uefi-firmware.nix
# Builds the NVIDIA Jetson UEFI firmware (EDK2) from NVIDIA's source forks.
{ lib, stdenv, buildPackages, fetchFromGitHub, fetchpatch, runCommand, edk2, acpica-tools,
dtc, python3, bc, imagemagick, unixtools, applyPatches, nukeReferences,
# L4T release string. It is interpolated into the upstream tag names fetched in this
# file and passed to the firmware build as BUILDID_STRING.
l4tVersion,
# Optional path to a boot logo that will be converted and cropped into the format required
bootLogo ? null,
# Patches to apply to edk2-nvidia source tree
edk2NvidiaPatches ? [],
# Selects the EDK2 DEBUG build target instead of RELEASE.
debugMode ? false,
errorLevelInfo ? debugMode, # Enables a bunch more info messages
# The root certificate (in PEM format) for authenticating capsule updates. Only the
# public certificate belongs here. When this is left null, EDK2 authenticates capsules
# using a test keypair committed upstream; that keypair is publicly available, so
# capsule signature checks give no real authenticity guarantee until a privately
# held root is configured here.
trustedPublicCertPemFile ? null,
}:
let
# TODO: Move this generation out of uefi-firmware.nix, because this .nix
# file is callPackage'd using an aarch64 version of nixpkgs, and we don't
# want to have to recompile imagemagick
#
# Renders bootLogo as three BMP3 bitmaps (1920x1080, 1280x720 and 640x480), each
# resized and centered on a canvas of exactly that size. The only use of this value
# is guarded by `bootLogo != null` in edk2-nvidia's postPatch, so with the default
# null logo it is never evaluated.
bootLogoVariants = runCommand "uefi-bootlogo" { nativeBuildInputs = [ buildPackages.buildPackages.imagemagick ]; } ''
mkdir -p $out
convert ${bootLogo} -resize 1920x1080 -gravity Center -extent 1920x1080 -format bmp -define bmp:format=bmp3 $out/logo1080.bmp
convert ${bootLogo} -resize 1280x720 -gravity Center -extent 1280x720 -format bmp -define bmp:format=bmp3 $out/logo720.bmp
convert ${bootLogo} -resize 640x480 -gravity Center -extent 640x480 -format bmp -define bmp:format=bmp3 $out/logo480.bmp
'';
###
# See: https://github.com/NVIDIA/edk2-edkrepo-manifest/blob/main/edk2-nvidia/Jetson/NVIDIAJetsonManifest.xml
#
# NVIDIA's fork of edk2 at the tag for this L4T release, including its submodules.
# The tag name is built from l4tVersion but the sha256 is fixed, so the hash must be
# updated together with l4tVersion. With a stale hash Nix either reports a mismatch
# or reuses an already-present store path that holds the old source.
edk2-src = fetchFromGitHub {
owner = "NVIDIA";
repo = "edk2";
rev = "r${l4tVersion}-edk2-stable202208";
fetchSubmodules = true;
sha256 = "sha256-PTbNxbncfSvxLW2XmdRHzUy+w5+1Blpk62DJpxDmedA=";
};
# NVIDIA's fork of edk2-platforms at the tag for this L4T release. The firmware
# build puts it on PACKAGES_PATH. The content is pinned by the fixed sha256, which
# has to change whenever l4tVersion does.
edk2-platforms = fetchFromGitHub {
owner = "NVIDIA";
repo = "edk2-platforms";
rev = "r${l4tVersion}-upstream-20220830";
sha256 = "sha256-PjAJEbbswOLYupMg/xEqkAOJuAC8SxNsQlb9YBswRfo=";
};
# NVIDIA's fork of edk2-non-osi at the tag for this L4T release. The firmware
# build puts it on PACKAGES_PATH. The content is pinned by the fixed sha256, which
# has to change whenever l4tVersion does.
edk2-non-osi = fetchFromGitHub {
owner = "NVIDIA";
repo = "edk2-non-osi";
rev = "r${l4tVersion}-upstream-20220830";
sha256 = "sha256-EPtI63jYhEIo4uVTH3lUt9NC/lK5vPVacUAc5qgmz9M=";
};
# edk2-nvidia fetched at a full commit hash (not an l4tVersion tag), with patches
# and optional source tweaks applied on top.
edk2-nvidia = applyPatches {
src = fetchFromGitHub {
owner = "NVIDIA";
repo = "edk2-nvidia";
rev = "2c81e0fc74f703012dd3b2f18da5be256e142fe3"; # Latest on r35.3.1-updates as of 2023-05-17
sha256 = "sha256-Qh1g+8a7ZcFG4VmwH+xDix6dpZ881HaNRE/FJoaRljw=";
};
