Gitiles
Code Review Sign In
review.coreboot.org / coreboot / 3ac5fb3091972bc8973b86e3e4ba863bc0c323b3^! / .
commit3ac5fb3091972bc8973b86e3e4ba863bc0c323b3[log] [tgz]
authorYu-Ping Wu <yupingso@chromium.org>Tue Jun 18 15:55:43 2024 +0800
committerYu-Ping Wu <yupingso@google.com>Fri Jun 21 01:49:43 2024 +0000
treed9f09bf5aa2a4584b5ac9c8cc67d69fcb72563d1
parent063c594e9f036dcc16f9ef134350ce8be2e8f45f [diff]
arch/arm64: Add Kconfig option ARM64_BL31_OPTEE_WITH_SMC

Add a new Kconfig option ARM64_BL31_OPTEE_WITH_SMC to control whether to
build the OP-TEE dispatcher for BL31. This config also enables the BL31
build option OPTEE_ALLOW_SMC_LOAD, which allows loading the OP-TEE image
after boot via a Secure Monitor Call (SMC). For ChromeOS devices,
CROS_WIDEVINE_SMC is also enabled to allow passing secrets from firmware
to OP-TEE.

BUG=b:347851571
TEST=emerge-geralt coreboot
BRANCH=geralt

Change-Id: I4dcf82d47b537146d71ce3cd2050ec597ed0734f
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/83111
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>

diff --git a/src/arch/arm64/Kconfig b/src/arch/arm64/Kconfig
index 2d71067..af5050b 100644
--- a/src/arch/arm64/Kconfig
+++ b/src/arch/arm64/Kconfig

@@ -46,6 +46,15 @@
 	default n
 	depends on ARCH_RAMSTAGE_ARM64 && ARM64_CURRENT_EL = 3
 
+config ARM64_BL31_OPTEE_WITH_SMC
+	bool "Build OP-TEE dispatcher for BL31 and allow loading via an SMC"
+	default n
+	depends on ARM64_USE_ARM_TRUSTED_FIRMWARE
+	help
+	  This option adds support for building the OP-TEE Secure Payload Dispatcher
+	  (SPD) for BL31, and allows loading the OP-TEE image via a Secure Monitor Call
+	  (SMC).
+
 config ARM64_BL31_EXTERNAL_FILE
 	string "Path to external BL31.ELF (leave empty to build from source)"
 	depends on ARM64_USE_ARM_TRUSTED_FIRMWARE

diff --git a/src/arch/arm64/Makefile.mk b/src/arch/arm64/Makefile.mk
index 6499283..cb43897 100644
--- a/src/arch/arm64/Makefile.mk
+++ b/src/arch/arm64/Makefile.mk

@@ -185,6 +185,15 @@
 # Set a consistent build timestamp: the same coreboot has
 BL31_MAKEARGS += BUILD_MESSAGE_TIMESTAMP='"$(shell sed -n 's/^.define COREBOOT_BUILD\>.*"\(.*\)".*/\1/p' $(obj)/build.h)"'
 
+ifeq ($(CONFIG_ARM64_BL31_OPTEE_WITH_SMC),y)
+BL31_MAKEARGS += SPD=opteed
+BL31_MAKEARGS += OPTEE_ALLOW_SMC_LOAD=1
+BL31_MAKEARGS += PLAT_XLAT_TABLES_DYNAMIC=1
+ifeq ($(CONFIG_CHROMEOS),y)
+BL31_MAKEARGS += CROS_WIDEVINE_SMC=1
+endif
+endif # CONFIG_ARM64_BL31_OPTEE_WITH_SMC
+
 BL31_CFLAGS := -fno-pic -fno-stack-protector -Wno-deprecated-declarations -Wno-unused-function
 BL31_LDFLAGS := -Wl,--emit-relocs