linux: support including optional crypto accelerator firmware in rootfs

SolidRun · Jan 27, 2025 · 77f806a · 77f806a
1 parent c12135d
commit 77f806a
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 1 deletion.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -71,6 +71,16 @@ jobs:
           build_tag=$(date +%Y-%m-%d)_$(git rev-parse --short HEAD)
           echo "build_tag=$build_tag" >> "$GITHUB_OUTPUT"
 
+      - name: Fetch Proprietary Firmware
+        shell: bash -e {0}
+        env:
+          ACCESS_KEY: ${{ secrets.IMAGES_S3_ACCESS }}
+          SECRET_KEY: ${{ secrets.IMAGES_S3_SECRET }}
+          HOST: ${{ secrets.IMAGES_S3_HOST }}
+          BUCKET: ${{ secrets.PROTECTED_S3_BUCKET }}
+        run: |
+          s3cmd --access_key="$ACCESS_KEY" --secret_key="$SECRET_KEY" --host="$HOST" --host-bucket="%(bucket)s.$HOST" get s3://$BUCKET/marvell/cn913x/sources-is_fw-SDK12.24.10.tar.bz2 ./cn9130-crypto-firmware.tar.bz2
+
       - name: Build
         shell: bash -x {0}
         run: |

diff --git a/README.md b/README.md
@@ -90,6 +90,20 @@ Build options can be customised by passing environment variables to the runme sc
   - `true` (default)
   - `false`
 
+### Include Crypto Accelerator Firmware
+
+CN9130 SoC comes with a cryptographic accelerator block that requires a proprietary firmware package from Marvell.
+
+This package is picked up automatically by the build system, **only if** a file `cn9130-crypto-firmware.tar.bz2` exists in the root directory of the build (i.e. next to this `README.md` file).
+
+The package must include the files below:
+
+- `is_fw/license.txt`
+- `is_fw/inside-secure/eip197b/ifpp.bin`
+- `is_fw/inside-secure/eip197b/ipue.bin`
+
+Carefully review `license.txt` before use!
+
 ## DDR configuration and EEPROM
 
 The atf dram_port.c supports both CN9132 CEX-7 SO-DIMM integrating SPD EEPROM, and CN9130 SOM with DDRs soldered on board which are configured according to boot straps MPP[10:11].

diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -20,7 +20,7 @@ RUN apt-get --no-install-recommends -y install \
 	vim qemu-system-arm libtool m4 automake meson \
 	pkg-config python3-pyelftools kmod \
 	debootstrap libncurses-dev crossbuild-essential-arm64 \
-	openssl ca-certificates fakeroot
+	openssl ca-certificates fakeroot s3cmd
 
 # generate cross pkg-config
 ADD aarch64-linux-gnu.personality /usr/share/pkgconfig/personality.d

diff --git a/runme.sh b/runme.sh
@@ -566,6 +566,21 @@ meson setup \
 	build
 ninja -C build
 
+###############################################################################
+# inject proprietary firmware blobs
+###############################################################################
+
+if [ -e "$ROOTDIR/cn9130-crypto-firmware.tar.bz2" ]; then
+	rm -rf $ROOTDIR/build/firmware
+	mkdir -p $ROOTDIR/build/firmware
+
+	tar -C $ROOTDIR/build/firmware -xf $ROOTDIR/cn9130-crypto-firmware.tar.bz2
+
+	echo inside-secure/eip197b/ifpp.bin | e2cp -v -G 0 -O 0 -P 644 -s "$ROOTDIR/build/firmware/is_fw" -d "$ROOTDIR/images/tmp/rootfs.ext4:usr/lib/firmware/" -a
+	echo inside-secure/eip197b/ipue.bin | e2cp -v -G 0 -O 0 -P 644 -s "$ROOTDIR/build/firmware/is_fw" -d "$ROOTDIR/images/tmp/rootfs.ext4:usr/lib/firmware/" -a
+	echo license.txt | e2cp -v -G 0 -O 0 -P 644 -s "$ROOTDIR/build/firmware/is_fw" -d "$ROOTDIR/images/tmp/rootfs.ext4:usr/lib/firmware/inside-secure/eip197b/" -a
+fi
+
 ###############################################################################
 # assembling images
 ###############################################################################