Deprecate nixos options related to packaging

We have a few nixos options that are mirrors of arguments to
`stdenv.mkDerivation` (e.g. `patches`, `postPatch`). Let's encourage
users to use the overlay system in order customize packaging.

UPGRADE_CHECKLIST.md

@@ -1,10 +1,11 @@
 ### Updating
 - [ ] Update `l4tVersion`, `jetpackVersion`, and `cudaVersion` in overlay.nix
-- [ ] Update branch/revision/sha256s in:
+- [ ] Update branch/revision/hashes in:
     - [ ] `overlay.nix`
     - [ ] `kernel/default.nix`
-    - [ ] `uefi-firmware.nix`
-    - [ ] Grep for "sha256 = ", see if there is anything else not covered
+    - [ ] `pkgs/uefi-firmware/edk2-nvidia.nix`
+    - [ ] `pkgs/uefi-firmware/jetson-edk2-uefi.nix`
+    - [ ] `grep -r -e "hash = " -e "sha256 = "` to see if there is anything else not covered
 - [ ] Update the kernel version in `kernel/default.nix` if it chaged.
 - [ ] Grep for the previous version strings e.g. "35.4.1"
 - [ ] Compare files from `unpackedDebs` before and after

device-pkgs/flash-script.nix

@@ -10,7 +10,7 @@ flash-tools:
   # be used by the bootloader(s) and passed to the kernel.
   dtbsDir ? null
 , # Optional package containing uefi_jetson.efi to replace prebuilt version
-  uefi-firmware ? null
+  uefiFirmware ? null
 , # Optional package containing tos.img to replace prebuilt version
   tosImage ? null
 , # Optional EKS file containing encrypted keyblob
@@ -44,18 +44,18 @@ flash-tools:
 
   ${lib.optionalString (partitionTemplate != null) "cp ${partitionTemplate} flash.xml"}
   ${lib.optionalString (dtbsDir != null) "cp -r ${dtbsDir}/. kernel/dtb/"}
-  ${lib.optionalString (uefi-firmware != null) ''
-  cp ${uefi-firmware}/uefi_jetson.bin bootloader/uefi_jetson.bin
+  ${lib.optionalString (uefiFirmware != null) ''
+  cp ${uefiFirmware}/uefi_jetson.bin bootloader/uefi_jetson.bin
 
   # For normal NixOS usage, we'd probably use systemd-boot or GRUB instead,
   # but lets replace the upstream L4TLauncher EFI payload anyway
-  cp ${uefi-firmware}/L4TLauncher.efi bootloader/BOOTAA64.efi
+  cp ${uefiFirmware}/L4TLauncher.efi bootloader/BOOTAA64.efi
 
   # Replace additional dtbos
-  cp ${uefi-firmware}/dtbs/*.dtbo kernel/dtb/
+  cp ${uefiFirmware}/dtbs/*.dtbo kernel/dtb/
   ''}
   ${lib.optionalString (tosImage != null) ''
-  cp ${tosImage}/tos.img bootloader/tos-optee_${socType}.img
+  cp ${tosImage} bootloader/tos-optee_${socType}.img
   ''}
   ${lib.optionalString (eksFile != null) ''
   cp ${eksFile} bootloader/eks_${socType}.img

modules/flash-script.nix

@@ -22,6 +22,12 @@ in
     (mkRenamedOptionModule [ "hardware" "nvidia-jetpack" "firmware" "optee" "supplicantExtraArgs" ] [ "hardware" "nvidia-jetpack" "firmware" "optee" "supplicant" "extraArgs" ])
     (mkRenamedOptionModule [ "hardware" "nvidia-jetpack" "firmware" "optee" "trustedApplications" ] [ "hardware" "nvidia-jetpack" "firmware" "optee" "supplicant" "trustedApplications" ])
     (mkRenamedOptionModule [ "hardware" "nvidia-jetpack" "firmware" "optee" "supplicantPlugins" ] [ "hardware" "nvidia-jetpack" "firmware" "optee" "supplicant" "plugins" ])
+    (mkRemovedOptionModule [ "hardware" "nvidia-jetpack" "firmware" "uefi" "edk2NvidiaPatches" ] "Use `nixpkgs.overlays` to modify `pkgs.nvidia-jetpack.edk2NvidiaSrc` instead.")
+    (mkRemovedOptionModule [ "hardware" "nvidia-jetpack" "firmware" "uefi" "edk2UefiPatches" ] "Use `nixpkgs.overlays` to modify `pkgs.nvidia-jetpack.jetsonEdk2Uefi` instead.")
+    (mkRemovedOptionModule [ "hardware" "nvidia-jetpack" "flashScriptOverrides" "patches" ] "Use `nixpkgs.overlays` to modify `pkgs.nvidia-jetpack.flash-tools` instead.")
+    (mkRemovedOptionModule [ "hardware" "nvidia-jetpack" "flashScriptOverrides" "postPatch" ] "Use `nixpkgs.overlays` to modify `pkgs.nvidia-jetpack.flash-tools` instead.")
+    (mkRemovedOptionModule [ "hardware" "nvidia-jetpack" "firmware" "optee" "patches" ] "Use `nixpkgs.overlays` to modify `pkgs.nvidia-jetpack.opteeOS` instead.")
+    (mkRemovedOptionModule [ "hardware" "nvidia-jetpack" "firmware" "optee" "extraMakeFlags" ] "Use `nixpkgs.overlays` to modify `pkgs.nvidia-jetpack.opteeOS` instead.")
   ];
 
   options = {
@@ -57,22 +63,6 @@ in
             default = cfg.firmware.uefi.debugMode;
           };
 
