1# 2# Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved. 3# 4# SPDX-License-Identifier: BSD-3-Clause 5# 6 7include common/fdt_wrappers.mk 8 9ifeq (${ARCH}, aarch64) 10 # On ARM standard platorms, the TSP can execute from Trusted SRAM, Trusted 11 # DRAM (if available) or the TZC secured area of DRAM. 12 # TZC secured DRAM is the default. 13 14 ARM_TSP_RAM_LOCATION ?= dram 15 16 ifeq (${ARM_TSP_RAM_LOCATION}, tsram) 17 ARM_TSP_RAM_LOCATION_ID = ARM_TRUSTED_SRAM_ID 18 else ifeq (${ARM_TSP_RAM_LOCATION}, tdram) 19 ARM_TSP_RAM_LOCATION_ID = ARM_TRUSTED_DRAM_ID 20 else ifeq (${ARM_TSP_RAM_LOCATION}, dram) 21 ARM_TSP_RAM_LOCATION_ID = ARM_DRAM_ID 22 else 23 $(error "Unsupported ARM_TSP_RAM_LOCATION value") 24 endif 25 26 # Process flags 27 # Process ARM_BL31_IN_DRAM flag 28 ARM_BL31_IN_DRAM := 0 29 $(eval $(call assert_boolean,ARM_BL31_IN_DRAM)) 30 $(eval $(call add_define,ARM_BL31_IN_DRAM)) 31else 32 ARM_TSP_RAM_LOCATION_ID = ARM_TRUSTED_SRAM_ID 33endif 34 35$(eval $(call add_define,ARM_TSP_RAM_LOCATION_ID)) 36 37 38# For the original power-state parameter format, the State-ID can be encoded 39# according to the recommended encoding or zero. This flag determines which 40# State-ID encoding to be parsed. 41ARM_RECOM_STATE_ID_ENC := 0 42 43# If the PSCI_EXTENDED_STATE_ID is set, then ARM_RECOM_STATE_ID_ENC need to 44# be set. Else throw a build error. 45ifeq (${PSCI_EXTENDED_STATE_ID}, 1) 46 ifeq (${ARM_RECOM_STATE_ID_ENC}, 0) 47 $(error Build option ARM_RECOM_STATE_ID_ENC needs to be set if \ 48 PSCI_EXTENDED_STATE_ID is set for ARM platforms) 49 endif 50endif 51 52# Process ARM_RECOM_STATE_ID_ENC flag 53$(eval $(call assert_boolean,ARM_RECOM_STATE_ID_ENC)) 54$(eval $(call add_define,ARM_RECOM_STATE_ID_ENC)) 55 56# Process ARM_DISABLE_TRUSTED_WDOG flag 57# By default, Trusted Watchdog is always enabled unless 58# SPIN_ON_BL1_EXIT or ENABLE_RME is set 59ARM_DISABLE_TRUSTED_WDOG := 0 60ifneq ($(filter 1,${SPIN_ON_BL1_EXIT} ${ENABLE_RME}),) 61ARM_DISABLE_TRUSTED_WDOG := 1 62endif 63$(eval $(call assert_boolean,ARM_DISABLE_TRUSTED_WDOG)) 64$(eval $(call add_define,ARM_DISABLE_TRUSTED_WDOG)) 65 66# Process ARM_CONFIG_CNTACR 67ARM_CONFIG_CNTACR := 1 68$(eval $(call assert_boolean,ARM_CONFIG_CNTACR)) 69$(eval $(call add_define,ARM_CONFIG_CNTACR)) 70 71# Process ARM_BL31_IN_DRAM flag 72ARM_BL31_IN_DRAM := 0 73$(eval $(call assert_boolean,ARM_BL31_IN_DRAM)) 74$(eval $(call add_define,ARM_BL31_IN_DRAM)) 75 76# As per CCA security model, all root firmware must execute from on-chip secure 77# memory. This means we must not run BL31 from TZC-protected DRAM. 78ifeq (${ARM_BL31_IN_DRAM},1) 79 ifeq (${ENABLE_RME},1) 80 $(error "BL31 must not run from DRAM on RME-systems. Please set ARM_BL31_IN_DRAM to 