# Patch order: caller-supplied edk2NvidiaPatches first, then one upstream commit
# (fetched as a patch and pinned by its own hash), then the local
# capsule-authentication.patch.
# NOTE(review): capsule-authentication.patch is not visible here; presumably it is
# what consumes the CUSTOM_CAPSULE_CERT define and the generated certificate .inc
# files from the firmware build. Confirm against the patch.
patches = edk2NvidiaPatches ++ [
(fetchpatch {
url = "https://github.com/NVIDIA/edk2-nvidia/commit/9604259b0d11c049f6a3eb5365a3ae10cfb9e6d9.patch";
hash = "sha256-v/WEwcSNjBXeN0eXVzzl31dn6mq78wIm0u5lW1jGcdE=";
})
./capsule-authentication.patch
];
# errorLevelInfo: rewrites PcdDebugPrintErrorLevel to 0x8000004F in NVIDIA.common.dsc.inc.
# bootLogo: overwrites the three nvidiagray*.bmp assets with the generated variants.
postPatch = lib.optionalString errorLevelInfo ''
sed -i 's#PcdDebugPrintErrorLevel|.*#PcdDebugPrintErrorLevel|0x8000004F#' Platform/NVIDIA/NVIDIA.common.dsc.inc
'' + lib.optionalString (bootLogo != null) ''
cp ${bootLogoVariants}/logo1080.bmp Silicon/NVIDIA/Assets/nvidiagray1080.bmp
cp ${bootLogoVariants}/logo720.bmp Silicon/NVIDIA/Assets/nvidiagray720.bmp
cp ${bootLogoVariants}/logo480.bmp Silicon/NVIDIA/Assets/nvidiagray480.bmp
'';
};
# NVIDIA's edk2-nvidia-non-osi repository at the tag for this L4T release. The
# firmware build puts it on PACKAGES_PATH. The content is pinned by the fixed
# sha256, which has to change whenever l4tVersion does.
edk2-nvidia-non-osi = fetchFromGitHub {
owner = "NVIDIA";
repo = "edk2-nvidia-non-osi";
rev = "r${l4tVersion}";
sha256 = "sha256-27PTl+svZUocmU6r/8FdqqI9rwHAi+6zSFs4fBA13Ks=";
};
# nixpkgs' edk2 package rebuilt from NVIDIA's fork; the firmware build copies its
# BaseTools directory.
edk2-jetson = edk2.overrideAttrs (_prev: { src = edk2-src; });

# Build-platform Python with tkinter, used as a native build input of the firmware build.
pythonEnv = buildPackages.python3.withPackages (pyPkgs: [ pyPkgs.tkinter ]);

# EDK2 architecture name passed to `build -a`.
# Note: the uefi-firmware packaging step reads its inputs from AARCH64/ paths only.
targetArch =
  if stdenv.isi686 then "IA32"
  else if stdenv.isx86_64 then "X64"
  else if stdenv.isAarch64 then "AARCH64"
  else throw "Unsupported architecture";

# EDK2 toolchain tag passed to `build -t`.
buildType = if stdenv.isDarwin then "CLANGPDB" else "GCC5";

# EDK2 build target passed to `build -b`, chosen by debugMode.
buildTarget = if !debugMode then "RELEASE" else "DEBUG";
# The firmware build proper: runs the EDK2 `build` tool on
# Platform/NVIDIA/Jetson/Jetson.dsc and installs the resulting build tree as $out.
jetson-edk2-uefi =
# TODO: edk2.mkDerivation doesn't have a way to override the edk version used!
# Make it not via passthru ?
stdenv.mkDerivation {
pname = "jetson-edk2-uefi";
version = l4tVersion;
# Initialize the build dir with the build tools from edk2
src = edk2-src;
depsBuildBuild = [ buildPackages.stdenv.cc ];
nativeBuildInputs = [ bc pythonEnv acpica-tools dtc unixtools.whereis ];
strictDeps = true;
NIX_CFLAGS_COMPILE = [
# NOTE(review): nixpkgs' "format" hardening normally makes format-security
# diagnostics fatal. This flag downgrades them to warnings, so a non-literal
# format string in the firmware sources no longer fails the build.
"-Wno-error=format-security" # TODO: Fix underlying issue
# Workaround for ../Silicon/NVIDIA/Drivers/EqosDeviceDxe/nvethernetrm/osi/core/osi_hal.c:1428: undefined reference to `__aarch64_ldadd4_sync'
"-mno-outline-atomics"
];
# Dynamic attribute name (e.g. GCC5_AARCH64_PREFIX) carrying the compiler's target prefix.
# NOTE(review): the name is always GCC5_*, even when buildType is CLANGPDB.
${"GCC5_${targetArch}_PREFIX"} = stdenv.cc.targetPrefix;
# From edk2-nvidia/Silicon/NVIDIA/edk2nv/stuart/settings.py
PACKAGES_PATH = lib.concatStringsSep ":" [
"${edk2-src}/BaseTools" # TODO: Is this needed?