-          edk2NvidiaPatches = mkOption {
-            type = types.listOf types.path;
-            description = lib.mdDoc ''
-              Patches that will be applied to the edk2-nvidia repo
-            '';
-            default = [ ];
-          };
-
-          edk2UefiPatches = mkOption {
-            type = types.listOf types.path;
-            description = lib.mdDoc ''
-              Patches that will be applied to the nvidia edk2 repo which is nvidia's fork of the upstream edk2 repo
-            '';
-            default = [ ];
-          };
-
           secureBoot = {
             enrollDefaultKeys = lib.mkEnableOption "enroll default UEFI keys";
             defaultPkEslFile = mkOption {
@@ -175,16 +165,6 @@ in
             };
           };
 
-          patches = mkOption {
-            type = types.listOf types.path;
-            default = [ ];
-          };
-
-          extraMakeFlags = mkOption {
-            type = types.listOf types.str;
-            default = [ ];
-          };
-
           taPublicKeyFile = mkOption {
             type = types.nullOr types.path;
             default = null;
@@ -298,18 +278,6 @@ in
           description = ".xml file describing partition template to use when flashing";
         };
 
-        patches = mkOption {
-          type = types.listOf types.path;
-          default = [ ];
-          description = "Patches to apply to the flash-tools";
-        };
-
-        postPatch = mkOption {
-          type = types.lines;
-          default = "";
-          description = "Additional commands to run when building flash-tools";
-        };
-
         additionalDtbOverlays = mkOption {
           type = types.listOf types.path;
           default = [ ];

overlay-with-config.nix

@@ -5,13 +5,6 @@ final: prev: (
     cfg = config.hardware.nvidia-jetpack;
 
     inherit (prev) lib;
-
-    tosArgs = {
-      inherit (final.nvidia-jetpack) socType;
-      inherit (cfg.firmware.optee) taPublicKeyFile;
-      opteePatches = cfg.firmware.optee.patches;
-      extraMakeFlags = cfg.firmware.optee.extraMakeFlags;
-    };
   in
   {
     nvidia-jetpack = prev.nvidia-jetpack.overrideScope (finalJetpack: prevJetpack: {
@@ -27,24 +20,19 @@ final: prev: (
         else if lib.hasPrefix "xavier-" cfg.som then "0x19"
         else throw "Unknown SoC type";
 
-      uefi-firmware = prevJetpack.uefi-firmware.override ({
+      edk2NvidiaSrc = prevJetpack.edk2NvidiaSrc.override {
+        errorLevelInfo = cfg.firmware.uefi.errorLevelInfo;
         bootLogo = cfg.firmware.uefi.logo;
+      };
+
+      jetsonEdk2Uefi = prevJetpack.jetsonEdk2Uefi.override ({
         debugMode = cfg.firmware.uefi.debugMode;
-        errorLevelInfo = cfg.firmware.uefi.errorLevelInfo;
-        edk2NvidiaPatches = cfg.firmware.uefi.edk2NvidiaPatches;
-        edk2UefiPatches = cfg.firmware.uefi.edk2UefiPatches;
       } // lib.optionalAttrs cfg.firmware.uefi.capsuleAuthentication.enable {
         inherit (cfg.firmware.uefi.capsuleAuthentication) trustedPublicCertPemFile;
       });
 
-      flash-tools = prevJetpack.flash-tools.overrideAttrs ({ patches ? [ ], postPatch ? "", ... }: {
-        patches = patches ++ cfg.flashScriptOverrides.patches;
-        postPatch = postPatch + cfg.flashScriptOverrides.postPatch;
-      });
-
-      tosImage = finalJetpack.buildTOS tosArgs;
-      taDevKit = finalJetpack.buildOpteeTaDevKit tosArgs;
-      inherit (finalJetpack.tosImage) nvLuksSrv hwKeyAgent;
+      armTrustedFirmware = finalJetpack.callPackage ./pkgs/optee/arm-trusted-firmware.nix { };
+      tosImage = finalJetpack.callPackage ./pkgs/optee/tos-image.nix { };
 
       flashInitrd =
         let
@@ -101,7 +89,7 @@ final: prev: (
         inherit lib;
         inherit (cfg.firmware) eksFile;
         inherit (cfg.flashScriptOverrides) additionalDtbOverlays flashArgs partitionTemplate;
-        inherit (finalJetpack) tosImage socType uefi-firmware;
+        inherit (finalJetpack) tosImage socType uefiFirmware;
 
         dtbsDir = config.hardware.deviceTree.package;
       } // args);

overlay.nix

@@ -59,15 +59,30 @@ in
         self.gitRepos
     );
 
