From cd3093e7fc0c48193dfe3889571f9efc3e116acc Mon Sep 17 00:00:00 2001
From: Jared Baur <jaredbaur@fastmail.com>
Date: Wed, 7 Feb 2024 15:55:19 -0800
Subject: [PATCH] optee: add gen_ekb.py script

The gen_ekb.py script from the nv-optee source is a useful utility for
generating EKB images.
---
 default.nix                |  3 ++-
 pkgs/optee/default.nix     | 11 +++++------
 pkgs/optee/gen-ekb.nix     | 21 +++++++++++++++++++++
 pkgs/optee/nvoptee-src.nix |  6 ++++++
 4 files changed, 34 insertions(+), 7 deletions(-)
 create mode 100644 pkgs/optee/gen-ekb.nix
 create mode 100644 pkgs/optee/nvoptee-src.nix

diff --git a/default.nix b/default.nix
index fff28fc0..e5ccc9b0 100644
--- a/default.nix
+++ b/default.nix
@@ -64,6 +64,7 @@ let
     stdenv = pkgsAarch64.gcc9Stdenv;
     inherit bspSrc l4tVersion;
   }) buildTOS buildOpteeTaDevKit opteeClient;
+  genEkb = callPackage ./pkgs/optee/gen-ekb.nix { inherit l4tVersion; };
 
   flash-tools = callPackage ./pkgs/flash-tools {
     inherit bspSrc l4tVersion;
@@ -160,7 +161,7 @@ rec {
   inherit edk2-jetson uefi-firmware;
   inherit otaUtils;
 
-  inherit opteeClient;
+  inherit opteeClient genEkb;
 
   # TODO: Source packages. source_sync.sh from bspSrc
   # GST plugins
diff --git a/pkgs/optee/default.nix b/pkgs/optee/default.nix
index 613f1f0c..b7c30a33 100644
--- a/pkgs/optee/default.nix
+++ b/pkgs/optee/default.nix
@@ -9,6 +9,9 @@
 , dtc
 , nukeReferences
 , fetchpatch
+, writeShellScriptBin
+, python3
+, callPackage
 }:
 
 let
@@ -18,11 +21,7 @@ let
     sha256 = "sha256-9ml28qXN0B04ZocBr04x4tBzJ3iLgqGoVBveSkSCrgk=";
   };
 
-  nvopteeSrc = fetchgit {
-    url = "https://nv-tegra.nvidia.com/r/tegra/optee-src/nv-optee";
-    rev = "jetson_${l4tVersion}";
-    sha256 = "sha256-44RBXFNUlqZoq3OY/OFwhiU4Qxi4xQNmetFmlrr6jzY=";
-  };
+  nvopteeSrc = callPackage ./nvoptee-src.nix { inherit l4tVersion; };
 
   opteeClient = stdenv.mkDerivation {
     pname = "optee_client";
@@ -233,5 +232,5 @@ let
     image;
 in
 {
-  inherit buildTOS buildOpteeTaDevKit opteeClient;
+  inherit buildTOS buildOpteeTaDevKit opteeClient genEkb;
 }
diff --git a/pkgs/optee/gen-ekb.nix b/pkgs/optee/gen-ekb.nix
new file mode 100644
index 00000000..214b8e32
--- /dev/null
+++ b/pkgs/optee/gen-ekb.nix
@@ -0,0 +1,21 @@
+{ callPackage, l4tVersion, stdenv, python3 }:
+
+stdenv.mkDerivation {
+  pname = "gen_ekb.py";
+  src = callPackage ./nvoptee-src.nix { inherit l4tVersion; };
+  version = l4tVersion;
+  dontBuild = true;
+  buildInputs = [
+    (python3.withPackages (p: with p; [
+      cryptography
+      pycryptodome
+    ]))
+  ];
+  installPhase = ''
+    runHook preInstall
+    install -D optee/samples/hwkey-agent/host/tool/gen_ekb/gen_ekb.py \
+      $out/bin/gen_ekb.py
+    patchShebangs --host $out/bin/gen_ekb.py
+    runHook postInstall
+  '';
+}
diff --git a/pkgs/optee/nvoptee-src.nix b/pkgs/optee/nvoptee-src.nix
new file mode 100644
index 00000000..1c06cea2
--- /dev/null
+++ b/pkgs/optee/nvoptee-src.nix
@@ -0,0 +1,6 @@
+{ fetchgit, l4tVersion }:
+fetchgit {
+  url = "https://nv-tegra.nvidia.com/r/tegra/optee-src/nv-optee";
+  rev = "jetson_${l4tVersion}";
+  sha256 = "sha256-44RBXFNUlqZoq3OY/OFwhiU4Qxi4xQNmetFmlrr6jzY=";
+}