edk2-src edk2-platforms edk2-non-osi edk2-nvidia edk2-nvidia-non-osi
"${edk2-platforms}/Features/Intel/OutOfBandManagement"
];
enableParallelBuilding = true;
# Replace the BaseTools from the source tree with the copy from edk2-jetson,
# made writable because files copied out of the store are read-only.
prePatch = ''
rm -rf BaseTools
cp -r ${edk2-jetson}/BaseTools BaseTools
chmod -R u+w BaseTools
'';
# Sets up the EDK2 workspace. When trustedPublicCertPemFile is given, the PEM
# certificate is converted to DER and BinToPcd.py turns it into two PCD include
# files (PcdPkcs7CertBuffer and PcdFmpDevicePkcs7CertBufferXdr).
# If trustedPublicCertPemFile is a Nix path, interpolating it copies the file into
# the world-readable Nix store, so it must hold only the public certificate and
# never the capsule signing key.
configurePhase = ''
runHook preConfigure
export WORKSPACE="$PWD"
source ./edksetup.sh BaseTools
${lib.optionalString (trustedPublicCertPemFile != null) ''
echo Using ${trustedPublicCertPemFile} as public certificate for capsule verification
${lib.getExe buildPackages.openssl} x509 -outform DER -in ${trustedPublicCertPemFile} -out PublicCapsuleKey.cer
python3 BaseTools/Scripts/BinToPcd.py -p gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer -i PublicCapsuleKey.cer -o PublicCapsuleKey.cer.gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer.inc
python3 BaseTools/Scripts/BinToPcd.py -x -p gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr -i PublicCapsuleKey.cer -o PublicCapsuleKey.cer.gFmpDevicePkgTokenSpaceGuid.PcdFmpDevicePkcs7CertBufferXdr.inc
''}
runHook postConfigure
'';
# BUILD_DATE_TIME is derived from SOURCE_DATE_EPOCH rather than the wall clock.
# -D CUSTOM_CAPSULE_CERT is passed only when a certificate was supplied. Without
# it the build keeps EDK2's default capsule verification key, which the argument
# documentation at the top of this file describes as the upstream test keypair.
buildPhase = ''
runHook preBuild
# The BUILDID_STRING and BUILD_DATE_TIME are used
# just by nvidia, not generic edk2
build -a ${targetArch} -b ${buildTarget} -t ${buildType} -p Platform/NVIDIA/Jetson/Jetson.dsc -n $NIX_BUILD_CORES \
-D BUILDID_STRING=${l4tVersion} \
-D BUILD_DATE_TIME="$(date --utc --iso-8601=seconds --date=@$SOURCE_DATE_EPOCH)" \
${lib.optionalString (trustedPublicCertPemFile != null) "-D CUSTOM_CAPSULE_CERT"} \
$buildFlags
runHook postBuild
'';
# Moves the entries matched by Build/*/* to $out.
installPhase = ''
runHook preInstall
mv -v Build/*/* $out
runHook postInstall
'';
};
# Packages the build products: runs FV/UEFI_NS.Fv and AARCH64/L4TLauncher.efi through
# NVIDIA's FormatUefiBinary.py, and copies each built .dtb into dtbs/ with a .dtbo
# extension.
# Only uefi_jetson.bin is passed through nuke-refs.
# NOTE(review): L4TLauncher.efi and the .dtbo files are emitted without that step;
# confirm they embed no store-path references.
uefi-firmware = runCommand "uefi-firmware-${l4tVersion}" {
nativeBuildInputs = [ python3 nukeReferences ];
} ''
mkdir -p $out
python3 ${edk2-nvidia}/Silicon/NVIDIA/Tools/FormatUefiBinary.py \
${jetson-edk2-uefi}/FV/UEFI_NS.Fv \
$out/uefi_jetson.bin
python3 ${edk2-nvidia}/Silicon/NVIDIA/Tools/FormatUefiBinary.py \
${jetson-edk2-uefi}/AARCH64/L4TLauncher.efi \
$out/L4TLauncher.efi
mkdir -p $out/dtbs
for filename in ${jetson-edk2-uefi}/AARCH64/Silicon/NVIDIA/Tegra/DeviceTree/DeviceTree/OUTPUT/*.dtb; do
cp $filename $out/dtbs/$(basename "$filename" ".dtb").dtbo
done
# Get rid of any string references to source(s)
nuke-refs $out/uefi_jetson.bin
'';
in {
# Exposed results: edk2-jetson is nixpkgs' edk2 built from NVIDIA's fork, and
# uefi-firmware is the packaged firmware image, launcher and device trees.
inherit edk2-jetson uefi-firmware;
}