0") 81 endif 82endif 83 84# Process ARM_PLAT_MT flag 85ARM_PLAT_MT := 0 86$(eval $(call assert_boolean,ARM_PLAT_MT)) 87$(eval $(call add_define,ARM_PLAT_MT)) 88 89# Use translation tables library v2 by default 90ARM_XLAT_TABLES_LIB_V1 := 0 91$(eval $(call assert_boolean,ARM_XLAT_TABLES_LIB_V1)) 92$(eval $(call add_define,ARM_XLAT_TABLES_LIB_V1)) 93 94# Don't have the Linux kernel as a BL33 image by default 95ARM_LINUX_KERNEL_AS_BL33 := 0 96$(eval $(call assert_boolean,ARM_LINUX_KERNEL_AS_BL33)) 97$(eval $(call add_define,ARM_LINUX_KERNEL_AS_BL33)) 98 99ifeq (${ARM_LINUX_KERNEL_AS_BL33},1) 100 ifneq (${ARCH},aarch64) 101 ifneq (${RESET_TO_SP_MIN},1) 102 $(error "ARM_LINUX_KERNEL_AS_BL33 is only available if RESET_TO_SP_MIN=1.") 103 endif 104 endif 105 ifndef PRELOADED_BL33_BASE 106 $(error "PRELOADED_BL33_BASE must be set if ARM_LINUX_KERNEL_AS_BL33 is used.") 107 endif 108 ifeq (${RESET_TO_BL31},1) 109 ifndef ARM_PRELOADED_DTB_BASE 110 $(error "ARM_PRELOADED_DTB_BASE must be set if ARM_LINUX_KERNEL_AS_BL33 is 111 used with RESET_TO_BL31.") 112 endif 113 $(eval $(call add_define,ARM_PRELOADED_DTB_BASE)) 114 endif 115endif 116 117# Arm(R) Ethos(TM)-N NPU SiP service 118ARM_ETHOSN_NPU_DRIVER := 0 119$(eval $(call assert_boolean,ARM_ETHOSN_NPU_DRIVER)) 120$(eval $(call add_define,ARM_ETHOSN_NPU_DRIVER)) 121 122# Arm(R) Ethos(TM)-N NPU TZMP1 123ARM_ETHOSN_NPU_TZMP1 := 0 124$(eval $(call assert_boolean,ARM_ETHOSN_NPU_TZMP1)) 125$(eval $(call add_define,ARM_ETHOSN_NPU_TZMP1)) 126ifeq (${ARM_ETHOSN_NPU_TZMP1},1) 127 ifeq (${ARM_ETHOSN_NPU_DRIVER},0) 128 $(error ARM_ETHOSN_NPU_TZMP1 is only available if ARM_ETHOSN_NPU_DRIVER=1) 129 endif 130 ifeq (${PLAT},juno) 131 $(eval $(call add_define,JUNO_ETHOSN_TZMP1)) 132 else 133 $(error ARM_ETHOSN_NPU_TZMP1 only supported on Juno platform, not ${PLAT}) 134 endif 135 136 ifeq (${TRUSTED_BOARD_BOOT},0) 137 # We rely on TRUSTED_BOARD_BOOT to prevent the firmware code from being 138 # tampered with, which is required to protect the confidentiality of protected 139 # inference data. 140 $(error ARM_ETHOSN_NPU_TZMP1 is only available if TRUSTED_BOARD_BOOT is enabled) 141 endif 142 143 # We need the FW certificate and key certificate 144 $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/npu_fw_key.crt,--npu-fw-key-cert)) 145 $(eval $(call TOOL_ADD_PAYLOAD,${BUILD_PLAT}/npu_fw_content.crt,--npu-fw-cert)) 146 # Needed for our OIDs to be available in tbbr_cot_bl2.c 147 $(eval $(call add_define, PLAT_DEF_OID)) 148 PLAT_INCLUDES += -I${PLAT_DIR}certificate/include 149 PLAT_INCLUDES += -Iinclude/drivers/arm/ 150 151 # We need the firmware to be built into the FIP 152 $(eval $(call TOOL_ADD_IMG,ARM_ETHOSN_NPU_FW,--npu-fw)) 153 154 # Needed so that UUIDs from the FIP are available in BL2 155 $(eval $(call add_define,PLAT_DEF_FIP_UUID)) 156 PLAT_INCLUDES += -I${PLAT_DIR}fip 157endif # ARM_ETHOSN_NPU_TZMP1 158 159# Use an implementation of SHA-256 with a smaller memory footprint but reduced 160# speed. 