# Defaults for the FVP + Trusted Services configuration. Every knob uses ?= so
# it can be overridden from the command line or the environment. Comments sit
# on their own lines: a trailing comment would add whitespace to the value.

# FVP VirtFS settings.
FVP_VIRTFS_ENABLE ?= y
FVP_VIRTFS_AUTOMOUNT ?= y

# MEASURED_BOOT=y also builds the attestation SP and the initial_attestation
# PSA API test further down. MEASURED_BOOT_FTPM is not read in this file.
MEASURED_BOOT ?= y
MEASURED_BOOT_FTPM ?= n

# Optional secure partitions: SMM gateway, logging SP, firmware update.
# TS_LOGGING_SP_LOG is not read in this file.
TS_SMM_GATEWAY ?= y
TS_LOGGING_SP ?= y
TS_LOGGING_SP_LOG ?= "trusted-services-logs.txt"
TS_FW_UPDATE ?= n

# UEFI services. UEFI_AUTH_VAR=OFF is passed on unless both TS_UEFI_AUTH_VAR
# and TS_SMM_GATEWAY are y; TS_UEFI_INTERNAL_CRYPTO=y adds
# -DUEFI_INTERNAL_CRYPTO=ON to the SMM gateway flags.
TS_UEFI_TESTS ?= n
TS_UEFI_AUTH_VAR ?= y
TS_UEFI_INTERNAL_CRYPTO ?= n

# Supported values: embedded, fip
SP_PACKAGING_METHOD ?= embedded

# Any SPMC_TESTS value other than n replaces the Trusted Services SPs with the
# SPMC test SPs. SPMC_AT_EL is not read in this file.
SPMC_TESTS ?= n
SPMC_AT_EL ?= 1
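# TS_BRANCH_PROTECTION behaves in a similar way to BRANCH_PROTECTION in TF-A:
# unset: Default value. mbranch-protection flag is not provided
# 0: Turns off all types of branch protection
# 1: Enables all types of branch protection features
# 2: Return address signing to its standard level
# 3: Extend the signing to include leaf functions
# 4: Turn on branch target identification mechanism
TS_BRANCH_PROTECTION		?= unset
BRANCH_PROTECTION_OPTIONS	:= unset 0 1 2 3 4

# The value ends up on the TF-A, TS and SP command lines, so accept exactly one
# word that is literally one of the options above.
#  - The word count rejects empty values and values such as "1 extra", which
#    would otherwise pass because one of their words is valid.
#  - The option list is the *pattern* argument of $(filter) and the user value
#    the *text* argument: the other way round, a value containing '%' acts as a
#    wildcard and matches every option.
ifneq ($(words $(TS_BRANCH_PROTECTION)),1)
  $(error TS_BRANCH_PROTECTION is not set to a valid option)
endif
ifeq ($(filter $(BRANCH_PROTECTION_OPTIONS),$(TS_BRANCH_PROTECTION)),)
  $(error TS_BRANCH_PROTECTION is not set to a valid option)
endif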
# UEFI_AUTH_VAR stays at the components' own setting only when both
# TS_UEFI_AUTH_VAR and TS_SMM_GATEWAY are "y". In every other combination it is
# switched OFF explicitly for the SMM gateway SP and the uefi-test application,
# so turning the gateway off also turns authenticated variable support off.
ifeq ($(TS_UEFI_AUTH_VAR)-$(TS_SMM_GATEWAY),y-y)
# Both switches are on: nothing to pass.
else
SP_SMM_GATEWAY_EXTRA_FLAGS += -DUEFI_AUTH_VAR=OFF
TS_APP_UEFI_TEST_EXTRA_FLAGS += -DUEFI_AUTH_VAR=OFF
endif

# Opt-in: UEFI_INTERNAL_CRYPTO=ON is passed to the SMM gateway SP only.
ifeq (y,$(TS_UEFI_INTERNAL_CRYPTO))
SP_SMM_GATEWAY_EXTRA_FLAGS += -DUEFI_INTERNAL_CRYPTO=ON
endif
# haveged ("HArdware Volatile Entropy Gathering and Expansion") is switched on
# to get past low-entropy conditions in the FVP.
# NOTE(review): this is a workaround for the simulated platform; it does not
# describe the entropy source of a hardware target.
BR2_PACKAGE_HAVEGED ?= y

# Buildroot packages this configuration has no use for.
BR2_PACKAGE_HOST_E2FSPROGS ?= n
BR2_PACKAGE_KEYUTILS ?= n
BR2_PACKAGE_MMC_UTILS ?= n
BR2_PACKAGE_OPENSC ?= n
BR2_PACKAGE_OPTEE_EXAMPLES_EXT ?= n
BR2_PACKAGE_STRACE ?= n

# xtest only has to be built when the SPMC tests are going to be run; the two
# OpenSSL packages are dropped together with it.
ifeq ($(SPMC_TESTS),y)
# SPMC tests requested: leave these packages at their defaults.
else
BR2_PACKAGE_OPTEE_TEST_EXT ?= n
BR2_PACKAGE_LIBOPENSSL ?= n
BR2_PACKAGE_OPENSSL ?= n
endif
# TS SP configurations. Every SP_<name>_CONFIG falls back to DEFAULT_SP_CONFIG
# unless it has been set already. The reference is stored unexpanded ($$ keeps
# it literal inside $(eval)), so a later change of DEFAULT_SP_CONFIG is still
# picked up, exactly as with a hand-written "?=" line per variable.
DEFAULT_SP_CONFIG ?= default-opteesp
$(foreach sp_cfg,\
	SP_BLOCK_STORAGE_CONFIG \
	SP_PSA_ITS_CONFIG \
	SP_PSA_PS_CONFIG \
	SP_PSA_CRYPTO_CONFIG \
	SP_PSA_ATTESTATION_CONFIG \
	SP_SMM_GATEWAY_CONFIG \
	SP_FWU_CONFIG \
	SP_LOGGING_CONFIG,\
	$(eval $(sp_cfg) ?= $$(DEFAULT_SP_CONFIG)))

# Kernel config fragment for this setup.
LINUX_DEFCONFIG_COMMON_FILES ?= $(CURDIR)/kconfigs/fvp_trusted-services.conf

# Included after all defaults above have been set.
include fvp.mk
include trusted-services.mk
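# The macros used in bl2_sp_list.dts and spmc_manifest.dts have to be passed to
# TF-A because it handles the preprocessing of these files.
#
# add-dtc-define: append -D<name>=<value> to DTC_CPPFLAGS.
#   $1  name of the make variable to export; it is also the macro name.
# A value of exactly "y" becomes 1 and exactly "n" becomes 0; any other value is
# passed through unchanged. $(patsubst) without '%' only matches whole words,
# whereas $(subst) would also rewrite every 'y' and 'n' inside a longer value.
define add-dtc-define
DTC_CPPFLAGS+=-D$1=$(patsubst y,1,$(patsubst n,0,$($1)))
endef

# The defines are only handed to TF-A when the SPs are packaged into the FIP.
ifeq ($(SP_PACKAGING_METHOD),fip)
$(eval $(call add-dtc-define,SPMC_TESTS))
$(eval $(call add-dtc-define,TS_SMM_GATEWAY))
$(eval $(call add-dtc-define,TS_FW_UPDATE))
$(eval $(call add-dtc-define,TS_LOGGING_SP))

TF_A_EXPORTS += DTC_CPPFLAGS="$(DTC_CPPFLAGS)"
endif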
# OP-TEE OS options needed by this configuration, one per line.
# Secure partition support with the SPMC in the OP-TEE core (S-EL1).
OPTEE_OS_COMMON_EXTRA_FLAGS += CFG_SECURE_PARTITION=y
OPTEE_OS_COMMON_EXTRA_FLAGS += CFG_CORE_SEL1_SPMC=y
# 131072 bytes = 128 KiB of core heap.
OPTEE_OS_COMMON_EXTRA_FLAGS += CFG_CORE_HEAP_SIZE=131072
# Device tree options.
OPTEE_OS_COMMON_EXTRA_FLAGS += CFG_DT=y
OPTEE_OS_COMMON_EXTRA_FLAGS += CFG_MAP_EXT_DT_SECURE=y
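# Branch protection plumbing. In every $(filter) below the fixed level list is
# the pattern and TS_BRANCH_PROTECTION is the text: used as the pattern, a
# value containing '%' would match every level and select all branches at once.

# If branch protection is unset, do not pass it; otherwise TF-A, the TS
# applications and the SPs all receive the same level.
ifeq ($(filter unset,$(TS_BRANCH_PROTECTION)),)
TF_A_FLAGS		+= BRANCH_PROTECTION=$(TS_BRANCH_PROTECTION)
TS_APP_COMMON_FLAGS	+= -DBRANCH_PROTECTION=$(TS_BRANCH_PROTECTION)
SP_COMMON_FLAGS		+= -DBRANCH_PROTECTION=$(TS_BRANCH_PROTECTION)
endif

# Branch Target Identification enablement (levels 1 and 4): OP-TEE core and
# TAs are built with BTI and the FVP parameters below are set for both clusters.
ifneq ($(filter 1 4,$(TS_BRANCH_PROTECTION)),)
OPTEE_OS_COMMON_EXTRA_FLAGS += CFG_CORE_BTI=y
OPTEE_OS_COMMON_EXTRA_FLAGS += CFG_TA_BTI=y

FVP_EXTRA_ARGS += -C cluster0.has_branch_target_exception=2
FVP_EXTRA_ARGS += -C cluster1.has_branch_target_exception=2
FVP_EXTRA_ARGS += -C cluster0.has_arm_v8-5=1
FVP_EXTRA_ARGS += -C cluster1.has_arm_v8-5=1
endif

# Pointer Authentication enablement (levels 1, 2 and 3): OP-TEE core and TAs
# are built with PAuth and the FVP parameter below is set for both clusters.
ifneq ($(filter 1 2 3,$(TS_BRANCH_PROTECTION)),)
OPTEE_OS_COMMON_EXTRA_FLAGS += CFG_CORE_PAUTH=y
OPTEE_OS_COMMON_EXTRA_FLAGS += CFG_TA_PAUTH=y

FVP_EXTRA_ARGS += -C cluster0.has_pointer_authentication=2
FVP_EXTRA_ARGS += -C cluster1.has_pointer_authentication=2
endif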
# The boot order of the SPs is determined by the order of calls here. This is
# due to the SPMC not (yet) supporting the boot order field of the SP manifest.
# Keep the sequence of the build-sp calls as it is when editing this section.
#
# build-sp is not defined in this file. As used here it takes: SP name,
# configuration, a UUID-formatted identifier (presumably the SP's UUID; verify
# against the macro definition) and the SP's extra flags.
#
# Only SPMC_TESTS=n selects the Trusted Services SPs; any other value takes the
# else branch and builds the SPMC test SPs instead.
ifeq ($(SPMC_TESTS),n)
# LOGGING SP (first in the list, so it is built before all other SPs)
ifeq ($(TS_LOGGING_SP),y)
$(eval $(call build-sp,logging,config/$(SP_LOGGING_CONFIG),da9dffbd-d590-40ed-975f-19c65a3d52d3,$(SP_LOGGING_EXTRA_FLAGS)))
endif
# PSA SPs
$(eval $(call build-sp,block-storage,config/$(SP_BLOCK_STORAGE_CONFIG),63646e80-eb52-462f-ac4f-8cdf3987519c,$(SP_BLOCK_STORAGE_EXTRA_FLAGS)))
$(eval $(call build-sp,internal-trusted-storage,config/$(SP_PSA_ITS_CONFIG),dc1eef48-b17a-4ccf-ac8b-dfcff7711b14,$(SP_PSA_ITS_EXTRA_FLAGS)))
$(eval $(call build-sp,protected-storage,config/$(SP_PSA_PS_CONFIG),751bf801-3dde-4768-a514-0f10aeed1790,$(SP_PSA_PS_EXTRA_FLAGS)))
$(eval $(call build-sp,crypto,config/$(SP_PSA_CRYPTO_CONFIG),d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0,$(SP_PSA_CRYPTO_EXTRA_FLAGS)))
# The attestation SP is only built together with measured boot.
ifeq ($(MEASURED_BOOT),y)
$(eval $(call build-sp,attestation,config/$(SP_PSA_ATTESTATION_CONFIG),a1baf155-8876-4695-8f7c-54955e8db974,$(SP_PSA_ATTESTATION_EXTRA_FLAGS)))
endif
# SMM gateway SP; its extra flags carry the UEFI_AUTH_VAR and
# UEFI_INTERNAL_CRYPTO settings computed earlier in this file.
ifeq ($(TS_SMM_GATEWAY),y)
$(eval $(call build-sp,smm-gateway,config/$(SP_SMM_GATEWAY_CONFIG),ed32d533-99e6-4209-9cc0-2d72cdd998a7,$(SP_SMM_GATEWAY_EXTRA_FLAGS)))
endif
# Firmware update SP
ifeq ($(TS_FW_UPDATE),y)
$(eval $(call build-sp,fwu,config/$(SP_FWU_CONFIG),6823a838-1b06-470e-9774-0cce8bfb53fd,$(SP_FWU_EXTRA_FLAGS)))
endif
else
# SPMC test SPs: built with the fixed "opteesp" configuration and a shared set
# of extra flags; OP-TEE is additionally built with CFG_SPMC_TESTS=y.
OPTEE_OS_COMMON_EXTRA_FLAGS	+= CFG_SPMC_TESTS=y
$(eval $(call build-sp,spm-test1,opteesp,5c9edbc3-7b3a-4367-9f83-7c191ae86a37,$(SP_SPMC_TEST_EXTRA_FLAGS)))
$(eval $(call build-sp,spm-test2,opteesp,7817164c-c40c-4d1a-867a-9bb2278cf41a,$(SP_SPMC_TEST_EXTRA_FLAGS)))
$(eval $(call build-sp,spm-test3,opteesp,23eb0100-e32a-4497-9052-2f11e584afa6,$(SP_SPMC_TEST_EXTRA_FLAGS)))
$(eval $(call build-sp,spm-test4,opteesp,423762ed-7772-406f-99d8-0c27da0abbf8,$(SP_SPMC_TEST_EXTRA_FLAGS)))
endif
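# Linux user space applications. Everything up to the final endif, including
# the clean hooks at the end, is only active when SPMC_TESTS is "n".
ifeq ($(SPMC_TESTS),n)
$(eval $(call build-ts-app,libts,$(TS_APP_LIBTS_EXTRA_FLAGS)))
$(eval $(call build-ts-app,libpsats,$(TS_APP_LIBPSATS_EXTRA_FLAGS)))
$(eval $(call build-ts-app,ts-service-test,$(TS_APP_TS_SERVICE_TEST_EXTRA_FLAGS)))
$(eval $(call build-ts-app,psa-api-test/internal_trusted_storage,$(TS_APP_PSA_ITS_EXTRA_FLAGS)))
$(eval $(call build-ts-app,psa-api-test/protected_storage,$(TS_APP_PSA_PS_EXTRA_FLAGS)))
$(eval $(call build-ts-app,psa-api-test/crypto,$(TS_APP_PSA_CRYPTO_EXTRA_FLAGS)))
# The attestation API test needs the attestation SP, which is only built with
# measured boot.
ifeq ($(MEASURED_BOOT),y)
$(eval $(call build-ts-app,psa-api-test/initial_attestation,$(TS_APP_PSA_IAT_EXTRA_FLAGS)))
endif
ifeq ($(TS_UEFI_TESTS),y)
$(eval $(call build-ts-app,uefi-test,$(TS_APP_UEFI_TEST_EXTRA_FLAGS)))

# uefi-test uses MM Communicate via the arm-ffa-user driver and the message
# payload is forwarded in a carveout memory area. Adding reserved-memory node to
# the device tree to prevent Linux from using the carveout area for other
# purposes.

# ORIGINAL_DTB captures the DTB path that is in effect at this point, before
# FVP_LINUX_DTB is redirected to the DTB generated below.
ORIGINAL_DTB := $(FVP_LINUX_DTB)
CARVEOUT_ENTRY = $(ROOT)/build/fvp/mm_communicate_carveout.dtsi
FVP_LINUX_DTB = $(ROOT)/out/fvp_with_mm_carveout.dtb

# Decompile the original DTB, append the carveout node and compile the result.
# Each step is a recipe line of its own so that a failing step stops the build:
# in a single "{ ...; } | dtc" pipeline only the exit status of the last dtc is
# checked, and a failed decompile could still yield a DTB. The output is built
# under a temporary name and renamed at the end, so a DTB without the
# reserved-memory node never appears at the final path.
# $(ORIGINAL_DTB) is deliberately not a prerequisite: no rule for it is visible
# in this file, only the order-only dependency on "linux".
$(FVP_LINUX_DTB): $(CARVEOUT_ENTRY) | linux
	mkdir -p $(@D)
	dtc -Idtb -Odts -o $@.dts.tmp $(ORIGINAL_DTB)
	cat $< >> $@.dts.tmp
	dtc -Idts -Odtb -o $@.tmp $@.dts.tmp
	mv -f $@.tmp $@
	rm -f $@.dts.tmp

boot-img: $(FVP_LINUX_DTB)

# Also removes the temporaries a failed build of the DTB can leave behind.
.PHONY: carveout-dtb-clean
carveout-dtb-clean:
	rm -f $(FVP_LINUX_DTB) $(FVP_LINUX_DTB).tmp $(FVP_LINUX_DTB).dts.tmp

boot-img-clean: carveout-dtb-clean
endif

ifeq ($(TS_FW_UPDATE),y)

# TODO: the fwu-tool is currently not needed.
# NOTE(review): fwu-tool is built with TS_HOST_UEFI_TEST_EXTRA_FLAGS; confirm
# that sharing the uefi-test host flags is intended.
$(eval $(call build-ts-host-app,fwu-tool,$(TS_HOST_UEFI_TEST_EXTRA_FLAGS)))

ffa-fwu-sp: ts-host-fwu-tool

# Copy the disk image used by FWU to the build directory to allow the FVP binary to find it.
# The target has no prerequisites, so an image that already exists in
# BINARIES_PATH is never overwritten by make.
$(BINARIES_PATH)/secure-flash.img:
	mkdir -p $(@D)
	cp $(ROOT)/trusted-services/components/media/disk/disk_images/multi_location_fw.img $@

# Add a shortcut to help manually doing the copy.
.PHONY: ffa-fwu-fash-img
ffa-fwu-fash-img: $(BINARIES_PATH)/secure-flash.img

ffa-fwu-sp: $(BINARIES_PATH)/secure-flash.img

endif

# Declared phony so that a file with the same name cannot disable the cleanup.
.PHONY: ffa-fwu-fash-img-clean
ffa-fwu-fash-img-clean:
	rm -f $(BINARIES_PATH)/secure-flash.img

clean: ffa-fwu-fash-img-clean

clean: ts-host-all-clean ffa-test-all-clean ffa-sp-all-clean linux-arm-ffa-user-clean

endif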