Yu-Ping Wu has submitted this change. ( https://review.coreboot.org/c/coreboot/+/83111?usp=email )
Change subject: arch/arm64: Add Kconfig option ARM64_BL31_OPTEE_WITH_SMC ......................................................................
arch/arm64: Add Kconfig option ARM64_BL31_OPTEE_WITH_SMC
Add a new Kconfig option ARM64_BL31_OPTEE_WITH_SMC to control whether to build the OP-TEE dispatcher for BL31. This config also enables the BL31 build option OPTEE_ALLOW_SMC_LOAD, which allows loading the OP-TEE image after boot via a Secure Monitor Call (SMC). For ChromeOS devices, CROS_WIDEVINE_SMC is also enabled to allow passing secrets from firmware to OP-TEE.
BUG=b:347851571 TEST=emerge-geralt coreboot BRANCH=geralt
Change-Id: I4dcf82d47b537146d71ce3cd2050ec597ed0734f Signed-off-by: Yu-Ping Wu yupingso@chromium.org Reviewed-on: https://review.coreboot.org/c/coreboot/+/83111 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Julius Werner jwerner@chromium.org --- M src/arch/arm64/Kconfig M src/arch/arm64/Makefile.mk 2 files changed, 18 insertions(+), 0 deletions(-)
Approvals: Julius Werner: Looks good to me, approved build bot (Jenkins): Verified
diff --git a/src/arch/arm64/Kconfig b/src/arch/arm64/Kconfig
index 2d71067..af5050b 100644
--- a/src/arch/arm64/Kconfig
+++ b/src/arch/arm64/Kconfig
@@ -46,6 +46,15 @@
 default n
 depends on ARCH_RAMSTAGE_ARM64 && ARM64_CURRENT_EL = 3
+config ARM64_BL31_OPTEE_WITH_SMC
+ bool "Build OP-TEE dispatcher for BL31 and allow loading via an SMC"
+ default n
+ depends on ARM64_USE_ARM_TRUSTED_FIRMWARE
+ help
+ This option adds support for building the OP-TEE Secure Payload Dispatcher
+ (SPD) for BL31, and allows loading the OP-TEE image via a Secure Monitor Call
+ (SMC).
+
 config ARM64_BL31_EXTERNAL_FILE
 string "Path to external BL31.ELF (leave empty to build from source)"
 depends on ARM64_USE_ARM_TRUSTED_FIRMWARE
diff --git a/src/arch/arm64/Makefile.mk b/src/arch/arm64/Makefile.mk
index 6499283..cb43897 100644
--- a/src/arch/arm64/Makefile.mk
+++ b/src/arch/arm64/Makefile.mk
@@ -185,6 +185,15 @@
 # Set a consistent build timestamp: the same coreboot has
 BL31_MAKEARGS += BUILD_MESSAGE_TIMESTAMP='"$(shell sed -n 's/^.define COREBOOT_BUILD>.*"(.*)".*/\1/p' $(obj)/build.h)"'
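Review bot: The help text of ARM64_BL31_OPTEE_WITH_SMC in src/arch/arm64/Kconfig explains the mechanism but not its trust consequence: once the OP-TEE image is loaded by an SMC after boot, the normal-world code that runs before that call is part of the secure world's trust chain. I would add a sentence such as `Only enable this where the code issuing the load SMC is verified and runs before any untrusted code.` The help also omits that CHROMEOS builds get CROS_WIDEVINE_SMC as well (per the commit message and the Makefile.mk hunk), which passes firmware secrets to OP-TEE, so `On CHROMEOS builds this also enables CROS_WIDEVINE_SMC.` belongs there too. The option can presumably still be selected with a non-empty ARM64_BL31_EXTERNAL_FILE, where the added make arguments would have no effect; a line in the help saying it applies only when BL31 is built from source would avoid assuming the dispatcher is present.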
+ifeq ($(CONFIG_ARM64_BL31_OPTEE_WITH_SMC),y)
+BL31_MAKEARGS += SPD=opteed
+BL31_MAKEARGS += OPTEE_ALLOW_SMC_LOAD=1
+BL31_MAKEARGS += PLAT_XLAT_TABLES_DYNAMIC=1
+ifeq ($(CONFIG_CHROMEOS),y)
+BL31_MAKEARGS += CROS_WIDEVINE_SMC=1
+endif
+endif # CONFIG_ARM64_BL31_OPTEE_WITH_SMC
+
 BL31_CFLAGS := -fno-pic -fno-stack-protector -Wno-deprecated-declarations -Wno-unused-function
 BL31_LDFLAGS := -Wl,--emit-relocs
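Review bot: The new `ifeq ($(CONFIG_ARM64_BL31_OPTEE_WITH_SMC),y)` block has no comment saying why these arguments belong together or what the nested CHROMEOS branch implies for security. `PLAT_XLAT_TABLES_DYNAMIC=1` looks like a prerequisite of the SMC load path rather than an independent choice (inferred, the hunk does not say), so a comment above the block such as `# OP-TEE is loaded after boot via SMC; dynamic xlat tables are set for that path (confirm against TF-A build docs).` would stop someone dropping it later. `CROS_WIDEVINE_SMC=1` is set for every CHROMEOS build that enables the option, with no Kconfig knob of its own, even though it is the part that passes secrets to OP-TEE; I would mark the inner `ifeq` with `# Lets firmware pass secrets to OP-TEE; only meaningful together with the SMC load above.` The closing `endif` is already labelled, and the inner one could be labelled `# CONFIG_CHROMEOS` to match.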