161$(eval $(call add_define,MBEDTLS_SHA256_SMALLER)) 162 163# Add the build options to pack Trusted OS Extra1 and Trusted OS Extra2 images 164# in the FIP if the platform requires. 165ifneq ($(BL32_EXTRA1),) 166$(eval $(call TOOL_ADD_IMG,bl32_extra1,--tos-fw-extra1)) 167endif 168ifneq ($(BL32_EXTRA2),) 169$(eval $(call TOOL_ADD_IMG,bl32_extra2,--tos-fw-extra2)) 170endif 171 172# Enable PSCI_STAT_COUNT/RESIDENCY APIs on ARM platforms 173ENABLE_PSCI_STAT := 1 174ENABLE_PMF := 1 175 176# Override the standard libc with optimised libc_asm 177OVERRIDE_LIBC := 1 178ifeq (${OVERRIDE_LIBC},1) 179 include lib/libc/libc_asm.mk 180endif 181 182# On ARM platforms, separate the code and read-only data sections to allow 183# mapping the former as executable and the latter as execute-never. 184SEPARATE_CODE_AND_RODATA := 1 185 186# On ARM platforms, disable SEPARATE_NOBITS_REGION by default. Both PROGBITS 187# and NOBITS sections of BL31 image are adjacent to each other and loaded 188# into Trusted SRAM. 189SEPARATE_NOBITS_REGION := 0 190 191# In order to support SEPARATE_NOBITS_REGION for Arm platforms, we need to load 192# BL31 PROGBITS into secure DRAM space and BL31 NOBITS into SRAM. Hence mandate 193# the build to require that ARM_BL31_IN_DRAM is enabled as well. 194ifeq ($(SEPARATE_NOBITS_REGION),1) 195 ifneq ($(ARM_BL31_IN_DRAM),1) 196 $(error For SEPARATE_NOBITS_REGION, ARM_BL31_IN_DRAM must be enabled) 197 endif 198 ifneq ($(RECLAIM_INIT_CODE),0) 199 $(error For SEPARATE_NOBITS_REGION, RECLAIM_INIT_CODE cannot be supported) 200 endif 201endif 202 203# Disable ARM Cryptocell by default 204ARM_CRYPTOCELL_INTEG := 0 205$(eval $(call assert_boolean,ARM_CRYPTOCELL_INTEG)) 206$(eval $(call add_define,ARM_CRYPTOCELL_INTEG)) 207 208# Enable PIE support for RESET_TO_BL31/RESET_TO_SP_MIN case 209ifneq ($(filter 1,${RESET_TO_BL31} ${RESET_TO_SP_MIN}),) 210 ENABLE_PIE := 1 211endif 212 213# CryptoCell integration relies on coherent buffers for passing data from 214# the AP CPU to the CryptoCell 215ifeq (${ARM_CRYPTOCELL_INTEG},1) 216 ifeq (${USE_COHERENT_MEM},0) 217 $(error "ARM_CRYPTOCELL_INTEG needs USE_COHERENT_MEM to be set.") 218 endif 219endif 220 221# Disable GPT parser support, use FIP image by default 222ARM_GPT_SUPPORT := 0 223$(eval $(call assert_boolean,ARM_GPT_SUPPORT)) 224$(eval $(call add_define,ARM_GPT_SUPPORT)) 225 226# Include necessary sources to parse GPT image 227ifeq (${ARM_GPT_SUPPORT}, 1) 228 BL2_SOURCES += drivers/partition/gpt.c \ 229 drivers/partition/partition.c 230endif 231 232# Enable CRC instructions via extension for ARMv8-A CPUs. 233# For ARMv8.1-A, and onwards CRC instructions are default enabled. 