Merge commit '99665eb45f58d959d2cb9e49ddb960c79d596f33'

1 files changed, 24 insertions, 8 deletions

diff --git a/nixpkgs/pkgs/misc/arm-trusted-firmware/default.nix b/nixpkgs/pkgs/misc/arm-trusted-firmware/default.nix
index 49fdc7a829c5..9531324b14a9 100644
--- a/nixpkgs/pkgs/misc/arm-trusted-firmware/default.nix
+++ b/nixpkgs/pkgs/misc/arm-trusted-firmware/default.nix
@@ -1,7 +1,12 @@
 { lib, stdenv, fetchFromGitHub, openssl, pkgsCross, buildPackages
 
-# Warning: this blob runs on the main CPU (not the GPU) at privilege
-# level EL3, which is above both the kernel and the hypervisor.
+# Warning: this blob (hdcp.bin) runs on the main CPU (not the GPU) at
+# privilege level EL3, which is above both the kernel and the
+# hypervisor.
+#
+# This parameter applies only to platforms which are believed to use
+# hdcp.bin. On all other platforms, or if unfreeIncludeHDCPBlob=false,
+# hdcp.bin will be deleted before building.
 , unfreeIncludeHDCPBlob ? true
 }:
 
@@ -9,27 +14,36 @@ let
   buildArmTrustedFirmware = { filesToInstall
             , installDir ? "$out"
             , platform ? null
+            , platformCanUseHDCPBlob ? false  # set this to true if the platform is able to use hdcp.bin
             , extraMakeFlags ? []
             , extraMeta ? {}
-            , version ? "2.6"
             , ... } @ args:
-           stdenv.mkDerivation ({
+
+           # delete hdcp.bin if either: the platform is thought to
+           # not need it or unfreeIncludeHDCPBlob is false
+           let deleteHDCPBlobBeforeBuild = !platformCanUseHDCPBlob || !unfreeIncludeHDCPBlob; in
+
+           stdenv.mkDerivation (rec {
 
     pname = "arm-trusted-firmware${lib.optionalString (platform != null) "-${platform}"}";
-    inherit version;
+    version = "2.7";
 
     src = fetchFromGitHub {
       owner = "ARM-software";
       repo = "arm-trusted-firmware";
       rev = "v${version}";
-      sha256 = "sha256-qT9DdTvMcUrvRzgmVf2qmKB+Rb1WOB4p1rM+fsewGcg=";
+      sha256 = "sha256-WDJMMIWZHNqxxAKeHiZDxtPjfsfQAWsbYv+0o0PiJQs=";
     };
 
-    patches = lib.optionals (!unfreeIncludeHDCPBlob) [
+    patches = lib.optionals deleteHDCPBlobBeforeBuild [
       # this is a rebased version of https://gitlab.com/vicencb/kevinboot/-/blob/master/atf.patch
       ./remove-hdcp-blob.patch
     ];
 
+    postPatch = lib.optionalString deleteHDCPBlobBeforeBuild ''
+      rm plat/rockchip/rk3399/drivers/dp/hdcp.bin
+    '';
+
     depsBuildBuild = [ buildPackages.stdenv.cc ];
 
     # For Cortex-M0 firmware in RK3399
@@ -60,7 +74,7 @@ let
     meta = with lib; {
       homepage = "https://github.com/ARM-software/arm-trusted-firmware";
       description = "A reference implementation of secure world software for ARMv8-A";
-      license = (if unfreeIncludeHDCPBlob then [ licenses.unfreeRedistributable ] else []) ++ [ licenses.bsd3 ];
+      license = [ licenses.bsd3 ] ++ lib.optionals (!deleteHDCPBlobBeforeBuild) [ licenses.unfreeRedistributable ];
       maintainers = with maintainers; [ lopsided98 ];
     } // extraMeta;
   } // builtins.removeAttrs args [ "extraMeta" ]);
@@ -111,6 +125,7 @@ in {
     platform = "rk3328";
     extraMeta.platforms = ["aarch64-linux"];
     filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
+    platformCanUseHDCPBlob = true;
   };
 
   armTrustedFirmwareRK3399 = buildArmTrustedFirmware rec {
@@ -118,6 +133,7 @@ in {
     platform = "rk3399";
     extraMeta.platforms = ["aarch64-linux"];
     filesToInstall = [ "build/${platform}/release/bl31/bl31.elf"];
+    platformCanUseHDCPBlob = true;
   };
 
   armTrustedFirmwareS905 = buildArmTrustedFirmware rec {