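################################################################################
# The following variables define how NS_USER (Non-Secure User - client
# application), NS_KERNEL (Non-Secure Kernel), S_KERNEL (Secure Kernel) and
# S_USER (Secure User - TA) are compiled.
#
# NS_USER, S_USER and S_KERNEL default to 64 and may be overridden from the
# command line or the environment (?=). COMPILE_NS_KERNEL is assigned with
# `override ... :=`, so it stays 64 even if a different value is passed on the
# make command line.
################################################################################
COMPILE_NS_USER   ?= 64
override COMPILE_NS_KERNEL := 64
COMPILE_S_USER    ?= 64
COMPILE_S_KERNEL  ?= 64

# OP-TEE OS platform name. It is assigned before common.mk is included.
OPTEE_OS_PLATFORM = vexpress-fvp

include common.mk
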
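################################################################################
# Variables used for TPM configuration.
#
# All but BR2_ROOTFS_OVERLAY use ?=, so they can be pointed at another checkout
# from the command line or the environment.
################################################################################
BR2_ROOTFS_OVERLAY = $(ROOT)/build/br-ext/board/fvp/overlay
BR2_PACKAGE_FTPM_OPTEE_EXT_SITE ?= $(CURDIR)/br-ext/package/ftpm_optee_ext
BR2_PACKAGE_FTPM_OPTEE_PACKAGE_SITE ?= $(ROOT)/ms-tpm-20-ref

# The fTPM implementation is based on the ARM32 architecture, whereas the rest
# of the system is built to run in 64-bit mode (COMPILE_S_USER = 64). Therefore
# set BR2_PACKAGE_FTPM_OPTEE_EXT_SDK manually to the arm32 OP-TEE TA dev kit
# rather than relying on the OPTEE_OS_TA_DEV_KIT_DIR variable.
BR2_PACKAGE_FTPM_OPTEE_EXT_SDK ?= $(OPTEE_OS_PATH)/out/arm/export-ta_arm32

BR2_PACKAGE_LINUX_FTPM_MOD_EXT_SITE ?= $(CURDIR)/br-ext/package/linux_ftpm_mod_ext
BR2_PACKAGE_LINUX_FTPM_MOD_EXT_PATH ?= $(LINUX_PATH)
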
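################################################################################
# Paths to git projects and various binaries
################################################################################
MEASURED_BOOT           ?= n
TF_A_PATH               ?= $(ROOT)/trusted-firmware-a
ifeq ($(MEASURED_BOOT),y)
# Prefer release mode for TF-A if using Measured Boot, debug may exhaust memory.
# Every TF_A_BUILD assignment here uses ?=, so this one takes precedence over
# the TF_A_DEBUG-based defaults further down.
# NOTE(review): in this file TF_A_BUILD only selects the directory from which
# the FVP loads bl1.bin and fip.bin, while the TF-A build itself is passed
# DEBUG=$(TF_A_DEBUG). With MEASURED_BOOT=y and TF_A_DEBUG=1 the two can name
# different build types; confirm the model is not started on stale or missing
# firmware images in that combination.
TF_A_BUILD              ?= release
endif
TF_A_DEBUG              ?= $(DEBUG)
ifeq ($(TF_A_DEBUG),1)
TF_A_LOGLVL             ?= 40
TF_A_BUILD              ?= debug
else
TF_A_LOGLVL             ?= 20
TF_A_BUILD              ?= release
endif
FVP_PATH                ?= $(ROOT)/Base_RevC_AEMvA_pkg/models/Linux64_GCC-9.3
FVP_BIN                 ?= FVP_Base_RevC-2xAEMvA
FVP_LINUX_DTB           ?= $(LINUX_PATH)/arch/arm64/boot/dts/arm/fvp-base-revc.dtb
OUT_PATH                ?= $(ROOT)/out
BINARIES_PATH           ?= $(ROOT)/out/bin
UBOOT_PATH              ?= $(ROOT)/u-boot
UBOOT_BIN               ?= $(UBOOT_PATH)/u-boot.bin
MKIMAGE_PATH            ?= $(UBOOT_PATH)/tools
HAFNIUM_PATH            ?= $(ROOT)/hafnium
HAFNIUM_BIN             ?= $(HAFNIUM_PATH)/out/reference/secure_aem_v8a_fvp_vhe_clang/hafnium.bin
UBOOT_BOOT_SCRIPT       ?= $(OUT_PATH)/boot.scr
BOOT_IMG                ?= $(OUT_PATH)/boot-fat.uefi.img
FTPM_PATH               ?= $(ROOT)/ms-tpm-20-ref/Samples/ARM32-FirmwareTPM/optee_ta
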
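# Option to configure FF-A and SPM:
# n:	disabled
# 3:	not supported, SPMC and SPMD at EL3 (in TF-A)
# 2:	SPMC at S-EL2 (in Hafnium), SPMD at EL3 (in TF-A)
# 1:	SPMC at S-EL1 (in OP-TEE), SPMD at EL3 (in TF-A)
SPMC_AT_EL ?= n
# Validate at parse time. The value is later used to pick the
# TF_A_FLAGS_SPMC_AT_EL_<value> and OPTEE_OS_COMMON_FLAGS_SPMC_AT_EL_<value>
# variables. An empty or multi-word value would pass the filter-out test below
# and select none of them without any error, so require exactly one word first.
ifneq ($(words $(SPMC_AT_EL)),1)
$(error SPMC_AT_EL must be exactly one of: n 1 2)
endif
ifneq ($(filter-out n 1 2,$(SPMC_AT_EL)),)
$(error Unsupported SPMC_AT_EL value $(SPMC_AT_EL))
endif

ifeq ($(MEASURED_BOOT),y)
# By default enable FTPM for backwards compatibility.
MEASURED_BOOT_FTPM ?= y
else
# `force` is not defined in this file (presumably provided by common.mk). It is
# used here to pin MEASURED_BOOT_FTPM to n when Measured Boot is disabled.
$(call force,MEASURED_BOOT_FTPM,n,requires MEASURED_BOOT enabled)
endif

# Build ancillary components to access fTPM if Measured Boot is enabled.
# Each variable adds one Buildroot defconfig fragment. They stay undefined when
# MEASURED_BOOT_FTPM is not y.
ifeq ($(MEASURED_BOOT_FTPM),y)
DEFCONFIG_FTPM ?= --br-defconfig build/br-ext/configs/ftpm_optee
DEFCONFIG_TPM_MODULE ?= --br-defconfig build/br-ext/configs/linux_ftpm
DEFCONFIG_TSS ?= --br-defconfig build/br-ext/configs/tss
endif
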
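################################################################################
# Targets
################################################################################
# `all` and `clean` are commands, not files. Declaring them phony keeps a stray
# file with the same name from silently disabling them.
# ftpm, ftpm-clean and buildroot-clean are not defined in this file and are
# presumably provided by common.mk.
.PHONY: all clean
all: arm-tf optee-os ftpm boot-img linux u-boot
clean: arm-tf-clean boot-img-clean buildroot-clean ftpm-clean optee-os-clean u-boot-clean

include toolchain.mk
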
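################################################################################
# Folders
################################################################################
# Output directory. Other rules list it as an order-only prerequisite (after
# `|`), so it must exist but its timestamp never triggers a rebuild.
$(OUT_PATH):
	mkdir -p $@
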
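################################################################################
# Shared folder
################################################################################
# Enable accessing the host directory FVP_VIRTFS_HOST_DIR from the FVP.
# The shared folder can be mounted in the following ways:
#  - Run 'mount -t 9p -o trans=virtio,version=9p2000.L FM <mount point>' or,
#  - enable FVP_VIRTFS_AUTOMOUNT.
# The latter will use the Buildroot post-build script to add an entry to the
# target's /etc/fstab, mounting the shared directory to FVP_VIRTFS_MOUNTPOINT
# on the FVP.
# Note: the post-build script can only append to fstab. If FVP_VIRTFS_AUTOMOUNT
# is changed from "y" to "n", run 'rm -r ../out-br/build/skeleton-init-sysv' so
# the target's fstab will be replaced with the unmodified original again.
#
# Sharing is off by default. When it is enabled, FVP_VIRTFS_HOST_DIR defaults to
# $(ROOT), so the guest can reach everything under the workspace root. Point it
# at a narrower directory if the guest should only see selected files.
FVP_VIRTFS_ENABLE       ?= n
FVP_VIRTFS_HOST_DIR     ?= $(ROOT)
FVP_VIRTFS_AUTOMOUNT    ?= n
FVP_VIRTFS_MOUNTPOINT   ?= /mnt/host

# Prerequisites of the arm-tf target. Hafnium is built only when the SPMC runs
# at S-EL2 (SPMC_AT_EL=2).
ifeq ($(SPMC_AT_EL),2)
BL32_DEPS               ?= hafnium optee-os
else
BL32_DEPS               ?= optee-os
endif

BL33_BIN                ?= $(UBOOT_BIN)
BL33_DEPS               ?= u-boot

# Automount requires the shared folder itself, so force it on.
# `force` is not defined in this file (presumably provided by common.mk).
ifeq ($(FVP_VIRTFS_AUTOMOUNT),y)
$(call force,FVP_VIRTFS_ENABLE,y,required by FVP_VIRTFS_AUTOMOUNT)
endif

# The post-build script receives the automount switch and the mount point as
# one quoted, space-separated string.
BR2_ROOTFS_POST_BUILD_SCRIPT = $(ROOT)/build/br-ext/board/fvp/post-build.sh
BR2_ROOTFS_POST_SCRIPT_ARGS = "$(FVP_VIRTFS_AUTOMOUNT) $(FVP_VIRTFS_MOUNTPOINT)"
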
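################################################################################
# ARM Trusted Firmware
################################################################################
# Environment prefix for the TF-A sub-make (cross compiler, optionally ccache).
TF_A_EXPORTS ?= \
    CROSS_COMPILE="$(CCACHE)$(AARCH64_CROSS_COMPILE)"

# Base TF-A make arguments for the FVP platform.
# NOTE(review): BL33 is taken from $(UBOOT_BIN) directly, not from BL33_BIN
# (which this file defaults to $(UBOOT_BIN) earlier). Overriding BL33_BIN alone
# therefore does not change what goes into the FIP; confirm this is intended.
TF_A_FLAGS ?= \
    BL33=$(UBOOT_BIN) \
    FVP_USE_GIC_DRIVER=FVP_GICV3 \
    PLAT=fvp \
    DEBUG=$(TF_A_DEBUG) \
    LOG_LEVEL=$(TF_A_LOGLVL)

# Measured Boot also turns on Trusted Board Boot and chain-of-trust generation.
# ARM_ROTPK_LOCATION=devel_rsa and the ROT_KEY path (relative to the TF-A tree)
# select a development root-of-trust key that lives in the source tree. The
# resulting chain of trust is suitable for development and testing on the model
# only; a product build needs its own ROTPK, with the private key kept outside
# the repository.
# Conditional assignments are indented with spaces, never a tab, so they cannot
# be mistaken for recipe lines.
ifneq ($(MEASURED_BOOT),y)
  TF_A_FLAGS += MEASURED_BOOT=0
else
  TF_A_FLAGS += MBEDTLS_DIR=$(ROOT)/mbedtls \
                ARM_ROTPK_LOCATION=devel_rsa \
                GENERATE_COT=1 \
                MEASURED_BOOT=1 \
                ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
                TPM_HASH_ALG=sha256 \
                TRUSTED_BOARD_BOOT=1 \
                EVENT_LOG_LEVEL=20
endif

# BL32 images when OP-TEE is loaded directly as the secure payload.
TF_A_FLAGS_BL32_OPTEE  = BL32=$(OPTEE_OS_HEADER_V2_BIN)
TF_A_FLAGS_BL32_OPTEE += BL32_EXTRA1=$(OPTEE_OS_PAGER_V2_BIN)
TF_A_FLAGS_BL32_OPTEE += BL32_EXTRA2=$(OPTEE_OS_PAGEABLE_V2_BIN)
TF_A_FLAGS_BL32_OPTEE += ARM_TSP_RAM_LOCATION=tdram

# One flag set per SPMC_AT_EL value. The set matching the configured value is
# appended to TF_A_FLAGS below by computing the variable name.
TF_A_FLAGS_SPMC_AT_EL_n  = $(TF_A_FLAGS_BL32_OPTEE) SPD=opteed
TF_A_FLAGS_SPMC_AT_EL_1  = BL32=$(OPTEE_OS_PAGER_V2_BIN) SPD=spmd
TF_A_FLAGS_SPMC_AT_EL_1 += CTX_INCLUDE_EL2_REGS=0 SPMD_SPM_AT_SEL2=0
TF_A_FLAGS_SPMC_AT_EL_1 += ARM_SPMC_MANIFEST_DTS=../build/fvp/spmc_el1_partitions_manifest.dts
TF_A_FLAGS_SPMC_AT_EL_1 += SPMC_OPTEE=1
# With the SPMC at S-EL2, BL32 is the Hafnium binary and OP-TEE is described by
# the SP layout file and the SPMC manifest.
TF_A_FLAGS_SPMC_AT_EL_2  = SPD=spmd
TF_A_FLAGS_SPMC_AT_EL_2 += SP_LAYOUT_FILE=../build/fvp/sp_layout.json
TF_A_FLAGS_SPMC_AT_EL_2 += BL32=$(HAFNIUM_BIN)
TF_A_FLAGS_SPMC_AT_EL_2 += ARM_SPMC_MANIFEST_DTS=../build/fvp/spmc_el2_optee_sp_manifest.dts
TF_A_FLAGS_SPMC_AT_EL_2 += BRANCH_PROTECTION=1
TF_A_FLAGS_SPMC_AT_EL_2 += ENABLE_FEAT_MTE2=1

TF_A_FLAGS += $(TF_A_FLAGS_SPMC_AT_EL_$(SPMC_AT_EL))

# Both targets are commands that delegate to the TF-A makefile, not files.
.PHONY: arm-tf arm-tf-clean

# Build the TF-A images and the FIP once the BL32/BL33 payloads exist.
arm-tf: $(BL32_DEPS) $(BL33_DEPS)
	$(TF_A_EXPORTS) $(MAKE) -C $(TF_A_PATH) $(TF_A_FLAGS) all fip

arm-tf-clean:
	$(TF_A_EXPORTS) $(MAKE) -C $(TF_A_PATH) $(TF_A_FLAGS) clean
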
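################################################################################
# Linux kernel
################################################################################
LINUX_DEFCONFIG_COMMON_ARCH := arm64
# Kconfig fragments for the kernel: the arm64 defconfig plus the FVP fragment.
LINUX_DEFCONFIG_COMMON_FILES ?= \
    $(LINUX_PATH)/arch/arm64/configs/defconfig \
    $(CURDIR)/kconfigs/fvp.conf

# The wrapper targets below are commands, not files. The *-common targets they
# depend on are not defined in this file (presumably provided by common.mk).
.PHONY: linux linux-defconfig linux-defconfig-clean linux-clean linux-cleaner

# linux-ftpm-module always depends on the kernel build. The module install step
# is attached only when the fTPM is enabled; otherwise the target has no recipe.
.PHONY: linux-ftpm-module
linux-ftpm-module: linux
ifeq ($(MEASURED_BOOT_FTPM),y)
linux-ftpm-module:
	$(MAKE) -C $(LINUX_PATH) $(LINUX_COMMON_FLAGS) M=drivers/char/tpm  \
		modules_install INSTALL_MOD_PATH=$(LINUX_PATH)
endif

linux-defconfig: $(LINUX_PATH)/.config

# Appended after the recipe above. That is fine because recipes expand their
# variables when they run, not when they are parsed.
LINUX_COMMON_FLAGS += ARCH=arm64

linux: linux-common

linux-defconfig-clean: linux-defconfig-clean-common

LINUX_CLEAN_COMMON_FLAGS += ARCH=arm64

linux-clean: linux-clean-common

LINUX_CLEANER_COMMON_FLAGS += ARCH=arm64

linux-cleaner: linux-cleaner-common
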
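################################################################################
# OP-TEE
################################################################################
# GICv3 is enabled by default. The SPMC_AT_EL=2 set is appended afterwards and
# contains CFG_ARM_GICV3=n, so for that configuration both settings end up in
# the flag list with the =n one last.
# NOTE(review): presumably the later assignment wins in the OP-TEE build; confirm.
OPTEE_OS_COMMON_FLAGS += CFG_ARM_GICV3=y
OPTEE_OS_COMMON_FLAGS_SPMC_AT_EL_1 = CFG_CORE_SEL1_SPMC=y
OPTEE_OS_COMMON_FLAGS_SPMC_AT_EL_2 = CFG_CORE_SEL2_SPMC=y
OPTEE_OS_COMMON_FLAGS_SPMC_AT_EL_2 += CFG_ARM_GICV3=n CFG_CORE_HAFNIUM_INTC=y
OPTEE_OS_COMMON_FLAGS_SPMC_AT_EL_2 += CFG_CORE_WORKAROUND_NSITR_CACHE_PRIME=n

# Select the set for the configured SPMC_AT_EL. No ..._SPMC_AT_EL_n variable is
# defined here, so for SPMC_AT_EL=n this adds nothing from this file.
OPTEE_OS_COMMON_FLAGS += $(OPTEE_OS_COMMON_FLAGS_SPMC_AT_EL_$(SPMC_AT_EL))

# Measured Boot: enable device tree support and the TPM event log in OP-TEE.
# Indented with spaces, never a tab, so the assignment cannot be mistaken for a
# recipe line.
ifeq ($(MEASURED_BOOT),y)
  OPTEE_OS_COMMON_FLAGS += CFG_DT=y CFG_CORE_TPM_EVENT_LOG=y
endif

# Command targets. The *-common targets and ftpm-clean are not defined in this
# file (presumably provided by common.mk).
.PHONY: optee-os optee-os-clean
optee-os: optee-os-common

optee-os-clean: ftpm-clean optee-os-clean-common
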
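################################################################################
# Hafnium
################################################################################

# Put the selected clang toolchain first on PATH for the Hafnium build.
# The value is quoted and the existing PATH is expanded by the recipe shell
# ($$PATH), so a host PATH containing spaces or shell metacharacters cannot
# split or alter the command line. TOOLCHAIN_ROOT and CLANG_BUILD_VER are not
# defined in this file (presumably provided by toolchain.mk).
HAFNIUM_EXPORTS = PATH="$(TOOLCHAIN_ROOT)/clang-$(CLANG_BUILD_VER)/bin:$$PATH"

# Stamp file: initialise Hafnium's git submodules once. The stamp is created in
# the directory make runs in; delete it to repeat the checkout.
.hafnium_checkout:
	git -C $(HAFNIUM_PATH) submodule update --init
	touch $@

.PHONY: hafnium
hafnium: $(HAFNIUM_BIN)

# The recipe does not name $@; it relies on the Hafnium build writing its output
# to the $(HAFNIUM_BIN) path. The only normal prerequisite is the checkout
# stamp, so once hafnium.bin exists a change in the Hafnium sources does not
# trigger a rebuild. Remove the binary to rebuild it.
$(HAFNIUM_BIN): .hafnium_checkout | $(OUT_PATH)
	$(HAFNIUM_EXPORTS) $(MAKE) -C $(HAFNIUM_PATH) $(HAFNIUM_FLAGS) PLATFORM=secure_aem_v8a_fvp_vhe
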
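################################################################################
# Buildroot
################################################################################

# Adds the fTPM kernel module step as a prerequisite of the Buildroot build.
# The buildroot recipe itself is not in this file (presumably in common.mk).
.PHONY: buildroot
buildroot: linux-ftpm-module
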
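################################################################################
# U-Boot
################################################################################
UBOOT_DEFCONFIG_FILES := $(ROOT)/build/kconfigs/u-boot_fvp.conf

UBOOT_COMMON_FLAGS ?= CROSS_COMPILE=$(CROSS_COMPILE_NS_KERNEL)

# Generate U-Boot's .config from the FVP fragment. The merge script is run from
# inside the U-Boot tree.
$(UBOOT_PATH)/.config: $(UBOOT_DEFCONFIG_FILES)
	cd $(UBOOT_PATH) && scripts/kconfig/merge_config.sh $(UBOOT_DEFCONFIG_FILES)

.PHONY: u-boot-defconfig
u-boot-defconfig: $(UBOOT_PATH)/.config

.PHONY: u-boot
u-boot: u-boot-defconfig
	$(MAKE) -C $(UBOOT_PATH) $(UBOOT_COMMON_FLAGS)

.PHONY: u-boot-clean
u-boot-clean:
	$(MAKE) -C $(UBOOT_PATH) $(UBOOT_COMMON_FLAGS) distclean

# Wrap the boot command text into a U-Boot script image with mkimage.
# $< is the first prerequisite (the command text) and $@ is the script image,
# so the file names are not repeated in the recipe. The phony u-boot
# prerequisite ensures mkimage has been built; it also means this rule is
# re-run on every invocation.
$(UBOOT_BOOT_SCRIPT): $(BUILD_PATH)/fvp/uboot_boot_cmd.txt u-boot | $(OUT_PATH)
	$(MKIMAGE_PATH)/mkimage -A arm64 \
				-O linux \
				-T script \
				-C none \
				-d $< \
				$@
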
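################################################################################
# Boot Image
################################################################################

# Assemble the FAT boot image holding the kernel Image, the device tree (as
# fvp.dtb), the root filesystem (as initrd.img) and the U-Boot boot script.
# The image is built under a temporary name and renamed only after every copy
# has succeeded. A failed build therefore never leaves a partially populated
# $(BOOT_IMG) that a later `run-only` could boot.
.PHONY: boot-img
boot-img: buildroot u-boot $(UBOOT_BOOT_SCRIPT)
	rm -f $(BOOT_IMG) $(BOOT_IMG).tmp
	mformat -i $(BOOT_IMG).tmp -n 64 -h 255 -T 131072 -v "BOOT IMG" -C ::
	mcopy -i $(BOOT_IMG).tmp $(LINUX_PATH)/arch/arm64/boot/Image ::
	mcopy -i $(BOOT_IMG).tmp $(FVP_LINUX_DTB) ::/fvp.dtb
	mcopy -i $(BOOT_IMG).tmp $(ROOT)/out-br/images/rootfs.cpio.gz ::/initrd.img
	mcopy -i $(BOOT_IMG).tmp $(UBOOT_BOOT_SCRIPT) ::
	mv -f $(BOOT_IMG).tmp $(BOOT_IMG)

.PHONY: boot-img-clean
boot-img-clean:
	rm -f $(BOOT_IMG) $(BOOT_IMG).tmp
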
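################################################################################
# Run targets
################################################################################
# `run` and `run-only` are commands, not files.
.PHONY: run run-only

# This target enforces updating root fs etc
run: all
	$(MAKE) run-only

# Model parameters. bl1.bin and fip.bin are loaded from the TF-A build
# directory named by TF_A_BUILD, and the boot image is attached as a virtio
# block device. Every core's semihosting working directory is set to
# $(BINARIES_PATH) on the host.
FVP_ARGS ?= \
    -C bp.ve_sysregs.exit_on_shutdown=1 \
    -C cache_state_modelled=0 \
    -C pctl.startup=0.0.0.0 \
    -C cluster0.NUM_CORES=4 \
    -C cluster0.cpu0.enable_crc32=1 \
    -C cluster0.cpu1.enable_crc32=1 \
    -C cluster0.cpu2.enable_crc32=1 \
    -C cluster0.cpu3.enable_crc32=1 \
    -C cluster0.cpu0.semihosting-cwd="$(BINARIES_PATH)" \
    -C cluster0.cpu1.semihosting-cwd="$(BINARIES_PATH)" \
    -C cluster0.cpu2.semihosting-cwd="$(BINARIES_PATH)" \
    -C cluster0.cpu3.semihosting-cwd="$(BINARIES_PATH)" \
    -C cluster1.NUM_CORES=4 \
    -C cluster1.cpu0.enable_crc32=1 \
    -C cluster1.cpu1.enable_crc32=1 \
    -C cluster1.cpu2.enable_crc32=1 \
    -C cluster1.cpu3.enable_crc32=1 \
    -C cluster1.cpu0.semihosting-cwd="$(BINARIES_PATH)" \
    -C cluster1.cpu1.semihosting-cwd="$(BINARIES_PATH)" \
    -C cluster1.cpu2.semihosting-cwd="$(BINARIES_PATH)" \
    -C cluster1.cpu3.semihosting-cwd="$(BINARIES_PATH)" \
    -C bp.secure_memory=1 \
    -C bp.secureflashloader.fname=$(TF_A_PATH)/build/fvp/$(TF_A_BUILD)/bl1.bin \
    -C bp.flashloader0.fname=$(TF_A_PATH)/build/fvp/$(TF_A_BUILD)/fip.bin \
    -C bp.virtioblockdevice.image_path=$(BOOT_IMG)

# The conditional additions below are indented with spaces, never a tab, so
# they cannot be mistaken for recipe lines of the `run` rule above.

# SPMC at S-EL2: enable the architecture features on both clusters (pointer
# authentication, branch target exceptions, memory tagging, ...) together with
# the extended GIC ranges and the SMMUv3 ID register values for this setup.
ifeq ($(SPMC_AT_EL),2)
  FVP_ARGS += -C cluster0.gicv3.extended-interrupt-range-support=1 \
              -C cluster0.has_generic_authentication=1 \
              -C cluster0.has_pointer_authentication=2 \
              -C cluster0.has_branch_target_exception=1 \
              -C cluster0.has_arm_v8-4=1 \
              -C cluster0.has_large_system_ext=1 \
              -C cluster0.has_large_va=1 \
              -C cluster0.has_rndr=1 \
              -C cluster0.memory_tagging_support_level=3 \
              -C cluster1.gicv3.extended-interrupt-range-support=1 \
              -C cluster1.has_generic_authentication=1 \
              -C cluster1.has_pointer_authentication=2 \
              -C cluster1.has_branch_target_exception=1 \
              -C cluster1.has_arm_v8-4=1 \
              -C cluster1.has_large_system_ext=1 \
              -C cluster1.has_large_va=1 \
              -C cluster1.has_rndr=1 \
              -C cluster1.memory_tagging_support_level=3 \
              -C gic_distributor.extended-ppi-count=64 \
              -C gic_distributor.extended-spi-count=1024 \
              -C pci.pci_smmuv3.mmu.SMMU_AIDR=0x2 \
              -C pci.pci_smmuv3.mmu.SMMU_IDR0=0x0046123B \
              -C pci.pci_smmuv3.mmu.SMMU_IDR1=0x00600002 \
              -C pci.pci_smmuv3.mmu.SMMU_IDR3=0x1714 \
              -C pci.pci_smmuv3.mmu.SMMU_IDR5=0xFFFF0475 \
              -C pci.pci_smmuv3.mmu.SMMU_S_IDR1=0xA0000002 \
              -C pci.pci_smmuv3.mmu.SMMU_S_IDR2=0 \
              -C pci.pci_smmuv3.mmu.SMMU_S_IDR3=0
endif
# User-mode networking with port mappings 5555=5555, 8080=80 and 8022=22.
# NOTE(review): presumably host port = guest port, which would make the guest's
# services on ports 5555, 80 and 22 reachable through the host. Confirm which
# host address the model binds to, and firewall these ports if the host is on a
# shared network.
ifeq ($(FVP_NETWORK_SUPPORT),y)
  FVP_ARGS += -C bp.hostbridge.userNetworking=true \
              -C bp.hostbridge.userNetPorts="5555=5555,8080=80,8022=22" \
              -C bp.smsc_91c111.enabled=1 \
              -C bp.smsc_91c111.mac_address=auto \
              -C bp.virtio_net.enabled=1 \
              -C bp.virtio_net.hostbridge.userNetworking=1
endif
# Headless operation: disable the visualisation window, do not start telnet on
# terminals 0-3, and put terminals 1-3 into raw mode.
ifeq ($(FVP_NO_VISUALISATION),y)
  FVP_ARGS += -C bp.vis.disable_visualisation=1 \
              -C bp.terminal_0.start_telnet=0 \
              -C bp.terminal_1.mode=raw \
              -C bp.terminal_1.start_telnet=0 \
              -C bp.terminal_2.mode=raw \
              -C bp.terminal_2.start_telnet=0 \
              -C bp.terminal_3.mode=raw \
              -C bp.terminal_3.start_telnet=0
endif
# Write the output of UART2 to a file.
# NOTE(review): TS_LOGGING_SP_LOG is not defined in this file; confirm it is set
# whenever TS_LOGGING_SP=y, otherwise out_file= is passed an empty value.
ifeq ($(TS_LOGGING_SP),y)
  FVP_ARGS += -C bp.pl011_uart2.out_file=$(TS_LOGGING_SP_LOG)
endif
# Expose FVP_VIRTFS_HOST_DIR to the guest through the virtio 9p device.
ifeq ($(FVP_VIRTFS_ENABLE),y)
  FVP_ARGS += -C bp.virtiop9device.root_path=$(FVP_VIRTFS_HOST_DIR)
endif

# Start the model without rebuilding anything. FVP_EXTRA_ARGS is appended last
# so additional model options can be passed from the command line.
run-only:
	$(FVP_PATH)/$(FVP_BIN) $(FVP_ARGS) $(FVP_EXTRA_ARGS)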