234# Enable HW computed CRC support unconditionally in BL2 component. 235ifeq (${ARM_ARCH_MAJOR},8) 236 ifeq (${ARM_ARCH_MINOR},0) 237 BL2_CPPFLAGS += -march=armv8-a+crc 238 endif 239endif 240 241ifeq ($(PSA_FWU_SUPPORT),1) 242 # GPT support is recommended as per PSA FWU specification hence 243 # PSA FWU implementation is tightly coupled with GPT support, 244 # and it does not support other formats. 245 ifneq ($(ARM_GPT_SUPPORT),1) 246 $(error For PSA_FWU_SUPPORT, ARM_GPT_SUPPORT must be enabled) 247 endif 248 FWU_MK := drivers/fwu/fwu.mk 249 $(info Including ${FWU_MK}) 250 include ${FWU_MK} 251endif 252 253ifeq (${ARCH}, aarch64) 254PLAT_INCLUDES += -Iinclude/plat/arm/common/aarch64 255endif 256 257PLAT_BL_COMMON_SOURCES += plat/arm/common/${ARCH}/arm_helpers.S \ 258 plat/arm/common/arm_common.c \ 259 plat/arm/common/arm_console.c 260 261ifeq (${ARM_XLAT_TABLES_LIB_V1}, 1) 262PLAT_BL_COMMON_SOURCES += lib/xlat_tables/xlat_tables_common.c \ 263 lib/xlat_tables/${ARCH}/xlat_tables.c 264else 265ifeq (${XLAT_MPU_LIB_V1}, 1) 266include lib/xlat_mpu/xlat_mpu.mk 267PLAT_BL_COMMON_SOURCES += ${XLAT_MPU_LIB_V1_SRCS} 268else 269include lib/xlat_tables_v2/xlat_tables.mk 270PLAT_BL_COMMON_SOURCES += ${XLAT_TABLES_LIB_SRCS} 271endif 272endif 273 274ARM_IO_SOURCES += plat/arm/common/arm_io_storage.c \ 275 plat/arm/common/fconf/arm_fconf_io.c 276ifeq (${SPD},spmd) 277 ifeq (${BL2_ENABLE_SP_LOAD},1) 278 ARM_IO_SOURCES += plat/arm/common/fconf/arm_fconf_sp.c 279 endif 280endif 281 282BL1_SOURCES += drivers/io/io_fip.c \ 283 drivers/io/io_memmap.c \ 284 drivers/io/io_storage.c \ 285 plat/arm/common/arm_bl1_setup.c \ 286 plat/arm/common/arm_err.c \ 287 ${ARM_IO_SOURCES} 288 289ifdef EL3_PAYLOAD_BASE 290# Need the plat_arm_program_trusted_mailbox() function to release secondary CPUs from 291# their holding pen 292BL1_SOURCES += plat/arm/common/arm_pm.c 293endif 294 295BL2_SOURCES += drivers/delay_timer/delay_timer.c \ 296 drivers/delay_timer/generic_delay_timer.c \ 297 drivers/io/io_fip.c \ 298 drivers/io/io_memmap.c \ 299 drivers/io/io_storage.c \ 300 plat/arm/common/arm_bl2_setup.c \ 301 plat/arm/common/arm_err.c \ 302 common/tf_crc32.c \ 303 ${ARM_IO_SOURCES} 304 305# Firmware Configuration Framework sources 306include lib/fconf/fconf.mk 307 308BL1_SOURCES += ${FCONF_SOURCES} ${FCONF_DYN_SOURCES} 309BL2_SOURCES += ${FCONF_SOURCES} ${FCONF_DYN_SOURCES} 310 311# Add `libfdt` and Arm common helpers required for Dynamic Config 312include lib/libfdt/libfdt.mk 313 314DYN_CFG_SOURCES += plat/arm/common/arm_dyn_cfg.c \ 315 plat/arm/common/arm_dyn_cfg_helpers.c \ 316 common/uuid.c 317 318DYN_CFG_SOURCES += ${FDT_WRAPPERS_SOURCES} 319 320BL1_SOURCES += ${DYN_CFG_SOURCES} 321BL2_SOURCES += ${DYN_CFG_SOURCES} 322 323ifeq (${RESET_TO_BL2},1) 324BL2_SOURCES += plat/arm/common/arm_bl2_el3_setup.c 325endif 326 327# Because BL1/BL2 execute in AArch64 mode but BL32 in AArch32 we need to use 328# the AArch32 descriptors. 