-    inherit (prev.callPackages ./pkgs/uefi-firmware { inherit (self) l4tVersion; })
-      edk2-jetson uefi-firmware;
-
-    inherit (prev.callPackages ./pkgs/optee {
-      # Nvidia's recommended toolchain is gcc9:
-      # https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/atf_and_optee_README.txt;h=591edda3d4ec96997e054ebd21fc8326983d3464;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l33
-      stdenv = prev.gcc9Stdenv;
-      inherit (self) bspSrc gitRepos l4tVersion;
-    }) buildTOS buildOpteeTaDevKit opteeClient;
+    edk2NvidiaSrc = self.callPackage ./pkgs/uefi-firmware/edk2-nvidia-src.nix { };
+    jetsonEdk2Uefi = self.callPackage ./pkgs/uefi-firmware/jetson-edk2-uefi.nix { };
+    uefiFirmware = self.callPackage ./pkgs/uefi-firmware/default.nix { };
+
+    # Nvidia's recommended toolchain for optee is gcc9:
+    # https://nv-tegra.nvidia.com/r/gitweb?p=tegra/optee-src/nv-optee.git;a=blob;f=optee/atf_and_optee_README.txt;h=591edda3d4ec96997e054ebd21fc8326983d3464;hb=5ac2ab218ba9116f1df4a0bb5092b1f6d810e8f7#l33
+    opteeStdenv = prev.gcc9Stdenv;
+
+    opteeClient = self.callPackage ./pkgs/optee/client.nix { };
+
+    opteeTaDevKit = (self.callPackage ./pkgs/optee/os.nix { }).overrideAttrs (old: {
+      pname = "optee-ta-dev-kit";
+      makeFlags = (old.makeFlags or [ ]) ++ [ "ta_dev_kit" ];
+    });
+
+    nvLuksSrv = self.callPackage ./pkgs/optee/nv-luks-srv.nix { };
+    hwKeyAgent = self.callPackage ./pkgs/optee/hw-key-agent.nix { };
+
+    opteeOS = self.callPackage ./pkgs/optee/os.nix {
+      earlyTaPaths = [
+        "${self.nvLuksSrv}/${self.nvLuksSrv.uuid}.stripped.elf"
+        "${self.hwKeyAgent}/${self.hwKeyAgent.uuid}.stripped.elf"
+      ];
+    };
 
     flash-tools = self.callPackage ./pkgs/flash-tools { };
 

pkgs/optee/arm-trusted-firmware.nix

@@ -0,0 +1,39 @@
+{ gitRepos
+, l4tVersion
+, opteeStdenv
+, socType
+}:
+
+opteeStdenv.mkDerivation {
+  pname = "arm-trusted-firmware";
+  version = l4tVersion;
+  src = gitRepos."tegra/optee-src/atf";
+  makeFlags = [
+    "-C arm-trusted-firmware"
+    "BUILD_BASE=$(PWD)/build"
+    "CROSS_COMPILE=${opteeStdenv.cc.targetPrefix}"
+    "DEBUG=0"
+    "LOG_LEVEL=20"
+    "PLAT=tegra"
+    "SPD=opteed"
+    "TARGET_SOC=${socType}"
+    "V=0"
+    # binutils 2.39 regression
+    # `warning: /build/source/build/rk3399/release/bl31/bl31.elf has a LOAD segment with RWX permissions`
+    # See also: https://developer.trustedfirmware.org/T996
+    "LDFLAGS=-no-warn-rwx-segments"
+  ];
+
+  enableParallelBuilding = true;
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out
+    cp ./build/tegra/${socType}/release/bl31.bin $out/bl31.bin
+
+    runHook postInstall
+  '';
+
+  meta.platforms = [ "aarch64-linux" ];
+}

pkgs/optee/client.nix

@@ -0,0 +1,28 @@
+{ opteeStdenv, fetchpatch, gitRepos, l4tVersion, pkg-config, libuuid }:
+
+opteeStdenv.mkDerivation {
+  pname = "optee_client";
+  version = l4tVersion;
+  src = gitRepos."tegra/optee-src/nv-optee";
+  patches = [
+    ./0001-Don-t-prepend-foo-bar-baz-to-TEEC_LOAD_PATH.patch
+    (fetchpatch {
+      name = "tee-supplicant-Allow-for-TA-load-path-to-be-specified-at-runtime.patch";
+      url = "https://github.com/OP-TEE/optee_client/commit/f3845d8bee3645eedfcc494be4db034c3c69e9ab.patch";
+      stripLen = 1;
+      extraPrefix = "optee/optee_client/";
+      hash = "sha256-XjFpMbyXy74sqnc8l+EgTaPXqwwHcvni1Z68ShokTGc=";
+    })
+  ];
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libuuid ];
+  enableParallelBuilding = true;
+  makeFlags = [
+    "-C optee/optee_client"
+    "DESTDIR=$(out)"
+    "SBINDIR=/sbin"
+    "LIBDIR=/lib"
+    "INCLUDEDIR=/include"
+  ];
+  meta.platforms = [ "aarch64-linux" ];
+}