64_qemuall = "vexpress-qemu_armv8a"
> +OPTEEMACHINE_armv7a_qemuall = "vexpress-qemu_virt"
> +
> OPTEEOUTPUTMACHINE ?= "${MACHINE}"
> +OPTEEOUTPUTMACHINE_qemuall = "vexpress"
>
> OPTEE_ARCH = "null"
> OPTEE_ARCH_armv7a = "arm32"
> @@ -72,6 +76,8 @@ do_deploy() {
>
> addtask deploy before do_build after do_install
>
> +SYSROOT_DIRS += "${nonarch_base_libdir}/firmware"
> +
> FILES_${PN} = "${nonarch_base_libdir}/firmware/"
> FILES_${PN}-dev = "${includedir}/optee/"
>
> diff --git a/meta-arm/recipes-security/optee/optee.inc b/meta-arm/recipes-security/optee/optee.inc
> index b3e5271..3138148 100644
> --- a/meta-arm/recipes-security/optee/optee.inc
> +++ b/meta-arm/recipes-security/optee/optee.inc
> @@ -1,2 +1,2 @@
> -COMPATIBLE_MACHINE ?= "invalid"
> +COMPATIBLE_MACHINE = "qemuarm64"
> # Please add supported machines below or set it in .bbappend or .conf
> diff --git a/meta-arm/wic/qemuarm64.wks b/meta-arm/wic/qemuarm64.wks
> new file mode 100644
> index 0000000..7285279
> --- /dev/null
> +++ b/meta-arm/wic/qemuarm64.wks
> @@ -0,0 +1,4 @@
> +bootloader --ptable gpt
> +
> +part /boot --ondisk=vda --align 64 --size=100M --active --source bootimg-partition --fstype=ext4 --label boot --sourceparams="loader=u-boot"
> +part / --ondisk=vda --source rootfs --fstype=ext4 --label root
> --
> 2.17.1
>
>