329ifeq (${JUNO_AARCH32_EL3_RUNTIME},1) 330BL2_SOURCES += plat/arm/common/aarch32/arm_bl2_mem_params_desc.c 331else 332ifneq (${PLAT}, corstone1000) 333BL2_SOURCES += plat/arm/common/${ARCH}/arm_bl2_mem_params_desc.c 334endif 335endif 336BL2_SOURCES += plat/arm/common/arm_image_load.c \ 337 common/desc_image_load.c 338ifeq (${SPD},opteed) 339BL2_SOURCES += lib/optee/optee_utils.c 340endif 341 342BL2U_SOURCES += drivers/delay_timer/delay_timer.c \ 343 drivers/delay_timer/generic_delay_timer.c \ 344 plat/arm/common/arm_bl2u_setup.c 345 346BL31_SOURCES += plat/arm/common/arm_bl31_setup.c \ 347 plat/arm/common/arm_pm.c \ 348 plat/arm/common/arm_topology.c \ 349 plat/common/plat_psci_common.c 350 351ifneq ($(filter 1,${ENABLE_PMF} ${ARM_ETHOSN_NPU_DRIVER}),) 352ARM_SVC_HANDLER_SRCS := 353 354ifeq (${ENABLE_PMF},1) 355ARM_SVC_HANDLER_SRCS += lib/pmf/pmf_smc.c 356endif 357 358ifeq (${ARM_ETHOSN_NPU_DRIVER},1) 359ARM_SVC_HANDLER_SRCS += plat/arm/common/fconf/fconf_ethosn_getter.c \ 360 drivers/delay_timer/delay_timer.c \ 361 drivers/arm/ethosn/ethosn_smc.c 362ifeq (${ARM_ETHOSN_NPU_TZMP1},1) 363ARM_SVC_HANDLER_SRCS += drivers/arm/ethosn/ethosn_big_fw.c 364endif 365endif 366 367ifeq (${ARCH}, aarch64) 368BL31_SOURCES += plat/arm/common/aarch64/execution_state_switch.c\ 369 plat/arm/common/arm_sip_svc.c \ 370 ${ARM_SVC_HANDLER_SRCS} 371else 372BL32_SOURCES += plat/arm/common/arm_sip_svc.c \ 373 ${ARM_SVC_HANDLER_SRCS} 374endif 375endif 376 377ifeq (${EL3_EXCEPTION_HANDLING},1) 378BL31_SOURCES += plat/common/aarch64/plat_ehf.c 379endif 380 381ifeq (${SDEI_SUPPORT},1) 382BL31_SOURCES += plat/arm/common/aarch64/arm_sdei.c 383ifeq (${SDEI_IN_FCONF},1) 384BL31_SOURCES += plat/arm/common/fconf/fconf_sdei_getter.c 385endif 386endif 387 388# RAS sources 389ifeq (${RAS_EXTENSION},1) 390BL31_SOURCES += lib/extensions/ras/std_err_record.c \ 391 lib/extensions/ras/ras_common.c 392endif 393 394# Pointer Authentication sources 395ifeq (${ENABLE_PAUTH}, 1) 396PLAT_BL_COMMON_SOURCES += plat/arm/common/aarch64/arm_pauth.c 397endif 398 399ifeq (${SPD},spmd) 400BL31_SOURCES += plat/common/plat_spmd_manifest.c \ 401 common/uuid.c \ 402 ${LIBFDT_SRCS} 403 404BL31_SOURCES += ${FDT_WRAPPERS_SOURCES} 405endif 406 407ifeq (${DRTM_SUPPORT},1) 408BL31_SOURCES += plat/arm/common/arm_err.c 409endif 410 411ifneq (${TRUSTED_BOARD_BOOT},0) 412 413 # Include common TBB sources 414 AUTH_SOURCES := drivers/auth/auth_mod.c \ 415 drivers/auth/img_parser_mod.c 416 417 # Include the selected chain of trust sources. 418 ifeq (${COT},tbbr) 419 BL1_SOURCES += drivers/auth/tbbr/tbbr_cot_common.c \ 420 drivers/auth/tbbr/tbbr_cot_bl1.c 421 ifneq (${COT_DESC_IN_DTB},0) 422 BL2_SOURCES += lib/fconf/fconf_cot_getter.c 423 else 424 BL2_SOURCES += drivers/auth/tbbr/tbbr_cot_common.c 425 # Juno has its own TBBR CoT file for BL2 426 ifneq (${PLAT},juno) 427 BL2_SOURCES += drivers/auth/tbbr/tbbr_cot_bl2.c 428 endif 429 endif 430 else ifeq (${COT},dualroot) 431 AUTH_SOURCES += drivers/auth/dualroot/cot.c 432 else ifeq (${COT},cca) 433 AUTH_SOURCES += drivers/auth/cca/cot.c 434 else 435 $(error Unknown chain of trust ${COT}) 436 endif 437 438 BL1_SOURCES += ${AUTH_SOURCES} \ 439 bl1/tbbr/tbbr_img_desc.c \ 440 plat/arm/common/arm_bl1_fwu.c \ 441 plat/common/tbbr/plat_tbbr.c 442 443 BL2_SOURCES += ${AUTH_SOURCES} \ 444 plat/common/tbbr/plat_tbbr.c 445 446 $(eval $(call TOOL_ADD_IMG,ns_bl2u,--fwu,FWU_)) 447 448 IMG_PARSER_LIB_MK := drivers/auth/mbedtls/mbedtls_x509.mk 449 450 $(info Including ${IMG_PARSER_LIB_MK}) 451 include ${IMG_PARSER_LIB_MK} 452endif 453 454# Include Measured Boot makefile before any Crypto library makefile. 455# Crypto library makefile may need default definitions of Measured Boot build 456# flags present in Measured Boot makefile. 457ifneq ($(filter 1,${MEASURED_BOOT} ${DRTM_SUPPORT}),) 458 MEASURED_BOOT_MK := drivers/measured_boot/event_log/event_log.mk 459 $(info Including ${MEASURED_BOOT_MK}) 460 include ${MEASURED_BOOT_MK} 461 462 ifneq (${MBOOT_EL_HASH_ALG}, sha256) 463 $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512)) 464 endif 465 466 ifeq (${MEASURED_BOOT},1) 467 BL1_SOURCES += ${EVENT_LOG_SOURCES} 468 BL2_SOURCES += ${EVENT_LOG_SOURCES} 469 endif 470 471 ifeq (${DRTM_SUPPORT},1) 472 BL31_SOURCES += ${EVENT_LOG_SOURCES} 473 endif 474endif 475 476ifneq ($(filter 1,${MEASURED_BOOT} ${TRUSTED_BOARD_BOOT} ${DRTM_SUPPORT}),) 477 CRYPTO_SOURCES := drivers/auth/crypto_mod.c \ 478 lib/fconf/fconf_tbbr_getter.c 479 BL1_SOURCES += ${CRYPTO_SOURCES} 480 BL2_SOURCES += ${CRYPTO_SOURCES} 481 BL31_SOURCES += drivers/auth/crypto_mod.c 482 483 # We expect to locate the *.mk files under the directories specified below 484 ifeq (${ARM_CRYPTOCELL_INTEG},0) 485 CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk 486 else 487 CRYPTO_LIB_MK := drivers/auth/cryptocell/cryptocell_crypto.mk 488 endif 489 490 $(info Including ${CRYPTO_LIB_MK}) 491 include ${CRYPTO_LIB_MK} 492endif 493 494ifeq (${RECLAIM_INIT_CODE}, 1) 495 ifeq (${ARM_XLAT_TABLES_LIB_V1}, 1) 496 $(error "To reclaim init code xlat tables v2 must be used") 497 endif 498endif 499